Help with calling the stack

Started by Bully@Wiiplaza, June 25, 2011, 11:06:58 AM


Bully@Wiiplaza

I'm forced to do a simple RAM write using ASM, since the address of interest always moves in memory.
I attempted a pointer search, which returned 0 results. Afterwards I used cmpwi's to make sure my ASM always writes to the right address, but that didn't work out either, since the instruction at my BP Read still accessed too many addresses (hence the freeze).
I need some help walking the call stack so I can finally create this code, since it seems impossible to use this hook.

Registers (Read)
[spoiler]  CR:42000488  XER:00000000  CTR:8054BA68 DSIS:00400000
DAR:930FE764 SRR0:80682BF0 SRR1:00009032   LR:80682B98
 r0:00000000   r1:900C9BA8   r2:802459C0   r3:93058300
 r4:93058300   r5:00003C00   r6:00002459   r7:0000889B
 r8:9311CCB0   r9:00008765  r10:93094300  r11:930CDF40
r12:930C06D0  r13:80244680  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:00000000
r20:80BD25C0  r21:93130920  r22:808A6F80  r23:80935CB0
r24:00000000  r25:00001463  r26:00007FB5  r27:930B8890
r28:93113E50  r29:00000006  r30:80BC0000  r31:00000000[/spoiler]

