Hey its imok comming at you guys with another rainy day tutorial and well this time Im going to teach you how to find a real pointer. What is a pointer? A pointer can be used to "carry" data to a new function etc. Also pointers move around so sometimes you will need to use an offset in eh code or the subrotuine. Pointers also have the opcode of a j(jump) and fnc's have the opcode of jals. Now many people use their own methods such as searching the value in real addressing through nitePR or WhitePR/MKULTRA etc. You can really just play around in ps2dis or find a pointer by luck but in this method I will instruct you how to a find a pointer via ps2dis using the function and fnc's.
::What is Required:
1. Some basic MIPS knowledge about jumps, functions and overall a decent understanding of what a jump is and does.
2. ps2dis which is all over the web, just google it if you dont already have it.
3. A dump of the games memory, doesn't matter on type can be a .bin, .pis, or .ram doesnt matter. Though make sure its not edited so it would be the best to make you'r own.
4. A function or address that you want to find a pointer for or just a general area.
5. Your favorite hex calculator
::The Process:
Okay this is the easiest step once you have everything you need and your dump open it up in ps2dis or drag it in and then there is going to be a popup asking you where you want to load it from. Load it from 88 like so.
Once ps2dis is opened up there is another nessecary step we must complete before we get rockin so here is our next step.. invoke. We need to invoke our dump so we can trace the jals and find the fnc's so lets get to it.When ps2dis is open go to Analyzer and click the first one invoke analyzer and then let it load. This may take several seconds to a minute and here is a picture of it
loaded. INVOKE YOUR ANALYZER TO AROUND THIS POINT!
Now time to start the real process once you have your address or function its time to prepare it for the method. For this example Im going to use the function located at the address 00175994 and since we loaded at 08800000 which is REAL addressing so we need to add real addressing for it to find the data value. So take out your hex calculator and lets so some simple math! 00175994 +08800000 = 08975994 there is the address we are going too. So press G and do the following with your function.
Now once your there you are going to hit ctrl+up and that will take you to your first FNC woot congratulations dude you did the first real step.
FNC(in real addressing)
08975814 27bdff60
Once you've done that it is time to highlight that fnc by hitting the SPACE bar on your keyboard and it will make it gray. Time to do the next step which is to hit control up once that jal is highlighted until you find all the refferers which are jals so repeat until you find each one and here are the ones I found for my address after my FNC.
08972c3c 0e25d605
08971aac 0e25d605
08972af4 0e25d605
after that you will go to each one of your addressing like those three I posted above(there can be two or up to three refs) And then go to each one and hit shift+3 at each one of those addresses and one of them should get your pointer. But first you are going to have to fill in the hex with the current address you are located at like so.
So then once you finally get one of those three fncs then one or more of them should lead you to a pointer. If you dont get one right away play around and you should eventually find one. And here is what I found after doing this pointer method. After cycling thro all the refers using F3 it cycles back and its only those three
pointer
08c966a0 08973b94 fake= 004966A0
Now to test it highlight the address location that you think the pointer is and hit w to make that possible pointer a .word and hit the right arrows key and see if it goes back to your original function. Well best of luck and here is what I got, i NEVER tested it.. just an example. =/
#DMA pointer code
;I think
0xFFFFFFFF 0x004966A0
0x00000000 0x00
Well if you have ANY questions, suggestions etc then feel free to let me know by replying to this thread. Thanks for reading and look out for some more tutorials from me imok in the future.
:Credits:
IMOK-Writer of guide also took snapshots
Omega2058-Helping me awhile back with some stacks and this method
~imok out!
Reply With Quote
!
Originally Posted by mr.criminal
Bookmarks