I've been playing the Wii Sports + Wii Sports Resort bundle disc that came with my black Wii and had a blast.
Decided to throw my USBGecko in and see if I can apply my project I previously had to this instead.
Something I've been trying to work on is modifying the max "forward" speed of the plane in Air Sports. I've found the X/Y/Z Coords and the speeds for each one, but I can't seem to find the value that says how fast you are going forwards...
1: I started a 32-bit unknown search while flying level.
2: Pulled up vertical and waited a few seconds, then searched for "less than" (the plane, in theory, would be going slightly slower).
3: Then pointed the nose of the plane down, boosted, and searched for "greater than".
Repeat steps 2 and 3, but I never find anything.
I've looked around the addresses for the X/Y/Z Coords but can't find anything that seems to affect the speed, except for the X/Y/Z speed, the same that's used for moonjump codes (moon jump in the plane is pretty funny).
Anybody out there able to help?
Note, the GameID for the bundle disc is SP2P01 (PAL version).
Yeah, I think I know what you mean. Try to search for 3F800000 and do a huge Multi-Poke.
There is an address which is for the full player and allows you to speed up everything.
BTW I'm going to help you if you want.
Help would be greatly appreciated, thanks Deathwolf.
I can't get to the Wii right now, but I'll give that a try when I can.
I'm not sure if it will work like that, though. Think of it like a speedometer that gives a current forward speed - just like the address you write to when you make a Y-Coord Moon jump.
It's proving tough to find and I'm not exactly sure that it is how I'm predicting it to be...
Would setting a "write" breakpoint on the Y-Coord while traveling vertically help to backtrack and reveal this location?
I did have a peek at doing this... but my PPC ASM knowledge is severely limited :(
You can use a float increase on the Z coordinate to make yourself move forward.
The higher the added value, the faster you will go.
Don't forget to add a float to a float and NOT a HEX value!
I've tried modifying the X/Y/Z coord speed addresses, but it only gave the result I expected would happen.
It's only like modifying the Y-Coord speed to create a moonjump code.
I've been looking around the memory surrounding the X/Y/Z addresses and found the addresses that show your plane's direction, pitch and yaw.
Also found the modifier for how fast your plane turns on the X/Y plane based on the Motion+ angle. I can give myself hyper-sensitive controls and insane turning speeds.
Finding everything except the speed >:(
What I'm hoping is that there is an address somewhere that gives a "forward" speed (kinda like acceleration). This is then used to calculate and modify the X/Y/Z coord speeds. I'm not totally sure on the 3D programming, but this is how I'm hoping it was done.
My goal is to, obviously, be able to adjust how fast you go, maybe assigning it to a button conditional so that you fly faster when it's held down.
I'm assuming that what's happening is you are finding everything but the velocity. Scroll up in the memory tab it should be around there (3-6 windows up).
I can now find velocity, and scrolling down, the XYZ axes are stacked below it (or above, it could happen).
I can only assume that it is a positive float...
I've looked up and down in mem viewer, but can't seem to find anything that handles the velocity :(
I did find a value that, when set high, makes you sit in the water without moving and without cutting the engine.
Set it high and it kills you, leaving the screen all messed up lol
Damn, I'm rusty :(
How did you manage to find the velocity?
Can you set a breakpoint on the co-ords to see what is writing to them, which technically should be the speed calculation, as it's telling where it's going to be next?
Write breakpoint on 80D34394 (X Co-ord)
Registers:
[spoiler] CR:44000888 XER:00000000 CTR:8033A3A0 DSIS:02400000
DAR:80D34394 SRR0:803397F4 SRR1:0000B032 LR:8033A3B8
r0:8033A3B8 r1:807ECEB0 r2:80700D20 r3:80D342FC
r4:80D343B8 r5:807D81D0 r6:00003E9D r7:00000000
r8:2D016C21 r9:2D016C22 r10:1680B612 r11:005A05B0
r12:8033A3A0 r13:806FADA0 r14:00000001 r15:817F6CA8
r16:00000000 r17:00000000 r18:00000000 r19:00000000
r20:00000000 r21:00000000 r22:00000000 r23:00000000
r24:00000000 r25:00000000 r26:929E00A8 r27:00000002
r28:807ED114 r29:80D33C04 r30:80D343A0 r31:80D342FC
f0:BC79D1D6 f1:B9259C0E f2:3F7D70A4 f3:3C95001B
f4:3C4E8546 f5:3C950047 f6:393EA273 f7:3C4EA326
f8:38F98F0F f9:460919EC f10:C01D1F67 f11:4488DCA8
f12:3FA6A852 f13:BE6D491A f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:3F800000
f28:3B3F667B f29:3E800000 f30:4006188C f31:3E800000[/spoiler]
ASM:
[spoiler]803397CC: C00300B8 lfs f0,184(r3)
803397D0: EC230132 fmuls f1,f3,f4
803397D4: D3C300A4 stfs f30,164(r3)
803397D8: ED43537A fmadds f10,f3,f13,f10
803397DC: ED234B3A fmadds f9,f3,f12,f9
803397E0: D1A300A8 stfs f13,168(r3)
803397E4: EC8740BA fmadds f4,f7,f2,f8
803397E8: EC6530BA fmadds f3,f5,f2,f6
803397EC: D18300AC stfs f12,172(r3)
803397F0: EC0008BA fmadds f0,f0,f2,f1
803397F4: D1630098 stfs f11,152(r3) <-------- the write?
803397F8: D143009C stfs f10,156(r3)
803397FC: D12300A0 stfs f9,160(r3)
80339800: D08300B0 stfs f4,176(r3)
80339804: D06300B4 stfs f3,180(r3)
80339808: D00300B8 stfs f0,184(r3)
8033980C: 4BFFFEC9 bl 0x803396d4
80339810: FC20F890 fmr f1,f31
80339814: 7FE3FB78 mr r3,r31
80339818: 38810008 addi r4,r1,8
8033981C: 38BF00BC addi r5,r31,188
80339820: 4BFFFE39 bl 0x80339658
80339824: 7FE3FB78 mr r3,r31
80339828: 38810008 addi r4,r1,8
8033982C: 4BFFFA35 bl 0x80339260
80339830: C002D4F0 lfs f0,-11024(r2)
80339834: D01F00D0 stfs f0,208(r31)
80339838: D01F00CC stfs f0,204(r31)
8033983C: D01F00C8 stfs f0,200(r31)
80339840: D01F00DC stfs f0,220(r31)
80339844: D01F00D8 stfs f0,216(r31)
80339848: D01F00D4 stfs f0,212(r31)
8033984C: E3E10038 psq_l f31,56(r1),0,0
80339850: CBE10030 lfd f31,48(r1)
80339854: E3C10028 psq_l f30,40(r1),0,0
80339858: CBC10020 lfd f30,32(r1)
8033985C: 83E1001C lwz r31,28(r1)
80339860: 80010044 lwz r0,68(r1)
80339864: 7C0803A6 mtlr r0
80339868: 38210040 addi r1,r1,64
8033986C: 4E800020 blr
80339870: 9421FFF0 stwu r1,-16(r1)
80339874: 7C0802A6 mflr r0
80339878: C002D4E4 lfs f0,-11036(r2)
8033987C: 90010014 stw r0,20(r1)
80339880: 93E1000C stw r31,12(r1)
80339884: 7C7F1B78 mr r31,r3
80339888: D0030000 stfs f0,0(r3)
8033988C: 38630004 addi r3,r3,4
80339890: 4BE02841 bl 0x8013c0d0
80339894: 387F0028 addi r3,r31,40
80339898: 4BE02839 bl 0x8013c0d0
8033989C: 3C80807E lis r4,-32642
803398A0: 387F005C addi r3,r31,92
803398A4: C0048288 lfs f0,-32120(r4)
803398A8: 38848288 subi r4,r4,32120
803398AC: D01F004C stfs f0,76(r31)
803398B0: C0040004 lfs f0,4(r4)
803398B4: D01F0050 stfs f0,80(r31)
803398B8: C0040008 lfs f0,8(r4)[/spoiler]
Do a read this time.
Actually, load the stacks in the disassembly bottom left corner box.
Then right click on the bp address assembly lines on the right, copy all frames and post a .txt so we can see everything.
As requested, I've set a READ BP on the X Co-ord and copied everything to this text file:
http://www.mediafire.com/?awly5rvnqtathl0
This is turning into quite a hunt :p
Got a good feeling that I might learn a good deal from this!
Thanks so much for your help.
That's not "everything". You did a plain old Copy, which only gives a snippet. Minimally, you should right click and "Copy Function" to put the whole thing in the clipboard. Usually it can be pasted into a forum post, but sometimes it's too big.
What Patedj was asking you to do was "Copy All Frames". This gives us a more complete picture of what's going on. It requires Gecko.NET 0.64.6 or newer. It will make a very large text file dump into the clipboard. The text file will not fit in the forum post. However, if you click the "Additional Options..." dropdown below a forum post you're writing, you can attach the txt file.
I used your text file as an example, even though it's small enough to be posted on the forum.
Really sorry about that.
I have to say though, I am damn impressed with the coding of Gecko.NET. My hat off to you, dcx2.
The frames copied remind me of the windows debuggers that I use :o loving it!
I've attached the new text file, as you've shown, and dumped the frames. I've noted the BP type and the address I used.
Can you Copy Function the stfs (803397F4) into a spoiler? Also, set your write breakpoint on the coords and copy the call stack, but that doesn't need to be spoilered because it's small.
stfs (803397F4) from disassembler during READ BP (X co-ord) :
[spoiler]8033973C: 9421FFC0 stwu r1,-64(r1)
80339740: 7C0802A6 mflr r0
80339744: 388300BC addi r4,r3,188
80339748: 90010044 stw r0,68(r1)
8033974C: DBE10030 stfd f31,48(r1)
80339750: F3E10038 psq_st f31,56(r1),0,0
80339754: FFE01890 fmr f31,f3
80339758: DBC10020 stfd f30,32(r1)
8033975C: F3C10028 psq_st f30,40(r1),0,0
80339760: 93E1001C stw r31,28(r1)
80339764: 7C7F1B78 mr r31,r3
80339768: C0030000 lfs f0,0(r3)
8033976C: C10300C8 lfs f8,200(r3)
80339770: EDA30024 fdivs f13,f3,f0
80339774: C0E300CC lfs f7,204(r3)
80339778: C0C300D0 lfs f6,208(r3)
8033977C: C16300A4 lfs f11,164(r3)
80339780: C0A300D4 lfs f5,212(r3)
80339784: C00300D8 lfs f0,216(r3)
80339788: ED8D0232 fmuls f12,f13,f8
8033978C: C08300DC lfs f4,220(r3)
80339790: ED4D01F2 fmuls f10,f13,f7
80339794: C12300A8 lfs f9,168(r3)
80339798: ED0D01B2 fmuls f8,f13,f6
8033979C: C0E300AC lfs f7,172(r3)
803397A0: EDA9507A fmadds f13,f9,f1,f10
803397A4: C143009C lfs f10,156(r3)
803397A8: EFCB607A fmadds f30,f11,f1,f12
803397AC: C0C30098 lfs f6,152(r3)
803397B0: ED87407A fmadds f12,f7,f1,f8
803397B4: C12300A0 lfs f9,160(r3)
803397B8: ED6337BA fmadds f11,f3,f30,f6
803397BC: C0E300B0 lfs f7,176(r3)
803397C0: ED030172 fmuls f8,f3,f5
803397C4: C0A300B4 lfs f5,180(r3)
803397C8: ECC30032 fmuls f6,f3,f0
803397CC: C00300B8 lfs f0,184(r3)
803397D0: EC230132 fmuls f1,f3,f4
803397D4: D3C300A4 stfs f30,164(r3)
803397D8: ED43537A fmadds f10,f3,f13,f10
803397DC: ED234B3A fmadds f9,f3,f12,f9
803397E0: D1A300A8 stfs f13,168(r3)
803397E4: EC8740BA fmadds f4,f7,f2,f8
803397E8: EC6530BA fmadds f3,f5,f2,f6
803397EC: D18300AC stfs f12,172(r3)
803397F0: EC0008BA fmadds f0,f0,f2,f1
803397F4: D1630098 stfs f11,152(r3)
803397F8: D143009C stfs f10,156(r3)
803397FC: D12300A0 stfs f9,160(r3)
80339800: D08300B0 stfs f4,176(r3)
80339804: D06300B4 stfs f3,180(r3)
80339808: D00300B8 stfs f0,184(r3)
8033980C: 4BFFFEC9 bl 0x803396d4
80339810: FC20F890 fmr f1,f31
80339814: 7FE3FB78 mr r3,r31
80339818: 38810008 addi r4,r1,8
8033981C: 38BF00BC addi r5,r31,188
80339820: 4BFFFE39 bl 0x80339658
80339824: 7FE3FB78 mr r3,r31
80339828: 38810008 addi r4,r1,8
8033982C: 4BFFFA35 bl 0x80339260
80339830: C002D4F0 lfs f0,-11024(r2)
80339834: D01F00D0 stfs f0,208(r31)
80339838: D01F00CC stfs f0,204(r31)
8033983C: D01F00C8 stfs f0,200(r31)
80339840: D01F00DC stfs f0,220(r31)
80339844: D01F00D8 stfs f0,216(r31)
80339848: D01F00D4 stfs f0,212(r31)
8033984C: E3E10038 psq_l f31,56(r1),0,0
80339850: CBE10030 lfd f31,48(r1)
80339854: E3C10028 psq_l f30,40(r1),0,0
80339858: CBC10020 lfd f30,32(r1)
8033985C: 83E1001C lwz r31,28(r1)
80339860: 80010044 lwz r0,68(r1)
80339864: 7C0803A6 mtlr r0
80339868: 38210040 addi r1,r1,64
8033986C: 4E800020 blr
[/spoiler]
Stack from disassembler during WRITE BP (X co-ord):
803397F4
8033A3B4
8033A3B4
803674B4
80431B64
80362048
8033B4A4
8022F73C
802683A4
80269784
8022FDB4
802306CC
801C35EC
8023828C
8022E90C
80006470
I wasn't sure if you wanted the stack from all of the X, Y, Z co-ords?
if 803397F4: D1630098 stfs f11,152(r3) is the X coordinate, then
803397F8: D143009C stfs f10,156(r3)
803397FC: D12300A0 stfs f9,160(r3)
are probably Y and Z, so we don't need them. We can work with this, however you should also do a Copy All Frames on this breakpoint too, because it's a little different than the read.
---
803397F4: D1630098 stfs f11,152(r3) # writes X coordinate
Where did f11 come from?
---
803397B8: ED6337BA fmadds f11,f3,f30,f6 # f11 = f3 * f30 + f6
Where did f3, f30, and f6 come from?
---
f3 comes from the caller, so we need Copy All Frames to answer that
803397AC: C0C30098 lfs f6,152(r3) # NOTE: X COORDINATE
803397A8: EFCB607A fmadds f30,f11,f1,f12 # f30 = f11 * f1 + f12
Note how f6 loads the "original coordinates", then some time later after some multiplies and adds, we write back to the coordinates at the breakpoint. This looks like a good place to be.
Where do f11, f1, and f12 come from?
---
8033977C: C16300A4 lfs f11,164(r3)
f1 comes from caller
80339788: ED8D0232 fmuls f12,f13,f8 # f12 = f13 * f8
f13, and f8?
---
8033976C: C10300C8 lfs f8,200(r3)
80339770: EDA30024 fdivs f13,f3,f0 # f13 = f3 / f0
---
f3 comes from the caller
80339768: C0030000 lfs f0,0(r3)
---
So we have
((f3 / f0) * f8 + f11 * f1) * f3 + f6
((f3 / 0[r3]) * 200[r3] + 164[r3] * f1) * f3 + 152[r3]
A similar pattern can be seen for the Y and Z coords. The only known quantity is that 152[r3] = X coord.
---
Things to try: nop the stfs for the X coord and see if you can't move along that axis. Try setting 164[r3] to zero, to see what the effect of the (164[r3] * f1) term is. Try setting 200[r3] to zero, to see what the effect of the (f3 / 0[r3]) * 200[r3] term is.
I've wanted to get into ASM and I might have just stumbled on the correct challenge to do it... only I've jumped into the deep end lol
I have attached the frames for the WRITE BP on the X Coord.
803397F4: stfs f11,152(r3) - nop prevents moving along X Axis.
803397F8: stfs f10,156(r3) - nop prevents moving along Y axis.
803397FC: stfs f9,160(r3) - nop prevents moving along Z axis.
I followed 164[r3] (80D35384+164) and it's already showing as zero. I viewed it in memviewer with auto update on. Changing the value appeared to do nothing.
I followed 200[r3] (80D35384+200) and it was set to 0000002C, unchanging. Changing to 00000000 appeared to do nothing and setting random values did nothing at all.
Did I go about this the correct way?
---------------------------------------------------------------------------------
I stand by what I said about wanting to download a portion of your brain. It's mind blowing how you seem to cruise this ASM with ease without having access to the debugger 8)
Be careful. The displacement operand is usually specified in decimal, but we usually specify addresses in hex, with a bad habit of dropping the hex notation 0x.
164(r3) = 0x80D35384 + 0xA4 = 0x80D35428
I actually started adding features to Gecko.NET not because I needed them, but because they helped other people collect the information that I look for automatically.
We wanted to know where f3 comes from:
8033A360: C00681D0 lfs f0,-32304(r6)
...
8033A368: FC600018 frsp f3,f0
Where did r6 come from?
---
8033A320: 3CC0807E lis r6,-32642
0x807E0000 - 0x10000 + 0x81D0 = 0x807D81D0
So that's interesting. frsp = Floating point Round to Single Precision; f0 is already single precision (lfs), so this just moves f0 to f3. And f0 comes from 807D81D0. I bet this is a very interesting value to play with. Also, it will never move, so you won't need a C2 code to change it. However, it will be different for other regions (PAL, NTSC-J).
---
We were also interested in f1. f1 comes from way far back, though. It would be difficult to explain how to trace back to f1. You can try to set a breakpoint on 80367498: C0230000 lfs f1,0(r3), but you might get false positives.
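As an added example (not code from the thread or from Gecko.NET), a Python script that does the two walks above mechanically: it runs the listed PPC float instructions symbolically to get the formula that is written to the X coordinate, and resolves `disp(rN)` operands with the decimal displacement, including the `lis`/`lfs` pair that yields 807D81D0. The listings inside are copied from the posts; the r3 value used in the test comes from the write-breakpoint register dump.

```python
# Added example (not from the thread): symbolic trace of dcx2's PPC listings.
import re

# Thread lines on the dependency chain of the X store, plus a few that reuse
# the same registers (register reuse is what makes tracing by eye error-prone).
X_STORE = """
80339768: C0030000 lfs f0,0(r3)
8033976C: C10300C8 lfs f8,200(r3)
80339770: EDA30024 fdivs f13,f3,f0
80339778: C0C300D0 lfs f6,208(r3)
8033977C: C16300A4 lfs f11,164(r3)
80339784: C00300D8 lfs f0,216(r3)
80339788: ED8D0232 fmuls f12,f13,f8
80339798: ED0D01B2 fmuls f8,f13,f6
803397A8: EFCB607A fmadds f30,f11,f1,f12
803397AC: C0C30098 lfs f6,152(r3)
803397B8: ED6337BA fmadds f11,f3,f30,f6
803397F4: D1630098 stfs f11,152(r3)
"""
# Caller-side lines that produce f3 (the "..." between them is dropped).
F3_SOURCE = """
8033A320: 3CC0807E lis r6,-32642
8033A360: C00681D0 lfs f0,-32304(r6)
8033A368: FC600018 frsp f3,f0
"""
LINE = re.compile(r"^([0-9A-F]{8}): [0-9A-F]{8} (\w+) (.+)$")
MEM = re.compile(r"^(-?\d+)\((r\d+)\)$")

def parse(listing):
    """Yield (address, mnemonic, operand list) for each listing line."""
    for line in listing.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        yield int(m.group(1), 16), m.group(2), m.group(3).split(",")

def mem_operand(operand, gprs):
    """Resolve 'disp(rN)' to [address] when rN is known; disp is DECIMAL, rN hex."""
    disp, base = MEM.match(operand).groups()
    if base in gprs:
        return f"[{(gprs[base] + int(disp)) & 0xFFFFFFFF:08X}]"
    return f"{disp}({base})"

def trace(listing, gprs=None):
    """Run the listing symbolically; an FPR never written keeps its own name
    (it comes from the caller). Returns (fpr state, [(addr, dest, expr), ...])."""
    gprs, fprs, stores = dict(gprs or {}), {}, []
    def val(r):
        return fprs.get(r, r)
    for addr, op, ops in parse(listing):
        if op == "lis":                      # rD = imm << 16, as an unsigned address
            gprs[ops[0]] = (int(ops[1]) & 0xFFFF) << 16
        elif op == "lfs":
            fprs[ops[0]] = mem_operand(ops[1], gprs)
        elif op == "frsp":                   # input already single: a plain move
            fprs[ops[0]] = val(ops[1])
        elif op == "fdivs":
            fprs[ops[0]] = f"({val(ops[1])} / {val(ops[2])})"
        elif op == "fmuls":
            fprs[ops[0]] = f"({val(ops[1])} * {val(ops[2])})"
        elif op == "fmadds":                 # fD = fA * fC + fB
            a, c, b = (val(ops[i]) for i in (1, 2, 3))
            fprs[ops[0]] = f"({a} * {c} + {b})"
        elif op == "stfs":
            stores.append((addr, mem_operand(ops[1], gprs), val(ops[0])))
        else:
            raise NotImplementedError(op)
    return fprs, stores

if __name__ == "__main__":
    print("%08X: %s <- %s" % trace(X_STORE)[1][-1])
    print("f3 <-", trace(F3_SOURCE)[0]["f3"])
```

Passing `{"r3": 0x80D342FC}` (the r3 from the write-breakpoint dump) to `trace` resolves 152(r3) to 80D34394, the X coordinate the breakpoint was set on.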
I wasn't aware that the displacement operand was a decimal value! This could well be something that crippled most of what I've tried in the past!
dcx2, you are a star.
I've found two addresses that seem to be modifiers for the main "forward" velocity.
The address found with 200[r3] (80D35384+200) was only filled during the initial take off and then was zeroed during flight.
It turned out to be the X velocity multiplier. Basically, setting this float would make the plane "accelerate" to the side (depending on it being a positive or negative float)
The following address handled the Y velocity multiplier, and the next was the Z velocity, speeding up the plane.
They would all immediately return to zero after being poked, but it is obviously read and used for calculations.
As I said, there were two possibilities, and both addresses are rapidly returned to zero after being poked; a constant write using a float gives the effect needed.
One address provides a gradual acceleration. The address appears to be read and the value added to the OTHER address, giving acceleration. A negative float acts like deceleration or "brake". It's even possible to reverse ;)
The other address gives a sudden speed jump. A negative value on this acts like a sudden "brake" yet does not allow you to reverse.
Constantly writing to either address does not mean that you just keep gaining speed, but will reach whatever speed you have set. You need to add with a higher float in order to reach higher speeds.
------------------------------------------------------------------------------------------------------------------
I'd like to release this code but the credit goes to you, dcx2. I'll PM you the code I created with the details. All I found for this code was the controller address.
I'm planning on using this to hopefully find another address that handles the "current" speed and, next, player 2 speed for dogfighting. I'm sure there are people out there that would love the crazy dogfights that can be had with increased time and awesome speeds O0
I would like to ask for your help with walking through the ASM and following the steps you used to reach this result, if that's ok?
I can't thank you enough for your help, once again!
You can post the code as yours, just make a note "with assistance from dcx2"
After all, you did the breakpoint on the XYZ coordinates. For me, that's the hard part. Reading the ASM is much easier than finding the right ASM to look at.
You also played around with the data to verify which addresses did what, something I couldn't do without the game.
---
As far as the steps that I used, this previous post outlined them. http://wiird.l0nk.org/forum/index.php/topic,8093.msg68073.html#msg68073
Essentially you start with your breakpoint, which was a stfs f11. And then work backwards through the ASM to figure out where f11 came from. In this case, f11 came from multiple calculations, so you just need to work backwards through the ASM to figure out where each part came from. Then comes the trial-and-error part, where you change one term in the equation and see what the result is, so that you can identify what a given term does.
---
BTW, regarding this part: 200[r3] (80D35384+200)
I only used [r3] because there were other ()'s being used for their mathematical meaning (Order of Operations) when I was working out how the floats are processed. In general, you should use (r3) instead.
And again, if the displacement operand is 200, then what you actually add is 0xC8
200(r3) = 0x80D35384 + 0xC8
Also...did you try testing the static float that's loaded from 807D81D0? I'm interested in what happens when you change that float.
I will definitely be sure to make it known that you helped me with this.
I don't really feel that I deserve the credit...the most crucial part is understanding the ASM and I'm not as good yet as I hope to be :(
I'm definitely going to be looking over your notes and applying it to what I discovered.
Will be well worth going back to searching for the coords and acting like I didn't find the code, just to see if I can follow and understand it more.
I'll be remembering that the displacement operand is in decimal form, for sure. I feel that it's that little detail that was defeating me every time I tried to follow the ASM and getting nowhere.
I can't remember if I checked 807D81D0, but I'll be looking at that the next chance I get to connect my gecko, hopefully today. Not yet done with exploring all the possibilities and finding, creating all the ideas that I planned for the plane before moving on to the next segment of my challenges :D
-------
I wasn't really going to pursue the release of codes. I didn't want to step on people's toes if I make something that they made, etc. But I've got a great selection of codes made, some that have not been created yet, even after this time, so might go ahead for the hacker status.
Where would be the best place to release this code and the others?
You said the game id was SP2P01?
You can make a post in the PAL Wii Codes section. Give it the title of the game and make sure to include the game id. http://wiird.l0nk.org/forum/index.php/board,28.0.html
Once you post five codes, make another post in the Code Database Access thread with a link to your posts. I will give you Hacker status and James will create a GeckoCodes account for you so you can share your codes with the world. http://wiird.l0nk.org/forum/index.php/topic,267.0.html
:D I'll get a list of codes ready. Thanks for the help.
There is one little snag that I need to check for the disc, though.
When booting the disc, I have to pick between Wii Sports or Wii Sports Resort.
I can't hook into Wii Sports Resort until I've picked that game, then I'll connect Gecko.Net.
Not tried using just GeckOS yet, but I'll do that today when I get the chance.
No sense releasing codes for a game that requires a delayed hook with a USBGecko :-\
At the least, maybe others will be able to reproduce the codes on the other versions or I can port them over when I find them. I've got my nephew's Wii Sports Resort disc I can use to test the ports.
Ok, I've tested using only GeckOS with some of the cheats enabled and everything worked fine O0
Kinda stupid of me to think otherwise :p
Also, I've looked into address 807D81D0 and poked a few floats into it. It modifies the plane's X speed, positive and negative floats dictating the direction. Would make sense, as all breakpoints and ASM were pointing at the X coord.
I looked right next to it and found both the Y (807D81D4) and Z (807D81D8) speeds as expected.
Interesting, though, is that any float poked into these addresses remains without decreasing/increasing like the other two that I found do, and requires higher value floats to achieve any considerable speed.
A negative on the Z speed also allows backwards flight, just like one of the others.
It's interesting that these X/Y/Z addresses are referenced in the calculation, seeing as the values do not change at all during flight...
That's going to leave me wondering for a while...