OMG!!! - Full Debug Info

steddy · Post by **steddy** » Mon Jun 13, 2005 6:21 am

Just discovered that Puzzle Bobble JAP has full debug information in the BOOT.BIN file :)

Steddy

Post by **TyRaNiD** » Mon Jun 13, 2005 6:48 am

My, you do have a large game collection ;)

steddy · Post by **steddy** » Mon Jun 13, 2005 6:51 am

Yep

I got two very close friends both got PSP's the same time as me and we never get the same stuff. Probably got every release there is.

What is the best tool to show the structures from the debug information including all the function calls and parameters?

ee-readelf -w seems to tell me that just about every Struct and Type in the PSP API is defined in there, but its not very readable.

Steddy

steddy · Post by **steddy** » Mon Jun 13, 2005 7:01 am

Here an example of some code :)

Code: Select all

00000464 <main>&#58;
     464&#58;       27bdffc0        addiu   sp,sp,-64
     468&#58;       3c050000        lui     a1,0x0
     46c&#58;       3c040003        lui     a0,0x3
     470&#58;       24a5042c        addiu   a1,a1,1068
     474&#58;       27a60010        addiu   a2,sp,16
     478&#58;       2484dd04        addiu   a0,a0,-8956
     47c&#58;       24020100        li      v0,256
     480&#58;       afbf0028        sw      ra,40&#40;sp&#41;
     484&#58;       afb10024        sw      s1,36&#40;sp&#41;
     488&#58;       3c110000        lui     s1,0x0
     48c&#58;       e7b60038        swc1    $f22,56&#40;sp&#41;
     490&#58;       e7b50034        swc1    $f21,52&#40;sp&#41;
     494&#58;       e7b40030        swc1    $f20,48&#40;sp&#41;
     498&#58;       afb00020        sw      s0,32&#40;sp&#41;
     49c&#58;       0c00b568        jal     2d5a0 <sceKernelCreateCallback>
     4a0&#58;       afa20010        sw      v0,16&#40;sp&#41;
     4a4&#58;       0c00b532        jal     2d4c8 <sceKernelRegisterExitCallback>
     4a8&#58;       00402021        move    a0,v0
     4ac&#58;       0c00b5a2        jal     2d688 <sceCtrlSetSamplingCycle>
     4b0&#58;       00002021        move    a0,zero
     4b4&#58;       0c00b5a4        jal     2d690 <sceCtrlSetSamplingMode>
     4b8&#58;       24040001        li      a0,1
     4bc&#58;       0c006a76        jal     1a9d8 <sceGuInit>
     4c0&#58;       00000000        nop
     4c4&#58;       3c050002        lui     a1,0x2
     4c8&#58;       24a53c50        addiu   a1,a1,15440
     4cc&#58;       00002021        move    a0,zero
     4d0&#58;       0c006ab3        jal     1aacc <sceGuStart>
     4d4&#58;       3c060008        lui     a2,0x8
     4d8&#58;       24040003        li      a0,3
     4dc&#58;       00002821        move    a1,zero
     4e0&#58;       0c0071b6        jal     1c6d8 <sceGuDrawBuffer>
     4e4&#58;       24060200        li      a2,512
     4e8&#58;       3c060008        lui     a2,0x8
     4ec&#58;       34c68000        ori     a2,a2,0x8000
     4f0&#58;       24070200        li      a3,512
     4f4&#58;       240401e0        li      a0,480
     4f8&#58;       0c00722d        jal     1c8b4 <sceGuDispBuffer>
     4fc&#58;       24050110        li      a1,272
     500&#58;       3c040011        lui     a0,0x11
     504&#58;       0c00720e        jal     1c838 <sceGuDepthBuffer>
     508&#58;       24050200        li      a1,512
     50c&#58;       24040710        li      a0,1808
     510&#58;       0c007302        jal     1cc08 <sceGuOffset>
     514&#58;       24050778        li      a1,1912
     518&#58;       240601e0        li      a2,480
     51c&#58;       24070110        li      a3,272
     520&#58;       24040800        li      a0,2048
     524&#58;       0c007298        jal     1ca60 <sceGuViewport>
     528&#58;       24050800        li      a1,2048
     52c&#58;       3404c350        li      a0,0xc350
     530&#58;       0c0072bd        jal     1caf4 <sceGuDepthRange>
     534&#58;       24052710        li      a1,10000
     538&#58;       00002821        move    a1,zero
     53c&#58;       240601e0        li      a2,480
     540&#58;       24070110        li      a3,272
     544&#58;       0c007611        jal     1d844 <sceGuScissor>
     548&#58;       00002021        move    a0,zero
     54c&#58;       0c006c85        jal     1b214 <sceGuEnable>
     550&#58;       24040002        li      a0,2
     554&#58;       00004021        move    t0,zero
     558&#58;       00003821        move    a3,zero
     55c&#58;       24050002        li      a1,2

