(Artemis) My disfunctional memory dumper

**cYs Driver** · 11-14-2006, 12:04:32 PM

For the last three days i have tried to get this to work but no luck

(ignore the really bad coding and layout

)

Code:

main.c

#include <tamtypes.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <kernel.h>
#include <sifrpc.h>
#include <iopcontrol.h>
#include <loadfile.h>
#include <fileio.h>
#include <debug.h>
#include "libpad.h"
#include "malloc.h"
#include "libcdvd.h"
#include "r5900_regs.h"

#define _RESIDENT_	__attribute__((section(".resident")))
#define DEBUG
char *bootFileName;
#define ERROR_HAX0R				-4
#define ERROR_CDVDFSV_INIT		-5
#define ERROR_SYSTEMCNF_PARSE	-6
#define ERROR_SYSTEMCNF_FILEIO	-7
#define ERROR_SYSTEMCNF_MEMORY	-8

//PAD VARIABLES
	//check for multiple definitions
	#if !defined(ROM_PADMAN) && !defined(NEW_PADMAN)
	#define ROM_PADMAN
	#endif

	#if defined(ROM_PADMAN) && defined(NEW_PADMAN)
	#error Only one of ROM_PADMAN & NEW_PADMAN should be defined!
	#endif

	#if !defined(ROM_PADMAN) && !defined(NEW_PADMAN)
	#error ROM_PADMAN or NEW_PADMAN must be defined!
	#endif
	//pad buffer
	static char padBuf[256] __attribute__((aligned(64)));
	//rumblers
	static char actAlign[6];
	static int actuators;
	//button status
	struct padButtonStatus buttons;
		u32 paddata;
		u32 old_pad;
		u32 new_pad;
	int port, slot;

	#define MAKE_J(addr)   (u32)(0x08000000 | (0x03FFFFFF & ((u32)addr >> 2)))
	#define MAKE_JAL(addr)   (u32)(0x0C000000 | (0x03FFFFFF & ((u32)addr >> 2)))
	#define KSEG0(x)   ((void*)(((u32)(x)) | 0x80000000))

	static u32 vector;
	static u32 *p_vtbl;
	_RESIDENT_ u32 jal_cheats;

	extern void systemHook(void);
	extern void readPad(void);
	extern int j_defhandler;




void breakPoint(void);
//FUNCTIONS
/////////////////////////////////////////////////////////////////////
//loadModules
/////////////////////////////////////////////////////////////////////
static void loadModules(void)
{
    int ret;
#ifdef ROM_PADMAN
    ret = SifLoadModule("rom0:SIO2MAN", 0, NULL);
#else
    ret = SifLoadModule("rom0:XSIO2MAN", 0, NULL);
#endif
    if (ret < 0) {
        SleepThread();
    }
	ret = SifLoadModule("rom0:CDVDMAN", 0, NULL);
	if(ret < 0) {
		SleepThread();
	}

#ifdef ROM_PADMAN
    ret = SifLoadModule("rom0:PADMAN", 0, NULL);
#else
    ret = SifLoadModule("rom0:XPADMAN", 0, NULL);
#endif
    if (ret < 0) {
        SleepThread();
    }
}
///////////////////////////////////////////////////////////////////
//initalise
/////////////////////////////////////////////////////////////////////
void initalise(void)
{
	int ret;

	SifInitRpc(0);
	// init debug screen
	init_scr();
	// load all modules
	loadModules();
	// init pad
	padInit(0);
	if((ret = padPortOpen(0, 0, padBuf)) == 0) {
		#if defined DEBUG
			scr_printf("padOpenPort failed: %d\n", ret);
		#endif
		SleepThread();
	}

	if(!initializePad(0, 0)) {
		#if defined DEBUG
			scr_printf("pad initalization failed!\n");
		#endif
		SleepThread();
	}
}

/////////////////////////////////////////////////////////////////////
//waitPadReady
/////////////////////////////////////////////////////////////////////
static int waitPadReady(int port, int slot)
{
    int state;
    int lastState;
    char stateString[16];

    state = padGetState(port, slot);
    lastState = -1;
    while((state != PAD_STATE_STABLE) && (state != PAD_STATE_FINDCTP1)) {
        if (state != lastState) {
            padStateInt2String(state, stateString);
        }
        lastState = state;
        state=padGetState(port, slot);
    }
    // Were the pad ever 'out of sync'?
    if (lastState != -1) {

