Initial commit

2025-01-13 19:39:44 +00:00 · 2025-01-13 19:39:44 +00:00 · 5a9c66ea87
commit 5a9c66ea87
2 changed files with 238 additions and 0 deletions
--- a/build.sh
+++ b/build.sh
@ -0,0 +1,7 @@
 #!/bin/sh
 fcx-as -o cause360error.o -mregnames -a32 -mppc64 cause360error.s
 fcx-ld --accept-unknown-input-arch --oformat=pei-i386 --subsystem xbox --major-subsystem-version 1 --minor-subsystem-version 0 --major-os-version 0 --minor-os-version 0 --section-alignment=0x10000 --file-alignment 512 --disable-dynamicbase --image-base 0x82000000 --disable-long-section-names -e _start -o cause360error.exe cause360error.o
 synthxex --skip-machine-check --input cause360error.exe --output cause360error.xex
--- a/cause360error.s
+++ b/cause360error.s
@ -0,0 +1,231 @@
 # Assembly program to make the Xbox 360 display an error code
 #
 # Copyright (c) 2025 Aiden Isik
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU Affero General Public License for more details.
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 .global _start
 # Code
 .text
 # Read 32-bit little endian value and byte-swap it 
 # IN: r4 == base address of little endian value
 # IN: LR == address to return to
 # OUT: r4 == read and byteswapped value
 get32BitLittleEndian:
 	# r5 == how many bytes to left shift each value read
 	# r6 == working register used to store currently retrieved bytes
 	# r7 == register to store current byte before shift
 	li r5, 24 # Register storing how many bits to shift each value 
 	# Most significant byte
 	lbz r6, 3(r4)
 	slw r6, r6, r5
 	subi r5, r5, 8
 	lbz r7, 2(r4)
 	slw r7, r7, r5
 	subi r5, r5, 8
 	or r6, r6, r7
 	lbz r7, 1(r4)
 	slw r7, r7, r5
 	or r6, r6, r7 
 	# Least significant byte
 	lbz r7, 0(r4)
 	or r6, r6, r7
 	mr r4, r6 # Final value
 	blr
 # If the function was not found, return 0 (set r3 = 0, then return) 
 # IN: r12 == address to return to
 # OUT: r3 == 0 
 kernelFunctionNotFound:
 	li r3, 0
 	mtlr r12
 	blr
 # So I don't know if this works or not: it turns out the kernel does NOT have an export name table
 # Keeping this here in case it's useful in the future for something else
 # Getting function address by name 
 # IN: r3 == address of name string of function
 # IN: LR == address to return to
 # OUT: r3 == address of kernel function (or 0 if it could not be found)
 getKernelFunctionAddrByName:
 	mflr r12
 	# Getting the address of the PE header
 	lis r4, 0x8004
 	ori r4, r4, 0x3C
 	bl get32BitLittleEndian
 	addis r4, r4, 0x8004 # Final address (RVA + kernel base address) 
 	# Getting the address of the export directory table
 	addi r4, r4, 0x78
 	bl get32BitLittleEndian
 	addis r4, r4, 0x8004 # Final address (RVA + kernel base address)