Steddy

inomine · Post by **inomine** » Mon Jun 13, 2005 7:15 am

Off topic, is Puzzle Bobble any good? I've been wasting enourmous amounts of time playing with the SNES version but it's not all that smooth and does not really do the PSP justice.

annerajb · Post by **annerajb** » Mon Jun 13, 2005 7:20 am

i think that you didnt read right puzzle boble for PSP jap has debug in in the boot.bin
that can help find some functions

steddy · Post by **steddy** » Mon Jun 13, 2005 7:21 am

The graphics aren't great for a PSP game, but it makes full use of the screen and is very smooth.

Puzzle Bobble is always great on any platform. I prefer Lumines and Mercury though.

Steddy

Lex · Post by **Lex** » Mon Jun 13, 2005 7:37 am

Puzzle Bobble comes with a newer Atrac3plus-lib and audiocodec prx.
Not so many functions to discover (sure except for the parameters),
a few sceAtrac-stuff (with two new hashes because of the new lib and
a yet unseen sceGu..., and we could correct a function name in sceCtrl)

djhuevo · Post by **djhuevo** » Mon Jun 13, 2005 7:40 am

sceGu is a library that compile static, not a module.

anybody has figured PRX versioning flags?

steddy · Post by **steddy** » Mon Jun 13, 2005 8:09 am

Lex wrote:Puzzle Bobble comes with a newer Atrac3plus-lib and audiocodec prx.
Not so many functions to discover (sure except for the parameters),
a few sceAtrac-stuff (with two new hashes because of the new lib and
a yet unseen sceGu..., and we could correct a function name in sceCtrl)

Well it Imports lots of other libraries that are present in the firmware and calls functions present in those too. So it is somewhat more useful than you may realize.

Steddy

Vampire · Post by **Vampire** » Mon Jun 13, 2005 8:26 am

djhuevo wrote:anybody has figured PRX versioning flags?

in the ~psp header:
ver_lo is at offset 0x08
ver_hi is at offset 0x09

steddy · Post by **steddy** » Mon Jun 13, 2005 8:35 am

Ps2Dis really doesn't seem to like debug information. It fills most of the files with 0x88 when loaded :(

I am having to use ee-objdump but that doesn't do analysis of pointers to string sections. Anyone know of anything else for debuging that will show me what parameters are actually pointing at?

Steddy

0xdeadface · Post by **0xdeadface** » Mon Jun 13, 2005 8:41 am

If you know the object file format it's fairly easy to write your own disassembler. It's a bit of a crappy job, but pretty straightforward.

0xdf

Vampire · Post by **Vampire** » Mon Jun 13, 2005 8:43 am

Vampire wrote:
djhuevo wrote:anybody has figured PRX versioning flags?
in the ~psp header:
ver_lo is at offset 0x08
ver_hi is at offset 0x09

in sceModuleInfo:
ver_lo is at offset 0x02
ver_hi is at offset 0x03

Marco_N · Post by **Marco_N** » Mon Jun 13, 2005 8:57 am

Maybe this is n00b but in the filelist.txt (posted on another site) for Twisted Metal Head On there's a rinit.prx.nodebug and a rinit.prx; perhaps this rinit.prx contains some debug information as well and it was forgotten to delete it and replace it with the nodebug version?

Edit: clarification / typo

steddy · Post by **steddy** » Mon Jun 13, 2005 8:58 am

djhuevo wrote:sceGu is a library that compile static, not a module.

Yep, and that means the source to those functions is present in the debug output.

