Hey guys, I need some help again. This time, it's a one hit kill ASM code for The Conduit.
The value at address 8081BA18 in the memory viewer shows 00000100. If I set it to 0000011D, it's a one hit kill for the enemies.
Unfortunately, the address keeps moving and I need an assembly code for this.
Here is a picture from breakpoint read:
(http://i33.servimg.com/u/f33/13/33/97/73/ohk_co11.png)
Please help me, how do I write 0000011D instead of 00000100 via assembly... Idk how in this situation! :o
(Breakpoint write and execute never broke)
Greetings!! ;)
You can pick your way through this thread.
http://wiird.l0nk.org/forum/index.php/topic,6466.msg54897.html#msg54897
You'll need a C2 hook on the lwz r0, with something like
li r12,0x11D
stw r12,8196(r3)
lwz r0,8196(r3)
okay thanks.
As I inserted the li thingy, the game already froze.
But maybe it doesn't when I use the entire C2 code... ::)
EDIT:
It froze when I applied the code in the main menu...
What else could I do?
dcx2, the same happens to me.
none of these registers would work
assembly:
C20E476C 00000002
3980011D 91832004
80032004 00000000
it froze...
You could try to replace the lwz r0 with li r0,0x11D. Although if anything else is reading that memory address, it won't see the new value.
You can also try to use r0 instead of r12. r0 is safe because it is being loaded, and none of the instructions used are "(RA|0)" instructions. But if r12 freezes then I doubt r0 will work any better.
Are you sure you're doing the right thing? Set your breakpoint, and when you hit it, step over the lwz, and then over-write the value in r0 with your 0x11D. Then hit Run. This will be like a one-time code.
Also, consider stepping through your C2. Set an execute breakpoint on the instruction before your C2. Once it is hit, THEN apply your C2 code. Switch back to breakpoint tab and step through your C2 code. Make sure it's doing what you think it should do.
Another common ASM problem is that the code which is being executed is run more than once. For instance, the same code might run when you shoot an enemy, or an enemy shoots you. This could also cause a problem, by giving your enemies the one-hit-kill power too. Set multiple breakpoints and make sure that the breakpoint is only hit when you shoot, and not when an enemy shoots, etc.
When the game freezes, try to press "Get BP Data". Then post the registers/disassembly. A lot of crashes can be diagnosed and even recovered this way, if you can see what went wrong and how to fix it.
If I set the read breakpoint, it always breaks immediately (I don't have other codes activated).
If I set the write or execute breakpoint, it does not break.
lol, you're never going to execute data, so of course that won't work.
I see that you have the Exact Match checkbox checked. You might be having the Inverse Exact Breakpoint Fail. If the lower 16 bits of the value are being written to with a sth, you will never hit that breakpoint.
In other words, an Exact Match will only break if the address matches EXACTLY. You set your BP to 8081BA18, however if it's using a 16-bit value then a sth would be using 8081BA1A, which is not the same as 8081BA18 and therefore wouldn't stop.
You should still try my other suggestions in my previous post. Particularly the one-time modification to r0, and stepping through your C2 code to make sure it does what you want it to do.
Quote from: dcx2 on July 23, 2010, 11:22:17 PM
You could try to replace the lwz r0 with li r0,0x11D.
You can also try to use r0 instead of r12.
I set the read BP on the one hit kill address. It immediately broke and I replaced the lwz instruction with
li r0,0x11D. Then I hit run, but the game was frozen... :o
Quote from: dcx2 on July 23, 2010, 11:22:17 PM
Are you sure you're doing the right thing? Set your breakpoint, and when you hit it, step over the lwz, and then over-write the value in r0 with your 0x11D. Then hit Run.
That's what I did, I also got the same BP when NOT using the exact match.
Quote from: dcx2 on July 23, 2010, 11:22:17 PM
Another common ASM problem is that the code which is being executed is run more than once. For instance, the same code might run when you shoot an enemy, or an enemy shoots you. This could also cause a problem, by giving your enemies the one-hit-kill power too. Set multiple breakpoints and make sure that the breakpoint is only hit when you shoot, and not when an enemy shoots, etc.
If it gives my enemy the ability for that, too, it doesn't matter. I have Inf. Health for such things.
Quote from: dcx2 on July 23, 2010, 11:22:17 PM
When the game freezes, try to press "Get BP Data". Then post the registers/disassembly. A lot of crashes can be diagnosed and even recovered this way, if you can see what went wrong and how to fix it.
CR:84000048 XER:00000000 CTR:800E426C DSIS:04000000
DAR:00000119 SRR0:800E4278 SRR1:00008032 LR:800E5620
r0:00000000 r1:80768900 r2:8075A6E0 r3:00000000
r4:FFFFFFFF r5:0000011D r6:000000FE r7:800E426C
r8:000000FD r9:FFFFFFF9 r10:90F0C46C r11:FFFFFFF9
r12:8012DC0C r13:80752260 r14:0000245F r15:0000002B
r16:80560000 r17:00000000 r18:FFFFFFFF r19:80000000
r20:80560000 r21:80560000 r22:80530000 r23:80DC48D0
r24:90F0BDF4 r25:00000001 r26:90E86984 r27:00000000
r28:00000001 r29:90F0BA00 r30:90F0BA00 r31:90F0BA00
f0:FFC00000 f1:42FE0000 f2:59800004 f3:3F800000
f4:428942E1 f5:C14DA775 f6:42C2EA45 f7:00000000
f8:00000000 f9:00000000 f10:00000000 f11:00000000
f12:00000000 f13:80000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:3F800000
f28:59800004 f29:59800000 f30:3E000000 f31:00000000
800E4278: 8065FFFC lwz r3,-4(r5)
800E427C: 2C04FFFF cmpwi r4,-1
800E4280: 7C668670 srawi r6,r3,16
800E4284: 7C0031D6 mullw r0,r0,r6
800E4288: 41820010 beq- 0x800e4298
800E428C: 9241000C stw r18,12(r1)
800E4290: 7F86E378 mr r6,r28
800E4294: 7C002214 add r0,r0,r4
800E4298: 2F060000 cmpwi cr6,r6,0
800E429C: 38E00000 li r7,0
800E42A0: 4099F590 ble+ cr6,0x800e3830
800E42A4: 2C060008 cmpwi r6,8
800E42A8: 3926FFF8 subi r9,r6,8
800E42AC: 40810094 ble- 0x800e4340
800E42B0: 38800000 li r4,0
800E42B4: 41980014 blt- cr6,0x800e42c8
800E42B8: 3873FFFE subi r3,r19,2
800E42BC: 7C061800 cmpw r6,r3
800E42C0: 41810008 bgt- 0x800e42c8
800E42C4: 38800001 li r4,1
800E42C8: 2C040000 cmpwi r4,0
800E42CC: 41820074 beq- 0x800e4340
800E42D0: 39090007 addi r8,r9,7
800E42D4: 5403103A rlwinm r3,r0,2,0,29
800E42D8: 5508E8FE rlwinm r8,r8,29,3,31
800E42DC: 7F04C378 mr r4,r24
800E42E0: 7C651A14 add r3,r5,r3
800E42E4: 7D0903A6 mtctr r8
800E42E8: 2C090000 cmpwi r9,0
800E42EC: 40810054 ble- 0x800e4340
800E42F0: 81030000 lwz r8,0(r3)
800E42F4: 38E70008 addi r7,r7,8
800E42F8: 91040000 stw r8,0(r4)
800E42FC: 81030004 lwz r8,4(r3)
800E4300: 91040004 stw r8,4(r4)
800E4304: 81030008 lwz r8,8(r3)
800E4308: 91040008 stw r8,8(r4)
800E430C: 8103000C lwz r8,12(r3)
800E4310: 9104000C stw r8,12(r4)
800E4314: 81030010 lwz r8,16(r3)
-----------------
BP execute on the address before lwz (add r3,r3,r0). It always broke immediately.
CR:88000088 XER:20000000 CTR:800E4760 DSIS:00400000
DAR:8081BA18 SRR0:800E4768 SRR1:0000A032 LR:800E37B0
r0:00000024 r1:80768900 r2:8075A6E0 r3:808196C0
r4:90D32A74 r5:90D32C10 r6:00000009 r7:800E4694
r8:0000004F r9:8082F3AC r10:8082F160 r11:80768980
r12:00000000 r13:80752260 r14:00002DD2 r15:807A6C60
r16:80560000 r17:00000000 r18:FFFFFFFF r19:80000000
r20:80560000 r21:80560000 r22:80530000 r23:80E4AEF0
r24:90D32B8C r25:00000001 r26:90912FB4 r27:00000000
r28:00000001 r29:90D32A50 r30:90D32A50 r31:90D32A50
f0:00000000 f1:00000000 f2:00000000 f3:4F800000
f4:4F000000 f5:41DA87DA f6:3F800000 f7:4265DD4B
f8:C061CC10 f9:C0C3B88C f10:3F6B0EA8 f11:419E4268
f12:00000000 f13:3FC00000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:3F800000
f28:59800004 f29:59800000 f30:3E000000 f31:00000000
800E4768: 7C630214 add r3,r3,r0
800E476C: 80032004 lwz r0,8196(r3)
800E4770: 90180000 stw r0,0(r24)
800E4774: 4BFFF0BC b 0x800e3830
800E4778: 90D80000 stw r6,0(r24)
800E477C: 4BFFF0B4 b 0x800e3830
800E4780: 7D000774 extsb r0,r8
800E4784: A861000A lha r3,10(r1)
800E4788: 90010010 stw r0,16(r1)
800E478C: 3B010010 addi r24,r1,16
800E4790: 546F053E rlwinm r15,r3,0,20,31
800E4794: 48000044 b 0x800e47d8
800E4798: 9101001C stw r8,28(r1)
800E479C: 3B010010 addi r24,r1,16
800E47A0: A801000A lha r0,10(r1)
800E47A4: C8010018 lfd f0,24(r1)
800E47A8: 540F053E rlwinm r15,r0,0,20,31
800E47AC: EC00E828 fsubs f0,f0,f29
800E47B0: EC0007B2 fmuls f0,f0,f30
800E47B4: D0010010 stfs f0,16(r1)
800E47B8: 48000020 b 0x800e47d8
800E47BC: A801000A lha r0,10(r1)
800E47C0: 7F58D378 mr r24,r26
800E47C4: 3B5A0004 addi r26,r26,4
800E47C8: 540F053E rlwinm r15,r0,0,20,31
800E47CC: 4800000C b 0x800e47d8
800E47D0: A801000A lha r0,10(r1)
800E47D4: 540F053E rlwinm r15,r0,0,20,31
800E47D8: 54C0E73E rlwinm r0,r6,28,28,31
800E47DC: 2800000F cmplwi r0,15
800E47E0: 4181F050 bgt+ 0x800e3830
800E47E4: 3875D7A8 subi r3,r21,10328
800E47E8: 5400103A rlwinm r0,r0,2,0,29
800E47EC: 7C63002E lwzx r3,r3,r0
800E47F0: 7C6903A6 mtctr r3
800E47F4: 4E800420 bctr
800E47F8: 7EE3BB78 mr r3,r23
800E47FC: 7EE4BB78 mr r4,r23
800E4800: 7DE57B78 mr r5,r15
800E4804: 7F06C378 mr r6,r24
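One way to work through "Get BP Data" dumps like the two above, as an added example (this is not code from the thread or from WiiRd): it parses the register block into a dictionary, recomputes the faulting address of the first dump from SRR0, DAR and the disassembly line at SRR0 (r5 = 0x11D minus 4 is exactly the DAR value 0x119, which suggests the value written for the one-hit kill was later dereferenced as a pointer), computes where the hooked lwz r0,8196(r3) of the second dump will actually read (r3 + r0 + 8196 = 0x8081B6E8, not 0x8081BA18, so that hit belongs to a different entity), and compares two hits of the same breakpoint to list the registers that could serve as a guard. The first two dumps are excerpts of the page's own values; the third dump is constructed for the comparison and is not from the page.

```python
import re

# Dump 1 (from the page): the freeze after replacing the lwz with li r0,0x11D.
CRASH_DUMP = """\
CR:84000048 XER:00000000 CTR:800E426C DSIS:04000000
DAR:00000119 SRR0:800E4278 SRR1:00008032 LR:800E5620
r0:00000000 r1:80768900 r2:8075A6E0 r3:00000000
r4:FFFFFFFF r5:0000011D r6:000000FE r7:800E426C
"""
# Disassembly at SRR0 as posted under that dump.
CRASH_DISASM = {0x800E4278: "lwz r3,-4(r5)"}

# Dump 2 (from the page): execute breakpoint on the add r3,r3,r0 at 800E4768.
HOOK_HIT_1 = """\
CR:88000088 XER:20000000 CTR:800E4760 DSIS:00400000
DAR:8081BA18 SRR0:800E4768 SRR1:0000A032 LR:800E37B0
r0:00000024 r1:80768900 r2:8075A6E0 r3:808196C0
r4:90D32A74 r5:90D32C10 r6:00000009 r7:800E4694
r12:00000000 r13:80752260 r14:00002DD2 r15:807A6C60
"""
# Dump 3 (CONSTRUCTED, not from the page): a hypothetical later hit of the same
# breakpoint whose index register r0 makes the lwz reach the address of interest.
HOOK_HIT_2 = """\
CR:88000082 XER:20000000 CTR:800E4760 DSIS:00400000
DAR:8081BA18 SRR0:800E4768 SRR1:0000A032 LR:800E37B0
r0:00000354 r1:80768900 r2:8075A6E0 r3:808196C0
r4:90D32B20 r5:90D32CBC r6:00000009 r7:800E4694
r12:00000000 r13:80752260 r14:00002DD3 r15:807A6C60
"""

TARGET = 0x8081BA18  # the word the poster wants to change
REG_RE = re.compile(r"([A-Za-z]+[0-9]*):([0-9A-Fa-f]{8})")
# "lwz r3,-4(r5)" -> mnemonic, displacement, base register
MEM_RE = re.compile(r"^(\w+)\s+\w+,(-?\d+)\((\w+)\)$")


def parse_bp_dump(text):
    """Pasted Get BP Data block -> {register name: int value}."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def explain_dsi(dump, disasm):
    """For a data-access fault, recompute the effective address of the load/store
    at SRR0 from the dumped registers and compare it with DAR.
    Returns (mnemonic, effective address, True if it equals DAR)."""
    m = MEM_RE.match(disasm[dump["SRR0"]])
    if not m:
        return None
    op, disp, base = m.groups()
    ea = (dump[base] + int(disp)) & 0xFFFFFFFF
    return op, ea, ea == dump["DAR"]


def lwz_target(dump, base="r3", index="r0", disp=8196):
    """Address that 'lwz r0,8196(r3)' reads after 'add r3,r3,r0' for one hit
    (the breakpoint fires before the add, so r3 is still the un-added base)."""
    return (dump[base] + dump[index] + disp) & 0xFFFFFFFF


def diff_dumps(a, b):
    """Registers whose values differ between two hits: {reg: (a, b)}."""
    return {r: (a[r], b[r]) for r in a if r in b and a[r] != b[r]}


def guard_candidates(wanted, unwanted, prefix="r"):
    """GPRs that separate the hits you want from the hits you don't: the same
    value in every wanted dump and never that value in an unwanted dump."""
    found = {}
    for r, v in wanted[0].items():
        if (r.startswith(prefix)
                and all(d.get(r) == v for d in wanted[1:])
                and all(d.get(r) != v for d in unwanted)):
            found[r] = v
    return found


if __name__ == "__main__":
    crash = parse_bp_dump(CRASH_DUMP)
    print("fault at SRR0:", explain_dsi(crash, CRASH_DISASM))
    h1, h2 = parse_bp_dump(HOOK_HIT_1), parse_bp_dump(HOOK_HIT_2)
    for name, d in (("hit 1", h1), ("hit 2", h2)):
        ea = lwz_target(d)
        print(name, "reads", hex(ea), "(wanted)" if ea == TARGET else "(other entity)")
    print("registers that differ:", {r: tuple(map(hex, v)) for r, v in diff_dumps(h1, h2).items()})
    print("guard candidates:", {r: hex(v) for r, v in guard_candidates([h2], [h1]).items()})
```

With only one real hit on the page the candidate list is just "whatever differs"; the approach pays off once several dumps of the wanted case and several of the unwanted case are collected, as dcx2 suggests, because a register that is merely different by chance drops out of the list.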
Set lots of execute breakpoints there and see if you notice any patterns that you could test for.
No, don't write anything because it's crashing the game when you do that. We want to observe this creature in its natural habitat before trying to capture and domesticate it.
Without any codes active, just do an execute breakpoint on the address you would *like* to hook. Pay attention to the values in the registers when you're doing this. Even better, copy/paste them into a file so you can compare against them later.
Look for patterns. Try to identify a register that contains a value that will help you identify the appropriate time to apply the hook. Then add a conditional branch to your code so that it skips the hook unless a specific register has a magic value.
I stumbled on this earlier today and it is a good read for this purpose, too. http://wiird.l0nk.org/forum/index.php/topic,5836.msg50772.html#msg50772
The code will do the normal, un-hacked instruction (stfs)...unless r19 = 3, in which case it will run the hook instead (lis/stw). The hack was "domesticated" by watching r19. Like a leash, so that it doesn't jump out and bite innocent callers.
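The two pieces of advice in this thread, the plain C2 hook (li / stw / lwz) suggested early on and the guarded hook ("skip the hook unless a specific register has a magic value") described in the last posts, as one added example that is not code from the thread, from WiiRd, or from the linked post. It is a minimal PowerPC D-form/B-form encoder plus a Gecko C2 builder: the first call reproduces the C2 code that was posted above word for word, and the second wraps the same hook in a cmpwi/bne guard. The guard register r19 and magic value 3 are the ones dcx2 quotes from the linked post; for The Conduit they are placeholders to be replaced with whatever the breakpoint dumps show.

```python
# Minimal PowerPC encoder for the instructions used in this thread (added example).
def _d_form(opcode, rt, ra, imm):
    """D-form: 6-bit opcode, rD/rS, rA, signed 16-bit immediate/displacement."""
    assert -0x8000 <= imm <= 0xFFFF, "immediate does not fit in 16 bits"
    return (opcode << 26) | (rt << 21) | (ra << 16) | (imm & 0xFFFF)


def addi(rt, ra, imm):  return _d_form(14, rt, ra, imm)
def li(rt, imm):        return addi(rt, 0, imm)          # li rD,imm == addi rD,0,imm
def lis(rt, imm):       return _d_form(15, rt, 0, imm)   # addis rD,0,imm
def lwz(rt, disp, ra):  return _d_form(32, rt, ra, disp)
def stw(rs, disp, ra):  return _d_form(36, rs, ra, disp)
def stfs(frs, disp, ra): return _d_form(52, frs, ra, disp)
def cmpwi(ra, imm):     return _d_form(11, 0, ra, imm)   # compares into cr0, L=0


def bc(bo, bi, offset):
    """B-form conditional branch with a relative byte offset (AA=0, LK=0)."""
    assert offset % 4 == 0 and -0x8000 <= offset <= 0x7FFC
    return (16 << 26) | (bo << 21) | (bi << 16) | (offset & 0xFFFC)


def beq(offset): return bc(12, 2, offset)   # branch if cr0.eq is set
def bne(offset): return bc(4, 2, offset)    # branch if cr0.eq is clear


def c2_code(address, instrs):
    """Gecko C2 (insert ASM) code: C2 + address with the 0x80000000 base removed,
    the number of 64-bit lines, then the instruction words. The last word must be
    00000000 (the code handler turns it into the branch back), so an odd count
    gets one zero word and an even count gets a nop (60000000) plus the zero word."""
    words = list(instrs)
    words += [0x60000000, 0x00000000] if len(words) % 2 == 0 else [0x00000000]
    all_words = [0xC2000000 | (address & 0x01FFFFFF), len(words) // 2] + words
    return [f"{all_words[i]:08X} {all_words[i + 1]:08X}"
            for i in range(0, len(all_words), 2)]


def guarded_hook(guard_reg, magic, hook_instrs, original_instr):
    """cmpwi guard,magic / bne past the hook / hook... / original instruction.
    Any caller for which guard_reg != magic executes only the original."""
    skip = (1 + len(hook_instrs)) * 4   # bytes from the bne to the original instr
    return [cmpwi(guard_reg, magic), bne(skip)] + list(hook_instrs) + [original_instr]


HOOK_ADDR = 0x800E476C                       # the lwz r0,8196(r3) from the dump
PLAIN_HOOK = [li(12, 0x11D), stw(12, 8196, 3)]
ORIGINAL = lwz(0, 8196, 3)


def plain_c2():
    """The C2 code posted in the thread, rebuilt from mnemonics."""
    return c2_code(HOOK_ADDR, PLAIN_HOOK + [ORIGINAL])


def guarded_c2(guard_reg=19, magic=3):
    """Same hook, leashed to one register value (placeholder r19 == 3)."""
    return c2_code(HOOK_ADDR, guarded_hook(guard_reg, magic, PLAIN_HOOK, ORIGINAL))


if __name__ == "__main__":
    print("\n".join(plain_c2()))
    print()
    print("\n".join(guarded_c2()))
```

The guarded code is three lines instead of two because five instructions plus the terminating zero word make six words. Magic values wider than a signed 16-bit immediate do not fit cmpwi; they would need a lis/ori into a scratch register and a cmpw, which this encoder does not cover.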