Back on the scene for a while so for my next code I was thinking of a teleporting code. I figure you have to find the x y and z values then record them so you go back there. My question is how would you record a value as in save it. And I'm guessing to find the x y and z values you just move around.
Load them into gecko registers or use asm
How would I load into to a gecko register?
Quote from: toonlink444 on November 21, 2011, 10:08:24 PM
How would I load into to a gecko register?
I think that my codes are good for learning purpoises. ;D
Actually, I made all kinds of teleporters for many different games. 8)
Importance order of these examples:
1.) ASM (always possible, can be un-reasonable/un-convenient since it may affect other players aswell)
2.) Pointer (mostly possible)
3.) Base Address (seldomly possible)
NOTE: These are examples on how to do it.
1.) Base Address Teleporter using Gecko Registers
[spoiler]28XXXXXX YYYYZZZZ # store position
82210000 QQQQQQQ # X Coord Address
82210001 WWWWWWWW # Y Coord Address
82210002 RRRRRRRRR # Z Coord Address
E0000000 00000000
28XXXXXX YYYYZZZZ # load position
84210000 QQQQQQQ # X Coord Address
84210001 WWWWWWWW # Y Coord Address
84210002 RRRRRRRRR # Z Coord Address
E0000000 80008000[/spoiler]
2.) Pointer Teleporter using Gecko Registers
[spoiler]28XXXXXX YYYYZZZZ # store position
48000000 PPPPPPPP # Pointer Address
DE000000 80008180
92210000 0000QQQQ # offset 1 (X coord)
92210001 0000WWWW # offset 2 (Y coord)
92210002 0000RRRRR # offset 3 (Z coord)
E0000000 00000000
28XXXXXX YYYYZZZZ # load position
48000000 PPPPPPPP # Pointer Address
DE000000 80008180
94210000 0000QQQQ # offset 1 (X coord)
94210001 0000WWWW # offset 2 (Y coord)
94210002 0000RRRR # offset 3 (Z coord)
E0000000 80008000[/spoiler]
3.) Assembly Teleporter using free RAM space example[spoiler]Goldeneye Offline
Teleporter -PAL- [Bully@Wiiplaza]
C2044E34 0000000D
9421FFB0 BDC10008
3DC08000 3DE0805F
A1EF7422 2C0F1000
4082001C 820400F8
822400FC 82440100
920E1600 922E1604
924E1608 2C0F0010
4082001C 826E1600
828E1604 82AE1608
926400F8 928400FC
92A40100 B9C10008
38210050 C00400FC
60000000 00000000
*Press minus to save position*
*Press plus to teleport*
Address: 80044E34
stwu r1,-80(r1)
stmw r14,8(r1)
lis r14,-32768
lis r15,-32673
lhz r15,29730(r15)
cmpwi r15,4096
bne- 0x1C
lwz r16,248(r4)
lwz r17,252(r4)
lwz r18,256(r4)
stw r16,5632(r14)
stw r17,5636(r14)
stw r18,5640(r14)
cmpwi r15,16
bne- 0x1C
lwz r19,5632(r14)
lwz r20,5636(r14)
lwz r21,5640(r14)
stw r19,248(r4)
stw r20,252(r4)
stw r21,256(r4)
lmw r14,8(r1)
addi r1,r1,80
lfs f0,252(r4)
nop
[/spoiler]
Understood? ;D
I figured it out last night and it worked pretty well, but the Y axis was saved wrong and put me high in the air. Plus the gravity stopped working.
The code now only works if you don't travel that far from the saved coordinates is there a way to extend it.
Quote from: toonlink444 on November 25, 2011, 10:55:39 PM
The code now only works if you don't travel that far from the saved coordinates is there a way to extend it.
This is just a guess, but most games store "current" XYZ coords and "previous frame" XYZ coords... I wouldn't be surprised if some games don't like it when the current coords are suddenly way different from the previous coords.
But, I may be wrong.
Hmmmm :confused: so what would a good way to find a previous frame coords
Quote from: toonlink444 on November 26, 2011, 04:44:21 AM
Hmmmm :confused: so what would a good way to find a previous frame coords
They tend to be very close to current coords in memory. In fact, they may be exactly next to them. Open memory viewer with the game paused, and go frame-by-frame; note the current X coord while moving, go forward one frame, and look for that value to appear. Alternatively, breakpoints might be able to find them.
Again, I'm not certain that this is the issue you're having, but I've definitely seen games that misbehave if you poke the current coords to something very far from the previous coords. (In particular, Super Smash Bros Melee doesn't like it at all.) I think this is because the previous coords are used to calculate collision detection, but don't quote me on that.
Found the issue the screen moves when you move so I need to find the value of where the screen is to make the screen move to the place the coords were.
Any ideas on how to do this?
Quote from: toonlink444 on November 25, 2011, 10:55:39 PM
The code now only works if you don't travel that far from the saved coordinates is there a way to extend it.
this is common with almost all teleport codes i've used. and what biolizard89 mentioned may be the reason why the teleporting code won't work when the game has loaded a new area. from what i've observed when making teleport codes, there are 3 addresses you can poke and see a change in character position, and there are another 3 that also show the character coordinates but when poked won't cause a change. those addresses aren't far from the actual coordinate addresses. they are usually above them. simply try to save the current coordinates of the latter addresses i mentioned, along with the character coordinates you already found and use in your teleporting code, to see if it solves the problem.
I've seen them I'll give it a shot.
Quote from: Jay on November 28, 2011, 09:14:50 PM
Quote from: toonlink444 on November 25, 2011, 10:55:39 PM
The code now only works if you don't travel that far from the saved coordinates is there a way to extend it.
this is common with almost all teleport codes i've used. and what biolizard89 mentioned may be the reason why the teleporting code won't work when the game has loaded a new area. from what i've observed when making teleport codes, there are 3 addresses you can poke and see a change in character position, and there are another 3 that also show the character coordinates but when poked won't cause a change. those addresses aren't far from the actual coordinate addresses. they are usually above them. simply try to save the current coordinates of the latter addresses i mentioned, along with the character coordinates you already found and use in your teleporting code, to see if it solves the problem.
Yep, that's what I've seen as well. If you're not moving, the previous and current XYZ coords will be the same, so they'll show up on a search.
Hmm I made a teleport code for new super mario bros wii and it worked but for super mario galaxy I found the xyz corrds but when I poked them nothing changed.
It depends on "when" you poke them.
The game runs in frames. At some point in the frame, the code handler runs. (this is not always technically true, but it's close enough to true for this discussion)
At some point in time, the game writes Mario's coordinates to memory. Some time later, it reads them back and does stuff with them. If the selected hook causes the code handler to run after the coordinates are written, and before they are read, then everything will work.
However, if the selected hook causes the code handler to run after the coordinates are *read* and before they are *written*, then whatever the code handler writes will be over-written by the game.
I ran into this with my Televitation code. I had to write a C2 code that hooked the game just after the coordinates were written to memory, so that my C2 could over-write those coordinates when I used the activator.
EDIT:
It's also possible you found the "last frame coordinates", so that when you poked them, you didn't actually change your coordinates.
So simply storeing the coords in registers may not work. How would I go about making it a c2 code? Sounds a little more complicated. Should I use a read/write breakpoint and use that data? If so how would I turn that into a c2 code.(still not good with asm :p)
You must find a good C2 hook address that runs after the write and before the read. You need to use breakpoints to do that.
Here's the SMG2 multi-teleport/levitation code I wrote. Not the best example, because I do a lot of ASM hacks to optimize code length, and I have four teleport slots, and I also permit levitation. But hey, it's already written.
http://wiird.l0nk.org/forum/index.php/topic,6517.msg55339.html#msg55339
Hmmm thats confusing. So to get the hook I would get a coord and break when moving and find an instruction in between the read and write?
I used a write breakpoint on the coordinates. Once the BP hit, I would step over the write, and then manually poke the coordinates during the breakpoint. Then I would hit run; if my poke worked, I found the right hook. If it didn't work, I would ignore that BP address and look for a new one.
One of the problems you'll run into is that there's a common function used to copy three floats from one place to the next. If you hook this function, you'll affect every actor (the mushrooms, the goombas, coins, Yoshi, etc). You can verify this by using an execute BP on the potential hook. If it runs more than once per frame, it's probably working on everyone.
So when the BP hits, you walk the stack backwards to the caller, and repeat the execute BP check. If it runs once per frame, you've probably found the right hook.
Alright I'll give it a shot. But the address I found breaks as soon as I set it.
Quote from: toonlink444 on December 01, 2011, 11:33:42 PM
Alright I'll give it a shot. But the address I found breaks as soon as I set it.
take some looks at my assembly teleporters, too.
The general idea is to store and load to/from unused memory.
Can you post one of your codes with comments so I can see an example?
Quote from: toonlink444 on December 03, 2011, 06:04:03 AM
Can you post one of your codes with comments so I can see an example?
I made one for MKWii & TLOZ TP on geckocodes.
As I said above, it´s ideas was to load store from unused memory.
Also, the stack frame is needed to receive free registers.
So a lot of lwz and stw?
I managed to crash the game using the code. So I don't think I have the right address is there some fool proof way to find x y and z coords.
yes. if you already made a teleport code for a game, whatever you did to find the xyz coordinates for that code will be the same thing you do to find coordinates on other games. but if you need,
[spoiler]be on a flat surface. start on one spot.
search unknown.
search again for equal.
move to another spot and stop moving. *
search unknown, not equal.
search again for equal.
repeat from *
if its still too hard, see if there is a moonjump code for the game you wanna make the teleport code, and take the address used in the moonjump code. xyz coordinates are usually found before the 'moonjump' address. so view that part of the memory.[/spoiler]
what game are you trying to make the teleport code?
