I actually posted this in another thread somewhere, but it was actually a decent little guide when I was done, so i figured I should post here lol.
first off you wanted the button right, well its pretty easy really, you can usually find the hex for button presses somewhere (ex on psp LTrigger = 0x0100) so if you DO know that, just hold that button and search the value, hold a different button and search its value.
If you CAN"T however, you can do an unknown value search, hold nothing, hold a button seach increase. Hold that button THEN another button, search increase, let go of the first button, search decrease etc. Remember generally the buttons ADD together when a combo is held.
Now there are 2 popular methods for a moon jump code, one is generally easier than the other, but the address is hard to find.
The first method is a simple button activated gravity mod. You hold a button, gravity is lessened. Now finding gravity can be a chore, generally it can be found as a float 1 value (0x3f800000) HOWEVER try finding co-ordinates and experimenting with the area around it.
Now the SECOND method is to use the Z co-ordinates (height) to make a custom "jump" routine in asm. I generally use this is I can't find the gravity modifier, but it nevertheless works in a similar manner.
Basically, you're going to need to inject a subroutine that does the following
Loads controller address's value
Loads the value of the BUTTON you want
Branches to the end if these are different
Loads the Z Co-ordinates
Loads what you want to ADD to them (try experimenting with pokes first, remember if you HOLD the button, it will continually increase, so a small value is usually good)
Add them together
Store the modded co-ords back at their address. In modern powerpc asm it would look like this. For this example the
-co-ordinates are at 0x80CC4584
-controller address is at 0x80496AC0
-The button we want to activate has a value of 0x00000200
-We want to add 0x004C to the Z Co-ords
- We are injecting our routine at the address 0x804568C8
lis r0, 0x8049 //Loads first 2 bytes of Control address
lwz r1, 0x6AC0(r0) //Loads the full value of the control address into r1
li r2, 0x00000200 //Loads the value for the button we want to be the activator into r2
lis r3, 0x80CC //Loads first 2 bytes of co-ords
lwz r4, 0x4584(r3) //Loads the full value of the z-co-ords into r4
li r5, 0x0000004C //Loads the value we want to add to co-ords (jump speed) into r5
cmpw r1, r2 //Compares the BUTTON value and the CONTROLLER address (check if we are holding our activator or not)
bne +0x12 //If we are NOT holding the button activator, jump to the end i.e cancel
add r6, r4, r5 // If we ARE, add 0x004C to our z-co-ord value (increase our height)
stw r6, 0x4584(r3) //Store the modified co-ords back to their address!
And thats pretty much it lol. In theory this should increase our height if holding a button, therefore "jumping" into the air. Now there might be some mistakes in the above routine, I'm very new to this type of asm, I'm good at mips but some of the syntaxes are very confusing, so bear with me if there some errors. This should however, give you a fair idea of how its done.
This is exactly how my ASM program looked:
(http://img129.imageshack.us/img129/1983/asmea1.th.png) (http://img129.imageshack.us/my.php?image=asmea1.png)(http://img129.imageshack.us/images/thpix.gif) (http://g.imageshack.us/thpix.php)
Thanks for this nice Tutorial Black_Wolf.
Just a question, how do you come up with the address, where the sub-routine ends?
Other than that, I can pretty much follow your steps.
oh lol that was just an example, basically if you're using the asm code type, you just jump to the END of your code, so like skip 10 lines or whatever.
Sorry should have explained that better, I was using oldskool method lol. But yeah the C2 code type, just jump over everthying so in this case it would be bne -0x12, would jump over the stw!
Thanks for explaining...
Can you use this "bne"-command to skip just a certain amount of lines (for example, just skip the next line)?
oh yeah definitely. That would just be bne -0x08. Simple as that lol. Following that template, button activation is just simply loading the button you want, and the button address and comparing them, if they are not the same, just exit, if they are, just write you're code in there!
What would happen if you did NOT add a button activator in there?
Would you have constant low grav?
with this asm example, seeing as it is the actual co-ordinates being increased, rather than gravity (more of a manual method, meaning you can make jump codes for games without a jump function!), without a button activation you would just fly straight up continuosly till the game froze or you died if they game has a boundary check lol.
