Respawn freeze with an ASM code?

Started by Bully@Wiiplaza, August 15, 2011, 12:29:45 PM


Bully@Wiiplaza

#15
I took some looks at the LR's function...
and found something... (seems like your guess was right!)

[spoiler]
80F3B47C:  4B31251C   b   0x8024d998
80F3B480:  9421FFC0   stwu   r1,-64(r1)
80F3B484:  7C0802A6   mflr   r0
80F3B488:  90010044   stw   r0,68(r1)
80F3B48C:  DBE10030   stfd   f31,48(r1)
80F3B490:  F3E10038   psq_st   f31,56(r1),0,0
80F3B494:  39610030   addi   r11,r1,48
80F3B498:  4B46DC0D   bl   0x803a90a4
80F3B49C:  3FE0804A   lis   r31,-32694
80F3B4A0:  3D0080F4   lis   r8,-32524
80F3B4A4:  3BFF136C   addi   r31,r31,4972
80F3B4A8:  83C30570   lwz   r30,1392(r3)
80F3B4AC:  A8BF10CA   lha   r5,4298(r31)
80F3B4B0:  3BA00000   li   r29,0
80F3B4B4:  A81F10C2   lha   r0,4290(r31)
80F3B4B8:  A8DF10C8   lha   r6,4296(r31)
80F3B4BC:  A89F10C4   lha   r4,4292(r31)
80F3B4C0:  7C050214   add   r0,r5,r0
80F3B4C4:  A8FF10C0   lha   r7,4288(r31)
80F3B4C8:  7C862214   add   r4,r6,r4
80F3B4CC:  A8BF10E4   lha   r5,4324(r31)
80F3B4D0:  7C040214   add   r0,r4,r0
80F3B4D4:  A8DF10E0   lha   r6,4320(r31)
80F3B4D8:  A89F10E2   lha   r4,4322(r31)
80F3B4DC:  7CA72A14   add   r5,r7,r5
80F3B4E0:  A8FF10CC   lha   r7,4300(r31)
80F3B4E4:  7C862214   add   r4,r6,r4
80F3B4E8:  C3E8B8B0   lfs   f31,-18256(r8)
80F3B4EC:  7C852214   add   r4,r5,r4
80F3B4F0:  7C070214   add   r0,r7,r0
80F3B4F4:  7C040215   add.   r0,r4,r0
80F3B4F8:  40820010   bne-   0x80f3b508
80F3B4FC:  38000001   li   r0,1
80F3B500:  981F12D4   stb   r0,4820(r31)
80F3B504:  4800010C   b   0x80f3b610
80F3B508:  38000000   li   r0,0
80F3B50C:  981F12D4   stb   r0,4820(r31)
80F3B510:  80630570   lwz   r3,1392(r3)
80F3B514:  83830004   lwz   r28,4(r3)
80F3B518:  807C0060   lwz   r3,96(r28)
80F3B51C:  83630000   lwz   r27,0(r3)
80F3B520:  2C1B0000   cmpwi   r27,0
80F3B524:  4182006C   beq-   0x80f3b590
80F3B528:  807B0024   lwz   r3,36(r27)
80F3B52C:  38800000   li   r4,0
80F3B530:  81830000   lwz   r12,0(r3)
80F3B534:  818C0074   lwz   r12,116(r12)
80F3B538:  7D8903A6   mtctr   r12
80F3B53C:  4E800421   bctrl   
80F3B540:  819B0000   lwz   r12,0(r27)
80F3B544:  7F63DB78   mr   r3,r27
80F3B548:  818C002C   lwz   r12,44(r12)
80F3B54C:  7D8903A6   mtctr   r12
80F3B550:  4E800421   bctrl   
80F3B554:  A8FF10C0   lha   r7,4288(r31)
80F3B558:  380000FF   li   r0,255
80F3B55C:  A8DF10C2   lha   r6,4290(r31)
80F3B560:  38A10008   addi   r5,r1,8
80F3B564:  A87F10C4   lha   r3,4292(r31)
80F3B568:  38800000   li   r4,0
80F3B56C:  B0E10008   sth   r7,8(r1)
80F3B570:  B0C1000A   sth   r6,10(r1)
80F3B574:  B061000C   sth   r3,12(r1)
80F3B578:  B001000E   sth   r0,14(r1)
80F3B57C:  807B002C   lwz   r3,44(r27)
80F3B580:  81830000   lwz   r12,0(r3)
80F3B584:  818C0060   lwz   r12,96(r12)
80F3B588:  7D8903A6   mtctr   r12
80F3B58C:  4E800421   bctrl   
80F3B590:  807C0060   lwz   r3,96(r28)
80F3B594:  83630004   lwz   r27,4(r3)
80F3B598:  2C1B0000   cmpwi   r27,0
80F3B59C:  41820074   beq-   0x80f3b610
80F3B5A0:  807B0024   lwz   r3,36(r27)
80F3B5A4:  38800000   li   r4,0
80F3B5A8:  81830000   lwz   r12,0(r3)
80F3B5AC:  818C0074   lwz   r12,116(r12)
80F3B5B0:  7D8903A6   mtctr   r12
80F3B5B4:  4E800421   bctrl   
80F3B5B8:  819B0000   lwz   r12,0(r27)
80F3B5BC:  7F63DB78   mr   r3,r27
80F3B5C0:  818C002C   lwz   r12,44(r12)
80F3B5C4:  7D8903A6   mtctr   r12
80F3B5C8:  4E800421   bctrl   
80F3B5CC:  3D00804A   lis   r8,-32694
80F3B5D0:  38A10008   addi   r5,r1,8
80F3B5D4:  3908136C   addi   r8,r8,4972
80F3B5D8:  38800000   li   r4,0
80F3B5DC:  A8E810E8   lha   r7,4328(r8)
80F3B5E0:  A8C810EA   lha   r6,4330(r8)
80F3B5E4:  A86810EC   lha   r3,4332(r8)
80F3B5E8:  A80810EE   lha   r0,4334(r8)
80F3B5EC:  B0E10008   sth   r7,8(r1)
80F3B5F0:  B0C1000A   sth   r6,10(r1)