Super Mario Galaxy and I thought I found the Y coord but it was the Y speed so what I thought was the X and Z were the X and Z speed.
i think you just have to keep trying. if you follow the steps i mentioned on the spoiler, you're bound to find the coordinates eventually.
alrighty
Sorry for the long break between posts my grandad died so I was at his funeral. So I think I found the address and there was a few instances of lwz and stw. How would I test to see if this is the right address with out making a code that might crash the game?
Quote from: toonlink444 on December 13, 2011, 07:10:49 PM
Sorry for the long break between posts my grandad died so I was at his funeral. So I think I found the address and there was a few instances of lwz and stw. How would I test to see if this is the right address with out making a code that might crash the game?
you do some execute breakpoints on it.
IF your destination register does never change it´s value, it won´t crash...
Just keep collecting breaks until you found a reasonable one. ;D
Here´s another example on doing an assembly teleporter (link teleporter for skyward sword -PAL- [bully@wiiplaza])
[spoiler]Hook: 80244A9C
stwu r1,-80(r1)
stmw r14,8(r1)
lis r14, 0x805F
ori r14, r14, 0xDE0A
lhz r14, 0 (r14)
lis r15, 0x8000
cmpwi r14, 0x1
bne- _END
lwz r16, 192 (r31)
lwz r17, 196 (r31)
lwz r18, 200 (r31)
stw r16, 0x1500 (r15)
stw r17, 0x1504 (r15)
stw r18, 0x1508 (r15)
_END:
cmpwi r14, 0x2
bne- _END2
lwz r19, 0x1500 (r15)
lwz r20, 0x1504 (r15)
lwz r21, 0x1508 (r15)
stw r19, 192 (r31)
stw r20, 196 (r31)
stw r21, 200 (r31)
_END2:
lwz r14,8(r1)
addi r1,r1,80
lfs f2,192(r31)[/spoiler]
I kept the coding/source so that I can make easy changes to it.
I made spaces so that it´s easier to understand. ASMWiiRd has no problems with converting such a code using branch labels and spaces, though.
If I just got such useful examples as I didn´t understand all that...
I assume this is a button activator
[spoiler]lis r14, 0x805F
ori r14, r14, 0xDE0A
lhz r14, 0 (r14)
[/spoiler]
and these store the addresses value
[spoiler]lwz r16, 192 (r31)
lwz r17, 196 (r31)
lwz r18, 200 (r31)
stw r16, 0x1500 (r15)
stw r17, 0x1504 (r15)
stw r18, 0x1508 (r15)
[/spoiler]
and these load
[spoiler]lwz r19, 0x1500 (r15)
lwz r20, 0x1504 (r15)
lwz r21, 0x1508 (r15)
stw r19, 192 (r31)
stw r20, 196 (r31)
stw r21, 200 (r31)
[/spoiler]
so whats the rest of the code for?
stack frame ("make room for more registers"), compares ("if pressed") and original instruction ("lfs"). :p
is the orginal instruction needed?
yes. bully's teleporting assembly is a good template for asm teleporters. all you have to replace are the Y and Z placeholders which should be the same as what is shown on your original instruction.
stwu r1,-80(r1)
stmw r14,8(r1)
lis r14,-32768
lis r15,0xWWWW -------1st half of button activator address
ori r15,r15,0xWWWW --/2nd half of button activator address
lhz r15,0(r15)
cmpwi r15,0xTTTT -----button value to save coordinates
bne- 0x1C
lwz r16,YYY(rZ)
lwz r17,YYY(rZ) --------the original 'offset' plus 4 goes in place of Y here
lwz r18,YYY(rZ) --------the original 'offset' plus 8 goes in place of Y here
stw r16,5632(r14)
stw r17,5636(r14)
stw r18,5640(r14)
cmpwi r15,0xTTTT -----button value to restore saved coordinates
bne- 0x1C
lwz r19,5632(r14)
lwz r20,5636(r14)
lwz r21,5640(r14)
stw r19,YYY(rZ)
stw r20,YYY(rZ) ------the original 'offset' plus 4 goes in place of Y here
stw r21,YYY(rZ) ------the original 'offset' plus 8 goes in place of Y here
lmw r14,8(r1)
addi r1,r1,80
[original instruction]
the original instruction is pretty much always needed.
Give me a try on an universal template. Sry Jay, but yours is a bit confusing. ;D
[spoiler]
Hook: 8SSSSSSS
stwu r1,-80(r1)
stmw r14,8(r1)
lis r14, 0x80XX
ori r14, r14, 0xXXXX
lhz r14, 0 (r14)
lis r15, 0x8000
cmpwi r14, 0xzzzz
bne- _COORDSNOTSAVED
lwz r16, TTT (rWW)
lwz r17, TTT + 4 (rWW)
lwz r18, TTT + 8 (rWW)
stw r16, 0x1500 (r15)
stw r17, 0x1504 (r15)
stw r18, 0x1508 (r15)
_COORDSNOTSAVED:
cmpwi r14, 0xZZZZ
bne- _COORDSNOTRESTORED
lwz r19, 0x1500 (r15)
lwz r20, 0x1504 (r15)
lwz r21, 0x1508 (r15)
stw r19, TTT (rWW)
stw r20, TTT + 4 (rWW)
stw r21, TTT + 8 (rWW)
_COORDSNOTRESTORED:
lwz r14,8(r1)
addi r1,r1,80
IIII qPP, TTT (rWW)
SSSSSSS = BP Read Address on X Coordinate (may only execute for one same address)
XXXXXX = Button Activator Address
IIII = Default Instruction Name (lfs, lwz, etc.)
q = Register Type (Float "f" or Normal "r")
PP = Register Number (1-31)
TTT = Default Instruction Offset
WW = Default Instruction Source/Destination Register Number (1-31)
zzzz = Button Value for "Store Coordinates"
ZZZZ = Button Value for "Load Coordinates"[/spoiler]
Quote from: Bully@Wiiplaza on December 14, 2011, 09:12:08 AM
the original instruction is pretty much always needed.
Give me a try on an universal template. Sry Jay, but yours is a bit confusing. ;D
[spoiler]
Hook: 8SSSSSSS
stwu r1,-80(r1)
stmw r14,8(r1)
lis r14, 0x80XX
ori r14, r14, 0xXXXX
lhz r14, 0 (r14)
lis r15, 0x8000
cmpwi r14, 0xzzzz
bne- _COORDSNOTSAVED
lwz r16, TTT (rWW)
lwz r17, TTT + 4 (rWW)
lwz r18, TTT + 8 (rWW)
stw r16, 0x1500 (r15)
stw r17, 0x1504 (r15)
stw r18, 0x1508 (r15)
_COORDSNOTSAVED:
cmpwi r14, 0xZZZZ
bne- _COORDSNOTRESTORED
lwz r19, 0x1500 (r15)
lwz r20, 0x1504 (r15)
lwz r21, 0x1508 (r15)
stw r19, TTT (rWW)
stw r20, TTT + 4 (rWW)
stw r21, TTT + 8 (rWW)
_COORDSNOTRESTORED:
lwz r14,8(r1)
addi r1,r1,80
IIII qPP, TTT (rWW)
SSSSSSS = BP Read Address on X Coordinate (may only execute for one same address)
XXXXXX = Button Activator Address
IIII = Default Instruction Name (lfs, lwz, etc.)
q = Register Type (Float "f" or Normal "r")
PP = Register Number (1-31)
TTT = Default Instruction Offset
WW = Default Instruction Source/Destination Register Number (1-31)
zzzz = Button Value for "Store Coordinates"
ZZZZ = Button Value for "Load Coordinates"[/spoiler]
but its your template. i just did not include detailed explanations. the assembly it is shown exactly as it is when the code is disassembled. :D
edit: ahh yes. i see a mistake
To make sure you found the right address, set the Write BP on your coordinates, then when it hits, press Step so that the stw is executed, then go back to memview and poke the coordinate to something else. If it takes, then you will teleport once. If it doesn't take, then you didn't find the right coordinate address, or you need a different hook.
Also, one thing to keep in mind is that you don't need to use a hook that is reading/writing to coordinates for a teleporter. Since some games use the same functions for reading/writing everyone's coordinates, it might cause problems to use that hook.
Instead, once you know the offset to the coordinates (which you can get from the BP), you can go find any other ASM hook that runs every frame and has a pointer to the character you want to teleport. For instance, you could possibly set a RBP on Mario's hit points to get a hook which uses Mario's pointer, and then use that pointer with the coordinate offsets to handle the teleportation. Since other characters in the game won't have their HP displayed on the screen, you don't have to worry about the hook executing with other characters.
Quick noobish question in the bne instruction how do I know what to put in it (bne-0x??)
Quote from: dcx2 on December 14, 2011, 05:33:19 PM
To make sure you found the right address, set the Write BP on your coordinates, then when it hits, press Step so that the stw is executed, then go back to memview and poke the coordinate to something else. If it takes, then you will teleport once. If it doesn't take, then you didn't find the right coordinate address, or you need a different hook.
You said step over before
In the simple case, you'd just count how many instructions you want to skip, add 1 to it, then multiply by 4. So to skip two instructions, you would do bne 0xC.
In the WiiRD or Gecko.NET assembler, you can patch a branch by giving its absolute address, and the app will convert the absolute address to a relative offset for you. This is a special feature of WiiRD/Gecko.NET in particular. This only works because the address of the branch and its destination are known it is assembled.
If you're writing your own ASM routine for ASMWiiRD or PyiiASMH, then you can just use branch labels. In Bully's example, the branch labels are _COORDSNOTSAVED and _COORDSNOTRESTORED. This is easier than counting instructions.
By convention, I typically prefix branch labels with an underscore, and I make them all caps. You can use the branch label to avoid calculating the branch distance by hand. The "destination" of the label will be the label suffixed with a :
---
Step Into and Step Over behave the same, except when the current instruction is a bl. Step Over will step "over" the bl so that you are not taken into its execution. Step Into will step "into" the bl so you can keep following it along. Step Out is different, it will always take you "out" of the current function to the caller.
Gotcha. Alrighty back to work havent sat down and really worked hard on the assembling.
