Why psp is modifying a mips instruction?
08-15-2016, 06:42 PM (This post was last modified: 08-15-2016 06:44 PM by dreambottle.)
Post: #1
Why psp is modifying a mips instruction?
Hi PSP experts and hackers!

I am making a few MIPS assembly patches for the Remember11 translation port that I'm currently working on (https://github.com/dreambottle/R11-psp-english , game id: ULJM05444). What I noticed in the debugger is that the instruction at address 0x0881A990 (physical 0x16A30 in the BOOT.BIN file) is transformed before runtime into something else (for example 'nop' becomes 'sll v0, zero, 0'). It doesn't depend on what the instruction is or what other instructions surround it.

I am using armips for compiling/patching the assembly, but I am sure that it works correctly - I checked the resulting file, and the hex values are correct.
In fact, even when I fill the whole subroutine with nops, when I launch the game, in the debugger I see:

Code:
0881A984:
    nop    
    nop    
    nop    
    sll    v0,zero,0x0
    nop    
    nop    
    nop    
    ...

A few other observations:
- It's not just what the debugger shows - it's how it actually works. If I place some instruction in that place, it will mess it up and, in the worst case, hang the game.
- It works in the same way both on the PPSSPP emulator and on the real PSP, so this is not a PPSSPP issue.
- I thought - "maybe the game can modify its own code?" - this is not the case, the read/write breakpoint at 0x0881A990 is never triggered.

While I managed to work around this, I am still curious what kind of magic this is. It seems to me that this is a feature, not a bug. Can anyone explain it?
08-15-2016, 08:50 PM
Post: #2
RE: Why psp is modifying a mips instruction?
Ok, I figured this out.

BOOT.BIN is a relocatable ELF file, so jump addresses are modified using the .rel table when it is loaded. And there was a jump instruction at the 0x0881A990 address in the original subroutine.

How to fix this:
1. Find the relocation table offset and size using the `readelf -a BOOT.BIN` command in a bash terminal.
2. Every table entry consists of two uint32s: r_offset and r_info (spec: sco.com/developers/gabi/latest/ch4.reloc.html#reloc_types ).
3. In the table, find the entry for the offset of the relocated instruction. In my case the "problematic" instruction offset is 0x16990 (the 0x16A30 address in the file minus the 0xA0 section offset in the file), and change the r_info value from 4 to 0.
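As an added example (my own code, not dreambottle's patcher or anything from the R11-psp-english repository) that automates steps 2 and 3 above: it decodes Elf32_Rel entries, converts the file offset to the section-relative r_offset, and rewrites the matching entry's type to R_MIPS_NONE so the loader skips it. The .rel section offset/size would come from `readelf`; here a three-entry table is constructed inline, and the type numbers are the standard MIPS ABI ones (type 4 is R_MIPS_26, the j/jal target fixup that matches the jump that used to live at that address).

```python
import struct
from typing import List, Tuple

# Relocation types from the MIPS ELF ABI. PSP ELFs can also use custom types,
# so check what readelf reports before assuming these numbers.
R_MIPS_NONE = 0   # loader skips the entry
R_MIPS_26 = 4     # rewrites the 26-bit target field of a j/jal instruction


def file_to_section_offset(file_off: int, section_file_off: int) -> int:
    """r_offset is relative to the section, not the file: 0x16A30 - 0xA0 = 0x16990."""
    return file_off - section_file_off


def parse_rel_table(blob: bytes) -> List[Tuple[int, int, int]]:
    """Decode an Elf32_Rel table (little-endian, as on PSP) into (r_offset, sym, type)."""
    if len(blob) % 8:
        raise ValueError("Elf32_Rel table length must be a multiple of 8")
    entries = []
    for pos in range(0, len(blob), 8):
        r_offset, r_info = struct.unpack_from("<II", blob, pos)
        entries.append((r_offset, r_info >> 8, r_info & 0xFF))  # ELF32_R_SYM / ELF32_R_TYPE
    return entries


def neutralize_relocation(image: bytes, rel_off: int, rel_size: int, target: int) -> Tuple[bytes, int]:
    """Return a copy of `image` where the entry with r_offset == target has its type
    set to R_MIPS_NONE (symbol index kept), plus the type it had before.
    rel_off/rel_size are the .rel section's file offset and size as printed by readelf."""
    buf = bytearray(image)
    for pos in range(rel_off, rel_off + rel_size, 8):
        r_offset, r_info = struct.unpack_from("<II", buf, pos)
        if r_offset == target:
            struct.pack_into("<II", buf, pos, r_offset, r_info & 0xFFFFFF00)
            return bytes(buf), r_info & 0xFF
    raise KeyError(f"no relocation entry with r_offset 0x{target:X}")


# Constructed sample image: 16 bytes of filler, then a three-entry .rel table.
SAMPLE_REL_OFF = 16
SAMPLE_TABLE = struct.pack("<IIIIII",
                           0x16980, 0x05,   # R_MIPS_HI16 (illustrative neighbour)
                           0x16990, 0x04,   # R_MIPS_26: the jump fixup that clobbers the patch
                           0x169A0, 0x06)   # R_MIPS_LO16 (illustrative neighbour)
SAMPLE_IMAGE = b"\0" * SAMPLE_REL_OFF + SAMPLE_TABLE

if __name__ == "__main__":
    target = file_to_section_offset(0x16A30, 0xA0)
    patched, old = neutralize_relocation(SAMPLE_IMAGE, SAMPLE_REL_OFF, len(SAMPLE_TABLE), target)
    print(f"0x{target:X}: r_info type {old} -> {R_MIPS_NONE}")
    print(parse_rel_table(patched[SAMPLE_REL_OFF:]))
```

Running it on a real BOOT.BIN means reading the file into `image`, passing the `.rel` offset and size from `readelf -S`, and writing the returned bytes back out; re-run `readelf -r` afterwards to confirm only the one entry changed.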
08-16-2016, 02:23 AM
Post: #3
RE: Why psp is modifying a mips instruction?
Beware, some PSP ELFs have custom relocation types, I believe. Also, some games will modify their MIPS instructions otherwise at runtime. But probably this game doesn't.

In a perfect world, modifications would be re-linked into the executable, adjusting the relocation table as necessary.

-[Unknown]