how to include a button activator in ASM?
I've seen all the time this:
94210000 9161YYYY
example:
C2056578 00000003
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
lis r14,0x4100
ori r14,r14,0x0000
stw r14,428(r28)
lwz r6,428(r28)
button activator:
2840A5E0 0000YYYY
and if I don't press the button, it should change it back.
I know the -HACKING GUIDE- ASM example, making moon jump codes but it doesn't work
for me.
you could do something like:
if button not pressed
write original instruction (with a normal ramwrite)
endif, if button pressed
the C2 code
or you could read this (http://wiird.l0nk.org/forum/index.php/topic,1454.0.html) tutorial, its about making a moonjump code in ASM but it also explains how to make the button activator in ASM
thanks.
btw:
lis r0, 0x8049 //Loads first 2 bytes of Control address
lwz r1, 0x6AC0(r0) //Loads the full value of the control address into r1
li r2, 0x00000200 //Loads the value for the button we want to be the activator into r2
lis r3, 0x80CC //Loads first 2 bytes of co-ords
lwz r4, 0x4584(r3) //Loads the full value of the z-co-ords into r4
li r5, 0x0000004C //Loads the value we want to add to co-ords (jump speed) into r5
cmpw r1, r2 //Compares the BUTTON value and the CONTROLLER address (check if we are holding our activator or not)
bne +0x12 //If we are NOT holding the button activator, jump to the end i.e cancel
add r6, r4, r5 // If we ARE, add 0x004C to our z-co-ord value (increase our height)
stw r6, 0x4584(r3) //Store the modified co-ords back to their address!
lis r0, 0x8049 and lwz r1, 0x6AC0(r0) load the button address?
li r2, 0x00000200 = store the button value 0200 into r2?
lis r3, 0x80CC and lwz r4, 0x4584(r3) load the address we wan to change into r4?
li r5, 0x0000004C = load the value 4C into r5?
cmpw r1, r2 = looks if it pressed and activate it if pressed?
bne +0x12 = looks if not pressed and cancel it?
add r6, r4, r5 = add 4C?
stw r6, 0x4584(r3) = store it back?
so ok I've assembled one.
81236B24=jump address. write= 803CA34C: 987D06A0 stb r3,1696(r29)
80756100= button address. write= 805484D0: 90030000 stw r0,0(r3)
code:
lis r0, 0x8054
lwz r1, 0xFFFF849C(r0)
li r2, 0x00000800
lis r3, 0x803C
lwz r4, 0xFFFFA34C(r3)
li r5, 0x00000040
cmpw r1, r2
bne +0x12
add r6, r4, r5
stw r6, 0xFFFFA34C(r3)
assembly:
C2000000 00000006 <-- what address should I use?
3C008054 8020849C
38400800 3C60803C
8083A34C 38A00040
7C011000 40820010
7CC42A14 90C3A34C
60000000 00000000
Quote from: Deathwolf on July 21, 2010, 07:27:14 PM
how to include a button activator in ASM?
example:
C2056578 00000003
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
lis r14,0x4100
ori r14,r14,0x0000
stw r14,428(r28)
lwz r6,428(r28)
button activator:
2840A5E0 0000YYYY
Romaap is right, one way to do it is to use normal WiiRD codes.
2840A5E0 0000YYYY # if button activator
C2056578 00000003 # C2 hook
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
E2100000 00000000 # else
04056578 ZZZZZZZZ # Z = original instruction at 80056578
E0000000 80008000
When the button is pressed, the C2 hook is run. When the button is not pressed, Z is run instead.
---
You can also do it in pure ASM.
lis r12,0x8040 # r12 = controller pointer
ori r12,r12,0xA5E0
lhz r12,0(r12) # r12 = controller value
cmpwi r12,YYYY # compare r12 to YYYY
bne- 0x0C # if Not Equal, branch
lis r12,0x4100 # if equal, write 41000000...
stw r12,428(r28) # ...to 428(r28)
lwz r6,428(r28) # bne- would take you here
I have a few comments about this.
1) What did I tell you about using r12? Your original code uses r14.
