Free Fly - Plane speed mod

Started by Dude, April 09, 2011, 06:54:43 PM


Dude

I've been playing the Wii Sports + Wii Sports Resort bundle disc that came with my black Wii and had a blast.

Decided to throw my USBGecko in and see if I can apply my project I previously had to this instead.

Something I've been trying to work on is modifying the max "forward" speed of the plane in Air Sports.  I've found the X/Y/Z Coords and the speeds for each one, but I can't seem to find the value that says how fast you are going forwards...

1: I started a 32bit unknown search while flying level.
2: Pulled up vertical and waited a few seconds, then searched for "less than" (the plane, in theory, would be going slightly slower)
3: Then pointed the nose of the plane down, boosted, and searched for "greater than"

Repeat steps 2 and 3 but never find anything.

I've looked around the addresses for the X/Y/Z Coords but can't find anything that seems to affect the speed, except for X/Y/Z speed, the same that's used for moonjump codes (moon jump in the plane is pretty funny)

Anybody out there able to help?

Note, the GameID for the bundle disc is SP2P01 (PAL version).

Deathwolf

Yeah I think, I know what you mean. Try to search for 3F800000 and do a huge Multi-Poke.
There is an address which is for the full player and allows you to speed up everything.

BTW I'm going to help you if you want.
lolz

Dude

Help would be greatly appreciated, thanks Deathwolf.

I can't get to the Wii right now, but I'll give that a try when I can.

I'm not sure if it will work like that, though.  Think of it like a speedometer that gives a current forward speed - just like the address you write to when you make a Y-Coord Moon jump.

It's proving tough to find and I'm not exactly sure that it is how I'm predicting it to be...

Would setting a "write" breakpoint on the Y-Coord while traveling vertically help to backtrack and reveal this location?
I did have a peek at doing this...but my PPC ASM knowledge is severely limited :(

Bully@Wiiplaza

You can use a float increase on the Z coordinate to make yourself move forward.
The higher the added value, the faster you will go.
Don't forget to add a float to a float and NOT a HEX value!
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

Dude

I've tried modifying the X/Y/Z coord speed addresses, but it only gave the result I expected would happen.
It's only like modifying the Y-Coord speed to create a moonjump code.

I've been looking around the memory surrounding the X/Y/Z addresses and found the addresses that show your plane's direction, pitch and yaw.

Also found the modifier for how fast your plane turns on the X/Y plane based on the Motion+ angle.  I can give myself hyper-sensitive controls and insane turning speeds.

Finding everything except the speed  >:(

What I'm hoping, is that there is an address somewhere that gives a "forward" speed (kinda like acceleration).  This is then used to calculate and modify the X/Y/Z coord speeds.  I'm not totally sure on the 3D programming, but this is how I'm hoping it was done.

My goal is to, obviously, be able to adjust how fast you go, maybe assigning it to a button conditional so that you fly faster when it's held down.

Patedj

I'm assuming that what's happening is you are finding everything but the velocity. Scroll up in the memory tab it should be around there (3-6 windows up).

I can now find velocity and scroll down and the xyz axis are stacked below it. (or above it could happen).
You can pm me, I've got time for your troubles.

Dude

I can only assume that it is a positive float...

I've looked up and down in mem viewer, but can't seem to find anything that handles the velocity :(

I did find a value that, when set high, it makes you sit in the water without moving and without cutting the engine.
Set it high and it kills you, leaving the screen all messed up lol

Damn, I'm rusty :(

How did you manage to find the velocity?

Panda On Smack

Can you set a breakpoint on the co-ords to see what is writing to them which technically should be the speed calculation as it's telling where it's going to be next?

Dude

Write breakpoint on 80D34394 (X Co-ord)

Registers:
[spoiler] CR:44000888  XER:00000000  CTR:8033A3A0 DSIS:02400000
DAR:80D34394 SRR0:803397F4 SRR1:0000B032   LR:8033A3B8
 r0:8033A3B8   r1:807ECEB0   r2:80700D20   r3:80D342FC
 r4:80D343B8   r5:807D81D0   r6:00003E9D   r7:00000000
 r8:2D016C21   r9:2D016C22  r10:1680B612  r11:005A05B0
r12:8033A3A0  r13:806FADA0  r14:00000001  r15:817F6CA8
r16:00000000  r17:00000000  r18:00000000  r19:00000000
r20:00000000  r21:00000000  r22:00000000  r23:00000000
r24:00000000  r25:00000000  r26:929E00A8  r27:00000002
r28:807ED114  r29:80D33C04  r30:80D343A0  r31:80D342FC

 f0:BC79D1D6   f1:B9259C0E   f2:3F7D70A4   f3:3C95001B
 f4:3C4E8546   f5:3C950047   f6:393EA273   f7:3C4EA326
 f8:38F98F0F   f9:460919EC  f10:C01D1F67  f11:4488DCA8
f12:3FA6A852  f13:BE6D491A  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:3F800000
f28:3B3F667B  f29:3E800000  f30:4006188C  f31:3E800000[/spoiler]

ASM:
[spoiler]803397CC:  C00300B8   lfs   f0,184(r3)
803397D0:  EC230132   fmuls   f1,f3,f4
803397D4:  D3C300A4   stfs   f30,164(r3)
803397D8:  ED43537A   fmadds   f10,f3,f13,f10
803397DC:  ED234B3A   fmadds   f9,f3,f12,f9
803397E0:  D1A300A8   stfs   f13,168(r3)
803397E4:  EC8740BA   fmadds   f4,f7,f2,f8
803397E8:  EC6530BA   fmadds   f3,f5,f2,f6
803397EC:  D18300AC   stfs   f12,172(r3)
803397F0:  EC0008BA   fmadds   f0,f0,f2,f1
803397F4:  D1630098   stfs   f11,152(r3)                <-------- the write?
803397F8:  D143009C   stfs   f10,156(r3)
803397FC:  D12300A0   stfs   f9,160(r3)
80339800:  D08300B0   stfs   f4,176(r3)
80339804:  D06300B4   stfs   f3,180(r3)
80339808:  D00300B8   stfs   f0,184(r3)
8033980C:  4BFFFEC9   bl   0x803396d4
80339810:  FC20F890   fmr   f1,f31
80339814:  7FE3FB78   mr   r3,r31
80339818:  38810008   addi   r4,r1,8
8033981C:  38BF00BC   addi   r5,r31,188
80339820:  4BFFFE39   bl   0x80339658
80339824:  7FE3FB78   mr   r3,r31
80339828:  38810008   addi   r4,r1,8
8033982C:  4BFFFA35   bl   0x80339260
80339830:  C002D4F0   lfs   f0,-11024(r2)
80339834:  D01F00D0   stfs   f0,208(r31)
80339838:  D01F00CC   stfs   f0,204(r31)
8033983C:  D01F00C8   stfs   f0,200(r31)
80339840:  D01F00DC   stfs   f0,220(r31)
80339844:  D01F00D8   stfs   f0,216(r31)
80339848:  D01F00D4   stfs   f0,212(r31)
8033984C:  E3E10038   psq_l   f31,56(r1),0,0
80339850:  CBE10030   lfd   f31,48(r1)
80339854:  E3C10028   psq_l   f30,40(r1),0,0
80339858:  CBC10020   lfd   f30,32(r1)
8033985C:  83E1001C   lwz   r31,28(r1)
80339860:  80010044   lwz   r0,68(r1)
80339864:  7C0803A6   mtlr   r0
80339868:  38210040   addi   r1,r1,64
8033986C:  4E800020   blr   
80339870:  9421FFF0   stwu   r1,-16(r1)
80339874:  7C0802A6   mflr   r0
80339878:  C002D4E4   lfs   f0,-11036(r2)
8033987C:  90010014   stw   r0,20(r1)
80339880:  93E1000C   stw   r31,12(r1)
80339884:  7C7F1B78   mr   r31,r3
80339888:  D0030000   stfs   f0,0(r3)
8033988C:  38630004   addi   r3,r3,4
80339890:  4BE02841   bl   0x8013c0d0
80339894:  387F0028   addi   r3,r31,40
80339898:  4BE02839   bl   0x8013c0d0
8033989C:  3C80807E   lis   r4,-32642
803398A0:  387F005C   addi   r3,r31,92
803398A4:  C0048288   lfs   f0,-32120(r4)
803398A8:  38848288   subi   r4,r4,32120
803398AC:  D01F004C   stfs   f0,76(r31)
803398B0:  C0040004   lfs   f0,4(r4)
803398B4:  D01F0050   stfs   f0,80(r31)
803398B8:  C0040008   lfs   f0,8(r4)[/spoiler]

Patedj

Do a read this time.
Actually, load the stacks in the disassembly bottom left corner box.
Then right click on the bp address assembly lines on the right, copy all frames and post a .txt so we can see everything.
You can pm me, I've got time for your troubles.

Dude

As requested, I've set a READ BP on the X Co-ord and copied everything to this text file:

http://www.mediafire.com/?awly5rvnqtathl0

This is turning into quite a hunt :p

Got a good feeling that I might learn a good deal from this!
Thanks so much for your help.

dcx2

That's not "everything".  You did a plain old Copy, which only gives a snippet.  Minimally, you should right click and "Copy Function" to put the whole thing in the clipboard.  Usually it can be pasted into a forum post, but sometimes it's too big.

What Patedj was asking you to do was "Copy All Frames".  This gives us a more complete picture of what's going on.  It requires Gecko.NET 0.64.6 or newer.  It will make a very large text file dump into the clipboard.  The text file will not fit in the forum post.  However, if you click the "Additional Options..." dropdown below a forum post you're writing, you can attach the txt file.

I used your text file as an example, even though it's small enough to be posted on the forum.

Dude

Really sorry about that.

I have to say though, I am damn impressed with the coding Gecko.NET.  My hat off to you, dcx2.

The frames copied remind me of the Windows debuggers that I use  :o loving it!

I've attached the new text file, as you've shown, and dumped the frames.  I've noted the BP type and the address I used.

dcx2

Can you Copy Function the stfs (803397F4) into a spoiler?  Also, set your write breakpoint on the coords and copy the call stack, but that doesn't need to be spoilered because it's small.

Dude

stfs (803397F4) from disassembler during READ BP (X co-ord) :
[spoiler]8033973C:  9421FFC0   stwu   r1,-64(r1)
80339740:  7C0802A6   mflr   r0
80339744:  388300BC   addi   r4,r3,188
80339748:  90010044   stw   r0,68(r1)
8033974C:  DBE10030   stfd   f31,48(r1)
80339750:  F3E10038   psq_st   f31,56(r1),0,0
80339754:  FFE01890   fmr   f31,f3
80339758:  DBC10020   stfd   f30,32(r1)
8033975C:  F3C10028   psq_st   f30,40(r1),0,0
80339760:  93E1001C   stw   r31,28(r1)
80339764:  7C7F1B78   mr   r31,r3
80339768:  C0030000   lfs   f0,0(r3)
8033976C:  C10300C8   lfs   f8,200(r3)
80339770:  EDA30024   fdivs   f13,f3,f0
80339774:  C0E300CC   lfs   f7,204(r3)
80339778:  C0C300D0   lfs   f6,208(r3)
8033977C:  C16300A4   lfs   f11,164(r3)
80339780:  C0A300D4   lfs   f5,212(r3)
80339784:  C00300D8   lfs   f0,216(r3)
80339788:  ED8D0232   fmuls   f12,f13,f8
8033978C:  C08300DC   lfs   f4,220(r3)
80339790:  ED4D01F2   fmuls   f10,f13,f7
80339794:  C12300A8   lfs   f9,168(r3)
80339798:  ED0D01B2   fmuls   f8,f13,f6
8033979C:  C0E300AC   lfs   f7,172(r3)
803397A0:  EDA9507A   fmadds   f13,f9,f1,f10
803397A4:  C143009C   lfs   f10,156(r3)
803397A8:  EFCB607A   fmadds   f30,f11,f1,f12
803397AC:  C0C30098   lfs   f6,152(r3)
803397B0:  ED87407A   fmadds   f12,f7,f1,f8
803397B4:  C12300A0   lfs   f9,160(r3)
803397B8:  ED6337BA   fmadds   f11,f3,f30,f6
803397BC:  C0E300B0   lfs   f7,176(r3)
803397C0:  ED030172   fmuls   f8,f3,f5
803397C4:  C0A300B4   lfs   f5,180(r3)
803397C8:  ECC30032   fmuls   f6,f3,f0
803397CC:  C00300B8   lfs   f0,184(r3)
803397D0:  EC230132   fmuls   f1,f3,f4
803397D4:  D3C300A4   stfs   f30,164(r3)
803397D8:  ED43537A   fmadds   f10,f3,f13,f10
803397DC:  ED234B3A   fmadds   f9,f3,f12,f9
803397E0:  D1A300A8   stfs   f13,168(r3)
803397E4:  EC8740BA   fmadds   f4,f7,f2,f8
803397E8:  EC6530BA   fmadds   f3,f5,f2,f6
803397EC:  D18300AC   stfs   f12,172(r3)
803397F0:  EC0008BA   fmadds   f0,f0,f2,f1
803397F4:  D1630098   stfs   f11,152(r3)
803397F8:  D143009C   stfs   f10,156(r3)
803397FC:  D12300A0   stfs   f9,160(r3)
80339800:  D08300B0   stfs   f4,176(r3)
80339804:  D06300B4   stfs   f3,180(r3)
80339808:  D00300B8   stfs   f0,184(r3)
8033980C:  4BFFFEC9   bl   0x803396d4
80339810:  FC20F890   fmr   f1,f31
80339814:  7FE3FB78   mr   r3,r31
80339818:  38810008   addi   r4,r1,8
8033981C:  38BF00BC   addi   r5,r31,188
80339820:  4BFFFE39   bl   0x80339658
80339824:  7FE3FB78   mr   r3,r31
80339828:  38810008   addi   r4,r1,8
8033982C:  4BFFFA35   bl   0x80339260
80339830:  C002D4F0   lfs   f0,-11024(r2)
80339834:  D01F00D0   stfs   f0,208(r31)
80339838:  D01F00CC   stfs   f0,204(r31)
8033983C:  D01F00C8   stfs   f0,200(r31)
80339840:  D01F00DC   stfs   f0,220(r31)
80339844:  D01F00D8   stfs   f0,216(r31)
80339848:  D01F00D4   stfs   f0,212(r31)
8033984C:  E3E10038   psq_l   f31,56(r1),0,0
80339850:  CBE10030   lfd   f31,48(r1)
80339854:  E3C10028   psq_l   f30,40(r1),0,0
80339858:  CBC10020   lfd   f30,32(r1)
8033985C:  83E1001C   lwz   r31,28(r1)
80339860:  80010044   lwz   r0,68(r1)
80339864:  7C0803A6   mtlr   r0
80339868:  38210040   addi   r1,r1,64
8033986C:  4E800020   blr   
[/spoiler]

Stack from disassembler during WRITE BP (X co-ord):
803397F4
8033A3B4
8033A3B4
803674B4
80431B64
80362048
8033B4A4
8022F73C
802683A4
80269784
8022FDB4
802306CC
801C35EC
8023828C
8022E90C
80006470

I wasn't sure if you wanted the stack from all of the X, Y, Z co-ords?
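
Added example, not part of the thread: a Python reading of the X-axis path through the posted function (80339768 to 803397F4), using values from the write-breakpoint register dump, together with the float-versus-hex addition point made earlier in the thread. The names `dt`, `vx`, `accel`, `scale` and `damping` are assumed labels for f3, 164(r3), 200(r3), 0(r3) and f1; the thread does not name them.

```python
import struct

def f32(word):
    """Read a 32-bit register/memory word as a big-endian IEEE-754 single."""
    return struct.unpack(">f", struct.pack(">I", word))[0]

def to_word(value):
    """Encode a Python float as the 32-bit word stfs would store."""
    return struct.unpack(">I", struct.pack(">f", value))[0]

def float_add(word, delta):
    """Add a float to a stored float; returns the new word to poke."""
    return to_word(f32(word) + delta)

def step_x(x, vx, accel, dt, scale, damping):
    """X-axis path through 80339768..803397F4 (offsets are from r3).
    fdivs  f13,f3,f0       k  = dt / [0]
    fmuls  f12,f13,f8      a  = k * [200]
    fmadds f30,f11,f1,f12  vx = [164] * f1 + a  -> stfs f30,164(r3)
    fmadds f11,f3,f30,f6   x  = dt * vx + [152] -> stfs f11,152(r3)
    Rounding each result through to_word approximates single precision.
    """
    vx = f32(to_word(vx * damping + (dt / scale) * accel))
    x = f32(to_word(dt * vx + x))
    return x, vx

# Values copied from the posted write-breakpoint register dump.
DT = f32(0x3E800000)     # f31: copy of f3 made at 80339754 (fmr f31,f3)
VX = f32(0x4006188C)     # f30: value just stored to 164(r3)
X_NEW = f32(0x4488DCA8)  # f11: value about to be stored to 152(r3)

def x_before_write():
    """Undo the last fmadds to recover the X coordinate before this call."""
    return X_NEW - DT * VX

if __name__ == "__main__":
    print("dt=%.4f vx=%.4f x_new=%.4f" % (DT, VX, X_NEW))
    print("x before write: %.4f" % x_before_write())
    # Float add vs. adding the raw hex words (constructed comparison).
    print(hex(float_add(0x3F800000, 1.0)), f32(0x3F800000 + 0x3F800000))
```

Read this way, the word at 164(r3) is what gets scaled by f3 and added to the X co-ord on each call, and 200(r3) feeds into it before the function overwrites 200 to 220(r31) at 80339834 onwards.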