Alright! So, hi to everyone!! You'd have no idea who I am, but I love you, you're awesome! O0
Anyways, so here's the thing. This is Bass Pro Shops: The Strike (PAL). Got it for Christmas. Awesome game.
These codes were written by me, Patedj. Although I'd love to give thanks to dexter0, Romaap, Zit, and all the other inspiring people.
So, if you could read them over for mistakes, that would make you guys even awesomer!
I also left you with my thought processes. I'm currently checking up on boats and maps. I've tried for the no-snap code but I got too tired.
[Millionaire]
* 42000000 80000000 ----> reset 8000 0000 (load ba to xxxxxxxx)
* CE000000 80008100 ----> check if the ba will be in-between 8000 and 8100
* 04574EDC 49742400 ----> load ba ( 80574edc ) to 1 million
* E0000000 80008000 ----> reset 8000 8000 (I'm wondering why this wouldn't be 80000000)
[rep]
* 20616218 00004000 ----> if-then at controller 80616218 with the 16-bit value of 400 (B)
* 42000000 80000000 ----> As above
* CE000000 80008100 ----> As above
00574F17 00000031 ----> This was my first find, for the first level.
* 005ABE07 00000031 ----> Set ba 805abe07 to xx as an 8-bit value. (I chose 49 instead of 50 because I couldn't find the value for accessing the tournament. I also didn't search for it individually. I suppose I could. They might be easy to activate if they are all paralleled like the lures, rods, and wires.)
* E0000000 80008000
80574FB3 00000049 ----> Lake Wylie's Rep address
28111111 00000000 ----> I was going to do a button activator to increase the value.
This is for the tournament. Every time you press 1400 it stops the tournament. Unfortunately it puts you in penalty :).
[Time]
* 20616218 00001400
* 42000000 80000000
* CE000000 80008100
04A8E100 00000000 ----> first timer
* 04A8E0FF 00000000
04A8E0F8 ----> lake wylie
This time, the time code puts you back at 20 minutes if you push A+B.
* E0000000 80008000
* 20616218 00000C00
* 42000000 80000000
* CE000000 80008100
* 04A8E0FF 000004B1
04A8E100 000004B1
* E0000000 80008000
[penalty]
80A8E10C 0000003E ----> this is the code line for the penalty time :)
* 42000000 80000000
* CE000000 80008100
* 04A8E104 FFFFFFFF ----> this stops the time
* 04A8E108 FFFFFFFF ----> and this stops the point deduction
* E0000000 80008000
[New Code 11]
04DA26E4 00000004 ----> ???
[end]
* F0000000 00000000 ----> this finishes the code section
[controller/Starts/ Ends]
80616218 00000000 ----> Controller 1
42000000 80000000 ----> yep. 4a for pointer addresses
CE000000 80008100 ----> that's right. DE for pointer addresses
E0000000 80008000 ----> ...
[lure]
812052C7 00000001 ----> I tried an 08 Slider/Multi Skip (Serial) and it looked like this
082052C7 00000001
20030015 00000001 ----> the 003 is to test if it works; there were actually 115 lures, I think, and each of
them had its 32-bit value for having it bought and the quantity. As for the 0005,
there are 4 ba between each, so... *Shrug*. And the 00000000, well, I don't quite
understand it. Does it add directly to the ba again? So 1 + 00000001 = 00000002?
[lines]
81204A5F 00000001 ----> same thing as above
[reels]
81203CD3 00000001 ----> yep
[rods]
81203ABB 00000000 ----> :)
There you have it.
To come...
Fish weight total MAX
Boats
Tension/no snap
Maps
Boat Speed
I'm up for favors, people!! Ask me anything to do with Wii games! PM me! Or not, whatever... O0
So thanks in advance! I'm grateful! O0
Welcome to the forum. We like you too. As for the codes, I don't have the game personally so I can't really help you. But welcome.
Welcome!
* 42000000 80000000 ----> Not needed, by standards, you assume BA and PO are set to 0x80000000 at the start of your code
* CE000000 80008100 ----> You just set it to 80000000 (even though it was already set to that) so it is undoubtedly between 8000 and 8100 (so you do not need this line)
* 04574EDC 49742400 ----> The only line needed for this code!
* E0000000 80008000 ----> This is only necessary if you changed BA or PO to anything different than 80000000
[end]
* F0000000 00000000 ----> The code handler does this, you do not need it! =)
[rods]
81203ABB 00000000 <- 81 is the start of the address, for a code, this needs to be a code type instead. If this is 8bits, 01. If this is 16bits, 03. If this is 32 bits, 05. (these are the 00,02, and 04 codetypes with the high address bit set. see for more info: http://geckocodes.org/index.php?arsenal=1#CodetypeDetail )
Thank you.
The thing with the rods is that it needs a sweep code, or else I'd have to write them all individually and that'll be a headache. If I can't use a 09 Slider/Multi Skip for the lures at 81203A60, then I'd rather poke them to 00000001 :D
Here's a jpg of the memory for the rods. You'll understand me.
For the update on the codes. Thanks. I'm glad that the GUI does it all for us!
Cool cool. Are you looking for help on how to do the 'slider' formatting?
The CE code type is used when getting an address from a pointer. It makes sure that the value retrieved is a valid address. This is because pointers can point to a 0 when loading a map or something like that, and 0 is not a valid address.
If you explicitly set the ba or po, you don't need a CE.
I'm looking for all types of help.
So, can you help me with sliders? I would like to create my first slider code.
Thanks for the CE info. That makes a lot of sense.
Ultimately I would like to know how to move the camera around when in the water.
That would make the game so much more fun.
Alright, so. I couldn't find the other codes. But I'll keep on trekking for everyone.
On the other hand, here's a new one that I hadn't set out to find. I was looking for the hook option being available in the tournament section. What I found was the attraction degree of the fish.
Now what happens is that this address, when tweaked, provokes all the fish around to spot the lure and attack it.
Button C is the condition to provoke it. It resets to normal. No crashes with this code :)
[Fish Magnet]
20616218 00004000
04CB2DDC 01599999
04CB2DD8 3F599999
E0000000 80008000
Unfortunately I figured out that the Time codes freeze the game when you load out of the Start Fishing section, so make sure you have that code off at that point. No probs in the Tournament section :) :cool:
So, Thanks again to the pros!! You guys are definitely awesomer!! O0
Anybody up for a camera control code? Any of you guys own the game?
Or perhaps, know how to create one?
Tournament tip.
Activating stop tournament immediately allows you to get first place. O0
Found the Boats!!
The first Boat is at this address 81204EE0 The boat's name is 811EB560.
The last boat is at this address 81204F80 The boat's name is 81202560
Update: the codes shifted. I know this because each item group is preceded by 80000118 and this was a few steps back, but they shifted back when I crashed the game. I think it's the Slider code's fault.
There are 4 addresses between each of these 9 boats, and the first one is the equip line.
I assume the Slider could look like this
09204EE8 00000001 ----> I want to add 1 to the addresses
2026???? ???????? ----> 026 = 9 addresses x 3 addresses between them, right? As a word = 00000001
???? is the number of increments skipped... I can interpret this in two ways, but I'm not sure which way is the correct way.
???????? is the additional value added after the code has been written.... then I guess it would be 00000000
So 16 bytes, or should it be converted to hex = 10?
2026016 00000000
Is that right?
OK, right: the 81204F80 (last boat) is equipped when the address beside it is at 00000001. The next address is the qty address/available: 00000001. After that, the address likes to be at FFFFFFFF and the next at 00000000. I think it has to do with being available at the New Game option.
So if the slider is correct, this should write the codes like in the jpg, right up to the 4th address after the last boat's.
Update: the code freezes the game, so I've done it wrong. It's either because of the 3rd address being a default option, or it's the second part of the code that's wrong.
Alternative boat code available for the last boat.
05204EE4 00000000
05204EEC FFFFFFFF
05204F84 00000001
05204F88 00000001
05204F8C 00000001
This un-equips the first boat + changes the default equip,
then it equips and adds the last boat and sets it as default.
Maps are unlocked!!
Plus Tournaments Available
No problem with this code even though it could have been easier Multi/Sliding it.
[ All Maps Unlocked ]
045750F4 01010101
045750F8 01010101
045750FC 01010101
04575100 01010101
04575104 01010101
Still to come
Fish codes!
O0
Not taking any credit here, just for learning purposes.
Can someone check if this is the correct fill code for Patedj's [All Maps Unlocked]?
005750F4 00130001
Hey Jackal it works.
So, the 0013 value allows me to write consecutively for 13 bytes. How nice.
Here I thought that only Multi/Sliders did that.
O0
I haven't been using this codetype.
I was reading through the documentation when I wrote it.
The 0013 means it will write 0x13 (19) + 1 times = 20 times 0x01 from 805750F4,
which should be the same as yours, if I understand the documentation correctly.
Silly me, I managed to talk in hex instead of decimal. Of course 0x13 = 19.
It works perfectly!
The code would take already into consideration the initial code.
Alright so here's an update for the magnet code
I've noticed something too. Not only does this allow you to attract the fish, but it also gives you a reward...
how nice is that!
This is for the last Map.
* 20616218 00004000
* 04C95D18 3F599999
* 04C95D1C 01599999
* E0000000 80008000
Unfortunately, I can't find the tension line, nor the fish exhaustion.
I'll keep trekking!
I have a question for my button activator.
I'm interested in converting it into an activator for the C button (4000), but I would also like anything else pressed along with C to still let the code be written.
The reason for this is that the icon lets you know if there are fish around, and thus my code and this one would satisfy the need to know if there are any fish around.
You know what? I guess an on/off button should do the trick even nicer.
[Fish Mag V.2]
20616218 00004000
04C95D18 3F599999
04C95D1C 01599999
CC000000 00000000
04C95D18 DEFAULT ----> what's the series of HEX to enable default?
04C95D1C DEFAULT
E0000000 80008000
Without the default, it'll just bring it back to 00000000 and that's bad. The magnet is actually a fish radar, and so it's sort of a counter. Keeping it at 00000000 will simply make my fish go away!
ASM would be something like this, right?
lis r0, 0x8061 ----> controller
ori r0,r0, 0x6218
lwz r1, 0x0(r0)
li r2, 0x00004000 ----> C button
cmpw r1, r2
bne +20
lis r3, 0x80C9
ori r3,r3, 0x5D18
li r4, 0x3f599999 ----> can't convert properly help please
stw r4, 0(r0)
lis r5, 0x80C9
ori r5, r5, 0x5D1C
li r6, 0x01599999 ----> can't convert properly help please
stw r7, 0(r5)
"li r4, 0x3f599999 ----> can't convert properly help please"
lis r4,0x3f59
ori r4,r4,0x9999
"button C (4000) but I also would like, anything besides that pressed with the C allows the code to be written anyways."
http://geckocodes.org/index.php?arsenal=2
Tick "C" in the top-left "Wii Remote + Nunchuck" box.
Check "Inclusive (use mask)" on top-right area.
"Result (wii)" shows the value: BFFF4000
Normally the first 2bytes of a button activator are 0's. This tells the code that when you press the button (C in this case), you cannot be pressing other ones. The bit mask makes it so you can ignore any set of other buttons. (in this case, all but the one you're checking for)
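Added example (mine, not part of the thread and not the real Gecko code handler): a small Python model of the code types discussed in the replies above, i.e. the ba/CE/E0 lines James calls redundant in the Millionaire code, the 0013 fill count in Jackal's one-line maps code, and the BFFF4000 inclusive mask for the C-button activator. Running it shows that the one-line 00 fill produces exactly the same 20 bytes as the five 04 writes, and that the 28 activator still fires with a second button held while the 20 version does not. The only assumption beyond the thread's own code type descriptions is the memory layout used for the test: the button halfword sits at 8061621A (what the 2861621B line reads) with zero bytes above it, so the word at 80616218 reads 0000xxxx.

```python
"""Toy model of the Gecko code handler (added example, not the real handler).
Covers only the code types discussed in this thread: 00/02/04 RAM writes (00
and 02 carry a fill count), 20/22 and 28/2A conditionals (28 compares a
halfword after masking out the bits to ignore: the 'inclusive' activator),
42/4A set ba/po, CE/DE ba/po range check, E0 full terminator and F0 end."""

DEFAULT_BA = 0x80000000        # ba and po both start at 0x80000000

class Memory:
    """Sparse big-endian memory (Wii PowerPC order); unmapped bytes read as 0."""
    def __init__(self):
        self.bytes = {}
    def write(self, addr, value, size):
        for i in range(size):
            self.bytes[addr + i] = (value >> (8 * (size - 1 - i))) & 0xFF
    def read(self, addr, size):
        value = 0
        for i in range(size):
            value = (value << 8) | self.bytes.get(addr + i, 0)
        return value

def parse_codes(text):
    """Forum-style code text -> (word1, word2) pairs; '*' and '---->' notes are dropped."""
    pairs = []
    for line in text.splitlines():
        parts = line.split('---->')[0].replace('*', ' ').split()
        if len(parts) >= 2 and len(parts[0]) == 8 and len(parts[1]) == 8:
            pairs.append((int(parts[0], 16), int(parts[1], 16)))
    return pairs

def inclusive_mask(buttons):
    """Second word of a 28 activator that fires while `buttons` are held, whatever
    else is pressed: upper half = bits to ignore, lower half = bits required.
    0x4000 (C) gives 0xBFFF4000, the value the generator produced above."""
    return ((~buttons & 0xFFFF) << 16) | (buttons & 0xFFFF)

def run(codes, mem, ba=DEFAULT_BA, po=DEFAULT_BA):
    """Execute a code list against mem. `conds` is the stack of open if-blocks;
    a write only lands while every entry is True."""
    conds = []
    for w1, w2 in codes:
        ct = w1 >> 24
        base = ct & 0xEE                       # strip po flag (0x10) and address bit 24 (0x01)
        addr = (po if ct & 0x10 else ba) + (w1 & 0x01FFFFFF)
        if base in (0x00, 0x02, 0x04):         # RAM writes
            if all(conds):
                size = {0x00: 1, 0x02: 2, 0x04: 4}[base]
                if base == 0x04:
                    count, value = 1, w2
                else:                          # YYYYZZZZ: write ZZ(ZZ) YYYY+1 times
                    count, value = (w2 >> 16) + 1, w2 & 0xFFFF
                for i in range(count):
                    mem.write(addr + i * size, value, size)
        elif base in (0x20, 0x22, 0x28, 0x2A): # conditionals
            if addr & 1:                       # odd address: endif the open block first
                addr &= ~1
                if conds:
                    conds.pop()
            if base in (0x20, 0x22):           # 32-bit exact compare
                ok = mem.read(addr, 4) == w2
            else:                              # 16-bit compare, ignoring the masked bits
                mask, want = w2 >> 16, w2 & 0xFFFF
                ok = (mem.read(addr, 2) & ~mask & 0xFFFF) == want
            conds.append(ok if base in (0x20, 0x28) else not ok)
        elif base == 0x42:
            ba = w2
        elif base == 0x4A:
            po = w2
        elif base == 0xCE:                     # CE = ba, DE = po: XXXX <= reg>>16 < YYYY ?
            reg = po if ct & 0x10 else ba
            conds.append((w2 >> 16) <= (reg >> 16) < (w2 & 0xFFFF))
        elif base == 0xE0:                     # full terminator: close every if, then
            conds.clear()                      # ba = XXXX0000, po = YYYY0000 when non-zero
            if w2 >> 16:
                ba = (w2 >> 16) << 16
            if w2 & 0xFFFF:
                po = (w2 & 0xFFFF) << 16
        elif base == 0xF0:
            break
        else:
            raise ValueError(f'code type {ct:02X} is not modelled here')
    return mem

def millionaire():
    """The first post's [Millionaire] code; the ba/CE/E0 lines are redundant but harmless."""
    code = parse_codes("""
        * 42000000 80000000
        * CE000000 80008100
        * 04574EDC 49742400 ----> the float 1,000,000.0
        * E0000000 80008000""")
    return run(code, Memory()).read(0x80574EDC, 4)

def fill_matches_five_writes():
    """'005750F4 00130001' writes 0x13+1 = 20 bytes of 01, the same as the five 04 lines."""
    long_form = run(parse_codes("""
        045750F4 01010101
        045750F8 01010101
        045750FC 01010101
        04575100 01010101
        04575104 01010101"""), Memory())
    short_form = run(parse_codes("005750F4 00130001"), Memory())
    span = range(0x805750F4, 0x805750F4 + 20)
    return all(long_form.read(a, 1) == short_form.read(a, 1) == 1 for a in span)

def magnet_fires(activator, buttons):
    """Run the fish magnet behind `activator` with `buttons` held (assumed layout:
    halfword at 0x8061621A, zeros above it) and report whether the write landed."""
    mem = Memory()
    mem.write(0x8061621A, buttons, 2)
    code = parse_codes(activator + """
        04CB2DDC 01599999
        04CB2DD8 3F599999
        E0000000 80008000""")
    return run(code, mem).read(0x80CB2DD8, 4) == 0x3F599999
```

magnet_fires('20616218 00004000', 0x4800) is False (C plus another button fails the 32-bit exact compare), while magnet_fires('2861621B BFFF4000', 0x4800) is True because the 28 type masks the other bits out first; note how the odd address 2861621B also closes any if-block left open by a previous code, which is why the generator emits it.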
Quote from: Patedj on January 22, 2011, 11:00:10 AM
ASM would be something like this, right?
lis r0, 0x8061 ----> controller
ori r0,r0, 0x6218
lwz r1, 0x0(r0)
li r2, 0x00004000 ----> C button
cmpw r1, r2
bne +20
lis r3, 0x80C9
ori r3,r3, 0x5D18
li r4, 0x3f599999 ----> can't convert properly help please
stw r4, 0(r0)
lis r5, 0x80C9
ori r5, r5, 0x5D1C
li r6, 0x01599999 ----> can't convert properly help please
stw r7, 0(r5)
YIKES! Don't do this for so many reasons.
1) Never write to r1. It's the stack pointer. It must be handled a certain way, with stwu and addi.
2) Never write to r2 (or r13). Period.
3) I doubt the rest of the registers are safe. You have to be very careful about when you use registers like that. It might be best if you just create a stack frame instead of trying to use safe registers. Just use the stuff above the first --- from here. http://wiird.l0nk.org/forum/index.php/topic,6555.0.html
4) When using r0, it's helpful to double check the instruction's data sheet. http://pds.twi.tudelft.nl/vakken/in101/labcourse/instruction-set/ Go click on stw. The datasheet says "EA is the sum of (rA|0) + d". EA means Effective Address. rA|0 means that it will NOT look at the contents of r0 if you specify it for the rA operand of the instruction (making it rB or rD etc is okay). Essentially, for the purpose of this instruction, r0 always holds 0, even though it might hold something else. There are some other common instructions that have this restriction with r0, like addi. Many instructions don't.
5) ASM instructions are only 32-bits. So we can't make an instruction that writes a 32-bit immediate, because there would be no bits left to specify the instruction! Thus, most immediates are only 16-bits. That's why we need lis (to load the upper 16 bits) and ori (to merge the lower 16 bits in)
6) Use branch labels. Instead of bne+ 20, use bne+ BRANCH_DESTINATION. Then add a BRANCH_DESTINATION: (<--- see the colon?) before the place you want the branch to land. No more counting instructions!
7) + and - after branches don't mean what you think they mean. They are branch hints; + means the branch will be taken most of the time and - means it won't be taken most of the time. This helps the CPU run faster sometimes. Usually, branch hints with + go backward, while - goes forward.
That was just pseudo code, dcx2. lol (he just used the registers in order for simplicity's sake) =P
@7: ....Really?? I had no idea that was the case... From observation, I just assumed + meant backwards and - meant forward. (so they seemed pointless since you could see that anyway)
And given that (new-to-me) info, it makes perfect sense that + more likely to go backwards because of the nature of looping.
Ahahaha, this is great! Thanks, dcx2 and James0x57. That explains a lot. So let me get this straight.
Button activator: the inclusive mask does the trick.
I can ori anything to add the extra 16 byte info :)
And only inject into non-volatile registers, thanks dcx2. (He was right to correct me, James0x57. I didn't know any better and now I'm stronger than ever.) O0
So, in this case...
[spoiler]CR:28200888 XER:00000000 CTR:801CAA4C DSIS:00400000
DAR:80CB2DD8 SRR0:801CAAE0 SRR1:0000B032 LR:801CAA70
r0:00000007 r1:80630578 r2:80624240 r3:8055491C
r4:00000000 r5:80CABA00 r6:00000000 r7:CC010000
r8:00000000 r9:0011C264 r10:0011C26C r11:806305B8
r12:801CAA4C r13:806208E0 r14:00000000 r15:FFFFFF00
r16:80325C98 r17:FF5C5CFC r18:FFAAA0AC r19:FF0A0000
r20:FFBEAAC8 r21:FF640000 r22:00000001 r23:80325C98
r24:80575F64 r25:80595F64 r26:805AE8F8 r27:00000001
r28:00000000 r29:805A99A8 r30:0000000E r31:805AC66C
f0:00000000 f1:00000000 f2:3EF80000 f3:3F8CCCCD
f4:80000000 f5:3F800000 f6:40000000 f7:4131B91B
f8:42F33333 f9:41800000 f10:3F1E2CCE f11:3EDDB7F9
f12:3F49499A f13:3F0E931C f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:59800004 f31:3F000000[/spoiler]
stwu starts at 801CAA4C and finishes at 801CAE10.
Unfortunately I can't select copy/paste, so I have 5 jpgs filled with assembly.
[Fish Magnet for the maps except last map V.2] (Thanks to James0x57)
2861621B BFFF4000
04CB2DDC 01599999
04CB2DD8 3F599999
E0000000 80008000
[Fish Magnet for the Last map V.2]
2861621B BFFF4000
04C5BA78 3F599999
04C5BA7C 01599999
E0000000 80008000
[Maps unlocked V.2] (Thanks to Jackal)
005750F4 00130001
I'm still working on the assembly
You can copy and paste. Right click in the disassembly and hit "Copy Function". Sometimes these can be long, so I usually spoiler functions.
BTW, you can only use non-volatiles after you make a stack frame. Volatiles are usually a lot safer, but you need to be careful to avoid using one before it's going to be used as a source operand.
Thanks dcx2. Yay!!
I was sure you guys had thought of that!
Here's the disassembly for the fish magnet code.
[spoiler]801CA978: 9421FFE0 stwu r1,-32(r1)
801CA97C: 7C0802A6 mflr r0
801CA980: 90010024 stw r0,36(r1)
801CA984: DBE10010 stfd f31,16(r1)
801CA988: F3E10018 psq_st f31,24(r1),0,0
801CA98C: 93E1000C stw r31,12(r1)
801CA990: 7C7F1B78 mr r31,r3
801CA994: 808DAEEC lwz r4,-20756(r13)
801CA998: 2C040000 cmpwi r4,0
801CA99C: 41820094 beq- 0x801caa30
801CA9A0: 800473A8 lwz r0,29608(r4)
801CA9A4: 2C000007 cmpwi r0,7
801CA9A8: 41820008 beq- 0x801ca9b0
801CA9AC: 48000084 b 0x801caa30
801CA9B0: 880473DC lbz r0,29660(r4)
801CA9B4: C08473D8 lfs f4,29656(r4) ----> it *reads* here
801CA9B8: 2C000000 cmpwi r0,0
801CA9BC: C0A2AAEC lfs f5,-21780(r2)
801CA9C0: C0C2A864 lfs f6,-22428(r2)
801CA9C4: 4182000C beq- 0x801ca9d0
801CA9C8: C0A2A970 lfs f5,-22160(r2)
801CA9CC: C0C2AA38 lfs f6,-21960(r2)
801CA9D0: C042A858 lfs f2,-22440(r2)
801CA9D4: C00300AC lfs f0,172(r3)
801CA9D8: EC622028 fsubs f3,f2,f4
801CA9DC: C842AAF0 lfd f2,-21776(r2)
801CA9E0: EC210032 fmuls f1,f1,f0
801CA9E4: C00300A8 lfs f0,168(r3)
801CA9E8: FC6320AE fsel f3,f3,f2,f4
801CA9EC: EC240072 fmuls f1,f4,f1
801CA9F0: FC601818 frsp f3,f3
801CA9F4: EC46007A fmadds f2,f6,f1,f0
801CA9F8: EFE500F2 fmuls f31,f5,f3
801CA9FC: FC60F890 fmr f3,f31
801CAA00: FC20F850 fneg f1,f31
801CAA04: 4BE873FD bl 0x80051e00
801CAA08: FC000818 frsp f0,f1
801CAA0C: D03F00A8 stfs f1,168(r31)
801CAA10: FC000210 fabs f0,f0
801CAA14: FC000018 frsp f0,f0
801CAA18: FC1F0000 fcmpu cr0,f31,f0
801CAA1C: 40820014 bne- 0x801caa30
801CAA20: C03F00AC lfs f1,172(r31)
801CAA24: C002AAF8 lfs f0,-21768(r2)
801CAA28: EC010032 fmuls f0,f1,f0
801CAA2C: D01F00AC stfs f0,172(r31)
801CAA30: 80010024 lwz r0,36(r1)
801CAA34: E3E10018 psq_l f31,24(r1),0,0
801CAA38: CBE10010 lfd f31,16(r1)
801CAA3C: 83E1000C lwz r31,12(r1)
801CAA40: 7C0803A6 mtlr r0
801CAA44: 38210020 addi r1,r1,32
801CAA48: 4E800020 blr
801CAA4C: 9421FFA0 stwu r1,-96(r1)
801CAA50: 7C0802A6 mflr r0
801CAA54: 90010064 stw r0,100(r1)
801CAA58: 39610040 addi r11,r1,64
801CAA5C: DBE10050 stfd f31,80(r1)
801CAA60: F3E10058 psq_st f31,88(r1),0,0
801CAA64: DBC10040 stfd f30,64(r1)
801CAA68: F3C10048 psq_st f30,72(r1),0,0
801CAA6C: 480B1155 bl 0x8027bbc0
801CAA70: 80ADAEEC lwz r5,-20756(r13)
801CAA74: 3C004330 lis r0,17200
801CAA78: 90010018 stw r0,24(r1)
801CAA7C: 7C7F1B78 mr r31,r3
801CAA80: 2C050000 cmpwi r5,0
801CAA84: 90010020 stw r0,32(r1)
801CAA88: 41820364 beq- 0x801cadec
801CAA8C: 8062A1A0 lwz r3,-24160(r2)
801CAA90: 38800000 li r4,0
801CAA94: 88030008 lbz r0,8(r3)
801CAA98: 2C000000 cmpwi r0,0
801CAA9C: 40820014 bne- 0x801caab0
801CAAA0: 8062A1A4 lwz r3,-24156(r2)
801CAAA4: 88030000 lbz r0,0(r3)
801CAAA8: 2C000000 cmpwi r0,0
801CAAAC: 41820008 beq- 0x801caab4
801CAAB0: 38800001 li r4,1
801CAAB4: 2C040000 cmpwi r4,0
801CAAB8: 41820008 beq- 0x801caac0
801CAABC: 48000330 b 0x801cadec
801CAAC0: 800573A8 lwz r0,29608(r5)
801CAAC4: 2C000007 cmpwi r0,7
801CAAC8: 40820324 bne- 0x801cadec
801CAACC: 8B8573DC lbz r28,29660(r5)
801CAAD0: 2C1C0000 cmpwi r28,0
801CAAD4: 4182000C beq- 0x801caae0
801CAAD8: C802AB00 lfd f0,-21760(r2)
801CAADC: 48000008 b 0x801caae4
801CAAE0: C00573D8 lfs f0,29656(r5)
801CAAE4: FFE00018 frsp f31,f0
801CAAE8: 38610014 addi r3,r1,20
801CAAEC: 3881000C addi r4,r1,12
801CAAF0: 38A10010 addi r5,r1,16
801CAAF4: 38C10008 addi r6,r1,8
801CAAF8: 4BF300ED bl 0x800fabe4
801CAAFC: 806D91D0 lwz r3,-28208(r13)
801CAB00: 4BEF8775 bl 0x800c3274
801CAB04: 6C608000 xoris r0,r3,32768
801CAB08: 9001001C stw r0,28(r1)
801CAB0C: C842A8C8 lfd f2,-22328(r2)
801CAB10: C8210018 lfd f1,24(r1)
801CAB14: C0010014 lfs f0,20(r1)
801CAB18: EC211028 fsubs f1,f1,f2
801CAB1C: 806D91D0 lwz r3,-28208(r13)
801CAB20: EC00082A fadds f0,f0,f1
801CAB24: D0010014 stfs f0,20(r1)
801CAB28: 4BEF874D bl 0x800c3274
801CAB2C: 6C608000 xoris r0,r3,32768
801CAB30: 90010024 stw r0,36(r1)
801CAB34: C842A8C8 lfd f2,-22328(r2)
801CAB38: C8210020 lfd f1,32(r1)
801CAB3C: C0010010 lfs f0,16(r1)
801CAB40: EC211028 fsubs f1,f1,f2
801CAB44: 806D91D0 lwz r3,-28208(r13)
801CAB48: EC000828 fsubs f0,f0,f1
801CAB4C: D0010010 stfs f0,16(r1)
801CAB50: 4BEF8769 bl 0x800c32b8
801CAB54: 6C608000 xoris r0,r3,32768
801CAB58: 9001001C stw r0,28(r1)
801CAB5C: C842A8C8 lfd f2,-22328(r2)
801CAB60: C8210018 lfd f1,24(r1)
801CAB64: C001000C lfs f0,12(r1)
801CAB68: EC211028 fsubs f1,f1,f2
801CAB6C: 806D91D0 lwz r3,-28208(r13)
801CAB70: EC00082A fadds f0,f0,f1
801CAB74: D001000C stfs f0,12(r1)
801CAB78: 4BEF8741 bl 0x800c32b8
801CAB7C: C0210010 lfs f1,16(r1)
801CAB80: 6C608000 xoris r0,r3,32768
801CAB84: C0010014 lfs f0,20(r1)
801CAB88: 387F00B0 addi r3,r31,176
801CAB8C: 90010024 stw r0,36(r1)
801CAB90: EC210028 fsubs f1,f1,f0
801CAB94: C002AB08 lfs f0,-21752(r2)
801CAB98: C862A8C8 lfd f3,-22328(r2)
801CAB9C: C8410020 lfd f2,32(r1)
801CABA0: EFC10024 fdivs f30,f1,f0
801CABA4: C0010008 lfs f0,8(r1)
801CABA8: EC221828 fsubs f1,f2,f3
801CABAC: EC000828 fsubs f0,f0,f1
801CABB0: D0010008 stfs f0,8(r1)
801CABB4: 4BE78FC1 bl 0x80043b74
801CABB8: C002AB0C lfs f0,-21748(r2)
801CABBC: 38DF012C addi r6,r31,300
801CABC0: C0C2A870 lfs f6,-22416(r2)
801CABC4: 3BA00001 li r29,1
801CABC8: ED2007B2 fmuls f9,f0,f30
801CABCC: C882AB10 lfd f4,-21744(r2)
801CABD0: C0A2A8D4 lfs f5,-22316(r2)
801CABD4: 3BC00000 li r30,0
801CABD8: D13F00BC stfs f9,188(r31)
801CABDC: 3800FFFF li r0,-1
801CABE0: D13F00C0 stfs f9,192(r31)
801CABE4: 387F00B0 addi r3,r31,176
801CABE8: C062AA90 lfs f3,-21872(r2)
801CABEC: 38800001 li r4,1
801CABF0: C0010010 lfs f0,16(r1)
801CABF4: 38A00000 li r5,0
801CABF8: C1010014 lfs f8,20(r1)
801CABFC: C042AB18 lfs f2,-21736(r2)
801CAC00: ECE04028 fsubs f7,f0,f8
801CAC04: C022AB1C lfs f1,-21732(r2)
801CAC08: C002AB20 lfs f0,-21728(r2)
801CAC0C: ECC73024 fdivs f6,f7,f6
801CAC10: FC8441BA fmadd f4,f4,f6,f8
801CAC14: FC802018 frsp f4,f4
801CAC18: D09F00B4 stfs f4,180(r31)
801CAC1C: C0810008 lfs f4,8(r1)
801CAC20: EC85227C fnmsubs f4,f5,f9,f4
801CAC24: 93BF0108 stw r29,264(r31)
801CAC28: D09F00B8 stfs f4,184(r31)
801CAC2C: 93BF010C stw r29,268(r31)
801CAC30: 9BDF00F4 stb r30,244(r31)
801CAC34: 90DF0110 stw r6,272(r31)
801CAC38: D07F00D8 stfs f3,216(r31)
801CAC3C: D05F00DC stfs f2,220(r31)
801CAC40: D03F00E0 stfs f1,224(r31)
801CAC44: D01F00E4 stfs f0,228(r31)
801CAC48: 901F00F0 stw r0,240(r31)
801CAC4C: 4BE78FB5 bl 0x80043c00
801CAC50: 387F00B0 addi r3,r31,176
801CAC54: 4BE78F21 bl 0x80043b74
801CAC58: C002AB0C lfs f0,-21748(r2)
801CAC5C: 2C1C0000 cmpwi r28,0
801CAC60: C042A870 lfs f2,-22416(r2)
801CAC64: 381F012C addi r0,r31,300
801CAC68: ECA007B2 fmuls f5,f0,f30
801CAC6C: C802AB10 lfd f0,-21744(r2)
801CAC70: C022A8D4 lfs f1,-22316(r2)
801CAC74: D0BF00BC stfs f5,188(r31)
801CAC78: D0BF00C0 stfs f5,192(r31)
801CAC7C: C0610010 lfs f3,16(r1)
801CAC80: C0810014 lfs f4,20(r1)
801CAC84: EC632028 fsubs f3,f3,f4
801CAC88: EC431024 fdivs f2,f3,f2
801CAC8C: FC0020BA fmadd f0,f0,f2,f4
801CAC90: FC000018 frsp f0,f0
801CAC94: D01F00B4 stfs f0,180(r31)
801CAC98: C0010008 lfs f0,8(r1)
801CAC9C: EC01017C fnmsubs f0,f1,f5,f0
801CACA0: 93BF0108 stw r29,264(r31)
801CACA4: D01F00B8 stfs f0,184(r31)
801CACA8: 93BF010C stw r29,268(r31)
801CACAC: 9BDF00F4 stb r30,244(r31)
801CACB0: 901F0110 stw r0,272(r31)
801CACB4: 41820018 beq- 0x801caccc
801CACB8: C022AB24 lfs f1,-21724(r2)
801CACBC: C062AB28 lfs f3,-21720(r2)
801CACC0: C0C2AB2C lfs f6,-21716(r2)
801CACC4: C0E2AB30 lfs f7,-21712(r2)
801CACC8: 48000014 b 0x801cacdc
801CACCC: C022AB34 lfs f1,-21708(r2)
801CACD0: C062AB28 lfs f3,-21720(r2)
801CACD4: C0C2AB38 lfs f6,-21704(r2)
801CACD8: C0E2AB30 lfs f7,-21712(r2)
801CACDC: C0A2AA8C lfs f5,-21876(r2)
801CACE0: C042A8E8 lfs f2,-22296(r2)
801CACE4: EC810172 fmuls f4,f1,f5
801CACE8: C01F00A8 lfs f0,168(r31)
801CACEC: EC6300B2 fmuls f3,f3,f2
801CACF0: C022A85C lfs f1,-22436(r2)
801CACF4: ECA60172 fmuls f5,f6,f5
801CACF8: D09F00D8 stfs f4,216(r31)
801CACFC: EC8700B2 fmuls f4,f7,f2
801CAD00: D07F00DC stfs f3,220(r31)
801CAD04: EC5F002A fadds f2,f31,f0
801CAD08: C062A864 lfs f3,-22428(r2)
801CAD0C: D0BF00E0 stfs f5,224(r31)
801CAD10: D09F00E4 stfs f4,228(r31)
801CAD14: 4BE870ED bl 0x80051e00
801CAD18: C002A868 lfs f0,-22424(r2)
801CAD1C: EC200072 fmuls f1,f0,f1
801CAD20: 480B0D75 bl 0x8027ba94
801CAD24: 5460C00E rlwinm r0,r3,24,0,7
801CAD28: 387F00B0 addi r3,r31,176
801CAD2C: 640000FF oris r0,r0,255
801CAD30: 38800001 li r4,1
801CAD34: 6000FFFF ori r0,r0,65535
801CAD38: 901F00F0 stw r0,240(r31)
801CAD3C: 38A00000 li r5,0
801CAD40: 4BE78EC1 bl 0x80043c00
801CAD44: 387F00B0 addi r3,r31,176
801CAD48: 4BE78E2D bl 0x80043b74
801CAD4C: C002AB0C lfs f0,-21748(r2)
801CAD50: 38DF012C addi r6,r31,300
801CAD54: C0C2A870 lfs f6,-22416(r2)
801CAD58: 39000001 li r8,1
801CAD5C: ED2007B2 fmuls f9,f0,f30
801CAD60: C882AB10 lfd f4,-21744(r2)
801CAD64: C0A2A8D4 lfs f5,-22316(r2)
801CAD68: 38E00000 li r7,0
801CAD6C: D13F00BC stfs f9,188(r31)
801CAD70: 3800FFFF li r0,-1
801CAD74: D13F00C0 stfs f9,192(r31)
801CAD78: 387F00B0 addi r3,r31,176
801CAD7C: C062AB3C lfs f3,-21700(r2)
801CAD80: 38800001 li r4,1
801CAD84: C0010010 lfs f0,16(r1)
801CAD88: 38A00000 li r5,0
801CAD8C: C1010014 lfs f8,20(r1)
801CAD90: C042AB18 lfs f2,-21736(r2)
801CAD94: ECE04028 fsubs f7,f0,f8
801CAD98: C022AB40 lfs f1,-21696(r2)
801CAD9C: C002AB20 lfs f0,-21728(r2)
801CADA0: ECC73024 fdivs f6,f7,f6
801CADA4: FC8441BA fmadd f4,f4,f6,f8
801CADA8: FC802018 frsp f4,f4
801CADAC: D09F00B4 stfs f4,180(r31)
801CADB0: C0810008 lfs f4,8(r1)
801CADB4: EC85227C fnmsubs f4,f5,f9,f4
801CADB8: 911F0108 stw r8,264(r31)
801CADBC: D09F00B8 stfs f4,184(r31)
801CADC0: 911F010C stw r8,268(r31)
801CADC4: 98FF00F4 stb r7,244(r31)
801CADC8: 90DF0110 stw r6,272(r31)
801CADCC: D07F00D8 stfs f3,216(r31)
801CADD0: D05F00DC stfs f2,220(r31)
801CADD4: D03F00E0 stfs f1,224(r31)
801CADD8: D01F00E4 stfs f0,228(r31)
801CADDC: 901F00F0 stw r0,240(r31)
801CADE0: 4BE78E21 bl 0x80043c00
801CADE4: 7FE3FB78 mr r3,r31
801CADE8: 480012E5 bl 0x801cc0cc
801CADEC: 39610040 addi r11,r1,64
801CADF0: E3E10058 psq_l f31,88(r1),0,0
801CADF4: CBE10050 lfd f31,80(r1)
801CADF8: E3C10048 psq_l f30,72(r1),0,0
801CADFC: CBC10040 lfd f30,64(r1)
801CAE00: 480B0E0D bl 0x8027bc0c
801CAE04: 80010064 lwz r0,100(r1)
801CAE08: 7C0803A6 mtlr r0
801CAE0C: 38210060 addi r1,r1,96
801CAE10: 4E800020 blr
[/spoiler]
Would you look at that!! HA! You guys seem to never stop impressing!
[spoiler]CR:22200488 XER:00000000 CTR:801CA978 DSIS:00400000
DAR:80C5BA7C SRR0:801CA9B0 SRR1:0000B032 LR:801C5470
r0:00000007 r1:80630608 r2:80624240 r3:805AC66C
r4:80C546A0 r5:00000000 r6:00000000 r7:414B4500
r8:414B4500 r9:00000000 r10:80630628 r11:80630618
r12:801CA978 r13:806208E0 r14:00000000 r15:FFFFFF00
r16:80325C98 r17:FF5C5CFC r18:FFAAA0AC r19:FF0A0000
r20:FFBEAAC8 r21:FF640000 r22:00000001 r23:80325C98
r24:80575F64 r25:80595F64 r26:00000000 r27:80595F64
r28:80575F64 r29:805A99A8 r30:0000000E r31:805AC66C
f0:00000000 f1:3D0A1000 f2:00000000 f3:BD0A1000
f4:4F000000 f5:BD8F5C29 f6:3F6DB8FB f7:3F7DBD7B
f8:3D480EB9 f9:3E080C91 f10:BF7DBB02 f11:00000000
f12:00000000 f13:BF8FAE2A f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:00000000 f31:3D0A1000[/spoiler]
[spoiler]801CA978: 9421FFE0 stwu r1,-32(r1)
801CA97C: 7C0802A6 mflr r0
801CA980: 90010024 stw r0,36(r1)
801CA984: DBE10010 stfd f31,16(r1)
801CA988: F3E10018 psq_st f31,24(r1),0,0
801CA98C: 93E1000C stw r31,12(r1)
801CA990: 7C7F1B78 mr r31,r3
801CA994: 808DAEEC lwz r4,-20756(r13)
801CA998: 2C040000 cmpwi r4,0
801CA99C: 41820094 beq- 0x801caa30
801CA9A0: 800473A8 lwz r0,29608(r4)
801CA9A4: 2C000007 cmpwi r0,7
801CA9A8: 41820008 beq- 0x801ca9b0
801CA9AC: 48000084 b 0x801caa30
801CA9B0: 880473DC lbz r0,29660(r4)
801CA9B4: C08473D8 lfs f4,29656(r4)
801CA9B8: 2C000000 cmpwi r0,0
801CA9BC: C0A2AAEC lfs f5,-21780(r2)
801CA9C0: C0C2A864 lfs f6,-22428(r2)
801CA9C4: 4182000C beq- 0x801ca9d0
801CA9C8: C0A2A970 lfs f5,-22160(r2)
801CA9CC: C0C2AA38 lfs f6,-21960(r2)
801CA9D0: C042A858 lfs f2,-22440(r2)
801CA9D4: C00300AC lfs f0,172(r3)
801CA9D8: EC622028 fsubs f3,f2,f4
801CA9DC: C842AAF0 lfd f2,-21776(r2)
801CA9E0: EC210032 fmuls f1,f1,f0
801CA9E4: C00300A8 lfs f0,168(r3)
801CA9E8: FC6320AE fsel f3,f3,f2,f4
801CA9EC: EC240072 fmuls f1,f4,f1
801CA9F0: FC601818 frsp f3,f3
801CA9F4: EC46007A fmadds f2,f6,f1,f0
801CA9F8: EFE500F2 fmuls f31,f5,f3
801CA9FC: FC60F890 fmr f3,f31
801CAA00: FC20F850 fneg f1,f31
801CAA04: 4BE873FD bl 0x80051e00
801CAA08: FC000818 frsp f0,f1
801CAA0C: D03F00A8 stfs f1,168(r31)
801CAA10: FC000210 fabs f0,f0
801CAA14: FC000018 frsp f0,f0
801CAA18: FC1F0000 fcmpu cr0,f31,f0
801CAA1C: 40820014 bne- 0x801caa30
801CAA20: C03F00AC lfs f1,172(r31)
801CAA24: C002AAF8 lfs f0,-21768(r2)
801CAA28: EC010032 fmuls f0,f1,f0
801CAA2C: D01F00AC stfs f0,172(r31)
801CAA30: 80010024 lwz r0,36(r1)
801CAA34: E3E10018 psq_l f31,24(r1),0,0
801CAA38: CBE10010 lfd f31,16(r1)
801CAA3C: 83E1000C lwz r31,12(r1)
801CAA40: 7C0803A6 mtlr r0
801CAA44: 38210020 addi r1,r1,32
801CAA48: 4E800020 blr
[/spoiler]
stwu r1,-80(r1)
stmw r14,8(r1)
lis r15, 0x8061 ----> controller
ori r15,r15, 0x621B
lwz r16, 0x0(r15)
li r17, 0x00004000 ----> C button
cmpw r16, r17
*bne- 0x801caab0 ----> ?? I chose this because the disassembler branches there if negative. Do I load it
first? Something like lis r18, 0x801c
ori r18, r18, 0xaab0
Then bne- r18
If that's the case, then...
cmpw r16, r17
bne- r18
lis r19, 0x80C5
ori r19,r19, 0xBA78
li r20, 0x3f59
ori r20, r20, 0x9999
stw r20, 0(r19)
lmw r14,8(r1)
addi r1,r1,80
That's my code, but I have no idea where to inject it, or where to branch to. I'm thinking of injecting it at r12 = 80048D3C
and branching it to the function's bne- address.
I really think I'm complicating my code, though.
Maybe something like this should work,
injecting at 80C5BA78 for the last map's hook magnet:
stwu r1,-80(r1)
stmw r14,8(r1)
li r26, 0x3f59 ----> r26 had 00000000. I know it's not a valid address for safety, but it's between 14 and
31 and it's not demonstrated in the function copied here
ori r26, r26, 0x9999
stw r26,0x73D8(r4)
lmw r14,8(r1)
addi r1,r1,80
Unfortunately it does not work right; it'll come up with 4b3a6e60 stuff, but it doesn't freeze the game and it lights up the magnet... to 4b3a6e60 instead of 3f599999 :)
My code looks like this:
[spoiler]2861621B BFFF4000
C2C5BA78 00000004
9421FFB0 BDC10008
3B403F59 635A9999
934473D8 B9C10008
38210050 00000000
E0000000 80008000
[/spoiler]
Okay, there's a lot to address here.
1) ori r15,r15, 0x621B
This is the lower 16-bits of your button activator address. The value is odd (ends with 0xB = 11). This means the address is byte-aligned. Alignment is a difficult concept to explain; basically, any variable's address must be divisible by that variable's size. So a 4-byte variable should be divisible by 4 (ends in 0, 4, 8, or C). A 2-byte variable should be divisible by 2 (0, 2, 4, 6, ..., C, E). A 1-byte variable is divisible by anything. I think you meant 0x621A here.
2) lwz r16, 0x0(r15)
Button activator addresses are 16-bit half-words. So you should use lhz (maybe even lha), and the value in r15 should be divisible by 2.
3) li r17, 0x00004000
The vast majority of ASM instructions use 16-bit immediate values. You specified a 32-bit value, but it worked because the upper 16-bits are 0.
4) cmpw r16, r17
Because you're only testing against a 16-bit value, you can use cmpwi instead of cmpw. This allows you do to your cmp without loading r17 with the button mask you're activating on.
5) bne- 0x801caab0
You can't do this. Remember, Wii ASM is 32-bits per instruction. You gave a 32-bit absolute address. That leaves no bits for assigning op codes and such.
In the Wii's ASM, all branches that you see will be relative branches. That is, their destination is determined by adding the branch displacement to the address of the branch itself. This is why we write "bne- 8" to skip one instruction; the CPU typically adds 4 to the Instruction Pointer after every instruction executes, so that we go to the next one. However, a bne- 8 will add 8 to the IP, skipping the next instruction. A bne- -4 would branch backwards to the previous instruction. bne- 0 would be an infinite loop, constantly adding 0 to the IP.
When writing an ASM code, we often add or remove lines in between a branch and its destination. This requires the non-trivial act of counting instructions and turning it into a displacement, and making sure you remembered to check all your branches, etc. That's why we prefer branch destination labels. You can use a branch label as the operand for a branch and the assembler will automatically calculate the correct displacement for you. Yay!
6) bne- r18
You can't do this. Registers can't be arguments for branches. You can, however, load the CTR register with a 32-bit address, and the CTR register can be an operand for a branch using bctr-type instructions. You should make sure there's nothing important in CTR (usually there isn't, because it's volatile and the value becomes insignificant after any bl or blr, but sometimes it can be in use during your code's hook).
However, I definitely would NOT recommend using that kind of long-distance branch for this code. You'll miss the ASM that pops your stack frame! (lmw/addi) If your C2 is executed, it will probably cause a crash. Instead, your bne- should land on the lmw.
7) li r20, 0x3f59
Should be lis, like 8 below
8) li r26, 0x3f59 ----> r26 it had 00000000. I know it's not a valid address for safety but it's between 14 and
31 and its not demonstrated on the function copied here
You made a stack frame, so all registers 14-31 are safe to use within the frame. The value inside a register never determines whether it is safe to use. The non-volatile registers (r14-r31, the ones we backed up at the beginning with stmw and restore at the end with lmw) usually contain either local variables that this function may be using right now, or local variables for one of the stack frames before this one that might *also* be used right now, and the ASM for that frame may be very far away from this ASM, so we wouldn't know if it was or wasn't being used.
---
...your hook address for the C2, which is 80C5BA78, is not a value that's listed in your disassembly. C2 should hook ASM, not data. That explains the strange value that you're seeing on your screen; the code handler is writing a hook to the ASM where the game wants data, and the value that you see, 4b3a6e60, is machine code for b 0x6E60; the branch that the code handler wrote while attempting to hook the game.
I think you said your original ASM read breakpoint was 801CA9B4: lfs f4,29656(r4)
We only need one register. In instances like this, r12 is safe to use 99.99% of the time, with no stack frame. From the Copy Function you provided, it looks like pretty much everything from r5-r11 *should* be safe to use, assuming the game was compiled without any fancy tricks that might skirt the basic rules a bit.
lis r12, 0x3f59 # load r12 with our desired value
ori r12, r12, 0x9999
stw r12,29656(r4) # store using game's pre-existing pointer
lfs f4,29656(r4) # insert anti-code so we don't interfere with game execution
nop # probably unnecessary; the ASM-to-WiiRD converter will probably insert this if you don't
Note that you can still use a stack frame if you want. The use of r12 here makes some assumptions about the compiler's settings that are almost always true. In this case, given the values in the register listing, you'll see that r12 was probably used as part of loading up the CTR register for a bctrl at 801C546C (the function that called the one we're in). The value in r12 lost significance back in the old stack frame.
You can probably use r10 to load the button activator address and cmpwi to check for the C button. I shy away from r11; it's usually used for stack-like things and as a general rule I try to be extra super careful with things relating to the stack. Especially since r11 looks like it was used in the previous stack frame.
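To check the alignment rule and the relative-branch arithmetic from the reply above against words that appear in this thread's own disassembly, here is an added Python example; it is not code from any post here, the helper names are my own, and the 0x800028D8 destination it computes for the word 4b3a6e60 is derived from the thread's hook address 80C5BA78 rather than stated anywhere in the thread.

```python
"""Added example (not code from the thread): the alignment rule and the
relative-branch arithmetic from the reply above, checked against words that
appear in this thread's own disassembly. Helper names are my own."""


def is_aligned(addr: int, size: int) -> bool:
    """An n-byte variable must sit at an address divisible by n."""
    return addr % size == 0


def sign_extend(value: int, bits: int) -> int:
    """Interpret the low `bits` bits of value as a two's-complement number."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def fits_relative(disp: int, bits: int) -> bool:
    """A displacement must be a multiple of 4 and fit in `bits` signed bits
    (26 for b/bl, 16 for bc forms such as bne-/beq-/blt+)."""
    return disp % 4 == 0 and -(1 << (bits - 1)) <= disp < (1 << (bits - 1))


def branch_displacement(word: int) -> int:
    """Displacement carried by a relative PowerPC branch word."""
    if word & 0x2:  # AA bit set: absolute target, not a displacement
        raise ValueError("absolute branch: %08X" % word)
    opcode = word >> 26
    if opcode == 18:  # b / bl: 24-bit LI field plus two implied zero bits
        return sign_extend(word & 0x03FFFFFC, 26)
    if opcode == 16:  # bc (bne-, beq-, blt+ ...): 14-bit BD field plus two zero bits
        return sign_extend(word & 0xFFFC, 16)
    raise ValueError("not a branch: %08X" % word)


def branch_target(branch_addr: int, word: int) -> int:
    """Relative branch: destination = address of the branch + displacement."""
    return (branch_addr + branch_displacement(word)) & 0xFFFFFFFF


def encode_b(disp: int) -> int:
    """b <disp>. A full 32-bit address can never be the operand (item 5 above)."""
    if not fits_relative(disp, 26):
        raise ValueError("displacement out of range for b: %#x" % disp)
    return (18 << 26) | (disp & 0x03FFFFFC)


def encode_bne(disp: int) -> int:
    """bne- cr0,<disp>: BO=4 (branch if condition false), BI=2 (EQ bit of cr0)."""
    if not fits_relative(disp, 16):
        raise ValueError("displacement out of range for bne: %#x" % disp)
    return (16 << 26) | (4 << 21) | (2 << 16) | (disp & 0xFFFC)


if __name__ == "__main__":
    # Button activator address from the thread: odd, so not half-word aligned.
    print(is_aligned(0x8061621B, 2), is_aligned(0x8061621A, 2))
    # Branches copied from the thread's disassembly resolve to the addresses shown there.
    print("%08X" % branch_target(0x801DB2C0, 0x480001B4))   # b 0x801db474
    print("%08X" % branch_target(0x801DB3F8, 0x4180FF6C))   # blt+ 0x801db364
    # The word that showed up when the hook landed on data is a relative branch;
    # its destination, computed from hook address 80C5BA78, is 800028D8 (my
    # assumption: that is where the code handler placed the C2 body).
    print("%08X" % branch_target(0x80C5BA78, 0x4B3A6E60))
    print("%08X %08X" % (encode_bne(8), encode_bne(-4)))  # skip one / go back one
    print(fits_relative(0x801CAAB0, 26))  # the absolute address from item 5: never fits
```

Running it shows why "bne- 8" skips exactly one instruction (0x40820008) and "bne- -4" goes back one (0x4082FFFC), and that the 32-bit address from item 5 cannot be squeezed into a branch displacement at all.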
Thank you.
For the button condition, I understand you completely, unfortunately for us the code addresses are 80616218-9-a-b when I put my mouse over the pairs of bytes.
For the ASM, for some reason the game doesn't load the last map the same...
[spoiler]CR:44200488 XER:00000000 CTR:802021F4 DSIS:00400000
DAR:80CB2DD8 SRR0:801DB468 SRR1:0000B032 LR:801DB460
r0:80000003 r1:80630488 r2:80624240 r3:43300000
r4:8000000F r5:805739B4 r6:00000000 r7:00000000
r8:00000042 r9:FFFFFFFF r10:80630488 r11:80630008
r12:802021F4 r13:806208E0 r14:00000000 r15:FFFFFF00
r16:80325C98 r17:FF5C5CFC r18:FFAAA0AC r19:FF0A0000
r20:FFBEAAC8 r21:00000003 r22:0000000F r23:00000003
r24:00000000 r25:80F941A0 r26:00000003 r27:80630490
r28:805AD880 r29:815C2340 r30:0000000C r31:80CABA00
f0:BE924924 f1:3F36DB6E f2:3F800000 f3:3F800000
f4:3D0A1000 f5:59800004 f6:42339000 f7:4226D000
f8:C08E0000 f9:BFB60000 f10:00000000 f11:C1C4BBC0
f12:C21C3820 f13:48B2F3FE f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:00000000 f31:3D0A1000[/spoiler]
Function
[spoiler]801DB288: 9421FEE0 stwu r1,-288(r1)
801DB28C: 7C0802A6 mflr r0
801DB290: 90010124 stw r0,292(r1)
801DB294: 39610110 addi r11,r1,272
801DB298: DBE10110 stfd f31,272(r1)
801DB29C: F3E10118 psq_st f31,280(r1),0,0
801DB2A0: 480A0905 bl 0x8027bba4
801DB2A4: 800373A8 lwz r0,29608(r3)
801DB2A8: FFE00890 fmr f31,f1
801DB2AC: 7C7F1B78 mr r31,r3
801DB2B0: 2C000007 cmpwi r0,7
801DB2B4: 41820010 beq- 0x801db2c4
801DB2B8: C002ACD0 lfs f0,-21296(r2)
801DB2BC: D00373D8 stfs f0,29656(r3)
801DB2C0: 480001B4 b 0x801db474
801DB2C4: 80637328 lwz r3,29480(r3)
801DB2C8: 4801CFB5 bl 0x801f827c
801DB2CC: C002AE7C lfs f0,-20868(r2)
801DB2D0: FC000840 fcmpo cr0,f0,f1
801DB2D4: 4080000C bge- 0x801db2e0
801DB2D8: 3B000003 li r24,3
801DB2DC: 48000030 b 0x801db30c
801DB2E0: C002AEAC lfs f0,-20820(r2)
801DB2E4: FC000840 fcmpo cr0,f0,f1
801DB2E8: 4080000C bge- 0x801db2f4
801DB2EC: 3B000002 li r24,2
801DB2F0: 4800001C b 0x801db30c
801DB2F4: C002ACD0 lfs f0,-21296(r2)
801DB2F8: FC000840 fcmpo cr0,f0,f1
801DB2FC: 4080000C bge- 0x801db308
801DB300: 3B000001 li r24,1
801DB304: 48000008 b 0x801db30c
801DB308: 3B000000 li r24,0
801DB30C: 80BF7328 lwz r5,29480(r31)
801DB310: 3C808033 lis r4,-32717
801DB314: 3884A3B8 subi r4,r4,23624
801DB318: 806D84C4 lwz r3,-31548(r13)
801DB31C: 83251930 lwz r25,6448(r5)
801DB320: 38E4079D addi r7,r4,1949
801DB324: C022ADC4 lfs f1,-21052(r2)
801DB328: 38A10008 addi r5,r1,8
801DB32C: 38990050 addi r4,r25,80
801DB330: 38C00032 li r6,50
801DB334: 3900FFFF li r8,-1
801DB338: 4BF07545 bl 0x800e287c
801DB33C: 3AE00000 li r23,0
801DB340: 3F80805B lis r28,-32677
801DB344: 9AFF73DC stb r23,29660(r31)
801DB348: 7C7A1B78 mr r26,r3
801DB34C: 3B610008 addi r27,r1,8
801DB350: 3B9CD880 subi r28,r28,10112
801DB354: 3AC00000 li r22,0
801DB358: 3AA00000 li r21,0
801DB35C: 3BC00000 li r30,0
801DB360: 48000094 b 0x801db3f4
801DB364: 7C7BF02E lwzx r3,r27,r30
801DB368: 809C0010 lwz r4,16(r28)
801DB36C: 4BE7B68D bl 0x800569f8
801DB370: 80034294 lwz r0,17044(r3)
801DB374: 7C7D1B78 mr r29,r3
801DB378: 2C000008 cmpwi r0,8
801DB37C: 41820070 beq- 0x801db3ec
801DB380: 2C00000C cmpwi r0,12
801DB384: 41820068 beq- 0x801db3ec
801DB388: 80633BF0 lwz r3,15344(r3)
801DB38C: 38800005 li r4,5
801DB390: 4802D3A1 bl 0x80208730
801DB394: 2C030000 cmpwi r3,0
801DB398: 41820010 beq- 0x801db3a8
801DB39C: 38000001 li r0,1
801DB3A0: 981F73DC stb r0,29660(r31)
801DB3A4: 48000058 b 0x801db3fc
801DB3A8: 801D4330 lwz r0,17200(r29)
801DB3AC: 2C000003 cmpwi r0,3
801DB3B0: 41820010 beq- 0x801db3c0
801DB3B4: 2C000004 cmpwi r0,4
801DB3B8: 41820010 beq- 0x801db3c8
801DB3BC: 48000014 b 0x801db3d0
801DB3C0: 38A00001 li r5,1
801DB3C4: 48000010 b 0x801db3d4
801DB3C8: 38A00002 li r5,2
801DB3CC: 48000008 b 0x801db3d4
801DB3D0: 38A00000 li r5,0
801DB3D4: 80791AE0 lwz r3,6880(r25)
801DB3D8: 7F06C378 mr r6,r24
801DB3DC: 809D4294 lwz r4,17044(r29)
801DB3E0: 4BFE7091 bl 0x801c2470
801DB3E4: 7ED61A14 add r22,r22,r3
801DB3E8: 3AF70001 addi r23,r23,1
801DB3EC: 3AB50001 addi r21,r21,1
801DB3F0: 3BDE0004 addi r30,r30,4
801DB3F4: 7C15D000 cmpw r21,r26
801DB3F8: 4180FF6C blt+ 0x801db364
801DB3FC: 881F73DC lbz r0,29660(r31)
801DB400: C022ACD0 lfs f1,-21296(r2)
801DB404: 2C000000 cmpwi r0,0
801DB408: 4182000C beq- 0x801db414
801DB40C: C022AEB0 lfs f1,-20816(r2)
801DB410: 48000050 b 0x801db460
801DB414: 2C170000 cmpwi r23,0
801DB418: 40810048 ble- 0x801db460
801DB41C: 3C604330 lis r3,17200
801DB420: 6EC48000 xoris r4,r22,32768
801DB424: 908100D4 stw r4,212(r1)
801DB428: 6EE08000 xoris r0,r23,32768
801DB42C: C8A2AD28 lfd f5,-21208(r2)
801DB430: 906100D0 stw r3,208(r1)
801DB434: C002AEB4 lfs f0,-20812(r2)
801DB438: C84100D0 lfd f2,208(r1)
801DB43C: 900100DC stw r0,220(r1)
801DB440: EC822828 fsubs f4,f2,f5
801DB444: C062ACD4 lfs f3,-21292(r2)
801DB448: 906100D8 stw r3,216(r1)
801DB44C: C84100D8 lfd f2,216(r1)
801DB450: EC422828 fsubs f2,f2,f5
801DB454: EC441024 fdivs f2,f4,f2
801DB458: EC420024 fdivs f2,f2,f0
801DB45C: 4BE769A5 bl 0x80051e00
801DB460: FC80F890 fmr f4,f31
801DB464: C042ACD4 lfs f2,-21292(r2)
801DB468: C07F73D8 lfs f3,29656(r31) ----> breaks here
801DB46C: 4BE97AA1 bl 0x80072f0c
801DB470: D03F73D8 stfs f1,29656(r31)
801DB474: 39610110 addi r11,r1,272
801DB478: E3E10118 psq_l f31,280(r1),0,0
801DB47C: CBE10110 lfd f31,272(r1)
801DB480: 480A0771 bl 0x8027bbf0
801DB484: 80010124 lwz r0,292(r1)
801DB488: 7C0803A6 mtlr r0
801DB48C: 38210120 addi r1,r1,288
801DB490: 4E800020 blr
[/spoiler]
ASM
[spoiler]
Address 801DB468
lis r12, 0x3f59
ori r12, r12, 0x9999
stw r12,29656(r31)
lfs f3,29656(r31)
[/spoiler]
Code
[spoiler]
2861621a BFFF4000
C21DB468 00000003
3D803F59 618C9999
918473D8 C08473D8
60000000 00000000
E0000000 80008000
[/spoiler]
Unfortunately, this crashes the game... I'm thinking it's because of the r31... not supposed to write to this, right? So what now...
Anyways, I'm done trying asm for this game (unless I get more help that is).
The button activator works nicely so, on to the next game. Any recommendations (PAL of course)?
Button conditionals: when the mouse is over the A, you're probably on the first of the two button bytes. To see what I mean, go to the button activator address in Memory Viewer, check auto-update, and then press some buttons. You'll see the bytes changing. A is the one divisible by 2.
When you say the game crashes...when does it crash? Immediately upon applying the code? When you press the button? When the map changes? When the game crashes, you can press Step Into and it should show you the instruction that caused the crash.
You're in luck, though, I figured out why you crashed anyway. The problem is that your C2 code does not disassemble into the ASM you wanted. You used the ASM from the first example, which was r4 and f4, when this is now r31 and f3.
[spoiler]C21DB468 00000003
3D803F59 618C9999
918473D8 C08473D8
60000000 00000000
lis r12,16217
ori r12,r12,39321
stw r12,29656(r4)
lfs f4,29656(r4)[/spoiler]
Also, your button activator on the C2 code won't work unless you write the anti-code first. The anti-code is the original value that was at the hook address before it was changed to a branch. In this case, it's C07F73D8. This will "unhook" the C2 when you aren't pressing the button activator.
This is the code you want. Notice how it's assembled with the ASM you intended in your previous post, using r31 as the pointer and loading f3 as the destination register.
041DB468 C07F73D8 # anti-code
2861621A BFFF4000 # button activator
C21DB468 00000003 # hook
3D803F59 618C9999
919F73D8 C07F73D8
60000000 00000000
E0000000 80008000
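The two replies above both come down to one thing: the hex words in a C2 code must be the encoding of the instructions you meant, with the anti-code and activator lines around the hook. As an added example (not code from the thread, and not the ASM-to-WiiRD converter the replies mention), here is a Python encoder for the four D-form instructions used here plus a builder that reproduces the corrected code line for line, and a small disassembler that makes the r4/f4 versus r31/f3 mix-up from the previous post visible. Function names are my own; the nop-padding rule is inferred from the two C2 blocks shown in this thread.

```python
"""Added example (not code from the thread): encode the four instructions of the
corrected code above, build the Gecko C2 block with its padding, and decode words
back so a mismatch like the one in the previous post is visible."""

NOP = 0x60000000  # ori r0,r0,0


def _d_form(opcode, rt, ra, imm):
    """PowerPC D-form: opcode(6) rT(5) rA(5) immediate(16)."""
    return (opcode << 26) | (rt << 21) | (ra << 16) | (imm & 0xFFFF)


def lis(rd, imm):        return _d_form(15, rd, 0, imm)    # addis rd,0,imm
def ori(ra, rs, imm):    return _d_form(24, rs, ra, imm)   # ori rA,rS,UIMM
def stw(rs, disp, ra):   return _d_form(36, rs, ra, disp)  # stw rS,d(rA)
def lfs(frt, disp, ra):  return _d_form(48, frt, ra, disp) # lfs frT,d(rA)


def disasm(word):
    """Decode only the D-form ops above, in the decimal style of the thread's listing."""
    if word == NOP:
        return "nop"
    op, rt, ra, imm = word >> 26, (word >> 21) & 31, (word >> 16) & 31, word & 0xFFFF
    d = imm - 0x10000 if imm & 0x8000 else imm  # load/store displacements are signed
    if op == 15 and ra == 0:
        return "lis r%d,%d" % (rt, imm)
    if op == 24:
        return "ori r%d,r%d,%d" % (ra, rt, imm)
    if op == 36:
        return "stw r%d,%d(r%d)" % (rt, d, ra)
    if op == 48:
        return "lfs f%d,%d(r%d)" % (rt, d, ra)
    return ".long 0x%08X" % word


def gecko_word(code_type, addr):
    """Gecko left-hand word: code type byte plus the low 25 bits of the address."""
    return "%08X" % ((code_type << 24) | (addr & 0x01FFFFFF))


def c2_block(hook, words):
    """C2 hook: the body ends with a 00000000 word; with an even instruction count a
    nop is added first so that terminator still lands in a pair (as in the thread)."""
    words = list(words)
    if len(words) % 2 == 0:
        words.append(NOP)
    words.append(0)
    lines = ["%s %08X" % (gecko_word(0xC2, hook), len(words) // 2)]
    for i in range(0, len(words), 2):
        lines.append("%08X %08X" % (words[i], words[i + 1]))
    return lines


def activated_c2_code(hook, original_word, button_addr, mask, value, words):
    """04 anti-code restoring the original word, 28 button activator, C2 hook, E0 end."""
    return (["%s %08X" % (gecko_word(0x04, hook), original_word),
             "%s %04X%04X" % (gecko_word(0x28, button_addr), mask, value)]
            + c2_block(hook, words)
            + ["E0000000 80008000"])


# The corrected code from the reply above: r31 is the pointer, f3 the destination.
FIXED = [lis(12, 0x3F59), ori(12, 12, 0x9999), stw(12, 29656, 31), lfs(3, 29656, 31)]
# The crashing version: the same idea assembled against r4/f4 from the first example.
WRONG = [lis(12, 0x3F59), ori(12, 12, 0x9999), stw(12, 29656, 4), lfs(4, 29656, 4)]


def build_fixed_code():
    return activated_c2_code(0x801DB468, 0xC07F73D8, 0x8061621A, 0xBFFF, 0x4000, FIXED)


if __name__ == "__main__":
    for line in build_fixed_code():
        print(line)
    print("--- what the earlier C2 body actually said:")
    for w in WRONG:
        print("%08X  %s" % (w, disasm(w)))
```

The builder's output matches the seven lines of the corrected code above, and decoding the earlier body prints `stw r12,29656(r4)` and `lfs f4,29656(r4)`, which is exactly the disassembly the reply points at: the words were right for the first hook (r4, f4) and wrong for this one (r31, f3).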
Aha! You're an ASM GOD!!!
It works like a charm!!!
The anti-code really makes a lot of sense!
Thank you, you've helped me to really understand what was necessary for me to grow, oh Grand one! O0