I was trying to make a "monster doesn't notice you" code, so I found this address (9014BD7D) that changes based on how aware the monster is of your presence. It's 00 when they aren't aware of you, 02 when you have the yellow eye next to your name, and 01 when it's the red eye and they're attacking you. But here's what happens. I do a 00 code to write 00 to the address, and then the monster gets stuck when it spots you. It goes from yellow to nothing again and again very fast, and the monster is just stuck there. Could work as a freeze monster code. But that's not what I'm looking for. If I write 02 to the address, the eye goes from red to yellow and back very fast, and the monster goes into an infinite loop of spotting you, and therefore must roar. Very funny, but c'mon.
So I set a BP at 9014BD7D (this address gets read often for whatever reason; I think it was the same function, though) and tried nopping it, but then the monster freezes like I was writing 00 to the address. And that was the beginning of the function... I wanted to go up and maybe find something that happens before the alert status is updated... something that tells the game what to do when a monster should notice you.
So here are the registers, the function, and the call stack along with the instruction at each call. Copying each function at those addresses would've been too much to post.
[spoiler=registers and fregisters] CR:88200488 XER:00000000 CTR:00000004 DSIS:02400000
DAR:9014BD7D SRR0:80130788 SRR1:0000B032 LR:8012C8D4
r0:00000000 r1:807AD5E0 r2:8079DAA0 r3:9014B940
r4:00000002 r5:00000002 r6:00000000 r7:00000005
r8:00000000 r9:00000007 r10:807AD3D0 r11:807AD600
r12:0038208C r13:80798E20 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:9014CF70 r19:816884E8
r20:817C5000 r21:00000030 r22:00000003 r23:00000000
r24:00000000 r25:00000000 r26:9014B940 r27:00000000
r28:00000000 r29:00000000 r30:00000001 r31:00000000
f0:C58C077F f1:457A4363 f2:44E39C36 f3:BEA533DD
f4:52A44554 f5:35E1FA2E f6:3FFFF8EC f7:461B8FD9
f8:C87030FC f9:4908C2D6 f10:473932D9 f11:3D4BDC87
f12:360B9318 f13:3905E941 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:00000000 f31:00000000
[/spoiler]
Quote
80130784: 4D820020 beqlr- <-- in case it's relevant. But the function starts on the next line
80130788: 9883043D stb r4,1085(r3)
8013078C: 38000000 li r0,0
80130790: B0030442 sth r0,1090(r3)
80130794: 28050001 cmplwi r5,1
80130798: 4C820020 bnelr-
[spoiler=call stack]80130788/\
8012CC04: 4BFFFC6D bl 0x8012c870
80138700: 4BFF42AD bl 0x8012c9ac
801379CC: 48000871 bl 0x8013823c
80143D08: 4BFF3C15 bl 0x8013791c
8028CCB4: 4BEB6F61 bl 0x80143c14
8028D020: 4BFFFC5D bl 0x8028cc7c
8028C060: 48000D51 bl 0x8028cdb0
8004178C: 4E800421 bctrl
80046DB8: 4BFFA8DD bl 0x80041694
8003F3F4: 48007941 bl 0x80046d34
80006474: 48038DA5 bl 0x8003f218[/spoiler]
I'm not sure what the values in each register are, but looking at these:
r4:00000002 r5:00000002
One or both is/are what it's getting ready to write. Lagiacrus just saw me at this BP, so I'll have the yellow eye next to my name for like 1 second. So it's gonna change to 02. Looking at the asm, it looks like it uses r4 to write 02 to the address. And r5 to... compare something.
So I just want the monster to not even notice me, because when it does, if the value at 9014BD7D can't change, it just gets stuck. I think a code like this already exists, but it's not on the db, so now I'm looking for it. What do I do?
Did it work as intended to just do a "RAM write" to the address?
No. A 00 RAM write causes the monster to freeze because every frame it spots you but then it unspots you. A 02 RAM write causes the monster to roar forever because it's not sure if you're there, but then it sees you, so it roars. Those aren't desired results. What I want is for the monster to not see me at all. The address's value is spazzing between 01 and 00/02 every time the code handler executes, I guess, based on what's written.
Yup
80130788: 9883043D stb r4,1085(r3) # store r4 value to r3 +1085
80130794: 28050001 cmplwi r5,1 # compare logical immediate
I've been a bit busy lately, and there's a backlog of posts in this board that need addressing, but I told you I'd help with this, so here goes...
Quote from: Stuff on August 15, 2011, 07:33:03 AM
So I write BP at (this address gets read often for whatever reason. I think it was the same function, though)
You might want to enable the Step Log while taking BPs. It can be very useful for analyzing later.
The address is read very often because it probably says "is the monster in the idle state?" every frame. Then, if a monster is idle, it might then say "can the monster see the player?" Then, if it can see the player, it will over-write the value (and by now it's too late, the monster has "seen" you, and the game is just recording that fact) So you might want to try replacing the RBP with an li rX,0 instead. Then, whenever the game would ask if a monster is idle, the hack would say "why yes, the monster is in fact idle." EDIT: this will probably have the same effect as RAM-writing 0. You should also post the Copy Function for the RBP.
Quote
tried nopping it, but then the monster freezes like I was writing 00 to the address.
There might be more than one variable controlling "monster state". Or when it tries to go from 0 to 2, it initiates a sequence of events (e.g. change eye to yellow, roar, etc) for the rest of that frame, and then at the start of the next frame the monster state is still idle, so it re-initiates the sequence of events.
Quote
So here's the registers, the function, and the call stack along with the instruction at each 'call?' copying each function at those addresses would've been too much to post.
Yeah, copying the disassembly for the whole call stack ("Copy All Frames" on the disasm context menu) gathers all of this info into a single clipboard. But it's very large. You could try pastie. http://pastie.org/
Quote
80130784: 4D820020 beqlr- <-- in case it's relevant. But the function starts on the next line
80130788: 9883043D stb r4,1085(r3)
8013078C: 38000000 li r0,0
80130790: B0030442 sth r0,1090(r3)
80130794: 28050001 cmplwi r5,1
80130798: 4C820020 bnelr-
80130788/\
8012CC04: 4BFFFC6D bl 0x8012c870
80138700: 4BFF42AD bl 0x8012c9ac
Uh oh! That's not the whole function. =( Conditional blr's mess with Gecko.NET's ability to parse functions. The actual start of the function's address is given by the caller's bl = 8012C870. It doesn't look like there's a stack frame, so this is probably a leaf function. Since this address is kinda REALLY far away (about 0x4000-ish away from the start of the function!), and it looks like there are multiple conditional blr's, my guess is that 8012C870 probably shows ctr being loaded with something and then bctr to the appropriate section.
You'll need to go to 8012C870 and manually use Copy Visible to fill out the function. =(
Well, I did a read BP and it wasn't the same function. Whoops. This is a pretty long function:
[spoiler]800F3604: 9421FFC0 stwu r1,-64(r1)
800F3608: 7C0802A6 mflr r0
800F360C: 90010044 stw r0,68(r1)
800F3610: 39610040 addi r11,r1,64
800F3614: 483637DD bl 0x80456df0
800F3618: 7C781B78 mr r24,r3
800F361C: 38A00000 li r5,0
800F3620: 98A301D9 stb r5,473(r3)
800F3624: 3C800001 lis r4,1
800F3628: 3804FFFF subi r0,r4,1
800F362C: B00301DC sth r0,476(r3)
800F3630: 98A301E2 stb r5,482(r3)
800F3634: 98A301E5 stb r5,485(r3)
800F3638: 98A301E8 stb r5,488(r3)
800F363C: 98A301EB stb r5,491(r3)
800F3640: 98A301DA stb r5,474(r3)
800F3644: B00301DE sth r0,478(r3)
800F3648: 98A301E3 stb r5,483(r3)
800F364C: 98A301E6 stb r5,486(r3)
800F3650: 98A301E9 stb r5,489(r3)
800F3654: 98A301EC stb r5,492(r3)
800F3658: 98A301DB stb r5,475(r3)
800F365C: B00301E0 sth r0,480(r3)
800F3660: 98A301E4 stb r5,484(r3)
800F3664: 98A301E7 stb r5,487(r3)
800F3668: 98A301EA stb r5,490(r3)
800F366C: 98A301ED stb r5,493(r3)
800F3670: 38600000 li r3,0
800F3674: 4BFDC41D bl 0x800cfa90
800F3678: 2C030000 cmpwi r3,0
800F367C: 41820290 beq- 0x800f390c
800F3680: 3B232274 addi r25,r3,8820
800F3684: 38600002 li r3,2
800F3688: 4BFDC409 bl 0x800cfa90
800F368C: 7C7D1B78 mr r29,r3
800F3690: 2C030000 cmpwi r3,0
800F3694: 41820278 beq- 0x800f390c
800F3698: 4BFDBB81 bl 0x800cf218
800F369C: 5460063E rlwinm r0,r3,0,24,31
800F36A0: 28000002 cmplwi r0,2
800F36A4: 4182001C beq- 0x800f36c0
800F36A8: 4BFDBCDD bl 0x800cf384
800F36AC: 7C600774 extsb r0,r3
800F36B0: 1C000B20 mulli r0,r0,2848
800F36B4: 7FBD0214 add r29,r29,r0
800F36B8: 3B800000 li r28,0
800F36BC: 48000008 b 0x800f36c4
800F36C0: 3B9D0B20 addi r28,r29,2848
800F36C4: 482BA231 bl 0x803ad8f4
800F36C8: 5460063E rlwinm r0,r3,0,24,31
800F36CC: 2800000B cmplwi r0,11
800F36D0: 40820014 bne- 0x800f36e4
800F36D4: 7F03C378 mr r3,r24
800F36D8: 7FA4EB78 mr r4,r29
800F36DC: 4BFFFE11 bl 0x800f34ec
800F36E0: 4800022C b 0x800f390c
800F36E4: 482BA211 bl 0x803ad8f4
800F36E8: 5460063E rlwinm r0,r3,0,24,31
800F36EC: 28000006 cmplwi r0,6
800F36F0: 40820014 bne- 0x800f3704
800F36F4: 7F03C378 mr r3,r24
800F36F8: 7FA4EB78 mr r4,r29
800F36FC: 4BFFFE59 bl 0x800f3554
800F3700: 4800020C b 0x800f390c
800F3704: 3B400000 li r26,0
800F3708: 3B600000 li r27,0
800F370C: 7F1FC378 mr r31,r24
800F3710: 3AE00000 li r23,0
800F3714: 3AC00001 li r22,1
800F3718: 2C1A0003 cmpwi r26,3
800F371C: 408001F0 bge- 0x800f390c
800F3720: A0190006 lhz r0,6(r25)
800F3724: 2C000000 cmpwi r0,0
800F3728: 418201D4 beq- 0x800f38fc
800F372C: A8190004 lha r0,4(r25)
800F3730: 2C000000 cmpwi r0,0
800F3734: 418201C8 beq- 0x800f38fc
800F3738: 80190000 lwz r0,0(r25)
800F373C: 5403043E rlwinm r3,r0,0,16,31
800F3740: 3881000C addi r4,r1,12
800F3744: 38A10008 addi r5,r1,8
800F3748: 48050E99 bl 0x801445e0
800F374C: 5460063E rlwinm r0,r3,0,24,31
800F3750: 28000001 cmplwi r0,1
800F3754: 408201A8 bne- 0x800f38fc
800F3758: 8061000C lwz r3,12(r1)
800F375C: 88030000 lbz r0,0(r3)
800F3760: 2C000000 cmpwi r0,0
800F3764: 41820198 beq- 0x800f38fc
800F3768: 800301C8 lwz r0,456(r3)
800F376C: 540007FE rlwinm r0,r0,0,31,31
800F3770: 2C000000 cmpwi r0,0
800F3774: 41820188 beq- 0x800f38fc
800F3778: 480398B5 bl 0x8012d02c
800F377C: 2C030000 cmpwi r3,0
800F3780: 4082017C bne- 0x800f38fc
800F3784: 8061000C lwz r3,12(r1)
800F3788: A003001A lhz r0,26(r3)
800F378C: B01F01DC sth r0,476(r31)
800F3790: 7FD8D214 add r30,r24,r26
800F3794: 8061000C lwz r3,12(r1)
800F3798: 88030003 lbz r0,3(r3)
800F379C: 981E01E2 stb r0,482(r30)
800F37A0: 4BFDBA79 bl 0x800cf218
800F37A4: 5460063E rlwinm r0,r3,0,24,31
800F37A8: 28000002 cmplwi r0,2
800F37AC: 41820034 beq- 0x800f37e0
800F37B0: 8061000C lwz r3,12(r1)
800F37B4: 7FA4EB78 mr r4,r29
800F37B8: 480398FD bl 0x8012d0b4
800F37BC: 28030001 cmplwi r3,1
800F37C0: 40820018 bne- 0x800f37d8
800F37C4: 8061000C lwz r3,12(r1)
800F37C8: 889D0008 lbz r4,8(r29)
800F37CC: 4803E145 bl 0x80131910
800F37D0: 7C751B78 mr r21,r3
800F37D4: 4800008C b 0x800f3860
800F37D8: 3AA00000 li r21,0
800F37DC: 48000084 b 0x800f3860
800F37E0: 8061000C lwz r3,12(r1)
800F37E4: 7FA4EB78 mr r4,r29
800F37E8: 480398CD bl 0x8012d0b4
800F37EC: 28030001 cmplwi r3,1
800F37F0: 40820044 bne- 0x800f3834
800F37F4: 8061000C lwz r3,12(r1)
800F37F8: 889D0008 lbz r4,8(r29)
800F37FC: 4803E115 bl 0x80131910
800F3800: 7C751B78 mr r21,r3
800F3804: 2C030000 cmpwi r3,0
800F3808: 40820058 bne- 0x800f3860
800F380C: 8061000C lwz r3,12(r1)
800F3810: 7F84E378 mr r4,r28
800F3814: 480398A1 bl 0x8012d0b4
800F3818: 28030001 cmplwi r3,1
800F381C: 40820044 bne- 0x800f3860
800F3820: 8061000C lwz r3,12(r1)
800F3824: 889C0008 lbz r4,8(r28)
800F3828: 4803E0E9 bl 0x80131910
800F382C: 7C751B78 mr r21,r3
800F3830: 48000030 b 0x800f3860
800F3834: 8061000C lwz r3,12(r1)
800F3838: 7F84E378 mr r4,r28
800F383C: 48039879 bl 0x8012d0b4
800F3840: 28030001 cmplwi r3,1
800F3844: 40820014 bne- 0x800f3858
800F3848: 8061000C lwz r3,12(r1)
800F384C: 889C0008 lbz r4,8(r28)
800F3850: 4803E0C1 bl 0x80131910
800F3854: 48000008 b 0x800f385c
800F3858: 38600000 li r3,0
800F385C: 7C751B78 mr r21,r3
800F3860: 2C150000 cmpwi r21,0
800F3864: 4082000C bne- 0x800f3870
800F3868: 9AFE01E5 stb r23,485(r30)
800F386C: 48000008 b 0x800f3874
800F3870: 9ADE01E5 stb r22,485(r30)
800F3874: 8061000C lwz r3,12(r1)
800F3878: 88030003 lbz r0,3(r3)
800F387C: 28000014 cmplwi r0,20
800F3880: 4082003C bne- 0x800f38bc
800F3884: 8803043D lbz r0,1085(r3)
800F3888: 28000001 cmplwi r0,1
800F388C: 4182001C beq- 0x800f38a8
800F3890: 28000002 cmplwi r0,2
800F3894: 41820014 beq- 0x800f38a8
800F3898: 481BC3ED bl 0x802afc84
800F389C: 5460063E rlwinm r0,r3,0,24,31
800F38A0: 28000003 cmplwi r0,3
800F38A4: 4082000C bne- 0x800f38b0
800F38A8: 9ADE01EB stb r22,491(r30)
800F38AC: 48000008 b 0x800f38b4
800F38B0: 9AFE01EB stb r23,491(r30)
800F38B4: 9AFE01E8 stb r23,488(r30)
800F38B8: 48000038 b 0x800f38f0
800F38BC: 8803043D lbz r0,1085(r3) <-- BP was here the second time >.> (after I couldn't unpause and had to reset)
800F38C0: 28000001 cmplwi r0,1
800F38C4: 4082000C bne- 0x800f38d0
800F38C8: 9ADE01EB stb r22,491(r30)
800F38CC: 48000008 b 0x800f38d4
800F38D0: 9AFE01EB stb r23,491(r30)
800F38D4: 8061000C lwz r3,12(r1)
800F38D8: 8803043D lbz r0,1085(r3) <-- where the breakpoint was the 1st time
800F38DC: 28000002 cmplwi r0,2
800F38E0: 4082000C bne- 0x800f38ec
800F38E4: 9ADE01E8 stb r22,488(r30)
800F38E8: 48000008 b 0x800f38f0
800F38EC: 9AFE01E8 stb r23,488(r30)
800F38F0: 9ADE01D9 stb r22,473(r30)
800F38F4: 3BFF0002 addi r31,r31,2
800F38F8: 3B5A0001 addi r26,r26,1
800F38FC: 3B7B0001 addi r27,r27,1
800F3900: 3B390010 addi r25,r25,16
800F3904: 2C1B0006 cmpwi r27,6
800F3908: 4180FE10 blt+ 0x800f3718
800F390C: 39610040 addi r11,r1,64
800F3910: 4836352D bl 0x80456e3c
800F3914: 80010044 lwz r0,68(r1)
800F3918: 7C0803A6 mtlr r0
800F391C: 38210040 addi r1,r1,64
800F3920: 4E800020 blr [/spoiler]
I put the call stack for that in pastie. http://pastie.org/2381612
This is the function at 8012C870. Tried nopping that and the game froze a few seconds later. I guess a kelbi was there and the game didn't know what to do.
[spoiler]8012C870: 9421FFE0 stwu r1,-32(r1)
8012C874: 7C0802A6 mflr r0
8012C878: 90010024 stw r0,36(r1)
8012C87C: 39610020 addi r11,r1,32
8012C880: 4832A585 bl 0x80456e04
8012C884: 7C7A1B78 mr r26,r3
8012C888: 7C9E2378 mr r30,r4
8012C88C: 8803095C lbz r0,2396(r3)
8012C890: 28000004 cmplwi r0,4
8012C894: 4082000C bne- 0x8012c8a0
8012C898: 38600000 li r3,0
8012C89C: 480000F8 b 0x8012c994
8012C8A0: A8030916 lha r0,2326(r3)
8012C8A4: 2C000000 cmpwi r0,0
8012C8A8: 4081000C ble- 0x8012c8b4
8012C8AC: 38600000 li r3,0
8012C8B0: 480000E4 b 0x8012c994
8012C8B4: 8803038C lbz r0,908(r3)
8012C8B8: 540007FE rlwinm r0,r0,0,31,31
8012C8BC: 2C000000 cmpwi r0,0
8012C8C0: 4082000C bne- 0x8012c8cc
8012C8C4: 38600000 li r3,0
8012C8C8: 480000CC b 0x8012c994
8012C8CC: 38800002 li r4,2
8012C8D0: 48003EA9 bl 0x80130778
8012C8D4: 7F43D378 mr r3,r26
8012C8D8: 38800004 li r4,4
8012C8DC: 4800DFA9 bl 0x8013a884
8012C8E0: 28030001 cmplwi r3,1
8012C8E4: 408200AC bne- 0x8012c990
8012C8E8: 38600002 li r3,2
8012C8EC: 4BFA31E5 bl 0x800cfad0
8012C8F0: 547C043E rlwinm r28,r3,0,16,31
8012C8F4: 38600002 li r3,2
8012C8F8: 4BFA3199 bl 0x800cfa90
8012C8FC: 7C7D1B78 mr r29,r3
8012C900: 380000FF li r0,255
8012C904: 981A0798 stb r0,1944(r26)
8012C908: 3B600000 li r27,0
8012C90C: 3BE00001 li r31,1
8012C910: 57DE063E rlwinm r30,r30,0,24,31
8012C914: 48000058 b 0x8012c96c
8012C918: 881D0000 lbz r0,0(r29)
8012C91C: 2C000000 cmpwi r0,0
8012C920: 41820044 beq- 0x8012c964
8012C924: 887D0008 lbz r3,8(r29)
8012C928: 48000881 bl 0x8012d1a8
8012C92C: 2C030000 cmpwi r3,0
8012C930: 40820034 bne- 0x8012c964
8012C934: 5760063E rlwinm r0,r27,0,24,31
8012C938: 7FE00030 slw r0,r31,r0
8012C93C: 7FC00038 and r0,r30,r0
8012C940: 2C000000 cmpwi r0,0
8012C944: 41820020 beq- 0x8012c964
8012C948: 7F43D378 mr r3,r26
8012C94C: 7FA4EB78 mr r4,r29
8012C950: 48000765 bl 0x8012d0b4
8012C954: 2C030000 cmpwi r3,0
8012C958: 4182000C beq- 0x8012c964
8012C95C: 9B7A0798 stb r27,1944(r26)
8012C960: 48000018 b 0x8012c978
8012C964: 3B7B0001 addi r27,r27,1
8012C968: 3BBD0B20 addi r29,r29,2848
8012C96C: 5760063E rlwinm r0,r27,0,24,31
8012C970: 7C00E000 cmpw r0,r28
8012C974: 4180FFA4 blt+ 0x8012c918
8012C978: 7F43D378 mr r3,r26
8012C97C: 38800004 li r4,4
8012C980: 38A00000 li r5,0
8012C984: 48000471 bl 0x8012cdf4
8012C988: 38600001 li r3,1
8012C98C: 48000008 b 0x8012c994
8012C990: 38600000 li r3,0
8012C994: 39610020 addi r11,r1,32
8012C998: 4832A4B9 bl 0x80456e50
8012C99C: 80010024 lwz r0,36(r1)
8012C9A0: 7C0803A6 mtlr r0
8012C9A4: 38210020 addi r1,r1,32
8012C9A8: 4E800020 blr
[/spoiler]
I don't see where this goes to 80130788, though. Should I copy the other call stacks?
Another read BP, because li r0,0 changed nothing noticeable and the BP was different after assembling that. >.> It keeps finding a different Read BP if I change it. It's going in a pastie. http://pastie.org/2381859
Actually, one of the many Read BPs that I put li r0,0 in did give me the same effect that RAM writing 00 had, but this time it seems to be switching between all 3 values. And G Jaggi is able to turn to me this time. I must make a video of this. It's way too funny to waste. This is just one of those things.
-----
>.< I had a bad code activated that made my game freeze for trying to kick.
Ack, you're doing it wrong. =P
Hit the breakpoint. Go to disasm tab. Right click. "Copy All Frames". This does a Copy Function on every function in the Call Stack, as well as grabbing a copy of the current registers, and places it in the clipboard. It minimizes the amount of work you have to do.
Also, since there are a few read BPs, you should do another thing. On the BP tab, check Step Log. Then set a RWBP on the address of interest. Then just spam the Set Breakpoint button for a while, until at least two frames pass by (so that you can definitely identify the pattern of data accesses). In addition to a pastie of the Copy All Frames
Here you have a nice pyramid. I like. It can't fit in the post, so http://pastie.org/2382555.
You told me to spam RWBP, so I turbo-clicked it for about 1 minute. Not sure what you mean by 2 frames. I thought a BP pauses on that frame. This is what the pattern looks like:
[spoiler]800F38BC: 8803043D lbz r0,1085(r3) r0 = 0000000C r3 = 9014B940 [9014BD7D] = 00000000
800F38D8: 8803043D lbz r0,1085(r3) r0 = 00000000 r3 = 9014B940 [9014BD7D] = 00000000
801307B8: 8803043D lbz r0,1085(r3) r0 = 801298C0 r3 = 9014B940 [9014BD7D] = 00000000
80129830: 881F043D lbz r0,1085(r31) r0 = 00000003 r31 = 9014B940 [9014BD7D] = 00000000
8012BBA4: 8817043D lbz r0,1085(r23) r0 = 00000000 r23 = 9014B940 [9014BD7D] = 00000000
8012BBA4: 8817043D lbz r0,1085(r23) r0 = 00000000 r23 = 9014B940 [9014BD7D] = 00000000
8012BBA4: 8817043D lbz r0,1085(r23) r0 = 00000000 r23 = 9014B940 [9014BD7D] = 00000000
8012BBA4: 8817043D lbz r0,1085(r23) r0 = 00000000 r23 = 9014B940 [9014BD7D] = 00000000
8012BBA4: 8817043D lbz r0,1085(r23) r0 = 00000000 r23 = 9014B940 [9014BD7D] = 00000000
8012BBA4: 8817043D lbz r0,1085(r23) r0 = 00000000 r23 = 9014B940 [9014BD7D] = 00000000
8012BBA4: 8817043D lbz r0,1085(r23) r0 = 00000000 r23 = 9014B940 [9014BD7D] = 00000000
8012BBA4: 8817043D lbz r0,1085(r23) r0 = 00000000 r23 = 9014B940 [9014BD7D] = 00000000
8012BBA4: 8817043D lbz r0,1085(r23) r0 = 00000000 r23 = 9014B940 [9014BD7D] = 00000000
8012C9E0: 881A043D lbz r0,1085(r26) r0 = 000000FF r26 = 9014B940 [9014BD7D] = 00000000
8012CB44: 881A043D lbz r0,1085(r26) r0 = 00000000 r26 = 9014B940 [9014BD7D] = 00000000
8012CBD8: 881A043D lbz r0,1085(r26) r0 = 00000000 r26 = 9014B940 [9014BD7D] = 00000000
8012CC50: 881A043D lbz r0,1085(r26) r0 = 00000000 r26 = 9014B940 [9014BD7D] = 00000000
8034664C: 881D043D lbz r0,1085(r29) r0 = 00000000 r29 = 9014B940 [9014BD7D] = 00000000
8031E854: 881E043D lbz r0,1085(r30) r0 = 00000003 r30 = 9014B940 [9014BD7D] = 00000000
and repeat[/spoiler]
Here's the pastie if you want to see. http://pastie.org/2382522
The video came out really bad quality and it didn't even record the whole thing. I'll have to borrow someone's laptop. Or record with a camera(eww). I made a code so I can redo it at another time.
Rathian spawned, and I needed to record this. http://www.youtube.com/watch?v=8a1NmywzGUk
Yes, Copy All Frames is great for following arguments as they get passed from one function call to the next.
A breakpoint is anything that can happen which causes the CPU to stop executing and let us take a look at things. Many things can cause breakpoints. In general, we use two types of breakpoints; data and instruction. But any time a breakpoint condition is satisfied, CPU execution will stop.
The PowerPC in the Wii is 713 MHz. Given 60 frames per second, this means it executes just under 12 million instructions per frame. That's not technically true but it's good enough to make the point; a breakpoint condition (i.e. "read address 9014BD7D") can be satisfied many times per frame.
You will know a frame has passed when you see the screen jiggle. Every time the screen jiggles, that's one frame.
---
I notice there are no WBPs in the list. So, if you set a WBP on the address, the game just keeps moving until the monsters see you? You might want to try spamming RWBP while you try to get into some monster's field of view, so you can see at what point the write takes place in this stream of reads.
---
Regarding Copy All Frames, this loop in the top frame looks interesting. Your breakpoint is right in the middle.
The stuff at the very end is particularly interesting. The loop is terminated when r27 = 6. r27 is the loop index (the i in a classic for loop). It increments once per loop.
r25 also increments every loop. It's some sort of pointer running through an array of stuff. Each array element is 16 bytes, hence the += 16 at the end of the loop.
r26 is keeping track of something. When it b's to 800F38FC, it's skipping the r26 += 1. It must be tracking a number of things that meet a certain criteria, because once r23 = 3 it bails out of the loop.
r31 is also some sort of pointer to an array. However, these array elements are only 2 bytes each. This is incremented in concert with r26, so r26 is probably the index for this array.
The loop is probably processing values that it pulls from the r25 array and when some of those values satisfies some conditions, some data is copied into the r31 array. Can you think of anything that seems like a good candidate for looping over 6 or 3 times? Is there like some maximum number of enemies that you can fight? Some max number of allies?
[spoiler]| | | | | | | | 800F3718: 2C1A0003 cmpwi r26,3
| | | | | | | | 800F371C: 408001F0 bge- 0x800f390c
| | | | | | | | 800F3720: A0190006 lhz r0,6(r25)
| | | | | | | | 800F3724: 2C000000 cmpwi r0,0
| | | | | | | | 800F3728: 418201D4 beq- 0x800f38fc
| | | | | | | | 800F372C: A8190004 lha r0,4(r25)
| | | | | | | | 800F3730: 2C000000 cmpwi r0,0
| | | | | | | | 800F3734: 418201C8 beq- 0x800f38fc
| | | | | | | | 800F3738: 80190000 lwz r0,0(r25)
| | | | | | | | 800F373C: 5403043E rlwinm r3,r0,0,16,31
| | | | | | | | 800F3740: 3881000C addi r4,r1,12
| | | | | | | | 800F3744: 38A10008 addi r5,r1,8
| | | | | | | | 800F3748: 48050E99 bl 0x801445e0
| | | | | | | | 800F374C: 5460063E rlwinm r0,r3,0,24,31
| | | | | | | | 800F3750: 28000001 cmplwi r0,1
| | | | | | | | 800F3754: 408201A8 bne- 0x800f38fc
| | | | | | | | 800F3758: 8061000C lwz r3,12(r1)
| | | | | | | | 800F375C: 88030000 lbz r0,0(r3)
| | | | | | | | 800F3760: 2C000000 cmpwi r0,0
| | | | | | | | 800F3764: 41820198 beq- 0x800f38fc
| | | | | | | | 800F3768: 800301C8 lwz r0,456(r3)
| | | | | | | | 800F376C: 540007FE rlwinm r0,r0,0,31,31
| | | | | | | | 800F3770: 2C000000 cmpwi r0,0
| | | | | | | | 800F3774: 41820188 beq- 0x800f38fc
| | | | | | | | 800F3778: 480398B5 bl 0x8012d02c
| | | | | | | | 800F377C: 2C030000 cmpwi r3,0
| | | | | | | | 800F3780: 4082017C bne- 0x800f38fc
| | | | | | | | 800F3784: 8061000C lwz r3,12(r1)
| | | | | | | | 800F3788: A003001A lhz r0,26(r3)
| | | | | | | | 800F378C: B01F01DC sth r0,476(r31)
| | | | | | | | 800F3790: 7FD8D214 add r30,r24,r26
| | | | | | | | 800F3794: 8061000C lwz r3,12(r1)
| | | | | | | | 800F3798: 88030003 lbz r0,3(r3)
| | | | | | | | 800F379C: 981E01E2 stb r0,482(r30)
| | | | | | | | 800F37A0: 4BFDBA79 bl 0x800cf218
| | | | | | | | 800F37A4: 5460063E rlwinm r0,r3,0,24,31
| | | | | | | | 800F37A8: 28000002 cmplwi r0,2
| | | | | | | | 800F37AC: 41820034 beq- 0x800f37e0
| | | | | | | | 800F37B0: 8061000C lwz r3,12(r1)
| | | | | | | | 800F37B4: 7FA4EB78 mr r4,r29
| | | | | | | | 800F37B8: 480398FD bl 0x8012d0b4
| | | | | | | | 800F37BC: 28030001 cmplwi r3,1
| | | | | | | | 800F37C0: 40820018 bne- 0x800f37d8
| | | | | | | | 800F37C4: 8061000C lwz r3,12(r1)
| | | | | | | | 800F37C8: 889D0008 lbz r4,8(r29)
| | | | | | | | 800F37CC: 4803E145 bl 0x80131910
| | | | | | | | 800F37D0: 7C751B78 mr r21,r3
| | | | | | | | 800F37D4: 4800008C b 0x800f3860
| | | | | | | | 800F37D8: 3AA00000 li r21,0
| | | | | | | | 800F37DC: 48000084 b 0x800f3860
| | | | | | | | 800F37E0: 8061000C lwz r3,12(r1)
| | | | | | | | 800F37E4: 7FA4EB78 mr r4,r29
| | | | | | | | 800F37E8: 480398CD bl 0x8012d0b4
| | | | | | | | 800F37EC: 28030001 cmplwi r3,1
| | | | | | | | 800F37F0: 40820044 bne- 0x800f3834
| | | | | | | | 800F37F4: 8061000C lwz r3,12(r1)
| | | | | | | | 800F37F8: 889D0008 lbz r4,8(r29)
| | | | | | | | 800F37FC: 4803E115 bl 0x80131910
| | | | | | | | 800F3800: 7C751B78 mr r21,r3
| | | | | | | | 800F3804: 2C030000 cmpwi r3,0
| | | | | | | | 800F3808: 40820058 bne- 0x800f3860
| | | | | | | | 800F380C: 8061000C lwz r3,12(r1)
| | | | | | | | 800F3810: 7F84E378 mr r4,r28
| | | | | | | | 800F3814: 480398A1 bl 0x8012d0b4
| | | | | | | | 800F3818: 28030001 cmplwi r3,1
| | | | | | | | 800F381C: 40820044 bne- 0x800f3860
| | | | | | | | 800F3820: 8061000C lwz r3,12(r1)
| | | | | | | | 800F3824: 889C0008 lbz r4,8(r28)
| | | | | | | | 800F3828: 4803E0E9 bl 0x80131910
| | | | | | | | 800F382C: 7C751B78 mr r21,r3
| | | | | | | | 800F3830: 48000030 b 0x800f3860
| | | | | | | | 800F3834: 8061000C lwz r3,12(r1)
| | | | | | | | 800F3838: 7F84E378 mr r4,r28
| | | | | | | | 800F383C: 48039879 bl 0x8012d0b4
| | | | | | | | 800F3840: 28030001 cmplwi r3,1
| | | | | | | | 800F3844: 40820014 bne- 0x800f3858
| | | | | | | | 800F3848: 8061000C lwz r3,12(r1)
| | | | | | | | 800F384C: 889C0008 lbz r4,8(r28)
| | | | | | | | 800F3850: 4803E0C1 bl 0x80131910
| | | | | | | | 800F3854: 48000008 b 0x800f385c
| | | | | | | | 800F3858: 38600000 li r3,0
| | | | | | | | 800F385C: 7C751B78 mr r21,r3
| | | | | | | | 800F3860: 2C150000 cmpwi r21,0
| | | | | | | | 800F3864: 4082000C bne- 0x800f3870
| | | | | | | | 800F3868: 9AFE01E5 stb r23,485(r30)
| | | | | | | | 800F386C: 48000008 b 0x800f3874
| | | | | | | | 800F3870: 9ADE01E5 stb r22,485(r30)
| | | | | | | | 800F3874: 8061000C lwz r3,12(r1)
| | | | | | | | 800F3878: 88030003 lbz r0,3(r3)
| | | | | | | | 800F387C: 28000014 cmplwi r0,20
| | | | | | | | 800F3880: 4082003C bne- 0x800f38bc
| | | | | | | | 800F3884: 8803043D lbz r0,1085(r3)
| | | | | | | | 800F3888: 28000001 cmplwi r0,1
| | | | | | | | 800F388C: 4182001C beq- 0x800f38a8
| | | | | | | | 800F3890: 28000002 cmplwi r0,2
| | | | | | | | 800F3894: 41820014 beq- 0x800f38a8
| | | | | | | | 800F3898: 481BC3ED bl 0x802afc84
| | | | | | | | 800F389C: 5460063E rlwinm r0,r3,0,24,31
| | | | | | | | 800F38A0: 28000003 cmplwi r0,3
| | | | | | | | 800F38A4: 4082000C bne- 0x800f38b0
| | | | | | | | 800F38A8: 9ADE01EB stb r22,491(r30)
| | | | | | | | 800F38AC: 48000008 b 0x800f38b4
| | | | | | | | 800F38B0: 9AFE01EB stb r23,491(r30)
| | | | | | | | 800F38B4: 9AFE01E8 stb r23,488(r30)
| | | | | | | | 800F38B8: 48000038 b 0x800f38f0
| | | | | | | | 800F38BC: 8803043D lbz r0,1085(r3)
| | | | | | | | 800F38C0: 28000001 cmplwi r0,1
| | | | | | | | 800F38C4: 4082000C bne- 0x800f38d0
| | | | | | | | 800F38C8: 9ADE01EB stb r22,491(r30)
| | | | | | | | 800F38CC: 48000008 b 0x800f38d4
| | | | | | | | 800F38D0: 9AFE01EB stb r23,491(r30)
| | | | | | | | 800F38D4: 8061000C lwz r3,12(r1)
| | | | | | | | 800F38D8: 8803043D lbz r0,1085(r3)
| | | | | | | | 800F38DC: 28000002 cmplwi r0,2
| | | | | | | | 800F38E0: 4082000C bne- 0x800f38ec
| | | | | | | | 800F38E4: 9ADE01E8 stb r22,488(r30)
| | | | | | | | 800F38E8: 48000008 b 0x800f38f0
| | | | | | | | 800F38EC: 9AFE01E8 stb r23,488(r30)
| | | | | | | | 800F38F0: 9ADE01D9 stb r22,473(r30)
| | | | | | | | 800F38F4: 3BFF0002 addi r31,r31,2
| | | | | | | | 800F38F8: 3B5A0001 addi r26,r26,1
| | | | | | | | 800F38FC: 3B7B0001 addi r27,r27,1
| | | | | | | | 800F3900: 3B390010 addi r25,r25,16
| | | | | | | | 800F3904: 2C1B0006 cmpwi r27,6
| | | | | | | | 800F3908: 4180FE10 blt+ 0x800f3718
[/spoiler]
Another interesting thing is that there are a great deal of branches to 800F390C. This takes you past the end of the loop to the function epilogue. Basically it's many different ways to leave the function. This one is at the very beginning. It's the equivalent of "if (r3 == 0) return;"
| | | | | | | | 800F3678: 2C030000 cmpwi r3,0
| | | | | | | | 800F367C: 41820290 beq- 0x800f390c
It might be interesting to turn the beq- into a b. (i.e. 800F367C: 48000290 b 0x800f390c) This would basically prevent the function from ever running. I wonder what happens.
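Two things in this thread come down to reading PowerPC branch words by hand: the call-stack lines (the function start is the bl target, which Gecko.NET computes from the word and the address of the bl), and the suggested patch of 41820290 (beq- 0x800f390c) into 48000290 (b 0x800f390c). The following is an added example, not code from the thread or from Gecko.NET: it applies the documented PowerPC encodings (I-form b/bl, B-form bc, XL-form bclr/bcctr) to the hex words quoted above, so a listed target or a hand-assembled patch word can be checked before it is written to memory. The listing it checks is copied from the call stack and conditional returns posted earlier; the only simplification is that condition mnemonics are resolved for CR0 (the field cmpwi/cmplwi set), which is all the thread's code uses.

```python
"""Added example: decode/encode PowerPC branch words from a Gecko.NET-style listing."""
import re

def _sext(value, bits):
    """Sign-extend the low `bits` bits of value."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)

# Simplified mnemonics for CR0 bits: BI 0..3 = lt, gt, eq, so
_TRUE = {0: "lt", 1: "gt", 2: "eq", 3: "so"}
_FALSE = {0: "ge", 1: "le", 2: "ne", 3: "ns"}

def _cond(bo, bi):
    """Condition suffix from the BO/BI fields (only the forms seen in the thread)."""
    if (bo & 0x14) == 0x14:        # 1z1zz: branch always
        return ""
    if (bo & 0x1C) == 0x0C:        # 011zy: branch if CR bit set (beq, blt, ...)
        return _TRUE[bi & 3]
    if (bo & 0x1C) == 0x04:        # 001zy: branch if CR bit clear (bne, bge, ...)
        return _FALSE[bi & 3]
    return "dnz"                   # CTR-decrementing forms, not used here

def decode_branch(pc, word):
    """Return (mnemonic, target) for the branch word at address pc.

    target is None for register-indirect forms (blr, bctrl); the result is None
    when the word is not a branch at all (e.g. 9883043D stb r4,1085(r3)).
    """
    opcode = word >> 26
    lk = "l" if word & 1 else ""
    aa = (word >> 1) & 1
    if opcode == 18:                               # b / bl: 26-bit signed LI
        li = _sext(word & 0x03FFFFFC, 26)
        return "b" + lk, li if aa else (pc + li) & 0xFFFFFFFF
    bo = (word >> 21) & 0x1F
    bi = (word >> 16) & 0x1F
    if opcode == 16:                               # bc: 16-bit signed BD
        bd = _sext(word & 0xFFFC, 16)
        return "b" + _cond(bo, bi) + lk, bd if aa else (pc + bd) & 0xFFFFFFFF
    if opcode == 19:                               # bclr (XO 16) / bcctr (XO 528)
        xo = (word >> 1) & 0x3FF
        if xo == 16:
            return "b" + _cond(bo, bi) + "lr" + lk, None
        if xo == 528:
            return "b" + _cond(bo, bi) + "ctr" + lk, None
    return None

def encode_b(pc, target, link=False):
    """Encode a PC-relative b/bl at pc reaching target (for patching beq- into b)."""
    off = target - pc
    if off & 3 or not -0x2000000 <= off < 0x2000000:
        raise ValueError("target not reachable by a 26-bit relative branch")
    return (18 << 26) | (off & 0x03FFFFFC) | (1 if link else 0)

_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{8})\s+(\S+)(?:\s+0x([0-9A-Fa-f]+))?")

def check_listing(text):
    """Cross-check every 'ADDR: WORD mnemonic [0xTARGET]' branch line of a listing.

    Returns one dict per branch line with the decoded mnemonic and target and
    whether they agree with what the listing shows (prediction hints +/- ignored).
    """
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        pc, word = int(m.group(1), 16), int(m.group(2), 16)
        dec = decode_branch(pc, word)
        if dec is None:
            continue
        mnem, target = dec
        shown_mnem = m.group(3).rstrip("+-")
        shown_target = int(m.group(4), 16) if m.group(4) else None
        out.append({"pc": pc, "mnemonic": mnem, "target": target,
                    "ok": mnem == shown_mnem and target == shown_target})
    return out

# Lines copied from the call stack and conditional returns quoted in this thread
CALL_STACK = """
8012CC04: 4BFFFC6D bl 0x8012c870
80138700: 4BFF42AD bl 0x8012c9ac
801379CC: 48000871 bl 0x8013823c
80143D08: 4BFF3C15 bl 0x8013791c
8028CCB4: 4BEB6F61 bl 0x80143c14
8004178C: 4E800421 bctrl
80130784: 4D820020 beqlr-
80130798: 4C820020 bnelr-
800F367C: 41820290 beq- 0x800f390c
800F3908: 4180FE10 blt+ 0x800f3718
"""

if __name__ == "__main__":
    for r in check_listing(CALL_STACK):
        tgt = "-" if r["target"] is None else f"{r['target']:08X}"
        print(f"{r['pc']:08X} {r['mnemonic']:6} {tgt} {'ok' if r['ok'] else 'MISMATCH'}")
    print(f"patch word for 800F367C -> 800F390C: {encode_b(0x800F367C, 0x800F390C):08X}")
```

The encoder is the part worth keeping to hand: a relative branch only reaches +/-32 MiB, and the low two bits of the displacement must be zero, so it refuses anything a real assembler would also reject instead of silently producing a word that decodes as something else.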
Yeah, a WBP will break when the monster sees me, or if the monster untargets me, which would take forever without poking the address.
The only thing I can think of that would be 3 is the number of players, if it starts at 0 (4 players online). But I can't think of anything that could count up to 6. I've seen more than 6 minions, and I've never seen more than 3 bosses at once, and 3 was via custom quests. A max of about 64 objects in one area at once including projectiles (impossible without some sort of modding; set infinite bombs/traps and you can see that limit). Maybe monsters have 6 senses? XD
Quote
r23 = 3 it bails out of the
r26? I don't see a cmp r23
Quote from: dcx2 on August 17, 2011, 03:49:07 AM
Another interesting thing is that there are a great deal of branches to 800F390C. This takes you past the end of the loop to the function epilogue. Basically it's many different ways to leave the function. This one is at the very beginning. It's the equivalent of "if (r3 == 0) return;"
| | | | | | | | 800F3678: 2C030000 cmpwi r3,0
| | | | | | | | 800F367C: 41820290 beq- 0x800f390c
It might be interesting to turn the beq- into a b. (i.e. 800F367C: 48000290 b 0x800f390c) This would basically prevent the function from ever running. I wonder what happens.
I did that and nothing happened. Jaggi saw me and that's it. But why would that have prevented the function from happening? Instead of branch if equal, it's branch always.
Quote from: Stuff on August 18, 2011, 04:30:18 AM
r26? I don't see a cmp r23
The r26 check is at the beginning of the loop.
QuoteI did that and nothing happened. Jaggi saw me and that's it. But why would that have prevented the function from happening? Instead of branch if equal, it's branch always.
What do you mean, "nothing happened"? As in, changing the beq to b made no difference?
It prevents the function from happening because it branches over all the "work", straight to the end. Double click that b, or just go to 800F390C, and you will see that it's popping the regs off the stack and getting ready to blr back to the caller.
Oh. Well yeah, it didn't change anything. Just did a RWBP after changing it to b 0x800f390c. It gave me a very different Copy All Frames. >.> This time it was too big for pastie. http://dl.dropbox.com/u/24514984/copyallframes%20after%2048000290.htm
Actually, I think chacha should have an eye icon next to his name too. He was being targeted, though. I'll do it regular later.
This is where hacking can become tedious. Meticulously "remove" or alter one function at a time, and take notes about what changed. Eventually you will hit the jackpot.
Here's what looks interesting in your latest Copy All Frames.
[spoiler]801307A4: 9421FFF0 stwu r1,-16(r1) ##prologue (the "black" part): new stack frame, back chain at 0(r1)
801307A8: 7C0802A6 mflr r0
801307AC: 90010014 stw r0,20(r1) ##LR save word
801307B0: 93E1000C stw r31,12(r1)
801307B4: 7C7F1B78 mr r31,r3 ##r31 = r3 = monster pointer
801307B8: 8803043D lbz r0,1085(r3) ##the byte of interest (the "green" part): 0, 1 or 2?
801307BC: 2C000001 cmpwi r0,1
801307C0: 41820010 beq- 0x801307d0
801307C4: 2C000002 cmpwi r0,2
801307C8: 41820054 beq- 0x8013081c
801307CC: 48000064 b 0x80130830 ##anything else: straight to the epilogue
801307D0: 4BFF5865 bl 0x80126034 ##1085(r3) == 1 (the "blue" part)
801307D4: 881F038F lbz r0,911(r31)
801307D8: 2C000000 cmpwi r0,0
801307DC: 41820010 beq- 0x801307ec
801307E0: 38000000 li r0,0
801307E4: B01F0442 sth r0,1090(r31)
801307E8: 48000048 b 0x80130830
801307EC: A89F0442 lha r4,1090(r31)
801307F0: 38040001 addi r0,r4,1
801307F4: B01F0442 sth r0,1090(r31)
801307F8: 7C040734 extsh r4,r0
801307FC: 80630058 lwz r3,88(r3)
80130800: A8030002 lha r0,2(r3)
80130804: 7C040000 cmpw r4,r0
80130808: 40810028 ble- 0x80130830
8013080C: 7FE3FB78 mr r3,r31
80130810: 38800000 li r4,0
80130814: 4BFFFF65 bl 0x80130778
80130818: 48000018 b 0x80130830
8013081C: 8803038F lbz r0,911(r3) ##1085(r3) == 2 (the "purple" part)
80130820: 2C000000 cmpwi r0,0
80130824: 4082000C bne- 0x80130830
80130828: 38800000 li r4,0
8013082C: 4BFFFF4D bl 0x80130778
80130830: 83E1000C lwz r31,12(r1) ##epilogue (the "red" part)
80130834: 80010014 lwz r0,20(r1)
80130838: 7C0803A6 mtlr r0
8013083C: 38210010 addi r1,r1,16
80130840: 4E800020 blr
[/spoiler]
The green bold part is asking whether the byte of interest is 0, 1, or 2. If it is 0, then this function will do nothing by branching to the function epilogue (the red bold). The function epilogue is the inverse of the function prologue (in black). It pops the non-volatile registers off the stack (lwz r31), reads the LR save word so it can return to the caller (lwz r0/mtlr r0), destroys the current stack frame (addi r1), and then returns to the caller (blr). All function epilogues generally follow a similar pattern, so that's how you know it is asking "if (1085(r3) == 0) return;"
In the event of a 1085(r3) == 1, the blue part is executed. Note how there are multiple checks in the blue part that allow it to "bail out early" (by branching to the epilogue).
When 1085(r3) == 2, the purple part is executed.
To "nop" this whole function, you can replace 801307A4: 9421FFF0 stwu r1,-16(r1) with a blr (i.e. 801307A4: 4E800020 blr).
EDIT:
Looking at the blue part some more, I see something interesting. The value in 1090(r31) is reset when 911(r31) != 0. When 911(r31) == 0, instead it appears to increment every frame. It then also retrieves a value from a pointer-in-pointer and compares that to the incremented value; "if (r4 <= [[r3+88]+2]) return;" Note that in this case, r3 == r31 == monster pointer.
When r4 becomes greater than [[r3+88]+2], it will load the monster pointer into r3, 0 into r4, and then call 80130778. What's interesting is that in the purple section, if 911(r3) == 0 (same as the blue code's test for incrementing 1090(r31)), it loads the same arguments and calls the same function.
It would be nice to know exactly what 911(r31) and 1090(r31) mean. 1090(r31) is very close to your current value of interest, 1085(r31). 911(r31) isn't that far away.
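As an added example (not code from the thread or the game), here is the listing above re-read as C, following the walk-through just given: the awareness byte picks one of two paths, the 1090 counter is reset or incremented, and the pointer-in-pointer compare decides whether 80130778 gets called. The struct, the field names, the stub callees and `scenario` are made up for illustration; the offsets and addresses are the listing's.

```c
#include <stdint.h>
/* Constructed layout: only the fields the listing touches are modelled, named by
 * their offsets in the disassembly. */
typedef struct { int16_t limit; } Params;   /* "lha r0,2(r3)" reads this halfword */
typedef struct {
    Params  *p88;       /* lwz r3,88(r3): pointer-in-pointer */
    uint8_t  b911;      /* lbz r0,911(r31) */
    uint8_t  b1085;     /* lbz r0,1085(r3): the awareness byte (0, 1 or 2) */
    int16_t  h1090;     /* lha/sth 1090(r31): per-frame counter */
} Monster;
enum { CALLED_80126034 = 1, CALLED_80130778 = 2 };
static int calls;   /* bitmask of which stub callees ran during one tick */
static void sub_80126034(Monster *m)         { (void)m; calls |= CALLED_80126034; }
static void sub_80130778(Monster *m, int r4) { (void)m; (void)r4; calls |= CALLED_80130778; }
/* One pass through 801307A4..80130840. Returns the callee bitmask. */
int awareness_tick(Monster *m)
{
    calls = 0;
    if (m->b1085 == 1) {                        /* cmpwi r0,1 / beq 801307D0  (the "blue" path) */
        sub_80126034(m);                        /* bl 0x80126034 */
        if (m->b911 != 0) {                     /* lbz r0,911(r31) / cmpwi / beq 801307EC */
            m->h1090 = 0;                       /* li r0,0 / sth r0,1090(r31): reset */
            return calls;                       /* b 0x80130830 */
        }
        int16_t n = (int16_t)(m->h1090 + 1);    /* lha r4 / addi r0,r4,1 / sth / extsh r4,r0 */
        m->h1090 = n;                           /* stored before the compare */
        if (n <= m->p88->limit)                 /* lwz r3,88(r3) / lha r0,2(r3) / cmpw / ble */
            return calls;                       /* r3 is still the monster pointer here */
        sub_80130778(m, 0);                     /* mr r3,r31 / li r4,0 / bl 0x80130778 */
    } else if (m->b1085 == 2) {                 /* cmpwi r0,2 / beq 8013081C  (the "purple" path) */
        if (m->b911 == 0)                       /* lbz r0,911(r3) / cmpwi / bne 80130830 */
            sub_80130778(m, 0);                 /* li r4,0 / bl 0x80130778, same call as above */
    }
    return calls;                               /* 0 or anything else: straight to the epilogue */
}
/* Run `ticks` frames from a constructed state; returns the last tick's bitmask. */
int scenario(uint8_t aware, uint8_t b911, int16_t limit, int ticks)
{
    Params  p = { limit };
    Monster m = { &p, b911, aware, 0 };
    int r = 0;
    while (ticks-- > 0) r = awareness_tick(&m);
    return r;
}
```

With awareness 1 and 911 clear, 80130778 first fires on the frame where the counter passes the limit read through 88(r3); with awareness 2 it fires on the very first frame.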
Hope it's alright to revive this. Where we left off, we were speaking in some alien language that I wasn't familiar with. I was seriously just following your lead. I had no idea what I was doing. I still don't understand what this call stack thing is. afaik, it returns bl's that don't lead to my BP. But whatever. I want this code to happen. And now I think we can have a 2 way conversation when talking about this. It's a lot to take in to refresh my memory, so I'll just respond to the last post for now:
In the spoiler, it looks like it might be just another RBP. 1085(r3) == [9014BD7D] and that's the "awareness level" (for the 1st monster). It checks if it's 1, and if so, the blue part doesn't execute. It branches to 80126034. If it's 2, it checks [9014BCCF]. I don't know what's there. I'll check later and make some guess. It was 01 while fighting rathian. Looks like r31 is the same as r3 atm. But you said that. 8013080C: 7FE3FB78 mr r3,r31 must've happened already. Just a wild guess though. I can't really say what 1090(r31) is. In memory it's 7FFF0000. That's all for now.
The call stack shows you how the execution got to where it was. When a function calls another function, the new function is added to the call stack. If that function calls a third function, the third one is also added to the call stack. For instance, double click the top of the call stack and you'll see the current instruction. Double click the address below the top of the call stack, and you'll be taken to the bl which goes to the current instruction.
I think you have it backwards. If 1085(r3) == 1, the blue part is executed. Try changing 801307C0: 41820010 beq- 0x801307d0 into a nop and see what happens.
Monster Can't See You [Stuff]
041386BC 48000048
But I didn't arrive to this with what we discussed here. So you can say I learned very little from this thread. >.<
80138700 was a good candidate because it calls something that decides whether it spotted you because you hit it or it spotted you because it saw/sensed you. The reason I chose that other address was because nopping 80138700 still let the monster sense your presence, it just wouldn't know you're there. Like it saw you but you were cloaked in a smoke bomb. Between 0x6BC and 0x700 were a few bls that probably each did something about awareness so I preferred branching over all of them.
[spoiler]801386B4: 4828C161 bl 0x803c4814
801386B8: 2C030000 cmpwi r3,0
801386BC: 48000048 b 0x80138704 ##was bne- 0x48
801386C0: 881D046A lbz r0,1130(r29)
801386C4: 2C000000 cmpwi r0,0
801386C8: 4082003C bne- 0x80138704 ##It might be better to poke this instead
801386CC: 7FA3EB78 mr r3,r29
801386D0: 4800086D bl 0x80138f3c
801386D4: 7FA3EB78 mr r3,r29
801386D8: 4BFF760D bl 0x8012fce4
801386DC: 7FA3EB78 mr r3,r29
801386E0: 4BFF8A71 bl 0x80131150
801386E4: 7FA3EB78 mr r3,r29
801386E8: 4BFF2F65 bl 0x8012b64c
801386EC: 7FA3EB78 mr r3,r29
801386F0: 4BFF3705 bl 0x8012bdf4
801386F4: 7FA3EB78 mr r3,r29
801386F8: 4BFF3F09 bl 0x8012c600
801386FC: 7FA3EB78 mr r3,r29
80138700: 4BFF42AD bl 0x8012c9ac
80138704: 7FA3EB78 mr r3,r29
80138708: 4BFF999D bl 0x801320a4
[/spoiler]
The method I used to get to this code was the walk to blr you described in another thread. Walk to blr->step into-> nop the branch above and see what happens. This took 2 "walk to blr step into"s and a little experimenting to find the super caller. Walk to blr is awesomeness. I made a few codes for kirby today using this method.
Just trying to let you know that you didn't waste your time helping me with this only to see this code never happen. >.< Many thanks o.0b.
You don't have to walk to blr. This can be painful when there's a big loop.
There are two types of step out; "leaf" and "frame". Leaf is what you use when the return address is already in the LR. This is because leaf functions do not store the return address on the stack. Frame is what you use when the return address is on the stack. This is because most functions will push the LR onto the stack so they can call their own functions.
You can also just left-click Step Out. It will attempt to guess whether the function is leaf or frame and go to the right caller.
You can also go to the disassembly tab and double-click the call stack list box. It's a lot easier than walking the stack through the BP tab.
Hmm. Interesting. Well it looks like I needed to go through a lesser method to see this.
80130788 ##BP
8012CBB8 ##The caller I arrived to first with walk to blr
80138700 ##And this is 80138700 that I just mentioned. My second walk to blr.
I can feel better about double clicking call stack now. So does Call Stack "Step Out"(not actually doing it) multiple times or something like that?
Each stack frame has a pointer to the previous stack frame, generating a linked list of stack frames. Immediately "below" this pointer is the LR save word for that frame. The Call Stack is generated by traversing the linked list of stack frames and extracting the LR save word in each frame.
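An added C example, not code from the thread or from the debugger, that does exactly this walk over a constructed memory image laid out the way the stwu/stw prologue in the listings above leaves it (back chain at 0(r1), LR save word at 4(old r1)). MEM_BASE, the frame sizes and the fake memory are assumptions; the return addresses reuse the 80130788 / 8012CBB8 / 80138700 chain quoted just above, and the leaf/frame distinction from the step-out discussion decides whether LR itself is listed first.

```c
#include <stdint.h>
#include <string.h>
#define MEM_BASE 0x807AD000u   /* constructed: where the fake stack lives */
#define MEM_SIZE 0x1000u
static uint8_t mem[MEM_SIZE];
static int in_mem(uint32_t a) { return a >= MEM_BASE && a + 4 <= MEM_BASE + MEM_SIZE; }
static uint32_t rd32(uint32_t a) {                    /* big-endian, like the console */
    const uint8_t *p = mem + (a - MEM_BASE);
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void wr32(uint32_t a, uint32_t v) {
    uint8_t *p = mem + (a - MEM_BASE);
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
/* Emulate "stwu r1,-size(r1); mflr r0; stw r0,size+4(r1)" for a function entered
 * with return address lr: back chain at 0(new r1), LR save word at 4(old r1). */
static uint32_t push_frame(uint32_t r1, uint32_t size, uint32_t lr) {
    uint32_t new_r1 = r1 - size;
    wr32(new_r1, r1);
    wr32(r1 + 4, lr);
    return new_r1;
}
/* Build the Call Stack. A leaf function's return address is still in LR, so it is
 * listed first; then each back chain is followed and the LR save word at 4(frame)
 * read. LR holds the instruction after the bl, so minus 4 is the bl itself, which
 * is where double-clicking a Call Stack entry takes you. */
int walk_call_stack(uint32_t r1, uint32_t lr, int leaf, uint32_t *out, int max) {
    int n = 0;
    if (leaf && n < max) out[n++] = lr - 4;
    for (uint32_t sp = r1; n < max && in_mem(sp); sp = rd32(sp)) {
        uint32_t back = rd32(sp);
        if (back <= sp || !in_mem(back)) break;       /* stack grows down; 0 ends the list */
        out[n++] = rd32(back + 4) - 4;
    }
    return n;
}
/* Constructed scenario matching the chain quoted above: BP at 80130788, reached from
 * the bl at 8012CBB8, which was itself reached from the bl at 80138700. */
static uint32_t demo_out[8];
int demo_frames(int leaf) {
    memset(mem, 0, sizeof mem);
    uint32_t r1 = MEM_BASE + 0xF00;                     /* outermost frame, zero back chain */
    r1 = push_frame(r1, 0x20, 0x80138704);              /* function holding 8012CBB8 is entered */
    if (!leaf) r1 = push_frame(r1, 0x10, 0x8012CBBC);   /* function holding 80130788 ran its prologue */
    return walk_call_stack(r1, 0x8012CBBC, leaf, demo_out, 8);
}
uint32_t demo_entry(int i) { return (i >= 0 && i < 8) ? demo_out[i] : 0; }
```

Whether the current function has already pushed its frame or is still a leaf, the walk produces the same two callers, which is why the leaf/frame choice only matters for where the first entry is read from.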
ah. That is pretty cool. I just can't believe I had trouble understanding any of this. >.>
Still, I think I leveled up again today XD. Time to tackle potential codes I've left on queue.