I believe this code should work for a variety of Wii games, but not all of them. I've tested it on Wii Play and Super Mario Galaxy, and the function that reads the buttons is identical for both games. I've attached the dump for SMG.
This code does three five things:
1) it puts a copy of the real buttons into gr10, which can then be used as a button activator by using 28001830 MMMMXXXX
2) it tests the Wiimote and Nunchuck for shaking, and sets unused buttons 0x20 and 0x40. These can be used for "shake button activators" or just shake activators. They can be used in combination with other buttons, so a "hold A and shake nunchuck" button activator would be 28001830 00000840
3) it can be used to customize the controller layout by mapping buttons to other buttons, mapping buttons to shakes, or mapping shakes to buttons. For instance, pressing the Home key can instead press A and B at the same time, with no home menu. You could also swap the left and right/up and down arrows. You could press A to shake, or shake to press A (and then use A for something else). You can make any button into any other button or combination of buttons, pretty much without restriction. The remapped buttons are available via gr11 = 28001834 MMMMXXXX.
4) it can be used to spoof button presses by writing a button mask to gr12 = 04001838 0000XXXX. So you could poke 0x00000C00 and this would hold A and B down.
5) it can be used to spoof shakes much like how it spoofs buttons, again by poking gr12 with 0x20 or 0x40 for Wiimote or Nunchuck.
You can use the button activators and spoofing together. For instance, this is a button activator on CZA that will shake the Wiimote
28001830 00006800
04001838 00000020
E0000000 80008000
---
The vast majority of the code handles mapping the buttons. A simpler version without mapping could be made. It can also be made 2 lines shorter by porting it to a particular game, which would get rid of the F6 part.
Here's the standard code template, you'll need to replace each button with the remapped mask. For instance, to map the Home key to A and B, replace the "HOME" in the code below with "0C00"
F6000001 80048100
2809FFFF 40820008
D200000C 0000001B
9421FFB0 BDC10008
3D808000 48000025
00010002 00040008 # LLLLRRRR DDDDUUUU
00100000 00000080 # ++++WWWW NNNNXXXX
01000200 04000800 # 22221111 BBBBAAAA
10002000 40008000 # ----ZZZZ CCCCHOME
39C00010 39E00001
3A000000 3A200000
7E4802A6 A27F0018
2C133FDA 41800008
51E72EB4 A27F0074
2C133FDA 41800008
51E73672 7CF37839
4182000C 7E728A2E
7E109B78 3A310002
55EF083C 35CEFFFF
40A2FFE4 828C1838
72930060 7E109B78
72130020 4182000C
3E6042C8 927F0010
72130040 4182000C
3E6042C8 927F0070
70F30060 7E109B78
90EC1830 920C1834
7E878378 B9C10008
38210050 70E09FFF
60000000 00000000
E0000000 80008000
Here's the source (updated with shaking code)
[spoiler]
# ------------------------------------------
# Initialize a stack frame, data table, etc
.set gr0, 0x1808 # gr0 is 80001808 for Gecko 1.9.1+
.set gr10, gr0+4*10 # original buttons
.set gr11, gr0+4*11 # remapped buttons
.set gr12, gr0+4*12 # spoofed buttons
stwu r1,-80(r1) # make space for 18 registers
stmw r14,8(r1) # push r14-r31 onto the stack
lis r12,0x8000 # load r12 with base pointer
# button map table
# shakes are unmapped by default to prevent spoofing from
# accidentally over-writing shake values when actually shaking
bl _SKIP_DATA
.short 0x0001 # Left
.short 0x0002 # Right
.short 0x0004 # Down
.short 0x0008 # Up
.short 0x0010 # Plus
.short 0x0000 # Wiimote Shake (unmapped, 0x20)
.short 0x0000 # Nunchuck Shake (unmapped, 0x40)
.short 0x0080 #
.short 0x0100 # 2
.short 0x0200 # 1
.short 0x0400 # B
.short 0x0800 # A
.short 0x1000 # -
.short 0x2000 # Z
.short 0x4000 # C
.short 0x8000 # Home
_SKIP_DATA:
li r14,16 # loop 16 times
li r15,1 # sliding bitmask
li r16,0 # remapped buttons ORed into this
li r17,0 # index into button map table
mflr r18 # data table pointer
# r7 has current buttons
# r19 is a temp variable
# ------------------------------------------
# test for shaking and set an unused bit in the buttons
# we do this first so shaking can activate buttons
# Wiimote shake
lhz r19,24(31) # upper 16 bits of Wiimote shake magnitude
cmpwi r19,0x3FDA # is it < 1.7?
blt- 0f
rlwimi r7,r15,5,26,26 # insert a 1 at 0x20
# Nunchuck shake
0:
lhz r19,116(31) # upper 16 bits of Nunchuck shake vector float
cmpwi r19,0x3FDA # is it < 1.7?
blt- 0f
rlwimi r7,r15,6,25,25 # insert a 1 at 0x40
# ------------------------------------------
# Process the real buttons in a loop
0:
and. r19,r7,r15 # is the sliding bit set? r19 is unused
beq- 1f # if not, skip to the next bit
lhzx r19,r18,r17 # r19 loads remapped button mask
or r16,r16,r19 # or the table's mask into the remapped buttons
1:
addi r17,r17,2 # increment table index
slwi r15,r15,1 # shift bitmask to the left by 1 bit
subic. r14,r14,1 # decrement counter
bne- 0b # go back to top of loop if not 0
# ------------------------------------------
# Spoof shakes
# note that a button may have been remapped to shake
lwz r20,gr12(r12) # load spoof buttons
andi. r19,r20,0x60 # mask off spoof shakes
or r16,r16,r19 # insert any spoofed shakes into remap
# test the spoof-map for shakes
andi. r19,r16,0x0020 # Wiimote shake?
beq- 0f
lis r19,0x42C8 # r19 = 100.0
stw r19,16(r31) # tickle the y Wiimote sensor
0:
andi. r19,r16,0x0040 # nunchuck shake?
beq- 0f
lis r19,0x42C8 # r19 = 100.0
stw r19,112(r31) # tickle the y nunchuck sensor
0:
# ------------------------------------------
# Store the activators, combining spoofs as necessary
andi. r19,r7,0x60 # copy any real shakes back into the spoof-map
or r16,r16,r19 # since they are originally "unmapped"
stw r7,gr10(r12) # store real activator
stw r16,gr11(r12) # store remapped activator
or r7,r20,r16 # combine spoof buttons with remapped buttons
# The real buttons are now replaced with the spoof-map
lmw r14,8(r1) # pop r14-r31 off the stack
addi r1,r1,80 # release the space
andi. r0,r7,40959 # original instruction[/spoiler]
Very interesting. I never thought there would be a universal line to search for (2809FFFF 40820008).
It's also interesting that you can poke gr10 and it will also write to the actual button in the game. Does that mean that 2809FFFF 40820008 with an offset of 0xC will always go to the "master button activtor." (Sorry if you don't understand my terminology. I'm just making up words...)
Nintendo publishes an SDK to help game developers make games for the Wii. There's probably a standard "read pad" function in this SDK. Anyone who builds a game against their SDK will probably have that pad function. And the line that I look for is pretty unique.
F6000001 80048100
2809FFFF 40820008
D200000C 000000NN
should always find this line
andi. r0,r7,40959
At this point, r7 will have a valid copy of the buttons. If you over-write r7 at this point, the game will see that new value as what buttons the player pushed.
I was trying to find a way to map shake to a button, so we could be even lazier. Unfortunately I'm having trouble finding the right place to inject the "shake" value.
Updated first post with support for shake activators and shake spoofing
Brilliant, will try this tomorrow.
Ta
Does this work for any player, or just P1? Is there anything interesting necessary to run this for all 4 players at once?
Here's the modified version of the code. Not only does it store all 4 players' pad data, it stores one-shot button activators as well.
Huge thanks for the original code, dcx2 :)
F6000001 80048100
2809FFFF 40820008
D200000C 0000001E
9421FFB0 BDC10008
3D808000 618C181C
1E7B000A 7D8C9A14
48000025 00010002
00040008 00100000
00000080 01000200
04000800 10002000
40008000 39C00010
39E00001 3A000000
3A200000 7E4802A6
A2BF0006 A27F0018
2C133FDA 4180000C
51E72EB4 51F52EB4
A27F0074 2C133FDA
4180000C 51E73672
51F53672 7CF37839
4182000C 7E728A2E
7E109B78 3A310002
55EF083C 35CEFFFF
40A2FFE4 A28C0006
72930060 7E109B78
72130020 4182000C
3E6042C8 927F0010
72130040 4182000C
3E6042C8 927F0070
70F30060 7E109B78
B0EC0000 B20C0002
7E878378 B2AC0004
B9C10008 38210050
70E09FFF 00000000
E0000000 80008000
P1 buttons
80001824
P1 buttons (remapped)
80001826
P1 one-shot buttons (remapped)
80001828
P1 button spoofer
8000182A
P2 buttons
8000182C
P2 buttons (remapped)
8000182E
P2 one-shot buttons (remapped)
80001830
P2 button spoofer
80001832
P3 buttons
80001834
P3 buttons (remapped)
80001836
P3 one-shot buttons (remaped)
80001838
P3 button spoofer
8000183A
P4 buttons
8000183C
P4 buttons (remapped)
8000183E
P4 one-shot buttons (remapped)
80001840
P4 button spoofer
80001842
[spoiler]#------------------------------------------------------------
.macro lwi reg, value
lis \reg, \value@h
ori \reg, \reg, \value@l
.endm
# ------------------------------------------
# Initialize a stack frame, data table, etc
/*
original buttons
remapped buttons
remapped buttons (one shot)
spoofed buttons
*/
stwu r1,-80(r1) # make space for 18 registers
stmw r14,8(r1) # push r14-r31 onto the stack
lwi r12,0x80001808+4*7 # load r12 with base pointer
mulli r19,r27,2*4
add r12,r12,r19
# button map table
# shakes are unmapped by default to prevent spoofing from
# accidentally over-writing shake values when actually shaking
bl _SKIP_DATA
.short 0x0001 # Left
.short 0x0002 # Right
.short 0x0004 # Down
.short 0x0008 # Up
.short 0x0010 # Plus
.short 0x0000 # Wiimote Shake (unmapped, 0x20)
.short 0x0000 # Nunchuck Shake (unmapped, 0x40)
.short 0x0080 #
.short 0x0100 # 2
.short 0x0200 # 1
.short 0x0400 # B
.short 0x0800 # A
.short 0x1000 # -
.short 0x2000 # Z
.short 0x4000 # C
.short 0x8000 # Home
_SKIP_DATA:
li r14,16 # loop 16 times
li r15,1 # sliding bitmask
li r16,0 # remapped buttons ORed into this
li r17,0 # index into button map table
mflr r18 # data table pointer
# r7 has current buttons
# r19 is a temp variable
# r21 holds one-shot button
lhz r21,6(r31)
# ------------------------------------------
# test for shaking and set an unused bit in the buttons
# we do this first so shaking can activate buttons
# Wiimote shake
lhz r19,24(31) # upper 16 bits of Wiimote shake magnitude
cmpwi r19,0x3FDA # is it < 1.7?
