
I am facing a problem that I could not resolve, so I have to turn to the community to help me out. The problem is related to PPC function hooking.

The area where I am hooking is this.

.text:8220D810                 mflr      r12
.text:8220D814                 bl        __savegprlr_20
.text:8220D818                 stfd      f31, var_70(r1)
.text:8220D81C                 stwu      r1, -0x100(r1)
.text:8220D820                 lis       r11, off_82A9CCC0@ha   // => This is where I am hooking the function
.text:8220D824                 lis       r22, dword_82BBAE68@ha // These 4 instructions are overwritten
.text:8220D828                 lis       r10, 8 # 0x87700       // Patched
.text:8220D82C                 mr        r26, r3                // Patched
.text:8220D830                 li        r20, 0
.text:8220D834                 lwz       r9, off_82A9CCC0@l(r11)
.text:8220D838                 ori       r23, r10, 0x7700 # 0x87700
.text:8220D83C                 lwz       r11, dword_82BBAE68@l(r22)
.text:8220D840                 cmplwi    cr6, r11, 0
.text:8220D844                 stw       r9, 0x100+var_7C(r1)
.text:8220D848                 bne       cr6, loc_8220D854
.text:8220D84C                 mr        r30, r20
.text:8220D850                 b         loc_8220D85C

Here it jumps to my code cave, which is shown below. The patched instructions are correctly written in the PredictPlayerHook function and are not the problem.

The problem is that if I call a function in the hook, e.g. here I call "GetCurrentCmdNumber(0);", it causes the game to crash. Without calling any functions the game doesn't crash and the code cave works without any issues, but if I try to call any function within the code cave (PredictPlayerHook) it just crashes. I can't debug it, so I don't know where it crashes.

void __declspec(naked) PredictPlayerHook(){
    DWORD R11,Return,cmdNumber;

    __asm lis r11, 0x82AA //patched instructions
    __asm lis r22, 0x82BC //patched instructions
    __asm lis r10, 0x8    //patched instructions
    __asm mr r26, r3      //patched instructions


     __asm mflr   r0 ; //mflr grabs the link register and stores it into the first operand. r0 is now the link register
     __asm stw  r0, -0x14(r1) ; //Save the link register inside the stack frame
     __asm stwu  r1, -0x90(r1) ;// This is pushing the stack frame (hence push)

    // cmdNumber = GetCurrentCmdNumber(0);

     __asm addi r1, r1, 0x90 ;//popping the stack frame
     __asm lwz r0,-0x14(r1) ; //Reading the link register from the stack
     __asm mtlr r0 ; //Restore the link register

    __asm stw r11,R11
    //Return = 0x82200230;
    __asm lis r11,0x8220  //Return Address is correct. The difference is in IDA segment, it is +0xD600 ahead of the original address.
    __asm ori r11,r11,0x0230
    __asm mtctr r11
    __asm lwz r11,R11
    __asm bctr
}

Here is the function itself, and it's correct. I can use it in a hook placed elsewhere in the game, so it has no issues.

typedef int (__cdecl* CL_GetCurrentCmdNumber)(int localClientNum);
CL_GetCurrentCmdNumber GetCurrentCmdNumber = (CL_GetCurrentCmdNumber)0x82261F90;
  • Last time I checked, Xbox 360 game/app development was under NDA? – Neil Turner May 20 '16 at 14:55
  • @NeilTurner This is for modified Xbox consoles. From what I can see, this is code for a mod menu/hook inside Call of Duty, from the `CL_GetCurrentCmdNumber` function and the `PredictPlayerHook`, so the application is compiled in ARM. – Callum Jun 01 '16 at 20:44
  • Ahh, understood :) – Neil Turner Jun 02 '16 at 10:07

0 Answers