2) lis writes 0 to the lower 16-bits automatically. You only need to use ori if the lower 16-bits are not 0.
3) Be careful when calculating the branch distance. In this case, it is 0x0C = 12. 4 would branch to the next instruction (i.e. skip 0 instructions), 8 skips 1 instruction, C skips 2 instructions.
4) Do you use PyiiASMH or Link's ASMWiiRD? PyiiASMH supports "branch labels", which automatically calculate branch distance. This is very, very helpful!
5) If you want to copy the Mask behavior of the 28 code type (i.e. 2840A5E0 FFFE0001), you can use andi. to do the masking. Make sure you remember that there is a . after andi.!! The . means "update the Condition Register"; the Condition Register is used when comparing values.
6) I assume that
lwz r6,428(r28) is the original instruction. Therefore I made sure it is *always* executed. If you're pressing the button, we "fall through" after the stw. If you are NOT pressing the button, we branch over the stw.
---
Quote from: Deathwolf on July 21, 2010, 08:14:34 PM
lis r0, 0x8049 //Loads first 2 bytes of Control address
lwz r1, 0x6AC0(r0) //Loads the full value of the control address into r1
li r2, 0x00000200 //Loads the value for the button we want to be the activator into r2
lis r3, 0x80CC //Loads first 2 bytes of co-ords
lwz r4, 0x4584(r3) //Loads the full value of the z-co-ords into r4
li r5, 0x0000004C //Loads the value we want to add to co-ords (jump speed) into r5
cmpw r1, r2 //Compares the BUTTON value and the CONTROLLER address (check if we are holding our activator or not)
bne +0x12 //If we are NOT holding the button activator, jump to the end i.e cancel
add r6, r4, r5 // If we ARE, add 0x004C to our z-co-ord value (increase our height)
stw r6, 0x4584(r3) //Store the modified co-ords back to their address!
lis r0, 0x8049 and lwz r1, 0x6AC0(r0) load the button address?
li r2, 0x00000200 = store the button value 0200 into r2?
lis r3, 0x80CC and lwz r4, 0x4584(r3) load the address we wan to change into r4?
li r5, 0x0000004C = load the value 4C into r5?
cmpw r1, r2 = looks if it pressed and activate it if pressed?
bne +0x12 = looks if not pressed and cancel it?
add r6, r4, r5 = add 4C?
stw r6, 0x4584(r3) = store it back?
Where did you get this? It's very, very bad.
1) You should never, ever write to r1 or r2.
2) It's longer than necessary; you don't need to put your button value (0200) into r2, you can just use cmpwi.
3) It does a bne 0x12, which is not aligned (remember alignment?)
4) lwz (http://pds.twi.tudelft.nl/vakken/in1200/labcourse/instruction-set/lwz.html) is one of those odd instructions that uses (rA|0). This means that if you use r0 as the address for lwz, it will ignore the value in r0 and use the value 0 instead.
look here: http://wiird.l0nk.org/forum/index.php/topic,1454.0.html
Quote from: dcx2 on July 21, 2010, 09:11:02 PM
Where did you get this? It's very, very bad.
1) You should never, ever write to r1 or r2.
2) It's longer than necessary; you don't need to put your button value (0200) into r2, you can just use cmpwi.
3) It does a bne 0x12, which is not aligned (remember alignment?)
4) lwz (http://pds.twi.tudelft.nl/vakken/in1200/labcourse/instruction-set/lwz.html) is one of those odd instructions that uses (rA|0). This means that if you use r0 as the address for lwz, it will ignore the value in r0 and use the value 0 instead.