blt- 0f
rlwimi r7,r15,5,26,26 # insert a 1 at 0x20
rlwimi r21,r15,5,26,26 # insert a 1 at 0x20
# Nunchuck shake
0:
lhz r19,116(31) # upper 16 bits of Nunchuck shake vector float
cmpwi r19,0x3FDA # is it < 1.7?
blt- 0f
rlwimi r7,r15,6,25,25 # insert a 1 at 0x40
rlwimi r21,r15,6,25,25 # insert a 1 at 0x40
# ------------------------------------------
# Process the real buttons in a loop
0:
and. r19,r7,r15 # is the sliding bit set? r19 is unused
beq- 1f # if not, skip to the next bit
lhzx r19,r18,r17 # r19 loads remapped button mask
or r16,r16,r19 # or the table's mask into the remapped buttons
1:
addi r17,r17,2 # increment table index
slwi r15,r15,1 # shift bitmask to the left by 1 bit
subic. r14,r14,1 # decrement counter
bne- 0b # go back to top of loop if not 0
# ------------------------------------------
# Spoof shakes
# note that a button may have been remapped to shake
lhz r20,6(r12) # load spoof buttons
andi. r19,r20,0x60 # mask off spoof shakes
or r16,r16,r19 # insert any spoofed shakes into remap
# test the spoof-map for shakes
andi. r19,r16,0x0020 # Wiimote shake?
beq- 0f
lis r19,0x42C8 # r19 = 100.0
stw r19,16(r31) # tickle the y Wiimote sensor
0:
andi. r19,r16,0x0040 # nunchuck shake?
beq- 0f
lis r19,0x42C8 # r19 = 100.0
stw r19,112(r31) # tickle the y nunchuck sensor
0:
# ------------------------------------------
# Store the activators, combining spoofs as necessary
andi. r19,r7,0x60 # copy any real shakes back into the spoof-map
or r16,r16,r19 # since they are originally "unmapped"
sth r7,0(r12) # store real activator
sth r16,2(r12) # store remapped activator
or r7,r20,r16 # combine spoof buttons with remapped buttons
sth r21,4(r12)
# The real buttons are now replaced with the spoof-map
lmw r14,8(r1) # pop r14-r31 off the stack
addi r1,r1,80 # release the space
andi. r0,r7,40959 # original instruction
#-------------------------------------------------------------[/spoiler]
Nice job Y.S. ;D r27 tells us what player we're processing.
biolizard, I have looked at the Wiimote pointer data before. It's two floats, -1 < x,y < 1. The center of the screen is 0,0. It's been this way for all Wii games that I have seen. The Wiimote pointer data is always stored next to the "real" pad data. Switch MemView View Mode to "Single" and aim around the screen and it jumps out at you.
I think I could do proof-of-concept. I could add a tab to Gecko.NET, that's just a big blank box. When you mouse over this box, it turns the mouse-over coordinates into a Wiimote pointer and spoofs the Wiimote pointer value. A few more edits, and keyboard keys could spoof buttons. Bam! Mouse and keyboard for the Wii.
---
Unfortunately, I don't think this is truly "universal". Not only has it not worked for VC (expected; the Classic Controller pad func is probably different)...it doesn't work for Super Mario Galaxy 2. =( This is unexpected, because it works for SMG1. I bet Nintendo updated their SDK at some point and completely refactored the pad func.
Quote from: dcx2 on April 30, 2011, 02:00:28 PM
Nice job Y.S. ;D r27 tells us what player we're processing.
biolizard, I have looked at the Wiimote pointer data before. It's two floats, -1 < x,y < 1. The center of the screen is 0,0. It's been this way for all Wii games that I have seen. The Wiimote pointer data is always stored next to the "real" pad data. Switch MemView View Mode to "Single" and aim around the screen and it jumps out at you.
I think I could do proof-of-concept. I could add a tab to Gecko.NET, that's just a big blank box. When you mouse over this box, it turns the mouse-over coordinates into a Wiimote pointer and spoofs the Wiimote pointer value. A few more edits, and keyboard keys could spoof buttons. Bam! Mouse and keyboard for the Wii.
---
Unfortunately, I don't think this is truly "universal". Not only has it not worked for VC (expected; the Classic Controller pad func is probably different)...it doesn't work for Super Mario Galaxy 2. =( This is unexpected, because it works for SMG1. I bet Nintendo updated their SDK at some point and completely refactored the pad func.
Cool, yeah, the pointer data should be easy to integrate into PadSim. I'll play around with it once my real-life obligations quiet down a bit (finals coming up soon).
And yeah, Nintendo updates their SDK every now and then... I think GameCube has at least 4 different PadRead revisions.
I have an additional idea:
Can you remind of a "rapidfire button/shaking" code?
-> As long as the button is pressed, the game thinks that you push it very fast/slow (changable with a value for instance)
Mdmwii made such a code for MKWii and I know that it´s a breakpoint on the BA Adress ;D
Just saw this today- freaking awesome hack!!
Nice move man.
Added turbo buttons ;)
F6000001 80048100
2809FFFF 40820008
D200000C 00000024
9421FFB0 BDC10008
3D808000 618C1810
1E7B000C 7D8C9A14
48000025 00010002
00040008 00100000
00000080 01000200
04000800 10002000
40008000 39C00010
39E00001 3A000000
3A200000 7E4802A6
A2BF0006 8A6C000A
8A8C000B 3A940001
7C13A000 3A730001
9A6C000A 40820014
3A600000 9A6C000A
A26C0008 7CE79878
A27F0018 2C133FDA
4180000C 51E72EB4
51F52EB4 A27F0074
2C133FDA 4180000C
51E73672 51F53672
7CF37839 4182000C
7E728A2E 7E109B78
3A310002 55EF083C
35CEFFFF 40A2FFE4
A28C0006 72930060
7E109B78 72130020
4182000C 3E6042C8
927F0010 72130040
4182000C 3E6042C8
927F0070 70F30060
7E109B78 B0EC0000
B20C0002 7E878378
B2AC0004 B9C10008
38210050 70E09FFF
60000000 00000000
E0000000 80008000
P1 buttons 80001818
P1 buttons (remapped) 8000181A
P1 one-shot buttons (remapped) 8000181C
P1 button spoofer 8000181E
P1 turbo buttons 80001820
P1turbo interval 80001823
P2 buttons 80001824
P2 buttons (remapped) 80001826
P2 one-shot buttons (remapped) 80001828
P2 button spoofer 8000182A
P2 turbo buttons 8000182C
P2turbo interval 8000182F
P3 buttons 80001830
P3 buttons (remapped) 80001832
P3 one-shot buttons (remapped) 80001834
P3 button spoofer 80001836
P3 turbo buttons 80001838
P3turbo interval 8000183B
P4 buttons 8000183C
P4 buttons (remapped) 8000183E
P4 one-shot buttons (remapped) 80001840
P4 button spoofer 80001842
P4 turbo buttons 80001844
P4turbo interval 80001847
Source code
[spoiler]#------------------------------------------------------------
.macro lwi reg, value
lis \reg, \value@h
ori \reg, \reg, \value@l
.endm
# ------------------------------------------
/*
original buttons / remapped buttons
remapped buttons (one shot) / spoofed buttons
turbo buttons / turbo counters
*/
# Initialize a stack frame, data table, etc
stwu r1,-80(r1) # make space for 18 registers
stmw r14,8(r1) # push r14-r31 onto the stack
lwi r12,0x80001818 # load r12 with base pointer
mulli r19,r27,2*6
add r12,r12,r19
# button map table
# shakes are unmapped by default to prevent spoofing from
# accidentally over-writing shake values when actually shaking
bl _SKIP_DATA
.short 0x0001 # Left
.short 0x0002 # Right
.short 0x0004 # Down
.short 0x0008 # Up
.short 0x0010 # Plus
.short 0x0000 # Wiimote Shake (unmapped, 0x20)
.short 0x0000 # Nunchuck Shake (unmapped, 0x40)
.short 0x0080 #
.short 0x0100 # 2
.short 0x0200 # 1
.short 0x0400 # B
.short 0x0800 # A
.short 0x1000 # -
.short 0x2000 # Z
.short 0x4000 # C
.short 0x8000 # Home
_SKIP_DATA:
li r14,16 # loop 16 times
li r15,1 # sliding bitmask
li r16,0 # remapped buttons ORed into this
li r17,0 # index into button map table
mflr r18 # data table pointer
# r7 has current buttons
# r19 is a temp variable
# r21 holds one-shot button
lhz r21,6(r31)
# load turbo
lbz r19,10(r12)
lbz r20,11(r12)
addi r20,r20,1
cmpw r19,r20
addi r19,r19,1
stb r19,10(r12)
bne- _Skip_turbo
li r19,0
stb r19,10(r12)
lhz r19,8(r12)
andc r7,r7,r19
_Skip_turbo:
# ------------------------------------------
# test for shaking and set an unused bit in the buttons
# we do this first so shaking can activate buttons
# Wiimote shake
lhz r19,24(31) # upper 16 bits of Wiimote shake magnitude
cmpwi r19,0x3FDA # is it < 1.7?
blt- 0f
rlwimi r7,r15,5,26,26 # insert a 1 at 0x20
rlwimi r21,r15,5,26,26 # insert a 1 at 0x20
# Nunchuck shake
0:
lhz r19,116(31) # upper 16 bits of Nunchuck shake vector float
cmpwi r19,0x3FDA # is it < 1.7?
