Hi,
I tried to make a "Freefly" code for Twilight Prinzess.
Here´s the assembly (hope it´s self-explanatory)
[spoiler]Address: 80F3BAA4
stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x41A0
stw r16, 0x1600 (r15)
lfs f0,1232(r31)
lfs f22, 0x1600 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002
bne- _NOTZRIGHT
fsubs f0, f0, f22
stfs f0, 1232 (r31)
_NOTZRIGHT:
cmpwi r14, 0x2001
bne- _NOTZLEFT
fadds f0, f0, f22
stfs f0, 1232 (r31)
_NOTZLEFT:
lwz r11,8(r1)
addi r1,r1,16[/spoiler]
the code works for one axis so far, but if I fall down from the map, it crashes the game.
The crash breakpoint breaks on the exact same address and shows the original instruction, even though, my code was writing a branch to it...
r31 (source register) does never change on XBP when I don´t change rooms or fall down.
[spoiler] CR:88000088 XER:20000000 CTR:8001F5D4 DSIS:00000000
DAR:00000000 SRR0:7F0C6E24 SRR1:10009032 LR:80F3B6C8
r0:00002C2C r1:805371C8 r2:8052A180 r3:8043B408
r4:811D3404 r5:000000A2 r6:000000AB r7:000000A3
r8:804A136C r9:00000002 r10:0011C26C r11:805371F8
r12:8001F5D4 r13:80525EA0 r14:00002000 r15:80000000
r16:41A00000 r17:80431940 r18:00000000 r19:00000000
r20:00000000 r21:00000000 r22:00000000 r23:803E17C0
r24:803E17D4 r25:80433958 r26:803E1930 r27:810D838C
r28:810D7D40 r29:80440000 r30:811D33E0 r31:804A136C
f0:3F800000 f1:3F3CF126 f2:3F3962ED f3:3C638E39
f4:3F303E43 f5:00000000 f6:00000000 f7:00000000
f8:00000000 f9:00000000 f10:00000000 f11:00000000
f12:00000000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:3F800000 f29:BF800000 f30:59800004 f31:00000000
80F3BAA4: C01F04D0 lfs f0, 1232 (r31)[/spoiler]
But r31 is legit. Why does it crash, although I implemented a stack frame?
Btw. I used gecko.net 0.66.7
Your original instruction is the stack frame? Your are not using any branch instruction?
stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x41A0
stw r16, 0x1600 (r15)
lfs f0,1232(r31)
lfs f22, 0x1600 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002
bne- _NOTZRIGHT
b _NOTZLEFT
fsubs f0, f0, f22
stfs f0, 1232 (r31)
_NOTZRIGHT:
cmpwi r14, 0x2001
bne- _NOTZLEFT
fadds f0, f0, f22
stfs f0, 1232 (r31)
_NOTZLEFT:
lwz r11,8(r1)
addi r1,r1,16
----------- # what about your original instruction?
Try to compare 2 things without any branch instruction... That won't work.
cmpwi r18,0x0040
bne- END1
li r0,63
stw r0, 0 (r3)
END1:
cmpwi r18,0x0080
bne- END
li r0,63
stw r0, 0 (r3)
END:
stw r5,0 (r3)
Now you only can compare one thing and not 2. That's because of the branch instruction.
Quote from: Deathwolf on August 15, 2011, 12:42:05 PM
Your original instruction is the stack frame? Your are not using any branch instruction?
stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x41A0
stw r16, 0x1600 (r15)
lfs f0,1232(r31)
lfs f22, 0x1600 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002
bne- _NOTZRIGHT
b _NOTZLEFT not needed...
fsubs f0, f0, f22
stfs f0, 1232 (r31)
_NOTZRIGHT:
cmpwi r14, 0x2001
bne- _NOTZLEFT
fadds f0, f0, f22
stfs f0, 1232 (r31)
_NOTZLEFT:
lwz r11,8(r1)
addi r1,r1,16
----------- # what about your original instruction?
the code works with *both* compares.
WTF is that? could you explain me why you are branching not to the original instruction?
stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x41A0
stw r16, 0x1600 (r15)
lfs f0,1232(r31) # this is not needed here since you can't edit fx "registers"
lfs f22, 0x1600 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002
bne- _NOTZRIGHT
fsubs f0, f0, f22
stfs f0, 1232 (r31)
b _NOTZLEFT
_NOTZRIGHT:
cmpwi r14, 0x2001
bne- _NOTZLEFT
fadds f0, f0, f22
stfs f0, 1232 (r31)
_NOTZLEFT:
lwz r11,8(r1)
addi r1,r1,16
lfs f0,1232(r31)
why?
Because I want to load the value into f0 and THEN do something with it (add/sub float registers)
stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x41A0
stw r16, 0x1600 (r15)
lfs f22, 0x1600 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002 # Yeah this is right, compare with 2002 and then sub from f0.
bne- _NOTZRIGHT
fsubs f0, f0, f22
stfs f0, 1232 (r31)
b _NOTZLEFT # if not pressed, DO NOTHING. (original instruction)
_NOTZRIGHT:
cmpwi r14, 0x2001
bne- _NOTZLEFT
fadds f0, f0, f22
stfs f0, 1232 (r31)
_NOTZLEFT:
lwz r11,8(r1)
addi r1,r1,16
lfs f0,1232(r31) # original instruction
that would disable the second activator, if the first is not pressed...
I rewrote it, but didn´t test yet (including all 3 coordinates with increase/decrease).
Code for Legend of Zelda TP PAL.
[spoiler]Addy:80F3BAA4
stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000 # load RAM Address first 16bit
lis r16, 0x41A0 # Load value 41A0000 into r16
lis r17, 0x4300 # Load value 4300000 into r17
stw r16, 0x1600 (r15) # Store r16 to RAM (80001600)
stw r17, 0x1604 (r15) # Store r17 to RAM (80001604)
lfs f20, 1232 (r31) # Load X coordinate into f20
lfs f21, 1236 (r31) # Load Y coordinate into f21
lfs f22, 1240 (r31) # Load Z coordinate into f22
lfs f23, 0x1600 (r15) # Load value from address 80001600 into f23
lfs f24, 0x1604 (r15) # Load value from address 80001604 into f24
lis r14, 0x8043 # Load first 16 bit of button activator
lhz r14, 0x3AF6 (r14) # Load value from address 80433AF6 into r14
cmpwi r14, 0x2002 # compare if Z and D-PAD RIGHT is pressed
bne- _NOZRIGHT # if not...
fsubs f20, f20, f23 # sub f23 from f20 and store back to f20
stfs f20, 1232 (r31) # update X coordinate
_NOZRIGHT: # skip operation
cmpwi r14, 0x2001 # compare if Z and D-PAD LEFT is pressed
bne- _NOZLEFT # if not...