Function (Read)
# Function (Read): PowerPC, stopped by the read breakpoint at 80682BF0.
# Conventions visible here: r1 = stack pointer, r3/r4/r5 = incoming args, LR = return address.
# Register roles: r24/r25 keep args r3/r5 across calls; r30 = 0x80BC0000 (base for the
# pointer table at 0x80BC7710); r31 = r3 << 2 (word index into that table).
# Entries reached through the table are addressed with a 16-byte stride (x << 4).
# NOTE(review): in the "Registers (Read)" dump r28 = 93113E50, so 4(r28) is not the DAR
# 930FE764 shown there — that dump may not be from the same stop as this break; confirm.
[spoiler]80682AE4:  9421FFD0   stwu   r1,-48(r1)   # prologue: push a 48-byte frame (old r1 stored at 0(new r1))
80682AE8:  7C0802A6   mflr   r0
80682AEC:  90010034   stw   r0,52(r1)   # save the return address (LR) in the caller's frame
80682AF0:  39610030   addi   r11,r1,48   # r11 = top of this frame
80682AF4:  4B9DB385   bl   0x8005de78   # presumably a callee-saved GPR save helper (paired with 0x8005dec4 in the epilogue) — confirm
80682AF8:  7C781B78   mr   r24,r3   # r24 = arg r3 (survives the calls below)
80682AFC:  7CB92B78   mr   r25,r5   # r25 = arg r5
80682B00:  2C030001   cmpwi   r3,1
80682B04:  2C030001   cmpwi   r3,1   # identical compare repeated; the second one is redundant
80682B08:  4082000C   bne-   0x80682b14
80682B0C:  38000001   li   r0,1
80682B10:  48000008   b   0x80682b18
80682B14:  38000001   li   r0,1   # both arms set r0 = 1, so this branch has no effect
80682B18:  3FC080BC   lis   r30,-32580   # r30 = 0x80BC0000
80682B1C:  80BE7710   lwz   r5,30480(r30)   # r5 = word at 0x80BC7710 (pointer table)
80682B20:  547F103A   rlwinm   r31,r3,2,0,29   # r31 = r3 << 2
80682B24:  7C65F82E   lwzx   r3,r5,r31   # r3 = table[r3]
80682B28:  7C040214   add   r0,r4,r0
80682B2C:  54002036   rlwinm   r0,r0,4,0,27   # r0 = (r4 + 1) << 4  (16-byte entries)
80682B30:  7C630214   add   r3,r3,r0   # r3 = &entry[r4 + 1]
80682B34:  A343000E   lhz   r26,14(r3)   # r26 = u16 at entry+14; used as the index of the next entry in the loop below
80682B38:  2C1A0000   cmpwi   r26,0
80682B3C:  41820238   beq-   0x80682d74   # 0 -> nothing to do, go straight to the epilogue
80682B40:  2C180001   cmpwi   r24,1   # loop head (re-entered from 80682D70)
80682B44:  4082000C   bne-   0x80682b50
80682B48:  38001400   li   r0,5120
80682B4C:  48000008   b   0x80682b54
80682B50:  38003C00   li   r0,15360   # r0 = (r24 == 1) ? 5120 : 15360 (index base; the same select recurs below)
80682B54:  807E7710   lwz   r3,30480(r30)
80682B58:  7C63F82E   lwzx   r3,r3,r31   # r3 = table[r24] again (r31 unchanged)
80682B5C:  7C1A0214   add   r0,r26,r0
80682B60:  54002036   rlwinm   r0,r0,4,0,27
80682B64:  7F830214   add   r28,r3,r0   # r28 = &entry[r26 + base]
80682B68:  801C0008   lwz   r0,8(r28)
80682B6C:  541D06FE   rlwinm   r29,r0,0,27,31   # r29 = low 5 bits of word entry+8 (dispatched on as 1..4 below)
80682B70:  2C180001   cmpwi   r24,1
80682B74:  4082000C   bne-   0x80682b80
80682B78:  3B601400   li   r27,5120
80682B7C:  48000008   b   0x80682b84
80682B80:  3B603C00   li   r27,15360   # r27 = same 5120/15360 selection
80682B84:  7F03C378   mr   r3,r24
