Mario Kart Wii Flat code(again but with ASM)

toonlink444 · January 27, 2011, 09:53:21 PM

So let me do some explaining first. I did a Write breakpoint at 80E92F8C And got

Registers
[spoiler]CR:48000088 XER:20000000 CTR:8009ABC0 DSIS:02400000
DAR:80E92F8C SRR0:805AE5F4 SRR1:0000B032 LR:8057A720
r0:00000001 r1:80394A68 r2:8038AC20 r3:80E92F2C
r4:80890000 r5:00000000 r6:00000000 r7:00000000
r8:00000000 r9:00000000 r10:00000000 r11:80394A08
r12:8009ABC0 r13:80388880 r14:00000000 r15:80FE5484
r16:80E930A0 r17:00000000 r18:0000000E r19:00000000
r20:00000000 r21:80E92CF4 r22:0000000E r23:00000000
r24:00000000 r25:0000000C r26:00000000 r27:00000000
r28:00000000 r29:00000000 r30:80E92A20 r31:0000010E[/spoiler]
Disasmbly
[spoiler]805AE5F4: 90A30060   stw   r5,96(r3)
805AE5F8: D023006C   stfs   f1,108(r3)
805AE5FC: D0230070   stfs   f1,112(r3)
805AE600: D0230074   stfs   f1,116(r3)
805AE604: D0030068   stfs   f0,104(r3)
805AE608: 98030064   stb   r0,100(r3)[/spoiler]

Disasembly tab
[spoiler]805AE5DC: 3CA08089   lis   r5,-32631
805AE5E0: 3C808089   lis   r4,-32631
805AE5E4: C025E0F0   lfs   f1,-7952(r5)
805AE5E8: 38A00000   li   r5,0
805AE5EC: C004E080   lfs   f0,-8064(r4)
805AE5F0: 38000001   li   r0,1
805AE5F4: 90A30060   stw   r5,96(r3)
805AE5F8: D023006C   stfs   f1,108(r3)
805AE5FC: D0230070   stfs   f1,112(r3)
805AE600: D0230074   stfs   f1,116(r3)
805AE604: D0030068   stfs   f0,104(r3)
805AE608: 98030064   stb   r0,100(r3)
805AE60C: 4E800020   blr
[/spoiler]
So my question is what do I do with this.

dcx2 · January 27, 2011, 10:26:14 PM

When your code uses float registers, you should also copy and paste them with the integer registers.

At your breakpoint, what are the values in f1 and f0?

Why did you choose to break on 80E92F8C? Is there some significance to the value at that address?

toonlink444 · January 27, 2011, 11:54:20 PM

Sorry about the delay went to chickfil-a. Anyway the value at f1 is 1 and at f0 0. I breaked on 80E92F8C because the value changed from 00000001 to 00000000 when I got hit. So what does stfs and stb mean?

toonlink444 · January 28, 2011, 12:55:26 AM

I just tried to make a code out of this and it crashed the game. The code is
C25AE5E8 00000002
38A00001 38600001
60000000 00000000

Which is
li r5,1
li r3,1
nop

What's wrong with that?

Patedj · January 28, 2011, 01:12:12 AM

Hey Toonlink444,
Check out my post. dcx2 explains it perfectly
[spoiler]http://wiird.l0nk.org/forum/index.php/topic,7791.0.html[/spoiler]

translation = you need your anti code which is your bp first address ( not the address you put in to bp)
so 805AE5F4 90A30060

which makes 045AE5F4 90A30060 in your gct section
then your asm and finish it with the bp's asm stw r5,96(r3)
but in your case, you have 2 bps... do it again and we'll work at it together. are you pal? cause I've got pal version...

dcx2 · January 28, 2011, 01:26:15 AM

It crashed because you replaced r3 with a 1.

1 is not a valid address. So when the game went to execute stfs f1,108(r3), it couldn't, because r3 was not a valid address.

What possessed you to change r3 to a 1?

Patedj is half right. You forgot to include the original instruction in your C2 code. You're supposed to do that.