fadds f20, f20, f23 # add f23 to f20 and store back to f20
stfs f20, 1232 (r31) # update X coordinate
_NOZLEFT: # skip operation
cmpwi r14, 0x2008
bne- _NOZUP
fsubs f21, f21, f24
stfs f21, 1236 (r31)
_NOZUP:
cmpwi r14, 0x2004
bne- _NOZDOWN
fadds f21, f21, f24
stfs f21, 1236 (r31)
_NOZDOWN:
cmpwi r14, 0x108
bne- _NO2UP
fsubs f22, f22, f23
stfs f22, 1240 (r31)
_NO2UP:
cmpwi r14, 0x104
bne- _NO2DOWN
fadds f22, f22, f23
stfs f22, 1240 (r31)
_NO2DOWN:
lwz r11,8(r1)
addi r1,r1,16
lfs f0,1232(r31) # original instruction[/spoiler]
stwu r1,-16(r1)
stw r11,8(r1)
lis r15, 0x8000
lis r16, 0x4100
lis r17, 0x4300
stw r16, 0x1600 (r15)
stw r17, 0x1604 (r15)
lfs f20, 1232 (r31)
lfs f21, 1236 (r31)
lfs f22, 1240 (r31)
lfs f23, 0x1600 (r15)
lfs f24, 0x1604 (r15)
lis r14, 0x8043
lhz r14, 0x3AF6 (r14)
cmpwi r14, 0x2002
bne- _NOZRIGHT
fsubs f20, f20, f23
stfs f20, 1232 (r31)
b ORIGINAL
_NOZRIGHT:
cmpwi r14, 0x2001
bne- _NOZLEFT
fadds f20, f20, f23
stfs f20, 1232 (r31)
b ORIGINAL
_NOZLEFT:
cmpwi r14, 0x2008
bne- _NOZUP
fsubs f21, f21, f24
stfs f21, 1236 (r31)
b ORIGINAL
_NOZUP:
cmpwi r14, 0x2004
bne- _NOZDOWN
fadds f21, f21, f24
stfs f21, 1236 (r31)
b ORIGINAL
_NOZDOWN:
cmpwi r14, 0x108
bne- _NO2UP
fsubs f22, f22, f23
stfs f22, 1240 (r31)
b ORIGINAL
_NO2UP:
cmpwi r14, 0x104
bne- ORIGINAL
fadds f22, f22, f23
stfs f22, 1240 (r31)
ORIGINAL:
lwz r11,8(r1)
addi r1,r1,16
lfs f0,1232(r31)
assembled:
C2000000 00000018
9421FFF0 91610008
3DE08000 3E004100
3E204300 920F1600
922F1604 C29F04D0
C2BF04D4 C2DF04D8
C2EF1600 C30F1604
3DC08043 A1CE3AF6
2C0E2002 40820010
EE94B828 D29F04D0
48000064 2C0E2001
40820010 EE94B82A
D29F04D0 48000050
2C0E2008 40820010
EEB5C028 D2BF04D4
4800003C 2C0E2004
40820010 EEB5C02A
D2BF04D4 48000028
2C0E0108 40820010
EED6B828 D2DF04D8
48000014 2C0E0104
4082000C EED6B82A
D2DF04D8 81610008
38210010 C01F04D0
60000000 00000000
A Pm from dcx2:
Quote from: dcx2 on July 26, 2010, 11:29:02 PM
You're a lot closer.
But it made me realize I made a mistake. andi. should use beq-, but cmpwi should use bne-.
lis r12,0x8075
ori r12,r12,0x6102
lhz r12,0(r12)
cmpwi r12,0x0200
bne- TEST_SECOND_ACTIVATOR
li r12,0x777
stw r12,48(r31)
b THE_END
TEST_SECOND_ACTIVATOR:
cmpwi r12,0x0100
bne- THE_END
li r12,0x888
stw r12,48(r31)
THE_END:
lwz r3,48(r31)
code works, still freezes on respawn... :(
---
[spoiler]
lis r12,0x8075
ori r12,r12,0x6102
lhz r12, 0x6102 (r12)
cmpwi r12,0x0200
bne- TEST_SECOND_ACTIVATOR
li r12,0x777
stw r12,48(r31)
b THE_END
TEST_SECOND_ACTIVATOR:
cmpwi r12,0x0100
bne- THE_END
li r12,0x888
stw r12,48(r31)
THE_END:
lwz r3,48(r31)[/spoiler]
works, too.
I tested it out.
Don´t tell me something else :p
I see. IDK why you need the b instruction xD I think I'm just spreading wrong information lol
back to my problem.
Latest code build I posted works.
If I go out of bounds (accidentally), it freezes and black screens before respawning.
During that time, coordinates move in memory.
I´m still curious, why it freezes... is there anything that fails in the code?
Remember that the crash breakpoint showed the same address with legit source register.
I only used free float and normal registers (using the stack frame)
Either the breakpoint triggered wrong or something odd happened. :-\
Shouldn´t it crash, if the source register is legit?
The ASM code follows the new position and writes there next time, that´s not an issue at all...
Quote from: Bully@Wiiplaza on August 15, 2011, 12:29:45 PM
[spoiler] CR:88000088 XER:20000000 CTR:8001F5D4 DSIS:00000000
DAR:00000000 SRR0:7F0C6E24 SRR1:10009032 LR:80F3B6C8
r0:00002C2C r1:805371C8 r2:8052A180 r3:8043B408
r4:811D3404 r5:000000A2 r6:000000AB r7:000000A3
r8:804A136C r9:00000002 r10:0011C26C r11:805371F8
r12:8001F5D4 r13:80525EA0 r14:00002000 r15:80000000
r16:41A00000 r17:80431940 r18:00000000 r19:00000000
r20:00000000 r21:00000000 r22:00000000 r23:803E17C0
r24:803E17D4 r25:80433958 r26:803E1930 r27:810D838C
r28:810D7D40 r29:80440000 r30:811D33E0 r31:804A136C
f0:3F800000 f1:3F3CF126 f2:3F3962ED f3:3C638E39
f4:3F303E43 f5:00000000 f6:00000000 f7:00000000
f8:00000000 f9:00000000 f10:00000000 f11:00000000
f12:00000000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:3F800000 f29:BF800000 f30:59800004 f31:00000000
[/spoiler]
But r31 is legit. Why does it crash, although I implemented a stack frame?
You're lucky you used 0.66.7. The other builds would have crashed hard without generating a breakpoint. This is because you have an ISI Exception EDIT: and 0.66.7 is the first build to automatically install ISI and Program exception handlers for the code handler. Look at SRR0 - the instruction that the PPC wanted to fetch is at address 7F0C6E24.
ah that´s lucky. Otherwise we wouldn´t know what was going on there.