80F3B5F4:  B061000C   sth   r3,12(r1)
80F3B5F8:  B001000E   sth   r0,14(r1)
80F3B5FC:  807B002C   lwz   r3,44(r27)
80F3B600:  81830000   lwz   r12,0(r3)
80F3B604:  818C0060   lwz   r12,96(r12)
80F3B608:  7D8903A6   mtctr   r12
80F3B60C:  4E800421   bctrl   
80F3B610:  3C60804A   lis   r3,-32694
80F3B614:  3863136C   addi   r3,r3,4972
80F3B618:  880312D4   lbz   r0,4820(r3)
80F3B61C:  2C000000   cmpwi   r0,0
80F3B620:  4182000C   beq-   0x80f3b62c
80F3B624:  38600001   li   r3,1
80F3B628:  4800012C   b   0x80f3b754
80F3B62C:  3C608052   lis   r3,-32686
80F3B630:  8803115C   lbz   r0,4444(r3)
80F3B634:  7C040775   extsb.   r4,r0
80F3B638:  41800028   blt-   0x80f3b660
80F3B63C:  3C608048   lis   r3,-32696
80F3B640:  3863A828   subi   r3,r3,22488
80F3B644:  38634EC4   addi   r3,r3,20164
80F3B648:  4B0ED98D   bl   0x80028fd4
80F3B64C:  81830000   lwz   r12,0(r3)
80F3B650:  818C010C   lwz   r12,268(r12)
80F3B654:  7D8903A6   mtctr   r12
80F3B658:  4E800421   bctrl   
80F3B65C:  7C7D1B78   mr   r29,r3
80F3B660:  2C1D0000   cmpwi   r29,0
80F3B664:  41820008   beq-   0x80f3b66c
80F3B668:  C3FD0004   lfs   f31,4(r29)
80F3B66C:  3C608048   lis   r3,-32696
80F3B670:  3863A828   subi   r3,r3,22488
80F3B674:  808361C4   lwz   r4,25028(r3)
80F3B678:  2C040000   cmpwi   r4,0
80F3B67C:  4182001C   beq-   0x80f3b698
80F3B680:  C024018C   lfs   f1,396(r4)
80F3B684:  3C6080F4   lis   r3,-32524
80F3B688:  C003B8B4   lfs   f0,-18252(r3)
80F3B68C:  EC21F828   fsubs   f1,f1,f31
80F3B690:  EC200072   fmuls   f1,f0,f1
80F3B694:  4800000C   b   0x80f3b6a0
80F3B698:  3C6080F4   lis   r3,-32524
80F3B69C:  C023B8B0   lfs   f1,-18256(r3)
80F3B6A0:  C004018C   lfs   f0,396(r4)
80F3B6A4:  3FA08044   lis   r29,-32700
80F3B6A8:  C064019C   lfs   f3,412(r4)
80F3B6AC:  387DB408   subi   r3,r29,19448
80F3B6B0:  EC400828   fsubs   f2,f0,f1
80F3B6B4:  C024017C   lfs   f1,380(r4)
80F3B6B8:  4B40856D   bl   0x80343c24
80F3B6BC:  387DB408   subi   r3,r29,19448
80F3B6C0:  389E0024   addi   r4,r30,36
80F3B6C4:  4A18B761   bl   0x7f0c6e24 # offending branch?
80F3B6C8:  4B250AED   bl   0x8018c1b4
80F3B6CC:  A07E005C   lhz   r3,92(r30)
80F3B6D0:  3BA00002   li   r29,2
80F3B6D4:  3B63FFFF   subi   r27,r3,1
80F3B6D8:  48000038   b   0x80f3b710
80F3B6DC:  807E0060   lwz   r3,96(r30)
80F3B6E0:  576013BA   rlwinm   r0,r27,2,14,29
80F3B6E4:  7C63002E   lwzx   r3,r3,r0
80F3B6E8:  2C030000   cmpwi   r3,0
80F3B6EC:  4182001C   beq-   0x80f3b708
80F3B6F0:  80630034   lwz   r3,52(r3)
80F3B6F4:  81830000   lwz   r12,0(r3)
80F3B6F8:  818C0030   lwz   r12,48(r12)
80F3B6FC:  7D8903A6   mtctr   r12
80F3B700:  4E800421   bctrl   
80F3B704:  7C7F1B78   mr   r31,r3
80F3B708:  9BBF0000   stb   r29,0(r31)
80F3B70C:  3B7BFFFF   subi   r27,r27,1
80F3B710:  2C1B0000   cmpwi   r27,0
80F3B714:  4080FFC8   bge+   0x80f3b6dc
80F3B718:  3FE08048   lis   r31,-32696
80F3B71C:  3FA0804B   lis   r29,-32693
80F3B720:  3BFFA828   subi   r31,r31,22488
80F3B724:  7FC3F378   mr   r3,r30
80F3B728:  809F5F74   lwz   r4,24436(r31)
80F3B72C:  3BBD9FC0   subi   r29,r29,24640
80F3B730:  801F5F78   lwz   r0,24440(r31)
80F3B734:  909D0048   stw   r4,72(r29)
80F3B738:  901D004C   stw   r0,76(r29)
80F3B73C:  4B0D8A79   bl   0x800141b4
80F3B740:  809F5F90   lwz   r4,24464(r31)
80F3B744:  38600001   li   r3,1
80F3B748:  801F5F94   lwz   r0,24468(r31)
80F3B74C:  909D0048   stw   r4,72(r29)
80F3B750:  901D004C   stw   r0,76(r29)
80F3B754:  E3E10038   psq_l   f31,56(r1),0,0
80F3B758:  39610030   addi   r11,r1,48
80F3B75C:  CBE10030   lfd   f31,48(r1)
80F3B760:  4B46D991   bl   0x803a90f0
80F3B764:  80010044   lwz   r0,68(r1)
80F3B768:  7C0803A6   mtlr   r0
80F3B76C:  38210040   addi   r1,r1,64
80F3B770:  4E800020   blr   [/spoiler]
What are we going to do with it?
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