However, you only need the anticode if you're trying to disable your C2 code. If you never plan on disabling your C2 code, you don't need an anticode.

toonlink444 · January 28, 2011, 02:40:20 AM

I'm going snowboarding tomorrow so we can countinue this sunday afternoon when I get back. And I'm NTSC-US sorry i would like to work togather too.

Bully@Wiiplaza · January 28, 2011, 06:28:01 AM

Code would be:

Hook: 805AE5F8

lis r12, XXXX
ori r12, r12, YYYY
stw r12, 108 (r3)
stfs f1,108(r3)

XXXX = first 16 bit
YYYY = second 16 bit

If you want to write 000000001, it would look like this:

Hook: 805AE5F8

lis r12, 0x0000
ori r12, r12, 0x0001
stw r12, 108 (r3)
stfs f1,108(r3)

Always write "0x" infront.
But generally, I recommend using breakpoint read, which is mostly better, but seems harder to handle!

toonlink444 · January 28, 2011, 01:41:13 PM

I thought asm instructions could only be an odd number? And I copyed all the registers to a notepad so I can work on it with out my wii (but that means no testing).
I want to know about the stfs instruction. And the floats.

toonlink444 · January 28, 2011, 05:26:09 PM

Anyway the code didn't work.

Patedj · January 28, 2011, 10:22:28 PM

break point again. send us the function and registers... but this time wait a bit and make sure that the bp is consistent. O0

Bully@Wiiplaza · January 28, 2011, 11:06:04 PM

Quote from: toonlink444 on January 28, 2011, 05:26:09 PM
Anyway the code didn't work.

thatÂ´s common.
If it didnÂ´t work, set a new breakpoint and see if you get a different one.
Try again.
If you are good, you can "see" if itÂ´s the right one or not... :p

toonlink444 · January 31, 2011, 10:54:14 PM

Sorry I haven't posted in awhile. The snowboard trip took longer than I thought. Anyway I made a discovery.

Heres when I'm just flatened.
Address:80E92E8C
Breakpoint registers and floats
[spoiler]CR:48000088 XER:20000000 CTR:8009ABC0 DSIS:02400000
DAR:80E92E8C SRR0:805AE5F4 SRR1:0000B032 LR:8057A720
r0:00000001 r1:80394A68 r2:8038AC20 r3:80E92E2C
r4:80890000 r5:00000000 r6:00000000 r7:00000000
r8:00000000 r9:00000000 r10:00000000 r11:80394A08
r12:8009ABC0 r13:80388880 r14:00000000 r15:80FE5384
r16:80E92FA0 r17:00000000 r18:0000000E r19:00000000
r20:00000000 r21:80E92BF4 r22:0000000E r23:00000000
r24:00000000 r25:0000000C r26:00000000 r27:00000000
r28:00000000 r29:00000000 r30:80E92920 r31:0000010E

f0:00000000 f1:3F800000 f2:59800004 f3:348B0B8F
f4:00000000 f5:34F33486 f6:B2428EF0 f7:3BE07B10
f8:A1C23FF5 f9:3DA9827A f10:3DA9827A f11:AF7A10F6
f12:40400000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:BF34FDF4 f29:00000000 f30:3BA3D70A f31:00000000[/spoiler]

Disasembly
[spoiler]805AE5F4: 90A30060   stw   r5,96(r3)
805AE5F8: D023006C   stfs   f1,108(r3)
805AE5FC: D0230070   stfs   f1,112(r3)
805AE600: D0230074   stfs   f1,116(r3)
805AE604: D0030068   stfs   f0,104(r3)
805AE608: 98030064   stb   r0,100(r3)[/spoiler]

