I'm forced to do a simple RAM write using ASM, since the address of interest always moves in memory.
I attempted a pointer search, which failed with 0 results. Afterwards I used cmpwi's to make sure that my ASM always writes to the right address, but that didn't work out either, since the instruction I set my BP Read on was still used for too many addresses (hence the freeze).
I need some help walking the call stack to finally create this code, since it seems impossible to use this hook.
Registers (Read)
[spoiler] CR:42000488 XER:00000000 CTR:8054BA68 DSIS:00400000
DAR:930FE764 SRR0:80682BF0 SRR1:00009032 LR:80682B98
r0:00000000 r1:900C9BA8 r2:802459C0 r3:93058300
r4:93058300 r5:00003C00 r6:00002459 r7:0000889B
r8:9311CCB0 r9:00008765 r10:93094300 r11:930CDF40
r12:930C06D0 r13:80244680 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:00000000
r20:80BD25C0 r21:93130920 r22:808A6F80 r23:80935CB0
r24:00000000 r25:00001463 r26:00007FB5 r27:930B8890
r28:93113E50 r29:00000006 r30:80BC0000 r31:00000000[/spoiler]
Function (Read)
[spoiler]80682AE4: 9421FFD0 stwu r1,-48(r1)
80682AE8: 7C0802A6 mflr r0
80682AEC: 90010034 stw r0,52(r1)
80682AF0: 39610030 addi r11,r1,48
80682AF4: 4B9DB385 bl 0x8005de78
80682AF8: 7C781B78 mr r24,r3
80682AFC: 7CB92B78 mr r25,r5
80682B00: 2C030001 cmpwi r3,1
80682B04: 2C030001 cmpwi r3,1
80682B08: 4082000C bne- 0x80682b14
80682B0C: 38000001 li r0,1
80682B10: 48000008 b 0x80682b18
80682B14: 38000001 li r0,1
80682B18: 3FC080BC lis r30,-32580
80682B1C: 80BE7710 lwz r5,30480(r30)
80682B20: 547F103A rlwinm r31,r3,2,0,29
80682B24: 7C65F82E lwzx r3,r5,r31
80682B28: 7C040214 add r0,r4,r0
80682B2C: 54002036 rlwinm r0,r0,4,0,27
80682B30: 7C630214 add r3,r3,r0
80682B34: A343000E lhz r26,14(r3)
80682B38: 2C1A0000 cmpwi r26,0
80682B3C: 41820238 beq- 0x80682d74
80682B40: 2C180001 cmpwi r24,1
80682B44: 4082000C bne- 0x80682b50
80682B48: 38001400 li r0,5120
80682B4C: 48000008 b 0x80682b54
80682B50: 38003C00 li r0,15360
80682B54: 807E7710 lwz r3,30480(r30)
80682B58: 7C63F82E lwzx r3,r3,r31
80682B5C: 7C1A0214 add r0,r26,r0
80682B60: 54002036 rlwinm r0,r0,4,0,27
80682B64: 7F830214 add r28,r3,r0
80682B68: 801C0008 lwz r0,8(r28)
80682B6C: 541D06FE rlwinm r29,r0,0,27,31
80682B70: 2C180001 cmpwi r24,1
80682B74: 4082000C bne- 0x80682b80
80682B78: 3B601400 li r27,5120
80682B7C: 48000008 b 0x80682b84
80682B80: 3B603C00 li r27,15360
80682B84: 7F03C378 mr r3,r24
80682B88: 7F24CB78 mr r4,r25
80682B8C: 801C0008 lwz r0,8(r28)
80682B90: 5405C23E rlwinm r5,r0,24,8,31
80682B94: 4BFFD379 bl 0x8067ff0c
80682B98: 7C1B1A14 add r0,r27,r3
80682B9C: 54002036 rlwinm r0,r0,4,0,27
80682BA0: 807E7710 lwz r3,30480(r30)
80682BA4: 7C83F82E lwzx r4,r3,r31
80682BA8: 2C180001 cmpwi r24,1
80682BAC: 4082000C bne- 0x80682bb8
80682BB0: 38A01400 li r5,5120
80682BB4: 48000008 b 0x80682bbc
80682BB8: 38A03C00 li r5,15360
80682BBC: 807E7710 lwz r3,30480(r30)
80682BC0: 7C63F82E lwzx r3,r3,r31
80682BC4: 7C04022E lhzx r0,r4,r0
80682BC8: 7C002A14 add r0,r0,r5
80682BCC: 54002036 rlwinm r0,r0,4,0,27