    }
    return 0;
}

/////////////////////////////////////////////////////////////////////
//initalizePad
/////////////////////////////////////////////////////////////////////
static int initializePad(int port, int slot)
{

    int ret;
    int modes;
    int i;

    waitPadReady(port, slot);
    modes = padInfoMode(port, slot, PAD_MODETABLE, -1);
    if (modes > 0) {
        for (i = 0; i < modes; i++) {
        }

    }
    if (modes == 0) {
        return 1;
    }

    i = 0;
    do {
        if (padInfoMode(port, slot, PAD_MODETABLE, i) == PAD_TYPE_DUALSHOCK)
            break;
        i++;
    } while (i < modes);
    if (i >= modes) {
        return 1;
    }

    ret = padInfoMode(port, slot, PAD_MODECUREXID, 0);
    if (ret == 0) {
        return 1;
    }
    padSetMainMode(port, slot, PAD_MMODE_DUALSHOCK, PAD_MMODE_LOCK);

    waitPadReady(port, slot);
    padInfoPressMode(port, slot);

    waitPadReady(port, slot);
    padEnterPressMode(port, slot);

    waitPadReady(port, slot);
    actuators = padInfoAct(port, slot, -1, 0);

    if (actuators != 0) {
        actAlign[0] = 0;
        actAlign[1] = 1;
        actAlign[2] = 0xff;
        actAlign[3] = 0xff;
        actAlign[4] = 0xff;
        actAlign[5] = 0xff;

        waitPadReady(port, slot);

       padSetActAlign(port, slot, actAlign);
    }
    else {
        //printf("Did not find any actuators.\n");
    }
    return 1;
}

/////////////////////////////////////////////////////////////////////
//buttonStatts
/////////////////////////////////////////////////////////////////////
static void buttonStatts(int port, int slot)
{
	int ret;
		ret = padRead(port, slot, &buttons);

        if (ret != 0) {
            paddata = 0xffff ^ buttons.btns;

            new_pad = paddata & ~old_pad;
            old_pad = paddata;
		}
}

/////////////////////////////////////////////////////////////////////
//checkPadConnected
/////////////////////////////////////////////////////////////////////
void checkPadConnected(void)
{
	int ret, i;
	ret=padGetState(0, 0);
	while((ret != PAD_STATE_STABLE) && (ret != PAD_STATE_FINDCTP1)) {
		if(ret==PAD_STATE_DISCONN) {
			#if defined DEBUG
	           scr_printf("	Pad(%d, %d) is disconnected\n", 0, 0);
			#endif
		}
		ret=padGetState(0, 0);
	}
	if(i==1) {
		//scr_printf("	Pad: OK!\n");
	}
}

/////////////////////////////////////////////////////////////////////
//pad_wat_button
/////////////////////////////////////////////////////////////////////
void pad_wait_button(u32 button)
{
	while(1)
	{
		buttonStatts(0, 0);
		if(new_pad & button) return;
	}
}



/////////////////////////////////////////////////////////////////////
//getSyscallVTblAddr
/////////////////////////////////////////////////////////////////////
u32 getSyscallVTblAddr(void)
{
   const s32 syscall_num[2] = { 0xFE, 0xFF };
   const u32 magic[2] = { 0x1337C0DE, 0xB16B00B5 };
   u32 addr = -1;
   u32 i;

   SetSyscall(syscall_num[0], (void*)magic[0]);
   SetSyscall(syscall_num[1], (void*)magic[1]);
   ee_kmode_enter();

   for (i = 0x80000000; i < 0x80080000; i += 4) {
      if (!memcmp((u32*)i, magic, sizeof(magic))) {
         addr = i - syscall_num[0] * 4;
         break;
      }
   }

   ee_kmode_exit();
   SetSyscall(syscall_num[0], (void*)0);
   SetSyscall(syscall_num[1], (void*)0);

   return addr;
}

/////////////////////////////////////////////////////////////////////
//getVTblAddr
/////////////////////////////////////////////////////////////////////
int getVTblAddr(void)
{
	//GET SYSCALL VECTOR ADDRESS
	p_vtbl = getSyscallVTblAddr();
	//check for errors
	if(p_vtbl == NULL || p_vtbl == 0){
		scr_printf("	ERROR! Could not get vector address!! Cheat device will not run!\n");
		return -1;
	}
	#if defined DEBUG
		printf("vector table: %0x\n", p_vtbl);
		//scr_printf("	vector table: %0x\n", p_vtbl);
	#endif
	return 0;
}