80682B88:  7F24CB78   mr   r4,r25
80682B8C:  801C0008   lwz   r0,8(r28)
80682B90:  5405C23E   rlwinm   r5,r0,24,8,31   # r5 = word(entry+8) >> 8
80682B94:  4BFFD379   bl   0x8067ff0c   # helper(r24, r25, r5); result in r3
80682B98:  7C1B1A14   add   r0,r27,r3
80682B9C:  54002036   rlwinm   r0,r0,4,0,27   # r0 = (base + result) << 4
80682BA0:  807E7710   lwz   r3,30480(r30)
80682BA4:  7C83F82E   lwzx   r4,r3,r31   # r4 = table[r24]
80682BA8:  2C180001   cmpwi   r24,1
80682BAC:  4082000C   bne-   0x80682bb8
80682BB0:  38A01400   li   r5,5120
80682BB4:  48000008   b   0x80682bbc
80682BB8:  38A03C00   li   r5,15360
80682BBC:  807E7710   lwz   r3,30480(r30)
80682BC0:  7C63F82E   lwzx   r3,r3,r31
80682BC4:  7C04022E   lhzx   r0,r4,r0   # r0 = u16 at table[r24] + r0
80682BC8:  7C002A14   add   r0,r0,r5
80682BCC:  54002036   rlwinm   r0,r0,4,0,27
80682BD0:  7F630214   add   r27,r3,r0   # r27 = &entry[that u16 + base]
80682BD4:  801B0008   lwz   r0,8(r27)
80682BD8:  7C00EB78   or   r0,r0,r29
80682BDC:  901B0008   stw   r0,8(r27)   # word(entry(r27)+8) |= r29 (read-modify-write)
80682BE0:  2C1D0001   cmpwi   r29,1
80682BE4:  41820090   beq-   0x80682c74   # r29 == 1 is handled at 80682C74
80682BE8:  801C0004   lwz   r0,4(r28)
80682BEC:  901B0004   stw   r0,4(r27)   # copy word +4 from entry(r28) to entry(r27)
80682BF0:  807C0004   lwz   r3,4(r28) # Break: the read breakpoint fires on this load of word r28+4
80682BF4:  381DFFFF   subi   r0,r29,1
80682BF8:  28000004   cmplwi   r0,4
80682BFC:  40800118   bge-   0x80682d14   # unsigned compare: r29 outside 1..4 (including 0) skips the dispatch
80682C00:  2C000000   cmpwi   r0,0
80682C04:  40820040   bne-   0x80682c44
80682C08:  2C180001   cmpwi   r24,1   # --- r29 == 1 ---
80682C0C:  4082000C   bne-   0x80682c18
80682C10:  38A00001   li   r5,1
80682C14:  48000008   b   0x80682c1c
80682C18:  38A00001   li   r5,1   # both arms: r5 = 1
80682C1C:  809E7710   lwz   r4,30480(r30)
80682C20:  5700103A   rlwinm   r0,r24,2,0,29
80682C24:  7C84002E   lwzx   r4,r4,r0   # r4 = table[r24]
80682C28:  7C032A14   add   r0,r3,r5
80682C2C:  54002036   rlwinm   r0,r0,4,0,27
80682C30:  7C840214   add   r4,r4,r0   # r4 = &entry[r3 + 1]
80682C34:  A0640004   lhz   r3,4(r4)
80682C38:  38030001   addi   r0,r3,1
80682C3C:  B0040004   sth   r0,4(r4)   # u16 at entry+4 += 1
80682C40:  480000D4   b   0x80682d14
80682C44:  28000002   cmplwi   r0,2
80682C48:  41810010   bgt-   0x80682c58
80682C4C:  7F04C378   mr   r4,r24   # --- r29 == 2 or 3 ---
80682C50:  4BFFB569   bl   0x8067e1b8   # helper(r3, r24)
80682C54:  480000C0   b   0x80682d14
80682C58:  8803FFFF   lbz   r0,-1(r3)   # --- r29 == 4 ---
80682C5C:  2C000000   cmpwi   r0,0
80682C60:  408200B4   bne-   0x80682d14   # only when the byte at r3-1 is 0:
80682C64:  A083FFFC   lhz   r4,-4(r3)
80682C68:  38040001   addi   r0,r4,1
80682C6C:  B003FFFC   sth   r0,-4(r3)   # u16 at r3-4 += 1
80682C70:  480000A4   b   0x80682d14
80682C74:  2C180001   cmpwi   r24,1   # --- r29 == 1 path taken at 80682BE4 ---
80682C78:  4082000C   bne-   0x80682c84
80682C7C:  38A00001   li   r5,1
80682C80:  48000008   b   0x80682c88
80682C84:  38A00001   li   r5,1   # both arms: r5 = 1