dcx2

I should stress that the disassembly you saw for the crash is wrong.  80F3BAA4: C01F04D0 lfs f0, 1232 (r31) was not the address that caused the crash.

When the game breakpoints, Gecko.NET reads SRR0 to determine the disassembly to display.  7F0C6E24 isn't a valid address, so it didn't update the disassembly.  What you saw was the disassembly for the last successful breakpoint.

I would say that yes, 80F3B6C4:  4A18B761   bl   0x7f0c6e24  is the offending instruction.  Matches the address exactly, and it also explains the value in lr.

I am surprised that it's a truly illegal instruction that's just chillin' in the middle of what appears to be perfectly valid ASM.  When you start a fresh game which hasn't been hacked or poked yet, is that really what appears at 80F3B6C4?  It really looks like something modified that instruction.

You could try to set an XBP on it without your code to see if it ever hits or what it's supposed to do.

Bully@Wiiplaza

#17
Quote from: dcx2 on August 16, 2011, 04:59:09 PM
I am surprised that it's a truly illegal instruction that's just chillin' in the middle of what appears to be perfectly valid ASM.  When you start a fresh game which hasn't been hacked or poked yet, is that really what appears at 80F3B6C4?  It really looks like something modified that instruction.
It was modified by something...

[spoiler]80F3B47C:  4B31251C   b   0x8024d998
80F3B480:  9421FFC0   stwu   r1,-64(r1)
80F3B484:  7C0802A6   mflr   r0
80F3B488:  90010044   stw   r0,68(r1)
80F3B48C:  DBE10030   stfd   f31,48(r1)
80F3B490:  F3E10038   psq_st   f31,56(r1),0,0
80F3B494:  39610030   addi   r11,r1,48
80F3B498:  4B46DC0D   bl   0x803a90a4
80F3B49C:  3FE0804A   lis   r31,-32694
80F3B4A0:  3D0080F4   lis   r8,-32524
80F3B4A4:  3BFF136C   addi   r31,r31,4972
80F3B4A8:  83C30570   lwz   r30,1392(r3)
80F3B4AC:  A8BF10CA   lha   r5,4298(r31)
80F3B4B0:  3BA00000   li   r29,0
80F3B4B4:  A81F10C2   lha   r0,4290(r31)
80F3B4B8:  A8DF10C8   lha   r6,4296(r31)
80F3B4BC:  A89F10C4   lha   r4,4292(r31)
80F3B4C0:  7C050214   add   r0,r5,r0
80F3B4C4:  A8FF10C0   lha   r7,4288(r31)
80F3B4C8:  7C862214   add   r4,r6,r4
80F3B4CC:  A8BF10E4   lha   r5,4324(r31)
80F3B4D0:  7C040214   add   r0,r4,r0
80F3B4D4:  A8DF10E0   lha   r6,4320(r31)
80F3B4D8:  A89F10E2   lha   r4,4322(r31)
80F3B4DC:  7CA72A14   add   r5,r7,r5
80F3B4E0:  A8FF10CC   lha   r7,4300(r31)
80F3B4E4:  7C862214   add   r4,r6,r4
80F3B4E8:  C3E8B8B0   lfs   f31,-18256(r8)
80F3B4EC:  7C852214   add   r4,r5,r4
80F3B4F0:  7C070214   add   r0,r7,r0
80F3B4F4:  7C040215   add.   r0,r4,r0
80F3B4F8:  40820010   bne-   0x80f3b508
80F3B4FC:  38000001   li   r0,1
80F3B500:  981F12D4   stb   r0,4820(r31)
80F3B504:  4800010C   b   0x80f3b610
80F3B508:  38000000   li   r0,0
80F3B50C:  981F12D4   stb   r0,4820(r31)
80F3B510:  80630570   lwz   r3,1392(r3)
80F3B514:  83830004   lwz   r28,4(r3)
80F3B518:  807C0060   lwz   r3,96(r28)
