Hi,
I found out something interesting in a game, so now I want to create a special code.
If I am shooting:
[spoiler] CR:84200048 XER:00000000 CTR:800E5B10 DSIS:02400000
DAR:90F0BD1C SRR0:800E5B14 SRR1:0000A032 LR:800E5620
r0:00000002 r1:80768900 r2:8075A6E0 r3:00000069
r4:90F0C7A4 r5:90F0BDFC r6:000000FF r7:800E5B10
r8:000000C7 r9:FFFFFFF9 r10:90F0C46C r11:FFFFFFF9
r12:8012DC0C r13:80752260 r14:000029D8 ?? r15:0000002B
r16:80560000 r17:00000000 r18:FFFFFFFF r19:80000000
r20:80560000 r21:80560000 r22:80530000 r23:80DB9B00[/spoiler]
If I am doing something else (here it was jumping):
[spoiler]CR:84200048 XER:00000000 CTR:800E5B10 DSIS:02400000
DAR:90F0BD1C SRR0:800E5B14 SRR1:0000A032 LR:800E5620
r0:00000007 r1:80768900 r2:8075A6E0 r3:00000069
r4:90F0C7A4 r5:90F0BDFC r6:000000FF r7:800E5B10
r8:000000C7 r9:FFFFFFF9 r10:90F0C46C r11:FFFFFFF9
r12:8006785C r13:80752260 r14:0000280A ?? r15:0000002B
r16:80560000 r17:00000000 r18:FFFFFFFF r19:80000000
r20:80560000 r21:80560000 r22:80530000 r23:80DB9B00[/spoiler]
Executed instruction on the write breakpoint is bolded:
[spoiler]
800E5AC8: 80040000 lwz r0,0(r4)
800E5ACC: 7C000034 cntlzw r0,r0
800E5AD0: 5400D97E rlwinm r0,r0,27,5,31
800E5AD4: 90180000 stw r0,0(r24)
800E5AD8: 4BFFDD58 b 0x800e3830
800E5ADC: 80040000 lwz r0,0(r4)
800E5AE0: 6C008000 xoris r0,r0,32768
800E5AE4: 90010024 stw r0,36(r1)
800E5AE8: C8010020 lfd f0,32(r1)
800E5AEC: EC00E028 fsubs f0,f0,f28
800E5AF0: D0180000 stfs f0,0(r24)
800E5AF4: 4BFFDD3C b 0x800e3830
800E5AF8: C0040000 lfs f0,0(r4)
800E5AFC: FC00001E fctiwz f0,f0
800E5B00: D8010028 stfd f0,40(r1)
800E5B04: 8001002C lwz r0,44(r1)
800E5B08: 90180000 stw r0,0(r24)
800E5B0C: 4BFFDD24 b 0x800e3830
800E5B10: 80040000 lwz r0,0(r4)
[b]800E5B14: 90180000 stw r0,0(r24)[/b]
800E5B18: 4BFFDD18 b 0x800e3830
800E5B1C: 7C600774 extsb r0,r3
800E5B20: 90180000 stw r0,0(r24)
800E5B24: 4BFFDD0C b 0x800e3830
800E5B28: 9061001C stw r3,28(r1)
800E5B2C: C8010018 lfd f0,24(r1)
800E5B30: EC00E828 fsubs f0,f0,f29
800E5B34: EC0007B2 fmuls f0,f0,f30
800E5B38: D0180000 stfs f0,0(r24)
800E5B3C: 4BFFDCF4 b 0x800e3830
800E5B40: 801A0000 lwz r0,0(r26)
800E5B44: 3B5A0004 addi r26,r26,4
800E5B48: 90180000 stw r0,0(r24)
800E5B4C: 4BFFDCE4 b 0x800e3830
800E5B50: 2C030000 cmpwi r3,0
800E5B54: 4182DCDC beq+ 0x800e3830
800E5B58: 5460E8FF rlwinm. r0,r3,29,3,31
800E5B5C: 7C0903A6 mtctr r0
800E5B60: 41820058 beq- 0x800e5bb8
800E5B64: 80050000 lwz r0,0(r5)
800E5B68: 90180000 stw r0,0(r24)
800E5B6C: 80050004 lwz r0,4(r5)
800E5B70: 90180004 stw r0,4(r24)
800E5B74: 80050008 lwz r0,8(r5)
800E5B78: 90180008 stw r0,8(r24)
800E5B7C: 8005000C lwz r0,12(r5)
800E5B80: 9018000C stw r0,12(r24)
800E5B84: 80050010 lwz r0,16(r5)
800E5B88: 90180010 stw r0,16(r24)
800E5B8C: 80050014 lwz r0,20(r5)
800E5B90: 90180014 stw r0,20(r24)
800E5B94: 80050018 lwz r0,24(r5)
800E5B98: 90180018 stw r0,24(r24)
800E5B9C: 8005001C lwz r0,28(r5)
800E5BA0: 38A50020 addi r5,r5,32
800E5BA4: 9018001C stw r0,28(r24)
800E5BA8: 3B180020 addi r24,r24,32
800E5BAC: 4200FFB8 bdnz+ 0x800e5b64
800E5BB0: 70630007 andi. r3,r3,7
800E5BB4: 4182DC7C beq+ 0x800e3830
[/spoiler]
I noticed that r0 shows what you have "done", so if I am shooting its value is 02, and when jumping it is 07.
The funny part is, if I change the value in the memory viewer with poke, my character does the exact same thing without me pushing a button ;) And r12 shows a special address for every "action" I do.
r12 is used!!! No wonder why it crashed the last time I tried to load anything to that address...
--------------------
If r0 is 02 / if r12 is 8012DC0C
load immediate value 00 to rX
store value from rX to r0
if not equal
use stw r0,0(r24)
Please show me the instructions for this specific branch and/or how you can let PyiiASMH calculate them for you...
My guess is that r12 isn't being used like you think it's being used...if you looked through the call stack a bit you'll probably see a mtctr r12; bctrl. r12 is only unsafe for those two instructions...after the bctrl executes, r12 is safe again.
You might notice that CTR doesn't match r12, though...but that's okay, CTR is really close to SRR0, which means there was a bctr above that was probably a switch statement in C++. You could right-click and then "Go to function start" and you'll probably see the bctr somewhere.
Finally...it looks like you want this. It's simpler than you thought it would be. I didn't bother using branch labels.
cmpwi r0,2
bne- 0x08
li r0,0
stw r0,0(r24)
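As an added example (my own code, not PyiiASMH's and not from this thread), here is a small Python encoder for the instruction forms used above; it computes the same 32-bit words PyiiASMH would, and it also covers the lwz/stw forms and the beq/bne prediction hints from the breakpoint listing earlier in the thread, so those known encodings can be used to check it.

```python
# Minimal PowerPC (Wii/Gecko) encoder for the instruction subset used in this
# thread: cmpwi, li, lwz, stw and beq/bne with +/- hints. Added example, not
# PyiiASMH's code. It turns "cmpwi r0,2 / bne- 0x08 / li r0,0 / stw r0,0(r24)"
# into the hex words a code line carries.
import re

def d_form(opcode, rt, ra, imm):
    """D-form: 6-bit opcode | 5-bit rT/rS | 5-bit rA | 16-bit immediate."""
    return (opcode << 26) | (rt << 21) | (ra << 16) | (imm & 0xFFFF)

def b_form(bo, bi, bd):
    """B-form bc: opcode 16 | BO | BI | 14-bit word displacement | AA=0 | LK=0."""
    if bd % 4 or not -0x8000 <= bd <= 0x7FFC:
        raise ValueError("displacement must be word aligned and fit in 16 bits")
    return (16 << 26) | (bo << 21) | (bi << 16) | (bd & 0xFFFC)

def cond_branch(mnemonic, target):
    """beq/bne on cr0 with optional +/- hint; target is a relative byte offset."""
    m = re.fullmatch(r"b(eq|ne)([+-]?)", mnemonic)
    bo = 12 if m.group(1) == "eq" else 4   # 12: branch if CR bit set, 4: if clear
    hint, forward = m.group(2), target >= 0
    # The y (prediction) bit is set for '+' on a forward branch and for '-' on
    # a backward branch; that is why beq+ 0x800e3830 in the listing has y=0.
    if hint and (hint == "+") == forward:
        bo |= 1
    return b_form(bo, 2, target)            # BI=2 is the EQ bit of cr0

def reg(s):
    return int(s.lstrip("r"))

def assemble(line):
    """Assemble one line of the subset into a 32-bit instruction word."""
    mnem, _, args = line.strip().partition(" ")
    a = [x.strip() for x in args.split(",")]
    if mnem == "cmpwi":                     # opcode 11, crfD=0, L=0
        return d_form(11, 0, reg(a[0]), int(a[1], 0))
    if mnem == "li":                        # li rD,imm is addi rD,0,imm
        return d_form(14, reg(a[0]), 0, int(a[1], 0))
    if mnem in ("lwz", "stw"):              # rD,disp(rA)
        disp, ra = re.fullmatch(r"(-?\w+)\((r\d+)\)", a[1]).groups()
        return d_form(32 if mnem == "lwz" else 36, reg(a[0]), reg(ra), int(disp, 0))
    if mnem.startswith("b"):
        return cond_branch(mnem, int(a[0], 0))
    raise ValueError("unsupported instruction: " + line)

def assemble_block(text):
    return [assemble(l) for l in text.strip().splitlines()]

SNIPPET = "cmpwi r0,2\nbne- 0x08\nli r0,0\nstw r0,0(r24)"

if __name__ == "__main__":
    for word in assemble_block(SNIPPET):
        print(f"{word:08X}")
```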
thanks, it works ;D
Now if only you could also make a freefly on The Conduit...
like you did on Mario Galaxy 2 :eek:
I failed at finding the coordinates... ???
It would be sooo cool... :(