Could you please explain how to find the Z-Co-ordinates :D?
first use the unkown value search, the jump, while jumping search for the greater tha previous search, then search for lower than previous when you landed, use some equal than previous, repeat those steps and then you will end up with a few addressses
ive tried that but it doesnt seem to work, when i poke it does nothing
hmm, sometimes the jump is actually handled seperately.
Try finding a hill in the game and walk up and down in searching greater and less
OR if its still not working, find x/y co-ords, so just move around searching unequal, stand still, equal etc.
Co-ords are very likely to be dynamically allocated so you will probably need a pointer too!
I want to make a moon jump for Bully, but what data size do I have to use and in what memory range? does anybody have an idea?
try you're standard ranges I guess. There's a fair chance it could be in the 90 area as its accessed very frequently, but I'm not sure, probably varies game to game.
I'm trying to adapt the asm-code of Black_Wolf.
I've come up with the following:
lis r0, $805D
lwz r1, $4FDA(r0)
li r2, $00001000
lis r3, $8049
lwz r4, $80F6(r3)
li r5, $00002000
cmpw r1, r2
bne -0x12
add r6, r4, r5
stw r6, $80F6(r3)
But for some reason, when I try to convert it with the ASM-to-WiiRD-Converter,
it just gives me the following errors:
\asmhelp-tmpout.txt:1: Error: unsupported relocation against $805D
\asmhelp-tmpout.txt:3: Error: unsupported relocation against $00001000
\asmhelp-tmpout.txt:4: Error: unsupported relocation against $8049
\asmhelp-tmpout.txt:6: Error: unsupported relocation against $00002000
Can someone, who knows ASM tell me, what that means and how to solve these
problems?
I tried it too, but I don't understand the subroutine part?
this is what i've got:
0x92A8F314 coordinate
0x806BA780 controller
0x00000100 value of the button
0x01000000 value I want to add to the coordinate
lis r0, 0x806B
lwz r1, 0xA780(r0)
li r2, 0x00000100
lis r3, 92A8
lwz r4, F28C(r3)
li r5, 0x01000000
cmpw r1, r2
bne 0x80FF50C8 //???
add r6, r4, r5
stw r6, 0xF28C(r3)
anyways, when I try to make it a code, it gives me this error:
C:\DOCUME~1\ADMINI~1\Desktop\WIIRD0~1.1\asmhelp-tmpout.txt: Assembler messages:
C:\DOCUME~1\ADMINI~1\Desktop\WIIRD0~1.1\asmhelp-tmpout.txt:2: Error: operand out of range (0x0000a780 is not between 0xffff8000 and 0x00007fff)
C:\DOCUME~1\ADMINI~1\Desktop\WIIRD0~1.1\asmhelp-tmpout.txt:4: Error: syntax error; found `A' but expected `,'
C:\DOCUME~1\ADMINI~1\Desktop\WIIRD0~1.1\asmhelp-tmpout.txt:4: Error: junk at end of line: `A8'
C:\DOCUME~1\ADMINI~1\Desktop\WIIRD0~1.1\asmhelp-tmpout.txt:6: Error: operand out of range (0x01000000 is not between 0xffff8000 and 0x00007fff)
C:\DOCUME~1\ADMINI~1\Desktop\WIIRD0~1.1\asmhelp-tmpout.txt:8: Error: operand out of range (0x80ff50c8 is not between 0xffff8000 and 0x00007fff)
C:\DOCUME~1\ADMINI~1\Desktop\WIIRD0~1.1\asmhelp-tmpout.txt:10: Error: operand out of range (0x0000f28c is not between 0xffff8000 and 0x00007fff)
oh with the bne, you just use the SKIP LINES kind of thing, so in your'e code it would be
bne +0x12
Also, make sure you put 0x where ever I had the dollar sign (i'll fix it up now, its just a different way of writing hex)
EDIT: Ok guide fix, and added screenshot of exactly what you're prog should look like!
Thanks, now its a lot clearer.
Unfortunatly, I still get 2 errors:
My Code:
Address for Button-Check: 805D4FDA
Address to add a value: 804980F6
lis r0, 0x805D
lwz r1, 0x4FDA(r0)
li r2, 0x00001000
lis r3, 0x8049
lwz r4, 0x80F6(r3)
li r5, 0x00001000
cmpw r1, r2
bne +0x12
add r6, r4, r5
stw r6, 0x80F6(r3)
The errors:
\asmhelp-tmpout.txt:5: Error: operand out of range (0x000080f6 is not between 0xffff8000 and 0x00007fff)
\asmhelp-tmpout.txt:10: Error: operand out of range (0x000080f6 is not between 0xffff8000 and 0x00007fff)
Hope, you know a solution for this problem too, Black_Wolf.
ok lol I REALLY hoped this wouldn't happen, but I guess I do need to explain this.