sorry for the hi-jack but i could shorten some of my codes up a bit with your help, using just the lwz without the ori and just using a cmpwi here is one of my examples of how i normally write them up
[spoiler]
Pac'n-Roll Moon Jump Press(1)
C209B7C8 00000009
9421FFE0 91610008
91810010 3D608041
616B18F0 816B0000
3D800000 618C0200
7C0B6000 40820010
3D603DAF 616B3D1A
91770234 81610008
81810010 38210020
C0170234 00000000
stwu r1,-32(r1)
stw r11,8(r1)
stw r12,16(r1)
lis r11,-32703
ori r11,r11,6384
lwz r11,0(r11)
lis r12,0
ori r12,r12,512
cmpw r11,r12
bne- 0x10
lis r11,15791
ori r11,r11,15642
stw r11,564(r23)
lwz r11,8(r1)
lwz r12,16(r1)
addi r1,r1,32
lfs f0,564(r23)
using your idea i get something like this
C209B7C8 00000007
9421FFF0 91610008
3D608041 816B18F0
2C0B0200 40820010
3D603DAF 616B3D1A
91770234 81610008
38210010 C0170234
60000000 00000000
stwu r1,-16(r1)
stw r11,8(r1)
lis r11,-32703
lwz r11,6384(r11)
cmpwi r11,512
bne- 0x10
lis r11,15791
ori r11,r11,15642
stw r11,564(r23)
lwz r11,8(r1)
addi r1,r1,16
lfs f0,564(r23)
[/spoiler]
Does this look ok, and do you have any more pointers to make it smaller? Thanks
I see you're building a stack frame to store your registers for safety. You don't actually need to do that. r12 is almost always safe; I have only seen r12 used in one type of situation, which is loading the CTR register immediately before a bctr or bctrl.
Seeing as how you're down to one register, you can get rid of the stack frame altogether.
This reduces your code to
lis r12,-32703
lwz r12,6384(r12)
cmpwi r12,512
bne- THE_END
lis r12,15791
ori r12,r12,15642
stw r12,564(r23)
THE_END:
lfs f0,564(r23)
Note that I used a branch label. You will need PyiiASMH to convert this to a C2 code. But I like branch labels because they spare me counting instructions, and if you add something between the branch and its destination then you don't have to re-count everything.
---
Regarding a stack frame for safety, I do believe I once read that you can use negative offsets on the stack pointer to store data on the unallocated part of the stack. I was concerned whether or not an interrupt service routine might eventually stomp on that part of the stack, but then I read somewhere that the PPC ISR's leave some room in case the current function is using unallocated stack...
so no tut how to do?
no examples?
that's bad... :-[
http://wiird.l0nk.org/forum/index.php/topic,6496.msg55147.html#msg55147
are you sure this will work?
2840A5E0 0000YYYY # if button activator
C2056578 00000003 # C2 hook
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
E2100000 00000000 # else
04056578 ZZZZZZZZ # Z = original instruction at 80056578
E0000000 80008000
I can't be sure without having the game and testing it myself. But the general template will work.
28-if-equal button activator
C2 hook
else
04 write original instruction
terminator
lol ok but thanks.
I'll put this instrucion into ASM to WiiRd ;D
code:
28-if-equal button activator
C2 hook
else
04 write original instruction
terminator
assembly should be :
2840A5E0 0000YYYY
C2056578 00000003
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
E2100000 00000000
04056578 ZZZZZZZZ
E0000000 80008000
Two little things bug me, though.
1) button activators are usually a multiple of 2. Are you sure it shouldn't be 2840A5E2?
2) Make sure you replace Z with the original instruction that the hook will be over-writing.
E0 is 16 bit = 28
Alright, fine, don't listen to me, but don't act surprised if your code doesn't work.
The vast majority of button activators I ever see are the last 16-bits of their corresponding 32-bit word. For instance, SMG2 is 28750A02. SMG is 2861D342. And so on.
0 1 2 3
i.e. 0000XXXX where XXXX is the buttons.
A 16-bit code reading E0 will read the 0000 and not the XXXX.
it's like codetype 02 but only IF equal.
every button address is anywhere on every game.
28 is reading the last 4 bytes by E0.
do u think this works too?
2840A5E0 0000YYYY
C2056578 00000003
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
E2100000 00000000
C2056578 00000003
3DC080DC 61CE01AC
91DC01AC 80DC01AC
60000000 00000000
You're missing the terminator.
now?
2840A5E0 0000YYYY
C2056578 00000003
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
E2100000 00000000
C2056578 00000003
3DC080DC 61CE01AC
91DC01AC 80DC01AC
60000000 00000000
E0000000 80008000
I think 60000000 and E0000000 will freez?
