Universal button activator/mapper/spoofer (now with shaking!)

Started by dcx2, April 20, 2011, 05:19:19 AM


biolizard89

Quote from: dcx2 on September 05, 2011, 05:19:52 PM
Quote from: biolizard89 on September 04, 2011, 08:19:55 PM
Also, the behavior resulting from poking the pad data depends on your hook type.  If the code handler executes after the pad data has been processed, poking it won't have any effect.  If the code handler instead executes between the PadRead routine and the first time the pad data is read from the master pad data address, then poking will work.  (As you might be able to guess, the PadRead hooktype is optimal, if it hooks.  But since you're trying to find the PadRead function, I'm guessing that the PadRead hooktype didn't hook, otherwise you'd be using that result.)

This is not entirely true.  During a breakpoint, the code handler is running non-stop.  So if you poke during a breakpoint, the poke happens immediately.  You can also change the registers during a breakpoint, which is kinda like poking.

Also, what signature does the PadRead hook look for?
I'm aware that BP's would act differently from my description; I was referring to standard pokes (not during a BP).  This made a difference with GeckoTunnel (GeckoTunnel pokes the pad data each time the code handler runs, which is why it only works properly with the PadRead hook).  Obviously if you're in a BP then this isn't an issue.  Sorry for any ambiguity.

Here are the PadRead hooks for GC games, from Neogamma (I assume GeckoOS Mod is the same):
const u32 hook0[11] = {
0x38000000, 0x9815000A, 0xA0150000, 0x5400066E, 0xB0150000, 0x3AF70001, 0x2C170004, 0x3B7B0004, 0x3B5A0002, 0x3B39000C, 0x3AB5000C
};

const u32 hook1[11] = {
0x38000000, 0x981F000A, 0xA01F0000, 0x5400066E, 0xB01F0000, 0x3AB50001, 0x2C150004, 0x3B18000C, 0x3BFF000C, 0x4180FCC0, 0x7EC3B378
};

const u32 hook2[11] = {
0x38000000, 0x981F000A, 0xA01F0000, 0x5400066E, 0xB01F0000, 0x3AB50001, 0x2C150004, 0x3B18000C, 0x3BFF000C, 0x4180FCC8, 0x7EC3B378
};

const u32 hook3[11] = {
0x38000000, 0x9817000A, 0xA0170000, 0x5400066E, 0xB0170000, 0x3B390001, 0x2C190004, 0x3B9C000C, 0x3AF7000C, 0x4180FD6C, 0x7F43D378
};


And here are the Wii equivalents, also from Neogamma (probably the same as GeckoOS)

const u32 kpadhooks[4] = {
0x9A3F005E, 0x38AE0080, 0x389FFFFC, 0x7E0903A6
};

const u32 kpadoldhooks[6] = {
0x801D0060, 0x901E0060, 0x801D0064, 0x901E0064, 0x801D0068, 0x901E0068
};

const u32 joypadhooks[4] = {
0x3AB50001, 0x3A73000C, 0x2C150004, 0x3B18000C
};

const u32 wpadbuttonsdownhooks[4] = {
0x7D6B4A14, 0x816B0010, 0x7D635B78, 0x4E800020
};

const u32 wpadbuttonsdown2hooks[4] = {
0x7D6B4A14, 0x800B0010, 0x7C030378, 0x4E800020
};
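To show what "finding the PadRead hook" by signature means in practice, here is an added example (not code from the post or from Neogamma): a word-aligned scanner over a big-endian memory image, run against a constructed dump that contains the hook2 pattern. It also shows why hook1 and hook2 are listed separately: they differ only in one branch displacement, so a scan for one does not match the other.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read one 32-bit word in big-endian order, as a PowerPC memory dump stores it. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Scan a memory image for n consecutive instruction words and return the byte
 * offset of the first match, or -1 if the signature is absent. The scan steps
 * 4 bytes at a time because PowerPC instructions are word aligned. */
long find_signature(const uint8_t *mem, size_t len, const uint32_t *sig, size_t n) {
    for (size_t off = 0; off + n * 4 <= len; off += 4) {
        size_t i = 0;
        while (i < n && be32(mem + off + i * 4) == sig[i]) i++;
        if (i == n) return (long)off;
    }
    return -1;
}

/* Two of the GC PadRead signatures quoted above; they differ only in the
 * branch displacement in word 10 (0x4180FCC0 vs 0x4180FCC8). */
static const uint32_t hook1[11] = {
    0x38000000, 0x981F000A, 0xA01F0000, 0x5400066E, 0xB01F0000, 0x3AB50001,
    0x2C150004, 0x3B18000C, 0x3BFF000C, 0x4180FCC0, 0x7EC3B378 };
static const uint32_t hook2[11] = {
    0x38000000, 0x981F000A, 0xA01F0000, 0x5400066E, 0xB01F0000, 0x3AB50001,
    0x2C150004, 0x3B18000C, 0x3BFF000C, 0x4180FCC8, 0x7EC3B378 };

/* Constructed 128-byte "dump": zero filler with hook2 placed at byte offset 40. */
#define DUMP_LEN 128
#define HOOK2_OFFSET 40
static uint8_t dump[DUMP_LEN];

static void build_dump(void) {
    memset(dump, 0, DUMP_LEN);
    for (size_t i = 0; i < 11; i++) {
        uint32_t w = hook2[i];
        uint8_t *p = dump + HOOK2_OFFSET + i * 4;
        p[0] = (uint8_t)(w >> 24); p[1] = (uint8_t)(w >> 16);
        p[2] = (uint8_t)(w >> 8);  p[3] = (uint8_t)w;
    }
}

/* hook2 is present at offset 40; hook1 must not match the same bytes. */
long locate_hook2(void) { build_dump(); return find_signature(dump, DUMP_LEN, hook2, 11); }
long locate_hook1(void) { build_dump(); return find_signature(dump, DUMP_LEN, hook1, 11); }
```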

daijoda

So I couldn't find the padread function... but I'd like to revisit this idea with a different approach. Can I use one of those "universal" padread hooks to do a similar job? A few questions:

1. Could someone please briefly explain what a "pad hook" does? Is it an address for recording which buttons are pressed?

2. What do you mean by "hook"? When something is hooked, does it mean you now have recorded 1 of its addresses' location, and you can calculate all its other addresses' locations based on their relative location from that known address?

For the following example code:

Universal GC Pad hook[XeR]
4A000000 CD000000
14006430 A895A2F0
E0008000 80008000

3. Can I see what's at CD006430 in MemView? Even if I couldn't visually see what's at the address, a "14" code can write to it?

4. Why is the last line "E0008000", not "E0000000"?

5. Is a "one shot button" the same as a "delta activator"?

Thanks!

dcx2

2) A hook is something that runs with something else.

For instance, assume you found the ASM address that decreases Mario's lives by 1 whenever he dies.  You can then write a C2 code that "hooks" this ASM, and does something else (e.g. gives him 1 life).  The "hook" means that the C2 code will run when that ASM address is executed.

Hooks are a prominent concept in programming.

1) A pad hook can either refer to the code handler's hook (i.e. call the code handler whenever the game reads from the pad), or in XeR's case it just means that he's forcing the pad to be read.

3) You may be able to see CD006430 in memview, but I'm not sure what you'd get.  Look at YAGCD http://hitmen.c02.at/files/yagcd/yagcd/chap5.html#sec5.9 to see what this address does.  It's the Serial Interface Poll Register.

4) I don't know why.  Typo?

5) "one shot" is a generic term that means something happens the first time an event happens, but does not happen again until the event stops.  In the case of buttons, it means when you press the button, the effect only happens once.  There are several ways to do one-shot activators.  One of them is what I call "delta activators".  Delta comes from the generic science term meaning 'difference'.  Delta activators are calculated by XORing the last frame's button states with the current frame's button states to detect what buttons changed (the "delta mask").  Delta activators are easy to use, but if the code handler's hook runs more than once per frame, delta activators can cause glitches where the activator runs twice (because the delta mask is only changed once per frame).
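An added simulation (not code from this thread) of the delta activator described above, with the double-run glitch reproduced and, as a contrast that goes slightly beyond the post, a latch-style one-shot that keeps its own state so it stays correct when the handler runs twice per frame. The A-button bit value is assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define BTN_A 0x0008  /* Wiimote A button bit; value assumed for this example */

/* Pad state as the handler sees it: this frame's buttons plus the delta mask
 * (last frame XOR this frame), which the pad routine recomputes once per frame. */
typedef struct { uint16_t held, delta; } pad_t;

void pad_new_frame(pad_t *p, uint16_t buttons) {
    p->delta = p->held ^ buttons;
    p->held  = buttons;
}

/* Delta activator: true when the button changed this frame and is now down. */
int delta_activator(const pad_t *p, uint16_t mask) {
    return (p->delta & mask) && (p->held & mask);
}

/* Latch-style one-shot: the handler remembers what it already reacted to, so it
 * cannot fire twice in one frame no matter how often the handler runs. */
int latch_activator(const pad_t *p, uint16_t mask, uint16_t *seen) {
    int fire = (p->held & mask) && !(*seen & mask);
    *seen = p->held;
    return fire;
}

/* Run n frames with `runs` handler executions per frame; count activations. */
int simulate(const uint16_t *frames, size_t n, int runs, int use_latch) {
    pad_t pad = {0, 0};
    uint16_t seen = 0;
    int fired = 0;
    for (size_t f = 0; f < n; f++) {
        pad_new_frame(&pad, frames[f]);
        for (int r = 0; r < runs; r++)
            fired += use_latch ? latch_activator(&pad, BTN_A, &seen)
                               : delta_activator(&pad, BTN_A);
    }
    return fired;
}

/* Constructed input: A pressed and held for 3 frames, released, tapped once more. */
static const uint16_t demo[] = { 0, BTN_A, BTN_A, BTN_A, 0, BTN_A, 0 };
#define DEMO_N (sizeof demo / sizeof demo[0])

int delta_once_per_frame(void)  { return simulate(demo, DEMO_N, 1, 0); } /* 2 presses */
int delta_twice_per_frame(void) { return simulate(demo, DEMO_N, 2, 0); } /* 4: the glitch */
int latch_twice_per_frame(void) { return simulate(demo, DEMO_N, 2, 1); } /* still 2 */
```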

daijoda

Thanks very much for answering all the questions, dcx2, even though I've never figured out how you manage to find the time to do that with everyone on this forum!

If a pad hook works like the _______ in a C2______ code, then, I presume one could find relevant information pertaining to the pad around the hook. If so, some of that information might be hijacked into creating button spoofers... I suppose this was what biolizard89 was saying earlier. This sounds incredibly useful. And a lot of the PadRead hooks have already been found. Have you ever considered using one of those for the mapper/spoofer?

dcx2

You're still a little confused, I think.

The GameCube controller is a very special case.  XeR's "pad hook" is a misnomer; it just enables the serial subsystem in the Wii so that it is allowed to read from the GameCube controller.  It is not ASM, all it does is enable the controller for reading; some other ASM must still do the reading.  If a game has no ASM for reading the controller and formatting the data, then nothing will happen.

Deathwolf

lolz

dcx2

Kinda?

The shake value in the Wiimote pad data is a vector sum of the XYZ accelerations.  Typically, the sum is about 1.0.  I found that modifying the sum directly didn't work very well.  However, if you modify one of the base accelerations before the sum is calculated, you can cause the game to think you jerked the controller in that frame.  The nunchuck also has a separate shake vector.

In this code, the Y axis acceleration is cranked up to 100 when a shake is spoofed.

Deathwolf

uff I tried to find the shaking activator with greater-than and less-than searches but I just failed. The original button activator doesn't have the shaking values. How have you found them and what about XYZ? The shaking address is completely different from the wiimote PAD address, or? I don't really get it :/
lolz

dcx2

Look around the normal button activators in Memory Viewer with Auto Update on.  Rotate and shake the controller and nunchuck.  They jump right out at you.  It may help to set Memory Viewer View Mode to Single.

Deathwolf

uff that's not easy or maybe I understand it wrong. If I don't shake the wiimote, it should be 1.0? Because there are more than 20 addresses which change their values when I shake it. However, I tried to nop them and it affected the wiimote buttons too.
lolz

Bully@Wiiplaza

what dcx2 said.
Find the delta activator first (the one that only uses the button values and it's 32bit).
If you've found it, there should be the one shot button activator +4 bytes.
Below that area should be some random floats. Keep an eye on them with auto-update on.
There's stuff like shaking wiimote/nunchuck, twisting wiimote and a nunchuck stick activator can be found there, too. It consists of two addresses that change when you move the stick. ;)

You could also take one of dcx2's shake nunchuck codes and analyse the address.
It's almost equal for most games!
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

Deathwolf

So it should be a 32 bit float and not only 16 bit like 0000FFFF and so on?
lolz

Bully@Wiiplaza

Quote from: Deathwolf on November 02, 2011, 08:29:32 PM
So it should be a 32 bit float and not only 16 bit like 0000FFFF and so on?
the delta activator always looks like this:

0000XXXX where XXXX is the button(s) that were pressed.

There should only be ONE in memory that's like this (except for the one shot button activator(s))

Deathwolf

lolz

dcx2

There are no 16 bit floats.  Floats are either 32-bit (single precision) or 64-bit (double precision).

Do NOT use the Search tab to look for this.  It will be very hard.  Just go to the memview tab, go to the button activator address, change view mode to Single, enable auto-update, and shake the Wiimote.  You'll see the values appear.

For instance, the new Kirby's activator address is 8080D08A.  So go there and do the MemView auto-update Single thing.