Set Value to ASM C2

Started by Deathwolf, June 21, 2010, 02:56:28 PM


Deathwolf

Hi

I want to set my own value in a C2 code, like a base address with 63 (99) lives. [game: New Super Mario Bros, PAL]
The base address of lives = 80355193

breakpoint (write) says:

CR  : 28000888  XER : 20000000  CTR : 80272D30  DSIS: 02400000
DAR : 80355190  SRR0: 8006066C  SRR1: 0000B032  LR  : 80060630
r0  : 00000003  r1  : 8043FC18  r2  : 80433360  r3  : 80355190
r4  : 00000000  r5  : 00000004  r6  : 00000000  r7  : 00000000
r8  : 00000000  r9  : 00000000  r10 : 00000000  r11 : 8043FC18
r12 : 80272D30  r13 : 8042F980  r14 : 00000000  r15 : 00000000
r16 : 00000000  r17 : 00000000  r18 : 00000000  r19 : 00000008
r20 : 00000000  r21 : 40E00000  r22 : 40800000  r23 : 8154B94C
r24 : 81541448  r25 : 00000001  r26 : 00000001  r27 : 00000001
r28 : 8154B804  r29 : 8154B804  r30 : 8154CC34  r31 : 8154B804

f0  : 00000000  f1  : 00000000  f2  : 59800004  f3  : 41700000
f4  : 00000000  f5  : 41400000  f6  : BF800000  f7  : 00000000
f8  : 00000000  f9  : 00000000  f10 : 00000000  f11 : 3F800000
f12 : 3F5B14A0  f13 : 3ED2F6DA  f14 : 00000000  f15 : 00000000
f16 : 00000000  f17 : 00000000  f18 : 00000000  f19 : 00000000
f20 : 00000000  f21 : 00000000  f22 : 00000000  f23 : 00000000
f24 : 00000000  f25 : 00000000  f26 : 00000000  f27 : 00000000
f28 : 00000000  f29 : 00000000  f30 : 00000000  f31 : 00000000



8006066C:  7C03212E   stwx   r0,r3,r4
80060670:  4082000C   bne-   0x8006067c
80060674:  38000000   li   r0,0
80060678:  900DA648   stw   r0,-22968(r13)
8006067C:  3865FFFF   subi   r3,r5,1
80060680:  80010014   lwz   r0,20(r1)
80060684:  7C0803A6   mtlr   r0
80060688:  38210010   addi   r1,r1,16
8006068C:  4E800020   blr   
80060690:  9421FFE0   stwu   r1,-32(r1)
80060694:  7C0802A6   mflr   r0
80060698:  90010024   stw   r0,36(r1)
8006069C:  93E1001C   stw   r31,28(r1)
800606A0:  7C7F1B78   mr   r31,r3
800606A4:  800DA620   lwz   r0,-23008(r13)
800606A8:  80AD8288   lwz   r5,-32120(r13)

hook address = C206066C

Now I don't know how to set the value like a base address.

Thanks for help.


lolz

dcx2

The "hook" address is the instruction you want to replace, not the address you want to write to.  In your case, I think you want to replace 8006066C.

You also didn't hit a Read breakpoint.  You hit a Write breakpoint.  Notice how the instruction at 8006066C is stwx = STore Word indeXed.  Pretend it is like stw r0,r4(r3); r4 is the index.

What instructions come before a hook is almost more important than what comes after it.  Please provide some extra disassembly, like ten instructions before 8006066C.

