Hey guys,
I tried to make profile name changer code for PBR, and I found it with unicode search!
My problem: every time I turn the Wii off, the address of the name moves.
I set a READ breakpoint on it and connected to WiFi and it broke (the instruction was always this, meaning that it's the right BP)
8025E7E8: A0040000 lhz r0,0(r4)
8025E7EC: 38840002 addi r4,r4,2
8025E7F0: 2C000000 cmpwi r0,0
8025E7F4: B0030000 sth r0,0(r3)
8025E7F8: 38630002 addi r3,r3,2
8025E7FC: 41820008 beq- 0x8025e804
8025E800: 4200FFE8 bdnz+ 0x8025e7e8
8025E804: 7CC33378 mr r3,r6
8025E808: 4E800020 blr
8025E80C: 7CA903A6 mtctr r5
8025E810: 2C050000 cmpwi r5,0
8025E814: 40810030 ble- 0x8025e844
8025E818: A0040000 lhz r0,0(r4)
8025E81C: A0A30000 lhz r5,0(r3)
8025E820: 7C050040 cmplw r5,r0
8025E824: 4182000C beq- 0x8025e830
CR : 42000000 XER : 20000000 CTR : 00000008 DSIS: 00400000
DAR : 918F6FD0 SRR0: 8025E7E8 SRR1: 0000B032 LR : 8025E8BC
r0 : 8025E8AC r1 : 80C39A38 r2 : 80648600 r3 : 80BF4144
r4 : 918F6FD0 r5 : 00000008 r6 : 80BF4144 r7 : 00000000
r8 : 000024C0 r9 : 00000004 r10 : B6780000 r11 : 80C39AD8
r12 : 80264504 r13 : 806452C0 r14 : 00000000 r15 : 00000000
r16 : 00000000 r17 : 00000000 r18 : 00000000 r19 : 00000000
r20 : 00000000 r21 : 00000000 r22 : 00000001 r23 : 00000000
r24 : 00000AF2 r25 : 00000AF2 r26 : 80485E00 r27 : 000000FF
r28 : 80C16330 r29 : 80BF4140 r30 : 918F6FD0 r31 : 00000008
f0 : 00000001 f1 : 00000000 f2 : 00000000 f3 : 41800000
f4 : 00000000 f5 : C1102FE8 f6 : 413CA8A1 f7 : 412AE285
f8 : 00000000 f9 : 00000000 f10 : 00000000 f11 : 00000000
f12 : 4144A968 f13 : 3F800000 f14 : 00000000 f15 : 00000000
f16 : 00000000 f17 : 00000000 f18 : 00000000 f19 : 00000000
f20 : 00000000 f21 : 00000000 f22 : 00000000 f23 : 00000000
f24 : 00000000 f25 : 00000000 f26 : 00000000 f27 : 00000000
f28 : 00000000 f29 : 00000000 f30 : 00000000 f31 : 00000000
What I noticed: r4 always shows the address from where the name is loaded. When I BP read the first address of the name, it shows 918F6FD0, the 2nd shows 918F6FD2, the 3rd shows 918F6FD4, the 4th 918F6FD8 and so on!
Now I would like to know how I can write an assembly code which writes my selected name to these addresses.
I tried with:
li r12, 0x0053
sth r12, 0(r4)
lhz r0,0(r4)
C225E7E8 00000002
39800053 B1840000
A0040000 00000000
53 writes the letter S.
But when I looked at my name, it was SSSSSSSSSSSSSS.
Please help me to write, for example, USBGECKO :p
http://www.dolcevie.com/js/converter.html
Don't suggest pointer, it sucks!!!
(http://img836.imageshack.us/img836/8868/pbr003.png)
@dcx2: Please don't hesitate to help, you are the best help someone could get if he has a problem like me :)
8025E7E8: A0040000 lhz r0,0(r4) # load Unicode character into r0
8025E7EC: 38840002 addi r4,r4,2 # Adjust r4 to point at next unicode character
8025E7F0: 2C000000 cmpwi r0,0 # did we load the null terminator (i.e. end of string)
8025E7F4: B0030000 sth r0,0(r3) # store the Unicode char at r3
8025E7F8: 38630002 addi r3,r3,2 # Adjust r3 to point at the next Unicode char
8025E7FC: 41820008 beq- 0x8025e804 # if the Unicode char was a null terminator, exit the loop
8025E800: 4200FFE8 bdnz+ 0x8025e7e8 # loop back to 8025E7E8
8025E804: 7CC33378 mr r3,r6 # return the pointer from r6 in r3
8025E808: 4E800020 blr # return to caller
I may need more from before 8025E7E8. Remember, what comes *before* the breakpoint address is *more* important than what comes after (but what comes after is still important)
The reason you saw SSSSSSSS is because the instruction @8025E7E8 is executed once per character. Your approach is bad, because your string will never read the null terminator, so the loop will never end, and your game should freeze.
This chunk of code is copying the string from the pointer in r4 to the pointer in r3. So you have two options: over-write the stuff at r4 before it is read, or over-write the stuff at r3 after it is written. Since I can't see anything before 8025E7E8, we'll go with a post-fix.
Notice that the pointer we are copying to is also stored in r6 (so that it is not lost while we are doing things like addi r3,r3,2). This pointer is returned in r3. So we can hook 8025E804 instead and have access to the destination string. Then you can write whatever you want.
li r12, 0x0053
sth r12, 0(r6)
li r12, 0x0054
sth r12, 2(r6)
li r12, 0x004F
sth r12, 4(r6)
li r12, 0x0050
sth r12, 6(r6)
li r12, 0x0000
sth r12, 8(r6)
mr r3,r6
It is VERY IMPORTANT that you include the bolded line. This is the null terminator. If you don't include the 0 at the end of your string, then the string will not end.
li r12, 0x0053
sth r12, 0(r6) <--- writes XXXX0000
li r12, 0x0054
sth r12, 2(r6) <--- Writes 0000XXXX
li r12, 0x004F
sth r12, 4(r6) <--- writes XXXX0000
li r12, 0x0050
sth r12, 6(r6) <--- writes 0000XXXX
li r12, 0x0000
sth r12, 8(r6) <--- writes XXXX0000
mr r3,r6 <--- move register
you told me:
sth r12,0 = XXXX0000
sth r12,2 = 0000XXXX
stw r12,0= XXXXXXXX
stb r12,0 = XX000000
stb r12,1 = 00XX0000
stb r12,2 = 0000XX00
stb r12,3 = 000000XX
Is there maybe another way to write 32 bits with lhz?
Alright dcx2, thanks for the help, here are the instructions before:
(http://img823.imageshack.us/img823/5341/zwischenablage03.png)
Sry for the fail picture placement, but I can't fix it now.
I used WiiRD because with it I can search for more than 8 characters in the Memory Viewer.
That beginning doesn't change much. Although it does explain why your SSSS didn't crash. mtctr r5/bdnz+ ensure that you only read a maximum of 8 characters.
This is probably called by a bunch of other places. So you will change more than just your name. Since this is a leaf function (it creates no stack frame), you can look at the LR to determine who is calling it. That may help you find your name.
Quote from: dcx2 on August 26, 2010, 12:55:50 AM
hook address: 8025E804
li r12, 0x0053
sth r12, 0(r6)
li r12, 0x0054
sth r12, 2(r6)
li r12, 0x004F
sth r12, 4(r6)
li r12, 0x0050
sth r12, 6(r6)
li r12, 0x0000
sth r12, 8(r6)
mr r3,r6
Code:
C225E804 00000006
39800053 B1860000
39800054 B1860002
3980004F B1860004
39800050 B1860006
39800000 B1860008
7CC33378 00000000
Well, I tried out this assembled code, but it didn't change anything, even when the address was executed (while connecting online).
Shouldn't I use sth r12, X(r4) because the lwz is r0,0(r4) and r4 is the destination register?
Just wondering why your code base was not working yet.
r4 is *not* the destination. The code is copying the Unicode characters from r4 to r3. We are lhz'ing from r4 and sth'ing into r3. That means r4 is the *source*, and r3 is the destination.
I find it very odd that this did not work. You should set a breakpoint on your C2 code, and when it gets to the final line (mr), then you should make sure that the Unicode you want is at the address in r6.
If your characters are written correctly, then someone else must be reading the Unicode from r4 at some other time. If this is the case, we can just run the hack before the loop, and we'll over-write the source string, instead of over-writing the destination string after copying.
hook 8025E7D8
li r12, 0x0053
sth r12, 0(r4)
li r12, 0x0054
sth r12, 2(r4)
li r12, 0x004F
sth r12, 4(r4)
li r12, 0x0050
sth r12, 6(r4)
li r12, 0x0000
sth r12, 8(r4)
mr r6,r3
Hmm... I used your last code idea for testing purposes and the game froze with a black screen when I wanted to connect to WFC.
I've set a breakpoint on it to see what happened:
CR:42000000 XER:00000000 CTR:8036916C DSIS:04000000
DAR:00000067 SRR0:803693DC SRR1:00001032 LR:80369180
r0:00000001 r1:80C39650 r2:80648600 r3:80C07BC0
r4:00000003 r5:80C39658 r6:8051CBC0 r7:8051B9C0
r8:00000000 r9:00000000 r10:8051B9C0 r11:80C39690
r12:00000053 r13:806452C0 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:00000000
r20:00000000 r21:00000000 r22:00000001 r23:00000000
r24:00000AF2 r25:80620000 r26:80370000 r27:80620000
r28:00000001 r29:80621904 r30:80C07BC4 r31:00000003
f0:FFC00000 f1:40490FD8 f2:41700000 f3:59800000
f4:59800004 f5:00000000 f6:00000000 f7:3E71E3C8
f8:00000000 f9:3F800000 f10:00000000 f11:3F800000
f12:00000000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:00000000 f31:00000000
803693DC: 818C0014 lwz r12,20(r12)
803693E0: 38C00180 li r6,384
803693E4: C022A55C lfs f1,-23204(r2)
803693E8: 38E00000 li r7,0
803693EC: 8119184C lwz r8,6220(r25)
803693F0: 7D8903A6 mtctr r12
803693F4: 4E800421 bctrl
803693F8: 83DE0000 lwz r30,0(r30)
803693FC: 880DB1D8 lbz r0,-20008(r13)
80369400: 7C000775 extsb. r0,r0
80369404: 40820020 bne- 0x80369424
80369408: 3879184C addi r3,r25,6220
8036940C: 4BFFEBA1 bl 0x80367fac
80369410: 3879184C addi r3,r25,6220
80369414: 389A8528 subi r4,r26,31448
80369418: 38BB1840 addi r5,r27,6208
8036941C: 4BE5D82D bl 0x801c6c48
80369420: 9B8DB1D8 stb r28,-20008(r13)
80369424: 7C1EE840 cmplw r30,r29
80369428: 4082FF7C bne+ 0x803693a4
8036942C: 39610040 addi r11,r1,64
80369430: 4BE5DD3D bl 0x801c716c
80369434: 80010044 lwz r0,68(r1)
80369438: 7C0803A6 mtlr r0
8036943C: 38210040 addi r1,r1,64
80369440: 4E800020 blr
80369444: 9421FFE0 stwu r1,-32(r1)
80369448: 7C0802A6 mflr r0
8036944C: 90010024 stw r0,36(r1)
80369450: 93E1001C stw r31,28(r1)
80369454: 7C7F1B78 mr r31,r3
80369458: 8003004C lwz r0,76(r3)
8036945C: 2C000000 cmpwi r0,0
80369460: 40820098 bne- 0x803694f8
80369464: 80A30044 lwz r5,68(r3)
80369468: 80030048 lwz r0,72(r3)
8036946C: 7C002800 cmpw r0,r5
80369470: 4180000C blt- 0x8036947c
80369474: C0230040 lfs f1,64(r3)
80369478: 4800004C b 0x803694c4
r12 is 0x53 now, but it was supposed to be a pointer I guess :confused:
It's odd because the last thing in r12 is 0, not 0x53. What was the assembled code you used?
By the way, you generally don't need to copy and paste any more disassembly after a blr. And once again you cut off the disassembly at the breakpoint.
Quote from: dcx2 on August 26, 2010, 02:51:55 PM
It's odd because the last thing in r12 is 0, not 0x53. What was the assembled code you used?
By the way, you generally don't need to copy and paste any more disassembly after a blr. And once again you cut off the disassembly at the breakpoint.
Sry, I thought it's enough.
I'll appreciate that and cut it off after blr next time.
And the code was:
C225E7D8 00000006
39800053 B1840000
39800054 B1840002
3980004F B1840004
39800050 B1840006
39800000 B1840008
7C661B78 00000000
li r12, 0x0053
sth r12, 0(r4)
li r12, 0x0054
sth r12, 2(r4)
li r12, 0x004F
sth r12, 4(r4)
li r12, 0x0050
sth r12, 6(r4)
li r12, 0x0000
sth r12, 8(r4)
mr r6,r3
If that doesn't work, I don't know what to suggest. Perhaps there are many people calling 8025E7D8. Set an execute breakpoint and see who else comes up. If anyone comes up, take a look in Memory Viewer at the string pointed to by r4. Is it anything interesting? During the breakpoint, you can try poking the string at r4 to make it something else. You can also Step until 8025E804 and check out the string pointed at by r6. You can also try poking that string too.
You could also try using r6 instead of r12 when writing your string to r4. This is okay right here, because r6 is being over-written at the end anyway (by mr r6,r3 which puts r3 into r6, over-writing whatever junk we put in r6) But after 8025E7D8, r6 isn't safe anymore, so if your hook address changes then you can't use r6 anymore.
hmm I am at least a bit nearer... :eek:
li r6, 0x0053
sth r6, 0(r4)
li r6, 0x0054
sth r6, 2(r4)
li r6, 0x004F
sth r6, 4(r4)
li r6, 0x0050
sth r6, 6(r4)
li r6, 0x0000
sth r6, 8(r4)
lhz r0,0(r4)
C225E7D8 00000006
38C00053 B0C40000
38C00054 B0C40002
38C0004F B0C40004
38C00050 B0C40006
38C00000 B0C40008
A0040000 00000000
And how it looked in the game:
(http://img839.imageshack.us/img839/8884/rpbp02006.png)
But why so many SSS again and then TOP normally... I thought it's working now :(
How does the code have to look so that every letter is written once? :confused:
li r6, 0x0053
sth r6, 0(r4)
li r6, 0x0054
sth r6, 2(r4)
li r6, 0x004F
sth r6, 4(r4)
li r6, 0x0050
sth r6, 6(r4)
li r6, 0x0000
sth r6, 8(r4)
lhz r0,0(r4)
C225E7D8 00000006
38C00053 B0C40000
38C00054 B0C40002
38C0004F B0C40004
38C00050 B0C40006
38C00000 B0C40008
A0040000 00000000
8025E7D8: 7C661B78 mr r6,r3
Do you see what is wrong?
Quote from: dcx2 on August 27, 2010, 03:45:07 PM
Do you see what is wrong?
Yes... I used the hook address from mr r6,r3 and had lwz r0,0(r4) as the last instruction, which was carelessness.
address: 8025E7D8
li r6, 0x0053
sth r6, 0(r4)
li r6, 0x0054
sth r6, 2(r4)
li r6, 0x004F
sth r6, 4(r4)
li r6, 0x0050
sth r6, 6(r4)
li r6, 0x0000
sth r6, 8(r4)
mr r6,r3
Tested AND works!
Awesome, thank you dcx2!! :D
(http://img801.imageshack.us/img801/180/rpbp02009.png)
8)
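As an added worked example (not part of the thread or of anyone's post in it): a small Python assembler for the four PowerPC instructions used above (li, sth, lhz, mr) plus the Gecko C2 wrapper, which rebuilds the final working code line for line from a name string and shows why the null terminator and the 8-halfword copy limit (r5 = 8 loaded into CTR) matter. The C2 padding rule (pad an odd instruction count with 00000000, add a nop line for an even count) and the 8-unit limit are assumptions stated in the comments.

```python
# Added example (not from the thread): assemble the li / sth / mr / lhz lines
# into a Gecko C2 code. Opcode layouts are standard PowerPC; the C2 padding
# rule and the 8-halfword limit are assumptions noted below.

def li(rd, imm):
    """li rD,imm is addi rD,0,imm (primary opcode 14)."""
    return 0x38000000 | (rd << 21) | (imm & 0xFFFF)

def sth(rs, d, ra):
    """sth rS,d(rA): store the low 16 bits of rS (primary opcode 44)."""
    return 0xB0000000 | (rs << 21) | (ra << 16) | (d & 0xFFFF)

def lhz(rd, d, ra):
    """lhz rD,d(rA): load a zero-extended halfword (primary opcode 40)."""
    return 0xA0000000 | (rd << 21) | (ra << 16) | (d & 0xFFFF)

def mr(ra, rs):
    """mr rA,rS is or rA,rS,rS (opcode 31, extended opcode 444)."""
    return 0x7C000378 | (rs << 21) | (ra << 16) | (rs << 11)

def c2_code(hook, insns):
    """Wrap instructions in a C2 (insert ASM) code at the hook address.
    Lines are 64-bit pairs; an odd count is padded with 00000000, an even
    count gets a trailing 'nop 00000000' line (assumed Gecko convention)."""
    words = list(insns)
    if len(words) % 2 == 0:
        words.append(0x60000000)          # nop
    words.append(0x00000000)              # last word is always zero
    lines = [f"C2{hook & 0x01FFFFFF:06X} {len(words) // 2:08X}"]
    lines += [f"{words[i]:08X} {words[i + 1]:08X}" for i in range(0, len(words), 2)]
    return lines

def name_writer(hook, name, scratch, dest, replaced, max_units=8):
    """Emit li/sth pairs storing `name` as UTF-16 plus the 0x0000 terminator
    at 0(dest), 2(dest), ..., then re-emit the instruction the hook replaced.
    max_units: the copy loop at 8025E7E8 runs at most CTR times (r5 = 8 in the
    register dump), so name plus terminator must fit in 8 halfwords (assumption)."""
    units = [ord(ch) for ch in name] + [0]
    if len(units) > max_units or any(u > 0xFFFF for u in units):
        raise ValueError("name does not fit the copy loop or UTF-16 units")
    insns = []
    for i, u in enumerate(units):
        insns += [li(scratch, u), sth(scratch, 2 * i, dest)]
    return c2_code(hook, insns + [replaced])

if __name__ == "__main__":
    # The thread's final working code: hook 8025E7D8, scratch r6, dest r4,
    # and the replaced instruction mr r6,r3 re-emitted at the end.
    print("\n".join(name_writer(0x8025E7D8, "STOP", 6, 4, mr(6, 3))))
```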