blt- 0f
rlwimi r7,r15,6,25,25 # insert a 1 at 0x40
rlwimi r21,r15,6,25,25 # insert a 1 at 0x40
# ------------------------------------------
# Process the real buttons in a loop
0:
and. r19,r7,r15 # is the sliding bit set? r19 is unused
beq- 1f # if not, skip to the next bit
lhzx r19,r18,r17 # r19 loads remapped button mask
or r16,r16,r19 # or the table's mask into the remapped buttons
1:
addi r17,r17,2 # increment table index
slwi r15,r15,1 # shift bitmask to the left by 1 bit
subic. r14,r14,1 # decrement counter
bne- 0b # go back to top of loop if not 0
# ------------------------------------------
# Spoof shakes
# note that a button may have been remapped to shake
# load spoof buttons
lhz r20,6(r12)
andi. r19,r20,0x60 # mask off spoof shakes
or r16,r16,r19 # insert any spoofed shakes into remap
# test the spoof-map for shakes
andi. r19,r16,0x0020 # Wiimote shake?
beq- 0f
lis r19,0x42C8 # r19 = 100.0
stw r19,16(r31) # tickle the y Wiimote sensor
0:
andi. r19,r16,0x0040 # nunchuck shake?
beq- 0f
lis r19,0x42C8 # r19 = 100.0
stw r19,112(r31) # tickle the y nunchuck sensor
0:
# ------------------------------------------
# Store the activators, combining spoofs as necessary
andi. r19,r7,0x60 # copy any real shakes back into the spoof-map
or r16,r16,r19 # since they are originally "unmapped"
sth r7,0(r12) # store real activator
sth r16,2(r12) # store remapped activator
or r7,r20,r16 # combine spoof buttons with remapped buttons
sth r21,4(r12) # store real one-shot activator
# The real buttons are now replaced with the spoof-map
lmw r14,8(r1) # pop r14-r31 off the stack
addi r1,r1,80 # release the space
andi. r0,r7,40959 # original instruction
#-------------------------------------------------------------[/spoiler]
Quote from: dcx2 on April 20, 2011, 05:19:19 AM
I believe this code should work for all Wii games. I've tested it on Wii Play and Super Mario Galaxy, and the function that reads the buttons is identical for both games. I've attached the dump for SMG.
This code does three five things:
1) it puts a copy of the real buttons into gr10, which can then be used as a button activator by using 28001830 MMMMXXXX
2) it tests the Wiimote and Nunchuck for shaking, and sets unused buttons 0x20 and 0x40. These can be used for "shake button activators" or just shake activators. They can be used in combination with other buttons, so a "hold A and shake nunchuck" button activator would be 28001830 00000840
3) it can be used to customize the controller layout by mapping buttons to other buttons, mapping buttons to shakes, or mapping shakes to buttons. For instance, pressing the Home key can instead press A and B at the same time, with no home menu. You could also swap the left and right/up and down arrows. You could press A to shake, or shake to press A (and then use A for something else). You can make any button into any other button or combination of buttons, pretty much without restriction. The remapped buttons are available via gr11 = 28001834 MMMMXXXX.
4) it can be used to spoof button presses by writing a button mask to gr12 = 04001838 0000XXXX. So you could poke 0x00000C00 and this would hold A and B down.
5) it can be used to spoof shakes much like how it spoofs buttons, again by poking gr12 with 0x20 or 0x40 for Wiimote or Nunchuck.
You can use the button activators and spoofing together. For instance, this is a button activator on CZA that will shake the Wiimote
28001830 00006800
04001838 00000020
E0000000 80008000
---
The vast majority of the code handles mapping the buttons. A simpler version without mapping could be made. It can also be made 2 lines shorter by porting it to a particular game, which would get rid of the F6 part.
Here's the standard code template, you'll need to replace each button with the remapped mask. For instance, to map the Home key to A and B, replace the "HOME" in the code below with "0C00"
F6000001 80048100
2809FFFF 40820008
D200000C 0000001B
9421FFB0 BDC10008
3D808000 48000025
00010002 00040008 # LLLLRRRR DDDDUUUU
00100000 00000080 # ++++WWWW NNNNXXXX
01000200 04000800 # 22221111 BBBBAAAA
10002000 40008000 # ----ZZZZ CCCCHOME
39C00010 39E00001
3A000000 3A200000
7E4802A6 A27F0018
2C133FDA 41800008
51E72EB4 A27F0074
2C133FDA 41800008
51E73672 7CF37839
4182000C 7E728A2E
7E109B78 3A310002
55EF083C 35CEFFFF
40A2FFE4 828C1838
72930060 7E109B78
72130020 4182000C
3E6042C8 927F0010
72130040 4182000C
3E6042C8 927F0070
70F30060 7E109B78
90EC1830 920C1834
7E878378 B9C10008
38210050 70E09FFF
60000000 00000000
E0000000 80008000
Here's the source (updated with shaking code)
[spoiler]
# ------------------------------------------
# Initialize a stack frame, data table, etc
.set gr0, 0x1808 # gr0 is 80001808 for Gecko 1.9.1+
.set gr10, gr0+4*10 # original buttons
.set gr11, gr0+4*11 # remapped buttons
.set gr12, gr0+4*12 # spoofed buttons
stwu r1,-80(r1) # make space for 18 registers
stmw r14,8(r1) # push r14-r31 onto the stack
lis r12,0x8000 # load r12 with base pointer
# button map table
# shakes are unmapped by default to prevent spoofing from
# accidentally over-writing shake values when actually shaking
bl _SKIP_DATA
.short 0x0001 # Left
.short 0x0002 # Right
.short 0x0004 # Down
.short 0x0008 # Up
.short 0x0010 # Plus
.short 0x0000 # Wiimote Shake (unmapped, 0x20)
.short 0x0000 # Nunchuck Shake (unmapped, 0x40)
.short 0x0080 #
.short 0x0100 # 2
.short 0x0200 # 1
.short 0x0400 # B
.short 0x0800 # A
.short 0x1000 # -
.short 0x2000 # Z
.short 0x4000 # C
.short 0x8000 # Home
_SKIP_DATA:
li r14,16 # loop 16 times
li r15,1 # sliding bitmask
li r16,0 # remapped buttons ORed into this
li r17,0 # index into button map table
mflr r18 # data table pointer
# r7 has current buttons
# r19 is a temp variable
# ------------------------------------------
# test for shaking and set an unused bit in the buttons
# we do this first so shaking can activate buttons
# Wiimote shake
lhz r19,24(31) # upper 16 bits of Wiimote shake magnitude
cmpwi r19,0x3FDA # is it < 1.7?
blt- 0f
rlwimi r7,r15,5,26,26 # insert a 1 at 0x20
# Nunchuck shake
0:
lhz r19,116(31) # upper 16 bits of Nunchuck shake vector float
cmpwi r19,0x3FDA # is it < 1.7?
blt- 0f
rlwimi r7,r15,6,25,25 # insert a 1 at 0x40
# ------------------------------------------
# Process the real buttons in a loop
0:
and. r19,r7,r15 # is the sliding bit set? r19 is unused
beq- 1f # if not, skip to the next bit
lhzx r19,r18,r17 # r19 loads remapped button mask
or r16,r16,r19 # or the table's mask into the remapped buttons
1:
addi r17,r17,2 # increment table index
slwi r15,r15,1 # shift bitmask to the left by 1 bit
subic. r14,r14,1 # decrement counter
bne- 0b # go back to top of loop if not 0
# ------------------------------------------
# Spoof shakes
# note that a button may have been remapped to shake
lwz r20,gr12(r12) # load spoof buttons
andi. r19,r20,0x60 # mask off spoof shakes
or r16,r16,r19 # insert any spoofed shakes into remap
# test the spoof-map for shakes
andi. r19,r16,0x0020 # Wiimote shake?
beq- 0f
lis r19,0x42C8 # r19 = 100.0
stw r19,16(r31) # tickle the y Wiimote sensor
0:
andi. r19,r16,0x0040 # nunchuck shake?
beq- 0f
lis r19,0x42C8 # r19 = 100.0
stw r19,112(r31) # tickle the y nunchuck sensor
0:
# ------------------------------------------
# Store the activators, combining spoofs as necessary
andi. r19,r7,0x60 # copy any real shakes back into the spoof-map
or r16,r16,r19 # since they are originally "unmapped"
stw r7,gr10(r12) # store real activator
stw r16,gr11(r12) # store remapped activator
or r7,r20,r16 # combine spoof buttons with remapped buttons
# The real buttons are now replaced with the spoof-map
lmw r14,8(r1) # pop r14-r31 off the stack
addi r1,r1,80 # release the space
andi. r0,r7,40959 # original instruction[/spoiler]
Attachments is no longer there. Any chance for a re-up?
ack wtf?
Yeah I'll try to do it again tonight.
whoa. This is a lot to take in. If I made home be 0000, would this make home do nothing? I always wanted to take the home function off the wiimote or classic controller. I could use one of the homes for something else.
Er...I don't think that the forum supports attachments anymore.
Quote from: The Forum said...Cannot access attachments upload path!
Let's see if it can be a spoiler in this post!
