How to hook sceGSSyncVCallback?

[doctorxyz]

Dears coders,

I need to replace (patch) return value of the sceGSSyncVCallback function, based on the return value of a CPUTimer Handler I implemented on my private release of GSM (Graphics Synthesizer Mode Selector):

http://psx-scene.com/forums/f19/gs-m...eedback-61808/

Do you have some ready (or almost ready) code for searching for sceGSSyncVCallback pattern (signature), in order to hook it more easily?

Any help would very appreciated, since this should help on BSOD and freezing issues on some interlaced games when enforced to progressive video modes.

Thanks in advance,

doctorxyz

[kevstah2004]

Codemasters Project: content / how to create a pattern

When you press spacebar and F3 on the sceGSSyncVCallback label in ps2dis, it should bring you to possible places where it can be hooked from.

http://www.codemasters-project.net/p...hp?content.145

[doctorxyz]

Tks a lot but in fact I'm looking for a C source code, close to those ones which OPL uses to make IGR possible, etc. but made specifically for hooking sceGSSyncVCallback.

[kevstah2004]

You got a memory dump that contains it?

[SP193]

Tks a lot but in fact I'm looking for a C source code, close to those ones which OPL uses to make IGR possible, etc. but made specifically for hooking sceGSSyncVCallback.

Given that the pattern for that function is known, I can provide you the patch engine of PS2ESDL to achieve that.

The patch engine of PS2ESDL takes in a pattern, scans through EE RAM for that pattern, and does something based on the data included within the patch itself.

Yes, it can install a function hook too.

That should be something like what you're looking for, right?
Then the only thing left would be to get a sample of sceGSSyncVCallback() in binary form.

[doctorxyz]

Guys,

I really expect I can acompplish this task before giving up of GSM due to my real life obligations. Thanks for your support.

You got a memory dump that contains it?

Not yet.

Given that the pattern for that function is known, I can provide you the patch engine of PS2ESDL to achieve that.

The patch engine of PS2ESDL takes in a pattern, scans through EE RAM for that pattern, and does something based on the data included within the patch itself.

Yes, it can install a function hook too.

That should be something like what you're looking for, right?
Then the only thing left would be to get a sample of sceGSSyncVCallback() in binary form.

SP193,
That's it I need.
Please post here or send me your patch engine by PM okay.
In parallel I will inspect some ISOs in order to get a sample of sceGSSyncVCallback.
Thanks a lot.
BR,

[SP193]

definitions in the included header file:

Code:

/* Some macros used for patching. */
#define JAL(addr)	(0x0c000000|(0x3ffffff&((addr)>>2)))
#define GETJADDR(addr)	((addr&0x03FFFFFF)<<2)

/* Structures */
struct EE_ELF_patch_data{
	u32 mode;		/* How the patch should be applied. */
	u32 src[4];		/* Offset (Only the 1st element is used, the other 3 are ignored)/sample of the original data that needs to be patched, and is to be search for. */
	u32 mask[4];		/* Source pattern Mask (Optional; If unneeded, just fill it with 0xFF bytes). */
	u32 patchData[4];
};

Main code:

Code:

static int (*pCdRead)(u32 lsn, u32 nSectors, void *buffer, u32 *mode);
static int delayed_cdRead(u32 lsn, u32 nSectors, void *buffer, u32 *mode);

/*----------------------------------------------------------------------------------------*/
/* Patch an ELF that has been loaded into memory.                                         */
/*----------------------------------------------------------------------------------------*/
inline void patch_ELF(void *buffer, struct EE_ELF_patch_data *patch){
	u32 *ptr, i;

	DEBUG_PRINTF("PS2ESDL_EE_CORE: Patching ELF. Start offset: %p. Mode: 0x%02x.\n", buffer, patch->mode);

	/* patchData[0] -> Offset relative to the current offset to patch. */
			
	DEBUG_PRINTF("PS2ESDL_EE_CORE: Applying delayed read patch.\n");
	ptr=scan_pattern(patch->src, patch->mask, (void *)0x000D0000, (void *)0x02000000);
	if(ptr!=NULL){
		DEBUG_PRINTF("PS2ESDL_EE_CORE: Patching index 0x%04x relative to %p.\n", patch->patchData[0], ptr);

		pCdRead=(void *)GETJADDR(ptr[patch->patchData[0]]);
		ptr[patch->patchData[0]]=JAL((u32)&delayed_cdRead);
	}
	else DEBUG_PRINTF("PS2ESDL_EE_CORE: Warning! Error looking for the section to patch.\n");

	DEBUG_PRINTF("PS2ESDL_EE_CORE: Completed patching operation.\n");
}

static void *scan_pattern(u32 *pattern, u32 *mask, void *start, void *end){
		u32 *ptr;

		for(ptr=start; ptr<(u32 *)end; ptr++){
			if(
				((ptr[0]&mask[0])==pattern[0])&&
				((ptr[1]&mask[1])==pattern[1])&&
				((ptr[2]&mask[2])==pattern[2])&&
				((ptr[3]&mask[3])==pattern[3])
			){
				DEBUG_PRINTF("PS2ESDL_EE_CORE: Pattern found at %p.\n", ptr);

				return((void *)ptr);
			}
		}

	return NULL;
}

static int delayed_cdRead(u32 lsn, u32 nSectors, void *buffer, u32 *mode)
{
	int result;
	u32 i;

	result=pCdRead(lsn, nSectors, buffer, mode);
	for(i=0; i<0x0100000; i++) __asm("\tnop\n\tnop\n\tnop\n\tnop\n");

	return(result);
}

The code searches EE RAM for a jump to sceCdRead(), and replaces the jump to the original sceCdRead to a function that causes a delay before jumping back to the original sceCdRead function.

If you plan to overwrite the original sceGSSyncVCallback() function with another function or need to replace multiple jumps to sceGSSyncVCallback(), then you might need to make some additional modifications (Like adding a loop).

But if you need to achieve the latter, I could probably add in some more code for you (Since it was part of the engine too, but of a different part of the engine).

This was what I did in 5 minutes, since I don't think that the other parts of the patch engine will be of use to you.

Feel free to ask questions if the code seems complicated.
After all, I'm bad at explaining things in an easy way to others.

[doctorxyz]

Great! Now it seems I got almost everything I need from Kevstah2004 and SP193. I'll work on it ASAP. Tks for your support. BR,

[doctorxyz]

Tks a lot but in fact I'm looking for a C source code, close to those ones which OPL uses to make IGR possible, etc. but made specifically for hooking sceGSSyncVCallback.

I decided to replace sceGSSyncV function.

You got a memory dump that contains it?

Now I have memory dumps from two different games: Woody Woodpecker and Persona 4. I have made an asm function based on the ideas from you two and I think I am almost there. What a pitty I find myself without time to test it. But I hope soon give you good news (here or into GSM thread).
BR,