Okay, I have a problem with a pointer-in-pointer code.
Here are 3 results:
[[8043DD04]+F4]+3624
[[80452AC8]+F4]+3624
[[80BA962C]+8704]+16CC
48000000 8043DD04 <--- load into pointer
DE000000 80008180 <--- check line
58010000 00000000 <--- load into pointer 2*
4A100000 000000F4 <-- go F4 bytes forward
58010000 00000000 <-- load into pointer 3*
4A100000 00003624 <-- go 3624 bytes forward
14000000 40100000 <-- write 40100000
14000004 40100000
14000008 40100000
E0000000 80008000 <-- end
And the result: it freezes....
What's wrong? o,o
Hmmm, yep, thanks, but it freezes too....
What about this?
48000000 8043DD04 <--- load into pointer
DE000000 80008180 <--- check line
4A100000 000000F4 <--- go F4 bytes forward
58010000 00000000 <--- load into pointer 2*
4A100000 00003624 <--- go 3624 bytes forward
16000000 0000000C <-- write 40100000
40100000 40100000
40100000 00000000
E0000000 80008000 <-- end
Now it works, but in level 2 it freezes....
Invisible [Deathwolf]
282DBEC2 0000YYYY
48000000 80C8FF44
DE000000 80008180
58010000 00000000
1400000D 00000000
E0000000 80008000
282DBEC2 0000YYYY
48000000 80C8FF44
DE000000 80008180
58010000 00000000
1400000D 00000101
E0000000 80008000
lol yes, my fail, thanks xD
Yes, pointer-in-pointer doesn't always work. ASM is sometimes better than 48, but it doesn't work for this: it changes more floats with one ASM code, so it fails....
There are ways to do it in ASM. You could add a check that makes sure you're only writing to the float you want. You could walk the stack and use a different C2 hook address. You could find a totally unrelated hook that only runs for the object you're interested in and use that hook instead.
---
However, you can check your pointer-in-pointer. I added a new feature recently that makes following pointers easier. Load the latest Gecko.NET (the one from Google Code). Go to Memory Viewer.
Go to address 8043DD04. 8043DD04
Double-click it. [8043DD04]
Right-click on the new address -> "Add Offset" -> F4. [8043DD04]+F4
Double-click it. [[8043DD04]+F4]
Right-click on the new address -> "Add Offset" -> 3624. [[8043DD04]+F4]+3624
Now, make sure you're looking at the floats you want.
---
Alternatively, I could guide you through using the disassembler's Copy Function and Call Stack list box.
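The pointer chain the posts above are following, as an added example that is not part of the thread: a Python resolver that walks "[[8043DD04]+F4]+3624" over a memory image the way the Memory Viewer steps do, rejects a dereferenced value outside the range I read off the DE000000 80008180 check line (80000000 to 81800000), and emits the 48/58/4A/16 lines of the working list from the meanings the poster annotated next to each line. The memory contents are constructed so that the chain ends on 80A9F7B4; the game's real layout is not on the page. Feeding the first list's sequence (load, load, +F4, load, +3624) through the same resolver shows the extra 58 line dereferencing a float rather than a pointer.

```python
# Added example (mine, not from the thread): follow a pointer chain written as
# "[[8043DD04]+F4]+3624" over a memory image, with a MEM1 range check standing in
# for the "DE000000 80008180" check line, and emit the 48/58/4A/16 lines the
# working code list uses. Memory contents below are constructed; the game's real
# layout is unknown to me.
import re

MEM1_LO, MEM1_HI = 0x80000000, 0x81800000   # range I read off "80008180"; assumption


class Memory:
    """Sparse image of 32-bit big-endian words, constructed for this example."""

    def __init__(self, words):
        self.words = dict(words)

    def read32(self, addr):
        if addr & 3:
            raise ValueError(f"unaligned read at {addr:08X}")
        return self.words.get(addr, 0)


def parse_chain(expr):
    """'[[8043DD04]+F4]+3624' -> (0x8043DD04, [deref, add F4, deref, add 3624])."""
    expr = expr.replace(" ", "")
    depth = len(expr) - len(expr.lstrip("["))
    m = re.match(r"\[*([0-9A-Fa-f]+)", expr)
    base, rest = int(m.group(1), 16), expr[m.end():]
    steps = []
    for _ in range(depth):
        if not rest.startswith("]"):
            raise ValueError(f"expected ']' at {rest!r}")
        steps.append(("deref", 0))
        rest = rest[1:]
        m = re.match(r"\+([0-9A-Fa-f]+)", rest)
        if m:
            steps.append(("add", int(m.group(1), 16)))
            rest = rest[m.end():]
    if rest:
        raise ValueError(f"trailing text {rest!r}")
    return base, steps


def resolve(mem, base, steps, lo=MEM1_LO, hi=MEM1_HI):
    """Walk the chain. A dereferenced value outside [lo, hi) is treated as the
    failure the check line exists to catch, instead of writing through it."""
    po = base
    for op, n in steps:
        if op == "deref":
            po = mem.read32(po)
            if not lo <= po < hi:
                raise ValueError(f"pointer {po:08X} outside {lo:08X}-{hi:08X}")
        elif op == "add":
            po = (po + n) & 0xFFFFFFFF
        else:
            raise ValueError(op)
    return po


def to_gecko(base, steps, data):
    """Code list for a chain plus a string write of `data` at the final address,
    using the line meanings annotated in the thread: 48 = po = [addr],
    DE = check po, 58 = po = [po], 4A1 = po += n, 16 = write bytes at po."""
    if not steps or steps[0] != ("deref", 0):
        raise ValueError("chain must start by loading a pointer")
    lines = [f"48000000 {base:08X}", "DE000000 80008180"]
    for op, n in steps[1:]:
        lines.append("58010000 00000000" if op == "deref" else f"4A100000 {n:08X}")
    lines.append(f"16000000 {len(data):08X}")
    padded = data + b"\0" * (-len(data) % 8)          # whole 8-byte lines
    for i in range(0, len(padded), 8):
        lines.append(f"{padded[i:i+4].hex().upper()} {padded[i+4:i+8].hex().upper()}")
    lines.append("E0000000 80008000")
    return lines


# Constructed memory: one static pointer, one pointer at +F4, three 1.0f floats.
MEM = Memory({
    0x8043DD04: 0x80A9B000,      # static pointer to an object
    0x80A9B000: 0x3F800000,      # first field of that object: a float, NOT a pointer
    0x80A9B0F4: 0x80A9C190,      # object+F4: pointer to the next structure
    0x80A9F7B4: 0x3F800000, 0x80A9F7B8: 0x3F800000, 0x80A9F7BC: 0x3F800000,
})

WORKING_CHAIN = "[[8043DD04]+F4]+3624"
# What the first post's list does, line by line: 48 (load), 58 (load), 4A F4, 58, 4A 3624.
FIRST_ATTEMPT = [("deref", 0), ("deref", 0), ("add", 0xF4), ("deref", 0), ("add", 0x3624)]


def first_attempt_fails():
    """Return the resolver's complaint about the first list, or None if it resolves."""
    try:
        resolve(MEM, 0x8043DD04, FIRST_ATTEMPT)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    base, steps = parse_chain(WORKING_CHAIN)
    print(f"{WORKING_CHAIN} -> {resolve(MEM, base, steps):08X}")
    print("\n".join(to_gecko(base, steps, bytes.fromhex("401000004010000040100000"))))
    print("first attempt:", first_attempt_fails())
```

Here the range check is a hard failure so the bad chain is visible; the real DE line only decides whether the following lines run. to_gecko turns the first dereference into the 48 line with the DE check right after it, and pads the string write to whole 8-byte lines, which is where the 0000000C plus two data lines of the working list come from.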
Okay, let's break those 3 floats.
80A9F7B4 80A9F7B8 80A9F7BC
3F800000 3F800000 3F800000
Read breakpoint on 80A9F7B4:
801183BC: C03F0008 lfs f1,8(r31)
801183C0: 4809A0F9 bl 0x801b24b8
801183C4: FFA00890 fmr f29,f1
801183C8: C03F0000 lfs f1,0(r31)
801183CC: 4809A0C5 bl 0x801b2490
801183D0: FFC00890 fmr f30,f1
801183D4: C03F0004 lfs f1,4(r31)
801183D8: 4809A0B9 bl 0x801b2490
801183DC: FFE00890 fmr f31,f1
801183E0: C03F0008 lfs f1,8(r31)
801183E4: 4809A0AD bl 0x801b2490
801183E8: ECFD07B2 fmuls f7,f29,f30
801183EC: C002AD10 lfs f0,-21232(r2)
801183F0: ED0106F2 fmuls f8,f1,f27
801183F4: EC4107F2 fmuls f2,f1,f31
801183F8: D01E000C stfs f0,12(r30)
Read breakpoint on 80A9F7B8:
801182E8: C1240004 lfs f9,4(r4)
801182EC: ED030272 fmuls f8,f3,f9
801182F0: C0230014 lfs f1,20(r3)
801182F4: C0030024 lfs f0,36(r3)
801182F8: EC810272 fmuls f4,f1,f9
801182FC: C0C30008 lfs f6,8(r3)
80118300: EC200272 fmuls f1,f0,f9
80118304: C0E40008 lfs f7,8(r4)
80118308: C0630018 lfs f3,24(r3)
8011830C: C0030028 lfs f0,40(r3)
80118310: ECC601F2 fmuls f6,f6,f7
80118314: EC6301F2 fmuls f3,f3,f7
80118318: D1430000 stfs f10,0(r3)
8011831C: EC0001F2 fmuls f0,f0,f7
80118320: D1030004 stfs f8,4(r3)
80118324: D0C30008 stfs f6,8(r3)
Read breakpoint on 80A9F7BC:
801182E8: C1240004 lfs f9,4(r4)
801182EC: ED030272 fmuls f8,f3,f9
801182F0: C0230014 lfs f1,20(r3)
801182F4: C0030024 lfs f0,36(r3)
801182F8: EC810272 fmuls f4,f1,f9
801182FC: C0C30008 lfs f6,8(r3)
80118300: EC200272 fmuls f1,f0,f9
80118304: C0E40008 lfs f7,8(r4)
80118308: C0630018 lfs f3,24(r3)
8011830C: C0030028 lfs f0,40(r3)
80118310: ECC601F2 fmuls f6,f6,f7
80118314: EC6301F2 fmuls f3,f3,f7
80118318: D1430000 stfs f10,0(r3)
8011831C: EC0001F2 fmuls f0,f0,f7
80118320: D1030004 stfs f8,4(r3)
80118324: D0C30008 stfs f6,8(r3)
So 80A9F7B8 and 80A9F7BC are the same.
Try the first C2 on 801183BC.
stwu r1,-80(r1) <-- make an 80-byte stack frame
stmw r14,8(r1) <-- save r14-r31 into it
lis r12,0x4000 <-- r12 = 40000000
ori r12,r12,0x0000
stw r12,8(r31) <-- store r12 at 8(r31)
lfs f1,8(r31) <-- the original instruction at 801183BC
lmw r14,8(r1) <-- restore r14-r31
addi r1,r1,80 <-- drop the stack frame
assembly:
C21183BC 00000005
9421FFB0 BDC10008
3D804000 618C0000
919F0008 C03F0008
B9C10008 38210050
60000000 00000000
Now the first fail:
It's the wrong address. It writes 4 bytes backward. (40000000 3F800000 3F800000 3F800000)
You aren't using Exact breakpoint. That is why you have trouble.
Set your Read breakpoint on 80A9F7B4. Once it hits, right-click Show Mem. I bet you the address is actually 80A9F7B0.
If Exact is not checked, then a breakpoint will hit anywhere within an 8-byte range. So when you specify 80A9F7B4, you will actually hit any time any address from 80A9F7B0 to 80A9F7B7 is read.
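dcx2's 8-byte rule, as an added example of mine rather than anything from the thread: decode the D-form load or store the breakpoint stopped on, compute its effective address from a register value, and check it against the watched address both with and without Exact. The r31 value 80A9F7A8 is an assumption picked so that lfs f1,8(r31) reads 80A9F7B0, as dcx2 predicts; the page does not give the real r31. r4 = 80A9F7B4 is what the later, Exact breakpoint found. Exact is taken to mean the access address equals the watched address, which is my reading of the checkbox.

```python
# Added example, not from the thread: decode the load the read breakpoint stopped
# on, compute its effective address from a register value, and apply the 8-byte
# rule dcx2 describes for a non-Exact breakpoint. The r31 value used below is an
# assumption chosen so the access lands on 80A9F7B0; the real value is not on the page.

D_FORM_OPCODES = {32: "lwz", 36: "stw", 37: "stwu", 46: "lmw", 47: "stmw",
                  48: "lfs", 52: "stfs"}


def decode_dform(word):
    """(mnemonic, rT/rS, rA, signed displacement) for a D-form load or store."""
    opcode = word >> 26
    if opcode not in D_FORM_OPCODES:
        raise ValueError(f"{word:08X}: not a D-form load/store this decoder knows")
    rt, ra, d = (word >> 21) & 0x1F, (word >> 16) & 0x1F, word & 0xFFFF
    if d & 0x8000:                      # the 16-bit displacement is sign-extended
        d -= 0x10000
    return D_FORM_OPCODES[opcode], rt, ra, d


def effective_address(word, regs):
    """EA = (rA|0) + d; rA = 0 means the constant 0, not r0."""
    _, _, ra, d = decode_dform(word)
    return ((0 if ra == 0 else regs[ra]) + d) & 0xFFFFFFFF


def breakpoint_hits(watch, ea, exact):
    """Exact: the access address must equal the watched address (my reading of
    the checkbox). Non-Exact: any access in the same aligned 8-byte block fires,
    which is the doubleword granularity of the PowerPC data address breakpoint."""
    if exact:
        return ea == watch
    return (ea & ~7) == (watch & ~7)


def explain_hit(word, regs, watch):
    """Describe one breakpoint stop: what was executed, where it really accessed."""
    mnem, rt, ra, d = decode_dform(word)
    ea = effective_address(word, regs)
    return {
        "instruction": f"{mnem} {'f' if mnem in ('lfs', 'stfs') else 'r'}{rt},{d}(r{ra})",
        "ea": ea,
        "non_exact_hits": breakpoint_hits(watch, ea, exact=False),
        "exact_hits": breakpoint_hits(watch, ea, exact=True),
    }


# The first hook: a breakpoint on 80A9F7B4 without Exact stopped at 801183BC,
# "lfs f1,8(r31)". With r31 = 80A9F7A8 (assumed) that load reads 80A9F7B0.
FIRST_HIT = explain_hit(0xC03F0008, {31: 0x80A9F7A8}, 0x80A9F7B4)
# So the hook's "stw r12,8(r31)" landed one word before the float it was meant for.
FIRST_STORE_EA = effective_address(0x919F0008, {31: 0x80A9F7A8})
# The second hook at 801182CC, "lfs f2,0(r4)", found with Exact checked.
SECOND_HIT = explain_hit(0xC0440000, {4: 0x80A9F7B4}, 0x80A9F7B4)

if __name__ == "__main__":
    print(FIRST_HIT, f"store went to {FIRST_STORE_EA:08X}")
    print(SECOND_HIT)
```

The decoder also reads the "lfs f0,-21232(r2)" line from the first listing correctly (C002AD10 has displacement AD10, which is -21232 once sign-extended), which is a quick way to sanity-check a hand-decoded word before trusting an address derived from it.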
So okay, I've tried what you said, dcx2.
New address:
801182CC: C0440000 lfs f2,0(r4)
stwu r1,-80(r1)
stmw r14,8(r1)
lis r12,0x4000
ori r12,r12,0x0000
stw r12,0(r4)
lfs f2,0(r4)
lmw r14,8(r1)
addi r1,r1,80
C21182CC 00000005
9421FFB0 BDC10008
3D804000 618C0000
91840000 C0440000
B9C10008 38210050
60000000 00000000
Yes, now it changes the right address, BUT there is another problem....
It also changes some other floats! That's the problem with this and ASM.
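The C2 hooks above re-encoded, plus the guarded version dcx2 suggested near the start of the thread, as an added example of mine and not code from the thread. The assembler below handles only the instructions used in this thread, packs them into a C2 code the way vdappc did (header with line count, word pairs, nop padding, 00000000 last), and is checked against the hex the poster pasted. The guarded hook compares r4 with 80A9F7B4 before storing, so the other floats the same function is fed are left alone. That address is the one from the poster's breakpoint; assuming it stays the same between levels is exactly as fragile as the pointer code turned out to be, so treat it as a placeholder for whatever identifies the right object. r12 and cr0 are not used anywhere in the hooked function as listed (801182C8 to 80118340), so this version skips the stack frame the poster's hook set up.

```python
# Added example, not from the thread: a small encoder for the PowerPC
# instructions this thread uses, packing a routine into a C2 code the way vdappc
# did for the poster. Checked against the hex pasted above, then used to emit the
# guarded hook dcx2 suggested. 80A9F7B4 below is an assumption taken from the
# poster's breakpoint, not a known-stable address.
import re

D_FORM = {"addi": 14, "addis": 15, "ori": 24, "lwz": 32, "stw": 36, "stwu": 37,
          "lmw": 46, "stmw": 47, "lfs": 48, "stfs": 52}
LOAD_STORE = {"lwz", "stw", "stwu", "lmw", "stmw", "lfs", "stfs"}
COND_BRANCH = {"beq": (12, 2), "bne": (4, 2)}     # (BO, BI) for cr0.EQ set / clear


def reg(s):
    m = re.fullmatch(r"[rf]([0-9]|[12][0-9]|3[01])", s)
    if not m:
        raise ValueError(f"bad register {s!r}")
    return int(m.group(1))


def mem(s):                                       # "8(r31)" -> (8, 31)
    m = re.fullmatch(r"(-?(?:0x)?[0-9A-Fa-f]+)\((r\d+)\)", s)
    if not m:
        raise ValueError(f"bad memory operand {s!r}")
    return int(m.group(1), 0), reg(m.group(2))


def d_form(op, rt, ra, d):
    if not -0x8000 <= d <= 0xFFFF:
        raise ValueError(f"immediate {d} does not fit in 16 bits")
    return (op << 26) | (rt << 21) | (ra << 16) | (d & 0xFFFF)


def encode(mnem, args, pc, labels):
    """One instruction -> word. Branches are label-relative only: a C2 body runs
    wherever the code handler places it, so absolute targets mean nothing here."""
    if mnem == "lis":                             # addis rD,0,imm
        return d_form(15, reg(args[0]), 0, int(args[1], 0))
    if mnem in ("addi", "addis"):
        return d_form(D_FORM[mnem], reg(args[0]), reg(args[1]), int(args[2], 0))
    if mnem == "ori":                             # written rA,rS,imm; encoded rS<<21, rA<<16
        return d_form(24, reg(args[1]), reg(args[0]), int(args[2], 0))
    if mnem in LOAD_STORE:
        d, ra = mem(args[1])
        return d_form(D_FORM[mnem], reg(args[0]), ra, d)
    if mnem == "cmpw":                            # cmp cr0,0,rA,rB
        return (31 << 26) | (reg(args[0]) << 16) | (reg(args[1]) << 11)
    if mnem in COND_BRANCH:
        bo, bi = COND_BRANCH[mnem]
        return (16 << 26) | (bo << 21) | (bi << 16) | ((labels[args[0]] - pc) & 0xFFFC)
    raise ValueError(f"unsupported mnemonic {mnem!r}")


def assemble_c2(hook, source):
    """Assemble `source` (one instruction per line, '#' comments, 'name:' labels)
    into C2 lines: header with line count, word pairs, nop padding, 00000000 last."""
    if not 0x80000000 <= hook < 0x81000000 or hook & 3:
        raise ValueError(f"hook {hook:08X} is not a word address in 80xxxxxx")
    text = [t for t in (l.split("#")[0].strip() for l in source.splitlines()) if t]
    labels, pc = {}, 0
    for line in text:                             # pass 1: label offsets
        if line.endswith(":"):
            labels[line[:-1]] = pc
        else:
            pc += 4
    words = []
    for line in (l for l in text if not l.endswith(":")):   # pass 2: encode
        mnem, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest.strip() else []
        words.append(encode(mnem, args, 4 * len(words), labels))
    if len(words) % 2 == 0:                       # last word of the last line must be 0
        words.append(0x60000000)                  # nop
    words.append(0)
    lines = [f"C2{hook - 0x80000000:06X} {len(words) // 2:08X}"]
    return lines + [f"{words[i]:08X} {words[i + 1]:08X}" for i in range(0, len(words), 2)]


# The poster's first hook for 801183BC, as written above; vdappc's output is the reference.
POSTER_HOOK = """
stwu r1,-80(r1)
stmw r14,8(r1)
lis r12,0x4000
ori r12,r12,0x0000
stw r12,8(r31)
lfs f1,8(r31)
lmw r14,8(r1)
addi r1,r1,80
"""

# Guarded hook for 801182CC: write 2.0f only when r4 is the one float we want.
# 80A9F7B4 is assumed from the poster's breakpoint. r12 and cr0 are untouched by
# the hooked function (801182C8-80118340 in the thread), so no stack frame is needed.
GUARDED_HOOK = """
lis r12,0x80A9
ori r12,r12,0xF7B4
cmpw r4,r12
bne skip
lis r12,0x4000        # 0x40000000 = 2.0f
stw r12,0(r4)
skip:
lfs f2,0(r4)          # the instruction C2 replaced, executed on both paths
"""

if __name__ == "__main__":
    print("\n".join(assemble_c2(0x801183BC, POSTER_HOOK)))
    print("\n".join(assemble_c2(0x801182CC, GUARDED_HOOK)))
```

The conditional branch is encoded relative to the label because the code handler copies the C2 body into its own area before running it; a bl to an absolute game address is deliberately unsupported for the same reason. The original lfs must appear on both paths, since C2 replaces the instruction at the hook address and the code still has to perform that load.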
Now you have a better hook.
What are you trying to do? A size modifier? What other floats are being affected?
Go to 801182CC in disassembler, right-click, Copy Function, and paste that into a spoiler here.
Also, double-click the Call Stack list box, wait for it to fill up, right click, Copy All, and paste that too.
Yes, a partial size modifier.
[spoiler]801182C8: C0630000 lfs f3,0(r3)
801182CC: C0440000 lfs f2,0(r4)
801182D0: C0230010 lfs f1,16(r3)
801182D4: ED4300B2 fmuls f10,f3,f2
801182D8: C0030020 lfs f0,32(r3)
801182DC: ECA100B2 fmuls f5,f1,f2
801182E0: C0630004 lfs f3,4(r3)
801182E4: EC4000B2 fmuls f2,f0,f2
801182E8: C1240004 lfs f9,4(r4)
801182EC: ED030272 fmuls f8,f3,f9
801182F0: C0230014 lfs f1,20(r3)
801182F4: C0030024 lfs f0,36(r3)
801182F8: EC810272 fmuls f4,f1,f9
801182FC: C0C30008 lfs f6,8(r3)
80118300: EC200272 fmuls f1,f0,f9
80118304: C0E40008 lfs f7,8(r4)
80118308: C0630018 lfs f3,24(r3)
8011830C: C0030028 lfs f0,40(r3)
80118310: ECC601F2 fmuls f6,f6,f7
80118314: EC6301F2 fmuls f3,f3,f7
80118318: D1430000 stfs f10,0(r3)
8011831C: EC0001F2 fmuls f0,f0,f7
80118320: D1030004 stfs f8,4(r3)
80118324: D0C30008 stfs f6,8(r3)
80118328: D0A30010 stfs f5,16(r3)
8011832C: D0830014 stfs f4,20(r3)
80118330: D0630018 stfs f3,24(r3)
80118334: D0430020 stfs f2,32(r3)
80118338: D0230024 stfs f1,36(r3)
8011833C: D0030028 stfs f0,40(r3)
80118340: 4E800020 blr
[/spoiler]
Call Stack:
[spoiler]801182CC
80044C04
80119D7C
8011CF58
800681D4
80067A78
80067854
80099140
8009946C
80098DA0
80106B5C
80105B4C
80151EEC
8017EBC8
[/spoiler]
MOD EDIT: spoilers are easier to read. code block has tiny print, makes me go blind
Okay. Go to breakpoint tab, click "Log Steps". Save the file somewhere and remember it.
Set an execute on 80118340. Then press "Set" again. And again. Do this about 20 times. We are collecting LR values in the log to see if there are others calling this function. Once you've set about 20 execute breakpoints on 80118340, copy and paste the log to a spoiler
vdappc.exe not found!
You should have vdappc already. Make sure it's in the same folder as the Gecko.NET you're running. If you need, it should be in the same directory as WiiRD, too.
Wait...how did you do Copy Function without vdappc?!
EDIT: thinking about this...did you put the log in a folder that wasn't the same folder that you run Gecko.NET from?
Oh lol, now it works.
BPSteps:
[spoiler]80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08[/spoiler]
Quote from: dcx2 on October 10, 2010, 08:14:32 PM
Wait...how did you do Copy Function without vdappc?!
EDIT: thinking about this...did you put the log in a folder that wasn't the same folder that you run Gecko.NET from?
Yes, first I saved it in another folder, but now it works.
Weird, I'll look into that. Anyway...
It's always the same caller. The pointer we want is in r4...but how did it get there? Copy Function on 80044C04 - that is who gave us r4.
Wrong address?
BTW, it's for Resident Evil...
Functions call functions call functions call functions call...
There is a list. We call it the Call Stack. It shows who called who. You pasted it a few posts back...if you look at it, you'll see that 80044C04 is who called the function that your breakpoint finds.
You need to step back to the caller and see what's going on. So go to disassembler, go to 80044C04 , and Copy Function, then paste that into a spoiler.
[spoiler]80044BD0: 9421FFF0 stwu r1,-16(r1)
80044BD4: 7C0802A6 mflr r0
80044BD8: 90010014 stw r0,20(r1)
80044BDC: 93E1000C stw r31,12(r1)
80044BE0: 7C7F1B78 mr r31,r3
80044BE4: 3863003C addi r3,r3,60
80044BE8: 389F00A0 addi r4,r31,160
80044BEC: 480D3775 bl 0x80118360
80044BF0: 387F003C addi r3,r31,60
80044BF4: 389F0094 addi r4,r31,148
80044BF8: 480D374D bl 0x80118344
80044BFC: 387F003C addi r3,r31,60
80044C00: 389F00AC addi r4,r31,172
80044C04: 480D36C5 bl 0x801182c8
80044C08: 387F003C addi r3,r31,60
80044C0C: 389F000C addi r4,r31,12
80044C10: 4813CE45 bl 0x80181a54
80044C14: 80010014 lwz r0,20(r1)
80044C18: 83E1000C lwz r31,12(r1)
80044C1C: 7C0803A6 mtlr r0
80044C20: 38210010 addi r1,r1,16
80044C24: 4E800020 blr
[/spoiler]
Awesome. Now, look carefully at this.
[spoiler]
80044BD0: 9421FFF0 stwu r1,-16(r1)
80044BD4: 7C0802A6 mflr r0
80044BD8: 90010014 stw r0,20(r1)
80044BDC: 93E1000C stw r31,12(r1)
80044BE0: 7C7F1B78 mr r31,r3
80044BE4: 3863003C addi r3,r3,60
80044BE8: 389F00A0 addi r4,r31,160
80044BEC: 480D3775 bl 0x80118360
80044BF0: 387F003C addi r3,r31,60
80044BF4: 389F0094 addi r4,r31,148
80044BF8: 480D374D bl 0x80118344
80044BFC: 387F003C addi r3,r31,60
80044C00: 389F00AC addi r4,r31,172
80044C04: 480D36C5 bl 0x801182c8 <-- this bl
80044C08: 387F003C addi r3,r31,60
80044C0C: 389F000C addi r4,r31,12
80044C10: 4813CE45 bl 0x80181a54
80044C14: 80010014 lwz r0,20(r1)
80044C18: 83E1000C lwz r31,12(r1)
80044C1C: 7C0803A6 mtlr r0
80044C20: 38210010 addi r1,r1,16
80044C24: 4E800020 blr
[/spoiler]
Do you remember the function you found with the read breakpoint? It starts with 801182C8. Do you see the bl at 80044C04 in the spoiler? That's the call! That is how this function connects to the other function.
In the function you just pasted, look at 80044BE0. It takes the value given to it by r3 and puts it into r31. This is your pointer! If you were to Log Steps with an Execute Breakpoint on 80044BE0, you could compile a list of all the pointers that are used by this function.
Look at 80044C00. It takes the pointer in r31, adds 172 (that's your offset!), and puts the new pointer into r4. Then it calls 0x801182c8, which is your read-breakpoint function.
---
We need to walk the stack more. Where did r3 come from? Go back to the call stack; the third entry is 80119D7C, so go to that in disassembler and Copy Function again.
---
BTW: what are you trying to do? A size modifier? What other floats are being affected? Other players?
[spoiler]80119D60: 9421FFF0 stwu r1,-16(r1)
80119D64: 7C0802A6 mflr r0
80119D68: 90010014 stw r0,20(r1)
80119D6C: 93E1000C stw r31,12(r1)
80119D70: 83E300F4 lwz r31,244(r3)
80119D74: 48000010 b 0x80119d84
80119D78: 7FE3FB78 mr r3,r31
80119D7C: 4BF2AE55 bl 0x80044bd0
80119D80: 83FF00F4 lwz r31,244(r31)
80119D84: 2C1F0000 cmpwi r31,0
80119D88: 4082FFF0 bne+ 0x80119d78
80119D8C: 80010014 lwz r0,20(r1)
80119D90: 83E1000C lwz r31,12(r1)
80119D94: 7C0803A6 mtlr r0
80119D98: 38210010 addi r1,r1,16
80119D9C: 4E800020 blr
[/spoiler]
What are you trying to do? / A partial size modifier for Resident Evil 4.
What other floats are being affected? Other players? / Yes, it changes some other floats near the real address. It should only change one address and one thing of this part.
[spoiler]80119D60: 9421FFF0 stwu r1,-16(r1)
80119D64: 7C0802A6 mflr r0
80119D68: 90010014 stw r0,20(r1)
80119D6C: 93E1000C stw r31,12(r1)
80119D70: 83E300F4 lwz r31,244(r3)
80119D74: 48000010 b 0x80119d84
80119D78: 7FE3FB78 mr r3,r31
80119D7C: 4BF2AE55 bl 0x80044bd0
80119D80: 83FF00F4 lwz r31,244(r31)
80119D84: 2C1F0000 cmpwi r31,0
80119D88: 4082FFF0 bne+ 0x80119d78
80119D8C: 80010014 lwz r0,20(r1)
80119D90: 83E1000C lwz r31,12(r1)
80119D94: 7C0803A6 mtlr r0
80119D98: 38210010 addi r1,r1,16
80119D9C: 4E800020 blr
[/spoiler]
Now this is getting hard. Do you see the bne+ @ '88? That means there's a loop. That's why this function is being called so much, and writing to many floats.
Do you see the lwz r31 @ '80? That's a high-level programming structure called a "Linked List". It will be very, very hard to do this hack. Each time '80 is executed, your pointer search becomes pointer-in-pointer. If '80 is executed again, we are now pointer-in-pointer-in-pointer. If '80 executes again....four pointers.
---
You may want to abandon this hack. It is becoming very difficult to do. But hopefully you learned a lot...at least how to deal with Exact breakpoints.
Or you can try to Log Steps and set a lot of Execute Breakpoints on 80119D78. Then look at the log. You will have a bunch of pointers. Look at these pointers in Memory Viewer. See if there's any way you can tell them apart. Maybe there is some value at a memory address that you can use to guess when you're processing the right pointer.
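The two things dcx2 is doing by hand above, tallying LR values from a Log Steps file and reading bl/bne targets out of a Copy Function listing, as an added Python example of mine (not from the thread). It parses the log and listing formats as pasted here, maps each LR back to its bl at LR - 4, decodes every branch target from the raw opcode word to confirm what the disassembler printed, and flags conditional backward branches, which is what the bne+ at 80119D88 is. The input strings are the thread's own lines, trimmed to the branch-relevant ones; the 20-line log is cut to three since all were identical.

```python
# Added example, not from the thread: parse the BPSteps log and Copy Function
# listings pasted above, tally LR values to list every caller, and decode each
# branch from its opcode word to confirm the printed target and flag loops.
# Inputs are the thread's own lines, shortened.
import re
from collections import Counter

LOG_RE = re.compile(r"^([0-9A-F]{8}): [0-9A-F]{8} \S+\s+LR = ([0-9A-F]{8})", re.I)
LISTING_RE = re.compile(r"^([0-9A-F]{8}): ([0-9A-F]{8}) (\S+)(?:\s+(.*))?$", re.I)


def callers_from_log(log_text):
    """{bl address: hit count}: the LR seen at a blr is the bl's address + 4."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            counts[int(m.group(2), 16) - 4] += 1
    return counts


def sext(value, bits):
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def branch_target(addr, word):
    """(target, link, conditional) for b/bl (opcode 18) and bc (opcode 16);
    None for anything else, including blr, which is opcode 19."""
    opcode = word >> 26
    if opcode == 18:
        off, aa, lk = sext(word & 0x03FFFFFC, 26), (word >> 1) & 1, word & 1
        return ((off if aa else addr + off) & 0xFFFFFFFF, bool(lk), False)
    if opcode == 16:
        off, aa, lk = sext(word & 0xFFFC, 16), (word >> 1) & 1, word & 1
        return ((off if aa else addr + off) & 0xFFFFFFFF, bool(lk), True)
    return None


def analyse_listing(listing_text):
    """One record per branch: decoded target, agreement with the printed
    target, and whether it jumps backwards (a loop when conditional)."""
    records = []
    for line in listing_text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        addr, word = int(m.group(1), 16), int(m.group(2), 16)
        decoded = branch_target(addr, word)
        if decoded is None:
            continue
        target, link, cond = decoded
        printed = re.search(r"0x([0-9A-Fa-f]{8})", m.group(4) or "")
        records.append({
            "addr": addr, "mnemonic": m.group(3), "target": target,
            "link": link, "conditional": cond, "backward": target < addr,
            "matches_disasm": printed is not None and int(printed.group(1), 16) == target,
        })
    return records


def loops_in(listing_text):
    """Addresses of conditional backward branches, i.e. loop back-edges."""
    return [r["addr"] for r in analyse_listing(listing_text) if r["backward"] and r["conditional"]]


BPSTEPS_LOG = """
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
80118340: 4E800020 blr LR = 80044C08
"""

CALLER_LISTING = """
80044BE8: 389F00A0 addi r4,r31,160
80044BEC: 480D3775 bl 0x80118360
80044BF4: 389F0094 addi r4,r31,148
80044BF8: 480D374D bl 0x80118344
80044C00: 389F00AC addi r4,r31,172
80044C04: 480D36C5 bl 0x801182c8
80044C10: 4813CE45 bl 0x80181a54
80044C24: 4E800020 blr
"""

LOOP_LISTING = """
80119D70: 83E300F4 lwz r31,244(r3)
80119D74: 48000010 b 0x80119d84
80119D78: 7FE3FB78 mr r3,r31
80119D7C: 4BF2AE55 bl 0x80044bd0
80119D80: 83FF00F4 lwz r31,244(r31)
80119D84: 2C1F0000 cmpwi r31,0
80119D88: 4082FFF0 bne+ 0x80119d78
80119D9C: 4E800020 blr
"""

if __name__ == "__main__":
    for bl_addr, n in callers_from_log(BPSTEPS_LOG).items():
        print(f"caller bl at {bl_addr:08X}: {n} hits")
    for r in analyse_listing(CALLER_LISTING) + analyse_listing(LOOP_LISTING):
        loop = " (loop)" if r["backward"] and r["conditional"] else ""
        print(f"{r['addr']:08X} {r['mnemonic']:5} -> {r['target']:08X}{loop}")
```

Decoding from the opcode word rather than trusting the printed operand matters when a listing has been copied through a forum post: one wrong hex digit in the text still decodes to a consistent target, and a mismatch between the two columns tells you which one was mangled. The single caller the log reports (80044C04) is also the second entry of the Call Stack pasted earlier, which is the cross-check dcx2 was after.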
Hmm okay, yep, I thought that it would be very hard to do this, but thanks a lot for your help and time!
So maybe it's impossible to hack this?
48 is my last code type....
It's not impossible, but it's uber-hard, and I don't think I could walk you through it. Sorry...
I hope you have learned some things, though. So that it is not a total loss.
Heh, if you still have WiiRD on your PC, then get it from that folder.