Moon jump ASM for 3d games

Started by Patedj, March 11, 2011, 05:52:38 AM


Patedj

Quote from: strakn on March 12, 2011, 10:20:25 PM
1. Start with an unknown search.
2. Don't move - search equal to.
3. Jump - while in the air - search greater than.
4. Land - search less than.
5. Don't move after landing - search equal to.
6. Go to 3.

You can't move and then do an equal search; you may think the surface you're on is flat, but if it's off by a hair you will lose a possible value that you're looking for.

If your character does any kind of bobbing or movement when standing still you may have to eliminate the equal-to searches.

Also, in some games up may be a lower value than down; you might try searching less than when in the air and greater than after landing.
If I do this technique in Super Mario Galaxy, but for step 5 Mario falls asleep, would that lose my address? I'm asking this because in most games the avatar changes position when idle.
You can pm me, I've got time for your troubles.
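The search procedure quoted above, run end to end as an added example (this is not code from the thread or from the Gecko/WiiRD tools). It works on big-endian float snapshots, as the Wii's PowerPC lays them out, and the five frames are constructed to mimic "stand, stand, jump, land, stand". The base address `BASE` is an assumption, and the `tolerance` parameter is an addition to strakn's procedure: it shows why a value that bobs by a hair while idling is dropped by a strict "equal" search, and how the flipped greater/less sequence catches a game where "up" is the lower value.

```python
"""Added example: the unknown / equal / greater / less differential search from the post,
run over constructed big-endian (PowerPC) float snapshots."""
import struct

BASE = 0x80700000            # hypothetical base address of the snapshot region (assumption)
STRAKN_OPS = ["equal", "greater", "less", "equal"]      # stand, jump, land, stand
FLIPPED_OPS = ["equal", "less", "greater", "equal"]     # for games where "up" is the lower value


def floats(snapshot):
    """Every 4-byte-aligned word of the snapshot decoded as an IEEE-754 single, keyed by address."""
    return {BASE + off: struct.unpack_from(">f", snapshot, off)[0]
            for off in range(0, len(snapshot) - 3, 4)}


def narrow(candidates, before, after, op, tolerance=0.0):
    """Keep the candidates whose value moved as requested between two snapshots.
    tolerance is an addition to the posted procedure: it lets 'equal' survive a value that
    drifts by a hair while the character idles."""
    b, a = floats(before), floats(after)
    keep = set()
    for addr in candidates:
        x, y = b[addr], a[addr]
        if x != x or y != y:            # NaN: the word is not a float, drop it
            continue
        if (op == "equal" and abs(y - x) <= tolerance) or \
           (op == "greater" and y > x) or (op == "less" and y < x):
            keep.add(addr)
    return keep


def search(snapshots, ops, tolerance=0.0):
    """Step 1 is the unknown search (every word is a candidate); each later snapshot narrows it."""
    if len(ops) != len(snapshots) - 1:
        raise ValueError("need one comparison per pair of consecutive snapshots")
    cands = set(floats(snapshots[0]))
    for before, after, op in zip(snapshots, snapshots[1:], ops):
        cands = narrow(cands, before, after, op, tolerance)
    return cands


def make_snapshots():
    """Five constructed frames (not captured from a real game): stand, stand, jump apex,
    landed, stand. Only a few words carry data; the rest of the 0x100-byte region is zero."""
    frames = {
        0x10: [0.0, 1.0, 2.0, 3.0, 4.0],                    # frame counter, always grows
        0x20: [1.0, 1.0, 1.0, 1.0, 1.0],                    # a scale float, never moves
        0x30: [0.00, 0.02, 0.05, 0.01, 0.00],               # idle animation bob
        0x40: [100.0, 100.02, 130.0, 100.0, 100.01],        # height (up is +), bobs slightly when idle
        0x50: [-100.0, -100.0, -130.0, -100.0, -100.0],     # height in a game where up is the lower value
        0x60: [0.0, 0.0, 5.0, 0.0, 0.0],                    # vertical velocity
    }
    snaps = []
    for i in range(5):
        buf = bytearray(0x100)
        for off, values in frames.items():
            struct.pack_into(">f", buf, off, values[i])
        snaps.append(bytes(buf))
    return snaps


if __name__ == "__main__":
    snaps = make_snapshots()
    runs = (("strakn", STRAKN_OPS, 0.0), ("strakn, tolerant", STRAKN_OPS, 0.1), ("flipped", FLIPPED_OPS, 0.0))
    for label, ops, tol in runs:
        print(label, sorted(f"{a:08X}" for a in search(snaps, ops, tol)))
```

With a strict "equal" the bobbing height at +0x40 is lost at step 2 and only the velocity-like word survives; with a small tolerance the height comes back, along with the idle bob word, which is what you then sort out by watching them in the viewer.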

dcx2

#16
This whole painstaking voodoo surrounding this search method is why I prefer a different approach to this sort of thing.  Especially with SMG, you have no idea which direction "up" is because the world can be upside down.

We can exploit spatial locality to find something near the coordinates that is easier to find and then browse around Memory Viewer looking for something that behaves like coordinates.  For example, the floats which control size are usually located near floats for coordinates.  How do you find the size floats?

1) Find it yourself.
  a) Memory Viewer -> Search type Hex -> 3F8000003F8000003F800000 (1.0, 1.0, 1.0 = normal size)
  b) Memory Viewer -> Poke (Write) 40000000 (2.0, 1.0, 1.0 = fat along one axis)
  c) If your avatar wasn't affected, go back to 1a (note: this is a good way to find avatars!)

OR

2) Search tab for all 3F800000's in memory and Serial Poke them.  Once you set the Serial Poke up you can just rapid-fire poke one at a time until you get to the float you're interested in (but you'll touch a lot of floats you aren't interested in, for better or for worse, which is why Memory Viewer's search is more reliable: it can search for more than 4 bytes).

OR

3) Use someone else's code.  Normally, you could just get the hook from the C2, but brkirch has a region free size modifier for SMG1.  It's a bit messy to explain how to turn an F6 code into a proper hook, but if you MemView Search Hex for C03E0024 7C7D1B78 (the second line of brkirch's SMG1 Size Modifier code) you will find the hook.
  a) BPTab -> Set an execute BP on the hook
  b) Step until you are on the instruction which reads or writes the size (may have to look around a bit, and/or activate the code itself)
  c) Click Show Mem (-> switches to Memory Viewer tab)

---

Once you are in Memory Viewer looking at the size floats

a) Change View Mode to Single
b) Enable auto-update
c) Walk.  Run.  Jump.  Look for something nearby that behaves like coordinates or velocity.  Sometimes you may have to go up a few pages, or down a few pages.

If you can't find it, you may have to look for something else that would be nearby your coordinates.

Deathwolf

Why is brkirch's code sooo large?
Could be done with just lis, ori and stfs  :-\
lolz

Deathwolf

#18
Quote from: dcx2 on March 13, 2011, 05:29:46 PM

a) Memory Viewer -> Search type Hex -> 3F8000003F8000003F800000 (1.0, 1.0, 1.0 = normal


Finding the size data via Memory Viewer is too difficult. Sometimes you get:
3F8000003F8000003F8000003F8000003F8000003F800000
3F8000003F8000003F8000003F8000003F8000003F800000 and so on.
That's not a good idea.

Using a Multi-Poke by searching for 3F800000 is very dangerous, because it freezes at some addresses and sometimes you have to poke over 100 pages.

(At The Conduit the size value was 4013F333)

Try to search for the speed or jump address. The size data is near speed and jump.


dcx2

If you find a long string of 3F800000, that's probably not the size.  Skip further down until you're beyond that portion, and then keep searching.

Yes, multi-poking all 3F800000's can be dangerous.  That's why I said Memory Viewer is more reliable.

The point behind finding the size (in this example) is so you can find coordinates and/or velocity.  Depending on the game, size can be something easier to find than coordinates.  The point is to look for something that would probably be located close to your actual target.

For example, with Resident Evil 4, the sniper rifle shakes when in the scope.  How would you find the shake, a random value that is not displayed and cannot be controlled?  Search for sniper rifle zoom (very easy to find since you can control it), switch View Mode to single, auto-update, and the shaking can be found right next to the zoom.

Deathwolf

Yes that's it. On SMG2 it's 3F8000003F8000003F800000 but not on every game.

Quote from: dcx2
For example, with Resident Evil 4, the sniper rifle shakes when in the scope.  How would you find the shake, a random value that is not displayed and cannot be controlled?  Search for sniper rifle zoom (very easy to find since you can control it), switch View Mode to single, auto-update, and the shaking can be found right next to the zoom.

Ok, then how would you do a Walk Through Walls code? It can be everywhere! On Resident Evil 4 it was far away from the size data. This is the only code which I don't understand how to search for. On Call of Duty it was a default value like 000000001 and on Resident Evil 4 it was a floating value like 4064CCCC. I already read the TUT on kodewerx but that is completely wrong. Would be very interesting how to search for it.

Patedj

Walk through walls is my next challenge. So, I guess I have to go one step at a time.

If my avatar falls asleep, couldn't I find that address to locate the others?

dcx2

If the sleep variable is near the coordinates, yeah.

While most of Mario's data might be in the Mario object, there might be a separate "position object" and the Mario object has a pointer to the position object.  So finding the sleeping variable may or may not help you find coordinates.

Patedj

#23
Good to know. Awesome guys.
Alright I came up with two addresses.
1. The address' value starts at 0 when jumping and ends at 24 when landing.
2. This address' value changes when I move around and when I jump. It looks like an axis address but without being specific to one axis. Could be velocity.

I'm curious to what the first address is doing but won't focus on it right now.

Registers
[spoiler]CR:48200088  XER:20000000  CTR:00000000 DSIS:02400000
DAR:807A61E4 SRR0:800018A8 SRR1:0000B032   LR:806085FC
 r0:806085FC   r1:80287048   r2:8027E5E0   r3:00000000
 r4:00003032   r5:0000B032   r6:801BB6FC   r7:801BB700
 r8:801BB638   r9:0083CB6E  r10:00001083  r11:00001000
r12:00000000  r13:8027D600  r14:808D2940  r15:808D2D00
r16:80752728  r17:808D0000  r18:00000004  r19:00000000
r20:0000001E  r21:0000003C  r22:00000002  r23:00000001
r24:80790000  r25:808D2940  r26:80790000  r27:80790000
r28:E0E3951F  r29:01000000  r30:808D3D58  r31:808D3D58

 f0:00000000   f1:4B00001E   f2:FFC00000   f3:4F800000
 f4:4F000000   f5:477FFF00   f6:477FFF00   f7:59800004
 f8:BE7E0F86   f9:3DBA2E6E  f10:3D886B35  f11:3D4BDA5B
f12:3205A3F2  f13:350037BF  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:00000000  f30:3F800000  f31:3F000000[/spoiler]

Function: BP starts at the first address: stwu
[spoiler]800018A8:  9421FF58   stwu   r1,-168(r1) Breaks here on write
800018AC:  90010008   stw   r0,8(r1)
800018B0:  7C0802A6   mflr   r0
800018B4:  900100AC   stw   r0,172(r1)
800018B8:  7C000026   mfcr   r0
800018BC:  9001000C   stw   r0,12(r1)
800018C0:  7C0902A6   mfctr   r0
800018C4:  90010010   stw   r0,16(r1)
800018C8:  7C0102A6   mfxer   r0
800018CC:  90010014   stw   r0,20(r1)
800018D0:  BC610018   stmw   r3,24(r1)
800018D4:  7F2000A6   mfmsr   r25
800018D8:  633A2000   ori   r26,r25,8192
800018DC:  735AF9FF   andi.   r26,r26,63999
800018E0:  7F400124   mtmsr   r26
800018E4:  D8410098   stfd   f2,152(r1)
800018E8:  D86100A0   stfd   f3,160(r1)
800018EC:  3FE08000   lis   r31,-32768
800018F0:  3E80CC00   lis   r20,-13312
800018F4:  A3944010   lhz   r28,16400(r20)
800018F8:  639500FF   ori   r21,r28,255
800018FC:  B2B44010   sth   r21,16400(r20)
80001900:  48000655   bl   0x80001f54
80001904:  3AA00000   li   r21,0
80001908:  3AC00019   li   r22,25
8000190C:  3AE000D0   li   r23,208
80001910:  3F00CD00   lis   r24,-13056
80001914:  63F22774   ori   r18,r31,10100
80001918:  800100AC   lwz   r0,172(r1)
8000191C:  90120004   stw   r0,4(r18)
80001920:  92B8643C   stw   r21,25660(r24)
80001924:  4800042D   bl   0x80001d50
80001928:  418205A4   beq-   0x80001ecc
8000192C:  2C1D0004   cmpwi   r29,4
80001930:  40800010   bge-   0x80001940
80001934:  2C1D0001   cmpwi   r29,1
80001938:  41800594   blt-   0x80001ecc
8000193C:  4800034C   b   0x80001c88
80001940:  418204F0   beq-   0x80001e30
80001944:  2C1D0006   cmpwi   r29,6
80001948:  4182008C   beq-   0x800019d4
8000194C:  2C1D0007   cmpwi   r29,7
80001950:  41820330   beq-   0x80001c80
80001954:  2C1D0008   cmpwi   r29,8
80001958:  41820580   beq-   0x80001ed8
8000195C:  2C1D0009   cmpwi   r29,9
80001960:  418200A0   beq-   0x80001a00
80001964:  2C1D0010   cmpwi   r29,16
80001968:  41820098   beq-   0x80001a00
8000196C:  2C1D002F   cmpwi   r29,47
80001970:  41820070   beq-   0x800019e0
80001974:  2C1D0030   cmpwi   r29,48
80001978:  41820078   beq-   0x800019f0
8000197C:  2C1D0038   cmpwi   r29,56
80001980:  41820528   beq-   0x80001ea8
80001984:  2C1D0040   cmpwi   r29,64
80001988:  41820340   beq-   0x80001cc8
8000198C:  2C1D0041   cmpwi   r29,65
80001990:  41820358   beq-   0x80001ce8
80001994:  2C1D0044   cmpwi   r29,68
80001998:  41820068   beq-   0x80001a00
8000199C:  2C1D0050   cmpwi   r29,80
800019A0:  41820020   beq-   0x800019c0
800019A4:  2C1D0060   cmpwi   r29,96
800019A8:  41820024   beq-   0x800019cc
800019AC:  2C1D0089   cmpwi   r29,137
800019B0:  41820050   beq-   0x80001a00
800019B4:  2C1D0099   cmpwi   r29,153
800019B8:  4182050C   beq-   0x80001ec4
800019BC:  48000510   b   0x80001ecc
800019C0:  80720000   lwz   r3,0(r18)
800019C4:  48000429   bl   0x80001dec
800019C8:  48000504   b   0x80001ecc
800019CC:  48000589   bl   0x80001f54
800019D0:  480004FC   b   0x80001ecc
800019D4:  38800001   li   r4,1
800019D8:  90920000   stw   r4,0(r18)
800019DC:  480004F0   b   0x80001ecc
800019E0:  48000409   bl   0x80001de8
800019E4:  3A0000A0   li   r16,160
800019E8:  63EC2798   ori   r12,r31,10136
800019EC:  48000314   b   0x80001d00
800019F0:  38600120   li   r3,288
800019F4:  63EC2798   ori   r12,r31,10136
800019F8:  480003C9   bl   0x80001dc0
800019FC:  480004D0   b   0x80001ecc
80001A00:  2F1D0010   cmpwi   cr6,r29,16
80001A04:  2E9D0044   cmpwi   cr5,r29,68
80001A08:  63E41AB4   ori   r4,r31,6836
80001A0C:  3C608000   lis   r3,-32768
80001A10:  60630300   ori   r3,r3,768
80001A14:  48000509   bl   0x80001f1c
80001A18:  38630A00   addi   r3,r3,2560
80001A1C:  48000501   bl   0x80001f1c
80001A20:  38630600   addi   r3,r3,1536
80001A24:  480004F9   bl   0x80001f1c
80001A28:  63EC2788   ori   r12,r31,10120
80001A2C:  92AC0000   stw   r21,0(r12)
80001A30:  92AC0004   stw   r21,4(r12)
80001A34:  92AC0008   stw   r21,8(r12)
80001A38:  63E42798   ori   r4,r31,10136
80001A3C:  81240018   lwz   r9,24(r4)
80001A40:  80720000   lwz   r3,0(r18)
80001A44:  2C030002   cmpwi   r3,2
80001A48:  4082000C   bne-   0x80001a54
80001A4C:  4196000C   beq-   cr5,0x80001a58
80001A50:  48000020   b   0x80001a70
80001A54:  38600000   li   r3,0
80001A58:  906C000C   stw   r3,12(r12)
80001A5C:  40820014   bne-   0x80001a70
80001A60:  40960010   bne-   cr5,0x80001a70
80001A64:  61290400   ori   r9,r9,1024
80001A68:  91240018   stw   r9,24(r4)
80001A6C:  48000214   b   0x80001c80
80001A70:  552905A8   rlwinm   r9,r9,0,22,20
80001A74:  91240018   stw   r9,24(r4)
80001A78:  41960454   beq-   cr5,0x80001ecc
80001A7C:  419A0008   beq-   cr6,0x80001a84
80001A80:  398C0004   addi   r12,r12,4
80001A84:  38600004   li   r3,4
80001A88:  48000309   bl   0x80001d90
80001A8C:  40990010   ble-   cr6,0x80001a9c
80001A90:  398C0004   addi   r12,r12,4
80001A94:  38600004   li   r3,4
80001A98:  480002F9   bl   0x80001d90
80001A9C:  63E42788   ori   r4,r31,10120
80001AA0:  80640000   lwz   r3,0(r4)
80001AA4:  80840004   lwz   r4,4(r4)
80001AA8:  7C72FBA6   mtspr   1010,r3
80001AAC:  7C95FBA6   mtdabr   r4
80001AB0:  4800041C   b   0x80001ecc
80001AB4:  7C3243A6   mtsprg   2,r1
80001AB8:  7C3A02A6   mfsrr0   r1
80001ABC:  7C7343A6   mtsprg   3,r3
80001AC0:  7C7B02A6   mfsrr1   r3
80001AC4:  546305A8   rlwinm   r3,r3,0,22,20
80001AC8:  906027B0   stw   r3,10160(r0)
80001ACC:  5463061E   rlwinm   r3,r3,0,24,15
80001AD0:  60632000   ori   r3,r3,8192
80001AD4:  7C7B03A6   mtsrr1   r3
80001AD8:  3C608000   lis   r3,-32768
80001ADC:  60631AE8   ori   r3,r3,6888
80001AE0:  7C7A03A6   mtsrr0   r3
80001AE4:  4C000064   rfi   
80001AE8:  3C608000   lis   r3,-32768
80001AEC:  60632798   ori   r3,r3,10136
80001AF0:  90230014   stw   r1,20(r3)
80001AF4:  7C611B78   mr   r1,r3
80001AF8:  7C7342A6   mfsprg   r3,3
80001AFC:  BC410024   stmw   r2,36(r1)
80001B00:  7C240B78   mr   r4,r1
80001B04:  7C3242A6   mfsprg   r1,2
80001B08:  9004001C   stw   r0,28(r4)
80001B0C:  90240020   stw   r1,32(r4)
80001B10:  7C6802A6   mflr   r3
80001B14:  9064009C   stw   r3,156(r4)
80001B18:  7C600026   mfcr   r3
80001B1C:  90640000   stw   r3,0(r4)
80001B20:  7C6102A6   mfxer   r3
80001B24:  90640004   stw   r3,4(r4)
80001B28:  7C6902A6   mfctr   r3
80001B2C:  90640008   stw   r3,8(r4)
80001B30:  7C7202A6   mfdsisr   r3
80001B34:  9064000C   stw   r3,12(r4)
80001B38:  7C7302A6   mfdar   r3
80001B3C:  90640010   stw   r3,16(r4)
80001B40:  39200000   li   r9,0
80001B44:  7D32FBA6   mtspr   1010,r9
80001B48:  7D35FBA6   mtdabr   r9
80001B4C:  3CA08000   lis   r5,-32768
80001B50:  60A51B70   ori   r5,r5,7024
80001B54:  3FE0D004   lis   r31,-12284
80001B58:  63FF00A0   ori   r31,r31,160
80001B5C:  93E50000   stw   r31,0(r5)
80001B60:  7C00286C   dcbst   r0,r5
80001B64:  7C0004AC   sync   
80001B68:  7C002FAC   icbi   r0,r5
80001B6C:  4C00012C   isync   
80001B70:  D3E4011C   stfs   f31,284(r4)
80001B74:  3BFF0004   addi   r31,r31,4
80001B78:  3FFF0020   addis   r31,r31,32
80001B7C:  57F0014B   rlwinm.   r16,r31,0,5,5
80001B80:  4182FFDC   beq+   0x80001b5c
80001B84:  3FE08000   lis   r31,-32768
80001B88:  63E52788   ori   r5,r31,10120
80001B8C:  82050000   lwz   r16,0(r5)
80001B90:  82250004   lwz   r17,4(r5)
80001B94:  8265000C   lwz   r19,12(r5)
80001B98:  2C130000   cmpwi   r19,0
80001B9C:  41820074   beq-   0x80001c10
80001BA0:  2C130002   cmpwi   r19,2
80001BA4:  40820018   bne-   0x80001bbc
80001BA8:  81240014   lwz   r9,20(r4)
80001BAC:  39330003   addi   r9,r19,3
80001BB0:  91250000   stw   r9,0(r5)
80001BB4:  9125000C   stw   r9,12(r5)
80001BB8:  4800006C   b   0x80001c24
80001BBC:  7C109800   cmpw   r16,r19
80001BC0:  41820038   beq-   0x80001bf8
80001BC4:  7C119800   cmpw   r17,r19
80001BC8:  41820030   beq-   0x80001bf8
80001BCC:  7D308A14   add   r9,r16,r17
80001BD0:  9125000C   stw   r9,12(r5)
80001BD4:  82050008   lwz   r16,8(r5)
80001BD8:  2C100000   cmpwi   r16,0
80001BDC:  41820048   beq-   0x80001c24
80001BE0:  80640010   lwz   r3,16(r4)
80001BE4:  7C101800   cmpw   r16,r3
80001BE8:  40820010   bne-   0x80001bf8
80001BEC:  3A000000   li   r16,0
80001BF0:  92050008   stw   r16,8(r5)
80001BF4:  48000030   b   0x80001c24
80001BF8:  3A200000   li   r17,0
80001BFC:  9225000C   stw   r17,12(r5)
80001C00:  81240018   lwz   r9,24(r4)
80001C04:  61290400   ori   r9,r9,1024
80001C08:  91240018   stw   r9,24(r4)
80001C0C:  48000030   b   0x80001c3c
80001C10:  7E12FBA6   mtspr   1010,r16
80001C14:  7E35FBA6   mtdabr   r17
80001C18:  39200001   li   r9,1
80001C1C:  9125000C   stw   r9,12(r5)
80001C20:  4800001C   b   0x80001c3c
80001C24:  38A00002   li   r5,2
80001C28:  63E42774   ori   r4,r31,10100
80001C2C:  90A40000   stw   r5,0(r4)
80001C30:  38600011   li   r3,17
80001C34:  480001B9   bl   0x80001dec
80001C38:  4BFFFC71   bl   0x800018a8
80001C3C:  7C2000A6   mfmsr   r1
80001C40:  542107FA   rlwinm   r1,r1,0,31,29
80001C44:  5421045E   rlwinm   r1,r1,0,17,15
80001C48:  7C200124   mtmsr   r1
80001C4C:  63E12798   ori   r1,r31,10136
80001C50:  80610000   lwz   r3,0(r1)
80001C54:  7C6FF120   mtcr   r3
80001C58:  80610014   lwz   r3,20(r1)
80001C5C:  7C7A03A6   mtsrr0   r3
80001C60:  80610018   lwz   r3,24(r1)
80001C64:  7C7B03A6   mtsrr1   r3
80001C68:  8061009C   lwz   r3,156(r1)
80001C6C:  7C6803A6   mtlr   r3
80001C70:  B8410024   lmw   r2,36(r1)
80001C74:  8001001C   lwz   r0,28(r1)
80001C78:  80210020   lwz   r1,32(r1)
80001C7C:  4C000064   rfi   
80001C80:  92B20000   stw   r21,0(r18)
80001C84:  48000254   b   0x80001ed8
80001C88:  2E9D0002   cmpwi   cr5,r29,2
80001C8C:  38600008   li   r3,8
80001C90:  63EC277C   ori   r12,r31,10108
80001C94:  480000FD   bl   0x80001d90
80001C98:  80AC0000   lwz   r5,0(r12)
80001C9C:  806C0004   lwz   r3,4(r12)
80001CA0:  98650000   stb   r3,0(r5)
80001CA4:  41940010   blt-   cr5,0x80001cb4
80001CA8:  B0650000   sth   r3,0(r5)
80001CAC:  41960008   beq-   cr5,0x80001cb4
80001CB0:  90650000   stw   r3,0(r5)
80001CB4:  7C0028AC   dcbf   r0,r5
80001CB8:  7C0004AC   sync   
80001CBC:  7C002FAC   icbi   r0,r5
80001CC0:  4C00012C   isync   
80001CC4:  48000208   b   0x80001ecc
80001CC8:  48000121   bl   0x80001de8
80001CCC:  38600004   li   r3,4
80001CD0:  63EC277C   ori   r12,r31,10108
80001CD4:  480000BD   bl   0x80001d90
80001CD8:  820C0000   lwz   r16,0(r12)
80001CDC:  3D808000   lis   r12,-32768
80001CE0:  618C28B8   ori   r12,r12,10424
80001CE4:  4800001C   b   0x80001d00
80001CE8:  48000101   bl   0x80001de8
80001CEC:  38600008   li   r3,8
80001CF0:  63EC277C   ori   r12,r31,10108
80001CF4:  4800009D   bl   0x80001d90
80001CF8:  820C0004   lwz   r16,4(r12)
80001CFC:  818C0000   lwz   r12,0(r12)
80001D00:  63FB2784   ori   r27,r31,10116
80001D04:  3A200F80   li   r17,3968
80001D08:  48000239   bl   0x80001f40
80001D0C:  41820020   beq-   0x80001d2c
80001D10:  7E238B78   mr   r3,r17
80001D14:  4800007D   bl   0x80001d90
80001D18:  480000D1   bl   0x80001de8
80001D1C:  4182FFFC   beq+   0x80001d18
80001D20:  7D8C7214   add   r12,r12,r14
80001D24:  356BFFFF   subic.   r11,r11,1
80001D28:  4181FFE8   bgt+   0x80001d10
80001D2C:  807B0000   lwz   r3,0(r27)
80001D30:  2C030000   cmpwi   r3,0
80001D34:  41820008   beq-   0x80001d3c
80001D38:  48000059   bl   0x80001d90
80001D3C:  7C0060AC   dcbf   r0,r12
80001D40:  7C0004AC   sync   
80001D44:  7C0067AC   icbi   r0,r12
80001D48:  4C00012C   isync   
80001D4C:  48000180   b   0x80001ecc
80001D50:  7FC802A6   mflr   r30
80001D54:  3C60A000   lis   r3,-24576
80001D58:  48000015   bl   0x80001d6c
80001D5C:  76030800   andis.   r3,r16,2048
80001D60:  561D863E   rlwinm   r29,r16,16,24,31
80001D64:  7FC803A6   mtlr   r30
80001D68:  4E800020   blr   
[/spoiler]

Reading the address results in a totally different location (8049319C, near the end).
[spoiler]8049315C:  542B073E   rlwinm   r11,r1,0,28,31
80493160:  7C2C0B78   mr   r12,r1
80493164:  216BFFC0   subfic   r11,r11,-64
80493168:  7C21596E   stwux   r1,r1,r11
8049316C:  7C0802A6   mflr   r0
80493170:  900C0004   stw   r0,4(r12)
80493174:  DBECFFF0   stfd   f31,-16(r12)
80493178:  F3EC0FF8   psq_st   f31,4088(r12),0,0
8049317C:  DBCCFFE0   stfd   f30,-32(r12)
80493180:  F3CC0FE8   psq_st   f30,4072(r12),0,0
80493184:  C0C50000   lfs   f6,0(r5)
80493188:  C0040000   lfs   f0,0(r4)
8049318C:  C0440004   lfs   f2,4(r4)
80493190:  C0240008   lfs   f1,8(r4)
80493194:  ED460032   fmuls   f10,f6,f0
80493198:  ECE600B2   fmuls   f7,f6,f2
8049319C:  C1250004   lfs   f9,4(r5) ----> breaks here on read
804931A0:  C0840010   lfs   f4,16(r4)
804931A4:  ECA60072   fmuls   f5,f6,f1
804931A8:  C004000C   lfs   f0,12(r4)
804931AC:  ED090132   fmuls   f8,f9,f4
804931B0:  EC260032   fmuls   f1,f6,f0
804931B4:  C0640014   lfs   f3,20(r4)
804931B8:  C0440018   lfs   f2,24(r4)
804931BC:  ED6A402A   fadds   f11,f10,f8
804931C0:  C004001C   lfs   f0,28(r4)
804931C4:  EC8900B2   fmuls   f4,f9,f2
804931C8:  ECC900F2   fmuls   f6,f9,f3
804931CC:  C1A50008   lfs   f13,8(r5)
804931D0:  EC090032   fmuls   f0,f9,f0
804931D4:  C1240020   lfs   f9,32(r4)
804931D8:  EC85202A   fadds   f4,f5,f4
804931DC:  C044002C   lfs   f2,44(r4)
804931E0:  ED8D0272   fmuls   f12,f13,f9
804931E4:  C1040024   lfs   f8,36(r4)
804931E8:  C3C5000C   lfs   f30,12(r5)
804931EC:  EC4D00B2   fmuls   f2,f13,f2
804931F0:  ED2D0232   fmuls   f9,f13,f8
804931F4:  C1440034   lfs   f10,52(r4)
804931F8:  ED07302A   fadds   f8,f7,f6
804931FC:  C0640028   lfs   f3,40(r4)
80493200:  EC01002A   fadds   f0,f1,f0
80493204:  C3E40030   lfs   f31,48(r4)
80493208:  ECCD00F2   fmuls   f6,f13,f3
8049320C:  C0E40038   lfs   f7,56(r4)
80493210:  C064003C   lfs   f3,60(r4)
80493214:  EDBE07F2   fmuls   f13,f30,f31
80493218:  ECAC582A   fadds   f5,f12,f11
8049321C:  38810010   addi   r4,r1,16
80493220:  EC29402A   fadds   f1,f9,f8
80493224:  38A00010   li   r5,16
80493228:  ED5E02B2   fmuls   f10,f30,f10
8049322C:  ED0D282A   fadds   f8,f13,f5
80493230:  EC86202A   fadds   f4,f6,f4
80493234:  ECCA082A   fadds   f6,f10,f1
80493238:  D1010010   stfs   f8,16(r1)
8049323C:  ECBE01F2   fmuls   f5,f30,f7
80493240:  EC02002A   fadds   f0,f2,f0
80493244:  D0C10014   stfs   f6,20(r1)
80493248:  EC3E00F2   fmuls   f1,f30,f3
8049324C:  EC45202A   fadds   f2,f5,f4
80493250:  EC01002A   fadds   f0,f1,f0
80493254:  D0410018   stfs   f2,24(r1)
80493258:  D001001C   stfs   f0,28(r1)
8049325C:  4BB73011   bl   0x8000626c
80493260:  81410000   lwz   r10,0(r1)
80493264:  3800FFF8   li   r0,-8
80493268:  13EA000C   psq_lx   f31,r10,r0,0,0
8049326C:  CBEAFFF0   lfd   f31,-16(r10)
80493270:  3800FFE8   li   r0,-24
80493274:  13CA000C   psq_lx   f30,r10,r0,0,0
80493278:  800A0004   lwz   r0,4(r10)
8049327C:  CBCAFFE0   lfd   f30,-32(r10)
80493280:  7C0803A6   mtlr   r0
80493284:  7D415378   mr   r1,r10
80493288:  4E800020   blr   
[/spoiler]

Patedj

#24
I tried lfs f31, 4(r5) and it changed all of the floor and background to a transparent floor type... kind of cool.
Anyway, when I take a BP in the air it comes up with this function instead.
Searched address = 807A61E4 breaks at 800018A8 at the beginning of the jump and 80006288 in the air
[spoiler]80006238:  7C5143A6   mtsprg   1,r2
8000623C:  7C7243A6   mtsprg   2,r3
80006240:  7C9343A6   mtsprg   3,r4
80006244:  7C5A02A6   mfsrr0   r2
80006248:  7C9B02A6   mfsrr1   r4
8000624C:  7C6000A6   mfmsr   r3
80006250:  60630030   ori   r3,r3,48
80006254:  7C7B03A6   mtsrr1   r3
80006258:  3C60800A   lis   r3,-32758
8000625C:  60639170   ori   r3,r3,37232
80006260:  7C7A03A6   mtsrr0   r3
80006264:  38601F00   li   r3,7936
80006268:  4C000064   rfi   
8000626C:  7C041840   cmplw   r4,r3
80006270:  41800028   blt-   0x80006298
80006274:  3884FFFF   subi   r4,r4,1
80006278:  38C3FFFF   subi   r6,r3,1
8000627C:  38A50001   addi   r5,r5,1
80006280:  4800000C   b   0x8000628c
80006284:  8C040001   lbzu   r0,1(r4)
80006288:  9C060001   stbu   r0,1(r6)
8000628C:  34A5FFFF   subic.   r5,r5,1
80006290:  4082FFF4   bne+   0x80006284
80006294:  4E800020   blr   [/spoiler]

Code
Button condition +
ASM:
stwu r1,-16(r1)
stw r11,8(r1)
lis r11, 0x8000        (changed to 0x807A)
ori r11, r11, 0x6288   (changed to 0x61E4)

stw r11, 0(r12)        (changed to lwz r12, 0(r11))
addi r12,r12,11
stw r12, 0(r11)
lwz r11,8(r1)
addi r1,r1,16

Edit: bolded change (shown in parentheses above)
Edit: both crash and the Gecko loses its connection to the Wii
Edit: silly me I forgot to find an empty address to inject into

Results: nothing...? I was so pepped for it too!
This was for write... I'll try the floats for read now.

Patedj

#25
injected at empty address (.word 00000000) 80006234

28215000 00000800 (button in the first 16 bytes, not the last 16 bytes)
C2006234 00000005
9421FFF0 91610008
3D608049 616B319C
C12B0000 918B0000
81610008 38210010
60000000 00000000
E2100000 00000000
0449319C C1250004
E0000000 80008000

ASM:stwu r1,-16(r1)
stw r11,8(r1)
lis r11, 0x8049   ----> lfs break (read)
ori r11, r11, 0x319C
lfs f9, 0(r11)
stw r12, 0(r11)
lwz r11,8(r1)
addi r1,r1,16

nothing...:(
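To check a hand-assembled Gecko code like the one above before poking it, here is an added example (not code from the thread, and not the Gecko codehandler or any official assembler) that encodes the handful of PowerPC D-form instructions the post uses and lays them out as a C2 insert, together with the 28 button activator, the 04 write and the E0 terminator. The layout rules are the documented Gecko ones: a 25-bit address relative to 0x80000000 whose top bit lands in the type byte, a line count after C2, and a 00000000 last word padded with a nop when needed. The E2 line is copied verbatim rather than encoded. The hook, button value and addresses are the poster's; nothing here says whether the code does what was intended, only that the words are what those mnemonics assemble to.

```python
"""Added example: a tiny PowerPC D-form assembler and Gecko C2/04/28 code layout helpers."""
import re

# Primary opcodes of the D-form instructions this assembler understands (PowerPC ISA).
D_FORM = {"addi": 14, "addis": 15, "ori": 24, "lwz": 32, "stw": 36, "stwu": 37, "lfs": 48, "stfs": 52}

# mnemonic  reg [, reg]  imm [(reg)]   e.g. "lfs f9, 0(r11)", "ori r11, r11, 0x319C", "stwu r1,-16(r1)"
LINE = re.compile(
    r"^\s*(\w+)\s+([rf]\d+)\s*,\s*(?:(r\d+)\s*,\s*)?(-?(?:0x[0-9A-Fa-f]+|\d+))\s*(?:\(\s*(r\d+)\s*\))?\s*$"
)


def d_form(mnemonic, first, ra, imm):
    """opcode(6) | rT or rS (5) | rA (5) | 16-bit displacement or immediate."""
    if not (0 <= first < 32 and 0 <= ra < 32):
        raise ValueError("register out of range")
    if not (-0x8000 <= imm <= 0xFFFF):
        raise ValueError("immediate does not fit in 16 bits")
    return (D_FORM[mnemonic] << 26) | (first << 21) | (ra << 16) | (imm & 0xFFFF)


def asm(text):
    """Assemble one line of the supported subset to a 32-bit instruction word."""
    m = LINE.match(text)
    if not m:
        raise ValueError(f"cannot parse {text!r}")
    mnem, first, second, imm, base = m.groups()
    reg = lambda s: int(s[1:])
    imm = int(imm, 0)
    if mnem == "lis":                      # lis rT, imm  is  addis rT, r0, imm
        return d_form("addis", reg(first), 0, imm)
    if mnem == "ori":                      # ori rA, rS, UI: the destination is rA, rS goes in the first field
        return d_form("ori", reg(second), reg(first), imm)
    if mnem in ("addi", "addis"):
        if second is None:
            raise ValueError(f"{mnem} needs rT, rA, imm")
        return d_form(mnem, reg(first), reg(second), imm)
    if mnem in ("lwz", "stw", "stwu", "lfs", "stfs"):
        if base is None:
            raise ValueError(f"{mnem} needs a d(rA) operand")
        return d_form(mnem, reg(first), reg(base), imm)
    raise ValueError(f"unsupported mnemonic {mnem!r}")


def gecko_addr(codetype, addr):
    """First word of a Gecko code: type byte plus the 25-bit address relative to ba=0x80000000
    (assumed default); bit 24 of that address ends up in the type byte (C2 -> C3 for 0x81xxxxxx)."""
    if not 0x80000000 <= addr < 0x82000000:
        raise ValueError("address must lie in 0x80000000-0x81FFFFFF")
    return (codetype << 24) | (addr & 0x01FFFFFF)


def gecko_c2(hook, words):
    """C2XXXXXX YYYYYYYY followed by YYYYYYYY lines of two words. The last word must be
    00000000, so an even number of instructions is padded with a nop (60000000) first."""
    if hook & 3:
        raise ValueError("hook must be word aligned")
    words = list(words)
    if len(words) % 2 == 0:
        words.append(0x60000000)           # nop: ori r0, r0, 0
    words.append(0x00000000)
    lines = [f"{gecko_addr(0xC2, hook):08X} {len(words) // 2:08X}"]
    lines += [f"{words[i]:08X} {words[i + 1]:08X}" for i in range(0, len(words), 2)]
    return lines


def gecko_write32(addr, value):
    """04XXXXXX YYYYYYYY: 32-bit RAM write."""
    return f"{gecko_addr(0x04, addr):08X} {value & 0xFFFFFFFF:08X}"


def gecko_if16(addr, value, mask=0):
    """28XXXXXX MMMMVVVV: run the following lines while (u16 at addr & ~MMMM) == VVVV."""
    return f"{gecko_addr(0x28, addr):08X} {mask & 0xFFFF:04X}{value & 0xFFFF:04X}"


GECKO_FULL_TERMINATOR = "E0000000 80008000"   # E0: reset ba/po, close every open if

# The insert from the post, re-encoded from its mnemonics.
PATEDJ_ASM = [
    "stwu r1,-16(r1)", "stw r11,8(r1)", "lis r11, 0x8049", "ori r11, r11, 0x319C",
    "lfs f9, 0(r11)", "stw r12, 0(r11)", "lwz r11,8(r1)", "addi r1,r1,16",
]


def patedj_code():
    """Rebuild the posted block: activator, C2 insert, the E2 line as posted, 04 write, terminator."""
    return ([gecko_if16(0x80215000, 0x0800)]
            + gecko_c2(0x80006234, (asm(line) for line in PATEDJ_ASM))
            + ["E2100000 00000000"]                       # copied verbatim from the post, not encoded
            + [gecko_write32(0x8049319C, asm("lfs f9, 4(r5)"))]
            + [GECKO_FULL_TERMINATOR])


if __name__ == "__main__":
    print("\n".join(patedj_code()))
```

The 04 line restores the original `lfs f9, 4(r5)` at 8049319C, which is why its second word is C1250004: the encoder gives the same value the disassembly shows.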

Patedj

#26
.........
I've started with the 3f80 search eventually it just sends me into a loop... with no success. Searching for 3f800000 in the search tab comes up with 350+ PAGES....
In the memory tab it brings me to page 34 and loops around pages 30-35
but
There's some tripped out stuff in Okami!!

Graphic warp
042766B0 30000000

Light/Flames modifier
04276698 xxx00000

Does the camera influence the velocity addresses?

Deathwolf

Quote from: Patedj on March 14, 2011, 02:47:05 AM
injected at empty address (.word 00000000) 80006234

28215000 00000800 (button in the first 16 bytes, not the last 16 bytes)
C2006234 00000005
9421FFF0 91610008
3D608049 616B319C
C12B0000 918B0000
81610008 38210010
60000000 00000000
E2100000 00000000
0449319C C1250004
E0000000 80008000

ASM:stwu r1,-16(r1)
stw r11,8(r1)
lis r11, 0x8049   ----> lfs break (read)
ori r11, r11, 0x319C
lfs f9, 0(r11)
stw r12, 0(r11)
lwz r11,8(r1)
addi r1,r1,16

nothing...:(

No, you have to use your REAL hook address.
For loading into an address use the C0 codetype.


dcx2

Don't use the else code type, E21.  I've been told that it doesn't work right.

Deathwolf

Aha, I used it every time and never had any problems. A8 is the codetype, right?