It seems like you did everything right ;D , but I don't know what your hooks are.
Advice: The bolded parts will usually be the same for all codes. The not bolded parts will change depending on what the code should do (health, ammo, time, etc). The not bolded parts can be C2 codes or 04 RAM writes or any other WiiRD codes; be creative. The addresses should match.
2840A5E0 0000YYYY # if (button YYYY)
C2056578 00000003 # {
3DC04100 61CE0000 # C2Hook1();
91DC01AC 80DC01AC
60000000 00000000 # }
E2100000 00000000 # else
C2056578 00000003 # {
3DC080DC 61CE01AC # C2Hook2();
91DC01AC 80DC01AC
60000000 00000000
E0000000 80008000 # }
lol I noticed that it was your moonjump code for Water Warfare.
Here you go:
[Moonjump [Deathwolf] modded by Bully@Wiiplaza
04056578 80DC01AC --> writes back original instruction if button is not pressed
2840A5E0 DFFF2000 --> Button Activator Z
C2056578 00000003 --> (C2 code with lis, ori,stw blabla)
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
You can force the game to write the original instruction to adress xxxxxxxx, if you use the 04 line above your code, which restores original instruction at this adress (branch). This is, what I did, before I read this topic :P
-Tested, works-
without any if else?lol
Thanks, Bully, for actually giving the necessary details. One thing...you forgot the terminator. You need one because you used an if code. Without the terminator, any codes after that code will get screwed up.
I've done that basic approach with CC codes too. I call it "pre-patching the anti-code", because you write the original instruction (or anti-code, as wiiztec referred to it) every frame, and then conditionally over-write the anti-code with your code based on a button activator. To verify, you can set a write breakpoint on 8040A5E0 and you will see that it writes once when the activator is not true and twice when the activator is true.
Here's that same code, in if-else format. In contrast, the if-else format will only write one or the other, but not both in the same frame. However, it requires an additional line. Since it's functionally identical to Bully's code, this code is only good for practice with else.
2840A5E0 DFFF2000
C2056578 00000003
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
E2100000 00000000
04056578 80DC01AC
E0000000 80008000
---
Here's that code, in ASM format. Notice that the original code used the mask DFFF. In order to do the same with ASM we will use andi.. Notice the . at the end of andi., because it is required. Also note that when Z is not pressed, the andi. results in a 0, and 0 is tested for with beq-.
lis r12,0x8040 # r12 = controller pointer
ori r12,r12,0xA5E0
lhz r12,0(r12) # r12 = controller value
andi. r12,0x2000 # mask Z bit
beq- 0x0C # if equal to 0, no Z bit, branch
lis r12,0x4100 # if not equal, Z bit is set, write 41000000...
stw r12,428(r28) # ...to 428(r28)
lwz r6,428(r28) # original instruction; bne- would take you here
you can't assembly this:
lis r12,0x8040
ori r12,r12,0xA5E0
lhz r12,0(r12)
andi. r12,0x2000
beq- 0x0C
lis r12,0x4100
stw r12,428(r28)
lwz r6,428(r28)
operand out of range (0x00002000 is not between 0x00000000 and 0x0000001f)
Doh! Forgot the source register.
lis r12,0x8040
ori r12,r12,0xA5E0
lhz r12,0(r12)
andi. r12,r12,0x2000
beq- 0x0C
lis r12,0x4100
stw r12,428(r28)
lwz r6,428(r28)
assembly:
C2000000 00000005
3D808040 618CA5E0
A18C0000 718C2000
4182000C 3D804100
919C01AC 80DC01AC
60000000 00000000
and which hook address?
It's your code that I modified...you should already know the hook address.
not really because there are 2 addresses.
one for the button and the second of the address.
Are you even trying? Or do you just expect me to do all of the work for you?
Adding a button activator doesn't change the hook address.
You wrote the original C2 code! You should know what address you want to hook. I don't even have this game.
....
