Hi
I want to set my own value to a C2 code like base address with 63 (99) lives. [game new super mario bros PAL]
the base address of lives = 80355193
breakpoint (write) says:
CR : 28000888 XER : 20000000 CTR : 80272D30 DSIS: 02400000
DAR : 80355190 SRR0: 8006066C SRR1: 0000B032 LR : 80060630
r0 : 00000003 r1 : 8043FC18 r2 : 80433360 r3 : 80355190
r4 : 00000000 r5 : 00000004 r6 : 00000000 r7 : 00000000
r8 : 00000000 r9 : 00000000 r10 : 00000000 r11 : 8043FC18
r12 : 80272D30 r13 : 8042F980 r14 : 00000000 r15 : 00000000
r16 : 00000000 r17 : 00000000 r18 : 00000000 r19 : 00000008
r20 : 00000000 r21 : 40E00000 r22 : 40800000 r23 : 8154B94C
r24 : 81541448 r25 : 00000001 r26 : 00000001 r27 : 00000001
r28 : 8154B804 r29 : 8154B804 r30 : 8154CC34 r31 : 8154B804
f0 : 00000000 f1 : 00000000 f2 : 59800004 f3 : 41700000
f4 : 00000000 f5 : 41400000 f6 : BF800000 f7 : 00000000
f8 : 00000000 f9 : 00000000 f10 : 00000000 f11 : 3F800000
f12 : 3F5B14A0 f13 : 3ED2F6DA f14 : 00000000 f15 : 00000000
f16 : 00000000 f17 : 00000000 f18 : 00000000 f19 : 00000000
f20 : 00000000 f21 : 00000000 f22 : 00000000 f23 : 00000000
f24 : 00000000 f25 : 00000000 f26 : 00000000 f27 : 00000000
f28 : 00000000 f29 : 00000000 f30 : 00000000 f31 : 00000000
800060670
8006066C: 7C03212E stwx r0,r3,r4
80060670: 4082000C bne- 0x8006067c
80060674: 38000000 li r0,0
80060678: 900DA648 stw r0,-22968(r13)
8006067C: 3865FFFF subi r3,r5,1
80060680: 80010014 lwz r0,20(r1)
80060684: 7C0803A6 mtlr r0
80060688: 38210010 addi r1,r1,16
8006068C: 4E800020 blr
80060690: 9421FFE0 stwu r1,-32(r1)
80060694: 7C0802A6 mflr r0
80060698: 90010024 stw r0,36(r1)
8006069C: 93E1001C stw r31,28(r1)
800606A0: 7C7F1B78 mr r31,r3
800606A4: 800DA620 lwz r0,-23008(r13)
800606A8: 80AD8288 lwz r5,-32120(r13)
hook address = C206066C
now I don't know how to set the value like a base address.
thanks for help
The "hook" address is the instruction you want to replace, not the address you want to write to. In your case, I think you want to replace 8006066C.
You also didn't hit a Read breakpoint. You hit a Write breakpoint. Notice how the instruction at 8006066C is stwx = STore Word indeXed. Pretend it is like stw r0,r4(r3); r4 is the index.
What instructions are before a hook is almost more important than what is after the hook. Please provide some extra disassembly, like ten instructions before 8006066C.
Also, everything after the blr is unnecessary. Functions usually begin with stwu r1/mflr r0 and end with mtlr r0/addi r1/blr. (rarely, there will be no stwu/mflr, or mtlr/addi, but there is ALWAYS a blr at the end)
(this is the end of the function we care about. We want the beginning of it...preferably everything up to its stwu r1/mflr r0)
8006066C: 7C03212E stwx r0,r3,r4
80060670: 4082000C bne- 0x8006067c
80060674: 38000000 li r0,0
80060678: 900DA648 stw r0,-22968(r13)
8006067C: 3865FFFF subi r3,r5,1
80060680: 80010014 lwz r0,20(r1)
80060684: 7C0803A6 mtlr r0
80060688: 38210010 addi r1,r1,16
8006068C: 4E800020 blr
(this is part of the next function; we don't care about it)
80060690: 9421FFE0 stwu r1,-32(r1)
80060694: 7C0802A6 mflr r0
80060698: 90010024 stw r0,36(r1)
8006069C: 93E1001C stw r31,28(r1)
800606A0: 7C7F1B78 mr r31,r3
800606A4: 800DA620 lwz r0,-23008(r13)
800606A8: 80AD8288 lwz r5,-32120(r13)
80060630: 80010008 lwz r0,8(r1)
80060634: 3C808035 lis r4,-32715
80060638: 3C608035 lis r3,-32715
8006063C: 5400103A rlwinm r0,r0,2,0,29
80060640: 38845160 addi r4,r4,20832
80060644: 7C04002E lwzx r0,r4,r0
80060648: 38635190 addi r3,r3,20880
8006064C: 5404103A rlwinm r4,r0,2,0,29
80060650: 7CA3202E lwzx r5,r3,r4
80060654: 2C050000 cmpwi r5,0
80060658: 4181000C bgt- 0x80060664
8006065C: 38600000 li r3,0
80060660: 48000020 b 0x80060680
80060664: 2C000000 cmpwi r0,0
80060668: 3805FFFF subi r0,r5,1
8006066C: 7C03212E stwx r0,r3,r4
80060670: 4082000C bne- 0x8006067c
80060674: 38000000 li r0,0
80060678: 900DA648 stw r0,-22968(r13)
8006067C: 3865FFFF subi r3,r5,1
80060680: 80010014 lwz r0,20(r1)
80060684: 7C0803A6 mtlr r0
80060688: 38210010 addi r1,r1,16
8006068C: 4E800020 blr
80060690: 9421FFE0 stwu r1,-32(r1)
80060694: 7C0802A6 mflr r0
80060698: 90010024 stw r0,36(r1)
8006069C: 93E1001C stw r31,28(r1)
800606A0: 7C7F1B78 mr r31,r3
800606A4: 800DA620 lwz r0,-23008(r13)
800606A8: 80AD8288 lwz r5,-32120(r13)
Okay, I think this is what is happening. NSMB is a multi-player game, so they probably store the lives near each other, and use stwx to get to player x's life count.
The base pointer for the lives appears to be 80355190. Each player's life value should be here, and based on the player number the stwx will index to the correct player's life.
80060638: 3C608035 lis r3,-32715
...
80060648: 38635190 addi r3,r3,20880
Eventually, we load the current life count
80060650: 7CA3202E lwzx r5,r3,r4
and then, if it is greater than 0
80060654: 2C050000 cmpwi r5,0
80060658: 4181000C bgt- 0x80060664
we subtract 1 from it and store the new value
80060668: 3805FFFF subi r0,r5,1
8006066C: 7C03212E stwx r0,r3,r4
Therefore, if you want to always give 99 lives, replace subi r0,r5,1 with li r0,0x63. Then the stwx will store the 99 instead of r5-1
syntax error
li r0,99
Do you mean that li r0,99 works, but li r0,0x63 does not?
if I change it to li r0,99 and I lose a life, the game freezes.
and if I change it to li r0,0x63, it says error (assembled instruction is li r0,99)
You are replacing the subi, not the stwx, right?
That's weird. The ASM must be running more than once. Set an Execute breakpoint on 80060668 and see what else causes it to hit...
yes on subi r0,r5,1
execute says:
80060640: 38845160 addi r4,r4,20832
80060644: 7C04002E lwzx r0,r4,r0
80060648: 38635190 addi r3,r3,20880
8006064C: 5404103A rlwinm r4,r0,2,0,29
80060650: 7CA3202E lwzx r5,r3,r4
80060654: 2C050000 cmpwi r5,0
80060658: 4181000C bgt- 0x80060664
8006065C: 38600000 li r3,0
80060660: 48000020 b 0x80060680
80060664: 2C000000 cmpwi r0,0
80060668: 3805FFFF subi r0,r5,1
8006066C: 7C03212E stwx r0,r3,r4
80060670: 4082000C bne- 0x8006067c
80060674: 38000000 li r0,0
80060678: 900DA648 stw r0,-22968(r13)
80060668: 3805FFFF subi r0,r5,1
8006066C: 7C03212E stwx r0,r3,r4
80060670: 4082000C bne- 0x8006067c
80060674: 38000000 li r0,0
80060678: 900DA648 stw r0,-22968(r13)
8006067C: 3865FFFF subi r3,r5,1
80060680: 80010014 lwz r0,20(r1)
80060684: 7C0803A6 mtlr r0
80060688: 38210010 addi r1,r1,16
8006068C: 4E800020 blr
80060690: 9421FFE0 stwu r1,-32(r1)
80060694: 7C0802A6 mflr r0
80060698: 90010024 stw r0,36(r1)
8006069C: 93E1001C stw r31,28(r1)
800606A0: 7C7F1B78 mr r31,r3
800606A4: 800DA620 lwz r0,-23008(r13)
That instruction must be doing more than just lives. The execute BP will say the same instructions every time, but you are more interested in what actions trigger the execute BP.
.....
omg now it works....
I have made one for coins.
base address : 803551A3
CR : 88000888 XER : 00000000 CTR : 80038FD0 DSIS: 02400000
DAR : 803551A0 SRR0: 8006043C SRR1: 0000B032 LR : 80060288
r0 : 0000000B r1 : 8043FB18 r2 : 80433360 r3 : 0000000A
r4 : 803551A0 r5 : 00000000 r6 : 00000002 r7 : 00000000
r8 : 00000001 r9 : 815E4478 r10 : 7D4256F0 r11 : 8043FB58
r12 : 80038FD0 r13 : 8042F980 r14 : 00000000 r15 : 00000000
r16 : 00000000 r17 : 00000000 r18 : 00000000 r19 : 00000000
r20 : 00000000 r21 : 00000000 r22 : 00000000 r23 : 00000000
r24 : 00000000 r25 : 00000002 r26 : 00000000 r27 : 00000000
r28 : 00000000 r29 : 8154B9F0 r30 : 8043FBE0 r31 : 80355110
f0 : 00000000 f1 : C402E351 f2 : 44B9DA47 f3 : C0E00000
f4 : 41300000 f5 : C3FFC6A2 f6 : 00000000 f7 : 00000000
f8 : 43800000 f9 : 46361A2A f10 : 43800000 f11 : 80000000
f12 : 3F800000 f13 : 00000000 f14 : 00000000 f15 : 00000000
f16 : 00000000 f17 : 00000000 f18 : 00000000 f19 : 00000000
f20 : 00000000 f21 : 00000000 f22 : 00000000 f23 : 00000000
f24 : 00000000 f25 : 00000000 f26 : 00000000 f27 : 00000000
f28 : 00000000 f29 : 00000000 f30 : 44B9DA47 f31 : C402E351
800603FC: 7CC5012E stwx r6,r5,r0
80060400: 5484103A rlwinm r4,r4,2,0,29
80060404: 5503103A rlwinm r3,r8,2,0,29
80060408: 54E0103A rlwinm r0,r7,2,0,29
8006040C: 7CC5212E stwx r6,r5,r4
80060410: 7CC5192E stwx r6,r5,r3
80060414: 7CC5012E stwx r6,r5,r0
80060418: 48000028 b 0x80060440
8006041C: 80010008 lwz r0,8(r1)
80060420: 387F0050 addi r3,r31,80
80060424: 389F0090 addi r4,r31,144
80060428: 5400103A rlwinm r0,r0,2,0,29
8006042C: 7C03002E lwzx r0,r3,r0
80060430: 5405103A rlwinm r5,r0,2,0,29
80060434: 7C64282E lwzx r3,r4,r5
80060438: 38030001 addi r0,r3,1
8006043C: 7C04292E stwx r0,r4,r5
80060440: 39610040 addi r11,r1,64
80060444: 4827CC6D bl 0x802dd0b0
80060448: 80010044 lwz r0,68(r1)
8006044C: 7C0803A6 mtlr r0
80060450: 38210040 addi r1,r1,64
80060454: 4E800020 blr
80060458: 00000000 .word 0x00000000
8006045C: 00000000 .word 0x00000000
80060460: 9421FFC0 stwu r1,-64(r1)
80060464: 7C0802A6 mflr r0
80060468: 90010044 stw r0,68(r1)
8006046C: 93E1003C stw r31,60(r1)
80060470: 93C10038 stw r30,56(r1)
80060474: 7CBE2B78 mr r30,r5
80060478: 93A10034 stw r29,52(r1)
C2060438 00000002
380000XX 7C04292E
60000000 00000000
E0000000 80008000
or 04060438 380000XX
Glad to hear it works. :)
The "hook address" is the address you're replacing. C2060438 00000002 = address 80060438 = hook address
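The layout of the coin code above, as an added example that is not part of the original posts: it builds and checks the C2 (insert ASM) lines and the 04 (32-bit write) alternative for the hook at 80060438. The function names, the default base address 0x80000000, and the value 0x63 filled in for XX are assumptions made for illustration.

```python
# Added example: lays out and checks Gecko "C2" (insert ASM) and "04" lines.
BASE = 0x80000000   # assumption: the default Gecko base address
NOP = 0x60000000    # ori r0,r0,0, used as padding


def _offset(addr):
    """Offset of a word-aligned address from BASE (25-bit address field)."""
    off = addr - BASE
    if addr % 4 or not 0 <= off < 0x02000000:
        raise ValueError("address %08X is unaligned or out of range" % addr)
    return off


def build_c2(hook_addr, instrs):
    """Return the code lines that replace the instruction at hook_addr."""
    words = list(instrs)
    if len(words) % 2 == 0:
        words.append(NOP)      # pad so the final slot ends a line
    words.append(0)            # 00000000: the code handler puts the branch back here
    lines = ["%08X %08X" % (0xC2000000 | _offset(hook_addr), len(words) // 2)]
    lines += ["%08X %08X" % (words[i], words[i + 1])
              for i in range(0, len(words), 2)]
    return lines


def parse_c2(lines):
    """Return (hook address, instruction words) and reject malformed codes."""
    head, count = (int(x, 16) for x in lines[0].split())
    if head >> 25 != 0x61:     # top 7 bits of C2xxxxxx / C3xxxxxx
        raise ValueError("not a C2 code line")
    if count == 0 or len(lines) - 1 < count:
        raise ValueError("line count does not match the payload")
    body = [int(x, 16) for ln in lines[1:1 + count] for x in ln.split()]
    if len(body) != 2 * count or body[-1] != 0:
        raise ValueError("payload must end with 00000000")
    return BASE + (head & 0x01FFFFFF), body[:-1]


def write32(addr, word):
    """The one-instruction alternative: a 04 code overwriting a single word."""
    return "%08X %08X" % (0x04000000 | _offset(addr), word)


# Constructed input: li r0,0x63 followed by the stwx from the thread.
coin_code = build_c2(0x80060438, [0x38000063, 0x7C04292E])

if __name__ == "__main__":
    print("\n".join(coin_code))
    print(write32(0x80060438, 0x38000063))
```

The first word of the C2 line is the hook address with the top byte replaced, and the second word counts the 8-byte lines that follow, which is why two instructions need a nop before the closing 00000000.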
oh that is it ;D
but yea thanks a lot! :)
but how to use it on a 32 bit code?
Do you mean, for instance, to make r0 = 0xFFFFFFFF?
lis r0,0xFFFF
ori r0,r0,0xFFFF
If it gives you a syntax error, try -1 instead of 0xFFFF
lis = Load Immediate Shifted = fill the upper 16 bits with this
ori = OR with Immediate = fill the lower 16 bits with this
???
yes 32 bit value
r0 = 0xFFFFFFFF
Quote from: Deathwolf on June 21, 2010, 05:23:50 PM
if I change it to li r0,99 and I lose a life, the game freezes.
and if I change it to li r0,0x63, it says error (assembled instruction is li r0,99)
WiiRd does that, it makes you type it in decimal even though it's clear from the message that it understands 0x63
Quote from: wiiztec on June 21, 2010, 08:03:52 PM
Quote from: Deathwolf on June 21, 2010, 05:23:50 PM
if I change it to li r0,99 and I lose a life, the game freezes.
and if I change it to li r0,0x63, it says error (assembled instruction is li r0,99)
WiiRd does that, it makes you type it in decimal even though it's clear from the message that it understands 0x63
they could just try to do this.
80060674 38000063 li r0,99
This should set their lives to 99 once it hits 0 ..
or if they want always 99 ..
80060670 40820004 bne- 0x80060674
80060674 38000063 li r0,99
U could just nop the bne but Meh :P
thanks but how to write a 32 bit code...
Quote from: Deathwolf on June 22, 2010, 01:10:41 PM
thanks but how to write a 32 bit code...
here's your answer:
Quote from: dcx2 on June 21, 2010, 07:12:28 PM
Do you mean, for instance, to make r0 = 0xFFFFFFFF?
lis r0,0xFFFF
ori r0,r0,0xFFFF
If it gives you a syntax error, try -1 instead of 0xFFFF
lis = Load Immediate Shifted = fill the upper 16 bits with this
ori = OR with Immediate = fill the lower 16 bits with this
For writing 0x12345678 you would do:
lis r0,0x1234
ori r0,r0,0x5678
but this should also work or maybe not?
li r0,0x1234
lis r0,0x5678
Pretend that r0 already has 0x87654321
The safest way to load a register with a 32-bit value is lis/ori.
nop => r0: 0x87654321
lis r0,0x1234 => r0: 0x12340000 <--- lis erased the lower 16 bits for us
ori r0,r0,0x5678 => r0: 0x12345678 <--- ori does not erase the upper 16 bits, so we keep 0x1234
Using lis/li together will not work. lis always erases the lower 16 bits. li always erases the upper 16 bits.
nop => r0: 0x87654321
lis r0,0x1234 => r0: 0x12340000 <--- lis erased the lower 16 bits for us
li r0,0x5678 => r0: 0x00005678 <--- oh no! li erased the upper 16 bits! We lost 0x1234!
---
(detailed technical explanation below!)
li and lis are "mnemonics" or "shortcuts"; they are actually addi and addis.
li r3,4 => addi r3,r0,4
lis r12,63 => addis r12,r0,63
addi and addis are two instructions that behave differently when the source operand is r0. Instead of using the value in r0, they use the actual value 0.
li r3,4 => addi r3,r0,4 => 0 + 4 -> r3
lis r12,63 => addis r12,r0,63 => (0 + 63)<<16 -> r12
(<< means "left shift", <<16 means left shift by 16 bits)
addi r0,r0,1 will not increment r0! It will set r0 to 1 no matter what was in r0 before. If you try to put this asm into WiiRD, it will complain.
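The register behaviour described above, as an added example that is not part of the original post: a small model of addi, addis and ori that encodes each instruction to its 32-bit word and executes it, starting from r0 = 0x87654321 as in the post. The helper names are assumptions made for illustration; the encodings can be checked against the disassembly in this thread (38000063 = li r0,99, 3805FFFF = subi r0,r5,1).

```python
# Added example: models only the three PowerPC instructions discussed above.
MASK32 = 0xFFFFFFFF


def sext16(v):
    """Sign-extend a 16-bit immediate, as addi and addis do."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def enc_addi(rd, ra, simm):    # opcode 14; "li rD,X" is addi rD,0,X
    return (14 << 26) | (rd << 21) | (ra << 16) | (simm & 0xFFFF)


def enc_addis(rd, ra, simm):   # opcode 15; "lis rD,X" is addis rD,0,X
    return (15 << 26) | (rd << 21) | (ra << 16) | (simm & 0xFFFF)


def enc_ori(ra, rs, uimm):     # opcode 24; the source register sits in the rD slot
    return (24 << 26) | (rs << 21) | (ra << 16) | (uimm & 0xFFFF)


def step(regs, word):
    """Execute one encoded addi/addis/ori on a list of 32 register values."""
    op = word >> 26
    d, a, imm = (word >> 21) & 31, (word >> 16) & 31, word & 0xFFFF
    if op in (14, 15):
        base = 0 if a == 0 else regs[a]    # rA field 0 means literal 0, not r0
        shift = 16 if op == 15 else 0
        regs[d] = (base + (sext16(imm) << shift)) & MASK32
    elif op == 24:
        regs[a] = regs[d] | imm            # ori zero-extends its immediate
    else:
        raise ValueError("opcode %d is not modelled" % op)
    return regs


def run(words, r0=0x87654321):
    """Run a sequence of encoded instructions and return the final r0."""
    regs = [0] * 32
    regs[0] = r0
    for w in words:
        step(regs, w)
    return regs[0]


lis_ori = run([enc_addis(0, 0, 0x1234), enc_ori(0, 0, 0x5678)])
lis_li = run([enc_addis(0, 0, 0x1234), enc_addi(0, 0, 0x5678)])
all_ones = run([enc_addis(0, 0, -1), enc_ori(0, 0, 0xFFFF)])
addi_r0 = run([enc_addi(0, 0, 1)])

if __name__ == "__main__":
    for name, val in [("lis/ori", lis_ori), ("lis/li", lis_li),
                      ("lis -1 / ori 0xFFFF", all_ones),
                      ("addi r0,r0,1", addi_r0)]:
        print("%-20s r0 = %08X" % (name, val))
```

Because addi sign-extends its immediate while ori zero-extends, a lower half of 0x8000 or above would also come out wrong with li, which is another reason the lis/ori pair is the dependable one.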
hmm another quick question [super mario galaxy 2 ntsc]
starbits
address = 80E40E7A
breakpoint:
804DE06C: 4E800020 blr
804DE070: A063000A lhz r3,10(r3)
804DE074: 38800000 li r4,0
804DE078: 38A0270F li r5,9999
804DE07C: 4BB3BD84 b 0x80019e00
804DE080: 9421FFF0 stwu r1,-16(r1)
804DE084: 7C0802A6 mflr r0
804DE088: 38A0270F li r5,9999
804DE08C: 90010014 stw r0,20(r1)
804DE090: 93E1000C stw r31,12(r1)
804DE094: 7C7F1B78 mr r31,r3
804DE098: A003000A lhz r0,10(r3)
804DE09C: 7C602214 add r3,r0,r4
804DE0A0: 38800000 li r4,0
804DE0A4: 4BB3BD5D bl 0x80019e00
804DE0A8: B07F000A sth r3,10(r31)
804DE0AC: 83E1000C lwz r31,12(r1)
804DE0B0: 80010014 lwz r0,20(r1)
804DE0B4: 7C0803A6 mtlr r0
804DE0B8: 38210010 addi r1,r1,16
804DE0BC: 4E800020 blr
804DE0C0: A063000C lhz r3,12(r3)
804DE0C4: 38800000 li r4,0
804DE0C8: 38A0270F li r5,9999
804DE0CC: 4BB3BD34 b 0x80019e00
804DE0D0: 9421FFE0 stwu r1,-32(r1)
804DE0D4: 7C0802A6 mflr r0
804DE0D8: 90010024 stw r0,36(r1)
804DE0DC: 39610020 addi r11,r1,32
804DE0E0: 48150089 bl 0x8062e168
804DE0E4: A003000C lhz r0,12(r3)
I'm a little confused because nothing will work....
What are you trying to do? What have you tried?
I noticed that you highlighted r0 in the add instruction. add actually uses the value in r0; addi does not use the value in r0.
By the way, this is the complete "function". Note that it begins with stwu/mflr ("Function Prologue") and ends with mtlr/addi/blr ("Function Epilogue"). The whole function is below
804DE080: 9421FFF0 stwu r1,-16(r1)
804DE084: 7C0802A6 mflr r0
804DE088: 38A0270F li r5,9999
804DE08C: 90010014 stw r0,20(r1)
804DE090: 93E1000C stw r31,12(r1)
804DE094: 7C7F1B78 mr r31,r3
804DE098: A003000A lhz r0,10(r3)
804DE09C: 7C602214 add r3,r0,r4
804DE0A0: 38800000 li r4,0
804DE0A4: 4BB3BD5D bl 0x80019e00
804DE0A8: B07F000A sth r3,10(r31)
804DE0AC: 83E1000C lwz r31,12(r1)
804DE0B0: 80010014 lwz r0,20(r1)
804DE0B4: 7C0803A6 mtlr r0
804DE0B8: 38210010 addi r1,r1,16
804DE0BC: 4E800020 blr
Can you provide a copy of the values in the Registers at the instruction 804DE09C?
I think I see what's happening. The current star bit value is put into r0, using a pointer in r3 that was provided by the caller. r4 contains the number of star bits to add; 1 when you pick up a star bit and 0xFFFFFFFF when you shoot a star bit. It is an "argument" - the caller loaded r4 with the value before calling this function, that's why you don't see it being loaded here. You would need to follow the blr to see who loads r4.
bl 0x80019e00 is probably some function that makes sure your starbits are >= 0 (newly loaded in r4) and <= 9999 (in r5).
80E40E7A:
CR : 88000822 XER : 00000000 CTR : 80314DA0 DSIS: 02400000
DAR : 80E40E7A SRR0: 804DE0A8 SRR1: 0000A032 LR : 804DE0A8
r0 : 00000456 r1 : 807F2F10 r2 : 807DECA0 r3 : 00000455
r4 : 00000455 r5 : 0000270F r6 : 80727A68 r7 : 00000000
r8 : 636B0000 r9 : 0011C264 r10 : 0011C26C r11 : 807F2F10
r12 : 80314DA0 r13 : 807D7320 r14 : 00000000 r15 : 00000000
r16 : 00000000 r17 : 00000000 r18 : 00000000 r19 : 00000000
r20 : 00000000 r21 : 00000000 r22 : 00000000 r23 : 00000000
r24 : 00000000 r25 : 00000000 r26 : 00000000 r27 : 00000000
r28 : 81243B68 r29 : 807F2FCC r30 : FFFFFFFF r31 : 80E40E70
f0 : C4B3715E f1 : 42200000 f2 : C3992203 f3 : 00000000
f4 : 00000000 f5 : 00000000 f6 : 00000000 f7 : 00000000
f8 : BD89A4B9 f9 : 3E810440 f10 : 3E7EC2B4 f11 : BF6ECB1A
f12 : 3E77DFB8 f13 : 3D843960 f14 : 00000000 f15 : 00000000
f16 : 00000000 f17 : 00000000 f18 : 00000000 f19 : 00000000
f20 : 00000000 f21 : 00000000 f22 : 00000000 f23 : 00000000
f24 : 00000000 f25 : 00000000 f26 : 00000000 f27 : 00000000
f28 : 00000000 f29 : 00000000 f30 : 00000000 f31 : 43C80000
r0 : 00000456
r3 : 00000455
r4 : 00000455
-1 different
r5 : 0000270F <-- maximal 9999
we need r0 to add the value to the real register
804DE0A8: B07F000A <--sth r3,10(r31)
r3 : 00000455
r31 : 80E40E70 <-- address
mtlr r0
r0 : 00000456 <-- real
addi r1,r1,16 <-- r1 : 807F2F10
blr
What do you want to do? Max starbits? Replace
804DE0A4: 4BB3BD5D bl 0x80019e00
with
804DE0A4: 7CA32B78 mr r3,r5
This will copy r5 = 0x270F = 9999 into r3 every time.
The bl 0x80019e00 is supposed to make sure r3 is between r4 = 0 and r5 = 9999. It makes sure we do not have less than 0 star bits or more than 9999 star bits. r3 will have the result. So instead of bl 0x80019e00, when we mr r3,r5 we're copying the maximum (r5 = 9999) over top of the result (in your case, 0x455).
and r0? ???
I want to set 9999 to r0
No, you don't need to set r0 = 9999. r0 is a temporary register that's used to load your current star bit value. r3 is later used to write your new star bit value.
li r3,9999 would not work?
There are many ways to do it. li r3,9999 may work. I like mr r3,r5 better, because r5 is what the max should be. The max may not always be 9999.
what does bl do?
The bl 'branches' to the address given (which means the next instruction being executed is the one at the address specified) and stores the address after the bl in the Link Register.
At the end of the subroutine where you just branched to is the instruction blr; this instruction branches to the address in the Link Register, which should be the address after the bl.
thanks.
btw here another way.
change
804DE09C: 7C602214 add r3,r0,r4
to
804DE09C: 38600063 li r3,99
bl "calls functions"
When you pick up a star bit, the game "calls" me. It tells me to add 1 to Mario's Star Bits. So I add one.
But then we have to make sure we don't go over 9999. So I "call" Romaap, and Romaap makes sure that Mario's Star Bits are 0 <= starbits <= 9999. Then Romaap "hangs up" ( = blr), and then I "hang up". Then the game continues.
Using Gecko.NET's Logging, here's what it looks like. I had 0x816 star bits, and I was picking one up (note how r4 = 1 @ 804DE09C)
804DE080: 9421FFF0 stwu r1,-16(r1) r1 = 807F2FD0 r1 = 807F2FD0
804DE084: 7C0802A6 mflr r0 LR = 804D3BA8 r0 = 80023A20
804DE088: 38A0270F li r5,9999 r5 = 8065BA70
804DE08C: 90010014 stw r0,20(r1) r0 = 804D3BA8 r1 = 807F2FC0
804DE090: 93E1000C stw r31,12(r1) r31 = 00000001 r1 = 807F2FC0
804DE094: 7C7F1B78 mr r31,r3 r31 = 00000001 r3 = 80E40E70
804DE098: A003000A lhz r0,10(r3) r0 = 804D3BA8 r3 = 80E40E70
804DE09C: 7C602214 add r3,r0,r4 r3 = 80E40E70 r0 = 00000816 r4 = 00000001
804DE0A0: 38800000 li r4,0 r4 = 00000001
804DE0A4: 4BB3BD5D bl 0x80019e00
80019E00: 7C032000 cmpw r3,r4 r3 = 00000817 r4 = 00000000
80019E04: 40800008 bge- 0x80019e0c
80019E0C: 7C032800 cmpw r3,r5 r3 = 00000817 r5 = 0000270F
80019E10: 40810008 ble- 0x80019e18
80019E18: 7C641B78 mr r4,r3 r4 = 00000000 r3 = 00000817
80019E1C: 7C832378 mr r3,r4 r3 = 00000817 r4 = 00000817
80019E20: 4E800020 blr LR = 804DE0A8
804DE0A8: B07F000A sth r3,10(r31) r3 = 00000817 r31 = 80E40E70
804DE0AC: 83E1000C lwz r31,12(r1) r31 = 80E40E70 r1 = 807F2FC0
804DE0B0: 80010014 lwz r0,20(r1) r0 = 00000816 r1 = 807F2FC0
804DE0B4: 7C0803A6 mtlr r0 LR = 804DE0A8 r0 = 804D3BA8
804DE0B8: 38210010 addi r1,r1,16 r1 = 807F2FC0 r1 = 807F2FC0
804DE0BC: 4E800020 blr LR = 804D3BA8
ohh makes sense for me.
thanks a lot
@dcx2, I liked your telephone analogy...
In my mind Romaap and you broke out into a Lady Gaga tune that I can't recall the name of right now...
Very catchy... Also you and Romaap Murdered a bunch of functions :o
[/ladygagajokes]
Still a good analogy. Although that really is what the game does if you think about it.