One hit kill code, need help!

Started by Bully@Wiiplaza, July 23, 2010, 10:40:00 PM

Bully@Wiiplaza

Hey guys, I need some help again. This time, it's a one hit kill ASM code for The Conduit.
The value at address 8081BA18 in the memory viewer shows 00000100. If I set it to 0000011D, it's a one hit kill for the enemies.
Unfortunately, the address keeps moving and I need an assembly code for this.
Here is a picture from breakpoint read:

Please help me, how to write 0000011D instead of 00000100 via assembly... I don't know how to do that in this situation! :o
(Breakpoint write and execute never broke)

Greetings!! ;)
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

dcx2

You can pick your way through this thread.

http://wiird.l0nk.org/forum/index.php/topic,6466.msg54897.html#msg54897

You'll need a C2 hook on the lwz r0, with something like

li r12,0x11D
stw r12,8196(r3)
lwz r0,8196(r3)

Bully@Wiiplaza

okay thanks.
As I inserted the li thingy, the game already froze.
But maybe it doesn't when I use the entire C2 code... ::)

EDIT:
It froze when I applied the code in the main menu...
What else could I do?

Deathwolf

dcx2, the same happens to me.
None of these registers would work.

assembly:

C20E476C 00000002
3980011D 91832004
80032004 00000000

it froze...
lolz

Bully@Wiiplaza

aarggh there must be a way, please respond quickly dcx2 :o
I've been failing for 1 hour now... Already the first edited instruction freezes...! >:D

dcx2

You could try to replace the lwz r0 with li r0,0x11D.  Although if anything else is reading that memory address, it won't see the new value.

You can also try to use r0 instead of r12.  r0 is safe because it is being loaded, and none of the instructions used are "(RA|0)" instructions.  But if r12 freezes then I doubt r0 will work any better.

Are you sure you're doing the right thing?  Set your breakpoint, and when you hit it, step over the lwz, and then over-write the value in r0 with your 0x11D.  Then hit Run.  This will be like a one-time code.

Also, consider stepping through your C2.  Set an execute breakpoint on the instruction before your C2.  Once it is hit, THEN apply your C2 code.  Switch back to breakpoint tab and step through your C2 code.  Make sure it's doing what you think it should do.

Another common ASM problem is that the code which is being executed is run more than once.  For instance, the same code might run when you shoot an enemy, or an enemy shoots you.  This could also cause a problem, by giving your enemies the one-hit-kill power too.  Set multiple breakpoints and make sure that the breakpoint is only hit when you shoot, and not when an enemy shoots, etc.

When the game freezes, try to press "Get BP Data".  Then post the registers/disassembly.  A lot of crashes can be diagnosed and even recovered this way, if you can see what went wrong and how to fix it.

Deathwolf

you mean this?
C20E476C 00000002
3800011D 90032004
80032004 00000000

li r0,285
stw r0,8196(r3)
lwz r0,8196(r3)
lolz

Bully@Wiiplaza

If I set the read breakpoint, it always breaks immediately (I don't have other codes activated).
If I set the write or execute breakpoint, it does not break.

dcx2

lol, you're never going to execute data, so of course that won't work.

I see that you have the Exact Match checkbox checked.  You might be having the Inverse Exact Breakpoint Fail.  If the lower 16-bits of the value are being written to with a sth, you will never hit that breakpoint.

In other words, an Exact Match will only break if the address matches EXACTLY.  You set your BP to 8081BA18, however if it's using a 16-bit value then a sth would be using 8081BA1A, which is not the same as 8081BA18 and therefore wouldn't stop.

You should still try my other suggestions in my previous post.  Particularly the one-time modification to r0, and stepping through your C2 code to make sure it does what you want it to do.

Bully@Wiiplaza

Quote from: dcx2 on July 23, 2010, 11:22:17 PM
You could try to replace the lwz r0 with li r0,0x11D.
You can also try to use r0 instead of r12.
I set the read BP on the one hit kill address. It immediately broke and I replaced the lwz instruction with li r0,0x11D. Then I hit run, but the game was frozen... :o

Quote from: dcx2 on July 23, 2010, 11:22:17 PM
Are you sure you're doing the right thing?  Set your breakpoint, and when you hit it, step over the lwz, and then over-write the value in r0 with your 0x11D.  Then hit Run.
That's what I did, I also got the same BP when NOT using the exact match.

Quote from: dcx2 on July 23, 2010, 11:22:17 PM
Another common ASM problem is that the code which is being executed is run more than once.  For instance, the same code might run when you shoot an enemy, or an enemy shoots you.  This could also cause a problem, by giving your enemies the one-hit-kill power too.  Set multiple breakpoints and make sure that the breakpoint is only hit when you shoot, and not when an enemy shoots, etc.
If it gives my enemy the ability for that, too, it doesn't matter. I have Inf. Health for such things.

Quote from: dcx2 on July 23, 2010, 11:22:17 PM
When the game freezes, try to press "Get BP Data".  Then post the registers/disassembly.  A lot of crashes can be diagnosed and even recovered this way, if you can see what went wrong and how to fix it.

CR:84000048  XER:00000000  CTR:800E426C DSIS:04000000
DAR:00000119 SRR0:800E4278 SRR1:00008032   LR:800E5620
 r0:00000000   r1:80768900   r2:8075A6E0   r3:00000000
 r4:FFFFFFFF   r5:0000011D   r6:000000FE   r7:800E426C
 r8:000000FD   r9:FFFFFFF9  r10:90F0C46C  r11:FFFFFFF9
r12:8012DC0C  r13:80752260  r14:0000245F  r15:0000002B
r16:80560000  r17:00000000  r18:FFFFFFFF  r19:80000000
r20:80560000  r21:80560000  r22:80530000  r23:80DC48D0
r24:90F0BDF4  r25:00000001  r26:90E86984  r27:00000000
r28:00000001  r29:90F0BA00  r30:90F0BA00  r31:90F0BA00

 f0:FFC00000   f1:42FE0000   f2:59800004   f3:3F800000
 f4:428942E1   f5:C14DA775   f6:42C2EA45   f7:00000000
 f8:00000000   f9:00000000  f10:00000000  f11:00000000
f12:00000000  f13:80000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:3F800000
f28:59800004  f29:59800000  f30:3E000000  f31:00000000

800E4278:  8065FFFC   lwz   r3,-4(r5)
800E427C:  2C04FFFF   cmpwi   r4,-1
800E4280:  7C668670   srawi   r6,r3,16
800E4284:  7C0031D6   mullw   r0,r0,r6
800E4288:  41820010   beq-   0x800e4298
800E428C:  9241000C   stw   r18,12(r1)
800E4290:  7F86E378   mr   r6,r28
800E4294:  7C002214   add   r0,r0,r4
800E4298:  2F060000   cmpwi   cr6,r6,0
800E429C:  38E00000   li   r7,0
800E42A0:  4099F590   ble+   cr6,0x800e3830
800E42A4:  2C060008   cmpwi   r6,8
800E42A8:  3926FFF8   subi   r9,r6,8
800E42AC:  40810094   ble-   0x800e4340
800E42B0:  38800000   li   r4,0
800E42B4:  41980014   blt-   cr6,0x800e42c8
800E42B8:  3873FFFE   subi   r3,r19,2
800E42BC:  7C061800   cmpw   r6,r3
800E42C0:  41810008   bgt-   0x800e42c8
800E42C4:  38800001   li   r4,1
800E42C8:  2C040000   cmpwi   r4,0
800E42CC:  41820074   beq-   0x800e4340
800E42D0:  39090007   addi   r8,r9,7
800E42D4:  5403103A   rlwinm   r3,r0,2,0,29
800E42D8:  5508E8FE   rlwinm   r8,r8,29,3,31
800E42DC:  7F04C378   mr   r4,r24
800E42E0:  7C651A14   add   r3,r5,r3
800E42E4:  7D0903A6   mtctr   r8
800E42E8:  2C090000   cmpwi   r9,0
800E42EC:  40810054   ble-   0x800e4340
800E42F0:  81030000   lwz   r8,0(r3)
800E42F4:  38E70008   addi   r7,r7,8
800E42F8:  91040000   stw   r8,0(r4)
800E42FC:  81030004   lwz   r8,4(r3)
800E4300:  91040004   stw   r8,4(r4)
800E4304:  81030008   lwz   r8,8(r3)
800E4308:  91040008   stw   r8,8(r4)
800E430C:  8103000C   lwz   r8,12(r3)
800E4310:  9104000C   stw   r8,12(r4)
800E4314:  81030010   lwz   r8,16(r3)

-----------------
BP execute on the address before lwz (add r3,r3,r0). It always broke immediately.

CR:88000088  XER:20000000  CTR:800E4760 DSIS:00400000
DAR:8081BA18 SRR0:800E4768 SRR1:0000A032   LR:800E37B0
 r0:00000024   r1:80768900   r2:8075A6E0   r3:808196C0
 r4:90D32A74   r5:90D32C10   r6:00000009   r7:800E4694
 r8:0000004F   r9:8082F3AC  r10:8082F160  r11:80768980
r12:00000000  r13:80752260  r14:00002DD2  r15:807A6C60
r16:80560000  r17:00000000  r18:FFFFFFFF  r19:80000000
r20:80560000  r21:80560000  r22:80530000  r23:80E4AEF0
r24:90D32B8C  r25:00000001  r26:90912FB4  r27:00000000
r28:00000001  r29:90D32A50  r30:90D32A50  r31:90D32A50

 f0:00000000   f1:00000000   f2:00000000   f3:4F800000
 f4:4F000000   f5:41DA87DA   f6:3F800000   f7:4265DD4B
 f8:C061CC10   f9:C0C3B88C  f10:3F6B0EA8  f11:419E4268
f12:00000000  f13:3FC00000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:3F800000
f28:59800004  f29:59800000  f30:3E000000  f31:00000000

800E4768:  7C630214   add   r3,r3,r0
800E476C:  80032004   lwz   r0,8196(r3)
800E4770:  90180000   stw   r0,0(r24)
800E4774:  4BFFF0BC   b   0x800e3830
800E4778:  90D80000   stw   r6,0(r24)
800E477C:  4BFFF0B4   b   0x800e3830
800E4780:  7D000774   extsb   r0,r8
800E4784:  A861000A   lha   r3,10(r1)
800E4788:  90010010   stw   r0,16(r1)
800E478C:  3B010010   addi   r24,r1,16
800E4790:  546F053E   rlwinm   r15,r3,0,20,31
800E4794:  48000044   b   0x800e47d8
800E4798:  9101001C   stw   r8,28(r1)
800E479C:  3B010010   addi   r24,r1,16
800E47A0:  A801000A   lha   r0,10(r1)
800E47A4:  C8010018   lfd   f0,24(r1)
800E47A8:  540F053E   rlwinm   r15,r0,0,20,31
800E47AC:  EC00E828   fsubs   f0,f0,f29
800E47B0:  EC0007B2   fmuls   f0,f0,f30
800E47B4:  D0010010   stfs   f0,16(r1)
800E47B8:  48000020   b   0x800e47d8
800E47BC:  A801000A   lha   r0,10(r1)
800E47C0:  7F58D378   mr   r24,r26
800E47C4:  3B5A0004   addi   r26,r26,4
800E47C8:  540F053E   rlwinm   r15,r0,0,20,31
800E47CC:  4800000C   b   0x800e47d8
800E47D0:  A801000A   lha   r0,10(r1)
800E47D4:  540F053E   rlwinm   r15,r0,0,20,31
800E47D8:  54C0E73E   rlwinm   r0,r6,28,28,31
800E47DC:  2800000F   cmplwi   r0,15
800E47E0:  4181F050   bgt+   0x800e3830
800E47E4:  3875D7A8   subi   r3,r21,10328
800E47E8:  5400103A   rlwinm   r0,r0,2,0,29
800E47EC:  7C63002E   lwzx   r3,r3,r0
800E47F0:  7C6903A6   mtctr   r3
800E47F4:  4E800420   bctr   
800E47F8:  7EE3BB78   mr   r3,r23
800E47FC:  7EE4BB78   mr   r4,r23
800E4800:  7DE57B78   mr   r5,r15
800E4804:  7F06C378   mr   r6,r24

dcx2

Quote from: Bully@Wiiplaza on July 24, 2010, 12:44:04 PM
Quote from: dcx2 on July 23, 2010, 11:22:17 PM
Are you sure you're doing the right thing?  Set your breakpoint, and when you hit it, step over the lwz, and then over-write the value in r0 with your 0x11D.  Then hit Run.
That's what I did, I also got the same BP when NOT using the exact match.
Do not assume that your first breakpoint is the one that you want.  There are many places in the game that can be reading/writing to this variable.  You may or may not want the first one, or a later one.

For instance, some games will stw the value 0 to initialize memory, and then later will sth or stb the *real* value.

Quote
Quote from: dcx2 on July 23, 2010, 11:22:17 PM
Another common ASM problem is that the code which is being executed is run more than once.  For instance, the same code might run when you shoot an enemy, or an enemy shoots you.  This could also cause a problem, by giving your enemies the one-hit-kill power too.  Set multiple breakpoints and make sure that the breakpoint is only hit when you shoot, and not when an enemy shoots, etc.
If it gives my enemy the ability for that, too, it doesn't matter. I have Inf. Health for such things.
You may still need to care about this.  Some instructions serve double-duty, doing more than one thing.

Set an execute BP on 800E476C.  Then hit Set Breakpoint.  Keep hitting Set Breakpoint, and pay attention to r3.  If the pointer in r3 keeps changing every time you hit Set Breakpoint, those instructions are affecting more than one thing, and the other things are getting FUBARed by your 0x11D.

Quote
Quote from: dcx2 on July 23, 2010, 11:22:17 PM
When the game freezes, try to press "Get BP Data".  Then post the registers/disassembly.  A lot of crashes can be diagnosed and even recovered this way, if you can see what went wrong and how to fix it.

r4:FFFFFFFF   r5:0000011D   r6:000000FE   r7:800E426C

800E4278:  8065FFFC   lwz   r3,-4(r5)
Bingo!  That's why you're freezing.  r5 is supposed to be a pointer, but it's 0x11D right now.  That's bad, and will cause the CPU to trap an illegal memory access (i.e. freeze).  Your C2 code is probably screwing up other callers, and you need to make sure that it changes memory only for your one-shot-kill code.

Here's an ASM black magic tip, by the way...if we knew what value belonged in r5, you could replace r5 with the right pointer and hit "Run" and the game would un-freeze!  I've done this while debugging C2 codes before.
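As an added illustration of the diagnosis dcx2 just did by hand (this is not code from the thread, from dcx2, or from the WiiRd tool), the Python script below parses a "Get BP Data" dump, finds the instruction at SRR0, computes the effective address from the base register of a D-form load/store, and reports whether that address lies inside the Wii's cached MEM1/MEM2 ranges. The sample dump is the register block and disassembly Bully posted, trimmed; the valid address ranges and the list of D-form mnemonics are my assumptions.

```python
import re

# Constructed sample input: the first "Get BP Data" dump posted in this
# thread, trimmed to the lines the tool needs (register block + disassembly).
SAMPLE_DUMP = """\
CR:84000048  XER:00000000  CTR:800E426C DSIS:04000000
DAR:00000119 SRR0:800E4278 SRR1:00008032   LR:800E5620
 r0:00000000   r1:80768900   r2:8075A6E0   r3:00000000
 r4:FFFFFFFF   r5:0000011D   r6:000000FE   r7:800E426C
 r8:000000FD   r9:FFFFFFF9  r10:90F0C46C  r11:FFFFFFF9
r12:8012DC0C  r13:80752260  r14:0000245F  r15:0000002B

800E4278:  8065FFFC   lwz   r3,-4(r5)
800E427C:  2C04FFFF   cmpwi   r4,-1
800E4280:  7C668670   srawi   r6,r3,16
"""

# Assumed valid data-address ranges: cached MEM1 and MEM2 on the Wii.
# A load or store whose effective address falls outside them traps,
# which the player experiences as a freeze.
VALID_RANGES = ((0x80000000, 0x817FFFFF), (0x90000000, 0x93FFFFFF))

# D-form (displacement) loads/stores whose operands look like "rD,d(rA)".
D_FORM_MEMOPS = {"lwz", "lhz", "lha", "lbz", "stw", "sth", "stb",
                 "lfs", "lfd", "stfs", "stfd"}


def parse_dump(text):
    """Pull the GPRs, SRR0, DAR and the disassembly listing out of a dump."""
    regs = {int(n): int(v, 16)
            for n, v in re.findall(r"\br(\d{1,2}):([0-9A-Fa-f]{8})", text)}
    srr0 = int(re.search(r"SRR0:([0-9A-Fa-f]{8})", text).group(1), 16)
    dar = int(re.search(r"\bDAR:([0-9A-Fa-f]{8})", text).group(1), 16)
    disasm = {}
    for m in re.finditer(r"^([0-9A-Fa-f]{8}):\s+[0-9A-Fa-f]{8}\s+(\S+)\s*(.*)$",
                         text, re.M):
        disasm[int(m.group(1), 16)] = (m.group(2), m.group(3).strip())
    return regs, srr0, dar, disasm


def is_valid_address(addr):
    return any(lo <= addr <= hi for lo, hi in VALID_RANGES)


def diagnose(text):
    """Explain a data-access freeze: which register was used as a pointer,
    what address it produced, and whether that address is plausible."""
    regs, srr0, dar, disasm = parse_dump(text)
    result = {"pc": srr0, "dar": dar}
    if srr0 not in disasm:
        result["verdict"] = "faulting instruction is not in the disassembly"
        return result
    mnem, ops = disasm[srr0]
    result["instr"] = f"{mnem} {ops}"
    m = re.fullmatch(r"f?r?\d+,(-?\d+)\(r(\d+)\)", ops)
    if mnem not in D_FORM_MEMOPS or m is None:
        result["verdict"] = "not a D-form load/store; inspect manually"
        return result
    disp, base = int(m.group(1)), int(m.group(2))
    ea = (regs[base] + disp) & 0xFFFFFFFF
    result.update(base_reg=base, base_val=regs[base], ea=ea,
                  ea_valid=is_valid_address(ea), dar_matches=(dar == ea))
    if result["ea_valid"]:
        result["verdict"] = "effective address looks sane; look elsewhere"
    else:
        result["verdict"] = (f"r{base} = {regs[base]:#010x} is not a pointer: "
                             f"{mnem} at {srr0:#010x} touches {ea:#010x}, "
                             f"outside MEM1/MEM2")
    return result


if __name__ == "__main__":
    for key, val in diagnose(SAMPLE_DUMP).items():
        if isinstance(val, int) and not isinstance(val, bool):
            val = f"{val:#010x}"
        print(f"{key}: {val}")
```

On Bully's dump this reports r5 = 0x0000011D as the bad base register, an effective address of 0x00000119 (which matches the DAR), and flags it as outside MEM1/MEM2; on the second dump in the thread, where SRR0 points at `add r3,r3,r0`, it declines to guess and asks for manual inspection.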

Bully@Wiiplaza

Quote from: dcx2 on July 24, 2010, 05:49:35 PM
Quote from: Bully@Wiiplaza on July 24, 2010, 12:44:04 PM
Quote from: dcx2 on July 23, 2010, 11:22:17 PM
Are you sure you're doing the right thing?  Set your breakpoint, and when you hit it, step over the lwz, and then over-write the value in r0 with your 0x11D.  Then hit Run.
That's what I did, I also got the same BP when NOT using the exact match.
Do not assume that your first breakpoint is the one that you want.  There are many places in the game that can be reading/writing to this variable.  You may or may not want the first one, or a later one.
Quote

I tried multiple times and r0, r3 are always the same. Some registers are changing, but they aren't important for now.


Quote from: dcx2 on July 23, 2010, 11:22:17 PM
Another common ASM problem is that the code which is being executed is run more than once.  For instance, the same code might run when you shoot an enemy, or an enemy shoots you.  This could also cause a problem, by giving your enemies the one-hit-kill power too.  Set multiple breakpoints and make sure that the breakpoint is only hit when you shoot, and not when an enemy shoots, etc.
If it gives my enemy the ability for that, too, it doesn't matter. I have Inf. Health for such things.
You may still need to care about this.  Some instructions serve double-duty, doing more than one thing.

Set an execute BP on 800E476C.  Then hit Set Breakpoint.  Keep hitting Set Breakpoint, and pay attention to r3.  If the pointer in r3 keeps changing every time you hit Set Breakpoint, those instructions are affecting more than one thing, and the other things are getting FUBARed by your 0x11D.
Quote

YES, it keeps changing all the time! What should we do now? :/

Quote from: dcx2 on July 23, 2010, 11:22:17 PM
When the game freezes, try to press "Get BP Data".  Then post the registers/disassembly.  A lot of crashes can be diagnosed and even recovered this way, if you can see what went wrong and how to fix it.

r4:FFFFFFFF   r5:0000011D   r6:000000FE   r7:800E426C

800E4278:  8065FFFC   lwz   r3,-4(r5)
Bingo!  That's why you're freezing.  r5 is supposed to be a pointer, but it's 0x11D right now.  That's bad, and will cause the CPU to trap an illegal memory access (i.e. freeze).  Your C2 code is probably screwing up other callers, and you need to make sure that it changes memory only for your one-shot-kill code.
Here's an ASM black magic tip, by the way...if we knew what value belonged in r5, you could replace r5 with the right pointer and hit "Run" and the game would un-freeze!  I've done this while debugging C2 codes before.

Cool, but how could I go about doing this? Give me an idea xD
Thanks for helping ;)


dcx2

Set lots of execute breakpoints there and see if you notice any patterns that you could test for.

Bully@Wiiplaza

well, do you mean doing something like this:

li r12,0x11D
stw r12,8196(r3)
lwz r0,8196(r3)

on registers which do not change, while hitting BP execute on address 800E476C? :cool:

dcx2

No, don't write anything because it's crashing the game when you do that.  We want to observe this creature in its natural habitat before trying to capture and domesticate it.

Without any codes active, just do an execute breakpoint on the address you would *like* to hook.  Pay attention to the values in the registers when you're doing this.  Even better, copy/paste them into a file so you can compare against them later.

Look for patterns.  Try to identify a register that contains a value that will help you identify the appropriate time to apply the hook.  Then add a conditional branch to your code so that it skips the hook unless a specific register has a magic value.

I stumbled on this earlier today and it is a good read for this purpose, too.  http://wiird.l0nk.org/forum/index.php/topic,5836.msg50772.html#msg50772

The code will do the normal, un-hacked instruction (stfs)...unless r19 = 3, in which case it will run the hook instead (lis/stw).  The hack was "domesticated" by watching r19.  Like a leash, so that it doesn't jump out and bite innocent callers.
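As an added example (not code from this thread, from dcx2, or from the Gecko/WiiRd tools), here is a small Python encoder for the few PowerPC instruction forms this thread uses and a builder that lays them out as a Gecko C2 code, including the rule that the block must end in a 00000000 word (so an even instruction count gets a nop first). It reproduces the C2 code Deathwolf posted for the hook dcx2 described at 800E476C, and then builds the "leashed" variant from the last post, where the 0x11D write is skipped unless a chosen register holds a chosen value. The r19 == 3 pair is a placeholder borrowed from the thread dcx2 linked, not a value known to be right for The Conduit; the C2/C3 address-bit handling and the restriction to MEM1 hook addresses are my assumptions.

```python
"""Encoders for li/lwz/stw/cmpwi/bne and a Gecko C2 code builder.
Added example for this thread; not part of any official tool."""

# --- instruction encoders ------------------------------------------------

def _reg(r):
    if not 0 <= r <= 31:
        raise ValueError(f"bad register r{r}")
    return r

def _simm16(v):
    if not -0x8000 <= v <= 0x7FFF:
        raise ValueError(f"{v:#x} does not fit a signed 16-bit immediate")
    return v & 0xFFFF

def _d_form(opcode, rt, ra, d):
    # D-form layout: opcode(6) | rT/rS(5) | rA(5) | d(16)
    return (opcode << 26) | (_reg(rt) << 21) | (_reg(ra) << 16) | _simm16(d)

def li(rt, imm):              # li rD,imm  ==  addi rD,0,imm   (opcode 14)
    return _d_form(14, rt, 0, imm)

def lwz(rt, d, ra):           # lwz rD,d(rA)                   (opcode 32)
    return _d_form(32, rt, ra, d)

def stw(rs, d, ra):           # stw rS,d(rA)                   (opcode 36)
    return _d_form(36, rs, ra, d)

def cmpwi(ra, simm, crf=0):   # cmpwi crfD,rA,simm             (opcode 11)
    return (11 << 26) | (crf << 23) | (_reg(ra) << 16) | _simm16(simm)

def bne(offset, crf=0):       # bc with BO=4 (CR bit false), BI=EQ bit of crfD
    if offset % 4 or not -0x8000 <= offset <= 0x7FFC:
        raise ValueError("branch offset must be a 4-aligned 16-bit displacement")
    return (16 << 26) | (4 << 21) | ((crf * 4 + 2) << 16) | (offset & 0xFFFC)

NOP = 0x60000000              # ori r0,r0,0

# --- Gecko C2 builder ----------------------------------------------------

def c2_code(hook_addr, words):
    """Lay out a C2 code.  The last word must be 00000000 (the code handler
    replaces it with the branch back), so an even instruction count gets a
    nop first.  Assumption: hook lies in the 0x80000000 base region; bit 24
    of the address goes into the low bit of the code type (C2 -> C3)."""
    if not 0x80000000 <= hook_addr < 0x82000000 or hook_addr % 4:
        raise ValueError("hook address must be a 4-aligned MEM1 address")
    body = list(words)
    if len(body) % 2 == 0:
        body.append(NOP)
    body.append(0x00000000)
    code_type = 0xC2 | ((hook_addr >> 24) & 1)
    lines = [f"{code_type:02X}{hook_addr & 0xFFFFFF:06X} {len(body) // 2:08X}"]
    for i in range(0, len(body), 2):
        lines.append(f"{body[i]:08X} {body[i + 1]:08X}")
    return "\n".join(lines)

# The hook dcx2 suggested, at the lwz r0,8196(r3) at 800E476C.
HOOK = 0x800E476C
UNCONDITIONAL = [li(12, 0x11D), stw(12, 8196, 3), lwz(0, 8196, 3)]

def gated_hook(magic_reg=19, magic_val=3):
    """'Leashed' variant: write 0x11D only when magic_reg == magic_val.
    r19 == 3 is a PLACEHOLDER from the linked thread, not a known-good
    value for this game; find the real pair by watching the breakpoint."""
    return [
        cmpwi(magic_reg, magic_val),  # does the magic register match?
        bne(12),                      # no: skip the two-instruction write
        li(0, 0x11D),
        stw(0, 8196, 3),
        lwz(0, 8196, 3),              # original instruction, always executed
    ]

if __name__ == "__main__":
    print(c2_code(HOOK, UNCONDITIONAL))
    print()
    print(c2_code(HOOK, gated_hook()))
```

The unconditional build prints exactly the three lines Deathwolf posted (`C20E476C 00000002 / 3980011D 91832004 / 80032004 00000000`), which is a quick way to check a hand-written code before trying it on the console; the gated build adds the compare and branch in front and grows to three code lines.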