I began to do tests on the avatar's (Frodo Gamgee) y axis so that he can jump.
I've noticed that almost all addresses are executed by psq.
Nonetheless I persevered and found something correlated. The speed address.
Well, not exactly: if I nop the actual address, nothing seems to happen.
[spoiler]800DFD70: D01E0064 stfs f0,100(r30) bp writes here only if I'm walking not when I'm standing[/spoiler]
I walked the stack and found
800DFD44: EFE700B2 fmuls f31,f7,f2 and nopping this stops all the avatars from moving
There seem to be some addresses that are only executed when walking. I'll abbreviate this as EWW.
Function
[spoiler]
800DFB74: 9421FF30 stwu r1,-208(r1)
800DFB78: 7C0802A6 mflr r0
800DFB7C: 900100D4 stw r0,212(r1)
800DFB80: DBE100C0 stfd f31,192(r1)
800DFB84: F3E100C8 psq_st f31,200(r1),0,0
800DFB88: DBC100B0 stfd f30,176(r1)
800DFB8C: F3C100B8 psq_st f30,184(r1),0,0
800DFB90: DBA100A0 stfd f29,160(r1)
800DFB94: F3A100A8 psq_st f29,168(r1),0,0
800DFB98: DB810090 stfd f28,144(r1)
800DFB9C: F3810098 psq_st f28,152(r1),0,0
800DFBA0: 93E1008C stw r31,140(r1)
800DFBA4: 93C10088 stw r30,136(r1)
800DFBA8: 7C7E1B78 mr r30,r3 r30 for psq_l f7 and psq_l f9
800DFBAC: 93A10084 stw r29,132(r1)
800DFBB0: 83E301B4 lwz r31,436(r3)
800DFBB4: 819F0010 lwz r12,16(r31)
800DFBB8: 7FE3FB78 mr r3,r31
800DFBBC: 818C0340 lwz r12,832(r12)
800DFBC0: 7D8903A6 mtctr r12
800DFBC4: 4E800421 bctrl
800DFBC8: 801F0014 lwz r0,20(r31)
800DFBCC: 7C7D1B78 mr r29,r3
800DFBD0: 540004E7 rlwinm. r0,r0,0,19,19
800DFBD4: 4082025C bne- 0x800dfe30
800DFBD8: 819E0000 lwz r12,0(r30)
800DFBDC: 7FC3F378 mr r3,r30
800DFBE0: 818C00B0 lwz r12,176(r12)
800DFBE4: 7D8903A6 mtctr r12
800DFBE8: 4E800421 bctrl
800DFBEC: C11F002C lfs f8,44(r31)
800DFBF0: 39410038 addi r10,r1,56
800DFBF4: C3E29480 lfs f31,-27520(r2)
800DFBF8: 38E10040 addi r7,r1,64
800DFBFC: C0FF003C lfs f7,60(r31)
800DFC00: 39210048 addi r9,r1,72 r9 for psq_l f1
800DFC04: C09F004C lfs f4,76(r31)
800DFC08: 38C10050 addi r6,r1,80
800DFC0C: D0E1003C stfs f7,60(r1)
800DFC10: 39010058 addi r8,r1,88 r8 for psq_l f11 for or ps_madds0 fr9
800DFC14: C05F0030 lfs f2,48(r31)
800DFC18: 38A10060 addi r5,r1,96 r5 for psq_l f11
800DFC1C: D1010038 stfs f8,56(r1)
800DFC20: 38810068 addi r4,r1,104
800DFC24: C03F0040 lfs f1,64(r31)
800DFC28: 38610028 addi r3,r1,40
800DFC2C: C01F0050 lfs f0,80(r31)
800DFC30: D0410048 stfs f2,72(r1)
800DFC34: C0DF0034 lfs f6,52(r31)
800DFC38: D021004C stfs f1,76(r1)
800DFC3C: C0BF0044 lfs f5,68(r31)
800DFC40: D0010050 stfs f0,80(r1)
800DFC44: C07F0054 lfs f3,84(r31)
800DFC48: D3E10054 stfs f31,84(r1)
800DFC4C: E13E0254 psq_l f9,596(r30),0,0 f9 for ps_madds1f10 and ps_muls0 f10
800DFC50: E10A0000 psq_l f8,0(r10),0,0 f8 for ps_muls0 f10
800DFC54: E39F005C psq_l f28,92(r31),0,0
800DFC58: D0810040 stfs f4,64(r1)
800DFC5C: 11480258 ps_muls0 f10,f8,f9 f10 for ps_madds1 f10
800DFC60: 11A80718 ps_muls0 f13,f8,f28
800DFC64: E0290000 psq_l f1,0(r9),0,0 f1 for ps_madds1 f10
800DFC68: D3E10044 stfs f31,68(r1)
800DFC6C: E3C60000 psq_l f30,0(r6),0,0
800DFC70: 1141525E ps_madds1 f10,f1,f9,f10 f10 for ps_madds0 fr9
800DFC74: E0870000 psq_l f4,0(r7),0,0
800DFC78: 11A16F1E ps_madds1 f13,f1,f28,f13
800DFC7C: D0C10058 stfs f6,88(r1)
800DFC80: 11640258 ps_muls0 f11,f4,f9
800DFC84: E0FE025C psq_l f7,604(r30),0,0 f7 for ps_madds0 fr9
800DFC88: 11840718 ps_muls0 f12,f4,f28
800DFC8C: D0A1005C stfs f5,92(r1)
800DFC90: 10DE5A5E ps_madds1 f6,f30,f9,f11
800DFC94: E1680000 psq_l f11,0(r8),0,0 f11 for ps_madds0 fr9
800DFC98: C11F0068 lfs f8,104(r31)
800DFC9C: 10BE671E ps_madds1 f5,f30,f28,f12
800DFCA0: 112B51DC ps_madds0 f9,f11,f7,f10 f9 for ps_mul f12
800DFCA4: C09E0260 lfs f4,608(r30)
800DFCA8: E3BF0064 psq_l f29,100(r31),0,0
800DFCAC: D0610060 stfs f3,96(r1)[/spoiler]
800DFCB0: 11890272 ps_mul f12,f9,f9 f12?
800DFCB4: 106B6F5C ps_madds0 f3,f11,f29,f13
800DFCB8: C0429498 lfs f2,-27496(r2) f2
800DFCBC: D3E10064 stfs f31,100(r1)
800DFCC0: 118C6314 ps_sum0 f12,f12,f12,f12 f12? for fadds f7
800DFCC4: C0029490 lfs f0,-27504(r2)
800DFCC8: E1650000 psq_l f11,0(r5),0,0 f11 for fadds f3
800DFCCC: F0640000 psq_st f3,0(r4),0,0
800DFCD0: 114B31DC ps_madds0 f10,f11,f7,f6
800DFCD4: C0229494 lfs f1,-27500(r2)
800DFCD8: 10AB2F5C ps_madds0 f5,f11,f29,f5
800DFCDC: C0610068 lfs f3,104(r1)
800DFCE0: C0C1006C lfs f6,108(r1)
800DFCE4: FCE01850 fneg f7,f3
800DFCE8: FD605018 frsp f11,f10
800DFCEC: D1010074 stfs f8,116(r1)
800DFCF0: FCA02818 frsp f5,f5
800DFCF4: FCC03050 fneg f6,f6
800DFCF8: D0E10068 stfs f7,104(r1)
800DFCFC: EC6B02F2 fmuls f3,f11,f11 here's f3 for fadds f7
800DFD00: FCA02850 fneg f5,f5
800DFD04: D0C1006C stfs f6,108(r1)
800DFD08: ECE3602A fadds f7,f3,f12 here's f7 (cmp f7)
800DFD0C: D0A10070 stfs f5,112(r1)
800DFD10: F1230000 psq_st f9,0(r3),0,0
800DFD14: FC071040 fcmpo cr0,f7,f2 is this comparing?
800DFD18: D1410030 stfs f10,48(r1)
800DFD1C: D0810034 stfs f4,52(r1)
800DFD20: 4C401382 cror 2,0,2
800DFD24: 40820008 bne- 0x800dfd2c what was compared?
800DFD28: 48000020 b 0x800dfd48 hmm
800DFD2C: FC403834 fsqrte f2,f7 f2 start (bne-) EWW
800DFD30: EC6200B2 fmuls f3,f2,f2
800DFD34: EC020032 fmuls f0,f2,f0
800DFD38: EC6309FC fnmsubs f3,f3,f7,f1
800DFD3C: EC430032 fmuls f2,f3,f0 EWW
800DFD40: FC4238AE fsel f2,f2,f2,f7 here's f2 EWW
800DFD44: EFE700B2 fmuls f31,f7,f2 nopping this stops all the avatars from moving EWW
800DFD48: C0029480 lfs f0,-27520(r2) here's the bl NO EWW
[spoiler]800DFD4C: FC1F0000 fcmpu cr0,f31,f0
800DFD50: 418200A8 beq- 0x800dfdf8
800DFD54: C05D04A4 lfs f2,1188(r29)
800DFD58: FC001000 fcmpu cr0,f0,f2
800DFD5C: 4182001C beq- 0x800dfd78
800DFD60: C00294C8 lfs f0,-27448(r2)
800DFD64: EC3F07F2 fmuls f1,f31,f31
800DFD68: EC0000B2 fmuls f0,f0,f2
800DFD6C: EC010032 fmuls f0,f1,f0
800DFD70: D01E0064 stfs f0,100(r30) bp writes here only if I'm walking not when I'm standing
800DFD74: 48000008 b 0x800dfd7c
800DFD78: D01E0064 stfs f0,100(r30)
800DFD7C: 807E01B4 lwz r3,436(r30)
800DFD80: 38A10008 addi r5,r1,8
800DFD84: E03E0254 psq_l f1,596(r30),0,0
800DFD88: 38810010 addi r4,r1,16
800DFD8C: C04300C8 lfs f2,200(r3)
800DFD90: 38C10018 addi r6,r1,24
800DFD94: E01E025C psq_l f0,604(r30),0,0
800DFD98: 38610020 addi r3,r1,32
800DFD9C: 10210098 ps_muls0 f1,f1,f2
800DFDA0: E0BF005C psq_l f5,92(r31),0,0
800DFDA4: 10000098 ps_muls0 f0,f0,f2
800DFDA8: E09F0064 psq_l f4,100(r31),0,0
800DFDAC: F0250000 psq_st f1,0(r5),0,0
800DFDB0: F0040000 psq_st f0,0(r4),0,0
800DFDB4: C0610008 lfs f3,8(r1)
800DFDB8: C041000C lfs f2,12(r1)
800DFDBC: C0210010 lfs f1,16(r1)
800DFDC0: C0010014 lfs f0,20(r1)
800DFDC4: D0610018 stfs f3,24(r1)
800DFDC8: D041001C stfs f2,28(r1)
800DFDCC: E0460000 psq_l f2,0(r6),0,0
800DFDD0: D0210020 stfs f1,32(r1)
800DFDD4: 1025102A ps_add f1,f5,f2
800DFDD8: D0010024 stfs f0,36(r1)
800DFDDC: E0030000 psq_l f0,0(r3),0,0
800DFDE0: F03F005C psq_st f1,92(r31),0,0
800DFDE4: 1004002A ps_add f0,f4,f0
800DFDE8: D01F0064 stfs f0,100(r31)
800DFDEC: 801F0014 lwz r0,20(r31)
800DFDF0: 64000006 oris r0,r0,6
800DFDF4: 901F0014 stw r0,20(r31)
800DFDF8: E03F0064 psq_l f1,100(r31),0,0
800DFDFC: 7FE3FB78 mr r3,r31
800DFE00: E01F005C psq_l f0,92(r31),0,0
800DFE04: 389E0254 addi r4,r30,596
800DFE08: F01F00D0 psq_st f0,208(r31),0,0
800DFE0C: F03F00D8 psq_st f1,216(r31),0,0
800DFE10: 481E4599 bl 0x802c43a8
800DFE14: 38610028 addi r3,r1,40
800DFE18: 38810030 addi r4,r1,48
800DFE1C: E0030000 psq_l f0,0(r3),0,0
800DFE20: F01F032C psq_st f0,812(r31),0,0
800DFE24: E0040000 psq_l f0,0(r4),0,0
800DFE28: F01F0334 psq_st f0,820(r31),0,0
800DFE2C: D3FF037C stfs f31,892(r31)
800DFE30: 800100D4 lwz r0,212(r1)
800DFE34: E3E100C8 psq_l f31,200(r1),0,0
800DFE38: CBE100C0 lfd f31,192(r1)
800DFE3C: E3C100B8 psq_l f30,184(r1),0,0
800DFE40: CBC100B0 lfd f30,176(r1)
800DFE44: E3A100A8 psq_l f29,168(r1),0,0
800DFE48: CBA100A0 lfd f29,160(r1)
800DFE4C: E3810098 psq_l f28,152(r1),0,0
800DFE50: CB810090 lfd f28,144(r1)
800DFE54: 83E1008C lwz r31,140(r1)
800DFE58: 83C10088 lwz r30,136(r1)
800DFE5C: 83A10084 lwz r29,132(r1)
800DFE60: 7C0803A6 mtlr r0
800DFE64: 382100D0 addi r1,r1,208
800DFE68: 4E800020 blr
[/spoiler]
Log Attached (this log is 10x executed at every highlighted address except the bl (the bne is interesting) when standing, and then 10x walking)
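As an added illustration (my code, not part of the original post or the game), here is what the run from 800DFD14 to 800DFD44 in the listing above works out to, modelled in Python. The constants come from the r2 table (-27496, -27504 and -27500 off r2) and the log never shows their values, so I am assuming the usual ones for this idiom: a threshold of 0.0 for the fcmpo, and 0.5 and 3.0 for the fmuls/fnmsubs pair, which make the block a single Newton-Raphson refinement of the fsqrte estimate. Under those assumptions f31 ends up as the square root of f7, i.e. the length of the velocity, which is 0 when standing still and would be why the EWW instructions only run when walking. The `frsqrte_estimate` helper and its 5% error are constructed stand-ins for the hardware estimate.

```python
import math

# Added example, not code from the thread: a Python model of the instruction run
# 800DFD14..800DFD44 from the speed function above. Constant values are ASSUMED
# (the listing loads them from the r2 table and the thread never shows them):
#   f2 threshold = 0.0, f0 = 0.5, f1 = 3.0  (standard Newton-Raphson rsqrt constants)

def frsqrte_estimate(x, rel_err=0.05):
    """Stand-in for the hardware fsqrte: a deliberately rough 1/sqrt(x) guess
    (the real instruction is accurate to a few bits; the 5% error is constructed)."""
    return (1.0 + rel_err) / math.sqrt(x)

def fsel(fa, fc, fb):
    """fsel fD,fA,fC,fB: fD = fC if fA >= 0 else fB (PowerPC semantics)."""
    return fc if fa >= 0.0 else fb

def speed_from_squared_length(f7, estimate=frsqrte_estimate, f0=0.5, f1=3.0, f2=0.0):
    """f7 is the squared length already summed at 800DFD08 (fadds f7,f3,f12).
    Returns the value left in f31 at 800DFD44."""
    # 800DFD14 fcmpo cr0,f7,f2 ; 800DFD20 cror 2,0,2 ; 800DFD24 bne- 800DFD2C
    # cror folds LT into EQ, so the branch to the refinement is taken only when f7 > f2.
    if not (f7 > f2):
        # 800DFD28 b 800DFD48: f31 keeps the constant loaded at 800DFBF4 (assumed 0.0)
        return 0.0
    y = estimate(f7)          # 800DFD2C fsqrte  f2,f7        rough 1/sqrt(f7)
    f3 = y * y                # 800DFD30 fmuls   f3,f2,f2
    f0 = y * f0               # 800DFD34 fmuls   f0,f2,f0     0.5*y
    f3 = f1 - f3 * f7         # 800DFD38 fnmsubs f3,f3,f7,f1  3 - y^2*f7
    y = f3 * f0               # 800DFD3C fmuls   f2,f3,f0     Newton step: y*(1.5 - 0.5*f7*y^2)
    y = fsel(y, y, f7)        # 800DFD40 fsel    f2,f2,f2,f7  keep y unless it went negative
    return f7 * y             # 800DFD44 fmuls   f31,f7,f2    f7 * 1/sqrt(f7) == sqrt(f7)

def speed3(vx, vy, vz, **kw):
    """The three-component case: ps_mul/ps_sum0 on a pair plus fmuls on the third
    (800DFCB0, 800DFCC0, 800DFCFC, 800DFD08) give f7 = vx^2 + vy^2 + vz^2."""
    return speed_from_squared_length(vx * vx + vy * vy + vz * vz, **kw)

if __name__ == "__main__":
    print("standing:", speed_from_squared_length(0.0))
    print("walking, rough estimate:", speed_from_squared_length(25.0))
    print("walking, exact estimate:", speed3(3.0, 4.0, 0.0, estimate=lambda x: x ** -0.5))
```

One Newton step turns a 5% error in the estimate into well under 0.5%, which is why a single refinement is enough for a movement speed; the fsel guard is what keeps a bad estimate from producing a negative speed.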
Once in a while at the add r5,[r1,96] address [8069F2C6] the value equals 801A51B0 and the other times 00000000
In summary, I can walk this function back to mr r30,r3 and to r1 (I'm assuming that's the stwu). I'll post a function for r3 (I think it comes from the caller).
[spoiler]800DFA34: 9421FFF0 stwu r1,-16(r1)
800DFA38: 7C0802A6 mflr r0
800DFA3C: 90010014 stw r0,20(r1)
800DFA40: 93E1000C stw r31,12(r1)
800DFA44: 93C10008 stw r30,8(r1)
800DFA48: 7C7E1B78 mr r30,r3
800DFA4C: 80A301B4 lwz r5,436(r3)
800DFA50: 80050454 lwz r0,1108(r5)
800DFA54: 54000631 rlwinm. r0,r0,0,24,24
800DFA58: 41820048 beq- 0x800dfaa0
800DFA5C: 3C808064 lis r4,-32668
800DFA60: 38847040 addi r4,r4,28736
800DFA64: E0240000 psq_l f1,0(r4),0,0
800DFA68: E0040008 psq_l f0,8(r4),0,0
800DFA6C: F003025C psq_st f0,604(r3),0,0
800DFA70: F0230254 psq_st f1,596(r3),0,0
800DFA74: 80850558 lwz r4,1368(r5)
800DFA78: 80040004 lwz r0,4(r4)
800DFA7C: 2C000007 cmpwi r0,7
800DFA80: 40820020 bne- 0x800dfaa0
800DFA84: 800504B4 lwz r0,1204(r5)
800DFA88: 2C000001 cmpwi r0,1
800DFA8C: 4182000C beq- 0x800dfa98
800DFA90: 2C000002 cmpwi r0,2
800DFA94: 4082000C bne- 0x800dfaa0
800DFA98: C0029480 lfs f0,-27520(r2)
800DFA9C: D0030250 stfs f0,592(r3)
800DFAA0: 806301B4 lwz r3,436(r3)
800DFAA4: 80030484 lwz r0,1156(r3)
800DFAA8: 2C000000 cmpwi r0,0
800DFAAC: 41820018 beq- 0x800dfac4
800DFAB0: 80630484 lwz r3,1156(r3)
800DFAB4: 3C630001 addis r3,r3,1
800DFAB8: 8803A038 lbz r0,-24520(r3)
800DFABC: 2C000000 cmpwi r0,0
800DFAC0: 4182000C beq- 0x800dfacc
800DFAC4: 7FC3F378 mr r3,r30
800DFAC8: 48004D5D bl 0x800e4824
800DFACC: 801E0004 lwz r0,4(r30)
800DFAD0: 3BE00000 li r31,0
800DFAD4: 9BFE024B stb r31,587(r30)
800DFAD8: 2C000000 cmpwi r0,0
800DFADC: 4182004C beq- 0x800dfb28
800DFAE0: 819E0000 lwz r12,0(r30)
800DFAE4: 7FC3F378 mr r3,r30
800DFAE8: 818C002C lwz r12,44(r12)
800DFAEC: 7D8903A6 mtctr r12
800DFAF0: 4E800421 bctrl
800DFAF4: 2C030000 cmpwi r3,0
800DFAF8: 41820020 beq- 0x800dfb18
800DFAFC: 819E0000 lwz r12,0(r30)
800DFB00: 7FC3F378 mr r3,r30
800DFB04: 818C00A0 lwz r12,160(r12)
800DFB08: 7D8903A6 mtctr r12
800DFB0C: 4E800421 bctrl
800DFB10: 987E024A stb r3,586(r30)
[/spoiler]
800DFB14: 48000018 b 0x800dfb2c ---> let's have a look here next.
800DFB18: 7FC3F378 mr r3,r30 this is the r3 for the next r30
800DFB1C: 48000059 bl 0x800dfb74 this is the stwu of the speed function
800DFB20: 9BFE024A stb r31,586(r30)
800DFB24: 48000008 b 0x800dfb2c
800DFB28: 9BFE024A stb r31,586(r30)
800DFB2C: 819E0000 lwz r12,0(r30) this is the b
800DFB30: 7FC3F378 mr r3,r30
800DFB34: 818C0064 lwz r12,100(r12)
800DFB38: 7D8903A6 mtctr r12
800DFB3C: 4E800421 bctrl ---> 802D75BC....
800DFB40: 80010014 lwz r0,20(r1)
800DFB44: 83E1000C lwz r31,12(r1)
800DFB48: 83C10008 lwz r30,8(r1)
800DFB4C: 7C0803A6 mtlr r0
800DFB50: 38210010 addi r1,r1,16
800DFB54: 4E800020 blr
I'm starting to think that a copy all frames should do the trick...
All frames attached.
By the way, the feel for speed for this game is identical to Okami. Once you get to a certain amount of speed you accelerate again with a blurred vision.
For now I'm letting go of the speed and looking into a local y axis.
I'm determined to make Frodo Gamgee jump for my son. What kind of boy doesn't jump!! Come on!
I found the corresponding Y axis. BUT, it's activated when the avatar walks, and not by the button. PLUS, the avatars float right up to the sky and stay there... I have put a -1 float whenever I don't push the button but that doesn't seem to affect the avatar whatsoever ( the button condition that is)
Nonetheless, it's the right address. Now to find the Avatar(HERO).... I'll post an all frame next.
bl NO_DATA
.float 0x100
NO_DATA:
mflr r12
lfs f1,56(r3)
lfs f0,4(r28)
fadds f0,f0,f1
stfs f0,4(r28)
4E00000C 00000000
C2425ED4 00000004
48000009 42C80000
7D8802A6 C0230038
C01C0004 EC00082A
D01C0004 00000000
14000000 BF800000
2861F69A FBFF0400
14000000 42C80000
E0000000 80008000
All frames too large. Download here [spoiler]http://www.mediafire.com/?j4oh9t2a18i0qd0[/spoiler] Function Log attached.
It seems to me that
80425D6C: C002D54C lfs f0,-10932(r2) f0 = 0 r2 = 80662DC0 [8066030C] = B8D1B717
80425D70: FFE00890 fmr f31,f1 f31 = 4001 f1 = -2.12205
80425D74: FC010040 fcmpo cr0,f1,f0 f1 = -2.12205 f0 = -0.0001 r0 = 804262E8
80425D78: 41800018 blt- 0x80425d90
influences the right branch to the AVATAR(HERO)
so 80425D78 = AvatarBranch()
Hero's address is at r0= 804262E8 = 2C030000
r4 seems to be important! [spoiler]This is the discriminator or it r0. If r4 is the discriminator then Hero's discriminator = 00000001 [/spoiler]
80425D64: 38810158 addi r4,r1,344 r4 = 806A0DB8 r1 = 806A0C50
80425D68: 480003B9 bl 0x80426120
| 80426120: E0030000 psq_l f0,0(r3),0,0 f0 = -21050.7 r3 = 806A0F38 [806A0F38] = 00000000
| 80426124: E0240000 psq_l f1,0(r4),0,0 f1 = 2.12205 r4 = 806A0DA8 [806A0DA8] = C6A475B8
I've recently utilized an avatar discriminator for ff4 After Years which I think will be useful here
[spoiler]C2095D68 00000005
800400A0 3D800009
618C0100 7C006000
4082000C 3980270F
91840014 540004E7
800400BC 00000000[/spoiler]
So
lwz r0,160(r4)
lis r12,9
ori r12,r12,256
cmpw r0,r12
bne- 0x0C
li r12,9999
stw r12,20(r4)
rlwinm. r0,r0,0,19,19
lwz r0,188(r4)
And So
Load discriminator register
lis r12, with discriminator
ori r12, with discriminator end
cmpw r0 with r12
bne- _NOHERO
ASM
_NOHERO:
normal y axis address
hmmm r4 at the original bpwrite is always 00000001
and r0 = 00000004 all the time too... Even when I execute the asm address. not the real address (Avatar's y axis address).
so why is it that I trigger the y axis and it affects everyone?
Good thing that the original address only triggers when the avatar walks. If he stands then nothing happens.
Here are the cells
[spoiler] CR:44200488 XER:20000000 CTR:00000000 DSIS:02400000
DAR:81549370 SRR0:80425ED4 SRR1:0000B032 LR:80425ECC
r0:00000004 r1:8069EA70 r2:80662DC0 r3:8069EBB8
r4:00000001 r5:42480000 r6:4236FFB8 r7:8069EA60
r8:8069EF58 r9:8069ED48 r10:8069ED58 r11:8069EC60
r12:8069ED68 r13:80659220 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:00000000
r20:00000000 r21:00000000 r22:8069EE08 r23:8069EE18
r24:8069EF58 r25:8154936C r26:0000000F r27:0000000F
r28:8154936C r29:8069EEA8 r30:8069EEB8 r31:8069EFF8
f0:42480000 f1:423FAEFC f2:42480000 f3:4236FFB8
f4:34A20800 f5:00000000 f6:40AAAAA8 f7:00000000
f8:424C0000 f9:42240000 f10:42440000 f11:42200000
f12:3F800000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:457A1001 f29:3F10306F f30:3C730C05 f31:3ED806C2
[/spoiler]
When the actual address is bp write then only r5 and r6 change ( I assume they're axis). And f28 doesn't move
[spoiler]hehe replacing stfs f0,4(r28) with stfs f28,4(r28) brings everyone to heaven! lol. Once reactivated, everyone comes down to earth. It sure seems like they think they're going to hell with all of their arms wailing about like that.[/spoiler]
I think I figured it out. It was underneath my nose all the time. It's r28 the discriminator. I can compare r28 with the actual address for instance the hero's 8154936C -4 = 81549369 and if it equals it then activate flight.
Let's try it out
lfs f0,4(r28)
lis r12, 0x8154
ori r12, r12, 0x9370
fcmpw r0, r12
bne- _NOHERO
[spoiler]hmm, I guess I need to stack this... I'd have to load a button activator (2861F69A FBFF0400) cmpw it and then fadd float (so 4E00000x 00000000 at the beginning of the code)...[/spoiler]
_NOHERO:
stfs f0,4(r28)
does this work?
lfs f0,4(r28)
lis r12, 0x8154
ori r12, r12, 0x9370
fcmpo f1, f0,r12
bne- _NOHERO
bl NO_DATA
.float 0x100
NO_DATA:
mflr r12
lfs f1,0(r12)
lfs f0,4(r28)
fadds f0,f0,f1
stfs f0,4(r28)
_NOHERO:
stfs f0,4(r28)
Result
[spoiler]4E000024 00000000
C2425ED4 00000007
C01C0004 3D808154
618C9370 FC806040
40820020 48000009
42C80000 7D8802A6
C02C0000 C01C0004
EC00082A D01C0004
D01C0004 00000000
14000000 BF800000
2861F69A FBFF0400
14000000 42C80000
E0000000 80008000[/spoiler]
Makes only the Hero avatar walk (can't accelerate anymore) and all the avatars including the hero pass through hills... Almost..
Do I have the 4E000024 right??
I'm thinking 24 because I'm triggering the 42C80000 and so 9x4 = 36=24 in hex.
If I am right, why the hell isn't it triggering!!! I've got the button address correct too.
16 byte if equal then (28) with mask on for button B=400 ( mask FBFF) at the second half of the 32 byte (8061F698 = 8061F69A) = 2861F69A FBFF0400
Could it be the game that doesn't allow me?
I thought about the fcmpo and I changed it to a normal cmpw with a loaded r14 instead of comparing the float.
[spoiler]lfs f0,4(r28)
lwz r14,4(r28)
lis r12, 0x8154
ori r12, r12, 0x9370
cmpwi r14,r12[/spoiler]
Edit
lis r14, 0x8154
ori r14, r14, 0x936C
cmpw r28,r14
bne- _NOHERO
bl NO_DATA
.float 0x100
NO_DATA:
mflr r12
lfs f1,0(r12)
lfs f0,4(r28)
fadds f0,f0,f1
stfs f0,4(r28)
_NOHERO:
stfs f0,4(r28)
Original Code:
[spoiler]4E000028 00000000
C2425ED4 00000008
C01C0004 81DC0004
3D808154 618C9370
2C0E000C 40820020
48000009 42C80000
7D8802A6 C02C0000
C01C0004 EC00082A
D01C0004 D01C0004
60000000 00000000
14000000 BF800000
2861F69A FBFF0400
14000000 42C80000
E0000000 80008000[/spoiler]
I'll post a log of the code...
[spoiler]
80425ED4: 4BBDCA8C b 0x80002960
... ... ... ...
80002960: C01C0004 lfs f0,4(r28) f0 = 49.3577 r28 = 806A10BC [806A10C0] = BF800000
80002964: 81DC0004 lwz r14,4(r28) r14 = BF800000 r28 = 806A10BC [806A10C0] = BF800000
80002968: 3D808154 lis r12,-32428 r12 = 806A0A88
8000296C: 618C9370 ori r12,r12,37744 r12 = 81540000 r12 = 81540000
80002970: 2C0E000C cmpwi r14,12 r14 = BF800000
80002974: 40820020 bne- 0x80002994
... ... ... ...
80002994: D01C0004 stfs f0,4(r28) f0 = -1 r28 = 806A10BC [806A10C0] = BF800000
80002998: 60000000 nop
8000299C: 4842353C b 0x80425ed8
... ... ... ...
80425ED8: 38800002 li r4,2 r4 = 00000001
80425EDC: 4BFFF439 bl 0x80425314
| 80425314: 5480103A rlwinm r0,r4,2,0,29 r0 = 00000004 r4 = 00000002
| 80425318: 7C630214 add r3,r3,r0 r3 = 806A08D8 r3 = 806A08D8 r0 = 00000008
| 8042531C: 4E800020 blr LR = 80425EE0
80425EE0: C0030000 lfs f0,0(r3) f0 = -1 r3 = 806A08E0 [806A08E0] = 42210F34
80425EE4: D01C0008 stfs f0,8(r28) f0 = 40.2649 r28 = 806A10BC [806A10C4] = 00000000
80425EE8: C002D4D8 lfs f0,-11048(r2) f0 = 40.2649 r2 = 80662DC0 [80660298] = 3F800000
80425EEC: D01C000C stfs f0,12(r28) f0 = 1 r28 = 806A10BC [806A10C8] = 3F800000
80425EF0: 5760077B rlwinm. r0,r27,0,29,29 r0 = 00000008 r27 = 0000000F
80425EF4: 41820114 beq- 0x80426008
80425EF8: FC20F090 fmr f1,f30 f1 = 40.2649 f30 = 0.450341
80425EFC: 635A0004 ori r26,r26,4 r26 = 0000000F r26 = 0000000F
80425F00: 38610028 addi r3,r1,40 r3 = 806A08E0 r1 = 806A0790
80425F04: 4800030D bl 0x80426210
| 80426210: D0230000 stfs f1,0(r3) f1 = 0.450341 r3 = 806A07B8 [806A07B8] = 00000000
| 80426214: D0230004 stfs f1,4(r3) f1 = 0.450341 r3 = 806A07B8 [806A07BC] = 00000000
| 80426218: D0230008 stfs f1,8(r3) f1 = 0.450341 r3 = 806A07B8 [806A07C0] = 00000000
| 8042621C: D023000C stfs f1,12(r3) f1 = 0.450341 r3 = 806A07B8 [806A07C4] = 00000000
| 80426220: 4E800020 blr LR = 80425F08
80425F08: 7C641B78 mr r4,r3 r4 = 00000002 r3 = 806A07B8
80425F0C: 7F05C378 mr r5,r24 r5 = 42456E4A r24 = 806A0C78
80425F10: 38610038 addi r3,r1,56 r3 = 806A07B8 r1 = 806A0790
80425F14: 480002A9 bl 0x804261bc
| 804261BC: E0040000 psq_l f0,0(r4),0,0 f0 = 1 r4 = 806A07B8 [806A07B8] = 3EE6930A
| 804261C0: 9421FFE0 stwu r1,-32(r1) r1 = 806A0790 r1 = 806A0790 [806A0770] = 80000000
| 804261C4: E0450000 psq_l f2,0(r5),0,0 f2 = 49.3577 r5 = 806A0C78 [806A0C78] = 4247E81D[/spoiler]
by removing the first lfs f0 it allowed everything to be back to normal again... Why is it that the 4(r28)=bf800000 and never 42C80000?
It seems to me that each time I reload, the address is the same. Perhaps simply working with the gecko registers could work.
82200001 81549370
2861F69A FBFF0400
86000001 00001111
84200001 81549370
Even though the address seems to increase (remote address is correct) the Hero avatar doesn't lift/move/twitch.
82200001 81548A9C
2861F69A FBFF0400
86000001 00111111
84200001 81548A9C
It works at this address though!! yay!
Let's look for speed now. And I'll modify the jump (perhaps put a if greater than nop which would give it a jumping feel)
hmmm, what I'm looking for is if gr1 > then +100 than nop... Is that possible
Well, it seems that any address that implicates velocity has to be manipulated via ASM. Gecko Registers influence the address but not the Avatar. In fact the address' values turn right back to "normal" as soon as I activate the code. In conclusion, changing the values through ASM is a must.
As for the Jump (y axis), ASM would definitely improve the quality (smoothness) of the jump. The game prefers having all Avatars stick to the ground. So if I make the hero jump a meter high, it twitches. Sometimes he doesn't jump at all (value too small). Ultimately, the avatar has to jump into the sky to have some smoothness to it...
Nonetheless, it's the right address.
For Now enjoy Levitation
82200001 81548A9C
2861F69A FBFF0400
86000001 000F0000
E2000001 80008000
84200001 81548A9C
25548A9C 42EFFFFF
80000001 42EFFFFF
84200001 81548A9C
E0000000 80008000
pressing B levitates the hero to 42EFFFFF (Change this if needed due to certain cliffs; the avatar will pass through them)
While I was adjusting the y axis I found this
Avatars become invisible and can walk through walls
2861F69A F3FF0C00
04404480 60000000
CC000000 00000000
04404480 D0030044
E0000000 80008000
(AB to activate on/off condition)
I was successful in finding a discriminator for attack!!
address:800F4674
lis r14, 0x8154
ori r14, r14, 0x8AC4
cmpw r31,r14
bne- _NOHERO
fsubs f30,f31,f1
b _END
_NOHERO:
fadds f30,f31,f1
_END:
nop
which means that each time they attack the hero, it replenishes the hero and not the contrary! EXCELLENT!
[spoiler]C20F4674 00000005
3DC08154 61CE8AC4
7C1F7000 4082000C
EFDF0828 48000008
EFDF082A 60000000
60000000 00000000[/spoiler]
I'm going to have to do a slight adjustment. Healing properties (food) decrease hp.
So perhaps a button activator!
2861F69A FCFF0200
C20F4674 00000005
3DC08154 61CE8AC4
7C1F7000 4082000C
EFDF0828 48000008
EFDF082A 60000000
60000000 00000000
CC000000 00000000
040F4674 EFDF082A
E0000000 80008000
YAY if you press 2 it unlocks the code!
Edit1: I've noticed that each hero avatar has its own address and at different parts of the story.
Hook address:800F4674
lis r11,0x8154
ori r11,r11,0x8AC4 #load frodos 1st address
cmpw r31,r11 #compare frodo
beq- _REPLENISH
b _ARAGORN
_ARAGORN:
lis r11, 0x8155
ori r11,r11,0x9DC8 #load aragorn's address
cmpw r31,r11 #compare aragorn
beq- _REPLENISH
b _FRODO2
_FRODO2:
lis r11, 0x814E
ori r11,r11,0x88C4 #load frodo's 2nd address
cmpw r31,r11 #compare frodo
beq- _REPLENISH
b _ENEMY
_REPLENISH:
fsubs f30,f31,f1 #enemies replenish
b _END
_ENEMY:
fadds f30,f31,f1 #heros damage
_END:
nop
Function:
[spoiler]800F462C: 9421FFC0 stwu r1,-64(r1)
800F4630: 7C0802A6 mflr r0
800F4634: FC400A10 fabs f2,f1
800F4638: C00296A8 lfs f0,-26968(r2)
800F463C: 90010044 stw r0,68(r1)
800F4640: DBE10030 stfd f31,48(r1)
800F4644: FC020040 fcmpo cr0,f2,f0
800F4648: F3E10038 psq_st f31,56(r1),0,0
800F464C: DBC10020 stfd f30,32(r1)
800F4650: F3C10028 psq_st f30,40(r1),0,0
800F4654: 93E1001C stw r31,28(r1)
800F4658: 7C7F1B78 mr r31,r3
800F465C: 4080000C bge- 0x800f4668
800F4660: C0229690 lfs f1,-26992(r2)
800F4664: 48000084 b 0x800f46e8
800F4668: 81830000 lwz r12,0(r3)
800F466C: C3E30008 lfs f31,8(r3)
800F4670: 818C0014 lwz r12,20(r12)
800F4674: EFDF082A fadds f30,f31,f1 This is where I'm hooking at
800F4678: 7D8903A6 mtctr r12
800F467C: 4E800421 bctrl
800F4680: 5463043E rlwinm r3,r3,0,16,31
800F4684: 3C004330 lis r0,17200
800F4688: 90010008 stw r0,8(r1)
800F468C: C84296A0 lfd f2,-26976(r2)
800F4690: 9061000C stw r3,12(r1)
800F4694: 881F000D lbz r0,13(r31)
800F4698: C8010008 lfd f0,8(r1)
800F469C: C0229690 lfs f1,-26992(r2)
800F46A0: 2C000000 cmpwi r0,0
800F46A4: EC001028 fsubs f0,f0,f2
800F46A8: EC40F028 fsubs f2,f0,f30
800F46AC: FC0207AE fsel f0,f2,f30,f0
800F46B0: EC400828 fsubs f2,f0,f1
800F46B4: FC02082E fsel f0,f2,f0,f1
800F46B8: D01F0008 stfs f0,8(r31)
800F46BC: 41820024 beq- 0x800f46e0
800F46C0: FC000018 frsp f0,f0
800F46C4: FC000840 fcmpo cr0,f0,f1
800F46C8: 4C401382 cror 2,0,2
800F46CC: 40820014 bne- 0x800f46e0
800F46D0: C002968C lfs f0,-26996(r2)
800F46D4: FC20F850 fneg f1,f31
800F46D8: D01F0008 stfs f0,8(r31) this is where it writes
800F46DC: 4800000C b 0x800f46e8
800F46E0: C01F0008 lfs f0,8(r31)
800F46E4: EC20F828 fsubs f1,f0,f31
800F46E8: 80010044 lwz r0,68(r1)
800F46EC: E3E10038 psq_l f31,56(r1),0,0
800F46F0: CBE10030 lfd f31,48(r1)
800F46F4: E3C10028 psq_l f30,40(r1),0,0
800F46F8: CBC10020 lfd f30,32(r1)
800F46FC: 83E1001C lwz r31,28(r1)
800F4700: 7C0803A6 mtlr r0
800F4704: 38210040 addi r1,r1,64
800F4708: 4E800020 blr
[/spoiler]
Congrats, you found one of the very few hooks where r12 is not safe.
800F4668: 81830000 lwz r12,0(r3)
800F466C: C3E30008 lfs f31,8(r3)
800F4670: 818C0014 lwz r12,20(r12)
800F4674: EFDF082A fadds f30,f31,f1 This is where I'm hooking at
800F4678: 7D8903A6 mtctr r12
800F467C: 4E800421 bctrl
r12 is most definitely not safe in regions like this. (load r12/mtctr r12/bctrl) You can find a different hook, or use registers other than r12. r11-r5 are probably safe; prefer larger registers, so use r11 and then r10.
Specify addresses in hex. Frodo's address is in decimal and that hurts the eyes.
You can use just r11. Load Frodo into r11, cmpwi, beq- _HERO. After the beq-, you know that you aren't testing Frodo, so load Aragorn into r11, cmpwi, beq- _HERO. After that beq-, you must be an _ENEMY.
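An added example (my code, not from either poster and not from the game): a small two-pass assembler for just the mnemonics the hook snippets above use, plus the packing rule for Gecko C2 insert-ASM codes, so the hand-assembled lines can be checked mechanically instead of by eye. The hook address 800F4674 and the three avatar addresses are the values given in the posts above; the helper names, the r11-only fall-through chain (written the way the reply suggests) and the C3 form for 0x81xxxxxx hooks are my assumptions. The packing rule it encodes is the one visible in the posted codes: the count field is the number of 8-byte lines, and the block must end in a 00000000 word, so an even number of instructions gets a trailing `60000000 00000000` line while an odd number gets a single pad word.

```python
import re

# Added example (not code from the thread or the game): a two-pass assembler for the
# handful of mnemonics the hook snippets use, and a packer for Gecko "C2" insert-ASM
# codes. Hook and avatar addresses below are the values given in the posts; helper
# names and the C3 form for 0x81xxxxxx hooks are assumptions.

def _reg(tok):
    """'r11' / 'f30' -> 11 / 30."""
    m = re.fullmatch(r"[rf](\d+)", tok.strip())
    if not m:
        raise ValueError(f"bad register {tok!r}")
    return int(m.group(1))

def _imm(tok):
    return int(tok.strip(), 0) & 0xFFFF

# Encoders for the PowerPC D-, X-, B-, I- and A-form layouts used here.
def lis(rd, imm):        return (15 << 26) | (rd << 21) | imm                  # addis rD,0,imm
def ori(ra, rs, imm):    return (24 << 26) | (rs << 21) | (ra << 16) | imm     # rS bits 6-10, rA 11-15
def cmpw(ra, rb):        return (31 << 26) | (ra << 16) | (rb << 11)           # cmp cr0,0,rA,rB
def bc(bo, bi, disp):    return (16 << 26) | (bo << 21) | (bi << 16) | (disp & 0xFFFC)
def b(disp):             return (18 << 26) | (disp & 0x03FFFFFC)
def fsubs(fd, fa, fb):   return (59 << 26) | (fd << 21) | (fa << 16) | (fb << 11) | (20 << 1)
def fadds(fd, fa, fb):   return (59 << 26) | (fd << 21) | (fa << 16) | (fb << 11) | (21 << 1)
NOP = 0x60000000                                                                 # ori r0,r0,0

def assemble(src):
    """Two passes: collect labels (lines ending in ':'), then encode; '#' starts a comment."""
    items, labels = [], {}
    for raw in src.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = len(items)          # label -> index of the next instruction
            continue
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
        items.append((mnem.lower().rstrip("+-"), ops))   # branch hint suffix is ignored
    words = []
    for idx, (mnem, ops) in enumerate(items):
        rel = lambda label: (labels[label] - idx) * 4    # byte offset from this instruction
        if mnem == "lis":     words.append(lis(_reg(ops[0]), _imm(ops[1])))
        elif mnem == "ori":   words.append(ori(_reg(ops[0]), _reg(ops[1]), _imm(ops[2])))
        elif mnem == "cmpw":  words.append(cmpw(_reg(ops[0]), _reg(ops[1])))
        elif mnem == "bne":   words.append(bc(4, 2, rel(ops[0])))    # BO=4: branch if cr0[EQ] clear
        elif mnem == "beq":   words.append(bc(12, 2, rel(ops[0])))   # BO=12: branch if cr0[EQ] set
        elif mnem == "b":     words.append(b(rel(ops[0])))
        elif mnem == "fsubs": words.append(fsubs(*map(_reg, ops)))
        elif mnem == "fadds": words.append(fadds(*map(_reg, ops)))
        elif mnem == "nop":   words.append(NOP)
        else:
            raise ValueError(f"unsupported mnemonic: {mnem}")
    return words

def gecko_c2(hook, words):
    """Pack into a C2 code: count = number of 8-byte lines; block must end in a 00000000 word."""
    body = list(words) + ([NOP, 0] if len(words) % 2 == 0 else [0])
    lines = [f"C{2 | ((hook >> 24) & 1)}{hook & 0x00FFFFFF:06X} {len(body) // 2:08X}"]
    lines += [f"{body[i]:08X} {body[i + 1]:08X}" for i in range(0, len(body), 2)]
    return lines

HOOK = 0x800F4674        # fadds f30,f31,f1 in the damage function (from the thread)

# The poster's r14 version, exactly as listed in the post above.
FRODO_ONLY = """\
lis r14, 0x8154
ori r14, r14, 0x8AC4
cmpw r31,r14
bne- _NOHERO
fsubs f30,f31,f1
b _END
_NOHERO:
fadds f30,f31,f1
_END:
nop
"""

# The three-avatar check written the way the reply suggests: r11 only, a beq- chain,
# each miss falling through to the next test and finally to the enemy case.
THREE_HEROES = """\
lis r11,0x8154
ori r11,r11,0x8AC4      # Frodo, first address
cmpw r31,r11
beq- _HERO
lis r11,0x8155
ori r11,r11,0x9DC8      # Aragorn
cmpw r31,r11
beq- _HERO
lis r11,0x814E
ori r11,r11,0x88C4      # Frodo, second address
cmpw r31,r11
beq- _HERO
fadds f30,f31,f1        # anyone else takes damage as usual
b _END
_HERO:
fsubs f30,f31,f1        # the hero is replenished instead
_END:
nop
"""

def build_frodo_only():
    return gecko_c2(HOOK, assemble(FRODO_ONLY))

def build_three_heroes():
    return gecko_c2(HOOK, assemble(THREE_HEROES))

if __name__ == "__main__":
    print("\n".join(build_frodo_only()))
    print()
    print("\n".join(build_three_heroes()))
```

Running it reproduces the posted `C20F4674 00000005` block word for word, which is the check worth having before pasting a hand-assembled code into the game; the three-hero version comes out at nine lines and, as the reply notes, touches nothing but r11 and the condition register, so it stays clear of the r12/mtctr/bctrl sequence right after the hook.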
I remember when I tried doing the same thing. Like you, I just found an address that placed Frodo Gamgee way high in the sky. He'd then just drop down, sometimes out of bounds. So I gave up further attempts. BTW, great work on the invisibility code!! I hope you don't mind me using it. I can now try to enjoy exploring Middle-earth without seeing all of the little things that annoyed me about it, like those two kids that follow you everywhere and begin dancing when you stop moving :)
I love the fact that you are using the codes! I'll work more on the jump asm. Did you find the prairie beside Gamgee's place? It's quite nice! If you are looking at the map, it's the top left corner.
Good luck with the moon jump. I may actually try giving this game another chance now, perhaps create some different hacks for it or simply just enjoy it. It's amazing what some hacks allow the player to do. That little prairie near Bag End is quite nice. Sad how without these hacks, little nice places like that can't ever be seen. BTW, did you go further northeast? I was surprised to find Sam alone in a house!
lol, I'll try it out!
hehe, neat! An open house used for camera purposes. Don't move him though, he stays moved hehe. *Sits in the air.