For example:

Code: Select all

0001c974 <sceGuDisplay>&#58;
   1c974&#58;	27bdfff0 	addiu	sp,sp,-16
   1c978&#58;	3c090052 	lui	t1,0x52
   1c97c&#58;	afb00000 	sw	s0,0&#40;sp&#41;
   1c980&#58;	00002821 	move	a1,zero
   1c984&#58;	00003021 	move	a2,zero
   1c988&#58;	afbf0004 	sw	ra,4&#40;sp&#41;
   1c98c&#58;	24070001 	li	a3,1
   1c990&#58;	00808021 	move	s0,a0
   1c994&#58;	10800008 	beqz	a0,1c9b8 <sceGuDisplay+0x44>
   1c998&#58;	25287a90 	addiu	t0,t1,31376
   1c99c&#58;	3c020052 	lui	v0,0x52
   1c9a0&#58;	8c447a30 	lw	a0,31280&#40;v0&#41;
   1c9a4&#58;	8d03000c 	lw	v1,12&#40;t0&#41;
   1c9a8&#58;	8d050004 	lw	a1,4&#40;t0&#41;
   1c9ac&#58;	8d267a90 	lw	a2,31376&#40;t1&#41;
   1c9b0&#58;	00832021 	addu	a0,a0,v1
   1c9b4&#58;	24070001 	li	a3,1
   1c9b8&#58;	0c00b5aa 	jal	2d6a8 <sceDisplaySetFrameBuf>
   1c9bc&#58;	00000000 	nop
   1c9c0&#58;	3c030052 	lui	v1,0x52
   1c9c4&#58;	8c627a84 	lw	v0,31364&#40;v1&#41;
   1c9c8&#58;	8fbf0004 	lw	ra,4&#40;sp&#41;
   1c9cc&#58;	ac707a84 	sw	s0,31364&#40;v1&#41;
   1c9d0&#58;	8fb00000 	lw	s0,0&#40;sp&#41;
   1c9d4&#58;	03e00008 	jr	ra
   1c9d8&#58;	27bd0010 	addiu	sp,sp,16

The source to all the stdlib / stdio functions is present too.

Here are all the module imports it contains:-

Code: Select all

0002d480 <sceIoRead>&#58;
0002d488 <sceIoWrite>&#58;
0002d490 <sceIoLseek>&#58;
0002d498 <sceIoDevctl>&#58;
0002d4a0 <sceIoClose>&#58;
0002d4a8 <sceIoOpen>&#58;
0002d4b0 <sceKernelCpuSuspendIntr>&#58;
0002d4b8 <sceKernelCpuResumeIntr>&#58;
0002d4c0 <sceKernelExitGame>&#58;
0002d4c8 <sceKernelRegisterExitCallback>&#58;
0002d4d0 <sceKernelLoadModuleByID>&#58;
0002d4d8 <sceKernelLoadModule>&#58;
0002d4e0 <sceKernelStartModule>&#58;
0002d4e8 <sceKernelStopModule>&#58;
0002d4f0 <sceKernelUnloadModule>&#58;
0002d4f8 <sceKernelSelfStopUnloadModule>&#58;
0002d500 <sceKernelStdin>&#58;
0002d508 <sceKernelStdout>&#58;
0002d510 <sceKernelStderr>&#58;
0002d518 <sceKernelAllocPartitionMemory>&#58;
0002d520 <sceKernelFreePartitionMemory>&#58;
0002d528 <sceKernelGetBlockHeadAddr>&#58;
0002d530 <sceKernelCreateThread>&#58;
0002d538 <sceKernelDeleteThread>&#58;
0002d540 <sceKernelStartThread>&#58;
0002d548 <sceKernelExitThread>&#58;
0002d550 <sceKernelExitDeleteThread>&#58;
0002d558 <sceKernelWaitThreadEnd>&#58;
0002d560 <sceKernelDelayThread>&#58;
0002d568 <sceKernelDelayThreadCB>&#58;
0002d570 <sceKernelCreateEventFlag>&#58;
0002d578 <sceKernelDeleteEventFlag>&#58;
0002d580 <sceKernelSetEventFlag>&#58;
0002d588 <sceKernelClearEventFlag>&#58;
0002d590 <sceKernelWaitEventFlag>&#58;
0002d598 <sceKernelPollEventFlag>&#58;
0002d5a0 <sceKernelCreateCallback>&#58;
0002d5a8 <sceKernelGetSystemTimeLow>&#58;
0002d5b0 <sceKernelLibcClock>&#58;
0002d5b8 <sceKernelLibcTime>&#58;
0002d5c0 <sceKernelLibcGettimeofday>&#58;
0002d5c8 <sceKernelDcacheWritebackAll>&#58;
0002d5d0 <sceAtracReleaseAtracID>&#58;
0002d5d8 <sceAtracSetDataAndGetID>&#58;
0002d5e0 <sceAtracDecodeData>&#58;
0002d5e8 <sceAtracGetRemainFrame>&#58;
0002d5f0 <sceAtracGetStreamDataInfo>&#58;
0002d5f8 <sceAtracAddStreamData>&#58;
0002d600 <sceAtracGetSecondBufferInfo>&#58;
0002d608 <sceAtracSetSecondBuffer>&#58;
0002d610 <sceAtracGetNextDecodePosition>&#58;
0002d618 <sceAtracGetSoundSample>&#58;
0002d620 <sceAtracSetLoopNum>&#58;
0002d628 <sceAtracGetBufferInfoForReseting>&#58;
0002d630 <sceAtracResetPlayPosition>&#58;
0002d638 <sceAtracGetInternalErrorInfo>&#58;
0002d640 <sceAudioOutputBlocking>&#58;
0002d648 <sceAudioOutputPanned>&#58;
0002d650 <sceAudioOutputPannedBlocking>&#58;
0002d658 <sceAudioChReserve>&#58;
0002d660 <sceAudioChRelease>&#58;
0002d668 <sceAudioGetChannelRestLen>&#58;
0002d670 <sceAudioSetChannelDataLen>&#58;
0002d678 <sceAudioChangeChannelConfig>&#58;
0002d680 <sceAudioChangeChannelVolume>&#58;
0002d688 <sceCtrlSetSamplingCycle>&#58;
0002d690 <sceCtrlSetSamplingMode>&#58;
0002d698 <sceCtrlReadBufferPositive>&#58;
0002d6a0 <sceDisplaySetMode>&#58;
0002d6a8 <sceDisplaySetFrameBuf>&#58;
0002d6b0 <sceDisplayGetVcount>&#58;
0002d6b8 <sceDisplayWaitVblankCB>&#58;
0002d6c0 <sceDisplayWaitVblankStart>&#58;
0002d6c8 <sceGeEdramGetAddr>&#58;
0002d6d0 <sceGeListEnQueue>&#58;
0002d6d8 <sceGeListEnQueueHead>&#58;
0002d6e0 <sceGeListUpdateStallAddr>&#58;
0002d6e8 <sceGeListSync>&#58;
0002d6f0 <sceGeDrawSync>&#58;
0002d6f8 <sceGeBreak>&#58;
0002d700 <sceGeContinue>&#58;
0002d708 <sceGeSetCallback>&#58;
0002d710 <sceGeUnsetCallback>&#58;
0002d718 <sceUmdActivate>&#58;
0002d720 <sceUmdGetDriveStat>&#58;
0002d728 <sceUtilitySavedataInitStart>&#58;
0002d730 <sceUtilitySavedataShutdownStart>&#58;
0002d738 <sceUtilitySavedataUpdate>&#58;
0002d740 <sceUtilitySavedataGetStatus>&#58;