I've done one for Infinitiy Health with button activator.
button activator: 282F6DDA 0000YYYY
Infinity Health [Deathwolf]
C203CAE8 00000005
3D80802F 618C6DDA
A18C0000 718C2000
4182000C 3D800000
618C0BB8 919C01AC
80DC01AC 00000000
code:
lis r12,0x802F
ori r12,r12,0x6DDA
lhz r12,0(r12)
andi. r12,0x2000
beq- 0x0C
lis r12,0x0000
ori r12,r12,0x0BB8
stw r12,428(r28)
lwz r6,428(r28)
does it looks right?
dcx2 I've tried your code and it freez....
No, your code doesn't look right.
1) andi. has three operands. It should be "andi. r12,r12,0x2000". You pointed this error out before.
2) lis r12, 0 is redundant. li r12, 0xBB8 will clear the upper 16 bits to 0 for you.
3) More importantly, the branch distance was changed because you added another instruction after the branch. The beq- must point to the final instruction (the one which is replaced by the hook). Right now, with 0xC, it points to the stw.
4) You used 428(r28) in your previous code. Is this code supposed to write to the same place?
5) You should learn how to step through your ASM codes so you can spot these kinds of problems.
Quote from: dcx2 on July 22, 2010, 07:25:42 PM
Doh! Forgot the source register.
lis r12,0x8040
ori r12,r12,0xA5E0
lhz r12,0(r12)
andi. r12,r12,0x2000
beq- 0x0C
lis r12,0x4100
stw r12,428(r28)
lwz r6,428(r28)
I mean this.
it freez
Quote from: dcx2 on July 22, 2010, 10:42:05 PM
No, your code doesn't look right.
1) andi. has three operands. It should be "andi. r12,r12,0x2000". You pointed this error out before.
2) lis r12, 0 is redundant. li r12, 0xBB8 will clear the upper 16 bits to 0 for you.
3) More importantly, the branch distance was changed because you added another instruction after the branch. The beq- must point to the final instruction (the one which is replaced by the hook). Right now, with 0xC, it points to the stw.
4) You used 428(r28) in your previous code. Is this code supposed to write to the same place?
5) You should learn how to step through your ASM codes so you can spot these kinds of problems.
Don't understand anything more...
btw you are soo good in ASM.
another problem. not fucking register will works.
breakpoint read:
800E5B10: 80040000 lwz r0,0(r4)
lis rXX,0x40A0
stw rXX,0(r4)
lwz r0,0(r4)
I've tried r12,13 and 14....
none of them will works
Without the game, I can't tell you why it froze, especially if you don't give me any details like what the registers and disassembly you're trying to hook, and what the registers/disassembly say when it freezes.
If you want my help, you have to put forth some effort. If you don't start giving me enough details I will stop helping you.
Quote from: Deathwolf on July 22, 2010, 10:48:32 PM
lis rXX,0x40A0
stw rXX,0(r4)
lwz r0,0(r4)
r0 is safe in this case (the original instruction, lwz r0,0(r4), writes to r0 without reading it).
lis r0,0x40A0
stw r0,0(r4)
Note that we don't need the original instruction anymore, because r0 already has the value we want in it, which was the purpose of the lwz r0.
However...0x40A00000 looks like a float. Why are you lwz'ing a float? The game should lfs floats.
Details, details, details!!! What are you trying to do? What's the complete disassembly? etc.
omfg what's going on?
first you say li lis ori stw blr lwz lhz and....
suddenly without lwz and only r0.
I tought u should NEVER save it to r0.
yes it's a breaked moonjump codes.
FLOATING VALUE u can see. that's right
ok...