/////////////////////////////////////////////////////////////////////
//KernelRead
/////////////////////////////////////////////////////////////////////
u32 KernelRead(void *addr, void *buf, u32 size)
{
   DI(); // Disable interrupts
   ee_kmode_enter(); // Enter kernel mode
   memcpy(buf, addr, size);
   ee_kmode_exit(); // Leave kernel mode
   EI(); // Enable interrupts

   return size;
}

/////////////////////////////////////////////////////////////////////
//HookSyscall
/////////////////////////////////////////////////////////////////////
void HookSyscall(int syscall_num, void *myhandler, u32 *j_defhandler)
{
   u32 vector;

   // Read origional handler from syscall vector table
   KernelRead(p_vtbl + syscall_num, &vector, sizeof(vector));

   // Insert jump to the syscall's default handler
   *j_defhandler = MAKE_J(vector);

   // Patch default vector to call my handler first
   SetSyscall(syscall_num, KSEG0(myhandler));
	#if defined DEBUG
   printf("Hooked syscall 0x%02X (old vector: 0x%08X, current: 0x%08X)\n",
      syscall_num, vector, (u32)KSEG0(myhandler));
	#endif
}
/////////////////////////////////////////////////////////////////////
//Dump_memory
/////////////////////////////////////////////////////////////////////
void dump_memory(void)
{
	//int i;
	//for(i = 0; i<10; i++)
	//{
	//	init_scr();
	//	scr_printf("	Hello world!! %i\n", i);
	//}
	//while(1);


	//u32 *memory;
	//int fd;
	//fd = fioOpen("mc0:dump.bin", O_RDONLY);
	//if(fd < 0) return;
	//memcpy(memory, 0x00100000, 0x20000);
	//fioWrite(fd, memory, sizeof(memory));
	//fioClose(fd);
	//free(memory);

}
/////////////////////////////////////////////////////////////////////
//Print_regs
/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////
//Set_break
/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////
//Breakpoint
/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////
//WaitCdReady
/////////////////////////////////////////////////////////////////////
void waitCdReady()
{
	// Block until the dvdrom is ready to take commands
	cdDiskReady(0);

	// Spin up the cd/dvd
	cdStandby();
}

/////////////////////////////////////////////////////////////////////
//ParseSystemCnf
/////////////////////////////////////////////////////////////////////
char *parseSystemCnf()
{
	char *buffer;
	int fd, fdSize;
	int i;

	// Open SYSTEM.CNF on the cdrom, allocate memory for it, terminate the array
	fd = fioOpen("cdrom0:\\SYSTEM.CNF;1", O_RDONLY);
	if(fd < 0) return (char *)ERROR_SYSTEMCNF_FILEIO;

	fdSize = fioLseek(fd, 0, SEEK_END);
	fioLseek(fd, 0, SEEK_SET);

	buffer = malloc(fdSize + 1);
	if(!buffer) return (char *)ERROR_SYSTEMCNF_MEMORY;

	if(fioRead(fd, buffer, fdSize) != fdSize) return (char *)ERROR_SYSTEMCNF_FILEIO;
	fioClose(fd);
	buffer[fdSize] = '\0';

	// Find boot file substring
	buffer = strstr(buffer, "BOOT2");
	buffer += 5;
	while((*buffer == ' ') || (*buffer == '\t')) buffer++;
	buffer++; // bypass '=' character
	while((*buffer == ' ') || (*buffer == '\t')) buffer++;

	i = 0;
	while((buffer[i] != '\n') && (buffer[i] != '\r')) i++;

	// Terminate string at end of boot elf filename
	buffer[i] = '\0';

	// Return pointer to boot elf filename string
	return buffer;
}


int main(void)
{
	initalise();
	scr_printf("				Welcome to cYs Cora Memory Dumper! writen by cYs Driver\n\n");

	if(getVTblAddr() !=0){
		scr_printf("	== Fatal Error ==\n");
		SleepThread();
	}

	while(1)
	{
		//check to see if the pad is still connected
		checkPadConnected();
		//read pad 1
		buttonStatts(0, 0);

		if(new_pad & PAD_CROSS){
			__asm("cross:");
			jal_cheats = MAKE_JAL(&readPad);
			#if defined DEBUG
					printf("jal_cheats: %0x\n",jal_cheats);
			#endif
			//hook the syscall - systemcall number, write_cheat address where it places jal on padread - location at the end of my function
			HookSyscall(0x10, &systemHook, &j_defhandler);
			scr_printf("	Done\n\n");

