Memory protection?

Started by Mathew_Wi, June 29, 2010, 04:30:46 AM


dcx2

...

Some parts of memory still dump.  Others don't.  Thomas got all of memory to dump by pausing on start, so you could browse disassembly.  I wouldn't call this unhackable until brkirch throws in the towel.

Bully@Wiiplaza

Search and Memory Viewer are dump functions and they freeze in a specific range in mem80.
Then the disassembler should do as well, I guess...
However, I am interested in hacking this game, just wondering...
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

dcx2

Have you tried just not searching the areas that freeze?  Maybe the game doesn't even use those regions.

brkirch

Quote from: dcx2 on July 21, 2010, 05:08:11 PM
A page table?  Wouldn't that require some kind of backing store to page out to, like a hard drive?
Not necessarily.  If the purpose is memory protection then there is no need to be able to page out.

Quote from: dcx2 on July 21, 2010, 05:08:11 PM
Quote: so I would guess some of the PTEs may have their page protection bits set to 0.
If that were the case, wouldn't that stop the game from reading those pages, too?
I was probably wrong with that theory anyway (it doesn't seem that changing the protection bits can block read access).  What is more likely is that some PTEs are being deleted/invalidated so that there is no memory mapped to a certain memory address range.  Also the game probably has no access to whatever memory is being blocked and is marking the memory as reserved so that it isn't accessed.  I have had some success in preventing changes to what memory range(s) are protected by disabling certain functions that appear to be changing the page table, but so far I have not been able to disable the memory protection altogether.

dcx2

Quote from: brkirch on August 24, 2010, 11:12:07 PM
Also the game probably has no access to whatever memory is being blocked and is marking the memory as reserved so that it isn't accessed.

If this is the case, then there's nothing important in those portions of memory anyway, so there's no real reason to search them, right?

I could easily extend Gecko.NET to support "memory holes", where it specifically avoids dumping certain regions in order to avoid triggering this memory protection.

kenobi

Seems like TS3 uses virtual memory (BAT), and protects the memory region (so the game hangs when dumping the RAM)... Means not much "easy" codes/hacking for this game for now (unless the code search tools are updated).

Only some kind of asm hacking can be done, for example on a memory RAM dump taken before the game starts (i.e. do a pause start), and even with that results are not guaranteed.

Proof that the game uses virtual memory (for the EU version, but it might also work on US):
I made a full RAM dump, and after a few searches found the starting life value of the first level: 8077EA00 42C80000. Then I put a bpr on it, and found the instruction at 0x80395334 where the value was read, then copied to another place.

So, start the game, put a bpr on 8077EA00 until it breaks on 0x80395334. See that instruction at 0x8039535C, "stfs f1,20(r31)"? Now look at r31's value... 0xB40D6720? 0xA11D0B70?... (changes each time you start the level). Not a "normal" address. And no crash when the instruction is executed, so the address is valid. So these 0xA/0xB addresses are in virtual memory (the "real" place of the life value is in the 0x926... area, which isn't accessible as the memory is protected).

Also still as a proof of concept, here is a kinda useless code that gives you 1000000 life point instead of 100 when you start a level :
0477EA00 49742400

And here is a patch, that you'll have to apply manually  (means do a poke) before starting the game (when you do a paused start) :
801FA2E4 48000180

This allows you to dump all the MEM1/MEM2 (can be useful to find some values, but the game still uses virtual memory, meaning for example no breakpoints).

wiiztec

Quote from: dcx2 on July 17, 2010, 06:51:55 AM
DEADBABE is the kind of thing I usually see when there is stack or heap protection.  What you do is fill a bunch of memory with a particular value, like DEADBABE, and then later you can go look over the memory and if anything isn't DEADBABE then you know someone wrote something that they shouldn't have.

This is interesting.  There's not much that should cause a trap on a read...

Can you read the end of memory?  That is, is it a "protected hole"?  Or is everything after 809A9000 off limits?

Can you poke 809A9000 to 0?  If the poke is successful, does it still freeze back in the disassembler?

I found a DEADBABE in Brawl a long time ago
If there's any code at all that you want to be button activated, or even able to toggle on & off, and I have the game, just PM me and I'll make it happen
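The guard-fill check dcx2 describes above (fill a region with a marker such as DEADBABE, later verify nothing else landed in it) is easiest to verify from a RAM dump. The following is an added example, not code from the thread or from any game: it scans a big-endian dump for aligned runs of the marker and reports the first word inside a run that was overwritten. The dump contents and offsets are constructed for the example and mean nothing for any real title.

```c
/* Added example (not from the thread): locate guard-fill runs in a RAM dump and
 * find the first "hole" inside a region that should be all DEADBABE. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { size_t start, words; } run_t;

static uint32_t be32(const uint8_t *p) {      /* Wii dumps are big-endian */
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Find 4-byte-aligned runs of `pattern` at least `min_words` long. Returns the count. */
int find_runs(const uint8_t *dump, size_t len, uint32_t pattern, size_t min_words,
              run_t *out, int max_out) {
    int n = 0;
    size_t i = 0;
    while (i + 4 <= len) {
        if (be32(dump + i) != pattern) { i += 4; continue; }
        size_t start = i;
        while (i + 4 <= len && be32(dump + i) == pattern) i += 4;
        size_t words = (i - start) / 4;
        if (words >= min_words && n < max_out) { out[n].start = start; out[n].words = words; n++; }
    }
    return n;
}

/* In [lo, hi), which is expected to be all `pattern`, return the offset of the first
 * word that is not, or (size_t)-1 if the guard region is intact. */
size_t first_hole(const uint8_t *dump, size_t lo, size_t hi, uint32_t pattern) {
    for (size_t i = lo; i + 4 <= hi; i += 4)
        if (be32(dump + i) != pattern) return i;
    return (size_t)-1;
}

/* Constructed dump: a guard fill at 0x100..0x200 with a stray float written into it at
 * 0x180, and a second, intact guard at 0x300..0x340. */
#define DUMP_LEN 0x400
uint8_t *example_dump(void) {
    static uint8_t d[DUMP_LEN];
    for (size_t i = 0; i < DUMP_LEN; i++) d[i] = 0;
    for (size_t i = 0x100; i < 0x200; i += 4) { d[i] = 0xDE; d[i+1] = 0xAD; d[i+2] = 0xBA; d[i+3] = 0xBE; }
    for (size_t i = 0x300; i < 0x340; i += 4) { d[i] = 0xDE; d[i+1] = 0xAD; d[i+2] = 0xBA; d[i+3] = 0xBE; }
    d[0x180] = 0x42; d[0x181] = 0xC8; d[0x182] = 0x00; d[0x183] = 0x00;   /* 100.0f (42C80000) */
    return d;
}

int main(void) {
    uint8_t *d = example_dump();
    run_t runs[8];
    int n = find_runs(d, DUMP_LEN, 0xDEADBABEu, 8, runs, 8);
    for (int i = 0; i < n; i++)
        printf("run at 0x%zx, %zu words\n", runs[i].start, runs[i].words);
    size_t hole = first_hole(d, 0x100, 0x200, 0xDEADBABEu);
    if (hole != (size_t)-1) printf("guard 0x100..0x200 broken at 0x%zx\n", hole);
    return 0;
}
```

A run that is split in two (here 0x100..0x180 and 0x184..0x200) is the signature of a single out-of-bounds write; `first_hole` then gives the exact offset to set a write breakpoint on.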

dcx2

I think kenobi is now my second favorite hacker, next to brkirch.

Quote from: kenobi on September 11, 2010, 04:44:26 AM
So, start the game, put a bpr on 8077EA00 until it breaks on 0x80395334. See that instruction at 0x8039535C, "stfs f1,20(r31)"? Now look at r31's value... 0xB40D6720? 0xA11D0B70?... (changes each time you start the level). Not a "normal" address. And no crash when the instruction is executed, so the address is valid. So these 0xA/0xB addresses are in virtual memory (the "real" place of the life value is in the 0x926... area, which isn't accessible as the memory is protected).
Is it possible to locate the table that does the virtual -> physical memory location translation?  If so, I could possibly integrate a feature into Gecko.NET that will help with this.  Although it would be a massive pain in the ass.

If I remember correctly (it's been a few years since my comp. arch. classes)...only the first few bits are used to look up the appropriate entry in the table, and the remainder are an offset from that value.  Which is why the last 3/4 of the two virtual addresses are pretty close (D6720 and D0B70).

Quote from: kenobi
And here is a patch, that you'll have to apply manually (means do a poke) before starting the game (when you do a paused start):
801FA2E4 48000180
Are you just branching over the code that sets the protection bits?!  Niiice.  I wonder if there's a similar trick for the new Metroid?

kenobi

Yes, it is possible to translate, but you would need to get a dump of the registers used for VM (in GeckoOS that would add 64+ opcodes just to dump the needed registers (about 33 registers) into RAM).

But once the registers are dumped, I have all the address translation implemented in Delphi in the gcnrdgui source code, thanks to Parasyte back then (once you analyze the register dump you then dump the table, and you can translate the address properly). So the code could be ported to wiirdgui, wiird, gecko.net kinda easily.


About the "patch" I made. I'm honestly not 100% sure of what happens. I mean at first I didn't think the game was actually using VM, and all I did was pause-start the game, then follow the asm until memory area 81000000 would stop being accessible. Then I found out which instructions were causing the trouble, and I skipped them. After further analysis, it seems skipping these instructions actually disables the memory protection set by the virtual memory (when you set it, you can choose to protect or not the memory region), and it looks like the game is actually using VM. But it's been a very long time since I hacked virtual memory games, so I'm not 100% sure of what's going on.

And it has nothing to do with Metroid. Metroid uses 2 protections: timer based protection, and "data integrity" protection. But nothing close to virtual memory.
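dcx2's description of the lookup (the top bits pick a table entry, the rest is an offset) and kenobi's point that a register dump plus the table is enough to translate can be made concrete. The following is an added example, not code from the thread, gcnrdgui or any game: a software model of the PowerPC 32-bit data-side lookup (BAT match first, then the hashed page table) run against a constructed register set and page table. The two DBAT values are the mappings commonly assumed for Wii MEM1/MEM2, the VSIDs and the physical pages behind 0xB40D6720 and 0xA11D0B70 are invented for the example, and none of it was dumped from Toy Story 3.

```c
/* Added example, not code from the thread: PowerPC 32-bit MMU lookup (BATs, then the
 * hashed page table) against a constructed register dump and page table. Every register
 * value, VSID and physical address here is an assumption for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define DUMP_SIZE 0x20000u             /* physical 0..128 KiB, holds a 64 KiB HTAB at 0x10000 */
static uint8_t dump[DUMP_SIZE];        /* stands in for the RAM dump */

typedef struct {
    uint32_t sr[16];                   /* segment registers: T | Ks | Kp | N | VSID */
    uint32_t dbatu[8], dbatl[8];       /* DBAT0-3 plus the Gekko/Broadway DBAT4-7 */
    uint32_t sdr1;                     /* HTABORG | HTABMASK */
} mmu_t;

static uint32_t rd32(uint32_t pa) {    /* big-endian read from the dump */
    if (pa + 4 > DUMP_SIZE) return 0;
    return (uint32_t)dump[pa] << 24 | (uint32_t)dump[pa+1] << 16 | (uint32_t)dump[pa+2] << 8 | dump[pa+3];
}
static void wr32(uint32_t pa, uint32_t v) {
    if (pa + 4 > DUMP_SIZE) return;
    dump[pa] = v >> 24; dump[pa+1] = v >> 16; dump[pa+2] = v >> 8; dump[pa+3] = v;
}

/* Block address translation. BATU = BEPI[0:14] | BL[19:28] | Vs | Vp, BATL = BRPN[0:14] | WIMG | PP.
 * BL masks the low 11 bits of the 15-bit block index, so bits inside the block pass through. */
static bool bat_translate(const mmu_t *m, uint32_t ea, uint32_t *pa) {
    for (int i = 0; i < 8; i++) {
        uint32_t bu = m->dbatu[i], mask = (bu >> 2) & 0x7FF, idx = ea >> 17;
        if (!(bu & 3)) continue;                                  /* neither Vs nor Vp set */
        if ((idx & ~mask) != ((bu >> 17) & ~mask)) continue;
        uint32_t brpn = m->dbatl[i] >> 17;
        *pa = (((brpn & ~mask) | (idx & mask)) << 17) | (ea & 0x1FFFF);
        return true;
    }
    return false;
}

/* PTEG address = HTABORG[0:6] | (HTABORG[7:15] OR (hash[0:8] AND HTABMASK)) | hash[9:18] | 000000 */
static uint32_t pteg_addr(uint32_t sdr1, uint32_t hash) {
    uint32_t mid = ((sdr1 >> 16) & 0x1FF) | ((hash >> 10) & (sdr1 & 0x1FF));
    return (sdr1 & 0xFE000000u) | (mid << 16) | ((hash & 0x3FF) << 6);
}

/* Hashed page table lookup. Only the top 20 bits of the EA select the PTE; the low 12 bits
 * are the offset into the 4 KiB page, which is why 0x..D6720 and 0x..D0B70 keep their tails.
 * Returns false when no valid PTE maps the page (brkirch's "nothing mapped there" case). */
static bool page_translate(const mmu_t *m, uint32_t ea, uint32_t *pa, uint32_t *pp) {
    uint32_t sr = m->sr[ea >> 28];
    if (sr & 0x80000000u) return false;                           /* T=1: not a paged segment */
    uint32_t vsid = sr & 0x00FFFFFF, pidx = (ea >> 12) & 0xFFFF, api = (ea >> 22) & 0x3F;
    uint32_t hash = (vsid & 0x7FFFF) ^ pidx;
    for (uint32_t h = 0; h < 2; h++) {                            /* primary, then secondary hash */
        uint32_t g = pteg_addr(m->sdr1, h ? (~hash & 0x7FFFF) : hash);
        for (uint32_t e = 0; e < 8; e++) {
            uint32_t hi = rd32(g + e * 8), lo = rd32(g + e * 8 + 4);
            if (!(hi & 0x80000000u) || ((hi >> 7) & 0xFFFFFF) != vsid) continue;   /* V, VSID */
            if (((hi >> 6) & 1) != h || (hi & 0x3F) != api) continue;              /* H, API */
            *pa = (lo & 0xFFFFF000u) | (ea & 0xFFF);
            *pp = lo & 3;
            return true;
        }
    }
    return false;
}

/* Write a PTE into the first free slot of the primary PTEG. Used only to build the
 * constructed table; a game does the equivalent in its own MMU setup code. */
static bool pte_install(const mmu_t *m, uint32_t ea, uint32_t phys, uint32_t pp) {
    uint32_t vsid = m->sr[ea >> 28] & 0x00FFFFFF, api = (ea >> 22) & 0x3F;
    uint32_t g = pteg_addr(m->sdr1, (vsid & 0x7FFFF) ^ ((ea >> 12) & 0xFFFF));
    for (uint32_t e = 0; e < 8; e++) {
        if (rd32(g + e * 8) & 0x80000000u) continue;
        wr32(g + e * 8, 0x80000000u | (vsid << 7) | api);
        wr32(g + e * 8 + 4, (phys & 0xFFFFF000u) | pp);
        return true;
    }
    return false;
}

/* Data-side translation as the CPU does it: a BAT hit wins, otherwise the page table. */
bool translate(const mmu_t *m, uint32_t ea, uint32_t *pa) {
    uint32_t pp;
    return bat_translate(m, ea, pa) || page_translate(m, ea, pa, &pp);
}

/* PP bits with key=0 (supervisor access, Ks=0): 00/01/10 read-write, 11 read-only. No PP
 * value refuses a read, matching brkirch's observation; only key=1 with PP=00 means no access. */
bool read_allowed(uint32_t pp, int key) { return key == 0 || pp != 0; }

/* Constructed scenario: the two usual Wii DBATs plus a 64 KiB HTAB with two pages mapped. */
mmu_t *example_mmu(void) {
    static mmu_t m;
    memset(&m, 0, sizeof m); memset(dump, 0, sizeof dump);
    m.dbatu[0] = 0x80001FFF; m.dbatl[0] = 0x00000002;   /* 0x80000000 -> phys 0 (MEM1), 256 MiB */
    m.dbatu[4] = 0x90001FFF; m.dbatl[4] = 0x10000002;   /* 0x90000000 -> phys 0x10000000 (MEM2) */
    m.sdr1 = 0x00010000;                                /* HTAB at phys 0x10000, HTABMASK 0 */
    for (uint32_t s = 0; s < 16; s++) m.sr[s] = 0x100 + s;   /* arbitrary VSIDs, T=0 */
    pte_install(&m, 0xB40D6000, 0x126D6000, 2);         /* kenobi's r31 page, assumed backing */
    pte_install(&m, 0xA11D0000, 0x126D7000, 2);
    return &m;
}
```

With this table `translate` sends 0xB40D6720 through the page table and 0x926D6720 through DBAT4, and both land on physical 0x126D6720; that is the relationship kenobi infers between the 0xB... register values and the "real" 0x926... location, reproduced here with assumed numbers. An address with no valid PTE, such as 0xB5000000 in this table, comes back as "no mapping": on the real CPU that is a DSI exception, and a dumper that reads blindly through such a hole is what hangs.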

Thomas83Lin

Found another Game using Virtual Memory Cars 2 USA

Cars 2 [SCYE4Q]

Enable Code Search (function ported from Kenobi) [Thomas83Lin]
0419CB1C 48000180
*Must be enabled as a Sd-Cheat or poked in on a Pause Start*

Quote from: kenobi
This allows you to dump all the MEM1/MEM2 (can be useful to find some values, but the game still uses virtual memory, meaning for example no breakpoints).

I think it's pretty cool that I found a similar function in this game as in T3, but I was expecting to, since it's made by the same people.


edit: Toy Story 3's function for future reference

801FA070:  9421FFE0   stwu   r1,-32(r1)
801FA074:  7C0802A6   mflr   r0
801FA078:  90010024   stw   r0,36(r1)
801FA07C:  BFA10014   stmw   r29,20(r1)
801FA080:  7C7E1B78   mr   r30,r3
801FA084:  7C9F2378   mr   r31,r4
801FA088:  389E0020   addi   r4,r30,32
801FA08C:  8003000C   lwz   r0,12(r3)
801FA090:  540000BE   rlwinm   r0,r0,0,2,31
801FA094:  9003000C   stw   r0,12(r3)
801FA098:  38632620   addi   r3,r3,9760
801FA09C:  4BFFFF49   bl   0x801f9fe4
801FA0A0:  387E2628   addi   r3,r30,9768
801FA0A4:  389E0320   addi   r4,r30,800
801FA0A8:  4BFFFF3D   bl   0x801f9fe4
801FA0AC:  387E2630   addi   r3,r30,9776
801FA0B0:  389E0620   addi   r4,r30,1568
801FA0B4:  4BFFFF31   bl   0x801f9fe4
801FA0B8:  387E2638   addi   r3,r30,9784
801FA0BC:  389E1620   addi   r4,r30,5664
801FA0C0:  4BFFFF25   bl   0x801f9fe4
801FA0C4:  387E2620   addi   r3,r30,9760
801FA0C8:  389F0020   addi   r4,r31,32
801FA0CC:  4BFFFF51   bl   0x801fa01c
801FA0D0:  387E2620   addi   r3,r30,9760
801FA0D4:  389F0050   addi   r4,r31,80
801FA0D8:  4BFFFF45   bl   0x801fa01c
801FA0DC:  387E2620   addi   r3,r30,9760
801FA0E0:  389F0060   addi   r4,r31,96
801FA0E4:  4BFFFF39   bl   0x801fa01c
801FA0E8:  387E2620   addi   r3,r30,9760
801FA0EC:  389F00A0   addi   r4,r31,160
801FA0F0:  4BFFFF2D   bl   0x801fa01c
801FA0F4:  387E2620   addi   r3,r30,9760
801FA0F8:  389F00D0   addi   r4,r31,208
801FA0FC:  4BFFFF21   bl   0x801fa01c
801FA100:  387E2620   addi   r3,r30,9760
801FA104:  389F00E0   addi   r4,r31,224
801FA108:  4BFFFF15   bl   0x801fa01c
801FA10C:  387E2620   addi   r3,r30,9760
801FA110:  389F0100   addi   r4,r31,256
801FA114:  4BFFFF09   bl   0x801fa01c
801FA118:  387E2630   addi   r3,r30,9776
801FA11C:  389F0110   addi   r4,r31,272
801FA120:  4BFFFEFD   bl   0x801fa01c
801FA124:  387E2630   addi   r3,r30,9776
801FA128:  389F0150   addi   r4,r31,336
801FA12C:  4BFFFEF1   bl   0x801fa01c
801FA130:  801E0008   lwz   r0,8(r30)
801FA134:  80DE000C   lwz   r6,12(r30)
801FA138:  5400103A   rlwinm   r0,r0,2,0,29
801FA13C:  7C0000D0   neg   r0,r0
801FA140:  7C060214   add   r0,r6,r0
801FA144:  54030026   rlwinm   r3,r0,0,0,19
801FA148:  907E2644   stw   r3,9796(r30)
801FA14C:  3803A000   subi   r0,r3,24576
801FA150:  54030026   rlwinm   r3,r0,0,0,19
801FA154:  907E2640   stw   r3,9792(r30)
801FA158:  7FA33050   sub   r29,r6,r3
801FA15C:  7FA4EB78   mr   r4,r29
801FA160:  484BE051   bl   0x806b81b0
801FA164:  807E2640   lwz   r3,9792(r30)
801FA168:  7FA4EB78   mr   r4,r29
801FA16C:  484BDFB5   bl   0x806b8120
801FA170:  881E0000   lbz   r0,0(r30)
801FA174:  80DE0010   lwz   r6,16(r30)
801FA178:  807E000C   lwz   r3,12(r30)
801FA17C:  2C800000   cmpwi   cr1,r0,0
801FA180:  801E2640   lwz   r0,9792(r30)
801FA184:  7C633214   add   r3,r3,r6
801FA188:  4186001C   beq-   cr1,0x801fa1a4
801FA18C:  5466A43E   rlwinm   r6,r3,20,16,31
801FA190:  807E2634   lwz   r3,9780(r30)
801FA194:  38A6FFFF   subi   r5,r6,1
801FA198:  5404A43E   rlwinm   r4,r0,20,16,31
801FA19C:  4BFE338D   bl   0x801dd528
801FA1A0:  48000018   b   0x801fa1b8
801FA1A4:  5466A43E   rlwinm   r6,r3,20,16,31
801FA1A8:  807E2624   lwz   r3,9764(r30)
801FA1AC:  38A6FFFF   subi   r5,r6,1
801FA1B0:  5404A43E   rlwinm   r4,r0,20,16,31
801FA1B4:  4BFE3375   bl   0x801dd528
801FA1B8:  809E2640   lwz   r4,9792(r30)
801FA1BC:  387E2648   addi   r3,r30,9800
801FA1C0:  38A00000   li   r5,0
801FA1C4:  38C017FF   li   r6,6143
801FA1C8:  48001F59   bl   0x801fc120
801FA1CC:  80DF0064   lwz   r6,100(r31)
801FA1D0:  387E2648   addi   r3,r30,9800
801FA1D4:  80FF0060   lwz   r7,96(r31)
801FA1D8:  389E2630   addi   r4,r30,9776
801FA1DC:  38060001   addi   r0,r6,1
801FA1E0:  80DF0140   lwz   r6,320(r31)
801FA1E4:  7C070050   sub   r0,r0,r7
801FA1E8:  3CA01000   lis   r5,4096
801FA1EC:  7CE03214   add   r7,r0,r6
801FA1F0:  38E7FFFF   subi   r7,r7,1
801FA1F4:  48001F55   bl   0x801fc148
801FA1F8:  801F00F0   lwz   r0,240(r31)
801FA1FC:  387E2670   addi   r3,r30,9840
801FA200:  901E2660   stw   r0,9824(r30)
801FA204:  809E2644   lwz   r4,9796(r30)
801FA208:  801F00F4   lwz   r0,244(r31)
801FA20C:  901E2664   stw   r0,9828(r30)
801FA210:  80BF0120   lwz   r5,288(r31)
801FA214:  80DF0124   lwz   r6,292(r31)
801FA218:  48001F09   bl   0x801fc120
801FA21C:  809E2644   lwz   r4,9796(r30)
801FA220:  387E2698   addi   r3,r30,9880
801FA224:  80BF0130   lwz   r5,304(r31)
801FA228:  80DF0134   lwz   r6,308(r31)
801FA22C:  48001EF5   bl   0x801fc120
801FA230:  80DF0064   lwz   r6,100(r31)
801FA234:  387E26C0   addi   r3,r30,9920
801FA238:  80FF0060   lwz   r7,96(r31)
801FA23C:  38C60001   addi   r6,r6,1
801FA240:  801F0140   lwz   r0,320(r31)
801FA244:  7CE73050   sub   r7,r6,r7
801FA248:  809E2644   lwz   r4,9796(r30)
801FA24C:  80DF0144   lwz   r6,324(r31)
801FA250:  7CA03A14   add   r5,r0,r7
801FA254:  48001ECD   bl   0x801fc120
801FA258:  38800000   li   r4,0
801FA25C:  3CA00004   lis   r5,4
801FA260:  7C002264   tlbie   r4
801FA264:  38841000   addi   r4,r4,4096
801FA268:  7C042800   cmpw   r4,r5
801FA26C:  4180FFF4   blt+   0x801fa260
801FA270:  7C0004AC   sync   
801FA274:  801E0014   lwz   r0,20(r30)
801FA278:  7C0004AC   sync   
801FA27C:  7C1903A6   mtsdr1   r0
801FA280:  4C00012C   isync   
801FA284:  3C006000   lis   r0,24576
801FA288:  60000008   ori   r0,r0,8
801FA28C:  7C0801A4   mtsr   8,r0
801FA290:  4C00012C   isync   
801FA294:  5400000E   rlwinm   r0,r0,0,0,7
801FA298:  60000009   ori   r0,r0,9
801FA29C:  7C0901A4   mtsr   9,r0
801FA2A0:  4C00012C   isync   
801FA2A4:  3C007000   lis   r0,28672
801FA2A8:  6000000A   ori   r0,r0,10
801FA2AC:  7C0A01A4   mtsr   10,r0
801FA2B0:  4C00012C   isync   
801FA2B4:  5400000E   rlwinm   r0,r0,0,0,7
801FA2B8:  6000000B   ori   r0,r0,11
801FA2BC:  7C0B01A4   mtsr   11,r0
801FA2C0:  4C00012C   isync   
801FA2C4:  5400000E   rlwinm   r0,r0,0,0,7
801FA2C8:  6000000E   ori   r0,r0,14
801FA2CC:  7C0E01A4   mtsr   14,r0
801FA2D0:  4C00012C   isync   
801FA2D4:  5400000E   rlwinm   r0,r0,0,0,7
801FA2D8:  6000000F   ori   r0,r0,15
801FA2DC:  7C0F01A4   mtsr   15,r0
801FA2E0:  4C00012C   isync   
801FA2E4:  801F01F4   lwz   r0,500(r31)
801FA2E8:  807F01F8   lwz   r3,504(r31)
801FA2EC:  7C0004AC   sync   
801FA2F0:  7C168BA6   mtspr   566,r0
801FA2F4:  7C778BA6   mtspr   567,r3
801FA2F8:  4C00012C   isync   
801FA2FC:  801F01E0   lwz   r0,480(r31)
801FA300:  807F01E4   lwz   r3,484(r31)
801FA304:  7C0004AC   sync   
801FA308:  7C148BA6   mtspr   564,r0
801FA30C:  7C758BA6   mtspr   565,r3
801FA310:  4C00012C   isync   
801FA314:  801F01CC   lwz   r0,460(r31)
801FA318:  807F01D0   lwz   r3,464(r31)
801FA31C:  7C0004AC   sync   
801FA320:  7C128BA6   mtspr   562,r0
801FA324:  7C738BA6   mtspr   563,r3
801FA328:  4C00012C   isync   
801FA32C:  801F01B8   lwz   r0,440(r31)
801FA330:  807F01BC   lwz   r3,444(r31)
801FA334:  7C0004AC   sync   
801FA338:  7C108BA6   mtspr   560,r0
801FA33C:  7C718BA6   mtspr   561,r3
801FA340:  4C00012C   isync   
801FA344:  801F01A4   lwz   r0,420(r31)
801FA348:  807F01A8   lwz   r3,424(r31)
801FA34C:  7C0004AC   sync   
801FA350:  7C1683A6   mtibatu   3,r0
801FA354:  7C7783A6   mtibatl   3,r3
801FA358:  4C00012C   isync   
801FA35C:  801F0190   lwz   r0,400(r31)
801FA360:  807F0194   lwz   r3,404(r31)
801FA364:  7C0004AC   sync   
801FA368:  7C1483A6   mtibatu   2,r0
801FA36C:  7C7583A6   mtibatl   2,r3
801FA370:  4C00012C   isync   
801FA374:  801F017C   lwz   r0,380(r31)
801FA378:  807F0180   lwz   r3,384(r31)
801FA37C:  7C0004AC   sync   
801FA380:  7C1283A6   mtibatu   1,r0
801FA384:  7C7383A6   mtibatl   1,r3
801FA388:  4C00012C   isync   
801FA38C:  801F0168   lwz   r0,360(r31)
801FA390:  807F016C   lwz   r3,364(r31)
801FA394:  7C0004AC   sync   
801FA398:  7C1083A6   mtibatu   0,r0
801FA39C:  7C7183A6   mtibatl   0,r3
801FA3A0:  4C00012C   isync   
801FA3A4:  801F0294   lwz   r0,660(r31)
801FA3A8:  807F0298   lwz   r3,664(r31)
801FA3AC:  7C0004AC   sync   
801FA3B0:  7C1E8BA6   mtspr   574,r0
801FA3B4:  7C7F8BA6   mtspr   575,r3
801FA3B8:  4C00012C   isync   
801FA3BC:  801F0280   lwz   r0,640(r31)
801FA3C0:  807F0284   lwz   r3,644(r31)
801FA3C4:  7C0004AC   sync   
801FA3C8:  7C1C8BA6   mtspr   572,r0
801FA3CC:  7C7D8BA6   mtspr   573,r3
801FA3D0:  4C00012C   isync   
801FA3D4:  801F026C   lwz   r0,620(r31)
801FA3D8:  807F0270   lwz   r3,624(r31)
801FA3DC:  7C0004AC   sync   
801FA3E0:  7C1A8BA6   mtspr   570,r0
801FA3E4:  7C7B8BA6   mtspr   571,r3
801FA3E8:  4C00012C   isync   
801FA3EC:  801F0258   lwz   r0,600(r31)
801FA3F0:  807F025C   lwz   r3,604(r31)
801FA3F4:  7C0004AC   sync   
801FA3F8:  7C188BA6   mtspr   568,r0
801FA3FC:  7C798BA6   mtspr   569,r3
801FA400:  4C00012C   isync   
801FA404:  801F0244   lwz   r0,580(r31)
801FA408:  807F0248   lwz   r3,584(r31)
801FA40C:  7C0004AC   sync   
801FA410:  7C1E83A6   mtdbatu   3,r0
801FA414:  7C7F83A6   mtdbatl   3,r3
801FA418:  4C00012C   isync   
801FA41C:  801F0230   lwz   r0,560(r31)
801FA420:  807F0234   lwz   r3,564(r31)
801FA424:  7C0004AC   sync   
801FA428:  7C1C83A6   mtdbatu   2,r0
801FA42C:  7C7D83A6   mtdbatl   2,r3
801FA430:  4C00012C   isync   
801FA434:  801F021C   lwz   r0,540(r31)
801FA438:  807F0220   lwz   r3,544(r31)
801FA43C:  7C0004AC   sync   
801FA440:  7C1A83A6   mtdbatu   1,r0
801FA444:  7C7B83A6   mtdbatl   1,r3
801FA448:  4C00012C   isync   
801FA44C:  801F0208   lwz   r0,520(r31)
801FA450:  807F020C   lwz   r3,524(r31)
801FA454:  7C0004AC   sync   
801FA458:  7C1883A6   mtdbatu   0,r0
801FA45C:  7C7983A6   mtdbatl   0,r3
801FA460:  4C00012C   isync   
801FA464:  3FE00180   lis   r31,384
801FA468:  3FC00001   lis   r30,1
801FA46C:  387F8000   subi   r3,r31,32768
801FA470:  389E8000   subi   r4,r30,32768
801FA474:  48000A5D   bl   0x801faed0
801FA478:  387F8000   subi   r3,r31,32768
801FA47C:  389E8000   subi   r4,r30,32768
801FA480:  48000A7D   bl   0x801faefc
801FA484:  BBA10014   lmw   r29,20(r1)
801FA488:  80010024   lwz   r0,36(r1)
801FA48C:  7C0803A6   mtlr   r0
801FA490:  38210020   addi   r1,r1,32
801FA494:  4E800020   blr   

Cars 2's function:
8019C8E0:  9421FFE0   stwu   r1,-32(r1)
8019C8E4:  7C0802A6   mflr   r0
8019C8E8:  90010024   stw   r0,36(r1)
8019C8EC:  BFA10014   stmw   r29,20(r1)
8019C8F0:  7C7D1B78   mr   r29,r3
8019C8F4:  7C9F2378   mr   r31,r4
8019C8F8:  8063000C   lwz   r3,12(r3)
8019C8FC:  4BFFFF41   bl   0x8019c83c
8019C900:  907D000C   stw   r3,12(r29)
8019C904:  387D2620   addi   r3,r29,9760
8019C908:  389D0020   addi   r4,r29,32
8019C90C:  4BFFFF0D   bl   0x8019c818
8019C910:  387D2628   addi   r3,r29,9768
8019C914:  389D0320   addi   r4,r29,800
8019C918:  4BFFFF01   bl   0x8019c818
8019C91C:  387D2630   addi   r3,r29,9776
8019C920:  389D0620   addi   r4,r29,1568
8019C924:  4BFFFEF5   bl   0x8019c818
8019C928:  387D2638   addi   r3,r29,9784
8019C92C:  389D1620   addi   r4,r29,5664
8019C930:  4BFFFEE9   bl   0x8019c818
8019C934:  387D2620   addi   r3,r29,9760
8019C938:  389F0010   addi   r4,r31,16
8019C93C:  4BFFFF09   bl   0x8019c844
8019C940:  387D2620   addi   r3,r29,9760
8019C944:  389F0040   addi   r4,r31,64
8019C948:  4BFFFEFD   bl   0x8019c844
8019C94C:  387D2620   addi   r3,r29,9760
8019C950:  389F0050   addi   r4,r31,80
8019C954:  4BFFFEF1   bl   0x8019c844
8019C958:  387D2620   addi   r3,r29,9760
8019C95C:  389F0090   addi   r4,r31,144
8019C960:  4BFFFEE5   bl   0x8019c844
8019C964:  387D2620   addi   r3,r29,9760
8019C968:  389F00C0   addi   r4,r31,192
8019C96C:  4BFFFED9   bl   0x8019c844
8019C970:  387D2620   addi   r3,r29,9760
8019C974:  389F0110   addi   r4,r31,272
8019C978:  4BFFFECD   bl   0x8019c844
8019C97C:  387D2630   addi   r3,r29,9776
8019C980:  389F0130   addi   r4,r31,304
8019C984:  4BFFFEC1   bl   0x8019c844
8019C988:  387D2630   addi   r3,r29,9776
8019C98C:  389F0170   addi   r4,r31,368
8019C990:  4BFFFEB5   bl   0x8019c844
8019C994:  801D0008   lwz   r0,8(r29)
8019C998:  807D000C   lwz   r3,12(r29)
8019C99C:  5400103A   rlwinm   r0,r0,2,0,29
8019C9A0:  907D2644   stw   r3,9796(r29)
8019C9A4:  7C8000D0   neg   r4,r0
8019C9A8:  4BFE3075   bl   0x8017fa1c
8019C9AC:  907D2644   stw   r3,9796(r29)
8019C9B0:  3880000C   li   r4,12
8019C9B4:  4BFF52C9   bl   0x80191c7c
8019C9B8:  907D2644   stw   r3,9796(r29)
8019C9BC:  3880A000   li   r4,-24576
8019C9C0:  4BFE305D   bl   0x8017fa1c
8019C9C4:  907D2640   stw   r3,9792(r29)
8019C9C8:  3880000C   li   r4,12
8019C9CC:  4BFF52B1   bl   0x80191c7c
8019C9D0:  907D2640   stw   r3,9792(r29)
8019C9D4:  809D000C   lwz   r4,12(r29)
8019C9D8:  4BFE303D   bl   0x8017fa14
8019C9DC:  7C7E1B78   mr   r30,r3
8019C9E0:  807D2640   lwz   r3,9792(r29)
8019C9E4:  7FC4F378   mr   r4,r30
8019C9E8:  485B9E29   bl   0x80756810
8019C9EC:  807D2640   lwz   r3,9792(r29)
8019C9F0:  7FC4F378   mr   r4,r30
8019C9F4:  485B9D8D   bl   0x80756780
8019C9F8:  881D0000   lbz   r0,0(r29)
8019C9FC:  80DD0010   lwz   r6,16(r29)
8019CA00:  807D000C   lwz   r3,12(r29)
8019CA04:  2C800000   cmpwi   cr1,r0,0
8019CA08:  801D2640   lwz   r0,9792(r29)
8019CA0C:  7C633214   add   r3,r3,r6
8019CA10:  4186001C   beq-   cr1,0x8019ca2c
8019CA14:  5466A43E   rlwinm   r6,r3,20,16,31
8019CA18:  387D2630   addi   r3,r29,9776
8019CA1C:  5404A43E   rlwinm   r4,r0,20,16,31
8019CA20:  38A6FFFF   subi   r5,r6,1
8019CA24:  4BFFFE81   bl   0x8019c8a4
8019CA28:  48000018   b   0x8019ca40
8019CA2C:  5466A43E   rlwinm   r6,r3,20,16,31
8019CA30:  387D2620   addi   r3,r29,9760
8019CA34:  5404A43E   rlwinm   r4,r0,20,16,31
8019CA38:  38A6FFFF   subi   r5,r6,1
8019CA3C:  4BFFFE69   bl   0x8019c8a4
8019CA40:  809D2640   lwz   r4,9792(r29)
8019CA44:  387D2648   addi   r3,r29,9800
8019CA48:  80BF0100   lwz   r5,256(r31)
8019CA4C:  80DF0104   lwz   r6,260(r31)
8019CA50:  4800203D   bl   0x8019ea8c
8019CA54:  809D2644   lwz   r4,9796(r29)
8019CA58:  387D2670   addi   r3,r29,9840
8019CA5C:  80BF0140   lwz   r5,320(r31)
8019CA60:  80DF0144   lwz   r6,324(r31)
8019CA64:  48002029   bl   0x8019ea8c
8019CA68:  809D2644   lwz   r4,9796(r29)
8019CA6C:  387D2698   addi   r3,r29,9880
8019CA70:  80BF0150   lwz   r5,336(r31)
8019CA74:  80DF0154   lwz   r6,340(r31)
8019CA78:  48002015   bl   0x8019ea8c
8019CA7C:  809D2644   lwz   r4,9796(r29)
8019CA80:  387D26C0   addi   r3,r29,9920
8019CA84:  80BF0160   lwz   r5,352(r31)
8019CA88:  80DF0164   lwz   r6,356(r31)
8019CA8C:  48002001   bl   0x8019ea8c
8019CA90:  38800000   li   r4,0
8019CA94:  3CA00004   lis   r5,4
8019CA98:  7C002264   tlbie   r4
8019CA9C:  38841000   addi   r4,r4,4096
8019CAA0:  7C042800   cmpw   r4,r5
8019CAA4:  4180FFF4   blt+   0x8019ca98
8019CAA8:  7C0004AC   sync   
8019CAAC:  801D0014   lwz   r0,20(r29)
8019CAB0:  7C0004AC   sync   
8019CAB4:  7C1903A6   mtsdr1   r0
8019CAB8:  4C00012C   isync   
8019CABC:  3C006000   lis   r0,24576
8019CAC0:  60000008   ori   r0,r0,8
8019CAC4:  7C0801A4   mtsr   8,r0
8019CAC8:  4C00012C   isync   
8019CACC:  5400000E   rlwinm   r0,r0,0,0,7
8019CAD0:  60000009   ori   r0,r0,9
8019CAD4:  7C0901A4   mtsr   9,r0
8019CAD8:  4C00012C   isync   
8019CADC:  3C007000   lis   r0,28672
8019CAE0:  6000000A   ori   r0,r0,10
8019CAE4:  7C0A01A4   mtsr   10,r0
8019CAE8:  4C00012C   isync   
8019CAEC:  5400000E   rlwinm   r0,r0,0,0,7
8019CAF0:  6000000B   ori   r0,r0,11
8019CAF4:  7C0B01A4   mtsr   11,r0
8019CAF8:  4C00012C   isync   
8019CAFC:  5400000E   rlwinm   r0,r0,0,0,7
8019CB00:  6000000E   ori   r0,r0,14
8019CB04:  7C0E01A4   mtsr   14,r0
8019CB08:  4C00012C   isync   
8019CB0C:  5400000E   rlwinm   r0,r0,0,0,7
8019CB10:  6000000F   ori   r0,r0,15
8019CB14:  7C0F01A4   mtsr   15,r0
8019CB18:  4C00012C   isync   
8019CB1C:  801F0214   lwz   r0,532(r31)
8019CB20:  807F0218   lwz   r3,536(r31)
8019CB24:  7C0004AC   sync   
8019CB28:  7C168BA6   mtspr   566,r0
8019CB2C:  7C778BA6   mtspr   567,r3
8019CB30:  4C00012C   isync   
8019CB34:  801F0200   lwz   r0,512(r31)
8019CB38:  807F0204   lwz   r3,516(r31)
8019CB3C:  7C0004AC   sync   
8019CB40:  7C148BA6   mtspr   564,r0
8019CB44:  7C758BA6   mtspr   565,r3
8019CB48:  4C00012C   isync   
8019CB4C:  801F01EC   lwz   r0,492(r31)
8019CB50:  807F01F0   lwz   r3,496(r31)
8019CB54:  7C0004AC   sync   
8019CB58:  7C128BA6   mtspr   562,r0
8019CB5C:  7C738BA6   mtspr   563,r3
8019CB60:  4C00012C   isync   
8019CB64:  801F01D8   lwz   r0,472(r31)
8019CB68:  807F01DC   lwz   r3,476(r31)
8019CB6C:  7C0004AC   sync   
8019CB70:  7C108BA6   mtspr   560,r0
8019CB74:  7C718BA6   mtspr   561,r3
8019CB78:  4C00012C   isync   
8019CB7C:  801F01C4   lwz   r0,452(r31)
8019CB80:  807F01C8   lwz   r3,456(r31)
8019CB84:  7C0004AC   sync   
8019CB88:  7C1683A6   mtibatu   3,r0
8019CB8C:  7C7783A6   mtibatl   3,r3
8019CB90:  4C00012C   isync   
8019CB94:  801F01B0   lwz   r0,432(r31)
8019CB98:  807F01B4   lwz   r3,436(r31)
8019CB9C:  7C0004AC   sync   
8019CBA0:  7C1483A6   mtibatu   2,r0
8019CBA4:  7C7583A6   mtibatl   2,r3
8019CBA8:  4C00012C   isync   
8019CBAC:  801F019C   lwz   r0,412(r31)
8019CBB0:  807F01A0   lwz   r3,416(r31)
8019CBB4:  7C0004AC   sync   
8019CBB8:  7C1283A6   mtibatu   1,r0
8019CBBC:  7C7383A6   mtibatl   1,r3
8019CBC0:  4C00012C   isync   
8019CBC4:  801F0188   lwz   r0,392(r31)
8019CBC8:  807F018C   lwz   r3,396(r31)
8019CBCC:  7C0004AC   sync   
8019CBD0:  7C1083A6   mtibatu   0,r0
8019CBD4:  7C7183A6   mtibatl   0,r3
8019CBD8:  4C00012C   isync   
8019CBDC:  801F02B4   lwz   r0,692(r31)
8019CBE0:  807F02B8   lwz   r3,696(r31)
8019CBE4:  7C0004AC   sync   
8019CBE8:  7C1E8BA6   mtspr   574,r0
8019CBEC:  7C7F8BA6   mtspr   575,r3
8019CBF0:  4C00012C   isync   
8019CBF4:  801F02A0   lwz   r0,672(r31)
8019CBF8:  807F02A4   lwz   r3,676(r31)
8019CBFC:  7C0004AC   sync   
8019CC00:  7C1C8BA6   mtspr   572,r0
8019CC04:  7C7D8BA6   mtspr   573,r3
8019CC08:  4C00012C   isync   
8019CC0C:  801F028C   lwz   r0,652(r31)
8019CC10:  807F0290   lwz   r3,656(r31)
8019CC14:  7C0004AC   sync   
8019CC18:  7C1A8BA6   mtspr   570,r0
8019CC1C:  7C7B8BA6   mtspr   571,r3
8019CC20:  4C00012C   isync   
8019CC24:  801F0278   lwz   r0,632(r31)
8019CC28:  807F027C   lwz   r3,636(r31)
8019CC2C:  7C0004AC   sync   
8019CC30:  7C188BA6   mtspr   568,r0
8019CC34:  7C798BA6   mtspr   569,r3
8019CC38:  4C00012C   isync   
8019CC3C:  801F0264   lwz   r0,612(r31)
8019CC40:  807F0268   lwz   r3,616(r31)
8019CC44:  7C0004AC   sync   
8019CC48:  7C1E83A6   mtdbatu   3,r0
8019CC4C:  7C7F83A6   mtdbatl   3,r3
8019CC50:  4C00012C   isync   
8019CC54:  801F0250   lwz   r0,592(r31)
8019CC58:  807F0254   lwz   r3,596(r31)
8019CC5C:  7C0004AC   sync   
8019CC60:  7C1C83A6   mtdbatu   2,r0
8019CC64:  7C7D83A6   mtdbatl   2,r3
8019CC68:  4C00012C   isync   
8019CC6C:  801F023C   lwz   r0,572(r31)
8019CC70:  807F0240   lwz   r3,576(r31)
8019CC74:  7C0004AC   sync   
8019CC78:  7C1A83A6   mtdbatu   1,r0
8019CC7C:  7C7B83A6   mtdbatl   1,r3
8019CC80:  4C00012C   isync   
8019CC84:  801F0228   lwz   r0,552(r31)
8019CC88:  807F022C   lwz   r3,556(r31)
8019CC8C:  7C0004AC   sync   
8019CC90:  7C1883A6   mtdbatu   0,r0
8019CC94:  7C7983A6   mtdbatl   0,r3
8019CC98:  4C00012C   isync   
8019CC9C:  3FC00180   lis   r30,384
8019CCA0:  3FE00001   lis   r31,1
8019CCA4:  387E8000   subi   r3,r30,32768
8019CCA8:  389F8000   subi   r4,r31,32768
8019CCAC:  480009F1   bl   0x8019d69c
8019CCB0:  387E8000   subi   r3,r30,32768
8019CCB4:  389F8000   subi   r4,r31,32768
8019CCB8:  48000A11   bl   0x8019d6c8
8019CCBC:  BBA10014   lmw   r29,20(r1)
8019CCC0:  80010024   lwz   r0,36(r1)
8019CCC4:  7C0803A6   mtlr   r0
8019CCC8:  38210020   addi   r1,r1,32
8019CCCC:  4E800020   blr   
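The two one-line patches can be checked against the listings by decoding the branch. The following is an added example, not code from the thread or from either game: it decodes the `b` instruction in "801FA2E4 48000180" and "0419CB1C 48000180", and walks a few (address, opcode) pairs copied from the Toy Story 3 listing above to show which MMU-register writes the patched branch jumps over. The register names for SPRs 560-575 (IBAT4-7 and DBAT4-7) assume the Gekko/Broadway SPR numbering, which the thread does not state.

```c
/* Added example (not from the thread): decode the branch patch and classify the
 * mtspr writes it skips. Opcode words below are copied from the posted listing. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PowerPC I-form branch (opcode 18): LI in bits 6-29, AA bit 30, LK bit 31. */
uint32_t branch_target(uint32_t addr, uint32_t insn) {
    if ((insn >> 26) != 18) return 0;
    int32_t li = (int32_t)(insn & 0x03FFFFFC);
    if (li & 0x02000000) li -= 0x04000000;            /* sign-extend the 26-bit displacement */
    return (insn & 2) ? (uint32_t)li : addr + (uint32_t)li;
}

/* mtspr (opcode 31, XO 467): the 10-bit SPR number is stored with its halves swapped. */
int mtspr_spr(uint32_t insn) {
    if ((insn >> 26) != 31 || ((insn >> 1) & 0x3FF) != 467) return -1;
    return (int)(((insn >> 16) & 0x1F) | (((insn >> 11) & 0x1F) << 5));
}

const char *spr_name(int spr) {
    static char buf[16];
    if (spr == 25) return "SDR1";
    if (spr >= 528 && spr <= 543)                      /* IBAT0-3 (528-535), DBAT0-3 (536-543) */
        snprintf(buf, sizeof buf, "%cBAT%d%c", spr < 536 ? 'I' : 'D', ((spr - 528) / 2) & 3, (spr & 1) ? 'L' : 'U');
    else if (spr >= 560 && spr <= 575)                 /* IBAT4-7, DBAT4-7: Gekko/Broadway (assumed) */
        snprintf(buf, sizeof buf, "%cBAT%d%c", spr < 568 ? 'I' : 'D', 4 + ((spr - 560) / 2) % 4, (spr & 1) ? 'L' : 'U');
    else snprintf(buf, sizeof buf, "SPR%d", spr);
    return buf;
}

typedef struct { uint32_t addr, insn; } word_t;

/* Excerpt of the Toy Story 3 function as posted: the MMU-state writes and the branch target. */
static const word_t ts3[] = {
    {0x801FA260, 0x7C002264},  /* tlbie r4 (loop)            */
    {0x801FA27C, 0x7C1903A6},  /* mtsdr1 r0                  */
    {0x801FA28C, 0x7C0801A4},  /* mtsr 8,r0                  */
    {0x801FA2F0, 0x7C168BA6},  /* mtspr 566,r0 ... (BAT writes follow) */
    {0x801FA308, 0x7C148BA6}, {0x801FA320, 0x7C128BA6}, {0x801FA338, 0x7C108BA6},
    {0x801FA350, 0x7C1683A6}, {0x801FA368, 0x7C1483A6}, {0x801FA380, 0x7C1283A6},
    {0x801FA398, 0x7C1083A6}, {0x801FA3B0, 0x7C1E8BA6}, {0x801FA3C8, 0x7C1C8BA6},
    {0x801FA3E0, 0x7C1A8BA6}, {0x801FA3F8, 0x7C188BA6}, {0x801FA410, 0x7C1E83A6},
    {0x801FA428, 0x7C1C83A6}, {0x801FA440, 0x7C1A83A6}, {0x801FA458, 0x7C1883A6},
    {0x801FA464, 0x3FE00180},  /* lis r31,384: where the patched branch lands */
};

/* Count the mtspr writes inside [patch_addr, target), i.e. the ones the patch skips. */
int skipped_spr_writes(const word_t *w, int n, uint32_t patch_addr, uint32_t patch_insn) {
    uint32_t target = branch_target(patch_addr, patch_insn);
    int count = 0;
    for (int i = 0; i < n; i++) {
        int spr = mtspr_spr(w[i].insn);
        if (spr < 0) continue;
        int skipped = w[i].addr >= patch_addr && w[i].addr < target;
        printf("%08X mtspr %-6s %s\n", w[i].addr, spr_name(spr), skipped ? "SKIPPED" : "still runs");
        count += skipped;
    }
    return count;
}

int main(void) {
    printf("TS3 patch lands at %08X\n", branch_target(0x801FA2E4, 0x48000180));
    printf("Cars 2 patch lands at %08X\n", branch_target(0x8019CB1C, 0x48000180));
    int n = skipped_spr_writes(ts3, (int)(sizeof ts3 / sizeof ts3[0]), 0x801FA2E4, 0x48000180);
    printf("%d BAT register writes skipped\n", n);
    return 0;
}
```

The arithmetic is the useful part: 0x801FA2E4 + 0x180 = 0x801FA464, the `lis r31,384` right after the last `mtdbatl`, and 0x8019CB1C + 0x180 = 0x8019CC9C, the matching `lis r30,384` in Cars 2. So both patches jump over exactly the sixteen BAT register reloads and nothing else; the `tlbie` loop, `mtsdr1` and the `mtsr` writes before the patch address still execute. That is consistent with what kenobi saw (the 81000000 region staying readable once those instructions are skipped) and points at the BAT reprogramming, rather than the page table, as the part that closes the dumpable window.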


dcx2

Interesting, thanks for sharing the code.  We'll have to keep an eye out...I wonder if this is in Nintendo's latest SDK, or if this is some custom API used only by this developer.

Thomas83Lin

Quote from: dcx2 on June 28, 2011, 08:11:43 PM
Interesting, thanks for sharing the code.  We'll have to keep an eye out...I wonder if this is in Nintendo's latest SDK, or if this is some custom API used only by this developer.
I'm thinking it's just this developer, but anyway I posted the function from Toy Story 3 if it helps in the future. It helped in porting the code to Cars 2. I'll add the function from Cars 2 also.

Bully@Wiiplaza

hehe, this won't be hard to port to different games from that publisher now.
These two functions are VERY similar.

Unfortunately, each developer has its own protection method (if there are any), so there won't be a final solution to it.

Did I get it right?
- Metroid other M: Pause Game protection, Health Write protection + Savegame modification protection #cracked insane, at least the in-game hacking
- Toy Story 3/Cars 2: Memory Access Protection # cracked pretty well
- Conduit 2: ammo, health, name, gamespeed, ... Write Protection + Savegame copy/modification protection # in-game hacking partly cracked with a loss at possibilities, the anti-protection methods of the other 2 games fail here ;D

More to come? ???