80F3B51C:  83630000   lwz   r27,0(r3)
80F3B520:  2C1B0000   cmpwi   r27,0
80F3B524:  4182006C   beq-   0x80f3b590
80F3B528:  807B0024   lwz   r3,36(r27)
80F3B52C:  38800000   li   r4,0
80F3B530:  81830000   lwz   r12,0(r3)
80F3B534:  818C0074   lwz   r12,116(r12)
80F3B538:  7D8903A6   mtctr   r12
80F3B53C:  4E800421   bctrl   
80F3B540:  819B0000   lwz   r12,0(r27)
80F3B544:  7F63DB78   mr   r3,r27
80F3B548:  818C002C   lwz   r12,44(r12)
80F3B54C:  7D8903A6   mtctr   r12
80F3B550:  4E800421   bctrl   
80F3B554:  A8FF10C0   lha   r7,4288(r31)
80F3B558:  380000FF   li   r0,255
80F3B55C:  A8DF10C2   lha   r6,4290(r31)
80F3B560:  38A10008   addi   r5,r1,8
80F3B564:  A87F10C4   lha   r3,4292(r31)
80F3B568:  38800000   li   r4,0
80F3B56C:  B0E10008   sth   r7,8(r1)
80F3B570:  B0C1000A   sth   r6,10(r1)
80F3B574:  B061000C   sth   r3,12(r1)
80F3B578:  B001000E   sth   r0,14(r1)
80F3B57C:  807B002C   lwz   r3,44(r27)
80F3B580:  81830000   lwz   r12,0(r3)
80F3B584:  818C0060   lwz   r12,96(r12)
80F3B588:  7D8903A6   mtctr   r12
80F3B58C:  4E800421   bctrl   
80F3B590:  807C0060   lwz   r3,96(r28)
80F3B594:  83630004   lwz   r27,4(r3)
80F3B598:  2C1B0000   cmpwi   r27,0
80F3B59C:  41820074   beq-   0x80f3b610
80F3B5A0:  807B0024   lwz   r3,36(r27)
80F3B5A4:  38800000   li   r4,0
80F3B5A8:  81830000   lwz   r12,0(r3)
80F3B5AC:  818C0074   lwz   r12,116(r12)
80F3B5B0:  7D8903A6   mtctr   r12
80F3B5B4:  4E800421   bctrl   
80F3B5B8:  819B0000   lwz   r12,0(r27)
80F3B5BC:  7F63DB78   mr   r3,r27
80F3B5C0:  818C002C   lwz   r12,44(r12)
80F3B5C4:  7D8903A6   mtctr   r12
80F3B5C8:  4E800421   bctrl   
80F3B5CC:  3D00804A   lis   r8,-32694
80F3B5D0:  38A10008   addi   r5,r1,8
80F3B5D4:  3908136C   addi   r8,r8,4972
80F3B5D8:  38800000   li   r4,0
80F3B5DC:  A8E810E8   lha   r7,4328(r8)
80F3B5E0:  A8C810EA   lha   r6,4330(r8)
80F3B5E4:  A86810EC   lha   r3,4332(r8)
80F3B5E8:  A80810EE   lha   r0,4334(r8)
80F3B5EC:  B0E10008   sth   r7,8(r1)
80F3B5F0:  B0C1000A   sth   r6,10(r1)
80F3B5F4:  B061000C   sth   r3,12(r1)
80F3B5F8:  B001000E   sth   r0,14(r1)
80F3B5FC:  807B002C   lwz   r3,44(r27)
80F3B600:  81830000   lwz   r12,0(r3)
80F3B604:  818C0060   lwz   r12,96(r12)
80F3B608:  7D8903A6   mtctr   r12
80F3B60C:  4E800421   bctrl   
80F3B610:  3C60804A   lis   r3,-32694
80F3B614:  3863136C   addi   r3,r3,4972
80F3B618:  880312D4   lbz   r0,4820(r3)
80F3B61C:  2C000000   cmpwi   r0,0
80F3B620:  4182000C   beq-   0x80f3b62c
80F3B624:  38600001   li   r3,1
80F3B628:  4800012C   b   0x80f3b754
80F3B62C:  3C608052   lis   r3,-32686
80F3B630:  8803115C   lbz   r0,4444(r3)
80F3B634:  7C040775   extsb.   r4,r0
80F3B638:  41800028   blt-   0x80f3b660
80F3B63C:  3C608048   lis   r3,-32696
80F3B640:  3863A828   subi   r3,r3,22488
80F3B644:  38634EC4   addi   r3,r3,20164
80F3B648:  4B0ED98D   bl   0x80028fd4
80F3B64C:  81830000   lwz   r12,0(r3)
80F3B650:  818C010C   lwz   r12,268(r12)