Also, everything after the blr is unnecessary.  Functions usually begin with stwu r1/mflr r0 and end with mtlr r0/addi r1/blr.  (rarely, there will be no stwu/mflr, or mtlr/addi, but there is ALWAYS a blr at the end)

(this is the end of the function we care about.  We want the beginning of it...preferably everything up to its stwu r1/mflr r0)
8006066C:  7C03212E   stwx   r0,r3,r4
80060670:  4082000C   bne-   0x8006067c
80060674:  38000000   li   r0,0
80060678:  900DA648   stw   r0,-22968(r13)
8006067C:  3865FFFF   subi   r3,r5,1
80060680:  80010014   lwz   r0,20(r1)
80060684:  7C0803A6   mtlr   r0
80060688:  38210010   addi   r1,r1,16
8006068C:  4E800020   blr   


(this is part of the next function; we don't care about it)
80060690:  9421FFE0   stwu   r1,-32(r1)
80060694:  7C0802A6   mflr   r0
80060698:  90010024   stw   r0,36(r1)
8006069C:  93E1001C   stw   r31,28(r1)
800606A0:  7C7F1B78   mr   r31,r3
800606A4:  800DA620   lwz   r0,-23008(r13)
800606A8:  80AD8288   lwz   r5,-32120(r13)

Deathwolf

80060630:  80010008   lwz   r0,8(r1)
80060634:  3C808035   lis   r4,-32715
80060638:  3C608035   lis   r3,-32715
8006063C:  5400103A   rlwinm   r0,r0,2,0,29
80060640:  38845160   addi   r4,r4,20832
80060644:  7C04002E   lwzx   r0,r4,r0
80060648:  38635190   addi   r3,r3,20880
8006064C:  5404103A   rlwinm   r4,r0,2,0,29
80060650:  7CA3202E   lwzx   r5,r3,r4
80060654:  2C050000   cmpwi   r5,0
80060658:  4181000C   bgt-   0x80060664
8006065C:  38600000   li   r3,0
80060660:  48000020   b   0x80060680
80060664:  2C000000   cmpwi   r0,0
80060668:  3805FFFF   subi   r0,r5,1
8006066C:  7C03212E   stwx   r0,r3,r4
80060670:  4082000C   bne-   0x8006067c
80060674:  38000000   li   r0,0
80060678:  900DA648   stw   r0,-22968(r13)
8006067C:  3865FFFF   subi   r3,r5,1
80060680:  80010014   lwz   r0,20(r1)
80060684:  7C0803A6   mtlr   r0
80060688:  38210010   addi   r1,r1,16
8006068C:  4E800020   blr   
80060690:  9421FFE0   stwu   r1,-32(r1)
80060694:  7C0802A6   mflr   r0
80060698:  90010024   stw   r0,36(r1)
8006069C:  93E1001C   stw   r31,28(r1)
800606A0:  7C7F1B78   mr   r31,r3
800606A4:  800DA620   lwz   r0,-23008(r13)
800606A8:  80AD8288   lwz   r5,-32120(r13)
lolz

dcx2

Okay, I think this is what is happening.  NSMB is a multi-player game, so they probably store the lives near each other, and use stwx to get to player x's life count.

The base pointer for the lives appears to be 80355190.  Each player's life value should be here, and based on the player number the stwx will index to the correct player's life.

80060638:  3C608035   lis   r3,-32715
...
80060648:  38635190   addi   r3,r3,20880

Eventually, we load the current life count

80060650:  7CA3202E   lwzx   r5,r3,r4

and then, if it is greater than 0

80060654:  2C050000   cmpwi   r5,0
80060658:  4181000C   bgt-   0x80060664

we subtract 1 from it and store the new value

80060668:  3805FFFF   subi   r0,r5,1
8006066C:  7C03212E   stwx   r0,r3,r4

Therefore, if you want to always give 99 lives, replace subi r0,r5,1 with li r0,0x63.  Then the stwx will store the 99 instead of r5-1.

Deathwolf

lolz

dcx2

Do you mean that li r0,99 works, but li r0,0x63 does not?

Deathwolf

If I change it to li r0,99 and I lose a life, the game freezes.
And if I change it to li r0,0x63, it says error (the assembled instruction is li r0,99).
lolz

dcx2

You are replacing the subi, not the stwx, right?