address of moonjump: 90F0BC00
breakpoint read:
CR : 84000048 XER : 00000000 CTR : 800E5B10 DSIS: 00400000
DAR : 90F0BC04 SRR0: 800E5B10 SRR1: 0000A032 LR : 800E5620
r0 : 00000028 r1 : 80768900 r2 : 8075A6E0 r3 : 00000081
r4 : 90F0BC04 r5 : 90F0BDFC r6 : 000000FF r7 : 800E5B10
r8 : 0000005B r9 : 8082F4A8 r10 : 8082F358 r11 : 80768980
r12 : 8008405C r13 : 80752260 r14 : 0000317A r15 : 0000002A
r16 : 80560000 r17 : 00000000 r18 : FFFFFFFF r19 : 80000000
r20 : 80560000 r21 : 80560000 r22 : 80530000 r23 : 80D87B00
r24 : 90F0C76C r25 : 00000001 r26 : 90E859D4 r27 : 00000000
r28 : 00000001 r29 : 90F0BA00 r30 : 90F0BA00 r31 : 90F0C600
f0 : 00000000 f1 : 80000000 f2 : 3F400000 f3 : 3F800000
f4 : 441F2A0C f5 : C1DC1E00 f6 : 4423A677 f7 : 00000000
f8 : 00000000 f9 : 00000000 f10 : 00000000 f11 : 00000000
f12 : 00000000 f13 : 80000000 f14 : 00000000 f15 : 00000000
f16 : 00000000 f17 : 00000000 f18 : 00000000 f19 : 00000000
f20 : 00000000 f21 : 00000000 f22 : 00000000 f23 : 00000000
f24 : 00000000 f25 : 00000000 f26 : 00000000 f27 : 3F800000
f28 : 59800004 f29 : 59800000 f30 : 3E000000 f31 : 00000000
800E5B10: 80040000 lwz r0,0(r4)
800E5B14: 90180000 stw r0,0(r24)
800E5B18: 4BFFDD18 b 0x800e3830
800E5B1C: 7C600774 extsb r0,r3
800E5B20: 90180000 stw r0,0(r24)
800E5B24: 4BFFDD0C b 0x800e3830
800E5B28: 9061001C stw r3,28(r1)
800E5B2C: C8010018 lfd f0,24(r1)
800E5B30: EC00E828 fsubs f0,f0,f29
800E5B34: EC0007B2 fmuls f0,f0,f30
800E5B38: D0180000 stfs f0,0(r24)
800E5B3C: 4BFFDCF4 b 0x800e3830
800E5B40: 801A0000 lwz r0,0(r26)
800E5B44: 3B5A0004 addi r26,r26,4
800E5B48: 90180000 stw r0,0(r24)
800E5B4C: 4BFFDCE4 b 0x800e3830
Exact Breakpoint Fail.
Quoteaddress of moonjump: 90F0BC00
Quoter4 : 90F0BC04
Quote800E5B10: 80040000 lwz r0,0(r4)
Do you see anything wrong here?
---
Quote from: Deathwolf on July 22, 2010, 11:03:22 PM
first you say li lis ori stw blr lwz lhz and....
suddenly without lwz and only r0.
I tought u should NEVER save it to r0.
yes it's a breaked moonjump codes.
FLOATING VALUE u can see. that's right
1) li/lis/ori depend on whether you're doing 32- or 16-bit values. Sometimes some of them are unnecessary if one half or the other is 0000.
2) I never said use blr. Ever. In fact, I said you should NEVER use a blr in a C2 code.
3) I said you can't use r0
with certain instructions as an address register. You have to look up an ASM reference and see if it has "(rA|0)" to know whether you can use r0.
4) The value that you broke on is NOT A FLOAT. Floats use lfs, stfs, fmuls, fsubs, fadds, etc. Floats
do not use lwz or stw!!!
oh no....
please give me just the code and I'll assembly it.
thanks alot but maybe I'm too stupid.
I gave you as much as I can. You found the wrong breakpoint. This happens a lot if you don't use Exact.
You said your breakpoint is on 90F0BC00, right? But lwz r0,0(r4), and r4 is 90F0BC04.
BTW, if you would use Gecko.NET and you pressed "Show Mem" then you would see that your breakpoint isn't on the right address.
a example code:
Moonjump
C2056578 00000003
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
code:
lis r14,0x4100
ori r14,r14,0x0000
stw r14,428(r28)
lwz r6,428(r28)
Button address
2840A5E0 0000YYYY
C2056578 00000003
3DC04100 61CE0000
91DC01AC 80DC01AC
60000000 00000000
button address should be in ASM?
button ASM:
801C5EE8: A0E50000 lhz r7,0(r5)
code:
lis r12,0x8040
ori r12,r12,0xA5E0
lhz r7,0(r5)