80682C88:  807E7710   lwz   r3,30480(r30)
80682C8C:  5700103A   rlwinm   r0,r24,2,0,29
80682C90:  7C63002E   lwzx   r3,r3,r0   # r3 = table[r24]
80682C94:  809C0004   lwz   r4,4(r28)
80682C98:  7C042A14   add   r0,r4,r5
80682C9C:  54002036   rlwinm   r0,r0,4,0,27
80682CA0:  7C630214   add   r3,r3,r0   # r3 = &entry[word(r28+4) + 1]
80682CA4:  80030008   lwz   r0,8(r3)
80682CA8:  540006FE   rlwinm   r0,r0,0,27,31   # low 5 bits of that entry's +8 word
80682CAC:  28000014   cmplwi   r0,20
80682CB0:  40820024   bne-   0x80682cd4
80682CB4:  7F03C378   mr   r3,r24   # value 20:
80682CB8:  4BFFE79D   bl   0x80681454   # r3 = helper(r24)
80682CBC:  7C651B78   mr   r5,r3
80682CC0:  907B0004   stw   r3,4(r27)   # word(entry(r27)+4) = result
80682CC4:  7F03C378   mr   r3,r24
80682CC8:  809C0004   lwz   r4,4(r28)
80682CCC:  4BFFFE19   bl   0x80682ae4   # recursive call of this very function: (r24, word(r28+4), result)
80682CD0:  48000044   b   0x80682d14
80682CD4:  909B0004   stw   r4,4(r27)   # otherwise: word(entry(r27)+4) = r4 (still word(r28+4))
80682CD8:  809C0004   lwz   r4,4(r28)
80682CDC:  2C180001   cmpwi   r24,1
80682CE0:  4082000C   bne-   0x80682cec
80682CE4:  38A00001   li   r5,1
80682CE8:  48000008   b   0x80682cf0
80682CEC:  38A00001   li   r5,1   # both arms: r5 = 1
80682CF0:  807E7710   lwz   r3,30480(r30)
80682CF4:  5700103A   rlwinm   r0,r24,2,0,29
80682CF8:  7C63002E   lwzx   r3,r3,r0
80682CFC:  7C042A14   add   r0,r4,r5
80682D00:  54002036   rlwinm   r0,r0,4,0,27
80682D04:  7C830214   add   r4,r3,r0   # r4 = &entry[word(r28+4) + 1]
80682D08:  A0640004   lhz   r3,4(r4)
80682D0C:  38030001   addi   r0,r3,1
80682D10:  B0040004   sth   r0,4(r4)   # u16 at entry+4 += 1
80682D14:  2C180001   cmpwi   r24,1   # --- loop tail: advance to the next entry ---
80682D18:  4082000C   bne-   0x80682d24
80682D1C:  38001400   li   r0,5120
80682D20:  48000008   b   0x80682d28
80682D24:  38003C00   li   r0,15360
80682D28:  807E7710   lwz   r3,30480(r30)
80682D2C:  7C63F82E   lwzx   r3,r3,r31
80682D30:  7C1A0214   add   r0,r26,r0
80682D34:  54002036   rlwinm   r0,r0,4,0,27
80682D38:  7C630214   add   r3,r3,r0   # r3 = &entry[r26 + base] (same address r28 holds)
80682D3C:  A083000E   lhz   r4,14(r3)
80682D40:  2C040000   cmpwi   r4,0
80682D44:  41820030   beq-   0x80682d74   # u16 at +14 == 0 ends the loop
80682D48:  2C180001   cmpwi   r24,1
80682D4C:  4082000C   bne-   0x80682d58
80682D50:  38001400   li   r0,5120
80682D54:  48000008   b   0x80682d5c
80682D58:  38003C00   li   r0,15360
80682D5C:  807E7710   lwz   r3,30480(r30)
80682D60:  7C63F82E   lwzx   r3,r3,r31
80682D64:  7C040214   add   r0,r4,r0
80682D68:  54002036   rlwinm   r0,r0,4,0,27
80682D6C:  7F43022E   lhzx   r26,r3,r0   # r26 = u16 at table[r24] + ((r4 + base) << 4)
80682D70:  4BFFFDD0   b   0x80682b40   # back to the loop head
80682D74:  39610030   addi   r11,r1,48   # epilogue
80682D78:  4B9DB14D   bl   0x8005dec4   # presumably restores the GPRs saved by the 0x8005de78 call at entry — confirm
80682D7C:  80010034   lwz   r0,52(r1)
80682D80:  7C0803A6   mtlr   r0   # restore the return address
80682D84:  38210030   addi   r1,r1,48   # pop the frame
80682D88:  4E800020   blr   [/spoiler]