Well, but I´m still wondering why that invalid SRR0 address thing happens.
I just hooked one adress as usual and it worked quite fine... ???
Did I make a coding mistake or something like that?
Usually it means you branched off into nowhere. That's probably not directly your fault; the game probably wasn't able to deal with what you were doing.
There are only three ways to branch; relative, ctr, and lr.
ctr = 8001F5D4 so that's not it. lr = 80F3B6C8 so that's not it, either. 80000000 - 7F0C6E24 = 00F391DC; conditional branches use 16-bit displacement operands and this is 24, so it must have been an unconditional branch. This means you're looking for a "b 0x7F0C6E24" instruction somewhere.
The lr is probably as close as you can get to the offending instruction. ISI exceptions show you where the CPU *wanted* to fetch from, but not where it is *right now* (which is why you were confused by the disassembly) I would go to the LR and look around there. Maybe you'll get lucky and see the offending branch a bit after the lr's address. Maybe you'll have to double-click the bl just before the lr's address. You could also try looking for the most recent LR save word on the stack, but that's pretty complicated.
I took some looks at the LR´s function...
and found something... (seems like your guess was right!)
[spoiler]
80F3B47C: 4B31251C b 0x8024d998
80F3B480: 9421FFC0 stwu r1,-64(r1)
80F3B484: 7C0802A6 mflr r0
80F3B488: 90010044 stw r0,68(r1)
80F3B48C: DBE10030 stfd f31,48(r1)
80F3B490: F3E10038 psq_st f31,56(r1),0,0
80F3B494: 39610030 addi r11,r1,48
80F3B498: 4B46DC0D bl 0x803a90a4
80F3B49C: 3FE0804A lis r31,-32694
80F3B4A0: 3D0080F4 lis r8,-32524
80F3B4A4: 3BFF136C addi r31,r31,4972
80F3B4A8: 83C30570 lwz r30,1392(r3)
80F3B4AC: A8BF10CA lha r5,4298(r31)
80F3B4B0: 3BA00000 li r29,0
80F3B4B4: A81F10C2 lha r0,4290(r31)
80F3B4B8: A8DF10C8 lha r6,4296(r31)
80F3B4BC: A89F10C4 lha r4,4292(r31)
80F3B4C0: 7C050214 add r0,r5,r0
80F3B4C4: A8FF10C0 lha r7,4288(r31)
80F3B4C8: 7C862214 add r4,r6,r4
80F3B4CC: A8BF10E4 lha r5,4324(r31)
80F3B4D0: 7C040214 add r0,r4,r0
80F3B4D4: A8DF10E0 lha r6,4320(r31)
80F3B4D8: A89F10E2 lha r4,4322(r31)
80F3B4DC: 7CA72A14 add r5,r7,r5
80F3B4E0: A8FF10CC lha r7,4300(r31)
80F3B4E4: 7C862214 add r4,r6,r4
80F3B4E8: C3E8B8B0 lfs f31,-18256(r8)
80F3B4EC: 7C852214 add r4,r5,r4
80F3B4F0: 7C070214 add r0,r7,r0
80F3B4F4: 7C040215 add. r0,r4,r0
80F3B4F8: 40820010 bne- 0x80f3b508
80F3B4FC: 38000001 li r0,1
80F3B500: 981F12D4 stb r0,4820(r31)
80F3B504: 4800010C b 0x80f3b610
80F3B508: 38000000 li r0,0
80F3B50C: 981F12D4 stb r0,4820(r31)
80F3B510: 80630570 lwz r3,1392(r3)
80F3B514: 83830004 lwz r28,4(r3)
80F3B518: 807C0060 lwz r3,96(r28)
80F3B51C: 83630000 lwz r27,0(r3)
80F3B520: 2C1B0000 cmpwi r27,0
80F3B524: 4182006C beq- 0x80f3b590
80F3B528: 807B0024 lwz r3,36(r27)
80F3B52C: 38800000 li r4,0
80F3B530: 81830000 lwz r12,0(r3)
80F3B534: 818C0074 lwz r12,116(r12)
80F3B538: 7D8903A6 mtctr r12
80F3B53C: 4E800421 bctrl
80F3B540: 819B0000 lwz r12,0(r27)
80F3B544: 7F63DB78 mr r3,r27
80F3B548: 818C002C lwz r12,44(r12)
80F3B54C: 7D8903A6 mtctr r12
80F3B550: 4E800421 bctrl
80F3B554: A8FF10C0 lha r7,4288(r31)
80F3B558: 380000FF li r0,255
80F3B55C: A8DF10C2 lha r6,4290(r31)
80F3B560: 38A10008 addi r5,r1,8
80F3B564: A87F10C4 lha r3,4292(r31)
80F3B568: 38800000 li r4,0
80F3B56C: B0E10008 sth r7,8(r1)
80F3B570: B0C1000A sth r6,10(r1)
80F3B574: B061000C sth r3,12(r1)
80F3B578: B001000E sth r0,14(r1)
80F3B57C: 807B002C lwz r3,44(r27)
80F3B580: 81830000 lwz r12,0(r3)
80F3B584: 818C0060 lwz r12,96(r12)
80F3B588: 7D8903A6 mtctr r12
80F3B58C: 4E800421 bctrl
80F3B590: 807C0060 lwz r3,96(r28)
80F3B594: 83630004 lwz r27,4(r3)
80F3B598: 2C1B0000 cmpwi r27,0
80F3B59C: 41820074 beq- 0x80f3b610
80F3B5A0: 807B0024 lwz r3,36(r27)
80F3B5A4: 38800000 li r4,0
80F3B5A8: 81830000 lwz r12,0(r3)
80F3B5AC: 818C0074 lwz r12,116(r12)
80F3B5B0: 7D8903A6 mtctr r12
80F3B5B4: 4E800421 bctrl
80F3B5B8: 819B0000 lwz r12,0(r27)
80F3B5BC: 7F63DB78 mr r3,r27
80F3B5C0: 818C002C lwz r12,44(r12)
80F3B5C4: 7D8903A6 mtctr r12
80F3B5C8: 4E800421 bctrl
80F3B5CC: 3D00804A lis r8,-32694
80F3B5D0: 38A10008 addi r5,r1,8
80F3B5D4: 3908136C addi r8,r8,4972
80F3B5D8: 38800000 li r4,0
80F3B5DC: A8E810E8 lha r7,4328(r8)
80F3B5E0: A8C810EA lha r6,4330(r8)
80F3B5E4: A86810EC lha r3,4332(r8)
