Trying to find pad address for P5 and P6 in Smash Bros Melee

Started by biolizard89, January 26, 2011, 06:17:30 AM


biolizard89

As you may know, Super Smash Bros Melee has a debug code which allows 6-player matches.  Unfortunately, even though you can set P5 and P6 to human-controlled, they obviously do not have controller ports, so there's no way to control them.  I'm trying to find an address for P5 and P6 which, if poked, would simulate button presses and joystick motion on their virtual controllers.  I'm not a god in ASM reverse-engineering, so this is a bit of a challenge for me.

My approach that I've tried so far is to find every address where P1's pad data is stored (based on the digital buttons), and setting a read BP on each of them.  I then set an execute BP on each resulting address, and looked at the registers to see if there's an obvious register that's cycling from 0 to 5 (not 0 to 3).  There were a few that looked promising.  However, when I tried to poke the addresses that those pointers were using for P5 and P6, nothing happened, and the value didn't change.  I tried noping the instruction that wrote to those addresses, and while I was then able to poke the addresses, they didn't seem to have any effect.  I gather that some more sophisticated ASM wizardry is required.  Any suggestions for where to go from here would be greatly appreciated.  Is my method a good one, or should I be trying something totally different?  I can provide register dumps, disassembly, etc., upon request.

Thanks!

Nutmeg

Okay.  Is this what you are trying to do?  Control p5 and p6 with another controller  ???
-Please post the DASM :)

If so:

Your poking probably did not work because games store many button activators.  I believe that all but one of the activators are copies of a "master" activator.  (If this is incorrect, somebody tell me, please)  The poke was, most likely, immediately overwritten by the "master" activator.

How is this fixed?  You need to find the "master" activator.  To do this, set a "write" breakpoint on what you think a p5/p6 button activator is.  It should break on a stw/sth  rA,D(rS).  Back-trace the disassembly until you find where a new value is loaded into rA.  The command will be a lwz/lhz  rA,D(rS).  Note what address is being loaded into rA.  Then, set a "write" breakpoint on that address.  Again, it should be a stw/sth.  Again, backtrace the DASM to find the lwz/lhz.  You should follow this pattern until you find the activator which is not a copy of another address.

Once you have found the "master" address, you can write buttons to it.  It would then copy that button to all the other p5/p6 button activators, thus, the game would think you are using controller 5/6.

After the master address is found, it is simple ASM to copy buttons from p1 to the "master" address for p5/p6.

The key idea is the "master" activator.  Here are some other code examples that are similar to your scenario.

God's Controller [XeR]
C21B323C 00000003
2C080000 40A2000C
90C40000 90C40008
60000000 00000000

Allows you to control 2 players with only one GC controller
You need to plug the controller

Key remapper for GC controller [mdmwii]
C21afb58 00000005
39C0XXXX 7DCF0038
7C0F7000 40A20010
7C0F0050 39E0YYYY
7C007A14 B0040000
60000000 00000000

XXXX = key you want to change
YYYY = key assigned
Values:
0081 = D-Pad Left
0082 = D-Pad Right
0084 = D-Pad Down
0088 = D-Pad Up
0090 = Z
00A0 = R
00C0 = L
0180 = A
0280 = B
0480 = X
0880 = Y
1080 = Start
---------------------------
Hope that helped! :D  ...or it could've been far off with the idea of a "master" activator.
I'm inbetween your legs... that's not awkward.
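
One step of the write-breakpoint back-trace described in the post above, as an added example that is not part of any post in this thread: it decodes the stw/sth/lwz/lhz words in a window ending at the store that hit the breakpoint and reports which address the stored value was loaded from. The `lhz` word and the register values are constructed for illustration; the function names are hypothetical.

```python
# Added example (not from the thread): decode lwz/lhz/stw/sth, back-trace a copy.
LOADS = {32: "lwz", 40: "lhz"}    # primary opcode (top 6 bits) -> mnemonic
STORES = {36: "stw", 44: "sth"}

def decode(word):
    """Return (mnemonic, reg, base, disp) for lwz/lhz/stw/sth, else None."""
    op = word >> 26
    name = LOADS.get(op) or STORES.get(op)
    if name is None:
        return None
    reg = (word >> 21) & 0x1F     # destination (loads) or source (stores)
    base = (word >> 16) & 0x1F    # base register of the D(base) operand
    disp = word & 0xFFFF
    if disp >= 0x8000:            # D is a signed 16-bit displacement
        disp -= 0x10000
    return name, reg, base, disp

def effective_address(base, disp, regs):
    # In these encodings base register number 0 means "no base", not r0.
    return ((regs[base] if base else 0) + disp) & 0xFFFFFFFF

def backtrace(words, regs):
    """words: instruction words in execution order, ending with the store that
    hit the write breakpoint. regs: {register number: value} at the break.
    Returns (address written, address the value was loaded from or None).
    Assumption: base registers were not changed between the load and the break;
    instructions this decoder does not know are skipped, so confirm by hand."""
    store = decode(words[-1])
    if store is None or store[0] not in STORES.values():
        raise ValueError("last word is not stw/sth")
    _, value_reg, st_base, st_disp = store
    target = effective_address(st_base, st_disp, regs)
    for word in reversed(words[:-1]):
        ins = decode(word)
        if ins and ins[0] in LOADS.values() and ins[1] == value_reg:
            if ins[2] and ins[2] == value_reg:
                return target, None   # load overwrote its own base register
            return target, effective_address(ins[2], ins[3], regs)
    return target, None

# Constructed sample: lhz r0,0x10(r5) followed by sth r0,0(r4); the sth word
# B0040000 appears in the key remapper code above, the rest is made up.
SAMPLE_WORDS = [0xA0050010, 0xB0040000]
SAMPLE_REGS = {4: 0x80001000, 5: 0x80002000}   # placeholder register values

if __name__ == "__main__":
    written, source = backtrace(SAMPLE_WORDS, SAMPLE_REGS)
    print(f"store hit {written:08X}, value copied from {source:08X}")
```
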

Romaap

Maybe the p1, p2, p3 and p4 controller address all have the same offset?
If so, you can try if the same offset applies to calculate p5 and p6.

biolizard89

Thanks Nutmeg, that did it.  I took the P5 and P6 addresses that I had previously obtained by looking for a register that cycled through pad data from 0 to 5, and set a write BP on each of those two addresses.  Conveniently, the real addresses were loaded from exactly 1 instruction prior to where the BP hit.  I now have pad addresses for P5 and P6, which do work when poked.

Thanks for your help!