Call Stack (Read)
[spoiler]80682BF0
8068344C
80682080
806896E0
8068F7EC
80690160
80692108
805066F0
80597070
80597368
8058841C
800B535C[/spoiler]

Registers (Write)
[spoiler]  CR:48000888  XER:00000000  CTR:8068B89C DSIS:02400000
DAR:930FE764 SRR0:806831C4 SRR1:0000B032   LR:8068B900
  r0:00000001   r1:900C8A98   r2:802459C0   r3:00683040
  r4:00000000   r5:93058300   r6:00000000   r7:00000000
  r8:930FE760   r9:00006C1C  r10:931004C0  r11:900C8AA8
r12:00000000  r13:80244680  r14:00000000  r15:00000000
r16:9346B920  r17:00000000  r18:00001CAE  r19:00000000
r20:00000D35  r21:80BD25D8  r22:808A6F80  r23:80935CB0
r24:80BC7728  r25:80BD7728  r26:00000000  r27:000047A6
r28:00001F62  r29:000003EB  r30:930FE760  r31:80BD25D0
[/spoiler]
function (write)
# function (write): PowerPC, stopped by the write breakpoint at 806831C4.
# Args as used here: r3 = index into the pointer table at 0x80BC7710 (kept in r6),
# r4 = entry index (0 selects the alternate path at 806831CC), r5 = pointer to two
# words that are copied into the entry (kept in r31). r30 = address of the selected
# 16-byte entry. In the "Registers (Write)" dump r30 = 930FE760 and DAR = 930FE764,
# which matches the breakpointed store to 4(r30).
[spoiler]806830E4:  9421FFF0   stwu   r1,-16(r1)   # prologue: push a 16-byte frame
806830E8:  7C0802A6   mflr   r0
806830EC:  90010014   stw   r0,20(r1)   # save the return address (LR) in the caller's frame
806830F0:  93E1000C   stw   r31,12(r1)   # save callee-saved r31
806830F4:  93C10008   stw   r30,8(r1)   # save callee-saved r30
806830F8:  7C661B78   mr   r6,r3   # r6 = arg r3
806830FC:  7CBF2B78   mr   r31,r5   # r31 = arg r5 (source pointer, survives the calls below)
80683100:  2C040000   cmpwi   r4,0
80683104:  418200C8   beq-   0x806831cc   # r4 == 0 -> alternate path
80683108:  3CA080BC   lis   r5,-32580   # r5 = 0x80BC0000
8068310C:  80A57710   lwz   r5,30480(r5)   # r5 = word at 0x80BC7710 (same pointer table the read function uses)
80683110:  5460103A   rlwinm   r0,r3,2,0,29   # r0 = r3 << 2
80683114:  7CA5002E   lwzx   r5,r5,r0   # r5 = table[r3]
80683118:  2C030001   cmpwi   r3,1
8068311C:  38003C00   li   r0,15360
80683120:  40820008   bne-   0x80683128
80683124:  38001400   li   r0,5120   # r0 = (r3 == 1) ? 5120 : 15360
80683128:  7C040214   add   r0,r4,r0
8068312C:  54002036   rlwinm   r0,r0,4,0,27
80683130:  7FC50214   add   r30,r5,r0   # r30 = &entry[r4 + base]  (16-byte entries)
80683134:  809E0004   lwz   r4,4(r30)   # r4 = old word at entry+4
80683138:  801E0008   lwz   r0,8(r30)
8068313C:  540306FE   rlwinm   r3,r0,0,27,31   # r3 = low 5 bits of word entry+8
80683140:  3803FFFF   subi   r0,r3,1
80683144:  28000004   cmplwi   r0,4
80683148:  40800060   bge-   0x806831a8   # unsigned compare: values outside 1..4 (including 0) skip the dispatch
8068314C:  2C000000   cmpwi   r0,0
80683150:  40820010   bne-   0x80683160
80683154:  7CC33378   mr   r3,r6   # --- value 1 ---
80683158:  4BFFE671   bl   0x806817c8   # helper(r6)
8068315C:  4800004C   b   0x806831a8
80683160:  28000002   cmplwi   r0,2
80683164:  41810010   bgt-   0x80683174
80683168:  7CC33378   mr   r3,r6   # --- value 2 or 3 ---
8068316C:  4BFFB219   bl   0x8067e384   # helper(r6)
80683170:  48000038   b   0x806831a8
80683174:  8804FFFF   lbz   r0,-1(r4)   # --- value 4 --- (r4 = old word at entry+4)
80683178:  2C000000   cmpwi   r0,0
8068317C:  4082002C   bne-   0x806831a8   # only when the byte at r4-1 is 0:
80683180:  3864FFFC   subi   r3,r4,4   # r3 = r4 - 4
80683184:  A084FFFC   lhz   r4,-4(r4)   # r4 = u16 at that address
80683188:  2C040000   cmpwi   r4,0
8068318C:  41820010   beq-   0x8068319c
80683190:  3804FFFF   subi   r0,r4,1
80683194:  B0030000   sth   r0,0(r3)   # non-zero: u16 -= 1 (the read function's value-4 case increments the same field)
80683198:  48000010   b   0x806831a8
8068319C:  38800010   li   r4,16
806831A0:  7CC53378   mr   r5,r6
806831A4:  4BFF916D   bl   0x8067c310   # zero: helper(r3, 16, r6)
806831A8:  801E0008   lwz   r0,8(r30)   # common tail: word(entry+8) = (word(entry+8) & ~0x1F) | word(r31+4)
806831AC:  54030034   rlwinm   r3,r0,0,0,26   # clear the low 5 bits
806831B0:  907E0008   stw   r3,8(r30)
806831B4:  801F0004   lwz   r0,4(r31)
806831B8:  7C600378   or   r0,r3,r0
806831BC:  901E0008   stw   r0,8(r30)
806831C0:  801F0000   lwz   r0,0(r31)
806831C4:  901E0004   stw   r0,4(r30) # Break: the write breakpoint fires here; the stored value is word(r31+0)
806831C8:  48000024   b   0x806831ec
806831CC:  1C030058   mulli   r0,r3,88   # --- r4 == 0 path: 88-byte records at word(0x80BC7718) ---
806831D0:  3C8080BC   lis   r4,-32580
806831D4:  80847718   lwz   r4,30488(r4)   # r4 = word at 0x80BC7718
806831D8:  7CA40214   add   r5,r4,r0   # r5 = &record[r3]
806831DC:  8085003C   lwz   r4,60(r5)
806831E0:  80A50040   lwz   r5,64(r5)
806831E4:  7FE6FB78   mr   r6,r31
806831E8:  4BFFFCD9   bl   0x80682ec0   # helper(r3, word(record+60), word(record+64), r31)
806831EC:  83E1000C   lwz   r31,12(r1)   # epilogue: restore r31, r30 and LR
806831F0:  83C10008   lwz   r30,8(r1)
806831F4:  80010014   lwz   r0,20(r1)
806831F8:  7C0803A6   mtlr   r0
806831FC:  38210010   addi   r1,r1,16   # pop the frame
80683200:  4E800020   blr   [/spoiler]

