- Just so you know why I made this
- I wanted to give some definitions of what you might find in psplink, so that next time you see a crash you know whether it's exploitable or not. I also thought of making some instruction definitions, to help the general understanding of the PSP's Allegrex processor.
Basics
- CPU Registers
- $zr -> Zero register, always reads 0x00000000 (writes to it are discarded)
$at -> Assembler temporary, scratch register used by assembler macros (pseudo-instructions); can generally be ignored
$v0-v1 -> Function return values; these tend to be easily changed by loading functions
$a0-a3 -> Function arguments; if you control these, you will need to look into what the following functions do with them
$t0-t9 -> Temporaries, not preserved across calls; usually useless, may be useful depending on how they are used
$s0-s7 -> Saved temporaries, preserved across calls (the callee saves them on the stack and restores them before returning); keep an eye on these in complex sections of code, can be useful
$k0-k1 -> Kernel registers, reserved for the exception handler
$gp -> Global data pointer, name kind of says it all
$sp -> Stack pointer, VERY useful in more complex sections of code: the stack holds the callers' saved $ra values and $s# values, so overwriting it gets you $ra when the function returns
$fp -> Frame pointer (the same register as $s8), points somewhere into the stack; only used by some (usually large) functions
$ra -> Return address, easiest register to exploit if you have control of it, since the jr $ra at the end of the function jumps to wherever it points
- LOAD AND STORE
- la: load address (assembler macro: lui plus an add of the low 16 bits)
lb: load byte
lbu: load byte unsigned
ld: load double (on the 32-bit Allegrex this is an assembler macro that loads two words into a register pair)
lh: load halfword
lhu: load halfword unsigned
lw: load word
lwl: load word left
lwr: load word right (lwl and lwr are used as a pair to assemble an unaligned word)
ulh: unaligned load halfword (assembler macro)
ulhu: unaligned load halfword unsigned (assembler macro)
ulw: unaligned load word (assembler macro, expands to lwl/lwr)
li: load immediate (assembler macro: lui and/or ori/addiu)
lui: load upper immediate
sb: store byte
sd: store double
sh: store halfword
sw: store word
swl: store word left
swr: store word right
ush: unaligned store halfword
usw: unaligned store word
- COMPUTE
- Nymphaea's note: "Unsigned" in MIPS is kind of a misnomer from what I've seen/heard
add: add (with overflow)
addu: add unsigned
and : AND
div: divide (signed)
divu: divide unsigned
xor: exclusive OR
mul(t): multiply
mulo: multiply (with overflow)
mulou: multiply (with overflow unsigned)
nor: NOR
or: OR
seq: set equal
sge: set on greater than or equal
sgeu: set on greater than or equal unsigned
sgt: set on greater than
sgtu: set on greater than unsigned
sle: set on less than or equal
sleu: set on less than or equal unsigned
slt: set on less than
sltu: set on less than unsigned
sne: set on not equal
sub: subtract
subu: subtract unsigned
rem: remainder
remu: remainder unsigned
rol: rotate left
ror: rotate right
sll: shift left logical
srl: shift right logical
sra: shift right arithmetic (keeps the sign bit; sllv/srlv/srav are the variants shifting by a register amount)
abs: absolute value
neg: negate (with overflow)
negu: negate (without overflow)
not: NOT
move: move (copy one register to another; assembler macro for addu/or with $zr)
multu: multiply unsigned
teq: trap if equal
tge: trap if greater than or equal
tgeu: trap if greater than or equal unsigned
tlt: trap if less than
tltu: trap if less than unsigned
tne: trap if not equal
- JUMP AND BRANCH
- Nymphaea's first note: Jumps and branches (alike for our purposes, except that branches are conditional and PC-relative while jumps are absolute) usually stay within a single function, except jr $ra (end of function), jal (calls a function/subroutine), and jalr (calls through a register, i.e. a function pointer; sometimes exploitable if you control that register)
Nymphaea's second note: All jumps and branches have a "delay slot": the instruction placed right after the jump or branch is executed before the control transfer takes effect, whether or not the branch is taken, so even a jr $ra still runs the instruction that follows it. Branches also have a "likely" form (an "l" added to the end of the name, e.g. bnel) in which the delay slot is executed ONLY if the branch is taken; when it is not taken, the delay-slot instruction is skipped.
j: Jump
jr: Jump to Register value
jal: Jump And Link
jalr: Jump And Link Register
beq: Branch on EQual
bge: Branch on Greater than or Equal (assembler macro: slt followed by beq/bne; the same holds for bgeu, bgt, bgtu, ble, bleu, blt and bltu)
bgeu: Branch on Greater than or Equal Unsigned
bgt: branch on greater than
bgtu: branch on greater than unsigned
ble: branch on less than or equal
bleu: branch on less than or equal unsigned
blt: branch on less than
bltu: branch on less than unsigned
bne: branch on not equal
beqz: branch on equal to zero
bnez: branch on not equal to zero
bgezal: branch on greater than or equal to zero and link
bgtz: branch on greater than zero
blez: branch on less than or equal to zero
bltz: branch on less than zero
bltzal: branch on less than zero and link
b: branch (unconditional)
bal: branch and link
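To make the two notes above concrete, here is an added example (not from the original page or from any PSP project): a tiny simulator for a handful of pre-decoded Allegrex instructions that executes the delay slot exactly the way the hardware does. Running the same constructed six-instruction program with bne and then with bnel shows that a plain branch always runs the instruction after it, while the "likely" form skips it when the branch is not taken. The instruction subset, the struct layout and the helper names are assumptions for the demo; the register numbers ($t0 = 8, $t1 = 9, $t2 = 10, $ra = 31) are the standard MIPS numbering.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed subset of Allegrex instructions, held pre-decoded (demo only). */
enum op { OP_NOP, OP_ADDIU, OP_BNE, OP_BNEL, OP_JR };
struct insn { enum op op; int rs, rt; int32_t imm; }; /* imm: immediate, or branch offset in instructions */

enum { ZERO = 0, T0 = 8, T1 = 9, T2 = 10, RA = 31 };  /* MIPS register numbers */

/* Non-control instructions. $zero reads as 0 after every write. */
static void exec_simple(const struct insn *i, uint32_t r[32])
{
    if (i->op == OP_ADDIU) r[i->rt] = r[i->rs] + (uint32_t)i->imm;
    r[ZERO] = 0;
}

static int is_control(enum op op) { return op == OP_BNE || op == OP_BNEL || op == OP_JR; }

/* Runs prog from index 0 until the pc leaves [0, n). As on real MIPS the branch
 * offset is relative to the delay slot: target = branch_index + 1 + imm.
 * A delay slot is assumed to hold a non-control instruction (a branch in a
 * delay slot is undefined on MIPS). */
void run(const struct insn *prog, size_t n, uint32_t r[32])
{
    size_t pc = 0;
    for (int steps = 0; pc < n && steps < 10000; steps++) {
        const struct insn *i = &prog[pc];
        if (!is_control(i->op)) { exec_simple(i, r); pc++; continue; }

        size_t slot = pc + 1;                       /* the delay slot */
        int taken, likely = (i->op == OP_BNEL);
        size_t target;
        if (i->op == OP_JR) { taken = 1; target = r[i->rs]; }
        else { taken = (r[i->rs] != r[i->rt]); target = (size_t)((long)slot + i->imm); }

        /* The hardware always executes the delay slot before the transfer takes
         * effect; the one exception is a branch-likely that is NOT taken. */
        if (slot < n && (taken || !likely)) exec_simple(&prog[slot], r);
        pc = taken ? target : slot + 1;
    }
}

/* Constructed program, with either bne or bnel at index 1:
 *   0: addiu $t0, $zero, t0_init
 *   1: bne/bnel $t0, $zero, +2   ; taken when t0 != 0, target = index 4
 *   2: addiu $t1, $zero, 1       ; delay slot
 *   3: addiu $t2, $zero, 99      ; reached only when the branch is not taken
 *   4: jr $ra                    ; $ra = 6 -> leaves the program
 *   5: nop                       ; jr's own delay slot
 * Afterwards $t1 tells you whether the delay slot ran, $t2 whether the branch was taken. */
void run_demo(enum op branch, uint32_t t0_init, uint32_t r[32])
{
    struct insn prog[] = {
        { OP_ADDIU, ZERO, T0, (int32_t)t0_init },
        { branch,   T0, ZERO, 2 },
        { OP_ADDIU, ZERO, T1, 1 },
        { OP_ADDIU, ZERO, T2, 99 },
        { OP_JR,    RA, 0, 0 },
        { OP_NOP,   0, 0, 0 },
    };
    size_t n = sizeof prog / sizeof prog[0];
    memset(r, 0, 32 * sizeof r[0]);
    r[RA] = (uint32_t)n;
    run(prog, n, r);
}

int main(void)
{
    uint32_t r[32];
    run_demo(OP_BNE, 0, r);
    printf("bne  not taken: t1=%u (delay slot ran) t2=%u\n", r[T1], r[T2]);
    run_demo(OP_BNEL, 0, r);
    printf("bnel not taken: t1=%u (delay slot nullified) t2=%u\n", r[T1], r[T2]);
    run_demo(OP_BNE, 7, r);
    printf("bne  taken:     t1=%u t2=%u\n", r[T1], r[T2]);
    return 0;
}
```

The practical consequence for reading a crash: when you find the jr $ra that hands control to your value, the instruction in its delay slot still executes first, so check it does not touch a register you depend on, and remember that the instruction after a bnel/beql may simply never run.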
- SPECIAL
- break: break
mfhi: move from high
mflo: move from low
mthi: move to high
mtlo: move to low
nop: no operation
rfe: restore from exception
syscall:system call
- Original Post
- CPU Registers:
$zr -> Constant zero
$at -> Assembler temporary
$v0-v1 -> Function return
$a0-a3 -> Incoming arguments
$t0-t9 -> Temporaries
$s0-s7 -> Saved temporaries
$k0-k1 -> Exception handling <- Defines the exception handling
$gp -> Global data pointer
$sp -> Stack pointer
$fp -> Saved temporary
$ra -> Return address <- GOAL
- CoProcessor Registers:
BADVAddr -> Bad Virtual Address
Status -> Status Register
Cause -> Cause Register
EPC -> Exception Program Counter Register
- Exception Types:
0 -> External Interrupt (useless)
1-3 -> Reserved (most likely FPU exception) (useless)
4 -> Address error (load or instruction fetch) (BINGO!!! Available in Davee's Tiff Exploit)
5 -> Address error (data store) (useless, unless you control some registers' values)
6 -> Bus error (instruction fetch) (BINGO!!! Available in ALL game exploits)
7 -> Bus error (data load or store) (useless, unless you control some registers' values)
8 -> Syscall instruction (useless)
9 -> Breakpoint (useless, BUT a very rare case where $ra was totally overwritten appeared, still it's very very rare that this happens)
10 -> Reserved instruction (useless)
11 -> Coprocessor unusable (useless)
12 -> Arithmetic overflow (useless)
13-15 -> Not used
- Instruction Syntax (for those who asked):
LOAD AND STORE
la: load address
lb: load byte
lbu: load byte unsigned
ld: load double
lh: load halfword
lhu: load halfword unsigned
lw: load word
lwl: load word left
lwr: load word right
ulh: unaligned load halfword
ulhu: unaligned load halfword unsigned
ulw: unaligned load word
li: load immediate
lui: load upper immediate
sb: store byte
sd: store double
sh: store halfword
sw: store word
swl: store word left
swr: store word right
ush: unaligned store halfword
usw: unaligned store word
COMPUTE
add: add (with overflow)
addu: add unsigned
and: AND
div: divide (signed)
divu: divide unsigned
xor: exclusive OR
mul(t): multiply
mulo: multiply (with overflow)
mulou: multiply (with overflow unsigned)
nor: NOR
or: OR
seq: set equal
sge: set on greater than or equal
sgeu: set on greater than or equal unsigned
sgt: set on greater than
sgtu: set on greater than unsigned
sle: set on less than or equal
sleu: set on less than or equal unsigned
slt: set on less than
slt: set on less than unsigned
sne: set on not equal
sub: subtract
subu: subtract unsigned
rem: remainder
remu: remainder unsigned
rol: rotate left
ror: rotate right
sll: shift left logical
srl: shift right logical
sra: shift left logical variable
abs: absolute value
neg: negate (with overflow)
negu: negate (without overflow)
not: NOT
move: move
multu: multiply unsigned
teq: trap if equal
tge: trap if greater than or equal
tgeu: trap if greater than or equal unsigned
tlt: trap if less than
tltu: trap if less than unsigned
tne: trap if not equal
JUMP AND BRANCH
j: jump
jal: jump and link
beq: branch on equal
bge: branch on greater than or equal
bgeu: branch on greater than or equal unsigned
bgt: branch on greater than
bgtu: branch on greater than unsigned
ble: branch on less than or equal
bleu: branch on less than or equal
blt: branch on less than
bltu: branch on less than unsigned
bne: branch on not equal
beqz: branch on equal to zero
bnez: branch on not equal to zero
bgezal: branch on greater than or equal to zero and link
bgtz: branch on greater than zero
blez: branch on less than or equal to zero
bltz: branch on less than zero
bltzal: branch on less than zero and link
b: branch
bal: branch and link
SPECIAL
break: break
mfhi: move from high
mflo: move from low
mthi: move to high
mtlo: move to low
nop: no operation
rfe: restore from exception
syscall: system call
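The register roles in the Basics section and the exception-type list in the original post together give a crash-triage rule: a fetch fault (exception 4 or 6) whose EPC is a value you supplied means you own the program counter, a data fault (4, 5 or 7) is only interesting when the faulting address came from your data, and a breakpoint (9) only in the rare case where $ra itself was overwritten. Here is an added example (not from the original page or from psplink) that applies those rules to a crash record and, using a Metasploit-style cyclic pattern, maps the register value back to the byte offset in your input it was loaded from. The crash struct, its field names and the verdict names are assumptions for the demo; the only PSP-specific facts used are the ExcCode numbers from the post and that the Allegrex is little-endian, so the low byte of a loaded word sits at the lowest address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cause.ExcCode values from the exception-type list in the post. */
enum exc_code {
    EXC_ADEL = 4,  /* address error: load or instruction fetch */
    EXC_ADES = 5,  /* address error: data store */
    EXC_IBE  = 6,  /* bus error: instruction fetch */
    EXC_DBE  = 7,  /* bus error: data load or store */
    EXC_BP   = 9   /* breakpoint */
};

/* Assumed subset of a psplink exception dump; field names are ours. */
struct crash {
    unsigned exc;
    uint32_t epc, badvaddr, ra;
};

enum verdict { NOT_USEFUL, CONTROLLED_PC, CONTROLLED_POINTER, CONTROLLED_RA_AT_BREAK };

/* Cyclic pattern Aa0Aa1...Aa9Ab0...: every 4-byte window is unique within the
 * first 20280 bytes, so a register value maps back to exactly one offset. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z'; u++)
        for (char l = 'a'; l <= 'z'; l++)
            for (char d = '0'; d <= '9'; d++) {
                const char trip[3] = { u, l, d };
                for (int i = 0; i < 3; i++) {
                    if (n == len) return n;
                    out[n++] = trip[i];
                }
            }
    return n;
}

/* The word a little-endian lw at pattern offset 'off' would put in a register. */
uint32_t load_le32(const char *buf, size_t off)
{
    const unsigned char *p = (const unsigned char *)buf + off;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Offset in the pattern that a register holding 'value' was loaded from, or -1. */
long pattern_offset(const char *pat, size_t len, uint32_t value)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (load_le32(pat, i) == value) return (long)i;
    return -1;
}

/* Applies the post's rules to one crash; *offset receives the pattern offset
 * of the controlled value, or -1 when the crash is judged not useful. */
enum verdict triage(const struct crash *c, const char *pat, size_t len, long *offset)
{
    long o = -1;
    enum verdict v = NOT_USEFUL;
    switch (c->exc) {
    case EXC_IBE:           /* fetch from an unmapped address: EPC is the target */
        if ((o = pattern_offset(pat, len, c->epc)) >= 0) v = CONTROLLED_PC;
        break;
    case EXC_ADEL:          /* misaligned fetch (EPC) or misaligned load (BadVAddr) */
        if ((o = pattern_offset(pat, len, c->epc)) >= 0) v = CONTROLLED_PC;
        else if ((o = pattern_offset(pat, len, c->badvaddr)) >= 0) v = CONTROLLED_POINTER;
        break;
    case EXC_ADES: case EXC_DBE:   /* only useful if the bad address is ours */
        if ((o = pattern_offset(pat, len, c->badvaddr)) >= 0) v = CONTROLLED_POINTER;
        break;
    case EXC_BP:            /* the rare case from the post: $ra overwritten */
        if ((o = pattern_offset(pat, len, c->ra)) >= 0) v = CONTROLLED_RA_AT_BREAK;
        break;
    default:
        break;
    }
    *offset = (v == NOT_USEFUL) ? -1 : o;
    return v;
}

int main(void)
{
    char pat[512];
    size_t n = pattern_create(pat, sizeof pat);
    /* Constructed crash: a function returned into our data and the CPU tried to
     * fetch from the (unaligned) pattern word at offset 20, giving exception 4. */
    struct crash c = { EXC_ADEL, load_le32(pat, 20), load_le32(pat, 20), load_le32(pat, 20) };
    long off;
    enum verdict v = triage(&c, pat, n, &off);
    printf("verdict %d: EPC 0x%08x came from pattern offset %ld\n", v, c.epc, off);
    return 0;
}
```

In practice you fill the crashing input with the pattern, read EPC, BadVAddr and $ra straight off the psplink dump, and the returned offset tells you which bytes of the file to replace with the address you want to jump to. Note the page's own caveat that exceptions 5 and 7 only matter when a register you control is the base of the faulting access, which is what the BadVAddr check approximates here.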