Announcement

Collapse
No announcement yet.

PS2 ASM hacking malloc and free function

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • PS2 ASM hacking malloc and free function

    A game that I am hacking (SD HCTP) has the malloc and free function that I would like to call to create usable spaces for some data (around 629kb so I can't find the static address for it) then release it.
    Since you guys might not have HCTP I will provide the link to the Label Mates where they got a similar malloc and free function.(They have same registers just different static address)
    http://dlevere1.proboards.com/thread...abel-mates-gmo
    Its in the file CmpLabelsXxX2
    I do not know what are the parameters of those function, what I think I know is that malloc return the pointer as v0 when the function ends.
    I would like to know:
    + What registers are the size of the memory in malloc and free?
    + What register is the pointer of the address to be freed in the free function?
    Any help would be grateful.
    Last edited by eatrawmeat391; 11-15-2017, 08:41:10 AM.

  • #2
    Could you post some screen shots of the function in the ps2dis as well as an example of it being used.

    Comment


    • #3
      In MIPS assembly, the parameters passed to a function are respectively stored to the registers a0-a3 (a0 being the first parameter, a1 the second, etc).
      The temporary registers are also used to pass parameters when a function takes more than 4. For instance, let's say you have a function taking 6 parameters :

      a0 for param.1
      a1 for param.2
      a2 for param.3
      a3 for param.4
      t0 for param. 5
      t1 for param. 6

      v0-v1 is a function's return value.
      A void function that returns nothing can still use v0-v1 as temp registers.

      Q: What registers are the size of the memory in malloc and free?
      malloc has only 1 parameter, that is the number of bytes to allocate.
      Therefore, a0 is the number of bytes.
      After the call, v0 contains the allocated address (or it is null if malloc failed).

      Q: What register is the pointer of the address to be freed in the free function?
      free has only 1 parameter, that is the allocated address to free.
      a0 is that address.


      Let's see a concrete example that needs a big buffer to perform tasks, and release that buffer when done.
      Note : make sure to use the appropriate instructions if you are working with double words (64 bits) ie daddiu, ld, sd, etc.

      ; beginning of our function.
      ; We will call malloc and perhaps other functions later on, therefore we have to save our function's return address beforehand
      ; since each function call changes that return address (register ra).
      ; Where do we store it though? in the stack, whose purpose it to save temporary data (aka local variables in high level languages).
      ; Each new call to a function will (most likely) overwrite the contents of v0.
      ; We don't wanna lose our buffer address (returned by malloc in v0), so we will copy v0 into a saved register, let's choose s0.
      ; s0-s7 is a register whose contents is guaranteed to be exactly the same after a function call (unlike v0, t0-t7, etc). Perfect.
      ; Let's say we need 32 bytes max of temp memory ie 8 words

      addiu sp, sp, -32
      ; save the return address in the stack at offset 0
      sw ra, 0(sp)
      ; we must save the contents of a saved register before using it, that's what we do here; at offset 4 in the stack.
      sw s0, 4(sp)
      ; now we're all good

      ; we allocate 1024 bytes.
      jal malloc
      ; delay slot instruction (executed before malloc is called)
      ori a0, zero, 1024

      ; v0 now contains an address with 1024 bytes available, or NULL if an error occured.
      ; copy v0 into s0, therefore it's safe to call other function afterwards.

      or s0, v0, zero
      ; of course, you can and should save v0 somewhere in the RAM if you need your buffer in external functions.

      ; test if the allocation failed (note at this point s0 and v0 are the same),
      ; assuming we are going to perform tasks that require our allocated buffer.

      beq s0, zero, end

      ; ...do awesome tasks

      end :
      ; assuming we no longer need our buffer, we can free it.

      ; note you don't need to worry about s0 being null, as free usually checks for it.
      jal free
      ; delay slot instruction; copy s0 into a0 ie passes our buffer address as the first argument.
      or a0, s0, zero

      ; free has been called, our buffer no longer exists.
      ; we're done, now we must restore the return address and s0.
      ; notice this is symetric with the beginning, except it's a lw instruction.

      lw ra, 0(sp)
      lw s0, 4(sp)
      ; good, we finally quit
      jr ra
      ; delay slot instruction; restore the stack as it were.
      addiu sp, sp, 32
      Last edited by Linblow; 12-17-2017, 02:34:55 AM.

      Comment

      Working...
      X