Well none of my addresses took so I'm left to searching again. Is there a possiblity that the addresses are stored differently?
Did you make sure to step, so that the stw had already executed? If you poke before stepping, the stw will over-write your poke.
It's also possible there's more than one copy of the coordinates.
Quote from: dcx2 on December 14, 2011, 05:33:19 PM
Also, one thing to keep in mind is that you don't need to use a hook that is reading/writing to coordinates for a teleporter. Since some games use the same functions for reading/writing everyone's coordinates, it might cause problems to use that hook.
Instead, once you know the offset to the coordinates (which you can get from the BP), you can go find any other ASM hook that runs every frame and has a pointer to the character you want to teleport. For instance, you could possibly set a RBP on Mario's hit points to get a hook which uses Mario's pointer, and then use that pointer with the coordinate offsets to handle the teleportation. Since other characters in the game won't have their HP displayed on the screen, you don't have to worry about the hook executing with other characters.
good point, but e.g. Mario is the only "object" that is affected by the coordinates assembly.
Same for Link on Skyward Sword, James Bond on GE (Story Mode).
My template will probably fail, when it does use multiple people´s coordinates (had that on Water Warfare).
Then, an additional branch probably does the job ("are we affecting P1 or not?")
Alternatively, one can use Pointer + Gecko Register, if it should not affect anything else. :P
yep I hit step over every time it broke on a stw then poked. Should I poke even if it isn't stw?
Quote from: toonlink444 on December 15, 2011, 08:44:04 PM
yep I hit step over every time it broke on a stw then poked. Should I poke even if it isn't stw?
just skip it, it will take like forever to teach, if you do all that stuff.
You probably don´t need to do it anyways. :eek:
Are you saying that i'm incapable?
Quote from: toonlink444 on December 15, 2011, 09:10:23 PM
Are you saying that i'm incapable?
no, but it´s so much that could make it fail, it would take very long to talk about each single case.
Alright but before I throw in the towel could the addresses be in the 90000000 - 93400000 range?
Quote from: toonlink444 on December 15, 2011, 09:16:59 PM
Alright but before I throw in the towel could the addresses be in the 90000000 - 93400000 range?
so you didn´t even find the coordinates in memory once? ???
We were talking about how to set up your code...
I mostly search greater/less than when jumping up/down.
Notice that it could be either mem80 and 90. Some games may also use a lower value the higher you are and a greater value the downer you are.
Quote from: toonlink444 on December 15, 2011, 02:17:14 AM
Well none of my addresses took so I'm left to searching again. Is there a possiblity that the addresses are stored differently?
The code didn't teleport me so I figured I must have a bad address
There may also be a psq_st instruction that writes the coordinates. Pretty sure that's how SMG2 worked. It's usually a very short function, two psq_l's and two psq_st's. It's just copying the coordinates from one memory location to another; psq instructions can load/store 8 bytes instead of 4, so sometimes the compiler will use them to optimize a memory transfer.
This type of function with psq instructions will often be re-used in many places. Hackers often try to hook this instruction, with devastating consequences. Typically, walking the stack back one level, and hooking a few instructions before the bl that calls the psq function, will provide a much better hook.
You can repeat the same procedure for psq_st that you do for stw.
The coordinates are probably not in MEM2. I'll be on vacation soon. I might try to give you some guidance by checking it out.
Everytime I have found coordinates poking them never teleported me, I used to find coordinates to make walk through walls codes but now I have a much better method
Quote from: dcx2 on December 15, 2011, 11:48:39 PM
There may also be a psq_st instruction that writes the coordinates. Pretty sure that's how SMG2 worked. It's usually a very short function, two psq_l's and two psq_st's. It's just copying the coordinates from one memory location to another; psq instructions can load/store 8 bytes instead of 4, so sometimes the compiler will use them to optimize a memory transfer.
This type of function with psq instructions will often be re-used in many places. Hackers often try to hook this instruction, with devastating consequences. Typically, walking the stack back one level, and hooking a few instructions before the bl that calls the psq function, will provide a much better hook.
You can repeat the same procedure for psq_st that you do for stw.
The coordinates are probably not in MEM2. I'll be on vacation soon. I might try to give you some guidance by checking it out.
I've been skipping over the ones with the psq instructions that may be helpful. Have a good vacation.
Quote from: dcx2 on December 15, 2011, 11:48:39 PM
This type of function with psq instructions will often be re-used in many places. Hackers often try to hook this instruction, with devastating consequences. Typically, walking the stack back one level, and hooking a few instructions before the bl that calls the psq function, will provide a much better hook.
that´s what I did and it succeeded quite well. ;D
It seems you are having a bit of difficulty finding the actual coordinates. perhaps because they may have a value that is always slightly changing. i think some games have certain coordinates like that. so unless you really knew how you wanted to try finding the coordinates, it would take a really hard time finding them. if no matter what you try you still cannot find the coordinates, then assume that the coordinates are always being affected in some way even though you may not be moving. so, use the game's start/pause. that should stop coordinates from having slight changes, if they are.
edit: OR you may have been searching on the wrong mem indeed.
so, to make things easier if this game has a moon jump code made for it, set an execute breakpoint on the address used for the game's moon jump code. moon jump address & xyz coordinates should be on the same mem and xyz coordinates are always located some addresses before the moon jump address.
Here's my code.
[spoiler]C23E0C40 0000000E
9421FFB0 BDC10008
3DC08061 61CED340
A1CE0000 3DE0806E
2C0E4008 40820020
3C60805F 82036AD4
82236AD8 82436ADC
920F7460 922F7464
924F7468 2C0E4004
4082001C 826F7460
828F7464 82AF7468
92636AD4 92836AD8
92A36ADC 81C10008
38210050 D0030008
60000000 00000000[/spoiler]
Yet it freezes the game. Is there an error or is it another bad address?
so you found the real coordinates after all, huh?
if you did, it may be a bad address. try using a read bp instead of a write. use the same assembly, replacing each template placeholder with the correct values used on the original instruction the point broke on.
no, don´t use a breakpoint write there.
You know why? The last stfs will overwrite anything that was achieved by your code...
Does it freeze instantly? It shouldn´t... it must be a bad address.
So as not to remove all the challenge, I will use SMG2 as an example. You can then try to use the same technique for SMG. It is pretty much a walkthrough on how to do it. It's a lot to digest, but it's very careful and deliberate, and I try to show you each step involved in the process that I take.
Using some method, determine the location of Mario's coordinates. There's a few ways to do this; use someone's existing hook to get close, do some searches as mentioned above, it doesn't matter. I deliberately chose a result that won't work at first, just to demonstrate how to follow the chain.
I determined that there are usually many copies of Mario's coordinates in memory at any one time. Two of them are very, very close to each other. In my case, they were 812733D0 and 812733DC. Switch MemView to Single, turn on auto-update, and make Mario jump. I see a value that looks obviously like it's a coordinate. I Right click, "Copy All Cells" and I can save this in a notepad somewhere. In the following two snapshots, you can see the one coordinate falling, I have it highlighted.
[spoiler]81273360 0 0 4.6E-42 0
81273370 4.8E-42 0 0 0
81273380 0 0 0 0
81273390 0 0 0 0
812733A0 0 0 0 0
812733B0 0 -3.1E-38 4.2E-39 2.9E-44
812733C0 0 0 0 -10.6335
812733D0 *2352.8* -43.1877 -10.6335 *2335.6*
812733E0 -43.1877 5.1E-42 0 0
812733F0 0 0 9.2E-41 0
81273400 0 0 0 0
81273410 0 0 1 0
81273420 0 0 0 1
81273430 0 0 0 0
81273440 1 0 -9.9E-39 -3.1E-38
81273450 0 NaN -5.2E-39 -4E-38[/spoiler]
[spoiler]81273360 0 0 4.6E-42 0
81273370 4.8E-42 0 0 0
81273380 0 0 0 0
81273390 0 0 0 0
812733A0 0 0 0 0
812733B0 0 -3.1E-38 4.2E-39 3.2E-44
812733C0 0 0 0 -10.6335
812733D0 *2317.5* -43.1877 -10.6335 *2298.5*
812733E0 -43.1877 5.1E-42 0 0
812733F0 0 0 9.2E-41 0
81273400 0 0 0 0
81273410 0 0 1 0
81273420 0 0 0 1
81273430 0 0 0 0
81273440 1 0 -9.9E-39 -3.1E-38
81273450 0 NaN -5.2E-39 -4E-38[/spoiler]
I'm going to choose 812733D0. Right click, set breakpoint; on the BP tab, Read/Write (I like RW when logging, normally it would be just Write), check "Step Log", "SB4E01 coords.log" Spam the Set button; literally, click it as fast as possible while watching the screen. Pressing space bar once it's the active button works too. I want to keep doing this until I see a few frames of movement.
[spoiler=RWBP coords log]
8000E748: F0230000 psq_st f1,0(r3),0,0 f1 = -254.849 r3 = 812733CC [812733CC] = C37ED935
80037068: E0060000 psq_l f0,0(r6),0,0 f0 = 0 r6 = 812733CC [812733CC] = C37ED935
80037068: E0060000 psq_l f0,0(r6),0,0 f0 = -245.726 r6 = 812733CC [812733CC] = C37ED935
8000E748: F0230000 psq_st f1,0(r3),0,0 f1 = -245.726 r3 = 812733CC [812733CC] = C375B9C0
80037068: E0060000 psq_l f0,0(r6),0,0 f0 = 0 r6 = 812733CC [812733CC] = C375B9C0
80037068: E0060000 psq_l f0,0(r6),0,0 f0 = -236.617 r6 = 812733CC [812733CC] = C375B9C0
8000E748: F0230000 psq_st f1,0(r3),0,0 f1 = -236.617 r3 = 812733CC [812733CC] = C36C9DF4
80037068: E0060000 psq_l f0,0(r6),0,0 f0 = 0 r6 = 812733CC [812733CC] = C36C9DF4
80037068: E0060000 psq_l f0,0(r6),0,0 f0 = -227.523 r6 = 812733CC [812733CC] = C36C9DF4
8000E748: F0230000 psq_st f1,0(r3),0,0 f1 = -227.523 r3 = 812733CC [812733CC] = C36385CA
80037068: E0060000 psq_l f0,0(r6),0,0 f0 = 0 r6 = 812733CC [812733CC] = C36385CA
80037068: E0060000 psq_l f0,0(r6),0,0 f0 = -218.791 r6 = 812733CC [812733CC] = C36385CA
[/spoiler]
You can identify the pattern. They all access the same memory address, 812733CC. But that's not my address! 812733D0 was my address. If I look at DAR on BP tab, it is in fact 812733D0. psq_st can write 8 bytes, and it's the last four bytes that hit the breakpoint. DAR will always tell the address that was being accessed for a Read or Write breakpoint.