80682BD0: 7F630214 add r27,r3,r0
80682BD4: 801B0008 lwz r0,8(r27)
80682BD8: 7C00EB78 or r0,r0,r29
80682BDC: 901B0008 stw r0,8(r27)
80682BE0: 2C1D0001 cmpwi r29,1
80682BE4: 41820090 beq- 0x80682c74
80682BE8: 801C0004 lwz r0,4(r28)
80682BEC: 901B0004 stw r0,4(r27)
80682BF0: 807C0004 lwz r3,4(r28) # Break
80682BF4: 381DFFFF subi r0,r29,1
80682BF8: 28000004 cmplwi r0,4
80682BFC: 40800118 bge- 0x80682d14
80682C00: 2C000000 cmpwi r0,0
80682C04: 40820040 bne- 0x80682c44
80682C08: 2C180001 cmpwi r24,1
80682C0C: 4082000C bne- 0x80682c18
80682C10: 38A00001 li r5,1
80682C14: 48000008 b 0x80682c1c
80682C18: 38A00001 li r5,1
80682C1C: 809E7710 lwz r4,30480(r30)
80682C20: 5700103A rlwinm r0,r24,2,0,29
80682C24: 7C84002E lwzx r4,r4,r0
80682C28: 7C032A14 add r0,r3,r5
80682C2C: 54002036 rlwinm r0,r0,4,0,27
80682C30: 7C840214 add r4,r4,r0
80682C34: A0640004 lhz r3,4(r4)
80682C38: 38030001 addi r0,r3,1
80682C3C: B0040004 sth r0,4(r4)
80682C40: 480000D4 b 0x80682d14
80682C44: 28000002 cmplwi r0,2
80682C48: 41810010 bgt- 0x80682c58
80682C4C: 7F04C378 mr r4,r24
80682C50: 4BFFB569 bl 0x8067e1b8
80682C54: 480000C0 b 0x80682d14
80682C58: 8803FFFF lbz r0,-1(r3)
80682C5C: 2C000000 cmpwi r0,0
80682C60: 408200B4 bne- 0x80682d14
80682C64: A083FFFC lhz r4,-4(r3)
80682C68: 38040001 addi r0,r4,1
80682C6C: B003FFFC sth r0,-4(r3)
80682C70: 480000A4 b 0x80682d14
80682C74: 2C180001 cmpwi r24,1
80682C78: 4082000C bne- 0x80682c84
80682C7C: 38A00001 li r5,1
80682C80: 48000008 b 0x80682c88
80682C84: 38A00001 li r5,1
80682C88: 807E7710 lwz r3,30480(r30)
80682C8C: 5700103A rlwinm r0,r24,2,0,29
80682C90: 7C63002E lwzx r3,r3,r0
80682C94: 809C0004 lwz r4,4(r28)
80682C98: 7C042A14 add r0,r4,r5
80682C9C: 54002036 rlwinm r0,r0,4,0,27
80682CA0: 7C630214 add r3,r3,r0
80682CA4: 80030008 lwz r0,8(r3)
80682CA8: 540006FE rlwinm r0,r0,0,27,31
80682CAC: 28000014 cmplwi r0,20
80682CB0: 40820024 bne- 0x80682cd4
80682CB4: 7F03C378 mr r3,r24
80682CB8: 4BFFE79D bl 0x80681454
80682CBC: 7C651B78 mr r5,r3
80682CC0: 907B0004 stw r3,4(r27)
80682CC4: 7F03C378 mr r3,r24
80682CC8: 809C0004 lwz r4,4(r28)
80682CCC: 4BFFFE19 bl 0x80682ae4
80682CD0: 48000044 b 0x80682d14
80682CD4: 909B0004 stw r4,4(r27)
80682CD8: 809C0004 lwz r4,4(r28)
80682CDC: 2C180001 cmpwi r24,1
80682CE0: 4082000C bne- 0x80682cec
80682CE4: 38A00001 li r5,1
80682CE8: 48000008 b 0x80682cf0
80682CEC: 38A00001 li r5,1
80682CF0: 807E7710 lwz r3,30480(r30)
80682CF4: 5700103A rlwinm r0,r24,2,0,29
80682CF8: 7C63002E lwzx r3,r3,r0
80682CFC: 7C042A14 add r0,r4,r5
80682D00: 54002036 rlwinm r0,r0,4,0,27
80682D04: 7C830214 add r4,r3,r0
80682D08: A0640004 lhz r3,4(r4)
80682D0C: 38030001 addi r0,r3,1
80682D10: B0040004 sth r0,4(r4)
80682D14: 2C180001 cmpwi r24,1
80682D18: 4082000C bne- 0x80682d24
80682D1C: 38001400 li r0,5120
80682D20: 48000008 b 0x80682d28
80682D24: 38003C00 li r0,15360
80682D28: 807E7710 lwz r3,30480(r30)
80682D2C: 7C63F82E lwzx r3,r3,r31
80682D30: 7C1A0214 add r0,r26,r0
80682D34: 54002036 rlwinm r0,r0,4,0,27
80682D38: 7C630214 add r3,r3,r0
80682D3C: A083000E lhz r4,14(r3)