Disasasembler tab
[spoiler]805AE5DC: 3CA08089   lis   r5,-32631
805AE5E0: 3C808089   lis   r4,-32631
805AE5E4: C025E0F0   lfs   f1,-7952(r5)
805AE5E8: 38A00000   li   r5,0
805AE5EC: C004E080   lfs   f0,-8064(r4)
805AE5F0: 38000001   li   r0,1
805AE5F4: 90A30060   stw   r5,96(r3)
805AE5F8: D023006C   stfs   f1,108(r3)
805AE5FC: D0230070   stfs   f1,112(r3)
805AE600: D0230074   stfs   f1,116(r3)
805AE604: D0030068   stfs   f0,104(r3)
805AE608: 98030064   stb   r0,100(r3)
805AE60C: 4E800020   blr
[/spoiler]

When I pop up
registers and floats
[spoiler]CR:48000088 XER:20000000 CTR:8009ABC0 DSIS:02400000
DAR:80E92E8C SRR0:805AE614 SRR1:0000B032 LR:80573020
r0:00000001 r1:80394C98 r2:8038AC20 r3:80E92E2C
r4:00000003 r5:00009032 r6:801A9C68 r7:00000000
r8:00000000 r9:40000000 r10:00000000 r11:80394C38
r12:8009ABC0 r13:80388880 r14:00000000 r15:00000000
r16:00000000 r17:00000000 r18:00000000 r19:00000000
r20:00000000 r21:8029FD00 r22:00000000 r23:00000000
r24:00000001 r25:00000001 r26:00000000 r27:80E92B84
r28:80E92920 r29:00000000 r30:808B1030 r31:8088D4E8

f0:3F800000 f1:3F800000 f2:59800004 f3:35BDADFC
f4:00000000 f5:36C711D1 f6:B41F3FEF f7:3DB81FE5
f8:A3AE30B4 f9:BE9984C0 f10:BE9984C0 f11:306279C2
f12:40400000 f13:00000000 f14:00000000 f15:00000000
f16:00000000 f17:00000000 f18:00000000 f19:00000000
f20:00000000 f21:00000000 f22:00000000 f23:00000000
f24:00000000 f25:00000000 f26:00000000 f27:00000000
f28:00000000 f29:00000000 f30:00000000 f31:00000000[/spoiler]

Disasembly
[spoiler]805AE614: 90030060   stw   r0,96(r3)
805AE618: 3C80808B   lis   r4,-32629
805AE61C: 3CA08089   lis   r5,-32631
805AE620: C04428BC   lfs   f2,10428(r4)
805AE624: 3C808089   lis   r4,-32631
805AE628: C025E0F0   lfs   f1,-7952(r5)[/spoiler]

Disasasembler tab
[spoiler]805AE610: 38000001   li   r0,1
805AE614: 90030060   stw   r0,96(r3)
805AE618: 3C80808B   lis   r4,-32629
805AE61C: 3CA08089   lis   r5,-32631
805AE620: C04428BC   lfs   f2,10428(r4)
805AE624: 3C808089   lis   r4,-32631
805AE628: C025E0F0   lfs   f1,-7952(r5)
805AE62C: C004E080   lfs   f0,-8064(r4)
805AE630: D023006C   stfs   f1,108(r3)
805AE634: D0430070   stfs   f2,112(r3)
805AE638: D0230074   stfs   f1,116(r3)
805AE63C: D0030068   stfs   f0,104(r3)
805AE640: 98030064   stb   r0,100(r3)
805AE644: 4E800020   blr
[/spoiler]

Their different. What do you make of this?

Patedj · February 01, 2011, 02:01:04 AM

could you right click -copy function. ( Dissassembly ) for a complete view of what happens. This can sometimes help more.
I think r5 is the data that get's registered for the address. So I think if you set the r5 to 1 all the time then you'd never get flattened. or at least unattended instantaneously. Take a breakpoint ( read ) when driving at that address.

toonlink444 · February 01, 2011, 12:54:14 PM

I did right click, copy function. To me it looks like r0 and r5 have some importance.

WiiRd forum

News:

Mario Kart Wii Flat code(again but with ASM)

toonlink444

dcx2

toonlink444

toonlink444

Patedj

dcx2

toonlink444

Bully@Wiiplaza

toonlink444

toonlink444

Patedj

Bully@Wiiplaza

toonlink444

Patedj

toonlink444