Finding the Final Smash value

Started by toonlink444, January 19, 2011, 01:49:32 AM


Deathwolf

here... I've ported it for you

04817968 8803001F
4A000000 90180F38
3A000002 FF00003D
C2817968 00000005
8803001F 2C0000F8
4182001C 38000038
2C1B010C 40820008
38000078 9803001F
48000004 00000000
E0000000 80008000
original by Y.S.
search value to port: 806300008803001F5403D7FE
lolz

dcx2

It doesn't matter where you found the code.  Always post the author of the code.

When you hit a breakpoint, the game will freeze.  This is normal.

toonlink444

Breakpoint tab
CR:28000088  XER:00000000  CTR:8081DA00 DSIS:00000000
DAR:00000000 SRR0:8081C934 SRR1:0000B032   LR:80838E20
  r0:00000000   r1:805B4E30   r2:805A9320   r3:812DCE30
  r4:00040000   r5:00000000   r6:00000000   r7:81533160
  r8:00000120   r9:00000036  r10:81533160  r11:805B4E50
r12:8081DA00  r13:805A4420  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:00000000

8081C934:  8803001F   lbz   r0,31(r3)
8081C938:  5403D7FE   rlwinm   r3,r0,26,31,31
8081C93C:  7C0300D0   neg   r0,r3
8081C940:  7C001B78   or   r0,r0,r3
8081C944:  54030FFE   rlwinm   r3,r0,1,31,31
8081C948:  4E800020   blr
Disassembler tab
8081C934:  8803001F   lbz   r0,31(r3)
8081C938:  5403D7FE   rlwinm   r3,r0,26,31,31
8081C93C:  7C0300D0   neg   r0,r3
8081C940:  7C001B78   or   r0,r0,r3
8081C944:  54030FFE   rlwinm   r3,r0,1,31,31
8081C948:  4E800020   blr   
8081C94C:  80630000   lwz   r3,0(r3)
8081C950:  8803001F   lbz   r0,31(r3)
8081C954:  50802EB4   rlwimi   r0,r4,5,26,26
8081C958:  9803001F   stb   r0,31(r3)
8081C95C:  4E800020   blr   
8081C960:  80630000   lwz   r3,0(r3)
8081C964:  8803001F   lbz   r0,31(r3)
8081C968:  5403DFFE   rlwinm   r3,r0,27,31,31
8081C96C:  7C0300D0   neg   r0,r3
8081C970:  7C001B78   or   r0,r0,r3
8081C974:  54030FFE   rlwinm   r3,r0,1,31,31
8081C978:  4E800020   blr   
8081C97C:  80630000   lwz   r3,0(r3)
8081C980:  8803001F   lbz   r0,31(r3)
8081C984:  50801F38   rlwimi   r0,r4,3,28,28
8081C988:  9803001F   stb   r0,31(r3)
8081C98C:  4E800020   blr   
8081C990:  80630000   lwz   r3,0(r3)
8081C994:  8803001F   lbz   r0,31(r3)
8081C998:  5403EFFE   rlwinm   r3,r0,29,31,31
8081C99C:  7C0300D0   neg   r0,r3
8081C9A0:  7C001B78   or   r0,r0,r3
8081C9A4:  54030FFE   rlwinm   r3,r0,1,31,31
8081C9A8:  4E800020   blr   
8081C9AC:  80630000   lwz   r3,0(r3)
8081C9B0:  8803001F   lbz   r0,31(r3)
8081C9B4:  5080177A   rlwimi   r0,r4,2,29,29
8081C9B8:  9803001F   stb   r0,31(r3)
8081C9BC:  4E800020   blr   
8081C9C0:  80630000   lwz   r3,0(r3)
8081C9C4:  8803001F   lbz   r0,31(r3)
8081C9C8:  5403F7FE   rlwinm   r3,r0,30,31,31
8081C9CC:  7C0300D0   neg   r0,r3
8081C9D0:  7C001B78   or   r0,r0,r3
8081C9D4:  54030FFE   rlwinm   r3,r0,1,31,31
8081C9D8:  4E800020   blr   
8081C9DC:  80030000   lwz   r0,0(r3)
8081C9E0:  38A00001   li   r5,1
8081C9E4:  7C602214   add   r3,r0,r4
8081C9E8:  98A30070   stb   r5,112(r3)
8081C9EC:  4E800020   blr   
8081C9F0:  80830000   lwz   r4,0(r3)
8081C9F4:  38600000   li   r3,0
8081C9F8:  88040070   lbz   r0,112(r4)
8081C9FC:  2C000000   cmpwi   r0,0
8081CA00:  40820008   bne-   0x8081ca08
8081CA04:  38600001   li   r3,1
8081CA08:  88040071   lbz   r0,113(r4)
8081CA0C:  2C000000   cmpwi   r0,0
8081CA10:  4082000C   bne-   0x8081ca1c
8081CA14:  38030001   addi   r0,r3,1
8081CA18:  5403063E   rlwinm   r3,r0,0,24,31
8081CA1C:  88040072   lbz   r0,114(r4)
8081CA20:  2C000000   cmpwi   r0,
In the begining there was nothing. Then it exploded
New blog!! Check it out for hacking Smash Bros Brawl!! http://letshackblank.blogspot.com/

toonlink444

Ok the post where I found the code was by pyromasterom egaz. Don't know if he made the code.
Deathwolf, I'm a little confused about how you ported it.

Deathwolf

lolz

toonlink444

Ok here's the code.
Taunt for Final Smash(by Y.S)
0481C934 8803001F
4A000000 90180F38
3A000002 FF00003D
C281C934 00000005
8803001F 2C0000F8
4182001C 38000038
2C1B010C 40820008
38000078 9803001F
48000004 00000000
E0000000 80008000

dcx2

You chopped off some registers.  You should post all the registers, all the way up to r31.

Also, a function ends after a blr.  So everything after the blr is an unrelated function.  It's just clutter.  In Gecko.NET, you can choose "Copy Function" from the right-click menu in the disassembler and it will copy only that function and ignore everything else.

It looks like this was just a convenient instruction that had access to some important pointer in r3.  The C2 writes a different value to the address in r3, after doing something.  I bet r3 is a pointer to your character.

I don't know why there's an if that patches the anti-code based on some 8-bit value in the MEM2 90xxxxxx range.

---

Repeat this process.  That is, set an execute breakpoint on 8081C934 again.  Get the address in r3 (this time, it's 812DCE30, however it might have changed if you use a different character, level, etc).  Then look at that address in memory viewer with Auto Update enabled while you're trying to do this Final Smash thing.  See if any of the addresses are changing in a predictable manner in the Memory Viewer around the pointer you got from r3.

toonlink444

Here are the registers
CR:28000088  XER:00000000  CTR:8081DA00 DSIS:00000000
DAR:00000000 SRR0:8081C934 SRR1:0000B032   LR:80838E20
  r0:00000000   r1:805B4E30   r2:805A9320   r3:812DCE30
  r4:00040000   r5:00000000   r6:00000000   r7:81533160
  r8:00000120   r9:00000036  r10:81533160  r11:805B4E50
r12:8081DA00  r13:805A4420  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:00000000
r20:00000001  r21:43300000  r22:80000000  r23:805B4FD8
r24:00000000  r25:805B8A00  r26:00000001  r27:00000000
r28:10000000  r29:812BAA80  r30:812DCE20  r31:812BB5E4

  f0:3D8F5C29   f1:42480000   f2:3E4CCCCD   f3:3E4CCCCD
  f4:423D8000   f5:429C1604   f6:C28C0000   f7:00000000
  f8:3F800000   f9:C1A00000  f10:C1A00000  f11:431C0000
f12:3F800000  f13:00000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:3F8123AD
f28:59800004  f29:42480000  f30:42480000  f31:00000000

Bully@Wiiplaza

Quote from: dcx2 on January 25, 2011, 09:51:07 PM
I don't have a disassembler handy at the moment, so I can't disassemble the C2 code and explain what's going on.  However, this does give us a starting point.

hey,
I was also wondering what's going on in this code, pretty nice one!

Assembly:

8081C934

lbz r0,31(r3)
cmpwi r0,248
beq- 0x1C
li r0,56
cmpwi r27,268
bne- 0x08
li r0,120
stb r0,31(r3)
b 0x04
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

toonlink444

Not what I got. Where are you testing?
Edit: Nothing was changing. I feel like a noob

Bully@Wiiplaza

Quote from: toonlink444 on January 25, 2011, 10:32:35 PM
Not what I got. Where are you testing?
Edit: Nothing was changing. I feel like a noob
I'll take my hands on that code soon, if it isn't solved...
Do you want all characters to have Final Smash?
I think that the "taunt enables final smash" is only made to work for the taunting player.
It would be a lot easier to make it write to all players all the time.
That's what I could maybe do... I need to view the behaviour of the address first

dcx2

If the value in 31(r3) is 0xF8, skip to the very end, i.e. do not execute the stb!

If it's not 0xF8, load r0 with 0x38.  Then, check r27 for 0x10C.

If r27 is not 0x10C, stb the 0x38.

If r27 is 0x10C, load r0 with 0x78 and stb the 0x78.

---

It looks like these are being used as bit fields.

0x38 = 0011 1000
0x78 = 0111 1000
0xF8 = 1111 1000

The first two bits probably indicate something related to whether you can Final Smash.  That's why everything is skipped if the first bit is set.

---

Not sure why r27 is there.  Might be how the code knows you're taunting.  Or it might be the if code that's testing MEM2.
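As an added example (not code from the thread), a Python model of the PowerPC rlwinm/rlwimi bit-field idioms in the disassembly above and of the C2 patch logic as dcx2 reads it; the accessor and setter names and the probe functions are mine, not the game's.

```python
# PowerPC rotate-and-mask helpers, modelled on the disassembly posted in this thread.
MASK32 = 0xFFFFFFFF

def rotl32(v, n):
    """Rotate a 32-bit value left by n bits."""
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK32

def ppc_mask(mb, me):
    """Mask with bits mb..me set, in PowerPC big-endian bit numbering (0 = MSB)."""
    m = 0
    for b in range(mb, me + 1):
        m |= 1 << (31 - b)
    return m

def rlwinm(rs, sh, mb, me):
    """rlwinm rA,rS,sh,mb,me: rotate left, then AND with the mask."""
    return rotl32(rs, sh) & ppc_mask(mb, me)

def rlwimi(ra, rs, sh, mb, me):
    """rlwimi rA,rS,sh,mb,me: rotate rS left, insert masked bits into rA."""
    m = ppc_mask(mb, me)
    return (rotl32(rs, sh) & m) | (ra & ~m & MASK32)

def getter_bit(sh):
    """Which bit of the byte at 31(r3) does 'rlwinm r3,r0,sh,31,31' extract?
    Probe with each single-bit byte value and report the one that survives."""
    for bit in range(8):
        if rlwinm(1 << bit, sh, 31, 31):
            return 1 << bit
    return 0

def setter_bit(sh, mb, me):
    """Which bit does 'rlwimi r0,r4,sh,mb,me' write when r4 = 1?"""
    return rlwimi(0, 1, sh, mb, me)

def is_nonzero(r3):
    """The 'neg r0,r3 / or r0,r0,r3 / rlwinm r3,r0,1,31,31' tail: 1 if r3 != 0."""
    r0 = (-r3) & MASK32
    r0 |= r3
    return rlwinm(r0, 1, 31, 31)

def patched_byte(flags, r27):
    """Byte written back by the C2 code at 8081C934, per dcx2's walkthrough:
    0xF8 is left alone (beq skips the stb); otherwise 0x78 if r27 == 0x10C, else 0x38."""
    if flags == 0xF8:
        return flags
    return 0x78 if r27 == 0x10C else 0x38
```

Running the probes shows the getter at 8081C934 (sh=26) tests the 0x40 bit, which is exactly the bit that separates the 0x38 and 0x78 values the patch writes.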

toonlink444

Quote from: Bully@Wiiplaza on January 25, 2011, 10:37:29 PM
Quote from: toonlink444 on January 25, 2011, 10:32:35 PM
Not what I got. Where are you testing?
Edit: Nothing was changing. I feel like a noob
I'll take my hands on that code soon, if it isn't solved...
Do you want all characters to have Final Smash?
I think that the "taunt enables final smash" is only made to work for the taunting player.
It would be a lot easier to make it write to all players all the time.
That's what I could maybe do... I need to view the behaviour of the address first
I know all that, I'm just wanting to know how to make this code with asm for the learning experience

dcx2

If you want to just practice something like that, it might be better to start with something simpler.  How about this?

Always have 99 lives [REDSOXROX]
1528AE64 00000063

Finding the address for your lives shouldn't be too hard.  But this code gives it away; your life count is stored at 8128AE64.

Try to make this code with ASM.

toonlink444

I'll try that. Then I'll come back to this. I'll post again when I think I'll try again. Thank you for helping me. :)