80F3B5E8: A80810EE lha r0,4334(r8)
80F3B5EC: B0E10008 sth r7,8(r1)
80F3B5F0: B0C1000A sth r6,10(r1)
80F3B5F4: B061000C sth r3,12(r1)
80F3B5F8: B001000E sth r0,14(r1)
80F3B5FC: 807B002C lwz r3,44(r27)
80F3B600: 81830000 lwz r12,0(r3)
80F3B604: 818C0060 lwz r12,96(r12)
80F3B608: 7D8903A6 mtctr r12
80F3B60C: 4E800421 bctrl
80F3B610: 3C60804A lis r3,-32694
80F3B614: 3863136C addi r3,r3,4972
80F3B618: 880312D4 lbz r0,4820(r3)
80F3B61C: 2C000000 cmpwi r0,0
80F3B620: 4182000C beq- 0x80f3b62c
80F3B624: 38600001 li r3,1
80F3B628: 4800012C b 0x80f3b754
80F3B62C: 3C608052 lis r3,-32686
80F3B630: 8803115C lbz r0,4444(r3)
80F3B634: 7C040775 extsb. r4,r0
80F3B638: 41800028 blt- 0x80f3b660
80F3B63C: 3C608048 lis r3,-32696
80F3B640: 3863A828 subi r3,r3,22488
80F3B644: 38634EC4 addi r3,r3,20164
80F3B648: 4B0ED98D bl 0x80028fd4
80F3B64C: 81830000 lwz r12,0(r3)
80F3B650: 818C010C lwz r12,268(r12)
80F3B654: 7D8903A6 mtctr r12
80F3B658: 4E800421 bctrl
80F3B65C: 7C7D1B78 mr r29,r3
80F3B660: 2C1D0000 cmpwi r29,0
80F3B664: 41820008 beq- 0x80f3b66c
80F3B668: C3FD0004 lfs f31,4(r29)
80F3B66C: 3C608048 lis r3,-32696
80F3B670: 3863A828 subi r3,r3,22488
80F3B674: 808361C4 lwz r4,25028(r3)
80F3B678: 2C040000 cmpwi r4,0
80F3B67C: 4182001C beq- 0x80f3b698
80F3B680: C024018C lfs f1,396(r4)
80F3B684: 3C6080F4 lis r3,-32524
80F3B688: C003B8B4 lfs f0,-18252(r3)
80F3B68C: EC21F828 fsubs f1,f1,f31
80F3B690: EC200072 fmuls f1,f0,f1
80F3B694: 4800000C b 0x80f3b6a0
80F3B698: 3C6080F4 lis r3,-32524
80F3B69C: C023B8B0 lfs f1,-18256(r3)
80F3B6A0: C004018C lfs f0,396(r4)
80F3B6A4: 3FA08044 lis r29,-32700
80F3B6A8: C064019C lfs f3,412(r4)
80F3B6AC: 387DB408 subi r3,r29,19448
80F3B6B0: EC400828 fsubs f2,f0,f1
80F3B6B4: C024017C lfs f1,380(r4)
80F3B6B8: 4B40856D bl 0x80343c24
80F3B6BC: 387DB408 subi r3,r29,19448
80F3B6C0: 389E0024 addi r4,r30,36
80F3B6C4: 4A18B761 bl 0x7f0c6e24 # offending branch?
80F3B6C8: 4B250AED bl 0x8018c1b4
80F3B6CC: A07E005C lhz r3,92(r30)
80F3B6D0: 3BA00002 li r29,2
80F3B6D4: 3B63FFFF subi r27,r3,1
80F3B6D8: 48000038 b 0x80f3b710
80F3B6DC: 807E0060 lwz r3,96(r30)
80F3B6E0: 576013BA rlwinm r0,r27,2,14,29
80F3B6E4: 7C63002E lwzx r3,r3,r0
80F3B6E8: 2C030000 cmpwi r3,0
80F3B6EC: 4182001C beq- 0x80f3b708
80F3B6F0: 80630034 lwz r3,52(r3)
80F3B6F4: 81830000 lwz r12,0(r3)
80F3B6F8: 818C0030 lwz r12,48(r12)
80F3B6FC: 7D8903A6 mtctr r12
80F3B700: 4E800421 bctrl
80F3B704: 7C7F1B78 mr r31,r3
80F3B708: 9BBF0000 stb r29,0(r31)
80F3B70C: 3B7BFFFF subi r27,r27,1
80F3B710: 2C1B0000 cmpwi r27,0
80F3B714: 4080FFC8 bge+ 0x80f3b6dc
80F3B718: 3FE08048 lis r31,-32696
80F3B71C: 3FA0804B lis r29,-32693
80F3B720: 3BFFA828 subi r31,r31,22488
80F3B724: 7FC3F378 mr r3,r30
80F3B728: 809F5F74 lwz r4,24436(r31)
80F3B72C: 3BBD9FC0 subi r29,r29,24640
80F3B730: 801F5F78 lwz r0,24440(r31)
80F3B734: 909D0048 stw r4,72(r29)
80F3B738: 901D004C stw r0,76(r29)
80F3B73C: 4B0D8A79 bl 0x800141b4
80F3B740: 809F5F90 lwz r4,24464(r31)
80F3B744: 38600001 li r3,1
80F3B748: 801F5F94 lwz r0,24468(r31)
80F3B74C: 909D0048 stw r4,72(r29)
80F3B750: 901D004C stw r0,76(r29)
80F3B754: E3E10038 psq_l f31,56(r1),0,0
80F3B758: 39610030 addi r11,r1,48
80F3B75C: CBE10030 lfd f31,48(r1)
80F3B760: 4B46D991 bl 0x803a90f0
80F3B764: 80010044 lwz r0,68(r1)
80F3B768: 7C0803A6 mtlr r0
80F3B76C: 38210040 addi r1,r1,64
80F3B770: 4E800020 blr [/spoiler]
What are we going to do with it?
I should stress that the disassembly you saw for the crash is wrong. 80F3BAA4: C01F04D0 lfs f0, 1232 (r31) was not the address the caused the crash.
When the game breakpoints, Gecko.NET reads SRR0 to determine the disassembly to display. 7F0C6E24 isn't a valid address, so it didn't update the disassembly. What you saw was the disassembly for the last successful breakpoint.
I would say that yes, 80F3B6C4: 4A18B761 bl 0x7f0c6e24 is the offending instruction. Matches the address exactly, and it also explains the value in lr.
I am surprised that it's a truly illegal instruction that's just chillin' in the middle of what appears to be perfectly valid ASM. When you start a fresh game which hasn't been hacked or poked yet, is that really what appears at 80F3B6C4? It really looks like something modified that instruction.
You could try to set an XBP on it without your code to see if it ever hits or what it's supposed to do.
