I think this code has been made over and over again, but I'm a little stuck finding the value. What I do is get the Smash Ball and do a 32-bit unknown equals search. Use it, then do a 32-bit not-equal-to search. I got down to a bunch of values that change each time you use a Final Smash (they change permanently, so it might be counting the amount of Final Smashes I use), not each time you get a Smash Ball. So I'm wondering how to find the value of having the Smash Ball.
Well, if you found a counter, set a write BP on that address, then track the ASM to find out what causes it to write / when you actually have a Smash Ball. Then, with a little tweaking (aka making sure you are writing the correct value), you can force the game into thinking you have a Smash Ball 24/7.
I'll give it a shot
Not working, or it might be but I can't do asm
Check which lwz assigns the register being used in the stw, and see if that helps you find an area you can poke and achieve what you are looking for.
Honestly, sometimes these codes are a huge headache to do :/ and I'm just guessing at what is possible.
Quote from: toonlink444 on January 19, 2011, 11:45:22 PM
Not working, or it might be but I can't do asm
No Final Smash: 00000000
Have Final Smash: 00000001
Address different for every character
this code was made, but enjoy finding it, lol :p
I know it was made that's what I said in the first post
Don't think that's right; I did a search for that like 10 times and found nothing. But if you get it with breakpoints, I need help.
Where is an existing code? We'll use one that is already made and work backward, because we know it works already. That way we don't go on any wild goose chases by using breakpoints on the wrong data.
Dunno, it's one of those non-released ones or the ones that don't use WiiRd/Gecko dNet. Can you use those with WiiRd to track down the value?
You said this code has been made. Since it already exists, you should be able to copy/paste it into this forum.
I think this is for Smash Bros but I don't have that game and know nothing about it. I can, however, work backward from a given code. But I need a code first so I have an address to work with!
think I found it. Need to test it first
DO NOT POST UNCREDITED CODES
Edit: Works.
Quote from: toonlink444 on January 25, 2011, 09:31:15 PM
think I found it. Need to test it first
DO NOT POST UNCREDITED CODES
the original value of this address is 8803001F.
go to the memory viewer and search for 8803001F.
if found, your code is ported.
DO NOT POST UNCREDITED CODES
or set "execute" on this address [8081C934] and read out the value and address
Don't post uncredited codes. Who is the original author?
---
Here's a breakdown of this code...
Taunt for Final Smash (by Y.S)
0481C934 8803001F # write anti-code to hook address 8081C934
4A000000 90180F38 # set PO to 90180F38
3A000002 FF00003D # if [po+2] == 3D
C281C934 00000005 # hook
8803001F 2C0000F8
4182001C 38000038
2C1B010C 40820008
38000078 9803001F
48000004 00000000
E0000000 80008000
I don't have a disassembler handy at the moment, so I can't disassemble the C2 code and explain what's going on. However, this does give us a starting point.
Two things of interest here. 1) The ASM address 8081C934, which does the hack. 2) The data address 90180F38, which turns the hack on and off.
Set an execute breakpoint on the address 8081C934. Then copy/paste the registers and disassembly into a spoiler.
It wasn't off the database it was just floating around in some other forum.
I just did that and it froze before I executed it. I also followed nutmeg's tutorial that talked about finding the register to see if it was the right value, and it didn't look like it.
here... I've ported it for you
04817968 8803001F
4A000000 90180F38
3A000002 FF00003D
C2817968 00000005
8803001F 2C0000F8
4182001C 38000038
2C1B010C 40820008
38000078 9803001F
48000004 00000000
E0000000 80008000
original by Y.S.
search value to port: 806300008803001F5403D7FE
It doesn't matter where you found the code. Always post the author of the code.
When you hit a breakpoint, the game will freeze. This is normal.
Breakpoint tab
[spoiler]CR:28000088 XER:00000000 CTR:8081DA00 DSIS:00000000
DAR:00000000 SRR0:8081C934 SRR1:0000B032 LR:80838E20
r0:00000000 r1:805B4E30 r2:805A9320 r3:812DCE30
r4:00040000 r5:00000000 r6:00000000 r7:81533160
r8:00000120 r9:00000036 r10:81533160 r11:805B4E50
r12:8081DA00 r13:805A4420 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:00000000
8081C934: 8803001F lbz r0,31(r3)
8081C938: 5403D7FE rlwinm r3,r0,26,31,31
8081C93C: 7C0300D0 neg r0,r3
8081C940: 7C001B78 or r0,r0,r3
8081C944: 54030FFE rlwinm r3,r0,1,31,31
8081C948: 4E800020 blr[/spoiler]
Disassembler tab
[spoiler]8081C934: 8803001F lbz r0,31(r3)
8081C938: 5403D7FE rlwinm r3,r0,26,31,31
8081C93C: 7C0300D0 neg r0,r3
8081C940: 7C001B78 or r0,r0,r3
8081C944: 54030FFE rlwinm r3,r0,1,31,31
8081C948: 4E800020 blr
8081C94C: 80630000 lwz r3,0(r3)
8081C950: 8803001F lbz r0,31(r3)
8081C954: 50802EB4 rlwimi r0,r4,5,26,26
8081C958: 9803001F stb r0,31(r3)
8081C95C: 4E800020 blr
8081C960: 80630000 lwz r3,0(r3)
8081C964: 8803001F lbz r0,31(r3)
8081C968: 5403DFFE rlwinm r3,r0,27,31,31
8081C96C: 7C0300D0 neg r0,r3
8081C970: 7C001B78 or r0,r0,r3
8081C974: 54030FFE rlwinm r3,r0,1,31,31
8081C978: 4E800020 blr
8081C97C: 80630000 lwz r3,0(r3)
8081C980: 8803001F lbz r0,31(r3)
8081C984: 50801F38 rlwimi r0,r4,3,28,28
8081C988: 9803001F stb r0,31(r3)
8081C98C: 4E800020 blr
8081C990: 80630000 lwz r3,0(r3)
8081C994: 8803001F lbz r0,31(r3)
8081C998: 5403EFFE rlwinm r3,r0,29,31,31
8081C99C: 7C0300D0 neg r0,r3
8081C9A0: 7C001B78 or r0,r0,r3
8081C9A4: 54030FFE rlwinm r3,r0,1,31,31
8081C9A8: 4E800020 blr
8081C9AC: 80630000 lwz r3,0(r3)
8081C9B0: 8803001F lbz r0,31(r3)
8081C9B4: 5080177A rlwimi r0,r4,2,29,29
8081C9B8: 9803001F stb r0,31(r3)
8081C9BC: 4E800020 blr
8081C9C0: 80630000 lwz r3,0(r3)
8081C9C4: 8803001F lbz r0,31(r3)
8081C9C8: 5403F7FE rlwinm r3,r0,30,31,31
8081C9CC: 7C0300D0 neg r0,r3
8081C9D0: 7C001B78 or r0,r0,r3
8081C9D4: 54030FFE rlwinm r3,r0,1,31,31
8081C9D8: 4E800020 blr
8081C9DC: 80030000 lwz r0,0(r3)
8081C9E0: 38A00001 li r5,1
8081C9E4: 7C602214 add r3,r0,r4
8081C9E8: 98A30070 stb r5,112(r3)
8081C9EC: 4E800020 blr
8081C9F0: 80830000 lwz r4,0(r3)
8081C9F4: 38600000 li r3,0
8081C9F8: 88040070 lbz r0,112(r4)
8081C9FC: 2C000000 cmpwi r0,0
8081CA00: 40820008 bne- 0x8081ca08
8081CA04: 38600001 li r3,1
8081CA08: 88040071 lbz r0,113(r4)
8081CA0C: 2C000000 cmpwi r0,0
8081CA10: 4082000C bne- 0x8081ca1c
8081CA14: 38030001 addi r0,r3,1
8081CA18: 5403063E rlwinm r3,r0,0,24,31
8081CA1C: 88040072 lbz r0,114(r4)
8081CA20: 2C000000 cmpwi r0,[/spoiler]
Ok, the post where I found the code was by pyromasterom egaz. Don't know if he made the code.
Deathwolf, I'm a little confused about how you ported it.
original by Y.S.
Ok, here's the code.
Taunt for Final Smash (by Y.S)
0481C934 8803001F
4A000000 90180F38
3A000002 FF00003D
C281C934 00000005
8803001F 2C0000F8
4182001C 38000038
2C1B010C 40820008
38000078 9803001F
48000004 00000000
E0000000 80008000
You chopped off some registers. You should post all the registers, all the way up to r31.
Also, a function ends after a blr. So everything after the blr is an unrelated function. It's just clutter. In Gecko.NET, you can choose "Copy Function" from the right-click menu in the disassembler and it will copy only that function and ignore everything else.
It looks like this was just a convenient instruction that had access to some important pointer in r3. The C2 writes a different value to the address in r3, after doing something. I bet r3 is a pointer to your character.
I don't know why there's an if that patches the anti-code based on some 8-bit value in the MEM2 90xxxxxx range.
---
Repeat this process. That is, set an execute breakpoint on 8081C934 again. Get the address in r3 (this time, it's 812DCE30, however it might have changed if you use a different character, level, etc). Then look at that address in memory viewer with Auto Update enabled while you're trying to do this Final Smash thing. See if any of the addresses are changing in a predictable manner in the Memory Viewer around the pointer you got from r3.
Here are the registers
[spoiler]CR:28000088 XER:00000000 CTR:8081DA00 DSIS:00000000
DAR:00000000 SRR0:8081C934 SRR1:0000B032 LR:80838E20
r0:00000000 r1:805B4E30 r2:805A9320 r3:812DCE30
r4:00040000 r5:00000000 r6:00000000 r7:81533160
r8:00000120 r9:00000036 r10:81533160 r11:805B4E50
r12:8081DA00 r13:805A4420 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:00000000
r20:00000001 r21:43300000 r22:80000000 r23:805B4FD8
r24:00000000 r25:805B8A00 r26:00000001 r27:00000000
r28:10000000 r29:812BAA80 r30:812DCE20 r31:812BB5E4
f0:3D8F5C29 f1:42480000 f2:3E4CCCCD f3:3E4CCCCD
f4:423D8000 f5:429C1604 f6:C28C0000 f7:00000000
f8:3F800000 f9:C1A00000 f10:C1A00000 f11:431C0000
f12:3F800000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:3F8123AD
f28:59800004 f29:42480000 f30:42480000 f31:00000000[/spoiler]
Quote from: dcx2 on January 25, 2011, 09:51:07 PM
I don't have a disassembler handy at the moment, so I can't disassemble the C2 code and explain what's going on. However, this does give us a starting point.
hey,
I was also wondering what's going on in this code, pretty nice one!
Assembly:
8081C934
lbz r0,31(r3)
cmpwi r0,248
beq- 0x1C
li r0,56
cmpwi r27,268
bne- 0x08
li r0,120
stb r0,31(r3)
b 0x04
Not what I got. Where are you testing?
Edit: Nothing was changing. I feel like a noob
Quote from: toonlink444 on January 25, 2011, 10:32:35 PM
Not what I got. Where are you testing?
Edit: Nothing was changing. I feel like a noob
I'll take my hands on that code soon, if it isn't solved...
Do you want all characters to have final smash?
I think that the "taunt enables final smash" is only made to work for the taunting player.
It would be a lot easier to make it write to all players all the time.
That's what I could maybe do... I need to view the behaviour of the address first
If the value in 31(r3) is 0xF8, skip to the very end, i.e. do not execute the stb!
If it's not 0xF8, load r0 with 0x38. Then, check r27 for 0x10C.
If r27 is not 0x10C, stb the 0x38.
If r27 is 0x10C, load r0 with 0x78 and stb the 0x78.
---
It looks like these are being used as bit fields.
0x38 = 0011 1000
0x78 = 0111 1000
0xF8 = 1111 1000
The first two bits probably indicate something related to whether you can Final Smash. That's why everything is skipped if the first bit is set.
---
Not sure why r27 is there. Might be how the code knows you're taunting. Or it might be the if code that's testing MEM2.
Quote from: Bully@Wiiplaza on January 25, 2011, 10:37:29 PM
Quote from: toonlink444 on January 25, 2011, 10:32:35 PM
Not what I got. Where are you testing?
Edit: Nothing was changing. I feel like a noob
I'll take my hands on that code soon, if it isn't solved...
Do you want all characters to have final smash?
I think that the "taunt enables final smash" is only made to work for the taunting player.
It would be a lot easier to make it write to all players all the time.
That's what I could maybe do... I need to view the behaviour of the address first
I know all that, I'm just wanting to know how to make this code with asm for the learning experience
If you want to just practice something like that, it might be better to start with something simpler. How about this?
Always have 99 lives [REDSOXROX]
1528AE64 00000063
Finding the address for your lives shouldn't be too hard. But this code gives it away; your life count is stored at 8128AE64.
Try to make this code with ASM.
I'll try that. Then I'll come back to this. I'll post again when I think I'll try again. Thank you for helping me. :)
Nice to see the old code of mine is getting attention ;D
This code isn't directly writing final smash value. Instead, it's writing "Infinite final smash flag", which is used in an event match.
The game writes 0xF8 to a certain address to give infinite final smash to a player.
However, the actual flag is 0x40. i.e. writing 0x78 also gives infinite final smash (The default value of the address is 0x38).
> If the value in 31(r3) is 0xF8, skip to the very end, i.e. do not execute the stb!
If infinite final smash is already given by the game, skip the rest of the code.
> If it's not 0xF8, load r0 with 0x38. Then, check r27 for 0x10C.
Load r0 with the default value, and check if the player is taunting.
> If r27 is not 0x10C, stb the 0x38.
If the player is not taunting, write default value in order not to give multiple final smash per taunt.
> If r27 is 0x10C, load r0 with 0x78 and stb the 0x78.
If the player is taunting, write the flag to give final smash.
The MEM2 check is to prevent the game from crashing, because final smash cannot be loaded in SSE mode.
0481C934 8803001F anti-code(original instruction)
4A000000 90180F38 Set po to 0x90180F38
3A000002 FF00003D Check if the game is NOT in SSE mode
C281C934 00000005
8803001F 2C0000F8
4182001C 38000038
2C1B010C 40820008
38000078 9803001F
48000004 00000000
E0000000 80008000
So an enterprising hacker could use a read breakpoint on the address that has the "can final smash flag". Then, look for a read breakpoint that is checking bits 6 or 7 (that is, 0x80 or 0x40, the first two bits in the 8-bit field). There will probably be a branch near the read breakpoint. There will probably be code that gives you final smash around there.
You could also set a write breakpoint on the final smash flag byte. Then, try to get the game to give you a final smash. This should give you a breakpoint where the game sets the final smash flag on its own.
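As an added illustration (not code from the thread, the game, or Y.S.), the following Python models the logic dcx2 and Y.S. describe above: the 0x38/0x78/0xF8 bit field at 31(r3), the r27 == 0x10C taunt check, and the "3A000002 FF00003D" enable check on [po+2]. The constant names and the inverted-mask reading of the Gecko 16-bit "if" are my assumptions.

```python
# Added model of the "Taunt for Final Smash" code discussed in this thread.
# It is NOT the game's code or Y.S.'s ASM; it reproduces the logic dcx2 and
# Y.S. describe so the bit-field behaviour can be checked offline.

DEFAULT_FLAGS = 0x38        # default value of the byte at 31(r3) (per Y.S.)
INFINITE_FS_FLAG = 0x40     # the actual "infinite final smash" bit (per Y.S.)
GAME_INFINITE_FS = 0xF8     # value the game writes in the event match
TAUNT_ACTION = 0x10C        # r27 value the code treats as "player is taunting"
SSE_CHECK_MASK = 0xFF00     # ZZZZ half of "3A000002 FF00003D"
SSE_CHECK_VALUE = 0x003D    # YYYY half of "3A000002 FF00003D"


def code_enabled(halfword_at_po_plus_2: int) -> bool:
    """Mirror '3A000002 FF00003D': 16-bit if-equal on [po+2].

    Assumption: standard Gecko 16-bit 'if' semantics, where the mask is
    applied inverted, so only the low byte is compared against 0x3D."""
    return (halfword_at_po_plus_2 & ~SSE_CHECK_MASK & 0xFFFF) == SSE_CHECK_VALUE


def hook_8081c934(flag_byte: int, r27: int) -> int:
    """Emulate the C2 instructions inserted at 8081C934.

    Returns the byte that ends up at 31(r3) after the hook runs."""
    r0 = flag_byte & 0xFF              # lbz   r0,31(r3)
    if r0 == GAME_INFINITE_FS:         # cmpwi r0,0xF8 ; beq -> skip the stb
        return r0                      # game already granted infinite FS
    r0 = DEFAULT_FLAGS                 # li    r0,0x38  (reset when not taunting)
    if r27 == TAUNT_ACTION:            # cmpwi r27,0x10C ; bne skips next li
        r0 = DEFAULT_FLAGS | INFINITE_FS_FLAG   # li r0,0x78
    return r0                          # stb   r0,31(r3)


def grants_final_smash(flag_byte: int) -> bool:
    """True when the 0x40 bit is set, i.e. both 0x78 and 0xF8 qualify."""
    return bool(flag_byte & INFINITE_FS_FLAG)


if __name__ == "__main__":
    # Constructed sample states: (byte at 31(r3), r27) for one pass each.
    for flags, r27 in [(0x38, 0x000), (0x38, 0x10C), (0x78, 0x000), (0xF8, 0x000)]:
        new = hook_8081c934(flags, r27)
        print(f"31(r3)=0x{flags:02X} r27=0x{r27:03X} -> 0x{new:02X} "
              f"({new:08b}) final smash: {grants_final_smash(new)}")
```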