80F3B654:  7D8903A6   mtctr   r12
80F3B658:  4E800421   bctrl   
80F3B65C:  7C7D1B78   mr   r29,r3
80F3B660:  2C1D0000   cmpwi   r29,0
80F3B664:  41820008   beq-   0x80f3b66c
80F3B668:  C3FD0004   lfs   f31,4(r29)
80F3B66C:  3C608048   lis   r3,-32696
80F3B670:  3863A828   subi   r3,r3,22488
80F3B674:  808361C4   lwz   r4,25028(r3)
80F3B678:  2C040000   cmpwi   r4,0
80F3B67C:  4182001C   beq-   0x80f3b698
80F3B680:  C024018C   lfs   f1,396(r4)
80F3B684:  3C6080F4   lis   r3,-32524
80F3B688:  C003B8B4   lfs   f0,-18252(r3)
80F3B68C:  EC21F828   fsubs   f1,f1,f31
80F3B690:  EC200072   fmuls   f1,f0,f1
80F3B694:  4800000C   b   0x80f3b6a0
80F3B698:  3C6080F4   lis   r3,-32524
80F3B69C:  C023B8B0   lfs   f1,-18256(r3)
80F3B6A0:  C004018C   lfs   f0,396(r4)
80F3B6A4:  3FA08044   lis   r29,-32700
80F3B6A8:  C064019C   lfs   f3,412(r4)
80F3B6AC:  387DB408   subi   r3,r29,19448
80F3B6B0:  EC400828   fsubs   f2,f0,f1
80F3B6B4:  C024017C   lfs   f1,380(r4)
80F3B6B8:  4B40856D   bl   0x80343c24
80F3B6BC:  387DB408   subi   r3,r29,19448
80F3B6C0:  389E0024   addi   r4,r30,36
80F3B6C4:  4B408111   bl   0x803437d4
80F3B6C8:  4B250AED   bl   0x8018c1b4
80F3B6CC:  A07E005C   lhz   r3,92(r30)
80F3B6D0:  3BA00002   li   r29,2
80F3B6D4:  3B63FFFF   subi   r27,r3,1
80F3B6D8:  48000038   b   0x80f3b710
80F3B6DC:  807E0060   lwz   r3,96(r30)
80F3B6E0:  576013BA   rlwinm   r0,r27,2,14,29
80F3B6E4:  7C63002E   lwzx   r3,r3,r0
80F3B6E8:  2C030000   cmpwi   r3,0
80F3B6EC:  4182001C   beq-   0x80f3b708
80F3B6F0:  80630034   lwz   r3,52(r3)
80F3B6F4:  81830000   lwz   r12,0(r3)
80F3B6F8:  818C0030   lwz   r12,48(r12)
80F3B6FC:  7D8903A6   mtctr   r12
80F3B700:  4E800421   bctrl   
80F3B704:  7C7F1B78   mr   r31,r3
80F3B708:  9BBF0000   stb   r29,0(r31)
80F3B70C:  3B7BFFFF   subi   r27,r27,1
80F3B710:  2C1B0000   cmpwi   r27,0
80F3B714:  4080FFC8   bge+   0x80f3b6dc
80F3B718:  3FE08048   lis   r31,-32696
80F3B71C:  3FA0804B   lis   r29,-32693
80F3B720:  3BFFA828   subi   r31,r31,22488
80F3B724:  7FC3F378   mr   r3,r30
80F3B728:  809F5F74   lwz   r4,24436(r31)
80F3B72C:  3BBD9FC0   subi   r29,r29,24640
80F3B730:  801F5F78   lwz   r0,24440(r31)
80F3B734:  909D0048   stw   r4,72(r29)
80F3B738:  901D004C   stw   r0,76(r29)
80F3B73C:  4B0D8A79   bl   0x800141b4
80F3B740:  809F5F90   lwz   r4,24464(r31)
80F3B744:  38600001   li   r3,1
80F3B748:  801F5F94   lwz   r0,24468(r31)
80F3B74C:  909D0048   stw   r4,72(r29)
80F3B750:  901D004C   stw   r0,76(r29)
80F3B754:  E3E10038   psq_l   f31,56(r1),0,0
80F3B758:  39610030   addi   r11,r1,48
80F3B75C:  CBE10030   lfd   f31,48(r1)
80F3B760:  4B46D991   bl   0x803a90f0
80F3B764:  80010044   lwz   r0,68(r1)
80F3B768:  7C0803A6   mtlr   r0
80F3B76C:  38210040   addi   r1,r1,64
80F3B770:  4E800020   blr   
[/spoiler]
1.) It executes all the time
2.) It changes to that illegal branch on respawn (after getting out of bounds)

dcx2

Being right never gets old.   ;D

WBP on the instruction that gets changed.  Who is changing it?

Bully@Wiiplaza

#19
YES YES, I DID IT!

I found the correct write.
[spoiler]
 CR:28000088  XER:20000000  CTR:00000001 DSIS:02400000
DAR:80F3B6C4 SRR0:80335A3C SRR1:0000B032   LR:8033588C
 r0:4A18B761   r1:80537208   r2:8052A180   r3:CA18B760
 r4:4BFFFDB9   r5:80F3B920   r6:0000000F   r7:80F3B41C
 r8:00000000   r9:000000FF  r10:00000003  r11:80537238
r12:802CE7DC  r13:80525EA0  r14:00000000  r15:80000000
r16:41A00000  r17:42000000  r18:00000000  r19:00000000
r20:00000000  r21:00000000  r22:00000000  r23:80F3B3B4
r24:803E17D4  r25:80420000  r26:00000000  r27:80F3B360
r28:80F3B6C4  r29:80F3B3B4  r30:80F3BAA0  r31:00000000[/spoiler]

[spoiler]80335878:  9421FFD0   stwu   r1,-48(r1)
8033587C:  7C0802A6   mflr   r0
80335880:  90010034   stw   r0,52(r1)
80335884:  39610030   addi   r11,r1,48
80335888:  4807380D   bl   0x803a9094
8033588C:  2C030000   cmpwi   r3,0
80335890:  7C7A1B78   mr   r26,r3
80335894:  7C9B2378   mr   r27,r4
80335898:  4182000C   beq-   0x803358a4
8033589C:  83E30000   lwz   r31,0(r3)
803358A0:  48000008   b   0x803358a8
803358A4:  3BE00000   li   r31,0
803358A8:  80A40028   lwz   r5,40(r4)
803358AC:  8004002C   lwz   r0,44(r4)
803358B0:  7C650214   add   r3,r5,r0
803358B4:  38030007   addi   r0,r3,7
803358B8:  7C050050   sub   r0,r0,r5
803358BC:  5400E8FE   rlwinm   r0,r0,29,3,31
803358C0:  7C0903A6   mtctr   r0
803358C4:  7C051840   cmplw   r5,r3
803358C8:  40800018   bge-   0x803358e0
803358CC:  80050000   lwz   r0,0(r5)
803358D0:  7C00F840   cmplw   r0,r31
803358D4:  41820014   beq-   0x803358e8
803358D8:  38A50008   addi   r5,r5,8
803358DC:  4200FFF0   bdnz+   0x803358cc
803358E0:  38600000   li   r3,0
803358E4:  48000224   b   0x80335b08
803358E8:  83C50004   lwz   r30,4(r5)
803358EC:  3BA00000   li   r29,0
803358F0:  3F208042   lis   r25,-32702
803358F4:  480001DC   b   0x80335ad0
803358F8:  A01E0000   lhz   r0,0(r30)
803358FC:  2C1F0000   cmpwi   r31,0
80335900:  7F9C0214   add   r28,r28,r0
80335904:  4182001C   beq-   0x80335920
80335908:  881E0003   lbz   r0,3(r30)
8033590C:  807A0010   lwz   r3,16(r26)
80335910:  54001838   rlwinm   r0,r0,3,0,28
80335914:  7C03002E   lwzx   r0,r3,r0
80335918:  5403003C   rlwinm   r3,r0,0,0,30
8033591C:  48000008   b   0x80335924
80335920:  38600000   li   r3,0
80335924:  2C040006   cmpwi   r4,6
80335928:  418200C4   beq-   0x803359ec
8033592C:  40800030   bge-   0x8033595c
80335930:  2C040002   cmpwi   r4,2
80335934:  41820068   beq-   0x8033599c
80335938:  40800014   bge-   0x8033594c
8033593C:  2C040000   cmpwi   r4,0
80335940:  4182018C   beq-   0x80335acc
80335944:  40800048   bge-   0x8033598c
80335948:  48000178   b   0x80335ac0
8033594C:  2C040004   cmpwi   r4,4
80335950:  41820078   beq-   0x803359c8
80335954:  40800084   bge-   0x803359d8
80335958:  48000060   b   0x803359b8
8033595C:  2C0400C9   cmpwi   r4,201
80335960:  4182016C   beq-   0x80335acc
80335964:  4080001C   bge-   0x80335980
80335968:  2C04000A   cmpwi   r4,10
8033596C:  418200B8   beq-   0x80335a24
80335970:  41800098   blt-   0x80335a08
80335974:  2C04000E   cmpwi   r4,14
80335978:  40800148   bge-   0x80335ac0
8033597C:  480000C8   b   0x80335a44
80335980:  2C0400CB   cmpwi   r4,203
80335984:  4080013C   bge-   0x80335ac0
80335988:  480000DC   b   0x80335a64
8033598C:  801E0004   lwz   r0,4(r30)
80335990:  7C030214   add   r0,r3,r0
80335994:  901C0000   stw   r0,0(r28)
80335998:  48000134   b   0x80335acc
8033599C:  801E0004   lwz   r0,4(r30)
803359A0:  809C0000   lwz   r4,0(r28)
803359A4:  7C630214   add   r3,r3,r0
803359A8:  5480078A   rlwinm   r0,r4,0,30,5
803359AC:  506001BA   rlwimi   r0,r3,0,6,29
803359B0:  901C0000   stw   r0,0(r28)
803359B4:  48000118   b   0x80335acc
803359B8:  801E0004   lwz   r0,4(r30)
803359BC:  7C030214   add   r0,r3,r0