Quote from: dcx2 on August 16, 2011, 04:59:09 PM
I am surprised that it's a truly illegal instruction that's just chillin' in the middle of what appears to be perfectly valid ASM. When you start a fresh game which hasn't been hacked or poked yet, is that really what appears at 80F3B6C4? It really looks like something modified that instruction.
It was modified by something...
[spoiler]80F3B47C: 4B31251C b 0x8024d998
80F3B480: 9421FFC0 stwu r1,-64(r1)
80F3B484: 7C0802A6 mflr r0
80F3B488: 90010044 stw r0,68(r1)
80F3B48C: DBE10030 stfd f31,48(r1)
80F3B490: F3E10038 psq_st f31,56(r1),0,0
80F3B494: 39610030 addi r11,r1,48
80F3B498: 4B46DC0D bl 0x803a90a4
80F3B49C: 3FE0804A lis r31,-32694
80F3B4A0: 3D0080F4 lis r8,-32524
80F3B4A4: 3BFF136C addi r31,r31,4972
80F3B4A8: 83C30570 lwz r30,1392(r3)
80F3B4AC: A8BF10CA lha r5,4298(r31)
80F3B4B0: 3BA00000 li r29,0
80F3B4B4: A81F10C2 lha r0,4290(r31)
80F3B4B8: A8DF10C8 lha r6,4296(r31)
80F3B4BC: A89F10C4 lha r4,4292(r31)
80F3B4C0: 7C050214 add r0,r5,r0
80F3B4C4: A8FF10C0 lha r7,4288(r31)
80F3B4C8: 7C862214 add r4,r6,r4
80F3B4CC: A8BF10E4 lha r5,4324(r31)
80F3B4D0: 7C040214 add r0,r4,r0
80F3B4D4: A8DF10E0 lha r6,4320(r31)
80F3B4D8: A89F10E2 lha r4,4322(r31)
80F3B4DC: 7CA72A14 add r5,r7,r5
80F3B4E0: A8FF10CC lha r7,4300(r31)
80F3B4E4: 7C862214 add r4,r6,r4
80F3B4E8: C3E8B8B0 lfs f31,-18256(r8)
80F3B4EC: 7C852214 add r4,r5,r4
80F3B4F0: 7C070214 add r0,r7,r0
80F3B4F4: 7C040215 add. r0,r4,r0
80F3B4F8: 40820010 bne- 0x80f3b508
80F3B4FC: 38000001 li r0,1
80F3B500: 981F12D4 stb r0,4820(r31)
80F3B504: 4800010C b 0x80f3b610
80F3B508: 38000000 li r0,0
80F3B50C: 981F12D4 stb r0,4820(r31)
80F3B510: 80630570 lwz r3,1392(r3)
80F3B514: 83830004 lwz r28,4(r3)
80F3B518: 807C0060 lwz r3,96(r28)
80F3B51C: 83630000 lwz r27,0(r3)
80F3B520: 2C1B0000 cmpwi r27,0
80F3B524: 4182006C beq- 0x80f3b590
80F3B528: 807B0024 lwz r3,36(r27)
80F3B52C: 38800000 li r4,0
80F3B530: 81830000 lwz r12,0(r3)
80F3B534: 818C0074 lwz r12,116(r12)
80F3B538: 7D8903A6 mtctr r12
80F3B53C: 4E800421 bctrl
80F3B540: 819B0000 lwz r12,0(r27)
80F3B544: 7F63DB78 mr r3,r27
80F3B548: 818C002C lwz r12,44(r12)
80F3B54C: 7D8903A6 mtctr r12
80F3B550: 4E800421 bctrl
80F3B554: A8FF10C0 lha r7,4288(r31)
80F3B558: 380000FF li r0,255
80F3B55C: A8DF10C2 lha r6,4290(r31)
80F3B560: 38A10008 addi r5,r1,8
80F3B564: A87F10C4 lha r3,4292(r31)
80F3B568: 38800000 li r4,0
80F3B56C: B0E10008 sth r7,8(r1)
80F3B570: B0C1000A sth r6,10(r1)
80F3B574: B061000C sth r3,12(r1)
80F3B578: B001000E sth r0,14(r1)
80F3B57C: 807B002C lwz r3,44(r27)
80F3B580: 81830000 lwz r12,0(r3)
80F3B584: 818C0060 lwz r12,96(r12)
80F3B588: 7D8903A6 mtctr r12
80F3B58C: 4E800421 bctrl
80F3B590: 807C0060 lwz r3,96(r28)
80F3B594: 83630004 lwz r27,4(r3)
80F3B598: 2C1B0000 cmpwi r27,0
80F3B59C: 41820074 beq- 0x80f3b610
80F3B5A0: 807B0024 lwz r3,36(r27)
80F3B5A4: 38800000 li r4,0
80F3B5A8: 81830000 lwz r12,0(r3)
80F3B5AC: 818C0074 lwz r12,116(r12)
80F3B5B0: 7D8903A6 mtctr r12
80F3B5B4: 4E800421 bctrl
80F3B5B8: 819B0000 lwz r12,0(r27)
80F3B5BC: 7F63DB78 mr r3,r27
80F3B5C0: 818C002C lwz r12,44(r12)
80F3B5C4: 7D8903A6 mtctr r12
80F3B5C8: 4E800421 bctrl
80F3B5CC: 3D00804A lis r8,-32694
80F3B5D0: 38A10008 addi r5,r1,8
80F3B5D4: 3908136C addi r8,r8,4972
80F3B5D8: 38800000 li r4,0
80F3B5DC: A8E810E8 lha r7,4328(r8)
80F3B5E0: A8C810EA lha r6,4330(r8)
80F3B5E4: A86810EC lha r3,4332(r8)
80F3B5E8: A80810EE lha r0,4334(r8)
80F3B5EC: B0E10008 sth r7,8(r1)
80F3B5F0: B0C1000A sth r6,10(r1)
