Free Fly - Plane speed mod

Started by Dude, April 09, 2011, 06:54:43 PM


dcx2

if   803397F4:  D1630098   stfs   f11,152(r3)   is the X coordinate, then

803397F8:  D143009C   stfs   f10,156(r3)
803397FC:  D12300A0   stfs   f9,160(r3)

are probably Y and Z, so we don't need them.  We can work with this, however you should also do a Copy All Frames on this breakpoint too, because it's a little different than the read.

---

803397F4:  D1630098   stfs   f11,152(r3)  # writes X coordinate

Where did f11 come from?

---

803397B8:  ED6337BA   fmadds   f11,f3,f30,f6  # f11 = f3 * f30 + f6

Where did f3, f30, and f6 come from?

---

f3 comes from the caller, so we need Copy All Frames to answer that
803397AC:  C0C30098   lfs   f6,152(r3)  # NOTE: X COORDINATE
803397A8:  EFCB607A   fmadds   f30,f11,f1,f12 # f30 = f11 * f1 + f12

Note how f6 loads the "original coordinates", then some time later after some multiplies and adds, we write back to the coordinates at the breakpoint.  This looks like a good place to be.

Where do f11, f1, and f12 come from?

---

8033977C:  C16300A4   lfs   f11,164(r3)
f1 comes from caller
80339788:  ED8D0232   fmuls   f12,f13,f8 # f12 = f13 * f8

f13, and f8?

---

8033976C:  C10300C8   lfs   f8,200(r3)
80339770:  EDA30024   fdivs   f13,f3,f0 # f13 = f3 / f0

---

f3 comes from the caller
80339768:  C0030000   lfs   f0,0(r3)

---

So we have

((f3 / f0) * f8 + f11 * f1) * f3 + f6

((f3 / 0[r3]) * 200[r3] + 164[r3] * f1) * f3 + 152[r3]

A similar pattern can be seen for the Y and Z coords.  The only known quantity is that 152[r3] = X coord.

---

Things to try:  nop the stfs for the X coord and see if you can't move along that axis.  Try setting 164[r3] to zero, to see what the effect of the (164[r3] * f1) term is.  Try setting 200[r3] to zero, to see what the effect of the (f3 / 0[r3]) * 200[r3] term is.
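A worked version of the backward trace dcx2 walks through above, added here as an example (it is not code from the thread or from Gecko.NET). It parses the quoted instruction lines, follows each register back to the instruction that last wrote it, and renders the result as an expression: first at register level, then with the loads shown as d(rA) operands, then with the displacements resolved against an r3 value. The listing is constructed from the lines quoted above only (the instructions between them are not on the page), the r3 value 0x80D35384 is the one Dude reports from the write breakpoint later in the thread, and the instruction semantics (fmadds fD,fA,fC,fB = fA*fC+fB and so on) follow the comments in the trace.

```python
import re
from dataclasses import dataclass

# Constructed input: the PowerPC lines quoted in this thread, in address order.
# Instructions between them are not on the page and are omitted, so the trace
# only sees the dependencies the thread itself established.
LISTING = """
80339768:  C0030000   lfs     f0,0(r3)
8033976C:  C10300C8   lfs     f8,200(r3)
80339770:  EDA30024   fdivs   f13,f3,f0
8033977C:  C16300A4   lfs     f11,164(r3)
80339788:  ED8D0232   fmuls   f12,f13,f8
803397A8:  EFCB607A   fmadds  f30,f11,f1,f12
803397AC:  C0C30098   lfs     f6,152(r3)
803397B8:  ED6337BA   fmadds  f11,f3,f30,f6
803397F4:  D1630098   stfs    f11,152(r3)
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{8})\s+(\w+)\s+(\S+)$")
STORES = {"stfs", "stw"}
PREC = {"+": 1, "-": 1, "*": 2, "/": 2}


@dataclass
class Insn:
    addr: int
    mnemonic: str
    ops: list  # operands as written, e.g. ['f11', '152(r3)']


def parse_listing(text):
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        insns.append(Insn(int(m.group(1), 16), m.group(3), m.group(4).split(",")))
    return insns


def defines(insn):
    """Register written by the instruction, or None for a store."""
    return None if insn.mnemonic in STORES else insn.ops[0]


def last_def(reg, before, insns):
    """Index of the most recent instruction before index `before` that writes `reg`."""
    for i in range(before - 1, -1, -1):
        if defines(insns[i]) == reg:
            return i
    return None


def build(reg, before, insns, stop_at_loads=False):
    """Expression tree for the value in `reg` just before instruction index `before`.
    Nodes: ('reg', name) | ('mem', disp, base) | ('bin', op, lhs, rhs)."""
    i = last_def(reg, before, insns)
    if i is None:
        return ("reg", reg)  # live-in: set by the caller, so the trace stops here
    mn, ops = insns[i].mnemonic, insns[i].ops
    sub = lambda r: build(r, i, insns, stop_at_loads)  # operand values before insn i
    if mn == "lfs":
        if stop_at_loads:
            return ("reg", reg)
        disp, base = re.match(r"(-?\d+)\((r\d+)\)", ops[1]).groups()
        return ("mem", int(disp), base)
    if mn in ("frsp", "fmr"):  # the value just changes register
        return sub(ops[1])
    if mn in ("fadds", "fsubs", "fmuls", "fdivs"):
        op = {"fadds": "+", "fsubs": "-", "fmuls": "*", "fdivs": "/"}[mn]
        return ("bin", op, sub(ops[1]), sub(ops[2]))
    if mn in ("fmadds", "fmsubs"):  # fD = fA * fC (+|-) fB, written fD,fA,fC,fB
        op = "+" if mn == "fmadds" else "-"
        return ("bin", op, ("bin", "*", sub(ops[1]), sub(ops[2])), sub(ops[3]))
    raise NotImplementedError(mn)


def resolve_displacement(disp, base_value):
    """Effective address of d(rA): the displacement is decimal, the register value hex."""
    return (base_value + disp) & 0xFFFFFFFF


def render(node, r_values=None):
    """Render a tree as infix text; r_values maps e.g. 'r3' to its value for resolving loads."""
    if node[0] == "reg":
        return node[1]
    if node[0] == "mem":
        _, disp, base = node
        if r_values and base in r_values:
            return f"[0x{resolve_displacement(disp, r_values[base]):08X}]"
        return f"{disp}({base})"
    _, op, lhs, rhs = node

    def side(child, right):
        s = render(child, r_values)
        if child[0] != "bin":
            return s
        cp, pp = PREC[child[1]], PREC[op]
        # parenthesise lower precedence, mixed same-precedence ops, and right-nested - or /
        if cp < pp or (cp == pp and (child[1] != op or (right and op in "-/"))):
            return f"({s})"
        return s

    return f"{side(lhs, False)} {op} {side(rhs, True)}"


def memory_operands(node):
    """Distinct d(rA) loads feeding the expression: the terms worth poking."""
    found = set()

    def walk(n):
        if n[0] == "mem":
            found.add((n[1], n[2]))
        elif n[0] == "bin":
            walk(n[2])
            walk(n[3])

    walk(node)
    return sorted(found)


def trace_store(insns, store_addr, stop_at_loads=False):
    """Expression for the value the stfs at `store_addr` writes, traced backwards."""
    idx = next(i for i, x in enumerate(insns) if x.addr == store_addr)
    assert insns[idx].mnemonic == "stfs"
    return build(insns[idx].ops[0], idx, insns, stop_at_loads)


INSNS = parse_listing(LISTING)
R3 = 0x80D35384  # r3 at the write breakpoint, as reported later in the thread


def register_expression():
    return render(trace_store(INSNS, 0x803397F4, stop_at_loads=True))


def memory_expression():
    return render(trace_store(INSNS, 0x803397F4))


def resolved_expression():
    return render(trace_store(INSNS, 0x803397F4), {"r3": R3})


if __name__ == "__main__":
    print(register_expression())
    print(memory_expression())
    print(resolved_expression())
    for disp, base in memory_operands(trace_store(INSNS, 0x803397F4)):
        print(f"{disp}({base}) -> 0x{resolve_displacement(disp, R3):08X}")
```

The operand order differs from dcx2's hand-written version (the tool keeps fA * fC as written, so it prints f3 * (...) rather than (...) * f3), but the tree is the same. The resolved form is what you would paste into a memory viewer; note that the displacement is added as a decimal number, which is the pitfall dcx2 raises further down the thread.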

Dude

I've wanted to get into ASM and I might have just stumbled on the correct challenge to do it....only I've jumped into the deep end lol

I have attached the frames for the WRITE BP on the X Coord.

803397F4: stfs f11,152(r3)  - nop prevents moving along X axis.
803397F8: stfs f10,156(r3)  - nop prevents moving along Y axis.
803397FC: stfs f9,160(r3)   - nop prevents moving along Z axis.

I followed 164[r3] (80D35384+164) and it's already showing as zero.  I viewed it in memviewer with auto update on.  Changing the value appeared to do nothing.

I followed 200[r3] (80D35384+200) and it was set to 0000002C, unchanging.  Changing to 00000000 appeared to do nothing and setting random values did nothing at all.

Did I go about this the correct way?

---------------------------------------------------------------------------------
I stand by what I said about wanting to download a portion of your brain.  It's mind blowing how you seem to cruise this ASM with ease without having access to the debugger  8)

dcx2

Be careful.  The displacement operand is usually specified in decimal, but we usually specify addresses in hex, with a bad habit of dropping the hex notation 0x.

164(r3) = 0x80D35384 + 0xA4 = 0x80D35428

dcx2

I actually started adding features to Gecko.NET not because I needed them, but because they helped other people collect the information that I look for automatically.

we wanted to know where f3 comes from

8033A360:  C00681D0   lfs   f0,-32304(r6)
...
8033A368:  FC600018   frsp   f3,f0

Where did r6 come from?

---

8033A320:  3CC0807E   lis   r6,-32642

0x807E0000 - 0x10000 + 0x81D0 = 0x807D81D0

So that's interesting.  frsp = Floating point Round to Single Precision; f0 is already single precision (lfs), so this just moves f0 to f3.  And f0 comes from 807D81D0.  I bet this is a very interesting value to play with.  Also, it will never move, so you won't need a C2 code to change it.  However, it will be different for other regions (PAL, NTSC-J).

---

We were also interested in f1.  f1 comes from way far back, though.  It would be difficult to explain how to trace back to f1.  You can try to set a breakpoint on 80367498:  C0230000   lfs   f1,0(r3), but you might get false positives.
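To make the two address calculations in this thread concrete, here is an added example (mine, not code from the thread or from Gecko.NET) that decodes the raw 32-bit words quoted above. D-form instructions carry a signed 16-bit immediate, the disassembler prints it in decimal, and lis places its immediate in the high half of the register. Run on 3CC0807E and C00681D0 it reproduces the 0x807D81D0 address derived above; run on C16300A4 it reproduces the 164(r3) = 0x80D35384 + 0xA4 arithmetic from dcx2's earlier post. The opcode table covers only the instruction forms that appear in this thread; the words themselves are the ones quoted here, re-used as test input.

```python
# Minimal D-form decoder for the PowerPC instructions quoted in this thread.
# Only the primary opcodes seen here (plus addi/lwz/stw for completeness) are known.
OPCODES = {14: "addi", 15: "addis", 32: "lwz", 36: "stw", 48: "lfs", 52: "stfs"}


def signed16(value):
    """Interpret the low 16 bits of `value` as a two's-complement integer."""
    value &= 0xFFFF
    return value - 0x10000 if value & 0x8000 else value


def decode(word):
    """Decode a D-form word into (mnemonic, rD/rS, rA, signed immediate)."""
    opcode = word >> 26
    rd = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    imm = signed16(word)
    mnemonic = OPCODES[opcode]
    # Simplified mnemonics used by the disassembler: addis/addi with rA=0 print as lis/li.
    if opcode == 15 and ra == 0:
        mnemonic = "lis"
    if opcode == 14 and ra == 0:
        mnemonic = "li"
    return (mnemonic, rd, ra, imm)


def format_insn(word):
    """Print the instruction the way the thread's listing does: displacement in decimal."""
    mn, rd, ra, imm = decode(word)
    if mn in ("lis", "li"):
        return f"{mn}   r{rd},{imm}"
    if mn in ("addi", "addis"):
        return f"{mn}   r{rd},r{ra},{imm}"
    reg = "f" if mn in ("lfs", "stfs") else "r"
    return f"{mn}   {reg}{rd},{imm}(r{ra})"


def lis_value(imm):
    """Register contents after lis rD,imm: the 16-bit immediate becomes the high half."""
    return (imm & 0xFFFF) << 16


def effective_address(base_value, disp):
    """d(rA) with the decimal displacement added to the (hex) register value."""
    return (base_value + disp) & 0xFFFFFFFF


def static_address(lis_word, load_word):
    """Address read by a lis / lfs pair such as 8033A320 and 8033A360 above."""
    lis_mn, lis_rd, _, lis_imm = decode(lis_word)
    _, _, ld_ra, disp = decode(load_word)
    assert lis_mn == "lis" and ld_ra == lis_rd, "load must use the register lis set"
    return effective_address(lis_value(lis_imm), disp)


if __name__ == "__main__":
    for word in (0x3CC0807E, 0xC00681D0, 0xC16300A4, 0xD1630098):
        print(f"{word:08X}   {format_insn(word)}")
    print(f"lis/lfs target: 0x{static_address(0x3CC0807E, 0xC00681D0):08X}")
    # The pitfall: 164 read as hex 0x164 lands 192 bytes past the real operand.
    print(f"164(r3) decimal: 0x{effective_address(0x80D35384, 164):08X}")
    print(f"164(r3) as hex:  0x{effective_address(0x80D35384, 0x164):08X}")
```

The lis immediate -32642 is 0x807E as an unsigned 16-bit value, which is why dcx2's shortcut of writing 0x807E0000 and then subtracting 0x10000 for the negative displacement gives the same 0x807D81D0 as adding the signed -32304 directly.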

Dude

#19
I wasn't aware that the displacement operand was a decimal value!  This could well be something that crippled most of what I've tried in the past!

dcx2, you are a star.

I've found two addresses that seem to be modifiers for the main "forward" velocity.
The address found with 200[r3] (80D35384+200) was only filled during the initial take off and then was zeroed during flight.
It turned out to be the X velocity multiplier.  Basically, setting this float would make the plane "accelerate" to the side (depending on it being a positive or negative float)

The following address handled the Y velocity multiplier and the next was the Z velocity, speeding up the plane.

They would all immediately return to zero after being poked, but it is obviously read and used for calculations.

As I said, there were two possibilities and both addresses are rapidly returned to zero after being poked; a constant write using a float gives the effect needed.

One address provides a gradual acceleration.  The address appears to be read and the value added to the OTHER address, giving acceleration.  A negative float acts like deceleration or "brake".  It's even possible to reverse ;)

The other address gives a sudden speed jump.  A negative value on this acts like a sudden "brake" yet does not allow you to reverse.

Constantly writing to either address does not mean that you just keep gaining speed, but will reach whatever speed you have set.  You need to add with a higher float in order to reach higher speeds.

------------------------------------------------------------------------------------------------------------------
I'd like to release this code but the credit goes to you, dcx2.  I'll PM you the code I created with the details.  All I found for this code was the controller address.

I'm planning on using this to hopefully find another address that handles the "current" speed and, next, player 2 speed for dogfighting.  I'm sure there are people out there that would love the crazy dogfights that can be had with increased time and awesome speeds  O0

I would like to ask for your help with walking through the ASM and following the steps you used to reach this result, if that's ok?

I can't thank you enough for your help, once again!

dcx2

#20
You can post the code as yours, just make a note "with assistance from dcx2"

After all, you did the breakpoint on the XYZ coordinates.  For me, that's the hard part.  Reading the ASM is much easier than finding the right ASM to look at.

You also played around with the data to verify which addresses did what, something I couldn't do without the game.

---

As far as the steps that I used, this previous post outlined them.  http://wiird.l0nk.org/forum/index.php/topic,8093.msg68073.html#msg68073

Essentially you start with your breakpoint, which was a stfs f11.  And then work backwards through the ASM to figure out where f11 came from.  In this case, f11 came from multiple calculations, so you just need to work backwards through the ASM to figure out where each part came from.  Then comes the trial-and-error part, where you change one term in the equation and see what the result is, so that you can identify what a given term does.

---

BTW, regarding this part: 200[r3] (80D35384+200)

I only used [r3] because there were other ()'s being used for their mathematical meaning (Order of Operations) when I was working out how the floats are processed.  In general, you should use (r3) instead.

And again, if the displacement operand is 200, then what you actually add is 0xC8

200(r3) = 0x80D35384 + 0xC8

Also...did you try testing the static float that's loaded from 807D81D0?  I'm interested in what happens when you change that float.

Dude

I will definitely be sure to make it known that you helped me with this.
I don't really feel that I deserve the credit...the most crucial part is understanding the ASM and I'm not as good yet as I hope to be :(

I'm definitely going to be looking over your notes and applying it to what I discovered.
Will be well worth going back to searching for the coords and acting like I didn't find the code, just to see if I can follow and understand it more.

I'll be remembering that the displacement operand is in decimal form, for sure.  I feel that it's that little detail that was defeating me every time I tried to follow the ASM and got nowhere.

I can't remember if I checked 807D81D0, but I'll be looking at that the next chance I get to connect my Gecko, hopefully today.  Not yet done with exploring all the possibilities and finding and creating all the ideas that I planned for the plane before moving on to the next segment of my challenges :D

-------

I wasn't really going to pursue the release of codes.  I didn't want to step on people's toes if I make something that they made, etc.  But I've got a great selection of codes made, some that have not been created yet, even after this time, so might go ahead for the hacker status.

Where would be the best place to release this code and the others?

dcx2

You said the game id was SP2P01?

You can make a post in the PAL Wii Codes section.  Give it the title of the game and make sure to include the game id.  http://wiird.l0nk.org/forum/index.php/board,28.0.html

Once you post five codes, make another post in the Code Database Access thread with a link to your posts.  I will give you Hacker status and James will create a GeckoCodes account for you so you can share your codes with the world.  http://wiird.l0nk.org/forum/index.php/topic,267.0.html

Dude

 :D  I'll get a list of codes ready.  Thanks for the help.

There is one little snag that I need to check for the disc, though.
When booting the disc, I have to pick between Wii Sports or Wii Sports Resort.

I can't hook into Wii Sports Resort until I've picked that game, then I'll connect Gecko.Net.
Not tried using just GeckOS yet, but I'll do that today when I get the chance.

No sense releasing codes for a game that requires a delayed hook with a USBGecko  :-\
At the least, maybe others will be able to reproduce the codes on the other versions or I can port them over when I find them.  I've got my nephew's Wii Sports Resort disc I can use to test the ports.

Dude

Ok, I've tested using only GeckOS with some of the cheats enabled and everything worked fine  O0
Kinda stupid of me to think otherwise :p

Also, I've looked into address 807D81D0 and poked a few floats into it.  It modifies the plane's X speed, positive and negative floats dictating the direction.  Would make sense as all breakpoints and ASM were pointing at the X coord.

I looked right next to it and found both the Y (807D81D4) and Z (807D81D8) speeds as expected.
Interestingly, though, any float poked into these addresses remains without decreasing/increasing like the other two that I found do, and requires higher value floats to achieve any considerable speed.
A negative on the Z speed also allows backwards flight, just like one of the others.

It's interesting that these X/Y/Z addresses are referenced in the calculation, seeing as the values do not change at all during flight...
That's going to leave me wondering for a while...