WiiRd forum
Author Topic: LUT discussion.  (Read 34565 times)
hetoan2 (Moderator)
« Reply #15 on: June 10, 2010, 10:43:52 AM »

Hey. I was just wondering why this isn't working:


bl 0x0004            # LR = address of the next instruction
mflr r17             # r17 = that address
lwz r0,260(r3)       # the hooked instruction: load the index
cmpwi r0,0x4F        # signed compare against 0x4F
bgt branch
addi r17,r17,0x1C    # r17 = start of the byte table (0x1C past the mflr)
lbzx r0,r17,r0       # r0 = table[r0]
branch:
b 0x0058             # skip the table and the nop; lands on the C2 branch back

00010203 04050607
08090A0B 0C0D0E0F
10111213 14151617
18191A1B 1C1D1E1F
20212223 24252627
28292A2B 2C2D2E2F
30313233 34353637
38393A3B 3C3D3E3F
40414243 44454647
48494A4B 4C4D4E4F

nop

Just wondering how come this doesn't work while cmpwi on individual values does.

I think the ASM is used for more than the ammo values I'm trying to swap in and out of it.
That shouldn't matter though, as I haven't changed any of the values.

The routine I wrote over is lwz r0,260(r3) and the next address stores the bytes.



Check out my site with codes obviously...
http://hetoan2.com/

and youtube...
http://youtube.com/hetoan2
James0x57 (Database Admin)
« Reply #16 on: June 10, 2010, 11:19:16 AM »

That should work fine as it is IF the LR wasn't being used and r17 is free to use.
(As a heads up, C0 codetype uses the LR- but I see you were using C2 for this)

I assume you made sure r17 was free to use, so this is how you'd make it okay to change the LR (as you did):

mflr r0 # back up LR
bl 0x0004 # change LR
mflr r17 # back up new LR
mtlr r0 # restore old LR
lwz r0,260(r3)
cmpwi r0,0x4F
bgt branch
addi r17,r17,0x1C # with the two extra instructions above the table is now 0x20 past the mflr r17, not 0x1C (corrected in Reply #23)
lbzx r0,r17,r0
branch:
b 0x0058 # this goes past the nop, but that should be a branch back to the routine you hijacked, so it's okay

00010203 04050607
08090A0B 0C0D0E0F
10111213 14151617
18191A1B 1C1D1E1F
20212223 24252627
28292A2B 2C2D2E2F
30313233 34353637
38393A3B 3C3D3E3F
40414243 44454647
48494A4B 4C4D4E4F

nop



[edit] Just in case it was a silly mistake instead: make sure you counted your data as part of the lines for the C2 count at the top of your code. ;)
« Last Edit: June 10, 2010, 11:25:02 AM by James0x57 »


dcx2 (Computer Engineer, Moderator)
« Reply #17 on: June 10, 2010, 01:54:41 PM »

In addition to what James mentions (back up LR in case you're in a leaf function; remember to count the data lines as part of the C2 code's length; your b 0x58 overshoots the nop by one instruction, which should land on the branch back)...

Some instructions react differently in the event of an operand that is r0.  lbzx is one of them.

http://pds.twi.tudelft.nl/vakken/in1200/labcourse/instruction-set/lbzx.html

In this case, if rA == r0, then instead of using the value in r0, it uses an actual 0.  However, it looks like your lbzx is using rB == r0, in which case you should be safe.

Also, be careful; if 260(r3) is signed, then your cmpwi would permit the table to be used with negative indices, which could make problems.

James0x57 (Database Admin)
« Reply #18 on: June 10, 2010, 02:59:38 PM »

Quote from: dcx2
Also, be careful; if 260(r3) is signed, then your cmpwi would permit the table to be used with negative indices, which could make problems.

In which case you should use "cmplwi" instead, as it performs an unsigned comparison. Thus the only values that make it past the bgt instruction are [0,4F].
« Last Edit: June 10, 2010, 03:03:00 PM by James0x57 »
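The two hardware details raised in the last two replies (lbzx treating an rA of r0 as a literal zero, and a signed cmpwi letting negative indices reach the look-up) can be checked without a console. The following Python model is an added example and not code from the thread; the memory image, its base address 0x80001000, the code bytes placed in front of the table and the register numbers are constructed for illustration.

```python
"""Model of the guard + lbzx sequence discussed above.  Added example, not
thread code.  The address space below is constructed: a few words of "code",
then the 0x50-entry LUT, then nothing mapped (an unmapped read is a DSI on
hardware, i.e. the freeze people see)."""

MASK32 = 0xFFFFFFFF
TABLE_LEN = 0x50                                   # entries 0x00..0x4F, as in the first posts

IMAGE_BASE = 0x80001000                            # constructed base address
CODE_BYTES = bytes.fromhex("7C0802A6 48000005 7FA802A6")   # 12 bytes of code ahead of the table
TABLE_BASE = IMAGE_BASE + len(CODE_BYTES)
IMAGE = CODE_BYTES + bytes(range(TABLE_LEN))       # identity LUT, like the posted one


def read_byte(ea):
    """Byte at ea, or None when the address is not mapped in this image."""
    off = ea - IMAGE_BASE
    return IMAGE[off] if 0 <= off < len(IMAGE) else None


def to_signed(x):
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def guard_passes(index, guard):
    """'cmpwi rX,0x4F ; bgt skip' or 'cmplwi rX,0x4F ; bgt skip'.
    Returns True when the look-up is reached (bgt not taken)."""
    if guard == "cmpwi":                           # signed compare: -1 <= 0x4F is true
        return to_signed(index) <= TABLE_LEN - 1
    if guard == "cmplwi":                          # unsigned compare: 0xFFFFFFFF > 0x4F
        return (index & MASK32) <= TABLE_LEN - 1
    raise ValueError(guard)


def lbzx_ea(gpr, ra, rb):
    """lbzx rD,rA,rB: EA = (0 if rA == 0 else GPR[rA]) + GPR[rB], mod 2^32.
    The r0 quirk dcx2 mentions: as rA it means the constant 0, not the register."""
    base = 0 if ra == 0 else gpr[ra]
    return (base + gpr[rb]) & MASK32


def lookup(index, guard, table_reg=17, index_reg=15):
    """Run the guard then the lbzx.  Returns (ran, value); value is None for an
    unmapped read and the untouched index when the guard skipped the look-up."""
    if not guard_passes(index, guard):
        return (False, index & MASK32)
    gpr = {table_reg: TABLE_BASE, index_reg: index & MASK32}
    return (True, read_byte(lbzx_ea(gpr, table_reg, index_reg)))
```

With `cmpwi`, an index of 0xFFFFFFFF (-1) passes the guard and reads the byte just before the table (code, here 0xA6), and 0x80000000 passes and wraps to an unmapped address; with `cmplwi` both are rejected and the raw value falls through, which is the behaviour the replies above argue for.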


hetoan2 (Moderator)
« Reply #19 on: June 10, 2010, 05:26:08 PM »

Well, at least it's not freezing now. It's a little buggy for some reason and keeps writing 01 to the address regardless, but I think it's because the instruction is used for multiple things.

When I fix it / need more help I'll let you know.

By the way, it froze with lbzx r0,r17,r0.

I just added mr r15,r0 at the beginning and mr r0,r15 at the end.
« Last Edit: June 10, 2010, 05:32:02 PM by hetoan2 »



dcx2 (Computer Engineer, Moderator)
« Reply #20 on: June 10, 2010, 05:42:14 PM »

Why are you doing mr r15,r0 and mr r0,r15?

Set an execute breakpoint on the instruction immediately before the one your C2 hooks.  When you hit that breakpoint, send the codes to the game while it is paused.  Then go back to the Breakpoint tab and Step Into; you should catch the very first execution of your C2 code.  Follow it through and see what's happening.

You say it freezes on lbzx r0,r17,r0.  Make sure r17+r0 points to your LUT.  If it does, but you still freeze, then you should try using something other than r0.

hetoan2 (Moderator)
« Reply #21 on: June 10, 2010, 06:36:09 PM »

That was the case; I can't recall what it was picking up, but meh.

Either way James, with the added instructions in the code, you need to change the line addi r17,r17,0x1C to addi r17,r17,0x20 right?




hetoan2 (Moderator)
« Reply #22 on: June 11, 2010, 01:03:20 AM »

So I want the code to only work when r4 is pointing to the address that contains the ammo value, which is 8155A640.

So I used this:

mflr r0
bl 0x0004
mflr r17
mtlr r0
lwz r15,260(r3)
cmplwi r15,0x4F
bgt- branch
lis r23,0x8155
ori r23,r23,0x6A40
cmpw r4,r23
bne branch
addi r17,r17,48
lbzx r15,r17,r15
branch:
b 0x0054

data 00-4F

mr r0,r15

which freezes; however, this code works (but is glitchy because the ASM is used in different things as well)


mflr r0
bl 0x0004
mflr r17
mtlr r0
lwz r15,260(r3)
cmplwi r15,0x4F
bgt- branch
addi r17,r17,32
lbzx r15,r17,r15
branch:
b 0x0054

data 00-4F

mr r0,r15

Any reason why?

By the way, r23 is free as far as I can tell.
« Last Edit: June 11, 2010, 01:06:03 AM by hetoan2 »



James0x57 (Database Admin)
« Reply #23 on: June 11, 2010, 01:33:44 AM »

The "mr r0,r15" is not needed at all..?

Quote from: hetoan2
Either way James, with the added instructions in the code, you need to change the line addi r17,r17,0x1C to addi r17,r17,0x20 right?
Oh balls, yes you do. =)


You don't need to use r23; I can't see why else it would freeze anyway:

lis r15,0x8155
ori r15,r15,0x6A40
cmpw r4,r15
lwz r15,260(r3)
bne branch

mflr r0
bl 0x0004
mflr r17
mtlr r0
cmplwi r15,0x4F
bgt branch
addi r17,r17,0x1C
lbzx r15,r17,r15
branch:
b 0x0054

data 00-4F

nop


2 more things:
1) Are you sure r17 is free?
2) Are you hijacking into this in the middle of a comparison? You may need to back up the CR (condition register)! [This would be very likely to cause a crash!]



Did you know that you can go to the bp tab on a crash and set a bpe to see where it crashed in certain cases? Might be useful!
« Last Edit: June 11, 2010, 01:36:12 AM by James0x57 »


hetoan2 (Moderator)
« Reply #24 on: June 11, 2010, 01:38:50 AM »

I think that r23 actually wasn't free. I changed it to r19 to be safe, which is free.
r17 is definitely free. I changed it to r18 for safety anyway, which is also free.
I am not hijacking mid-comparison.
The mr r0,r15 is because I changed the lwz r0 to lwz r15, because lbzx r0 was messing up.
And the code is starting to work better; however, if activated at the beginning of the disc boot-up it will freeze when starting a game, but it's good if activated after the game starts :S


Edit: it seems to only freeze when you're not alive, like when the game is starting, or if you kill yourself.
« Last Edit: June 11, 2010, 01:59:25 AM by hetoan2 »



dcx2 (Computer Engineer, Moderator)
« Reply #25 on: June 11, 2010, 03:34:25 AM »

James made a good point, never hook between a comparison and its branch.

In addition, it's possible that the ASM instructions are being swapped out with something else temporarily, making your branch over-write something unrelated.  I saw Resident Evil 4 switch out ASM depending on what gun was armed.  When the game starts, when the code would normally crash, make sure the ASM is what you expect it to be.  In the event that the ASM is changing, you should be able to use an F2/F4 code to make sure you're only hooking when it's appropriate.

However, much more likely is that registers look safe, but aren't, or change safety over the course of the game's execution.  If you can't ascertain 110% the safety of a register, then don't guess.  Just make a stack frame.  (For completeness' sake, this is not how you really should make a stack frame.  Normally, after storing the LR in r0, you would push r0 onto the stack, but we can cheat because we only need to cache the LR for a few instructions.  I also allocate plenty of extra space because I'm paranoid.)

---

mflr r0           # save LR
stwu r1,-32(r1)   # allocate room for a stack frame
stmw r29,8(r1)    # make room for local variables

bl 0x04           # get address of next instruction
table_pointer:
mflr r29          # r29 = table pointer
mtlr r0           # restore LR

lwz r30,260(r3)   # load index
cmplwi r30,0x4F   # only interested in r30 <= 0x4F (the table below has only 0x40 entries, so 0x3F is the intended bound; see Reply #29)
bgt- PopStackFrame

lis r31,0x8155    # r31 = ammo pointer
ori r31,r31,0x6A40
cmpw r4,r31       # only interested in r4 == ammo pointer
bne- PopStackFrame

addi r29,r29,data_offset-table_pointer
lbzx r30,r29,r30  # do the look-up
b PopStackFrame

data_offset:
.word 0x0001
.word 0x0203
.word 0x0405
.word 0x0607
.word 0x0809
.word 0x0A0B
.word 0x0C0D
.word 0x0E0F
.word 0x1011
.word 0x1213
.word 0x1415
.word 0x1617
.word 0x1819
.word 0x1A1B
.word 0x1C1D
.word 0x1E1F
.word 0x2021
.word 0x2223
.word 0x2425
.word 0x2627
.word 0x2829
.word 0x2A2B
.word 0x2C2D
.word 0x2E2F
.word 0x3031
.word 0x3233
.word 0x3435
.word 0x3637
.word 0x3839
.word 0x3A3B
.word 0x3C3D
.word 0x3E3F

PopStackFrame:
mr r0,r30       # make sure r0 is holding the value of interest
lmw r29,8(r1)   # pop registers
addi r1,r1,32   # release stack frame memory


---

It should turn into the following code.  PyiiASMH will calculate all the offsets for you - even the offset between bl/mflr and the table data!

C2000000 00000012
7C0802A6 9421FFE0
BFA10008 48000005
7FA802A6 7C0803A6
83C30104 281E004F
41810060 3FE08155
63FF6A40 7C04F800
40820050 3BBD0030
7FDDF0AE 48000044
00010203 04050607
08090A0B 0C0D0E0F
10111213 14151617
18191A1B 1C1D1E1F
20212223 24252627
28292A2B 2C2D2E2F
30313233 34353637
38393A3B 3C3D3E3F

7FC0F378 BBA10008
38210020 00000000
« Last Edit: June 11, 2010, 03:40:13 AM by dcx2 »

James0x57 (Database Admin)
« Reply #26 on: June 11, 2010, 04:35:25 AM »

Quote from: dcx2
James made a good point, never hook between a comparison and its branch.
No no no, never said that. Just back up the CR if you do!


.long 0x00010203
.long 0x04050607
.long 0x08090A0B
.long 0x0C0D0E0F
.long 0x10111213
.long 0x14151617
.long 0x18191A1B
.long 0x1C1D1E1F
.long 0x20212223
.long 0x24252627
.long 0x28292A2B, 0x2C2D2E2F #this works too!
.long 0x30313233, 0x34353637
.long 0x38393A3B, 0x3C3D3E3F

Fixed ;)


And I had no idea you could add or subtract labels (and constants) like that! That's great! Thanks!
« Last Edit: June 11, 2010, 04:41:02 AM by James0x57 »


brkirch (Hacker)
« Reply #27 on: June 11, 2010, 07:31:36 AM »

I would simply recommend avoiding nonvolatile registers (r14-r31) altogether if you don't make a stack frame to backup and restore them.  Nonvolatile registers are not supposed to change between function calls so usually nonvolatile registers are not free unless they are used within the function being hooked and the next instruction in that function with that register overwrites it without using its value.  BTW there shouldn't be a problem with hooking over a comparison as the comparison is executed at the end of the ASM insert (the branch instruction executed at the end of the ASM insert will not change CR).

Quote from: James0x57
And I had no idea you could add or subtract labels (and constants) like that! That's great! Thanks!

You obviously missed the post I made earlier in this topic... ;)
« Last Edit: June 11, 2010, 08:20:22 AM by brkirch »

hetoan2 (Moderator)
« Reply #28 on: June 11, 2010, 10:37:27 AM »

Thanks for the help you guys :D the code actually worked!

Sorry for being such a noob, but could you link me to a topic on how to make a stack frame, or explain it?

I've never had to use a stack frame before because generally I have enough free registers, but it should be useful.

I understand the general idea behind a stack frame, I just don't get what's going on and how to apply it in a universal situation.

Also, shouldn't this: cmplwi r30,0x4F be cmplwi r30,0x3F if you're only writing 3F?

Not to pick on typos.

« Last Edit: June 11, 2010, 10:40:45 AM by hetoan2 »



dcx2 (Computer Engineer, Moderator)
« Reply #29 on: June 11, 2010, 01:08:45 PM »

I have been owned on the "don't-hook-a-cmp", haha.

Yeah, hetoan, I typoed the 4f/3f deal.

For more info on stack frames, see section 5 of the PowerPC Application Binary Interface.  It goes into detail about the stack frame and has some pretty pictures to boot!

http://www.ibm.com/chips/techlib/techlib.nsf/techdocs/852569B20050FF77852569970071B0D6/$file/eabi_app.pdf

EDIT: brkirch, I think the ASM example you posted with all the .set etc might have been a little too verbose.  It's quite formidable when you're not used to looking at ASM that way.  Despite that, I highly suggest folks go back and carefully read through, because there are a lot of neat tricks, like declaring a "register variable" at the top of the code and then using that register variable so you can easily change what regs it uses.
« Last Edit: June 11, 2010, 04:38:49 PM by dcx2 »