[spoiler]804506D8: 9421FF40 stwu r1,-192(r1)
804506DC: 7C0802A6 mflr r0
804506E0: 900100C4 stw r0,196(r1)
804506E4: 396100C0 addi r11,r1,192
804506E8: 480C6E15 bl 0x805174fc
804506EC: 1C031BF8 mulli r0,r3,7160
804506F0: 3CE04330 lis r7,17200
804506F4: 3CC08062 lis r6,-32670
804506F8: 90E10050 stw r7,80(r1)
804506FC: 7C7B1B78 mr r27,r3
80450700: 38C6D340 subi r6,r6,11456
80450704: 90E10058 stw r7,88(r1)
80450708: 7C9C2378 mr r28,r4
8045070C: 7CAE2B78 mr r14,r5
80450710: 7FE60214 add r31,r6,r0
80450714: 3BC00000 li r30,0
80450718: 48087109 bl 0x804d7820
8045071C: 2C030003 cmpwi r3,3
80450720: 4182000C beq- 0x8045072c
80450724: 38600000 li r3,0
80450728: 480006C4 b 0x80450dec
8045072C: 480579BD bl 0x804a80e8
80450730: 881F1BDC lbz r0,7132(r31)
80450734: 7C711B78 mr r17,r3
80450738: 2C000000 cmpwi r0,0
8045073C: 41820010 beq- 0x8045074c
80450740: 480579D1 bl 0x804a8110
80450744: 38600000 li r3,0
80450748: 480006A4 b 0x80450dec
8045074C: 3A000001 li r16,1
80450750: 7F63DB78 mr r3,r27
80450754: 9A1F1BDC stb r16,7132(r31)
80450758: 38800000 li r4,0
8045075C: 48088371 bl 0x804d8acc
80450760: 2C03FFFF cmpwi r3,-1
80450764: 7C6F1B78 mr r15,r3
80450768: 40820058 bne- 0x804507c0
8045076C: 801F1B98 lwz r0,7064(r31)
80450770: 2C800000 cmpwi cr1,r0,0
80450774: 4186004C beq- cr1,0x804507c0
80450778: 881F1BE2 lbz r0,7138(r31)
8045077C: 2C000000 cmpwi r0,0
80450780: 41820040 beq- 0x804507c0
80450784: 881F1BE3 lbz r0,7139(r31)
80450788: 2C000000 cmpwi r0,0
8045078C: 40820034 bne- 0x804507c0
80450790: 41860028 beq- cr1,0x804507b8
80450794: 40820024 bne- 0x804507b8
80450798: 9A1F1BE3 stb r16,7139(r31)
8045079C: 7F63DB78 mr r3,r27
804507A0: 38800001 li r4,1
804507A4: 819F1B98 lwz r12,7064(r31)
804507A8: 7D8903A6 mtctr r12
804507AC: 4E800421 bctrl
804507B0: 38000000 li r0,0
804507B4: 981F1BE2 stb r0,7138(r31)
804507B8: 38000000 li r0,0
804507BC: 981F1BDF stb r0,7135(r31)
804507C0: 7E238B78 mr r3,r17
804507C4: 4805794D bl 0x804a8110
804507C8: 881F1BDD lbz r0,7133(r31)
804507CC: 2C000000 cmpwi r0,0
804507D0: 41820010 beq- 0x804507e0
804507D4: 99FF005D stb r15,93(r31)
804507D8: 7FE3FB78 mr r3,r31
804507DC: 4BFFDBD1 bl 0x8044e3ac
804507E0: 3C808045 lis r4,-32699
804507E4: 7F63DB78 mr r3,r27
804507E8: 38841198 addi r4,r4,4504
804507EC: 4808836D bl 0x804d8b58
804507F0: 881F010F lbz r0,271(r31)
804507F4: 2C000000 cmpwi r0,0
804507F8: 418205E8 beq- 0x80450de0
804507FC: 2C1C0000 cmpwi r28,0
80450800: 418205E0 beq- 0x80450de0
80450804: 2C0E0000 cmpwi r14,0
80450808: 418205D8 beq- 0x80450de0
8045080C: 480578DD bl 0x804a80e8
80450810: 8BBF010F lbz r29,271(r31)
80450814: 7C1D7040 cmplw r29,r14
80450818: 7FBEEB78 mr r30,r29
8045081C: 40810008 ble- 0x80450824
80450820: 7DDE7378 mr r30,r14
80450824: 38800000 li r4,0
80450828: 7FC0F378 mr r0,r30
8045082C: 989F010F stb r4,271(r31)
80450830: 1CBE0084 mulli r5,r30,132
80450834: 889F010E lbz r4,270(r31)
80450838: 7CBC2A14 add r5,r28,r5
8045083C: 7CDE2051 sub. r6,r4,r30
80450840: 40800008 bge- 0x80450848
80450844: 38C60078 addi r6,r6,120
80450848: 38A5FF7C subi r5,r5,132
8045084C: 48000100 b 0x8045094c
80450850: 1C860038 mulli r4,r6,56
80450854: 38C60001 addi r6,r6,1
80450858: 2C060078 cmpwi r6,120
8045085C: 7C9F2214 add r4,r31,r4
80450860: A1040110 lhz r8,272(r4)
80450864: A0E40112 lhz r7,274(r4)
80450868: B105FF7C sth r8,-132(r5)
8045086C: B0E5FF7E sth r7,-130(r5)
80450870: A1040114 lhz r8,276(r4)
80450874: A0E40116 lhz r7,278(r4)
80450878: B105FF80 sth r8,-128(r5)
8045087C: B0E5FF82 sth r7,-126(r5)
80450880: A1040118 lhz r8,280(r4)
80450884: A0E4011A lhz r7,282(r4)
80450888: B105FF84 sth r8,-124(r5)
8045088C: B0E5FF86 sth r7,-122(r5)
80450890: A104011C lhz r8,284(r4)
80450894: A0E4011E lhz r7,286(r4)
80450898: B105FF88 sth r8,-120(r5)
8045089C: B0E5FF8A sth r7,-118(r5)
804508A0: A1040120 lhz r8,288(r4)
804508A4: A0E40122 lhz r7,290(r4)
804508A8: B105FF8C sth r8,-116(r5)
804508AC: B0E5FF8E sth r7,-114(r5)
804508B0: A1040124 lhz r8,292(r4)
804508B4: A0E40126 lhz r7,294(r4)
804508B8: B105FF90 sth r8,-112(r5)
804508BC: B0E5FF92 sth r7,-110(r5)
804508C0: A1040128 lhz r8,296(r4)
804508C4: A0E4012A lhz r7,298(r4)
804508C8: B105FF94 sth r8,-108(r5)
804508CC: B0E5FF96 sth r7,-106(r5)
804508D0: A104012C lhz r8,300(r4)
804508D4: A0E4012E lhz r7,302(r4)
804508D8: B105FF98 sth r8,-104(r5)
804508DC: B0E5FF9A sth r7,-102(r5)
804508E0: A1040130 lhz r8,304(r4)
804508E4: A0E40132 lhz r7,306(r4)
804508E8: B105FF9C sth r8,-100(r5)
804508EC: B0E5FF9E sth r7,-98(r5)
804508F0: A1040134 lhz r8,308(r4)
804508F4: A0E40136 lhz r7,310(r4)
804508F8: B105FFA0 sth r8,-96(r5)
804508FC: B0E5FFA2 sth r7,-94(r5)
80450900: A1040138 lhz r8,312(r4)
80450904: A0E4013A lhz r7,314(r4)
80450908: B105FFA4 sth r8,-92(r5)
8045090C: B0E5FFA6 sth r7,-90(r5)
80450910: A104013C lhz r8,316(r4)
80450914: A0E4013E lhz r7,318(r4)
80450918: B105FFA8 sth r8,-88(r5)
8045091C: B0E5FFAA sth r7,-86(r5)
80450920: A1040140 lhz r8,320(r4)
80450924: A0E40142 lhz r7,322(r4)
80450928: B105FFAC sth r8,-84(r5)
8045092C: B0E5FFAE sth r7,-82(r5)
80450930: A0E40144 lhz r7,324(r4)
80450934: A0840146 lhz r4,326(r4)
80450938: B0E5FFB0 sth r7,-80(r5)
8045093C: B085FFB2 sth r4,-78(r5)
80450940: 38A5FF7C subi r5,r5,132
80450944: 41800008 blt- 0x8045094c
80450948: 38C00000 li r6,0
8045094C: 3400FFFF subic. r0,r0,1
80450950: 4082FF00 bne+ 0x80450850
80450954: 1C060038 mulli r0,r6,56
80450958: 7E1F0214 add r16,r31,r0
8045095C: A1F0013A lhz r15,314(r16)
80450960: A0100136 lhz r0,310(r16)
80450964: 91E10074 stw r15,116(r1)
80450968: A1F0013C lhz r15,316(r16)
8045096C: B001003E sth r0,62(r1)
80450970: 80010074 lwz r0,116(r1)
80450974: 91E10060 stw r15,96(r1)
80450978: A1F0013E lhz r15,318(r16)
8045097C: B0010042 sth r0,66(r1)
80450980: 80010060 lwz r0,96(r1)
80450984: 91E10064 stw r15,100(r1)
80450988: A1F00140 lhz r15,320(r16)
8045098C: B0010044 sth r0,68(r1)
80450990: 80010064 lwz r0,100(r1)
80450994: 91E10068 stw r15,104(r1)
80450998: A1F00142 lhz r15,322(r16)
8045099C: B0010046 sth r0,70(r1)
804509A0: 80010068 lwz r0,104(r1)
804509A4: 91E1006C stw r15,108(r1)
804509A8: A1F00144 lhz r15,324(r16)
804509AC: B0010048 sth r0,72(r1)
804509B0: 8001006C lwz r0,108(r1)
804509B4: 91E10070 stw r15,112(r1)
804509B8: A2300110 lhz r17,272(r16)
804509BC: A2500112 lhz r18,274(r16)
804509C0: A2700114 lhz r19,276(r16)
804509C4: A2900116 lhz r20,278(r16)
804509C8: A2B00118 lhz r21,280(r16)
804509CC: A2D0011A lhz r22,282(r16)
804509D0: A2F0011C lhz r23,284(r16)
804509D4: A310011E lhz r24,286(r16)
804509D8: A3300120 lhz r25,288(r16)
804509DC: A3500122 lhz r26,290(r16)
804509E0: A1900124 lhz r12,292(r16)
804509E4: A1700126 lhz r11,294(r16)
804509E8: A1500128 lhz r10,296(r16)
804509EC: A130012A lhz r9,298(r16)
804509F0: A110012C lhz r8,300(r16)
804509F4: A0F0012E lhz r7,302(r16)
804509F8: A0D00130 lhz r6,304(r16)
804509FC: A0B00132 lhz r5,306(r16)
80450A00: A0900134 lhz r4,308(r16)