80F3B5F4: B061000C sth r3,12(r1)
80F3B5F8: B001000E sth r0,14(r1)
80F3B5FC: 807B002C lwz r3,44(r27)
80F3B600: 81830000 lwz r12,0(r3)
80F3B604: 818C0060 lwz r12,96(r12)
80F3B608: 7D8903A6 mtctr r12
80F3B60C: 4E800421 bctrl
80F3B610: 3C60804A lis r3,-32694
80F3B614: 3863136C addi r3,r3,4972
80F3B618: 880312D4 lbz r0,4820(r3)
80F3B61C: 2C000000 cmpwi r0,0
80F3B620: 4182000C beq- 0x80f3b62c
80F3B624: 38600001 li r3,1
80F3B628: 4800012C b 0x80f3b754
80F3B62C: 3C608052 lis r3,-32686
80F3B630: 8803115C lbz r0,4444(r3)
80F3B634: 7C040775 extsb. r4,r0
80F3B638: 41800028 blt- 0x80f3b660
80F3B63C: 3C608048 lis r3,-32696
80F3B640: 3863A828 subi r3,r3,22488
80F3B644: 38634EC4 addi r3,r3,20164
80F3B648: 4B0ED98D bl 0x80028fd4
80F3B64C: 81830000 lwz r12,0(r3)
80F3B650: 818C010C lwz r12,268(r12)
80F3B654: 7D8903A6 mtctr r12
80F3B658: 4E800421 bctrl
80F3B65C: 7C7D1B78 mr r29,r3
80F3B660: 2C1D0000 cmpwi r29,0
80F3B664: 41820008 beq- 0x80f3b66c
80F3B668: C3FD0004 lfs f31,4(r29)
80F3B66C: 3C608048 lis r3,-32696
80F3B670: 3863A828 subi r3,r3,22488
80F3B674: 808361C4 lwz r4,25028(r3)
80F3B678: 2C040000 cmpwi r4,0
80F3B67C: 4182001C beq- 0x80f3b698
80F3B680: C024018C lfs f1,396(r4)
80F3B684: 3C6080F4 lis r3,-32524
80F3B688: C003B8B4 lfs f0,-18252(r3)
80F3B68C: EC21F828 fsubs f1,f1,f31
80F3B690: EC200072 fmuls f1,f0,f1
80F3B694: 4800000C b 0x80f3b6a0
80F3B698: 3C6080F4 lis r3,-32524
80F3B69C: C023B8B0 lfs f1,-18256(r3)
80F3B6A0: C004018C lfs f0,396(r4)
80F3B6A4: 3FA08044 lis r29,-32700
80F3B6A8: C064019C lfs f3,412(r4)
80F3B6AC: 387DB408 subi r3,r29,19448
80F3B6B0: EC400828 fsubs f2,f0,f1
80F3B6B4: C024017C lfs f1,380(r4)
80F3B6B8: 4B40856D bl 0x80343c24
80F3B6BC: 387DB408 subi r3,r29,19448
80F3B6C0: 389E0024 addi r4,r30,36
80F3B6C4: 4B408111 bl 0x803437d480F3B6C8: 4B250AED bl 0x8018c1b4
80F3B6CC: A07E005C lhz r3,92(r30)
80F3B6D0: 3BA00002 li r29,2
80F3B6D4: 3B63FFFF subi r27,r3,1
80F3B6D8: 48000038 b 0x80f3b710
80F3B6DC: 807E0060 lwz r3,96(r30)
80F3B6E0: 576013BA rlwinm r0,r27,2,14,29
80F3B6E4: 7C63002E lwzx r3,r3,r0
80F3B6E8: 2C030000 cmpwi r3,0
80F3B6EC: 4182001C beq- 0x80f3b708
80F3B6F0: 80630034 lwz r3,52(r3)
80F3B6F4: 81830000 lwz r12,0(r3)
80F3B6F8: 818C0030 lwz r12,48(r12)
80F3B6FC: 7D8903A6 mtctr r12
80F3B700: 4E800421 bctrl
80F3B704: 7C7F1B78 mr r31,r3
80F3B708: 9BBF0000 stb r29,0(r31)
80F3B70C: 3B7BFFFF subi r27,r27,1
80F3B710: 2C1B0000 cmpwi r27,0
80F3B714: 4080FFC8 bge+ 0x80f3b6dc
80F3B718: 3FE08048 lis r31,-32696
80F3B71C: 3FA0804B lis r29,-32693
80F3B720: 3BFFA828 subi r31,r31,22488
80F3B724: 7FC3F378 mr r3,r30
80F3B728: 809F5F74 lwz r4,24436(r31)
80F3B72C: 3BBD9FC0 subi r29,r29,24640
80F3B730: 801F5F78 lwz r0,24440(r31)
80F3B734: 909D0048 stw r4,72(r29)
80F3B738: 901D004C stw r0,76(r29)
80F3B73C: 4B0D8A79 bl 0x800141b4
80F3B740: 809F5F90 lwz r4,24464(r31)
80F3B744: 38600001 li r3,1
80F3B748: 801F5F94 lwz r0,24468(r31)
80F3B74C: 909D0048 stw r4,72(r29)
80F3B750: 901D004C stw r0,76(r29)
80F3B754: E3E10038 psq_l f31,56(r1),0,0
80F3B758: 39610030 addi r11,r1,48
80F3B75C: CBE10030 lfd f31,48(r1)
80F3B760: 4B46D991 bl 0x803a90f0
80F3B764: 80010044 lwz r0,68(r1)
80F3B768: 7C0803A6 mtlr r0
80F3B76C: 38210040 addi r1,r1,64
80F3B770: 4E800020 blr
[/spoiler]
1.) It executes all the time
2.) It changes to that illegal branch on respawn (after getting out of bounds)
Being right never gets old. ;D
WBP on the instruction that gets changed. Who is changing it?
YES YES, I DID IT!
I found the correct write.
