Hi again.
how to use an F6 search codetype?
does it work on lives?
for example New Super Mario Bros PAL.
address of lives is 80355193.
breakpoint write says:
[spoiler]CR : 28000888 XER : 20000000 CTR : 80272D30 DSIS: 02400000
DAR : 80355190 SRR0: 8006066C SRR1: 0000B032 LR : 80060630
r0 : 00000003 r1 : 8043FC18 r2 : 80433360 r3 : 80355190
r4 : 00000000 r5 : 00000004 r6 : 00000000 r7 : 00000000
r8 : 00000000 r9 : 00000000 r10 : 00000000 r11 : 8043FC18
r12 : 80272D30 r13 : 8042F980 r14 : 00000000 r15 : 00000000
r16 : 00000000 r17 : 00000000 r18 : 00000000 r19 : 00000008
r20 : 00000000 r21 : 40E00000 r22 : 40800000 r23 : 8154B94C
r24 : 81541448 r25 : 00000001 r26 : 00000001 r27 : 00000001
r28 : 8154B804 r29 : 8154B804 r30 : 8154CC34 r31 : 8154B804
f0 : 00000000 f1 : 00000000 f2 : 59800004 f3 : 41700000
f4 : 00000000 f5 : 41400000 f6 : BF800000 f7 : 00000000
f8 : 00000000 f9 : 00000000 f10 : 00000000 f11 : 3F800000
f12 : 3F6604EC f13 : 3EBBDD95 f14 : 00000000 f15 : 00000000
f16 : 00000000 f17 : 00000000 f18 : 00000000 f19 : 00000000
f20 : 00000000 f21 : 00000000 f22 : 00000000 f23 : 00000000
f24 : 00000000 f25 : 00000000 f26 : 00000000 f27 : 00000000
f28 : 00000000 f29 : 00000000 f30 : 00000000 f31 : 00000000
[/spoiler]
[spoiler]8006066C: 7C03212E stwx r0,r3,r4
80060670: 4082000C bne- 0x8006067c
80060674: 38000000 li r0,0
80060678: 900DA648 stw r0,-22968(r13)
8006067C: 3865FFFF subi r3,r5,1
80060680: 80010014 lwz r0,20(r1)
80060684: 7C0803A6 mtlr r0
80060688: 38210010 addi r1,r1,16
8006068C: 4E800020 blr
80060690: 9421FFE0 stwu r1,-32(r1)
80060694: 7C0802A6 mflr r0
80060698: 90010024 stw r0,36(r1)
8006069C: 93E1001C stw r31,28(r1)
800606A0: 7C7F1B78 mr r31,r3
800606A4: 800DA620 lwz r0,-23008(r13)
800606A8: 80AD8288 lwz r5,-32120(r13)
[/spoiler]
[spoiler]8006064C: 5404103A rlwinm r4,r0,2,0,29
80060650: 7CA3202E lwzx r5,r3,r4
80060654: 2C050000 cmpwi r5,0
80060658: 4181000C bgt- 0x80060664
8006065C: 38600000 li r3,0
80060660: 48000020 b 0x80060680
80060664: 2C000000 cmpwi r0,0
80060668: 3805FFFF subi r0,r5,1
8006066C: 7C03212E stwx r0,r3,r4
80060670: 4082000C bne- 0x8006067c
80060674: 38000000 li r0,0
80060678: 900DA648 stw r0,-22968(r13)
8006067C: 3865FFFF subi r3,r5,1
80060680: 80010014 lwz r0,20(r1)
80060684: 7C0803A6 mtlr r0
80060688: 38210010 addi r1,r1,16
[/spoiler]
how to do this?
thanks a lot!!
brkrich made a guide (http://wiird.l0nk.org/forum/index.php/topic,2289.0.html) on how to convert codes to F6 codes, you might want to check it out
thx I've tried it but it doesn't work by step 2...
code:
[spoiler]CR : 24000888 XER : 20000000 CTR : 803BDD84 DSIS: 00400000
DAR : 81236B30 SRR0: 803CE208 SRR1: 00008032 LR : 803CE208
r0 : 803CE208 r1 : 807F8710 r2 : 807E43A0 r3 : 81165958
r4 : 0000003D r5 : 807F86A8 r6 : 812B0658 r7 : 0000013E
r8 : 00000002 r9 : 00000001 r10 : 00000000 r11 : 807F86F0
r12 : 803C1BE0 r13 : 807DCA20 r14 : 00000000 r15 : 00000000
r16 : 00000000 r17 : 00000000 r18 : 00000000 r19 : 00000000
r20 : 00000000 r21 : 00000000 r22 : 00000000 r23 : 00000000
r24 : 00000000 r25 : 00000000 r26 : 00000000 r27 : 00000000
r28 : 00000000 r29 : 81081D94 r30 : 81236480 r31 : 81236480
f0 : 3F800000 f1 : 3DE70A27 f2 : 3DCA985E f3 : 3C638E39
f4 : 3EEAEAEB f5 : 00000000 f6 : 3EAAAAAB f7 : 59800000
f8 : 00000000 f9 : 3F800000 f10 : 00000000 f11 : 3B808100
f12 : 00000000 f13 : 00000000 f14 : 00000000 f15 : 00000000
f16 : 00000000 f17 : 00000000 f18 : 00000000 f19 : 00000000
f20 : 00000000 f21 : 00000000 f22 : 00000000 f23 : 00000000
f24 : 00000000 f25 : 00000000 f26 : 00000000 f27 : 00000000
f28 : 00000000 f29 : 00000000 f30 : 00000000 f31 : 00000000[/spoiler]
[spoiler]803CE208: 809E06B0 lwz r4,1712(r30)
803CE20C: 7C7F1B78 mr r31,r3
803CE210: 480A35F1 bl 0x80471800
803CE214: 807E0584 lwz r3,1412(r30)
803CE218: 48020539 bl 0x803ee750
803CE21C: 5460043E rlwinm r0,r3,0,16,31
803CE220: 28000004 cmplwi r0,4
803CE224: 4082004C bne- 0x803ce270
803CE228: 80DE0590 lwz r6,1424(r30)
803CE22C: 3CA08065 lis r5,-32667
803CE230: 809E0584 lwz r4,1412(r30)
803CE234: 7FE3FB78 mr r3,r31
803CE238: 8006000C lwz r0,12(r6)
803CE23C: A0840402 lhz r4,1026(r4)
803CE240: 5400103A rlwinm r0,r0,2,0,29
803CE244: 9081000C stw r4,12(r1)
[/spoiler]
lwz r4,1712(r30):
lis r4,0x0000
ori r4,r4,0x0003
stw r4,896(r31)
C23CE208 00000002
3C800000 60840003
909E06B0 00000000
F6000001 80238055
907F0564 4BF6B55D
D2000048 00000002
3C800000 60840003
909E06B0 00000000
E0000000 80008000
803CE208-803CE1C0= 48
and the result= fail²
The F6 code is useful when the address you want to change moves around in memory. You know how PAL codes and USA codes have an "offset"? The F6 code will search for the address and overcome the offset. It does this because the stuff before the address should be the same for PAL and USA, so the code looks for that stuff before the address. That is how it finds the right address for PAL and NTSC.
If your address isn't moving, and you're not trying to make a region-free code that works for PAL and USA, there's no reason to use an F6 search.
maybe but I want to do this with an F6 code...
it's hard to understand brkirch's tut.
if I don't understand this, I'm a noob :'(
it's a registered codetype and everyone can use it.
I don't think failing at an F6 code makes you a noob. F6 codes are hard. ZiT and I had thread about four pages long where we were just trying to figure out how to use the F6 code!
Do you mean you want to do a RAM write with a C2 code?
lol yes but it's much easier if u can speak English perfectly***
RAM to C2 and then to F6
First, get your C2 code working. You said you're using this...
lis r4,0x0000
ori r4,r4,0x0003
stw r4,896(r31)
And that you're replacing this...
lwz r4,1712(r30)
(note: these are not the same addresses you gave in your first post!)
Remember that you need to include the instruction your C2 code is replacing! It should be this instead
lis r4,0x0000
ori r4,r4,0x0003
stw r4,896(r31)
lwz r4,1712(r30)
C23CE208 00000003
3C800000 60840003
909E06B0 809E06B0
60000000 00000000
To Create F6 Codes
Find a sequence of two or more unique values of ASM code before your C2 code that is also in close proximity to it. Make sure you aren't including a bl instruction or any instructions involving big numbers (greater than 0x1000). Test the values by putting them into the memory viewer search and searching from 80000000; the values should only exist once in memory, at the location you got them from. For the infinite health example the values 93C10018 90010008, starting at 802BCE98, are unique.

To create the F6 code you need to first write F60000XX, with XX being the number of code lines the unique values take up (so for the infinite health code example, F6000001), and then decide the range you want to scan. I would recommend you take the first four digits of the target address, subtract 8, then take the first four digits of the target address again and add 8, then put those two values together to get the second part of the F6 code (for the infinite health code example, 802B-8=8023 and 802B+8=8033, so the second part of the F6 code will be 80238033).

After the F6 code lines you write code lines with the values for the F6 code, so for the infinite health code example:
F6000001 80238033
93C10018 90010008
I used 907F0564 4BF6B55D.
lol don't understand this a little bit
okay NEW example.
super mario galaxy 2 health.
address : 81236B33
breakpoint read:
CR : 24000888 XER : 20000000 CTR : 803BDD84 DSIS: 00400000
DAR : 81236B30 SRR0: 803CE208 SRR1: 0000A032 LR : 803CE208
r0 : 803CE208 r1 : 807F8710 r2 : 807E43A0 r3 : 81165958
r4 : 0000003D r5 : 807F86A8 r6 : 812B0658 r7 : 0000013E
r8 : 00000002 r9 : 00000001 r10 : 00000000 r11 : 807F86F0
r12 : 803C1BE0 r13 : 807DCA20 r14 : 00000000 r15 : 00000000
r16 : 00000000 r17 : 00000000 r18 : 00000000 r19 : 00000000
r20 : 00000000 r21 : 00000000 r22 : 00000000 r23 : 00000000
r24 : 00000000 r25 : 00000000 r26 : 00000000 r27 : 00000000
r28 : 00000000 r29 : 81081D94 r30 : 81236480 r31 : 81236480
f0 : 3F800000 f1 : 3F7FBE77 f2 : 59800004 f3 : 59800004
f4 : 3F7FFFFB f5 : 3F7FBE77 f6 : 3FFFFF80 f7 : C6A37933
f8 : 46F6D485 f9 : 479D515A f10 : 3F800000 f11 : 00000000
f12 : 80000000 f13 : BDB20E01 f14 : 00000000 f15 : 00000000
f16 : 00000000 f17 : 00000000 f18 : 00000000 f19 : 00000000
f20 : 00000000 f21 : 00000000 f22 : 00000000 f23 : 00000000
f24 : 00000000 f25 : 00000000 f26 : 00000000 f27 : 00000000
f28 : 00000000 f29 : 00000000 f30 : 00000000 f31 : 00000000
803CE208: 809E06B0 lwz r4,1712(r30)
803CE20C: 7C7F1B78 mr r31,r3
803CE210: 480A35F1 bl 0x80471800
803CE214: 807E0584 lwz r3,1412(r30)
803CE218: 48020539 bl 0x803ee750
803CE21C: 5460043E rlwinm r0,r3,0,16,31
803CE220: 28000004 cmplwi r0,4
803CE224: 4082004C bne- 0x803ce270
803CE228: 80DE0590 lwz r6,1424(r30)
803CE22C: 3CA08065 lis r5,-32667
803CE230: 809E0584 lwz r4,1412(r30)
803CE234: 7FE3FB78 mr r3,r31
803CE238: 8006000C lwz r0,12(r6)
803CE23C: A0840402 lhz r4,1026(r4)
803CE240: 5400103A rlwinm r0,r0,2,0,29
803CE244: 9081000C stw r4,12(r1)
lwz r4,1712(r30):
lis r4,0x0000
ori r4,r4,0x0003
stw r4,1712(r30)
When assembled you get:
C23CE208 00000002
3C800000 60840003
909E06B0 00000000
Test the values by putting them into the memory viewer search and searching from 80000000, the values should only exist once in memory.
I used 90010010 480A3A3D starting 803CE200.
803C-8=8034 and 803C+8=8044
the second part of the F6 code will be 80348044.
F6000001 80348044
90010010 480A3A3D
D2:
803CE208 -803CE200=0x08
F6000001 80348044
90010010 480A3A3D
D2000008 00000002
3C800000 60840003
909E06B0 00000000
E0000000 80008000
and then it doesn't work....
First, before an F6 code, you must make sure the C2 code works.
C23CE208 00000002
3C800000 60840003
909E06B0 00000000
How do you know a C2 code works? One way to test it is to step through the first time it is executed.
0) Do NOT apply the code yet!
1) You want to hook 803CE208. So set an execute breakpoint on 803CE208.
2) Switch to GCT Codes tab and Apply Codes.
3) Back to Breakpoint tab. The game has not yet bit the hook.
4) Hit Step; you should see the current instruction change to 803CE208 + 4. Hopefully, the game bit...
5) Switch to disassembly. Scroll up so you can see 803CE208.
5a) It should be something like b 0x8000xxxx. This means the game bit the hook; go to step 6.
5b) If it's the same thing it was before (lwz r4...), the game did not bite, so you must repeat step 2-5 again.
6) Once the game has bit, set another execute breakpoint on 803CE208. You should see your hook (b 0x8000xxxx).
7) Hit Step. You can "walk" through your C2 code. Make sure it does what you think it should do. Is it writing the value that you want to the place that you want?
8) Notice that it doesn't end with 00000000. It should end with b 0x803ce20c ( = 803CE208 + 4). This gets us back to the game code. (EDIT: the code handler, not you, will automatically replace 00000000 with the b 0x803ce20c)
9) If you got this far, your code should be working. Unless you didn't use a safe register, then it can still fail. When in doubt r12 is usually the safest register. But in this case you know you want r4 because you are replacing lwz r4.
I tested your C2 code. And I can say that it does in fact work correctly. When I get more time, I'll look into the F6 thing and see why it didn't work.
WOW thanks dcx2.
btw brkirch said:
I would recommend you take the first four digits of the target address, subtract 8.
wth does he mean!?
The next step is to test the F6 code. It seems like you mostly understand what you're doing; your F6 code works too.
F60000NN XXXXYYYY
ZZZZZZZZ ZZZZZZZZ
F6000001 80348044
90010010 480A3A3D
E0000000 80008000
N = the number of Z lines = 1
Z = values to search for = 90010010 480A3A3D
XXXX and YYYY are the range to search through. It starts searching at XXXX0000 and stops searching at YYYY0000.
Quote from: Deathwolf on July 04, 2010, 08:38:56 PM
btw brkirch said:
I would recommend you take the first four digits of the target address, subtract 8.
wth does he mean!?
This is because F6 codes are meant to be region free. The search range must be big enough to find the PAL/USA offset. That is why brkirch recommends subtracting 8 from XXXX and adding 8 to YYYY - this should be big enough to find Z no matter what the offset is.
However, your Z values include a bl. This won't work for region-free codes because the bl changes between PAL/USA. But to demonstrate the F6 code, this will be okay.
---
When an F6 code runs, it changes itself. It is actually F6000QNN XXXXYYYY.
1) Q = 0 = "did not search yet". when searching, start searching at XXXX0000 and stop at YYYY0000.
2) if search is successful; it found Z values at address SSSSSSSS. Replace Q with a 3 = "search successful". Replace XXXXYYYY with SSSSSSSS. Place SSSSSSSS into po. This is what allows a D2 code to work - the F6 code loads the po for the D2 code.
3) if search is not successful; it did not find Z anywhere. Replace Q with 1 = "search failed". Do not change po.
---
Time to test just the F6 code! Before the F6 code runs, this is in Memory Viewer
800028B0 00000000 00000000 00D0C0DE 00D0C0DE
800028C0 F6000001 80348044 90010010 480A3A3D
800028D0 E0000000 80008000 FFFFFFFF FFFFFFFF
After the F6 code runs, Memory Viewer will change
800028B0 00000000 00000000 00D0C0DE 00D0C0DE
800028C0 F6000301 803CE200 90010010 480A3A3D
800028D0 E0000000 80008000 FFFFFFFF FFFFFFFF
Q = 3 = successful search
SSSSSSSS = 803CE200 = the address where we found Z values
The F6 code is working. Next time I will explain how to put the C2 and F6 codes together.
okay...!?
thanks for explaining.
so you mean my F6 is maybe wrong because it includes bl?
btw it writes:
800027F0: F6000001 80348044 90010010 480A3A3D
80002800: D2000008 00000002 3C800000 60840003
80002810: 909E06B0 00000000 E0000000 80008000
Remember, the F6 code was originally intended for region free codes. Therefore, your Z values should contain instructions that are not likely to be different in PAL/USA.
Unfortunately, the destination of a bl is probably different in other regions. So, an F6 code that included a bl in the Z values would work for the one region, but not the other, because the bl isn't the same.
---
Yes, your code will write F6000001...at first. After your code is run the first time, it will search. After the search, it will change to either F6000301 (if it succeeded) or F6000101 (if it failed). Look in Memory Viewer again after the game is running and you will see that your code has changed.
If it succeeded (Q = 3) then the next value is replaced with the address where the search found the Z values. This address is then placed into the po; there is no way for the F6 code to use ba.
Your D2 code will add 8 to the value in the po and then hook. For this example we want the Z values to be found at 803CE200, because we want to hook 803CE208 = 803CE200 (from po) + 8 (from D2 code).
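Added example, not code from the thread or from the Gecko code handler: a small Python simulation of the F6 search, its Q/po rewrite and the D2 offset exactly as dcx2 describes them, run over a constructed memory image holding this thread's Super Mario Galaxy 2 values (Z = 90010010 480A3A3D at 803CE200, hook at 803CE208). It also derives brkirch's XXXXYYYY range and the branch-back word the code handler substitutes for the trailing 00000000. Assumption: the search advances in 8-byte steps; the page does not state the real step size.

```python
# Constructed memory: sparse map of address -> 32-bit word (unlisted addresses read as 0).
# Assumption: the F6 search advances in 8-byte steps; the page's two example hits
# (803CE200 and 802BCE98) are both 8-byte aligned, but the real step size is not stated.
MEMORY = {
    0x803CE200: 0x90010010,  # stw r0,16(r1)    <- Z values start here
    0x803CE204: 0x480A3A3D,  # bl ...           (region-specific, as dcx2 warns)
    0x803CE208: 0x809E06B0,  # lwz r4,1712(r30) <- the C2/D2 hook target
}

def f6_range(target):
    """brkirch's rule: first four hex digits of the target, -8 for XXXX and +8 for YYYY."""
    hi = target >> 16
    return ((hi - 8) << 16) | (hi + 8)

def find_matches(mem, z, xxxx, yyyy, step=8):
    """Every address in [XXXX0000, YYYY0000) where the Z words appear back to back."""
    hits = []
    for addr in range(xxxx << 16, yyyy << 16, step):
        if all(mem.get(addr + 4 * i, 0) == w for i, w in enumerate(z)):
            hits.append(addr)
    return hits

def run_f6(mem, code, step=8):
    """Execute one F6 code [F60000NN, XXXXYYYY, Z...] as dcx2 describes: on success it
    rewrites itself to F6000300|NN SSSSSSSS and loads po; on failure Q becomes 1 and
    po is untouched. Returns (rewritten_code, po_or_None)."""
    head, rng = code[0], code[1]
    n = head & 0xFF
    z = code[2:2 + 2 * n]
    if (head >> 8) & 0xF:                 # Q != 0: already searched, leave it alone
        return list(code), None
    hits = find_matches(mem, z, rng >> 16, rng & 0xFFFF, step)
    if not hits:
        return [0xF6000100 | n, rng] + z, None
    return [0xF6000300 | n, hits[0]] + z, hits[0]

def d2_hook_address(po, d2_line):
    """D2XXXXXX hooks po + XXXXXX (803CE200 + 8 = 803CE208 in the thread)."""
    return po + (d2_line & 0x00FFFFFF)

def branch_back(site, target):
    """The 'b target' word the code handler puts in place of the trailing 00000000."""
    return 0x48000000 | ((target - site) & 0x03FFFFFC)

if __name__ == "__main__":
    code = [0xF6000001, f6_range(0x803CE208), 0x90010010, 0x480A3A3D]
    new_code, po = run_f6(MEMORY, code)
    print(" ".join(f"{w:08X}" for w in new_code))            # F6000301 803CE200 90010010 480A3A3D
    print(f"hook {d2_hook_address(po, 0xD2000008):08X}")      # hook 803CE208
    print(f"b {branch_back(0x800028E4, 0x803CE20C):08X}")     # b 483CB928 (matches dcx2's dump)
```

The branch-back value reproduces the 483CB928 that appears at 800028E4 in dcx2's later Memory Viewer dump, which is the substituted b 0x803ce20c from step 8 of his C2 walkthrough.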
it's only F6000001...
whatever the code doesn't work. :'(
F6000001 80348044
90010010 480A3A3D
D2000008 00000002
3C800000 60840006
909E06B0 00000000
E0000000 80008000
lol dcx2 I tried brkirch's code and it also doesn't work.
can I apply it via usb gecko!???
I just tested it, your code does work. Here's the result...
800028B0 00000000 00000000 00D0C0DE 00D0C0DE
800028C0 F6000301 803CE200 90010010 480A3A3D
800028D0 D2000008 00000002 3C800000 60840006
800028E0 909E06B0 483CB928 E0000000 80008000
800028F0 FFFFFFFF FFFFFFFF 00000000 00000000
Note that it succeeded, Q = 3, and it found the Z values at SSSSSSSS = 803CE200.
Are you sure you're using the latest version of Gecko OS? Do you have the game at a breakpoint or paused when you apply the code?
lol I activate it via usb gecko and usb loader because my wii laser is broken