Convert Speed Hack to ASM Instructions [mh3]

Started by Bully@Wiiplaza, July 04, 2010, 08:33:08 PM


Bully@Wiiplaza

Hello,
I am trying to convert the offline speed hack from mh3 to an assembly instruction so that I don't need to find a few more addresses...

42000000 90000000
0414AE94 40A00000
E0000000 80008000

I set a write breakpoint on the 9014AE94 address and got this:

CR  : 44000488  XER : 00000000  CTR : 80264024  DSIS: 02400000
DAR : 9014AE94  SRR0: 802757EC  SRR1: 0000B032  LR  : 802757E4
r0  : 00002FB5  r1  : 807AFA80  r2  : 8079FF60  r3  : 00002FB5
r4  : 00000029  r5  : 00291400  r6  : 8065AA62  r7  : 00000000
r8  : 807AFBB0  r9  : 807AFBAC  r10 : 00000000  r11 : 807AFB40
r12 : 8007DE60  r13 : 8079B2E0  r14 : 00000009  r15 : 9014AB40
r16 : 00000000  r17 : 00000022  r18 : 00000000  r19 : 0000FFFF
r20 : 00000000  r21 : 805BE6F4  r22 : 9014AB62  r23 : 00000000
r24 : 901480C0  r25 : 00000000  r26 : 00010000  r27 : 00000001
r28 : 00000046  r29 : 00000004  r30 : 9014AB40  r31 : 00000000

f0  : 3F800000  f1  : 43460000  f2  : 41F00000  f3  : 42000000
f4  : 3F000000  f5  : 3F800000  f6  : 3B4CCCCD  f7  : 3F800000
f8  : 00000000  f9  : 40000000  f10 : 3F800000  f11 : BB088889
f12 : 3ACCCCCD  f13 : 3425185C  f14 : 00000000  f15 : 00000000
f16 : 00000000  f17 : 00000000  f18 : 00000000  f19 : 00000000
f20 : 00000000  f21 : 00000000  f22 : 00000000  f23 : 00000000
f24 : 00000000  f25 : 00000000  f26 : 59800004  f27 : 4479C000
f28 : 00000000  f29 : 43460000  f30 : 59800000  f31 : 3F800000

802757EC:  D01E0354   stfs   f0,852(r30)
802757F0:  38000000   li   r0,0
802757F4:  901E0318   stw   r0,792(r30)
802757F8:  981E0313   stb   r0,787(r30)
802757FC:  981E0314   stb   r0,788(r30)
80275800:  B01E031C   sth   r0,796(r30)
80275804:  B01E0320   sth   r0,800(r30)
80275808:  B01E031E   sth   r0,798(r30)
8027580C:  981E036A   stb   r0,874(r30)
80275810:  981E0388   stb   r0,904(r30)
80275814:  981E0322   stb   r0,802(r30)
80275818:  981E0323   stb   r0,803(r30)
8027581C:  981E0324   stb   r0,804(r30)
80275820:  981E0325   stb   r0,805(r30)
80275824:  981E0326   stb   r0,806(r30)
80275828:  981E0327   stb   r0,807(r30)

f0 seems to include the speed.

I hope you can help me with making the assembly code ;)
Tell me, if you need to view more things.

Greets :rolleyes:
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

dcx2

You can't write into the float registers directly.  Fortunately for you, there's an li r0,0 right after the instruction you're replacing, so that means r0 is safe.

You can load the float value you want (40A00000) into r0, and then write r0 to 852(r30).  You will need to use a C2 code to do this, because you need more than one instruction.  Use PyiiASMH to help you turn this into a C2 code.

To specify a float value XXXXYYYY

lis r0,0xXXXX
ori r0,r0,0xYYYY
stw r0,852(r30)

In this example, XXXX = 40A0 and YYYY = 0000

lis r0,0x40A0
ori r0,r0,0x0000
stw r0,852(r30)

It should turn into this C2 code

C22757EC 00000002
3C00XXXX 6000YYYY
901E0354 00000000

C22757EC 00000002
3C0040A0 60000000
901E0354 00000000

dcx2

Okay, so I just remembered that r0 is a bad register.  Sometimes r0 is treated as a 0 instead of r0.

r12 is usually pretty safe, so use this instead.

lis r12,0x40A0
ori r12,r12,0x0000
stw r12,852(r30)

C22757EC 00000002
3D8040A0 618C0000
919E0354 00000000

Bully@Wiiplaza

#3
Well, you can pick any register you want for this?
But it shouldn't be used. ;)
Pretty easy though. Now I'll try out the code and see if it really works like this :o
Thanks for this great help ^^

dcx2

Yes, you can use a regular register to write to memory.  You must, since you cannot load float registers.

Yes, the register you choose should not be used.  r12 is only used in very specific circumstances, as part of loading the CTR register before doing a bctr/bctrl.  I don't think I've ever seen r12 used anywhere else.  That is why it's pretty safe.

r0 has some special meaning for certain instructions, like addi.

http://pds.twi.tudelft.nl/vakken/in1200/labcourse/instruction-set/addi.html

"The sum ( rA | 0 ) + SIMM is placed into rD"

Any time you see "rA | 0", that means "rA or 0".  This means that instead of using the value in r0, it uses the actual value 0, but for all other registers r1-r31 it will use the value in the register.

SIMM = Signed IMMediate

However, it looks like I was mistaken.  ori does not have the rA | 0 part, so it treats r0 normally.

http://pds.twi.tudelft.nl/vakken/in1200/labcourse/instruction-set/ori.html
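The lis/ori/stw words dcx2 gives above, and the rA|0 convention discussed in this post, can be checked by hand-encoding the instructions. The following is an added example, not code from the thread or from PyiiASMH; the function names are my own, the opcodes are the standard PowerPC D-form primary opcodes, and the register numbers, displacement (852), target address (802757EC) and float pattern (40A00000) are taken from the thread. It also packs the result into a Gecko C2 block with the same nop-padding and 00000000 terminator the posted codes show.

```python
import struct

# Added example, not code from the thread or from PyiiASMH: a minimal encoder for
# the PowerPC D-form instructions used in this thread (lis/ori/stw, plus li and
# the original stfs), and a packer that emits the Gecko C2 block around them.
# All function names here are assumptions; register numbers follow the thread.

def _reg(r):
    """Validate a general/float register number (0..31)."""
    if not 0 <= r <= 31:
        raise ValueError(f"register out of range: {r}")
    return r

def _imm16(v):
    """Accept a signed or unsigned 16-bit immediate and return its low 16 bits."""
    if not -0x8000 <= v <= 0xFFFF:
        raise ValueError(f"immediate does not fit in 16 bits: {v:#x}")
    return v & 0xFFFF

def d_form(opcode, rt, ra, imm):
    """D-form word: 6-bit primary opcode, 5-bit rT/rS, 5-bit rA, 16-bit immediate."""
    return (opcode << 26) | (_reg(rt) << 21) | (_reg(ra) << 16) | _imm16(imm)

# For addi/addis (and for the base register of the loads/stores below) an rA
# field of 0 means the literal value 0, not the contents of r0; li and lis
# rely on exactly that, which is why they are spelled with rA = 0 here.
def addi(rd, ra, simm):  return d_form(14, rd, ra, simm)
def addis(rd, ra, simm): return d_form(15, rd, ra, simm)
def li(rd, simm):        return addi(rd, 0, simm)
def lis(rd, simm):       return addis(rd, 0, simm)

# ori rA,rS,UIMM: the destination rA sits in bits 11-15, the source rS in 6-10,
# and there is no rA|0 rule, so r0 is an ordinary register for ori.
def ori(ra, rs, uimm):   return d_form(24, rs, ra, uimm)
def stw(rs, d, ra):      return d_form(36, rs, ra, d)
def stfs(frs, d, ra):    return d_form(52, frs, ra, d)

def load_imm32(reg, value):
    """lis/ori pair that puts a full 32-bit pattern into `reg`."""
    return [lis(reg, value >> 16), ori(reg, reg, value & 0xFFFF)]

def effective_address(ra_value, d):
    """Address a D-form load/store touches: rA contents plus the displacement."""
    return (ra_value + d) & 0xFFFFFFFF

def float_bits(word):
    """Interpret a 32-bit word as the big-endian single the stfs would have stored."""
    return struct.unpack(">f", struct.pack(">I", word))[0]

def gecko_c2(target, words):
    """C2 'insert ASM' code: C2 + (target & 0x01FFFFFF), line count, then the
    instructions, nop-padded to whole 8-byte lines and ended by 00000000."""
    body = list(words) + [0x00000000]
    if len(body) % 2:
        body.insert(-1, 0x60000000)   # nop keeps the terminator in the last slot
    rows = [(0xC2000000 | (target & 0x01FFFFFF), len(body) // 2)]
    rows += [tuple(body[i:i + 2]) for i in range(0, len(body), 2)]
    return "\n".join(f"{a:08X} {b:08X}" for a, b in rows)

def speed_patch(reg, value=0x40A00000, target=0x802757EC):
    """Replace the stfs at `target` with 'store constant `value` to 852(r30)'."""
    return gecko_c2(target, load_imm32(reg, value) + [stw(reg, 852, 30)])

if __name__ == "__main__":
    print(speed_patch(12))
    print(f"{float_bits(0x40A00000)} written at "
          f"{effective_address(0x9014AB40, 852):08X}")
```

Running it reproduces the r12 version of the code line for line, and the two sanity checks tie the patch back to the original 04 code: 0x40A00000 is the single-precision value 5.0, and r30 (9014AB40 in the breakpoint dump) plus 852 is exactly 9014AE94, the address the 04 code wrote. An even number of instructions gets a 60000000 pad before the 00000000 terminator, which is the convention the posted codes follow.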

Bully@Wiiplaza

Nice, everything worked great! :p
And thanks for the detailed instructions ;)

dughug

#6
Quote from: Bully@Wiiplaza on July 05, 2010, 06:33:18 PM
Nice, everything worked great! :p
And thanks for the detailed instructions ;)

-removed-

don't ask for online codes

Bully@Wiiplaza