Starting out with WiiRD on Brawl... Final Smash Effects attempt....

Started by shadowofchaos, December 21, 2008, 01:07:57 AM


shadowofchaos

Thanks, you guys, for all the helpful support!!!

I'm trying again today... Wish me luck!!!

Edit: Attempt today... I've decided that to understand how to figure this stuff out... I need to figure out what those ASM on the breakpoints mean...

I'm understanding more and more each time... however, I still need help while learning....

(I still have the game paused with WiiRD while watching TV)

Anyway... Here's the thing now....

Breakpoint set to "806299B3"

While I get the smash ball... it gets triggered... (btw, what's the significance if it doesn't trigger when I check "exact match"?)

I have these results....

Upper Window

CR  : 44004088  XER : 20000000  CTR : 80046A24  DSIS: 02400000
DAR : 806299B0  SRR0: 80044964  SRR1: 0000B032  LR  : 8004587C
r0  : 00000008  r1  : 805B4E60  r2  : 805A9320  r3  : 806299A8
r4  : 806292EC  r5  : 00000007  r6  : 00000000  r7  : 00000080
r8  : 00000001  r9  : 00000000  r10 : 805B4E90  r11 : 805B4E90
r12 : 80046A24  r13 : 805A4420  r14 : 00000000  r15 : 00000000
r16 : 00000000  r17 : 00000000  r18 : 00000000  r19 : 00000000
r20 : 00000001  r21 : 43300000  r22 : 80000000  r23 : 00000000
r24 : 80629980  r25 : 00010000  r26 : 806292EC  r27 : 8062F3E0
r28 : 00000000  r29 : 00000001  r30 : 80B84EE0  r31 : 00000000

f0  : 3F800000  f1  : 4101999A  f2  : 4101999A  f3  : 4101999A
f4  : 4101999A  f5  : 43700000  f6  : 43A00000  f7  : 43A00000
f8  : C3700000  f9  : 4B7FFF58  f10 : 36397ED0  f11 : 3E088888
f12 : 3CB327A4  f13 : 3B6B6916  f14 : 00000000  f15 : 00000000
f16 : 00000000  f17 : 00000000  f18 : 00000000  f19 : 00000000
f20 : 00000000  f21 : 00000000  f22 : 00000000  f23 : 00000000
f24 : 00000000  f25 : 00000000  f26 : 00000000  f27 : 3F7FA371
f28 : 59800004  f29 : 59800000  f30 : 3F800000  f31 : 426FC29F


Lower Window:

80044964:  90030008   stw   r0,8(r3)
80044968:  4E800020   blr   
8004496C:  80A40000   lwz   r5,0(r4)
80044970:  80C40004   lwz   r6,4(r4)
80044974:  2C050000   cmpwi   r5,0
80044978:  4182000C   beq-   0x80044984
8004497C:  90C50004   stw   r6,4(r5)
80044980:  48000008   b   0x80044988
80044984:  90C30004   stw   r6,4(r3)
80044988:  2C060000   cmpwi   r6,0
8004498C:  4182000C   beq-   0x80044998
80044990:  90A60000   stw   r5,0(r6)
80044994:  48000008   b   0x8004499c
80044998:  90A30000   stw   r5,0(r3)
8004499C:  38000000   li   r0,0
800449A0:  90040004   stw   r0,4(r4)

*Wait... from the bolded part... it's the code that appears in the Assembly code itself in the form of what is injected in your own ASM instructions?



It says: Do not break on "80044964"...

My question is... How is that significant when it comes to ASM and the breakpoint?

To understand this... I've been looking at Black_Wolf's ASM tutorial on the Moonjump code...

From what I see from Dr. Pepper's posts about injection... If theoretically I was to inject an ASM code... it would be on "80044968"? If not, how would you determine where to inject the ASM code?


If my understanding of the lower window is incorrect, PLEASE correct me...

80044964:  90030008   stw   r0,8(r3) // Store the value in r0 into the address r3 is pointing to + 8
80044968:  4E800020   blr              // End Program (Is this where you're able to inject the ASM?)
8004496C:  80A40000   lwz   r5,0(r4)  // Load the value in the address in r4 or the "word" (like if the value of the address is 0x00001234, it would load the "0x1234" into r5?)
80044970:  80C40004   lwz   r6,4(r4) // Load the value in the address in r4 of the "word" + 4?
80044974:  2C050000   cmpwi   r5,0      // Subtracts 0 from r5 to confirm?
80044978:  4182000C   beq-   0x80044984 // Branch to this value (Address?) if equal? What's the "-" for then?
8004497C:  90C50004   stw   r6,4(r5)     // load the word from r6 into the address in r5 + 4?
80044980:  48000008   b   0x80044988 // Branch to this address? (Go to this address?)
80044984:  90C30004   stw   r6,4(r3) //Store the word from r6 into the "address" in r3 + 4?
80044988:  2C060000   cmpwi   r6,0     // Confirm by subtracting zero to compare...
8004498C:  4182000C   beq-   0x80044998 //... and branch to address if they are equal
80044990:  90A60000   stw   r5,0(r6)      //store the word value from r5 into the address pointed to by r6
80044994:  48000008   b   0x8004499c // branch always to address
80044998:  90A30000   stw   r5,0(r3)  //store word from r5 into the address in r3
8004499C:  38000000   li   r0,0     // load immediately the value "0" in r0
800449A0:  90040004   stw   r0,4(r4) // store the value from r0 to the address in r4 + 4

Edit #2: Does "Branch" mean "go to"? and the "Branch to link register" from the PowerPC tutorial is always at the end of the code in the tutorial... I don't see it in ASM code here though... is it because the end of the codes always go back to the original code assembly instructions after it's injected?

I'm just trying to make sense of this as I'm looking at the concepts... not necessarily this being the key to it all... My question is... did I understand the instructions right?

Edit #3: From my guess... the "bne -" that I was wondering about is causing the code to "recheck" by redoing the operation to compare by subtracting a zero? "bne" and then - or + would cause a shift of one line in either direction, and a more specific value would be like what Black_Wolf did: he skipped three lines in his moon jump code by putting in "bne +0x12".... But wait... doesn't HEX for lines go in 4's... and therefore would it be "bne +0x0C"?

Quote from: Black_Wolf on October 10, 2008, 09:55:13 AM
-co-ordinates are at 0x80CC4584
-controller address is at 0x80496AC0
-The button we want to activate has a value of 0x00000200
-We want to add 0x004C to the Z Co-ords
- We are injecting our routine at the address 0x804568C8
lis r0, 0x8049                //Loads first 2 bytes of Control address
lwz r1, 0x6AC0(r0)         //Loads the full value of the control address into r1
li r2, 0x00000200           //Loads the value for the button we want to be the activator into r2
lis r3, 0x80CC               //Loads first 2 bytes of co-ords
lwz r4, 0x4584(r3)         //Loads the full value of the z-co-ords into r4
li r5, 0x0000004C          //Loads the value we want to add to co-ords (jump speed) into r5
cmpw r1, r2               //Compares the BUTTON value and the CONTROLLER address (check if we are holding our activator or not)
bne +0x12                 //If we are NOT holding the button activator, jump to the end i.e cancel
add r6, r4, r5             // If we ARE, add 0x004C to our z-co-ord value (increase our height)
stw r6, 0x4584(r3)       //Store the modified co-ords back to their address!

And that's pretty much it lol. In theory this should increase our height if holding a button, therefore "jumping" into the air. Now there might be some mistakes in the above routine, I'm very new to this type of asm, I'm good at mips but some of the syntaxes are very confusing, so bear with me if there are some errors. This should however, give you a fair idea of how it's done.

This is exactly how my ASM program looked:



Edit #4: Hmm... when I look at this... I'm feeling like the values on here with the addresses might have the instructions that "activate" the final smashes?

I might want to inject a similar code in ASM for Final Smash effects?

Edit #5: Hmm... When I get the smash ball with Link on the same address set to a breakpoint... I get this screen....

Upper Window of Breakpoint:

CR  : 88004088  XER : 20000000  CTR : 0000000D  DSIS: 02400000
DAR : 806299B0  SRR0: 800449B0  SRR1: 0000B032  LR  : 80045F70
r0  : 00000007  r1  : 805B4CF0  r2  : 805A9320  r3  : 806299A8
r4  : 00000008  r5  : 00000000  r6  : 80628B98  r7  : 00000053
r8  : 00000914  r9  : 80627DD0  r10 : F0000000  r11 : 805B4D10
r12 : 8084FCC8  r13 : 805A4420  r14 : 00000000  r15 : 00000000
r16 : 00000000  r17 : 00000000  r18 : 00000000  r19 : 00000000
r20 : 00000001  r21 : 80624810  r22 : 80000000  r23 : 80AD7E40
r24 : 80627920  r25 : 00000022  r26 : 00000000  r27 : 00000000
r28 : 0000000C  r29 : 80629980  r30 : 00000000  r31 : 80629324

f0  : 3D8F5C29  f1  : 42480000  f2  : 4179BF28  f3  : 418212C7
f4  : 4221F01F  f5  : 42193A11  f6  : 410745FA  f7  : 3F266666
f8  : 00000000  f9  : 3E689917  f10 : BE1ACA6D  f11 : 3F734C91
f12 : BF6F8E7F  f13 : 3E28C16C  f14 : 00000000  f15 : 00000000
f16 : 00000000  f17 : 00000000  f18 : 00000000  f19 : 00000000
f20 : 00000000  f21 : 00000000  f22 : 00000000  f23 : 00000000
f24 : 00000000  f25 : 00000000  f26 : 00000000  f27 : 3F7EB1BC
f28 : 59800004  f29 : 42480000  f30 : 42480000  f31 : 00000000



Upper Window of Breakpoint

800449B0:  90030008   stw   r0,8(r3)
800449B4:  4E800020   blr   
800449B8:  80030008   lwz   r0,8(r3)
800449BC:  2C000000   cmpwi   r0,0
800449C0:  4182002C   beq-   0x800449ec
800449C4:  80C30000   lwz   r6,0(r3)
800449C8:  38A00000   li   r5,0
800449CC:  48000018   b   0x800449e4
800449D0:  7C062040   cmplw   r6,r4
800449D4:  40820008   bne-   0x800449dc
800449D8:  48000018   b   0x800449f0
800449DC:  80C60000   lwz   r6,0(r6)
800449E0:  38A50001   addi   r5,r5,1
800449E4:  2C060000   cmpwi   r6,0
800449E8:  4082FFE8   bne+   0x800449d0
800449EC:  38A0FFFF   li   r5,-1

Hmmm.... Looks very similar....

From what I can tell.. all the values that "change" when I get a final smash... the addresses are all pointed to by the assembly instructions...

Anyone have any suggestions on what I should do next?

Edit #6: At least someone can call this "progress"... XD
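Added example (written for this page, not code from any poster): a small Python decoder for the instruction forms that appear in the two WiiRD listings above. It shows that a branch target is the instruction's own address plus a displacement whose low two bits are not stored (so the offset is always a multiple of 4), that blr is just a jump to whatever is in LR, and that the "+"/"-" suffix is the predicted direction in the GNU binutils convention, which is consistent with the dumps here. Assumed: only the CR0 EQ condition (BI = 2) is handled, as in the listings.

```python
# Added example (not from any poster): decode the instruction forms in the WiiRD
# listings above. Branch target = address + displacement, and the displacement is
# always a multiple of 4 because its low two bits are not stored in the word.

def bits(word, hi, lo):
    """Bits hi..lo of a 32-bit word, PowerPC numbering (bit 0 is the MSB)."""
    return (word >> (31 - lo)) & ((1 << (lo - hi + 1)) - 1)

def sext(value, nbits):
    """Sign-extend an nbits-wide field."""
    return value - (1 << nbits) if value & (1 << (nbits - 1)) else value

def decode(addr, word):
    """Mnemonic string for one instruction word located at addr."""
    op = bits(word, 0, 5)
    if op == 18:                                  # b: I-form, 24-bit displacement << 2
        return f"b 0x{addr + sext(bits(word, 6, 29) << 2, 26):08x}"
    if op == 16:                                  # bc: B-form conditional branch
        bo, disp = bits(word, 6, 10), sext(bits(word, 16, 29) << 2, 16)
        name = {12: "beq", 4: "bne"}[bo & 0x1E]   # BO 0110y: CR bit set, 0010y: clear (BI assumed 2 = CR0 EQ)
        hint = "+" if (disp < 0) != bool(bo & 1) else "-"  # '+' = predicted taken (y bit flips default)
        return f"{name}{hint} 0x{addr + disp:08x}"
    if op == 19 and bits(word, 21, 30) == 16 and bits(word, 6, 10) == 20:
        return "blr"                              # bclr with BO=10100: unconditional jump to LR
    if op in (32, 36):                            # lwz / stw: D-form, rT,D(rA)
        rt, ra, d = bits(word, 6, 10), bits(word, 11, 15), sext(bits(word, 16, 31), 16)
        return f"{'lwz' if op == 32 else 'stw'} r{rt},{d}(r{ra})"
    if op == 14:                                  # addi; with rA = 0 the disassembler writes li
        rt, ra, imm = bits(word, 6, 10), bits(word, 11, 15), sext(bits(word, 16, 31), 16)
        return f"li r{rt},{imm}" if ra == 0 else f"addi r{rt},r{ra},{imm}"
    if op == 11:                                  # cmpwi: rA against a signed immediate
        return f"cmpwi r{bits(word, 11, 15)},{sext(bits(word, 16, 31), 16)}"
    if op == 31 and bits(word, 21, 30) == 32:     # cmplw: X-form unsigned register compare
        return f"cmplw r{bits(word, 11, 15)},r{bits(word, 16, 20)}"
    raise ValueError(f"unhandled opcode {op} in {word:08x}")

def branch_displacement(addr, target):
    """Displacement for a relative branch from addr to target; rejects targets that are not 4-byte aligned."""
    disp = target - addr
    if disp % 4:                                  # '+0x12' cannot be encoded; '+0x0C' skips three instructions
        raise ValueError(f"displacement {disp:#x} is not a multiple of 4")
    return disp

LISTING = [  # (address, word) pairs copied from the second lower-window dump above
    (0x800449B0, 0x90030008), (0x800449B4, 0x4E800020), (0x800449C0, 0x4182002C),
    (0x800449D0, 0x7C062040), (0x800449E0, 0x38A50001), (0x800449E8, 0x4082FFE8)]

if __name__ == "__main__":
    for a, w in LISTING: print(f"{a:08X}:  {w:08X}   {decode(a, w)}")
```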

Igglyboo

That's almost correct, but blr does not mean end program.

blr is branch to link register, it branches to the address in LR

Almas

The last 8 characters of an ASM code must always be 00000000. This is because the code handler will put in a line to branch back to just after where you put your branch in.

Thus, branching at a BLR isn't necessary. However, I personally find it more 'neat' to do it at a BLR whenever possible. It just feels more appropriate.

I would advise setting a break (Execute) about 0x10 earlier, to view what is actually going on. All you're seeing is the line which writes to the location - it could be useful to find out how that information is gotten.

That said, I'm not certain how you plan to achieve your final goal with this.

Igglyboo


shadowofchaos

Ouch... It's from Phantom Wings himself...

My hopes just got shut down...

Quote from: Phantom Wings from GSCentral Boards
Allow Multiple Final Smashes:
Not possible unfortunately - unless someone supplies a method of being able to rapidly re-allocate memory that is read from the disk... When someone collects a smash ball, a file is read from the disk which goes something like Fit<character>Final.pac... This file provides everything needed for the final smashes, and because there's expected to only be able to have one FS at a time, there is only enough space set aside for a single file. When a second smash ball is collected, the original gets overwritten - while it's still being used... Keep in mind that many of the FS effects are crucial to the complete FS working (Landmaster, Darkbeast Ganon, etc.) so removing the need for the file itself is also out of the question...

Hmm... Although I'm not gonna give up that easily...

I'm gonna keep trying... no matter what...

Igglyboo

He is right, I had this problem when I was doing my FS texture hacks.
The FS effects file (for Link it's ef_FinLink.pac) is only loaded when Link gets a smash ball, so I had to load it at that exact instant.

shadowofchaos

Quote from: Igglyboo on January 25, 2009, 02:09:41 PM
He is right, I had this problem when I was doing my FS texture hacks.
The FS effects file (for Link it's ef_FinLink.pac) is only loaded when Link gets a smash ball, so I had to load it at that exact instant.

Well... I guess I'll just have to settle for the other codes I want to do then... XD


Thank you for all the support that you guys have given me!!!

Although it's deemed "impossible" right now... I'm still holding on to the hope that someone is able to find space to re-allocate that memory to be able to at least load two files...

You guys have been great!!!

Phantom Wings

Wow, I didn't realize how much work you've put into trying to make this work. You've put a lot of effort into this... Try not to think too badly about how this project turned out, at least you learned a lot from it. It took many of these kind of failures to finally get to where I'm currently at.

There's always the chance that you could return to this project later. Lately I've been working on an uploader system that can upload files directly from the SD card at runtime. If there was a space in memory that's large enough to hold a complete FS.pac file, then it may be possible to have one Final Smash always loaded in one section while another Final Smash is loaded in the standard dynamic location. So that could be an option for the future.

Igglyboo

I don't think it works like that but I might be wrong.
I have edited the FS textures and the FS effects textures (i.e., Kirby's pot would be the FS and the fire would be an effect).
I haven't seen anything that looks like that glow in either of them.
It could be a lighting type thing that is handled by the game, like the trippy colors code I made (which just fucked up RGB triplets).

Phantom Wings

Yeah, I've been able to conjure the glowing aura at any time, so I think it's generated as part of the standard effects that are granted at the start of the match - the rest of the final smash, though, appears to be restricted to its .pac file.

shadowofchaos

Quote from: Phantom Wings on January 26, 2009, 04:09:24 AM
There's always the chance that you could return to this project later. Lately I've been working on an uploader system that can upload files directly from the SD card at runtime. If there was a space in memory that's large enough to hold a complete FS.pac file, then it may be possible to have one Final Smash always loaded in one section while another Final Smash is loaded in the standard dynamic location. So that could be an option for the future.

Dude... You really are one worthy of being worshipped by the Hacking community...

Thanks for the encouragement!!!

As I've said in the first post... I really didn't expect for it to work fully, but I enjoyed gaining some knowledge on how this stuff actually works.... I used to think that this stuff could only be done by those people like Datel who had access to the most sophisticated stuff for hacking games... I want you guys to know that every bit of advice that was contributed to this is appreciated!!! I appreciate all the input and all the kindness for helping me start out!!!! Thank you people!!!

Hmm... with the SD upload feature you're working on... I'm assuming that's what you and Igglyboo are working on as a method for Texture hacks right?

Edit: Btw, I'm wondering... what method of an unknown value search was used to get the address at which the Final Smash Effects .pac file is loaded at? You guys don't need to answer as this "project" is closed until there's another method to do this... lol

Igglyboo

Well, the texture method is done, we are just waiting for Gecko 2.0 to be released.
But the SD upload method PW is working on will be much better than what we have now.

shadowofchaos

Quote from: Igglyboo on January 27, 2009, 03:03:16 AM
Well, the texture method is done, we are just waiting for Gecko 2.0 to be released.
But the SD upload method PW is working on will be much better than what we have now.

You guys are the Greatest!!!

Replay value for games skyrocket because of guys like you!!!

Romaap

Quote from: shadowofchaos on January 27, 2009, 02:40:14 AM
Edit: Btw, I'm wondering... what method of an unknown value search was used to get the address at which the Final Smash Effects .pac file is loaded at? You guys don't need to answer as this "project" is closed until there's another method to do this... lol
I don't know, but I think they searched in the Memory Viewer for the ASCII text ".pac".
Just a wild guess

Igglyboo

That won't work.
The .pac is not in memory, that is just the extension on the FST.