Need Help on Asm again

Started by Crapulecorp, May 07, 2011, 02:40:25 AM


Crapulecorp

I'm trying to make codes for Man VS Wild Starring Bear Grylls [SMWE4Z]

In the HUD of the game, the blue bar is the Hydration Bar,
the brown bar is the Energy Bar,
the green bar is the Health Bar,
and the yellow bar is the Adventure Meter.

I started by searching for the hydration bar and found it in the 90 range (the full bar value is 3F7F).

909745F4 in the breakpoint tab:

80227FE4:  D3E30000   stfs   f31,0(r3)

I searched for the energy bar and found it in the 90 range too (the full bar value is 3F7F too).

909768F0 in the breakpoint tab:

80227FE4:  D3E30000   stfs   f31,0(r3)

So it is the same ASM code for the two. I went to Asmwiird with:

80227FE4

lis r12,0x3F7F
stw r12,0(r3)

I get

C2227FE4 00000002
3D803F7F 91830000
60000000 00000000

The code works, but the game acts very weird when the code is activated (the game will not go to the next checkpoint, and there are some other bugs).

So I used an activator:

04227FE4 D3E30000
2837AFF2 FDFF0200
CC000000 00000000
C2227FE4 00000002
3D803F7F 91830000
60000000 00000000
E0000000 80008000

When the code is activated the game acts weird, and when it's off there is no problem.

If someone can help me, thanks in advance.
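An added example (my own code, not from the thread or from Asmwiird) that parses the activator listing above into its Gecko codetypes. Field meanings for the 04, 28, CC, C2 and E0 types follow the Gecko code handler documentation; the listing itself is copied from the post. Decoding it makes the purpose of the first line visible: a C2 code overwrites the instruction at the hook with a branch, so the 04 write puts the original stfs back each time the code handler runs, the 28 line checks the button (bits set in the mask are ignored), the CC line toggles the on/off state, and the C2 code re-installs the branch only while that state is on.

```python
import re

# Constructed input: the seven-line activator listing from the post above.
ACTIVATOR = """
04227FE4 D3E30000
2837AFF2 FDFF0200
CC000000 00000000
C2227FE4 00000002
3D803F7F 91830000
60000000 00000000
E0000000 80008000
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})$")


def parse_pairs(listing):
    """Turn a Gecko listing into a list of (left, right) 32-bit words."""
    pairs = []
    for raw in listing.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError("not a Gecko code line: %r" % raw)
        pairs.append((int(m.group(1), 16), int(m.group(2), 16)))
    return pairs


def decode(listing, ba=0x80000000):
    """Describe each codetype; a C2 body is consumed as one unit and checked."""
    pairs = parse_pairs(listing)
    out, i = [], 0
    while i < len(pairs):
        left, right = pairs[i]
        ctype = left >> 24
        family = ctype & 0xFE          # low bit of the type byte is address bit 24 (C3 = 0x81 region)
        addr = ba + (left & 0x01FFFFFF)
        i += 1
        if family == 0x04:             # 32-bit RAM write
            out.append(dict(kind="write32", addr=addr, value=right))
        elif family == 0x28:           # 16-bit if-equal: (halfword & ~mask) == value
            out.append(dict(kind="if16_equal", addr=addr,
                            mask=right >> 16, value=right & 0xFFFF))
        elif ctype == 0xCC:            # on/off switch for the codes that follow
            out.append(dict(kind="on_off_switch"))
        elif family == 0xC2:           # insert ASM: `right` is the number of 64-bit lines
            n = right
            body = pairs[i:i + n]
            if len(body) != n:
                raise ValueError("C2 at %08X: listing ends before %d lines" % (addr, n))
            i += n
            words = [w for pair in body for w in pair]
            out.append(dict(kind="asm_insert", addr=addr, lines=n, words=words,
                            terminated=(words[-1] == 0)))   # handler needs a final 00000000
        elif ctype == 0xE0:            # full terminator: resets ba and po
            out.append(dict(kind="full_terminator",
                            ba=(right >> 16) << 16, po=(right & 0xFFFF) << 16))
        else:
            out.append(dict(kind="unknown", type=ctype, left=left, right=right))
    return out


if __name__ == "__main__":
    for entry in decode(ACTIVATOR):
        print(entry)
```

The `terminated` flag is the check worth keeping: a C2 body whose last word is not 00000000 is the most common way to turn a working hook into a crash.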

dcx2

#1
1) You are actually finding "floating point" data.  Floats are 32 bits, not 16 bits.  The full value is probably 3F800000.

2) Your breakpoint instruction does more than one thing.  So it probably does many, many things.  We need to find a different instruction that only does one thing.

Set the write breakpoint on your hydration bar.  When it hits, go to BreakpointDisassembly tab.  Right-click, "Copy All Frames".  The text will be VERY long.  Paste it into a text file and attach it to a forum post.

Then, set the write breakpoint on your energy bar, and Copy All Frames again.  Put that into a separate text file and upload it too.

Crapulecorp

Thanks dcx2 for helping me again. I made another search in 32 bits, and you were right: the full value is 3F800000.

I have just one problem: I found the right-click "Copy All Frames" in the Disassembler tab, not the Breakpoints tab. Apart from this, I did everything you told me to do.


I can't post the files as .txt; I had to make two zip files.

dcx2

Oops, my bad.  Copy All Frames is on the Disassembly tab.

Wow!  That is the deepest call stack I've ever seen on a Wii game.  40 levels deep at the breakpoint!   :o

This game's ASM is very weird.  Probably because it's ported from the 360 or PS3.

With the Hydration "Copy All Frames", the action happens around lines 2600 to 2700 of the text file.

---

It looks like there is a loop.  It processes many results.  The top of the loop is  80158DB0:  807B0000   lwz   r3,0(r27)  and the bottom of the loop is 80158E2C:  4180FF84   blt+   0x80158db0.  At the bottom of the loop, you can see the test, cmpw r28,r3.  This compare determines when the loop is done.  This means r28 is probably our discriminator.

For the Hydration Bar breakpoint, look at r28.  It is 5 for that breakpoint.  So try this.

80227FE4

stfs f31,0(r3)  # always do original instruction
cmpwi r28,5   # are we hydration bar?
bne- _END     # if not hydration bar, skip to end
lis r12,0x3F80 # over-write hydration bar with 0x3F800000 = 1.0
stw r12,0(r3)
_END:


C2227FE4 00000003
D3E30000 2C1C0005
4082000C 3D803F80
91830000 00000000
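An added example (my own code, not from the thread or from Asmwiird): a minimal encoder for the PowerPC instructions used in this thread and a packer for the C2 codetype. It reproduces dcx2's code above word for word, and it also covers the case dcx2's `lis`-only store does not: a constant whose low 16 bits are nonzero, which needs a `lis`/`ori` pair and therefore a longer `bne` skip. The C2 hook replaces the instruction at that address with a branch, which is why the original `stfs` has to be the first word of the body. The names `gecko_c2` and `conditional_store` are my own.

```python
def d_form(opcode, rst, ra, imm):
    """Generic PowerPC D-form word: opcode | RS/RT | RA | 16-bit immediate."""
    return (opcode << 26) | (rst << 21) | (ra << 16) | (imm & 0xFFFF)


def lis(rd, imm):             # addis rd, r0, imm   (upper half of a constant)
    return d_form(15, rd, 0, imm)


def ori(ra, rs, imm):         # ori ra, rs, imm     (lower half; RS is the source field)
    return d_form(24, rs, ra, imm)


def stw(rs, d, ra):           # stw rs, d(ra)
    return d_form(36, rs, ra, d)


def stfs(frs, d, ra):         # stfs frs, d(ra)
    return d_form(52, frs, ra, d)


def cmpwi(ra, simm):          # cmpwi ra, simm  ==  cmpi cr0, 0, ra, simm
    return d_form(11, 0, ra, simm)


def bne(offset):              # bne offset  ==  bc 4, 2, offset (branch if cr0.eq is clear)
    if offset % 4 or not -0x8000 <= offset < 0x8000:
        raise ValueError("bad branch displacement %d" % offset)
    return 0x40820000 | (offset & 0xFFFC)


NOP = 0x60000000              # ori r0, r0, 0


def gecko_c2(hook, words):
    """Pack instruction words into a C2/C3 'insert ASM' code hooked at `hook`."""
    if not 0x80000000 <= hook < 0x82000000 or hook % 4:
        raise ValueError("hook must be a word-aligned 0x80/0x81 address")
    body = list(words)
    if len(body) % 2 == 0:    # pad with a nop so the final word can be 00000000
        body.append(NOP)
    body.append(0)            # the code handler requires the body to end in 00000000
    ctype = 0xC2 | ((hook >> 24) & 1)        # C3 for 0x81xxxxxx hooks
    lines = ["%02X%06X %08X" % (ctype, hook & 0xFFFFFF, len(body) // 2)]
    for i in range(0, len(body), 2):
        lines.append("%08X %08X" % (body[i], body[i + 1]))
    return lines


def conditional_store(hook, original, disc_reg, disc_val, word, ra=3, scratch=12):
    """dcx2's pattern: execute the original instruction, then if disc_reg == disc_val
    overwrite 0(ra) with a 32-bit constant.  Emits lis+ori when the low half is nonzero."""
    store = [lis(scratch, word >> 16)]
    if word & 0xFFFF:
        store.append(ori(scratch, scratch, word & 0xFFFF))
    store.append(stw(scratch, 0, ra))
    skip = 4 * (len(store) + 1)              # bne target: first instruction after the store
    return gecko_c2(hook, [original, cmpwi(disc_reg, disc_val), bne(skip)] + store)


if __name__ == "__main__":
    print("\n".join(conditional_store(0x80227FE4, stfs(31, 0, 3), 28, 5, 0x3F800000)))
```

Running it prints exactly the three-line code in dcx2's post; passing 0x42E2CF20 instead of 0x3F800000 yields a four-line body with `40820010` as the skip and `618CCF20` (`ori r12,r12,0xCF20`) between the `lis` and the `stw`.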

Crapulecorp

Thanks again for everything dcx2. I have tested your code, and in the HUD the bar is still full but in the game the hydration is decreasing, so I'm afraid that

cmpwi r28,5   # are we hydration bar? is just the HUD visualization of the gauge.

And some bugs happen when the code is activated, but fewer than with my first code.

dcx2

 :(  This game is hard.

Please enable Step Log.  Then set an execute BP on 80165BF8:  7C00FA14   add   r0,r0,r31.  Hit "Set" a bunch of times, and post the result here.

Crapulecorp

Yes, this game seems to be hard to find codes for.
It's like Bear Grylls lol. Hard and difficult to find ;D.

So I set a breakpoint on 80165BF8:  7C00FA14   add   r0,r0,r31, hit "Set" a bunch of times, and here are the results:

80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 000080D4   r0 = 000080D4   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 000080E8   r0 = 000080E8   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 000080FC   r0 = 000080FC   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 00008110   r0 = 00008110   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 00008124   r0 = 00008124   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 000081EC   r0 = 000081EC   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 00008264   r0 = 00008264   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 000082DC   r0 = 000082DC   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 00008354   r0 = 00008354   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 000083F4   r0 = 000083F4   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 0000846C   r0 = 0000846C   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 000089F8   r0 = 000089F8   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 00008A98   r0 = 00008A98   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 00008B60   r0 = 00008B60   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 00009434   r0 = 00009434   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 000094AC   r0 = 000094AC   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 00009B64   r0 = 00009B64   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 00009C04   r0 = 00009C04   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 0000A2BC   r0 = 0000A2BC   r31 = 00000014
80165BF8:  7C00FA14   add   r0,r0,r31   r0 = 0000A35C   r0 = 0000A35C   r31 = 00000014

Thanks again for helping me dcx2.

dcx2

Weird...

This game uses r13 a lot.  r13 is a read/write anchor pointer.  It is odd to see it used so much.  And it makes it hard to follow the code.

This game passes a lot of data on the stack.  In other words, lots of stuff referenced with r1, or a pointer derived from r1.  That is also odd.  And it also makes it particularly hard to follow the code.

---

I found this section.  It looks interesting.  Any time a constant pointer is loaded, it is interesting.


|  |  |  |  |  |  |  80206390:  3FC08041   lis   r30,-32703
|  |  |  |  |  |  |  80206394:  800D9D70   lwz   r0,-25232(r13)   # r0 = ?
|  |  |  |  |  |  |  80206398:  3BDEBF00   subi   r30,r30,16640   # r30 = 8040BF00
|  |  |  |  |  |  |  8020639C:  3BA00000   li   r29,0         # r29 = 0 (loop counter)
|  |  |  |  |  |  |  802063A0:  3BE00000   li   r31,0         # r31 = 0 (loop pointer offset)
|  |  |  |  |  |  |  802063A4:  7C001A14   add   r0,r0,r3   
|  |  |  |  |  |  |  802063A8:  900D9D70   stw   r0,-25232(r13)
|  |  |  |  |  |  |  802063AC:  48000054   b   0x80206400      # branch to bottom of loop; next instruction is top of loop
|  |  |  |  |  |  |  802063B0:  7F9EF82E   lwzx   r28,r30,r31      # Process a list of pointers that starts at 8040BF00


It seems like everything that happens afterward is controlled by whatever gets put into r28 here.  If we are lucky, somewhere in the list of pointers will be a pointer to the real values.

Can you do Step Log again?  Execute BP 802063B0:  7F9EF82E   lwzx   r28,r30,r31.  Then Set a bunch of times.  This will give us the list of pointers.

---

You said that it only affects the hydration HUD.  It sounds like you had the wrong address; sometimes there is a "real value" and a "HUD value".  Worse, they may be different types.  The real value may be integer, but the HUD value may be a float.  With this game who knows.   ???

Did you try poking the value that you found to make sure it is the real value and not the HUD value?

Sometimes the game can over-write your poke.  In that case, set a write breakpoint.  When it hits, press Step Into once, so that it does the write.  Then switch back to Memory Viewer.  You can poke the game now and it can't over-write your value.

Crapulecorp

Maybe you're right; I probably didn't search the right code. I remember that 2 other codes had the same value as the hydration bar.
I will make a new search and breakpoint the three codes; maybe we will be lucky.
So I set an execute breakpoint on 802063B0:  7F9EF82E   lwzx   r28,r30,r31 and hit "Set" a bunch of times.

802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000
802063B0:  7F9EF82E   lwzx   r28,r30,r31   r28 = 80400000   r30 = 8040BF00   r31 = 00000000

If you have been losing your time because of a wrong code, I'm really sorry.

Crapulecorp

So I made another search on 32 bits and got the following (for hydration and energy I post the 2 possibilities for each).
The two results had the same value (for hydration and for energy too).

----
90973D10 hydration 1st result in the same search.
8022A234:  D3E30070   stfs   f31,112(r3)

90973DA0 hydration 2nd result in the same search.
80015918:  D0630000   stfs   f3,0(r3)

---

909735B0 energy 1st result in the same search.
8022A234:  D3E30070   stfs   f31,112(r3)


90973640 energy 2nd result in the same search.
80015918:  D0630000   stfs   f3,0(r3)

---
And I made a "Copy All Frames" for the two hydration results and the second energy result. I hope it will help you.

I have tested my first code and you were right: the HUD is full but in the game it decreases.
Very sorry. :'( :'(

dcx2

You don't have to apologize.  It's not your fault this game is weird.

Did you try poking your search results to see which one is real?

I'll take a look at your Copy All Frames and see if anything stands out.

Crapulecorp

Hi dcx2, I'm back lol. :) :) :)
I did a lot of searching and found for the hydration bar this code, which seems to be the right one:

90 range, 32-bit search

9097ABE8 42E2CF20 === hydration bar full

So I breakpointed it and got:

80237E14:  D3E30000   stfs   f31,0(r3)

I tested 9097ABE8 42E2CF20 and it works, but it changes in a new level, so the breakpoint will be good for finding it for all stages.

So I tried to make it like the first code:

80237E14

lis r12,0x42E2
stw r12,0(r3)

I get:

C2237E14 00000002
3D8042E2 91830000
60000000 00000000

and like the first code the game acts really weird but funny lol  ;D  ;D  (Bear Grylls vomits and afterwards jumps constantly lol)

I tried to make it with the instructions you gave before:

stfs f31,0(r3)  # always do original instruction
cmpwi r28,5   # are we hydration bar?
bne- _END     # if not hydration bar, skip to end
lis r12,0x42E2 # over-write hydration bar with 0x42E20000 = 113.0 (only the high half of 42E2CF20)
stw r12,0(r3)
_END:


C2237E14 00000003
D3E30000 2C1C0005
4082000C 3D8042E2
91830000 00000000


The game does not act weird, but the hydration bar still decreases, so I think cmpwi r28,5   is not the hydration bar.

I made a Copy All Frames; I don't know if it can help you.

dcx2

#12
Hydration bar is at 9097ABE8 for one level?  And a different address for a different level?

Have you tried using Pointer Search?  ASM for this game may be too weird.

Also, 0x42E2CF20 = 113.40454101562   http://www.geckocodes.org/index.php?arsenal=3

I'll take another look at the ASM frames.

EDIT: these frames look much easier to follow.  This might work after all.  Try cmpwi r28,6
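An added example (my own code, not from the thread) that decodes the search values with Python's `struct`, which is the same conversion the geckocodes arsenal page does: what each hex word is as an IEEE-754 single, what a 16-bit search at the same address reports (the big-endian high halfword), and what a `lis`-only store such as `lis r12,0x42E2 ; stw r12,0(r3)` actually writes. It makes two points from this thread concrete: a 16-bit hit of 3F7F is a bar just under 1.0 (the full value is 3F800000), and storing only 0x42E2 in the high half gives 113.0, not the 113.40454101562 dcx2 quotes.

```python
import struct


def word_to_float(word):
    """Interpret a 32-bit memory word (big-endian, as on the Wii) as an IEEE-754 single."""
    return struct.unpack(">f", struct.pack(">I", word & 0xFFFFFFFF))[0]


def float_to_word(value):
    """Inverse of word_to_float: the 32-bit pattern a float search should look for."""
    return struct.unpack(">I", struct.pack(">f", value))[0]


def describe(word):
    """Everything the thread needed to know about one 32-bit search hit."""
    high16 = word >> 16                     # what a 16-bit search reports at the same address
    return dict(
        value=word_to_float(word),          # the real float the game uses
        high16=high16,
        lis_only=word_to_float(high16 << 16),   # what `lis rX,high16 ; stw` stores instead
        exact_with_lis=(word & 0xFFFF) == 0,    # True only if the low half is already zero
    )


if __name__ == "__main__":
    for w in (0x3F800000, 0x3F7F0000, 0x42E2CF20):
        print("%08X -> %s" % (w, describe(w)))
```

When `exact_with_lis` is False the poke needs a `lis`/`ori` pair (or a `stw` from a register holding the full word), otherwise the bar is set to a slightly different value than the one the search found.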

toonlink444

My Flat code for MKWii is the same way: one race the value is one thing, the next it's different. Use a pointer like dcx2 said (unless his idea works (which it very well may; he's usually right about these things)).
In the begining there was nothing. Then it exploded
New blog!! Check it out for hacking Smash Bros Brawl!! http://letshackblank.blogspot.com/