Health

Started by sulfur, March 12, 2010, 06:16:33 AM

sulfur

Can somebody help me? I am trying to make a health code. I start out by searching an unknown 32-bit equal value, then I hurt myself, pause the game and search not equal, run the game, wait till the red screen goes away and search not equal, then equal, and so on and so on. I got down to 8 addresses; all of them have the same values except one, so I write/breakpoint and this is what it gives me:

I tried to nop stfs f0,400(r3) but that didn't seem to work. Any ideas? Thanks.

CR: 48000428  XER: 00000000  CTR: 00000000 DSIS: 02400000
DAR: 808BA790 SRR0: 80561DE0 SRR1: 0000B032   LR: 80561DC0
  r0: 00000000   r1: 801C9A08   r2: 801C1300   r3: 808BA600
  r4: 808BA600   r5: 00000000   r6: 00000000   r7: 00000008
  r8: 80DF7084   r9: 000000C2  r10: 00000000  r11: 801C9A08
r12: 81107A18  r13: 801C02A0  r14: 935E0000  r15: 03534D00
r16: 8011A2E0  r17: 00000000  r18: 00000000  r19: 802BB000
r20: 802BA580  r21: 00000001  r22: 800E7040  r23: 800F1000
r24: 8011A180  r25: 00000001  r26: 00000001  r27: 00000000
r28: 00000001  r29: 00000007  r30: 808BA600  r31: 808BAE3C

f0: 3FAAAAAB   f1: 4403C000   f2: 43C88000   f3: D0A10000
  f4: D0A0C000   f5: 00000000   f6: 00000000   f7: 00000000
  f8: 00000000   f9: 00000000  f10: 00000000  f11: 3F800000
f12: 3F800000  f13: 00000000  f14: 00000000  f15: 00000000
f16: 00000000  f17: 00000000  f18: 00000000  f19: 00000000
f20: 00000000  f21: 00000000  f22: 00000000  f23: 00000000
f24: 00000000  f25: 00000000  f26: 00000000  f27: 00000000
f28: 00000000  f29: BF800000  f30: 00000000  f31: 3F800000

80561DE0:  D0030190   stfs   f0,400(r3)
80561DE4:  C01F0014   lfs   f0,20(r31)
80561DE8:  D0030194   stfs   f0,404(r3)
80561DEC:  C01F0000   lfs   f0,0(r31)
80561DF0:  D0030180   stfs   f0,384(r3)
80561DF4:  C01F0004   lfs   f0,4(r31)
80561DF8:  D0030184   stfs   f0,388(r3)
80561DFC:  C01F0008   lfs   f0,8(r31)
80561E00:  D0030188   stfs   f0,392(r3)
80561E04:  807E0344   lwz   r3,836(r30)
80561E08:  38030001   addi   r0,r3,1
80561E0C:  901E0344   stw   r0,836(r30)
80561E10:  3BBD0001   addi   r29,r29,1
80561E14:  281D0008   cmplwi   r29,8
80561E18:  3BFF003C   addi   r31,r31,60
80561E1C:  4180FF9C   blt+   0x80561db8
80561E20:  3C60808C   lis   r3,-32628
80561E24:  8003AE88   lwz   r0,-20856(r3)
80561E28:  20000001   subfic   r0,r0,1
80561E2C:  9003AE88   stw   r0,-20856(r3)
80561E30:  83E1001C   lwz   r31,28(r1)
80561E34:  83C10018   lwz   r30,24(r1)
80561E38:  83A10014   lwz   r29,20(r1)
80561E3C:  80010024   lwz   r0,36(r1)
80561E40:  7C0803A6   mtlr   r0
80561E44:  38210020   addi   r1,r1,32
80561E48:  4E800020   blr   
80561E4C:  9421FFD0   stwu   r1,-48(r1)
80561E50:  7C0802A6   mflr   r0
80561E54:  90010034   stw   r0,52(r1)
80561E58:  39610030   addi   r11,r1,48
80561E5C:  4BACCC2D   bl   0x8002ea88
80561E60:  7C7E1B78   mr   r30,r3
80561E64:  3F20808C   lis   r25,-32628
80561E68:  38799E00   subi   r3,r25,25088
80561E6C:  38800000   li   r4,0
80561E70:  38A00800   li   r5,2048
80561E74:  4BAA24DD   bl   0x80004350
80561E78:  3BE00000   li   r31,0
80561E7C:  3BA00000   li   r29,0

GMO

Try doing a 32-bit Unknown Search on equal. Each time you get hit do a Less Than search.
If you die and start on a new life do one Greater Than search, then continue with the Less Than searches till you have less than 10 results.
http://gamemasterzer0.blogspot.com
For Codes, Guides, & Support Codemasters-Project
USB Gecko Facebook Page - My Wii's 4.1 U | 4.0 E

sulfur

I tried that but it didn't work. I just came up with 3 codes, but when I go to mem view they are constantly counting down by one whether I get hit or not. Any other ideas to try and find my health?
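The narrowing procedure sulfur and GMO describe (unknown 32-bit start, then equal / not equal / less than / greater than against the previous snapshot) is easy to get wrong in exactly the way this post shows, so here is an added C model of it. This is example code written for this thread, not anything from the USB Gecko or WiiRDGUI tooling, and the 8-word "memory" snapshots are constructed: index 2 is the health value we want, index 1 is a counter that drops by one on every snapshot whether the player is hit or not, and index 7 is an unrelated value that also drops on a hit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Comparison the searcher asks for between the previous and the current snapshot. */
enum cmp { CMP_EQUAL, CMP_NOT_EQUAL, CMP_LESS, CMP_GREATER };

/* Narrow the candidate set: alive[i] stays set only if cur[i] relates to prev[i]
   as requested. Returns how many candidates are still alive afterwards. */
size_t filter_candidates(const uint32_t *prev, const uint32_t *cur, size_t n,
                         enum cmp how, uint8_t *alive)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (!alive[i]) continue;
        int ok;
        switch (how) {
        case CMP_EQUAL:     ok = cur[i] == prev[i]; break;
        case CMP_NOT_EQUAL: ok = cur[i] != prev[i]; break;
        case CMP_LESS:      ok = cur[i] <  prev[i]; break;
        default:            ok = cur[i] >  prev[i]; break;
        }
        alive[i] = (uint8_t)ok;
        kept += (size_t)ok;
    }
    return kept;
}

#define WORDS 8
/* Constructed snapshots of a tiny 8-word memory (not real game data).
   idx 1: frame countdown, drops every snapshot no matter what (the decoy)
   idx 2: health            idx 7: something else that drops on a hit */
static const uint32_t SNAP[4][WORDS] = {
    {100, 3000, 100, 7, 100, 0x80ABCDEF, 100, 55}, /* start: unknown 32-bit, all candidates */
    {100, 2999, 100, 7, 100, 0x80ABCDEF, 100, 55}, /* paused, no damage taken  -> "equal" */
    {100, 2998,  90, 7, 100, 0x80ABCDEF, 100, 50}, /* took a hit               -> "less than" */
    {100, 2997, 100, 7, 150, 0x80ABCDEF, 100, 50}, /* new life, health refilled -> "greater than" */
};
static const enum cmp STEPS[3] = { CMP_EQUAL, CMP_LESS, CMP_GREATER };

/* Apply a fixed sequence of comparisons over the snapshots.
   Returns the index of the unique survivor, or -1 if zero or several survive. */
static int run_search(const enum cmp *steps, size_t survivors[4])
{
    uint8_t alive[WORDS];
    memset(alive, 1, sizeof alive);
    survivors[0] = WORDS;
    for (int k = 1; k <= 3; k++)
        survivors[k] = filter_candidates(SNAP[k - 1], SNAP[k], WORDS, steps[k - 1], alive);
    int found = -1;
    for (int i = 0; i < WORDS; i++)
        if (alive[i]) { if (found != -1) return -1; found = i; }
    return found;
}

/* The recommended sequence: survivors after each step, and the final hit. */
size_t demo_survivors_after(int step) { size_t s[4]; run_search(STEPS, s); return s[step]; }
int    demo_health_index(void)        { size_t s[4]; return run_search(STEPS, s); }

/* Failure mode: searching "less than" on every snapshot, hit or not. The health word
   is dropped the first time it stays the same and only the countdown survives. */
int demo_less_only_survivor(void)
{
    static const enum cmp less_only[3] = { CMP_LESS, CMP_LESS, CMP_LESS };
    size_t s[4];
    return run_search(less_only, s);
}
```

With the equal / less than / greater than sequence the candidate count goes 8, 7, 2, 1 and index 2 (health) is the survivor; with less-than searches only, the single survivor is index 1, the counter that ticks down on its own, which is the behaviour described above for the 3 codes that count down regardless of damage. The practical check is to run one "equal" search while you are certain the value did not change, which removes anything that changes on its own.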

dcx2

The game most likely doesn't use a float for health; if it did, it's probably for the percentage of a health bar it needs to throw up on the display.

How does health work in the game?  Did anything happen at all when you nop'd?  When you set the breakpoint, did it pause only when you got hit?  When you watch it in Memory Viewer with auto-update, does it behave like you might expect health to behave, staying the same until you get hit and then decreasing?

It looks like there's supposed to be a lfs f0,something before it.  TIP: whenever pasting a disassembly, it's important to show some instructions *before* the instruction you're breaking on, so we can see what's happening.  In fact, what's happening before an instruction is probably more important than what happens after.

You might be able to find out who wrote to f0.  Unfortunately, according to http://babbage.cs.qc.edu/IEEE-754/32bit.html f0 holds "1.333" so that's probably not health...
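Reading the floating-point registers out of a dump like the one above by hand, or through a web converter, gets old fast. The following is an added C example (mine, not from the thread or the USB Gecko tooling) that parses a register line as the debugger prints it and reinterprets the raw word as IEEE-754 single or as a signed 32-bit integer; the dump line it is tested on is copied from this thread, and the tolerant `sscanf` pattern is an assumption about the two spacing styles seen in the dumps here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <math.h>

/* The same 32 bits, read two different ways (the raw unsigned value is the third). */
float   bits_as_float(uint32_t bits) { float f; memcpy(&f, &bits, sizeof f); return f; } /* IEEE-754 single */
int32_t bits_as_int32(uint32_t bits) { return (int32_t)bits; }                            /* two's complement */

/* Look up register `reg` (e.g. "f0", "r3", "SRR0") in one dump line such as
     "  f0: 3FAAAAAB   f1: 4403C000   f2: 43C88000   f3: D0A10000"
   or  "r0  : 00000000  r1  : 801C9808" (the spacing differs between dumps).
   Returns 1 and stores the raw word on success, 0 if the register is not on the line. */
int find_register(const char *line, const char *reg, uint32_t *out)
{
    char name[5];
    unsigned value;
    int used;
    const char *p = line;
    /* name, optional spaces, a colon, optional spaces, up to 8 hex digits; %n = chars consumed */
    while (sscanf(p, " %4[A-Za-z0-9] %*1[:] %8x%n", name, &value, &used) == 2) {
        if (strcmp(name, reg) == 0) { *out = value; return 1; }
        p += used;
    }
    return 0;
}

/* Register value as a float; NAN if the register is not on that line. */
float register_as_float(const char *line, const char *reg)
{
    uint32_t w;
    return find_register(line, reg, &w) ? bits_as_float(w) : NAN;
}

/* Print every register on a line in all three readings. */
void dump_line(const char *line)
{
    char name[5];
    unsigned value;
    int used;
    const char *p = line;
    while (sscanf(p, " %4[A-Za-z0-9] %*1[:] %8x%n", name, &value, &used) == 2) {
        printf("%-4s %08X  float=%-12g int32=%d\n", name, value,
               (double)bits_as_float(value), bits_as_int32(value));
        p += used;
    }
}

int main(void)
{
    /* f0..f3 line from the first dump in this thread */
    dump_line("  f0: 3FAAAAAB   f1: 4403C000   f2: 43C88000   f3: D0A10000");
    return 0;
}
```

For the dump above this prints f0 as 1.33333, f1 as 527 and f2 as 401; the same helper applied to the later integer findings reads 00000064 as 100 and FFFFFFF8 as -8, which is why looking at the raw hex alone can mislead. Decoding the float registers first is a cheap way to decide whether a value is even plausibly health before spending time on a breakpoint.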

sulfur

When I watch in mem view, when I get hit it goes down then back up, just like health does. When I write/breakpoint it froze when I got hit. I will post the lines before tonight.

sulfur

Hey guys, sorry for the late reply. Here are 10 lines up. Thanks.

80561DB8:  7FE3FB78     mr      r3,r31
80561DBC:  4BFFFF75     bl      0x80561d30
80561DC0:  2C30000      cmpwi   r3,0
80561DC4:  4182004C     beq-    0x80561e10
80561DC8:  801E0344     lwz     r0,836(r30)
80561DCC:  1C000018     mulli   r0,r0,24
80561DD0:  7C7E0214     add     r3,r30,r0
80561DD4:  C01F000C     lfs     f0,12(r31)
80561DD8:  D003018C     stfs    f0,396(r3)
80561DDC:  C01F0010     lfs     f0,16(r31)
80561DE0:  D0030190   stfs   f0,400(r3)
80561DE4:  C01F0014   lfs   f0,20(r31)
80561DE8:  D0030194   stfs   f0,404(r3)
80561DEC:  C01F0000   lfs   f0,0(r31)
80561DF0:  D0030180   stfs   f0,384(r3)
80561DF4:  C01F0004   lfs   f0,4(r31)
80561DF8:  D0030184   stfs   f0,388(r3)
80561DFC:  C01F0008   lfs   f0,8(r31)
80561E00:  D0030188   stfs   f0,392(r3)
80561E04:  807E0344   lwz   r3,836(r30)
80561E08:  38030001   addi   r0,r3,1
80561E0C:  901E0344   stw   r0,836(r30)
80561E10:  3BBD0001   addi   r29,r29,1
80561E14:  281D0008   cmplwi   r29,8
80561E18:  3BFF003C   addi   r31,r31,60
80561E1C:  4180FF9C   blt+   0x80561db8

sulfur

Is this enough info or do you guys need more?

dcx2

It looks like the code you found is copying a bunch of floats around for 8 different objects.

r31 points to an object in an array.  A copy of the pointer gets passed to that bl through r3.  The bl returns the result of...some function...in r3.  (in general, r3 is used to give things to a bl, and it is also used to get things back from a bl).  If that result was 0, it moves on to the next object.

80561DB8:  7FE3FB78     mr      r3,r31
80561DBC:  4BFFFF75     bl      0x80561d30
80561DC0:  2C30000      cmpwi   r3,0
80561DC4:  4182004C     beq-    0x80561e10
...snip...
80561E10:  3BBD0001   addi   r29,r29,1
80561E14:  281D0008   cmplwi   r29,8
80561E18:  3BFF003C   addi   r31,r31,60
80561E1C:  4180FF9C   blt+   0x80561db8

r29 is used to count through 8 objects for processing.  Each object takes up 0x3C bytes in memory.  If r29 is less than 8, we still have more objects to go, so add 0x3C to r31 and branch back to the top (where we put r31 into r3 and bl'd).

Inside the snipped bit, it's calculating a pointer and copying a bunch of floats from the current r31 to the calculated pointer.

This doesn't really sound very much like health processing code.  Set an execute breakpoint right after the beq- and if the breakpoint gets hit when the player isn't losing health then you don't have health code.  If that breakpoint only gets hit when someone takes damage, then r31 should hold a pointer to health-related values.

Unfortunately, it's not modifying the values, but merely copying them from one to the other. Sometimes you have to chase variables down in memory until you find the source that's adding or subtracting health.
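Writing the loop back out as C is the quickest way to confirm the reading above, so here is an added reconstruction of 0x80561DB8..0x80561E1C. It is example code written for this thread, not the game's source: the stride 0x3C, the bound 8, the slot size 24, the count at 836(r30) and the six load/store offsets are taken straight from the disassembly, while the callee at 0x80561d30 (whose body is not on the page) is modelled as a callback, and the demo's "keep flag" at byte 0x38 of each object is a purely hypothetical layout used only to drive it. Note from the first dump that r3 and r30 are both 0x808BA600, so the count was 0 and the watched address 0x808BA790 is slot 0's copy of the float at 16(r31), which is what the nop on that one stfs would have suppressed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constants read straight off the disassembly. */
#define OBJ_STRIDE 0x3C  /* addi r31,r31,60     : next source object */
#define OBJ_COUNT  8     /* cmplwi r29,8        : loop bound */
#define SLOT_SIZE  24    /* mulli r0,r0,24      : size of one destination slot */
#define COUNT_OFF  836   /* lwz/stw r0,836(r30) : running slot count */

/* Wii memory is big-endian, so lwz/stw/lfs/stfs are modelled on a byte buffer explicitly. */
static uint32_t lwz(const uint8_t *base, size_t off) {
    return (uint32_t)base[off] << 24 | (uint32_t)base[off + 1] << 16 |
           (uint32_t)base[off + 2] << 8 | (uint32_t)base[off + 3];
}
static void stw(uint8_t *base, size_t off, uint32_t v) {
    base[off] = (uint8_t)(v >> 24); base[off + 1] = (uint8_t)(v >> 16);
    base[off + 2] = (uint8_t)(v >> 8); base[off + 3] = (uint8_t)v;
}
static float lfs(const uint8_t *base, size_t off) {
    uint32_t w = lwz(base, off); float f; memcpy(&f, &w, sizeof f); return f;
}
static void stfs(uint8_t *base, size_t off, float f) {
    uint32_t w; memcpy(&w, &f, sizeof w); stw(base, off, w);
}

/* The bl 0x80561d30 callee: object pointer in r3, zero/non-zero answer back in r3. */
typedef int (*keep_fn)(const uint8_t *obj);

/* Reconstruction of the loop: src plays r31, dst plays r30.
   Returns the final slot count, i.e. the word at 836(r30). */
uint32_t copy_loop(const uint8_t *src, uint8_t *dst, keep_fn keep)
{
    for (uint32_t r29 = 0; r29 < OBJ_COUNT; r29++, src += OBJ_STRIDE) {
        if (keep(src) == 0)                  /* cmpwi r3,0 ; beq- 0x80561e10 */
            continue;
        uint32_t n = lwz(dst, COUNT_OFF);    /* lwz r0,836(r30) */
        uint8_t *slot = dst + n * SLOT_SIZE; /* mulli r0,r0,24 ; add r3,r30,r0 */
        stfs(slot, 396, lfs(src, 12));       /* lfs f0,12(r31) ; stfs f0,396(r3) */
        stfs(slot, 400, lfs(src, 16));       /* the store the write breakpoint fired on */
        stfs(slot, 404, lfs(src, 20));
        stfs(slot, 384, lfs(src, 0));
        stfs(slot, 388, lfs(src, 4));
        stfs(slot, 392, lfs(src, 8));
        stw(dst, COUNT_OFF, n + 1);          /* addi r0,r3,1 ; stw r0,836(r30) */
    }
    return lwz(dst, COUNT_OFF);
}

/* ---- constructed demo input; the flag byte at 0x38 is a hypothetical layout ---- */
#define FLAG_OFF 0x38
static int keep_if_flag(const uint8_t *obj) { return obj[FLAG_OFF] != 0; }

static uint32_t run_demo(uint8_t *dst)
{
    uint8_t src[OBJ_COUNT * OBJ_STRIDE];
    memset(src, 0, sizeof src);
    memset(dst, 0, 840);
    for (int i = 0; i < OBJ_COUNT; i++) {
        uint8_t *obj = src + i * OBJ_STRIDE;
        stfs(obj, 16, (float)(i * 10));      /* the float that lands at 400(r3) */
        obj[FLAG_OFF] = (uint8_t)(i & 1);    /* callee "keeps" objects 1,3,5,7 */
    }
    return copy_loop(src, dst, keep_if_flag);
}
uint32_t demo_count(void)            { uint8_t dst[840]; return run_demo(dst); }
float    demo_slot_float(uint32_t s) { uint8_t dst[840]; run_demo(dst); return lfs(dst, s * SLOT_SIZE + 400); }
```

Run on the constructed input the loop keeps four of the eight objects and packs their six floats into consecutive 24-byte slots, which is why nopping one stfs only blanks one copied field: nothing in this routine computes a new value, it just compacts whatever the source objects already hold. Chasing who writes the source fields at 0..20(r31) is the next step if this path ever turns out to be health-related at all.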

sulfur

Ok, I researched the values and I came up with 8 codes again. They all start at 00000064, but when I get hit it slowly goes down, and when I die it is FFFFFFF8. So here is the write/breakpoint for the second one; it was the only one I saw that had sub in it.

804FD188:  801E015C   lwz    r0,348(r30)
804FD18C:  90839794   stw    r4,-26732(r3)
804FD190:  90039798   stw    r0,-26728(r3)
804FD194:  801E0160   lwz    r0,352(r30)
804FD198:  9003979C   stw    r0,-26724(r3)
804FD19C:  801E0164   lwz    r0,356(r30)
804FD1A0:  900397A0   stw    r0,-26720(r3)
804FD1A4:  801E0168   lwz    r0,360(r30)
804FD1A8:  900397A4   stw    r0,-26716(r3)
804FD1AC:  801E016C   lwz    r0,364(r30)
804FD1B0:  900397A8   stw    r0,-26712(r3)
804FD1B4:  809E0170   lwz    r4,368(r30)
804FD1B8:  801E0174   lwz    r0,372(r30)
804FD1BC:  908397AC   stw    r4,-26708(r3)
804FD1C0:  900397B0   stw    r0,-26704(r3)
804FD1C4:  809E0178   lwz    r4,376(r30)
804FD1C8:  801E017C   lwz    r0,380(r30)
804FD1CC:  908397B4   stw    r4,-26700(r3)
804FD1D0:  900397B8   stw    r0,-26696(r3)
804FD1D4:  801E0180   lwz    r0,384(r30)
804FD1D8:  900397BC   stw    r0,-26692(r3)
804FD1DC:  38A397BE   subi   r5,r3,26690
804FD1E0:  389E0182   addi   r4,r30,386
804FD1E4:  38000020   li     r0,32
804FD1E8:  7C0903A6   mtctr  r0
804FD1EC:  A0640002   lhz    r3,2(r4)

CR  : 44000488  XER : 20000000  CTR : 00000000  DSIS: 02400000
DAR : 80A3AB88  SRR0: 804FD1B0  SRR1: 0000B032  LR  : 804FCEE0
r0  : 00000000  r1  : 801C9808  r2  : 801C1300  r3  : 80A413E0
r4  : 41F00000  r5  : 00000038  r6  : 00000008  r7  : FFFFFFFE
r8  : 801C9877  r9  : 00000000  r10 : 00000000  r11 : 00000000
r12 : 00000000  r13 : 801C02A0  r14 : 935E0000  r15 : 03534D00
r16 : 8011A2E0  r17 : 00000000  r18 : 00000000  r19 : 802BB000
r20 : 802BA580  r21 : 00000001  r22 : 800E7040  r23 : 00000000
r24 : 81426420  r25 : 00000CCB  r26 : 00000000  r27 : 80A213E0
r28 : 8066DEA0  r29 : 80605C68  r30 : 80A2DF08  r31 : 808719F0

f0  : 42700000  f1  : 00000000  f2  : 43360B61  f3  : 41BF791F
f4  : 00000000  f5  : BEA53531  f6  : 3E4D7339  f7  : 3E2AAAAA
f8  : BEA6B090  f9  : 3E4E0AA8  f10 : BD24054A  f11 : 373FB235
f12 : 3C6C5B52  f13 : 36D6B77A  f14 : 00000000  f15 : 00000000
f16 : 00000000  f17 : 00000000  f18 : 00000000  f19 : 00000000
f20 : 00000000  f21 : 00000000  f22 : 00000000  f23 : 00000000
f24 : 00000000  f25 : 00000000  f26 : 00000000  f27 : 00000000
f28 : 00000000  f29 : BF800000  f30 : 00000000  f31 : 3F800000

dcx2

That subi isn't touching health, it's adjusting a pointer.

sulfur

Well, what the heck am I doing wrong? Ok, let me do some more searching, but thanks.

dcx2

Did you try mem2 yet?

sulfur

No, I haven't really touched mem2. What is the range for that?

dcx2

Search the forums for some posts on mem2.  According to http://wiibrew.org/wiki/Memory_Map it's 0x90000000 to 0x93FFFFFF, but some of that is used by IOS and I don't think you can touch that.

If you're using WiiRDGUI, on the code search tab, under "Memory Range" you should see an "80" - that's mem1.  Change that drop-down box to "90" and you'll be searching mem2.  It should automatically set the correct bounds.

Warning: mem2 is about 2 times bigger than mem1, so it takes a lot longer to search...

sulfur

Thank you I will try it tonight.  :)