All frames for [WF4P] for damage(heros) functions

Started by Patedj, April 22, 2011, 04:49:14 PM


Patedj

I can't seem to copy all frames. I'm in a bp, right click load call stacks, right click copy all frames = can't find, continue searching?

then it comes up with this [spoiler]See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.IndexOutOfRangeException: Index was outside the bounds of the array.
  at FTDIUSBGecko.USBGecko.Dump(UInt32 startdump, UInt32 enddump, Stream[] saveStream, Dump memdump)
  at FTDIUSBGecko.USBGecko.Dump(UInt32 startdump, UInt32 enddump, Stream saveStream)
  at GeckoApp.Disassembly.Disassemble(UInt32 address, Int32 commands)
  at GeckoApp.MainForm.copyAllFramesToolStripMenuItem_Click(Object sender, EventArgs e)
  at System.Windows.Forms.ToolStripItem.RaiseEvent(Object key, EventArgs e)
  at System.Windows.Forms.ToolStripMenuItem.OnClick(EventArgs e)
  at System.Windows.Forms.ToolStripItem.HandleClick(EventArgs e)
  at System.Windows.Forms.ToolStripItem.HandleMouseUp(MouseEventArgs e)
  at System.Windows.Forms.ToolStripItem.FireEventInteractive(EventArgs e, ToolStripItemEventType met)
  at System.Windows.Forms.ToolStripItem.FireEvent(EventArgs e, ToolStripItemEventType met)
  at System.Windows.Forms.ToolStrip.OnMouseUp(MouseEventArgs mea)
  at System.Windows.Forms.ToolStripDropDown.OnMouseUp(MouseEventArgs mea)
  at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
  at System.Windows.Forms.Control.WndProc(Message& m)
  at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
  at System.Windows.Forms.ToolStrip.WndProc(Message& m)
  at System.Windows.Forms.ToolStripDropDown.WndProc(Message& m)
  at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
  at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
  at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


[/spoiler]
You can pm me, I've got time for your troubles.

Patedj

I walked the stack and found that mr r4,r27 is my where r27 is the enemy's or the hero's damage input.

I figured if I branch to after the DamageHP(store) when Damage(Enemy) then I stop the enemies from hurting.

This is my assembly, but I can't figure out the branch (even when I place the address into the disassembler it comes up with an error of "between mins and maxes").

80095CE8 address hooking at
stwu r1,-80(r1)
stmw r14,8(r1)
mr r4,r27
lis r14,-32678
ori r14,r14,48544
stw r14,0(r15)
cmpwi r4,15
beq- 0x140  ->this is how much more I have to go at the original address.80095DD4
lmw r14,8(r1)
addi r1,r1,80
nop


Here's a log of what I've been doing.

dcx2

You can't use Copy Frames while you're stepping through a C2 code.  C2 codes screw with the parser.  Once you're out of the C2 code, though, you can Copy All Frames again.

Patedj

I started the game without any codes and still no success with copying all frames.

dcx2

Can you load the call stack?

Can you Copy Function?

Can you Goto Function Start?  And Goto Function End?

Patedj

I can load the call stack, end and beginning function work and I can copy the function.

... very unusual...
for the second to last stack function I can't go to the beginning but I can go to the end.
I found the stwu and still can't copy function

dcx2

Yeah, that second function is screwing everything up.

When you say "last", do you mean top or bottom?  The top of the stack is the breakpoint instruction.

The way "Copy All Frames" works, is that it goes to each item in the call stack, finds the beginning and end, and dumps it all in the clipboard.  If it can't find the start of a function it will freak out.

Can you manually determine the function's beginning and end, and copy/paste it here, so that I may determine why Gecko.NET is confused?  Also, copy and paste the call stack listbox too, please.

Patedj

Because I was doing this when I triggered the C2, I associated a crash with pressing the "yes, continue to search" button. It now works, and here is the call stack with all frames, which is attached.
File too big >155k


Edit: the second of the bottom of the stack load

Edit 2.2: Correct edited functions attached

Edit 3:added subject to subject title

Patedj

Explanations: Volatile output
80095DCC:  90040014   stw   r0,20(r4) [spoiler]r4= who is receiving the damage/repair [/spoiler]

Volatile input
80095DC8:  7C033A14   add   r0,r3,r7 [spoiler]r0= the quantity[/spoiler]
80095DC0:  80640014   lwz   r3,20(r4) [spoiler]hp[/spoiler]
80095D80:  7CE83A14   add   r7,r8,r7
80095D6C:  80E400B4   lwz   r7,180(r4) [spoiler]quantity of damage/repair[/spoiler]
80095D74:  810400B8   lwz   r8,184(r4)[spoiler] might be repetitive damage/repair like poison[/spoiler]

Branch
80095CEC:  48000059   bl   0x80095d44 [spoiler]This transfers to the damage function[/spoiler]

Non Volatile transfer
80095CE8:  7F64DB78   mr   r4,r27 [spoiler]the victim is chosen by r27[/spoiler]
80095CB8:  7F60EA14   add   r27,r0,r29
80095CB4:  801A0358   lwz   r0,856(r26) [spoiler]is a pointer which then has a value of 0 or 1 (0 when there is no battle)[/spoiler]





dcx2

At your breakpoint, r7 is the amount of damage being done.  r3 probably holds the current health, gotten from 80095DC0:  80640014   lwz   r3,20(r4).  Then the add r0,r3,r7 is what subtracts from your health.

---

Your goal is to prevent the enemy from hurting you?  You could try this, it doesn't even require a C2 code.  Just replace 80095D80:  7CE83A14   add   r7,r8,r7 with an li r7,0 instead.  This may have unintended side-effects, like preventing you from healing, or preventing you from hurting enemies.

---

It also looks like 160(r27) has some sort of "invincibility" bit.  If it's set, it ends up skipping over all the calls to damage.

80095CC8:  801B00A0   lwz   r0,160(r27)
80095CCC:  540005EF   rlwinm.   r0,r0,0,23,23
80095CD0:  41820020   beq-   0x80095cf0

Patedj

You are right, it does make everything invincible.
If I change r30 it makes everything add 9999.

dcx2

Okay, you have two options now.

1) Find some way to determine friend from foe.  Hook the add r7,r8,r7 and set r7 to 0 when the target is a friend.

2) Find a different hook, perhaps entirely unrelated to this hook, but one that only runs on friends.  Use this hook to set the invincibility bit, and it will only get set for friends.  Then you won't need to hook the damage function at all.

Patedj

Wouldn't this do it?
stwu r1,-80(r1)
stmw r14,8(r1)
mr r4,r27
lis r14,-32678
ori r14,r14,48544
stw r14,0(r15)
cmpwi r4,15
beq- 0x????
addi r1,r1,80
nop

where r4 will determine who it is and the beq will go to the end of the attack
80095CC8:  801B00A0   lwz   r0,160(r27)
80095CCC:  540005EF   rlwinm.   r0,r0,0,23,23
80095CD0:  41820020   beq-   0x80095cf0
I can add 80095CC8 lis r0,1 under the beq, or 80095CB0 lis r30,1, which makes the enemy attack 9999 repair.

dcx2

No.

You can't do relative branches in C2 codes.  Relative branches are "current address + branch displacement".  C2 codes live in the code handler.  Your beq- would go 0x140 bytes after the instruction in the code handler, not 0x140 bytes after the hook address (which was your intention).

Also, if you only need one register, there's no point in making a stack frame.  Just use r12.

What are you trying to do with stw r14,0(r15)?

Why are you comparing r4 to 15?

EDIT: please include an address when you're describing what you're trying to hook or over-write.  Telling me "lis r0,1" means nothing, because it doesn't say *where* you are adding it.
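
An added example (my own, not code from the thread or from Gecko dNet) that decodes the branch words quoted earlier in the thread and shows dcx2's point: a relative beq copied verbatim into a C2 code resolves against the address it executes from in the code handler, not the hook address, and the 14-bit BD field cannot reach back into game code from there. The code-handler address used here is a constructed placeholder.

```python
def sign_extend(value, bits):
    """Interpret the low `bits` bits of `value` as a two's-complement integer."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def branch_target(instr, addr):
    """Target of a PowerPC b/bl (opcode 18) or bc-family (opcode 16) word
    `instr` that executes at `addr`. With AA=0 the target is addr + displacement,
    so the same word lands somewhere else if it runs from a different address.
    Returns None for non-branch instructions."""
    opcode = instr >> 26
    aa = (instr >> 1) & 1
    if opcode == 18:                      # b/bl: 24-bit LI field, word aligned
        disp = sign_extend(instr & 0x03FFFFFC, 26)
    elif opcode == 16:                    # bc (beq-, bne-, ...): 14-bit BD field
        disp = sign_extend(instr & 0x0000FFFC, 16)
    else:
        return None
    return (disp if aa else addr + disp) & 0xFFFFFFFF


def encode_bc(bo, bi, addr, target, lk=0):
    """Encode a relative conditional branch placed at `addr` that reaches
    `target`. Raises ValueError if the displacement does not fit the signed
    16-bit BD field, i.e. the target is unreachable from that location."""
    disp = target - addr
    if disp % 4 or not -0x8000 <= disp < 0x8000:
        raise ValueError("target 0x%08X unreachable from 0x%08X" % (target, addr))
    return (16 << 26) | (bo << 21) | (bi << 16) | (disp & 0xFFFC) | lk


# Instruction words quoted in the thread (address: word).
BEQ_AT_80095CD0 = 0x41820020   # beq- 0x80095cf0
BL_AT_80095CEC = 0x48000059    # bl 0x80095d44

# Placeholder for where the code handler executes the C2 code body;
# constructed for this demo, not the real handler address.
HANDLER_ADDR = 0x80001800


def relocation_check(instr, hook_addr, handler_addr=HANDLER_ADDR):
    """Return (intended target, actual target) for a relative branch copied
    verbatim from `hook_addr` into a C2 code executed at `handler_addr`."""
    return branch_target(instr, hook_addr), branch_target(instr, handler_addr)


if __name__ == "__main__":
    intended, actual = relocation_check(BEQ_AT_80095CD0, 0x80095CD0)
    print("beq intended 0x%08X, from the handler it lands at 0x%08X" % (intended, actual))
```

Calling encode_bc with the handler address as the source and 0x80095CF0 as the target raises ValueError, which is why the branch back into game code has to go through a register (lis/ori into r12 and a counter-register branch) rather than a relative bc.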

Patedj

at address 80095CE8 I can see that r4 is either 10 or 20
which means that either 10 or 20 is the friends or foes