80450A04: A1D00138 lhz r14,312(r16)
80450A08: A1F00146 lhz r15,326(r16)
80450A0C: B001004A sth r0,74(r1)
80450A10: 80010070 lwz r0,112(r1)
80450A14: B2210018 sth r17,24(r1)
80450A18: B241001A sth r18,26(r1)
80450A1C: B261001C sth r19,28(r1)
80450A20: B281001E sth r20,30(r1)
80450A24: B2A10020 sth r21,32(r1)
80450A28: B2C10022 sth r22,34(r1)
80450A2C: B2E10024 sth r23,36(r1)
80450A30: B3010026 sth r24,38(r1)
80450A34: B3210028 sth r25,40(r1)
80450A38: B341002A sth r26,42(r1)
80450A3C: B181002C sth r12,44(r1)
80450A40: B161002E sth r11,46(r1)
80450A44: B1410030 sth r10,48(r1)
80450A48: B1210032 sth r9,50(r1)
80450A4C: B1010034 sth r8,52(r1)
80450A50: B0E10036 sth r7,54(r1)
80450A54: B0C10038 sth r6,56(r1)
80450A58: B0A1003A sth r5,58(r1)
80450A5C: B081003C sth r4,60(r1)
80450A60: B1C10040 sth r14,64(r1)
80450A64: B001004C sth r0,76(r1)
80450A68: B1E1004E sth r15,78(r1)
80450A6C: 480576A5 bl 0x804a8110
80450A70: A14220A4 lhz r10,8356(r2)
80450A74: 7F63DB78 mr r3,r27
80450A78: A12220A6 lhz r9,8358(r2)
80450A7C: 38A10010 addi r5,r1,16
80450A80: A10220A8 lhz r8,8360(r2)
80450A84: 38800000 li r4,0
80450A88: A0E220AC lhz r7,8364(r2)
80450A8C: A0C220AE lhz r6,8366(r2)
80450A90: A00220B0 lhz r0,8368(r2)
80450A94: B1410010 sth r10,16(r1)
80450A98: B1210012 sth r9,18(r1)
80450A9C: B1010014 sth r8,20(r1)
80450AA0: B0E10008 sth r7,8(r1)
80450AA4: B0C1000A sth r6,10(r1)
80450AA8: B001000C sth r0,12(r1)
80450AAC: 48087E2D bl 0x804d88d8
80450AB0: A8A10010 lha r5,16(r1)
80450AB4: A8810014 lha r4,20(r1)
80450AB8: A8610012 lha r3,18(r1)
80450ABC: 7C0429D6 mullw r0,r4,r5
80450AC0: 7C0019D7 mullw. r0,r0,r3
80450AC4: 41820058 beq- 0x80450b1c
80450AC8: 6CA08000 xoris r0,r5,32768
80450ACC: 6C638000 xoris r3,r3,32768
80450AD0: 90010054 stw r0,84(r1)
80450AD4: 6C808000 xoris r0,r4,32768
80450AD8: C8822090 lfd f4,8336(r2)
80450ADC: C8010050 lfd f0,80(r1)
80450AE0: 9061005C stw r3,92(r1)
80450AE4: EC402028 fsubs f2,f0,f4
80450AE8: C062207C lfs f3,8316(r2)
80450AEC: 90010054 stw r0,84(r1)
80450AF0: C8210058 lfd f1,88(r1)
80450AF4: C8010050 lfd f0,80(r1)
80450AF8: EC431024 fdivs f2,f3,f2
80450AFC: EC212028 fsubs f1,f1,f4
80450B00: D05F1B9C stfs f2,7068(r31)
80450B04: EC002028 fsubs f0,f0,f4
80450B08: EC230824 fdivs f1,f3,f1
80450B0C: EC030024 fdivs f0,f3,f0
80450B10: D03F1BA0 stfs f1,7072(r31)
80450B14: D01F1BA4 stfs f0,7076(r31)
80450B18: 48000014 b 0x80450b2c
80450B1C: C00220B4 lfs f0,8372(r2)
80450B20: D01F1B9C stfs f0,7068(r31)
80450B24: D01F1BA0 stfs f0,7072(r31)
80450B28: D01F1BA4 stfs f0,7076(r31)
80450B2C: 7F63DB78 mr r3,r27
80450B30: 38A10008 addi r5,r1,8
80450B34: 38800001 li r4,1
80450B38: 48087DA1 bl 0x804d88d8
80450B3C: A8A10008 lha r5,8(r1)
80450B40: A881000C lha r4,12(r1)
80450B44: A861000A lha r3,10(r1)
80450B48: 7C0429D6 mullw r0,r4,r5
80450B4C: 7C0019D7 mullw. r0,r0,r3
80450B50: 41820058 beq- 0x80450ba8
80450B54: 6CA08000 xoris r0,r5,32768
80450B58: 6C638000 xoris r3,r3,32768
80450B5C: 9001005C stw r0,92(r1)
80450B60: 6C808000 xoris r0,r4,32768
80450B64: C8822090 lfd f4,8336(r2)
80450B68: C8010058 lfd f0,88(r1)
80450B6C: 90610054 stw r3,84(r1)
80450B70: EC402028 fsubs f2,f0,f4
80450B74: C062207C lfs f3,8316(r2)
80450B78: 9001005C stw r0,92(r1)
80450B7C: C8210050 lfd f1,80(r1)
80450B80: C8010058 lfd f0,88(r1)
80450B84: EC431024 fdivs f2,f3,f2
80450B88: EC212028 fsubs f1,f1,f4
80450B8C: D05F1BA8 stfs f2,7080(r31)
80450B90: EC002028 fsubs f0,f0,f4
80450B94: EC230824 fdivs f1,f3,f1
80450B98: EC030024 fdivs f0,f3,f0
80450B9C: D03F1BAC stfs f1,7084(r31)
80450BA0: D01F1BB0 stfs f0,7088(r31)
80450BA4: 48000014 b 0x80450bb8
80450BA8: C00220B8 lfs f0,8376(r2)
80450BAC: D01F1BA8 stfs f0,7080(r31)
80450BB0: D01F1BAC stfs f0,7084(r31)
80450BB4: D01F1BB0 stfs f0,7088(r31)
80450BB8: 1C1E0084 mulli r0,r30,132
80450BBC: 3C600001 lis r3,1
80450BC0: 7FC6F378 mr r6,r30
80450BC4: 3923FFFF subi r9,r3,1
80450BC8: 7DDC0214 add r14,r28,r0
80450BCC: 388000FD li r4,253
80450BD0: 7D284B78 mr r8,r9
80450BD4: 7D274B78 mr r7,r9
80450BD8: 38AEFF7C subi r5,r14,132
80450BDC: 28060001 cmplwi r6,1
80450BE0: 38A5FF7C subi r5,r5,132
80450BE4: 4081000C ble- 0x80450bf0
80450BE8: 7CA32B78 mr r3,r5
80450BEC: 48000008 b 0x80450bf4
80450BF0: 38610018 addi r3,r1,24
80450BF4: 88030029 lbz r0,41(r3)
80450BF8: 7C000774 extsb r0,r0
80450BFC: 2C00FFFE cmpwi r0,-2
80450C00: 41820054 beq- 0x80450c54
80450C04: 40800010 bge- 0x80450c14
80450C08: 2C00FFF9 cmpwi r0,-7
80450C0C: 41820048 beq- 0x80450c54
80450C10: 48000048 b 0x80450c58
80450C14: 2C000000 cmpwi r0,0
80450C18: 41820008 beq- 0x80450c20
80450C1C: 4800003C b 0x80450c58
80450C20: 88830028 lbz r4,40(r3)
80450C24: 28040001 cmplwi r4,1
80450C28: 40820010 bne- 0x80450c38
80450C2C: A1030000 lhz r8,0(r3)
80450C30: 39200000 li r9,0
80450C34: 48000020 b 0x80450c54
80450C38: 28040002 cmplwi r4,2
80450C3C: 40820010 bne- 0x80450c4c
80450C40: A123002A lhz r9,42(r3)
80450C44: 39000000 li r8,0
80450C48: 4800000C b 0x80450c54
80450C4C: 39200000 li r9,0
80450C50: 39000000 li r8,0
80450C54: A0E30000 lhz r7,0(r3)
80450C58: 34C6FFFF subic. r6,r6,1
80450C5C: 4082FF80 bne+ 0x80450bdc
80450C60: 2807FFFF cmplwi r7,65535
80450C64: 40820024 bne- 0x80450c88
80450C68: 7F83E378 mr r3,r28
80450C6C: 7FE4FB78 mr r4,r31
80450C70: 38A00084 li r5,132
80450C74: 4BBB36C5 bl 0x80004338
80450C78: 37DEFFFF subic. r30,r30,1
80450C7C: 3B9C0084 addi r28,r28,132
80450C80: 4082FFE8 bne+ 0x80450c68
80450C84: 4800015C b 0x80450de0
80450C88: 2808FFFF cmplwi r8,65535
80450C8C: 40820008 bne- 0x80450c94
80450C90: 811F0000 lwz r8,0(r31)
80450C94: 2809FFFF cmplwi r9,65535
80450C98: 40820008 bne- 0x80450ca0
80450C9C: 813F0060 lwz r9,96(r31)
80450CA0: 70E09FFF andi. r0,r7,40959 80450CA4: 807F0000 lwz r3,0(r31)
80450CA8: 51000464 rlwimi r0,r8,0,17,18
80450CAC: 28040002 cmplwi r4,2
80450CB0: 5465043E rlwinm r5,r3,0,16,31
80450CB4: 7C032A78 xor r3,r0,r5
80450CB8: 901F0000 stw r0,0(r31)
80450CBC: 7C600038 and r0,r3,r0
80450CC0: 901F0004 stw r0,4(r31)
80450CC4: 7C602838 and r0,r3,r5
80450CC8: 901F0008 stw r0,8(r31)
80450CCC: 40820028 bne- 0x80450cf4
80450CD0: 807F0060 lwz r3,96(r31)
80450CD4: 5520043E rlwinm r0,r9,0,16,31
80450CD8: 5465043E rlwinm r5,r3,0,16,31
80450CDC: 901F0060 stw r0,96(r31)
80450CE0: 7C032A78 xor r3,r0,r5
80450CE4: 7C600038 and r0,r3,r0
80450CE8: 901F0064 stw r0,100(r31)
80450CEC: 7C602838 and r0,r3,r5
80450CF0: 901F0068 stw r0,104(r31)
80450CF4: 7FE3FB78 mr r3,r31
80450CF8: 7FA5EB78 mr r5,r29
80450CFC: 4BFFD955 bl 0x8044e650
80450D00: 7FCFF378 mr r15,r30
80450D04: 39CEFF7C subi r14,r14,132
80450D08: 3A400001 li r18,1
80450D0C: 3A200000 li r17,0
80450D10: 3A000010 li r16,16
80450D14: 280F0001 cmplwi r15,1
80450D18: 39CEFF7C subi r14,r14,132
80450D1C: 4081000C ble- 0x80450d28
80450D20: 7DD37378 mr r19,r14
80450D24: 48000008 b 0x80450d2c
80450D28: 3A610018 addi r19,r1,24
80450D2C: 88130029 lbz r0,41(r19)
80450D30: 981F005D stb r0,93(r31)
80450D34: 88930028 lbz r4,40(r19)