 	# Get number of name pointers (and put it in CTR)
 	mr r8, r4
 	addi r4, r4, 0x18
 	bl get32BitLittleEndian
 	mtctr r4
 	# Get addresses of the name pointer table and the ordinal table
 	addi r9, r8, 0x20 # Name pointer table RVA address
 	addi r4, r8, 0x24 # Ordinal table RVA address
 	bl get32BitLittleEndian
 	addis r10, r4, 0x8004 # Ordinal table address 
 	mr r4, r9
 	bl get32BitLittleEndian
 	addis r4, r4, 0x8004 # Name pointer table address
 	# At this point, r4 contains the name pointer table address, and r10 contains the ordinal table address
 	# r0 (with care), r8, r9 and r11 are free to use. r5, r6 and r7 are used by get32BitLittleEndian,
 	# r12 is used for our return address, and r3 contains the function name's address.
 	# We *could* do a binary search here, since this table is alphabetically sorted.
 	# However, I don't see the marginal speed increase being worth the effort in this case.
 	# We're also looping backwards here, just because it's easier.
 namePointerTableLoop:
 	# Getting the address to the current name and putting it in r8
 	mfctr r8
 	subi r8, r8, 1
 	mulli r8, r8, 4
 	add r8, r4, r8
 	li r11, 0
 functionNameLoop:
 	# Putting characters to compare in r8 and r9, respectively
 	# r11 is our character offset
 	lbzx r8, r4, r11
 	lbzx r9, r3, r11
 	addi r11, r11, 1
 	# Checking if characters match, if they don't, move onto the next entry
 	cmpw cr0, r8, r9
 	bne checkNextNameEntry
 	# If both characters are \0, we found our function in the table (as the whole string matches)
 	cmpwi cr0, r8, 0
 	beq getCorrespondingOrdinalToNameEntry
 	# Next character
 	beq functionNameLoop
 checkNextNameEntry:	
 	bdnz namePointerTableLoop
 	# If we get here, we didn't find the function name in the table. 
 	b kernelFunctionNotFound
 getCorrespondingOrdinalToNameEntry:	
 	# At this point, we have our entry to the ordinal table in CTR.
 	# Convert it to the address of the entry in the ordinal table
 	mfctr r8
 	subi r8, r8, 1
 	mulli r8, r8, 4
 	add r4, r8, r10
 	# Get the ordinal at that address in the ordinal table
 	bl get32BitLittleEndian
 	# Finally, get the address of the function using the ordinal
 	mr r3, r4
 	mtlr r12
 	b getKernelFunctionAddrByOrdinal
 # Getting function address by ordinal
 # IN: r3 == ordinal number
 # IN: LR == address to return to
 # OUT: r3 == address of kernel function (or 0 if it could not be found)
 getKernelFunctionAddrByOrdinal:
 	mflr r12
 	# Getting the address of the PE header
 	lis r4, 0x8004
 	ori r4, r4, 0x3C
 	bl get32BitLittleEndian
 	addis r4, r4, 0x8004 # Final address (RVA + kernel base address) 
 	# Getting the address of the export directory table
 	addi r4, r4, 0x78
 	bl get32BitLittleEndian
 	addis r4, r4, 0x8004 # Final address (RVA + kernel base address)
 	# Making sure the ordinal exists (ordinal is not greater than or equal to export count)
 	mr r8, r4 # Putting export directory table address into a register unused by get32BitLittleEndian
 	addi r4, r4, 0x14 # Address of export count 
 	bl get32BitLittleEndian # Get export count	
 	cmpw r3, r4
 	bgt kernelFunctionNotFound # Ordinal does not exist
 	# Get address of the export address table, and retrieve the address of our function
 	subi r3, r3, 1 # Converting ordinal into kernel EAT index
 	addi r4, r8, 0x1C # Put address of RVA to EAT into r4
 	bl get32BitLittleEndian # Get RVA to EAT
 	addis r4, r4, 0x8004 # Address
 	# Finally, read our address from the export address table and return it
 	mulli r3, r3, 4 # Multiply index by 4 to get export offset
 	add r4, r4, r3 # Add export offset to EAT address to get export address
 	bl get32BitLittleEndian
 	addis r3, r4, 0x8004 # Finally, the address of our function 
 	mtlr r12
 	blr
 _start:	
 	# Getting address of VdDisplayFatalError function and putting it in CTR to call
 	li r3, 434 # Ordinal 434 == VdDisplayFatalError
 	bl getKernelFunctionAddrByOrdinal
 	mtctr r3 # Put our acquired address into CTR for calling
 	# Clearing the argument-passing registers so we don't pass anything we don't want
 	# We don't use these for anything else, so it's safe.
 	li r4, 0
 	li r5, 0
 	li r6, 0
 	li r7, 0
 	li r8, 0
 	li r9, 0
 	li r10, 0
 	# Call with E74
 	lis r3, 0x0001
 	ori r3, r3, 0x244A
 	bctr
 	# Exit code
 	# Not implemented yet, and not relevant here specifically, but this is probably what I'll do
 	# Call XexGetModuleHandle(0 (current executable), address to put handle)
 	# Then call XexUnloadImage(AndExitThread?)(handle address), to exit
 	# Would that actually work to stop the program? If it does it could save a lot of effort.