Code freezes game when not active

Started by goemon_guy, October 05, 2011, 09:05:13 PM


goemon_guy

I didn't really want to make a new topic for this, but either way, this:

Press Z+X to empty Enemy Health Bar [goemon_guy]
282A3292 00000410
068429CC 00000010
00000000 00000000
00000000 00000000
E0000000 80008000

Crashes the game for some reason: right when I send the code, the game crashes, when the conditional isn't even active. o.o

-Currently hacking the following game(s):
...
Request a code via PM, if you wish.

dcx2

Is it the only code you're applying?  I take it this is a GC game.

Can you send codes with no codes enabled?

What happens if you put FFFFFFFF FFFFFFFF as the first line of your code?  This should prevent the code from even being processed by the code handler.

goemon_guy

That's the only code I applied.
It is a GC game. (Loaded with NeoGamma, if it's relevant.)

The "FFFFFFFF FFFFFFFF" line didn't crash the game.

If it's helpful, I also checked the Disassembler tab, and there was an exception. I went to it, and copied the BP tab.

[spoiler]

[spoiler]
  CR:44200088  XER:20000000  CTR:800335DC DSIS:04000000
DAR:00000014 SRR0:8003F468 SRR1:00001030   LR:80003118
  r0:00000014   r1:800D4DD0   r2:800CC680   r3:00000000
  r4:04000000   r5:8003F4E0   r6:800A78AF   r7:00000000
  r8:00000000   r9:00000000  r10:00000000  r11:00000280
r12:00000000  r13:800CBE60  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:80F181B0
r20:80F2FAD0  r21:80F2FB24  r22:80F2FA8C  r23:80F4B6AC
r24:00000000  r25:00000000  r26:00000000  r27:812442C0
r28:00000200  r29:00000005  r30:800A64F0  r31:00000040

  f0:3F800000   f1:00000000   f2:BF066CB1   f3:00000000
  f4:3F4008FD   f5:BB19A0CA   f6:41913958   f7:41A15C29
  f8:C199374C   f9:C199374C  f10:40C74BC8  f11:C061CAC0
f12:40BAC084  f13:C07AE147  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:00000000  f30:00000000  f31:00000000[/spoiler]

8003F440:  7C800038   and   r0,r4,r0
8003F444:  28000000   cmplwi   r0,0
8003F448:  41820010   beq-   0x8003f458
8003F44C:  7C000034   cntlzw   r0,r0
8003F450:  7C1D0734   extsh   r29,r0
8003F454:  4800000C   b   0x8003f460
8003F458:  38630004   addi   r3,r3,4
8003F45C:  4BFFFFE0   b   0x8003f43c
8003F460:  806D85D8   lwz   r3,-31272(r13)
8003F464:  57A0103A   rlwinm   r0,r29,2,0,29
8003F468:  7FE3002E   lwzx   r31,r3,r0
8003F46C:  281F0000   cmplwi   r31,0
8003F470:  4182004C   beq-   0x8003f4bc
8003F474:  2C1D0004   cmpwi   r29,4
8003F478:  4081001C   ble-   0x8003f494
8003F47C:  B3AD85E0   sth   r29,-31264(r13)
8003F480:  480037E5   bl   0x80042c64
8003F484:  908D85EC   stw   r4,-31252(r13)
8003F488:  906D85E8   stw   r3,-31256(r13)
8003F48C:  801E0198   lwz   r0,408(r30)
8003F490:  900D85DC   stw   r0,-31268(r13)
8003F494:  480026B1   bl   0x80041b44
8003F498:  7FA3EB78   mr   r3,r29
8003F49C:  7FC4F378   mr   r4,r30
8003F4A0:  7FECFB78   mr   r12,r31
8003F4A4:  7D8803A6   mtlr   r12
8003F4A8:  4E800021   blrl   
8003F4AC:  480026D9   bl   0x80041b84
8003F4B0:  48002BA1   bl   0x80042050
8003F4B4:  7FC3F378   mr   r3,r30
8003F4B8:  4BFFDECD   bl   0x8003d384
8003F4BC:  7FC3F378   mr   r3,r30
8003F4C0:  4BFFDEC5   bl   0x8003d384
8003F4C4:  8001002C   lwz   r0,44(r1)
8003F4C8:  83E10024   lwz   r31,36(r1)
8003F4CC:  83C10020   lwz   r30,32(r1)
8003F4D0:  83A1001C   lwz   r29,28(r1)
8003F4D4:  38210028   addi   r1,r1,40
8003F4D8:  7C0803A6   mtlr   r0
8003F4DC:  4E800020   blr   
8003F4E0:  90040000   stw   r0,0(r4)
8003F4E4:  90240004   stw   r1,4(r4)
8003F4E8:  90440008   stw   r2,8(r4)
8003F4EC:  BCC40018   stmw   r6,24(r4)
8003F4F0:  7C11E2A6   mfspr   r0,913
8003F4F4:  900401A8   stw   r0,424(r4)
8003F4F8:  7C12E2A6   mfspr   r0,914
8003F4FC:  900401AC   stw   r0,428(r4)
8003F500:  7C13E2A6   mfspr   r0,915
8003F504:  900401B0   stw   r0,432(r4)
8003F508:  7C14E2A6   mfspr   r0,916
8003F50C:  900401B4   stw   r0,436(r4)
8003F510:  7C15E2A6   mfspr   r0,917
8003F514:  900401B8   stw   r0,440(r4)
8003F518:  7C16E2A6   mfspr   r0,918
8003F51C:  900401BC   stw   r0,444(r4)
8003F520:  7C17E2A6   mfspr   r0,919
8003F524:  900401C0   stw   r0,448(r4)
8003F528:  9421FFF8   stwu   r1,-8(r1)
8003F52C:  4BFFFC70   b   0x8003f19c[/spoiler]

dcx2

Yeah, that's helpful.

regs -
r0:00000014   ...   r3:00000000

disasm -
8003F460:  806D85D8   lwz   r3,-31272(r13)   [800C4440] = ??
...
8003F468:  7FE3002E   lwzx   r31,r3,r0

You got an illegal address exception.  It tried to access address 00000014.  It looks like r3 came from -31272(r13) = 800C4440, however without the whole function there's no way to know.

Something is nulling out a pointer.

EDIT:

wtf?

8003F4A0:  7FECFB78   mr   r12,r31
8003F4A4:  7D8803A6   mtlr   r12
8003F4A8:  4E800021   blrl

Usually the compiler would prefer bctrl.  I've only seen blrl in the code handler and in hack protections.

goemon_guy

You think there's Hack Protection in the game?

I'll check the Master Code, and see if it does anything to clear any sort of protection.

EDIT:
It doesn't.

EDIT2:
I used a different activator, and the game didn't give an exception, but still crashes in the same manner.

2874C870 00000410
068429CC 00000010
00000000 00000000
00000000 00000000
E0000000 80008000

dcx2

Well, it still smells a little bit like a compiler, seeing as how it used r12.  But it does look weird.

If it was hack protection, why would it work with the F's (which in effect disable all codes after that line), but crash immediately without them on a code that isn't modifying anything?

Unless, somehow, the effect of reading 802A3292 causes the crash.

goemon_guy

Yeah, but it crashes no matter what activator I use. :/

Quote from: dcx2 on October 05, 2011, 09:57:25 PM
If it was hack protection, why would it work with the F's (which in effect disable all codes after that line), but crash immediately without them on a code that isn't modifying anything?

EDIT:

Wait, the code doesn't work when I put the FFFFFFFF codeline. It just doesn't crash the game.

dcx2

lol, yeah, all F's is the "end of codes" code type.  Nothing after that code will be executed, hence why your code doesn't work.  By "work" I meant it didn't crash.

Does it crash on a simple RAM write?  Try writing the game ID to 80001800 (it should already be there).

goemon_guy

I thought you thought that the code worked with the FF... line.
XD

It does in fact crash on any RAM write.

04001800 47585345

crashed the game.

*The game is Sonic Adventure DX, in case you've been wondering.

BP data:

[spoiler]

[spoiler]
 CR:84200088  XER:20000000  CTR:80032CEC DSIS:06000000
DAR:81800000 SRR0:8000318C SRR1:00009032   LR:80003118
 r0:03FB570D   r1:800D5080   r2:800CC680   r3:FFF8A8F3
 r4:817FFFFC   r5:00088000   r6:80951E5F   r7:00000000
 r8:00000008   r9:00000007  r10:800A4248  r11:00000020
r12:00000008  r13:800CBE60  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:00000000
r20:00000000  r21:00000000  r22:00000000  r23:00000000
r24:00000000  r25:00000000  r26:00000000  r27:8074A7BC
r28:80845654  r29:80845478  r30:8074CD2A  r31:80951E60

 f0:59800004   f1:BF800000   f2:00000000   f3:3F19999A
 f4:00000000   f5:59800004   f6:3E99999A   f7:00000000
 f8:00000000   f9:00000000  f10:59800004  f11:FFC00000
f12:00000000  f13:00000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:00000000  f30:00000000  f31:00000000
[/spoiler]


80003164:  4182001C   beq-   0x80003180
80003168:  54E3C00E   rlwinm   r3,r7,24,0,7
8000316C:  54E0801E   rlwinm   r0,r7,16,0,15
80003170:  54E4402E   rlwinm   r4,r7,8,0,23
80003174:  7C600378   or   r0,r3,r0
80003178:  7C800378   or   r0,r4,r0
8000317C:  7CE70378   or   r7,r7,r0
80003180:  5400D97F   rlwinm.   r0,r0,27,5,31
80003184:  3886FFFD   subi   r4,r6,3
80003188:  4182002C   beq-   0x800031b4
8000318C:  90E40004   stw   r7,4(r4)
80003190:  3463FFFF   subic.   r3,r3,1
80003194:  90E40008   stw   r7,8(r4)
80003198:  90E4000C   stw   r7,12(r4)
8000319C:  90E40010   stw   r7,16(r4)
800031A0:  90E40014   stw   r7,20(r4)
800031A4:  90E40018   stw   r7,24(r4)
800031A8:  90E4001C   stw   r7,28(r4)
800031AC:  94E40020   stwu   r7,32(r4)
800031B0:  4082FFDC   bne+   0x8000318c
800031B4:  54A3F77F   rlwinm.   r3,r5,30,29,31
800031B8:  41820010   beq-   0x800031c8
800031BC:  3463FFFF   subic.   r3,r3,1
800031C0:  94E40004   stwu   r7,4(r4)
800031C4:  4082FFF8   bne+   0x800031bc
800031C8:  38C40003   addi   r6,r4,3
800031CC:  54A507BE   rlwinm   r5,r5,0,30,31
800031D0:  28050000   cmplwi   r5,0
800031D4:  4D820020   beqlr-   
800031D8:  34A5FFFF   subic.   r5,r5,1
800031DC:  9CE60001   stbu   r7,1(r6)
800031E0:  4082FFF8   bne+   0x800031d8
800031E4:  4E800020   blr   
800031E8:  7C041840   cmplw   r4,r3
800031EC:  41800028   blt-   0x80003214
800031F0:  3884FFFF   subi   r4,r4,1
800031F4:  38C3FFFF   subi   r6,r3,1
800031F8:  38A50001   addi   r5,r5,1
800031FC:  4800000C   b   0x80003208
80003200:  8C040001   lbzu   r0,1(r4)
80003204:  9C060001   stbu   r0,1(r6)
80003208:  34A5FFFF   subic.   r5,r5,1
8000320C:  4082FFF4   bne+   0x80003200
80003210:  4E800020   blr   
80003214:  7C842A14   add   r4,r4,r5
80003218:  7CC32A14   add   r6,r3,r5
8000321C:  38A50001   addi   r5,r5,1
80003220:  4800000C   b   0x8000322c
80003224:  8C04FFFF   lbzu   r0,-1(r4)
80003228:  9C06FFFF   stbu   r0,-1(r6)
8000322C:  34A5FFFF   subic.   r5,r5,1
80003230:  4082FFF4   bne+   0x80003224
80003234:  4E800020   blr   
80003238:  9421FFF0   stwu   r1,-16(r1)
8000323C:  7C0802A6   mflr   r0
80003240:  90010014   stw   r0,20(r1)
80003244:  93E1000C   stw   r31,12(r1)
80003248:  7C7F1B78   mr   r31,r3
8000324C:  48015A79   bl   0x80018cc4
80003250:  80010014   lwz   r0,20(r1)
[/spoiler]

dcx2

What about just sending a full terminator and nothing else?

goemon_guy

A Full Terminator would be E0000000 80008000. Right?

I sent it, and it crashed.

Same exception as the last post.

dcx2

WTF?  There isn't supposed to be any ASM there.  Dolphin OS global variables are located there.

http://wiibrew.org/wiki/Memory_Map

I see what happened, though.  r7 is being used to clear a bunch of memory, 32 bytes per loop.  r3 is supposed to keep track of how much memory is left to clear.  It starts at r6-3 = 80951E5C and goes until r3 hits 0.  Problem is that it looks like r3 was initialized to 0, for some reason.  So it started counting down from FFFFFFFF instead, and eventually it ran out of memory to clear.

EDIT:

whoops, looking at YAGCD, it looks like this area of memory is laid out differently in GC mode...

http://hitmen.c02.at/files/yagcd/yagcd/chap4.html
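dcx2's reading of that loop can be checked against the register dump goemon_guy posted. The Python model below is an added example, not code from the thread: it steps through the loop at 8000318C with 32-bit wraparound on `subic.`, starts r4 at r6-3 as the disassembly does, and assumes that the first store at or beyond 0x81800000 (the end of the 24 MiB of MEM1 mapped at 0x80000000) is what raised the DSI. Stores are modelled only as address checks. With r3 = 0 it reproduces the dump exactly (DAR 81800000, r4 817FFFFC, r3 FFF8A8F3, SRR0 8000318C); with a small positive r3 it stops after that many 32-byte blocks.

```python
"""Re-run the 32-byte clearing loop from the exception dump (8000318C..800031B0)
with 32-bit register arithmetic, to see where r3 = 0 leads.
Added example following dcx2's reading of the loop; not code from the thread."""

MASK32 = 0xFFFFFFFF
MEM1_END = 0x81800000      # assumption: MEM1 is 24 MiB at 0x80000000..0x817FFFFF
LOOP_HEAD = 0x8000318C     # 'stw r7,4(r4)', the first store of the loop


def run_clear_loop(r3, r6):
    """Model of the loop as it appears in the disassembly:

        subi   r4,r6,3                      ; 80003184
    loop:
        stw    r7,4(r4)                     ; 8000318C
        subic. r3,r3,1                      ; 80003190  (0 wraps to FFFFFFFF)
        stw    r7,8(r4) .. stw r7,28(r4)    ; 80003194..800031A8
        stwu   r7,32(r4)                    ; 800031AC  (store, then r4 += 32)
        bne+   loop                         ; 800031B0  (CR0 from subic.)

    The first store whose address lies outside MEM1 is reported as a DSI with
    the register state at that instruction, the way the exception dump shows it.
    """
    r4 = (r6 - 3) & MASK32
    completed = 0                      # loop iterations finished without faulting
    while True:
        # 8000318C  stw r7,4(r4)
        if r4 + 4 >= MEM1_END:
            return _fault(LOOP_HEAD, r4 + 4, r3, r4, completed)
        # 80003190  subic. r3,r3,1
        r3 = (r3 - 1) & MASK32
        # 80003194..800031A8  stw r7,8(r4) .. stw r7,28(r4)
        for disp in (8, 12, 16, 20, 24, 28):
            if r4 + disp >= MEM1_END:
                return _fault(0x80003194 + (disp - 8), r4 + disp, r3, r4, completed)
        # 800031AC  stwu r7,32(r4): store to r4+32, then update r4
        if r4 + 32 >= MEM1_END:
            return _fault(0x800031AC, r4 + 32, r3, r4, completed)
        r4 = (r4 + 32) & MASK32
        completed += 1
        # 800031B0  bne+ loop
        if r3 == 0:
            return {"fault": False, "r3": r3, "r4": r4, "iterations": completed}


def _fault(srr0, dar, r3, r4, completed):
    return {"fault": True, "SRR0": srr0, "DAR": dar, "r3": r3, "r4": r4,
            "iterations": completed}


if __name__ == "__main__":
    # constructed inputs: r6 as in the dump; r3 = 0 is the bad case, r3 = 3 a sane block count
    for r3 in (0, 3):
        state = run_clear_loop(r3, 0x80951E5F)
        print(f"r3={r3}:", {k: (hex(v) if k in ("SRR0", "DAR", "r3", "r4") else v)
                            for k, v in state.items()})
```

The loop runs 481037 full iterations from 0x80951E5C before the store to 0x81800000 faults, and 481037 decrements of a zero r3 give exactly the FFF8A8F3 in the dump, so the register state is consistent with a count that was never initialized rather than with a corrupted code handler.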

goemon_guy

Hmm. So, there *can* be ASM there?

This is so weird, because GSCentral has a bunch of codes for this game, that I remember using that are all pretty much RAM writes, but they don't work in WiiRd. :/


EDIT:

I'm having trouble with another code, for another game now.
This one's for Tales of Symphonia.

[spoiler]
stwu r1,-80(r1)           #Stack frame
stmw r14,8(r1)

lis r28,-32466
ori r28,r28,12704
lis r14,-32467
ori r14,r14,57484
lis r16,-32677
ori r16,r16,28532
lhz r17,0(r16)
lha r22,216(r4)
lbz r25,4222(r28)
lbz r26,4221(r28)
                #^Loads a bunch of stuff into the registers

cmpwi r22,114              # Check to see if RAY is being casted
bne- 0x38                  # If not, go to the original instruction
li r22,222                 # If so, intercept what's being casted, and load Sacred Light instead

rlwinm r25,r25,28,28,31
cmplwi r25,4               # Is Raine casting the spell?
bne- 0x28                  # If not, go to the original instruction
li r22,222                 # If so, intercept what's being casted, and load Sacred Light instead

rlwinm r26,r26,0,29,31
cmplwi r26,4               # Is Raine in Overlimit?
bne- 0x18                  # If not, go to the original instruction
li r22,222                 # If so, intercept what's being casted, and load Sacred Light instead

cmpwi r17,50               # Has RAY been casted 50+ times?
blt- 0x0C                  # If not, go to the original instruction
li r22,222                 # If so, intercept what's being casted, and load Sacred Light instead++

lha r22,216(r4)            # Original instruction

lmw r14,8(r1)
addi r1,r1,80              #Stack frame end
[/spoiler]

It leads to a crash, leading to this exception:

[spoiler]
[spoiler]
  CR:44200088  XER:00000000  CTR:81230C38 DSIS:04000000
DAR:00000540 SRR0:8123A30C SRR1:0000B032   LR:81230CDC
  r0:00000000   r1:8036E118   r2:80362E40   r3:812DDEC0
  r4:00000540   r5:00004182   r6:3FF921FB   r7:3FF00000
  r8:00000000   r9:00000000  r10:C435132D  r11:C61C4000
r12:81230C38  r13:80362000  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:00000000
r20:00000000  r21:802CB57C  r22:802CA730  r23:812E31A0
r24:812E31B0  r25:812EA020  r26:812C0260  r27:00000000
r28:00000000  r29:81336238  r30:813364C8  r31:812DDEC0

  f0:B33BBD2E   f1:B33BBD2E   f2:184EBA3F   f3:BE2AAAAA
  f4:B2D72F34   f5:1AC9EF96   f6:333BBD2E   f7:2709ADED
  f8:BF7CD1D9   f9:2DC80000  f10:80000000  f11:00000000
f12:4360F1D6  f13:33306ABD  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:00000000  f30:00000000  f31:00000000
[/spoiler]
8123A2E4:  3884DFA0   subi   r4,r4,8288
8123A2E8:  A0A31176   lhz   r5,4470(r3)
8123A2EC:  2805012C   cmplwi   r5,300
8123A2F0:  4180002C   blt-   0x8123a31c
8123A2F4:  38840234   addi   r4,r4,564
8123A2F8:  54A013BA   rlwinm   r0,r5,2,14,29
8123A2FC:  7C840214   add   r4,r4,r0
8123A300:  880301AD   lbz   r0,429(r3)
8123A304:  8084FB50   lwz   r4,-1200(r4)
8123A308:  5400103A   rlwinm   r0,r0,2,0,29
8123A30C:  7D84002E   lwzx   r12,r4,r0
8123A310:  7D8903A6   mtctr   r12
8123A314:  4E800421   bctrl   
8123A318:  48000048   b   0x8123a360
8123A31C:  280500C8   cmplwi   r5,200
8123A320:  40800028   bge-   0x8123a348
8123A324:  880301AD   lbz   r0,429(r3)
8123A328:  54A513BA   rlwinm   r5,r5,2,14,29
8123A32C:  38840000   addi   r4,r4,0
8123A330:  7C84282E   lwzx   r4,r4,r5
8123A334:  5400103A   rlwinm   r0,r0,2,0,29
8123A338:  7D84002E   lwzx   r12,r4,r0
8123A33C:  7D8903A6   mtctr   r12
8123A340:  4E800421   bctrl   
8123A344:  4800001C   b   0x8123a360
8123A348:  880301AD   lbz   r0,429(r3)
8123A34C:  38840474   addi   r4,r4,1140
8123A350:  5400103A   rlwinm   r0,r0,2,0,29
8123A354:  7D84002E   lwzx   r12,r4,r0
8123A358:  7D8903A6   mtctr   r12
8123A35C:  4E800421   bctrl   
8123A360:  80010014   lwz   r0,20(r1)
8123A364:  7C0803A6   mtlr   r0
8123A368:  38210010   addi   r1,r1,16
8123A36C:  4E800020   blr   
8123A370:  9421FFF0   stwu   r1,-16(r1)
8123A374:  7C0802A6   mflr   r0
8123A378:  38800000   li   r4,0
8123A37C:  90010014   stw   r0,20(r1)
8123A380:  93E1000C   stw   r31,12(r1)
8123A384:  7C7F1B78   mr   r31,r3
8123A388:  4BFF2319   bl   0x8122c6a0
8123A38C:  7C630774   extsb   r3,r3
8123A390:  546007FF   rlwinm.   r0,r3,0,31,31
8123A394:  4182002C   beq-   0x8123a3c0
8123A398:  5460077B   rlwinm.   r0,r3,0,29,29
8123A39C:  41820018   beq-   0x8123a3b4
8123A3A0:  7FE3FB78   mr   r3,r31
8123A3A4:  38800000   li   r4,0
8123A3A8:  4BFEDEDD   bl   0x81228284
8123A3AC:  38600004   li   r3,4
8123A3B0:  4800002C   b   0x8123a3dc
8123A3B4:  A87F01BE   lha   r3,446(r31)
8123A3B8:  38030001   addi   r0,r3,1
8123A3BC:  B01F01BE   sth   r0,446(r31)
8123A3C0:  A87F01BE   lha   r3,446(r31)
8123A3C4:  A81F01C0   lha   r0,448(r31)
8123A3C8:  7C030000   cmpw   r3,r0
8123A3CC:  4180000C   blt-   0x8123a3d8
8123A3D0:  38600001   li   r3,1[/spoiler]

dcx2

Wow, I totally lost this reply.  Sorry I didn't get back to it sooner.

There are two major errors with your ASM.

The first is that your branch destinations were over-shooting the target instructions by an instruction.

b 0 = branch to the same instruction = inf loop

b 4 = branch to the next instruction = nop

b 8 = branch over the next instruction = skip one instruction

etc.  Humans are just bad at counting instructions.  Branch labels are much better.

The other problem is that your original instruction was included "inside" the stack frame.  So when you lmw'd, whatever was lha r22'd was over-written.  lmw overwrites all registers from rD up through r31.

[spoiler].set ADDR1,0x812E31A0
# there was an ADDR2 here, but you didn't use it...
.set ADDR3,0x805B6F74

lha r22,216(r4)            # Original instruction

stwu r1,-80(r1)           #Stack frame
stmw r14,8(r1)

lis r28,ADDR1@h
ori r28,r28,ADDR1@l
lis r16,ADDR3@h
ori r16,r16,ADDR3@l
lhz r17,0(r16)
lbz r25,4222(r28)
lbz r26,4221(r28)
                           # Loads a bunch of stuff into the registers

cmpwi r22,114              # Check to see if RAY is being casted
bne- _NO_HACK              # If not, do nothing

rlwinm r25,r25,28,28,31
cmplwi r25,4               # Is Raine casting the spell?
bne- _NO_HACK              # If not, do nothing

rlwinm r26,r26,0,29,31
cmplwi r26,4               # Is Raine in Overlimit?
bne- _NO_HACK              # If not, do nothing

cmpwi r17,50               # Has RAY been casted 50+ times?
blt- _NO_HACK              # If not, do nothing

lmw r14,8(r1)              # Tear the frame down first: lmw would otherwise put the saved r22 back
addi r1,r1,80
li r22,222                 # Then intercept what's being casted, and load Sacred Light instead
b _DONE

_NO_HACK:
lmw r14,8(r1)
addi r1,r1,80              #Stack frame end
_DONE:[/spoiler]

I also tried to optimize the code a bit.  I think this will do the same thing, but without the hook I couldn't test it myself.

[spoiler].set ADDR1,0x812E31A0+4220
.set ADDR3,0x805B6F74

lha r22,216(r4)               # Original instruction

cmpwi r22,114               # Check to see if RAY is being casted
bne- _NO_HACK             # If not, do nothing

lis r12,ADDR1@ha           # load r12 with Raine/Overlimit
lwz r12,ADDR1@l(r12)

rlwinm r12,r12,20,25,31   # rotate and mask off Raine and Overlimit values
cmplwi r12,0x44             # Is it Raine in overlimit?
bne- _NO_HACK             # if not, do nothing

lis r12,ADDR3@ha
lhz r12,ADDR3@l(r12)     # load casting count (a halfword, as the original lhz r17 read it)
cmplwi r12,50
blt- _NO_HACK              # if casted less than 50 times, do nothing
li r22,222                     # otherwise, load Sacred Light instead

_NO_HACK:
[/spoiler]
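Both mistakes dcx2 describes can be caught mechanically before a hook is ever sent to the game. The script below is an added example, not code from the thread or from any WiiRd tool: it takes goemon_guy's hook as posted (comments dropped), works out which instruction each hand-counted byte offset actually reaches, resolves the same branches from a label (`_ORIG`, a name added here for the original instruction) to show the offsets a two-pass assembler would produce, and lists the registers written between `stmw` and `lmw` that `lmw` will overwrite with their saved copies.

```python
"""Checks for the two hook mistakes discussed above: branch offsets counted by
hand that overshoot by one instruction, and registers set inside an stmw/lmw
frame that lmw puts back to their saved values. Added example, not thread code."""
import re

# goemon_guy's hook as posted, with comments removed (constructed input)
HOOK_HAND_COUNTED = """\
stwu r1,-80(r1)
stmw r14,8(r1)
lis r28,-32466
ori r28,r28,12704
lis r14,-32467
ori r14,r14,57484
lis r16,-32677
ori r16,r16,28532
lhz r17,0(r16)
lha r22,216(r4)
lbz r25,4222(r28)
lbz r26,4221(r28)
cmpwi r22,114
bne- 0x38
li r22,222
rlwinm r25,r25,28,28,31
cmplwi r25,4
bne- 0x28
li r22,222
rlwinm r26,r26,0,29,31
cmplwi r26,4
bne- 0x18
li r22,222
cmpwi r17,50
blt- 0x0C
li r22,222
lha r22,216(r4)
lmw r14,8(r1)
addi r1,r1,80
"""

# Same hook, but every branch names the intended target: the original instruction.
# '_ORIG' is a label introduced here, not one from the thread.
HOOK_LABELLED = (HOOK_HAND_COUNTED
                 .replace("0x38", "_ORIG").replace("0x28", "_ORIG")
                 .replace("0x18", "_ORIG").replace("0x0C", "_ORIG")
                 .replace("lha r22,216(r4)\nlmw", "_ORIG:\nlha r22,216(r4)\nlmw"))


def parse(text):
    """Return [(label, mnemonic, operands)] per instruction; a 'NAME:' line labels the next one."""
    instrs, pending = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            pending = line[:-1]
            continue
        mnem, _, rest = line.partition(" ")
        instrs.append((pending, mnem, [o.strip() for o in rest.split(",")] if rest else []))
        pending = None
    return instrs


def is_branch(mnem):
    return mnem.startswith("b")        # every PowerPC mnemonic beginning with 'b' is a branch


def landing_sites(instrs):
    """For each branch written with a numeric byte offset: index of the instruction it reaches.
    The offset is relative to the branch itself, so 0 loops, 4 is a nop, 8 skips one."""
    sites = {}
    for i, (_, mnem, ops) in enumerate(instrs):
        if is_branch(mnem) and ops and ops[-1].lower().startswith("0x"):
            sites[i] = i + int(ops[-1], 16) // 4
    return sites


def resolve_labels(instrs):
    """Two-pass assembly: map labels to indices, then turn label operands into byte offsets."""
    labels = {lab: i for i, (lab, _, _) in enumerate(instrs) if lab}
    return {i: (labels[ops[-1]] - i) * 4
            for i, (_, mnem, ops) in enumerate(instrs)
            if is_branch(mnem) and ops and ops[-1] in labels}


def restored_by_lmw(instrs):
    """Registers written between 'stmw rN,..(r1)' and 'lmw rN,..(r1)' that lmw overwrites
    (rN..r31). Anything the hook must hand back to the game must not be in this set."""
    start = next(i for i, (_, m, _) in enumerate(instrs) if m == "stmw")
    end = next(i for i, (_, m, _) in enumerate(instrs) if m == "lmw")
    low = int(instrs[start][2][0][1:])            # N in 'rN'
    written = set()
    for _, mnem, ops in instrs[start + 1:end]:
        if is_branch(mnem) or mnem.startswith(("st", "cmp")):
            continue                              # no GPR destination
        m = re.fullmatch(r"r(\d+)", ops[0])
        if m and int(m.group(1)) >= low:
            written.add(ops[0])
    return written


if __name__ == "__main__":
    hand = parse(HOOK_HAND_COUNTED)
    for i, t in landing_sites(hand).items():
        print(f"instr {i} '{hand[i][1]} {hand[i][2][0]}' lands on instr {t} '{hand[t][1]}'")
    print("label-resolved offsets:", {i: hex(o) for i, o in resolve_labels(parse(HOOK_LABELLED)).items()})
    print("written inside the frame, overwritten by lmw:", sorted(restored_by_lmw(hand)))
```

All four hand-counted branches land on the `lmw`, one instruction past the `lha r22,216(r4)` they were meant to reach, and the label-resolved offsets come out 4 bytes shorter in each case (0x34, 0x24, 0x14, 0x08). The frame check flags r22 among the registers `lmw` restores, which is the second problem: any value the hook writes into r22 inside the frame is gone by the time the game runs again.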

daijoda

Lol, I get the feeling maybe goemon_guy didn't know you could write English words as branch labels in those apps, either; hence doing everything by hand.