Call Stack (Write)
[spoiler]806831C4
8068B8FC
8068B8FC
8068FAB0
8068FEE8
805337F0
804F5E18
804EE840
8068A2C4
8068FAB0
8068FEE8
805336E4
804F6108
804F65A4
804DF780
804DFA04
804E022C
80559F38
804E22F8
804E28C4
804E419C
804E4380
80591D88
80592134
80592218
80596994
805774CC
805971DC
8059739C
8058841C
800B535C[/spoiler]

The good thing is that the assembly above does not move, and the call stack never changes either.
I read dcx2's tutorial, but I'm still a bit lost, since I want to use BP Read this time.
I should try BP Write instead (but execute breakpoints use multiple addresses!)

dcx2

If you want my help, you'll need to tell me what game this is, and what it is that you're trying to do.  Without knowing this function's purpose it will be difficult to understand what to do.

Bully@Wiiplaza

#2
Quote from: dcx2 on June 25, 2011, 02:21:41 PM
If you want my help, you'll need to tell me what game this is, and what it is that you're trying to do.  Without knowing this function's purpose it will be difficult to understand what to do.
This function counts your kills in a row (1 kill = 00000001, 2 kills = 00000002).
If you get killed, it's reset to 0 since the streak has ended.
Total kills are in mem80 and don't move at all, but this kill streak is in mem90 and moves...

I'm wondering why it's so hard to code.

Same issues appear to happen with experience and rounds played.
Example:

# Leaf function, no stack frame: copies one 32-bit word, *r3 = *r4.
8068D340:  80040000   lwz   r0,0(r4)   # r0 = word at r4
8068D344:  90030000   stw   r0,0(r3) # Break: the watched write lands at the address held in r3
8068D348:  4E800020   blr   # return to LR
r0 comes from r4.

Let's walk the stack.

...
80689D5C:  7E84A378   mr   r4,r20 # r4 = r20 (source pointer for the call below); where does r20 come from?
80689D60:  480035E1   bl   0x8068d340 # caller: the copy function above runs with r4 = r20 as its source
...

80689CE8:  2C000000   cmpwi   r0,0
80689CEC:  41820084   beq-   0x80689d70 # r0 == 0 skips the load below
80689CF0:  82810244   lwz   r20,580(r1) # r20 comes from r1 + 580 (let's execute this BP) — r1 is the stack pointer, so this is a stack slot

[spoiler]  CR:42000488  XER:00000000  CTR:80689C68 DSIS:02400000
DAR:930A8944 SRR0:80689CF0 SRR1:0000B032   LR:80689CA4
  r0:00000006   r1:900C9C28   r2:802459C0   r3:80BD25B8
  r4:00003C00   r5:00000FA9   r6:93094300   r7:93130C50
  r8:00009C95   r9:930C0A50  r10:0025FE46  r11:900C9EC8
r12:80517310  r13:80244680  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:00000000
r20:00000FA9  r21:930AF6C0  r22:808A6F80  r23:80935CB0
r24:80BC7728  r25:80BD7728  r26:00000000  r27:00000000
r28:00002006  r29:00001CCB  r30:00009C95  r31:00009C95[/spoiler]
r1 is unchanged. 580 + r1 = 900C9E6C

Let's check in memory....
Oh, it's an address that changes all the time! That doesn't help.

dcx2

r1 is the stack pointer. Anything that lives on the stack dies when the function returns; usually some other function is called next and reuses that stack space for something completely different, which is why you see it constantly changing.