When you are LOADING based off another register (lwz) if the offset is over 0x00008000 it actually will MINUS 1 from the base (the lis), the asm thing doens't really like this, which is fair enough, so what you need to do to compensate for this, is put an FFFF in front of the offset if it is BIGGER than 0x00008000. Its very complex to explain this in detail, but just remember that as a basic rule. Its confusing I know, but this will actually be you're subroutine. It should compile under the asm converter
lis r0, 0x805D
lwz r1, 0x4FDA(r0)
li r2, 0x00001000
lis r3, 0x8049
lwz r4, 0xFFFF80F6(r3)
li r5, 0x00001000
cmpw r1, r2
bne +0x12
add r6, r4, r5
stw r6, 0xFFFF80F6(r3)
In MIPS (the language I'm fluent in) we actually just ADD one to our base lis, so it would be 804A, but the converter doesn't seem to like this at all, so this method SHOULD work as its really just the same thing backwards. If it doesn't though, let me know and you can actually change the 8049 to 804A without the converter to make it work properly.
Thanks a lot, now it works...
Btw. Maybe this is a stupid question, but what is the "Address"
at the top of the converter for (by default it shows 80000000,
in your screenshot, you put 804568C8 there)?
ok this is where the subroutine is "injected"
So you know that the game runs lines an lines of this code right? Well basically what we need to do is INTERUPT the basic game code, and link to our little routine, then when its done, it jumps back so the game keeps running as per usual.
Now usually the whole idea of a function is to edit a ROUTINE, so like you set a breakpoint on you're ammo, find the area of code that handles the gun losing ammo and taking damage off enemy, and you can RE WRITE IT to do heaps of damage, and not take ammo (see dr.pepper red steel thread in PAL codes section) So in this case we would inject our routine there, BUT with codes like moon jump, we are kind of making our own function, so we need to inject our routine in a place that the RAM constantly uses (like every frame)
To do this, Try setting a breakpoint ON you're controller address, it should take you to the area where the WPAD is read over and over, try injecting you're routine there. Remember, the LAST line of you're subroutine should be the ORIGINAL data of where you injected, so that it makes everything the way it should be before continueing
Ok, now I understand it.
Btw. What happens, when there is allready a routine, that you could edit, but for whatever
reason, you write a new one that basically does the same, as the existing one, just with other
values.
Could there be conflicts or gets one of these routines (original vs. injected) priority?
ok, what you want to do there, just nop the whole original routine, and rewrite it. So still use the C2 code type, but also have a bunch of 32bit writes, and just nop it all (00000000) and that way you won't get any conflicts!
nop is 60000000
not 00000000
Quote from: Black_Wolf on October 10, 2008, 09:55:13 AMNow there are 2 popular methods for a moon jump code, one is generally easier than the other, but the address is hard to find.
The first method is a simple button activated gravity mod. You hold a button, gravity is lessened. Now finding gravity can be a chore, generally it can be found as a float 1 value (0x3f800000) HOWEVER try finding co-ordinates and experimenting with the area around it.
Now the SECOND method is to use the Z co-ordinates (height) to make a custom "jump" routine in asm. I generally use this is I can't find the gravity modifier, but it nevertheless works in a similar manner.
The best way I have found to make a moon jump code is to just locate the character's z-axis velocity address. Then you only need to set the value to a constant when the jump button is held down. Also that prevents the game physics from getting screwed up, which could happen with the methods you suggested (gravity could affect more than just the character you play as, and modifying the z coords could cause you to go through solid objects).
lol stupid PPC asm, 60000000 then.
So with the z-axis velocity, you could find by just jump, increase, at the peak of the jump (character slows) decrease etc?
I prefer actual z-axis modding, even though its more work, i just love working with co-ords, its incredibly easy to make teleport, mark and recall, walk through walls etc with the co-ordinates, I just really like the control. If you do have gravity though, setting it to 0 helps too, because you can make a full fledged FLIGHT code, with complete control over all the axises, to just hover anywhere you want!
