Bully@Wiiplaza
Hacker
Legendary Member
Karma: 93
Posts: 1853
« Reply #570 on: August 08, 2011, 09:13:15 PM »
Quote:
    Yeah, there's some kinda cmp or . instruction before the bge-. You could change it so it always evaluates to greater-or-equal.
    Try this C2 code. It might work, although I'd need a Copy Function on the hook address to know for sure.

        lis r12,0x801E
        ori r12,r12,0x8B48
        mtctr r12
        bctr

    If that C2 code works, and the 04 code does not, then I would blame the cache.

The C2 code crashes as well.

    C21E8B28 00000003
    3D80801E 618C8B48
    7D8903A6 4E800420
    60000000 00000000

Spoiler for Hidden:
    801E8AEC: 9421FFF0 stwu r1,-16(r1)
    801E8AF0: 7C0802A6 mflr r0
    801E8AF4: 90010014 stw r0,20(r1)
    801E8AF8: 93E1000C stw r31,12(r1)
    801E8AFC: 3FE08066 lis r31,-32666
    801E8B00: 3BFF2688 addi r31,r31,9864
    801E8B04: 801F3164 lwz r0,12644(r31)
    801E8B08: 2C000000 cmpwi r0,0
    801E8B0C: 41820010 beq- 0x801e8b1c
    801E8B10: 28000001 cmplwi r0,1
    801E8B14: 41820054 beq- 0x801e8b68
    801E8B18: 480000AC b 0x801e8bc4
    801E8B1C: 807F30BC lwz r3,12476(r31)
    801E8B20: 38030001 addi r0,r3,1
    801E8B24: 28000005 cmplwi r0,5
    801E8B28: 40800020 bge- 0x801e8b48
    801E8B2C: 807F3168 lwz r3,12648(r31)
    801E8B30: 38800052 li r4,82
    801E8B34: 4BFFAFC5 bl 0x801e3af8
    801E8B38: 38000000 li r0,0
    801E8B3C: 901F3150 stw r0,12624(r31)
    801E8B40: 901F314C stw r0,12620(r31)
    801E8B44: 48000080 b 0x801e8bc4
    801E8B48: 807F3168 lwz r3,12648(r31)
    801E8B4C: 38800000 li r4,0
    801E8B50: 38A00006 li r5,6
    801E8B54: 4BFFB369 bl 0x801e3ebc
    801E8B58: 807F3164 lwz r3,12644(r31)
    801E8B5C: 38030001 addi r0,r3,1
    801E8B60: 901F3164 stw r0,12644(r31)
    801E8B64: 48000060 b 0x801e8bc4
    801E8B68: 801F3128 lwz r0,12584(r31)
    801E8B6C: 2C000000 cmpwi r0,0
    801E8B70: 41820038 beq- 0x801e8ba8
    801E8B74: 80DF316C lwz r6,12652(r31)
    801E8B78: 3C600001 lis r3,1
    801E8B7C: 38038000 subi r0,r3,32768
    801E8B80: 3880000C li r4,12
    801E8B84: 7C6600D0 neg r3,r6
    801E8B88: 38A00000 li r5,0
    801E8B8C: 7C633378 or r3,r3,r6
    801E8B90: 38C00000 li r6,0
    801E8B94: 7C63FE70 srawi r3,r3,31
    801E8B98: 7C001838 and r0,r0,r3
    801E8B9C: 60000022 ori r0,r0,34
    801E8BA0: 5403043E rlwinm r3,r0,0,16,31
    801E8BA4: 4BFDE4A1 bl 0x801c7044
    801E8BA8: 3C808066 lis r4,-32666
    801E8BAC: 38000000 li r0,0
    801E8BB0: 38842688 addi r4,r4,9864
    801E8BB4: 38600001 li r3,1
    801E8BB8: 90043150 stw r0,12624(r4)
    801E8BBC: 9004314C stw r0,12620(r4)
    801E8BC0: 48000008 b 0x801e8bc8
    801E8BC4: 38600000 li r3,0
    801E8BC8: 80010014 lwz r0,20(r1)
    801E8BCC: 83E1000C lwz r31,12(r1)
    801E8BD0: 7C0803A6 mtlr r0
    801E8BD4: 38210010 addi r1,r1,16
    801E8BD8: 4E800020 blr
dcx2
Computer Engineer
Moderator
Legendary Member
Karma: 165
Posts: 3468
« Reply #571 on: August 08, 2011, 09:20:28 PM »
Okay, there's no way the C2 code had a cache problem.
Try doing this.

    801E8B24: 28000005 cmplwi r0,5 -> cmpw r3,r3   # this will always be equal, should effectively make bge- into b

or

    801E8B20: 38030001 addi r0,r3,1 -> li r0,6     # will make the cmpwi always greater than

Also...if you poke the branch when it's already executing, does it still work?
Bully@Wiiplaza
« Reply #572 on: August 08, 2011, 09:26:44 PM »
Quote from dcx2:
    801E8B24: 28000005 cmplwi r0,5 -> cmpw r3,r3 # this will always be equal, should effectively make bge- into b
    Also...if you poke the branch when it's already executing, does it still work?

Poking never crashed.

GCT code 041E8B24 7C031800 ("cmpw r3, r3") crashed the game.
GCT code 041E8B20 38000006 ("li r0, 6") crashed the game.
Gecko.NET always says stuff about error extensions...
« Last Edit: August 08, 2011, 09:37:07 PM by Bully@Wiiplaza »
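An added example (not from any post in this thread, and not Gecko.NET or code-handler code): a small Python encoder for the PowerPC instructions that replies #570 to #572 patch, plus the Gecko 04 and C2 line layouts. It regenerates every hex word quoted above (40800020 and its 48000020 replacement, 7C031800, 38000006, and the C21E8B28 block) so a patch can be checked offline before it is sent to the console, and its `branch_target` decoder recovers a branch's destination from the raw word, which is the check to run on a patched instruction before blaming the code handler for a crash. Field layouts follow the PowerPC ISA; the C2 padding rule (last word 00000000, a nop inserted when the instruction count is even) follows the public Gecko code-type documentation; `HOOK` and `SKIP` are the addresses from the posted listing, and every function name is this example's own.

```python
"""Added example: encode the PowerPC words and Gecko code lines quoted in the
thread (hypothetical helpers, not Gecko.NET / code-handler code).
HOOK and SKIP are the addresses from the posted listing."""

def _u16(v):
    """Low 16 bits of a (possibly negative) immediate."""
    return v & 0xFFFF

def _sext(v, bits):
    """Sign-extend the low `bits` bits of v."""
    v &= (1 << bits) - 1
    return v - (1 << bits) if v & (1 << (bits - 1)) else v

# D-form / X-form integer instructions (primary opcode in the top 6 bits)
def lis(rd, imm):                 # addis rd, r0, imm
    return (15 << 26) | (rd << 21) | _u16(imm)

def li(rd, imm):                  # addi rd, r0, imm
    return (14 << 26) | (rd << 21) | _u16(imm)

def addi(rd, ra, imm):
    return (14 << 26) | (rd << 21) | (ra << 16) | _u16(imm)

def ori(ra, rs, imm):             # ori ra, rs, imm; ori r0,r0,0 is the canonical nop
    return (24 << 26) | (rs << 21) | (ra << 16) | _u16(imm)

def cmplwi(ra, imm, crf=0):       # cmpli crf, L=0, ra, uimm
    return (10 << 26) | (crf << 23) | (ra << 16) | _u16(imm)

def cmpw(ra, rb, crf=0):          # cmp crf, L=0, ra, rb (X-form, extended opcode 0)
    return (31 << 26) | (crf << 23) | (ra << 16) | (rb << 11)

def mtctr(rs):                    # mtspr 9, rs; the SPR number is stored as two swapped 5-bit halves
    spr = 9
    return (31 << 26) | (rs << 21) | ((spr & 0x1F) << 16) | ((spr >> 5) << 11) | (467 << 1)

def bctr():                       # bcctr BO=20 (branch always), BI=0
    return (19 << 26) | (20 << 21) | (528 << 1)

NOP = ori(0, 0, 0)                # 0x60000000

# Relative branches: I-form carries a 24-bit word displacement, B-form a 14-bit one.
def b(pc, target):
    off = target - pc
    if off % 4 or not -0x2000000 <= off < 0x2000000:
        raise ValueError("b: target out of range")
    return (18 << 26) | (off & 0x03FFFFFC)

def bc(pc, target, bo, bi):
    off = target - pc
    if off % 4 or not -0x8000 <= off < 0x8000:
        raise ValueError("bc: target out of range")
    return (16 << 26) | (bo << 21) | (bi << 16) | (off & 0xFFFC)

# cr0 bit numbers: LT=0, GT=1, EQ=2. The "-" suffix means BO's y (prediction) bit is clear.
def bge_minus(pc, target):
    return bc(pc, target, bo=4, bi=0)     # branch if cr0.LT is clear

def beq_minus(pc, target):
    return bc(pc, target, bo=12, bi=2)    # branch if cr0.EQ is set

def branch_target(pc, word):
    """Target of an I-form or B-form relative branch located at pc, else None.
    AA/LK are masked off, so bl and bcl words decode too."""
    op = word >> 26
    if op == 18:
        return pc + _sext(word & 0x03FFFFFC, 26)
    if op == 16:
        return pc + _sext(word & 0xFFFC, 16)
    return None

# Gecko code lines. Both code types carry the address's low 25 bits.
def gecko_04(addr, value):
    """04 code: the handler writes `value` to addr each time it runs."""
    return ["%08X %08X" % (0x04000000 | (addr & 0x01FFFFFF), value & 0xFFFFFFFF)]

def gecko_c2(addr, insns):
    """C2 code: the handler branches from addr into these instructions and back.
    The body ends in a 00000000 word the handler rewrites into the return branch;
    a nop is inserted when the instruction count is even so the 64-bit lines pair up."""
    words = list(insns)
    if len(words) % 2 == 0:
        words.append(NOP)
    words.append(0x00000000)
    lines = ["%08X %08X" % (0xC2000000 | (addr & 0x01FFFFFF), len(words) // 2)]
    for i in range(0, len(words), 2):
        lines.append("%08X %08X" % (words[i], words[i + 1]))
    return lines

HOOK = 0x801E8B28   # the bge- in the listing
SKIP = 0x801E8B48   # where it branches when r0 >= 5

def thread_codes():
    """Regenerate every word and code line quoted in replies #570-#572."""
    return {
        "bge-": bge_minus(HOOK, SKIP),                  # original word at HOOK
        "b": b(HOOK, SKIP),                             # unconditional replacement
        "04 branch": gecko_04(HOOK, b(HOOK, SKIP)),
        "04 cmpw": gecko_04(0x801E8B24, cmpw(3, 3)),
        "04 li": gecko_04(0x801E8B20, li(0, 6)),
        "C2 jump": gecko_c2(HOOK, [lis(12, 0x801E), ori(12, 12, 0x8B48), mtctr(12), bctr()]),
    }

if __name__ == "__main__":
    for name, val in thread_codes().items():
        print(name, val if isinstance(val, list) else "%08X" % val)
```

Running the block prints the words and the 04/C2 lines; the C2 list comes out as the same three lines posted above. Nothing here talks to the console: the point is that a word which encodes correctly and whose decoded target matches the listing rules out an assembly mistake, leaving the delivery path (poke, 04 code, SD cheat) as the remaining variable.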
dcx2
« Reply #573 on: August 08, 2011, 09:42:52 PM »
Are you sure you poked the address while that part of the game was executing? Because it sounds like this isn't a problem with the code or the code handler, because otherwise other ASM hacks would fail too.
Did you try pausing before you send cheats? It shouldn't make a difference but maybe it will.
Bully@Wiiplaza
« Reply #574 on: August 08, 2011, 09:50:46 PM »
Quote from dcx2:
    Are you sure you poked the address while that part of the game was executing? Because it sounds like this isn't a problem with the code or the code handler, because otherwise other ASM hacks would fail too.
    Did you try pausing before you send cheats? It shouldn't make a difference but maybe it will.

1.) I'm 100% sure that it worked by poke. I tried it again and switched from default to modded value and nothing crashed. The code took effect, as it was intended. But if I send the same 04 code operation, it crashes. Pausing the game before sending crashed as well. I'm really clueless now. Using the code as GCT works.
dcx2
« Reply #575 on: August 08, 2011, 09:53:58 PM »
Quote from Bully@Wiiplaza:
    Pausing the game before sending crashed as well.

Did it crash before or after you unpaused? The game should not be running while it's paused, and therefore it shouldn't crash until the game is run. So...
1) Pause Game
2) Send Cheats
3) Switch to memview tab and see if you can read memory.
If you can, then the game didn't crash yet.

Quote from Bully@Wiiplaza:
    Using the code as GCT works

You mean via SD cheats?

EDIT: Other things to try.
1) Set a breakpoint on the instruction just before the 04 code's target, i.e. 801E8B24
2) While at the breakpoint, send cheats.
3) While still at the breakpoint go to disasm tab and see if the target was changed
You can also try the same thing, but instead set the breakpoint on the blr (801E8BD8) instead of the instruction before the target address.
« Last Edit: August 08, 2011, 09:56:46 PM by dcx2 »
Bully@Wiiplaza
« Reply #576 on: August 08, 2011, 09:55:25 PM »
Quote from dcx2:
    Pausing the game before sending crashed as well.
    Did it crash before or after you unpaused? The game should not be running while it's paused, and therefore it shouldn't crash until the game is run. So...
    1) Pause Game
    2) Send Cheats
    3) Switch to memview tab and see if you can read memory.
    If you can, then the game didn't crash yet.
    Using the code as GCT works
    You mean via SD cheats?

Yes, SD cheats.
I paused the game. Sent the code. (I can now still view memory.) Unpaused, and the game had crashed. (Gecko.NET froze up.)
« Last Edit: August 08, 2011, 09:57:32 PM by Bully@Wiiplaza »
dcx2
« Reply #577 on: August 08, 2011, 09:57:27 PM »
Did you switch to memview after sending the code and before unpausing? Did memview work while paused after sending codes?
Bully@Wiiplaza
« Reply #578 on: August 08, 2011, 09:58:15 PM »
Quote from dcx2:
    Did you switch to memview after sending the code and before unpausing? Did memview work while paused after sending codes?

Yes, I could still view memory before unpausing.
dcx2
« Reply #579 on: August 08, 2011, 10:00:39 PM »
Try this, too.
1) pause game
2) send cheats
3) go to disasm tab @ 801E8B28
4) is it 40800020 or 48000020?
5) Poke it while paused
6) unpause
Bully@Wiiplaza
« Reply #580 on: August 08, 2011, 10:02:30 PM »
Quote from dcx2:
    Try this, too.
    1) pause game
    2) send cheats
    3) go to disasm tab @ 801E8B28
    4) is it 40800020 or 48000020?
    5) Poke it while paused
    6) unpause

4) It's the new value (the value that got written).
5) Which value? Wouldn't it be overwritten by the 04 code?
dcx2
« Reply #581 on: August 08, 2011, 10:05:18 PM »
5) I would use the hack value (48000020). If you're on disasm tab, just press "assemble" and it will poke it with the current instruction.
Yes, it will be over-written by the 04 code... *at the next frame*. After you send cheats, the codes are executed. If you then poke the address, it won't be over-written until the code handler runs at the next frame. So, for the current frame of the game, it will be the poked value.
Bully@Wiiplaza
« Reply #582 on: August 08, 2011, 10:08:29 PM »
Quote from dcx2:
    5) I would use the hack value (48000020). If you're on disasm tab, just press "assemble" and it will poke it with the current instruction.
    Yes, it will be over-written by the 04 code... *at the next frame*. After you send cheats, the codes are executed. If you then poke the address, it won't be over-written until the code handler runs at the next frame. So, for the current frame of the game, it will be the poked value.

Yep, still crashes after pressing "run".
dcx2
« Reply #583 on: August 08, 2011, 10:10:42 PM »
This makes me doubt your claim that you're 100% sure poking works. Because you poked the address with the hacked branch and it still crashed.
Bully@Wiiplaza
« Reply #584 on: August 08, 2011, 10:14:28 PM »
Quote from dcx2:
    This makes me doubt your claim that you're 100% sure poking works. Because you poked the address with the hacked branch and it still crashed.

Why did the "poked" hack then work for me? It's not a joke! It must be something with Gecko.NET, because it spits error exceptions after it crashed... As you may have noticed, NONE of my tries to send this 04 (and once the C2) code ended without freezing the game.
« Last Edit: August 08, 2011, 10:17:50 PM by Bully@Wiiplaza »