Steddy

Shine · Post by **Shine** » Mon Jun 13, 2005 11:18 pm

That's interesting. Perhaps you can find out the parameters for sceUtilitySavedataInitStart and the other savegame functions? If we can reverse engineering it, it would be possible to write PSP programs, which modify savegames for creating exploits or even cheats :-)

subbie · Post by **subbie** » Tue Jun 14, 2005 1:45 am

any chance of finding out some gu commands for drawing and rendering polygons or surfaces?

As for the person asking about puzzle bobble. The classic arcade versions are the best. So the Neo CD ver of puzzle bobble 1 is the best one posible on the psp. Have not played the psp version but was not to keen on its looks & cost.

steddy · Post by **steddy** » Tue Jun 14, 2005 3:48 am

Shine wrote:That's interesting. Perhaps you can find out the parameters for sceUtilitySavedataInitStart and the other savegame functions? If we can reverse engineering it, it would be possible to write PSP programs, which modify savegames for creating exploits or even cheats :-)

I already know the answer to that one and its pretty complex.

static SceUtilitySavedataParam save_param;
int retval = sceUtilitySavedataInitStart(&save_param);

The trick is in working out the format of SceUtilitySavedataParam without access to the devkit.

Steddy

Guest · Post by **Guest** » Tue Jun 14, 2005 9:05 am

steddy wrote:The trick is in working out the format of SceUtilitySavedataParam without access to the devkit.

Thats where using a disassembler comes in handy ;)

Shine · Post by **Shine** » Sat Jun 18, 2005 7:41 pm

steddy wrote: I already know the answer to that one and its pretty complex.

static SceUtilitySavedataParam save_param;
int retval = sceUtilitySavedataInitStart(&save_param);

Edited: see http://forums.ps2dev.org/viewtopic.php?t=2218