XboxHacker BBS
 
Topic: PPC for dummies :)
TheSpecialist
« on: March 05, 2007, 09:27:48 PM »

I think it's about time to start learn PPC ASM and since I guess that the majority of the hackers here are new to PPC (like myself), I thought it might be a good idea to open a thread where we can help each other out with specific PPC ASM info/questions.

Here are some helpful links I found myself:

1) The PPC bible from IBM, containing about everything you need to know:
http://www-306.ibm.com/chips/techlib/techlib.nsf/techdocs/F7E732FF811F783187256FDD004D3797/$file/pem_64bit_v3.0.2005jul15.pdf
2) A small PPC tutorial I just found: http://www.lightsoft.co.uk/Fantasm/Beginners/begin1.html (bad thing about this one is that it assumes you're new to asm in general, so it's filled with a lot of crap)
3) An interesting new thread on this board, discussing the exploit code: http://www.xboxhacker.net/index.php?topic=7020.0


If anybody has another useful link, please post it.
DrMatrix
« Reply #1 on: March 05, 2007, 09:38:33 PM »

I think we should work on creating a nicer environment, like a C framework.
If that's established, people can write C code. I have my own environment, but it's very hackish.

Basically all you need is to setup a stack, and to provide some stdio functions (printf would be enough, for a start).
TheSpecialist
« Reply #2 on: March 05, 2007, 09:43:10 PM »

Quote
I think we should work on creating a nicer environment, like a C framework.
If that's established, people can write C code. I have my own environment, but it's very hackish.

Yes, that's a good idea, but we need to get a basic understanding of PPC in order to understand the HV code, hence this thread.

So anyway, I already have 2 questions, hope somebody can answer them:
1) What's up with the '%' in front of the registers? I don't see that in any other PPC code on the internet, does it even have a meaning?
2) A question about the exploit:


Quote
   lis %r6, hello@h                # load r6 with 'hello' string high address
   ori %r6, %r6, (hello-1)@l       # load r6 with 'hello' string low address

I've just read that PPC instructions are always 32 bit long, which means that that damn CPU can't load a 32 bit address to a reg in 1 go. So you need 2 instructions, like in the example above, where the address of 'hello' (the string) is loaded to r6. But what's up with that 'hello-1'?
I would have expected something like:

lis %r6, hello@h                # load r6 with 'hello' string high address
ori %r6, %r6, hello@l           # or the low word of r6 with the low address word of hello

So in short, can somebody explain in (a lot of detail, hehe) the above 2 instructions (I know that lis = load immediate and shift and ori= or immediate, but I'd like some info about that @l, @h and that hello-1)


Anyone? Sorry for these n00b questions, I'll start with that IBM document tomorrow.
« Last Edit: March 05, 2007, 10:03:18 PM by TheSpecialist »
DrMatrix
« Reply #3 on: March 05, 2007, 09:56:27 PM »

I'm not sure about the background of the '%' notation, but GNU as either wants "3" (for r3) or "%r3". Other code usually uses #define r3 3 etc.

The code loads r6 with the address of hello minus one. (As segher pointed out, the lis would correctly be "lis %r6, (hello-1)@h" as well, but as the high order bits don't change during the subtraction, this doesn't matter here. If "hello" were 64k aligned, it would.)

This is done because the "lbzu %r3, 1(%r6)" instruction is used, which accesses at offset +1 (so the byte at hello-1+1 == 'h' from hello at the first iteration). You could also write "lbz %r3, 0(%r6); addi %r6, %r6, 1" - then you wouldn't need the -1 offset.

Oh, @l just extracts the lower 16 bits of the expression, and @h the upper 16 bits.
TheSpecialist
« Reply #4 on: March 05, 2007, 09:58:56 PM »

Ah, ok, I didn't understand why he used -1 for the low address and not the -1 for the high, which in fact, he should have done.

Yep, makes sense, thanks DrMatrix!
« Last Edit: March 05, 2007, 10:01:15 PM by TheSpecialist »
TheSpecialist
« Reply #5 on: March 05, 2007, 10:15:26 PM »

OK, a little test to see if I'm starting to get this. Let's say that in the exploit code you would replace this first part:
Quote
.globl _start
_start:

   li %r4, 0x200                   # r4 = 0x0000 0000 0000 0200
   rldicr  %r4, %r4, 32,31         # r4 = 0x0000 0200 0000 0000 (rotate r4's low word into r4's high word)
   oris %r4, %r4, 0xea00           # r4 = 0x0000 0200 ea00 0000 (load 0xea00 into r4[16-31])

   lis %r6, hello@h                # load r6 with 'hello' string high address
   ori %r6, %r6, (hello-1)@l       # load r6 with 'hello' string low address
1:
   lbzu %r3, 1(%r6)               
   cmpwi %r3, 0                   
   beq 1f                          # exit loop (forward) if equal

With:
Quote
.globl _start
_start:

   li %r4, 0x200                   # r4 = 0x0000 0000 0000 0200
   rldicr  %r4, %r4, 32,31         # r4 = 0x0000 0200 0000 0000 (rotate r4's low word into r4's high word)
   oris %r4, %r4, 0xea00           # r4 = 0x0000 0200 ea00 0000 (load 0xea00 into r4[16-31])

   li %r6, 0                   
1:
   lbzu %r3, 1(%r6-1)               
   cmpli %r6, 0x20000                   
   beq 1f                         
Then the exploit code would suddenly dump the HV mem (which ought to reside in 0x0 to 0x20000) to the serial port, correct?

« Last Edit: March 05, 2007, 10:43:32 PM by TheSpecialist »
fungus
« Reply #6 on: March 06, 2007, 02:08:38 AM »

hi

I don't think that code will work - the immediate for cmpli is 16-bit. Here's a version I hastily cobbled together; I didn't use the pre-update form of the load.

Code:
_start:
  li      %r4, 0x200              # r4 = 0x0000 0000 0000 0200
  rldicr  %r4, %r4, 32,31         # r4 = 0x0000 0200 0000 0000 (rotate r4's low word into r4's high word)
  oris    %r4, %r4, 0xea00        # r4 = 0x0000 0200 ea00 0000 (load 0xea00 into r4[16-31])

  li      %r6, 0                  # r6 = 0
  lui     %r7, 0x0002             # r7 = 0x20000
 
1:
  lbz     %r3, 0(%r6)             # load next byte
  bl      getc                    # output it
  addi    %r6, %r6, 1             # inc source
  addi    %r7, %r7, -1            # dec to do
  cmplwi  %r7, 0                  # anything left ?
  bne     1b                      # keep going until we're done

2:
  b       2b                      # spin!

-fungus
« Last Edit: March 06, 2007, 02:29:56 AM by fungus »
TheSpecialist
« Reply #7 on: March 06, 2007, 08:36:17 AM »

Hi Fungus,

Yep, agreed, can't use 32 bit numbers on PPC in 1 instruction, like I said myself already, hehe. Damn, that's some serious disadvantage to the ASM coder! But then... I guess there won't be many ASM coders on PPC anyway.

Anyway, thanks for your correction!

*EDIT* You made a small mistake: the 'bl getc' in your example should be 'bl putc' to output it, of course.
*EDIT 2* I can't find the 'lui' instruction in the IBM document!?!? But I assume that it is just 'shifting' to the upper word, right? (LUI = 'Load to the Upper word Immediate'?)
« Last Edit: March 06, 2007, 09:02:00 AM by TheSpecialist »
StandardIO
« Reply #8 on: March 06, 2007, 09:36:27 AM »

Quote
I can't find the 'lui' instruction in the IBM document !?!? But I assume that it is just 'shifting' to the upper word, right ? (LUI= 'Load to the 'Upper' word Immediate ?)

From what I read, it's not 'shifting' per se, but rather loading the top 16 bits and zeroing the bottom 16 bits. It appears rather common to use LUI to load the top 16 (and zero the bottom), and then use ORI to load the bottom 16 bits. Of course in the example above, there was no need to modify the bottom 16 bits, since they are to remain zero, so no ORI instruction was used.
« Last Edit: March 06, 2007, 09:38:53 AM by StandardIO »
Takires
« Reply #9 on: March 06, 2007, 09:54:18 AM »

Quote
*EDIT 2* I can't find the 'lui' instruction in the IBM document !?!? But I assume that it is just 'shifting' to the upper word, right ? (LUI= 'Load to the 'Upper' word Immediate ?)

'lui' is MIPS code.
'lis' or 'addis' does the same in the PPC world.
TheSpecialist
« Reply #10 on: March 06, 2007, 10:42:02 AM »

Thanks for clearing that up, Takires!
fungus
« Reply #11 on: March 06, 2007, 01:08:48 PM »

Oops, yes, I made a few mistakes - sorry, the bl getc/putc was forgivable at least :-) - I've done a lot more MIPS asm than PPC, sorry for the lui - at least it had you digging through the manuals :-) - so do you have that area of memory dumped now?

-fungus
TheSpecialist
« Reply #12 on: March 17, 2007, 08:19:44 PM »

Here's a much better description of the PPC instruction set:

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.aixassem/doc/alangref/abs.htm
TheSpecialist
« Reply #13 on: March 17, 2007, 08:47:47 PM »

Here's a question for the PPC gurus:

Quote
li      %r3, 6
rldicr  %r3, %r3, 32,31
oris    %r3, %r3, 3
addi    %r3, %r3, 0x6000
addi    %r3, %r3, 0x6000

Why add that 0x6000 two times and not just 0xc000 once?
vax11780
« Reply #14 on: March 17, 2007, 11:59:58 PM »

Quote
Here's a question for the PPC guru's:

Quote
li      %r3, 6
rldicr  %r3, %r3, 32,31
oris    %r3, %r3, 3
addi    %r3, %r3, 0x6000
addi    %r3, %r3, 0x6000

Why add 2 times that 0x6000 and not just one time 0xc000 ?


Immediate values get sign extended.

VAX

I'm not a guru, but I pretend to be one on the internet.
Takires
« Reply #15 on: March 18, 2007, 04:34:10 AM »

To be precise: addi uses sign-extended immediates, ori uses unsigned immediates.

You can replace both addi instructions with a single ori instruction: ori %r3, %r3, 0xc000
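A small Python model of the immediate forms the thread discusses, added here as an example; it is not code from the thread or from the exploit. It covers DrMatrix's @h/@l and hello-1 explanation in reply #3 (including the 64k-aligned case where the -1 must go into the high half too) and the addi-vs-ori sign-extension point from replies #14 and #15. Function names, the sample addresses and the constructed memory are my own assumptions; bit numbering follows the IBM convention (bit 0 = MSB) used in the thread.

```python
# Added example, not code from the thread: a small model of the PowerPC
# immediate forms discussed above.  Registers are 64-bit integers.
MASK64 = (1 << 64) - 1

def s16(imm):
    """Sign-extend a 16-bit immediate, as li/addi/lis do."""
    imm &= 0xFFFF
    return imm - 0x10000 if imm & 0x8000 else imm

def at_l(expr): return expr & 0xFFFF            # GNU as @l: low 16 bits
def at_h(expr): return (expr >> 16) & 0xFFFF    # GNU as @h: bits 16..31

def li(imm):       return s16(imm) & MASK64
def lis(imm):      return (s16(imm) << 16) & MASK64
def ori(r, imm):   return r | (imm & 0xFFFF)           # unsigned immediate
def oris(r, imm):  return r | ((imm & 0xFFFF) << 16)   # unsigned immediate
def addi(r, imm):  return (r + s16(imm)) & MASK64      # signed immediate

def rldicr(r, sh, me):
    """Rotate left doubleword by sh, keep bits 0..me (IBM numbering, bit 0 = MSB)."""
    rot = ((r << sh) | (r >> (64 - sh))) & MASK64
    return rot & (MASK64 ^ ((1 << (63 - me)) - 1))

def load_address(sym, minus_one_in_high):
    """The exploit's lis/ori pair for sym - 1; see lbzu_loop for why the -1."""
    target = sym - 1
    r = lis(at_h(target) if minus_one_in_high else at_h(sym))
    return ori(r, at_l(target))

def lbzu_loop(mem, r6):
    """The exploit's read loop: lbzu r3, 1(r6) bumps r6 first, then loads."""
    out = []
    while True:
        r6 += 1
        if mem[r6] == 0:
            return bytes(out)
        out.append(mem[r6])

def build_r3(op, imm):
    """The li/rldicr/oris prologue from reply #13, then one addi or ori of imm."""
    return op(oris(rldicr(li(6), 32, 31), 3), imm)

# Constructed sample memory: a NUL at address 0, the string at address 1.
MEM = b"\x00hello\x00"

if __name__ == "__main__":
    print(lbzu_loop(MEM, load_address(1, True)))           # b'hello'
    print(hex(load_address(0x20000, False)), hex(load_address(0x20000, True)))
    print(hex(build_r3(addi, 0xc000)), hex(build_r3(ori, 0xc000)))
```

With a 64k-aligned symbol, `hello@h` plus `(hello-1)@l` yields the wrong address, while `(hello-1)@h` gets it right; and a single `addi 0xc000` lands 0x10000 short of two `addi 0x6000` or one `ori 0xc000`.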
ubern00b
« Reply #16 on: March 20, 2007, 03:25:15 PM »

Here's something I found while reading up on PPC for dummies:

PowerPC Assembly Quick Reference Information: Simplified Mnemonics

http://class.ee.iastate.edu/cpre211/labs/simplified_mnemonics.pdf

Makes a n00b's life a lot easier trying to understand what's written.

Hope that helps