		}

		if(new_pad & PAD_SQUARE){

			__asm("square:");
			cdStop();

			scr_printf("	Swap CD/DVD's now and close tray\n	Press X to start game\n\n");
			cdTrayReq(0,0x00490000);

			pad_wait_button(PAD_CROSS);

			scr_printf("	Loading...\n");

			//wait for CD to spin up
			waitCdReady();
			if(strlen(bootFileName = parseSystemCnf()) <= 0)
			{
				scr_printf("	== Fatal Error ==\n");
				SleepThread();
			}

			scr_printf("	Loaded Game!");

			// Shutdown
			padPortClose(0, 0);
			SifExitRpc();
			LoadExecPS2((const char *)bootFileName, 0, NULL);

			// Should never get here
			SleepThread();
			return 0;
		}
	}
	

	
	//SifExitRpc();
	return 0;
}

Code:

.include "r5900_regs.h"
.set noreorder

.global j_defhandler
.extern dump_memory
.extern jal_cheat
.section .resident, "a" # really gay that i have to compile this specific part at 0x00080000!!

	.global systemHook
	.ent	systemHook
systemHook:
	addiu $sp, $sp,	-240
	sq $ra,		0($sp)
	sq $s0,		16($sp)
	sq $s1,		32($sp)
	sq $s2,		48($sp)
	sq $s3,		64($sp)
	sq $s4,		80($sp)
	sq $s5,		96($sp)
	sq $s6,		112($sp)
	sq $s7,		128($sp)
	sq $a0,		144($sp)
	sq $a1,		160($sp)
	sq $a2,		176($sp)
	sq $v0,		192($sp)
	sq $v1,		208($sp)
	
	
	# --- FOR CHEATING ---
	li $v0,		0x001bfa68
	li $v1,		0x0c0655f4
	sw $v1,		_orig_jal
	lw $v1,		jal_cheats
	sw $v1,		0($v0)
	
	# --- FOR CHEATING ---
	
	lq $v1,		208($sp)
	lq $v0,		192($sp)
	lq $a2,		176($sp)
	lq $a1,		160($sp)
	lq $a0,		144($sp)
	lq $s7,		128($sp)
	lq $s6,		112($sp)
	lq $s5,		96($sp)
	lq $s4,		80($sp)
	lq $s3,		64($sp)
	lq $s2,		48($sp)
	lq $s1,		32($sp)
	lq $s0,		16($sp)
	lq $ra,		0($sp)
	addiu $sp, $sp,	240
	j_defhandler:
	nop
	nop
	jr $ra
	nop
	.end systemHook

	.global readPad
	.ent	readPad
readPad:
	addiu $sp, $sp,	-240
	sq $ra,		0($sp)
	sq $s0,		16($sp)
	sq $s1,		32($sp)
	sq $s2,		48($sp)
	sq $s3,		64($sp)
	sq $s4,		80($sp)
	sq $s5,		96($sp)
	sq $s6,		112($sp)
	sq $s7,		128($sp)
	sq $a0,		144($sp)
	sq $a1,		160($sp)
	sq $a2,		176($sp)
	sq $v0,		192($sp)
	sq $v1,		208($sp)
	
	# -- read joker --
	lui		$t7,	0x0044
	lh		$t8,	0xd81c($t7)
	# -- read joker --
	
	# L2 + RIGHT
	addiu	$t7,	$zero,	0xFEDF
	bne		$t7,	$t8,	end
	nop
	# DI
	mfc0	$v1,	$12
	lui		$v0,	0x0001
	and		$v1,	$v1, $v0
	daddu	$a0,	$zero, $zero
	beq		$v1,	$zero, end
	sltu	$a1,	$zero, $v1
	lui		$v0,	0x0001
	nop
	loop:
	di
	sync.p
	mfc0	$v1,	$12
	nop
	and		$v1,	$v1, $v0
	nop
	bne		$v1,	$zero, loop
	nop
	daddu	$a0,	$a1, $zero
	
