Pointer in Pointer [in] Pointer problem

Started by Deathwolf, October 10, 2010, 02:39:48 PM


Deathwolf

Quote from: dcx2 on October 10, 2010, 08:14:32 PM
Wait...how did you do Copy Function without vdappc?!

EDIT: thinking about this...did you put the log in a folder that wasn't the same folder that you run Gecko.NET from?

yes, first I saved it in another folder but now it works.
lolz

dcx2

Weird, I'll look into that.  Anyway...

It's always the same caller.  The pointer we want is in r4...but how did it get there?  Copy Function on 80044C04 - that is who gave us r4.

Deathwolf

wrong address?
btw it's for resident evil...
lolz

dcx2

Functions call functions call functions call functions call...

There is a list.  We call it the Call Stack.  It shows who called who.  You pasted it a few posts back...if you look at it, you'll see that 80044C04 is who called the function that your breakpoint finds.

You need to step back to the caller and see what's going on.  So go to disassembler, go to 80044C04 , and Copy Function, then paste that into a spoiler.

Deathwolf

[spoiler]80044BD0:  9421FFF0   stwu   r1,-16(r1)
80044BD4:  7C0802A6   mflr   r0
80044BD8:  90010014   stw   r0,20(r1)
80044BDC:  93E1000C   stw   r31,12(r1)
80044BE0:  7C7F1B78   mr   r31,r3
80044BE4:  3863003C   addi   r3,r3,60
80044BE8:  389F00A0   addi   r4,r31,160
80044BEC:  480D3775   bl   0x80118360
80044BF0:  387F003C   addi   r3,r31,60
80044BF4:  389F0094   addi   r4,r31,148
80044BF8:  480D374D   bl   0x80118344
80044BFC:  387F003C   addi   r3,r31,60
80044C00:  389F00AC   addi   r4,r31,172
80044C04:  480D36C5   bl   0x801182c8
80044C08:  387F003C   addi   r3,r31,60
80044C0C:  389F000C   addi   r4,r31,12
80044C10:  4813CE45   bl   0x80181a54
80044C14:  80010014   lwz   r0,20(r1)
80044C18:  83E1000C   lwz   r31,12(r1)
80044C1C:  7C0803A6   mtlr   r0
80044C20:  38210010   addi   r1,r1,16
80044C24:  4E800020   blr   
[/spoiler]
lolz

dcx2

Awesome.  Now, look carefully at this.

[spoiler]
80044BD0:  9421FFF0   stwu   r1,-16(r1)
80044BD4:  7C0802A6   mflr   r0
80044BD8:  90010014   stw   r0,20(r1)
80044BDC:  93E1000C   stw   r31,12(r1)
80044BE0:  7C7F1B78   mr   r31,r3
80044BE4:  3863003C   addi   r3,r3,60
80044BE8:  389F00A0   addi   r4,r31,160
80044BEC:  480D3775   bl   0x80118360
80044BF0:  387F003C   addi   r3,r31,60
80044BF4:  389F0094   addi   r4,r31,148
80044BF8:  480D374D   bl   0x80118344
80044BFC:  387F003C   addi   r3,r31,60
80044C00:  389F00AC   addi   r4,r31,172
[b]80044C04:  480D36C5   bl   0x801182c8[/b]
80044C08:  387F003C   addi   r3,r31,60
80044C0C:  389F000C   addi   r4,r31,12
80044C10:  4813CE45   bl   0x80181a54
80044C14:  80010014   lwz   r0,20(r1)
80044C18:  83E1000C   lwz   r31,12(r1)
80044C1C:  7C0803A6   mtlr   r0
80044C20:  38210010   addi   r1,r1,16
80044C24:  4E800020   blr   

[/spoiler]

Do you remember the function you found with the read breakpoint?  It starts with 801182C8.  Do you see the bolded bl in the spoiler?  That's the call!  That is how this function connects to the other function.

In the function you just pasted, look at 80044BE0.  It takes the value given to it by r3 and puts it into r31.  This is your pointer!  If you were to Log Steps with an Execute Breakpoint on 80044BE0, you could compile a list of all the pointers that are used by this function.

Look at 80044C00.  It takes the pointer in r31, adds 172 (that's your offset!), and puts the new pointer into r4.  Then it calls 0x801182c8, which is your read-breakpoint function.

---

We need to walk the stack more.  Where did r3 come from?  Go back to the call stack; the third entry is 80119D7C, so go to that in disassembler and Copy Function again.

---

BTW: what are you trying to do?  A size modifier?  What other floats are being affected?  Other players?

Deathwolf

[spoiler]80119D60:  9421FFF0   stwu   r1,-16(r1)
80119D64:  7C0802A6   mflr   r0
80119D68:  90010014   stw   r0,20(r1)
80119D6C:  93E1000C   stw   r31,12(r1)
80119D70:  83E300F4   lwz   r31,244(r3)
80119D74:  48000010   b   0x80119d84
80119D78:  7FE3FB78   mr   r3,r31
80119D7C:  4BF2AE55   bl   0x80044bd0
80119D80:  83FF00F4   lwz   r31,244(r31)
80119D84:  2C1F0000   cmpwi   r31,0
80119D88:  4082FFF0   bne+   0x80119d78
80119D8C:  80010014   lwz   r0,20(r1)
80119D90:  83E1000C   lwz   r31,12(r1)
80119D94:  7C0803A6   mtlr   r0
80119D98:  38210010   addi   r1,r1,16
80119D9C:  4E800020   blr   
[/spoiler]

what are you trying to do? / partial size modifier for resident evil 4
What other floats are being affected? Other players? / yes, it changes some other floats near the real address. it only should change one address and one thing of this part.
lolz

dcx2

[spoiler]80119D60:  9421FFF0   stwu   r1,-16(r1)
80119D64:  7C0802A6   mflr   r0
80119D68:  90010014   stw   r0,20(r1)
80119D6C:  93E1000C   stw   r31,12(r1)
80119D70:  83E300F4   lwz   r31,244(r3)
80119D74:  48000010   b   0x80119d84
80119D78:  7FE3FB78   mr   r3,r31
80119D7C:  4BF2AE55   bl   0x80044bd0
80119D80:  83FF00F4   lwz   r31,244(r31)
80119D84:  2C1F0000   cmpwi   r31,0
80119D88:  4082FFF0   bne+   0x80119d78
80119D8C:  80010014   lwz   r0,20(r1)
80119D90:  83E1000C   lwz   r31,12(r1)
80119D94:  7C0803A6   mtlr   r0
80119D98:  38210010   addi   r1,r1,16
80119D9C:  4E800020   blr   
[/spoiler]

Now this is getting hard.  Do you see the bne+ @ '88?  That means there's a loop.  That's why this function is being called so much, and writing to many floats.

Do you see the lwz r31 @ '80?  That's a high-level programming structure called a "Linked List".  It will be very, very hard to do this hack.  Each time '80 is executed, your pointer search becomes pointer-in-pointer.  If '80 is executed again, we are now pointer-in-pointer-in-pointer.  If '80 executes again....four pointers.

---

You may want to abandon this hack.  It is becoming very difficult to do.  But hopefully you learned a lot...at least how to deal with Exact breakpoints.

Or you can try to Log Steps and set a lot of Execute Breakpoints on 80119D78.  Then look at the log.  You will have a bunch of pointers.  Look at these pointers in Memory Viewer.  See if there's any way you can tell them apart.  Maybe there is some value at a memory address that you can use to guess when you're processing the right pointer.
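Added example (not from this thread, dcx2 or Gecko.NET): a small Python script that ties together the two things explained above, the r31+172 offset from the function at 80044BD0 and the 244-byte linked-list hop in the loop at 80119D70. It re-decodes the instruction words pasted in the spoilers (PowerPC I-form, B-form and D-form encodings) to check that the branch targets and displacements really are what the disassembler printed, then walks a constructed memory image the way the loop does, reporting which address ends up in r4 for each node and the pointer-in-pointer notation needed to reach it. The addresses in MEMORY are made up for illustration; only the offsets 244 (0xF4) and 172 (0xAC) come from the listings.

```python
import re

# Lines copied from the two "Copy Function" spoilers in the thread: the list loop
# plus the two instructions in the callee that build r4 and call 801182C8.
LISTING = """\
80119D70:  83E300F4   lwz   r31,244(r3)
80119D74:  48000010   b   0x80119d84
80119D78:  7FE3FB78   mr   r3,r31
80119D7C:  4BF2AE55   bl   0x80044bd0
80119D80:  83FF00F4   lwz   r31,244(r31)
80119D84:  2C1F0000   cmpwi   r31,0
80119D88:  4082FFF0   bne+   0x80119d78
80044C00:  389F00AC   addi   r4,r31,172
80044C04:  480D36C5   bl   0x801182c8
"""
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{8})\s+(\S+)\s*(.*)$")

NEXT_OFFSET = 244   # lwz r31,244(r31): link to the next list node
FIELD_OFFSET = 172  # addi r4,r31,172: field of the node handed to 801182C8


def sext(value, bits):
    """Sign-extend the low `bits` bits of value."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def decode(addr, word):
    """Decode the handful of PowerPC encodings that appear in LISTING.
    Returns (mnemonic, operands) in the disassembler's spelling, or None."""
    opcode = word >> 26
    rd, ra, rb = (word >> 21) & 31, (word >> 16) & 31, (word >> 11) & 31
    simm = sext(word & 0xFFFF, 16)
    if opcode == 18:                                   # I-form: b / bl
        li = sext(word & 0x03FFFFFC, 26)
        target = li if word & 2 else (addr + li) & 0xFFFFFFFF   # AA bit
        return ("bl" if word & 1 else "b"), f"0x{target:08x}"  # LK bit
    if opcode == 16 and rd == 4 and (ra & 3) == 2:     # bc with BO=4, BI=cr0[EQ]: bne
        bd = sext(word & 0xFFFC, 16)
        target = (addr + bd) & 0xFFFFFFFF
        # classic y-bit hint: backward branches predicted taken unless y is set
        hint = "+" if (bd < 0) != bool(rd & 1) else "-"
        return "bne" + hint, f"0x{target:08x}"
    if opcode == 14:                                   # D-form addi rD,rA,SIMM
        return "addi", f"r{rd},r{ra},{simm}"
    if opcode == 32:                                   # D-form lwz rD,d(rA)
        return "lwz", f"r{rd},{simm}(r{ra})"
    if opcode == 11 and (word >> 23) & 7 == 0:         # cmpwi cr0,rA,SIMM
        return "cmpwi", f"r{ra},{simm}"
    if opcode == 31 and (word >> 1) & 0x3FF == 444 and rd == rb:   # or rA,rS,rS == mr
        return "mr", f"r{ra},r{rd}"
    return None


def verify_listing(listing=LISTING):
    """Re-decode each hex word and compare with the text the disassembler printed.
    Returns a list of (addr, matches, decoded) tuples."""
    results = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, word = int(m.group(1), 16), int(m.group(2), 16)
        shown = (m.group(3), m.group(4).replace(" ", ""))
        decoded = decode(addr, word)
        results.append((addr, decoded == shown, decoded))
    return results


# Constructed memory image (not the game's memory): 32-bit words keyed by address.
MEMORY = {
    0x80400000 + NEXT_OFFSET: 0x80401000,   # head object -> first node
    0x80401000 + NEXT_OFFSET: 0x80402000,   # first node -> second node
    0x80402000 + NEXT_OFFSET: 0x00000000,   # second node -> end of list
}


def walk_list(mem, r3):
    """Mirror of 80119D70-80119D88: follow the 244-byte link from r3 until it
    reads zero; each node becomes r3 for the call to 80044BD0."""
    nodes = []
    r31 = mem.get(r3 + NEXT_OFFSET, 0)
    while r31 != 0:
        nodes.append(r31)
        r31 = mem.get(r31 + NEXT_OFFSET, 0)
    return nodes


def pointer_chain(depth):
    """Pointer notation for the field on the depth-th node:
    depth 1 -> [base+F4]+AC, depth 2 -> [[base+F4]+F4]+AC, and so on."""
    expr = "base"
    for _ in range(depth):
        expr = f"[{expr}+{NEXT_OFFSET:X}]"
    return f"{expr}+{FIELD_OFFSET:X}"


def targets(mem, base):
    """Every address that reaches 801182C8 in r4 during one pass over the list,
    paired with the pointer chain needed to reach that node from the base."""
    return [(node + FIELD_OFFSET, pointer_chain(i + 1))
            for i, node in enumerate(walk_list(mem, base))]


if __name__ == "__main__":
    for addr, ok, decoded in verify_listing():
        print(f"{addr:08X} {'ok ' if ok else 'BAD'} {decoded}")
    for r4, chain in targets(MEMORY, 0x80400000):
        print(f"r4 = {r4:08X}   via {chain}")
```

Running it prints one "ok" per listing line and, for the constructed list, r4 = 804010AC via [base+F4]+AC and r4 = 804020AC via [[base+F4]+F4]+AC; each extra node adds one more level of indirection, which is exactly why a fixed-depth pointer code cannot single out one element of the list without some other distinguishing value in the node.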

Deathwolf

hmm okay, yep I thought that it would be very hard to do this but thanks a lot for your help and time!

so maybe it's impossible to hack this?
48 is my last codetype....
lolz

dcx2

It's not impossible, but it's uber-hard, and I don't think I could walk you through it.  Sorry...

I hope you have learned some things, though.  So that it is not a total loss.

Panda On Smack

heh, if you still have wiird on your PC then get it from that folder