Kill an enemy to restore health super mario galaxy.

Started by toonlink444, December 22, 2011, 12:29:47 AM


toonlink444

Here's my new code.
C20848FC 00000004
38000000 B01C0566
3EC08049 62D6292B
82D60000 92D60004
60000000 00000000
The assembly
li r0,0              # make r0 = 00000000
sth r0,1382(r28)     # Original instruction
lis r22, 0x8049
ori r22,r22,0x292B   # load address 8049292B into r22
lwz r22,0(r22)       # read the word at r22 (8049292B) into r22 (r22 now holds the value, not the address)
stw r22,4(r22)       # intended: add 4 and store back; actually stores r22 to memory at r22+4
nop
But every time an enemy dies the game freezes. What do the stw and lwz need to contain?
In the begining there was nothing. Then it exploded
New blog!! Check it out for hacking Smash Bros Brawl!! http://letshackblank.blogspot.com/

matt123337

Sorry, but I didn't realize that health was a 16-bit number, and your stw isn't done quite right.

Try this:

lis r22, 0x8049
ori r22,r22,0x292B   # load address 8049292B into r22
lhz r0,0(r22)        # read the halfword at r22 (8049292B) into r0
addi. r0,r0,4        # add 4 to your health
sth r0,0(r22)        # store back to 0x8049292B
li r0,0              # make r0 = 00000000
sth r0,1382(r28)     # Original instruction


Stuff

Unless you know r22 is safe, you might want to use r12 or r11; I've never used more than 2, so idk what else. If you don't see r22 being loaded to before anything else happens with it, it's probably not safe and would be the reason it freezes.
.make Stuff happen.
Dropbox. If you don't have one, get it NOW! +250MB free if you follow my link :p.

Mod code Generator ~50% complete but very usable:
http://dl.dropbox.com/u/24514984/modcodes/modcodes.htm

matt123337

Quote from: Stuff on December 25, 2011, 06:41:12 PM
unless you know r22 is safe, you might want to use r12,r11, and I've never used more than 2 so idk what else. If you don't see r22 being loaded to before anything else happens with it, it's probably not safe and would be the reason it freezes.
What would make you think that r12 and r11 are safer than r22? As dcx2 has said many times, there is no "safe" register; it all depends on the function that you're hooking.

Btw, the reason why it was crashing was because he was loading a value, then was trying to write that same value to the address of the value + 4.

Stuff

Quote from: dcx2 on July 31, 2010, 07:51:42 PM
the Spectrum of Safety

safest --- safer --- safe --- ?? --- unsafe --- unsafer --- unsafest
r12   r11   r10-r5     r4-r3     r0       r31-r?       r14-r31    r1    r2,r13

....

The safest register is r12.  r12 is used exclusively (at least to my knowledge) to load the ctr preceding a bctr[l]; this means there's only a one-instruction long "unsafe" window and it's very rare to encounter.  Unusual, but quite fortunate for us.  You pretty much never have to worry about the contents of r12.

....

r11 is the next safest register.  I think I have only ever seen r11 used to cache the stack pointer.  It is never used to pass parameters into a function, so it is safe after a bl (i.e. at the entry point of a function).  The function called does not have to preserve its contents, so it is guaranteed to be safe after a blr.

The rest of that post is pretty awesome too.

But I understand that writing to (where you loaded from)+4 might be a cause. But if r22 isn't safe atm, it's more likely to be r22. And I lean towards r22 being the cause because I would imagine current HP and max HP being next to each other, followed by other player stats. Why would the game freeze for a change in max HP or stats? The worst that can happen is you'll have 0 of something.

matt123337

Could you link me to that post? I haven't seen it, and that MAY be true, but doing what I said above is the best way of making sure a register is safe (or using a stack frame :P)

And I know for a fact that r22 wasn't the cause of the crash; let's run a little simulation with his code, shall we?

I'm assuming that:
0x8049292B is player's HP
the player's HP is 4

li r0,0
sth r0,1382(r28) # sets enemy's HP to 0 (kills it)
lis r22, 0x8049
ori r22,r22,0x292B # load HP address into r22
lwz r22,0(r22) # read 0x0004 from 0x8049292B into r22
stw r22,4(r22) # write value of r22(0x00000004) to value of r22 + 4 (0x00000004 + 4 = 0x00000008)

now is 0x00000008 a valid address?

Now my edited code:

lis r22, 0x8049
ori r22,r22,0x292B # load address 0x8049292B into r22
lhz r0,0(r22) # loads 0x0004 from value of r22 (0x8049292B) into r0
addi. r0,r0,4 # adds 4 to r0 (your HP) and stores it back into r0
sth r0,0(r22) # stores value of r0 (0x0008) back to value of r22 + 0 (0x8049292B + 0)
li r0,0 # make r0 = 00000000
sth r0,1382(r28) # set enemy's HP to 0
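
The simulation above, carried out in code. This is an added example, not code from the thread: a minimal model of the lwz/lhz/stw/sth semantics with an address-range check, run over both versions of the hook. The mapped range (Wii MEM1), the r28 value and the starting HP of 4 are constructed assumptions.

```python
MEM1_START, MEM1_END = 0x80000000, 0x81800000   # assumed mapped range (Wii MEM1)
HP_ADDR = 0x8049292B                            # HP address used in the thread

class BadAddress(Exception):
    """Raised when a load/store hits an address the game does not map."""

class Cpu:
    def __init__(self):
        self.r = [0] * 32      # GPRs
        self.mem = {}          # sparse big-endian byte memory (constructed)

    def _ea(self, ra, d, size):
        ea = (self.r[ra] + d) & 0xFFFFFFFF
        if not (MEM1_START <= ea and ea + size <= MEM1_END):
            raise BadAddress(f"effective address {ea:#010x} is not mapped")
        return ea

    def load(self, ra, d, size):        # lhz (size 2) / lwz (size 4)
        ea = self._ea(ra, d, size)
        return int.from_bytes(bytes(self.mem.get(ea + i, 0) for i in range(size)), "big")

    def store(self, rs, ra, d, size):   # sth (size 2) / stw (size 4)
        ea = self._ea(ra, d, size)
        for i, b in enumerate(self.r[rs].to_bytes(4, "big")[4 - size:]):
            self.mem[ea + i] = b

def fresh_cpu(hp=4):
    """Constructed state: HP halfword = hp at HP_ADDR, r28 pointing at an enemy."""
    cpu = Cpu()
    cpu.r[28] = 0x80500000
    cpu.mem[HP_ADDR], cpu.mem[HP_ADDR + 1] = 0, hp
    return cpu

def original_code(cpu):
    cpu.r[22] = HP_ADDR                     # lis r22,0x8049 ; ori r22,r22,0x292B
    cpu.r[22] = cpu.load(22, 0, 4)          # lwz r22,0(r22): r22 now holds data, not the address
    cpu.store(22, 22, 4, 4)                 # stw r22,4(r22): EA = (loaded value) + 4 -> unmapped

def fixed_code(cpu):
    cpu.r[22] = HP_ADDR
    cpu.r[0] = cpu.load(22, 0, 2)           # lhz r0,0(r22)
    cpu.r[0] = (cpu.r[0] + 4) & 0xFFFFFFFF  # addi r0,r0,4
    cpu.store(0, 22, 0, 2)                  # sth r0,0(r22)
    cpu.r[0] = 0                            # li r0,0
    cpu.store(0, 28, 1382, 2)               # sth r0,1382(r28) (original instruction)
    return cpu.load(22, 0, 2)               # new HP

def run(code):                              # returns new HP, or the crash reason
    try:
        return code(fresh_cpu())
    except BadAddress as e:
        return str(e)
```

Note that lwz reads the HP halfword plus the two bytes after it, so the bad effective address is (0x0004xxxx + 4); either way it is nowhere near mapped memory.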

Stuff

ah. I didn't even notice he loaded to r22. >.<. lol.

You can click the "Quote from:" to go to the post. So far r12 and r11 haven't failed me.

matt123337

Quote from: Stuff on December 25, 2011, 11:31:23 PM
ah. I didn't even notice he loaded to r22. >.<. lol.

You can click the "Quote from:" to go to the post. So far r12 and r11 haven't failed me.
Odd, earlier the Quote from wasn't a link (or so I thought :S)

Oh and toon, I think Mario's health moves based upon the level you're on. Try to find a pointer for it, and then we can show you what to do from there ;)

Edit: yeah, there is a pointer; I got it from:

Infinite Health [dexter0]
48000000 806B7B40
14000380 00000003
E0000000 80008000

so the pointer is [0x806B7B40] + 0x380, so toon, you were actually on the right track... The code would be like this:

lis r22, 0x806B
ori r22,r22,0x7B40   # load address 0x806B7B40 into r22
lwz r22,0x380(r22)   # read HP address from pointer
lhz r0,0(r22)        # reads actual HP into r0
addi. r0,r0,4        # add 4 to your health
sth r0,0(r22)        # store back to HP address stored in r22
li r0,0              # make r0 = 00000000
sth r0,1382(r28)     # Original instruction

dcx2

Quote from: megazig on December 25, 2011, 07:26:50 AM
careful stuff. lwz takes a SIMM. so lower half >= 0x8000 will actually change your upper half

megazig is correct, that's why the template Stuff pasted uses @ha.  @ha causes GNU's as assembler to account for sign extension.  Note that @ha should NEVER be used with ori!  @h is used with ori instead, because ori does not sign extend the immediate.
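
The @h/@ha distinction worked through in code, as an added example rather than anything from the thread or from GNU as: `lis`+`ori` takes an unsigned low half, while `lwz d(rA)` and `addi` sign-extend the 16-bit displacement, so a low half of 0x8000 or more needs the high half bumped by one. The second address, 0x806BFB40, is constructed to have a low half above 0x8000.

```python
def lo(addr):
    """@l: low 16 bits of the address."""
    return addr & 0xFFFF

def h(addr):
    """@h: plain high 16 bits; pair with ori (unsigned immediate)."""
    return (addr >> 16) & 0xFFFF

def ha(addr):
    """@ha: high half adjusted for the sign of @l; pair with lwz/addi."""
    return ((addr + 0x8000) >> 16) & 0xFFFF

def simm(d):
    """Sign-extend a 16-bit displacement the way lwz/addi interpret it."""
    d &= 0xFFFF
    return d - 0x10000 if d & 0x8000 else d

def lis_ori(addr):
    """lis rX,@h ; ori rX,rX,@l -> value left in rX."""
    return ((h(addr) << 16) | lo(addr)) & 0xFFFFFFFF

def lis_lwz_ea(addr, hi):
    """lis rX,hi ; lwz rY,@l(rX) -> effective address the load actually uses."""
    return ((hi << 16) + simm(lo(addr))) & 0xFFFFFFFF

def check(addr):
    """Which of the three idioms reproduces the intended address."""
    return {
        "ori": lis_ori(addr) == addr,
        "lwz with @h": lis_lwz_ea(addr, h(addr)) == addr,
        "lwz with @ha": lis_lwz_ea(addr, ha(addr)) == addr,
    }
```

For 0x8049292B every idiom works because 0x292B is below 0x8000; for 0x806BFB40 only ori and the @ha form do, and @h with lwz silently lands 0x10000 bytes low.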

Quote from: matt123337 on December 25, 2011, 09:10:30 PM
What would make you think that r12 and r11 are safer than r22? As dcx2 has said many times, there is no "safe" register; it all depends on the function that you're hooking.

r12 and r11 are volatile registers that will never be used for passing arguments to functions.  That makes them the two safest registers.  Since r11 is occasionally doing stack-related stuff, it gives me the heeby-jeebies to mess with it, so I prefer r12.  r10-r3 are used to pass arguments to functions.  The compiler prefers smaller registers, so if you need more than r12 and r11, you can work with r10 on down.  Careful review of the function will show when one of these registers isn't safe.  r3 and r4 can return values to the caller, but r5-r10 are input-arguments only, so after returning from a bl you know r10-r5 are safe.  I suppose that a compiler looking for maximum efficiency could theoretically use the volatile regs as local variables, but only in-between function calls.

---

toon, if you get a crash, go to the BP tab and press "Step Into".  It will show you what crashed.  If this happens, you can post the registers and disasm and folks will probably be able to figure out why it crashed.

As far as your goal, I would hook whatever ASM runs when an enemy gets killed.  Chances are there's a pointer to Mario somewhere in the registers, because it would want to know who killed the enemy.  If not, you'll need a second hook that stores Mario's pointer somewhere.  You can try dexter0's pointer, but it's not always valid. =(

I'm not sure how to approach finding the first hook, though.  You could try setting WBP on Mario's HP, and then look at the call stack when he gets hurt.  Chances are that when Mario hits enemies, some of the call stack will be the same.  So try setting XBP's on all the call stack addresses, starting from the top, and try to kill enemies.  If one hits, then you might be able to use that.

As far as enemies who can withstand multiple hits, so that you can try repeated searches, I would avoid bosses even though they are a tempting target.  Go for those centipede-like common enemies, who lose one body part each time you hit them.

toonlink444

Alright, I made a code for Zelda TP using these tactics and it worked, so I will try again on Super Mario Galaxy.

toonlink444

Been away for a while, so would I put the WBP on the pointer?

Bully@Wiiplaza

Quote from: toonlink444 on January 08, 2012, 09:36:07 PM
Been away for a while so would I put the wbp on the pointer?
Include reading from the health pointer in your code and find a hook that only runs once when you kill an enemy.
Then, do "add 1" and "store new health" inside your assembly and you're done. :)
This definitely isn't an easy code to make, though. Can you do it? ;D
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

toonlink444

I'm going to make it a 1-hit kill now. Btw, where are the enemies dcx2 is talking about?