There's only one store in this list, the psq_st at 8000E748. That's a candidate for a hook. So how good of a hook is this? Right-click the breakpoint instruction on the disassembly tab, "Copy Function". Here's the entire function
[spoiler=bp function]
8000E740: E0240000 psq_l f1,0(r4),0,0
8000E744: C0040008 lfs f0,8(r4)
8000E748: F0230000 psq_st f1,0(r3),0,0
8000E74C: D0030008 stfs f0,8(r3)
8000E750: 4E800020 blr
[/spoiler]
This is just copying from r4 to r3. So it probably touches a lot. Execute BP on 8000E748 to see how many addresses this ASM touches. Spam the Set button again.
I'll spare you the full log, but there's a bunch. I didn't feel like pressing Set enough times to see a frame go by. If any address differs from what was found initially (812733D0), it's bad.
[spoiler=XBP coords log (partial)]
8000E748: F0230000 psq_st f1,0(r3),0,0 f1 = 0 r3 = 807F2BAC [807F2BAC] = C33EB232
8000E748: F0230000 psq_st f1,0(r3),0,0 f1 = -190.696 r3 = 810A8D68 [810A8D68] = C348EB67
8000E748: F0230000 psq_st f1,0(r3),0,0 f1 = 0 r3 = 807F2BAC [807F2BAC] = C33EB232
8000E748: F0230000 psq_st f1,0(r3),0,0 f1 = 0 r3 = 807F2BAC [807F2BAC] = C33BA6E9
8000E748: F0230000 psq_st f1,0(r3),0,0 f1 = 0 r3 = 807F2B6C [807F2B6C] = C33A1E76
8000E748: F0230000 psq_st f1,0(r3),0,0 f1 = -186.119 r3 = 810A8D68 [810A8D68] = C33EB232
[/spoiler]
None of these addresses match our address. So this is a bad hook. Back to WBP on 812733D0. Now we want to find the caller. Go to the disassembly tab, double click the Call Stack. I see 8000E748 (my breakpoint) at the top. The Call Stack looks like this
[spoiler=call stack]8000E748 (bp)
80405EC8 (bp's caller)
80388974 (bp's caller's caller)
803C22CC (bp's caller's caller's caller)
803C215C (you get the point!)
803C1FCC
803C1C3C
802376B4
803C1874
8033A168
80339DA8
80458DD4
80457ED8
80451E60
802431FC
804518B0
804BA668
804B6D18
804B6F58
802431FC
804B6C50
804B6AA0
804B64C0
800041B0
[/spoiler]
Whew, that's pretty deep. Double click the bp's caller (second from top, 80405EC8). Copy Function.
[spoiler=bp's caller]80405EB0: 9421FFF0 stwu r1,-16(r1)
80405EB4: 7C0802A6 mflr r0
80405EB8: 3883000C addi r4,r3,12
80405EBC: 90010014 stw r0,20(r1)
80405EC0: 93E1000C stw r31,12(r1)
80405EC4: 7C7F1B78 mr r31,r3
80405EC8: 4BC08879 bl 0x8000e740 # calls bp
80405ECC: 38600001 li r3,1
80405ED0: 38000000 li r0,0
80405ED4: 987F0019 stb r3,25(r31)
80405ED8: 981F0018 stb r0,24(r31)
80405EDC: 83E1000C lwz r31,12(r1)
80405EE0: 80010014 lwz r0,20(r1)
80405EE4: 7C0803A6 mtlr r0
80405EE8: 38210010 addi r1,r1,16
80405EEC: 4E800020 blr
[/spoiler]
bl 0x8000e740 would be the start of the function that the breakpoint found (remember the bp was 8000E748 - a mere two instructions after this bl)
Make sure this is a good hook. XBP on 80405ECC (the instruction after the bl, so that we can over-write whatever was copied) a few times and each time a frame of movement passes, which means this is a good hook. At this point, it is safe to change areas, reboot the game, etc. I will never have to search for Mario's coordinates again because I know 80405EC4 will always give me a pointer to his coordinates via r3. Save that address in a text file somewhere so it can't be lost.
Okay, so it seems all good. Since I XBP'd on 80405ECC, I'm already after the write (which happens during the bl), so go to MemView tab and poke 812733D0 during the breakpoint. Since the mode is set to Single, and I can see the value was around 2100 on the ground, so I put 2500 into the Selected Address, then right-click, "convert float to hex" . Then poke and then click run.
If I'm lucky, Mario will move and it's done, this is the hook. If I'm not (I wasn't), then follow the chain again. This function is copying from one address to another, so let's try that other address. Since it's copying from r4 to r3, let's look at r4. As it turns out, r4 is that nearby address, 812733DC. WBP on 812733DC. It hits this function
[spoiler]80405F90: 9421FFF0 stwu r1,-16(r1)
80405F94: 7C0802A6 mflr r0
80405F98: 90010014 stw r0,20(r1)
80405F9C: 93E1000C stw r31,12(r1)
80405FA0: 7C9F2378 mr r31,r4
80405FA4: 93C10008 stw r30,8(r1)
80405FA8: 7C7E1B78 mr r30,r3
80405FAC: 8803002C lbz r0,44(r3)
80405FB0: 2C000000 cmpwi r0,0
80405FB4: 40820044 bne- 0x80405ff8
80405FB8: 88030019 lbz r0,25(r3)
80405FBC: 2C000000 cmpwi r0,0
80405FC0: 41820020 beq- 0x80405fe0
80405FC4: 3863000C addi r3,r3,12
80405FC8: 481C2C49 bl 0x805c8c10
80405FCC: C0021800 lfs f0,6144(r2)
80405FD0: FC010040 fcmpo cr0,f1,f0
80405FD4: 4081000C ble- 0x80405fe0
80405FD8: 38000001 li r0,1
80405FDC: 981E0018 stb r0,24(r30)
80405FE0: C01F0000 lfs f0,0(r31)
80405FE4: D01E000C stfs f0,12(r30)
80405FE8: C01F0004 lfs f0,4(r31)
80405FEC: D01E0010 stfs f0,16(r30)
80405FF0: C01F0008 lfs f0,8(r31)
80405FF4: D01E0014 stfs f0,20(r30)
80405FF8: 80010014 lwz r0,20(r1)
80405FFC: 83E1000C lwz r31,12(r1)
80406000: 83C10008 lwz r30,8(r1)
80406004: 7C0803A6 mtlr r0
80406008: 38210010 addi r1,r1,16
8040600C: 4E800020 blr
[/spoiler]
XBP on 80405FF0, after it hits, MemView tab, poke with 2500 Float to Hex, run. Fail again! Follow the chain. Now it's copying from r31 to r30. Look at r31 (in my case, 8126E334). Set a WBP on that.
[spoiler]8000E740: E0240000 psq_l f1,0(r4),0,0
8000E744: C0040008 lfs f0,8(r4)
8000E748: F0230000 psq_st f1,0(r3),0,0
8000E74C: D0030008 stfs f0,8(r3)
8000E750: 4E800020 blr
[/spoiler]
Hey, this looks familiar. It's our first BP's function, but writing to a different address. Disasm tab, double-click a blank spot in the call stack to reload it (blank spot so it does not take you to that address) and it will reload (or you can right-click call stack to reload it). The second from the top is now 803880A8, so I will XBP on 803880AC (the instruction after it). Here is the function
[spoiler]80387FC0: 9421FFD0 stwu r1,-48(r1)
80387FC4: 7C0802A6 mflr r0
80387FC8: 90010034 stw r0,52(r1)
80387FCC: 93E1002C stw r31,44(r1)
80387FD0: 93C10028 stw r30,40(r1)
80387FD4: 7C7E1B78 mr r30,r3
80387FD8: 480000F9 bl 0x803880d0
80387FDC: 7FC3F378 mr r3,r30
80387FE0: 48000171 bl 0x80388150
80387FE4: 801E0014 lwz r0,20(r30)
80387FE8: 5400A7FF rlwinm. r0,r0,20,31,31
80387FEC: 4182004C beq- 0x80388038
80387FF0: 809E0138 lwz r4,312(r30)
80387FF4: 38610014 addi r3,r1,20
80387FF8: C03E0710 lfs f1,1808(r30)
80387FFC: 38BE06EC addi r5,r30,1772
80388000: 3884000C addi r4,r4,12
80388004: 38DE06F8 addi r6,r30,1784
80388008: 4BCC9759 bl 0x80051760
8038800C: 80BE0138 lwz r5,312(r30)
80388010: 38610008 addi r3,r1,8
80388014: 38810014 addi r4,r1,20
80388018: 3BE5000C addi r31,r5,12
8038801C: 4BC84135 bl 0x8000c150
80388020: 7FE4FB78 mr r4,r31
80388024: 38610008 addi r3,r1,8
80388028: 4BC94BC9 bl 0x8001cbf0
8038802C: 807E0138 lwz r3,312(r30)
80388030: 38810008 addi r4,r1,8
80388034: 4807DFDD bl 0x80406010
80388038: 801E000C lwz r0,12(r30)
8038803C: 54000FFF rlwinm. r0,r0,1,31,31
80388040: 41820010 beq- 0x80388050
80388044: 7FC3F378 mr r3,r30
80388048: 48000259 bl 0x803882a0
8038804C: 48000028 b 0x80388074
80388050: 7FC3F378 mr r3,r30
80388054: 48022FFD bl 0x803ab050
80388058: 2C030000 cmpwi r3,0
8038805C: 41820010 beq- 0x8038806c
80388060: 7FC3F378 mr r3,r30
80388064: 4800058D bl 0x803885f0
80388068: 4800000C b 0x80388074
8038806C: 7FC3F378 mr r3,r30
80388070: 48000641 bl 0x803886b0
80388074: 7FC3F378 mr r3,r30
80388078: 48022B39 bl 0x803aabb0
8038807C: 7C641B78 mr r4,r3
80388080: 807E0138 lwz r3,312(r30)
80388084: 4807DE6D bl 0x80405ef0
80388088: 807E0004 lwz r3,4(r30)
8038808C: 389E0160 addi r4,r30,352
80388090: 38630038 addi r3,r3,56
80388094: 4BC866AD bl 0x8000e740
80388098: 807E0004 lwz r3,4(r30)
8038809C: 809E0138 lwz r4,312(r30)
803880A0: 38630014 addi r3,r3,20
803880A4: 3884000C addi r4,r4,12
803880A8: 4BC86699 bl 0x8000e740
803880AC: 80010034 lwz r0,52(r1)
803880B0: 83E1002C lwz r31,44(r1)
803880B4: 83C10028 lwz r30,40(r1)
803880B8: 7C0803A6 mtlr r0
803880BC: 38210030 addi r1,r1,48
803880C0: 4E800020 blr
[/spoiler]
After the XBP hits, go to MemView, poke the new address with 2500 float to hex, hit Run. Mario Teleported! Third time is a charm. XBP on 803880AC a few times, and you'll see it is also a good hook; one frame per breakpoint. Your pointer to over-write is in r3 (remember, it is copying from r4 to r3). OR you could hook 803880A4, and your pointer would be in r4 (though in this particular case, hooking before the call to the bp, I would put the original instruction at the beginning instead of the end like we usually do)
And if you look at my SMG2 teleporter, you'll see that indeed, I use 803880AC for my hook.
Nice explanation. I'll get to work tomorrow. Thanks It's my winter break now so I'll finish this code then work on littler things so you guys can do stuff that I can't fathom.
I found a hook connected to address that stores one of the coords. But it doesn't teleport me when I do a xbp on it. I follow the stack but noone of them teleport me. And the hook connected to the address messes up mario. I would post a picture but I have no idea how to.
Just take a screenshot with Gecko.NET or WiiRd
You need to give more details about what you're trying to do, so that we know you found the right thing.
What breakpoint did you find? What was the call stack? When it didn't work, did you follow the chain?
One step at a time. The first step is to collect data about the first Write Breakpoint on the coordinates. So find the coordinates, then set the WBP. Once it hits, click "Text View" on the BP tab so you can highlight the registers and copy/paste them into a spoiler here. Then go to the disasm tab, right-click the highlighted line, and Copy Function, and paste it into a spoiler. Then right-click the Call Stack listbox, Load, wait until it finishes, and then right click again and Copy All, then paste into a third spoiler.
Once you post this info, we'll do the next step.
*Breaths* alright give me a bit my tv is being used.
Here are the registers:
[spoiler]CR:24000088 XER:00000000 CTR:802E95B0 DSIS:02400000
DAR:805F6AD4 SRR0:80018B1C SRR1:0000A032 LR:803E0C50
r0:803E0C3C r1:806BD488 r2:806AB280 r3:805F6AD4
r4:80FB3894 r5:00000773 r6:81347C68 r7:00000391
r8:00000000 r9:00000005 r10:0000000B r11:806BD478
r12:00000003 r13:806A4CA0 r14:00000001 r15:806BD9B4
r16:806BD6D4 r17:805B02E8 r18:00000000 r19:00000000
r20:00000000 r21:00000001 r22:00000000 r23:00000000
r24:806BD49C r25:80FB3830 r26:805F6A70 r27:00000000
r28:805F6A70 r29:00000000 r30:806BD5B8 r31:00000001
f0:C58C7C41 f1:455424D4 f2:4000009E f3:40400000
f4:3F000000 f5:3C23D70A f6:3FFFF87E f7:C58C7C41
f8:3F800000 f9:80000000 f10:80000000 f11:80000000
f12:00000000 f13:3F4DC876 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:42A00000 f30:42C80000 f31:41F00001[/spoiler]
The function:
[spoiler]80018B14: E0240000 psq_l f1,0(r4),0,0
80018B18: C0040008 lfs f0,8(r4)
80018B1C: F0230000 psq_st f1,0(r3),0,0
80018B20: D0030008 stfs f0,8(r3)
80018B24: 4E800020 blr
[/spoiler]
The call stack:
[spoiler]80018B1C
803E0C4C
803E23EC
802D3878
802AD564
802ACF68
802B0CC8
802B0AB8
802B0980
802B0854
8016551C
802AFE00
80261B88
8026181C
80344840
80343C1C
8033F7C8
8016FB14
8033E774
8039D304
80399D98
80399EBC
8016FB14
80399C9C
80399B20
803995C0
800041A0
[/spoiler]
The hook I used was 80018B1C because it lead me back to it.
That's much more useful.
That function is a bad hook. An "XBP test" on 80018B1C will probably hit many times per frame. That's the sign of a bad hook, XBP that hits too often.
That means walk the stack. The top of the stack is 80018B1C, and its caller is 803E0C4C (second from the top). The function at 80018B1C has two arguments that are passed to it by the caller; r3 and r4. It's purpose is to copy three floats from the pointer in r4 to the pointer in r3.
The good news is that you won't need to do memory searches for Mario's coordinates anymore. To find his coordinates, set an XBP on 803E0C4C. Then, look in r3. This will be a pointer to Mario's coordinates, just before they are passed to 80018B1C. (this assumes 803E0C4C is a good hook, which it probably is; an XBP test would confirm) r4 will have a pointer to another copy of the coordinates.
It's usually a good idea to look at the caller. So go to the disasm tab, go to 803E0C4C, right click, Copy Function, paste into spoiler. You do NOT need to be at a breakpoint for this.
---
To test this hook to see if it can teleport you, set an XBP on 803E0C50 (this is the instruction AFTER the call 803E0C4C: ???????? bl 0x80018B1C). Once the XBP hits, grab the address from r3, go to that address in Memory Viewer. I always suggest a MemView Auto-Update while running to verify that you found the right thing, jump up and down a few times and you should see the Y coordinate.
If you clicked run, go back to BP tab and set another XBP on 803E0C50; this must be done as a "breakpoint poke". Once it hits, go back and poke the Y coordinate to something much bigger, add at least a few hundred in float to the coordinate (i.e. so if the float is 2000, make it 2500 or something like that, you will have to convert some hex to float and back again).
Post back with your results.
Here's 803E0C4C' s function:
[spoiler]803E0AA4: 9421FF20 stwu r1,-224(r1)
803E0AA8: 7C0802A6 mflr r0
803E0AAC: 900100E4 stw r0,228(r1)
803E0AB0: DBE100D0 stfd f31,208(r1)
803E0AB4: F3E100D8 psq_st f31,216(r1),0,0
803E0AB8: 396100D0 addi r11,r1,208
803E0ABC: 48136A5D bl 0x80517518
803E0AC0: 7C7E1B78 mr r30,r3
803E0AC4: 7C972378 mr r23,r4
803E0AC8: 7CB62B78 mr r22,r5
803E0ACC: 7CD53378 mr r21,r6
803E0AD0: 4BD94D8D bl 0x8017585c
803E0AD4: 8063000C lwz r3,12(r3)
803E0AD8: 7EE4BB78 mr r4,r23
803E0ADC: 7EC5B378 mr r5,r22
803E0AE0: 38C00000 li r6,0
803E0AE4: 80630000 lwz r3,0(r3)
803E0AE8: 38E00000 li r7,0
803E0AEC: 39000000 li r8,0
803E0AF0: 4BD9350D bl 0x80173ffc
803E0AF4: 2C030000 cmpwi r3,0
803E0AF8: 7C7F1B78 mr r31,r3
803E0AFC: 4082000C bne- 0x803e0b08
803E0B00: 38600000 li r3,0
803E0B04: 48000188 b 0x803e0c8c
803E0B08: 3B400000 li r26,0
803E0B0C: 3B210014 addi r25,r1,20
803E0B10: 7F58D378 mr r24,r26
803E0B14: 3B600000 li r27,0
803E0B18: 3B800000 li r28,0
803E0B1C: 48000044 b 0x803e0b60
803E0B20: 4BD94D3D bl 0x8017585c
803E0B24: 8063000C lwz r3,12(r3)
803E0B28: 7F64DB78 mr r4,r27
803E0B2C: 80630000 lwz r3,0(r3)
803E0B30: 4BD93BA5 bl 0x801746d4
803E0B34: 2C150000 cmpwi r21,0
803E0B38: 7C79E12E stwx r3,r25,r28
803E0B3C: 4182001C beq- 0x803e0b58
803E0B40: 7C79E02E lwzx r3,r25,r28
803E0B44: 80030008 lwz r0,8(r3)
803E0B48: 7C00A840 cmplw r0,r21
803E0B4C: 4082000C bne- 0x803e0b58
803E0B50: 7F19E12E stwx r24,r25,r28
803E0B54: 3B5A0001 addi r26,r26,1
803E0B58: 3B7B0001 addi r27,r27,1
803E0B5C: 3B9C0004 addi r28,r28,4
803E0B60: 7C1BF840 cmplw r27,r31
803E0B64: 4180FFBC blt+ 0x803e0b20
803E0B68: 7C1AF850 sub r0,r31,r26
803E0B6C: 28000020 cmplwi r0,32
803E0B70: 900DD998 stw r0,-9832(r13)
803E0B74: 4180000C blt- 0x803e0b80
803E0B78: 38000020 li r0,32
803E0B7C: 900DD998 stw r0,-9832(r13)
803E0B80: 3F40805F lis r26,-32673
803E0B84: 3B010014 addi r24,r1,20
803E0B88: 3B5A6A70 addi r26,r26,27248
803E0B8C: 3AE00000 li r23,0
803E0B90: 3BA00000 li r29,0
803E0B94: 3B600000 li r27,0
803E0B98: 480000E8 b 0x803e0c80
803E0B9C: C3E21AFC lfs f31,6908(r2)
803E0BA0: 3AC00000 li r22,0
803E0BA4: 3AA00000 li r21,0
803E0BA8: 3B800000 li r28,0
803E0BAC: 48000060 b 0x803e0c0c
803E0BB0: 7C18E02E lwzx r0,r24,r28
803E0BB4: 2C000000 cmpwi r0,0
803E0BB8: 4182004C beq- 0x803e0c04
803E0BBC: 4BD94CA1 bl 0x8017585c
803E0BC0: 8063000C lwz r3,12(r3)
803E0BC4: 7EA4AB78 mr r4,r21
803E0BC8: 80630000 lwz r3,0(r3)
803E0BCC: 4BD93B09 bl 0x801746d4
803E0BD0: 7C791B78 mr r25,r3
803E0BD4: 7FC4F378 mr r4,r30
803E0BD8: 38610008 addi r3,r1,8
803E0BDC: 4BC37FB1 bl 0x80018b8c
803E0BE0: 38610008 addi r3,r1,8
803E0BE4: 38990064 addi r4,r25,100
803E0BE8: 4BC3F909 bl 0x800204f0
803E0BEC: 38610008 addi r3,r1,8
803E0BF0: 480D6065 bl 0x804b6c54
803E0BF4: FC1F0840 fcmpo cr0,f31,f1
803E0BF8: 4081000C ble- 0x803e0c04
803E0BFC: 7EB6AB78 mr r22,r21
803E0C00: FFE00890 fmr f31,f1
803E0C04: 3AB50001 addi r21,r21,1
803E0C08: 3B9C0004 addi r28,r28,4
803E0C0C: 7C15F840 cmplw r21,r31
803E0C10: 4180FFA0 blt+ 0x803e0bb0
803E0C14: 4BD94C49 bl 0x8017585c
803E0C18: 8063000C lwz r3,12(r3)
803E0C1C: 7EC4B378 mr r4,r22
803E0C20: 80630000 lwz r3,0(r3)
803E0C24: 4BD93AB1 bl 0x801746d4
803E0C28: 7C791B78 mr r25,r3
803E0C2C: 7F9AEA14 add r28,r26,r29
803E0C30: 7F83E378 mr r3,r28
803E0C34: 7F24CB78 mr r4,r25
803E0C38: 4BECDA75 bl 0x802ae6ac
803E0C3C: C0190060 lfs f0,96(r25)
803E0C40: 387C0064 addi r3,r28,100
803E0C44: 38990064 addi r4,r25,100
803E0C48: D01C0060 stfs f0,96(r28)
803E0C4C: 4BC37EC9 bl 0x80018b14
803E0C50: 387C0070 addi r3,r28,112
803E0C54: 38990070 addi r4,r25,112
803E0C58: 4BC37EBD bl 0x80018b14
803E0C5C: 387C007C addi r3,r28,124
803E0C60: 3899007C addi r4,r25,124
803E0C64: 4BC37EB1 bl 0x80018b14
803E0C68: 88790088 lbz r3,136(r25)
803E0C6C: 56C0103A rlwinm r0,r22,2,0,29
803E0C70: 7F78012E stwx r27,r24,r0
803E0C74: 3AF70001 addi r23,r23,1
803E0C78: 3BBD008C addi r29,r29,140
803E0C7C: 987C0088 stb r3,136(r28)
803E0C80: 806DD998 lwz r3,-9832(r13)
803E0C84: 7C171840 cmplw r23,r3
803E0C88: 4180FF14 blt+ 0x803e0b9c
803E0C8C: E3E100D8 psq_l f31,216(r1),0,0
803E0C90: 396100D0 addi r11,r1,208
803E0C94: CBE100D0 lfd f31,208(r1)
803E0C98: 481368CD bl 0x80517564
803E0C9C: 800100E4 lwz r0,228(r1)
803E0CA0: 7C0803A6 mtlr r0
803E0CA4: 382100E0 addi r1,r1,224
803E0CA8: 4E800020 blr
[/spoiler]
r3 was the same address that I set the first breakpoint 805F6AD4. And the address that appeared to be the Y (805F6AD0) when I poked it during the breakpoint didn't teleport Mario.
I feel like I've done this before. Should I follow the chain with a breakpoint on r28 since it's adding 112 to r3 or should I walk the stack again?
MOD EDIT: bolded the function call of interest
You should only walk the stack if you found a breakpoint that fails the XBP test for a good hook.
If poking r3's y coordinate during a breakpoint failed, you should follow the chain. Look carefully at this piece
803E0C40: 387C0064 addi r3,r28,100
803E0C44: 38990064 addi r4,r25,100
803E0C48: D01C0060 stfs f0,96(r28)
803E0C4C: 4BC37EC9 bl 0x80018b14
In this case, r3 = r28 + 0x64, and r4 = r25 + 0x64. Since it was copying from r4 to r3, and r3 has failed, we now want to see who writes to r4. (following the chain of writes)
---
So, set XBP on 803E0C50 again (actually, anything after 803E0C44 and before 803E0C54 is okay, since it will have the right address in r4 at that time). Copy the pointer from r4, and set a Write BP on it. When the BP hits, Step once, then poke the coordinate in MemView and see if it works.
Also, when the Write BP hits, Copy Function and paste into spoiler. As a precaution, also copy the full Call Stack, just in case the Write BP would be a bad hook.
EDIT:
Whoa there, hold on a sec. You say your apparent Y coordinate was 805F6AD0. However, your r3 pointer was 805F6AD4. This means that your Y coordinate had to be either 805F6AD4, 805F6AD8, or 805F6ADC.
this is Super Mario Galaxy... (I think).
I just noticed that I don´t have those dumps, normally I do have all regions of popular games. :(
What I did was following the link register to get to a better hook.
A pointer code would work aswell.
Here's the write breakpoint:
[spoiler]80018B14: E0240000 psq_l f1,0(r4),0,0
80018B18: C0040008 lfs f0,8(r4)
80018B1C: F0230000 psq_st f1,0(r3),0,0
80018B20: D0030008 stfs f0,8(r3)
80018B24: 4E800020 blr
[/spoiler]
And the stack:
[spoiler]80018B1C
80176EC8
80174248
803E03DC
803ED158
803ED964
803EDB1C
80273A68
8016FB14
801654FC
80261B88
8026181C
80344840
80343C0C
8033F7C8
8016FB14
8033E774
8039D304
80399D98
80399EBC
8016FB14
80399C9C
80399B20
803995C0
800041A0
[/spoiler]
Leads back to the same function. But different stack.
Yes, it's pretty common for functions to be re-used like that, it's why they make such bad hooks.
Did you see my edit? You didn't poke the right address during a breakpoint.
If you wish to continue with this one (I recommend re-trying to make sure you poke the right address before moving on), Copy Function on 80176EC8. Then set XBP on 80176ECC and you can poke the address in r3 to see if it works.
Repoked on all those addresses no movement shall I do what you just said?
Yeah, do the same thing with 80176ECC (XBP, get pointer from r3, poke during breakpoint)
Alrighty it gave me pointer 80FB3894
The function for 80176EC8:
[spoiler]80176D34: 9421FD10 stwu r1,-752(r1)
80176D38: 7C0802A6 mflr r0
80176D3C: 900102F4 stw r0,756(r1)
80176D40: DBE102E0 stfd f31,736(r1)
80176D44: F3E102E8 psq_st f31,744(r1),0,0
80176D48: DBC102D0 stfd f30,720(r1)
80176D4C: F3C102D8 psq_st f30,728(r1),0,0
80176D50: 396102D0 addi r11,r1,720
80176D54: 483A07C5 bl 0x80517518
80176D58: 7CF83B78 mr r24,r7
80176D5C: 7C751B78 mr r21,r3
80176D60: 7C962378 mr r22,r4
80176D64: 7CBA2B78 mr r26,r5
80176D68: 7CD93378 mr r25,r6
80176D6C: 7D174378 mr r23,r8
80176D70: 7F03C378 mr r3,r24
80176D74: 4833FEE1 bl 0x804b6c54
80176D78: FFE00890 fmr f31,f1
80176D7C: 7F24CB78 mr r4,r25
80176D80: 38750064 addi r3,r21,100
80176D84: 38A10048 addi r5,r1,72
80176D88: 4BE9F865 bl 0x800165ec
80176D8C: 7F24CB78 mr r4,r25
80176D90: 38610024 addi r3,r1,36
80176D94: 4BEA1DF9 bl 0x80018b8c
80176D98: 7F04C378 mr r4,r24
80176D9C: 38610024 addi r3,r1,36
80176DA0: 4BEA61E1 bl 0x8001cf80
80176DA4: 38750064 addi r3,r21,100
80176DA8: 38810024 addi r4,r1,36
80176DAC: 38A1003C addi r5,r1,60
80176DB0: 4BE9F83D bl 0x800165ec
80176DB4: 38610018 addi r3,r1,24
80176DB8: 3881003C addi r4,r1,60
80176DBC: 4BEA1DD1 bl 0x80018b8c
80176DC0: 38610018 addi r3,r1,24
80176DC4: 38810048 addi r4,r1,72
80176DC8: 4BEA9729 bl 0x800204f0
80176DCC: 3861003C addi r3,r1,60
80176DD0: 38810018 addi r4,r1,24
80176DD4: 4BEA1D41 bl 0x80018b14
80176DD8: 38000000 li r0,0
80176DDC: 7F4AD378 mr r10,r26
80176DE0: 90010008 stw r0,8(r1)
80176DE4: 38810048 addi r4,r1,72
80176DE8: 38A1003C addi r5,r1,60
80176DEC: 38C10194 addi r6,r1,404
80176DF0: 807500C4 lwz r3,196(r21)
80176DF4: 38E10054 addi r7,r1,84
80176DF8: 39010008 addi r8,r1,8
80176DFC: 39210094 addi r9,r1,148
80176E00: 4800CBCD bl 0x801839cc
80176E04: 3B610194 addi r27,r1,404
80176E08: 3B810094 addi r28,r1,148
80176E0C: 3BA10054 addi r29,r1,84
80176E10: 3B400000 li r26,0
80176E14: 3BE00000 li r31,0
80176E18: 3B200000 li r25,0
80176E1C: 3BC00000 li r30,0
80176E20: 480000C8 b 0x80176ee8
80176E24: 7FDBF42E lfsx f30,r27,r30
80176E28: 7F16FA14 add r24,r22,r31
80176E2C: 3861000C addi r3,r1,12
80176E30: 3881003C addi r4,r1,60
80176E34: 4BEA1D59 bl 0x80018b8c
80176E38: FC20F090 fmr f1,f30
80176E3C: 3861000C addi r3,r1,12
80176E40: 4BEA8F2D bl 0x8001fd6c
80176E44: 38610030 addi r3,r1,48
80176E48: 38810048 addi r4,r1,72
80176E4C: 4BEA1D41 bl 0x80018b8c
80176E50: 38610030 addi r3,r1,48
80176E54: 3881000C addi r4,r1,12
80176E58: 4BEA6129 bl 0x8001cf80
80176E5C: 38810030 addi r4,r1,48
80176E60: 38750034 addi r3,r21,52
80176E64: 7C852378 mr r5,r4
80176E68: 4BE9F785 bl 0x800165ec
80176E6C: 807500C4 lwz r3,196(r21)
80176E70: 7C9CF02E lwzx r4,r28,r30
80176E74: 4800E329 bl 0x8018519c
80176E78: 80D500C8 lwz r6,200(r21)
80176E7C: 7C651B78 mr r5,r3
80176E80: 7F03C378 mr r3,r24
80176E84: 7EA4AB78 mr r4,r21
80176E88: 4800B5A5 bl 0x8018242c
80176E8C: 2C170000 cmpwi r23,0
80176E90: 41820024 beq- 0x80176eb4
80176E94: 81970000 lwz r12,0(r23)
80176E98: 7EE3BB78 mr r3,r23
80176E9C: 7F04C378 mr r4,r24
80176EA0: 818C0008 lwz r12,8(r12)
80176EA4: 7D8903A6 mtctr r12
80176EA8: 4E800421 bctrl
80176EAC: 2C030000 cmpwi r3,0
80176EB0: 4082002C bne- 0x80176edc
80176EB4: 7C1BF42E lfsx f0,r27,r30
80176EB8: 38780064 addi r3,r24,100
80176EBC: 38810030 addi r4,r1,48
80176EC0: EC1F0032 fmuls f0,f31,f0
80176EC4: D0180060 stfs f0,96(r24)
80176EC8: 4BEA1C4D bl 0x80018b14
80176ECC: 881D0000 lbz r0,0(r29)
80176ED0: 3B5A0001 addi r26,r26,1
80176ED4: 3BFF008C addi r31,r31,140
80176ED8: 98180088 stb r0,136(r24)
80176EDC: 3B390001 addi r25,r25,1
80176EE0: 3BDE0004 addi r30,r30,4
80176EE4: 3BBD0001 addi r29,r29,1
80176EE8: 80010008 lwz r0,8(r1)
80176EEC: 7C190040 cmplw r25,r0
80176EF0: 4180FF34 blt+ 0x80176e24
80176EF4: 7F43D378 mr r3,r26
80176EF8: E3E102E8 psq_l f31,744(r1),0,0
80176EFC: CBE102E0 lfd f31,736(r1)
80176F00: E3C102D8 psq_l f30,728(r1),0,0
80176F04: CBC102D0 lfd f30,720(r1)
80176F08: 396102D0 addi r11,r1,720
80176F0C: 483A0659 bl 0x80517564
80176F10: 800102F4 lwz r0,756(r1)
80176F14: 7C0803A6 mtlr r0
80176F18: 382102F0 addi r1,r1,752
80176F1C: 4E800020 blr
[/spoiler]
I breakpoint poked 80FB3894, 80FB3898, and 80FB389C none moved Mario.
Shall I breakpoint r24 since f0 is being multiplied by f31 and stored in f0. Then storing f0 and 96 into r24.
Edit: Or r4 again because of
80176EB8: 38780064 addi r3,r24,100
80176EBC: 38810030 addi r4,r1,48
80176EC0: EC1F0032 fmuls f0,f31,f0
80176EC4: D0180060 stfs f0,96(r24)
80176EC8: 4BEA1C4D bl 0x80018b14
80176ECC: 881D0000 lbz r0,0(r29)
Ignore the float registers. The data you want is being moved around in memory by the function using pointers in r3 and r4.
Don't forget that it's a good idea to test the pointers you get in MemView Auto Update to make sure the data "behaves" like you would expect coordinates to behave. The exception is if you get a pointer that points to the stack. In this case, 80FB3894 isn't on the stack, however...
---
Following the chain results in a link to data that lives on the stack. So we can't use WBP's to follow this chain.
80176EB8: 38780064 addi r3,r24,100
80176EBC: 38810030 addi r4,r1,48
80176EC0: EC1F0032 fmuls f0,f31,f0
80176EC4: D0180060 stfs f0,96(r24)
80176EC8: 4BEA1C4D bl 0x80018b14
addi r4,r1,48. Remember that r1 is the stack pointer. You can't follow the chain, because things on the stack have a VERY short life time; they exist only for the duration of this function. Once the blr at the bottom is executed, the thing on the stack is gone for good and you will be lucky if you ever see it again. A WBP will result in a false positive, because some other functions will probably use that part of the stack before the next game frame.
Fortunately, since the things on the stack only exist in this function, we should have everything we need to follow the chain in this spoiler. It requires more work now, though.
---
Scan the ASM, starting from the beginning of the function, for references to 48(r1) BEFORE the breakpoint but still in this same function.
80176E44: 38610030 addi r3,r1,48
80176E48: 38810048 addi r4,r1,72
80176E4C: 4BEA1D41 bl 0x80018b8c
r3 and r4 are both on the stack. Now, I can't see 80018B8C, but my guess is that it's moving something from r4 to r3. So we look for 72(r1) references, starting from the beginning and looking BEFORE 80176E44.
80176D7C: 7F24CB78 mr r4,r25
80176D80: 38750064 addi r3,r21,100
80176D84: 38A10048 addi r5,r1,72
80176D88: 4BE9F865 bl 0x800165ec
So 800165EC is doing something with 72(r1), 100(r21), and 0(r25). You should Copy Function on 800165EC so we can see what it's doing. You should also set an XBP on 80176D88 and post the registers, too. It looks like one of those pointers in r3 or possibly r4 will point to a copy of Mario's coordinates.
