Hey guys,
always when I use assembly instructions, 1-line codes (li, nop, ...) or maybe more lines, and there are for example computer players, they also gain the effect from this code! I nop the health, they are invincible, too! >:D But how can I force an ASM code to only work/gain the effect on myself? This was a big problem for me till now, hopefully someone can explain the way I need to look through disassembly or to structure the code. It doesn't matter how long the code will be, it only needs to work "player specific".
Example breakpoint and disassembly are coming later, IF I don´t understand it yet!
Thanks for answers :smileyface:
http://wiird.l0nk.org/forum/index.php/topic,6535.msg57443.html#msg57443
but if the address from your health is moving, it won't work like this, will it?
Well does the game have a player HP pointer? I could show an example if you like...
edit: due to my laziness, I will repost a modded version of my post that I linked you to.
Ok, let's say r30 is free, r29 has the HP value, and r28 contains the pointer made by the game
Player HP Pointer: 0x80123337
Pointer offset : 0x000C
lis r30, 0x8012 # loads upper half of HP pointer
addi r30, r30, 0x3337 # adds lower half of HP pointer
lwz r30, 0(r30) # loads the value of the HP pointer (player HP address)
addi r30, r30, 0x000C # adds pointer offset
cmpw r30, r28 # compares addresses
beq- 0x0008 # if addresses are the same, skip address storing (no dmg taken)
stw r29, 0(r28) # otherwise, store HP
As you can see, only two extra lines of ASM, or one if there is no offset.
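To make the control flow of that template concrete, here is an added example (it is not code from the thread or from Mathew_Wi): a tiny interpreter for just the six PowerPC instructions the template uses, run against a constructed memory image. The pointer address 0x80123337 and the offset 0x000C are the ones from the post; the base address the pointer holds, the enemy HP address and the starting HP of 100 are constructed for the demo. The same template is executed twice, once with r28 pointing at the player's HP cell and once at an enemy's, so you can see that only the player's store is skipped.

```python
import re

# Values from the post above; the memory layout built on them is constructed for the demo.
PLAYER_HP_POINTER = 0x80123337   # cell holding the player's HP struct base
POINTER_OFFSET = 0x000C          # player HP lives at base + offset
PLAYER_BASE = 0x9247F240         # constructed: what the pointer cell holds
ENEMY_HP_ADDR = 0x92481660       # constructed: some enemy's HP address

# The guarded store from the post: r29 = HP value the game wants to write,
# r28 = address the game is writing it to, r30 = free scratch register.
TEMPLATE = """
lis r30, 0x8012
addi r30, r30, 0x3337
lwz r30, 0(r30)
addi r30, r30, 0x000C
cmpw r30, r28
beq- 0x0008
stw r29, 0(r28)
"""

def u32(v):
    return v & 0xFFFFFFFF

def s16(v):
    """Sign-extend a 16-bit immediate the way addi does (0x8000 and above go negative)."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v

def reg(tok):
    return int(tok.strip()[1:])          # "r30" -> 30

def mem_operand(tok):
    """'0(r30)' -> (0, 30): displacement and base register."""
    m = re.fullmatch(r"\s*(-?(?:0x[0-9A-Fa-f]+|\d+))\((r\d+)\)\s*", tok)
    return int(m.group(1), 0), reg(m.group(2))

def execute(code, regs, mem):
    """Interpret the handful of instructions the template uses.
    pc counts bytes from the first instruction, 4 bytes per instruction."""
    lines = [l.strip() for l in code.splitlines() if l.strip()]
    pc, cr0_eq = 0, False
    while pc < 4 * len(lines):
        mnem, _, rest = lines[pc // 4].partition(" ")
        ops = [o.strip() for o in rest.split(",")]
        pc += 4
        if mnem == "lis":
            regs[reg(ops[0])] = u32(int(ops[1], 0) << 16)
        elif mnem == "addi":
            regs[reg(ops[0])] = u32(regs[reg(ops[1])] + s16(int(ops[2], 0)))
        elif mnem == "lwz":
            off, ra = mem_operand(ops[1])
            regs[reg(ops[0])] = mem.get(u32(regs[ra] + off), 0)
        elif mnem == "stw":
            off, ra = mem_operand(ops[1])
            mem[u32(regs[ra] + off)] = regs[reg(ops[0])]
        elif mnem == "cmpw":
            cr0_eq = regs[reg(ops[0])] == regs[reg(ops[1])]
        elif mnem.rstrip("+-") == "beq":
            if cr0_eq:
                # offset is relative to the branch itself: +8 lands one instruction past it
                pc = pc - 4 + int(ops[0], 0)
        else:
            raise ValueError("unsupported instruction: " + mnem)
    return regs, mem

def simulate_hit(target_addr, new_hp):
    """Run the template for a game write of new_hp to target_addr and return what
    is left in that HP cell afterwards (100 means the store was skipped)."""
    mem = {PLAYER_HP_POINTER: PLAYER_BASE,
           PLAYER_BASE + POINTER_OFFSET: 100,   # constructed starting HP
           ENEMY_HP_ADDR: 100}
    regs = {28: target_addr, 29: new_hp, 30: 0}
    execute(TEMPLATE, regs, mem)
    return mem[target_addr]

if __name__ == "__main__":
    print("player hit ->", simulate_hit(PLAYER_BASE + POINTER_OFFSET, 37))  # 100
    print("enemy hit  ->", simulate_hit(ENEMY_HP_ADDR, 37))                 # 37
```

One detail the interpreter models on purpose: addi sign-extends its immediate, so the lis/addi pair only assembles the intended address when the lower half is below 0x8000 (0x3337 here is fine). For a lower half of 0x8000 or more, use ori instead of addi, or add 1 to the lis half to compensate.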
and you need to use pointer search to find out the pointer offset, am I right? ^-^
the offset is the number after the pointer address in the pointer search :S
ex:
[80000000] + 1000
argh, then you need to do this as well.
But thanks for the answers ;)
Quote from: Bully@Wiiplaza on September 18, 2010, 12:32:29 AM
Hey guys,
always when I use assembly instructions, 1-line codes (li, nop, ...) or maybe more lines, and there are for example computer players, they also gain the effect from this code! I nop the health, they are invincible, too! >:D But how can I force an ASM code to only work/gain the effect on myself? This was a big problem for me till now, hopefully someone can explain the way I need to look through disassembly or to structure the code. It doesn't matter how long the code will be, it only needs to work "player specific".
Example breakpoint and disassembly are coming later, IF I don´t understand it yet!
Thanks for answers :smileyface:
There are other ways to do this using ASM >.
99% of the time if it uses the same Function for both then there is normally a Branch or a Compare that will be above it or it'll be on the Branch Return Op ..
looking for this could help u, look for the example of Swords . it also used the same address for the HP but it had a Compare and jumped to another area :P
another way to do it is to look through the Player section From offset 0 and then compare it to the Enemy section from offset 0 and u might find something Stating CPU controlled and Player controlled, i did this with a game but i can't remember what one lol
then all u do is make a Sub code that checks that offset for player controlled and you're set ..
could you give a code example with line explanations?
That would be great :D
I was also wondering this. How would this be done for a game that doesn't use pointers?
Yes, Mathew_Wi is right, all games use pointers in ASM, it's how the ASM knows where to write the data in memory :p
do they also all use moving addresses?
Because Fifa didn't as I hacked it, not a single time.
I like this behaviour 8) I could hack this game like crazy... ;D
Ahh. I see. I thought matt was talking about regular pointers :p
alright. since i can't tell what is what, what would be the asm pointer? :(
the "asm pointer" is the register in the brackets on the stw instruction and the offset is the number (NOT the register) outside the brackets.
oh. well thanks! i tried. the code didn't work e_e
what code, what game? Did you change the registers?
can someone help me again pls? :(
Let's say, r12 is free, r0 contains the hp value from the last hit player, r4 holds the player/enemy hp pointer (last hit), need more info?
lis r12, 0x9248 --> loads first half of address
addi r12, r12, 0x1660 --> loads second half
lwz r12, 0(r12) ---> stores the address
cmpw r12, r4 --> compare to r4
... ---> now here I want to insert an "if equal, skip next line" op code, but how can I calculate it? pls help!
(note: PyiiASMH works for me) if addresses are the same, skip address storing (no dmg taken)
stw r0, 11660(r4)
will this work for "player inf. health" only?
[spoiler]CR:44000000 XER:00000000 CTR:803CB5B4 DSIS:00000000
DAR:00000000 SRR0:803CB64C SRR1:0000B032 LR:803CB5F4
r0:00000148 r1:80F650E8 r2:80648600 r3:0000014C
r4:92481660 r5:00000000 r6:FFFFFFFC r7:FFFFFFFC
r8:00000000 r9:00000004 r10:00000004 r11:80F650E8
r12:803CB5B4 r13:806452C0 r14:00000008 r15:00000002
r16:00000000 r17:00000004 r18:00000000 r19:00000004
r20:0000F100 r21:00000010 r22:00000003 r23:00010000
r24:918E83A0 r25:00000000 r26:8048CDB4 r27:9247F240
r28:00000004 r29:918E83B4 r30:9247F240 r31:92481660
f0:00000000 f1:3F000000 f2:00000000 f3:00000000
f4:00000000 f5:00000000 f6:00000000 f7:00000000
f8:00000000 f9:00000000 f10:00000000 f11:3F800000
f12:00000000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:00000000 f31:00000000
803CB5B4: 9421FFF0 stwu r1,-16(r1)
803CB5B8: 7C0802A6 mflr r0
803CB5BC: 90010014 stw r0,20(r1)
803CB5C0: 93E1000C stw r31,12(r1)
803CB5C4: 7C9F2378 mr r31,r4
803CB5C8: 93C10008 stw r30,8(r1)
803CB5CC: 7C7E1B78 mr r30,r3
803CB5D0: 7FE3FB78 mr r3,r31
803CB5D4: 80A400B4 lwz r5,180(r4)
803CB5D8: 38050001 addi r0,r5,1
803CB5DC: 900400B4 stw r0,180(r4)
803CB5E0: 4800B88D bl 0x803d6e6c
803CB5E4: 7C651B78 mr r5,r3
803CB5E8: 7FC3F378 mr r3,r30
803CB5EC: 7FE4FB78 mr r4,r31
803CB5F0: 4800CA4D bl 0x803d803c
803CB5F4: 1D0300C0 mulli r8,r3,192
803CB5F8: 80FF215C lwz r7,8540(r31)
803CB5FC: 7C651B78 mr r5,r3
803CB600: 7C9F4214 add r4,r31,r8
803CB604: 80C42D8C lwz r6,11660(r4)
803CB608: 7C073215 add. r0,r7,r6
803CB60C: 41810010 bgt- 0x803cb61c
803CB610: 7C0600D0 neg r0,r6
803CB614: 901F2148 stw r0,8520(r31)
803CB618: 48000008 b 0x803cb620
803CB61C: 90FF2148 stw r7,8520(r31)
803CB620: 80DF2148 lwz r6,8520(r31)
803CB624: 2C060000 cmpwi r6,0
803CB628: 40800018 bge- 0x803cb640
803CB62C: 5460103A rlwinm r0,r3,2,0,29
803CB630: 7C7F0214 add r3,r31,r0
803CB634: 80030164 lwz r0,356(r3)
803CB638: 7C060050 sub r0,r0,r6
803CB63C: 90030164 stw r0,356(r3)
803CB640: 80642D8C lwz r3,11660(r4)
803CB644: 801F215C lwz r0,8540(r31)
803CB648: 7C030215 add. r0,r3,r0
803CB64C: 90042D8C stw r0,11660(r4) --> was going to be executed
803CB650: 40800010 bge- 0x803cb660
803CB654: 38000000 li r0,0
803CB658: 90042D8C stw r0,11660(r4)
803CB65C: 48000018 b 0x803cb674
803CB660: 7C7F4214 add r3,r31,r8
803CB664: 80632D90 lwz r3,11664(r3)
803CB668: 7C001840 cmplw r0,r3
803CB66C: 40810008 ble- 0x803cb674
803CB670: 90642D8C stw r3,11660(r4)
803CB674: 7FC3F378 mr r3,r30
803CB678: 7FE4FB78 mr r4,r31
803CB67C: 4BFF1CF9 bl 0x803bd374
803CB680: 83E1000C lwz r31,12(r1)
803CB684: 38600000 li r3,0
803CB688: 83C10008 lwz r30,8(r1)
803CB68C: 80010014 lwz r0,20(r1)
803CB690: 7C0803A6 mtlr r0
803CB694: 38210010 addi r1,r1,16
803CB698: 4E800020 blr
[/spoiler]
You don't want lwz r12,0(r12). That would be like [0x92481660]. From the breakpoint tab, though, it looks like your pointer is actually 0x92481660.
The general template looks correct, though. After the cmpw, you will want "beq- 0x08". That will skip over the stw.
However, I am concerned about that pointer. It will probably change when you restart the game or change levels. I think it's very rare for something in MEM2 to be static.
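The "how do I calculate it?" part of the question above comes down to how a PowerPC conditional branch is encoded, so here is an added example (not code from the thread or from dcx2) that encodes and decodes the bc instruction form used by beq-/bne-/bgt-/ble-/bge-/blt and computes the skip offset: the displacement is measured from the branch instruction itself, every instruction is 4 bytes, so skipping one instruction is 0x08, two is 0x0C and so on. The instruction words it checks against (41820008, 4082000C, 41810010, 40810008, 40800018, 4180FFE0, 41820034) are all taken from the disassembly listings posted in this thread; the BO/BI values are the standard PowerPC encodings for cr0 conditions with the branch hint bit clear.

```python
OPCODE_BC = 16   # primary opcode of the "branch conditional" (bc) instruction

# BO selects the test: 12 = branch if the CR bit is set, 4 = branch if it is clear
# (branch hint bit y = 0, which the disassembler shows as "-" on forward branches).
# BI selects the cr0 bit: 0 = LT, 1 = GT, 2 = EQ.
COND = {
    "beq": (12, 2), "bne": (4, 2),
    "bgt": (12, 1), "ble": (4, 1),
    "blt": (12, 0), "bge": (4, 0),
}

def skip_offset(n_instructions):
    """Byte displacement for a branch that jumps over n following instructions."""
    return 4 * (n_instructions + 1)

def encode_bc(mnemonic, offset):
    """Build the 32-bit instruction word for e.g. ('beq-', 8) -> 0x41820008."""
    bo, bi = COND[mnemonic.rstrip("+-")]
    if offset % 4 or not -0x8000 <= offset < 0x8000:
        raise ValueError("offset must be a multiple of 4 within +/-32 KiB")
    # bits: opcode(6) | BO(5) | BI(5) | BD(14, in units of 4 bytes) | AA | LK
    return (OPCODE_BC << 26) | (bo << 21) | (bi << 16) | (offset & 0xFFFC)

def decode_bc(word):
    """Inverse of encode_bc: 0x41820034 -> ('beq', 0x34)."""
    if word >> 26 != OPCODE_BC:
        raise ValueError("not a bc instruction")
    bo = (word >> 21) & 0x1F
    bi = (word >> 16) & 0x1F
    offset = word & 0xFFFC
    if offset & 0x8000:              # 16-bit two's complement displacement
        offset -= 0x10000
    for name, (b, i) in COND.items():
        if (b, i) == (bo, bi):
            return name, offset
    raise ValueError("unsupported BO/BI combination: %d/%d" % (bo, bi))

def branch_target(branch_addr, word):
    """Absolute target of a bc located at branch_addr, as the disassembler prints it."""
    _, offset = decode_bc(word)
    return (branch_addr + offset) & 0xFFFFFFFF

if __name__ == "__main__":
    # the "skip one stw" case from the thread
    off = skip_offset(1)
    print("beq- 0x%02X -> %08X" % (off, encode_bc("beq-", off)))        # 41820008
    # cross-check against words from the posted disassembly
    print("%08X -> %s" % (0x41820034, decode_bc(0x41820034)))             # ('beq', 0x34)
    print("target: %08X" % branch_target(0x803AC530, 0x41820034))        # 803AC564
```

A backward branch such as the 4180FFE0 at 803AC560 in the thread is just a negative displacement (-0x20); the disassembler prints it as blt+ because with the hint bit clear a backward branch is statically predicted taken, not because a different bit is set.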
Quote from: dcx2 on October 08, 2010, 09:34:13 PM
You don't want lwz r12,0(r12). That would be like [0x92481660]. From the breakpoint tab, though, it looks like your pointer is actually 0x92481660.
The general template looks correct, though. After the cmpw, you will want "beq- 0x08". That will skip over the stw.
However, I am concerned about that pointer. It will probably change when you restart the game or change levels. I think it's very rare for something in MEM2 to be static.
yeah, it changed after restarting, I noticed it atm, what now... o.o
Walk the stack to the caller and figure out where r4 came from. If you don't know how to walk the stack, use the latest Gecko.NET, hit the breakpoint, go to the disassembly tab, and then double-click the Call Stack list box. The top address is the currently executing instruction. The address below it is the caller. Double-click the caller and look around before the bl. You may find a clue as to where r4 comes from.
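What the Call Stack list box is doing under the hood is following the stack back chain, and it helps to have done it by hand once. Below is an added example (not code from the thread or from Gecko.NET) that walks a constructed PowerPC stack image. The frame layout is the one every prologue in the posted disassembly uses: stwu r1,-N(r1) stores the old r1 at 0(new r1), and stw r0,N+4(r1) saves the return address 4 bytes above the old r1, so each function's return address sits in its caller's frame. The r1 value 0x80F650E8 comes from the register dump above; the frame sizes (16, 16, 80) match the epilogues of the functions listed, and the return addresses are the instructions right after the calls at 803B6A78, 803B2CA8 and 803AC518, which is why the call-stack list shows those call addresses (saved LR minus 4).

```python
def walk_stack(mem, sp, max_frames=16):
    """Follow the back chain from r1 = sp and return the saved return
    addresses, innermost first. mem maps word addresses to 32-bit values."""
    chain = []
    while sp in mem and len(chain) < max_frames:
        caller_sp = mem[sp]                 # back chain word written by stwu at 0(r1)
        if caller_sp == 0 or caller_sp + 4 not in mem:
            break                           # outermost frame or truncated image
        chain.append(mem[caller_sp + 4])    # LR saved by "stw r0, N+4(r1)"
        sp = caller_sp
    return chain

def call_sites(chain):
    """The addresses a call-stack view lists: the bl/bctrl itself, i.e. LR - 4."""
    return [lr - 4 for lr in chain]

def build_constructed_stack():
    """Constructed sample image of three frames above the breakpoint frame."""
    sp = 0x80F650E8                         # r1 in the register dump
    # (frame size of the function, return address its caller will resume at)
    frames = [(16, 0x803B6A7C), (16, 0x803B2CAC), (80, 0x803AC51C)]
    mem = {}
    cur = sp
    for size, ret in frames:
        caller_sp = cur + size
        mem[cur] = caller_sp                # stwu r1,-size(r1) leaves old r1 here
        mem[caller_sp + 4] = ret            # stw r0,size+4(r1) saves LR here
        cur = caller_sp
    mem[cur] = 0                            # terminate the chain
    return mem, sp

if __name__ == "__main__":
    mem, sp = build_constructed_stack()
    for lr, site in zip(walk_stack(mem, sp), call_sites(walk_stack(mem, sp))):
        print("return to %08X  (called from %08X)" % (lr, site))
```

Note that the LR register itself at the breakpoint (803CB5F4 in the dump) is not the return address of the current function: the bl 0x803d803c inside it overwrote LR, which is exactly why the prologue saved the original value to the stack first and why a walker reads 20(r1) rather than LR.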
Quote from: dcx2 on October 08, 2010, 09:47:54 PM
Walk the stack to the caller and figure out where r4 came from. If you don't know how to walk the stack, use the latest Gecko.NET, hit the breakpoint, go to the disassembly tab, and then double-click the Call Stack list box. The top address is the currently executing instruction. The address below it is the caller. Double-click the caller and look around before the bl. You may find a clue as to where r4 comes from.
oh, I will try that and download the new version, don't go away pls xD
I was in the breakpoint and call stack showed me some addresses:
VERY big spoiler:
[spoiler]1.)
803CB64C: 90042D8C stw r0,11660(r4) -> don't we know that first one already?
803CB650: 40800010 bge- 0x803cb660
803CB654: 38000000 li r0,0
803CB658: 90042D8C stw r0,11660(r4)
803CB65C: 48000018 b 0x803cb674
803CB660: 7C7F4214 add r3,r31,r8
803CB664: 80632D90 lwz r3,11664(r3)
803CB668: 7C001840 cmplw r0,r3
803CB66C: 40810008 ble- 0x803cb674
803CB670: 90642D8C stw r3,11660(r4)
803CB674: 7FC3F378 mr r3,r30
803CB678: 7FE4FB78 mr r4,r31
803CB67C: 4BFF1CF9 bl 0x803bd374
803CB680: 83E1000C lwz r31,12(r1)
803CB684: 38600000 li r3,0
803CB688: 83C10008 lwz r30,8(r1)
803CB68C: 80010014 lwz r0,20(r1)
803CB690: 7C0803A6 mtlr r0
803CB694: 38210010 addi r1,r1,16
803CB698: 4E800020 blr
803CB69C: 9421FFE0 stwu r1,-32(r1)
803CB6A0: 7C0802A6 mflr r0
803CB6A4: 90010024 stw r0,36(r1)
803CB6A8: 39610020 addi r11,r1,32
803CB6AC: 4BDFBA85 bl 0x801c7130
803CB6B0: 80A400B4 lwz r5,180(r4)
803CB6B4: 7C9F2378 mr r31,r4
803CB6B8: 7C7D1B78 mr r29,r3
803CB6BC: 38050001 addi r0,r5,1
803CB6C0: 7FE3FB78 mr r3,r31
803CB6C4: 900400B4 stw r0,180(r4)
803CB6C8: 4800B7A5 bl 0x803d6e6c
803CB6CC: 7C651B78 mr r5,r3
803CB6D0: 7FA3EB78 mr r3,r29
803CB6D4: 7FE4FB78 mr r4,r31
803CB6D8: 4800C965 bl 0x803d803c
803CB6DC: 7C7E1B78 mr r30,r3
803CB6E0: 7FA3EB78 mr r3,r29
803CB6E4: 7FE4FB78 mr r4,r31
803CB6E8: 7FC5F378 mr r5,r30
803CB6EC: 4BFE59A5 bl 0x803b1090
803CB6F0: 801F215C lwz r0,8540(r31)
803CB6F4: 2C007FFF cmpwi r0,32767
803CB6F8: 41820130 beq- 0x803cb828
803CB6FC: 1C1E00C0 mulli r0,r30,192
803CB700: 3C608049 lis r3,-32695
803CB704: 93C3CDE8 stw r30,-12824(r3)
803CB708: 3863CDE8 subi r3,r3,12824
803CB70C: 7C9F0214 add r4,r31,r0
803CB710: 80042D8C lwz r0,11660(r4)
803CB714: 90030004 stw r0,4(r3)
803CB718: 80042D90 lwz r0,11664(r4)
803CB71C: 90030008 stw r0,8(r3)
803CB720: 80BF215C lwz r5,8540(r31)
803CB724: 2C050000 cmpwi r5,0
803CB728: 408200C8 bne- 0x803cb7f0
803CB72C: 3C608049 lis r3,-32695
803CB730: 3863CE28 subi r3,r3,12760
803CB734: 8003001C lwz r0,28(r3)
803CB738: 28000001 cmplwi r0,1
2.)
803B6A78: 48012A55 bl 0x803c94cc
803B6A7C: 2C030001 cmpwi r3,1
803B6A80: 40820014 bne- 0x803b6a94
803B6A84: 801F000C lwz r0,12(r31)
803B6A88: 38600000 li r3,0
803B6A8C: 907F00B4 stw r3,180(r31)
803B6A90: 901F0008 stw r0,8(r31)
803B6A94: 80010014 lwz r0,20(r1)
803B6A98: 83E1000C lwz r31,12(r1)
803B6A9C: 7C0803A6 mtlr r0
803B6AA0: 38210010 addi r1,r1,16
803B6AA4: 4E800020 blr
803B6AA8: 9421FFC0 stwu r1,-64(r1)
803B6AAC: 7C0802A6 mflr r0
803B6AB0: 90010044 stw r0,68(r1)
803B6AB4: 39610040 addi r11,r1,64
803B6AB8: 4BE10655 bl 0x801c710c
803B6ABC: 80040048 lwz r0,72(r4)
803B6AC0: 7C751B78 mr r21,r3
803B6AC4: 7C962378 mr r22,r4
803B6AC8: 28000006 cmplwi r0,6
803B6ACC: 41810E44 bgt- 0x803b7910
803B6AD0: 3C608047 lis r3,-32697
803B6AD4: 5400103A rlwinm r0,r0,2,0,29
803B6AD8: 3863345C addi r3,r3,13404
803B6ADC: 7C63002E lwzx r3,r3,r0
803B6AE0: 7C6903A6 mtctr r3
803B6AE4: 4E800420 bctr
803B6AE8: 7EC3B378 mr r3,r22
803B6AEC: 38800002 li r4,2
803B6AF0: 38A00116 li r5,278
803B6AF4: 48003EE1 bl 0x803ba9d4
803B6AF8: 80760048 lwz r3,72(r22)
803B6AFC: 38800015 li r4,21
803B6B00: 80B60008 lwz r5,8(r22)
803B6B04: 38030001 addi r0,r3,1
803B6B08: 90B6000C stw r5,12(r22)
803B6B0C: 90960008 stw r4,8(r22)
803B6B10: 90160048 stw r0,72(r22)
803B6B14: 48000E8C b 0x803b79a0
803B6B18: 80042184 lwz r0,8580(r4)
803B6B1C: 5400077B rlwinm. r0,r0,0,29,29
803B6B20: 4082095C bne- 0x803b747c
803B6B24: 80043044 lwz r0,12356(r4)
803B6B28: 3C608049 lis r3,-32695
803B6B2C: 3B83CE28 subi r28,r3,12760
803B6B30: 3B000000 li r24,0
803B6B34: 54002036 rlwinm r0,r0,4,0,27
803B6B38: 3B600015 li r27,21
803B6B3C: 7C640214 add r3,r4,r0
803B6B40: 3B400026 li r26,38
803B6B44: A2E303DE lhz r23,990(r3)
803B6B48: 3BA00005 li r29,5
803B6B4C: 3BC00001 li r30,1
803B6B50: 3A800000 li r20,0
803B6B54: 3BE00021 li r31,33
803B6B58: 3F208047 lis r25,-32697
803B6B5C: 80960050 lwz r4,80(r22)
803B6B60: 28040010 cmplwi r4,16
803B6B64: 418108CC bgt- 0x803b7430
3.)
803B2CA8: 4E800421 bctrl
803B2CAC: 807F0008 lwz r3,8(r31)
803B2CB0: 83E1000C lwz r31,12(r1)
803B2CB4: 3803FFD5 subi r0,r3,43
803B2CB8: 83C10008 lwz r30,8(r1)
803B2CBC: 7C000034 cntlzw r0,r0
803B2CC0: 5403D97E rlwinm r3,r0,27,5,31
803B2CC4: 80010014 lwz r0,20(r1)
803B2CC8: 7C0803A6 mtlr r0
803B2CCC: 38210010 addi r1,r1,16
803B2CD0: 4E800020 blr
803B2CD4: 9421FFF0 stwu r1,-16(r1)
803B2CD8: 7C0802A6 mflr r0
803B2CDC: 90010014 stw r0,20(r1)
803B2CE0: 93E1000C stw r31,12(r1)
803B2CE4: 7C7F1B78 mr r31,r3
803B2CE8: 80632120 lwz r3,8480(r3)
803B2CEC: 4BDBB3B5 bl 0x8016e0a0
803B2CF0: 7FE3FB78 mr r3,r31
803B2CF4: 4BDBB3AD bl 0x8016e0a0
803B2CF8: 80010014 lwz r0,20(r1)
803B2CFC: 83E1000C lwz r31,12(r1)
803B2D00: 7C0803A6 mtlr r0
803B2D04: 38210010 addi r1,r1,16
803B2D08: 4E800020 blr
803B2D0C: 9421FFE0 stwu r1,-32(r1)
803B2D10: 7C0802A6 mflr r0
803B2D14: 90010024 stw r0,36(r1)
803B2D18: 39610020 addi r11,r1,32
803B2D1C: 4BE1440D bl 0x801c7128
803B2D20: 7C7B1B78 mr r27,r3
803B2D24: 7C9C2378 mr r28,r4
803B2D28: 7CBD2B78 mr r29,r5
803B2D2C: 7CDE3378 mr r30,r6
803B2D30: 7CFF3B78 mr r31,r7
803B2D34: 48003601 bl 0x803b6334
803B2D38: 7F63DB78 mr r3,r27
803B2D3C: 7F84E378 mr r4,r28
803B2D40: 7FA5EB78 mr r5,r29
803B2D44: 7FC6F378 mr r6,r30
803B2D48: 7FE7FB78 mr r7,r31
803B2D4C: 48003A89 bl 0x803b67d4
803B2D50: 39610020 addi r11,r1,32
803B2D54: 4BE14421 bl 0x801c7174
803B2D58: 80010024 lwz r0,36(r1)
803B2D5C: 7C0803A6 mtlr r0
803B2D60: 38210020 addi r1,r1,32
803B2D64: 4E800020 blr
803B2D68: 9421FFE0 stwu r1,-32(r1)
803B2D6C: 7C0802A6 mflr r0
803B2D70: 90010024 stw r0,36(r1)
803B2D74: 39610020 addi r11,r1,32
803B2D78: 4BE143B5 bl 0x801c712c
803B2D7C: 7C7C1B78 mr r28,r3
803B2D80: 7C9D2378 mr r29,r4
803B2D84: 4BFF9ADD bl 0x803ac860
803B2D88: 7C7F1B78 mr r31,r3
803B2D8C: 3BC00000 li r30,0
803B2D90: 48000020 b 0x803b2db0
803B2D94: 7C9DF214 add r4,r29,r30
4.)
803AC518: 48006725 bl 0x803b2c3c
803AC51C: 987B23C2 stb r3,9154(r27)
803AC520: 7F63DB78 mr r3,r27
803AC524: 48002F21 bl 0x803af444
803AC528: 881B23C0 lbz r0,9152(r27)
803AC52C: 2C000000 cmpwi r0,0
803AC530: 41820034 beq- 0x803ac564
803AC534: 3B400000 li r26,0
803AC538: 3BC00000 li r30,0
803AC53C: 4800001C b 0x803ac558
803AC540: 7C9BF214 add r4,r27,r30
803AC544: 7F63DB78 mr r3,r27
803AC548: 80840034 lwz r4,52(r4)
803AC54C: 4BFF9BED bl 0x803a6138
803AC550: 3B5A0001 addi r26,r26,1
803AC554: 3BDE0004 addi r30,r30,4
803AC558: 801B0044 lwz r0,68(r27)
803AC55C: 7C1A0000 cmpw r26,r0
803AC560: 4180FFE0 blt+ 0x803ac540
803AC564: 881B23C2 lbz r0,9154(r27)
803AC568: 2C000001 cmpwi r0,1
803AC56C: 40820068 bne- 0x803ac5d4
803AC570: 3800000A li r0,10
803AC574: 901D0000 stw r0,0(r29)
803AC578: 4800005C b 0x803ac5d4
803AC57C: 3800000B li r0,11
803AC580: 901D0000 stw r0,0(r29)
803AC584: 48000050 b 0x803ac5d4
803AC588: 38600002 li r3,2
803AC58C: 4802D2C9 bl 0x803d9854
803AC590: 3860003E li r3,62
803AC594: 4802D2D9 bl 0x803d986c
803AC598: 3800000C li r0,12
803AC59C: 901D0000 stw r0,0(r29)
803AC5A0: 48000034 b 0x803ac5d4
803AC5A4: 3860003E li r3,62
803AC5A8: 4802D2BD bl 0x803d9864
803AC5AC: 2C030000 cmpwi r3,0
803AC5B0: 41820024 beq- 0x803ac5d4
803AC5B4: 3800000F li r0,15
803AC5B8: 901D0000 stw r0,0(r29)
803AC5BC: 48000018 b 0x803ac5d4
803AC5C0: 3800000F li r0,15
803AC5C4: 901D0000 stw r0,0(r29)
803AC5C8: 4800000C b 0x803ac5d4
803AC5CC: 38600001 li r3,1
803AC5D0: 48000008 b 0x803ac5d8
803AC5D4: 38600000 li r3,0
803AC5D8: 39610050 addi r11,r1,80
803AC5DC: 4BE1AB8D bl 0x801c7168
803AC5E0: 80010054 lwz r0,84(r1)
803AC5E4: 7C0803A6 mtlr r0
803AC5E8: 38210050 addi r1,r1,80
803AC5EC: 4E800020 blr
803AC5F0: 9421FFE0 stwu r1,-32(r1)
803AC5F4: 7C0802A6 mflr r0
803AC5F8: 90010024 stw r0,36(r1)
803AC5FC: 39610020 addi r11,r1,32
803AC600: 4BE1AB29 bl 0x801c7128
803AC604: 4802D845 bl 0x803d9e48
5.)
803D9CF8: 4BFD183D bl 0x803ab534
803D9CFC: 3003FFFF subic r0,r3,1
803D9D00: 7C601910 subfe r3,r0,r3
803D9D04: 80010014 lwz r0,20(r1)
803D9D08: 7C0803A6 mtlr r0
803D9D0C: 38210010 addi r1,r1,16
803D9D10: 4E800020 blr
803D9D14: 38600001 li r3,1
803D9D18: 4E800020 blr
803D9D1C: 9421FFF0 stwu r1,-16(r1)
803D9D20: 7C0802A6 mflr r0
803D9D24: 90010014 stw r0,20(r1)
803D9D28: 4BFFFE95 bl 0x803d9bbc
803D9D2C: 48005179 bl 0x803deea4
803D9D30: 4BFFFEE9 bl 0x803d9c18
803D9D34: 808DB334 lwz r4,-19660(r13)
803D9D38: 3C608040 lis r3,-32704
803D9D3C: 38635BD0 addi r3,r3,23504
803D9D40: 38A0001B li r5,27
803D9D44: 80040000 lwz r0,0(r4)
803D9D48: 80840004 lwz r4,4(r4)
803D9D4C: 90040000 stw r0,0(r4)
803D9D50: 808DB334 lwz r4,-19660(r13)
803D9D54: 80840004 lwz r4,4(r4)
803D9D58: 48004FA5 bl 0x803decfc
803D9D5C: 808DB334 lwz r4,-19660(r13)
803D9D60: 90640014 stw r3,20(r4)
803D9D64: 806DB334 lwz r3,-19660(r13)
803D9D68: 80010014 lwz r0,20(r1)
803D9D6C: 80630000 lwz r3,0(r3)
803D9D70: 7C0803A6 mtlr r0
803D9D74: 38210010 addi r1,r1,16
803D9D78: 4E800020 blr
803D9D7C: 9421FFF0 stwu r1,-16(r1)
803D9D80: 7C0802A6 mflr r0
803D9D84: 90010014 stw r0,20(r1)
803D9D88: 806DB334 lwz r3,-19660(r13)
803D9D8C: 80630014 lwz r3,20(r3)
803D9D90: 2C030000 cmpwi r3,0
803D9D94: 41820014 beq- 0x803d9da8
803D9D98: 48004FE1 bl 0x803ded78
803D9D9C: 806DB334 lwz r3,-19660(r13)
803D9DA0: 38000000 li r0,0
803D9DA4: 90030014 stw r0,20(r3)
803D9DA8: 806DB334 lwz r3,-19660(r13)
803D9DAC: 80630008 lwz r3,8(r3)
803D9DB0: 2C030000 cmpwi r3,0
803D9DB4: 41820014 beq- 0x803d9dc8
803D9DB8: 4BD942E9 bl 0x8016e0a0
803D9DBC: 806DB334 lwz r3,-19660(r13)
803D9DC0: 38000000 li r0,0
803D9DC4: 90030008 stw r0,8(r3)
803D9DC8: 806DB330 lwz r3,-19664(r13)
803D9DCC: 2C030000 cmpwi r3,0
803D9DD0: 41820010 beq- 0x803d9de0
803D9DD4: 4BE00CE5 bl 0x801daab8
803D9DD8: 38000000 li r0,0
803D9DDC: 900DB330 stw r0,-19664(r13)
803D9DE0: 806DB334 lwz r3,-19660(r13)
803D9DE4: 2C030000 cmpwi r3,0
.......
[/spoiler]
second part:
[spoiler]6.)
803DEE44: 4E800421 bctrl
803DEE48: 2C030001 cmpwi r3,1
803DEE4C: 40820038 bne- 0x803dee84
803DEE50: 38600003 li r3,3
803DEE54: 38000000 li r0,0
803DEE58: 907F0010 stw r3,16(r31)
803DEE5C: 901F0014 stw r0,20(r31)
803DEE60: 48000024 b 0x803dee84
803DEE64: 81830008 lwz r12,8(r3)
803DEE68: 38830014 addi r4,r3,20
803DEE6C: 7D8903A6 mtctr r12
803DEE70: 4E800421 bctrl
803DEE74: 2C030001 cmpwi r3,1
803DEE78: 4082000C bne- 0x803dee84
803DEE7C: 38600001 li r3,1
803DEE80: 48000008 b 0x803dee88
803DEE84: 38600000 li r3,0
803DEE88: 80010014 lwz r0,20(r1)
803DEE8C: 83E1000C lwz r31,12(r1)
803DEE90: 7C0803A6 mtlr r0
803DEE94: 38210010 addi r1,r1,16
803DEE98: 4E800020 blr
803DEE9C: 80630014 lwz r3,20(r3)
803DEEA0: 4E800020 blr
803DEEA4: 9421FFE0 stwu r1,-32(r1)
803DEEA8: 7C0802A6 mflr r0
803DEEAC: 90010024 stw r0,36(r1)
803DEEB0: 39610020 addi r11,r1,32
803DEEB4: 4BDE827D bl 0x801c7130
803DEEB8: 3FC08064 lis r30,-32668
803DEEBC: 3BA00000 li r29,0
803DEEC0: 3BDED230 subi r30,r30,11728
803DEEC4: 3BE00000 li r31,0
803DEEC8: 7C7EFA14 add r3,r30,r31
803DEECC: 38800000 li r4,0
803DEED0: 38A00008 li r5,8
803DEED4: 4BC25231 bl 0x80004104
803DEED8: 3BBD0001 addi r29,r29,1
803DEEDC: 3BFF0008 addi r31,r31,8
803DEEE0: 2C1D0010 cmpwi r29,16
803DEEE4: 4180FFE4 blt+ 0x803deec8
803DEEE8: 39610020 addi r11,r1,32
803DEEEC: 4BDE8291 bl 0x801c717c
803DEEF0: 80010024 lwz r0,36(r1)
803DEEF4: 7C0803A6 mtlr r0
803DEEF8: 38210020 addi r1,r1,32
803DEEFC: 4E800020 blr
803DEF00: 3CA08064 lis r5,-32668
803DEF04: 38000010 li r0,16
803DEF08: 38A5D230 subi r5,r5,11728
803DEF0C: 7C0903A6 mtctr r0
803DEF10: 80050000 lwz r0,0(r5)
803DEF14: 2C000000 cmpwi r0,0
803DEF18: 40820014 bne- 0x803def2c
803DEF1C: 90650000 stw r3,0(r5)
803DEF20: 7CA32B78 mr r3,r5
803DEF24: 90850004 stw r4,4(r5)
803DEF28: 4E800020 blr
803DEF2C: 38A50008 addi r5,r5,8
803DEF30: 4200FFE0 bdnz+ 0x803def10
7.)
803D9E1C: 48004FA5 bl 0x803dedc0
803D9E20: 2C030000 cmpwi r3,0
803D9E24: 4182000C beq- 0x803d9e30
803D9E28: 38600001 li r3,1
803D9E2C: 4800000C b 0x803d9e38
803D9E30: 48005141 bl 0x803def70
803D9E34: 38600000 li r3,0
803D9E38: 80010014 lwz r0,20(r1)
803D9E3C: 7C0803A6 mtlr r0
803D9E40: 38210010 addi r1,r1,16
803D9E44: 4E800020 blr
803D9E48: 806DB334 lwz r3,-19660(r13)
803D9E4C: 80630014 lwz r3,20(r3)
803D9E50: 4E800020 blr
803D9E54: 9421FFF0 stwu r1,-16(r1)
803D9E58: 7C0802A6 mflr r0
803D9E5C: 90010014 stw r0,20(r1)
803D9E60: 93E1000C stw r31,12(r1)
803D9E64: 806DB334 lwz r3,-19660(r13)
803D9E68: 80630014 lwz r3,20(r3)
803D9E6C: 48005031 bl 0x803dee9c
803D9E70: 7C7F1B78 mr r31,r3
803D9E74: 4BFD29BD bl 0x803ac830
803D9E78: 7FE01A78 xor r0,r31,r3
803D9E7C: 7C030E70 srawi r3,r0,1
803D9E80: 7C00F838 and r0,r0,r31
803D9E84: 83E1000C lwz r31,12(r1)
803D9E88: 7C001850 sub r0,r3,r0
803D9E8C: 54030FFE rlwinm r3,r0,1,31,31
803D9E90: 80010014 lwz r0,20(r1)
803D9E94: 7C0803A6 mtlr r0
803D9E98: 38210010 addi r1,r1,16
803D9E9C: 4E800020 blr
803D9EA0: 386DB328 subi r3,r13,19672
803D9EA4: 38800001 li r4,1
803D9EA8: 38A00004 li r5,4
803D9EAC: 38C00000 li r6,0
803D9EB0: 4BC4AA64 b 0x80024914
803D9EB4: 2C030020 cmpwi r3,32
803D9EB8: 41820148 beq- 0x803da000
803D9EBC: 40800040 bge- 0x803d9efc
803D9EC0: 2C030004 cmpwi r3,4
803D9EC4: 418200CC beq- 0x803d9f90
803D9EC8: 4080001C bge- 0x803d9ee4
803D9ECC: 2C030000 cmpwi r3,0
803D9ED0: 41820068 beq- 0x803d9f38
803D9ED4: 4180013C blt- 0x803da010
803D9ED8: 2C030003 cmpwi r3,3
803D9EDC: 40800134 bge- 0x803da010
803D9EE0: 48000084 b 0x803d9f64
803D9EE4: 2C030010 cmpwi r3,16
803D9EE8: 4182007C beq- 0x803d9f64
803D9EEC: 40800124 bge- 0x803da010
803D9EF0: 2C030008 cmpwi r3,8
803D9EF4: 418200A4 beq- 0x803d9f98
803D9EF8: 48000118 b 0x803da010
803D9EFC: 2C030100 cmpwi r3,256
803D9F00: 418200C4 beq- 0x803d9fc4
803D9F04: 4080001C bge- 0x803d9f20
803D9F08: 2C030080 cmpwi r3,128
8.)
8016E680: 4826B789 bl 0x803d9e08
8016E684: 2C030000 cmpwi r3,0
8016E688: 41820014 beq- 0x8016e69c
8016E68C: 38600006 li r3,6
8016E690: 4BFFFC55 bl 0x8016e2e4
8016E694: 38600006 li r3,6
8016E698: 48000008 b 0x8016e6a0
8016E69C: 806D9F0C lwz r3,-24820(r13)
8016E6A0: 80010014 lwz r0,20(r1)
8016E6A4: 7C0803A6 mtlr r0
8016E6A8: 38210010 addi r1,r1,16
8016E6AC: 4E800020 blr
8016E6B0: 800D9F0C lwz r0,-24820(r13)
8016E6B4: 2C000000 cmpwi r0,0
8016E6B8: 4182004C beq- 0x8016e704
8016E6BC: 3400FFFF subic. r0,r0,1
8016E6C0: 3D008049 lis r8,-32695
8016E6C4: 8068CDD8 lwz r3,-12840(r8)
8016E6C8: 900D9F0C stw r0,-24820(r13)
8016E6CC: 4182002C beq- 0x8016e6f8
8016E6D0: 38E8CDD8 subi r7,r8,12840
8016E6D4: 38000000 li r0,0
8016E6D8: 80C70004 lwz r6,4(r7)
8016E6DC: 80A70008 lwz r5,8(r7)
8016E6E0: 8087000C lwz r4,12(r7)
8016E6E4: 90C8CDD8 stw r6,-12840(r8)
8016E6E8: 90A70004 stw r5,4(r7)
8016E6EC: 90870008 stw r4,8(r7)
8016E6F0: 9007000C stw r0,12(r7)
8016E6F4: 4E800020 blr
8016E6F8: 38000000 li r0,0
8016E6FC: 9008CDD8 stw r0,-12840(r8)
8016E700: 4E800020 blr
8016E704: 38600000 li r3,0
8016E708: 4E800020 blr
8016E70C: 9421FFF0 stwu r1,-16(r1)
8016E710: 7C0802A6 mflr r0
8016E714: 90010014 stw r0,20(r1)
8016E718: 48000015 bl 0x8016e72c
8016E71C: 80010014 lwz r0,20(r1)
8016E720: 7C0803A6 mtlr r0
8016E724: 38210010 addi r1,r1,16
8016E728: 4E800020 blr
8016E72C: 9421FF90 stwu r1,-112(r1)
8016E730: 7C0802A6 mflr r0
8016E734: 90010074 stw r0,116(r1)
8016E738: 39610070 addi r11,r1,112
8016E73C: 480589B9 bl 0x801c70f4
8016E740: 7C6F1B78 mr r15,r3
8016E744: 4BEC7659 bl 0x80035d9c
8016E748: 4BED6E49 bl 0x80045590
8016E74C: 7C7C1B78 mr r28,r3
8016E750: 4BE9C3ED bl 0x8000ab3c
8016E754: 7C6E1B78 mr r14,r3
8016E758: 4BFAE21D bl 0x8011c974
8016E75C: 80030010 lwz r0,16(r3)
8016E760: 7C7D1B78 mr r29,r3
8016E764: 3A000000 li r16,0
8016E768: 280003EF cmplwi r0,1007
8016E76C: 40820034 bne- 0x8016e7a0
9.)
8016C154: 48002519 bl 0x8016e66c
8016C158: 2C030000 cmpwi r3,0
8016C15C: 4182FFF8 beq+ 0x8016c154
8016C160: 806D9F08 lwz r3,-24824(r13)
8016C164: 4800254D bl 0x8016e6b0
8016C168: 80010014 lwz r0,20(r1)
8016C16C: 7C0803A6 mtlr r0
8016C170: 38210010 addi r1,r1,16
8016C174: 4E800020 blr
8016C178: 9421FFF0 stwu r1,-16(r1)
8016C17C: 7C0802A6 mflr r0
8016C180: 90010014 stw r0,20(r1)
8016C184: 93E1000C stw r31,12(r1)
8016C188: 806D9F08 lwz r3,-24824(r13)
8016C18C: 48002525 bl 0x8016e6b0
8016C190: 2C030000 cmpwi r3,0
8016C194: 7C7F1B78 mr r31,r3
8016C198: 4082001C bne- 0x8016c1b4
8016C19C: 480024D1 bl 0x8016e66c
8016C1A0: 2C030000 cmpwi r3,0
8016C1A4: 4182FFF8 beq+ 0x8016c19c
8016C1A8: 806D9F08 lwz r3,-24824(r13)
8016C1AC: 48002505 bl 0x8016e6b0
8016C1B0: 7C7F1B78 mr r31,r3
8016C1B4: 2C1F0003 cmpwi r31,3
8016C1B8: 41820054 beq- 0x8016c20c
8016C1BC: 2C1F000F cmpwi r31,15
8016C1C0: 4182004C beq- 0x8016c20c
8016C1C4: 2C1F000B cmpwi r31,11
8016C1C8: 41820044 beq- 0x8016c20c
8016C1CC: 2C1F0006 cmpwi r31,6
8016C1D0: 4182003C beq- 0x8016c20c
8016C1D4: 2C1F000D cmpwi r31,13
8016C1D8: 41820034 beq- 0x8016c20c
8016C1DC: 2C1F0007 cmpwi r31,7
8016C1E0: 4082001C bne- 0x8016c1fc
8016C1E4: 4825CF2D bl 0x803c9110
8016C1E8: 7C641B78 mr r4,r3
8016C1EC: 7FE3FB78 mr r3,r31
8016C1F0: 38A00000 li r5,0
8016C1F4: 48001A1D bl 0x8016dc10
8016C1F8: 48000014 b 0x8016c20c
8016C1FC: 7FE3FB78 mr r3,r31
8016C200: 38800000 li r4,0
8016C204: 38A00000 li r5,0
8016C208: 48001A09 bl 0x8016dc10
8016C20C: 806DA340 lwz r3,-23744(r13)
8016C210: 480B8379 bl 0x80224588
8016C214: 4BFFC5C5 bl 0x801687d8
8016C218: 2C030000 cmpwi r3,0
8016C21C: 40820010 bne- 0x8016c22c
8016C220: 48240609 bl 0x803ac828
8016C224: 38800007 li r4,7
8016C228: 48241AB9 bl 0x803adce0
8016C22C: 7FE3FB78 mr r3,r31
8016C230: 83E1000C lwz r31,12(r1)
8016C234: 80010014 lwz r0,20(r1)
8016C238: 7C0803A6 mtlr r0
8016C23C: 38210010 addi r1,r1,16
8016C240: 4E800020 blr
10.)
8016A8DC: 48001825 bl 0x8016c100
8016A8E0: 7C721B78 mr r18,r3
8016A8E4: 2C120000 cmpwi r18,0
8016A8E8: 4182FFCC beq+ 0x8016a8b4
8016A8EC: 80AD9EDC lwz r5,-24868(r13)
8016A8F0: 54A007BD rlwinm. r0,r5,0,30,30
8016A8F4: 418200E0 beq- 0x8016a9d4
8016A8F8: 800D9EC8 lwz r0,-24888(r13)
8016A8FC: 54040318 rlwinm r4,r0,0,12,12
8016A900: 500404E6 rlwimi r4,r0,0,19,19
8016A904: 3C04FFF8 subis r0,r4,8
8016A908: 28001000 cmplwi r0,4096
8016A90C: 418200C8 beq- 0x8016a9d4
8016A910: 2C120087 cmpwi r18,135
8016A914: 418200C0 beq- 0x8016a9d4
8016A918: 2C120086 cmpwi r18,134
8016A91C: 418200B8 beq- 0x8016a9d4
8016A920: 70A00050 andi. r0,r5,80
8016A924: 408200B0 bne- 0x8016a9d4
8016A928: 4BEEDD39 bl 0x80058660
8016A92C: 2C030000 cmpwi r3,0
8016A930: 418200A4 beq- 0x8016a9d4
8016A934: 4BEEDAC1 bl 0x800583f4
8016A938: 4BEEDAD1 bl 0x80058408
8016A93C: 80AD9EC8 lwz r5,-24888(r13)
8016A940: 800D9EDC lwz r0,-24868(r13)
8016A944: 54A4035A rlwinm r4,r5,0,13,13
8016A948: 50A404A5 rlwimi. r4,r5,0,18,18
8016A94C: 600400F0 ori r4,r0,240
8016A950: 41820008 beq- 0x8016a958
8016A954: 60040050 ori r4,r0,80
8016A958: 54A0035B rlwinm. r0,r5,0,13,13
8016A95C: 908D9EDC stw r4,-24868(r13)
8016A960: 41820028 beq- 0x8016a988
8016A964: 38600084 li r3,132
8016A968: 48011B15 bl 0x8017c47c
8016A96C: 48001FA9 bl 0x8016c914
8016A970: 808D9EDC lwz r4,-24868(r13)
8016A974: 3800FF0D li r0,-243
8016A978: 93AD9ECC stw r29,-24884(r13)
8016A97C: 7C800038 and r0,r4,r0
8016A980: 900D9EDC stw r0,-24868(r13)
8016A984: 48001750 b 0x8016c0d4
8016A988: 54A004A5 rlwinm. r0,r5,0,18,18
8016A98C: 41820018 beq- 0x8016a9a4
8016A990: 38600083 li r3,131
8016A994: 38800000 li r4,0
8016A998: 38A00000 li r5,0
8016A99C: 48003275 bl 0x8016dc10
8016A9A0: 48001F75 bl 0x8016c914
8016A9A4: 800D9EC8 lwz r0,-24888(r13)
8016A9A8: 54000529 rlwinm. r0,r0,0,20,20
8016A9AC: 41820028 beq- 0x8016a9d4
8016A9B0: 800D9EDC lwz r0,-24868(r13)
8016A9B4: 540007FA rlwinm r0,r0,0,31,29
8016A9B8: 900D9EDC stw r0,-24868(r13)
8016A9BC: 48003731 bl 0x8016e0ec
8016A9C0: 2C030000 cmpwi r3,0
8016A9C4: 4182000C beq- 0x8016a9d0
8016A9C8: 3A400086 li r18,134
11.)
80271B48: 4E800020 blr
80271B4C: 9421FFE0 stwu r1,-32(r1)
80271B50: 7C0802A6 mflr r0
80271B54: 90010024 stw r0,36(r1)
80271B58: 93E1001C stw r31,28(r1)
80271B5C: 93C10018 stw r30,24(r1)
80271B60: 93A10014 stw r29,20(r1)
80271B64: 93810010 stw r28,16(r1)
80271B68: 7C7C1B78 mr r28,r3
80271B6C: 4BFFCBF1 bl 0x8026e75c
80271B70: 3FE08000 lis r31,-32768
80271B74: 7C7D1B78 mr r29,r3
80271B78: 83DF00E4 lwz r30,228(r31)
80271B7C: 7FC3F378 mr r3,r30
80271B80: 4BFF9511 bl 0x8026b090
80271B84: A01E02CA lhz r0,714(r30)
80271B88: 540007FF rlwinm. r0,r0,0,31,31
80271B8C: 41820044 beq- 0x80271bd0
80271B90: 809E02FC lwz r4,764(r30)
80271B94: 807E0300 lwz r3,768(r30)
80271B98: 2C040000 cmpwi r4,0
80271B9C: 4082000C bne- 0x80271ba8
80271BA0: 907F00E0 stw r3,224(r31)
80271BA4: 48000008 b 0x80271bac
80271BA8: 90640300 stw r3,768(r4)
80271BAC: 2C030000 cmpwi r3,0
80271BB0: 40820010 bne- 0x80271bc0
80271BB4: 3C608000 lis r3,-32768
80271BB8: 908300DC stw r4,220(r3)
80271BBC: 48000008 b 0x80271bc4
80271BC0: 908302FC stw r4,764(r3)
80271BC4: 38000000 li r0,0
80271BC8: B01E02C8 sth r0,712(r30)
80271BCC: 48000010 b 0x80271bdc
80271BD0: 38000008 li r0,8
80271BD4: B01E02C8 sth r0,712(r30)
80271BD8: 939E02D8 stw r28,728(r30)
80271BDC: 7FC3F378 mr r3,r30
80271BE0: 4BFFDF0D bl 0x8026faec
80271BE4: 387E02E8 addi r3,r30,744
80271BE8: 48000879 bl 0x80272460
80271BEC: 38000001 li r0,1
80271BF0: 900DA82C stw r0,-22484(r13)
80271BF4: 800DA82C lwz r0,-22484(r13)
80271BF8: 2C000000 cmpwi r0,0
80271BFC: 4182000C beq- 0x80271c08
80271C00: 38600000 li r3,0
80271C04: 4BFFFA61 bl 0x80271664
80271C08: 7FA3EB78 mr r3,r29
80271C0C: 4BFFCB79 bl 0x8026e784
80271C10: 80010024 lwz r0,36(r1)
80271C14: 83E1001C lwz r31,28(r1)
80271C18: 83C10018 lwz r30,24(r1)
80271C1C: 83A10014 lwz r29,20(r1)
80271C20: 83810010 lwz r28,16(r1)
80271C24: 7C0803A6 mtlr r0
80271C28: 38210020 addi r1,r1,32
80271C2C: 4E800020 blr
80271C30: 9421FFF0 stwu r1,-16(r1)
80271C34: 7C0802A6 mflr r0[/spoiler]
after double-clicking the second top address from the stw r0,11660(r4) (first walk on stack address)
[spoiler]803CB660: 7C7F4214 add r3,r31,r8
803CB664: 80632D90 lwz r3,11664(r3)
803CB668: 7C001840 cmplw r0,r3
803CB66C: 40810008 ble- 0x803cb674
803CB670: 90642D8C stw r3,11660(r4) ?!
803CB674: 7FC3F378 mr r3,r30
803CB678: 7FE4FB78 mr r4,r31
803CB67C: 4BFF1CF9 bl 0x803bd374
803CB680: 83E1000C lwz r31,12(r1)
803CB684: 38600000 li r3,0
803CB688: 83C10008 lwz r30,8(r1)
803CB68C: 80010014 lwz r0,20(r1)
803CB690: 7C0803A6 mtlr r0
803CB694: 38210010 addi r1,r1,16
803CB698: 4E800020 blr
803CB69C: 9421FFE0 stwu r1,-32(r1)
803CB6A0: 7C0802A6 mflr r0
803CB6A4: 90010024 stw r0,36(r1)
803CB6A8: 39610020 addi r11,r1,32
803CB6AC: 4BDFBA85 bl 0x801c7130
803CB6B0: 80A400B4 lwz r5,180(r4) ?!
803CB6B4: 7C9F2378 mr r31,r4 !
803CB6B8: 7C7D1B78 mr r29,r3
803CB6BC: 38050001 addi r0,r5,1
803CB6C0: 7FE3FB78 mr r3,r31
803CB6C4: 900400B4 stw r0,180(r4) ?!
803CB6C8: 4800B7A5 bl 0x803d6e6c
803CB6CC: 7C651B78 mr r5,r3
803CB6D0: 7FA3EB78 mr r3,r29
803CB6D4: 7FE4FB78 mr r4,r31
803CB6D8: 4800C965 bl 0x803d803c
803CB6DC: 7C7E1B78 mr r30,r3
803CB6E0: 7FA3EB78 mr r3,r29
803CB6E4: 7FE4FB78 mr r4,r31
803CB6E8: 7FC5F378 mr r5,r30
803CB6EC: 4BFE59A5 bl 0x803b1090
803CB6F0: 801F215C lwz r0,8540(r31)
803CB6F4: 2C007FFF cmpwi r0,32767
803CB6F8: 41820130 beq- 0x803cb828
803CB6FC: 1C1E00C0 mulli r0,r30,192
803CB700: 3C608049 lis r3,-32695
803CB704: 93C3CDE8 stw r30,-12824(r3)
803CB708: 3863CDE8 subi r3,r3,12824
803CB70C: 7C9F0214 add r4,r31,r0
803CB710: 80042D8C lwz r0,11660(r4) ?!
803CB714: 90030004 stw r0,4(r3)
803CB718: 80042D90 lwz r0,11664(r4) ?!
803CB71C: 90030008 stw r0,8(r3)
803CB720: 80BF215C lwz r5,8540(r31)
803CB724: 2C050000 cmpwi r5,0
803CB728: 408200C8 bne- 0x803cb7f0
803CB72C: 3C608049 lis r3,-32695
803CB730: 3863CE28 subi r3,r3,12760
803CB734: 8003001C lwz r0,28(r3)
803CB738: 28000001 cmplwi r0,1
803CB73C: 41820098 beq- 0x803cb7d4
803CB740: 801F00AC lwz r0,172(r31)
803CB744: 2C000002 cmpwi r0,2
803CB748: 4182000C beq- 0x803cb754
803CB74C: 38000000 li r0,0
[/spoiler]
You're showing too much after, not enough before. bl and bctrl "do stuff". The stuff they do depends on what is passed to them in r3/r4/r5/r6/r7/r8/r9/r10. I don't know what they're doing if I don't know what is being passed into them.
When double-clicking an address in the call stack, right-click the disassembly and click "Copy Function". That will grab all the whole function and put it into the clipboard.
You only really need to show the disasm for the top function, and probably the two functions below it. That is, 803CB64C, 803B6A78, and 803B2CA8.
EDIT: regarding your edit, the other bolded lines are after the end of the function. Remember, stuff after blr does not belong to the same function.
Quote from: dcx2 on October 08, 2010, 10:09:08 PM
You only really need to show the disasm for the top function, and probably the two functions below it. That is, 803CB64C, 803B6A78, and 803B2CA8.
okay, take a look at this please:
803B6A78
[spoiler]
803B6A64: 9421FFF0 stwu r1,-16(r1)
803B6A68: 7C0802A6 mflr r0
803B6A6C: 90010014 stw r0,20(r1)
803B6A70: 93E1000C stw r31,12(r1)
803B6A74: 7C9F2378 mr r31,r4
803B6A78: 48012A55 bl 0x803c94cc
803B6A7C: 2C030001 cmpwi r3,1
803B6A80: 40820014 bne- 0x803b6a94
803B6A84: 801F000C lwz r0,12(r31)
803B6A88: 38600000 li r3,0
803B6A8C: 907F00B4 stw r3,180(r31)
803B6A90: 901F0008 stw r0,8(r31)
803B6A94: 80010014 lwz r0,20(r1)
803B6A98: 83E1000C lwz r31,12(r1)
803B6A9C: 7C0803A6 mtlr r0
803B6AA0: 38210010 addi r1,r1,16
803B6AA4: 4E800020 blr
[/spoiler]
803CB64C
[spoiler]803CB5B4: 9421FFF0 stwu r1,-16(r1)
803CB5B8: 7C0802A6 mflr r0
803CB5BC: 90010014 stw r0,20(r1)
803CB5C0: 93E1000C stw r31,12(r1)
803CB5C4: 7C9F2378 mr r31,r4
803CB5C8: 93C10008 stw r30,8(r1)
803CB5CC: 7C7E1B78 mr r30,r3
803CB5D0: 7FE3FB78 mr r3,r31
803CB5D4: 80A400B4 lwz r5,180(r4)
803CB5D8: 38050001 addi r0,r5,1
803CB5DC: 900400B4 stw r0,180(r4)
803CB5E0: 4800B88D bl 0x803d6e6c
803CB5E4: 7C651B78 mr r5,r3
803CB5E8: 7FC3F378 mr r3,r30
803CB5EC: 7FE4FB78 mr r4,r31
803CB5F0: 4800CA4D bl 0x803d803c
803CB5F4: 1D0300C0 mulli r8,r3,192
803CB5F8: 80FF215C lwz r7,8540(r31)
803CB5FC: 7C651B78 mr r5,r3
803CB600: 7C9F4214 add r4,r31,r8
803CB604: 80C42D8C lwz r6,11660(r4)
803CB608: 7C073215 add. r0,r7,r6
803CB60C: 41810010 bgt- 0x803cb61c
803CB610: 7C0600D0 neg r0,r6
803CB614: 901F2148 stw r0,8520(r31)
803CB618: 48000008 b 0x803cb620
803CB61C: 90FF2148 stw r7,8520(r31)
803CB620: 80DF2148 lwz r6,8520(r31)
803CB624: 2C060000 cmpwi r6,0
803CB628: 40800018 bge- 0x803cb640
803CB62C: 5460103A rlwinm r0,r3,2,0,29
803CB630: 7C7F0214 add r3,r31,r0
803CB634: 80030164 lwz r0,356(r3)
803CB638: 7C060050 sub r0,r0,r6
803CB63C: 90030164 stw r0,356(r3)
803CB640: 80642D8C lwz r3,11660(r4)
803CB644: 801F215C lwz r0,8540(r31)
803CB648: 7C030215 add. r0,r3,r0
803CB64C: 90042D8C stw r0,11660(r4)
803CB650: 40800010 bge- 0x803cb660
803CB654: 38000000 li r0,0
803CB658: 90042D8C stw r0,11660(r4)
803CB65C: 48000018 b 0x803cb674
803CB660: 7C7F4214 add r3,r31,r8
803CB664: 80632D90 lwz r3,11664(r3)
803CB668: 7C001840 cmplw r0,r3
803CB66C: 40810008 ble- 0x803cb674
803CB670: 90642D8C stw r3,11660(r4)
803CB674: 7FC3F378 mr r3,r30
803CB678: 7FE4FB78 mr r4,r31
803CB67C: 4BFF1CF9 bl 0x803bd374
803CB680: 83E1000C lwz r31,12(r1)
803CB684: 38600000 li r3,0
803CB688: 83C10008 lwz r30,8(r1)
803CB68C: 80010014 lwz r0,20(r1)
803CB690: 7C0803A6 mtlr r0
803CB694: 38210010 addi r1,r1,16
803CB698: 4E800020 blr [/spoiler]
803B2CA8
[spoiler]803B2C3C: 9421FFF0 stwu r1,-16(r1)
803B2C40: 7C0802A6 mflr r0
803B2C44: 90010014 stw r0,20(r1)
803B2C48: 93E1000C stw r31,12(r1)
803B2C4C: 7C9F2378 mr r31,r4
803B2C50: 93C10008 stw r30,8(r1)
803B2C54: 7C7E1B78 mr r30,r3
803B2C58: 8804311F lbz r0,12575(r4)
803B2C5C: 2C000000 cmpwi r0,0
803B2C60: 40820028 bne- 0x803b2c88
803B2C64: 4BFFB075 bl 0x803adcd8
803B2C68: 5460063F rlwinm. r0,r3,0,24,31
803B2C6C: 4182001C beq- 0x803b2c88
803B2C70: 7FC3F378 mr r3,r30
803B2C74: 4BFFB065 bl 0x803adcd8
803B2C78: 54600673 rlwinm. r0,r3,0,25,25
803B2C7C: 4082000C bne- 0x803b2c88
803B2C80: 38000029 li r0,41
803B2C84: 901F0008 stw r0,8(r31)
803B2C88: 801F0008 lwz r0,8(r31)
803B2C8C: 3CA08040 lis r5,-32704
803B2C90: 38A55178 addi r5,r5,20856
803B2C94: 7FC3F378 mr r3,r30
803B2C98: 5400103A rlwinm r0,r0,2,0,29
803B2C9C: 7FE4FB78 mr r4,r31
803B2CA0: 7D85002E lwzx r12,r5,r0
803B2CA4: 7D8903A6 mtctr r12
803B2CA8: 4E800421 bctrl
803B2CAC: 807F0008 lwz r3,8(r31)
803B2CB0: 83E1000C lwz r31,12(r1)
803B2CB4: 3803FFD5 subi r0,r3,43
803B2CB8: 83C10008 lwz r30,8(r1)
803B2CBC: 7C000034 cntlzw r0,r0
803B2CC0: 5403D97E rlwinm r3,r0,27,5,31
803B2CC4: 80010014 lwz r0,20(r1)
803B2CC8: 7C0803A6 mtlr r0
803B2CCC: 38210010 addi r1,r1,16
803B2CD0: 4E800020 blr
[/spoiler]
Interesting...
803CB5C4: 7C9F2378 mr r31,r4
803CB5C8: 93C10008 stw r30,8(r1)
803CB5CC: 7C7E1B78 mr r30,r3
803CB5D0: 7FE3FB78 mr r3,r31
803CB5D4: 80A400B4 lwz r5,180(r4)
803CB5D8: 38050001 addi r0,r5,1
803CB5DC: 900400B4 stw r0,180(r4)
803CB5E0: 4800B88D bl 0x803d6e6c
803CB5E4: 7C651B78 mr r5,r3
803CB5E8: 7FC3F378 mr r3,r30
803CB5EC: 7FE4FB78 mr r4,r31
803CB5F0: 4800CA4D bl 0x803d803c
803CB5F4: 1D0300C0 mulli r8,r3,192
803CB5F8: 80FF215C lwz r7,8540(r31)
803CB5FC: 7C651B78 mr r5,r3
803CB600: 7C9F4214 add r4,r31,r8
This is what creates your r4 pointer. First, a pointer is passed to the function in r4 from the caller. Then, instruction 5C4 (I refer to them using the last three digits) will cache the pointer in r31. Later, the bl 5F0 gets some mysterious value and puts it into r3. 5F4 then multiplies this mysterious value by 192, and then instruction 600 will add that product to the original pointer.
My guess is that, at instruction 5F4, r3 contains an index into the array pointed to by r31. This index could very well be the player number! Note that 5FC copies this mysterious number into r5. At your breakpoint (64C) the value in r5 is still whatever came from r3. This value is 0. I bet for other players/COM, the value will be non-zero.
Try this code and see if it works.
cmpwi r5, 0
beq- 8
stw r0,11660(r4)
Quote from: dcx2 on October 08, 2010, 10:56:13 PM
My guess is that, at instruction 5F4, r3 contains an index into the array pointed to by r31. This index could very well be the player number! Note that 5FC copies this mysterious number into r5. At your breakpoint (64C) the value in r5 is still whatever came from r3. This value is 0. I bet for other players/COM, the value will be non-zero.
Try this code and see if it works.
cmpwi r5, 0
beq- 8
stw r0,11660(r4)
I used 803CB64C as the "Hook Address"
wooooowww!!!
this strategy is valid, you did it!!! :) It showed value 00000001 in r5 if I attack an enemy, and if he does, it's 00000000!
Effect: He takes damage, I don´t.... :o
But wait, I discovered something bad:
If an enemy would go KO, the health gets maximised (aka full health) again, but why? Hmmm... he can't be KO'ed with this code enabled... does it happen because I don't store his health or anything?? Yeah the game is very crazy... but a challenge :P
Crap, so near, got an idea?
-> If I am using the anti code <before> killing him, he dies, but when the code is <still enabled>, he doesn´t die...
---------------------------
EDIT: I solved it by myself!!! Aha, found another address which was with the health code (no damage + no die)
that's 2 lines (addresses); if I do the same cmpwi thingy with the "no die" line, I don't die, but my opponent does!
Yay (it used exactly the same registers and had the same instruction!)
I am so happy, thanks for your help, finally I got it, it was very time consuming, but worth it! I could say it took hours all in all including "all my fails" from direct RAM write and Pointer up to now with the victorious ASM code! >:D
I was able to work it out by looking at the ASM. However, you could brute-force it in the future.
When you use a read/write breakpoint to find an ASM address, you can find instructions that are run by multiple people. It is a good idea to turn your R/W BP into an execute BP and see if the code runs for anyone else. If it does, then look for some other register that will give you a clue.
Sometimes, this is as simple as comparing against a static pointer. However, if your pointer moves, you have to look for something else. Copy and paste the results of a few BPs into notepad and stare at it for a few hours. You might see something...like how r5 is different when different people get hit.
---
You owe me. :) So you should do me a favor.
Remember the call stack? You said the one on top was 803CB64C, and the one underneath it was 803B6A78? (better yet, could you copy and paste the whole call stack too? right click the call stack -> copy)
The function you are in during breakpoint:
803CB5B4: 9421FFF0 stwu r1,-16(r1)
...
803CB64C: 90042D8C stw r0,11660(r4)
The caller:
803B6A78: 48012A55 bl 0x803c94cc
The red addresses are supposed to match. But they don't. :confused: They are off by a very large amount - over 2000 instructions! Much larger than most functions. I want to know why.
Could you Copy (not the Copy Function, the regular Copy) 0x803c94c0, and 0x803CB520? (and don't forget the call stack!)
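The "brute-force" approach dcx2 describes above (turn the R/W breakpoint into an execute breakpoint, copy a few register dumps, and look for a register that differs between the player's hit and the enemy's hit) can be automated. The Python below is an added example, not code from this thread or from any Gecko tool: it parses the register block in the format Gecko's breakpoint window shows and reports the registers that are constant within each class of hit but differ between classes, dropping values that fall in the usual Wii MEM1/MEM2 address ranges (an assumption of the filter) because pointer-valued registers move and make poor discriminators. The two embedded dumps are the 803B7648 player and enemy dumps posted later in this thread.

```python
import re

# Added example (not from the thread): automate the "copy a few breakpoint dumps
# and stare at them" step. The two dumps are the 803B7648 player/enemy register
# dumps posted later in this thread, in the format Gecko's breakpoint window shows.
PLAYER_DUMP = """\
CR:44000000 XER:00000000 CTR:00000004 DSIS:00000000
DAR:00000000 SRR0:803B7648 SRR1:00009032 LR:803B75F0
r0:0000001E r1:80F66328 r2:80648600 r3:00000000
r4:92485320 r5:92485320 r6:00000000 r7:00000000
r8:00000000 r9:00000000 r10:92488060 r11:80F66328
r12:803B6AA8 r13:806452C0 r14:00000008 r15:00000002
r16:00000000 r17:00000004 r18:00000000 r19:00000004
r20:00000000 r21:92482F00 r22:92485320 r23:00000001
"""
ENEMY_DUMP = """\
CR:44000000 XER:00000000 CTR:00000002 DSIS:00000000
DAR:00000000 SRR0:803B7648 SRR1:00009032 LR:803B75F0
r0:00000004 r1:80F66328 r2:80648600 r3:00000002
r4:924853E2 r5:92485360 r6:00000001 r7:00000002
r8:00000000 r9:00000000 r10:91C8E1D4 r11:80F66328
r12:803B6AA8 r13:806452C0 r14:00000008 r15:00000002
r16:00000000 r17:00000004 r18:00000000 r19:00000004
r20:00000000 r21:92482F00 r22:92485320 r23:00000001
"""

TOKEN = re.compile(r"([A-Za-z0-9]+):([0-9A-Fa-f]{8})")


def parse_dump(text):
    """Turn 'r6:00000001 ...' tokens into {'r6': 1, ...}."""
    return {name: int(value, 16) for name, value in TOKEN.findall(text)}


def looks_like_pointer(value):
    """Assumed Wii address ranges: MEM1 0x80000000-0x817FFFFF, MEM2 0x90000000-0x93FFFFFF.
    Pointer-valued registers are skipped because, as the thread found, they move."""
    return 0x80000000 <= value < 0x81800000 or 0x90000000 <= value < 0x94000000


def candidate_registers(groups, max_small=15):
    """groups maps a class of hit ('player', 'enemy', ...) to one or more dumps.

    A register is reported when it is constant inside every class, differs between
    classes, and never looks like a pointer. Small values (player index, slot
    number) are listed first because that is what a 'player number' looks like."""
    parsed = {cls: [parse_dump(d) for d in dumps] for cls, dumps in groups.items()}
    names = set.intersection(*(set(d) for dumps in parsed.values() for d in dumps))
    found = []
    for name in names:
        per_class = {}
        for cls, dumps in parsed.items():
            values = {d[name] for d in dumps}
            if len(values) != 1:          # unstable within one class: useless as a discriminator
                break
            per_class[cls] = values.pop()
        else:
            values = list(per_class.values())
            if len(set(values)) == len(values) and not any(looks_like_pointer(v) for v in values):
                found.append((name, per_class))
    found.sort(key=lambda item: (max(item[1].values()) > max_small, item[0]))
    return found


if __name__ == "__main__":
    for name, per_class in candidate_registers({"player": [PLAYER_DUMP], "enemy": [ENEMY_DUMP]}):
        print(name, {cls: f"{v:08X}" for cls, v in per_class.items()})
```

With only one dump per class every non-pointer register that differs is reported (here CTR, r3, r6, r7 and r0), so the real value of the tool shows once you paste in two or three dumps of each kind: a register that changes from hit to hit within the same class drops out, and what is left is what dcx2 means by "look for some other register that will give you a clue".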
It took me a moment, but I understand why your opponent was not dying.
803CB640: 80642D8C lwz r3,11660(r4)
803CB644: 801F215C lwz r0,8540(r31)
803CB648: 7C030215 add. r0,r3,r0
803CB64C: 90042D8C stw r0,11660(r4) # hook
803CB650: 40800010 bge- 0x803cb660
803CB654: 38000000 li r0,0
803CB658: 90042D8C stw r0,11660(r4)
'40 loads the character's health. '44 loads the change in health (probably damage? could be healing, too...). '48 adds the health. However, look carefully at '48. Do you see the . after add? The . means that the Condition Register (CR) is updated; the . is like a free cmpwi 0 built into the add!
'4C stores the new health. This is the instruction you hooked, yes? But very important...'50 does a branch that is based on the result of '48! However, your hook uses cmpwi, which changes the CR, which affects the branch!
Pretend we are at instruction '48. Consider the case where enemy health r3 = 5, and they got hit for r0 = -7. The result will be -2. This is Less Than 0, so the LT bit of the CR is set, and the EQ and GT bits are cleared.
This is very important! If the enemy's health is negative, the branch at '50 will NOT be taken. Look what '54 and '58 do...they load r0 with 0, and then write that to the health. So they prevent the enemy's health from becoming negative if you do more damage to them than they have health. If their health is not 0, they are not dead! Negative health is like a zombie!
But your hook was changing that. The enemy's r5 == 1, so your cmpwi r5,0 will always set the GT bit, and you will always skip over '54 and '58. That is why you can't kill enemies.
---
This can be solved by moving the hook so that your cmpwi is not between the add. (which writes to the CR) and the bge- (which reads from the CR). I will also make it so that your health can only go up, but never down. It's possible this function could also give you health and you would prevent it from doing so!
hook address 803CB648
cmpwi r5,0 # are we player 1?
bne- THE_END # if not, branch to the end
cmpwi r0,0 # are we hurting player 1? (is r0 negative)
bge- THE_END # if not, branch to the end
li r0,0 # don't hurt player 1!
THE_END:
add. r0,r3,r0 # original instruction
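To see the CR0 clobbering concretely, here is a small Python model of 803CB640 through 803CB670 from the listing above. It is an added example, not code from this thread: CR0 is modelled as the (LT, GT, EQ) triple that a record-form instruction or cmpwi sets, the player-1 guard is run at either of the two hook addresses, and the cap at 803CB660-670 is included because it uses cmplw, an unsigned compare. The field at 11664 is assumed to be the maximum health, since that is what the cap stores; r5 == 0 meaning "player" comes from the breakpoint in the thread.

```python
# Added example (not from the thread): model of 803CB640..803CB670 with the
# player-1 guard inserted either BEFORE add. (hook 803CB648) or BETWEEN add. and
# bge- (hook 803CB64C, the first attempt in the thread).

def s32(v):
    """Read a 32-bit value as signed, the way cmpwi and record-form ('.') instructions do."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


def u32(v):
    """Read a 32-bit value as unsigned, the way cmplw does."""
    return v & 0xFFFFFFFF


def cr0(value):
    """CR0 = (LT, GT, EQ) after a record-form instruction or cmpwi."""
    v = s32(value)
    return (v < 0, v > 0, v == 0)


def update_health(health, delta, r5, max_health, hook):
    """Return the health left at 11660(r4) after the game's update code runs.

    r5 is the index that was 0 for the player and 1 for the enemy at the breakpoint;
    max_health is the assumed meaning of the 11664(r4) field used by the cap."""
    r3, r0 = health, delta                   # lwz r3,11660(r4) ; lwz r0,8540(r31)
    if hook == 0x803CB648:
        # guard BEFORE add.: it only rewrites r0; add. then sets CR0 from the real sum
        if r5 == 0 and s32(r0) < 0:          # cmpwi r5,0 / bne- ; cmpwi r0,0 / bge- ; li r0,0
            r0 = 0
        r0 = s32(r3 + r0)                    # add. r0,r3,r0  (record form: sets CR0)
        cr = cr0(r0)
        mem = r0                             # stw r0,11660(r4)
    elif hook == 0x803CB64C:
        r0 = s32(r3 + r0)                    # add. r0,r3,r0 sets CR0 from the sum...
        cr = cr0(r0)
        cr = cr0(r5)                         # ...but the hook's cmpwi r5,0 overwrites it
        mem = r3 if r5 == 0 else r0          # beq- 8 skips stw r0,11660(r4) for the player
    else:
        raise ValueError("hook must be 0x803CB648 or 0x803CB64C")
    if cr[0]:                                # bge- 0x803cb660 is NOT taken when LT is set
        return 0                             # li r0,0 ; stw r0,11660(r4) ; b 0x803cb674
    if u32(r0) > u32(max_health):            # cmplw r0,r3 ; ble- 0x803cb674 (unsigned!)
        return max_health                    # stw r3,11660(r4)
    return mem


if __name__ == "__main__":
    for hook in (0x803CB648, 0x803CB64C):
        print(f"hook {hook:08X}: enemy 5hp hit for 7 ->",
              update_health(5, -7, r5=1, max_health=100, hook=hook))
```

With the hook at '4C, the enemy's sum of -2 never reaches the zero clamp because cmpwi r5,0 left GT set instead of LT; the negative value then goes through the unsigned cmplw at '668 as 0xFFFFFFFE, which is larger than any maximum, so the cap stores the maximum. That is the "health gets maximised" symptom reported earlier in the thread. With the hook at '48, CR0 still comes from add., the enemy is clamped to 0 and dies, and the player is only protected against negative deltas, so healing still works.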
Quote from: dcx2 on October 09, 2010, 05:08:35 AM
hook address 803CB648
cmpwi r5,0 # are we player 1?
bne- THE_END # if not, branch to the end
cmpwi r0,0 # are we hurting player 1? (is r0 negative)
bge- THE_END # if not, branch to the end
li r0,0 # don't hurt player 1!
THE_END:
add. r0,r3,r0 # original instruction
yeah, I really do owe you something, your explanations are perfectly fitting to the game and you helped me a lot :p
As you thought, healing is also implemented in this, meaning that if it´s e.g. NOP´ed you can´t heal.
Idk, but you could send me a PM with something I can help you with... I can´t try the code now, but I´ll do later, does the code look like this now?
hook address 803CB648
cmpwi r5,0
bne- THE_END # is the THE_END supposed to be in there? Just wondering...
cmpwi r0,0
bge- THE_END # is the THE_END supposed to be in there? Just wondering...
li r0,0
add. r0,r3,r0
In the future, I´ll stare at the register when the breakpoint hits, that I may be able to "see" that r5 was connected to players... :D
Quote from: Bully@Wiiplaza on October 09, 2010, 11:26:42 AM
Quote from: dcx2 on October 09, 2010, 05:08:35 AM
hook address 803CB648
cmpwi r5,0 # are we player 1?
bne- THE_END # if not, branch to the end
cmpwi r0,0 # are we hurting player 1? (is r0 negative)
bge- THE_END # if not, branch to the end
li r0,0 # don't hurt player 1!
THE_END:
add. r0,r3,r0 # original instruction
hook address 803CB648
cmpwi r5,0
bne- THE_END # is the THE_END supposed to be in there? Just wondering...
cmpwi r0,0
bge- THE_END # is the THE_END supposed to be in there? Just wondering...
li r0,0
add. r0,r3,r0
THE_END is a branch label. When a branch is taken, execution will "jump" over some instructions, and execution "lands" where the label is. This allows us to "skip" the li r0,0 if we are hurting an enemy OR if we are healing the player. For instance, the assembled code is
C23CB648 00000004
2C050000 40820010
2C000000 40800008
38000000 7C030215
60000000 00000000
If you run that backwards through PyiiASMH, you get
cmpwi r5,0
bne- 0x0010
cmpwi r0,0
bge- 0x0010
li r0,0
add. r0,r3,r0
Now, let's say you put something else in.
cmpwi r5,0 # are we player 1?
bne- THE_END # if not, branch to the end
cmpwi r0,0 # are we hurting player 1? (is r0 negative)
nop
bge- THE_END # if not, branch to the end
li r0,0 # don't hurt player 1!
THE_END:
add. r0,r3,r0 # original instruction
This becomes
C23CB648 00000004
2C050000 40820014
2C000000 60000000
40800008 38000000
7C030215 00000000
Which, when re-converted to ASM
cmpwi r5,0
bne- 0x0014
cmpwi r0,0
nop
bge- 0x0014
li r0,0
add. r0,r3,r0
---
If you insert another instruction, you may change your branch displacements. Modifying them by hand is very error prone. The branch labels remove the burden of calculating the branch displacement in the event that it changes.
@Sharkbyte - I'm going to use branch labels, so you may need to use PyiiASMH to convert this. Others have had success with Link's ASMWiiRD converter.
cmpwi r19,3
beq- MOON_JUMP # make player 4 moon jump
cmpwi r19,2
beq- MOON_JUMP # make player 3 moon jump
cmpwi r19,1
beq- NO_MOON_JUMP # player 2 gets normal jump
b NO_MOON_JUMP # player 1 gets normal jump
MOON_JUMP:
lis r12,16752
stw r12,88(r26)
lfs f2,88(r26)
NO_MOON_JUMP:
stfs f2,88(r26)
Change the branch label next to the player you want to give or remove moon jump from.
Nono, you should AVOID using hex values with branch displacements. Read the post before the one addressed to you. Calculating branch displacements by hand is tedious and error prone.
When a branch is taken, execution will "jump" over some instructions, and execution "lands" where the label is. For instance, let's walk through the code and pretend that r19 has a 1 in it. The bold instructions will be executed; the non-bold instructions will be skipped over.
cmpwi r19,3 # is r19 == 3?
beq- MOON_JUMP # no; branch not taken; go to next instruction
cmpwi r19,2 # is r19 == 2?
beq- MOON_JUMP # no; branch not taken; go to next instruction
cmpwi r19,1 # is r19 == 1?
beq- NO_MOON_JUMP # yes! branch taken; go to instruction after NO_MOON_JUMP!
| b NO_MOON_JUMP # these instructions are skipped
| MOON_JUMP: # these instructions are skipped
| lis r12,16752 # these instructions are skipped
| stw r12,88(r26) # these instructions are skipped
v lfs f2,88(r26) # these instructions are skipped
NO_MOON_JUMP:
stfs f2,88(r26)
Let's look at if r19 == 3
cmpwi r19,3 # is r19 == 3?
beq- MOON_JUMP # yes! branch taken; go to instruction after MOON_JUMP!
| cmpwi r19,2 # is r19 == 2? # these instructions are skipped
| beq- MOON_JUMP # these instructions are skipped
| cmpwi r19,1 # these instructions are skipped
| beq- NO_MOON_JUMP # these instructions are skipped
v b NO_MOON_JUMP # these instructions are skipped
MOON_JUMP:
lis r12,16752 # load your new float
stw r12,88(r26) # store it to memory
lfs f2,88(r26) # make sure the new float is also in f2!
NO_MOON_JUMP:
stfs f2,88(r26) # this is unnecessary because the value is already there, but it won't hurt
---
The beauty of the branch labels...if you want to give only player 1 moon jump, make everyone else's branch label NO_MOON_JUMP. If you want everyone but player 1 to have moon jump, give him NO_MOON_JUMP and everyone else MOON_JUMP. Just change the branch labels and the assembler will do all the hard work for you.
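The two posts above make the case for branch labels: add one instruction and every displacement that crosses it changes. The Python below is an added example, not code from this thread, from PyiiASMH or from any other assembler: a minimal PowerPC assembler for the handful of instructions these codes use (cmpwi/cmplwi, li/lis, the D-form loads and stores, mr, add/sub with the record bit, b and the CR0 conditional branches with labels or hex displacements) plus the Gecko C2 packer (C2 followed by the low 25 bits of the hook address, the line count, nop padding, and the 00000000 terminator). The encodings are the PowerPC ISA ones; the THE_END code from earlier in the thread is embedded so the output can be compared with the C2 listing posted there.

```python
import re

# Added example (not from the thread): a tiny PowerPC assembler with branch labels
# and a Gecko C2 packer. Encodings follow the PowerPC ISA; the C2 layout matches
# the listings posted in this thread.

MEM_OPS = {"lwz": 32, "lbz": 34, "stw": 36, "stb": 38, "sth": 44, "lfs": 48, "stfs": 52}
# conditional branches on CR0 -> (BO, BI); BI 0=LT 1=GT 2=EQ; BO 12 = if set, 4 = if clear
COND = {"beq": (12, 2), "bne": (4, 2), "blt": (12, 0), "bge": (4, 0), "bgt": (12, 1), "ble": (4, 1)}


def reg(tok):
    m = re.fullmatch(r"[rf](\d+)", tok.strip())
    if not m or int(m.group(1)) > 31:
        raise ValueError(f"bad register {tok!r}")
    return int(m.group(1))


def imm(tok):
    return int(tok.strip(), 0)


def parse(src):
    """Strip '#' comments, record 'LABEL:' positions, return (labels, [(mnemonic, operands)])."""
    labels, insns = {}, []
    for raw in src.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1].strip()] = len(insns)   # label = index of the next instruction
            continue
        parts = line.split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        insns.append((parts[0].lower(), ops))
    return labels, insns


def encode(mn, ops, index, labels):
    if mn == "nop":
        return 0x60000000                                   # ori r0,r0,0
    if mn in ("li", "lis"):                                 # addi/addis rD,0,imm
        return ((14 if mn == "li" else 15) << 26) | (reg(ops[0]) << 21) | (imm(ops[1]) & 0xFFFF)
    if mn in ("cmpwi", "cmplwi"):                           # cmpi/cmpli cr0,rA,imm
        return ((11 if mn == "cmpwi" else 10) << 26) | (reg(ops[0]) << 16) | (imm(ops[1]) & 0xFFFF)
    if mn in MEM_OPS:                                       # D-form: op rD,d(rA)
        d, ra = re.fullmatch(r"(-?\w+)\((r\d+)\)", ops[1].replace(" ", "")).groups()
        return (MEM_OPS[mn] << 26) | (reg(ops[0]) << 21) | (reg(ra) << 16) | (imm(d) & 0xFFFF)
    if mn == "mr":                                          # or rD,rS,rS
        rd, rs = reg(ops[0]), reg(ops[1])
        return (31 << 26) | (rs << 21) | (rd << 16) | (rs << 11) | (444 << 1)
    if mn.rstrip(".") in ("add", "sub"):                    # XO-form; trailing '.' sets Rc (records CR0)
        rd, ra, rb = (reg(o) for o in ops)
        if mn.startswith("sub"):                            # sub rD,rA,rB is subf rD,rB,rA
            ra, rb, xo = rb, ra, 40
        else:
            xo = 266
        return (31 << 26) | (rd << 21) | (ra << 16) | (rb << 11) | (xo << 1) | int(mn.endswith("."))
    base = mn.rstrip("+-")                                  # b, beq-, bne+, ...
    if base == "b" or base in COND:
        target = ops[0]
        disp = (labels[target] - index) * 4 if target in labels else imm(target)
        if base == "b":
            return (18 << 26) | (disp & 0x03FFFFFC)
        bo, bi = COND[base]
        # 'y' hint bit: the default prediction is not-taken for forward, taken for backward branches
        y = int(mn.endswith("+")) if disp >= 0 else int(mn.endswith("-"))
        return (16 << 26) | ((bo | y) << 21) | (bi << 16) | (disp & 0xFFFC)
    raise ValueError(f"unsupported instruction {mn!r} at index {index}")


def assemble(src):
    labels, insns = parse(src)
    return [encode(mn, ops, i, labels) for i, (mn, ops) in enumerate(insns)]


def gecko_c2(hook_addr, words):
    """Pack assembled words as a Gecko C2 (insert ASM) code."""
    words = list(words)
    if len(words) % 2 == 0:
        words.append(0x60000000)   # nop pad so the 00000000 terminator ends the last line
    words.append(0x00000000)
    lines = [f"C2{hook_addr & 0x01FFFFFF:06X} {len(words) // 2:08X}"]
    lines += [f"{words[i]:08X} {words[i + 1]:08X}" for i in range(0, len(words), 2)]
    return "\n".join(lines)


PLAYER1_NO_DAMAGE = """
cmpwi r5,0      # are we player 1?
bne- THE_END    # if not, branch to the end
cmpwi r0,0      # are we hurting player 1? (is r0 negative)
bge- THE_END    # if not, branch to the end
li r0,0         # don't hurt player 1!
THE_END:
add. r0,r3,r0   # original instruction
"""

if __name__ == "__main__":
    print(gecko_c2(0x803CB648, assemble(PLAYER1_NO_DAMAGE)))
```

Because the label is resolved at assembly time, inserting a nop before the bge- changes the first branch from 40820010 to 40820014 without any hand editing, exactly as in the two listings above, and the same source with a different hook address packs into a different C2 header. Anything outside this small instruction set raises an error rather than silently emitting a wrong word.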
Quote from: dcx2 on October 10, 2010, 12:05:35 AM
THE_END is a branch label. When a branch is taken, execution will "jump" over some instructions, and execution "lands" where the label is. This allows us to "skip" the li r0,0 if we are hurting an enemy OR if we are healing the player. For instance, the assembled code is
C23CB648 00000004
2C050000 40820010
2C000000 40800008
38000000 7C030215
60000000 00000000
If you run that backwards through PyiiASMH, you get
cmpwi r5,0
bne- 0x0010
cmpwi r0,0
bge- 0x0010
li r0,0
add. r0,r3,r0
Referring to that, it is working like a charm.
Thx for letting me know the branch label stuff.
If you need help with anything, don´t hesitate to PM me (if I can help you there)
... I am stuck again. :(
[spoiler]Breakpoint Execute: 803B7648
If the player does something....
CR:44000000 XER:00000000 CTR:00000004 DSIS:00000000
DAR:00000000 SRR0:803B7648 SRR1:00009032 LR:803B75F0
r0:0000001E r1:80F66328 r2:80648600 r3:00000000
r4:92485320 r5:92485320 r6:00000000 r7:00000000
r8:00000000 r9:00000000 r10:92488060 r11:80F66328
r12:803B6AA8 r13:806452C0 r14:00000008 r15:00000002
r16:00000000 r17:00000004 r18:00000000 r19:00000004
r20:00000000 r21:92482F00 r22:92485320 r23:00000001
If an enemy does something...
CR:44000000 XER:00000000 CTR:00000002 DSIS:00000000
DAR:00000000 SRR0:803B7648 SRR1:00009032 LR:803B75F0
r0:00000004 r1:80F66328 r2:80648600 r3:00000002
r4:924853E2 r5:92485360 r6:00000001 r7:00000002
r8:00000000 r9:00000000 r10:91C8E1D4 r11:80F66328
r12:803B6AA8 r13:806452C0 r14:00000008 r15:00000002
r16:00000000 r17:00000004 r18:00000000 r19:00000004
r20:00000000 r21:92482F00 r22:92485320 r23:00000001
803B7648: 7C170050 sub r0,r0,r23
803B764C: 98042D6C stb r0,11628(r4)
803B7650: 4800000C b 0x803b765c
803B7654: 38000000 li r0,0
803B7658: 98042D6C stb r0,11628(r4)[/spoiler]
Let´s say that r6 is the right register for the compares.
My code should do the following:
If r6 is 0
nop the instruction (sub r0,r0,r23)
if it´s not 0, go to the next line
if r6 is 1
load immediate r0 with a value of 0 and do
sub r0,r0,r23
the end
-> this code should allow me infinite "attacks", but when my enemy attacks, they go to 0 and run out next time.
my attempts:
[spoiler]
cmpwi r6, 0
beq- NOP
cmpwi r6, 1
beq- NO_AP
NOP:
nop
NO_AP:
li r0, 0
sub r0, r0, r23[/spoiler]
Quote
cmpwi r6, 0
beq- NOP
cmpwi r6, 1
beq- NO_AP
NOP:
nop
NO_AP:
li r0, 0
sub r0, r0, r23
In the code you made, instructions after NO_AP: will be executed regardless of r6 :(
If you want to give infinite attacks to the player, and finite attacks to enemies, the code would be like this:
cmpwi r6, 1
bne- _end
sub r0, r0, r23
_end:
cmpwi r6, 1
bne- _end
sub r0, r0, r23
_end:
wait, the code should give the player infinite attacks and the opponent 0 (li r0,0 in this case)!
How would it look like then?
Quote from: Bully@Wiiplaza on October 31, 2010, 11:40:09 AM
the code should give the player infinite attacks and the opponent 0 (li r0,0 in this case)!
Okay, then the code becomes:
cmpwi r6, 1
bne- _end
li r0,0
_end:
In the case where r6 is 0, it will branch over the instruction, effectively "doing nothing". You don't need to manually insert a nop.
Note that this is a special case where the anti-code (sub r0,r0,r23) is not required to be in the code. Normally we are very careful to include the anti-code. However, the destination register rD of the anti-code is r0, so as long as r0 has a valid value in it by the end of the code, it won't crash. If r6 is 0, the value in r0 is unchanged (i.e. no more sub -> infinite player attacks). If r6 is 1, the value in r0 becomes 0 (i.e. li replaces sub -> zero enemy attacks)
yes nice work :)
does its job properly.
[spoiler]
C23B7648 00000002
2C060001 40820008
38000000 00000000
[/spoiler]
another game:
[spoiler]player attacks and hurts the enemy:
CR:44004488 XER:00000000 CTR:80096060 DSIS:02400000
DAR:80D6039C SRR0:8009606C SRR1:0000B032 LR:80083214
r0:00000001 r1:8049A4E8 r2:8048FA20 r3:80D603C4
r4:00000002 r5:0001005F r6:803778FC r7:00000005
r8:00000000 r9:803A21F0 r10:80499FE4 r11:FFFFFFFF
r12:80096060 r13:8048BDA0 r14:00000008 r15:8049A5F0
r16:00000001 r17:00000001 r18:80375038 r19:80373D00
r20:8036F2F0 r21:00000002 r22:00000002 r23:80320000
r24:80318CBC r25:00000003 r26:00000000 r27:80318C80
r28:80D49914 r29:80C65064 r30:80C2A864 r31:0000000F
enemy attacks, hurts the player:
CR:44004488 XER:00000000 CTR:80096060 DSIS:02400000
DAR:80D6039C SRR0:8009606C SRR1:0000B032 LR:80083214
r0:00000001 r1:8049A4E8 r2:8048FA20 r3:80D603C4
r4:800E08D8 r5:00000000 r6:00000001 r7:00001479
r8:D9900051 r9:00001479 r10:D9900051 r11:8049A398
r12:80096060 r13:8048BDA0 r14:00000008 r15:8049A5F0
r16:00000000 r17:00000000 r18:80375038 r19:80373D00
r20:8036F2F0 r21:00000002 r22:00000002 r23:80320000
r24:80318CBC r25:00000003 r26:00000000 r27:80318C80
r28:80D49914 r29:80C65064 r30:80C2A864 r31:0000000F[/spoiler]
8009606C: stfs f1,8(r3) -> Health instruction
r17 seems to be a good candidate... it always matched the player's pattern above.
cmpwi r17, 1
bne- _end
stfs f1,8(r3)
_end:
C209606C 00000002
2C110001 40820008
D0230008 00000000
this code should give the player infinite health and the enemy normal health, but somehow the code makes both players invincible even with the bne in it... but why? :eek: