Problems with "moving" ASM when code applied...

Started by Bully@Wiiplaza, December 04, 2010, 03:18:46 PM

Bully@Wiiplaza

I sometimes encounter this annoying problem.

I try to breakpoint read an address and want to write with lis, ori, stb, lbz my new value. -> go to code template.

After I have applied the new code, I checked the value. No, it didn't work, let's set our read breakpoint again.
It hits and shows me the same instruction again, but with a different address. I'll hook this address, got the same problem again.
What can I do to make it work finally? :confused:

the function:
[spoiler]8047C388:  9421FFA0   stwu   r1,-96(r1)
8047C38C:  7C0802A6   mflr   r0
8047C390:  90010064   stw   r0,100(r1)
8047C394:  39610060   addi   r11,r1,96
8047C398:  4BBE1ADD   bl   0x8005de74
8047C39C:  7C7B1B78   mr   r27,r3
8047C3A0:  7C9C2378   mr   r28,r4
8047C3A4:  3FE080A2   lis   r31,-32606
8047C3A8:  3BFF7750   addi   r31,r31,30544
8047C3AC:  800337A8   lwz   r0,14248(r3)
8047C3B0:  2C000000   cmpwi   r0,0
8047C3B4:  4082000C   bne-   0x8047c3c0
8047C3B8:  38600000   li   r3,0
8047C3BC:  48000354   b   0x8047c710
8047C3C0:  80BF0160   lwz   r5,352(r31)
8047C3C4:  88050018   lbz   r0,24(r5) -> hit address
8047C3C8:  2C000000   cmpwi   r0,0
8047C3CC:  40820040   bne-   0x8047c40c
8047C3D0:  4BFFFEB9   bl   0x8047c288
8047C3D4:  7C771B78   mr   r23,r3
8047C3D8:  480FD17D   bl   0x80579554
8047C3DC:  809F0118   lwz   r4,280(r31)
8047C3E0:  80040018   lwz   r0,24(r4)
8047C3E4:  7F030050   sub   r24,r0,r3
8047C3E8:  480FD16D   bl   0x80579554
8047C3EC:  7C661B78   mr   r6,r3
8047C3F0:  7F63DB78   mr   r3,r27
8047C3F4:  7F84E378   mr   r4,r28
8047C3F8:  7EE5BB78   mr   r5,r23
8047C3FC:  7F07C378   mr   r7,r24
8047C400:  4800CFA1   bl   0x804893a0
8047C404:  38600000   li   r3,0
8047C408:  48000308   b   0x8047c710
8047C40C:  800337A4   lwz   r0,14244(r3)
8047C410:  2C000000   cmpwi   r0,0
8047C414:  4182000C   beq-   0x8047c420
8047C418:  38600000   li   r3,0
8047C41C:  480002F4   b   0x8047c710
8047C420:  3861001C   addi   r3,r1,28
8047C424:  38800000   li   r4,0
8047C428:  38A00014   li   r5,20
8047C42C:  4BB87F25   bl   0x80004350
8047C430:  7F63DB78   mr   r3,r27
8047C434:  4BFFFD51   bl   0x8047c184
8047C438:  7C7E1B78   mr   r30,r3
8047C43C:  3BA00000   li   r29,0
8047C440:  3F2080C5   lis   r25,-32571
8047C444:  3F4080C7   lis   r26,-32569
8047C448:  48000164   b   0x8047c5ac
8047C44C:  1EFE0050   mulli   r23,r30,80
8047C450:  7C7BBA14   add   r3,r27,r23
8047C454:  3BA30164   addi   r29,r3,356
8047C458:  7F63DB78   mr   r3,r27
8047C45C:  7F84E378   mr   r4,r28
8047C460:  4BFFFE29   bl   0x8047c288
8047C464:  7C781B78   mr   r24,r3
8047C468:  387944E8   addi   r3,r25,17640
8047C46C:  4828AEB9   bl   0x80707324
8047C470:  807B3808   lwz   r3,14344(r27)
8047C474:  2C030000   cmpwi   r3,0
8047C478:  4182002C   beq-   0x8047c4a4
8047C47C:  48003141   bl   0x8047f5bc
8047C480:  2C030000   cmpwi   r3,0
8047C484:  41820020   beq-   0x8047c4a4
8047C488:  807B3808   lwz   r3,14344(r27)
8047C48C:  48003185   bl   0x8047f610
8047C490:  2C030000   cmpwi   r3,0
8047C494:  41820010   beq-   0x8047c4a4
8047C498:  807B3808   lwz   r3,14344(r27)
8047C49C:  7F84E378   mr   r4,r28
8047C4A0:  48006559   bl   0x804829f8
8047C4A4:  807B0000   lwz   r3,0(r27)
8047C4A8:  7F84E378   mr   r4,r28
8047C4AC:  5705003C   rlwinm   r5,r24,0,0,30
8047C4B0:  38DD0001   addi   r6,r29,1
8047C4B4:  39000000   li   r8,0
8047C4B8:  38E00000   li   r7,0
8047C4BC:  813D003C   lwz   r9,60(r29)
8047C4C0:  815D0040   lwz   r10,64(r29)
8047C4C4:  4828BAF1   bl   0x80707fb4
8047C4C8:  2C030000   cmpwi   r3,0
8047C4CC:  4082002C   bne-   0x8047c4f8
8047C4D0:  7F63DB78   mr   r3,r27
8047C4D4:  7C9BBA14   add   r4,r27,r23
8047C4D8:  3884016D   addi   r4,r4,365
8047C4DC:  4BFFE2E1   bl   0x8047a7bc
8047C4E0:  807B0000   lwz   r3,0(r27)
8047C4E4:  4828AE41   bl   0x80707324
8047C4E8:  7F63DB78   mr   r3,r27
8047C4EC:  4BFFFC99   bl   0x8047c184
8047C4F0:  7C7E1B78   mr   r30,r3
8047C4F4:  480000B8   b   0x8047c5ac
8047C4F8:  387D0001   addi   r3,r29,1
8047C4FC:  3881001C   addi   r4,r1,28
8047C500:  48233D19   bl   0x806b0218
8047C504:  2C030000   cmpwi   r3,0
8047C508:  4082002C   bne-   0x8047c534
8047C50C:  7F63DB78   mr   r3,r27
8047C510:  7C9BBA14   add   r4,r27,r23
8047C514:  3884016D   addi   r4,r4,365
8047C518:  4BFFE2A5   bl   0x8047a7bc
8047C51C:  807B0000   lwz   r3,0(r27)
8047C520:  4828AE05   bl   0x80707324
8047C524:  7F63DB78   mr   r3,r27
8047C528:  4BFFFC5D   bl   0x8047c184
8047C52C:  7C7E1B78   mr   r30,r3
8047C530:  4800007C   b   0x8047c5ac
8047C534:  3B000000   li   r24,0
8047C538:  881A4334   lbz   r0,17204(r26)
8047C53C:  2C000000   cmpwi   r0,0
8047C540:  40820040   bne-   0x8047c580
8047C544:  8061001C   lwz   r3,28(r1)
8047C548:  80010020   lwz   r0,32(r1)
8047C54C:  90610008   stw   r3,8(r1)
8047C550:  9001000C   stw   r0,12(r1)
8047C554:  80610024   lwz   r3,36(r1)
8047C558:  80010028   lwz   r0,40(r1)
8047C55C:  90610010   stw   r3,16(r1)
8047C560:  90010014   stw   r0,20(r1)
8047C564:  8001002C   lwz   r0,44(r1)
8047C568:  90010018   stw   r0,24(r1)
8047C56C:  38610008   addi   r3,r1,8
8047C570:  48105875   bl   0x80581de4
8047C574:  2C030000   cmpwi   r3,0
8047C578:  41820008   beq-   0x8047c580
8047C57C:  3B000001   li   r24,1
8047C580:  2C180000   cmpwi   r24,0
8047C584:  41820030   beq-   0x8047c5b4
8047C588:  7F63DB78   mr   r3,r27
8047C58C:  7C9BBA14   add   r4,r27,r23
8047C590:  3884016D   addi   r4,r4,365
8047C594:  4BFFE229   bl   0x8047a7bc
8047C598:  807B0000   lwz   r3,0(r27)
8047C59C:  4828AD89   bl   0x80707324
8047C5A0:  7F63DB78   mr   r3,r27
8047C5A4:  4BFFFBE1   bl   0x8047c184
8047C5A8:  7C7E1B78   mr   r30,r3
8047C5AC:  2C1E0000   cmpwi   r30,0
8047C5B0:  4080FE9C   bge+   0x8047c44c
8047C5B4:  2C1E0000   cmpwi   r30,0
8047C5B8:  408000E8   bge-   0x8047c6a0
8047C5BC:  3C6080C7   lis   r3,-32569
8047C5C0:  88034334   lbz   r0,17204(r3)
8047C5C4:  2C000000   cmpwi   r0,0
8047C5C8:  4182002C   beq-   0x8047c5f4
8047C5CC:  38000003   li   r0,3
8047C5D0:  3C6080C7   lis   r3,-32569
8047C5D4:  90034338   stw   r0,17208(r3)
8047C5D8:  7F63DB78   mr   r3,r27
8047C5DC:  7F84E378   mr   r4,r28
8047C5E0:  3CA0808F   lis   r5,-32625
8047C5E4:  38A52440   addi   r5,r5,9280
8047C5E8:  4BFFF5B5   bl   0x8047bb9c
8047C5EC:  38600000   li   r3,0
8047C5F0:  48000120   b   0x8047c710
8047C5F4:  7F83E378   mr   r3,r28
8047C5F8:  4828C3C1   bl   0x807089b8
8047C5FC:  2C030000   cmpwi   r3,0
8047C600:  40820098   bne-   0x8047c698
8047C604:  7F63DB78   mr   r3,r27
8047C608:  7F84E378   mr   r4,r28
8047C60C:  4BFFFCF9   bl   0x8047c304
8047C610:  2C030000   cmpwi   r3,0
8047C614:  41820050   beq-   0x8047c664
8047C618:  3C6080C5   lis   r3,-32571
8047C61C:  386344E8   addi   r3,r3,17640
8047C620:  4828AD05   bl   0x80707324
8047C624:  807F0040   lwz   r3,64(r31)
8047C628:  7F84E378   mr   r4,r28
8047C62C:  4BFFFC5D   bl   0x8047c288
8047C630:  7C771B78   mr   r23,r3
8047C634:  480FCF21   bl   0x80579554
8047C638:  809F0118   lwz   r4,280(r31)
8047C63C:  80040018   lwz   r0,24(r4)
8047C640:  7F630050   sub   r27,r0,r3
8047C644:  480FCF11   bl   0x80579554
8047C648:  7C661B78   mr   r6,r3
8047C64C:  807F0040   lwz   r3,64(r31)
8047C650:  7F84E378   mr   r4,r28
8047C654:  7EE5BB78   mr   r5,r23
8047C658:  7F67DB78   mr   r7,r27
8047C65C:  4800CD45   bl   0x804893a0
8047C660:  48000030   b   0x8047c690
8047C664:  807B3808   lwz   r3,14344(r27)
8047C668:  2C030000   cmpwi   r3,0
8047C66C:  4182001C   beq-   0x8047c688
8047C670:  800337A4   lwz   r0,14244(r3)
8047C674:  2C000000   cmpwi   r0,0
8047C678:  41820010   beq-   0x8047c688
8047C67C:  8003379C   lwz   r0,14236(r3)
8047C680:  2C000000   cmpwi   r0,0
8047C684:  4182000C   beq-   0x8047c690
8047C688:  7F83E378   mr   r3,r28
8047C68C:  4828C409   bl   0x80708a94
8047C690:  38600000   li   r3,0
8047C694:  4800007C   b   0x8047c710
8047C698:  38600000   li   r3,0
8047C69C:  48000074   b   0x8047c710
8047C6A0:  7F63DB78   mr   r3,r27
8047C6A4:  48007B95   bl   0x80484238
8047C6A8:  38600004   li   r3,4
8047C6AC:  9061001C   stw   r3,28(r1)
8047C6B0:  380003E9   li   r0,1001
8047C6B4:  B0010024   sth   r0,36(r1)
8047C6B8:  907B3724   stw   r3,14116(r27)
8047C6BC:  80010020   lwz   r0,32(r1)
8047C6C0:  901B3728   stw   r0,14120(r27)
8047C6C4:  A0010024   lhz   r0,36(r1)
8047C6C8:  B01B372C   sth   r0,14124(r27)
8047C6CC:  80010028   lwz   r0,40(r1)
8047C6D0:  901B3730   stw   r0,14128(r27)
8047C6D4:  8001002C   lwz   r0,44(r1)
8047C6D8:  901B3734   stw   r0,14132(r27)
8047C6DC:  93DB3720   stw   r30,14112(r27)
8047C6E0:  387B3738   addi   r3,r27,14136
8047C6E4:  389D0001   addi   r4,r29,1
8047C6E8:  38A00031   li   r5,49
8047C6EC:  4BB87915   bl   0x80004000
8047C6F0:  801D0040   lwz   r0,64(r29)
8047C6F4:  901B3774   stw   r0,14196(r27)
8047C6F8:  801D003C   lwz   r0,60(r29)
8047C6FC:  901B3778   stw   r0,14200(r27)
8047C700:  38000000   li   r0,0
8047C704:  901B376C   stw   r0,14188(r27)
8047C708:  901B3770   stw   r0,14192(r27)
8047C70C:  38600001   li   r3,1
8047C710:  39610060   addi   r11,r1,96
8047C714:  4BBE17AD   bl   0x8005dec0
8047C718:  80010064   lwz   r0,100(r1)
8047C71C:  7C0803A6   mtlr   r0
8047C720:  38210060   addi   r1,r1,96
8047C724:  4E800020   blr   


[/spoiler]

registers:
[spoiler] CR:44004848  XER:20000000  CTR:00000003 DSIS:00400000
DAR:814B5C78 SRR0:8047C3C4 SRR1:0000B032   LR:8047C39C
 r0:00000001   r1:80249748   r2:802459C0   r3:817E8980
 r4:00000000   r5:814B5C60   r6:817E95F5   r7:817EC0D8
 r8:00010101   r9:0000000A  r10:00000000  r11:802497A8
r12:80066664  r13:80244680  r14:00010005  r15:8017D510
r16:806AE6A8  r17:00000000  r18:00000000  r19:00000004
r20:00000000  r21:8036F000  r22:73433750  r23:00010005
r24:73433750  r25:80889378  r26:817E8980  r27:817E8980
r28:00000000  r29:00000000  r30:808F2AE8  r31:80A27750

 f0:FFC00000   f1:A37D5C37   f2:C2C65662   f3:B1CD3018
 f4:0087F807   f5:00000000   f6:00000000   f7:00000000
 f8:00000000   f9:00000000  f10:00000000  f11:00000000
f12:39443479  f13:00000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:BF800000  f30:00000000  f31:3F800000[/spoiler]

code template:
[spoiler]
lis r12,0
ori r12,r12,0
stb r0,24(r5)
lbz r0,24(r5)

C247C3C4 00000003
3D800000 618C0000
98050018 88050018
60000000 00000000
[/spoiler]
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

wiiztec

You need to find the pointer, then make a D2 code
If there's any code at all that you want to be button activated, or even able to toggle on & off, and I have the game, just PM me and I'll make it happen

dcx2

You don't need ASM.

8047C3A4:  3FE080A2   lis   r31,-32606
8047C3A8:  3BFF7750   addi   r31,r31,30544

...
8047C3C0:  80BF0160   lwz   r5,352(r31)
8047C3C4:  88050018   lbz   r0,24(r5) -> hit address


You should be able to put this information together to make a classic pointer code that you can use with the 10 code type.

Bully@Wiiplaza

Quote from: dcx2 on December 04, 2010, 06:59:11 PM
You don't need ASM.

8047C3A4:  3FE080A2   lis   r31,-32606
8047C3A8:  3BFF7750   addi   r31,r31,30544

...
8047C3C0:  80BF0160   lwz   r5,352(r31)
8047C3C4:  88050018   lbz   r0,24(r5) -> hit address


You should be able to put this information together to make a classic pointer code that you can use with the 10 code type.
hey cool this worked :D
Thought it was not possible :p

dcx2

That is a great example of how to create a pointer code from ASM, without a pointer app.

The reason is that the "anchor" pointer, 80A27750, is in the same function as the pointer of interest.  This is even pointer-in-pointer.

Typically, the "anchor" will be a few steps up the call stack, which is why it's usually harder.
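The chain dcx2 points at (lis/addi build a static base in r31, lwz pulls a pointer out of it, lbz reads one byte at an offset from that pointer) resolved in code, as an added example that is not from the thread or from any of the posters. It replays only those four instructions against a constructed memory snapshot whose single pointer value is r5 from Bully's register dump, derives the pointer slot, the offset and the target address (which should equal the DAR in that dump), and lays the result out as a Gecko pointer code in the 48 / 10 / E0 shape as I know it from the Gecko code-type documentation; that encoding and the written byte value 0x01 are assumptions, not something the thread states.

```python
"""Resolve the pointer chain from the disassembly dcx2 quoted.

Added example, not code from the thread. It replays only the four
PowerPC instructions that build the address (lis, addi, lwz, lbz) against
a constructed memory snapshot, then derives the pointer slot, the offset
and the final address, and lays them out as a Gecko pointer code.
"""
import re

# The four lines dcx2 quoted from the disassembly in the first post.
DISASM = """
8047C3A4:  3FE080A2   lis   r31,-32606
8047C3A8:  3BFF7750   addi   r31,r31,30544
8047C3C0:  80BF0160   lwz   r5,352(r31)
8047C3C4:  88050018   lbz   r0,24(r5)
"""

# Constructed memory snapshot. The pointer value is r5 from the register
# dump in the thread; the byte at the end of the chain is a made-up sample.
MEMORY = {
    0x80A278B0: 0x814B5C60,  # pointer slot: [r31 + 352] -> r5
    0x814B5C78: 0x01,        # target byte:  [r5 + 24]   -> r0 (sample)
}

LINE = re.compile(r"^([0-9A-Fa-f]{8}):\s+[0-9A-Fa-f]{8}\s+(\w+)\s+(.*)$")
MEM_OPERAND = re.compile(r"^(r\d+),(-?\d+)\((r\d+)\)$")


def simulate(disasm, memory):
    """Execute lis/addi/lwz/lbz lines; return (registers, load trace).

    Each trace entry records the base register value, displacement,
    effective address and loaded value of one load, so the pointer chain
    can be read straight off it.
    """
    regs, trace = {}, []
    for raw in disasm.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        addr, mnem, ops = int(m.group(1), 16), m.group(2), m.group(3).replace(" ", "")
        if mnem == "lis":
            # lis rD,SIMM puts the 16-bit immediate in the upper half; the
            # negative immediate is just how the tool prints 0x80A2 signed.
            rd, imm = ops.split(",")
            regs[rd] = (int(imm) << 16) & 0xFFFFFFFF
        elif mnem == "addi":
            rd, ra, imm = ops.split(",")
            regs[rd] = (regs.get(ra, 0) + int(imm)) & 0xFFFFFFFF
        elif mnem in ("lwz", "lbz"):
            mm = MEM_OPERAND.match(ops)
            rd, disp, ra = mm.group(1), int(mm.group(2)), mm.group(3)
            base = regs.get(ra, 0)
            ea = (base + disp) & 0xFFFFFFFF
            if ea not in memory:
                raise KeyError(f"snapshot has no value at {ea:08X}")
            regs[rd] = memory[ea]
            trace.append({"addr": addr, "mnem": mnem, "base": base,
                          "disp": disp, "ea": ea, "value": memory[ea]})
        else:
            raise NotImplementedError(f"{mnem} is not needed for the chain")
    return regs, trace


def pointer_chain(trace):
    """Describe a two-level chain: static base -> pointer slot -> target."""
    slot, final = trace[-2], trace[-1]
    return {
        "base": slot["base"],      # r31 = 0x80A27750, dcx2's "anchor"
        "slot": slot["ea"],        # static address holding the pointer
        "pointer": slot["value"],  # run-dependent pointer (r5 in the dump)
        "offset": final["disp"],   # 24 = 0x18
        "target": final["ea"],     # the address the read breakpoint hit
    }


def gecko_pointer_code(slot, offset, value):
    """Lay out a Gecko pointer code for an 8-bit write through a pointer.

    Assumed encoding (from the Gecko code-type docs as I know them, not from
    the thread): 48 loads the pointer at `slot` into po, 10 writes one byte
    at po+offset, E0 resets ba/po. `value` is the byte to write.
    """
    return [
        f"48000000 {slot:08X}",
        f"10{offset:06X} 000000{value & 0xFF:02X}",
        "E0000000 80008000",
    ]


if __name__ == "__main__":
    regs, trace = simulate(DISASM, MEMORY)
    chain = pointer_chain(trace)
    for k, v in chain.items():
        print(f"{k:8s} {v:08X}")
    # The target depends on the pointer, so a hook hardcoded to 0x814B5C78
    # stops matching as soon as the game allocates elsewhere; the slot,
    # 0x80A278B0, is computed from immediates and stays put.
    print("\n".join(gecko_pointer_code(chain["slot"], chain["offset"], 0x01)))
```

Running it prints base 80A27750, slot 80A278B0, pointer 814B5C60, offset 00000018 and target 814B5C78, the last being exactly the DAR from Bully's register dump. That is the whole explanation of the "moving" hit address: the byte lives behind a pointer the game rewrites, so each breakpoint hit reports wherever the pointer currently goes, while the slot the lwz reads from is fixed by the lis/addi pair and is what a pointer code has to reference. When the lis/addi are further up the call stack, as dcx2 notes, the same replay needs the caller's instructions and register values added to the snapshot.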