Lord of the Rings R8JPWR Hacking help

Started by Patedj, June 09, 2011, 05:08:36 AM


Patedj

I began to do tests on the avatar's (Frodo Gamgee) y axis so that he can jump.
I've noticed that almost all addresses are executed by psq.
Nonetheless I persevered and found something correlated. The speed address.

Well, not exactly: if I nop the actual address, nothing seems to happen.
[spoiler]800DFD70:  D01E0064   stfs   f0,100(r30)   bp writes here only if I'm walking, not when I'm standing[/spoiler]
I walked the stack and found
800DFD44:  EFE700B2   fmuls   f31,f7,f2
and nopping this stops all the avatars from moving.

There seem to be some addresses that are only executable when walking. I'll abbreviate with EWW.

Function
[spoiler]

800DFB74:  9421FF30   stwu   r1,-208(r1)
800DFB78:  7C0802A6   mflr   r0
800DFB7C:  900100D4   stw   r0,212(r1)
800DFB80:  DBE100C0   stfd   f31,192(r1)
800DFB84:  F3E100C8   psq_st   f31,200(r1),0,0
800DFB88:  DBC100B0   stfd   f30,176(r1)
800DFB8C:  F3C100B8   psq_st   f30,184(r1),0,0
800DFB90:  DBA100A0   stfd   f29,160(r1)
800DFB94:  F3A100A8   psq_st   f29,168(r1),0,0
800DFB98:  DB810090   stfd   f28,144(r1)
800DFB9C:  F3810098   psq_st   f28,152(r1),0,0
800DFBA0:  93E1008C   stw   r31,140(r1)
800DFBA4:  93C10088   stw   r30,136(r1)
800DFBA8:  7C7E1B78   mr   r30,r3 r30 for psq_l   f7 and psq_l f9
800DFBAC:  93A10084   stw   r29,132(r1)
800DFBB0:  83E301B4   lwz   r31,436(r3)
800DFBB4:  819F0010   lwz   r12,16(r31)
800DFBB8:  7FE3FB78   mr   r3,r31
800DFBBC:  818C0340   lwz   r12,832(r12)
800DFBC0:  7D8903A6   mtctr   r12
800DFBC4:  4E800421   bctrl   
800DFBC8:  801F0014   lwz   r0,20(r31)
800DFBCC:  7C7D1B78   mr   r29,r3
800DFBD0:  540004E7   rlwinm.   r0,r0,0,19,19
800DFBD4:  4082025C   bne-   0x800dfe30
800DFBD8:  819E0000   lwz   r12,0(r30)
800DFBDC:  7FC3F378   mr   r3,r30
800DFBE0:  818C00B0   lwz   r12,176(r12)
800DFBE4:  7D8903A6   mtctr   r12
800DFBE8:  4E800421   bctrl   
800DFBEC:  C11F002C   lfs   f8,44(r31)
800DFBF0:  39410038   addi   r10,r1,56
800DFBF4:  C3E29480   lfs   f31,-27520(r2)
800DFBF8:  38E10040   addi   r7,r1,64
800DFBFC:  C0FF003C   lfs   f7,60(r31)
800DFC00:  39210048   addi   r9,r1,72 r9 for psq_l   f1
800DFC04:  C09F004C   lfs   f4,76(r31)
800DFC08:  38C10050   addi   r6,r1,80
800DFC0C:  D0E1003C   stfs   f7,60(r1)
800DFC10:  39010058   addi   r8,r1,88   r8 for psq_l f11, f11 for ps_madds0 fr9
800DFC14:  C05F0030   lfs   f2,48(r31)
800DFC18:  38A10060   addi   r5,r1,96 r5 for psq_l f11
800DFC1C:  D1010038   stfs   f8,56(r1)
800DFC20:  38810068   addi   r4,r1,104
800DFC24:  C03F0040   lfs   f1,64(r31)
800DFC28:  38610028   addi   r3,r1,40
800DFC2C:  C01F0050   lfs   f0,80(r31)
800DFC30:  D0410048   stfs   f2,72(r1)
800DFC34:  C0DF0034   lfs   f6,52(r31)
800DFC38:  D021004C   stfs   f1,76(r1)
800DFC3C:  C0BF0044   lfs   f5,68(r31)
800DFC40:  D0010050   stfs   f0,80(r1)
800DFC44:  C07F0054   lfs   f3,84(r31)
800DFC48:  D3E10054   stfs   f31,84(r1)
800DFC4C:  E13E0254   psq_l   f9,596(r30),0,0   f9 for ps_madds1 f10 and ps_muls0 f10
800DFC50:  E10A0000   psq_l   f8,0(r10),0,0 f8 for ps_muls0   f10
800DFC54:  E39F005C   psq_l   f28,92(r31),0,0
800DFC58:  D0810040   stfs   f4,64(r1)
800DFC5C:  11480258   ps_muls0   f10,f8,f9 f10 for ps_madds1   f10
800DFC60:  11A80718   ps_muls0   f13,f8,f28
800DFC64:  E0290000   psq_l   f1,0(r9),0,0 f1 for ps_madds1   f10
800DFC68:  D3E10044   stfs   f31,68(r1)
800DFC6C:  E3C60000   psq_l   f30,0(r6),0,0
800DFC70:  1141525E   ps_madds1   f10,f1,f9,f10   f10 for ps_madds0 fr9
800DFC74:  E0870000   psq_l   f4,0(r7),0,0
800DFC78:  11A16F1E   ps_madds1   f13,f1,f28,f13
800DFC7C:  D0C10058   stfs   f6,88(r1)
800DFC80:  11640258   ps_muls0   f11,f4,f9
800DFC84:  E0FE025C   psq_l   f7,604(r30),0,0 f7 for ps_madds0 fr9
800DFC88:  11840718   ps_muls0   f12,f4,f28
800DFC8C:  D0A1005C   stfs   f5,92(r1)
800DFC90:  10DE5A5E   ps_madds1   f6,f30,f9,f11
800DFC94:  E1680000   psq_l   f11,0(r8),0,0 f11 for ps_madds0 fr9
800DFC98:  C11F0068   lfs   f8,104(r31)
800DFC9C:  10BE671E   ps_madds1   f5,f30,f28,f12
800DFCA0:  112B51DC   ps_madds0   f9,f11,f7,f10   f9 for ps_mul f12
800DFCA4:  C09E0260   lfs   f4,608(r30)
800DFCA8:  E3BF0064   psq_l   f29,100(r31),0,0
800DFCAC:  D0610060   stfs   f3,96(r1)[/spoiler]  
800DFCB0:  11890272   ps_mul   f12,f9,f9 f12?
800DFCB4:  106B6F5C   ps_madds0   f3,f11,f29,f13
800DFCB8:  C0429498   lfs   f2,-27496(r2) f2
800DFCBC:  D3E10064   stfs   f31,100(r1)
800DFCC0:  118C6314   ps_sum0   f12,f12,f12,f12 f12? for fadds f7
800DFCC4:  C0029490   lfs   f0,-27504(r2)
800DFCC8:  E1650000   psq_l   f11,0(r5),0,0   f11 for fadds f3
800DFCCC:  F0640000   psq_st   f3,0(r4),0,0
800DFCD0:  114B31DC   ps_madds0   f10,f11,f7,f6
800DFCD4:  C0229494   lfs   f1,-27500(r2)
800DFCD8:  10AB2F5C   ps_madds0   f5,f11,f29,f5
800DFCDC:  C0610068   lfs   f3,104(r1)
800DFCE0:  C0C1006C   lfs   f6,108(r1)
800DFCE4:  FCE01850   fneg   f7,f3
800DFCE8:  FD605018   frsp   f11,f10
800DFCEC:  D1010074   stfs   f8,116(r1)
800DFCF0:  FCA02818   frsp   f5,f5
800DFCF4:  FCC03050   fneg   f6,f6
800DFCF8:  D0E10068   stfs   f7,104(r1)
800DFCFC:  EC6B02F2   fmuls   f3,f11,f11   here's f3 for fadds f7
800DFD00:  FCA02850   fneg   f5,f5
800DFD04:  D0C1006C   stfs   f6,108(r1)
800DFD08:  ECE3602A   fadds   f7,f3,f12 here's f7 (cmp f7)
800DFD0C:  D0A10070   stfs   f5,112(r1)
800DFD10:  F1230000   psq_st   f9,0(r3),0,0
800DFD14:  FC071040   fcmpo   cr0,f7,f2 is this comparing?
800DFD18:  D1410030   stfs   f10,48(r1)
800DFD1C:  D0810034   stfs   f4,52(r1)
800DFD20:  4C401382   cror   2,0,2
800DFD24:  40820008   bne-   0x800dfd2c what was compared?
800DFD28:  48000020   b   0x800dfd48 hmm
800DFD2C:  FC403834   fsqrte   f2,f7 f2 start (bne-) EWW
800DFD30:  EC6200B2   fmuls   f3,f2,f2
800DFD34:  EC020032   fmuls   f0,f2,f0
800DFD38:  EC6309FC   fnmsubs   f3,f3,f7,f1
800DFD3C:  EC430032   fmuls   f2,f3,f0 EWW
800DFD40:  FC4238AE   fsel   f2,f2,f2,f7   here's f2 EWW
800DFD44:  EFE700B2   fmuls   f31,f7,f2   nopping this stops all the avatars from moving EWW
800DFD48:  C0029480   lfs   f0,-27520(r2) here's the bl NO EWW
[spoiler]800DFD4C:  FC1F0000   fcmpu   cr0,f31,f0
800DFD50:  418200A8   beq-   0x800dfdf8
800DFD54:  C05D04A4   lfs   f2,1188(r29)
800DFD58:  FC001000   fcmpu   cr0,f0,f2
800DFD5C:  4182001C   beq-   0x800dfd78
800DFD60:  C00294C8   lfs   f0,-27448(r2)
800DFD64:  EC3F07F2   fmuls   f1,f31,f31
800DFD68:  EC0000B2   fmuls   f0,f0,f2
800DFD6C:  EC010032   fmuls   f0,f1,f0
800DFD70:  D01E0064   stfs   f0,100(r30) bp writes here only if I'm walking not when I'm standing
800DFD74:  48000008   b   0x800dfd7c
800DFD78:  D01E0064   stfs   f0,100(r30)
800DFD7C:  807E01B4   lwz   r3,436(r30)
800DFD80:  38A10008   addi   r5,r1,8
800DFD84:  E03E0254   psq_l   f1,596(r30),0,0
800DFD88:  38810010   addi   r4,r1,16
800DFD8C:  C04300C8   lfs   f2,200(r3)
800DFD90:  38C10018   addi   r6,r1,24
800DFD94:  E01E025C   psq_l   f0,604(r30),0,0
800DFD98:  38610020   addi   r3,r1,32
800DFD9C:  10210098   ps_muls0   f1,f1,f2
800DFDA0:  E0BF005C   psq_l   f5,92(r31),0,0
800DFDA4:  10000098   ps_muls0   f0,f0,f2
800DFDA8:  E09F0064   psq_l   f4,100(r31),0,0
800DFDAC:  F0250000   psq_st   f1,0(r5),0,0
800DFDB0:  F0040000   psq_st   f0,0(r4),0,0
800DFDB4:  C0610008   lfs   f3,8(r1)
800DFDB8:  C041000C   lfs   f2,12(r1)
800DFDBC:  C0210010   lfs   f1,16(r1)
800DFDC0:  C0010014   lfs   f0,20(r1)
800DFDC4:  D0610018   stfs   f3,24(r1)
800DFDC8:  D041001C   stfs   f2,28(r1)
800DFDCC:  E0460000   psq_l   f2,0(r6),0,0
800DFDD0:  D0210020   stfs   f1,32(r1)
800DFDD4:  1025102A   ps_add   f1,f5,f2
800DFDD8:  D0010024   stfs   f0,36(r1)
800DFDDC:  E0030000   psq_l   f0,0(r3),0,0
800DFDE0:  F03F005C   psq_st   f1,92(r31),0,0
800DFDE4:  1004002A   ps_add   f0,f4,f0
800DFDE8:  D01F0064   stfs   f0,100(r31)
800DFDEC:  801F0014   lwz   r0,20(r31)
800DFDF0:  64000006   oris   r0,r0,6
800DFDF4:  901F0014   stw   r0,20(r31)
800DFDF8:  E03F0064   psq_l   f1,100(r31),0,0
800DFDFC:  7FE3FB78   mr   r3,r31
800DFE00:  E01F005C   psq_l   f0,92(r31),0,0
800DFE04:  389E0254   addi   r4,r30,596
800DFE08:  F01F00D0   psq_st   f0,208(r31),0,0
800DFE0C:  F03F00D8   psq_st   f1,216(r31),0,0
800DFE10:  481E4599   bl   0x802c43a8
800DFE14:  38610028   addi   r3,r1,40
800DFE18:  38810030   addi   r4,r1,48
800DFE1C:  E0030000   psq_l   f0,0(r3),0,0
800DFE20:  F01F032C   psq_st   f0,812(r31),0,0
800DFE24:  E0040000   psq_l   f0,0(r4),0,0
800DFE28:  F01F0334   psq_st   f0,820(r31),0,0
800DFE2C:  D3FF037C   stfs   f31,892(r31)
800DFE30:  800100D4   lwz   r0,212(r1)
800DFE34:  E3E100C8   psq_l   f31,200(r1),0,0
800DFE38:  CBE100C0   lfd   f31,192(r1)
800DFE3C:  E3C100B8   psq_l   f30,184(r1),0,0
800DFE40:  CBC100B0   lfd   f30,176(r1)
800DFE44:  E3A100A8   psq_l   f29,168(r1),0,0
800DFE48:  CBA100A0   lfd   f29,160(r1)
800DFE4C:  E3810098   psq_l   f28,152(r1),0,0
800DFE50:  CB810090   lfd   f28,144(r1)
800DFE54:  83E1008C   lwz   r31,140(r1)
800DFE58:  83C10088   lwz   r30,136(r1)
800DFE5C:  83A10084   lwz   r29,132(r1)
800DFE60:  7C0803A6   mtlr   r0
800DFE64:  382100D0   addi   r1,r1,208
800DFE68:  4E800020   blr   
[/spoiler]

Log attached (this log is 10x executed at every highlighted address except the bl (bne is interesting) when standing, and then 10x walking).

Once in a while at the add r5,[r1,96] address [8069F2C6] the value equals 801A51B0 and the other times 00000000

In summary, I can walk this function back to mr r30,r3 and to r1 (I'm assuming that's the stwu). I'll post a function for r3 (I think it comes from the caller).
You can pm me, I've got time for your troubles.
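What the 800DFD14..800DFD44 stretch computes, as an added Python model (not code from the thread): FC403834 is frsqrte, a reciprocal square-root estimate, and the five instructions after it are one Newton step on that estimate plus an fsel guard, so f31 = f7 * (1/sqrt(f7)) = sqrt(f7), with f7 assembled from squared velocity components just before; the cror/bne pair only enters that path when f7 exceeds the threshold constant, which is why it is EWW. The four r2-relative constants are not in the post: 0.0, a small epsilon, 0.5 and 3.0 are assumed here, and the hardware estimate table is replaced by a bit-trick estimate.

```python
import math
import struct

# Constants the function loads from the r2 small-data area (-27520(r2),
# -27496(r2), -27504(r2), -27500(r2)). Their real values are not in the
# thread; these are ASSUMED, being what a Newton-Raphson rsqrt step needs.
ZERO = 0.0        # -27520(r2): f31 when the sqrt path is skipped
EPSILON = 1e-6    # -27496(r2): threshold f7 is compared against
HALF = 0.5        # -27504(r2)
THREE = 3.0       # -27500(r2)


def f32(x):
    """Round to single precision (fmuls/fadds/fnmsubs work on singles)."""
    return struct.unpack(">f", struct.pack(">f", x))[0]


def frsqrte(x):
    """Stand-in for FC403834 (frsqrte): a coarse 1/sqrt(x) estimate.
    The hardware lookup table is not modelled; the classic integer bit trick
    is a comparably rough estimate, which is all the Newton step needs."""
    bits = struct.unpack(">I", struct.pack(">f", x))[0]
    bits = 0x5F3759DF - (bits >> 1)
    return struct.unpack(">f", struct.pack(">I", bits))[0]


def velocity_squared(vx, vy, vz):
    """Paired-single block ending at 800DFD08: ps_mul/ps_sum0 square and add
    two components, fmuls f3,f11,f11 squares the third, fadds f7 joins them."""
    f12 = f32(f32(vx * vx) + f32(vy * vy))    # ps_mul f12,f9,f9 ; ps_sum0
    f3 = f32(vz * vz)                         # fmuls  f3,f11,f11
    return f32(f3 + f12)                      # fadds  f7,f3,f12


def sqrt_branch_taken(f7):
    """800DFD14..800DFD28: fcmpo cr0,f7,f2 ; cror 2,0,2 ; bne- 0x800dfd2c.
    cror 2,0,2 sets EQ = LT OR EQ, so bne- (EQ clear) is taken exactly when
    f7 > f2; 'not (f7 <= f2)' also reproduces the unordered (NaN) case."""
    return not (f7 <= EPSILON)


def speed(f7):
    """800DFD2C..800DFD44: frsqrte, one Newton step, fsel guard, f31 = f7*rsqrt.
    When the branch is skipped f31 keeps the constant loaded at 800DFBF4."""
    if not sqrt_branch_taken(f7):
        return ZERO
    f2 = frsqrte(f7)                          # fsqrte  f2,f7
    f3 = f32(f2 * f2)                         # fmuls   f3,f2,f2
    f0 = f32(f2 * HALF)                       # fmuls   f0,f2,f0
    f3 = f32(THREE - f3 * f7)                 # fnmsubs f3,f3,f7,f1 = f1 - f3*f7
    f2 = f32(f3 * f0)                         # fmuls   f2,f3,f0
    f2 = f2 if f2 >= 0.0 else f7              # fsel    f2,f2,f2,f7
    return f32(f7 * f2)                       # fmuls   f31,f7,f2


if __name__ == "__main__":
    for v in ((0.0, 0.0, 0.0), (3.0, 0.0, 0.0), (1.0, 2.0, 2.0)):
        f7 = velocity_squared(*v)
        print(v, "f7 =", f7, "sqrt path =", sqrt_branch_taken(f7),
              "f31 =", speed(f7), "math.sqrt =", math.sqrt(f7))
```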

Patedj

#1
[spoiler]800DFA34:  9421FFF0   stwu   r1,-16(r1)
800DFA38:  7C0802A6   mflr   r0
800DFA3C:  90010014   stw   r0,20(r1)
800DFA40:  93E1000C   stw   r31,12(r1)
800DFA44:  93C10008   stw   r30,8(r1)
800DFA48:  7C7E1B78   mr   r30,r3
800DFA4C:  80A301B4   lwz   r5,436(r3)
800DFA50:  80050454   lwz   r0,1108(r5)
800DFA54:  54000631   rlwinm.   r0,r0,0,24,24
800DFA58:  41820048   beq-   0x800dfaa0
800DFA5C:  3C808064   lis   r4,-32668
800DFA60:  38847040   addi   r4,r4,28736
800DFA64:  E0240000   psq_l   f1,0(r4),0,0
800DFA68:  E0040008   psq_l   f0,8(r4),0,0
800DFA6C:  F003025C   psq_st   f0,604(r3),0,0
800DFA70:  F0230254   psq_st   f1,596(r3),0,0
800DFA74:  80850558   lwz   r4,1368(r5)
800DFA78:  80040004   lwz   r0,4(r4)
800DFA7C:  2C000007   cmpwi   r0,7
800DFA80:  40820020   bne-   0x800dfaa0
800DFA84:  800504B4   lwz   r0,1204(r5)
800DFA88:  2C000001   cmpwi   r0,1
800DFA8C:  4182000C   beq-   0x800dfa98
800DFA90:  2C000002   cmpwi   r0,2
800DFA94:  4082000C   bne-   0x800dfaa0
800DFA98:  C0029480   lfs   f0,-27520(r2)
800DFA9C:  D0030250   stfs   f0,592(r3)
800DFAA0:  806301B4   lwz   r3,436(r3)
800DFAA4:  80030484   lwz   r0,1156(r3)
800DFAA8:  2C000000   cmpwi   r0,0
800DFAAC:  41820018   beq-   0x800dfac4
800DFAB0:  80630484   lwz   r3,1156(r3)
800DFAB4:  3C630001   addis   r3,r3,1
800DFAB8:  8803A038   lbz   r0,-24520(r3)
800DFABC:  2C000000   cmpwi   r0,0
800DFAC0:  4182000C   beq-   0x800dfacc
800DFAC4:  7FC3F378   mr   r3,r30
800DFAC8:  48004D5D   bl   0x800e4824
800DFACC:  801E0004   lwz   r0,4(r30)
800DFAD0:  3BE00000   li   r31,0
800DFAD4:  9BFE024B   stb   r31,587(r30)
800DFAD8:  2C000000   cmpwi   r0,0
800DFADC:  4182004C   beq-   0x800dfb28
800DFAE0:  819E0000   lwz   r12,0(r30)
800DFAE4:  7FC3F378   mr   r3,r30
800DFAE8:  818C002C   lwz   r12,44(r12)
800DFAEC:  7D8903A6   mtctr   r12
800DFAF0:  4E800421   bctrl   
800DFAF4:  2C030000   cmpwi   r3,0
800DFAF8:  41820020   beq-   0x800dfb18
800DFAFC:  819E0000   lwz   r12,0(r30)
800DFB00:  7FC3F378   mr   r3,r30
800DFB04:  818C00A0   lwz   r12,160(r12)
800DFB08:  7D8903A6   mtctr   r12
800DFB0C:  4E800421   bctrl   
800DFB10:  987E024A   stb   r3,586(r30)
[/spoiler]800DFB14:  48000018   b   0x800dfb2c ---> let's have a look here next.
800DFB18:  7FC3F378   mr   r3,r30 this is the r3 for the next r30
800DFB1C:  48000059   bl   0x800dfb74   this is the stwu of the speed function
800DFB20:  9BFE024A   stb   r31,586(r30)
800DFB24:  48000008   b   0x800dfb2c
800DFB28:  9BFE024A   stb   r31,586(r30)
800DFB2C:  819E0000   lwz   r12,0(r30) this is the b
800DFB30:  7FC3F378   mr   r3,r30
800DFB34:  818C0064   lwz   r12,100(r12)
800DFB38:  7D8903A6   mtctr   r12
800DFB3C:  4E800421   bctrl    ---> 802D75BC....
800DFB40:  80010014   lwz   r0,20(r1)
800DFB44:  83E1000C   lwz   r31,12(r1)
800DFB48:  83C10008   lwz   r30,8(r1)
800DFB4C:  7C0803A6   mtlr   r0
800DFB50:  38210010   addi   r1,r1,16
800DFB54:  4E800020   blr   

I'm starting to think that a copy all frames should do the trick...

All frames attached.

Patedj

By the way, the feel for speed for this game is identical to Okami. Once you get to a certain amount of speed you accelerate again with a blurred vision.

For now I'm letting go of the speed and looking into a local y axis.
I'm determined to make Frodo Gamgee jump for my son. What kind of boy doesn't jump!! Come on!

Patedj

I found the corresponding Y axis. BUT, it's activated when the avatar walks, and not by the button. PLUS, the avatars float right up to the sky and stay there... I have put a -1 float whenever I don't push the button but that doesn't seem to affect the avatar whatsoever (the button condition, that is).
Nonetheless, it's the right address. Now to find the Avatar(HERO).... I'll post an all frame next.

bl NO_DATA
.float 0x100
NO_DATA:
mflr r12
lfs f1,56(r3)
lfs f0,4(r28)
fadds f0,f0,f1
stfs   f0,4(r28)

4E00000C 00000000
C2425ED4 00000004
48000009 42C80000
7D8802A6 C0230038
C01C0004 EC00082A
D01C0004 00000000
14000000 BF800000
2861F69A FBFF0400
14000000 42C80000
E0000000 80008000

Patedj

#4
All frames too large. Download here [spoiler]http://www.mediafire.com/?j4oh9t2a18i0qd0[/spoiler] Function Log attached.

It seems to me that
80425D6C:  C002D54C   lfs   f0,-10932(r2)   f0 = 0   r2 = 80662DC0   [8066030C] = B8D1B717
80425D70:  FFE00890   fmr   f31,f1     f31 = 4001   f1 = -2.12205
80425D74:  FC010040   fcmpo   cr0,f1,f0   f1 = -2.12205   f0 = -0.0001   r0 = 804262E8
80425D78:  41800018   blt-   0x80425d90
influences the right branch to the AVATAR(HERO)
so 80425D78 = AvatarBranch()

Hero's address is at r0= 804262E8 = 2C030000
r4 seems to be important! [spoiler]This is the discriminator or it r0. If r4 is the discriminator then Hero's discriminator = 00000001 [/spoiler]
80425D64:  38810158   addi   r4,r1,344   r4 = 806A0DB8   r1 = 806A0C50
80425D68:  480003B9   bl   0x80426120
|  80426120:  E0030000   psq_l   f0,0(r3),0,0   f0 = -21050.7   r3 = 806A0F38   [806A0F38] = 00000000
|  80426124:  E0240000   psq_l   f1,0(r4),0,0   f1 = 2.12205   r4 = 806A0DA8   [806A0DA8] = C6A475B8

Patedj

#5
I've recently utilized an avatar discriminator for ff4 After Years which I think will be useful here.

[spoiler]C2095D68 00000005
800400A0 3D800009
618C0100 7C006000
4082000C 3980270F
91840014 540004E7
800400BC 00000000[/spoiler]

So

lwz r0,160(r4)
lis r12,9
ori r12,r12,256
cmpw r0,r12
bne- 0x0C
li r12,9999
stw r12,20(r4)
rlwinm. r0,r0,0,19,19
lwz r0,188(r4)

And So

Load discriminator register
lis r12, with discriminator
ori r12, with discriminator end
cmpw r0 with r12
bne- _NOHERO
ASM
_NOHERO:
normal y axis address

Patedj

#6
hmmm, r4 at the original bpwrite is always 00000001
and r0 = 00000004 all the time too... even when I execute the ASM address, not the real address (Avatar's y axis address).
so why is it that I trigger the y axis and it affects everyone?

Good thing that the original address only triggers when the avatar walks. If he stands then nothing happens.
Here are the cells
[spoiler] CR:44200488  XER:20000000  CTR:00000000 DSIS:02400000
DAR:81549370 SRR0:80425ED4 SRR1:0000B032   LR:80425ECC
 r0:00000004   r1:8069EA70   r2:80662DC0   r3:8069EBB8
 r4:00000001   r5:42480000   r6:4236FFB8   r7:8069EA60
 r8:8069EF58   r9:8069ED48  r10:8069ED58  r11:8069EC60
r12:8069ED68  r13:80659220  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:00000000
r20:00000000  r21:00000000  r22:8069EE08  r23:8069EE18
r24:8069EF58  r25:8154936C  r26:0000000F  r27:0000000F
r28:8154936C  r29:8069EEA8  r30:8069EEB8  r31:8069EFF8

 f0:42480000   f1:423FAEFC   f2:42480000   f3:4236FFB8
 f4:34A20800   f5:00000000   f6:40AAAAA8   f7:00000000
 f8:424C0000   f9:42240000  f10:42440000  f11:42200000
f12:3F800000  f13:00000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:457A1001  f29:3F10306F  f30:3C730C05  f31:3ED806C2
[/spoiler]

When the actual address is bp write then only r5 and r6 change (I assume they're axes). And f28 doesn't move.
[spoiler]hehe replacing stfs f0,4(r28)  with stfs f28,4(r28) brings everyone to heaven! lol. Once reactivated, everyone comes down to earth. It sure seems like they think they're going to hell with all of their arms wailing about like that.[/spoiler]

Patedj

I think I figured it out. It was underneath my nose all the time. It's r28, the discriminator. I can compare r28 with the actual address, for instance the hero's 8154936C -4 = 81549369, and if it equals it then activate flight.
Let's try it out

lfs   f0,4(r28)
lis r12, 0x8154
ori r12, r12, 0x9370
fcmpw r0, r12
bne- _NOHERO
[spoiler]hmm, I guess I need to stack this... I'd have to load a button activator (2861F69A FBFF0400) cmpw it and then fadd float (so 4E00000x 00000000 at the beginning of the code)...[/spoiler]
_NOHERO:
stfs   f0,4(r28)


does this work?
lfs   f0,4(r28)
lis r12, 0x8154
ori r12, r12, 0x9370
fcmpo f1, f0,r12
bne- _NOHERO

bl NO_DATA
.float 0x100

NO_DATA:
mflr r12
lfs f1,0(r12)
lfs f0,4(r28)
fadds f0,f0,f1
stfs   f0,4(r28)

_NOHERO:
stfs   f0,4(r28)

Result
[spoiler]4E000024 00000000
C2425ED4 00000007
C01C0004 3D808154
618C9370 FC806040
40820020 48000009
42C80000 7D8802A6
C02C0000 C01C0004
EC00082A D01C0004
D01C0004 00000000
14000000 BF800000
2861F69A FBFF0400
14000000 42C80000
E0000000 80008000[/spoiler]
Makes only the Hero avatar walk (can't accelerate anymore) and all the avatars including the hero pass through hills... Almost...

Patedj

Do I have the 4E000024 right??
I'm thinking 24 because I'm triggering the 42C80000 and so 9x4 = 36=24 in hex.

If I am right, why the hell isn't it triggering!!! I've got the button address correct too.

16-byte if equal then (28) with mask on for button B=400 (mask FBFF) at the second half of the 32 byte (8061F698 = 8061F69A) = 2861F69A FBFF0400
Could it be the game that doesn't allow me?
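To check the arithmetic behind the 4E000024 question above, here is a small Gecko code walker, added here and not the author's code, that parses the "Result" listing, locates the C2 block and reports the byte offset of the 42C80000 constant measured from the C2 line next to the XXXX the 4E line actually carries. It assumes, as the codetype references describe 4E00XXXX, that po becomes the address of the code line that follows the 4E line plus XXXX, and that ba is the default 0x80000000; verify both against your codehandler.

```python
import struct

# The "Result" code posted above, embedded here as the sample input.
RESULT_CODE = """
4E000024 00000000
C2425ED4 00000007
C01C0004 3D808154
618C9370 FC806040
40820020 48000009
42C80000 7D8802A6
C02C0000 C01C0004
EC00082A D01C0004
D01C0004 00000000
14000000 BF800000
2861F69A FBFF0400
14000000 42C80000
E0000000 80008000
"""


def parse_words(text):
    """Split a Gecko code listing into a flat list of 32-bit words."""
    return [int(tok, 16) for tok in text.split()]


def code_lines(words):
    """Yield (index, w1, w2) per code line, stepping over the payload of C2
    blocks so instruction words are never mistaken for code types."""
    i = 0
    while i + 1 < len(words):
        w1, w2 = words[i], words[i + 1]
        yield i, w1, w2
        i += 2 + (2 * w2 if w1 >> 24 == 0xC2 else 0)


def c2_block(words):
    """(hook address, [C2 line + payload words]) of the first C2 line.
    C2XXXXXX NNNNNNNN is followed by NNNNNNNN lines of two words each."""
    for i, w1, w2 in code_lines(words):
        if w1 >> 24 == 0xC2:
            address = 0x80000000 | (w1 & 0x00FFFFFF)   # ASSUMED ba = 0x80000000
            return address, words[i:i + 2 + 2 * w2]
    raise ValueError("no C2 line found")


def po_offset_of(words, value):
    """Byte offset of the first word equal to `value` from the first word of
    the C2 line. ASSUMPTION: 4E00XXXX sets po = address of the following
    code line + XXXX, and the C2 line is that following line, so this is the
    offset a 14000000 (32-bit write to po) needs to patch the constant."""
    _, block = c2_block(words)
    return block.index(value) * 4


def po_offset_in_code(words):
    """The XXXX the author wrote in the 4E00XXXX line, for comparison."""
    for _i, w1, _w2 in code_lines(words):
        if w1 >> 24 == 0x4E:
            return w1 & 0xFFFF
    raise ValueError("no 4E line found")


def as_float(word):
    """The single-precision value a word encodes (42C80000 -> 100.0)."""
    return struct.unpack(">f", struct.pack(">I", word))[0]


if __name__ == "__main__":
    words = parse_words(RESULT_CODE)
    addr, block = c2_block(words)
    print("C2 hook at %08X, %d payload words" % (addr, len(block) - 2))
    print("42C80000 (%g) sits at +0x%X from the C2 line"
          % (as_float(0x42C80000), po_offset_of(words, 0x42C80000)))
    print("the 4E line carries +0x%X" % po_offset_in_code(words))
```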

Patedj

#9
I thought about the fcmpo and I changed it to a normal cmpw with a loaded r14 instead of comparing the float.

[spoiler]lfs   f0,4(r28)
lwz   r14,4(r28)
lis r12, 0x8154
ori r12, r12, 0x9370
cmpwi r14,r12[/spoiler]
Edit
lis r14, 0x8154
ori r14, r14, 0x936C
cmpw r28,r14

bne- _NOHERO

bl NO_DATA
.float 0x100

NO_DATA:
mflr r12
lfs f1,0(r12)
lfs f0,4(r28)
fadds f0,f0,f1
stfs   f0,4(r28)

_NOHERO:
stfs   f0,4(r28)

Original Code:
[spoiler]4E000028 00000000
C2425ED4 00000008
C01C0004 81DC0004
3D808154 618C9370
2C0E000C 40820020
48000009 42C80000
7D8802A6 C02C0000
C01C0004 EC00082A
D01C0004 D01C0004
60000000 00000000
14000000 BF800000
2861F69A FBFF0400
14000000 42C80000
E0000000 80008000[/spoiler]

I'll post a log of the code...

Patedj

[spoiler]

80425ED4:  4BBDCA8C   b   0x80002960
   ...   ...   ...   ...
80002960:  C01C0004   lfs   f0,4(r28)   f0 = 49.3577   r28 = 806A10BC   [806A10C0] = BF800000
80002964:  81DC0004   lwz   r14,4(r28)   r14 = BF800000   r28 = 806A10BC   [806A10C0] = BF800000
80002968:  3D808154   lis   r12,-32428   r12 = 806A0A88
8000296C:  618C9370   ori   r12,r12,37744   r12 = 81540000   r12 = 81540000
80002970:  2C0E000C   cmpwi   r14,12     r14 = BF800000
80002974:  40820020   bne-   0x80002994
   ...   ...   ...   ...
80002994:  D01C0004   stfs   f0,4(r28)   f0 = -1   r28 = 806A10BC   [806A10C0] = BF800000
80002998:  60000000   nop           
8000299C:  4842353C   b   0x80425ed8
   ...   ...   ...   ...
80425ED8:  38800002   li   r4,2       r4 = 00000001
80425EDC:  4BFFF439   bl   0x80425314
|  80425314:  5480103A   rlwinm   r0,r4,2,0,29   r0 = 00000004   r4 = 00000002
|  80425318:  7C630214   add   r3,r3,r0   r3 = 806A08D8   r3 = 806A08D8   r0 = 00000008
|  8042531C:  4E800020   blr              LR = 80425EE0
80425EE0:  C0030000   lfs   f0,0(r3)   f0 = -1   r3 = 806A08E0   [806A08E0] = 42210F34
80425EE4:  D01C0008   stfs   f0,8(r28)   f0 = 40.2649   r28 = 806A10BC   [806A10C4] = 00000000
80425EE8:  C002D4D8   lfs   f0,-11048(r2)   f0 = 40.2649   r2 = 80662DC0   [80660298] = 3F800000
80425EEC:  D01C000C   stfs   f0,12(r28)   f0 = 1   r28 = 806A10BC   [806A10C8] = 3F800000
80425EF0:  5760077B   rlwinm.   r0,r27,0,29,29   r0 = 00000008   r27 = 0000000F
80425EF4:  41820114   beq-   0x80426008
80425EF8:  FC20F090   fmr   f1,f30     f1 = 40.2649   f30 = 0.450341
80425EFC:  635A0004   ori   r26,r26,4   r26 = 0000000F   r26 = 0000000F
80425F00:  38610028   addi   r3,r1,40   r3 = 806A08E0   r1 = 806A0790
80425F04:  4800030D   bl   0x80426210
|  80426210:  D0230000   stfs   f1,0(r3)   f1 = 0.450341   r3 = 806A07B8   [806A07B8] = 00000000
|  80426214:  D0230004   stfs   f1,4(r3)   f1 = 0.450341   r3 = 806A07B8   [806A07BC] = 00000000
|  80426218:  D0230008   stfs   f1,8(r3)   f1 = 0.450341   r3 = 806A07B8   [806A07C0] = 00000000
|  8042621C:  D023000C   stfs   f1,12(r3)   f1 = 0.450341   r3 = 806A07B8   [806A07C4] = 00000000
|  80426220:  4E800020   blr              LR = 80425F08
80425F08:  7C641B78   mr   r4,r3      r4 = 00000002   r3 = 806A07B8
80425F0C:  7F05C378   mr   r5,r24     r5 = 42456E4A   r24 = 806A0C78
80425F10:  38610038   addi   r3,r1,56   r3 = 806A07B8   r1 = 806A0790
80425F14:  480002A9   bl   0x804261bc
|  804261BC:  E0040000   psq_l   f0,0(r4),0,0   f0 = 1   r4 = 806A07B8   [806A07B8] = 3EE6930A
|  804261C0:  9421FFE0   stwu   r1,-32(r1)   r1 = 806A0790   r1 = 806A0790   [806A0770] = 80000000
|  804261C4:  E0450000   psq_l   f2,0(r5),0,0   f2 = 49.3577   r5 = 806A0C78   [806A0C78] = 4247E81D[/spoiler]
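The log above shows the "cmpwi r14,r12" from post #9 assembled as 2C0E000C, whose immediate field is 12, so it compares r14 against the number 12 rather than against r12. This added D-form field decoder (not from the thread) makes that visible, reassembles the lis/ori pair 3D808154/618C9370 into 0x81549370, and encodes the register-register cmpw r28,r14 that the edited version uses; it only covers the D-form opcodes seen in these logs.

```python
# Primary opcodes of the D-form instructions that appear in the logs above.
D_FORM = {11: "cmpwi", 14: "addi", 15: "addis", 24: "ori",
          32: "lwz", 48: "lfs", 52: "stfs"}


def sext16(v):
    """Sign-extend a 16-bit SIMM field."""
    return v - 0x10000 if v & 0x8000 else v


def decode_dform(word):
    """Decode a 32-bit PowerPC D-form word (opcode 0-5, rD 6-10, rA 11-15,
    immediate 16-31) and render it the way the thread's disassembler does."""
    opcd = word >> 26
    rd = (word >> 21) & 31          # rD, rS, frD, or crfD/L for cmpwi
    ra = (word >> 16) & 31
    imm = word & 0xFFFF
    name = D_FORM.get(opcd)
    if name is None:
        raise ValueError("opcode %d is not a D-form handled here" % opcd)
    if name == "ori":               # ori rA,rS,UIMM: rS sits in the rD field
        text = "ori r%d,r%d,%d" % (ra, rd, imm)
    elif name == "cmpwi":           # the immediate is a number, never a register
        crf = rd >> 2
        text = ("cmpwi r%d,%d" % (ra, sext16(imm)) if crf == 0
                else "cmpwi cr%d,r%d,%d" % (crf, ra, sext16(imm)))
    elif name == "addis" and ra == 0:
        text = "lis r%d,%d" % (rd, sext16(imm))
    elif name == "addi" and ra == 0:
        text = "li r%d,%d" % (rd, sext16(imm))
    elif name in ("lwz", "lfs", "stfs"):
        reg = "r" if name == "lwz" else "f"
        text = "%s %s%d,%d(r%d)" % (name, reg, rd, sext16(imm), ra)
    else:
        text = "%s r%d,r%d,%d" % (name, rd, ra, sext16(imm))
    return {"opcd": opcd, "rd": rd, "ra": ra, "imm": imm, "text": text}


def lis_ori_value(lis_word, ori_word):
    """The 32-bit constant a lis/ori pair materialises: addis supplies the
    upper half (sign-extended, hence -32428), ori fills in the lower half."""
    hi = decode_dform(lis_word)
    lo = decode_dform(ori_word)
    return ((sext16(hi["imm"]) << 16) + lo["imm"]) & 0xFFFFFFFF


def encode_cmpw(ra, rb):
    """X-form cmpw rA,rB (cmp cr0,0,rA,rB): primary opcode 31, extended 0."""
    return (31 << 26) | (ra << 16) | (rb << 11)


if __name__ == "__main__":
    # Words taken from the log at 80002960..80002994.
    for w in (0xC01C0004, 0x81DC0004, 0x3D808154, 0x618C9370, 0x2C0E000C, 0xD01C0004):
        print("%08X  %s" % (w, decode_dform(w)["text"]))
    print("lis/ori builds %08X" % lis_ori_value(0x3D808154, 0x618C9370))
    print("cmpw r28,r14 encodes as %08X" % encode_cmpw(28, 14))
```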

Patedj

#11
By removing the first lfs f0 it allowed everything to be back to normal again... Why is it that the 4(r28)=bf800000 and never 42C80000?

Patedj

It seems to me that each time I reload, the address is the same. Perhaps simply working with the gecko registers could work.

82200001 81549370
2861F69A FBFF0400
86000001 00001111
84200001 81549370

Even though the address seems to increase (remote address is correct) the Hero avatar doesn't lift/move/twitch.

Patedj

#13
82200001 81548A9C
2861F69A FBFF0400
86000001 00111111
84200001 81548A9C

It works at this address though!! yay!
Let's look for speed now. And I'll modify the jump (perhaps put a if greater than nop which would give it a jumping feel)

hmmm, what I'm looking for is: if gr1 > +100 then nop... Is that possible?



Patedj

#14
Well, it seems that any address that implicates velocity has to be manipulated via ASM. Gecko Registers influence the address but not the Avatar. In fact the address' values turn right back to "normal" as soon as I activate the code. In conclusion, changing the values through ASM is a must.

As for the Jump (y axis), ASM would definitely improve the quality (smoothness) of the jump. The game prefers having all Avatars stick to the ground. So if I make the hero jump a meter high, it twitches. Sometimes he doesn't jump at all (value too small). Ultimately, the avatar has to jump into the sky to have some smoothness to it...

Nonetheless, it's the right address.

For now, enjoy Levitation:
82200001 81548A9C
2861F69A FBFF0400
86000001 000F0000
E2000001 80008000
84200001 81548A9C
25548A9C 42EFFFFF
80000001 42EFFFFF
84200001 81548A9C
E0000000 80008000
pressing B levitates the hero to 42EFFFFF (Change this if needed due to certain cliffs; the avatar will pass through them)