80450D38: 881F005C lbz r0,92(r31)
80450D3C: 7C002040 cmplw r0,r4
80450D40: 41820020 beq- 0x80450d60
80450D44: 88730029 lbz r3,41(r19)
80450D48: 38030002 addi r0,r3,2
80450D4C: 5400063E rlwinm r0,r0,0,24,31
80450D50: 28000002 cmplwi r0,2
80450D54: 4181000C bgt- 0x80450d60
80450D58: 989F005C stb r4,92(r31)
80450D5C: 9A5F1BDE stb r18,7134(r31)
80450D60: 88130036 lbz r0,54(r19)
80450D64: 981F005F stb r0,95(r31)
80450D68: 88130029 lbz r0,41(r19)
80450D6C: 7C000775 extsb. r0,r0
80450D70: 41820014 beq- 0x80450d84
80450D74: 40800038 bge- 0x80450dac
80450D78: 2C00FFF9 cmpwi r0,-7
80450D7C: 41820014 beq- 0x80450d90
80450D80: 4800002C b 0x80450dac
80450D84: 7FE3FB78 mr r3,r31
80450D88: 7E649B78 mr r4,r19
80450D8C: 4BFFF6D5 bl 0x80450460
80450D90: 7FE3FB78 mr r3,r31
80450D94: 7E649B78 mr r4,r19
80450D98: 4BFFDDB9 bl 0x8044eb50
80450D9C: 7FE3FB78 mr r3,r31
80450DA0: 7E649B78 mr r4,r19
80450DA4: 4BFFEF19 bl 0x8044fcbc
80450DA8: 48000008 b 0x80450db0
80450DAC: 9A3F005E stb r17,94(r31)
80450DB0: 38AE0080 addi r5,r14,128
80450DB4: 389FFFFC subi r4,r31,4
80450DB8: 7E0903A6 mtctr r16
80450DBC: 80640004 lwz r3,4(r4)
80450DC0: 84040008 lwzu r0,8(r4)
80450DC4: 90650004 stw r3,4(r5)
80450DC8: 94050008 stwu r0,8(r5)
80450DCC: 4200FFF0 bdnz+ 0x80450dbc
80450DD0: 80040004 lwz r0,4(r4)
80450DD4: 35EFFFFF subic. r15,r15,1
80450DD8: 90050004 stw r0,4(r5)
80450DDC: 4082FF38 bne+ 0x80450d14
80450DE0: 38000000 li r0,0
80450DE4: 7FC3F378 mr r3,r30
80450DE8: 981F1BDC stb r0,7132(r31)
80450DEC: 396100C0 addi r11,r1,192
80450DF0: 480C6759 bl 0x80517548
80450DF4: 800100C4 lwz r0,196(r1)
80450DF8: 7C0803A6 mtlr r0
80450DFC: 382100C0 addi r1,r1,192
80450E00: 4E800020 blr
[/spoiler]
---
First, you should use MemView Hex Search to make sure you have 2809FFFF 40820008. If you don't, then you have a different version of the padread function that will require a different hook. I bolded the region that the hook looks for, with the hook itself in red.
This only works for Wiimote + Nunchuck, but Y.S. did a version with 4 players. If you want the CC you'll need to use another hook.
I tried to find the button activators in Wii Play, and then set a breakpoint at the first address from the results, and from that breakpoint, if I scrolled up one step, it's the address with instruction "andi. r0,r7,40959", which is the hook for Wii Play.
So I just randomly came across that address without at all understanding why/how I got there, but I assume the hook must be connected to the button activators in some way. If I didn't know that line was supposed to be the hook for a game, how should I go about finding it in a way that actually makes sense? I'm curious about this because I'd like to try finding the padread function in other games that don't have the value "2809FFFF 40820008".
Thanks very much.
Write breakpoint on the button activator is pretty much what I did. I believe your BP hit in this section
80450CB4: 7C032A78 xor r3,r0,r5 # what buttons changed?
80450CB8: 901F0000 stw r0,0(r31) # store current button values
80450CBC: 7C600038 and r0,r3,r0 # set delta activator bits for buttons that were pressed
80450CC0: 901F0004 stw r0,4(r31) # store those values just after the buttons
80450CC4: 7C602838 and r0,r3,r5 # set delta activator bits for buttons that were released
80450CC8: 901F0008 stw r0,8(r31) # store those values just after the just-pressed values
It was important to make sure that any mapped or spoofed values are placed into r0 before this. I imagine other versions have a similar process of writing to three consecutive bytes using xor and and operations.
I tried looking for PadRead in other games by using breakpoints but I wasn't able to make it work before I wandered off to do something else.
Oh... that's not very encouraging, if someone with your experience couldn't do it then I'm not sure if I'll be able to, lol. Could you explain why "andi. r0,r7,40959" was chosen to be the hook in this case, instead of the line immediately before the sequence (80450CB0: 5465043E rlwinm r5,r3,0,16,31)?
Well, I only tried one other game that it didn't work for. I'm sure there are several versions of the PadRead function and some may be easier to find.
Why andi.? It had to come at least on or after 80450CA0 because of 80450C98: 40820008 bne- 0x80450ca0.
However, the . in andi. is performing a comparison. If I chose my hook after the andi., I would have to push/pop the CR to preserve the result of that comparison. Or I would have to re-perform the comparison to make sure the CR was set correctly. By choosing the andi. as my hook and performing the andi. at the end, the CR will hold the correct value, and that instruction is guaranteed to run no matter what the result of the various bne's above it, and that instruction is before the delta activators are calculated.
Hmm, so this line "80450CA8: 51000464 rlwimi r0,r8,0,17,18" from your example doesn't change the value in r0?
I copied some instructions around a few breakpoints I got from the button activators. I think the sequence surrounding the first breakpoint looks similar to the sequence in your example, can "mtctr r9" be the hook for this game?
800040F0: 89240000 lbz r9,0(r4)
800040F4: 38840001 addi r4,r4,1
800040F8: 99280000 stb r9,0(r8)
800040FC: 39080001 addi r8,r8,1
80004100: 4200FFF0 bdnz+ 0x800040f0
[spoiler]80004038: 714A0007 andi. r10,r10,7
8000403C: 41A2002C beq+ 0x80004068
80004040: 38C00008 li r6,8
80004044: 7D293050 sub r9,r6,r9
80004048: 39030000 addi r8,r3,0
8000404C: 7D2903A6 mtctr r9
80004050: 7CA92850 sub r5,r5,r9
80004054: 89240000 lbz r9,0(r4)
80004058: 38840001 addi r4,r4,1
8000405C: 99280000 stb r9,0(r8)
80004060: 39080001 addi r8,r8,1
80004064: 4200FFF0 bdnz+ 0x80004054
80004068: 54A6D97E rlwinm r6,r5,27,5,31
8000406C: 7CC903A6 mtctr r6
80004070: C8240000 lfd f1,0(r4)
80004074: C8440008 lfd f2,8(r4)
80004078: C8640010 lfd f3,16(r4)
8000407C: C8840018 lfd f4,24(r4)
80004080: 38840020 addi r4,r4,32
80004084: D8280000 stfd f1,0(r8)
80004088: D8480008 stfd f2,8(r8)
8000408C: D8680010 stfd f3,16(r8)
80004090: D8880018 stfd f4,24(r8)
80004094: 39080020 addi r8,r8,32
80004098: 4200FFD8 bdnz+ 0x80004070
8000409C: 70A6001F andi. r6,r5,31
800040A0: 4D820020 beqlr-
800040A4: 3884FFFF subi r4,r4,1
800040A8: 7CC903A6 mtctr r6
800040AC: 3908FFFF subi r8,r8,1
800040B0: 8D240001 lbzu r9,1(r4)
800040B4: 9D280001 stbu r9,1(r8)
800040B8: 4200FFF8 bdnz+ 0x800040b0
800040BC: 4E800020 blr
800040C0: 38C00014 li r6,20
800040C4: 7E853040 cmplw cr5,r5,r6
800040C8: 40950094 ble- cr5,0x8000415c
800040CC: 548907BE rlwinm r9,r4,0,30,31
800040D0: 546A07BE rlwinm r10,r3,0,30,31
800040D4: 7D4B4A79 xor. r11,r10,r9
800040D8: 40820084 bne- 0x8000415c
800040DC: 38C00004 li r6,4
800040E0: 7D293050 sub r9,r6,r9
800040E4: 39030000 addi r8,r3,0
800040E8: 7CA92850 sub r5,r5,r9
800040EC: 7D2903A6 mtctr r9 <<<------- hook?
