Pointer in Pointer [in] Pointer problem

Deathwolf · October 10, 2010, 02:39:48 PM

okay I've a problem by a pointer in pointer code.

here are 3 results:
[[8043DD04]+F4]+3624
[[80452AC8]+F4]+3624
[[80BA962C]+8704]+16CC

48000000 8043DD04 <--- load into pointer
DE000000 80008180 <--- check line
58010000 00000000 <--- load into pointer 2*
4A100000 000000F4 <-- go F4 bytes forward
58010000 00000000 <-- load into pointer 3*
4A100000 00003624 <-- go 3624 bytes forward
14000000 40100000 <-- write 40100000
14000004 40100000
14000008 40100000
E0000000 80008000 <-- end

and the result: freez....

what's wrong? o,o

Deathwolf · October 10, 2010, 03:03:23 PM

hmmm yep thanks but it freez too....

what about this?

48000000 8043DD04 <--- load into pointer
DE000000 80008180 <--- check line
4A100000 000000F4 <--- go F4 bytes forward
58010000 00000000 <--- load into pointer 2*
4A100000 00003624 <--- go 3624 bytes forward
16000000 0000000C <-- write 40100000
40100000 40100000
40100000 00000000
E0000000 80008000 <-- end

now it works, but in level 2 it freez....

Deathwolf · October 10, 2010, 03:17:00 PM

Invisible [Deathwolf]
282DBEC2 0000YYYY
48000000 80C8FF44
DE000000 80008180
58010000 00000000
1400000D 00000000
E0000000 80008000
282DBEC2 0000YYYY
48000000 80C8FF44
DE000000 80008180
58010000 00000000
1400000D 00000101
E0000000 80008000

lol yes, my fail thanks xD

Deathwolf · October 10, 2010, 03:31:36 PM

yes pointer in pointer doesn't work always. ASM is sometimes better than 48 but it doesn't work by this. it change more floatings by one ASM code. so it fails....

dcx2 · October 10, 2010, 04:35:20 PM

There are ways to do it in ASM. You could add a check that makes sure you're only writing to the float you want. You could walk the stack and use a different C2 hook address. You could find a totally unrelated hook that only runs for the object you're interested in and use that hook instead.

---

However, you can check your pointer-in-pointer. I added a new feature recently that makes following pointers easier. Load the latest Gecko.NET (the one from Google Code). Go to Memory Viewer.

Go to address 8043DD04. 8043DD04

Double-click it. [8043DD04]

Right-click on the new address -> "Add Offset" -> F4. [8043DD04]+F4

Double click it. [[8043DD04]+F4]

Right-click on the new address -> "Add Offset" -> 3624. [[8043DD04]+F4]+3624

Now, make sure you're looking at the floats you want.

---

Alternatively, I could guide you through using the disassembler's Copy Function and Call Stack list box.

Deathwolf · October 10, 2010, 05:07:24 PM

okay lets break those 3 floatings.

80A9F7B4 80A9F7B8 80A9F7BC
3F800000 3F800000 3F800000

read on 80A9F7B4:

Code Select

801183BC:  C03F0008	lfs	f1,8(r31)
801183C0:  4809A0F9	bl	0x801b24b8
801183C4:  FFA00890	fmr	f29,f1
801183C8:  C03F0000	lfs	f1,0(r31)
801183CC:  4809A0C5	bl	0x801b2490
801183D0:  FFC00890	fmr	f30,f1
801183D4:  C03F0004	lfs	f1,4(r31)
801183D8:  4809A0B9	bl	0x801b2490
801183DC:  FFE00890	fmr	f31,f1
801183E0:  C03F0008	lfs	f1,8(r31)
801183E4:  4809A0AD	bl	0x801b2490
801183E8:  ECFD07B2	fmuls	f7,f29,f30
801183EC:  C002AD10	lfs	f0,-21232(r2)
801183F0:  ED0106F2	fmuls	f8,f1,f27
801183F4:  EC4107F2	fmuls	f2,f1,f31
801183F8:  D01E000C	stfs	f0,12(r30)

read on 80A9F7B8:

Code Select

801182E8:  C1240004	lfs	f9,4(r4)
801182EC:  ED030272	fmuls	f8,f3,f9
801182F0:  C0230014	lfs	f1,20(r3)
801182F4:  C0030024	lfs	f0,36(r3)
801182F8:  EC810272	fmuls	f4,f1,f9
801182FC:  C0C30008	lfs	f6,8(r3)
80118300:  EC200272	fmuls	f1,f0,f9
80118304:  C0E40008	lfs	f7,8(r4)
80118308:  C0630018	lfs	f3,24(r3)
8011830C:  C0030028	lfs	f0,40(r3)
80118310:  ECC601F2	fmuls	f6,f6,f7
80118314:  EC6301F2	fmuls	f3,f3,f7
80118318:  D1430000	stfs	f10,0(r3)
8011831C:  EC0001F2	fmuls	f0,f0,f7
80118320:  D1030004	stfs	f8,4(r3)
80118324:  D0C30008	stfs	f6,8(r3)

read on 80A9F7BC:

Code Select

801182E8:  C1240004	lfs	f9,4(r4)
801182EC:  ED030272	fmuls	f8,f3,f9
801182F0:  C0230014	lfs	f1,20(r3)
801182F4:  C0030024	lfs	f0,36(r3)
801182F8:  EC810272	fmuls	f4,f1,f9
801182FC:  C0C30008	lfs	f6,8(r3)
80118300:  EC200272	fmuls	f1,f0,f9
80118304:  C0E40008	lfs	f7,8(r4)
80118308:  C0630018	lfs	f3,24(r3)
8011830C:  C0030028	lfs	f0,40(r3)
80118310:  ECC601F2	fmuls	f6,f6,f7
80118314:  EC6301F2	fmuls	f3,f3,f7
80118318:  D1430000	stfs	f10,0(r3)
8011831C:  EC0001F2	fmuls	f0,f0,f7
80118320:  D1030004	stfs	f8,4(r3)
80118324:  D0C30008	stfs	f6,8(r3)

so 80A9F7B8 and 80A9F7BC are the same.
try the first C2 on 801183BC.

stwu r1,-80(r1) <-- make space 12-31 free (stack frame)
stmw r14,8(r1)
lis r12,0x4000 <-- write 40000000
ori r12,r12,0x0000
stw r12,8(r31) <-- store form 12 into 31
lfs f1,8(r31)
lmw r14,8(r1)
addi r1,r1,80

assembly:

C21183BC 00000005
9421FFB0 BDC10008
3D804000 618C0000
919F0008 C03F0008
B9C10008 38210050
60000000 00000000

now the first fail:
it's a wrong address. it writes 4 bytes backward. (40000000 3F800000 3F800000 3F800000)

dcx2 · October 10, 2010, 06:56:45 PM

You aren't using Exact breakpoint. That is why you have trouble.

Set your Read breakpoint on 80A9F7B4. Once it hits, right-click Show Mem. I bet you the address is actually 80A9F7B0.

If Exact is not checked, then a breakpoint will hit anywhere within an 8-byte range. So when you specify 80A9F7B4, you will actually hit any time any address from 80A9F7B0 to 80A9F7B7 is read.

Deathwolf · October 10, 2010, 07:34:44 PM

so okay, I've tried what you said dcx2.

new address:
801182CC: C0440000 lfs f2,0(r4)

stwu r1,-80(r1)
stmw r14,8(r1)
lis r12,0x4000
ori r12,r12,0x0000
stw r12,0(r4)
lfs f2,0(r4)
lmw r14,8(r1)
addi r1,r1,80

C21182CC 00000005
9421FFB0 BDC10008
3D804000 618C0000
91840000 C0440000
B9C10008 38210050
60000000 00000000

yes, now it changes the right address, BUT there is another problem....
it also changes some other floatings! that's the problem by this and ASM.

dcx2 · October 10, 2010, 07:41:21 PM

Now you have a better hook.

