I can't seem to Copy All Frames. I'm at a BP; I right-click, Load Call Stack, then right-click, Copy All Frames, and get "can't find, continue searching?"
Then it comes up with this: [spoiler]See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.
************** Exception Text **************
System.IndexOutOfRangeException: Index was outside the bounds of the array.
at FTDIUSBGecko.USBGecko.Dump(UInt32 startdump, UInt32 enddump, Stream[] saveStream, Dump memdump)
at FTDIUSBGecko.USBGecko.Dump(UInt32 startdump, UInt32 enddump, Stream saveStream)
at GeckoApp.Disassembly.Disassemble(UInt32 address, Int32 commands)
at GeckoApp.MainForm.copyAllFramesToolStripMenuItem_Click(Object sender, EventArgs e)
at System.Windows.Forms.ToolStripItem.RaiseEvent(Object key, EventArgs e)
at System.Windows.Forms.ToolStripMenuItem.OnClick(EventArgs e)
at System.Windows.Forms.ToolStripItem.HandleClick(EventArgs e)
at System.Windows.Forms.ToolStripItem.HandleMouseUp(MouseEventArgs e)
at System.Windows.Forms.ToolStripItem.FireEventInteractive(EventArgs e, ToolStripItemEventType met)
at System.Windows.Forms.ToolStripItem.FireEvent(EventArgs e, ToolStripItemEventType met)
at System.Windows.Forms.ToolStrip.OnMouseUp(MouseEventArgs mea)
at System.Windows.Forms.ToolStripDropDown.OnMouseUp(MouseEventArgs mea)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
at System.Windows.Forms.ToolStrip.WndProc(Message& m)
at System.Windows.Forms.ToolStripDropDown.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
************** Loaded Assemblies **************
mscorlib
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3603 (GDR.050727-3600)
CodeBase: file:///C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
Gecko dNet
Assembly Version: 1.0.0.0
Win32 Version: 1.0.0.0
CodeBase: file:///C:/Documents%20and%20Settings/Patrangela/Desktop/Gecko2/Gecko%20dNet.exe
----------------------------------------
System.Windows.Forms
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3082 (QFE.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.
For example:
<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>
When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.
[/spoiler]
I walked the stack and found that mr r4,r27 is my hook, where r27 is the enemy's or the hero's damage input.
I figured that if I branch to after the DamageHP (store) when it's Damage(Enemy), then I stop the enemies from hurting.
This is my assembly, but I can't figure out the branch. (Even when I put the address into the disassembler, it comes up with an error about being "between mins and maxes".)
80095CE8 (address I'm hooking at)
stwu r1,-80(r1)
stmw r14,8(r1)
mr r4,r27
lis r14,-32678
ori r14,r14,48544
stw r14,0(r15)
cmpwi r4,15
beq- 0x140 -> this is how much further I have to go at the original address (80095DD4)
lmw r14,8(r1)
addi r1,r1,80
nop
Here's a log of what I've been doing.
You can't use Copy Frames while you're stepping through a C2 code. C2 codes screw with the parser. Once you're out of the C2 code, though, you can Copy All Frames again.
I started the game without any codes and still no success with copying all frames.
Can you load the call stack?
Can you Copy Function?
Can you Goto Function Start? And Goto Function End?
I can load the call stack, Goto Function Start and Goto Function End work, and I can Copy Function.
... very unusual...
For the second-to-last stack function I can't go to the beginning, but I can go to the end.
I found the stwu and still can't Copy Function.
Yeah, that second function is screwing everything up.
When you say "last", do you mean top or bottom? The top of the stack is the breakpoint instruction.
The way "Copy All Frames" works, is that it goes to each item in the call stack, finds the beginning and end, and dumps it all in the clipboard. If it can't find the start of a function it will freak out.
Can you manually determine the function's beginning and end, and copy/paste it here, so that I may determine why Gecko.NET is confused? Also, copy and paste the call stack listbox too, please.
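As an added example (mine, not Gecko dNet's code, which is not shown in this thread) of the Copy All Frames procedure dcx2 describes: bound each frame in the call stack by walking back to its prologue and forward to its epilogue, dump the words in between, and fail cleanly when a frame's start cannot be found instead of running off the end of the dump. The prologue/epilogue rule (`stwu r1,-N(r1)` starts a function, the next `blr` ends it), the base address and the memory image are all constructed assumptions for this example, not values taken from the thread.

```python
# Added example, not Gecko dNet's own code: "find the beginning and end of
# each call-stack frame, then dump it", with the failure case handled.
# Assumptions (not from the thread): a function starts at the nearest
# preceding `stwu r1,-N(r1)` and ends at the next `blr`; BASE and IMAGE are
# a constructed memory image, not a real dump.

BASE = 0x80096FF4  # assumed load address of the constructed image

IMAGE = [
    0x9421FFE0,  # 80096FF4  stwu r1,-32(r1)   <- start of function A
    0x7C0802A6,  # 80096FF8  mflr r0
    0x90010024,  # 80096FFC  stw r0,36(r1)
    0x60000000,  # 80097000  nop (body elided)
    0x80010024,  # 80097004  lwz r0,36(r1)
    0x7C0803A6,  # 80097008  mtlr r0
    0x38210020,  # 8009700C  addi r1,r1,32
    0x4E800020,  # 80097010  blr               <- end of function A
    0x38600001,  # 80097014  li r3,1           <- leaf function B: no stwu
    0x4E800020,  # 80097018  blr
]

STWU_OPCODE = 37
BLR = 0x4E800020


def read_word(addr):
    """Fetch one instruction word; an unbounded scan would eventually fail here."""
    idx = (addr - BASE) // 4
    if addr & 3 or idx < 0 or idx >= len(IMAGE):
        raise IndexError(f"{addr:08X} is outside the dumped image")
    return IMAGE[idx]


def is_stwu_r1(word):
    """stwu r1,-N(r1): opcode 37, rS = r1, rA = r1, negative displacement."""
    opcode = word >> 26
    rs = (word >> 21) & 31
    ra = (word >> 16) & 31
    return opcode == STWU_OPCODE and rs == 1 and ra == 1 and (word & 0x8000) != 0


def function_start(pc):
    """Walk backwards to the prologue; give up on reaching the previous function's blr."""
    addr = pc
    while addr >= BASE:
        word = read_word(addr)
        if is_stwu_r1(word):
            return addr
        if addr != pc and word == BLR:
            return None
        addr -= 4
    return None


def function_end(pc):
    """Walk forwards to the first blr."""
    addr = pc
    while addr < BASE + 4 * len(IMAGE):
        if read_word(addr) == BLR:
            return addr
        addr += 4
    return None


def can_copy_frame(pc):
    """True when both bounds exist, i.e. this frame would not choke the copy."""
    return function_start(pc) is not None and function_end(pc) is not None


def copy_frame(pc):
    """(start, end, words) of the function containing pc, or a clear error."""
    start, end = function_start(pc), function_end(pc)
    if start is None or end is None:
        raise ValueError(f"cannot find function bounds around {pc:08X}")
    return start, end, [read_word(a) for a in range(start, end + 4, 4)]


def copy_all_frames(call_stack):
    """Bound and dump every frame of the call stack; one unbounded frame aborts the lot."""
    return [copy_frame(pc) for pc in call_stack]


if __name__ == "__main__":
    for pc in (0x80097000, 0x80097014):
        print(f"{pc:08X}: bounded={can_copy_frame(pc)}")
```

A breakpoint inside the leaf function B (0x80097014) is the "can't find the start" case: the backward walk hits function A's `blr` before any `stwu r1`, and the copy stops with a readable error rather than indexing past the dump.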
Because I was doing this when I triggered the C2, I associated the crash with pressing the "yes, continue to search" button. It now works, and the call stack (all frames) is attached.
File too big >155k
Edit: the second of the bottom of the stack load
Edit 2.2: Correct edited functions attached
Edit 3:added subject to subject title
Explanations: Volatile output
80095DCC: 90040014 stw r0,20(r4) [spoiler]r4 = who is receiving the damage/repair[/spoiler]
Volatile input
80095DC8: 7C033A14 add r0,r3,r7 [spoiler]r0 = the quantity[/spoiler]
80095DC0: 80640014 lwz r3,20(r4) [spoiler]HP[/spoiler]
80095D80: 7CE83A14 add r7,r8,r7
80095D6C: 80E400B4 lwz r7,180(r4) [spoiler]quantity of damage/repair[/spoiler]
80095D74: 810400B8 lwz r8,184(r4) [spoiler]might be repetitive damage/repair like poison[/spoiler]
Branch
80095CEC: 48000059 bl 0x80095d44 [spoiler]This transfers to the damage function[/spoiler]
Non Volatile transfer
80095CE8: 7F64DB78 mr r4,r27 [spoiler]the victim is chosen by r27[/spoiler]
80095CB8: 7F60EA14 add r27,r0,r29
80095CB4: 801A0358 lwz r0,856(r26) [spoiler]is a pointer which then has a value of 0 or 1 (0 when there is no battle)[/spoiler]
At your breakpoint, r7 is the amount of damage being done. r3 probably holds the current health, gotten from 80095DC0: 80640014 lwz r3,20(r4). Then the add r0,r3,r7 is what subtracts from your health.
---
Your goal is to prevent the enemy from hurting you? You could try this, it doesn't even require a C2 code. Just replace 80095D80: 7CE83A14 add r7,r8,r7 with an li r7,0 instead. This may have unintended side-effects, like preventing you from healing, or preventing you from hurting enemies.
---
It also looks like 160(r27) has some sort of "invincibility" bit. If it's set, it ends up skipping over all the calls to damage.
80095CC8: 801B00A0 lwz r0,160(r27)
80095CCC: 540005EF rlwinm. r0,r0,0,23,23
80095CD0: 41820020 beq- 0x80095cf0
You are right, it does make everything invincible.
If I change r30, it makes everything add 9999.
Okay, you have two options now.
1) Find some way to determine friend from foe. Hook the add r7,r8,r7 and set r7 to 0 when the target is a friend.
2) Find a different hook, perhaps entirely unrelated to this hook, but one that only runs on friends. Use this hook to set the invincibility bit, and it will only get set for friends. Then you won't need to hook the damage function at all.
Wouldn't this do it?
stwu r1,-80(r1)
stmw r14,8(r1)
mr r4,r27
lis r14,-32678
ori r14,r14,48544
stw r14,0(r15)
cmpwi r4,15
beq- 0x????
addi r1,r1,80
nop
where r4 will determine who it is and the beq will go to the end of the attack.
80095CC8: 801B00A0 lwz r0,160(r27)
80095CCC: 540005EF rlwinm. r0,r0,0,23,23
80095CD0: 41820020 beq- 0x80095cf0
I can add 80095CC8 lis r0,1 under the beq, or 80095CB0 lis r30,1, which makes the enemy's attack a 9999 repair.
No.
You can't do relative branches in C2 codes. Relative branches are "current address + branch displacement". C2 codes live in the code handler. Your beq- would go 0x140 bytes after the instruction in the code handler, not 0x140 bytes after the hook address (which was your intention).
Also, if you only need one register, there's no point in making a stack frame. Just use r12.
What are you trying to do with stw r14,0(r15)?
Why are you comparing r4 to 15?
EDIT: please include an address when you're describing what you're trying to hook or over-write. Telling me "lis r0,1" means nothing, because it doesn't say *where* you are adding it.
At address 80095CE8 I can see that r4 is either 10 or 20,
which means that either 10 or 20 is the friends or the foes.
Are you sure about that?
80095CE8: 7F64DB78 mr r4,r27
The value in r4 is lost at this instruction. If it had a value, that value came from the bl just before it, so you should look there to see how r4 came to have this value that you believe discriminates between friend and foe.
80095CE0: 48001315 bl 0x80096ff4
OK, I will.
How about this, if I'm right:
80095CE8
stwu r1,-80(r1)
stmw r14,8(r1)
lis r14,-32678
ori r14,r14,48544
stw r14,0(r15)
cmpwi r4,15
mr r4,r27
beq- NO_ADD
lmw r14,8(r1)
addi r1,r1,80
NO_ADD:
lis r30,1
That will definitely crash. You created a stack frame, and then sometimes you don't release it.
Yeah, I see that, hmmm.
Here's the function: [spoiler]80096FF4: 9421FFE0 stwu r1,-32(r1)
80096FF8: 7C0802A6 mflr r0
80096FFC: 90010024 stw r0,36(r1)
80097000: BF410008 stmw r26,8(r1)
80097004: 7C7A1B78 mr r26,r3
80097008: 7C9B2378 mr r27,r4
8009700C: 3B800000 li r28,0
80097010: 8004009C lwz r0,156(r4)
80097014: 83E40558 lwz r31,1368(r4)
80097018: 540003DF rlwinm. r0,r0,0,15,15
8009701C: 83A40548 lwz r29,1352(r4)
80097020: 83DF0078 lwz r30,120(r31)
80097024: 41820018 beq- 0x8009703c
80097028: 80040098 lwz r0,152(r4)
8009702C: 3BA0000A li r29,10
80097030: 540006B9 rlwinm. r0,r0,0,26,28
80097034: 41820008 beq- 0x8009703c
80097038: 3BA00000 li r29,0
8009703C: 80040514 lwz r0,1300(r4)
80097040: 2C000000 cmpwi r0,0
80097044: 40820154 bne- 0x80097198
80097048: 800400A0 lwz r0,160(r4)
8009704C: 54000529 rlwinm. r0,r0,0,20,20
80097050: 4082001C bne- 0x8009706c
80097054: 8004000C lwz r0,12(r4)
80097058: 2C000001 cmpwi r0,1
8009705C: 40820024 bne- 0x80097080
80097060: 80040098 lwz r0,152(r4)
80097064: 54000529 rlwinm. r0,r0,0,20,20
80097068: 41820018 beq- 0x80097080
8009706C: 7FE3FB78 mr r3,r31
80097070: 38800010 li r4,16
80097074: 4BFCC251 bl 0x800632c4
80097078: 3B800001 li r28,1
8009707C: 48000010 b 0x8009708c
80097080: 7FE3FB78 mr r3,r31
80097084: 38800010 li r4,16
80097088: 4BFCC24D bl 0x800632d4
8009708C: 807B0098 lwz r3,152(r27)
80097090: 70603CC0 andi. r0,r3,15552
80097094: 40820010 bne- 0x800970a4
80097098: 801B009C lwz r0,156(r27)
8009709C: 70000082 andi. r0,r0,130
800970A0: 41820008 beq- 0x800970a8
800970A4: 3B800001 li r28,1
800970A8: 54600631 rlwinm. r0,r3,0,24,24
800970AC: 4182000C beq- 0x800970b8
800970B0: 3BA00009 li r29,9
800970B4: 4800001C b 0x800970d0
800970B8: 7060B347 andi. r0,r3,45895
800970BC: 40820010 bne- 0x800970cc
800970C0: 801B009C lwz r0,156(r27)
800970C4: 70000181 andi. r0,r0,385
800970C8: 41820008 beq- 0x800970d0
800970CC: 3BA00003 li r29,3
800970D0: 801B000C lwz r0,12(r27)
800970D4: 38600000 li r3,0
800970D8: 907B051C stw r3,1308(r27)
800970DC: 2C000000 cmpwi r0,0
800970E0: 40820050 bne- 0x80097130
800970E4: 807B009C lwz r3,156(r27)
800970E8: 546007BD rlwinm. r0,r3,0,30,30
800970EC: 40820044 bne- 0x80097130
800970F0: 546003DF rlwinm. r0,r3,0,15,15
800970F4: 4082003C bne- 0x80097130
800970F8: 801B040C lwz r0,1036(r27)
800970FC: 2C000000 cmpwi r0,0
80097100: 40820030 bne- 0x80097130
80097104: 801A3EC0 lwz r0,16064(r26)
80097108: 540007FF rlwinm. r0,r0,0,31,31
8009710C: 41820024 beq- 0x80097130
80097110: 2C1C0000 cmpwi r28,0
80097114: 4082001C bne- 0x80097130
80097118: 38000001 li r0,1
8009711C: 901B051C stw r0,1308(r27)
80097120: 7FE3FB78 mr r3,r31
80097124: 38800010 li r4,16
80097128: 4BFCC19D bl 0x800632c4
8009712C: 3BA0000D li r29,13
80097130: 801B009C lwz r0,156(r27)
80097134: 540007BD rlwinm. r0,r0,0,30,30
80097138: 41820030 beq- 0x80097168
8009713C: 2C1D0009 cmpwi r29,9
80097140: 4182000C beq- 0x8009714c
80097144: 2C1D0003 cmpwi r29,3
80097148: 40820010 bne- 0x80097158
8009714C: 7FC3F378 mr r3,r30
80097150: 7FA4EB78 mr r4,r29
80097154: 4BFE02E5 bl 0x80077438
80097158: 7FC3F378 mr r3,r30
8009715C: 38800010 li r4,16
80097160: 4BFDFAC9 bl 0x80076c28
80097164: 4800001C b 0x80097180
80097168: 7FC3F378 mr r3,r30
8009716C: 7FA4EB78 mr r4,r29
80097170: 4BFE02C9 bl 0x80077438
80097174: 7FC3F378 mr r3,r30
80097178: 38800010 li r4,16
8009717C: 4BFDFABD bl 0x80076c38
80097180: 801B040C lwz r0,1036(r27)
80097184: 2C000000 cmpwi r0,0
80097188: 40820010 bne- 0x80097198
8009718C: 7F43D378 mr r3,r26
80097190: 7F64DB78 mr r4,r27
80097194: 4BFF7091 bl 0x8008e224
80097198: BB410008 lmw r26,8(r1)
8009719C: 80010024 lwz r0,36(r1)
800971A0: 7C0803A6 mtlr r0
800971A4: 38210020 addi r1,r1,32
800971A8: 4E800020 blr
[/spoiler]
If you're sure r4 discriminates, then you could try this. This assumes 0x10 = friend. If that's wrong, you'll need to switch the bne- to beq- instead.
hook 80095CE8: 7F64DB78 mr r4,r27
cmpwi r4,0x10
bne- _ENEMY
lwz r12,160(r27) # load word with invincibility flag
ori r12,r12,0x100 # set invincibility: rlwinm. ...,0,23,23 tests IBM bit 23 = 1 << (31-23) = 0x100
stw r12,160(r27) # store new word
_ENEMY:
mr r4,r27 # original instruction
EDIT: upon closer inspection, that might not work. The invincibility test is performed before the hook.
When the enemy attacks, r4 is 20.
0x20, or 0x14?
[spoiler] CR:82000428 XER:00000000 CTR:00000000 DSIS:02400000
DAR:805AD524 SRR0:80095CE4 SRR1:0000A032 LR:80095CE4
r0:80095CE4 r1:802BA680 r2:802B2020 r3:805AE128
r4:00000020 r5:00000000 r6:000000FF r7:00000000
r8:00000000 r9:0011C264 r10:0011C26C r11:000000CF
r12:80EF74E0 r13:802B0C80 r14:00020000 r15:802A9570
r16:00000273 r17:000001BE r18:00000006 r19:0000000D
r20:801FAF80 r21:00000000 r22:801FE200 r23:00010000
r24:801FE1C0 r25:801B9330 r26:80555CA8 r27:805ADB20
r28:00000004 r29:00001AC0 r30:00000000 r31:7FFFCE00
f0:00000000 f1:42040241 f2:424303C6 f3:87454387
f4:00800080 f5:00000000 f6:00000000 f7:59800004
f8:00000000 f9:00000000 f10:BF7FFFFE f11:3B888889
f12:3B4CCCCD f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:3FAF286C f27:3F800000
f28:3F99999A f29:59800000 f30:3F000000 f31:59800004[/spoiler]
The ONLY time you're allowed to drop hex notation is with an address.
Every single other time a number is in hex you must prefix with 0x or you will confuse the hell out of me.
---
Nothing puts 32 = 0x20 into r4 in the function you pasted. We need more info.
Use the Step Log. Set an XBP on 80095CDC first. Then set a Breakpoint Condition SRR0 == 80095CE4. Then press Step Until. This will show us where 0x20 comes from.
It skips it.
You have to make sure Active Conditions is NOT checked when you set the first execute BP. Otherwise, your BP address is 80095CDC but it won't break until SRR0 = 80095CE4, which can't possibly happen because every time it breaks it will break at 80095CDC.
AFTER you hit the breakpoint, then you can check the checkbox and press Step Until.
That's not what I meant. I meant that when I BP without the condition and then Step Until, it won't stop; it skips the mark.
It "skips the mark"? Even if it went past when it was supposed to stop, the Step Log will still have valid data.
It will stop, eventually. It might take a long time, depending on how complex the function is. But there's no possible way that you can set XBP on 80095CDC, and it won't execute 80095CE4 sooner or later.
It keeps going in loops.
Yeah, it will go in loops sometimes. A branch with a + hint marker is a sure sign of a branch that is going backwards as part of a loop.
Go make some coffee or something. It's not stuck and it will finish eventually.
There might be a problem with the way I was doing the branching off. It takes one hit to register this:
Enemies replenish you after damaging you.
C2095CE8 00000003
2C040020 40820008
3FC00001 7F64DB78
60000000 00000000
It's 1.23 megs! Here's the last bit.
Here's the log: [spoiler]http://www.mediafire.com/?asutsasmsrdhrk9[/spoiler]
While breaking at every address, I can see r4 change.
I figured that at
8008E358: 2C1F0000 cmpwi r31,0 r31 = FFFFFFFF
8008E35C: 41800010 blt- 0x8008e36c
will determine whether r4 changes or not.
8008E36C: 387E0608 addi r3,r30,1544 r3 = 80EF327C r30 = 805ACDC0
8008E370: 38800020 li r4,32 r4 = 00000000
8008E374: 4BFE88B5 bl 0x80076c28
I can't figure out the r31...
I revised my work, with dcx2's advice and found the right discriminator.
80095D68: 800400A0 lwz r0,160(r4)
And with his help we came up with this code:
C2095D68 00000005
800400A0 3D800009
618C0100 7C006000
4082000C 3980270F
91840014 540004E7
800400BC 00000000
This will make the enemy give the allies 9999 HP each time they hit them. At the same time, the allies can kick the enemies' butts!
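An added example (mine, not code from the thread or from Gecko dNet) that encodes the PowerPC instructions used in this thread and packs them into C2 codes. It reproduces both posted C2 codes word for word, and it makes two of dcx2's points concrete: a conditional branch is relative to the address it executes at, so the same `beq-` word lands in different places at the hook and inside the code handler, and `rlwinm. r0,r0,0,23,23` tests the mask 0x100 (IBM bit numbering, bit 0 = MSB), not 0x800000. The code handler address 0x80001800 is an assumed placeholder; the C2 padding rule (end on a zero word, with a nop first when the instruction count is even) is the standard Gecko convention.

```python
# Added example, not from the thread: minimal PowerPC encoder + Gecko C2 packer.
# Handler address below is an assumed placeholder, not a value from the thread.

def _imm16(v):
    """Low 16 bits of a signed or unsigned immediate."""
    return v & 0xFFFF

def lis(rd, imm):            return (15 << 26) | (rd << 21) | _imm16(imm)          # addis rd,0,imm
def li(rd, imm):             return (14 << 26) | (rd << 21) | _imm16(imm)          # addi rd,0,imm
def ori(ra, rs, uimm):       return (24 << 26) | (rs << 21) | (ra << 16) | _imm16(uimm)
def mr(ra, rs):              return (31 << 26) | (rs << 21) | (ra << 16) | (rs << 11) | (444 << 1)  # or ra,rs,rs
def lwz(rd, d, ra):          return (32 << 26) | (rd << 21) | (ra << 16) | _imm16(d)
def stw(rs, d, ra):          return (36 << 26) | (rs << 21) | (ra << 16) | _imm16(d)
def cmpwi(ra, simm):         return (11 << 26) | (ra << 16) | _imm16(simm)         # cr0
def cmpw(ra, rb):            return (31 << 26) | (ra << 16) | (rb << 11)           # cr0

def rlwinm_dot(ra, rs, sh, mb, me):
    return (21 << 26) | (rs << 21) | (ra << 16) | (sh << 11) | (mb << 6) | (me << 1) | 1

def bc(bo, bi, disp):
    """Conditional branch with a 16-bit relative displacement (BD field)."""
    return (16 << 26) | (bo << 21) | (bi << 16) | (disp & 0xFFFC)

def beq(disp): return bc(12, 2, disp)   # cr0 EQ set   (disassembles as beq-)
def bne(disp): return bc(4, 2, disp)    # cr0 EQ clear (disassembles as bne-)

NOP = 0x60000000                        # ori r0,r0,0

def ppc_bit_mask(n):
    """Mask tested by rlwinm. rX,rY,0,n,n (IBM numbering: bit 0 is the MSB)."""
    return 1 << (31 - n)

def bc_target(pc, word):
    """Where a relative bc executing at address pc really goes (BD is sign-extended)."""
    disp = word & 0xFFFC
    if disp & 0x8000:
        disp -= 0x10000
    return (pc + disp) & 0xFFFFFFFF

def c2_code(hook_addr, words):
    """Pack instruction words into Gecko C2 lines (two words per line).
    The payload must end in a zero word for the handler's branch back, so an
    even instruction count gets 'nop, 0' appended and an odd count gets '0'."""
    body = list(words) + ([NOP, 0] if len(words) % 2 == 0 else [0])
    lines = [f"C2{hook_addr & 0x01FFFFFF:06X} {len(body) // 2:08X}"]
    for i in range(0, len(body), 2):
        lines.append(f"{body[i]:08X} {body[i + 1]:08X}")
    return lines

# First posted code: hook mr r4,r27 at 80095CE8; when r4 == 0x20, r30 = 0x10000.
HOOK1 = 0x80095CE8
CODE1 = [cmpwi(4, 0x20), bne(8), lis(30, 1), mr(4, 27)]   # original instruction last

# Second posted code: hook lwz r0,160(r4) at 80095D68; when the word equals
# 0x00090100 (bit 23 mask 0x100 plus the 0x9 high half), store 9999 to HP at 20(r4).
HOOK2 = 0x80095D68
CODE2 = [lwz(0, 160, 4), lis(12, 9), ori(12, 12, 0x100), cmpw(0, 12), bne(0xC),
         li(12, 9999), stw(12, 20, 4), rlwinm_dot(0, 0, 0, 19, 19), lwz(0, 188, 4)]

HANDLER = 0x80001800   # assumed placeholder for where the code handler runs the payload

def relative_branch_demo(hook_addr, handler_addr, disp):
    """The same beq- word at the hook address vs. inside the code handler."""
    word = beq(disp)
    return bc_target(hook_addr, word), bc_target(handler_addr, word)

if __name__ == "__main__":
    print("\n".join(c2_code(HOOK1, CODE1)))
    print("\n".join(c2_code(HOOK2, CODE2)))
    print(f"rlwinm. bit 23 mask = 0x{ppc_bit_mask(23):X}")
    at_hook, in_handler = relative_branch_demo(HOOK1, HANDLER, 0x140)
    print(f"beq- 0x140: at hook -> {at_hook:08X}, in handler -> {in_handler:08X}")
```

`relative_branch_demo` is the point of dcx2's "no relative branches in C2 codes" warning: `beq- 0x140` placed at the hook would reach 80095E28, but the same word inside the handler reaches handler + 0x140, which is why the posted codes only branch forward within their own payload (`bne +8`, `bne +0xC`) and never back into the game's code.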