[spoiler]
CR:28000088 XER:20000000 CTR:00000001 DSIS:02400000
DAR:80F3B6C4 SRR0:80335A3C SRR1:0000B032 LR:8033588C
r0:4A18B761 r1:80537208 r2:8052A180 r3:CA18B760
r4:4BFFFDB9 r5:80F3B920 r6:0000000F r7:80F3B41C
r8:00000000 r9:000000FF r10:00000003 r11:80537238
r12:802CE7DC r13:80525EA0 r14:00000000 r15:80000000
r16:41A00000 r17:42000000 r18:00000000 r19:00000000
r20:00000000 r21:00000000 r22:00000000 r23:80F3B3B4
r24:803E17D4 r25:80420000 r26:00000000 r27:80F3B360
r28:80F3B6C4 r29:80F3B3B4 r30:80F3BAA0 r31:00000000[/spoiler]
[spoiler]80335878: 9421FFD0 stwu r1,-48(r1)
8033587C: 7C0802A6 mflr r0
80335880: 90010034 stw r0,52(r1)
80335884: 39610030 addi r11,r1,48
80335888: 4807380D bl 0x803a9094
8033588C: 2C030000 cmpwi r3,0
80335890: 7C7A1B78 mr r26,r3
80335894: 7C9B2378 mr r27,r4
80335898: 4182000C beq- 0x803358a4
8033589C: 83E30000 lwz r31,0(r3)
803358A0: 48000008 b 0x803358a8
803358A4: 3BE00000 li r31,0
803358A8: 80A40028 lwz r5,40(r4)
803358AC: 8004002C lwz r0,44(r4)
803358B0: 7C650214 add r3,r5,r0
803358B4: 38030007 addi r0,r3,7
803358B8: 7C050050 sub r0,r0,r5
803358BC: 5400E8FE rlwinm r0,r0,29,3,31
803358C0: 7C0903A6 mtctr r0
803358C4: 7C051840 cmplw r5,r3
803358C8: 40800018 bge- 0x803358e0
803358CC: 80050000 lwz r0,0(r5)
803358D0: 7C00F840 cmplw r0,r31
803358D4: 41820014 beq- 0x803358e8
803358D8: 38A50008 addi r5,r5,8
803358DC: 4200FFF0 bdnz+ 0x803358cc
803358E0: 38600000 li r3,0
803358E4: 48000224 b 0x80335b08
803358E8: 83C50004 lwz r30,4(r5)
803358EC: 3BA00000 li r29,0
803358F0: 3F208042 lis r25,-32702
803358F4: 480001DC b 0x80335ad0
803358F8: A01E0000 lhz r0,0(r30)
803358FC: 2C1F0000 cmpwi r31,0
80335900: 7F9C0214 add r28,r28,r0
80335904: 4182001C beq- 0x80335920
80335908: 881E0003 lbz r0,3(r30)
8033590C: 807A0010 lwz r3,16(r26)
80335910: 54001838 rlwinm r0,r0,3,0,28
80335914: 7C03002E lwzx r0,r3,r0
80335918: 5403003C rlwinm r3,r0,0,0,30
8033591C: 48000008 b 0x80335924
80335920: 38600000 li r3,0
80335924: 2C040006 cmpwi r4,6
80335928: 418200C4 beq- 0x803359ec
8033592C: 40800030 bge- 0x8033595c
80335930: 2C040002 cmpwi r4,2
80335934: 41820068 beq- 0x8033599c
80335938: 40800014 bge- 0x8033594c
8033593C: 2C040000 cmpwi r4,0
80335940: 4182018C beq- 0x80335acc
80335944: 40800048 bge- 0x8033598c
80335948: 48000178 b 0x80335ac0
8033594C: 2C040004 cmpwi r4,4
80335950: 41820078 beq- 0x803359c8
80335954: 40800084 bge- 0x803359d8
80335958: 48000060 b 0x803359b8
8033595C: 2C0400C9 cmpwi r4,201
80335960: 4182016C beq- 0x80335acc
80335964: 4080001C bge- 0x80335980
80335968: 2C04000A cmpwi r4,10
8033596C: 418200B8 beq- 0x80335a24
80335970: 41800098 blt- 0x80335a08
80335974: 2C04000E cmpwi r4,14
80335978: 40800148 bge- 0x80335ac0
8033597C: 480000C8 b 0x80335a44
80335980: 2C0400CB cmpwi r4,203
80335984: 4080013C bge- 0x80335ac0
80335988: 480000DC b 0x80335a64
8033598C: 801E0004 lwz r0,4(r30)
80335990: 7C030214 add r0,r3,r0
80335994: 901C0000 stw r0,0(r28)
80335998: 48000134 b 0x80335acc
8033599C: 801E0004 lwz r0,4(r30)
803359A0: 809C0000 lwz r4,0(r28)
803359A4: 7C630214 add r3,r3,r0
803359A8: 5480078A rlwinm r0,r4,0,30,5
803359AC: 506001BA rlwimi r0,r3,0,6,29
803359B0: 901C0000 stw r0,0(r28)
803359B4: 48000118 b 0x80335acc
803359B8: 801E0004 lwz r0,4(r30)
803359BC: 7C030214 add r0,r3,r0
803359C0: B01C0000 sth r0,0(r28)
803359C4: 48000108 b 0x80335acc
803359C8: 801E0004 lwz r0,4(r30)
803359CC: 7C030214 add r0,r3,r0
803359D0: B01C0000 sth r0,0(r28)
803359D4: 480000F8 b 0x80335acc
803359D8: 801E0004 lwz r0,4(r30)
803359DC: 7C030214 add r0,r3,r0
803359E0: 5400843E rlwinm r0,r0,16,16,31
803359E4: B01C0000 sth r0,0(r28)
803359E8: 480000E4 b 0x80335acc
803359EC: 801E0004 lwz r0,4(r30)
803359F0: 7C030214 add r0,r3,r0
803359F4: 5403843E rlwinm r3,r0,16,16,31
803359F8: 54008FFE rlwinm r0,r0,17,31,31
803359FC: 7C030214 add r0,r3,r0
80335A00: B01C0000 sth r0,0(r28)
80335A04: 480000C8 b 0x80335acc
80335A08: 801E0004 lwz r0,4(r30)
80335A0C: 809C0000 lwz r4,0(r28)
80335A10: 7C630214 add r3,r3,r0
80335A14: 5480079E rlwinm r0,r4,0,30,15
80335A18: 5060043A rlwimi r0,r3,0,16,29
80335A1C: 901C0000 stw r0,0(r28)
80335A20: 480000AC b 0x80335acc
80335A24: 801E0004 lwz r0,4(r30)
80335A28: 809C0000 lwz r4,0(r28)
80335A2C: 7C030214 add r0,r3,r0
80335A30: 7C7C0050 sub r3,r0,r28
80335A34: 5480078A rlwinm r0,r4,0,30,5
80335A38: 506001BA rlwimi r0,r3,0,6,29
80335A3C: 901C0000 stw r0,0(r28)
80335A40: 4800008C b 0x80335acc
80335A44: 801E0004 lwz r0,4(r30)
80335A48: 809C0000 lwz r4,0(r28)
80335A4C: 7C030214 add r0,r3,r0
80335A50: 7C7C0050 sub r3,r0,r28
80335A54: 5480079E rlwinm r0,r4,0,30,15
80335A58: 5060043A rlwimi r0,r3,0,16,29
80335A5C: 901C0000 stw r0,0(r28)
80335A60: 4800006C b 0x80335acc
80335A64: 881E0003 lbz r0,3(r30)
80335A68: 2C1D0000 cmpwi r29,0
80335A6C: 807B0010 lwz r3,16(r27)
80335A70: 54001838 rlwinm r0,r0,3,0,28
80335A74: 7EE30214 add r23,r3,r0
80335A78: 7C03002E lwzx r0,r3,r0
80335A7C: 541C003C rlwinm r28,r0,0,0,30
80335A80: 41820024 beq- 0x80335aa4
80335A84: 801D0000 lwz r0,0(r29)
80335A88: 809D0004 lwz r4,4(r29)
80335A8C: 5418003C rlwinm r24,r0,0,0,30
80335A90: 7F03C378 mr r3,r24
80335A94: 4BFFB4F5 bl 0x80330f88
80335A98: 809D0004 lwz r4,4(r29)
80335A9C: 7F03C378 mr r3,r24
80335AA0: 4BFFB5CD bl 0x8033106c
80335AA4: 80170000 lwz r0,0(r23)
80335AA8: 540007FF rlwinm. r0,r0,0,31,31
80335AAC: 4182000C beq- 0x80335ab8
80335AB0: 7EFDBB78 mr r29,r23
80335AB4: 48000018 b 0x80335acc
80335AB8: 3BA00000 li r29,0
80335ABC: 48000010 b 0x80335acc
80335AC0: 38798860 subi r3,r25,30624
80335AC4: 4CC63182 crclr 6,6
80335AC8: 4BCD3719 bl 0x800091e0
80335ACC: 3BDE0008 addi r30,r30,8
80335AD0: 889E0002 lbz r4,2(r30)
80335AD4: 280400CB cmplwi r4,203
80335AD8: 4082FE20 bne+ 0x803358f8
80335ADC: 2C1D0000 cmpwi r29,0
80335AE0: 41820024 beq- 0x80335b04
80335AE4: 801D0000 lwz r0,0(r29)
80335AE8: 809D0004 lwz r4,4(r29)
80335AEC: 5419003C rlwinm r25,r0,0,0,30
80335AF0: 7F23CB78 mr r3,r25
80335AF4: 4BFFB495 bl 0x80330f88
80335AF8: 809D0004 lwz r4,4(r29)
80335AFC: 7F23CB78 mr r3,r25
80335B00: 4BFFB56D bl 0x8033106c
80335B04: 38600001 li r3,1
80335B08: 39610030 addi r11,r1,48
80335B0C: 480735D5 bl 0x803a90e0
80335B10: 80010034 lwz r0,52(r1)
80335B14: 7C0803A6 mtlr r0
80335B18: 38210030 addi r1,r1,48
80335B1C: 4E800020 blr [/spoiler]
Address: 80335A3C
lis r12, 0x4A18
ori r12, r12, 0xB761
cmpw r0, r12 # do we write illegal branch?