Hi again...
I've come up with the following code, which (at least) does something without freezing the game:
lis r0, 0x8049
lwz r1, 0xFFFF80F6(r0)
lis r2, 0x805D
lwz r3, 0x4FDA(r2)
li r4, 0x00001000
li r5, 0x00000100
cmpw r3, r4
bne +0x12
add r6, r5, r1
stw r6, 0xFFFF80F6(r0)
Problem: The code should add 100 to the value stored in register 1 as soon as I press the (-) button.
Unfortunatly, when I activate the code in WiiRD, the value jumps from 000002F4 to 4BB6A72C without pressing
any button.
I hope, someone can point out a mistake I made.
Easiest way for you to debug, is just to add breakpoint in the beginning of that asm code and step through line by line and see when does the register value turn to wrong one.
Most of the time you have to be careful not to use too many registers, as game might use same registers for other purposes, ie, you have to be sure that register value is always unused ie 00000000, or store and restore the register value inside your asm code. As if your asm uses registers that game is using simultaneously on different part of the game, you might end in in freezing or other unforseen situations. Same thing is about memory locations, game can use some location to store value 2F4, but it can use the same location to store value 4BB6A72C etc during animations etc.
Sorry to bother you again.
I made sure, that the registers, I write to, are not in use, so this shouldn't be the problem.
Animations and such weren't played, while I tested the code.
How do I add a breakpoint to the asm code?
The whole "breakpoint"-tab in WiiRD is pretty confusing for me...
I understand, that you set the address you want to watch as breakpoint and the game
should stop running, when something read or writes to this address.
But what then, where can I see what reads or writes to my address?
I can't figure out, what to do with this assembler-window at the bottom.
Edit: I figured out, how it works in WiiRD, but I still don't know, how to breakpoint in an asm-code.
you put your asm code address, and instead of read or write, you mark the execute option, and wiird will stop when your codeline is runned.
I htink it could be the FFFF thing screwing it up, seems to be sensitive. There's a slightly longer way to do it though, load the FULL address into a register, and then do the lwz, you can use ORI for this!
lis r0, 0x8049
ori r0,r0,0x80F6
lwz r1, 0x0(r0)
lis r2, 0x805D
lwz r3, 0x4FDA(r2)
li r4, 0x00001000
li r5, 0x00000100
cmpw r3, r4
bne +0x12
add r6, r5, r1
stw r6, 0(r0)
This way, every time you refer to 0(r0) its the address 0x804980F6
See if that routine works better
Thanks for the code, but unfortunatly that didn't work.
I've tried to leave out the button-activator, to rule out this as cause.
lis r0, 0x8049
ori r0,r0,0x80F6
lwz r1, 0x0(r0)
li r2, 0x00000100
add r3, r1, r2
stw r3, 0(r0)
But that didn't work either.
I can't use this execute option for breakpoints, because as soon, as I activate the code in WiiRD,
it writes this high number. It doesn't wait for any buttons. So I have no time, to switch to the
breakpoint-tab and search for executions.
Edit: By using a button-activator before the asm-code itself, I managed to do the breakpoint thing.
For some reason, this 4BB6A72C (which is allways the same) is written to r5 and then to my address.
I've tried to nop this, but now, the asm-code does nothing...
Maybe you have injected the code more than once without rebooting, or removing(NOP)ing the injection point away, before applying changes again. ie you have the old r5 addition code running already.
Have you rebooted/resetted the game before applying changes? As clearly that code that does not touch r5. Or you are giving examples that are not real / too much stuff edited away.
If you breakpoint and go through the code line by line, does it jump to your injection space and back to injection point + 4 after the injection? As if you are giving too little information there is no way to tell whats wrong. (you didnt tell what line of your code example the value R5 changes while stepping the breakpoint).
Sorry, that it seems, as if I hold back useful information, but I'm a bloody noob to asm and breakpoints.
I've rebooted my Wii several times between testing. The code itself is as you see
(I haven't left out anything and I'm not touching r5). The only bit of information,
I could add is, that I'm injecting the code at 804980F6 (the same address, that is loaded
into register 0), but I tried other addresses with the same result.
Thanks for the advice with "stepping the breakpoint". I don't know, why I didn't try that allready to see,
what happens. But I'll test it, as soon as I get back to my Wii. I hope, I can provide more information then.