80682D40: 2C040000 cmpwi r4,0
80682D44: 41820030 beq- 0x80682d74
80682D48: 2C180001 cmpwi r24,1
80682D4C: 4082000C bne- 0x80682d58
80682D50: 38001400 li r0,5120
80682D54: 48000008 b 0x80682d5c
80682D58: 38003C00 li r0,15360
80682D5C: 807E7710 lwz r3,30480(r30)
80682D60: 7C63F82E lwzx r3,r3,r31
80682D64: 7C040214 add r0,r4,r0
80682D68: 54002036 rlwinm r0,r0,4,0,27
80682D6C: 7F43022E lhzx r26,r3,r0
80682D70: 4BFFFDD0 b 0x80682b40
80682D74: 39610030 addi r11,r1,48
80682D78: 4B9DB14D bl 0x8005dec4
80682D7C: 80010034 lwz r0,52(r1)
80682D80: 7C0803A6 mtlr r0
80682D84: 38210030 addi r1,r1,48
80682D88: 4E800020 blr [/spoiler]
Call Stack (Read)
[spoiler]80682BF0
8068344C
80682080
806896E0
8068F7EC
80690160
80692108
805066F0
80597070
80597368
8058841C
800B535C[/spoiler]
Registers (Write)
[spoiler] CR:48000888 XER:00000000 CTR:8068B89C DSIS:02400000
DAR:930FE764 SRR0:806831C4 SRR1:0000B032 LR:8068B900
r0:00000001 r1:900C8A98 r2:802459C0 r3:00683040
r4:00000000 r5:93058300 r6:00000000 r7:00000000
r8:930FE760 r9:00006C1C r10:931004C0 r11:900C8AA8
r12:00000000 r13:80244680 r14:00000000 r15:00000000
r16:9346B920 r17:00000000 r18:00001CAE r19:00000000
r20:00000D35 r21:80BD25D8 r22:808A6F80 r23:80935CB0
r24:80BC7728 r25:80BD7728 r26:00000000 r27:000047A6
r28:00001F62 r29:000003EB r30:930FE760 r31:80BD25D0
[/spoiler]
function (write)
[spoiler]806830E4: 9421FFF0 stwu r1,-16(r1)
806830E8: 7C0802A6 mflr r0
806830EC: 90010014 stw r0,20(r1)
806830F0: 93E1000C stw r31,12(r1)
806830F4: 93C10008 stw r30,8(r1)
806830F8: 7C661B78 mr r6,r3
806830FC: 7CBF2B78 mr r31,r5
80683100: 2C040000 cmpwi r4,0
80683104: 418200C8 beq- 0x806831cc
80683108: 3CA080BC lis r5,-32580
8068310C: 80A57710 lwz r5,30480(r5)
80683110: 5460103A rlwinm r0,r3,2,0,29
80683114: 7CA5002E lwzx r5,r5,r0
80683118: 2C030001 cmpwi r3,1
8068311C: 38003C00 li r0,15360
80683120: 40820008 bne- 0x80683128
80683124: 38001400 li r0,5120
80683128: 7C040214 add r0,r4,r0
8068312C: 54002036 rlwinm r0,r0,4,0,27
80683130: 7FC50214 add r30,r5,r0
80683134: 809E0004 lwz r4,4(r30)
80683138: 801E0008 lwz r0,8(r30)
8068313C: 540306FE rlwinm r3,r0,0,27,31
80683140: 3803FFFF subi r0,r3,1
80683144: 28000004 cmplwi r0,4
80683148: 40800060 bge- 0x806831a8
8068314C: 2C000000 cmpwi r0,0
80683150: 40820010 bne- 0x80683160
80683154: 7CC33378 mr r3,r6
80683158: 4BFFE671 bl 0x806817c8
8068315C: 4800004C b 0x806831a8
80683160: 28000002 cmplwi r0,2
80683164: 41810010 bgt- 0x80683174
80683168: 7CC33378 mr r3,r6
8068316C: 4BFFB219 bl 0x8067e384
80683170: 48000038 b 0x806831a8
80683174: 8804FFFF lbz r0,-1(r4)
80683178: 2C000000 cmpwi r0,0
8068317C: 4082002C bne- 0x806831a8
80683180: 3864FFFC subi r3,r4,4
80683184: A084FFFC lhz r4,-4(r4)
80683188: 2C040000 cmpwi r4,0
8068318C: 41820010 beq- 0x8068319c
80683190: 3804FFFF subi r0,r4,1
80683194: B0030000 sth r0,0(r3)
80683198: 48000010 b 0x806831a8
8068319C: 38800010 li r4,16
806831A0: 7CC53378 mr r5,r6
806831A4: 4BFF916D bl 0x8067c310
806831A8: 801E0008 lwz r0,8(r30)
806831AC: 54030034 rlwinm r3,r0,0,0,26
806831B0: 907E0008 stw r3,8(r30)