beq- _END # if yes, nop
stw r0,0(r28) # original instruction
_END:
Freefly Patch [Bully@Wiiplaza/dcx2]
C2335A3C 00000003
3D804A18 618CB761
7C006000 41820008
901C0000 00000000
;D
Glad to hear it worked. Anti-crash codes are top tier for sure.
However, instead of skipping the stw when r0 = "the wrong value", perhaps you should instead be checking r28 = "the wrong address". It's possible that the wrong value will change depending on e.g. what level you're in.
Quote from: dcx2 on August 17, 2011, 01:34:50 AM
Glad to hear it worked. Anti-crash codes are top tier for sure.
However, instead of skipping the stw when r0 = "the wrong value", perhaps you should instead be checking r28 = "the wrong address". It's possible that the wrong value will change depending on e.g. what level you're in.
damnit... it works on that area, but moving on to somewhere else black screens again :(
You were right at some point. This *new* crash was not caused by an illegal branch. But through a source register with value 0.
Pretty low in memory, actually...
[spoiler] CR:28000088 XER:20000000 CTR:8001F5D4 DSIS:04000000
DAR:00000000 SRR0:800274F8 SRR1:00009032 LR:8001F0C4
r0:00000000 r1:80537238 r2:8052A180 r3:00000000
r4:80EF5B94 r5:000000FF r6:000000FF r7:000000FF
r8:00000006 r9:00000005 r10:00000003 r11:80537218
r12:8001F5D4 r13:80525EA0 r14:00000000 r15:80000000
r16:41A00000 r17:42000000 r18:00000000 r19:00000000
r20:00000000 r21:00000000 r22:00000000 r23:803E17C0
r24:803E17D4 r25:80433958 r26:803E1930 r27:803E1964
r28:802510C4 r29:80F056D0 r30:80EF5B94 r31:80F3B968
800274E0: 80630008 lwz r3,8(r3)
800274E4: 4BFFFFDC b 0x800274c0
800274E8: 8063000C lwz r3,12(r3)
800274EC: 4BFFFFD4 b 0x800274c0
800274F0: 80630004 lwz r3,4(r3)
800274F4: 4BFFFFCC b 0x800274c0
800274F8: 80630000 lwz r3,0(r3)800274FC: 4BFFFFC4 b 0x800274c0
80027500: 80630010 lwz r3,16(r3)
80027504: 4BFFFFBC b 0x800274c0
80027508: 9421FFE0 stwu r1,-32(r1)
8002750C: 7C0802A6 mflr r0
80027510: 90010024 stw r0,36(r1)
80027514: 39610020 addi r11,r1,32
80027518: 48381B95 bl 0x803a90ac
8002751C: 880301A8 lbz r0,424(r3)
80027520: 7C7D1B78 mr r29,r3
80027524: 3BE00000 li r31,0
80027528: 7C000775 extsb. r0,r0
8002752C: 40820030 bne- 0x8002755c
80027530: 4BFFF4A1 bl 0x800269d0
80027534: 7C7E1B78 mr r30,r3
80027538: 387D00BC addi r3,r29,188
8002753C: 4BFFF48D bl 0x800269c8
80027540: 807D00B8 lwz r3,184(r29)
80027544: 7FA4EB78 mr r4,r29
80027548: 80630010 lwz r3,16(r3)
8002754C: 4BFFFF75 bl 0x800274c0
80027550: 7C7F1B78 mr r31,r3
80027554: 7FC3F378 mr r3,r30
80027558: 4BFFF471 bl 0x800269c8
8002755C: 39610020 addi r11,r1,32
80027560: 7FE3FB78 mr r3,r31
80027564: 48381B95 bl 0x803a90f8
80027568: 80010024 lwz r0,36(r1)
8002756C: 7C0803A6 mtlr r0
80027570: 38210020 addi r1,r1,32
80027574: 4E800020 blr
[/spoiler]
I feel like giving up on it now. r3 keeps changing aswell.
My guess is that the same stw that screwed you before is screwing you again. This crash feels very...random. There's no reason for game code to be stw'ing to other game code unless the pointers became corrupt. Fix corruption for one target and it simply pops up somewhere else.
One interesting thing - r12/ctr for your first crash and this crash are identical. That means it got just about as far as it did the first time before something messed it up.
I would set some XBP's on that stw, run around to get some "good" samples, and then try to cause the crash. Try to figure out what might identify when the pointer becomes corrupt.
I just noticed that my ASM code (freefly) does not work anymore in the castle since the assembly there changes (it worked in the garden).
Since the address is that high, it´s probably only on-the-fly ASM :/
I should get another hook... maybe that one won´t freeze at all.
---
stw´s don´t work since it´s always overwritten by something...
I may need to write a pointer code instead.
That one won´t fail since I already made a teleporter with pointer.
Topic terminated... :-[