That sounds like trouble, if you are injecting code to 804980F6, then the value of that address is replaced with "b 0x800xxxx" (branch jump to injection place), so if you injection code loads into that address, then it will not load the earlier value of 804980F6, as that value does not exist anymore its replaced with the branch jump. So you cannot inject code to the same memory address that you read the value from, so you need to inject code to some other position. As now if you are adding 0x100 value to the branch code (b 0x800x[x+1]xx), it just branches to +100 position of your injected asm code on next time it loops to that address -> undefined location -> crashes the game.
Ie if the 804980F6 address value is the value that you want to modify, you need to put write breakpoint there and see where it breaks, and then do the asm injection to the asm code memory location (which is on different memory location) that does the actual writing to 804980F6. Usually its the memory location of line like "stw r30,0(r1)" or similar that you need to inject your code to (and not the location of the value that you want to modify).
i really cant udnerstand the 2nd method can someone please help
Quote from: Jassim on April 19, 2009, 10:33:33 PM
i really cant udnerstand the 2nd method can someone please help
Do you understand Assembly code?
sorry about the bump but where can you download the program?
http://usbgecko.com/manual.htm (http://usbgecko.com/manual.htm)
3rd party applications -> WiiRD ASM Helper Tool By Link
thank you :D
Nice guide, but what do I have to set in the "adress" line in WiiRD <-> ASM?
I left 80000000 in, but if I go on quest in the game (Monster Hunter 3), it will give me a black screen.
Quote from: _Vuze_ on September 27, 2009, 11:50:25 AM
Nice guide, but what do I have to set in the "adress" line in WiiRD <-> ASM?
I left 80000000 in, but if I go on quest in the game (Monster Hunter 3), it will give me a black screen.
Here's your answer
Quote from: Black_Wolf on October 10, 2008, 09:55:13 AM
- We are injecting our routine at the address 0x804568C8
Niiicce with all those videos, i am learning really fast mehehe!!
@Romaap: Yeah, thank you, got it while reading through the guide once again offline ::)
It is not working for me though, even though the adresses should be correct... well, I gotta try some more.
Oh, and am I not allowed to use a register over r30 (or r31)? The converter always gives me an error. If not, what is the easiest way to find unused registers yet?
Sorry, I am really, really new to ASM, never dealt with it before...
Quote from: lindtec on October 12, 2008, 10:23:20 PM
Thanks, now its a lot clearer.
Unfortunatly, I still get 2 errors:
My Code:
Address for Button-Check: 805D4FDA
Address to add a value: 804980F6
lis r0, 0x805D
lwz r1, 0x4FDA(r0)
li r2, 0x00001000
lis r3, 0x8049
lwz r4, 0x80F6(r3)
li r5, 0x00001000
cmpw r1, r2
bne +0x12
add r6, r4, r5
stw r6, 0x80F6(r3)
The errors:
\asmhelp-tmpout.txt:5: Error: operand out of range (0x000080f6 is not between 0xffff8000 and 0x00007fff)
\asmhelp-tmpout.txt:10: Error: operand out of range (0x000080f6 is not between 0xffff8000 and 0x00007fff)
Hope, you know a solution for this problem too, Black_Wolf.
lis r0,-32675
lwz r1,20442(r0)
li r2,4096
lis r3,-32688
lwz r4,11(r3)
li r5,4096
cmpw r1,r2
bne- 0x10
add r6,r4,r5
stw r6,-32522(r3)
I just fixed your error but I don't know if it will work because you're using many registers. I would do it like this:
lis r15,0x805d
lwz r15,0x4fda(r15)
cmpwi r15,0x1000
bne- 0x14
lis r15,0x8050
lwz r16,-32522(r15)
addi r16,r16,0x1000
stw r16,-32522(r15)
nop <-- put here instruction replaced by hook (C2/D2)
Check if r15 and r16 are free and be sure that 0x805d4fda is a word.
Since your all hacking geniuses :) , can ya'll make a code for disabling the one hit ko code? Its saved on my file, and now its really annoying me. lol
which game, region etc.
Oh wow, That was stupid. My badd. loll. The game is Bully Scholarship edition, Its pal, but patched to ntsc-u. Can you make a code to disable the instant ko? because its saved to my file, and i tried removing it and it wont work. Thankss. alott. I didnt even think i was gonna get a reply. loll.