806831B4: 801F0004 lwz r0,4(r31)
806831B8: 7C600378 or r0,r3,r0
806831BC: 901E0008 stw r0,8(r30)
806831C0: 801F0000 lwz r0,0(r31)
806831C4: 901E0004 stw r0,4(r30) # Break
806831C8: 48000024 b 0x806831ec
806831CC: 1C030058 mulli r0,r3,88
806831D0: 3C8080BC lis r4,-32580
806831D4: 80847718 lwz r4,30488(r4)
806831D8: 7CA40214 add r5,r4,r0
806831DC: 8085003C lwz r4,60(r5)
806831E0: 80A50040 lwz r5,64(r5)
806831E4: 7FE6FB78 mr r6,r31
806831E8: 4BFFFCD9 bl 0x80682ec0
806831EC: 83E1000C lwz r31,12(r1)
806831F0: 83C10008 lwz r30,8(r1)
806831F4: 80010014 lwz r0,20(r1)
806831F8: 7C0803A6 mtlr r0
806831FC: 38210010 addi r1,r1,16
80683200: 4E800020 blr [/spoiler]
Call Stack (Write)
[spoiler]806831C4
8068B8FC
8068B8FC
8068FAB0
8068FEE8
805337F0
804F5E18
804EE840
8068A2C4
8068FAB0
8068FEE8
805336E4
804F6108
804F65A4
804DF780
804DFA04
804E022C
80559F38
804E22F8
804E28C4
804E419C
804E4380
80591D88
80592134
80592218
80596994
805774CC
805971DC
8059739C
8058841C
800B535C[/spoiler]
The good thing is that the assembly above does not move, and the call stack doesn't ever change either.
I read dcx2's tutorial, but I'm still a bit lost since I want to use BP Read this time.
I should try with BP Write instead (but execute breakpoints use multiple addresses!)
If you want my help, you'll need to tell me what game this is, and what it is that you're trying to do. Without knowing this function's purpose it will be difficult to understand what to do.
Quote from: dcx2 on June 25, 2011, 02:21:41 PM
If you want my help, you'll need to tell me what game this is, and what it is that you're trying to do. Without knowing this function's purpose it will be difficult to understand what to do.
This function counts your kills in a row (1 kill = 00000001, 2 kills = 00000002).
If you get killed, it's reset to 0 since the streak has ended.
Total kills are in mem80 and don't move at all, but this kill row is in mem90 and moves...
I'm wondering why it's so hard to code.
Same issues appear to happen with experience and rounds played.
Example:
8068D340: 80040000 lwz r0,0(r4)
8068D344: 90030000 stw r0,0(r3) # Break
8068D348: 4E800020 blr
r0 comes from r4.
Let's walk the stack.
...
80689D5C: 7E84A378 mr r4,r20 # r20 is put in r4, where does r20 come from?
80689D60: 480035E1 bl 0x8068d340 # caller
...
80689CE8: 2C000000 cmpwi r0,0
80689CEC: 41820084 beq- 0x80689d70
80689CF0: 82810244 lwz r20,580(r1) # r20 comes from r1 + 580 (let´s execute this BP)
[spoiler] CR:42000488 XER:00000000 CTR:80689C68 DSIS:02400000
DAR:930A8944 SRR0:80689CF0 SRR1:0000B032 LR:80689CA4
r0:00000006 r1:900C9C28 r2:802459C0 r3:80BD25B8
r4:00003C00 r5:00000FA9 r6:93094300 r7:93130C50
r8:00009C95 r9:930C0A50 r10:0025FE46 r11:900C9EC8
r12:80517310 r13:80244680 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:00000000
r20:00000FA9 r21:930AF6C0 r22:808A6F80 r23:80935CB0
r24:80BC7728 r25:80BD7728 r26:00000000 r27:00000000
r28:00002006 r29:00001CCB r30:00009C95 r31:00009C95[/spoiler]
r1 is unchanged. 580 + r1 = 900C9E6C
Let´s check in memory....