800040F0: 89240000 lbz r9,0(r4)
800040F4: 38840001 addi r4,r4,1
800040F8: 99280000 stb r9,0(r8) ------BP
800040FC: 39080001 addi r8,r8,1
80004100: 4200FFF0 bdnz+ 0x800040f0
80004104: 54A6E13E rlwinm r6,r5,28,4,31
80004108: 7CC903A6 mtctr r6
8000410C: 81240000 lwz r9,0(r4)
80004110: 81440004 lwz r10,4(r4)
80004114: 81640008 lwz r11,8(r4)
80004118: 8184000C lwz r12,12(r4)
8000411C: 38840010 addi r4,r4,16
80004120: 91280000 stw r9,0(r8)
80004124: 91480004 stw r10,4(r8)
80004128: 91680008 stw r11,8(r8)
8000412C: 9188000C stw r12,12(r8)
80004130: 39080010 addi r8,r8,16
80004134: 4200FFD8 bdnz+ 0x8000410c
80004138: 70A6000F andi. r6,r5,15
8000413C: 4D820020 beqlr-
80004140: 3884FFFF subi r4,r4,1
80004144: 7CC903A6 mtctr r6
80004148: 3908FFFF subi r8,r8,1
8000414C: 8D240001 lbzu r9,1(r4)
80004150: 9D280001 stbu r9,1(r8) ------BP
80004154: 4200FFF8 bdnz+ 0x8000414c
80004158: 4E800020 blr
8000415C: 38E4FFFF subi r7,r4,1
80004160: 3903FFFF subi r8,r3,1
80004164: 7CA903A6 mtctr r5
80004168: 8D270001 lbzu r9,1(r7)
8000416C: 9D280001 stbu r9,1(r8) -------BP
80004170: 4200FFF8 bdnz+ 0x80004168
80004174: 4E800020 blr
80004178: 7C842A14 add r4,r4,r5
8000417C: 7D832A14 add r12,r3,r5
80004180: 38C00080 li r6,128
80004184: 7E853040 cmplw cr5,r5,r6
80004188: 4194007C blt- cr5,0x80004204
8000418C: 5489077E rlwinm r9,r4,0,29,31
80004190: 558A077E rlwinm r10,r12,0,29,31
80004194: 7D4B4A79 xor. r11,r10,r9
80004198: 408200F0 bne- 0x80004288
8000419C: 714A0007 andi. r10,r10,7
800041A0: 41A20014 beq+ 0x800041b4[/spoiler]
I don't think that looks right.
8000XXXX range is VERY low in memory, I highly doubt PadRead would be there.
Thanks for the feedback! I looked for other breakpoints that are not in the 8000XXXX range, and this seemed like a probable candidate:
804F6CF0: B0050000 sth r0,0(r5)
where r0 holds the value of the buttons I press, and r5 holds the address of a button activator. I scrolled down a bit, and found this sequence:
804F7054: A93D0006 lha r9,6(r29)
804F7058: 7D080734 extsh r8,r8
804F705C: 54000E32 rlwinm r0,r0,1,24,25
804F7060: 5508002E rlwinm r8,r8,0,0,23
804F7064: 7D080734 extsh r8,r8
804F7068: 7D000378 or r0,r8,r0
804F706C: 7C000734 extsh r0,r0
804F7070: 7D200378 or r0,r9,r0
804F7074: B01D0006 sth r0,6(r29)
Does this look a little more interesting to you?
No, that doesn't look quite right either. Are you sure you chose a good button activator? You have to use breakpoints on the right one. There are many other addresses with duplicate values of the button activators, but they all come from one "source". Modifying the wrong write breakpoint will not create the result you want.
One way to test it would be to do this. For your breakpoint, it was a sth r0. So click r0 in the BP tab, and modify it so that one of the buttons is being pressed. Something like a jump button. If you "fake" a button press by modifying r0 so that the jump button is pressed, then you press run game and the character jumps, you found the right breakpoint.
I thought the "right" button activator is the one that has the one shot button activator 4 bytes after it.
Does it always give the right breakpoint or could it be a different destination address on some games?
Would make things easier.
Hm, I noticed two of the button activators seemed special in that if I wrote a button value to their addresses, that button was actually pressed once in a while at some random intervals; as oppose to the other 102 button activators acting as per usual.
I've only tested about 1/4 of all the button activators, so far, all the breakpoints are either within the 8000xxxx range, or nothing seems to happen when the register's edited. And these breakpoints are shared by the activators. I'm not sure if I can find additional breakpoints for the rest of the activators. Is it possible that even if a BP doesn't show the characteristics you've described, that it can still be a valid BP?
The BP I mentioned the last time really seems to be the most promising of the lot, and this time I scrolled up:
804F6CDC: 881C0015 lbz r0,21(r28) ---"nop", results in random nunchuck button presses
804F6CE0: A0850000 lhz r4,0(r5) ---"nop", game cycles through wiimote buttons
804F6CE4: 7C0000F8 not r0,r0 ---"nop", nunchuck buttons held down by default
804F6CE8: 54006C64 rlwinm r0,r0,13,17,18 ---"nop", game presses/holds multiple random buttons
804F6CEC: 7C800378 or r0,r4,r0 ---"nop", no buttons will be registered
804F6CF0: B0050000 sth r0,0(r5) -----------BP
Btw, what does one shot mean?
This doesn't seem to work on Call of Duty, nor does it work on Classic Controller. I'll look into it when I get the time. Probably a different Pad read function for classic stuff.
Quote from: daijoda on September 04, 2011, 02:23:20 AM
Hm, I noticed two of the button activators seemed special in that if I wrote a button value to their addresses, that button was actually pressed once in a while at some random intervals; as oppose to the other 102 button activators acting as per usual.
I've only tested about 1/4 of all the button activators, so far, all the breakpoints are either within the 8000xxxx range, or nothing seems to happen when the register's edited. And these breakpoints are shared by the activators. I'm not sure if I can find additional breakpoints for the rest of the activators. Is it possible that even if a BP doesn't show the characteristics you've described, that it can still be a valid BP?
The BP I mentioned the last time really seems to be the most promising of the lot, and this time I scrolled up:
804F6CDC: 881C0015 lbz r0,21(r28) ---"nop", results in random nunchuck button presses
804F6CE0: A0850000 lhz r4,0(r5) ---"nop", game cycles through wiimote buttons
804F6CE4: 7C0000F8 not r0,r0 ---"nop", nunchuck buttons held down by default
804F6CE8: 54006C64 rlwinm r0,r0,13,17,18 ---"nop", game presses/holds multiple random buttons
804F6CEC: 7C800378 or r0,r4,r0 ---"nop", no buttons will be registered
804F6CF0: B0050000 sth r0,0(r5) -----------BP
Btw, what does one shot mean?
When I was tinkering with button activators in Super Smash Bros Melee, I found it helpful to set a write BP on the pad data, and backtrace a bit to find an address that was the "source" of the address I had found. If you do that repeatedly, you're likely to find the "master" pad data address. Also, the behavior resulting from poking the pad data depends on your hook type. If the code handler executes after the pad data has been processed, poking it won't have any effect. If the code handler instead executes between the PadRead routine and the first time the pad data is read from the master pad data address, then poking will work. (As you might be able to guess, the PadRead hooktype is optimal, if it hooks. But since you're trying to find the PadRead function, I'm guessing that the PadRead hooktype didn't hook, otherwise you'd be using that result.)
Quote from: biolizard89 on September 04, 2011, 08:19:55 PM
Also, the behavior resulting from poking the pad data depends on your hook type. If the code handler executes after the pad data has been processed, poking it won't have any effect. If the code handler instead executes between the PadRead routine and the first time the pad data is read from the master pad data address, then poking will work. (As you might be able to guess, the PadRead hooktype is optimal, if it hooks. But since you're trying to find the PadRead function, I'm guessing that the PadRead hooktype didn't hook, otherwise you'd be using that result.)
This is not entirely true. During a breakpoint, the code handler is running non-stop. So if you poke during a breakpoint, the poke happens immediately. You can also change the registers during a breakpoint, which is kinda like poking.
Also, what signature does the PadRead hook look for?
Quote from: dcx2 on September 05, 2011, 05:19:52 PM
Quote from: biolizard89 on September 04, 2011, 08:19:55 PM
Also, the behavior resulting from poking the pad data depends on your hook type. If the code handler executes after the pad data has been processed, poking it won't have any effect. If the code handler instead executes between the PadRead routine and the first time the pad data is read from the master pad data address, then poking will work. (As you might be able to guess, the PadRead hooktype is optimal, if it hooks. But since you're trying to find the PadRead function, I'm guessing that the PadRead hooktype didn't hook, otherwise you'd be using that result.)
This is not entirely true. During a breakpoint, the code handler is running non-stop. So if you poke during a breakpoint, the poke happens immediately. You can also change the registers during a breakpoint, which is kinda like poking.
Also, what signature does the PadRead hook look for?
I'm aware that BP's would act differently from my description; I was referring to standard pokes (not during a BP). This made a difference with GeckoTunnel (GeckoTunnel pokes the pad data each time the code handler runs, which is why it only works properly with the PadRead hook). Obviously if you're in a BP then this isn't an issue. Sorry for any ambiguity.
Here are the PadRead hooks for GC games, from Neogamma (I assume GeckoOS Mod is the same):
const u32 hook0[11] = {
0x38000000, 0x9815000A, 0xA0150000, 0x5400066E, 0xB0150000, 0x3AF70001, 0x2C170004, 0x3B7B0004, 0x3B5A0002, 0x3B39000C, 0x3AB5000C
};
const u32 hook1[11] = {
0x38000000, 0x981F000A, 0xA01F0000, 0x5400066E, 0xB01F0000, 0x3AB50001, 0x2C150004, 0x3B18000C, 0x3BFF000C, 0x4180FCC0, 0x7EC3B378
};
const u32 hook2[11] = {
0x38000000, 0x981F000A, 0xA01F0000, 0x5400066E, 0xB01F0000, 0x3AB50001, 0x2C150004, 0x3B18000C, 0x3BFF000C, 0x4180FCC8, 0x7EC3B378
};
const u32 hook3[11] = {
0x38000000, 0x9817000A, 0xA0170000, 0x5400066E, 0xB0170000, 0x3B390001, 0x2C190004, 0x3B9C000C,0x3AF7000C, 0x4180FD6C, 0x7F43D378
};And here are the Wii equivalents, also from Neogamma (probably the same as GeckoOS)
const u32 kpadhooks[4] = {
0x9A3F005E,0x38AE0080,0x389FFFFC,0x7E0903A6
};
const u32 kpadoldhooks[6] = {
0x801D0060, 0x901E0060, 0x801D0064, 0x901E0064, 0x801D0068, 0x901E0068
};
const u32 joypadhooks[4] = {
0x3AB50001, 0x3A73000C, 0x2C150004, 0x3B18000C
};
const u32 wpadbuttonsdownhooks[4] = {
0x7D6B4A14, 0x816B0010, 0x7D635B78, 0x4E800020
};
const u32 wpadbuttonsdown2hooks[4] = {
0x7D6B4A14, 0x800B0010, 0x7C030378, 0x4E800020
};
So I couldn't find the padread function... but I'd like to revisit this idea with a different approach. Can I use one of those "universal" padread hooks to do a similar job? A few questions:
1. Could someone please briefly explain what a "pad hook" does? Is it an address for recording which buttons are pressed?