800165EC's function:
[spoiler]800165EC: 7C661B78 mr r6,r3
800165F0: C0230020 lfs f1,32(r3)
800165F4: C0040000 lfs f0,0(r4)
800165F8: 7CA32B78 mr r3,r5
800165FC: C0660010 lfs f3,16(r6)
80016600: C0A60000 lfs f5,0(r6)
80016604: EC200072 fmuls f1,f0,f1
80016608: C0460024 lfs f2,36(r6)
8001660C: EC6000F2 fmuls f3,f0,f3
80016610: C0840004 lfs f4,4(r4)
80016614: ECA00172 fmuls f5,f0,f5
80016618: C0C60014 lfs f6,20(r6)
8001661C: EC0400B2 fmuls f0,f4,f2
80016620: C0E60004 lfs f7,4(r6)
80016624: EC4401B2 fmuls f2,f4,f6
80016628: C1060028 lfs f8,40(r6)
8001662C: EC8401F2 fmuls f4,f4,f7
80016630: C0E40008 lfs f7,8(r4)
80016634: C0C60008 lfs f6,8(r6)
80016638: EC63102A fadds f3,f3,f2
8001663C: C1460018 lfs f10,24(r6)
80016640: ECA5202A fadds f5,f5,f4
80016644: ECC701B2 fmuls f6,f7,f6
80016648: C126002C lfs f9,44(r6)
8001664C: EC8702B2 fmuls f4,f7,f10
80016650: EC470232 fmuls f2,f7,f8
80016654: C166001C lfs f11,28(r6)
80016658: EC01002A fadds f0,f1,f0
8001665C: ECA6282A fadds f5,f6,f5
80016660: C146000C lfs f10,12(r6)
80016664: EC64182A fadds f3,f4,f3
80016668: EC02002A fadds f0,f2,f0
8001666C: EC2A282A fadds f1,f10,f5
80016670: EC4B182A fadds f2,f11,f3
80016674: EC69002A fadds f3,f9,f0
80016678: 48000908 b 0x80016f80
8001667C: 9421FFE0 stwu r1,-32(r1)
80016680: 7C0802A6 mflr r0
80016684: 7C661B78 mr r6,r3
80016688: C0040004 lfs f0,4(r4)
8001668C: C066001C lfs f3,28(r6)
80016690: C043000C lfs f2,12(r3)
80016694: 7CA32B78 mr r3,r5
80016698: ED001828 fsubs f8,f0,f3
8001669C: C0240000 lfs f1,0(r4)
800166A0: C0060018 lfs f0,24(r6)
800166A4: ED211028 fsubs f9,f1,f2
800166A8: C0460010 lfs f2,16(r6)
800166AC: C0260008 lfs f1,8(r6)
800166B0: C0660004 lfs f3,4(r6)
800166B4: EC8800B2 fmuls f4,f8,f2
800166B8: C0A60000 lfs f5,0(r6)
800166BC: C1660014 lfs f11,20(r6)
800166C0: EC290072 fmuls f1,f9,f1
800166C4: EC080032 fmuls f0,f8,f0
800166C8: C0C6002C lfs f6,44(r6)
800166CC: C0440008 lfs f2,8(r4)
800166D0: ECA90172 fmuls f5,f9,f5
800166D4: EC6900F2 fmuls f3,f9,f3
800166D8: ECE23028 fsubs f7,f2,f6
800166DC: EC4802F2 fmuls f2,f8,f11
800166E0: C0C60020 lfs f6,32(r6)
800166E4: C1460028 lfs f10,40(r6)
800166E8: ECA5202A fadds f5,f5,f4
800166EC: C1660024 lfs f11,36(r6)
800166F0: EC43102A fadds f2,f3,f2
800166F4: EC8702F2 fmuls f4,f7,f11
800166F8: 90010024 stw r0,36(r1)
800166FC: ECC701B2 fmuls f6,f7,f6
80016700: EC01002A fadds f0,f1,f0
80016704: D1210008 stfs f9,8(r1)
80016708: EC6702B2 fmuls f3,f7,f10
8001670C: EC26282A fadds f1,f6,f5
80016710: D101000C stfs f8,12(r1)
80016714: EC44102A fadds f2,f4,f2
80016718: EC63002A fadds f3,f3,f0
8001671C: D0E10010 stfs f7,16(r1)
80016720: 48000861 bl 0x80016f80
80016724: 80010024 lwz r0,36(r1)
80016728: 7C0803A6 mtlr r0
8001672C: 38210020 addi r1,r1,32
80016730: 4E800020 blr
[/spoiler]
80176D88's registers:
[spoiler]CR:48000088 XER:20000000 CTR:00000001 DSIS:02400000
DAR:80FB3894 SRR0:80176D88 SRR1:0000A032 LR:80176D78
r0:8017424C r1:806BD9E8 r2:806AB280 r3:812D82AC
r4:806BDDE4 r5:806BDA30 r6:806BDDE4 r7:806BDDCC
r8:00000000 r9:00000000 r10:00000000 r11:806BDCB8
r12:80274A3C r13:806A4CA0 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:812D8248
r20:00000019 r21:812D8248 r22:80FB3830 r23:00000000
r24:806BDDCC r25:806BDDE4 r26:00000020 r27:00000000
r28:00000002 r29:80FB3794 r30:00000000 r31:80FB3794
f0:3A83126F f1:4479FFFF f2:3FFFFBC5 f3:40400000
f4:3F000000 f5:3A25C168 f6:4000015B f7:426FFFFF
f8:469BF86F f9:45F39AA3 f10:3F800000 f11:00000000
f12:00000000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:00000000 f31:4479FFFF[/spoiler]
[spoiler]800165EC: 7C661B78 mr r6,r3
800165F0: C0230020 lfs f1,32(r3)
800165F4: C0040000 lfs f0,0(r4)
800165F8: 7CA32B78 mr r3,r5
800165FC: C0660010 lfs f3,16(r6)
80016600: C0A60000 lfs f5,0(r6)
80016604: EC200072 fmuls f1,f0,f1
80016608: C0460024 lfs f2,36(r6)
8001660C: EC6000F2 fmuls f3,f0,f3
80016610: C0840004 lfs f4,4(r4)
80016614: ECA00172 fmuls f5,f0,f5
80016618: C0C60014 lfs f6,20(r6)
8001661C: EC0400B2 fmuls f0,f4,f2
80016620: C0E60004 lfs f7,4(r6)
80016624: EC4401B2 fmuls f2,f4,f6
80016628: C1060028 lfs f8,40(r6)
8001662C: EC8401F2 fmuls f4,f4,f7
80016630: C0E40008 lfs f7,8(r4)
80016634: C0C60008 lfs f6,8(r6)
80016638: EC63102A fadds f3,f3,f2
8001663C: C1460018 lfs f10,24(r6)
80016640: ECA5202A fadds f5,f5,f4
80016644: ECC701B2 fmuls f6,f7,f6
80016648: C126002C lfs f9,44(r6)
8001664C: EC8702B2 fmuls f4,f7,f10
80016650: EC470232 fmuls f2,f7,f8
80016654: C166001C lfs f11,28(r6)
80016658: EC01002A fadds f0,f1,f0
8001665C: ECA6282A fadds f5,f6,f5
80016660: C146000C lfs f10,12(r6)
80016664: EC64182A fadds f3,f4,f3
80016668: EC02002A fadds f0,f2,f0
8001666C: EC2A282A fadds f1,f10,f5
80016670: EC4B182A fadds f2,f11,f3
80016674: EC69002A fadds f3,f9,f0
80016678: 48000908 b 0x80016f80[/spoiler]
The rest of that spoiler is junk. This branch will always take you somewhere else. You should Copy Function on 80016F80. (EDIT: but you probably don't need it. I usually copy more info into notepad than I need; too much is better than too little)
The registers show r4 is also probably on the stack. The stack grows down (stwu r1,-x(r1); x is always negative!), so that means addresses close to r1, but above it, are usually on the stack.
In this case, r3 looks like a good candidate; it's not on the stack so the address probably stays the same as long as you don't change areas or reload the game. XBP on 80176D88 again, then grab the pointer in r3, and go look in MemView auto update to see if there's anything that stands out when you jump around.
Nothing stood out so I did a test to see if the address changed so I did another breakpoint during the first and this happened.
Before:
[spoiler]CR:48000088 XER:20000000 CTR:00000001 DSIS:02400000
DAR:80FB3894 SRR0:80176D88 SRR1:0000A032 LR:80176D78
r0:8017424C r1:806BD9E8 r2:806AB280 r3:812D82AC
r4:806BDDE4 r5:806BDA30 r6:806BDDE4 r7:806BDDCC
r8:00000000 r9:00000000 r10:00000000 r11:806BDCB8
r12:80274A3C r13:806A4CA0 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:812D8248
r20:00000019 r21:812D8248 r22:80FB3830 r23:00000000
r24:806BDDCC r25:806BDDE4 r26:00000020 r27:00000000
r28:00000002 r29:80FB3794 r30:00000000 r31:80FB3794
f0:3A83126F f1:4479FFFF f2:3FFFFBC5 f3:40400000
f4:3F000000 f5:3A25C168 f6:4000015B f7:426FFFFF
f8:469BF86F f9:45F39AA3 f10:3F800000 f11:00000000
f12:00000000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:00000000 f31:4479FFFF[/spoiler]
After:
[spoiler]CR:48000088 XER:20000000 CTR:00000001 DSIS:02400000
DAR:80FB3894 SRR0:80176D88 SRR1:0000A032 LR:80176D78
r0:8017424C r1:806BD9E8 r2:806AB280 r3:812E4D0C
r4:806BDDE4 r5:806BDA30 r6:806BDDE4 r7:806BDDCC
r8:00000000 r9:806BDA7C r10:00000020 r11:806BDCB8
r12:80274A3C r13:806A4CA0 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:812E4CA8
r20:00000019 r21:812E4CA8 r22:80FB3830 r23:00000000
r24:806BDDCC r25:806BDDE4 r26:00000020 r27:00000000
r28:00000006 r29:80FB3794 r30:00000000 r31:80FB3794
f0:3A83126F f1:4479FFFF f2:3FFFFBC5 f3:40400000
f4:3F000000 f5:00000000 f6:3FFFFBC5 f7:C53EC3E6
f8:3F800000 f9:80000000 f10:80000000 f11:80000000
f12:00000000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:00000000 f31:4479FFFF[/spoiler]
Edit: Here's 80016F80's function anyway:
[spoiler]80016F80: D0230000 stfs f1,0(r3)
80016F84: D0430004 stfs f2,4(r3)
80016F88: D0630008 stfs f3,8(r3)
80016F8C: 4E800020 blr
[/spoiler]
I have SMG1 so I will look into this tomorrow and make sure we aren't barking up the wrong tree before we continue.
alright good plan I'll keep searching/
Well I have decided to try this code again later. All of my progress has been posted here so I can pick it up where I left off later. I have created a new topic on my next idea. It will be easier but I just need one piece of info.
seriously, dcx2.
I originally asked you for help on that same SMG Moonjump (and yes, it´s like the coordinates because of the psq instructions) and you ignored me.
But now, since someone else asks, you do help. It´s for an offline game and I can now follow on how it gets solved, too.
What was the point, then? I could also ask someone to put *my* question and it will be answered...
Quote from: Bully@Wiiplaza on December 22, 2011, 08:07:09 AM
seriously, dcx2.
I originally asked you for help on that same SMG Moonjump (and yes, it´s like the coordinates because of the psq instructions) and you ignored me.
But now, since someone else asks, you do help. It´s for an offline game and I can now follow on how it gets solved, too.
What was the point, then? I could also ask someone to put *my* question and it will be answered...
Chill man it happens to me too.
Quote from: toonlink444 on December 22, 2011, 08:04:29 PMChill man it happens to me too.
I was just wondering about that illogicalness :P
hey toonlink, I looked at your breakpoint's address in Memory Viewer with auto-update on. The address in r3 when you XBP @803E0C4C is not a good candidate. Auto-update shows that these coordinates are only changed when you're touching the ground, and if you're jumping then they aren't changing anymore. This should have caused you to disqualify this result.
I did a little bit of searching on my own and found a different address. This address was hit by two write breakpoints. I walked the stack for one, but it failed the XBP test. Fortunately, the other one did not fail the XBP test.
You can use an XBP @803125E8 and look at r3 and/or r4 to get a pointer to Mario's real coordinates. That address passes the XBP test, and MemView auto-update shows that it updates in real time while jumping.
Try to write-breakpoint-step-poke the value in r3. If it fails, follow the chain via r4's pointer and try the WBP-step-poke that.