I'm trying to hack Toy Story 3 (NTSC), but it freezes when it dumps certain blocks.
I can only dump blocks 1-9 in the 80 mem range. In the 90 mem range it's much smaller.
I've tried almost everything, it's all blocked off with freezing if you try and dump it.
Tested with Gecko dot NET and WiiRd GUI. (Used OSSleep and GXFlush, both did same thing.)
I have the same problem here with the PAL version of the game.
It hangs after block 10
Does any of the more experienced hackers have an idea??
Oh wow. What a coincidence. At the moment, I am having the same problem, just with another game.
WiiRD freezes on me after dumping block 52, rather, it doesn't load the addresses :(
Strange thing is that I can search anywhere else just fine, just in this one location I do the search, it hangs up -__-
I don't think that the actual RAM is protected. Especially for Toy Story 3 in your case.
Well, I do search in the safe range. The thing is that I did one search for player 1 in the game, and it worked fine. For player 2, it's not.
Anyways, I'll just have to try searching 92000000 to 93000000 since the address I want lies there. If it freezes then I'm all out of ideas :|
I wonder if the game is somehow hitting a Breakpoint.
1) Can you look at the allegedly protected memory areas with Memory Viewer?
2) Can you switch to the Breakpoint tab with WiiRDGUI and hit Get BP Data? If so, copy/paste the registers/disassembly into a reply. If not, then I'm assuming that WiiRDGUI is frozen because of the dump. In that case, can you shut WiiRDGUI down and restart it and then go to the Breakpoint tab?
3) Try setting a dummy breakpoint, in case they somehow set up a read breakpoint. Something like an execute on 80000000 - it would never happen. Then cancel the breakpoint. This would interrupt any pending breakpoints.
DEADBABE is the kind of thing I usually see when there is stack or heap protection. What you do is fill a bunch of memory with a particular value, like DEADBABE, and then later you can go look over the memory and if anything isn't DEADBABE then you know someone wrote something that they shouldn't have.
This is interesting. There's not much that should cause a trap on a read...
Can you read the end of memory? That is, is it a "protected hole"? Or is everything after 809A9000 off limits?
Can you poke 809A9000 to 0? If the poke is successful, does it still freeze back in the disassembler?
Okay, this next test is somewhat exotic...
Make a code that writes 0 to the DEADBABE address. Pause the game. Apply the code. Note that because the game is paused, the memory has not been written to yet.
Go looking for the code data in memory. It's prefixed with C0DE, around 80002xxx. Once you find your code, set a Read breakpoint on it. You should end up in the Code Handler. Follow along by stepping and you should eventually land on a stw (after maybe 20-30 instructions) that writes 0 to the DEADBABE address. What happens when you press Step while the active instruction is that write?
That sounds right; r4 would have the second code word, which is a 0. r12 is I think where the ba + address ends up; it should be 809A9000
If you stepped over that stw successfully, then that's very, very interesting...
After you step over stw r4,0(r12), hit Run. Is the game frozen? If the game freezes, press Get BP Data and post the registers/disassembly.
Wait, so you applied the code before the intro screen? What about after?
That's very freaky... it's frozen on stw r4,0(r12), but r12 is a valid pointer.
And if r1 had a corrupted value like all 1's, then I wonder if Gecko OS is getting screwed up. brkirch might have some insights...but I think I'm all out of suggestions.
I've seen the registers all say 1 before on a crash. I don't remember any other details though.
Anyway, this is interesting.
Well, thanks for the help, I'm done messing around with the game. I was able to get a full complete dump of the 80 and 90 mem ranges though, by a pause on start.
Wait, so if you pause before you dump then it's okay? I thought I made Gecko.NET pause before doing dumps automatically...
Or...do you mean like start the game paused before it even gets to the strap screen?
I mean setting the debugger to pause on start. or gecko pause start
Oh! That reminds me, Twilight Princess has some strange problems that I was able to get around by pausing the game- as in, bringing up the game's pause menu before searching. ...or maybe it was by pressing Home before searching?
If you have a chance, maybe you could check those possibilities out?
lol after 9 it really freezes...
80C-80D works but at 80E-80F it freezes again.
Even memory range 81 won't work.
I hope it's not on every new game.
it's unhackable right?
This is the end of ocarina codes... and I just started learning how to make some good codes.... :-[
Let's check newer games, to see if it was just a coincidence with this game.
Enough with the doomsday talk. I highly doubt that game makers (especially those whose games are not even online or multi-player) will bother with making their games "unhackable". They have a hard enough time getting games out the door without trying to make things more complicated... this is probably a technical glitch that affects just Toy Story 3. You're making a mountain out of a molehill.
---
DEADBABE, DEADBEEF, and certain other values are used by games to represent certain areas. I'm not surprised to see these values in other games (you will find them in the RAM of your PC, too)...I am surprised that it's even in the vicinity of the dump crashing.
Nuke made the USB Gecko, but he's gone now. In theory you might be able to update the CPLD inside of it, but there's no reason to. The USB Gecko is just a glorified serial port. All of the intelligence is inside Gecko OS.
Neither OSProtectRange nor the DBAT registers appear to be responsible for the memory protection. Although I haven't gotten around to figuring out the exact details yet, it looks like a page table is being set up, so I would guess some of the PTEs may have their page protection bits set to 0.
Is it so? When I'm always spamming shells in MKWii and the game freezes, have I destroyed a register from shell spamming? As an example ^^
...
Some parts of memory still dump. Others don't. Thomas got all of memory to dump by pausing on start, so you could browse disassembly. I wouldn't call this unhackable until brkirch throws in the towel.
Search and Memory Viewer are dump functions and they freeze in a specific range in mem80.
Then the disassembler should do as well, I guess...
However, I am interested in hacking this game, just wondering... :confused:
Have you tried just not searching the areas that freeze? Maybe the game doesn't even use those regions.
Seems like TS3 uses virtual memory (BAT), and protects the memory region (so the game hangs when dumping the ram)... Means not much "easy" codes/hacking for this game for now (unless the code search tools are updated).
Only some kind of asm hacking can be done, for example on a memory RAM dump taken before the game starts (i.e. do a pause start), and even with that results are not guaranteed.
Proof that the game uses virtual memory (for the EU version, but it might also work on US):
I made a full RAM dump, and after a few searches found the starting life value of the first level: 8077EA00 42C80000. Then I put a bpr on it, and found the instruction at 0x80395334 where the value was read, then copied to another place.
So, start the game, put a bpr on 8077EA00 until it breaks on 0x80395334. See that instruction at 0x8039535C, "stfs f1,20(r31)"? Now look at the r31 value... 0xB40D6720? 0xA11D0B70?... (changes each time you start the level). Not a "normal" address. And no crash when the instruction is executed, so the address is valid. So these 0xA/0xB addresses are in virtual memory (the "real" place of the life value is in the 0x926... area, which isn't accessible as the memory is protected).
Also, still as a proof of concept, here is a kinda useless code that gives you 1000000 life points instead of 100 when you start a level:
0477EA00 49742400
And here is a patch that you'll have to apply manually (meaning do a poke) before starting the game (when you do a paused start):
801FA2E4 48000180
This allows you to dump all of MEM1/MEM2 (can be useful to find some values, but the game still uses virtual memory, meaning for example no breakpoints).
Yes, it is possible to translate, but it would be necessary to get a dump of the registers used for VM (in Gecko OS that would add 64+ opcodes just to dump the needed registers (about 33 registers) into RAM).
But once the registers are dumped, I have all the address translation implemented in Delphi in the gcnrdgui source code, thanks to Parasyte back then (once you analyze the register dump you then dump the table, and you can translate the address properly). So the code could be ported to wiirdgui, wiird, gecko.net kinda easily.
About the "patch" I made: I'm honestly not 100% sure of what happens. I mean, at first I didn't think the game was actually using VM, and all I was doing was paused-starting the game, then following the asm until memory area 81000000 would stop being accessible. Then I found out which instructions were causing the trouble, and I skipped them. After further analysis, it seems skipping these instructions actually disables the memory protection set by the virtual memory (when you set it, you can choose to protect or not the memory region), and it looks like the game is actually using VM. But it's been a very long time since I hacked virtual memory games, so I'm not 100% sure of what's going on.
And it has nothing to do with Metroid. Metroid uses 2 protections: timer based protection, and "data integrity" protection. But nothing close to virtual memory.
Found another game using virtual memory: Cars 2 USA
Cars 2 [SCYE4Q] Enable Code Search (function ported from Kenobi) [Thomas83Lin]
0419CB1C 48000180
*Must be enabled as a Sd-Cheat or poked in on a Pause Start*
Quote
this allows you to dump all of MEM1/MEM2 (can be useful to find some values, but the game still uses virtual memory, meaning for example no breakpoints).
I think it's pretty cool that I found a similar function in this game as in TS3, but I was expecting to, since it's made by the same people.
Edit: Toy Story 3's function for future reference
[spoiler]
801FA070: 9421FFE0 stwu r1,-32(r1)
801FA074: 7C0802A6 mflr r0
801FA078: 90010024 stw r0,36(r1)
801FA07C: BFA10014 stmw r29,20(r1)
801FA080: 7C7E1B78 mr r30,r3
801FA084: 7C9F2378 mr r31,r4
801FA088: 389E0020 addi r4,r30,32
801FA08C: 8003000C lwz r0,12(r3)
801FA090: 540000BE rlwinm r0,r0,0,2,31
801FA094: 9003000C stw r0,12(r3)
801FA098: 38632620 addi r3,r3,9760
801FA09C: 4BFFFF49 bl 0x801f9fe4
801FA0A0: 387E2628 addi r3,r30,9768
801FA0A4: 389E0320 addi r4,r30,800
801FA0A8: 4BFFFF3D bl 0x801f9fe4
801FA0AC: 387E2630 addi r3,r30,9776
801FA0B0: 389E0620 addi r4,r30,1568
801FA0B4: 4BFFFF31 bl 0x801f9fe4
801FA0B8: 387E2638 addi r3,r30,9784
801FA0BC: 389E1620 addi r4,r30,5664
801FA0C0: 4BFFFF25 bl 0x801f9fe4
801FA0C4: 387E2620 addi r3,r30,9760
801FA0C8: 389F0020 addi r4,r31,32
801FA0CC: 4BFFFF51 bl 0x801fa01c
801FA0D0: 387E2620 addi r3,r30,9760
801FA0D4: 389F0050 addi r4,r31,80
801FA0D8: 4BFFFF45 bl 0x801fa01c
801FA0DC: 387E2620 addi r3,r30,9760
801FA0E0: 389F0060 addi r4,r31,96
801FA0E4: 4BFFFF39 bl 0x801fa01c
801FA0E8: 387E2620 addi r3,r30,9760
801FA0EC: 389F00A0 addi r4,r31,160
801FA0F0: 4BFFFF2D bl 0x801fa01c
801FA0F4: 387E2620 addi r3,r30,9760
801FA0F8: 389F00D0 addi r4,r31,208
801FA0FC: 4BFFFF21 bl 0x801fa01c
801FA100: 387E2620 addi r3,r30,9760
801FA104: 389F00E0 addi r4,r31,224
801FA108: 4BFFFF15 bl 0x801fa01c
801FA10C: 387E2620 addi r3,r30,9760
801FA110: 389F0100 addi r4,r31,256
801FA114: 4BFFFF09 bl 0x801fa01c
801FA118: 387E2630 addi r3,r30,9776
801FA11C: 389F0110 addi r4,r31,272
801FA120: 4BFFFEFD bl 0x801fa01c
801FA124: 387E2630 addi r3,r30,9776
801FA128: 389F0150 addi r4,r31,336
801FA12C: 4BFFFEF1 bl 0x801fa01c
801FA130: 801E0008 lwz r0,8(r30)
801FA134: 80DE000C lwz r6,12(r30)
801FA138: 5400103A rlwinm r0,r0,2,0,29
801FA13C: 7C0000D0 neg r0,r0
801FA140: 7C060214 add r0,r6,r0
801FA144: 54030026 rlwinm r3,r0,0,0,19
801FA148: 907E2644 stw r3,9796(r30)
801FA14C: 3803A000 subi r0,r3,24576
801FA150: 54030026 rlwinm r3,r0,0,0,19
801FA154: 907E2640 stw r3,9792(r30)
801FA158: 7FA33050 sub r29,r6,r3
801FA15C: 7FA4EB78 mr r4,r29
801FA160: 484BE051 bl 0x806b81b0
801FA164: 807E2640 lwz r3,9792(r30)
801FA168: 7FA4EB78 mr r4,r29
801FA16C: 484BDFB5 bl 0x806b8120
801FA170: 881E0000 lbz r0,0(r30)
801FA174: 80DE0010 lwz r6,16(r30)
801FA178: 807E000C lwz r3,12(r30)
801FA17C: 2C800000 cmpwi cr1,r0,0
801FA180: 801E2640 lwz r0,9792(r30)
801FA184: 7C633214 add r3,r3,r6
801FA188: 4186001C beq- cr1,0x801fa1a4
801FA18C: 5466A43E rlwinm r6,r3,20,16,31
801FA190: 807E2634 lwz r3,9780(r30)
801FA194: 38A6FFFF subi r5,r6,1
801FA198: 5404A43E rlwinm r4,r0,20,16,31
801FA19C: 4BFE338D bl 0x801dd528
801FA1A0: 48000018 b 0x801fa1b8
801FA1A4: 5466A43E rlwinm r6,r3,20,16,31
801FA1A8: 807E2624 lwz r3,9764(r30)
801FA1AC: 38A6FFFF subi r5,r6,1
801FA1B0: 5404A43E rlwinm r4,r0,20,16,31
801FA1B4: 4BFE3375 bl 0x801dd528
801FA1B8: 809E2640 lwz r4,9792(r30)
801FA1BC: 387E2648 addi r3,r30,9800
801FA1C0: 38A00000 li r5,0
801FA1C4: 38C017FF li r6,6143
801FA1C8: 48001F59 bl 0x801fc120
801FA1CC: 80DF0064 lwz r6,100(r31)
801FA1D0: 387E2648 addi r3,r30,9800
801FA1D4: 80FF0060 lwz r7,96(r31)
801FA1D8: 389E2630 addi r4,r30,9776
801FA1DC: 38060001 addi r0,r6,1
801FA1E0: 80DF0140 lwz r6,320(r31)
801FA1E4: 7C070050 sub r0,r0,r7
801FA1E8: 3CA01000 lis r5,4096
801FA1EC: 7CE03214 add r7,r0,r6
801FA1F0: 38E7FFFF subi r7,r7,1
801FA1F4: 48001F55 bl 0x801fc148
801FA1F8: 801F00F0 lwz r0,240(r31)
801FA1FC: 387E2670 addi r3,r30,9840
801FA200: 901E2660 stw r0,9824(r30)
801FA204: 809E2644 lwz r4,9796(r30)
801FA208: 801F00F4 lwz r0,244(r31)
801FA20C: 901E2664 stw r0,9828(r30)
801FA210: 80BF0120 lwz r5,288(r31)
801FA214: 80DF0124 lwz r6,292(r31)
801FA218: 48001F09 bl 0x801fc120
801FA21C: 809E2644 lwz r4,9796(r30)
801FA220: 387E2698 addi r3,r30,9880
801FA224: 80BF0130 lwz r5,304(r31)
801FA228: 80DF0134 lwz r6,308(r31)
801FA22C: 48001EF5 bl 0x801fc120
801FA230: 80DF0064 lwz r6,100(r31)
801FA234: 387E26C0 addi r3,r30,9920
801FA238: 80FF0060 lwz r7,96(r31)
801FA23C: 38C60001 addi r6,r6,1
801FA240: 801F0140 lwz r0,320(r31)
801FA244: 7CE73050 sub r7,r6,r7
801FA248: 809E2644 lwz r4,9796(r30)
801FA24C: 80DF0144 lwz r6,324(r31)
801FA250: 7CA03A14 add r5,r0,r7
801FA254: 48001ECD bl 0x801fc120
801FA258: 38800000 li r4,0
801FA25C: 3CA00004 lis r5,4
801FA260: 7C002264 tlbie r4
801FA264: 38841000 addi r4,r4,4096
801FA268: 7C042800 cmpw r4,r5
801FA26C: 4180FFF4 blt+ 0x801fa260
801FA270: 7C0004AC sync
801FA274: 801E0014 lwz r0,20(r30)
801FA278: 7C0004AC sync
801FA27C: 7C1903A6 mtsdr1 r0
801FA280: 4C00012C isync
801FA284: 3C006000 lis r0,24576
801FA288: 60000008 ori r0,r0,8
801FA28C: 7C0801A4 mtsr 8,r0
801FA290: 4C00012C isync
801FA294: 5400000E rlwinm r0,r0,0,0,7
801FA298: 60000009 ori r0,r0,9
801FA29C: 7C0901A4 mtsr 9,r0
801FA2A0: 4C00012C isync
801FA2A4: 3C007000 lis r0,28672
801FA2A8: 6000000A ori r0,r0,10
801FA2AC: 7C0A01A4 mtsr 10,r0
801FA2B0: 4C00012C isync
801FA2B4: 5400000E rlwinm r0,r0,0,0,7
801FA2B8: 6000000B ori r0,r0,11
801FA2BC: 7C0B01A4 mtsr 11,r0
801FA2C0: 4C00012C isync
801FA2C4: 5400000E rlwinm r0,r0,0,0,7
801FA2C8: 6000000E ori r0,r0,14
801FA2CC: 7C0E01A4 mtsr 14,r0
801FA2D0: 4C00012C isync
801FA2D4: 5400000E rlwinm r0,r0,0,0,7
801FA2D8: 6000000F ori r0,r0,15
801FA2DC: 7C0F01A4 mtsr 15,r0
801FA2E0: 4C00012C isync
801FA2E4: 801F01F4 lwz r0,500(r31)
801FA2E8: 807F01F8 lwz r3,504(r31)
801FA2EC: 7C0004AC sync
801FA2F0: 7C168BA6 mtspr 566,r0
801FA2F4: 7C778BA6 mtspr 567,r3
801FA2F8: 4C00012C isync
801FA2FC: 801F01E0 lwz r0,480(r31)
801FA300: 807F01E4 lwz r3,484(r31)
801FA304: 7C0004AC sync
801FA308: 7C148BA6 mtspr 564,r0
801FA30C: 7C758BA6 mtspr 565,r3
801FA310: 4C00012C isync
801FA314: 801F01CC lwz r0,460(r31)
801FA318: 807F01D0 lwz r3,464(r31)
801FA31C: 7C0004AC sync
801FA320: 7C128BA6 mtspr 562,r0
801FA324: 7C738BA6 mtspr 563,r3
801FA328: 4C00012C isync
801FA32C: 801F01B8 lwz r0,440(r31)
801FA330: 807F01BC lwz r3,444(r31)
801FA334: 7C0004AC sync
801FA338: 7C108BA6 mtspr 560,r0
801FA33C: 7C718BA6 mtspr 561,r3
801FA340: 4C00012C isync
801FA344: 801F01A4 lwz r0,420(r31)
801FA348: 807F01A8 lwz r3,424(r31)
801FA34C: 7C0004AC sync
801FA350: 7C1683A6 mtibatu 3,r0
801FA354: 7C7783A6 mtibatl 3,r3
801FA358: 4C00012C isync
801FA35C: 801F0190 lwz r0,400(r31)
801FA360: 807F0194 lwz r3,404(r31)
801FA364: 7C0004AC sync
801FA368: 7C1483A6 mtibatu 2,r0
801FA36C: 7C7583A6 mtibatl 2,r3
801FA370: 4C00012C isync
801FA374: 801F017C lwz r0,380(r31)
801FA378: 807F0180 lwz r3,384(r31)
801FA37C: 7C0004AC sync
801FA380: 7C1283A6 mtibatu 1,r0
801FA384: 7C7383A6 mtibatl 1,r3
801FA388: 4C00012C isync
801FA38C: 801F0168 lwz r0,360(r31)
801FA390: 807F016C lwz r3,364(r31)
801FA394: 7C0004AC sync
801FA398: 7C1083A6 mtibatu 0,r0
801FA39C: 7C7183A6 mtibatl 0,r3
801FA3A0: 4C00012C isync
801FA3A4: 801F0294 lwz r0,660(r31)
801FA3A8: 807F0298 lwz r3,664(r31)
801FA3AC: 7C0004AC sync
801FA3B0: 7C1E8BA6 mtspr 574,r0
801FA3B4: 7C7F8BA6 mtspr 575,r3
801FA3B8: 4C00012C isync
801FA3BC: 801F0280 lwz r0,640(r31)
801FA3C0: 807F0284 lwz r3,644(r31)
801FA3C4: 7C0004AC sync
801FA3C8: 7C1C8BA6 mtspr 572,r0
801FA3CC: 7C7D8BA6 mtspr 573,r3
801FA3D0: 4C00012C isync
801FA3D4: 801F026C lwz r0,620(r31)
801FA3D8: 807F0270 lwz r3,624(r31)
801FA3DC: 7C0004AC sync
801FA3E0: 7C1A8BA6 mtspr 570,r0
801FA3E4: 7C7B8BA6 mtspr 571,r3
801FA3E8: 4C00012C isync
801FA3EC: 801F0258 lwz r0,600(r31)
801FA3F0: 807F025C lwz r3,604(r31)
801FA3F4: 7C0004AC sync
801FA3F8: 7C188BA6 mtspr 568,r0
801FA3FC: 7C798BA6 mtspr 569,r3
801FA400: 4C00012C isync
801FA404: 801F0244 lwz r0,580(r31)
801FA408: 807F0248 lwz r3,584(r31)
801FA40C: 7C0004AC sync
801FA410: 7C1E83A6 mtdbatu 3,r0
801FA414: 7C7F83A6 mtdbatl 3,r3
801FA418: 4C00012C isync
801FA41C: 801F0230 lwz r0,560(r31)
801FA420: 807F0234 lwz r3,564(r31)
801FA424: 7C0004AC sync
801FA428: 7C1C83A6 mtdbatu 2,r0
801FA42C: 7C7D83A6 mtdbatl 2,r3
801FA430: 4C00012C isync
801FA434: 801F021C lwz r0,540(r31)
801FA438: 807F0220 lwz r3,544(r31)
801FA43C: 7C0004AC sync
801FA440: 7C1A83A6 mtdbatu 1,r0
801FA444: 7C7B83A6 mtdbatl 1,r3
801FA448: 4C00012C isync
801FA44C: 801F0208 lwz r0,520(r31)
801FA450: 807F020C lwz r3,524(r31)
801FA454: 7C0004AC sync
801FA458: 7C1883A6 mtdbatu 0,r0
801FA45C: 7C7983A6 mtdbatl 0,r3
801FA460: 4C00012C isync
801FA464: 3FE00180 lis r31,384
801FA468: 3FC00001 lis r30,1
801FA46C: 387F8000 subi r3,r31,32768
801FA470: 389E8000 subi r4,r30,32768
801FA474: 48000A5D bl 0x801faed0
801FA478: 387F8000 subi r3,r31,32768
801FA47C: 389E8000 subi r4,r30,32768
801FA480: 48000A7D bl 0x801faefc
801FA484: BBA10014 lmw r29,20(r1)
801FA488: 80010024 lwz r0,36(r1)
801FA48C: 7C0803A6 mtlr r0
801FA490: 38210020 addi r1,r1,32
801FA494: 4E800020 blr
[/spoiler]
Cars 2 Function
[spoiler]
8019C8E0: 9421FFE0 stwu r1,-32(r1)
8019C8E4: 7C0802A6 mflr r0
8019C8E8: 90010024 stw r0,36(r1)
8019C8EC: BFA10014 stmw r29,20(r1)
8019C8F0: 7C7D1B78 mr r29,r3
8019C8F4: 7C9F2378 mr r31,r4
8019C8F8: 8063000C lwz r3,12(r3)
8019C8FC: 4BFFFF41 bl 0x8019c83c
8019C900: 907D000C stw r3,12(r29)
8019C904: 387D2620 addi r3,r29,9760
8019C908: 389D0020 addi r4,r29,32
8019C90C: 4BFFFF0D bl 0x8019c818
8019C910: 387D2628 addi r3,r29,9768
8019C914: 389D0320 addi r4,r29,800
8019C918: 4BFFFF01 bl 0x8019c818
8019C91C: 387D2630 addi r3,r29,9776
8019C920: 389D0620 addi r4,r29,1568
8019C924: 4BFFFEF5 bl 0x8019c818
8019C928: 387D2638 addi r3,r29,9784
8019C92C: 389D1620 addi r4,r29,5664
8019C930: 4BFFFEE9 bl 0x8019c818
8019C934: 387D2620 addi r3,r29,9760
8019C938: 389F0010 addi r4,r31,16
8019C93C: 4BFFFF09 bl 0x8019c844
8019C940: 387D2620 addi r3,r29,9760
8019C944: 389F0040 addi r4,r31,64
8019C948: 4BFFFEFD bl 0x8019c844
8019C94C: 387D2620 addi r3,r29,9760
8019C950: 389F0050 addi r4,r31,80
8019C954: 4BFFFEF1 bl 0x8019c844
8019C958: 387D2620 addi r3,r29,9760
8019C95C: 389F0090 addi r4,r31,144
8019C960: 4BFFFEE5 bl 0x8019c844
8019C964: 387D2620 addi r3,r29,9760
8019C968: 389F00C0 addi r4,r31,192
8019C96C: 4BFFFED9 bl 0x8019c844
8019C970: 387D2620 addi r3,r29,9760
8019C974: 389F0110 addi r4,r31,272
8019C978: 4BFFFECD bl 0x8019c844
8019C97C: 387D2630 addi r3,r29,9776
8019C980: 389F0130 addi r4,r31,304
8019C984: 4BFFFEC1 bl 0x8019c844
8019C988: 387D2630 addi r3,r29,9776
8019C98C: 389F0170 addi r4,r31,368
8019C990: 4BFFFEB5 bl 0x8019c844
8019C994: 801D0008 lwz r0,8(r29)
8019C998: 807D000C lwz r3,12(r29)
8019C99C: 5400103A rlwinm r0,r0,2,0,29
8019C9A0: 907D2644 stw r3,9796(r29)
8019C9A4: 7C8000D0 neg r4,r0
8019C9A8: 4BFE3075 bl 0x8017fa1c
8019C9AC: 907D2644 stw r3,9796(r29)
8019C9B0: 3880000C li r4,12
8019C9B4: 4BFF52C9 bl 0x80191c7c
8019C9B8: 907D2644 stw r3,9796(r29)
8019C9BC: 3880A000 li r4,-24576
8019C9C0: 4BFE305D bl 0x8017fa1c
8019C9C4: 907D2640 stw r3,9792(r29)
8019C9C8: 3880000C li r4,12
8019C9CC: 4BFF52B1 bl 0x80191c7c
8019C9D0: 907D2640 stw r3,9792(r29)
8019C9D4: 809D000C lwz r4,12(r29)
8019C9D8: 4BFE303D bl 0x8017fa14
8019C9DC: 7C7E1B78 mr r30,r3
8019C9E0: 807D2640 lwz r3,9792(r29)
8019C9E4: 7FC4F378 mr r4,r30
8019C9E8: 485B9E29 bl 0x80756810
8019C9EC: 807D2640 lwz r3,9792(r29)
8019C9F0: 7FC4F378 mr r4,r30
8019C9F4: 485B9D8D bl 0x80756780
8019C9F8: 881D0000 lbz r0,0(r29)
8019C9FC: 80DD0010 lwz r6,16(r29)
8019CA00: 807D000C lwz r3,12(r29)
8019CA04: 2C800000 cmpwi cr1,r0,0
8019CA08: 801D2640 lwz r0,9792(r29)
8019CA0C: 7C633214 add r3,r3,r6
8019CA10: 4186001C beq- cr1,0x8019ca2c
8019CA14: 5466A43E rlwinm r6,r3,20,16,31
8019CA18: 387D2630 addi r3,r29,9776
8019CA1C: 5404A43E rlwinm r4,r0,20,16,31
8019CA20: 38A6FFFF subi r5,r6,1
8019CA24: 4BFFFE81 bl 0x8019c8a4
8019CA28: 48000018 b 0x8019ca40
8019CA2C: 5466A43E rlwinm r6,r3,20,16,31
8019CA30: 387D2620 addi r3,r29,9760
8019CA34: 5404A43E rlwinm r4,r0,20,16,31
8019CA38: 38A6FFFF subi r5,r6,1
8019CA3C: 4BFFFE69 bl 0x8019c8a4
8019CA40: 809D2640 lwz r4,9792(r29)
8019CA44: 387D2648 addi r3,r29,9800
8019CA48: 80BF0100 lwz r5,256(r31)
8019CA4C: 80DF0104 lwz r6,260(r31)
8019CA50: 4800203D bl 0x8019ea8c
8019CA54: 809D2644 lwz r4,9796(r29)
8019CA58: 387D2670 addi r3,r29,9840
8019CA5C: 80BF0140 lwz r5,320(r31)
8019CA60: 80DF0144 lwz r6,324(r31)
8019CA64: 48002029 bl 0x8019ea8c
8019CA68: 809D2644 lwz r4,9796(r29)
8019CA6C: 387D2698 addi r3,r29,9880
8019CA70: 80BF0150 lwz r5,336(r31)
8019CA74: 80DF0154 lwz r6,340(r31)
8019CA78: 48002015 bl 0x8019ea8c
8019CA7C: 809D2644 lwz r4,9796(r29)
8019CA80: 387D26C0 addi r3,r29,9920
8019CA84: 80BF0160 lwz r5,352(r31)
8019CA88: 80DF0164 lwz r6,356(r31)
8019CA8C: 48002001 bl 0x8019ea8c
8019CA90: 38800000 li r4,0
8019CA94: 3CA00004 lis r5,4
8019CA98: 7C002264 tlbie r4
8019CA9C: 38841000 addi r4,r4,4096
8019CAA0: 7C042800 cmpw r4,r5
8019CAA4: 4180FFF4 blt+ 0x8019ca98
8019CAA8: 7C0004AC sync
8019CAAC: 801D0014 lwz r0,20(r29)
8019CAB0: 7C0004AC sync
8019CAB4: 7C1903A6 mtsdr1 r0
8019CAB8: 4C00012C isync
8019CABC: 3C006000 lis r0,24576
8019CAC0: 60000008 ori r0,r0,8
8019CAC4: 7C0801A4 mtsr 8,r0
8019CAC8: 4C00012C isync
8019CACC: 5400000E rlwinm r0,r0,0,0,7
8019CAD0: 60000009 ori r0,r0,9
8019CAD4: 7C0901A4 mtsr 9,r0
8019CAD8: 4C00012C isync
8019CADC: 3C007000 lis r0,28672
8019CAE0: 6000000A ori r0,r0,10
8019CAE4: 7C0A01A4 mtsr 10,r0
8019CAE8: 4C00012C isync
8019CAEC: 5400000E rlwinm r0,r0,0,0,7
8019CAF0: 6000000B ori r0,r0,11
8019CAF4: 7C0B01A4 mtsr 11,r0
8019CAF8: 4C00012C isync
8019CAFC: 5400000E rlwinm r0,r0,0,0,7
8019CB00: 6000000E ori r0,r0,14
8019CB04: 7C0E01A4 mtsr 14,r0
8019CB08: 4C00012C isync
8019CB0C: 5400000E rlwinm r0,r0,0,0,7
8019CB10: 6000000F ori r0,r0,15
8019CB14: 7C0F01A4 mtsr 15,r0
8019CB18: 4C00012C isync
8019CB1C: 801F0214 lwz r0,532(r31)
8019CB20: 807F0218 lwz r3,536(r31)
8019CB24: 7C0004AC sync
8019CB28: 7C168BA6 mtspr 566,r0
8019CB2C: 7C778BA6 mtspr 567,r3
8019CB30: 4C00012C isync
8019CB34: 801F0200 lwz r0,512(r31)
8019CB38: 807F0204 lwz r3,516(r31)
8019CB3C: 7C0004AC sync
8019CB40: 7C148BA6 mtspr 564,r0
8019CB44: 7C758BA6 mtspr 565,r3
8019CB48: 4C00012C isync
8019CB4C: 801F01EC lwz r0,492(r31)
8019CB50: 807F01F0 lwz r3,496(r31)
8019CB54: 7C0004AC sync
8019CB58: 7C128BA6 mtspr 562,r0
8019CB5C: 7C738BA6 mtspr 563,r3
8019CB60: 4C00012C isync
8019CB64: 801F01D8 lwz r0,472(r31)
8019CB68: 807F01DC lwz r3,476(r31)
8019CB6C: 7C0004AC sync
8019CB70: 7C108BA6 mtspr 560,r0
8019CB74: 7C718BA6 mtspr 561,r3
8019CB78: 4C00012C isync
8019CB7C: 801F01C4 lwz r0,452(r31)
8019CB80: 807F01C8 lwz r3,456(r31)
8019CB84: 7C0004AC sync
8019CB88: 7C1683A6 mtibatu 3,r0
8019CB8C: 7C7783A6 mtibatl 3,r3
8019CB90: 4C00012C isync
8019CB94: 801F01B0 lwz r0,432(r31)
8019CB98: 807F01B4 lwz r3,436(r31)
8019CB9C: 7C0004AC sync
8019CBA0: 7C1483A6 mtibatu 2,r0
8019CBA4: 7C7583A6 mtibatl 2,r3
8019CBA8: 4C00012C isync
8019CBAC: 801F019C lwz r0,412(r31)
8019CBB0: 807F01A0 lwz r3,416(r31)
8019CBB4: 7C0004AC sync
8019CBB8: 7C1283A6 mtibatu 1,r0
8019CBBC: 7C7383A6 mtibatl 1,r3
8019CBC0: 4C00012C isync
8019CBC4: 801F0188 lwz r0,392(r31)
8019CBC8: 807F018C lwz r3,396(r31)
8019CBCC: 7C0004AC sync
8019CBD0: 7C1083A6 mtibatu 0,r0
8019CBD4: 7C7183A6 mtibatl 0,r3
8019CBD8: 4C00012C isync
8019CBDC: 801F02B4 lwz r0,692(r31)
8019CBE0: 807F02B8 lwz r3,696(r31)
8019CBE4: 7C0004AC sync
8019CBE8: 7C1E8BA6 mtspr 574,r0
8019CBEC: 7C7F8BA6 mtspr 575,r3
8019CBF0: 4C00012C isync
8019CBF4: 801F02A0 lwz r0,672(r31)
8019CBF8: 807F02A4 lwz r3,676(r31)
8019CBFC: 7C0004AC sync
8019CC00: 7C1C8BA6 mtspr 572,r0
8019CC04: 7C7D8BA6 mtspr 573,r3
8019CC08: 4C00012C isync
8019CC0C: 801F028C lwz r0,652(r31)
8019CC10: 807F0290 lwz r3,656(r31)
8019CC14: 7C0004AC sync
8019CC18: 7C1A8BA6 mtspr 570,r0
8019CC1C: 7C7B8BA6 mtspr 571,r3
8019CC20: 4C00012C isync
8019CC24: 801F0278 lwz r0,632(r31)
8019CC28: 807F027C lwz r3,636(r31)
8019CC2C: 7C0004AC sync
8019CC30: 7C188BA6 mtspr 568,r0
8019CC34: 7C798BA6 mtspr 569,r3
8019CC38: 4C00012C isync
8019CC3C: 801F0264 lwz r0,612(r31)
8019CC40: 807F0268 lwz r3,616(r31)
8019CC44: 7C0004AC sync
8019CC48: 7C1E83A6 mtdbatu 3,r0
8019CC4C: 7C7F83A6 mtdbatl 3,r3
8019CC50: 4C00012C isync
8019CC54: 801F0250 lwz r0,592(r31)
8019CC58: 807F0254 lwz r3,596(r31)
8019CC5C: 7C0004AC sync
8019CC60: 7C1C83A6 mtdbatu 2,r0
8019CC64: 7C7D83A6 mtdbatl 2,r3
8019CC68: 4C00012C isync
8019CC6C: 801F023C lwz r0,572(r31)
8019CC70: 807F0240 lwz r3,576(r31)
8019CC74: 7C0004AC sync
8019CC78: 7C1A83A6 mtdbatu 1,r0
8019CC7C: 7C7B83A6 mtdbatl 1,r3
8019CC80: 4C00012C isync
8019CC84: 801F0228 lwz r0,552(r31)
8019CC88: 807F022C lwz r3,556(r31)
8019CC8C: 7C0004AC sync
8019CC90: 7C1883A6 mtdbatu 0,r0
8019CC94: 7C7983A6 mtdbatl 0,r3
8019CC98: 4C00012C isync
8019CC9C: 3FC00180 lis r30,384
8019CCA0: 3FE00001 lis r31,1
8019CCA4: 387E8000 subi r3,r30,32768
8019CCA8: 389F8000 subi r4,r31,32768
8019CCAC: 480009F1 bl 0x8019d69c
8019CCB0: 387E8000 subi r3,r30,32768
8019CCB4: 389F8000 subi r4,r31,32768
8019CCB8: 48000A11 bl 0x8019d6c8
8019CCBC: BBA10014 lmw r29,20(r1)
8019CCC0: 80010024 lwz r0,36(r1)
8019CCC4: 7C0803A6 mtlr r0
8019CCC8: 38210020 addi r1,r1,32
8019CCCC: 4E800020 blr
[/spoiler]
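To make the protection mechanism in the two listings concrete, here is an added Python model (not code from the thread, from the games, or from any of the tools mentioned) of the Broadway/750 data-access rules those functions program with mtsr, mtdbatu/mtdbatl and mtsdr1. The segment-register values are the ones the mtsr sequence writes (0x60000008, 0x7000000A, ...); the BAT and PTE values are constructed samples, and the hashed page table SDR1 points to is simplified to a dict keyed by (VSID, page index).

```python
# Added model of PowerPC 750 (Wii "Broadway") data-access checks: BATs first,
# then segment register + page-table PP bits. Sample BAT/PTE values are
# constructed; the segment registers match the listing's mtsr sequence.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Bat:
    upper: int  # BATU: BEPI bits 0-14, BL bits 19-29, Vs bit 30, Vp bit 31
    lower: int  # BATL: BRPN bits 0-14, WIMG bits 25-28, PP bits 30-31


# PP encoding used by BATs and by PTEs when the segment key bit is 1:
# 00 = no access, 01 = read-only, 10 = read/write, 11 = read-only.
PP_KEY1 = ("none", "r", "rw", "r")


def decode_sr(sr: int) -> Dict[str, int]:
    """Split a T=0 segment register into T, Ks, Kp, N and the 24-bit VSID."""
    return {"T": (sr >> 31) & 1, "Ks": (sr >> 30) & 1, "Kp": (sr >> 29) & 1,
            "N": (sr >> 28) & 1, "VSID": sr & 0x00FFFFFF}


def pte_access(pp: int, key: int) -> str:
    """Page-table protection. key is Ks in supervisor mode, Kp in user mode.
    With key=0, PP 00/01/10 are read/write and 11 read-only; with key=1,
    PP=00 becomes no access, which is why a PTE with PP=0 traps on a read."""
    if key == 0:
        return "r" if pp == 3 else "rw"
    return PP_KEY1[pp]


def bat_translate(ea: int, bat: Bat, supervisor: bool) -> Optional[Tuple[int, str]]:
    """Return (physical address, access) when the BAT covers ea, else None."""
    valid = (bat.upper >> 1) & 1 if supervisor else bat.upper & 1
    if not valid:
        return None
    bl = (bat.upper >> 2) & 0x7FF        # block-length mask in 128 KiB units
    bepi, ea_hi = bat.upper >> 17, ea >> 17
    if (ea_hi & ~bl) != (bepi & ~bl):    # EA bits 0-14 must match BEPI outside BL
        return None
    brpn = bat.lower >> 17
    pa = (((brpn & ~bl) | (ea_hi & bl)) << 17) | (ea & 0x1FFFF)
    return pa, PP_KEY1[bat.lower & 3]


def data_access(ea: int, bats: List[Bat], srs: Dict[int, int],
                ptes: Dict[Tuple[int, int], int], supervisor: bool = True) -> str:
    """Resolve one data access the way the MMU does: BAT hit, else segment + PTE."""
    for bat in bats:
        hit = bat_translate(ea, bat, supervisor)
        if hit is not None:
            return hit[1]
    sr = decode_sr(srs[ea >> 28])            # SR index = top 4 bits of the EA
    key = sr["Ks"] if supervisor else sr["Kp"]
    page = (ea >> 12) & 0xFFFF               # 16-bit page index inside the segment
    pp = ptes.get((sr["VSID"], page))
    if pp is None:
        return "fault"                       # no translation at all: DSI exception
    return pte_access(pp, key)


# Constructed sample: one 16 MiB BAT (BL=0x7F) mapping 0x80000000-0x80FFFFFF
# read/write to physical 0, segment registers as the listing writes them, and
# a page table where VSID 8 has one page with PP=00 and one with PP=10.
SAMPLE_BATS = [Bat(0x800001FF, 0x00000002)]
SAMPLE_SRS = {8: 0x60000008, 9: 0x60000009, 10: 0x7000000A, 11: 0x7000000B}
SAMPLE_PTES = {(8, 0x1000): 0,   # page at EA 0x81000000, PP=00
               (8, 0x1001): 2}   # page at EA 0x81001000, PP=10


def demo() -> Dict[str, str]:
    """Access verdicts for supervisor-mode reads (the mode a code handler runs in)."""
    return {hex(ea): data_access(ea, SAMPLE_BATS, SAMPLE_SRS, SAMPLE_PTES)
            for ea in (0x80003000, 0x81000000, 0x81001000, 0x81002000)}


if __name__ == "__main__":
    print(decode_sr(SAMPLE_SRS[10]))   # Ks=1, Kp=1, N=1 (no-execute), VSID=10
    for ea, verdict in demo().items():
        print(ea, verdict)
    # Same PP=00 page, but with a segment register whose Ks bit is clear:
    print(data_access(0x81000000, SAMPLE_BATS, {8: 0x00000008}, SAMPLE_PTES))
```

The last line shows the point brkirch's guess hinges on: PP=00 only denies access because the listing sets Ks=1 in every segment register, so even supervisor-mode code (Gecko OS, the code handler) takes a DSI on the first read of such a page.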
Interesting, thanks for sharing the code. We'll have to keep an eye out...I wonder if this is in Nintendo's latest SDK, or if this is some custom API used only by this developer.
hehe this won't be hard to port to different games from that publisher now.
These two functions are VERY similar.
Unfortunately, each developer has its own protection method (if there is any), so there won't be a final solution to it.
Did I get it right?
- Metroid other M: Pause Game protection, Health Write protection + Savegame modification protection #cracked insane, at least the in-game hacking
- Toy Story 3/Cars 2: Memory Access Protection # cracked pretty well
- Conduit 2: ammo, health, name, gamespeed, ... Write Protection + Savegame copy/modification protection # in-game hacking partly cracked with a loss at possibilities, the anti-protection methods of the other 2 games fail here ;D
More to come? ???