Gecko dotNET Bugs and Requests

Started by Mal1t1a, January 19, 2010, 12:08:54 AM


Bully@Wiiplaza

Quote from: dcx2 on August 08, 2011, 10:09:13 PM
Yeah, there's some kinda cmp or . instruction before the bge-.  You could change it so it always evaluates to greater-or-equal.

Try this C2 code.  It might work, although I'd need a Copy Function on the hook address to know for sure.

lis r12,0x801E
ori r12,r12,0x8B48
mtctr r12
bctr

If that C2 code works, and the 04 code does not, then I would blame the cache.

The C2 code crashes as well.

C21E8B28 00000003
3D80801E 618C8B48
7D8903A6 4E800420
60000000 00000000


801E8AEC:  9421FFF0   stwu   r1,-16(r1)
801E8AF0:  7C0802A6   mflr   r0
801E8AF4:  90010014   stw   r0,20(r1)
801E8AF8:  93E1000C   stw   r31,12(r1)
801E8AFC:  3FE08066   lis   r31,-32666
801E8B00:  3BFF2688   addi   r31,r31,9864
801E8B04:  801F3164   lwz   r0,12644(r31)
801E8B08:  2C000000   cmpwi   r0,0
801E8B0C:  41820010   beq-   0x801e8b1c
801E8B10:  28000001   cmplwi   r0,1
801E8B14:  41820054   beq-   0x801e8b68
801E8B18:  480000AC   b   0x801e8bc4
801E8B1C:  807F30BC   lwz   r3,12476(r31)
801E8B20:  38030001   addi   r0,r3,1
801E8B24:  28000005   cmplwi   r0,5
801E8B28:  40800020   bge-   0x801e8b48
801E8B2C:  807F3168   lwz   r3,12648(r31)
801E8B30:  38800052   li   r4,82
801E8B34:  4BFFAFC5   bl   0x801e3af8
801E8B38:  38000000   li   r0,0
801E8B3C:  901F3150   stw   r0,12624(r31)
801E8B40:  901F314C   stw   r0,12620(r31)
801E8B44:  48000080   b   0x801e8bc4
801E8B48:  807F3168   lwz   r3,12648(r31)
801E8B4C:  38800000   li   r4,0
801E8B50:  38A00006   li   r5,6
801E8B54:  4BFFB369   bl   0x801e3ebc
801E8B58:  807F3164   lwz   r3,12644(r31)
801E8B5C:  38030001   addi   r0,r3,1
801E8B60:  901F3164   stw   r0,12644(r31)
801E8B64:  48000060   b   0x801e8bc4
801E8B68:  801F3128   lwz   r0,12584(r31)
801E8B6C:  2C000000   cmpwi   r0,0
801E8B70:  41820038   beq-   0x801e8ba8
801E8B74:  80DF316C   lwz   r6,12652(r31)
801E8B78:  3C600001   lis   r3,1
801E8B7C:  38038000   subi   r0,r3,32768
801E8B80:  3880000C   li   r4,12
801E8B84:  7C6600D0   neg   r3,r6
801E8B88:  38A00000   li   r5,0
801E8B8C:  7C633378   or   r3,r3,r6
801E8B90:  38C00000   li   r6,0
801E8B94:  7C63FE70   srawi   r3,r3,31
801E8B98:  7C001838   and   r0,r0,r3
801E8B9C:  60000022   ori   r0,r0,34
801E8BA0:  5403043E   rlwinm   r3,r0,0,16,31
801E8BA4:  4BFDE4A1   bl   0x801c7044
801E8BA8:  3C808066   lis   r4,-32666
801E8BAC:  38000000   li   r0,0
801E8BB0:  38842688   addi   r4,r4,9864
801E8BB4:  38600001   li   r3,1
801E8BB8:  90043150   stw   r0,12624(r4)
801E8BBC:  9004314C   stw   r0,12620(r4)
801E8BC0:  48000008   b   0x801e8bc8
801E8BC4:  38600000   li   r3,0
801E8BC8:  80010014   lwz   r0,20(r1)
801E8BCC:  83E1000C   lwz   r31,12(r1)
801E8BD0:  7C0803A6   mtlr   r0
801E8BD4:  38210010   addi   r1,r1,16
801E8BD8:  4E800020   blr
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

dcx2

Okay, there's no way the C2 code had a cache problem.

Try doing this.

801E8B24:  28000005   cmplwi   r0,5  ->  cmpw r3,r3  # this will always be equal, should effectively make bge- into b

or

801E8B20:  38030001   addi   r0,r3,1  ->  li r0,6  # will make the cmpwi always greater than

Also...if you poke the branch when it's already executing, does it still work?

Bully@Wiiplaza

#572
Quote from: dcx2 on August 08, 2011, 10:20:28 PM
801E8B24:  28000005   cmplwi   r0,5  ->  cmpw r3,r3  # this will always be equal, should effectively make bge- into b

Also...if you poke the branch when it's already executing, does it still work?
Poking never crashed.

---

gct code 041E8B24 7C031800 ("cmpw r3, r3") crashed the game.
gct code 041E8B20 38000006 ("li r0, 6") crashed the game.

Gecko.NET always says stuff about error extensions...

FTDIUSBGecko.EUSBGeckoException: Eine Ausnahme vom Typ "FTDIUSBGecko.EUSBGeckoException" wurde ausgelöst.
  bei FTDIUSBGecko.USBGecko.Dump(UInt32 startdump, UInt32 enddump, Stream[] saveStream, Dump memdump)
  bei FTDIUSBGecko.USBGecko.GetExiSendAddress()
  bei GeckoApp.CodeController.UpdateActiveCodeCount()
  bei GeckoApp.CodeController.UpdateCode(Int32 index, String codeInput)
  bei GeckoApp.CodeController.codeOutput_SelectedIndexChanged(Object sender, EventArgs e)
  bei System.Windows.Forms.ListView.OnSelectedIndexChanged(EventArgs e)
  bei System.Windows.Forms.ListView.WmReflectNotify(Message& m)
  bei System.Windows.Forms.ListView.WndProc(Message& m)
  bei System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
  bei System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

---

bei = at
wurde ausgelöst = was triggered

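Added example (not from the thread and not Gecko.NET code): a small Python encoder for the PowerPC instructions traded in the two posts above, plus a formatter for Gecko 04 and C2 lines, so each hand-assembled word (7C031800, 38000006, 48000020, the C2 hook words) can be rechecked before it is sent. It assumes the thread's addresses and the standard Gecko 1.x line format.

```python
"""PowerPC instruction encoders and Gecko 04/C2 line formatting (added example).
Field layouts follow the PowerPC ISA; the Gecko line format is the Gecko 1.x one
the thread uses. Addresses below are the thread's own (801E8B20..801E8B48)."""

def addi(rd, ra, simm):     # opcode 14; li rD,x is addi rD,0,x
    return (14 << 26) | (rd << 21) | (ra << 16) | (simm & 0xFFFF)

def addis(rd, ra, simm):    # opcode 15; lis rD,x is addis rD,0,x
    return (15 << 26) | (rd << 21) | (ra << 16) | (simm & 0xFFFF)

def ori(ra, rs, uimm):      # opcode 24; ori r0,r0,0 is the canonical nop (60000000)
    return (24 << 26) | (rs << 21) | (ra << 16) | (uimm & 0xFFFF)

def mtctr(rs):              # mtspr 9,rS (XO 467); SPR number has its 5-bit halves swapped
    spr = ((9 & 0x1F) << 5) | (9 >> 5)
    return (31 << 26) | (rs << 21) | (spr << 11) | (467 << 1)

def bctr():                 # bcctr 20,0 (XO 528): unconditional jump to CTR
    return (19 << 26) | (20 << 21) | (528 << 1)

def cmpw(ra, rb, crf=0):    # cmp crfD,0,rA,rB (XO 0); cmpw r3,r3 always sets EQ
    return (31 << 26) | (crf << 23) | (ra << 16) | (rb << 11)

def b(addr, target):        # opcode 18: relative, 24-bit word-aligned displacement
    return (18 << 26) | ((target - addr) & 0x03FFFFFC)

def bc(bo, bi, addr, target):  # opcode 16: bge- is bc 4,0 (branch if cr0.LT is clear)
    return (16 << 26) | (bo << 21) | (bi << 16) | ((target - addr) & 0xFFFC)

def gecko_04(addr, word):
    """04 code: store one 32-bit word at addr (0x80xxxxxx region assumed)."""
    return f"04{addr & 0xFFFFFF:06X} {word:08X}"

def gecko_c2(addr, insns):
    """C2 code: hook addr with inline ASM. Lines carry two words; the block must
    end with a 00000000 word, so an even instruction count first gets a nop pad."""
    words = list(insns) + ([ori(0, 0, 0)] if len(insns) % 2 == 0 else [])
    words.append(0)
    lines = [f"C2{addr & 0xFFFFFF:06X} {len(words) // 2:08X}"]
    lines += [f"{words[i]:08X} {words[i + 1]:08X}" for i in range(0, len(words), 2)]
    return lines

if __name__ == "__main__":
    # The three candidate patches from the thread, all around the bge- at 801E8B28
    print(gecko_04(0x801E8B28, b(0x801E8B28, 0x801E8B48)))   # bge- -> b
    print(gecko_04(0x801E8B24, cmpw(3, 3)))                   # cmplwi r0,5 -> cmpw r3,r3
    print(gecko_04(0x801E8B20, addi(0, 0, 6)))                # addi r0,r3,1 -> li r0,6
    hook = [addis(12, 0, 0x801E), ori(12, 12, 0x8B48), mtctr(12), bctr()]
    print("\n".join(gecko_c2(0x801E8B28, hook)))              # dcx2's C2 hook
```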

dcx2

Are you sure you poked the address while that part of the game was executing?  Because it sounds like this isn't a problem with the code or the code handler, because otherwise other ASM hacks would fail too.

Did you try pausing before you send cheats?  It shouldn't make a difference but maybe it will.

Bully@Wiiplaza

Quote from: dcx2 on August 08, 2011, 10:42:52 PM
Are you sure you poked the address while that part of the game was executing?  Because it sounds like this isn't a problem with the code or the code handler, because otherwise other ASM hacks would fail too.

Did you try pausing before you send cheats?  It shouldn't make a difference but maybe it will.
1.) I'm 100% sure that it worked by poke.
I tried it again and switched from default to modded value and nothing crashed.
The code took effect, as it was intended.

But if I send the same 04 code operation, it crashes.
Pausing the game before sending crashed as well.

I'm really clueless now.
Using the code as GCT works :eek:

dcx2

#575
Quote from: Bully@Wiiplaza on August 08, 2011, 10:50:46 PM
Pausing the game before sending crashed as well.

Did it crash before or after you unpaused?  The game should not be running while it's paused, and therefore it shouldn't crash until the game is run.  So...

1) Pause Game
2) Send Cheats
3) Switch to memview tab and see if you can read memory.

If you can, then the game didn't crash yet.

Quote
Using the code as GCT works :eek:
You mean via SD cheats?

EDIT:

Other things to try.

1) Set a breakpoint on the instruction just before the 04 code's target.  i.e. 801E8B24
2) While at the breakpoint, send cheats.
3) While still at the breakpoint go to disasm tab and see if the target was changed

You can also try the same thing, but instead set the breakpoint on the blr (801E8BD8) instead of the instruction before the target address.

Bully@Wiiplaza

#576
Quote from: dcx2 on August 08, 2011, 10:53:58 PM
Quote from: Bully@Wiiplaza on August 08, 2011, 10:50:46 PM
Pausing the game before sending crashed as well.

Did it crash before or after you unpaused?  The game should not be running while it's paused, and therefore it shouldn't crash until the game is run.  So...

1) Pause Game
2) Send Cheats
3) Switch to memview tab and see if you can read memory.

If you can, then the game didn't crash yet.

Quote
Using the code as GCT works :eek:
You mean via SD cheats?
Yes, SD cheats.

I paused the game.
Sent the code. (I can now still view memory)
Unpaused, the game had crashed. (Gecko.NET froze up)

dcx2

Did you switch to memview after sending the code and before unpausing?  Did memview work while paused after sending codes?

Bully@Wiiplaza

Quote from: dcx2 on August 08, 2011, 10:57:27 PM
Did you switch to memview after sending the code and before unpausing?  Did memview work while paused after sending codes?
Yes, I could still view memory before unpausing.

dcx2

Try this, too.

1) pause game
2) send cheats
3) go to disasm tab @ 801E8B28
4) is it 40800020 or 48000020?
5) Poke it while paused
6) unpause

Bully@Wiiplaza

Quote from: dcx2 on August 08, 2011, 11:00:39 PM
Try this, too.

1) pause game
2) send cheats
3) go to disasm tab @ 801E8B28
4) is it 40800020 or 48000020?
5) Poke it while paused
6) unpause

4) It's the new value (the value that got written)
5) Which value? Wouldn't it be overwritten by the 04 code?

dcx2

5) I would use the hack value (48000020).  If you're on disasm tab, just press "assemble" and it will poke it with the current instruction.

Yes, it will be over-written by the 04 code... *at the next frame*.  After you send cheats, the codes are executed.  If you then poke the address, it won't be over-written until the code handler runs at the next frame.  So, for the current frame of the game, it will be the poked value.

Bully@Wiiplaza

Quote from: dcx2 on August 08, 2011, 11:05:18 PM
5) I would use the hack value (48000020).  If you're on disasm tab, just press "assemble" and it will poke it with the current instruction.

Yes, it will be over-written by the 04 code... *at the next frame*.  After you send cheats, the codes are executed.  If you then poke the address, it won't be over-written until the code handler runs at the next frame.  So, for the current frame of the game, it will be the poked value.
Yep, still crashes after pressing "run".

dcx2

This makes me doubt your claim that you're 100% sure poking works.  Because you poked the address with the hacked branch and it still crashed.

Bully@Wiiplaza

#584
Quote from: dcx2 on August 08, 2011, 11:10:42 PM
This makes me doubt your claim that you're 100% sure poking works.  Because you poked the address with the hacked branch and it still crashed.
Why did the "poked" hack then work for me?
It's not a joke!
It must be something with Gecko.NET, because it spits error exceptions after it crashed...
As you may have noticed, NONE of my tries to send this 04 (and once the C2) code went without freezing the game.