803359C0:  B01C0000   sth   r0,0(r28)
803359C4:  48000108   b   0x80335acc
803359C8:  801E0004   lwz   r0,4(r30)
803359CC:  7C030214   add   r0,r3,r0
803359D0:  B01C0000   sth   r0,0(r28)
803359D4:  480000F8   b   0x80335acc
803359D8:  801E0004   lwz   r0,4(r30)
803359DC:  7C030214   add   r0,r3,r0
803359E0:  5400843E   rlwinm   r0,r0,16,16,31
803359E4:  B01C0000   sth   r0,0(r28)
803359E8:  480000E4   b   0x80335acc
803359EC:  801E0004   lwz   r0,4(r30)
803359F0:  7C030214   add   r0,r3,r0
803359F4:  5403843E   rlwinm   r3,r0,16,16,31
803359F8:  54008FFE   rlwinm   r0,r0,17,31,31
803359FC:  7C030214   add   r0,r3,r0
80335A00:  B01C0000   sth   r0,0(r28)
80335A04:  480000C8   b   0x80335acc
80335A08:  801E0004   lwz   r0,4(r30)
80335A0C:  809C0000   lwz   r4,0(r28)
80335A10:  7C630214   add   r3,r3,r0
80335A14:  5480079E   rlwinm   r0,r4,0,30,15
80335A18:  5060043A   rlwimi   r0,r3,0,16,29
80335A1C:  901C0000   stw   r0,0(r28)
80335A20:  480000AC   b   0x80335acc
80335A24:  801E0004   lwz   r0,4(r30)
80335A28:  809C0000   lwz   r4,0(r28)
80335A2C:  7C030214   add   r0,r3,r0
80335A30:  7C7C0050   sub   r3,r0,r28
80335A34:  5480078A   rlwinm   r0,r4,0,30,5
80335A38:  506001BA   rlwimi   r0,r3,0,6,29
80335A3C:  901C0000   stw   r0,0(r28)
80335A40:  4800008C   b   0x80335acc
80335A44:  801E0004   lwz   r0,4(r30)
80335A48:  809C0000   lwz   r4,0(r28)
80335A4C:  7C030214   add   r0,r3,r0
80335A50:  7C7C0050   sub   r3,r0,r28
80335A54:  5480079E   rlwinm   r0,r4,0,30,15
80335A58:  5060043A   rlwimi   r0,r3,0,16,29
80335A5C:  901C0000   stw   r0,0(r28)
80335A60:  4800006C   b   0x80335acc
80335A64:  881E0003   lbz   r0,3(r30)
80335A68:  2C1D0000   cmpwi   r29,0
80335A6C:  807B0010   lwz   r3,16(r27)
80335A70:  54001838   rlwinm   r0,r0,3,0,28
80335A74:  7EE30214   add   r23,r3,r0
80335A78:  7C03002E   lwzx   r0,r3,r0
80335A7C:  541C003C   rlwinm   r28,r0,0,0,30
80335A80:  41820024   beq-   0x80335aa4
80335A84:  801D0000   lwz   r0,0(r29)
80335A88:  809D0004   lwz   r4,4(r29)
80335A8C:  5418003C   rlwinm   r24,r0,0,0,30
80335A90:  7F03C378   mr   r3,r24
80335A94:  4BFFB4F5   bl   0x80330f88
80335A98:  809D0004   lwz   r4,4(r29)
80335A9C:  7F03C378   mr   r3,r24
80335AA0:  4BFFB5CD   bl   0x8033106c
80335AA4:  80170000   lwz   r0,0(r23)
80335AA8:  540007FF   rlwinm.   r0,r0,0,31,31
80335AAC:  4182000C   beq-   0x80335ab8
80335AB0:  7EFDBB78   mr   r29,r23
80335AB4:  48000018   b   0x80335acc
80335AB8:  3BA00000   li   r29,0
80335ABC:  48000010   b   0x80335acc
80335AC0:  38798860   subi   r3,r25,30624
80335AC4:  4CC63182   crclr   6,6
80335AC8:  4BCD3719   bl   0x800091e0
80335ACC:  3BDE0008   addi   r30,r30,8
80335AD0:  889E0002   lbz   r4,2(r30)
80335AD4:  280400CB   cmplwi   r4,203
80335AD8:  4082FE20   bne+   0x803358f8
80335ADC:  2C1D0000   cmpwi   r29,0
80335AE0:  41820024   beq-   0x80335b04
80335AE4:  801D0000   lwz   r0,0(r29)
80335AE8:  809D0004   lwz   r4,4(r29)
80335AEC:  5419003C   rlwinm   r25,r0,0,0,30
80335AF0:  7F23CB78   mr   r3,r25
80335AF4:  4BFFB495   bl   0x80330f88
80335AF8:  809D0004   lwz   r4,4(r29)
80335AFC:  7F23CB78   mr   r3,r25
80335B00:  4BFFB56D   bl   0x8033106c
80335B04:  38600001   li   r3,1
80335B08:  39610030   addi   r11,r1,48
80335B0C:  480735D5   bl   0x803a90e0
80335B10:  80010034   lwz   r0,52(r1)
80335B14:  7C0803A6   mtlr   r0
80335B18:  38210030   addi   r1,r1,48
80335B1C:  4E800020   blr   [/spoiler]

Address: 80335A3C
lis r12, 0x4A18        # r12 = 0x4A18B761, the bad bl word
ori r12, r12, 0xB761
cmpw r0, r12           # do we write illegal branch?
beq- _END              # if yes, skip the store
stw r0,0(r28)          # original instruction
_END:

Freefly Patch [Bully@Wiiplaza/dcx2]
C2335A3C 00000003
3D804A18 618CB761
7C006000 41820008
901C0000 00000000

;D

dcx2

Glad to hear it worked.  Anti-crash codes are top tier for sure.