	
	#jal		dump_memory
	nop
	
	# EI
	mfc0	$v0,	$12
	lui		$v1,	0x0001
	and		$v0,	$v0, $v1
	ei
	
end:
	lq $v1,		208($sp)
	lq $v0,		192($sp)
	lq $a2,		176($sp)
	lq $a1,		160($sp)
	lq $a0,		144($sp)
	lq $s7,		128($sp)
	lq $s6,		112($sp)
	lq $s5,		96($sp)
	lq $s4,		80($sp)
	lq $s3,		64($sp)
	lq $s2,		48($sp)
	lq $s1,		32($sp)
	lq $s0,		16($sp)
_orig_jal:
	nop
	nop
	lq $ra,		0($sp)
	jr $ra
	addiu $sp, $sp, 240
	.end	readPad

**cYs Driver** · 11-14-2006, 12:05:03 PM

Code:

makefile
EE_BIN  = Dumper.elf
EE_OBJS = main.o systemHook.s
EE_LIBS = -lpad -ldebug -lcdvd -lc

all: $(EE_BIN)

release: $(EE_BIN)
	 sjcrunch $(EE_BIN) packed.elf

clean:
	rm -f *.elf *.o

install:

include $(PS2SDK)/samples/Makefile.pref
include $(PS2SDK)/samples/Makefile.eeglobal

Now this all compiles fine! runs ok until i press L2+Right to dump the game. This is where it freezes! Its something about the memory section its located i think.
The main entry point for main C is 0x00090000 this is one of the few where i could actually get it to run with out causing errors. The only way i could get the game to load was by placing the system call hook at 0x0008000 which is just really odd!! But i reckon its the call to "dump_memory" that causes the error because its around the 0x00090000 section, i thought maybe disabling interrupts would help as i called "dump_memory" as i thought it was something as silly as that but obviously notHopefully someone can shed some light on this

**Lazy Bastard** · 11-14-2006, 12:50:55 PM

So it initializes and remains in memory after a game is started? I'll take a thorough look after work today.

**Lazy Bastard** · 05-21-2007, 10:33:33 AM

Did you ever get any further with this?

And, I guess I should compile a copy of this, and take a look at it.

**cYs Driver** · 05-21-2007, 02:06:29 PM

nope never!

**Lazy Bastard** · 01-24-2008, 09:55:49 AM

I really need to take a look at this. It appears it should work...so I wonder why it didn't. You're 90% of the way to properly dumping memory, I believe.

Heh @ const u32 magic[2] = { 0x1337C0DE, 0xB16B00B5 };

Have you tried dumping various sized pieces of memory?

As a matter of fact, would you mind sending me a copy of the entire source via email, so I might play with it [LBGSHI@GMAIL.COM]? I don't quite follow what file the second piece of code is supposed to be (systemHook.s?), and some of the include dependencies in main.c (r5900_reg.h, namely) don't exist in the PS2SDK...

**Lazy Bastard** · 01-24-2008, 10:37:03 AM

Ah, I managed to get it to compile, using the r5900_regs.h file you included in your older "How a cheat engine works" release. I'll play with it a bit later.

**ugetab** · 01-24-2008, 04:03:20 PM

If there's a way to dump output to the screen or a device during the program's process, try tagging key points in code to find out what spot in code isn't running, so you can determine the spot to look at, and what variables to dump, if any.

Start in int main(void), and move the code down into functions from there.

It's rather simplistic to do this, but I've often just overlooked stuff, and dumping variables or checking to see if something runs at all has helped me enough that it's one of the first things I think try.

**Lazy Bastard** · 01-24-2008, 07:03:33 PM

It executes fine in PCSX2t, but only gives a black screen on my PS2. Though, I'm running it from CDROM rather than via a remote system such as Naplink, and I'm not sure if you wrote it to run from CDROM...let me know.

**Lazy Bastard** · 01-28-2008, 12:29:15 PM

And yes @ ugetab...I should try that.

Thread: (Artemis) My disfunctional memory dumper

Thread Tools

Search Thread

Display

(Artemis) My disfunctional memory dumper

Thread Information

Users Browsing this Thread

Similar Threads

PSX memory dumping

Memory Dropper v1.0a

PS2 Optical Memory Dumper

An ASM Memory Scanner

PS2 Memory Card help

Visitors found this page by searching for:

0xB16B00B5

cdTrayReq

disfunctional memory

Posting Permissions