Games such as Mario Galaxy, Mickey Mouse, Little ninjas, etc. have troubled me since the beginning. I look up everyone's moon jump codes but I don't understand why they did what they did.
At the moment I'm working on a moon jump for Okami pal, but can't get my mind around it.
What I want now is a step by step plan to get to the moon jump code.
1a. What am I searching for: Y axis, speed, inverted?
b. How do you get to the address: equal, not equal, greater, less?
2a. Once there I want ASM.
b. What ASM am I looking for: addi, fadds, subi, etc.?
3a. How to write it up: completely.
The more answers I get, the better off I am.
Then, let's start improving. Patedj
---------------------------
When you have found the moonjump address (NOT your Y height coordinate; it also works, but it's harder!!), set a read breakpoint on it.
Now, if you get an lfs or lwz, check if it's referring to the right place.
Example:
lfs f0,10(r3)
r3 shows: 81234567
Now we add r3 + 10 (converted to hex)
-> 81234567 + 0A = 81234571
If the result is EXACTLY the same as our moonjump address, we can use this instruction; if it's not the same, set another read breakpoint.
Next step, writing the ASM:
For that, you just need to do an ASM RAM Write with lis, ori and stw.
You should write a float like 44000000; the higher the float, the faster the jumping speed!
[spoiler]28XXXXXX YYYYZZZZ
ASM HERE
E2100000 00000000
ANTI CODE HERE
E0000000 80008000[/spoiler]
"If the jump button is pressed, moonjump"
Moonjump:
1. Search for Equal
2. Search for Greater than
3. Search for Less than
4. Search for Equal
Do it 4-5 times and then do a huge Multi-Poke.
If found, set a write or read breakpoint on this address. It will give you an lfs or stfs instruction.
Now you are able to write your own value to a register.
Example:
You get this instruction: stfs f0,46(r31)
f0 is the value and r31 is your address.
Write 40000000 to register 12 and store it to the address.
lis r12,0x4000
ori r12,r12,0x0000
stw r12,46(r31)
Code:
C2000000 00000002
3D804000 618C0000
919F002E 00000000
There are a few different methods of making moonjump: either modding gravity, the Y coordinate, or the Y speed modifier. I believe the last one is what Bully is referring to.
For methods of finding the moonjump address, try googling "glee method moonjump".
You can look at this thread also for info: http://wiird.l0nk.org/forum/index.php?topic=1454.0
The template that Bully posted in his spoiler looks like how ZiT made his moonjump code for the Japanese version of this game.
Quote from: Deathwolf on March 11, 2011, 03:37:15 PM
Example:
You get this instruction, lfs f0,46(r31)
f0 is the value and r31 is your address.
Write 40000000 to register 12 and store it into address.
lis r12,0x4000
ori r12,r12,0x0000
lfs r12,46(r31)
code:
C2000000 00000002
3D804000 618C0000
C19F002E 00000000
An lfs must have a float register!
The ASM can *for example* look like this (that's how I do it):
stwu r1,-16(r1) # stack frame
stw r11,8(r1)
lis r11,0xHHHH # write upper value
ori r11,r11,0xLLLL # write lower value
stw r11,d(rA)
lwz r11,8(r1)
addi r1,r1,16 # end stack frame
lfs fD,d(rA) # lfs instruction
Quote from: strakn on March 11, 2011, 03:39:52 PM
The template that Bully posted in his spoiler looks like how ZiT made his moonjump code for the Japanese version of this game.
That's the most common template, because it's very good as well :p
It's also possible to do it in pure ASM, but never mind.
Right, right, thanks Bully.
Sometimes you can just use another float register.
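Editor's added example (not code posted by Bully, Deathwolf or anyone else in this thread): a small assembler for the D-form PowerPC instructions the templates above use. It encodes Deathwolf's lis/ori/stw sequence into the C2 lines shown (3D804000 618C0000 / 919F002E 00000000), rejects a general-purpose register where lfs/stfs need an fN register (Bully's correction), computes the effective address for the read-breakpoint check (r3 + 10 = 81234571), and lays out Bully's stack-frame template as a C2 code. Assumptions: the hook address is left as the 000000 placeholder the template uses (passed here as 0x80000000), the register r31 and offset 46 are reused from the stfs example to fill in Bully's d(rA) and fD placeholders, and the Gecko padding rule (last word 00000000; an even instruction count gets a 60000000 nop first) is applied.

```python
import re

# Primary opcodes of the D-form instructions the templates in this thread use.
OPCODES = {"addi": 14, "addis": 15, "ori": 24, "lwz": 32, "stw": 36,
           "stwu": 37, "lfs": 48, "stfs": 52}
FLOAT_TARGET = {"lfs", "stfs"}                        # first operand must be fN
MEMORY_FORM = {"lwz", "stw", "stwu", "lfs", "stfs"}   # written as rT,d(rA)


def _reg(token, want_float):
    """Parse r0-r31 / f0-f31 and enforce the register class the mnemonic needs."""
    m = re.fullmatch(r"([rf])(\d+)", token)
    if not m or int(m.group(2)) > 31:
        raise ValueError(f"bad register {token!r}")
    if (m.group(1) == "f") != want_float:
        kind = "float" if want_float else "general-purpose"
        raise ValueError(f"{token!r}: this instruction needs a {kind} register")
    return int(m.group(2))


def _imm(token):
    """16-bit immediate: decimal or 0x-hex, optionally negative (two's complement)."""
    neg = token.startswith("-")
    digits = token.lstrip("+-")
    value = int(digits, 16) if digits.lower().startswith("0x") else int(digits, 10)
    value = -value if neg else value
    if not -0x8000 <= value <= 0xFFFF:
        raise ValueError(f"immediate {token!r} does not fit in 16 bits")
    return value & 0xFFFF


def assemble(line):
    """Encode one instruction, e.g. 'stw r12,46(r31)' or 'lis r12,0x4000', as a 32-bit word."""
    parts = line.strip().split(None, 1)
    mnem = parts[0].lower()
    ops = parts[1].replace(" ", "") if len(parts) > 1 else ""
    if mnem == "lis":                       # lis rD,imm is addis rD,r0,imm
        rd, imm = ops.split(",")
        return (OPCODES["addis"] << 26) | (_reg(rd, False) << 21) | _imm(imm)
    if mnem in MEMORY_FORM:
        rt, rest = ops.split(",", 1)
        m = re.fullmatch(r"(-?\w+)\((r\d+)\)", rest)
        if not m:
            raise ValueError(f"expected rT,d(rA) in {line!r}")
        return ((OPCODES[mnem] << 26) | (_reg(rt, mnem in FLOAT_TARGET) << 21)
                | (_reg(m.group(2), False) << 16) | _imm(m.group(1)))
    if mnem in ("addi", "addis"):
        rd, ra, imm = ops.split(",")
        return ((OPCODES[mnem] << 26) | (_reg(rd, False) << 21)
                | (_reg(ra, False) << 16) | _imm(imm))
    if mnem == "ori":                       # ori rA,rS,imm: rS sits in bits 6-10, rA in 11-15
        ra, rs, imm = ops.split(",")
        return ((OPCODES["ori"] << 26) | (_reg(rs, False) << 21)
                | (_reg(ra, False) << 16) | _imm(imm))
    raise ValueError(f"unsupported mnemonic {mnem!r}")


def is_valid(line):
    """True if the line assembles; False for mistakes such as 'lfs r12,46(r31)'."""
    try:
        assemble(line)
        return True
    except ValueError:
        return False


def effective_address(word, gprs):
    """EA = rA + sign-extended d for a D-form load/store word, given GPR values:
    the check of whether the breakpointed lfs/stw really touches the moonjump address."""
    ra = (word >> 16) & 0x1F
    d = word & 0xFFFF
    if d & 0x8000:
        d -= 0x10000
    return (gprs[ra] + d) & 0xFFFFFFFF


def c2_code(hook_address, lines):
    """Lay assembled words out as a Gecko C2 (ASM insert) code. The last word must be
    00000000 (the code handler patches its branch back in there), so an odd count is
    padded with 00000000 and an even count gets a nop (60000000) plus 00000000."""
    words = [assemble(l) for l in lines]
    words += [0] if len(words) % 2 else [0x60000000, 0]
    out = [f"{0xC2000000 | (hook_address & 0x01FFFFFF):08X} {len(words) // 2:08X}"]
    out += [f"{words[i]:08X} {words[i + 1]:08X}" for i in range(0, len(words), 2)]
    return out


# Bully's template with its placeholders filled in (assumed: value 0x40000000, d=46, rA=r31, fD=f0).
BULLY_TEMPLATE = [
    "stwu r1,-16(r1)",      # stack frame
    "stw r11,8(r1)",        # preserve r11
    "lis r11,0x4000",       # write upper value
    "ori r11,r11,0x0000",   # write lower value
    "stw r11,46(r31)",      # overwrite the speed
    "lwz r11,8(r1)",        # restore r11
    "addi r1,r1,16",        # end stack frame
    "lfs f0,46(r31)",       # the original hooked lfs instruction
]

if __name__ == "__main__":
    print("\n".join(c2_code(0x80000000, ["lis r12,0x4000", "ori r12,r12,0x0000", "stw r12,46(r31)"])))
    print("\n".join(c2_code(0x80000000, BULLY_TEMPLATE)))
    print(hex(effective_address(assemble("lfs f0,10(r3)"), {3: 0x81234567})))
```

Running it prints Deathwolf's three code lines first, then the five-line C2 for Bully's template; `is_valid("lfs r12,46(r31)")` returns False, which is the mistake Bully points out.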
f0:00000000 f1:3FCCCCCC f3: 41000000
stfs f0,46(r31) to stfs f3,46(r31)
Quote from: Deathwolf on March 11, 2011, 03:44:39 PM
Right, right, thanks Bully.
Sometimes you can just use another float register.
f0:00000000 f1:3FCCCCCC f3: 41000000
stfs f0,46(r31) to stfs f3,46(r31)
But that's critical, since the content of the register may change and your moonjump gets a surprising speed.
The best way is to constantly write your own value to the address.
Quote from: Bully@Wiiplaza on March 11, 2011, 03:47:42 PM
Quote from: Deathwolf on March 11, 2011, 03:44:39 PM
Right, right, thanks Bully.
Sometimes you can just use another float register.
f0:00000000 f1:3FCCCCCC f3: 41000000
stfs f0,46(r31) to stfs f3,46(r31)
But that's critical, since the content of the register may change and your moonjump gets a surprising speed.
The best way is to constantly write your own value to the address.
Yes, it doesn't work every time, but ZiT used it.
Here, for example, is my bo moonjump ASM code:
28200F40 00000008
04390F24 D0430034
E2100000 00000000
04390F24 D0030034
E0000000 80008000
stfs f0,52(r3) and stfs f2,52(r3)
Dude, I *love* Okami. If you want any help porting any of my codes (like Always Have All Holy Artifacts Equipped), I'll be more than happy to help. Same goes for Tales of Symphonia, another game I'd gladly help port awesome codes to.
Regarding the moon jump, brkirch made a moon jump for Super Mario Galaxy 2, and he posted the disassembly with comments. That code was the first time I ever saw the bl trick for creating small data areas inside a C2 code. The bl trick is a bit different now (I put the data after the bl, to save a branch), but you can get the point.
http://wiird.l0nk.org/forum/index.php/topic,5791.msg50630.html#msg50630
http://wiird.l0nk.org/forum/index.php/topic,5791.msg50650.html#msg50650
Basically, when you start jumping, he records the jump velocity in the first C2 code, and then the second C2 code will continually overwrite the actual velocity with the initial velocity. This keeps you jumping forever.
However, one problem I *always* see with moon jump codes is a total lack of air control. This is why I prefer infinite double jump codes to moon jump.
Can't it be done with the templates above?
I once tried it out, *not believing* that it isn't that easy, and I couldn't do it.
SMG2 is weird with Moonjump, and brkirch's Moonjump may look like a "fail" code for people not knowing the bl trick (like me ._.)
That's awesome, guys. And dcx2, let's port both! What do you need from me to start porting, or what can you give me to start porting?
I'm going to read up every link you guys sent me and then I'll reply on what I understood.
For now, I understand that I've always been looking for the y axis while understanding that there are 2-3 other ways of creating a jump code.
Y axis is easy to find. Find a ramp, and jump while searching for greater and less and equal.
Quote from: strakn on March 11, 2011, 03:39:52 PM
You can look at this thread also for info http://wiird.l0nk.org/forum/index.php?topic=1454.0
But I have no success with this in 3D games. The Y axis seems to work OK in 2D platformers such as the old Super Mario Worlds.
I had a look at
http://wiird.l0nk.org/forum/index.php/topic,5791.msg50630.html#msg50630
I think I'll try velocity. I couldn't picture how it was going about it before.
[spoiler]
This belongs to http://doc.kodewerx.org/generic_code_hacking.html#mega_jump
"The GLEE Method
The "GLEE" method was pioneered by macrox. The basic theory at the time was that the player's Y speed increases when not on the ground (whether rising or falling). This may seem to contradict the theory above, but it's still technically true. This is because the GLEE method treats moon jumps like most other basic codes: it uses unsigned searches. The steps are outlined below. It's probably best to set whatever search tool is being used to compare 32-bit values first, if available. If that option is unavailable or doesn't work, try 16-bit and so on.
1. If the character stands totally still on the ground, it's a reasonable assumption that Y speed isn't changing. Start an unknown value search (initial dump). If the character jitters while standing or something, the Equal To searches mentioned here may need to be skipped. This makes it more difficult to narrow the results, but it's still possible.
2. Move around a bit, then stand still again. Search Equal To. Repeat this step a couple times to eliminate some junk results.
3. Now jump, or fall from a high place if the game has no jumping. While in the air and rising/falling, search Greater Than. Even if the game does allow jumping, falling from something instead to do the Greater Than might shave some extra results off the list.
4. Once the player lands on the ground again and is standing still, search Less Than.
5. Repeat the steps above until the results list is narrowed considerably.
6. When ready to test some results, jump again (if possible) and do a Greater Than while still rising. Catching the value when just beginning to rise is best, though not always easy. The current value should give an idea of what to use for a moon jump value. Turn on a result at a time and look for effects on the player's Y speed.
7. Once the correct address is found, try different values until the desired rising effect is reached. A value too high can orbit the player instantly (and even crash the game), and a value too low will force the player to the ground or perhaps keep the player from falling. On games that don't allow jumping, try freezing the value of each address to 0 and attempting to fall until an effect is noticed. Note that getting the rising effect on games which don't allow jumping sometimes still requires falling off something.
* If the game doesn't allow rising without falling off something, then it may be possible to hack a code to tell the game the player is in the air. This can be hard or next to impossible on some games, but it works on others.
* The idea is to start a new search while standing still. Then move to a different position, and search Equal To.
* Fall off something, and search Different To while in the air. Following this up with an Equal To while still in the air might help cut down the results.
* Once the player is back on the ground, search Different To again. Repeat these 3 steps until the results are narrowed.
* Try the results with addresses nearest the Y speed address first. Doing this can sometimes save time, especially when it gets hard to reduce the amount of results and there are still a lot left. When testing results use the value from when the player was in the air along with the Y speed code to attempt forcing the player to rise.
8. After locating the Y speed and the right value to get the player rising up without actually jumping to the moon, look up the button activator/joker for the game and the button value desired for the moon jump code. Using the same button the game does to jump is the preferred choice.
9. Put the Y speed code with the activator and test it. If a code was hacked to tell the game the player is in the air, put this on an activator for the same button.
10. Enjoy the new moon jump code."[/spoiler]
I'm actually still unsure of what I'll be searching for.
1. Search: floor: equal/unknown
walk and stop: equal/new
jump: greater:new
floor: less
(jump: greater
floor: less)
x2-5 times
Mega (multiple) poke on jump or floor? Both would work, but which would work easiest? (How do you poke MP addresses + MP values with .NET? Because right-clicking on each is counterproductive.)
2. Are there two types of velocity? An on/off type where it tells the avatar that going up is OK (base address valued 0-1), and an actual accelerator with floats as a usual design (i.e. 42C80000 or 3F800000)?
With this search I would be able to poke for both. I can also figure that this would also find the Y axis. So 3 things to look at now.
I also read something that dcx2 wrote; something with 0 when at maximum height?
Here I go... Okami [R0(O)2P08]. I'm not sure if it's a 0 or an O.
velocity addresses next reply
Yeah, SMG2 was special because "up" could be any direction due to the weird gravity and planets. Games where "up" is always positive are easier.
So I've done some searches but without luck.
Which brings me to the next question.
What am I doing wrong when searching?
I start with standing still equal/unknown
stop somewhere else equal/new
camera move x axis equal/new
camera move y axis equal/new
then I jump greater/new (doesn't matter if I'm falling right?)
then I land less/new
I end up with nothing in the 80s or 81s.
1. Start with an unknown search.
2. Don't move - search equal to.
3. Jump - while in the air - search greater than.
4. Land - search less than.
5. Don't move after landing - search equal to.
6. Go to 3.
You can't move and then do an equal search; you may think the surface you're on is flat, but if it's off by a hair you will lose a possible value that you're looking for.
If your character does any kind of bobbing or movement when standing still, you may have to eliminate the equal to searches.
Also in some games up may be a lower value than down, you might try searching less than when in the air and greater than after landing.
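Editor's added example (not code from strakn, the kodewerx page or anyone in this thread): a simulation of the narrowing search above, run over constructed memory snapshots rather than a real dump. It applies strakn's Equal / Greater / Less / Equal sequence as unsigned 32-bit comparisons, the way the GLEE write-up describes, and shows two things the posts warn about: a Y speed that bobs while standing is thrown away by the Equal To steps (and survives, with more junk, when those steps are skipped), and an in-air 0/1 flag follows the same pattern as the Y speed and so stays in the results until poked. All addresses, names and values here are invented for the demonstration.

```python
import struct


def float_word(x):
    """The big-endian 32-bit word a float occupies in Wii memory."""
    return struct.unpack(">I", struct.pack(">f", x))[0]


# Constructed snapshots (not a real dump): six 32-bit "addresses", captured at the
# moments strakn's steps call for. Index 1 is the Y speed we want; index 5 is an
# in-air flag that behaves the same way and therefore survives as a second candidate.
ADDR_NAMES = ["frame counter", "y speed", "y coordinate", "idle bob", "constant 1.0", "in-air flag"]


def make_snapshots(bobbing_target=False):
    # With bobbing_target the Y speed jitters slightly while standing still, the case
    # in which the GLEE notes say the Equal To searches have to be skipped.
    idle = [0.0, 0.01, 0.02, 0.03] if bobbing_target else [0.0] * 4
    return [
        ("idle",   [1, float_word(idle[0]), float_word(100.0), float_word(0.00), float_word(1.0), 0]),
        ("idle2",  [2, float_word(idle[1]), float_word(100.3), float_word(0.25), float_word(1.0), 0]),
        ("rising", [3, float_word(10.0),    float_word(101.0), float_word(0.00), float_word(1.0), 1]),
        ("landed", [4, float_word(idle[2]), float_word(100.0), float_word(0.50), float_word(1.0), 0]),
        ("idle3",  [5, float_word(idle[3]), float_word(100.0), float_word(0.75), float_word(1.0), 0]),
    ]


# Unsigned 32-bit comparisons, as the GLEE write-up says the searches are done. A negative
# float has its sign bit set, so unsigned it sorts above every positive float; that is one
# reason "less than while in the air" can be the right search in some games.
COMPARE = {
    "equal":     lambda new, old: new == old,
    "different": lambda new, old: new != old,
    "greater":   lambda new, old: new > old,
    "less":      lambda new, old: new < old,
}


def narrow(snapshots, steps):
    """Unknown initial search over the first snapshot, then each (label, comparison)
    step against the previously searched snapshot. Returns surviving address indices."""
    by_label = dict(snapshots)
    previous = snapshots[0][1]
    candidates = set(range(len(previous)))
    for label, how in steps:
        current = by_label[label]
        candidates = {i for i in candidates if COMPARE[how](current[i], previous[i])}
        previous = current
    return sorted(candidates)


STRAKN_STEPS = [("idle2", "equal"), ("rising", "greater"), ("landed", "less"), ("idle3", "equal")]
NO_EQUAL_STEPS = [("rising", "greater"), ("landed", "less")]

if __name__ == "__main__":
    for bob in (False, True):
        snaps = make_snapshots(bob)
        for name, steps in (("strakn's steps", STRAKN_STEPS), ("equal steps skipped", NO_EQUAL_STEPS)):
            hits = narrow(snaps, steps)
            print(f"bobbing target={bob}, {name}: {[ADDR_NAMES[i] for i in hits]}")
```

With a still target, strakn's sequence leaves only the Y speed and the in-air flag; with a bobbing target it leaves only the flag, and dropping the Equal To steps brings the Y speed back at the cost of the Y coordinate also surviving.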
Results with strakn's method
[spoiler]80C9FEE4 80493EA0 00000000 7FB6C160
80C9FEC8 59800004 00000000 A67FFFFC
80C9FEAC 80493EA0 00000000 7FB6C160
80C9FE0C 80C9FF30 80034184 FF394254
808D5C5C 910164A0 00000000 6EFE9B60
808D5C54 0000001D 00000000 FFFFFFE3
808D5C50 0000008C 00000000 FFFFFF74
808D5C4C 0000008B 00000000 FFFFFF75
808D5C48 91015D00 00000000 6EFEA300
808D5C44 91015960 00000000 6EFEA6A0
808D5C30 00000001 00000000 FFFFFFFF
808D5C2C 00000001 00000000 FFFFFFFF
808D5C24 00000059 00000000 FFFFFFA7
808D5C20 01000000 00000000 FF000000
808D5BFC 3F8147AE 00000000 C07EB852
808D5BF8 3F800000 00000000 C0800000
808D5BF4 3F800000 00000000 C0800000
808D5BF0 3F800000 00000000 C0800000
808D5BEC 3F800000 00000000 C0800000
808D5BD8 3F800000 00000000 C0800000
808D5BD0 00000001 00000000 FFFFFFFF
808D5BCC 00005622 00000000 FFFFA9DE
808D5BC4 0000C5C0 00000000 FFFF3A40
808D5BC0 911E62A0 00000000 6EE19D60
808D5BBC 8023C490 00000000 7FDC3B70 ---> freeze poke
808D471C 0000054F 00000000 FFFFFAB1
808D2AEC 10000008 00000000 EFFFFFF8
808D2AE8 00000002 00000000 FFFFFFFE
808D2AE4 10000008 00000000 EFFFFFF8
808D2AE0 00000002 00000000 FFFFFFFE
808D2ADC 10000008 00000000 EFFFFFF8
808D2AD8 00000002 00000000 FFFFFFFE
80286FB8 00000001 00000000 FFFFFFFF
80286BDC 8020A260 00000000 7FDF5DA0
80286B94 000A0A0A 00000000 FFF5F5F6
80275F0C 00000001 00000000 FFFFFFFF
801B592C 0000003C 00000000 FFFFFFC4
801B58FC 00007100 00000000 FFFF8F00
80002774 00000002 00000001 FFFFFFFF[/spoiler]
Poked everything but nothing happens.
I'll try 81 now and the 90s next
Edit: nothing in 81s
Edit: over 383 results after 5 repeated times.
Mostly 3fc00000 to 42xxxxxx
and fff6fff6 to fff7fff7
Quote from: strakn on March 12, 2011, 10:20:25 PM
1. Start with an unknown search.
2. Don't move - search equal to.
3. Jump - while in the air - search greater than.
4. Land - search less than.
5. Don't move after landing - search equal to.
6. Go to 3.
You can't move and then do an equal search; you may think the surface you're on is flat, but if it's off by a hair you will lose a possible value that you're looking for.
If your character does any kind of bobbing or movement when standing still, you may have to eliminate the equal to searches.
Also in some games up may be a lower value than down, you might try searching less than when in the air and greater than after landing.
If I do this technique in Super Mario Galaxy, but for step 5 Mario falls asleep, would that lose my address? I'm asking this because in most games, the avatar changes position when idle.
This whole painstaking voodoo surrounding this search method is why I prefer a different approach to this sort of thing. Especially with SMG, you have no idea which direction "up" is because the world can be upside down.
We can exploit spatial locality to find something near the coordinates that is easier to find and then browse around Memory Viewer looking for something that behaves like coordinates. For example, the floats which control size are usually located near floats for coordinates. How do you find the size floats?
1) Find it yourself.
a) Memory Viewer -> Search type Hex -> 3F8000003F8000003F800000 (1.0, 1.0, 1.0 = normal size)
b) Memory Viewer -> Poke (Write) 40000000 (2.0, 1.0, 1.0 = fat along one axis)
c) If your avatar wasn't affected, go back to 1a (note: this is a good way to find avatars!)
OR
2) Search tab for all 3F800000's in memory and Serial Poke them. Once you set the Serial Poke up you can just rapid-fire poke one at a time until you get to the float you're interested in (but you'll touch a lot of floats you aren't interested in, for better or for worse, which is why Memory Viewer's search is more reliable, because it can search for more than 4 bytes)
OR
3) Use someone else's code. Normally, you could just get the hook from the C2, but brkirch has a region free size modifier for SMG1. It's a bit messy to explain how to turn an F6 code into a proper hook, but if you MemView Search Hex for C03E0024 7C7D1B78 (the second line of brkirch's SMG1 Size Modifier code) you will find the hook.
a) BPTab -> Set an execute BP on the hook
b) Step until you are on the instruction which reads or writes the size (may have to look around a bit, and/or activate the code itself)
c) Click Show Mem (-> switches to Memory Viewer tab)
---
Once you are in Memory Viewer looking at the size floats
a) Change View Mode to Single
b) Enable auto-update
c) Walk. Run. Jump. Look for something nearby that behaves like coordinates or velocity. Sometimes you may have to go up a few pages, or down a few pages.
If you can't find it, you may have to look for something else that would be nearby your coordinates.
Why is brkirch's code sooo large?
Could be done with just lis,ori and stfs :-\
Quote from: dcx2 on March 13, 2011, 05:29:46 PM
a) Memory Viewer -> Search type Hex -> 3F8000003F8000003F800000 (1.0, 1.0, 1.0 = normal
Finding the size data via memory viewer is too difficult. Sometimes you get:
3F8000003F8000003F8000003F8000003F8000003F800000
3F8000003F8000003F8000003F8000003F8000003F800000 and and and.
That's not a good idea.
Using a Multi-Poke by searching for 3F800000 is very dangerous, because it freezes at some addresses and sometimes you have to poke over 100 pages.
(At The Conduit the size value was 4013F333)
Try to search for Speed or Jump address. The Size data is near speed and jump.
If you find a long string of 3F800000, that's probably not the size. Skip further down until you're beyond that portion, and then keep searching.
Yes, multi-poking all 3F800000s can be dangerous. That's why I said Memory Viewer is more reliable.
The point behind finding the size (in this example) is so you can find coordinates and/or velocity. Depending on the game, size can be something easier to find than coordinates. The point is to look for something that would probably be located close to your actual target.
For example, with Resident Evil 4, the sniper rifle shakes when in the scope. How would you find the shake, a random value that is not displayed and cannot be controlled? Search for sniper rifle zoom (very easy to find since you can control), switch View Mode to single, auto-update, and the shaking can be found right next to the zoom.
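Editor's added example (not code from dcx2 or Deathwolf): the spatial-locality approach from the last few posts, run over a constructed memory image. It finds candidate size floats by looking for runs of exactly three 1.0f words, skipping the longer 3F800000 strings Deathwolf complains about (that "exactly three" rule is this example's interpretation of dcx2's "skip the long string" advice, not something the posts state), then diffs the neighbourhood of a hit between a standing and a jumping snapshot to surface whatever moves like a coordinate or velocity. The dump layout, offsets and values are invented for the demonstration.

```python
import struct

ONE = 0x3F800000          # 1.0f


def float_word(x):
    return struct.unpack(">I", struct.pack(">f", x))[0]


def make_dump(jumping):
    """Constructed memory image (not a real Okami dump): an identity-matrix-like run of
    1.0f first, then a three-word scale with position and velocity right after it."""
    words = [0xDEADBEEF, 0x00000000, 0x8023C490]                 # unrelated words
    words += [ONE] * 6                                            # long run of 1.0f: not the size
    words += [0x11111111, 0x22222222]
    words += [ONE, ONE, ONE]                                      # x/y/z scale, all 1.0
    words += [float_word(12.5), float_word(3.0 if jumping else 0.0), float_word(-7.25)]  # position
    words += [float_word(0.0), float_word(10.0 if jumping else 0.0), float_word(0.0)]    # velocity
    words += [0x00000001, ONE]                                    # a lone 1.0f: ignored too
    return b"".join(struct.pack(">I", w) for w in words)


def read_words(dump):
    return [struct.unpack(">I", dump[i:i + 4])[0] for i in range(0, len(dump) - 3, 4)]


def find_size_candidates(dump):
    """Byte offsets of runs of exactly three consecutive 1.0f words. Runs of any other
    length (matrices, long 3F800000 strings, a single 1.0) are skipped."""
    words = read_words(dump)
    hits, i = [], 0
    while i < len(words):
        if words[i] != ONE:
            i += 1
            continue
        j = i
        while j < len(words) and words[j] == ONE:
            j += 1
        if j - i == 3:
            hits.append(i * 4)
        i = j
    return hits


def nearby_changes(before, after, offset, radius=16):
    """(offset, old, new) for words within `radius` words of `offset` that differ between
    two snapshots: the 'walk, run, jump and watch the neighbourhood' step in Memory Viewer."""
    a, b = read_words(before), read_words(after)
    centre = offset // 4
    lo, hi = max(0, centre - radius), min(len(a), centre + radius + 1)
    return [(i * 4, a[i], b[i]) for i in range(lo, hi) if a[i] != b[i]]


if __name__ == "__main__":
    standing, jumping = make_dump(False), make_dump(True)
    for hit in find_size_candidates(standing):
        print(f"size candidate at +0x{hit:X}")
        for off, old, new in nearby_changes(standing, jumping, hit):
            print(f"  +0x{off:X}: {old:08X} -> {new:08X}")
```

On the constructed image the only size candidate is at offset 0x2C, and the two words that change when jumping (offsets 0x3C and 0x48) are the Y position and Y velocity sitting a few words past it.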
Yes that's it. On SMG2 it's 3F8000003F8000003F800000 but not on every game.
Quote: For example, with Resident Evil 4, the sniper rifle shakes when in the scope. How would you find the shake, a random value that is not displayed and cannot be controlled? Search for sniper rifle zoom (very easy to find since you can control), switch View Mode to single, auto-update, and the shaking can be found right next to the zoom.
OK, then how would you do a Walk Through Walls code? It can be everywhere! On Resident Evil 4 it was far away from the size data. This is the only code which I don't understand how to search for. On Call of Duty it was a default value like 000000001 and on Resident Evil 4 it was a floating value like 4064CCCC. I already read the TUT on kodewerx, but that is completely wrong. It would be very interesting to know how to search for it.
Walk through walls is my next challenge. So, I guess I have to go one step at a time.
If my avatar falls asleep, couldn't I find that address to locate the others?
If the sleep variable is near the coordinates, yeah.
While most of Mario's data might be in the Mario object, there might be a separate "position object" and the Mario object has a pointer to the position object. So finding the sleeping variable may or may not help you find coordinates.
Good to know. Awesome guys.
Alright I came up with two addresses.
1. the address' value starts at 0 when jumping and ends at 24 when landing.
2. This address' value changes when I move around + when I jump. It looks like an axis address but without being specific to one axis. Could be velocity.
I'm curious to what the first address is doing but won't focus on it right now.
Registers
[spoiler]CR:48200088 XER:20000000 CTR:00000000 DSIS:02400000
DAR:807A61E4 SRR0:800018A8 SRR1:0000B032 LR:806085FC
r0:806085FC r1:80287048 r2:8027E5E0 r3:00000000
r4:00003032 r5:0000B032 r6:801BB6FC r7:801BB700
r8:801BB638 r9:0083CB6E r10:00001083 r11:00001000
r12:00000000 r13:8027D600 r14:808D2940 r15:808D2D00
r16:80752728 r17:808D0000 r18:00000004 r19:00000000
r20:0000001E r21:0000003C r22:00000002 r23:00000001
r24:80790000 r25:808D2940 r26:80790000 r27:80790000
r28:E0E3951F r29:01000000 r30:808D3D58 r31:808D3D58
f0:00000000 f1:4B00001E f2:FFC00000 f3:4F800000
f4:4F000000 f5:477FFF00 f6:477FFF00 f7:59800004
f8:BE7E0F86 f9:3DBA2E6E f10:3D886B35 f11:3D4BDA5B
f12:3205A3F2 f13:350037BF f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:3F800000 f31:3F000000[/spoiler]
Function: BP starts at the first address: stwu
[spoiler]800018A8: 9421FF58 stwu r1,-168(r1) Breaks here on write
800018AC: 90010008 stw r0,8(r1)
800018B0: 7C0802A6 mflr r0
800018B4: 900100AC stw r0,172(r1)
800018B8: 7C000026 mfcr r0
800018BC: 9001000C stw r0,12(r1)
800018C0: 7C0902A6 mfctr r0
800018C4: 90010010 stw r0,16(r1)
800018C8: 7C0102A6 mfxer r0
800018CC: 90010014 stw r0,20(r1)
800018D0: BC610018 stmw r3,24(r1)
800018D4: 7F2000A6 mfmsr r25
800018D8: 633A2000 ori r26,r25,8192
800018DC: 735AF9FF andi. r26,r26,63999
800018E0: 7F400124 mtmsr r26
800018E4: D8410098 stfd f2,152(r1)
800018E8: D86100A0 stfd f3,160(r1)
800018EC: 3FE08000 lis r31,-32768
800018F0: 3E80CC00 lis r20,-13312
800018F4: A3944010 lhz r28,16400(r20)
800018F8: 639500FF ori r21,r28,255
800018FC: B2B44010 sth r21,16400(r20)
80001900: 48000655 bl 0x80001f54
80001904: 3AA00000 li r21,0
80001908: 3AC00019 li r22,25
8000190C: 3AE000D0 li r23,208
80001910: 3F00CD00 lis r24,-13056
80001914: 63F22774 ori r18,r31,10100
80001918: 800100AC lwz r0,172(r1)
8000191C: 90120004 stw r0,4(r18)
80001920: 92B8643C stw r21,25660(r24)
80001924: 4800042D bl 0x80001d50
80001928: 418205A4 beq- 0x80001ecc
8000192C: 2C1D0004 cmpwi r29,4
80001930: 40800010 bge- 0x80001940
80001934: 2C1D0001 cmpwi r29,1
80001938: 41800594 blt- 0x80001ecc
8000193C: 4800034C b 0x80001c88
80001940: 418204F0 beq- 0x80001e30
80001944: 2C1D0006 cmpwi r29,6
80001948: 4182008C beq- 0x800019d4
8000194C: 2C1D0007 cmpwi r29,7
80001950: 41820330 beq- 0x80001c80
80001954: 2C1D0008 cmpwi r29,8
80001958: 41820580 beq- 0x80001ed8
8000195C: 2C1D0009 cmpwi r29,9
80001960: 418200A0 beq- 0x80001a00
80001964: 2C1D0010 cmpwi r29,16
80001968: 41820098 beq- 0x80001a00
8000196C: 2C1D002F cmpwi r29,47
80001970: 41820070 beq- 0x800019e0
80001974: 2C1D0030 cmpwi r29,48
80001978: 41820078 beq- 0x800019f0
8000197C: 2C1D0038 cmpwi r29,56
80001980: 41820528 beq- 0x80001ea8
80001984: 2C1D0040 cmpwi r29,64
80001988: 41820340 beq- 0x80001cc8
8000198C: 2C1D0041 cmpwi r29,65
80001990: 41820358 beq- 0x80001ce8
80001994: 2C1D0044 cmpwi r29,68
80001998: 41820068 beq- 0x80001a00
8000199C: 2C1D0050 cmpwi r29,80
800019A0: 41820020 beq- 0x800019c0
800019A4: 2C1D0060 cmpwi r29,96
800019A8: 41820024 beq- 0x800019cc
800019AC: 2C1D0089 cmpwi r29,137
800019B0: 41820050 beq- 0x80001a00
800019B4: 2C1D0099 cmpwi r29,153
800019B8: 4182050C beq- 0x80001ec4
800019BC: 48000510 b 0x80001ecc
800019C0: 80720000 lwz r3,0(r18)
800019C4: 48000429 bl 0x80001dec
800019C8: 48000504 b 0x80001ecc
800019CC: 48000589 bl 0x80001f54
800019D0: 480004FC b 0x80001ecc
800019D4: 38800001 li r4,1
800019D8: 90920000 stw r4,0(r18)
800019DC: 480004F0 b 0x80001ecc
800019E0: 48000409 bl 0x80001de8
800019E4: 3A0000A0 li r16,160
800019E8: 63EC2798 ori r12,r31,10136
800019EC: 48000314 b 0x80001d00
800019F0: 38600120 li r3,288
800019F4: 63EC2798 ori r12,r31,10136
800019F8: 480003C9 bl 0x80001dc0
800019FC: 480004D0 b 0x80001ecc
80001A00: 2F1D0010 cmpwi cr6,r29,16
80001A04: 2E9D0044 cmpwi cr5,r29,68
80001A08: 63E41AB4 ori r4,r31,6836
80001A0C: 3C608000 lis r3,-32768
80001A10: 60630300 ori r3,r3,768
80001A14: 48000509 bl 0x80001f1c
80001A18: 38630A00 addi r3,r3,2560
80001A1C: 48000501 bl 0x80001f1c
80001A20: 38630600 addi r3,r3,1536
80001A24: 480004F9 bl 0x80001f1c
80001A28: 63EC2788 ori r12,r31,10120
80001A2C: 92AC0000 stw r21,0(r12)
80001A30: 92AC0004 stw r21,4(r12)
80001A34: 92AC0008 stw r21,8(r12)
80001A38: 63E42798 ori r4,r31,10136
80001A3C: 81240018 lwz r9,24(r4)
80001A40: 80720000 lwz r3,0(r18)
80001A44: 2C030002 cmpwi r3,2
80001A48: 4082000C bne- 0x80001a54
80001A4C: 4196000C beq- cr5,0x80001a58
80001A50: 48000020 b 0x80001a70
80001A54: 38600000 li r3,0
80001A58: 906C000C stw r3,12(r12)
80001A5C: 40820014 bne- 0x80001a70
80001A60: 40960010 bne- cr5,0x80001a70
80001A64: 61290400 ori r9,r9,1024
80001A68: 91240018 stw r9,24(r4)
80001A6C: 48000214 b 0x80001c80
80001A70: 552905A8 rlwinm r9,r9,0,22,20
80001A74: 91240018 stw r9,24(r4)
80001A78: 41960454 beq- cr5,0x80001ecc
80001A7C: 419A0008 beq- cr6,0x80001a84
80001A80: 398C0004 addi r12,r12,4
80001A84: 38600004 li r3,4
80001A88: 48000309 bl 0x80001d90
80001A8C: 40990010 ble- cr6,0x80001a9c
80001A90: 398C0004 addi r12,r12,4
80001A94: 38600004 li r3,4
80001A98: 480002F9 bl 0x80001d90
80001A9C: 63E42788 ori r4,r31,10120
80001AA0: 80640000 lwz r3,0(r4)
80001AA4: 80840004 lwz r4,4(r4)
80001AA8: 7C72FBA6 mtspr 1010,r3
80001AAC: 7C95FBA6 mtdabr r4
80001AB0: 4800041C b 0x80001ecc
80001AB4: 7C3243A6 mtsprg 2,r1
80001AB8: 7C3A02A6 mfsrr0 r1
80001ABC: 7C7343A6 mtsprg 3,r3
80001AC0: 7C7B02A6 mfsrr1 r3
80001AC4: 546305A8 rlwinm r3,r3,0,22,20
80001AC8: 906027B0 stw r3,10160(r0)
80001ACC: 5463061E rlwinm r3,r3,0,24,15
80001AD0: 60632000 ori r3,r3,8192
80001AD4: 7C7B03A6 mtsrr1 r3
80001AD8: 3C608000 lis r3,-32768
80001ADC: 60631AE8 ori r3,r3,6888
80001AE0: 7C7A03A6 mtsrr0 r3
80001AE4: 4C000064 rfi
80001AE8: 3C608000 lis r3,-32768
80001AEC: 60632798 ori r3,r3,10136
80001AF0: 90230014 stw r1,20(r3)
80001AF4: 7C611B78 mr r1,r3
80001AF8: 7C7342A6 mfsprg r3,3
80001AFC: BC410024 stmw r2,36(r1)
80001B00: 7C240B78 mr r4,r1
80001B04: 7C3242A6 mfsprg r1,2
80001B08: 9004001C stw r0,28(r4)
80001B0C: 90240020 stw r1,32(r4)
80001B10: 7C6802A6 mflr r3
80001B14: 9064009C stw r3,156(r4)
80001B18: 7C600026 mfcr r3
80001B1C: 90640000 stw r3,0(r4)
80001B20: 7C6102A6 mfxer r3
80001B24: 90640004 stw r3,4(r4)
80001B28: 7C6902A6 mfctr r3
80001B2C: 90640008 stw r3,8(r4)
80001B30: 7C7202A6 mfdsisr r3
80001B34: 9064000C stw r3,12(r4)
80001B38: 7C7302A6 mfdar r3
80001B3C: 90640010 stw r3,16(r4)
80001B40: 39200000 li r9,0
80001B44: 7D32FBA6 mtspr 1010,r9
80001B48: 7D35FBA6 mtdabr r9
80001B4C: 3CA08000 lis r5,-32768
80001B50: 60A51B70 ori r5,r5,7024
80001B54: 3FE0D004 lis r31,-12284
80001B58: 63FF00A0 ori r31,r31,160
80001B5C: 93E50000 stw r31,0(r5)
80001B60: 7C00286C dcbst r0,r5
80001B64: 7C0004AC sync
80001B68: 7C002FAC icbi r0,r5
80001B6C: 4C00012C isync
80001B70: D3E4011C stfs f31,284(r4)
80001B74: 3BFF0004 addi r31,r31,4
80001B78: 3FFF0020 addis r31,r31,32
80001B7C: 57F0014B rlwinm. r16,r31,0,5,5
80001B80: 4182FFDC beq+ 0x80001b5c
80001B84: 3FE08000 lis r31,-32768
80001B88: 63E52788 ori r5,r31,10120
80001B8C: 82050000 lwz r16,0(r5)
80001B90: 82250004 lwz r17,4(r5)
80001B94: 8265000C lwz r19,12(r5)
80001B98: 2C130000 cmpwi r19,0
80001B9C: 41820074 beq- 0x80001c10
80001BA0: 2C130002 cmpwi r19,2
80001BA4: 40820018 bne- 0x80001bbc
80001BA8: 81240014 lwz r9,20(r4)
80001BAC: 39330003 addi r9,r19,3
80001BB0: 91250000 stw r9,0(r5)
80001BB4: 9125000C stw r9,12(r5)
80001BB8: 4800006C b 0x80001c24
80001BBC: 7C109800 cmpw r16,r19
80001BC0: 41820038 beq- 0x80001bf8
80001BC4: 7C119800 cmpw r17,r19
80001BC8: 41820030 beq- 0x80001bf8
80001BCC: 7D308A14 add r9,r16,r17
80001BD0: 9125000C stw r9,12(r5)
80001BD4: 82050008 lwz r16,8(r5)
80001BD8: 2C100000 cmpwi r16,0
80001BDC: 41820048 beq- 0x80001c24
80001BE0: 80640010 lwz r3,16(r4)
80001BE4: 7C101800 cmpw r16,r3
80001BE8: 40820010 bne- 0x80001bf8
80001BEC: 3A000000 li r16,0
80001BF0: 92050008 stw r16,8(r5)
80001BF4: 48000030 b 0x80001c24
80001BF8: 3A200000 li r17,0
80001BFC: 9225000C stw r17,12(r5)
80001C00: 81240018 lwz r9,24(r4)
80001C04: 61290400 ori r9,r9,1024
80001C08: 91240018 stw r9,24(r4)
80001C0C: 48000030 b 0x80001c3c
80001C10: 7E12FBA6 mtspr 1010,r16
80001C14: 7E35FBA6 mtdabr r17
80001C18: 39200001 li r9,1
80001C1C: 9125000C stw r9,12(r5)
80001C20: 4800001C b 0x80001c3c
80001C24: 38A00002 li r5,2
80001C28: 63E42774 ori r4,r31,10100
80001C2C: 90A40000 stw r5,0(r4)
80001C30: 38600011 li r3,17
80001C34: 480001B9 bl 0x80001dec
80001C38: 4BFFFC71 bl 0x800018a8
80001C3C: 7C2000A6 mfmsr r1
80001C40: 542107FA rlwinm r1,r1,0,31,29
80001C44: 5421045E rlwinm r1,r1,0,17,15
80001C48: 7C200124 mtmsr r1
80001C4C: 63E12798 ori r1,r31,10136
80001C50: 80610000 lwz r3,0(r1)
80001C54: 7C6FF120 mtcr r3
80001C58: 80610014 lwz r3,20(r1)
80001C5C: 7C7A03A6 mtsrr0 r3
80001C60: 80610018 lwz r3,24(r1)
80001C64: 7C7B03A6 mtsrr1 r3
80001C68: 8061009C lwz r3,156(r1)
80001C6C: 7C6803A6 mtlr r3
80001C70: B8410024 lmw r2,36(r1)
80001C74: 8001001C lwz r0,28(r1)
80001C78: 80210020 lwz r1,32(r1)
80001C7C: 4C000064 rfi
80001C80: 92B20000 stw r21,0(r18)
80001C84: 48000254 b 0x80001ed8
80001C88: 2E9D0002 cmpwi cr5,r29,2
80001C8C: 38600008 li r3,8
80001C90: 63EC277C ori r12,r31,10108
80001C94: 480000FD bl 0x80001d90
80001C98: 80AC0000 lwz r5,0(r12)
80001C9C: 806C0004 lwz r3,4(r12)
80001CA0: 98650000 stb r3,0(r5)
80001CA4: 41940010 blt- cr5,0x80001cb4
80001CA8: B0650000 sth r3,0(r5)
80001CAC: 41960008 beq- cr5,0x80001cb4
80001CB0: 90650000 stw r3,0(r5)
80001CB4: 7C0028AC dcbf r0,r5
80001CB8: 7C0004AC sync
80001CBC: 7C002FAC icbi r0,r5
80001CC0: 4C00012C isync
80001CC4: 48000208 b 0x80001ecc
80001CC8: 48000121 bl 0x80001de8
80001CCC: 38600004 li r3,4
80001CD0: 63EC277C ori r12,r31,10108
80001CD4: 480000BD bl 0x80001d90
80001CD8: 820C0000 lwz r16,0(r12)
80001CDC: 3D808000 lis r12,-32768
80001CE0: 618C28B8 ori r12,r12,10424
80001CE4: 4800001C b 0x80001d00
80001CE8: 48000101 bl 0x80001de8
80001CEC: 38600008 li r3,8
80001CF0: 63EC277C ori r12,r31,10108
80001CF4: 4800009D bl 0x80001d90
80001CF8: 820C0004 lwz r16,4(r12)
80001CFC: 818C0000 lwz r12,0(r12)
80001D00: 63FB2784 ori r27,r31,10116
80001D04: 3A200F80 li r17,3968
80001D08: 48000239 bl 0x80001f40
80001D0C: 41820020 beq- 0x80001d2c
80001D10: 7E238B78 mr r3,r17
80001D14: 4800007D bl 0x80001d90
80001D18: 480000D1 bl 0x80001de8
80001D1C: 4182FFFC beq+ 0x80001d18
80001D20: 7D8C7214 add r12,r12,r14
80001D24: 356BFFFF subic. r11,r11,1
80001D28: 4181FFE8 bgt+ 0x80001d10
80001D2C: 807B0000 lwz r3,0(r27)
80001D30: 2C030000 cmpwi r3,0
80001D34: 41820008 beq- 0x80001d3c
80001D38: 48000059 bl 0x80001d90
80001D3C: 7C0060AC dcbf r0,r12
80001D40: 7C0004AC sync
80001D44: 7C0067AC icbi r0,r12
80001D48: 4C00012C isync
80001D4C: 48000180 b 0x80001ecc
80001D50: 7FC802A6 mflr r30
80001D54: 3C60A000 lis r3,-24576
80001D58: 48000015 bl 0x80001d6c
80001D5C: 76030800 andis. r3,r16,2048
80001D60: 561D863E rlwinm r29,r16,16,24,31
80001D64: 7FC803A6 mtlr r30
80001D68: 4E800020 blr
[/spoiler]
Reading the address results in a totally different location (8049319C near the end).
[spoiler]8049315C: 542B073E rlwinm r11,r1,0,28,31
80493160: 7C2C0B78 mr r12,r1
80493164: 216BFFC0 subfic r11,r11,-64
80493168: 7C21596E stwux r1,r1,r11
8049316C: 7C0802A6 mflr r0
80493170: 900C0004 stw r0,4(r12)
80493174: DBECFFF0 stfd f31,-16(r12)
80493178: F3EC0FF8 psq_st f31,4088(r12),0,0
8049317C: DBCCFFE0 stfd f30,-32(r12)
80493180: F3CC0FE8 psq_st f30,4072(r12),0,0
80493184: C0C50000 lfs f6,0(r5)
80493188: C0040000 lfs f0,0(r4)
8049318C: C0440004 lfs f2,4(r4)
80493190: C0240008 lfs f1,8(r4)
80493194: ED460032 fmuls f10,f6,f0
80493198: ECE600B2 fmuls f7,f6,f2
8049319C: C1250004 lfs f9,4(r5) ----> breaks here on read
804931A0: C0840010 lfs f4,16(r4)
804931A4: ECA60072 fmuls f5,f6,f1
804931A8: C004000C lfs f0,12(r4)
804931AC: ED090132 fmuls f8,f9,f4
804931B0: EC260032 fmuls f1,f6,f0
804931B4: C0640014 lfs f3,20(r4)
804931B8: C0440018 lfs f2,24(r4)
804931BC: ED6A402A fadds f11,f10,f8
804931C0: C004001C lfs f0,28(r4)
804931C4: EC8900B2 fmuls f4,f9,f2
804931C8: ECC900F2 fmuls f6,f9,f3
804931CC: C1A50008 lfs f13,8(r5)
804931D0: EC090032 fmuls f0,f9,f0
804931D4: C1240020 lfs f9,32(r4)
804931D8: EC85202A fadds f4,f5,f4
804931DC: C044002C lfs f2,44(r4)
804931E0: ED8D0272 fmuls f12,f13,f9
804931E4: C1040024 lfs f8,36(r4)
804931E8: C3C5000C lfs f30,12(r5)
804931EC: EC4D00B2 fmuls f2,f13,f2
804931F0: ED2D0232 fmuls f9,f13,f8
804931F4: C1440034 lfs f10,52(r4)
804931F8: ED07302A fadds f8,f7,f6
804931FC: C0640028 lfs f3,40(r4)
80493200: EC01002A fadds f0,f1,f0
80493204: C3E40030 lfs f31,48(r4)
80493208: ECCD00F2 fmuls f6,f13,f3
8049320C: C0E40038 lfs f7,56(r4)
80493210: C064003C lfs f3,60(r4)
80493214: EDBE07F2 fmuls f13,f30,f31
80493218: ECAC582A fadds f5,f12,f11
8049321C: 38810010 addi r4,r1,16
80493220: EC29402A fadds f1,f9,f8
80493224: 38A00010 li r5,16
80493228: ED5E02B2 fmuls f10,f30,f10
8049322C: ED0D282A fadds f8,f13,f5
80493230: EC86202A fadds f4,f6,f4
80493234: ECCA082A fadds f6,f10,f1
80493238: D1010010 stfs f8,16(r1)
8049323C: ECBE01F2 fmuls f5,f30,f7
80493240: EC02002A fadds f0,f2,f0
80493244: D0C10014 stfs f6,20(r1)
80493248: EC3E00F2 fmuls f1,f30,f3
8049324C: EC45202A fadds f2,f5,f4
80493250: EC01002A fadds f0,f1,f0
80493254: D0410018 stfs f2,24(r1)
80493258: D001001C stfs f0,28(r1)
8049325C: 4BB73011 bl 0x8000626c
80493260: 81410000 lwz r10,0(r1)
80493264: 3800FFF8 li r0,-8
80493268: 13EA000C psq_lx f31,r10,r0,0,0
8049326C: CBEAFFF0 lfd f31,-16(r10)
80493270: 3800FFE8 li r0,-24
80493274: 13CA000C psq_lx f30,r10,r0,0,0
80493278: 800A0004 lwz r0,4(r10)
8049327C: CBCAFFE0 lfd f30,-32(r10)
80493280: 7C0803A6 mtlr r0
80493284: 7D415378 mr r1,r10
80493288: 4E800020 blr
[/spoiler]
I tried lfs f31, 4(r5) and it changed all of the floor and background to a transparent floor type... kind of cool.
Anyways, when I take a bp in the air it comes up with this function instead.
Searched address = 807A61E4 breaks at 800018A8 at the beginning of the jump and 80006288 in the air
[spoiler]
80006238: 7C5143A6 mtsprg 1,r2
8000623C: 7C7243A6 mtsprg 2,r3
80006240: 7C9343A6 mtsprg 3,r4
80006244: 7C5A02A6 mfsrr0 r2
80006248: 7C9B02A6 mfsrr1 r4
8000624C: 7C6000A6 mfmsr r3
80006250: 60630030 ori r3,r3,48
80006254: 7C7B03A6 mtsrr1 r3
80006258: 3C60800A lis r3,-32758
8000625C: 60639170 ori r3,r3,37232
80006260: 7C7A03A6 mtsrr0 r3
80006264: 38601F00 li r3,7936
80006268: 4C000064 rfi
8000626C: 7C041840 cmplw r4,r3
80006270: 41800028 blt- 0x80006298
80006274: 3884FFFF subi r4,r4,1
80006278: 38C3FFFF subi r6,r3,1
8000627C: 38A50001 addi r5,r5,1
80006280: 4800000C b 0x8000628c
80006284: 8C040001 lbzu r0,1(r4)
80006288: 9C060001 stbu r0,1(r6)
8000628C: 34A5FFFF subic. r5,r5,1
80006290: 4082FFF4 bne+ 0x80006284
80006294: 4E800020 blr
[/spoiler]
Code
Button condition +
ASM:
stwu r1,-16(r1)
stw r11,8(r1)
lis r11, 0x807A        (changed from 0x8000)
ori r11, r11, 0x61E4   (changed from 0x6288)
lwz r12, 0(r11)        (changed from stw r11, 0(r12))
addi r12,r12,11
stw r12, 0(r11)
lwz r11,8(r1)
addi r1,r1,16
Edit: bolded change
Edit: both crash and the Gecko loses its connection to the Wii
Edit: silly me I forgot to find an empty address to inject into
Results: nothing...? I was so pepped for it too!
This was for write... I'll try the floats for read now.
injected at empty address (.word 00000000) 80006234
28215000 00000800 (button at the first 16 bytes, not the last 16 bytes)
C2006234 00000005
9421FFF0 91610008
3D608049 616B319C
C12B0000 918B0000
81610008 38210010
60000000 00000000
E2100000 00000000
0449319C C1250004
E0000000 80008000
ASM:
stwu r1,-16(r1)
stw r11,8(r1)
lis r11, 0x8049 ----> lfs break (read)
ori r11, r11, 0x319C
lfs f9, 0(r11)
stw r12, 0(r11)
lwz r11,8(r1)
addi r1,r1,16
nothing...:(
.........
I've started with the 3f80 search; eventually it just sends me into a loop, with no success. Searching for 3f800000 in the search tab comes up with 350+ PAGES....
In the memory tab it brings me to page 34 and loops around pages 30-35
but
There's some tripped out stuff in Okami!!
Graphic warp
042766B0 30000000
Light/Flames modifier
04276698 xxx00000
Does the camera influence the velocity addresses?
Quote from: Patedj on March 14, 2011, 02:47:05 AM
injected at empty address (.word 00000000) 80006234
28215000 00000800 (button at the first 16 bytes, not the last 16 bytes)
C2006234 00000005
9421FFF0 91610008
3D608049 616B319C
C12B0000 918B0000
81610008 38210010
60000000 00000000
E2100000 00000000
0449319C C1250004
E0000000 80008000
ASM:
stwu r1,-16(r1)
stw r11,8(r1)
lis r11, 0x8049 ----> lfs break (read)
ori r11, r11, 0x319C
lfs f9, 0(r11)
stw r12, 0(r11)
lwz r11,8(r1)
addi r1,r1,16
nothing...:(
no you have to use your REAL hook address.
for loading into address use C0 codetype.
Don't use the else code type, E21. I've been told that it doesn't work right.
Aha, I used it every time and never had any problems. A8 is the codetype, right?
btw this works fine too:
28215000 00000800
C2006234 00000005
9421FFF0 91610008
3D608049 616B319C
C12B0000 918B0000
81610008 38210010
60000000 00000000
2A215000 00000800 <-- if not equal with 00000800
0449319C C1250004
E0000000 80008000
2A215000 00000800 <-- if not equal with 00000800
should it be 2A215001
then it will end the first if statement
Quote from: strakn on March 14, 2011, 09:47:05 PM
2A215000 00000800 <-- if not equal with 00000800
should it be 2A215001
then it will end the first if statement
no 28 is 16 bit equal.
2A is 16 bit not equal.
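To make the 28/2A discussion concrete, here is an added Python model of how the code handler walks a code list; it is not code from this thread or from the Gecko project. It implements the 16-bit if-equal (28) and if-not-equal (2A) types with their mask halfword, the odd-address endif, 04 writes, C2 insertion (checking the declared line count and the trailing 00000000) and the E0 terminator, following the Gecko codetype documentation. The controller halfword 0x0800 at 80215000 is a constructed sample; the code list is the one posted above, run once with the button held and once released, both as posted (2A nested inside the 28) and with strakn's 2A215001 change.

```python
# Constructed memory state: one big-endian halfword at the controller address
# the codes above test. 0x0800 stands for "button held".
BUTTON_ADDR = 0x80215000

# Code list as posted above: the 2A "if not equal" sits *inside* the 28 "if equal".
NESTED_LIST = """
28215000 00000800
C2006234 00000005
9421FFF0 91610008
3D608049 616B319C
C12B0000 918B0000
81610008 38210010
60000000 00000000
2A215000 00000800
0449319C C1250004
E0000000 80008000
"""

# Same list with an odd address on the 2A line, which ends the previous if first.
ENDIF_LIST = NESTED_LIST.replace("2A215000", "2A215001")


def parse_codelist(text):
    """Turn a pasted code list into (left, right) word pairs; trailing comments are ignored."""
    pairs = []
    for line in text.strip().splitlines():
        left, right = line.split()[:2]
        pairs.append((int(left, 16), int(right, 16)))
    return pairs


def run_codelist(pairs, halfwords, base=0x80000000):
    """Walk the list once (one pass of the code handler) and return the actions it applies."""
    applied = []
    if_stack = []                      # one flag per open if; all must hold to execute
    i = 0
    while i < len(pairs):
        left, right = pairs[i]
        ct = left >> 24
        active = all(if_stack)
        if ct in (0x28, 0x2A):         # 16-bit if equal / if not equal
            off = left & 0xFFFFFF
            if off & 1:                # odd address: endif the previous if, then test
                if if_stack:
                    if_stack.pop()
                active = all(if_stack)
                off &= ~1
            mask, value = right >> 16, right & 0xFFFF
            actual = halfwords.get(base + off, 0) & (~mask & 0xFFFF)  # mask bits are ignored
            cond = actual == value if ct == 0x28 else actual != value
            if_stack.append(active and cond)
            i += 1
        elif ct == 0x04:               # 32-bit write, base-address relative
            if active:
                applied.append(("write32", base + (left & 0xFFFFFF), right))
            i += 1
        elif ct == 0xC2:               # insert ASM: right word = number of 8-byte lines
            n = right
            body = pairs[i + 1:i + 1 + n]
            if len(body) != n:
                raise ValueError(f"C2 at line {i}: {n} lines declared, {len(body)} present")
            words = [w for pair in body for w in pair]
            if words[-1] != 0:
                raise ValueError(f"C2 at line {i}: block must end with 00000000")
            if active:
                applied.append(("insert_asm", base + (left & 0xFFFFFF), words[:-1]))
            i += 1 + n
        elif ct == 0xE0:               # full terminator: closes every open if
            if_stack.clear()
            i += 1
        else:
            raise ValueError(f"code type {ct:02X} not modelled")
    return applied


def applied_types(text, button_halfword):
    """Names of the actions applied for a given controller halfword."""
    pairs = parse_codelist(text)
    return [a[0] for a in run_codelist(pairs, {BUTTON_ADDR: button_halfword})]


if __name__ == "__main__":
    for name, text in (("nested", NESTED_LIST), ("endif", ENDIF_LIST)):
        for held in (0x0800, 0x0000):
            print(name, f"halfword={held:04X}", applied_types(text, held))
```

Running it shows the difference the odd address makes: with the list as posted, the 04 restore line is never reached (while the button is held the inner 2A is false, and once it is released the outer 28 skips everything up to E0), whereas with 2A215001 the C2 insert is applied while the button is held and the 04 write while it is not.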
Alright I found the address. I worked out that the speed modifier that dcx2 has ported is just a couple 32 bytes after. Thank you dcx2!!
Registers
[spoiler]
CR:24000048 XER:00000000 CTR:00000000 DSIS:02400000
DAR:92B949C4 SRR0:80612A44 SRR1:0000B032 LR:80612A10
r0:00000000 r1:80CA03D0 r2:8027E5E0 r3:808D2940
r4:00000038 r5:00000000 r6:00000008 r7:806ECDC0
r8:00000000 r9:00000004 r10:80CA03D0 r11:80CA0340
r12:0023F091 r13:8027D600 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:00000000
r20:00000000 r21:00000000 r22:00000000 r23:00000000
r24:92B947E0 r25:00000000 r26:80020000 r27:00000000
r28:806ECAD8 r29:808D3FA0 r30:806C21C0 r31:00000280
f0:3FB0A3E8 f1:3FB0A3E8 f2:3F333333 f3:40051EC1
f4:458FC245 f5:C2759E44 f6:BFBF62C0 f7:C5453000
f8:C2759E44 f9:00000000 f10:42EA0000 f11:C36C6791
f12:00000000 f13:432F0000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:BFBF62C0 f31:3F800000
[/spoiler]
Can't find the function, so I simply copied everything below the register and a couple before it in the disassembly:
[spoiler]
80612A04: 38C00008 li r6,8
80612A08: 4CC63182 crclr 6,6
80612A0C: 4BF51545 bl 0x80563f50
80612A10: 801801C0 lwz r0,448(r24)
80612A14: C07801E4 lfs f3,484(r24)
80612A18: 540007BD rlwinm. r0,r0,0,30,30
80612A1C: D0780374 stfs f3,884(r24)
80612A20: 40820028 bne- 0x80612a48
80612A24: 3C60808D lis r3,-32627
80612A28: C05E0084 lfs f2,132(r30)
80612A2C: 38632940 addi r3,r3,10560
80612A30: C01801DC lfs f0,476(r24)
80612A34: C0230010 lfs f1,16(r3)
80612A38: EC220072 fmuls f1,f2,f1
80612A3C: EC230828 fsubs f1,f3,f1
80612A40: EC01002A fadds f0,f1,f0
80612A44: D01801E4 stfs f0,484(r24)
80612A48: C07E0000 lfs f3,0(r30)
80612A4C: 3C60808D lis r3,-32627
80612A50: D07801DC stfs f3,476(r24)
80612A54: 38632940 addi r3,r3,10560
80612A58: 809800A4 lwz r4,164(r24)
80612A5C: C05801E4 lfs f2,484(r24)
80612A60: C0230010 lfs f1,16(r3)
80612A64: C0040004 lfs f0,4(r4)
80612A68: EC220072 fmuls f1,f2,f1
80612A6C: EC3F0072 fmuls f1,f31,f1
80612A70: EC00082A fadds f0,f0,f1
80612A74: D0040004 stfs f0,4(r4)
80612A78: 807800A4 lwz r3,164(r24)
80612A7C: C01801E0 lfs f0,480(r24)
80612A80: C0230004 lfs f1,4(r3)
80612A84: FC000840 fcmpo cr0,f0,f1
80612A88: 4C411382 cror 2,1,2
80612A8C: 40820074 bne- 0x80612b00
80612A90: C0180384 lfs f0,900(r24)
80612A94: FC000840 fcmpo cr0,f0,f1
80612A98: 4C401382 cror 2,0,2
80612A9C: 4082000C bne- 0x80612aa8
80612AA0: D07801E4 stfs f3,484(r24)
80612AA4: 48000014 b 0x80612ab8
80612AA8: C03801E4 lfs f1,484(r24)
80612AAC: C01E00CC lfs f0,204(r30)
80612AB0: EC010032 fmuls f0,f1,f0
80612AB4: D01801E4 stfs f0,484(r24)
80612AB8: 807800A4 lwz r3,164(r24)
80612ABC: C01801E0 lfs f0,480(r24)
80612AC0: D0030004 stfs f0,4(r3)
80612AC4: 80180358 lwz r0,856(r24)
80612AC8: 2C000000 cmpwi r0,0
80612ACC: 41820024 beq- 0x80612af0
80612AD0: 80180350 lwz r0,848(r24)
80612AD4: 2C000000 cmpwi r0,0
80612AD8: 41820018 beq- 0x80612af0
80612ADC: 807800A4 lwz r3,164(r24)
80612AE0: C0180354 lfs f0,852(r24)
80612AE4: C0230004 lfs f1,4(r3)
80612AE8: FC010000 fcmpu cr0,f1,f0
80612AEC: 41820014 beq- 0x80612b00
80612AF0: C03801E4 lfs f1,484(r24)
80612AF4: C01E00D0 lfs f0,208(r30)
80612AF8: EC010032 fmuls f0,f1,f0
80612AFC: D01801E4 stfs f0,484(r24)
80612B00: C03801E4 lfs f1,484(r24)
80612B04: C01E0000 lfs f0,0(r30)
80612B08: FC010040 fcmpo cr0,f1,f0
80612B0C: 40800010 bge- 0x80612b1c
80612B10: C01E00D4 lfs f0,212(r30)
80612B14: EC010032 fmuls f0,f1,f0
80612B18: D01801E4 stfs f0,484(r24)
80612B1C: 881801C4 lbz r0,452(r24)
80612B20: 28000001 cmplwi r0,1
80612B24: 40820010 bne- 0x80612b34
80612B28: 881801C5 lbz r0,453(r24)
80612B2C: 28000046 cmplwi r0,70
80612B30: 41820024 beq- 0x80612b54
[/spoiler]
I'm putting the first version in
04612A3C EC230828
28215000 00000C00
C2612A3C 00000001
EC23082A 00000000
E0000000 80008000
next version implies a new stack.
ASM (address: no matter where I put it, it doesn't seem to work):
stwu r1,-16(r1)
stw r11,8(r1)
lis r11, 0x8061
ori r11, r11, 0x2A3C
lis r12, 0xBDCC
ori r12,r12,0xCCCD
lfs f3,0(r12)
fadds f1,f3,f1
lwz r11,8(r1)
addi r1,r1,16
nop
I did this because I wanted the moon jump to be smoother (slower), so I thought a smaller f3 would do the trick.
lis r12, 0xBDCC
ori r12,r12,0xCCCD
lfs f3,0(r12)
Will crash
0xBDCCCCCD is not a valid pointer. lfs doesn't work that way. It will load the 4 bytes at the address into the specified float register. That's why you need the bl trick - you need an area of memory where you can load your float from.
Quote from: dcx2 on March 19, 2011, 04:59:39 PM
lis r12, 0xBDCC
ori r12,r12,0xCCCD
lfs f3,0(r12)
Will crash
0xBDCCCCCD is not a valid pointer. lfs doesn't work that way. It will load the 4 bytes at the address into the specified float register. That's why you need the bl trick - you need an area of memory where you can load your float from.
Why lfs? lwz or stw works the same way :-\
BTW How does this work? :eek:
stwu r1,-16(r1)
stw r11,8(r1)
lis r11, 0x8061
ori r11, r11, 0x2A3C
lis r12, 0xBDCC
ori r12,r12,0xCCCD
lfs f3,0(r12)
fadds f1,f3,f1
lwz r11,8(r1)
addi r1,r1,16
nop
Why are you loading into an address? You already have a hook address at the beginning of C2?! I think this doesn't work. Please correct me if I'm wrong, but I already tried this and nothing happened.
I forgot to store it into a float. It was 12am and my brain shut down I went to bed after that. I did think of that float trick though, so thanks dcx2 I'm glad I was right. It's always nice getting confirmation!
so the bl trick is the same as what dcx2 taught me for eldar saga's moon jump.
http://wiird.l0nk.org/forum/index.php/topic,7858.msg66288.html#msg66288 (http://wiird.l0nk.org/forum/index.php/topic,7858.msg66288.html#msg66288)
IE:
[spoiler]4E00000C 00000000 # put a pointer to the float in po
ASM here # hook that constantly adds float to Y axis
14000000 00000000 # make hook add 0.0
283CB80A BFFF4000 # if holding C
14000000 42C80000 # make hook add 100.0
E0000000 80008000 # terminator
ASM:
bl NO_DATA
.float 14
NO_DATA:
mflr r12
lfs f0,0(r12)
lfs f26,448(r1)
fadds f26,f0,f26
stfs f26,448(r1)
[/spoiler]
Here it is for Okami. But it has to be revised because it doesn't work: the avatar vanishes.
[spoiler]code:
4E00000C 00000000
C2612A44 00000004
48000009 3F800000
7D8802A6 C06C0000
C01801E4 EC00182A
D01801E4 00000000
14000000 00000000
28215000 00000C00
14000000 42C80000
E0000000 80008000
asm (address 80612A3C: stfs f0,484(r24)):
bl NO_DATA
.float 14
NO_DATA:
mflr r12
lfs f3,0(r12)
lfs f0,484(r24)
fadds f0,f0,f3
stfs f0,484(r24)
[/spoiler]
lfd = load float double-precision. double = 8 bytes.
lfs = load float single-precision. single = 4 bytes
You're mixing lfd (load float double), fadds (float add single), and stfs (store float single). This may or may not cause problems, I'm not 100% sure.
Quote from: dcx2 on March 19, 2011, 11:02:40 PM
lfd = load float double-precision. double = 8 bytes.
lfs = load float single-precision. single = 4 bytes
You're mixing lfd (load float double), fadds (float add single), and stfs (store float single). This may or may not cause problems, I'm not 100% sure.
Ha! Of course!
see edited version below. Bolded areas are revised.
There's one thing that I'd like to mention, this makes him fly, not moon jump. How do I go about converting the code for a moon jump instead dcx2?
making a negative float would work no?
Yes it did!!
YAY! My first working 3d Moon Jump code
Moon Jump Okami v3
4E00000C 00000000
C2612A44 00000004
48000009 3E800000 ----> changing this float value will change the avatar's place in space
7D8802A6 C06C0000
C01801E4 EC00182A
D01801E4 00000000
14000000 BF800000 ---> negative float to stick him on the ground
28215000 00000800
14000000 3E800000 ----> changing this float value will accelerate/decelerate the jump
E0000000 80008000
What's bolded is recommended
bl NO_DATA
.float 14
NO_DATA:
mflr r12
lfs f3,0(r12)
lfs f0,484(r24)
fadds f0,f0,f3
stfs f0,484(r24)
what does the bl NO_DATA do? is it something like THE_END ?
This is a way to easily calculate the branch that is needed.
so this branch will not execute the data underneath the NO_DATA: section
is it an if-instruction? what does it actually do? execute if equal?
Edit: Exactly! It's a conditional branch.
lol really? awesome.
I'm now back on Eldar Saga.
See post
http://wiird.l0nk.org/forum/index.php/topic,7858.msg66306.html#msg66306 (http://wiird.l0nk.org/forum/index.php/topic,7858.msg66306.html#msg66306)
Now that I can find the addresses properly, I can start working on eldar saga again.
bl is not a conditional branch. it's not a "branch less than". That's blt-
bl is an unconditional branch. It always takes the branch regardless of the CR. bl = Branch and Link. It is just like a normal b, except the address of the next instruction is placed into the LR. This is why mflr gives us a pointer to the data.
Quote from: dcx2 on March 20, 2011, 01:43:41 AM
bl is not a conditional branch. it's not a "branch less than". That's blt-
bl is an unconditional branch. It always takes the branch regardless of the CR. bl = Branch and Link. It is just like a normal b, except the address of the next instruction is placed into the LR. This is why mflr gives us a pointer to the data.
Ok, but isn't the mflr for moving ASM data? And what does the bl branch exactly do?
lhz r12,0(r12)
andi. r12,r12,0x3EF0
blt- THE END
---ASM DATA---
THE END:
original instruction
The bl will branch in the 4e000000 that is loaded.
The bl will branch over the 4e000000 that is loaded and put a pointer to the 4e000000 into the LR
Quote from: dcx2 on March 20, 2011, 04:43:57 PM
The bl will branch over the 4e000000 that is loaded and put a pointer to the 4e000000 into the LR
What is the Link Register for? Why couldn't it be done with just standard instructions?
it's just easier this way no, deathwolf?
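As an added example (not code from this thread), the following Python mini-assembler and interpreter covers both dcx2's point about lfs and the bl/mflr explanation above. It encodes the Okami v3 ASM into the same words as the C2 code posted earlier (48000009 3E800000 7D8802A6 C06C0000 ...), then executes it on a model where only Wii MEM1 (80000000-817FFFFF) and MEM2 (90000000-93FFFFFF) are mapped, so an lfs from the "address" BDCCCCCD faults instead of loading the constant. The code location 80001800, the starting value 2.5 at 484(r24) and the 0.25 delta are constructed; r24 = 92B947E0 is taken from the register dump above, where DAR = 92B949C4 is exactly r24 + 484, the address the stfs f0,484(r24) store touches.

```python
import struct

MEM_RANGES = ((0x80000000, 0x817FFFFF),   # Wii MEM1
              (0x90000000, 0x93FFFFFF))   # Wii MEM2
CODE_ADDR = 0x80001800                    # assumed location of the ASM (constructed)


def float_to_word(x):
    return struct.unpack(">I", struct.pack(">f", x))[0]


def word_to_float(w):
    return struct.unpack(">f", struct.pack(">I", w))[0]


# Encoders for the handful of PowerPC instructions the moon jump uses.
def lis(rd, imm): return (15 << 26) | (rd << 21) | (imm & 0xFFFF)
def ori(ra, rs, imm): return (24 << 26) | (rs << 21) | (ra << 16) | (imm & 0xFFFF)
def lfs(frd, d, ra): return (48 << 26) | (frd << 21) | (ra << 16) | (d & 0xFFFF)
def stfs(frs, d, ra): return (52 << 26) | (frs << 21) | (ra << 16) | (d & 0xFFFF)
def fadds(frd, fra, frb): return (59 << 26) | (frd << 21) | (fra << 16) | (frb << 11) | (21 << 1)
def bl(offset): return (18 << 26) | (offset & 0x03FFFFFC) | 1   # LK=1: next address -> LR
def mflr(rd): return (31 << 26) | (rd << 21) | (8 << 16) | (339 << 1)


def moonjump_words(delta):
    """The Okami v3 ASM: bl over the float, mflr, add the float to 484(r24)."""
    return [bl(8), float_to_word(delta), mflr(12), lfs(3, 0, 12),
            lfs(0, 484, 24), fadds(0, 0, 3), stfs(0, 484, 24)]


class DataAccessFault(Exception):
    pass   # stands in for the DSI exception a load from an unmapped address raises


class PPC:
    def __init__(self, code_addr, words, mem=None):
        self.r, self.f, self.lr = [0] * 32, [0.0] * 32, 0
        self.mem = dict(mem or {})                 # word address -> 32-bit value
        for i, w in enumerate(words):
            self.mem[code_addr + 4 * i] = w
        self.pc = code_addr

    def _check(self, addr):
        if not any(lo <= addr <= hi for lo, hi in MEM_RANGES):
            raise DataAccessFault(f"0x{addr:08X} is not a mapped address")

    def step(self):
        w = self.mem[self.pc]
        op, rd, ra = w >> 26, (w >> 21) & 31, (w >> 16) & 31
        d = w & 0xFFFF
        if d & 0x8000:
            d -= 0x10000
        ea = (self.r[ra] if ra else 0) + d          # effective address of d-form loads/stores
        nxt = self.pc + 4
        if op == 18:                                # b / bl
            off = w & 0x03FFFFFC
            if off & 0x02000000:
                off -= 0x04000000
            if w & 1:                               # LK bit: remember where we came from
                self.lr = nxt
            nxt = self.pc + off
        elif op == 15:                              # lis (addis rd,0,imm)
            self.r[rd] = (w & 0xFFFF) << 16
        elif op == 24:                              # ori ra,rs,imm
            self.r[ra] = self.r[rd] | (w & 0xFFFF)
        elif op == 31 and ((w >> 1) & 0x3FF) == 339:   # mfspr; LR is SPR 8
            spr = ((w >> 16) & 31) | (((w >> 11) & 31) << 5)
            self.r[rd] = self.lr if spr == 8 else 0
        elif op == 48:                              # lfs: the 4 bytes *at* ea, never ea itself
            self._check(ea)
            self.f[rd] = word_to_float(self.mem.get(ea, 0))
        elif op == 52:                              # stfs
            self._check(ea)
            self.mem[ea] = float_to_word(self.f[rd])
        elif op == 59 and ((w >> 1) & 0x1F) == 21:  # fadds
            self.f[rd] = self.f[ra] + self.f[(w >> 11) & 31]
        else:
            raise NotImplementedError(f"{w:08X}")
        self.pc = nxt


def run_moonjump(player_base=0x92B947E0, y=2.5, delta=0.25):
    """Run the hook once; returns (new value at 484(r24), r12, LR)."""
    y_addr = player_base + 484
    cpu = PPC(CODE_ADDR, moonjump_words(delta), {y_addr: float_to_word(y)})
    cpu.r[24] = player_base
    for _ in range(6):                              # bl, mflr, lfs, lfs, fadds, stfs
        cpu.step()
    return word_to_float(cpu.mem[y_addr]), cpu.r[12], cpu.lr


def load_from_immediate(word=0xBDCCCCCD):
    """dcx2's point: lis/ori only build a number, and lfs then dereferences it."""
    cpu = PPC(CODE_ADDR, [lis(12, word >> 16), ori(12, 12, word & 0xFFFF), lfs(3, 0, 12)])
    try:
        for _ in range(3):
            cpu.step()
    except DataAccessFault as e:
        return str(e)
    return "no fault"
```

After the bl, mflr r12 returns the address of the word right after it (code address + 4), which is why the .float placed there can be read with lfs f3,0(r12); the same lfs with r12 = BDCCCCCD trips the model's DataAccessFault, its equivalent of the crash. float_to_word also gives the constants used in the codes above (1.0 = 3F800000, -1.0 = BF800000, 100.0 = 42C80000, 0.25 = 3E800000).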
Anybody have de Blob 2? Moon Jump on de Blob 2 seems to be quite complicated... I've been trying to figure it out... they are all weird...
Why doesn't this work?
4E00000C 00000000
C22B7114 00000004
48000009 42C80000
7D8802A6 C02C0000
C0030054 EC00082A
D0030054 00000000
14000000 BF800000
2861F69A 00000400
14000000 42C80000
E0000000 80008000
Hook Address 802B7114: D0030054 stfs f0,84(r3)
bl NO_DATA
.float 0x100
NO_DATA:
mflr r12
lfs f1,0(r12)
lfs f0,84(r3)
fadds f0,f0,f1
stfs f0,84(r3)
And this...
042B7114 80850000
2861F69A 00000400
C22B7114 00000005
9421FFB0 BDC10008
39C00009 61CE0457
80850000 7C847214
90850000 81C10008
38210050 00000000
E0000000 80008000
802B7114
stwu r1,-80(r1)
stmw r14,8(r1)
li r14,0011
ori r14,r14,1111
lwz r4,0(r5)
add r4,r4,r14
stw r4,0(r5)
lwz r14,8(r1)
addi r1,r1,80
"doesn't work"?
Freezes?
Does nothing?
Does insane things?
Does nothing.