Breakpoint at 'monster seeing you' MH3

Started by Stuff, August 15, 2011, 07:33:03 AM


Stuff

I was trying to make a "monster doesn't notice you" code, so I found this address (9014BD7D) that changes based on how aware the monster is of your presence. It's 00 when they aren't aware of you, 02 when you have the yellow eye next to your name, and 01 when it's the red eye and they're attacking you. But here's what happens. I do a 00 code to write 00 to the address, and then the monster gets stuck when it spots you. It goes from yellow to nothing again and again very fast, and the monster is just stuck there. Could work as a freeze monster code. But that's not what I'm looking for. If I write 02 to the address, the eye goes from red to yellow and back very fast, and the monster goes into an infinite loop of spotting you, and therefore must roar. Very funny, but c'mon.

So I set a BP at 9014BD7D (this address gets read often for whatever reason; I think it was the same function, though) and tried nopping it, but then the monster freezes like I was writing 00 to the address. And that was the beginning of the function... I wanted to go up and maybe find something that happens before the alert status is updated... something that tells the game what to do when a monster should notice you.

So here are the registers, the function, and the call stack along with the instruction at each 'call' (?). Copying each function at those addresses would've been too much to post.

[spoiler=registers and fregisters]  CR:88200488  XER:00000000  CTR:00000004 DSIS:02400000
DAR:9014BD7D SRR0:80130788 SRR1:0000B032   LR:8012C8D4
  r0:00000000   r1:807AD5E0   r2:8079DAA0   r3:9014B940
  r4:00000002   r5:00000002   r6:00000000   r7:00000005
  r8:00000000   r9:00000007  r10:807AD3D0  r11:807AD600
r12:0038208C  r13:80798E20  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:9014CF70  r19:816884E8
r20:817C5000  r21:00000030  r22:00000003  r23:00000000
r24:00000000  r25:00000000  r26:9014B940  r27:00000000
r28:00000000  r29:00000000  r30:00000001  r31:00000000

  f0:C58C077F   f1:457A4363   f2:44E39C36   f3:BEA533DD
  f4:52A44554   f5:35E1FA2E   f6:3FFFF8EC   f7:461B8FD9
  f8:C87030FC   f9:4908C2D6  f10:473932D9  f11:3D4BDC87
f12:360B9318  f13:3905E941  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:00000000  f30:00000000  f31:00000000
[/spoiler]

Quote
80130784:  4D820020   beqlr-      <-- in case it's relevant. But the function starts on the next line
80130788:  9883043D   stb   r4,1085(r3)
8013078C:  38000000   li   r0,0
80130790:  B0030442   sth   r0,1090(r3)
80130794:  28050001   cmplwi   r5,1
80130798:  4C820020   bnelr-   

[spoiler=call stack]80130788/\
8012CC04:  4BFFFC6D   bl   0x8012c870
80138700:  4BFF42AD   bl   0x8012c9ac
801379CC:  48000871   bl   0x8013823c
80143D08:  4BFF3C15   bl   0x8013791c
8028CCB4:  4BEB6F61   bl   0x80143c14
8028D020:  4BFFFC5D   bl   0x8028cc7c
8028C060:  48000D51   bl   0x8028cdb0
8004178C:  4E800421   bctrl   
80046DB8:  4BFFA8DD   bl   0x80041694
8003F3F4:  48007941   bl   0x80046d34
80006474:  48038DA5   bl   0x8003f218[/spoiler]

I'm not sure what the values in each register are, but looking at these:
r4:00000002   r5:00000002
One or both is/are what it's getting ready to write. Lagiacrus just saw me at this BP, so I'll have the yellow eye next to my name for like 1 second. So it's gonna change to 02. Looking at the asm, it looks like it uses r4 to write 02 to the address. And r5 to... compare something.

So I just want the monster to not even notice me, because when it does, if the value at 9014BD7D can't change, it just gets stuck. I think a code like this already exists, but it's not on the db, so now I'm looking for it. What do I do?
.make Stuff happen.
Dropbox. If you don't have one, get it NOW! +250MB free if you follow my link :p.

Mod code Generator ~50% complete but very usable:
http://dl.dropbox.com/u/24514984/modcodes/modcodes.htm

Bully@Wiiplaza

Did it work as intended to just do a "RAM write" to the address?
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

Stuff

No. A 00 RAM write causes the monster to freeze because every frame it spots you but then it unspots you. A 02 RAM write causes the monster to roar forever because it's not sure if you're there but then it sees you, so it roars. Those aren't desired results. What I want is for the monster to not see me at all. The address's value is spazzing between 01 and 00/02 every time the codehandler executes, I guess, based on what's written.

Deathwolf

Yup

80130788:  9883043D   stb   r4,1085(r3) #  store r4 value to r3 +1085

80130794:  28050001   cmplwi   r5,1  # compare logical immediate
lolz

dcx2

#4
I've been a bit busy lately, and there's a backlog of posts in this board that need to be addressed, but I told you I'd help with this, so here goes...

Quote from: Stuff on August 15, 2011, 07:33:03 AM
So I set a BP at 9014BD7D (this address gets read often for whatever reason; I think it was the same function, though)

You might want to enable the Step Log while taking BPs.  It can be very useful for analyzing later.

The address is read very often because it probably says "is the monster in the idle state?" every frame.  Then, if a monster is idle, it might then say "can the monster see the player?"  Then, if it can see the player, it will overwrite the value (and by now it's too late, the monster has "seen" you, and the game is just recording that fact).  So you might want to try replacing the RBP with an li rX,0 instead.  Then, whenever the game would ask if a monster is idle, the hack would say "why yes, the monster is in fact idle."  EDIT: this will probably have the same effect as RAM-writing 0.  You should also post the Copy Function for the RBP.

Quote
tried nopping it, but then the monster freezes like I was writing 00 to the address.

There might be more than one variable controlling "monster state".  Or when it tries to go from 0 to 2, it initiates a sequence of events (e.g. change eye to yellow, roar, etc) for the rest of that frame, and then at the start of the next frame the monster state is still idle, so it re-initiates the sequence of events.

Quote
So here are the registers, the function, and the call stack along with the instruction at each 'call' (?). Copying each function at those addresses would've been too much to post.

Yeah, copying the disassembly for the whole call stack ("Copy All Frames" on the disasm context menu) gathers all of this info into a single clipboard.  But it's very large.  You could try pastie.  http://pastie.org/

Quote
80130784:  4D820020   beqlr-      <-- in case it's relevant. But the function starts on the next line
80130788:  9883043D   stb   r4,1085(r3)
8013078C:  38000000   li   r0,0
80130790:  B0030442   sth   r0,1090(r3)
80130794:  28050001   cmplwi   r5,1
80130798:  4C820020   bnelr-

80130788/\
8012CC04:  4BFFFC6D   bl   0x8012c870
80138700:  4BFF42AD   bl   0x8012c9ac

Uh oh!  That's not the whole function. =(  Conditional blr's mess with Gecko.NET's ability to parse functions.  The actual start of the function's address is given by the caller's bl = 8012C870.  It doesn't look like there's a stack frame, so this is probably a leaf function.  Since this address is kinda REALLY far away (about 0x4000-ish away from start of function!), and it looks like there's multiple conditional blr's, my guess is that 8012C870 probably shows ctr being loaded with something and then bctr to the appropriate section.

You'll need to go to 8012C870 and manually use Copy Visible to fill out the function.  =(

Stuff

#5
Well, I did a read BP and it wasn't the same function. Whoops. This is a pretty long function:

[spoiler]800F3604:  9421FFC0   stwu   r1,-64(r1)
800F3608:  7C0802A6   mflr   r0
800F360C:  90010044   stw   r0,68(r1)
800F3610:  39610040   addi   r11,r1,64
800F3614:  483637DD   bl   0x80456df0
800F3618:  7C781B78   mr   r24,r3
800F361C:  38A00000   li   r5,0
800F3620:  98A301D9   stb   r5,473(r3)
800F3624:  3C800001   lis   r4,1
800F3628:  3804FFFF   subi   r0,r4,1
800F362C:  B00301DC   sth   r0,476(r3)
800F3630:  98A301E2   stb   r5,482(r3)
800F3634:  98A301E5   stb   r5,485(r3)
800F3638:  98A301E8   stb   r5,488(r3)
800F363C:  98A301EB   stb   r5,491(r3)
800F3640:  98A301DA   stb   r5,474(r3)
800F3644:  B00301DE   sth   r0,478(r3)
800F3648:  98A301E3   stb   r5,483(r3)
800F364C:  98A301E6   stb   r5,486(r3)
800F3650:  98A301E9   stb   r5,489(r3)
800F3654:  98A301EC   stb   r5,492(r3)
800F3658:  98A301DB   stb   r5,475(r3)
800F365C:  B00301E0   sth   r0,480(r3)
800F3660:  98A301E4   stb   r5,484(r3)
800F3664:  98A301E7   stb   r5,487(r3)
800F3668:  98A301EA   stb   r5,490(r3)
800F366C:  98A301ED   stb   r5,493(r3)
800F3670:  38600000   li   r3,0
800F3674:  4BFDC41D   bl   0x800cfa90
800F3678:  2C030000   cmpwi   r3,0
800F367C:  41820290   beq-   0x800f390c
800F3680:  3B232274   addi   r25,r3,8820
800F3684:  38600002   li   r3,2
800F3688:  4BFDC409   bl   0x800cfa90
800F368C:  7C7D1B78   mr   r29,r3
800F3690:  2C030000   cmpwi   r3,0
800F3694:  41820278   beq-   0x800f390c
800F3698:  4BFDBB81   bl   0x800cf218
800F369C:  5460063E   rlwinm   r0,r3,0,24,31
800F36A0:  28000002   cmplwi   r0,2
800F36A4:  4182001C   beq-   0x800f36c0
800F36A8:  4BFDBCDD   bl   0x800cf384
800F36AC:  7C600774   extsb   r0,r3
800F36B0:  1C000B20   mulli   r0,r0,2848
800F36B4:  7FBD0214   add   r29,r29,r0
800F36B8:  3B800000   li   r28,0
800F36BC:  48000008   b   0x800f36c4
800F36C0:  3B9D0B20   addi   r28,r29,2848
800F36C4:  482BA231   bl   0x803ad8f4
800F36C8:  5460063E   rlwinm   r0,r3,0,24,31
800F36CC:  2800000B   cmplwi   r0,11
800F36D0:  40820014   bne-   0x800f36e4
800F36D4:  7F03C378   mr   r3,r24
800F36D8:  7FA4EB78   mr   r4,r29
800F36DC:  4BFFFE11   bl   0x800f34ec
800F36E0:  4800022C   b   0x800f390c
800F36E4:  482BA211   bl   0x803ad8f4
800F36E8:  5460063E   rlwinm   r0,r3,0,24,31
800F36EC:  28000006   cmplwi   r0,6
800F36F0:  40820014   bne-   0x800f3704
800F36F4:  7F03C378   mr   r3,r24
800F36F8:  7FA4EB78   mr   r4,r29
800F36FC:  4BFFFE59   bl   0x800f3554
800F3700:  4800020C   b   0x800f390c
800F3704:  3B400000   li   r26,0
800F3708:  3B600000   li   r27,0
800F370C:  7F1FC378   mr   r31,r24
800F3710:  3AE00000   li   r23,0
800F3714:  3AC00001   li   r22,1
800F3718:  2C1A0003   cmpwi   r26,3
800F371C:  408001F0   bge-   0x800f390c
800F3720:  A0190006   lhz   r0,6(r25)
800F3724:  2C000000   cmpwi   r0,0
800F3728:  418201D4   beq-   0x800f38fc
800F372C:  A8190004   lha   r0,4(r25)
800F3730:  2C000000   cmpwi   r0,0
800F3734:  418201C8   beq-   0x800f38fc
800F3738:  80190000   lwz   r0,0(r25)
800F373C:  5403043E   rlwinm   r3,r0,0,16,31
800F3740:  3881000C   addi   r4,r1,12
800F3744:  38A10008   addi   r5,r1,8
800F3748:  48050E99   bl   0x801445e0
800F374C:  5460063E   rlwinm   r0,r3,0,24,31
800F3750:  28000001   cmplwi   r0,1
800F3754:  408201A8   bne-   0x800f38fc
800F3758:  8061000C   lwz   r3,12(r1)
800F375C:  88030000   lbz   r0,0(r3)
800F3760:  2C000000   cmpwi   r0,0
800F3764:  41820198   beq-   0x800f38fc
800F3768:  800301C8   lwz   r0,456(r3)
800F376C:  540007FE   rlwinm   r0,r0,0,31,31
800F3770:  2C000000   cmpwi   r0,0
800F3774:  41820188   beq-   0x800f38fc
800F3778:  480398B5   bl   0x8012d02c
800F377C:  2C030000   cmpwi   r3,0
800F3780:  4082017C   bne-   0x800f38fc
800F3784:  8061000C   lwz   r3,12(r1)
800F3788:  A003001A   lhz   r0,26(r3)
800F378C:  B01F01DC   sth   r0,476(r31)
800F3790:  7FD8D214   add   r30,r24,r26
800F3794:  8061000C   lwz   r3,12(r1)
800F3798:  88030003   lbz   r0,3(r3)
800F379C:  981E01E2   stb   r0,482(r30)
800F37A0:  4BFDBA79   bl   0x800cf218
800F37A4:  5460063E   rlwinm   r0,r3,0,24,31
800F37A8:  28000002   cmplwi   r0,2
800F37AC:  41820034   beq-   0x800f37e0
800F37B0:  8061000C   lwz   r3,12(r1)
800F37B4:  7FA4EB78   mr   r4,r29
800F37B8:  480398FD   bl   0x8012d0b4
800F37BC:  28030001   cmplwi   r3,1
800F37C0:  40820018   bne-   0x800f37d8
800F37C4:  8061000C   lwz   r3,12(r1)
800F37C8:  889D0008   lbz   r4,8(r29)
800F37CC:  4803E145   bl   0x80131910
800F37D0:  7C751B78   mr   r21,r3
800F37D4:  4800008C   b   0x800f3860
800F37D8:  3AA00000   li   r21,0
800F37DC:  48000084   b   0x800f3860
800F37E0:  8061000C   lwz   r3,12(r1)
800F37E4:  7FA4EB78   mr   r4,r29
800F37E8:  480398CD   bl   0x8012d0b4
800F37EC:  28030001   cmplwi   r3,1
800F37F0:  40820044   bne-   0x800f3834
800F37F4:  8061000C   lwz   r3,12(r1)
800F37F8:  889D0008   lbz   r4,8(r29)
800F37FC:  4803E115   bl   0x80131910
800F3800:  7C751B78   mr   r21,r3
800F3804:  2C030000   cmpwi   r3,0
800F3808:  40820058   bne-   0x800f3860
800F380C:  8061000C   lwz   r3,12(r1)
800F3810:  7F84E378   mr   r4,r28
800F3814:  480398A1   bl   0x8012d0b4
800F3818:  28030001   cmplwi   r3,1
800F381C:  40820044   bne-   0x800f3860
800F3820:  8061000C   lwz   r3,12(r1)
800F3824:  889C0008   lbz   r4,8(r28)
800F3828:  4803E0E9   bl   0x80131910
800F382C:  7C751B78   mr   r21,r3
800F3830:  48000030   b   0x800f3860
800F3834:  8061000C   lwz   r3,12(r1)
800F3838:  7F84E378   mr   r4,r28
800F383C:  48039879   bl   0x8012d0b4
800F3840:  28030001   cmplwi   r3,1
800F3844:  40820014   bne-   0x800f3858
800F3848:  8061000C   lwz   r3,12(r1)
800F384C:  889C0008   lbz   r4,8(r28)
800F3850:  4803E0C1   bl   0x80131910
800F3854:  48000008   b   0x800f385c
800F3858:  38600000   li   r3,0
800F385C:  7C751B78   mr   r21,r3
800F3860:  2C150000   cmpwi   r21,0
800F3864:  4082000C   bne-   0x800f3870
800F3868:  9AFE01E5   stb   r23,485(r30)
800F386C:  48000008   b   0x800f3874
800F3870:  9ADE01E5   stb   r22,485(r30)
800F3874:  8061000C   lwz   r3,12(r1)
800F3878:  88030003   lbz   r0,3(r3)
800F387C:  28000014   cmplwi   r0,20
800F3880:  4082003C   bne-   0x800f38bc
800F3884:  8803043D   lbz   r0,1085(r3)
800F3888:  28000001   cmplwi   r0,1
800F388C:  4182001C   beq-   0x800f38a8
800F3890:  28000002   cmplwi   r0,2
800F3894:  41820014   beq-   0x800f38a8
800F3898:  481BC3ED   bl   0x802afc84
800F389C:  5460063E   rlwinm   r0,r3,0,24,31
800F38A0:  28000003   cmplwi   r0,3
800F38A4:  4082000C   bne-   0x800f38b0
800F38A8:  9ADE01EB   stb   r22,491(r30)
800F38AC:  48000008   b   0x800f38b4
800F38B0:  9AFE01EB   stb   r23,491(r30)
800F38B4:  9AFE01E8   stb   r23,488(r30)
800F38B8:  48000038   b   0x800f38f0
800F38BC:  8803043D   lbz   r0,1085(r3) <--BP was here the second time >.>(after I couldn't unpause and had to reset)
800F38C0:  28000001   cmplwi   r0,1
800F38C4:  4082000C   bne-   0x800f38d0
800F38C8:  9ADE01EB   stb   r22,491(r30)
800F38CC:  48000008   b   0x800f38d4
800F38D0:  9AFE01EB   stb   r23,491(r30)
800F38D4:  8061000C   lwz   r3,12(r1)
800F38D8:  8803043D   lbz   r0,1085(r3) <--where the breakpoint was at 1st time
800F38DC:  28000002   cmplwi   r0,2
800F38E0:  4082000C   bne-   0x800f38ec
800F38E4:  9ADE01E8   stb   r22,488(r30)
800F38E8:  48000008   b   0x800f38f0
800F38EC:  9AFE01E8   stb   r23,488(r30)
800F38F0:  9ADE01D9   stb   r22,473(r30)
800F38F4:  3BFF0002   addi   r31,r31,2
800F38F8:  3B5A0001   addi   r26,r26,1
800F38FC:  3B7B0001   addi   r27,r27,1
800F3900:  3B390010   addi   r25,r25,16
800F3904:  2C1B0006   cmpwi   r27,6
800F3908:  4180FE10   blt+   0x800f3718
800F390C:  39610040   addi   r11,r1,64
800F3910:  4836352D   bl   0x80456e3c
800F3914:  80010044   lwz   r0,68(r1)
800F3918:  7C0803A6   mtlr   r0
800F391C:  38210040   addi   r1,r1,64
800F3920:  4E800020   blr   [/spoiler]

I put the call stack for that in pastie. http://pastie.org/2381612

This is the function at 8012C870. Tried nopping that and the game froze a few seconds later. I guess a kelbi was there and the game didn't know what to do.
[spoiler]8012C870:  9421FFE0   stwu   r1,-32(r1)
8012C874:  7C0802A6   mflr   r0
8012C878:  90010024   stw   r0,36(r1)
8012C87C:  39610020   addi   r11,r1,32
8012C880:  4832A585   bl   0x80456e04
8012C884:  7C7A1B78   mr   r26,r3
8012C888:  7C9E2378   mr   r30,r4
8012C88C:  8803095C   lbz   r0,2396(r3)
8012C890:  28000004   cmplwi   r0,4
8012C894:  4082000C   bne-   0x8012c8a0
8012C898:  38600000   li   r3,0
8012C89C:  480000F8   b   0x8012c994
8012C8A0:  A8030916   lha   r0,2326(r3)
8012C8A4:  2C000000   cmpwi   r0,0
8012C8A8:  4081000C   ble-   0x8012c8b4
8012C8AC:  38600000   li   r3,0
8012C8B0:  480000E4   b   0x8012c994
8012C8B4:  8803038C   lbz   r0,908(r3)
8012C8B8:  540007FE   rlwinm   r0,r0,0,31,31
8012C8BC:  2C000000   cmpwi   r0,0
8012C8C0:  4082000C   bne-   0x8012c8cc
8012C8C4:  38600000   li   r3,0
8012C8C8:  480000CC   b   0x8012c994
8012C8CC:  38800002   li   r4,2
8012C8D0:  48003EA9   bl   0x80130778
8012C8D4:  7F43D378   mr   r3,r26
8012C8D8:  38800004   li   r4,4
8012C8DC:  4800DFA9   bl   0x8013a884
8012C8E0:  28030001   cmplwi   r3,1
8012C8E4:  408200AC   bne-   0x8012c990
8012C8E8:  38600002   li   r3,2
8012C8EC:  4BFA31E5   bl   0x800cfad0
8012C8F0:  547C043E   rlwinm   r28,r3,0,16,31
8012C8F4:  38600002   li   r3,2
8012C8F8:  4BFA3199   bl   0x800cfa90
8012C8FC:  7C7D1B78   mr   r29,r3
8012C900:  380000FF   li   r0,255
8012C904:  981A0798   stb   r0,1944(r26)
8012C908:  3B600000   li   r27,0
8012C90C:  3BE00001   li   r31,1
8012C910:  57DE063E   rlwinm   r30,r30,0,24,31
8012C914:  48000058   b   0x8012c96c
8012C918:  881D0000   lbz   r0,0(r29)
8012C91C:  2C000000   cmpwi   r0,0
8012C920:  41820044   beq-   0x8012c964
8012C924:  887D0008   lbz   r3,8(r29)
8012C928:  48000881   bl   0x8012d1a8
8012C92C:  2C030000   cmpwi   r3,0
8012C930:  40820034   bne-   0x8012c964
8012C934:  5760063E   rlwinm   r0,r27,0,24,31
8012C938:  7FE00030   slw   r0,r31,r0
8012C93C:  7FC00038   and   r0,r30,r0
8012C940:  2C000000   cmpwi   r0,0
8012C944:  41820020   beq-   0x8012c964
8012C948:  7F43D378   mr   r3,r26
8012C94C:  7FA4EB78   mr   r4,r29
8012C950:  48000765   bl   0x8012d0b4
8012C954:  2C030000   cmpwi   r3,0
8012C958:  4182000C   beq-   0x8012c964
8012C95C:  9B7A0798   stb   r27,1944(r26)
8012C960:  48000018   b   0x8012c978
8012C964:  3B7B0001   addi   r27,r27,1
8012C968:  3BBD0B20   addi   r29,r29,2848
8012C96C:  5760063E   rlwinm   r0,r27,0,24,31
8012C970:  7C00E000   cmpw   r0,r28
8012C974:  4180FFA4   blt+   0x8012c918
8012C978:  7F43D378   mr   r3,r26
8012C97C:  38800004   li   r4,4
8012C980:  38A00000   li   r5,0
8012C984:  48000471   bl   0x8012cdf4
8012C988:  38600001   li   r3,1
8012C98C:  48000008   b   0x8012c994
8012C990:  38600000   li   r3,0
8012C994:  39610020   addi   r11,r1,32
8012C998:  4832A4B9   bl   0x80456e50
8012C99C:  80010024   lwz   r0,36(r1)
8012C9A0:  7C0803A6   mtlr   r0
8012C9A4:  38210020   addi   r1,r1,32
8012C9A8:  4E800020   blr   
[/spoiler]
I don't see where this goes to 80130788, though. Should I copy the other call stacks?

Another read BP, because li r0,0 changed nothing noticeable and the BP was different after assembling that. >.> It keeps finding a different Read BP if I change it. It's going in a pastie. http://pastie.org/2381859

Actually, one of the many Read BPs that I put li r0,0 in did give me the same effect that RAM writing 00 had, but this time it seems to be switching between all 3 values. And G Jaggi is able to turn to me this time. I must make a video of this. It's way too funny to waste. This is just one of those things.
-----
>.< I had a bad code activated that made my game freeze for trying to kick.

dcx2

Ack, you're doing it wrong. =P

Hit the breakpoint.  Go to disasm tab.  Right click.  "Copy All Frames".  This does a Copy Function on every function in the Call Stack, as well as grabbing a copy of the current registers, and places it in the clipboard.  It minimizes the amount of work you have to do.

Also, since there are a few read BPs, you should do another thing.  On the BP tab, check Step Log.  Then set a RWBP on the address of interest.  Then just spam the Set Breakpoint button for a while, until at least two frames pass by (so that you can definitely identify the pattern of data accesses).  In addition to a pastie of the Copy All Frames

Stuff

#7
Here you have a nice pyramid. I like. It can't fit in the post, so http://pastie.org/2382555.

You told me to spam RWBP, so I turbo-clicked it for about 1 minute. Not sure what you mean by 2 frames. I thought a BP pauses on that frame. This is what the pattern looks like:

[spoiler]800F38BC:  8803043D   lbz   r0,1085(r3)   r0 = 0000000C   r3 = 9014B940   [9014BD7D] = 00000000

800F38D8:  8803043D   lbz   r0,1085(r3)   r0 = 00000000   r3 = 9014B940   [9014BD7D] = 00000000

801307B8:  8803043D   lbz   r0,1085(r3)   r0 = 801298C0   r3 = 9014B940   [9014BD7D] = 00000000

80129830:  881F043D   lbz   r0,1085(r31)   r0 = 00000003   r31 = 9014B940   [9014BD7D] = 00000000

8012BBA4:  8817043D   lbz   r0,1085(r23)   r0 = 00000000   r23 = 9014B940   [9014BD7D] = 00000000

8012BBA4:  8817043D   lbz   r0,1085(r23)   r0 = 00000000   r23 = 9014B940   [9014BD7D] = 00000000

8012BBA4:  8817043D   lbz   r0,1085(r23)   r0 = 00000000   r23 = 9014B940   [9014BD7D] = 00000000

8012BBA4:  8817043D   lbz   r0,1085(r23)   r0 = 00000000   r23 = 9014B940   [9014BD7D] = 00000000

8012BBA4:  8817043D   lbz   r0,1085(r23)   r0 = 00000000   r23 = 9014B940   [9014BD7D] = 00000000

8012BBA4:  8817043D   lbz   r0,1085(r23)   r0 = 00000000   r23 = 9014B940   [9014BD7D] = 00000000

8012BBA4:  8817043D   lbz   r0,1085(r23)   r0 = 00000000   r23 = 9014B940   [9014BD7D] = 00000000

8012BBA4:  8817043D   lbz   r0,1085(r23)   r0 = 00000000   r23 = 9014B940   [9014BD7D] = 00000000

8012BBA4:  8817043D   lbz   r0,1085(r23)   r0 = 00000000   r23 = 9014B940   [9014BD7D] = 00000000

8012C9E0:  881A043D   lbz   r0,1085(r26)   r0 = 000000FF   r26 = 9014B940   [9014BD7D] = 00000000

8012CB44:  881A043D   lbz   r0,1085(r26)   r0 = 00000000   r26 = 9014B940   [9014BD7D] = 00000000

8012CBD8:  881A043D   lbz   r0,1085(r26)   r0 = 00000000   r26 = 9014B940   [9014BD7D] = 00000000

8012CC50:  881A043D   lbz   r0,1085(r26)   r0 = 00000000   r26 = 9014B940   [9014BD7D] = 00000000

8034664C:  881D043D   lbz   r0,1085(r29)   r0 = 00000000   r29 = 9014B940   [9014BD7D] = 00000000

8031E854:  881E043D   lbz   r0,1085(r30)   r0 = 00000003   r30 = 9014B940   [9014BD7D] = 00000000

and repeat[/spoiler]
Here's the pastie if you want to see. http://pastie.org/2382522

The video came out really bad quality and it didn't even record the whole thing. I'll have to borrow someone's laptop. Or record with a camera(eww). I made a code so I can redo it at another time.
Rathian spawned, and I needed to record this. http://www.youtube.com/watch?v=8a1NmywzGUk
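An added example, not from the thread and not Gecko.NET code: a small Python analyser for Step Log dumps like the one posted above. It groups entries by the PC that reads or writes the watched byte, finds how many entries make up one repeat of the access pattern (one frame, provided the log spans at least two), and reports whether the watched value ever changed. The sample is the 19-line pattern above repeated twice, plus one constructed stb entry (the thread's store instruction with made-up register values) to show how a write site would show up.

```python
"""Analyse a Gecko.NET Step Log dump: which PCs read or write the watched
byte, how many entries make up one repeating (per-frame) access pattern,
and whether the watched value ever changes. Added example for this thread,
not from the posts and not Gecko.NET code."""
import re
from collections import Counter

# "PC:  WORD   mnemonic   operands   rX = val ...   [ADDR] = val"
ENTRY_RE = re.compile(r"^\s*([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{8})\s+(\S+)\s+(\S+)"
                      r".*?\[([0-9A-Fa-f]{8})\]\s*=\s*([0-9A-Fa-f]{8})")
LOADS = ("lbz", "lhz", "lwz", "lha", "lbzx", "lhzx", "lwzx")
STORES = ("stb", "sth", "stw", "stbx", "sthx", "stwx")

# The 19-entry pattern posted above, assembled from its three parts.
HEAD = """\
800F38BC:  8803043D   lbz   r0,1085(r3)   r0 = 0000000C   r3 = 9014B940   [9014BD7D] = 00000000
800F38D8:  8803043D   lbz   r0,1085(r3)   r0 = 00000000   r3 = 9014B940   [9014BD7D] = 00000000
801307B8:  8803043D   lbz   r0,1085(r3)   r0 = 801298C0   r3 = 9014B940   [9014BD7D] = 00000000
80129830:  881F043D   lbz   r0,1085(r31)   r0 = 00000003   r31 = 9014B940   [9014BD7D] = 00000000
"""
BBA4 = "8012BBA4:  8817043D   lbz   r0,1085(r23)   r0 = 00000000   r23 = 9014B940   [9014BD7D] = 00000000\n"
TAIL = """\
8012C9E0:  881A043D   lbz   r0,1085(r26)   r0 = 000000FF   r26 = 9014B940   [9014BD7D] = 00000000
8012CB44:  881A043D   lbz   r0,1085(r26)   r0 = 00000000   r26 = 9014B940   [9014BD7D] = 00000000
8012CBD8:  881A043D   lbz   r0,1085(r26)   r0 = 00000000   r26 = 9014B940   [9014BD7D] = 00000000
8012CC50:  881A043D   lbz   r0,1085(r26)   r0 = 00000000   r26 = 9014B940   [9014BD7D] = 00000000
8034664C:  881D043D   lbz   r0,1085(r29)   r0 = 00000000   r29 = 9014B940   [9014BD7D] = 00000000
8031E854:  881E043D   lbz   r0,1085(r30)   r0 = 00000003   r30 = 9014B940   [9014BD7D] = 00000000
"""
PATTERN = HEAD + BBA4 * 9 + TAIL
LOG = PATTERN * 2      # constructed: the pattern "and repeat"ed once, i.e. two frames
# Constructed entry (the thread's store instruction with made-up register values)
# to show what a write site looks like if a WBP ever fires among the reads.
WRITE_LINE = "80130788:  9883043D   stb   r4,1085(r3)   r4 = 00000002   r3 = 9014B940   [9014BD7D] = 00000002\n"


def parse_step_log(text):
    """Return (pc, mnemonic, operands, watched_addr, watched_val) per entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1), 16), m.group(3), m.group(4),
                            int(m.group(5), 16), int(m.group(6), 16)))
    return entries


def access_sites(entries):
    """Hit counts per PC, split into load sites and store sites."""
    loads, stores = Counter(), Counter()
    for pc, mnem, _ops, _addr, _val in entries:
        if mnem in LOADS:
            loads[pc] += 1
        elif mnem in STORES:
            stores[pc] += 1
    return loads, stores


def find_period(pcs):
    """Smallest p such that the PC sequence repeats every p entries; needs at
    least two full repetitions in the log, otherwise None."""
    for p in range(1, len(pcs) // 2 + 1):
        if all(pcs[i] == pcs[i + p] for i in range(len(pcs) - p)):
            return p
    return None


def summarize(text):
    """Everything the thread asks about a log, in one dict."""
    entries = parse_step_log(text)
    loads, stores = access_sites(entries)
    vals = [e[4] for e in entries]
    return {
        "entries": len(entries),
        "period": find_period([e[0] for e in entries]),
        "read_sites": dict(loads),
        "write_sites": dict(stores),
        "value_changed": any(a != b for a, b in zip(vals, vals[1:])),
    }
```

On the posted pattern the summary has a period of 19, eleven distinct read sites (8012BBA4 alone accounts for nine hits per frame) and no write sites at all, which is the "no WBPs in the list" observation made in the next post.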

dcx2

#8
Yes, Copy All Frames is great for following arguments as they get passed from one function call to the next.

A breakpoint is anything that can happen which causes the CPU to stop executing and let us take a look at things.  Many things can cause breakpoints.  In general, we use two types of breakpoints: data and instruction.  But any time a breakpoint condition is satisfied, CPU execution will stop.

The PowerPC in the Wii is 713 MHz.  Given 60 frames per second, this means it executes just under 12 million instructions per frame.  That's not technically true but it's good enough to make the point; a breakpoint condition (i.e. "read address 9014BD7D") can be satisfied many times per frame.

You will know a frame has passed when you see the screen jiggle.  Every time the screen jiggles, that's one frame.

---

I notice there are no WBPs in the list.  So, if you set a WBP on the address, the game just keeps moving until the monsters see you?  You might want to try spamming RWBP while you try to get into some monster's field of view, so you can see at what point the write takes place in this stream of reads.

---

Regarding Copy All Frames, this loop in the top frame looks interesting.  Your breakpoint is right in the middle.

The stuff at the very end is particularly interesting.  The loop is terminated when r27 = 6.  r27 is the loop index (the i in a classic for loop).  It increments once per loop.

r25 also increments every loop.  It's some sort of pointer running through an array of stuff.  Each array element is 16 bytes, hence the += 16 at the end of the loop.

r26 is keeping track of something.  When it b's to 800F38FC, it's skipping the r26 += 1.  It must be tracking a number of things that meet a certain criteria, because once r23 = 3 it bails out of the loop.

r31 is also some sort of pointer to an array.  However, these array elements are only 2 bytes each.  This is incremented in concert with r26, so r26 is probably the index for this array.

The loop is probably processing values that it pulls from the r25 array and when some of those values satisfies some conditions, some data is copied into the r31 array.  Can you think of anything that seems like a good candidate for looping over 6 or 3 times?  Is there like some maximum number of enemies that you can fight?  Some max number of allies?

[spoiler]|  |  |  |  |  |  |  |  800F3718:  2C1A0003   cmpwi   r26,3
|  |  |  |  |  |  |  |  800F371C:  408001F0   bge-   0x800f390c
|  |  |  |  |  |  |  |  800F3720:  A0190006   lhz   r0,6(r25)
|  |  |  |  |  |  |  |  800F3724:  2C000000   cmpwi   r0,0
|  |  |  |  |  |  |  |  800F3728:  418201D4   beq-   0x800f38fc
|  |  |  |  |  |  |  |  800F372C:  A8190004   lha   r0,4(r25)
|  |  |  |  |  |  |  |  800F3730:  2C000000   cmpwi   r0,0
|  |  |  |  |  |  |  |  800F3734:  418201C8   beq-   0x800f38fc
|  |  |  |  |  |  |  |  800F3738:  80190000   lwz   r0,0(r25)
|  |  |  |  |  |  |  |  800F373C:  5403043E   rlwinm   r3,r0,0,16,31
|  |  |  |  |  |  |  |  800F3740:  3881000C   addi   r4,r1,12
|  |  |  |  |  |  |  |  800F3744:  38A10008   addi   r5,r1,8
|  |  |  |  |  |  |  |  800F3748:  48050E99   bl   0x801445e0
|  |  |  |  |  |  |  |  800F374C:  5460063E   rlwinm   r0,r3,0,24,31
|  |  |  |  |  |  |  |  800F3750:  28000001   cmplwi   r0,1
|  |  |  |  |  |  |  |  800F3754:  408201A8   bne-   0x800f38fc
|  |  |  |  |  |  |  |  800F3758:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F375C:  88030000   lbz   r0,0(r3)
|  |  |  |  |  |  |  |  800F3760:  2C000000   cmpwi   r0,0
|  |  |  |  |  |  |  |  800F3764:  41820198   beq-   0x800f38fc
|  |  |  |  |  |  |  |  800F3768:  800301C8   lwz   r0,456(r3)
|  |  |  |  |  |  |  |  800F376C:  540007FE   rlwinm   r0,r0,0,31,31
|  |  |  |  |  |  |  |  800F3770:  2C000000   cmpwi   r0,0
|  |  |  |  |  |  |  |  800F3774:  41820188   beq-   0x800f38fc
|  |  |  |  |  |  |  |  800F3778:  480398B5   bl   0x8012d02c
|  |  |  |  |  |  |  |  800F377C:  2C030000   cmpwi   r3,0
|  |  |  |  |  |  |  |  800F3780:  4082017C   bne-   0x800f38fc
|  |  |  |  |  |  |  |  800F3784:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F3788:  A003001A   lhz   r0,26(r3)
|  |  |  |  |  |  |  |  800F378C:  B01F01DC   sth   r0,476(r31)
|  |  |  |  |  |  |  |  800F3790:  7FD8D214   add   r30,r24,r26
|  |  |  |  |  |  |  |  800F3794:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F3798:  88030003   lbz   r0,3(r3)
|  |  |  |  |  |  |  |  800F379C:  981E01E2   stb   r0,482(r30)
|  |  |  |  |  |  |  |  800F37A0:  4BFDBA79   bl   0x800cf218
|  |  |  |  |  |  |  |  800F37A4:  5460063E   rlwinm   r0,r3,0,24,31
|  |  |  |  |  |  |  |  800F37A8:  28000002   cmplwi   r0,2
|  |  |  |  |  |  |  |  800F37AC:  41820034   beq-   0x800f37e0
|  |  |  |  |  |  |  |  800F37B0:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F37B4:  7FA4EB78   mr   r4,r29
|  |  |  |  |  |  |  |  800F37B8:  480398FD   bl   0x8012d0b4
|  |  |  |  |  |  |  |  800F37BC:  28030001   cmplwi   r3,1
|  |  |  |  |  |  |  |  800F37C0:  40820018   bne-   0x800f37d8
|  |  |  |  |  |  |  |  800F37C4:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F37C8:  889D0008   lbz   r4,8(r29)
|  |  |  |  |  |  |  |  800F37CC:  4803E145   bl   0x80131910
|  |  |  |  |  |  |  |  800F37D0:  7C751B78   mr   r21,r3
|  |  |  |  |  |  |  |  800F37D4:  4800008C   b   0x800f3860
|  |  |  |  |  |  |  |  800F37D8:  3AA00000   li   r21,0
|  |  |  |  |  |  |  |  800F37DC:  48000084   b   0x800f3860
|  |  |  |  |  |  |  |  800F37E0:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F37E4:  7FA4EB78   mr   r4,r29
|  |  |  |  |  |  |  |  800F37E8:  480398CD   bl   0x8012d0b4
|  |  |  |  |  |  |  |  800F37EC:  28030001   cmplwi   r3,1
|  |  |  |  |  |  |  |  800F37F0:  40820044   bne-   0x800f3834
|  |  |  |  |  |  |  |  800F37F4:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F37F8:  889D0008   lbz   r4,8(r29)
|  |  |  |  |  |  |  |  800F37FC:  4803E115   bl   0x80131910
|  |  |  |  |  |  |  |  800F3800:  7C751B78   mr   r21,r3
|  |  |  |  |  |  |  |  800F3804:  2C030000   cmpwi   r3,0
|  |  |  |  |  |  |  |  800F3808:  40820058   bne-   0x800f3860
|  |  |  |  |  |  |  |  800F380C:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F3810:  7F84E378   mr   r4,r28
|  |  |  |  |  |  |  |  800F3814:  480398A1   bl   0x8012d0b4
|  |  |  |  |  |  |  |  800F3818:  28030001   cmplwi   r3,1
|  |  |  |  |  |  |  |  800F381C:  40820044   bne-   0x800f3860
|  |  |  |  |  |  |  |  800F3820:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F3824:  889C0008   lbz   r4,8(r28)
|  |  |  |  |  |  |  |  800F3828:  4803E0E9   bl   0x80131910
|  |  |  |  |  |  |  |  800F382C:  7C751B78   mr   r21,r3
|  |  |  |  |  |  |  |  800F3830:  48000030   b   0x800f3860
|  |  |  |  |  |  |  |  800F3834:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F3838:  7F84E378   mr   r4,r28
|  |  |  |  |  |  |  |  800F383C:  48039879   bl   0x8012d0b4
|  |  |  |  |  |  |  |  800F3840:  28030001   cmplwi   r3,1
|  |  |  |  |  |  |  |  800F3844:  40820014   bne-   0x800f3858
|  |  |  |  |  |  |  |  800F3848:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F384C:  889C0008   lbz   r4,8(r28)
|  |  |  |  |  |  |  |  800F3850:  4803E0C1   bl   0x80131910
|  |  |  |  |  |  |  |  800F3854:  48000008   b   0x800f385c
|  |  |  |  |  |  |  |  800F3858:  38600000   li   r3,0
|  |  |  |  |  |  |  |  800F385C:  7C751B78   mr   r21,r3
|  |  |  |  |  |  |  |  800F3860:  2C150000   cmpwi   r21,0
|  |  |  |  |  |  |  |  800F3864:  4082000C   bne-   0x800f3870
|  |  |  |  |  |  |  |  800F3868:  9AFE01E5   stb   r23,485(r30)
|  |  |  |  |  |  |  |  800F386C:  48000008   b   0x800f3874
|  |  |  |  |  |  |  |  800F3870:  9ADE01E5   stb   r22,485(r30)
|  |  |  |  |  |  |  |  800F3874:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F3878:  88030003   lbz   r0,3(r3)
|  |  |  |  |  |  |  |  800F387C:  28000014   cmplwi   r0,20
|  |  |  |  |  |  |  |  800F3880:  4082003C   bne-   0x800f38bc
|  |  |  |  |  |  |  |  800F3884:  8803043D   lbz   r0,1085(r3)
|  |  |  |  |  |  |  |  800F3888:  28000001   cmplwi   r0,1
|  |  |  |  |  |  |  |  800F388C:  4182001C   beq-   0x800f38a8
|  |  |  |  |  |  |  |  800F3890:  28000002   cmplwi   r0,2
|  |  |  |  |  |  |  |  800F3894:  41820014   beq-   0x800f38a8
|  |  |  |  |  |  |  |  800F3898:  481BC3ED   bl   0x802afc84
|  |  |  |  |  |  |  |  800F389C:  5460063E   rlwinm   r0,r3,0,24,31
|  |  |  |  |  |  |  |  800F38A0:  28000003   cmplwi   r0,3
|  |  |  |  |  |  |  |  800F38A4:  4082000C   bne-   0x800f38b0
|  |  |  |  |  |  |  |  800F38A8:  9ADE01EB   stb   r22,491(r30)
|  |  |  |  |  |  |  |  800F38AC:  48000008   b   0x800f38b4
|  |  |  |  |  |  |  |  800F38B0:  9AFE01EB   stb   r23,491(r30)
|  |  |  |  |  |  |  |  800F38B4:  9AFE01E8   stb   r23,488(r30)
|  |  |  |  |  |  |  |  800F38B8:  48000038   b   0x800f38f0
|  |  |  |  |  |  |  |  800F38BC:  8803043D   lbz   r0,1085(r3)
|  |  |  |  |  |  |  |  800F38C0:  28000001   cmplwi   r0,1
|  |  |  |  |  |  |  |  800F38C4:  4082000C   bne-   0x800f38d0
|  |  |  |  |  |  |  |  800F38C8:  9ADE01EB   stb   r22,491(r30)
|  |  |  |  |  |  |  |  800F38CC:  48000008   b   0x800f38d4
|  |  |  |  |  |  |  |  800F38D0:  9AFE01EB   stb   r23,491(r30)
|  |  |  |  |  |  |  |  800F38D4:  8061000C   lwz   r3,12(r1)
|  |  |  |  |  |  |  |  800F38D8:  8803043D   lbz   r0,1085(r3)
|  |  |  |  |  |  |  |  800F38DC:  28000002   cmplwi   r0,2
|  |  |  |  |  |  |  |  800F38E0:  4082000C   bne-   0x800f38ec
|  |  |  |  |  |  |  |  800F38E4:  9ADE01E8   stb   r22,488(r30)
|  |  |  |  |  |  |  |  800F38E8:  48000008   b   0x800f38f0
|  |  |  |  |  |  |  |  800F38EC:  9AFE01E8   stb   r23,488(r30)
|  |  |  |  |  |  |  |  800F38F0:  9ADE01D9   stb   r22,473(r30)
|  |  |  |  |  |  |  |  800F38F4:  3BFF0002   addi   r31,r31,2
|  |  |  |  |  |  |  |  800F38F8:  3B5A0001   addi   r26,r26,1
|  |  |  |  |  |  |  |  800F38FC:  3B7B0001   addi   r27,r27,1
|  |  |  |  |  |  |  |  800F3900:  3B390010   addi   r25,r25,16
|  |  |  |  |  |  |  |  800F3904:  2C1B0006   cmpwi   r27,6
|  |  |  |  |  |  |  |  800F3908:  4180FE10   blt+   0x800f3718
[/spoiler]

Another interesting thing is that there are a great many branches to 800F390C.  This takes you past the end of the loop to the function epilogue.  Basically it's many different ways to leave the function.  This one is at the very beginning.  It's the equivalent of "if (r3 == 0) return;"

|  |  |  |  |  |  |  |  800F3678:  2C030000   cmpwi   r3,0
|  |  |  |  |  |  |  |  800F367C:  41820290   beq-   0x800f390c

It might be interesting to turn the beq- into a b.  (i.e. 800F367C:  48000290  b 0x800f390c)  This would basically prevent the function from ever running.  I wonder what happens.

Stuff

Yeah. WBP will breakpoint when the monster sees me, or if the monster untargets me. Which would take forever without poking the address.

The only thing I can think of that would be 3 is number of players if it starts at 0(4 players online). But I can't think of anything that could count up to 6. I've seen more than 6 minions, I've never seen more than 3 bosses at once, and 3 was via custom quests. A max of about 64 objects in one area at once including projectiles(impossible without some sort of modding. Set infinite bombs/traps and you can see that limit). Maybe monsters have 6 senses? XD

Quote: r23 = 3 it bails out of the

r26? I don't see a cmp r23

Quote from: dcx2 on August 17, 2011, 03:49:07 AM
Another interesting thing is that there are a great many branches to 800F390C.  This takes you past the end of the loop to the function epilogue.  Basically it's many different ways to leave the function.  This one is at the very beginning.  It's the equivalent of "if (r3 == 0) return;"

|  |  |  |  |  |  |  |  800F3678:  2C030000   cmpwi   r3,0
|  |  |  |  |  |  |  |  800F367C:  41820290   beq-   0x800f390c

It might be interesting to turn the beq- into a b.  (i.e. 800F367C:  48000290  b 0x800f390c)  This would basically prevent the function from ever running.  I wonder what happens.

I did that and nothing happened. Jaggi saw me and that's it. But why would that have prevented the function from happening? Instead of branch if equal, it's branch always.
.make Stuff happen.
Dropbox. If you don't have one, get it NOW! +250MB free if you follow my link :p.

Mod code Generator ~50% complete but very usable:
http://dl.dropbox.com/u/24514984/modcodes/modcodes.htm

dcx2

Quote from: Stuff on August 18, 2011, 04:30:18 AM
r26? I don't see a cmp r23
The r26 check is at the beginning of the loop.

Quote: I did that and nothing happened. Jaggi saw me and that's it. But why would that have prevented the function from happening? Instead of branch if equal, it's branch always.
What do you mean, "nothing happened"?  As in, changing the beq to b made no difference?

It prevents the function from happening because it branches over all the "work", straight to the end.  Double click that b, or just go to 800F390C, and you will see that it's popping the regs off the stack and getting ready to blr back to the caller.

Stuff

Oh. Well yeah, it didn't change anything. Just did a RWBP after changing it to b 0x800f390c. It gave me a very different copy all frames. >.>. This time it was too big for pastie. http://dl.dropbox.com/u/24514984/copyallframes%20after%2048000290.htm

Actually, I think chacha should have an eye icon next to his name too. He was being targeted, though. I'll do it regular later.

dcx2

This is where hacking can become tedious.  Meticulously "remove" or alter one function at a time, and take notes about what changed.  Eventually you will hit the jackpot.

Here's what looks interesting in your latest Copy All Frames.

[spoiler]801307A4: 9421FFF0 stwu r1,-16(r1)
801307A8: 7C0802A6 mflr r0
801307AC: 90010014 stw r0,20(r1)
801307B0: 93E1000C stw r31,12(r1)
801307B4: 7C7F1B78 mr r31,r3
801307B8: 8803043D lbz r0,1085(r3)
801307BC: 2C000001 cmpwi r0,1
801307C0: 41820010 beq- 0x801307d0
801307C4: 2C000002 cmpwi r0,2
801307C8: 41820054 beq- 0x8013081c
801307CC: 48000064 b 0x80130830

801307D0: 4BFF5865 bl 0x80126034
801307D4: 881F038F lbz r0,911(r31)
801307D8: 2C000000 cmpwi r0,0
801307DC: 41820010 beq- 0x801307ec
801307E0: 38000000 li r0,0
801307E4: B01F0442 sth r0,1090(r31)
801307E8: 48000048 b 0x80130830
801307EC: A89F0442 lha r4,1090(r31)
801307F0: 38040001 addi r0,r4,1
801307F4: B01F0442 sth r0,1090(r31)
801307F8: 7C040734 extsh r4,r0
801307FC: 80630058 lwz r3,88(r3)
80130800: A8030002 lha r0,2(r3)
80130804: 7C040000 cmpw r4,r0
80130808: 40810028 ble- 0x80130830
8013080C: 7FE3FB78 mr r3,r31
80130810: 38800000 li r4,0
80130814: 4BFFFF65 bl 0x80130778
80130818: 48000018 b 0x80130830

8013081C: 8803038F lbz r0,911(r3)
80130820: 2C000000 cmpwi r0,0
80130824: 4082000C bne- 0x80130830
80130828: 38800000 li r4,0
8013082C: 4BFFFF4D bl 0x80130778
80130830: 83E1000C lwz r31,12(r1)
80130834: 80010014 lwz r0,20(r1)
80130838: 7C0803A6 mtlr r0
8013083C: 38210010 addi r1,r1,16
80130840: 4E800020 blr

[/spoiler]

The green bold part is asking whether the byte of interest is 0, 1, or 2.  If it is 0, then this function will do nothing by branching to the function epilogue (the red bold).  The function epilogue is the inverse of the function prologue (in black).  It pops the non-volatile registers off the stack (lwz r31), reads the LR save word so it can return to the caller (lwz r0/mtlr r0), destroys the current stack frame (addi r1), and then returns to the caller (blr).  All function epilogues generally follow a similar pattern, so that's how you know it is asking "if (1085(r3) == 0) return;"

In the event of a 1085(r3) == 1, the blue part is executed.  Note how there are multiple checks in the blue part that allow it to "bail out early" (by branching to the epilogue).

When 1085(r3) == 2, the purple part is executed.

To "nop" this whole function, you can replace 801307A4: 9421FFF0 stwu r1,-16(r1)  with a blr (i.e. 801307A4: 4E800020 blr).

EDIT:

Looking at the blue part some more, I see something interesting.  The value in 1090(r31) is reset when 911(r31) != 0.  When 911(r31) == 0, instead it appears to increment every frame.  It then also retrieves a value from a pointer-in-pointer and compares that to the incremented value; "if (r4 <= [[r3+88]+2]) return;"  Note that in this case, r3 == r31 == monster pointer.

When r4 becomes greater than [[r3+88]+2], it will load the monster pointer into r3, 0 into r4, and then call 80130778.  What's interesting is that in the purple section, if 911(r3) == 0 (same as the blue code's test for incrementing 1090(r31)), it loads the same arguments and calls the same function.

It would be nice to know exactly what 911(r31) and 1090(r31) mean.  1090(r31) is very close to your current value of interest, 1085(r31).  911(r31) isn't that far away.
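The tricks dcx2 walks through above (reading a beq-/bne-/blt+ word to find where it lands, rewriting a conditional branch as an unconditional b to the same target, writing a blr over a function's first instruction, and spotting the many branches that all land on the epilogue) are mechanical once you know the two PowerPC branch encodings. The script below is an added example written for this thread, not code from either poster or from Dolphin. It decodes the I-form (b/bl) and B-form (bc) words Dolphin shows, re-encodes them, and scans a Dolphin-style listing for every branch to a given epilogue address. Assumptions: the Gekko/Broadway encodings; the static prediction rule Dolphin's disassembler uses for the +/- hint (backward branch predicted taken); only the cr0 conditions that appear in this thread get named mnemonics, anything else comes back as a generic "bc". The sample listing is an excerpt transcribed from dcx2's spoiler, not the whole function.

```python
"""PowerPC branch words as seen in Dolphin listings: decode, re-encode, find exits.

Added example for this thread (not the posters' or Dolphin's code).  Assumes the
Gekko/Broadway encodings: I-form  b  = opcode 18 | LI (24 bits) | AA | LK and
B-form  bc = opcode 16 | BO | BI | BD (14 bits) | AA | LK.
"""
import re

OP_B = 18             # b, bl, ba, bla
OP_BC = 16            # bc and its extended forms (beq, bne, blt, ...)
BLR = 0x4E800020      # "blr": the word dcx2 suggests writing over a function's stwu
NOP = 0x60000000      # "ori r0,r0,0": what Dolphin writes when you nop an instruction

# cr0 bit names and the mnemonic for "branch if that bit is set / clear".
CR_BIT = {0: "lt", 1: "gt", 2: "eq", 3: "so"}
IF_TRUE = {"lt": "blt", "gt": "bgt", "eq": "beq", "so": "bso"}
IF_FALSE = {"lt": "bge", "gt": "ble", "eq": "bne", "so": "bns"}


def _sext(value, bits):
    """Sign-extend the low `bits` bits of `value`."""
    sign = 1 << (bits - 1)
    return ((value & ((1 << bits) - 1)) ^ sign) - sign


def decode_branch(addr, word):
    """Return (mnemonic, target) for a branch word located at addr,
    ('blr', None) for blr, or None when the word is not a branch at all."""
    if word == BLR:
        return ("blr", None)
    opcode = word >> 26
    aa, lk = (word >> 1) & 1, word & 1
    if opcode == OP_B:
        off = _sext(word & 0x03FFFFFC, 26)
        target = off & 0xFFFFFFFF if aa else (addr + off) & 0xFFFFFFFF
        return ("b" + ("l" if lk else "") + ("a" if aa else ""), target)
    if opcode == OP_BC:
        bo, bi = (word >> 21) & 0x1F, (word >> 16) & 0x1F
        off = _sext(word & 0xFFFC, 16)
        target = off & 0xFFFFFFFF if aa else (addr + off) & 0xFFFFFFFF
        if bi >= 4:                      # cr1..cr7: not used in this thread
            return ("bc", target)
        cond = CR_BIT[bi]
        if bo & 0x1E == 0x0C:            # BO = 0110y: branch if the CR bit is set
            mnem = IF_TRUE[cond]
        elif bo & 0x1E == 0x04:          # BO = 0010y: branch if the CR bit is clear
            mnem = IF_FALSE[cond]
        else:                            # CTR-decrementing forms: not needed here
            return ("bc", target)
        if lk:
            mnem += "l"
        # Static prediction: a backward branch is predicted taken ("+"), a forward
        # one not taken ("-"); the y bit (low bit of BO) flips that.  This is the
        # hint Dolphin shows as bne- / blt+ in the listings above.
        taken = (off < 0) != bool(bo & 1)
        return (mnem + ("+" if taken else "-"), target)
    return None


def encode_b(addr, target, link=False):
    """Encode a relative `b target` (or `bl target`) to be placed at addr."""
    off = target - addr
    if off % 4 or not -0x2000000 <= off <= 0x1FFFFFC:
        raise ValueError("target out of range for a relative b")
    return (OP_B << 26) | (off & 0x03FFFFFC) | int(link)


def make_unconditional(addr, word):
    """dcx2's trick: rewrite the conditional bc at addr as a plain b to the same
    target, so the bail-out path is always taken."""
    if word >> 26 != OP_BC or (word >> 1) & 1:
        raise ValueError("expected a relative bc word")
    _, target = decode_branch(addr, word)
    return encode_b(addr, target, link=bool(word & 1))


LINE_RE = re.compile(r"([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{8})\s+(\S+)")


def find_exits(listing, epilogue):
    """(addr, mnemonic) of every branch in a Dolphin listing that lands on
    `epilogue`: the "many different ways to leave the function"."""
    exits = []
    for line in listing.splitlines():
        m = LINE_RE.search(line)           # tolerates the "|  |  |" prefixes too
        if not m:
            continue
        addr, word = int(m.group(1), 16), int(m.group(2), 16)
        decoded = decode_branch(addr, word)
        if decoded and decoded[1] == epilogue:
            exits.append((addr, decoded[0]))
    return exits


# Excerpt of the 801307A4 function transcribed from dcx2's spoiler (not complete).
SAMPLE_LISTING = """\
801307A4: 9421FFF0 stwu r1,-16(r1)
801307B8: 8803043D lbz r0,1085(r3)
801307BC: 2C000001 cmpwi r0,1
801307C0: 41820010 beq- 0x801307d0
801307C4: 2C000002 cmpwi r0,2
801307C8: 41820054 beq- 0x8013081c
801307CC: 48000064 b 0x80130830
801307D0: 4BFF5865 bl 0x80126034
801307E8: 48000048 b 0x80130830
80130808: 40810028 ble- 0x80130830
80130818: 48000018 b 0x80130830
80130824: 4082000C bne- 0x80130830
80130830: 83E1000C lwz r31,12(r1)
80130840: 4E800020 blr
"""

if __name__ == "__main__":
    print(decode_branch(0x800F367C, 0x41820290))             # ('beq-', 0x800f390c)
    print(hex(make_unconditional(0x800F367C, 0x41820290)))   # 0x48000290
    for addr, mnem in find_exits(SAMPLE_LISTING, 0x80130830):
        print(f"{addr:08X} {mnem} -> epilogue")
```

Running it reproduces the numbers quoted in the thread: 41820290 at 800F367C decodes to beq- 0x800f390c and re-encodes as 48000290 (b 0x800f390c), 4803E0C1/48039879 decode as the bl words in the loop body, and the excerpt of 801307A4 yields five separate branches into the epilogue at 80130830 before the blr. The encoder refuses targets beyond the 26-bit relative range, which is the check to keep in mind when you hand-write a b to somewhere far away in memory.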

Stuff

Hope it's alright to revive this. Where we left off, we were speaking in some alien language that I wasn't familiar with. I was seriously just following your lead. I had no idea what I was doing. I still don't understand what this call stack thing is. afaik, it returns bl's that don't lead to my BP. But whatever. I want this code to happen. And now I think we can have a 2 way conversation when talking about this. It's a lot to take in to refresh my memory, so I'll just respond to the last post for now:

In the spoiler, it looks like it might be just another RBP. 1085(r3) == [9014BD7D] and that's the "awareness level" (for the 1st monster). It checks if it's 1, and if so, the blue part doesn't execute. It branches to 80126034. If it's 2, it checks [9014BCCF]. I don't know what's there. I'll check later and make some guesses. It was 01 while fighting rathian. Looks like r31 is the same as r3 atm. But you said that. 8013080C: 7FE3FB78 mr r3,r31 must've happened already. Just a wild guess though. I can't really say what 1090(r31) is. In memory it's 7FFF0000. That's all for now.

dcx2

The call stack shows you how the execution got to where it was.  When a function calls another function, the new function is added to the call stack.  If that function calls a third function, the third one is also added to the call stack.  For instance, double click the top of the call stack and you'll see the current instruction.  Double click the address below the top of the call stack, and you'll be taken to the bl which goes to the current instruction.

I think you have it backwards.  If 1085(r3) == 1, the blue part is executed.  Try changing    801307C0: 41820010 beq- 0x801307d0  into a nop and see what happens.