Oh, it's an address that changes all the time! That doesn't help.
r1 is the stack pointer. Anything that lives on the stack will die when the function ends. Usually, some other function will be called, and that stack space will be used for something completely different. That's why you see it constantly changing.
At your breakpoint, go to the Disassembler and hit Copy All Frames. You probably won't be able to paste it into the forum, because it's too large, so attach it as a text file.
---
You also said you tried a code before. What did you try?
---
My guess is this is the Conduit (2) or GoldenEye.
copy all frames while in a breakpoint?
Btw. it's not Conduit 2 or GoldenEye.
I tried to use cmpwi's on that hook, but it wasn't possible with those registers (I couldn't make it write only to the right address...).
I pressed Copy All Frames while in a BP Write on it. It dumped lots of stuff and asked me "Could not find, continue?" I pressed yes and then geckodotnet froze up.
EDIT:
It happened again. Is there a way to approach creating the code without using Copy All Frames?
EDIT 2:
Added write function, call stack and registers.
Can you please guide me somehow?
Copy All Frames would show you the whole call stack and the current breakpoint registers. As it stands now, I'd have to ask you over and over for all kinds of bits and pieces. It puts a complete picture into the clipboard. You could try pressing no.
EDIT: Black Ops? There's gotta be some reason you're not saying the game name.
would read or write be better?
Btw. yes, it's Black Ops, but it's just a host-only match score modifier.
...I suppose this doesn't really give you an advantage over other people, like increasing your chance at winning.
Build up some kills, then set a write breakpoint and die.
Quote from: dcx2 on June 25, 2011, 04:49:40 PM
Build up some kills, then set a write breakpoint and die.
There it is. ;D
The stw writes the value 00000000 because I got killed and the kills-in-a-row counter gets reset.
Are you sure that this will allow us to write any value to it?
Registers
[spoiler] CR:48000488 XER:00000000 CTR:80689CD8 DSIS:02400000
DAR:930E04E4 SRR0:8068D344 SRR1:0000B032 LR:80689D64
r0:00000000 r1:900C82B8 r2:802459C0 r3:930E04E4
r4:80BD25D0 r5:900C8330 r6:00000000 r7:93094300
r8:930E04E0 r9:000054C7 r10:930C09E0 r11:900C82B8
r12:00000000 r13:80244680 r14:00000000 r15:00000000
r16:9346B620 r17:00000000 r18:00001D6B r19:00000000
r20:80BD25D0 r21:930E04E0 r22:808A6F80 r23:80935CB0
r24:80BC7728 r25:80BD7728 r26:00000000 r27:00005F52
r28:0000166E r29:00000349 r30:00004C1E r31:000054C7
f0:FFC00000 f1:44908800 f2:59800004 f3:00000000
f4:3F800000 f5:3F000000 f6:BF800000 f7:3F800000
f8:BF800000 f9:3F800000 f10:BF800000 f11:3F800000
f12:41BC0000 f13:411B3B00 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:41C00000 f23:43480000
f24:425C0000 f25:43800000 f26:BF800000 f27:47800000
f28:431F41D8 f29:3F800000 f30:3F800000 f31:443B8000[/spoiler]
Function
[spoiler]8068D340: 80040000 lwz r0,0(r4)
8068D344: 90030000 stw r0,0(r3) #Break
8068D348: 4E800020 blr [/spoiler]
And Call Stack (if needed)
[spoiler]8068D344
80689D60 #whole function: http://www.mediafire.com/?fgcnhu3f0r0lbvm
8068FAB0
8068FEE8
805337F0
804F5E18
804EE840
8068A2C4
8068FAB0
8068FEE8
805336E4
804F6108
804F65A4
804F7F00
8050B6A8
805057A4
8050EC68
8050F6EC
80505E48
805067B0
80597070
80597368
8058841C
800B535C[/spoiler]
*The "could not find" message happens when the function is larger than .net is used to. It's not frozen; it can take up to 5 minutes, 10 on my retro ex. gov. laptop.