2. What do you mean by "hook"? When something is hooked, does it mean you now have recorded 1 of its addresses' location, and you can calculate all its other addresses' locations based on their relative location from that known address?
For the following example code:
Universal GC Pad hook[XeR]
4A000000 CD000000
14006430 A895A2F0
E0008000 80008000
3. Can I see what's at CD006430 in MemView? Even if I couldn't visually see what's at the address, a "14" code can write to it?
4. Why is the last line "E0008000", not "E0000000"?
5. Is a "one shot button" the same as a "delta activator"?
Thanks!
2) A hook is something that runs with something else.
For instance, assume you found the ASM address that decreases Mario's lives by 1 whenever he dies. You can then write a C2 code that "hooks" this ASM, and does something else (e.g. gives him 1 life). The "hook" means that the C2 code will run when that ASM address is executed.
Hooks are a prominent concept in programming.
1) A pad hook can either refer to the code handler's hook (i.e. call the code handler whenever the game reads from the pad), or in XeR's case it just means that he's forcing the pad to be read.
3) You may be able to see CD006430 in memview, but I'm not sure what you'd get. Look at YAGCD http://hitmen.c02.at/files/yagcd/yagcd/chap5.html#sec5.9 to see what this address does. It's the Serial Interface Poll Register.
4) I don't know why. Typo?
5) "one shot" is a generic term that means something happens the first time an event happens, but does not happen until the event stops. In the case of buttons, it means when you press the button, the effect only happens once. There are several ways to do one-shot activators. One of them are what I call "delta activators". Delta comes from the generic science term meaning 'difference'. Delta activators are calculated by XORing the last frame's button states with the current frames button states to detect what buttons changed (the "delta mask"). Delta activators are easy to use, but if the code handler's hook runs more than once per frame, delta activators can cause glitches where the activator runs twice (because the delta mask is only changed once per frame).
Thanks very much for answering all the questions, dcx2, even though I've never figured out how you manage to find the time to do that with everyone's on this forum!
If a pad hook works like the _______ in a C2______ code, then, I presume one could find relevant information pertaining to the pad around the hook. If so, some of that information might be hijacked into creating button spoofers... I suppose this was what biolizard89 was saying earlier. This sounds incredibly useful. And a lot of the PadRead hooks have already been found. Have you ever considered using one of those for the mapper/spoofer?
You're still a little confused, I think.
The GameCube controller is a very special case. XeR's "pad hook" is a misnomer; it just enables the serial subsystem in the Wii so that it is allowed to read from the GameCube controller. It is not ASM, all it does is enable the controller for reading; some other ASM must still do the reading. If a game has no ASM for reading the controller and formatting the data, then nothing will happen.
Wait, is there a specific value for shaking?
Kinda?
The shake value in the Wiimote pad data is a vector sum of the XYZ accelerations. Typically, the sum is about 1.0. I found that modifying the sum directly didn't work very well. However, if you modify one of the base accelerations before the sum is calculated, you can cause the game to think you jerked the controller in that frame. The nunchuck also has a separate shake vector as well.
In this code, the Y axis acceleration is cranked up to 100 when a shake is spoofed.
uff I tried to find the shaking activator with greather and less than searches but I just failed. The original button activator hasn't the shaking values. How have you found them and what about XYZ? The shaking address is completely different from the wiimote PAD address or? I don't really get it :/
Look around the normal button activators in Memory Viewer with Auto Update on. Rotate and shake the controller and nunchuck. They jump right out at you. It may help to set Memory Viewer View Mode to Single.
uff thats not easy or maybe I understand it wrong. If I don't shake the wiimote, it should be 1.0? Because there are more than 20 addresses which changes their values when I shake it. However, I tried to nop them and it effected the wiimote buttons too.
what dcx2 said.
Find the delta activator first (the one that only uses the button values and it´s 32bit).
If you´ve found it, there should be the one shot button activator +4 bytes.
Below that area should be some random floats. Keep an eye on them with auto-update on.
There´s stuff like shaking wiimote/nunchuck, twisting wiimote and a nunchuck stick activator can be found there, too. It consists of two addresses that change when you move the stick. ;)
You could also take one of dcx2´s shake nunchuck codes and analyse the address.
It´s almost equal for most games!
So it should be a 32 bit float and not only 16 bit like 0000FFFF and so on?
Quote from: Deathwolf on November 02, 2011, 08:29:32 PM
So it should be a 32 bit float and not only 16 bit like 0000FFFF and so on?
the delta activator always looks like this:
0000XXXX where XXXX is the button(s) that were pressed.
There should only be ONE in memory that´s like this (except for the one shot button activator(s))
Alright, I'm going to try that again. Thanks!
There are no 16 bit floats. Floats are either 32-bit (single precision) or 64-bit (double precision).
Do NOT use the Search tab to look for this. It will be very hard. Just go to the memview tab, go to the button activator address, change view mode to Single, enable auto-update, and shake the Wiimote. You'll see the values appear.
For instance, the new Kirby's activator address is 8080D08A. So go there and do the MemView auto-update Single thing.
Alright I found it.
8080D094 is the shaking address. I just noped the ASM address and I was not able to enable shake-attacks anymore.
Quote from: Deathwolf on November 02, 2011, 08:38:25 PM
Alright I found it.
8080D094 is the shaking address. I just noped the ASM address and I was not able to enable shake-attacks anymore.
awesome ;D
now find the nunchuck stick activators... :P
As I said above, if you try to write to the shake address, you will probably fail.
The "shake" is actually a vector sum of three floats, the X Y and Z accelerations. In order to spoof a shake, you should over-write one of the X Y or Z accelerations. This value would influence the shake value.
Quote from: dcx2 on November 02, 2011, 08:47:35 PM
As I said above, if you try to write to the shake address, you will probably fail.
The "shake" is actually a vector sum of three floats, the X Y and Z accelerations. In order to spoof a shake, you should over-write one of the X Y or Z accelerations. This value would influence the shake value.
true! then I found something new. One of these registers enables auto-shaking.
8006B194: D0040000 stfs f0,0(r4) is the original
Then I just changed f0 to f3 and when I press A+B on the GCC it enables shaking. It writes to XYZ.
So heres the code with shaking:
82000000 CD006404
82000001 CD006408
82000002 CD00640C
C206B07C 00000015
9421FFB0 BDC10008
3EA00000 62B50000
3DC0CD00 A18E6404
71950002 2C150000
41820008 60000004
71950001 2C150000
41820008 60000008
71950004 2C150000
41820008 60000001
71950100 2C150000
41820008 60000100
71950200 2C150000
41820008 60000200
71950008 2C150000
41820008 60000002
71951000 2C150000
41820008 60000010
71951000 2C150000
41820008 60001000
90030000 B9C10008
38210050 00000000
4A000000 CD006404 #shaking
38000000 00000380
0406B194 D0640000
E2100000 00000000
0406B194 D0040000
E0000000 80008000
8080D020 00000000 00000000 00000000 00000000
8080D030 00000000 00000000 00000000 00000000
8080D040 00000000 00000000 00000000 00000000
8080D050 00000000 00000000 00000000 00000000
8080D060 00000000 00000000 00000000 00000000
8080D070 00000000 00000000 00000000 00000000
8080D080 00000000 00000000 00000400 00000000
8080D090 00000000 *BD273D9F* BF840DB0 BE15E4F0
8080D0A0 3F857A7C 3809A270 00000000 00000000
8080D0B0 00000000 00000000 00000000 3F800000
8080D0C0 00000000 00000000 00000000 00000000
8080D0D0 3F800000 00000000 00000000 3F7DA7F9
8080D0E0 3E0A4009 00000001 00000000 00000000
8080D0F0 BF6806C0 BEC70F6B 3E88170C 3F82BDA3
8080D100 3682964F 00000000 00000000 00000000
8080D110 00000000 00000000 00000000 00000000
does this seem to be correct, dcx2?
Actually it should be^^
So, for a layperson such as myself :confused:, would there be a Mario Kart (RMCE01) code that I could load into Code Manager to remap the shaking required for tricks and wheelies to the nunchuck's C button?
Wheelies need an upward (y axis?) acceleration from the wiimote, which also seems sufficient for tricks. So, I suppose that's the address to find.
Thanks in advance to the geniuses who figure this out.
If RMCE01 uses the same pad read function, then yes my code would work. You would need a button activator that would write to the shake spoof. I believe the code already uses the Y axis to shake.
I don't do much Wii hacking anymore (moved on to the PC), so I can't really offer you much more help.
So, in this portion:
00010002 00040008 # LLLLRRRR DDDDUUUU
00100000 00000080 # ++++WWWW NNNNXXXX
01000200 04000800 # 22221111 BBBBAAAA
10002000 40008000 # ----ZZZZ CCCCHOME
Do I just replace the 4000? What with?
Is that all I'd need to do?
No, that's for remapping. You don't want to remap buttons, you just want to spoof a shake.
Given the original code (and not Y.S. modification for 4-players and rapid-fire), the following code will read the button state from gr10, and if the C button is held then it will write 0x20 to gr12. You still need the full original code (which would read from gr12 and then spoof the shake). The first three lines work in conjunction with the rest of the code. This allows you to easily change which button spoofs the shake without rewriting the whole code.
28001830 BFFF4000
04001838 00000020
E0000000 80008000
F6000001 80048100
2809FFFF 40820008
D200000C 0000001B
9421FFB0 BDC10008
3D808000 48000025
00010002 00040008
00100000 00000080
01000200 04000800
10002000 40008000
39C00010 39E00001
3A000000 3A200000
7E4802A6 A27F0018
2C133FDA 41800008
51E72EB4 A27F0074
2C133FDA 41800008
51E73672 7CF37839
4182000C 7E728A2E
7E109B78 3A310002
55EF083C 35CEFFFF
40A2FFE4 828C1838
72930060 7E109B78
72130020 4182000C
3E6042C8 927F0010
72130040 4182000C
3E6042C8 927F0070
70F30060 7E109B78
90EC1830 920C1834
7E878378 B9C10008
38210050 70E09FFF
60000000 00000000
E0000000 80008000
I just loaded that into a GCT file with code manager, but it had no effect. :(
Your game probably uses a different pad read function. This code is not nearly as universal as I had hoped.