All frames for [WF4P] for damage(heros) functions

Started by Patedj, April 22, 2011, 04:49:14 PM


dcx2

Are you sure about that?

80095CE8:  7F64DB78   mr   r4,r27

The value in r4 is lost at this instruction.  If it had a value, that value came from the bl just before it, so you should look there to see how r4 came to have this value that you believe discriminates between friend and foe.

80095CE0:  48001315   bl   0x80096ff4


Patedj

OK, I will.
How about this, if I'm right?

80095CE8

stwu r1,-80(r1)      # open an 80-byte stack frame
stmw r14,8(r1)       # save r14-r31 into it
lis r14,-32678       # r14 = 0x805A0000
ori r14,r14,48544    # r14 = 0x805ABDA0
stw r14,0(r15)
cmpwi r4,15
mr r4,r27            # original instruction at 80095CE8
beq- NO_ADD
lmw r14,8(r1)        # restore r14-r31 and release the frame ...
addi r1,r1,80
NO_ADD:              # ... but this path skips both
lis r30,1
You can pm me, I've got time for your troubles.

dcx2

That will definitely crash.  You created a stack frame, and then sometimes you don't release it.

Patedj

yeah I see that, hmmm

here's the function:

80096FF4:  9421FFE0   stwu   r1,-32(r1)
80096FF8:  7C0802A6   mflr   r0
80096FFC:  90010024   stw   r0,36(r1)
80097000:  BF410008   stmw   r26,8(r1)
80097004:  7C7A1B78   mr   r26,r3
80097008:  7C9B2378   mr   r27,r4
8009700C:  3B800000   li   r28,0
80097010:  8004009C   lwz   r0,156(r4)
80097014:  83E40558   lwz   r31,1368(r4)
80097018:  540003DF   rlwinm.   r0,r0,0,15,15
8009701C:  83A40548   lwz   r29,1352(r4)
80097020:  83DF0078   lwz   r30,120(r31)
80097024:  41820018   beq-   0x8009703c
80097028:  80040098   lwz   r0,152(r4)
8009702C:  3BA0000A   li   r29,10
80097030:  540006B9   rlwinm.   r0,r0,0,26,28
80097034:  41820008   beq-   0x8009703c
80097038:  3BA00000   li   r29,0
8009703C:  80040514   lwz   r0,1300(r4)
80097040:  2C000000   cmpwi   r0,0
80097044:  40820154   bne-   0x80097198
80097048:  800400A0   lwz   r0,160(r4)
8009704C:  54000529   rlwinm.   r0,r0,0,20,20
80097050:  4082001C   bne-   0x8009706c
80097054:  8004000C   lwz   r0,12(r4)
80097058:  2C000001   cmpwi   r0,1
8009705C:  40820024   bne-   0x80097080
80097060:  80040098   lwz   r0,152(r4)
80097064:  54000529   rlwinm.   r0,r0,0,20,20
80097068:  41820018   beq-   0x80097080
8009706C:  7FE3FB78   mr   r3,r31
80097070:  38800010   li   r4,16
80097074:  4BFCC251   bl   0x800632c4
80097078:  3B800001   li   r28,1
8009707C:  48000010   b   0x8009708c
80097080:  7FE3FB78   mr   r3,r31
80097084:  38800010   li   r4,16
80097088:  4BFCC24D   bl   0x800632d4
8009708C:  807B0098   lwz   r3,152(r27)
80097090:  70603CC0   andi.   r0,r3,15552
80097094:  40820010   bne-   0x800970a4
80097098:  801B009C   lwz   r0,156(r27)
8009709C:  70000082   andi.   r0,r0,130
800970A0:  41820008   beq-   0x800970a8
800970A4:  3B800001   li   r28,1
800970A8:  54600631   rlwinm.   r0,r3,0,24,24
800970AC:  4182000C   beq-   0x800970b8
800970B0:  3BA00009   li   r29,9
800970B4:  4800001C   b   0x800970d0
800970B8:  7060B347   andi.   r0,r3,45895
800970BC:  40820010   bne-   0x800970cc
800970C0:  801B009C   lwz   r0,156(r27)
800970C4:  70000181   andi.   r0,r0,385
800970C8:  41820008   beq-   0x800970d0
800970CC:  3BA00003   li   r29,3
800970D0:  801B000C   lwz   r0,12(r27)
800970D4:  38600000   li   r3,0
800970D8:  907B051C   stw   r3,1308(r27)
800970DC:  2C000000   cmpwi   r0,0
800970E0:  40820050   bne-   0x80097130
800970E4:  807B009C   lwz   r3,156(r27)
800970E8:  546007BD   rlwinm.   r0,r3,0,30,30
800970EC:  40820044   bne-   0x80097130
800970F0:  546003DF   rlwinm.   r0,r3,0,15,15
800970F4:  4082003C   bne-   0x80097130
800970F8:  801B040C   lwz   r0,1036(r27)
800970FC:  2C000000   cmpwi   r0,0
80097100:  40820030   bne-   0x80097130
80097104:  801A3EC0   lwz   r0,16064(r26)
80097108:  540007FF   rlwinm.   r0,r0,0,31,31
8009710C:  41820024   beq-   0x80097130
80097110:  2C1C0000   cmpwi   r28,0
80097114:  4082001C   bne-   0x80097130
80097118:  38000001   li   r0,1
8009711C:  901B051C   stw   r0,1308(r27)
80097120:  7FE3FB78   mr   r3,r31
80097124:  38800010   li   r4,16
80097128:  4BFCC19D   bl   0x800632c4
8009712C:  3BA0000D   li   r29,13
80097130:  801B009C   lwz   r0,156(r27)
80097134:  540007BD   rlwinm.   r0,r0,0,30,30
80097138:  41820030   beq-   0x80097168
8009713C:  2C1D0009   cmpwi   r29,9
80097140:  4182000C   beq-   0x8009714c
80097144:  2C1D0003   cmpwi   r29,3
80097148:  40820010   bne-   0x80097158
8009714C:  7FC3F378   mr   r3,r30
80097150:  7FA4EB78   mr   r4,r29
80097154:  4BFE02E5   bl   0x80077438
80097158:  7FC3F378   mr   r3,r30
8009715C:  38800010   li   r4,16
80097160:  4BFDFAC9   bl   0x80076c28
80097164:  4800001C   b   0x80097180
80097168:  7FC3F378   mr   r3,r30
8009716C:  7FA4EB78   mr   r4,r29
80097170:  4BFE02C9   bl   0x80077438
80097174:  7FC3F378   mr   r3,r30
80097178:  38800010   li   r4,16
8009717C:  4BFDFABD   bl   0x80076c38
80097180:  801B040C   lwz   r0,1036(r27)
80097184:  2C000000   cmpwi   r0,0
80097188:  40820010   bne-   0x80097198
8009718C:  7F43D378   mr   r3,r26
80097190:  7F64DB78   mr   r4,r27
80097194:  4BFF7091   bl   0x8008e224
80097198:  BB410008   lmw   r26,8(r1)
8009719C:  80010024   lwz   r0,36(r1)
800971A0:  7C0803A6   mtlr   r0
800971A4:  38210020   addi   r1,r1,32
800971A8:  4E800020   blr   
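An added example, not from the thread: a small Python decoder for the PowerPC forms the pasted function uses (lwz, rlwinm., andi., b/bl, bc), run over raw words copied from the listing above. For every Rc-setting mask test it reports which word of the struct in r4/r27 is being tested and with which mask, and it recomputes branch targets from the encodings (for instance 48001315 at 80095CE0 really is bl 0x80096ff4). The LISTING table is a constructed subset of the lines above (the loads and flag tests only); the register tracking is deliberately naive (last lwz into a register wins, no control flow), which is enough for this function because every test follows its load on a straight path.

```python
# Added example (not from the thread): a minimal decoder for the PowerPC
# instruction forms the pasted function uses.  Addresses and raw words in
# LISTING are copied from the listing above; everything else is mine.

def rlwinm_mask(mb, me):
    """Mask for PowerPC bits mb..me (bit 0 = MSB); wraps around if mb > me."""
    hi = (1 << (32 - mb)) - 1                 # bits mb..31 set
    lo = 0xFFFFFFFF ^ ((1 << (31 - me)) - 1)  # bits 0..me set
    return hi & lo if mb <= me else hi | lo


def sext(value, bits):
    """Sign-extend a bits-wide field."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode(addr, word):
    """Decode lwz, rlwinm[.], andi., b/bl and bc at address addr; None otherwise."""
    opcode = word >> 26
    rd = (word >> 21) & 31                    # rD / rS / BO field
    ra = (word >> 16) & 31                    # rA / BI field
    if opcode == 32:                          # lwz rD,d(rA)
        return {"op": "lwz", "rd": rd, "ra": ra, "d": sext(word & 0xFFFF, 16)}
    if opcode == 21:                          # rlwinm[.] rA,rS,SH,MB,ME
        mb, me = (word >> 6) & 31, (word >> 1) & 31
        return {"op": "rlwinm", "rs": rd, "ra": ra, "sh": (word >> 11) & 31,
                "mask": rlwinm_mask(mb, me), "rc": word & 1}   # mask applies after rotate by SH
    if opcode == 28:                          # andi. rA,rS,UI (always sets cr0)
        return {"op": "andi.", "rs": rd, "ra": ra, "mask": word & 0xFFFF, "rc": 1}
    if opcode == 18:                          # b/bl LI (AA bit => absolute)
        li = sext(word & 0x03FFFFFC, 26)
        target = li & 0xFFFFFFFF if word & 2 else (addr + li) & 0xFFFFFFFF
        return {"op": "bl" if word & 1 else "b", "target": target}
    if opcode == 16:                          # bc BO,BI,BD (beq-/bne- etc.)
        bd = sext(word & 0xFFFC, 16)
        return {"op": "bc", "bo": rd, "bi": ra, "target": (addr + bd) & 0xFFFFFFFF}
    return None


# Constructed input: (address, raw word) pairs copied from the listing above,
# restricted to the loads and the flag tests that follow them.
LISTING = [
    (0x80097010, 0x8004009C), (0x80097018, 0x540003DF),
    (0x80097028, 0x80040098), (0x80097030, 0x540006B9),
    (0x80097048, 0x800400A0), (0x8009704C, 0x54000529),
    (0x80097060, 0x80040098), (0x80097064, 0x54000529),
    (0x8009708C, 0x807B0098), (0x80097090, 0x70603CC0),
    (0x80097098, 0x801B009C), (0x8009709C, 0x70000082),
    (0x800970A8, 0x54600631),
    (0x800970B8, 0x7060B347),
    (0x800970C0, 0x801B009C), (0x800970C4, 0x70000181),
    (0x800970E4, 0x807B009C), (0x800970E8, 0x546007BD), (0x800970F0, 0x546003DF),
    (0x80097104, 0x801A3EC0), (0x80097108, 0x540007FF),
    (0x80097130, 0x801B009C), (0x80097134, 0x546007BD),
]


def flag_tests(listing):
    """For each cr0-setting mask test, return (addr, base reg, offset, mask) of the word tested."""
    loaded = {}                               # reg -> (base reg, offset) of its last lwz
    out = []
    for addr, word in listing:
        ins = decode(addr, word)
        if ins is None:
            continue
        if ins["op"] == "lwz":
            loaded[ins["rd"]] = (ins["ra"], ins["d"])
        elif ins["op"] in ("rlwinm", "andi.") and ins["rc"] and ins["rs"] in loaded:
            base, off = loaded[ins["rs"]]
            out.append((addr, f"r{base}", off, ins["mask"]))
    return out


if __name__ == "__main__":
    for addr, base, off, mask in flag_tests(LISTING):
        print(f"{addr:08X}: tests 0x{mask:08X} in word at {off}({base})")
    print(f"bl at 80095CE0 -> {decode(0x80095CE0, 0x48001315)['target']:08X}")
```

Two things fall out of the output that are useful for the discussion above: the test at 8009704C on the word at 160(r4) masks 0x00000800 (PowerPC bit 20), and nothing in the decoded tests produces a value of 0x10 or 0x20 in r4; r4 is only ever a pointer here until the callee overwrites it.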

dcx2

If you're sure r4 discriminates, then you could try this.  This assumes 0x10 = friend.  If that's wrong, you'll need to switch the bne- to beq- instead.

hook 80095CE8:  7F64DB78   mr   r4,r27

cmpwi r4,0x10
bne- _ENEMY
lwz r12,160(r27)   # load word with invincibility flag
oris r12,r12,0x80  # set invincibility, bit 23
stw r12,160(r27)  # store new word
_ENEMY:
mr r4,r27           # original instruction


EDIT: upon closer inspection, that might not work.  The invincibility test is performed before the hook.
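Added example, not part of the post: a two-pass mini-assembler in Python for just the instruction forms used in the hook above, so the hook can be turned into raw words (and, under the assumed Gecko C2 insert-ASM layout, into code lines) without an external assembler. The hook text and labels are dcx2's; the encoder, the C2 layout helper and the hook-address handling are mine and are the assumptions here. Two checks worth doing with it: `mr r4,r27` must come out as 7F64DB78, the word the listing shows at 80095CE8, which validates the encoder against the game's own code; and the listing's own test on the same word (`rlwinm. r0,r0,0,20,20` at 8009704C) masks 0x00000800, whereas `oris r12,r12,0x80` sets 0x00800000, so confirm which bit is actually the invincibility flag before relying on the hook.

```python
# Added example (not from the thread): two-pass assembler for the handful of
# PowerPC forms in dcx2's hook.  The hook text is dcx2's; the encoder and the
# assumed Gecko C2 layout in gecko_c2() are mine.
import re

HOOK = """
cmpwi r4,0x10
bne- _ENEMY
lwz r12,160(r27)   # load word with invincibility flag
oris r12,r12,0x80  # set invincibility, bit 23
stw r12,160(r27)   # store new word
_ENEMY:
mr r4,r27          # original instruction
"""


def reg(s):
    return int(s.strip().lstrip("r"))


def imm(s):
    return int(s.strip(), 0)          # accepts 160 or 0x10


def encode(mnemonic, args, pc, labels):
    """Encode one instruction placed at address pc; labels maps name -> address."""
    if mnemonic == "cmpwi":                               # D-form, opcode 11, cr0, L=0
        ra, si = args
        return (11 << 26) | (reg(ra) << 16) | (imm(si) & 0xFFFF)
    if mnemonic in ("bne-", "beq-"):                      # B-form, opcode 16, BI = cr0[eq]
        bo = 4 if mnemonic == "bne-" else 12              # y hint bit clear, as in the listing
        off = labels[args[0]] - pc
        return (16 << 26) | (bo << 21) | (2 << 16) | (off & 0xFFFC)
    if mnemonic in ("lwz", "stw"):                        # D-form rD,d(rA)
        m = re.fullmatch(r"\s*(-?\w+)\((r\d+)\)\s*", args[1])
        op = 32 if mnemonic == "lwz" else 36
        return (op << 26) | (reg(args[0]) << 21) | (reg(m.group(2)) << 16) | (imm(m.group(1)) & 0xFFFF)
    if mnemonic == "oris":                                # D-form, opcode 25: oris rA,rS,UI
        ra, rs, ui = args
        return (25 << 26) | (reg(rs) << 21) | (reg(ra) << 16) | (imm(ui) & 0xFFFF)
    if mnemonic == "mr":                                  # X-form or rA,rS,rS (opcode 31, xo 444)
        ra, rs = args
        return (31 << 26) | (reg(rs) << 21) | (reg(ra) << 16) | (reg(rs) << 11) | (444 << 1)
    raise ValueError(f"unsupported mnemonic: {mnemonic}")


def assemble(text, base=0):
    """Pass 1 collects label addresses, pass 2 encodes.  '#' starts a comment."""
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    lines = [l for l in lines if l]
    labels, pc = {}, base
    for line in lines:
        if line.endswith(":"):
            labels[line[:-1]] = pc
        else:
            pc += 4
    words, pc = [], base
    for line in lines:
        if line.endswith(":"):
            continue
        parts = line.split(None, 1)
        args = parts[1].split(",") if len(parts) > 1 else []
        words.append(encode(parts[0], args, pc, labels))
        pc += 4
    return words


def gecko_c2(hook_addr, words):
    """Assumed Gecko C2 insert-ASM layout: C2 + low 25 bits of the hook address,
    a line count, the code words, a 60000000 nop if the count is even, then a
    terminating 00000000."""
    body = list(words)
    if len(body) % 2 == 0:
        body.append(0x60000000)
    body.append(0)
    pairs = [(body[i], body[i + 1]) for i in range(0, len(body), 2)]
    out = [f"C2{hook_addr & 0x01FFFFFF:06X} {len(pairs):08X}"]
    out += [f"{a:08X} {b:08X}" for a, b in pairs]
    return out


if __name__ == "__main__":
    words = assemble(HOOK)
    for w in words:
        print(f"{w:08X}")
    print("\n".join(gecko_c2(0x80095CE8, words)))
```

Branch offsets are pc-relative, so the snippet assembles the same wherever the code loader places it; the original `mr r4,r27` stays last because, under the assumed layout, the instruction at the hook address is replaced by a branch into this block.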

Patedj


dcx2


Patedj

  CR:82000428  XER:00000000  CTR:00000000 DSIS:02400000
DAR:805AD524 SRR0:80095CE4 SRR1:0000A032   LR:80095CE4
  r0:80095CE4   r1:802BA680   r2:802B2020   r3:805AE128
  r4:00000020   r5:00000000   r6:000000FF   r7:00000000
  r8:00000000   r9:0011C264  r10:0011C26C  r11:000000CF
r12:80EF74E0  r13:802B0C80  r14:00020000  r15:802A9570
r16:00000273  r17:000001BE  r18:00000006  r19:0000000D
r20:801FAF80  r21:00000000  r22:801FE200  r23:00010000
r24:801FE1C0  r25:801B9330  r26:80555CA8  r27:805ADB20
r28:00000004  r29:00001AC0  r30:00000000  r31:7FFFCE00

  f0:00000000   f1:42040241   f2:424303C6   f3:87454387
  f4:00800080   f5:00000000   f6:00000000   f7:59800004
  f8:00000000   f9:00000000  f10:BF7FFFFE  f11:3B888889
f12:3B4CCCCD  f13:00000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:3FAF286C  f27:3F800000
f28:3F99999A  f29:59800000  f30:3F000000  f31:59800004

dcx2

The ONLY time you're allowed to drop hex notation is with an address.

Every single other time a number is in hex you must prefix with 0x or you will confuse the hell out of me.

---

Nothing puts 32 = 0x20 into r4 in the function you pasted.  We need more info.

Use the Step Log.  Set an XBP on 80095CDC first.  Then set a Breakpoint Condition SRR0 == 80095CE4.  Then press Step Until.  This will show us where 0x20 comes from.

Patedj


dcx2

You have to make sure Active Conditions is NOT checked when you set the first execute BP.  Otherwise, your BP address is 80095CDC but it won't break until SRR0 = 80095CE4, which can't possibly happen because every time it breaks it will break at 80095CDC.

AFTER you hit the breakpoint, then you can check the checkbox and press Step Until.

Patedj

That's not what I meant. I meant that when I BP without the condition and then Step Until, it won't stop; it skips the mark.

dcx2

It "skips the mark"?  Even if it went past when it was supposed to stop, the Step Log will still have valid data.

It will stop, eventually.  It might take a long time, depending on how complex the function is.  But there's no possible way that you can set XBP on 80095CDC, and it won't execute 80095CE4 sooner or later.

Patedj


dcx2

Yeah, it will go in loops sometimes.  A branch with a + hint marker is a sure sign of a branch that is going backwards as part of a loop.

Go make some coffee or something.  It's not stuck and it will finish eventually.