However, instead of skipping the stw when r0 = "the wrong value", perhaps you should instead be checking r28 = "the wrong address".  It's possible that the wrong value will change depending on e.g. what level you're in.

Bully@Wiiplaza

#21
Quote from: dcx2 on August 17, 2011, 01:34:50 AM
Glad to hear it worked.  Anti-crash codes are top tier for sure.

However, instead of skipping the stw when r0 = "the wrong value", perhaps you should instead be checking r28 = "the wrong address".  It's possible that the wrong value will change depending on e.g. what level you're in.
Dammit... it works in that area, but moving on to somewhere else black screens again :(
You were right at some point. This *new* crash was not caused by an illegal branch, but by a source register with value 0.
Pretty low in memory, actually...

[spoiler]  CR:28000088  XER:20000000  CTR:8001F5D4 DSIS:04000000
DAR:00000000 SRR0:800274F8 SRR1:00009032   LR:8001F0C4
 r0:00000000   r1:80537238   r2:8052A180   r3:00000000
 r4:80EF5B94   r5:000000FF   r6:000000FF   r7:000000FF
 r8:00000006   r9:00000005  r10:00000003  r11:80537218
r12:8001F5D4  r13:80525EA0  r14:00000000  r15:80000000
r16:41A00000  r17:42000000  r18:00000000  r19:00000000
r20:00000000  r21:00000000  r22:00000000  r23:803E17C0
r24:803E17D4  r25:80433958  r26:803E1930  r27:803E1964
r28:802510C4  r29:80F056D0  r30:80EF5B94  r31:80F3B968

800274E0:  80630008   lwz   r3,8(r3)
800274E4:  4BFFFFDC   b   0x800274c0
800274E8:  8063000C   lwz   r3,12(r3)
800274EC:  4BFFFFD4   b   0x800274c0
800274F0:  80630004   lwz   r3,4(r3)
800274F4:  4BFFFFCC   b   0x800274c0
800274F8:  80630000   lwz   r3,0(r3)
800274FC:  4BFFFFC4   b   0x800274c0
80027500:  80630010   lwz   r3,16(r3)
80027504:  4BFFFFBC   b   0x800274c0
80027508:  9421FFE0   stwu   r1,-32(r1)
8002750C:  7C0802A6   mflr   r0
80027510:  90010024   stw   r0,36(r1)
80027514:  39610020   addi   r11,r1,32
80027518:  48381B95   bl   0x803a90ac
8002751C:  880301A8   lbz   r0,424(r3)
80027520:  7C7D1B78   mr   r29,r3
80027524:  3BE00000   li   r31,0
80027528:  7C000775   extsb.   r0,r0
8002752C:  40820030   bne-   0x8002755c
80027530:  4BFFF4A1   bl   0x800269d0
80027534:  7C7E1B78   mr   r30,r3
80027538:  387D00BC   addi   r3,r29,188
8002753C:  4BFFF48D   bl   0x800269c8
80027540:  807D00B8   lwz   r3,184(r29)
80027544:  7FA4EB78   mr   r4,r29
80027548:  80630010   lwz   r3,16(r3)
8002754C:  4BFFFF75   bl   0x800274c0
80027550:  7C7F1B78   mr   r31,r3
80027554:  7FC3F378   mr   r3,r30
80027558:  4BFFF471   bl   0x800269c8
8002755C:  39610020   addi   r11,r1,32
80027560:  7FE3FB78   mr   r3,r31
80027564:  48381B95   bl   0x803a90f8
80027568:  80010024   lwz   r0,36(r1)
8002756C:  7C0803A6   mtlr   r0
80027570:  38210020   addi   r1,r1,32
80027574:  4E800020   blr   
[/spoiler]
I feel like giving up on it now. r3 keeps changing as well.

dcx2

My guess is that the same stw that screwed you before is screwing you again.  This crash feels very...random.  There's no reason for game code to be stw'ing to other game code unless the pointers became corrupt.  Fix corruption for one target and it simply pops up somewhere else.

One interesting thing - r12/ctr for your first crash and this crash are identical.  That means it got just about as far as it did the first time before something messed it up.

I would set some XBP's on that stw, run around to get some "good" samples, and then try to cause the crash.  Try to figure out what might identify when the pointer becomes corrupt.

Bully@Wiiplaza

#23
I just noticed that my ASM code (freefly) does not work anymore in the castle since the assembly there changes (it worked in the garden).
Since the address is that high, it's probably only on-the-fly ASM :/
I should get another hook... maybe that one won't freeze at all.

---

stw's don't work since it's always overwritten by something...
I may need to write a pointer code instead.
That one won't fail since I already made a teleporter with a pointer.

Topic terminated... :-[