What are you trying to do? A size modifier? What other floats are being affected?

Go to 801182CC in disassembler, right-click, Copy Function, and paste that into a spoiler here.

Also, double-click the Call Stack list box, wait for it to fill up, right click, Copy All, and paste that too.

Deathwolf · October 10, 2010, 07:54:31 PM

yes a partial size modifier.

[spoiler]801182C8: C0630000   lfs   f3,0(r3)
801182CC: C0440000   lfs   f2,0(r4)
801182D0: C0230010   lfs   f1,16(r3)
801182D4: ED4300B2   fmuls   f10,f3,f2
801182D8: C0030020   lfs   f0,32(r3)
801182DC: ECA100B2   fmuls   f5,f1,f2
801182E0: C0630004   lfs   f3,4(r3)
801182E4: EC4000B2   fmuls   f2,f0,f2
801182E8: C1240004   lfs   f9,4(r4)
801182EC: ED030272   fmuls   f8,f3,f9
801182F0: C0230014   lfs   f1,20(r3)
801182F4: C0030024   lfs   f0,36(r3)
801182F8: EC810272   fmuls   f4,f1,f9
801182FC: C0C30008   lfs   f6,8(r3)
80118300: EC200272   fmuls   f1,f0,f9
80118304: C0E40008   lfs   f7,8(r4)
80118308: C0630018   lfs   f3,24(r3)
8011830C: C0030028   lfs   f0,40(r3)
80118310: ECC601F2   fmuls   f6,f6,f7
80118314: EC6301F2   fmuls   f3,f3,f7
80118318: D1430000   stfs   f10,0(r3)
8011831C: EC0001F2   fmuls   f0,f0,f7
80118320: D1030004   stfs   f8,4(r3)
80118324: D0C30008   stfs   f6,8(r3)
80118328: D0A30010   stfs   f5,16(r3)
8011832C: D0830014   stfs   f4,20(r3)
80118330: D0630018   stfs   f3,24(r3)
80118334: D0430020   stfs   f2,32(r3)
80118338: D0230024   stfs   f1,36(r3)
8011833C: D0030028   stfs   f0,40(r3)
80118340: 4E800020   blr
[/spoiler]

Call Stack:
[spoiler]801182CC
80044C04
80119D7C
8011CF58
800681D4
80067A78
80067854
80099140
8009946C
80098DA0
80106B5C
80105B4C
80151EEC
8017EBC8
[/spoiler]

MOD EDIT: spoilers are easier to read. code block has tiny print, makes me go blind

dcx2 · October 10, 2010, 08:02:10 PM

Okay. Go to breakpoint tab, click "Log Steps". Save the file somewhere and remember it.

Set an execute on 80118340. Then press "Set" again. And again. Do this about 20 times. We are collecting LR values in the log to see if there are others calling this function. Once you've set about 20 execute breakpoints on 80118340, copy and paste the log to a spoiler

Deathwolf · October 10, 2010, 08:08:58 PM

vdappc.exe not found!

dcx2 · October 10, 2010, 08:12:51 PM

You should have vdappc already. Make sure it's in the same folder as the Gecko.NET you're running. If you need, it should be in the same directory as WiiRD, too.

dcx2 · October 10, 2010, 08:14:32 PM

Wait...how did you do Copy Function without vdappc?!

EDIT: thinking about this...did you put the log in a folder that wasn't the same folder that you run Gecko.NET from?

Deathwolf · October 10, 2010, 08:16:22 PM

oh lol now it works.

BPSteps:
[spoiler]80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08

80118340: 4E800020   blr        LR = 80044C08[/spoiler]

WiiRd forum

News:

Pointer in Pointer [in] Pointer problem

Deathwolf

Deathwolf

Deathwolf

Deathwolf

dcx2

Deathwolf

dcx2

Deathwolf

dcx2

Deathwolf

dcx2

Deathwolf

dcx2

dcx2

Deathwolf