At your breakpoint, go to the Disassembler and hit Copy All Frames. You probably won't be able to paste it into the forum because it is too large, so attach it as a text file.

---

You also said you tried a code before.  What did you try?

---

My guess is this is the Conduit (2) or GoldenEye.

Bully@Wiiplaza

#4
Copy All Frames while in a breakpoint?
Btw. it's not Conduit 2 or GoldenEye.
I tried to use cmpwi's on that hook, but it wasn't possible with those registers (I couldn't make it write only to the right address...)

I pressed copy all frames while in a BP Write of it. It dumped lots of stuff and asked me "Could not find, continue?" I pressed yes and then geckodotnet froze up.

EDIT:
Happened again. Is there a way to approach creating the code without using Copy All Frames?

EDIT 2:
Added write function, call stack and registers.

Can you please guide me somehow?

dcx2

Copy All Frames would show you the whole call stack and the current breakpoint registers.  As it stands now, I'd have to ask you over and over for all kinds of bits and pieces.  It puts a complete picture into the clipboard.  You could try pressing no.

EDIT: Black Ops?  There's gotta be some reason you're not saying the game name.

Bully@Wiiplaza

#6
Would read or write be better?
Btw. yes, it's Black Ops, but it's just a host-only match score modifier.

dcx2

...I suppose this doesn't really give you an advantage over other people, like increasing your chance at winning.

Build up some kills, then set a write breakpoint and die.

Bully@Wiiplaza

#8
Quote from: dcx2 on June 25, 2011, 04:49:40 PM
Build up some kills, then set a write breakpoint and die.
There it is. ;D
The stw writes the value 00000000 because I got killed and the kills-in-a-row counter gets reset.
Are you sure that this will allow us to write any value to it?

Registers
[spoiler]  CR:48000488  XER:00000000  CTR:80689CD8 DSIS:02400000
DAR:930E04E4 SRR0:8068D344 SRR1:0000B032   LR:80689D64
 r0:00000000   r1:900C82B8   r2:802459C0   r3:930E04E4
 r4:80BD25D0   r5:900C8330   r6:00000000   r7:93094300
 r8:930E04E0   r9:000054C7  r10:930C09E0  r11:900C82B8
r12:00000000  r13:80244680  r14:00000000  r15:00000000
r16:9346B620  r17:00000000  r18:00001D6B  r19:00000000
r20:80BD25D0  r21:930E04E0  r22:808A6F80  r23:80935CB0
r24:80BC7728  r25:80BD7728  r26:00000000  r27:00005F52
r28:0000166E  r29:00000349  r30:00004C1E  r31:000054C7

 f0:FFC00000   f1:44908800   f2:59800004   f3:00000000
 f4:3F800000   f5:3F000000   f6:BF800000   f7:3F800000
 f8:BF800000   f9:3F800000  f10:BF800000  f11:3F800000
f12:41BC0000  f13:411B3B00  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:41C00000  f23:43480000
f24:425C0000  f25:43800000  f26:BF800000  f27:47800000
f28:431F41D8  f29:3F800000  f30:3F800000  f31:443B8000[/spoiler]

Function
# Leaf function, no stack frame: copies one 32-bit word, *r3 = *r4.
# In the register dump above r3 = 930E04E4 (= DAR) and r4 = 80BD25D0, so the stored value is the word at 80BD25D0.
[spoiler]8068D340:  80040000   lwz   r0,0(r4)   # r0 = word at r4
8068D344:  90030000   stw   r0,0(r3) #Break: the watched write lands at the address held in r3
8068D348:  4E800020   blr   [/spoiler]

And Call Stack (if needed)
[spoiler]8068D344
80689D60 #whole function: http://www.mediafire.com/?fgcnhu3f0r0lbvm
8068FAB0
8068FEE8
805337F0
804F5E18
804EE840
8068A2C4
8068FAB0
8068FEE8
805336E4
804F6108
804F65A4
804F7F00
8050B6A8
805057A4
8050EC68
8050F6EC
80505E48
805067B0
80597070
80597368
8058841C
800B535C[/spoiler]


Patedj

* The "could not find" message happens when the function is larger than .net is used to. It's not frozen; it can take up to 5 minutes, 10 on my retro ex-gov. laptop.
You can pm me, I've got time for your troubles.