That's weird.  The ASM must be running more than once.  Set an Execute breakpoint on 80060668 and see what else causes it to hit...

Deathwolf

Yes, on subi r0,r5,1.

execute says:

80060640:  38845160   addi   r4,r4,20832
80060644:  7C04002E   lwzx   r0,r4,r0
80060648:  38635190   addi   r3,r3,20880
8006064C:  5404103A   rlwinm   r4,r0,2,0,29
80060650:  7CA3202E   lwzx   r5,r3,r4
80060654:  2C050000   cmpwi   r5,0
80060658:  4181000C   bgt-   0x80060664
8006065C:  38600000   li   r3,0
80060660:  48000020   b   0x80060680
80060664:  2C000000   cmpwi   r0,0
80060668:  3805FFFF   subi   r0,r5,1
8006066C:  7C03212E   stwx   r0,r3,r4
80060670:  4082000C   bne-   0x8006067c
80060674:  38000000   li   r0,0
80060678:  900DA648   stw   r0,-22968(r13)
80060668:  3805FFFF   subi   r0,r5,1
8006066C:  7C03212E   stwx   r0,r3,r4
80060670:  4082000C   bne-   0x8006067c
80060674:  38000000   li   r0,0
80060678:  900DA648   stw   r0,-22968(r13)
8006067C:  3865FFFF   subi   r3,r5,1
80060680:  80010014   lwz   r0,20(r1)
80060684:  7C0803A6   mtlr   r0
80060688:  38210010   addi   r1,r1,16
8006068C:  4E800020   blr   
80060690:  9421FFE0   stwu   r1,-32(r1)
80060694:  7C0802A6   mflr   r0
80060698:  90010024   stw   r0,36(r1)
8006069C:  93E1001C   stw   r31,28(r1)
800606A0:  7C7F1B78   mr   r31,r3
800606A4:  800DA620   lwz   r0,-23008(r13)
lolz

dcx2

That instruction must be doing more than just lives.  The execute BP will say the same instructions every time, but you are more interested in what actions trigger the execute BP.

Deathwolf

lolz

Deathwolf

omg now it works....

I have made one for coins.

base address : 803551A3

CR  : 88000888  XER : 00000000  CTR : 80038FD0  DSIS: 02400000
DAR : 803551A0  SRR0: 8006043C  SRR1: 0000B032  LR  : 80060288
r0  : 0000000B  r1  : 8043FB18  r2  : 80433360  r3  : 0000000A
r4  : 803551A0  r5  : 00000000  r6  : 00000002  r7  : 00000000
r8  : 00000001  r9  : 815E4478  r10 : 7D4256F0  r11 : 8043FB58
r12 : 80038FD0  r13 : 8042F980  r14 : 00000000  r15 : 00000000
r16 : 00000000  r17 : 00000000  r18 : 00000000  r19 : 00000000
r20 : 00000000  r21 : 00000000  r22 : 00000000  r23 : 00000000
r24 : 00000000  r25 : 00000002  r26 : 00000000  r27 : 00000000
r28 : 00000000  r29 : 8154B9F0  r30 : 8043FBE0  r31 : 80355110

f0  : 00000000  f1  : C402E351  f2  : 44B9DA47  f3  : C0E00000
f4  : 41300000  f5  : C3FFC6A2  f6  : 00000000  f7  : 00000000
f8  : 43800000  f9  : 46361A2A  f10 : 43800000  f11 : 80000000
f12 : 3F800000  f13 : 00000000  f14 : 00000000  f15 : 00000000
f16 : 00000000  f17 : 00000000  f18 : 00000000  f19 : 00000000
f20 : 00000000  f21 : 00000000  f22 : 00000000  f23 : 00000000
f24 : 00000000  f25 : 00000000  f26 : 00000000  f27 : 00000000
f28 : 00000000  f29 : 00000000  f30 : 44B9DA47  f31 : C402E351

800603FC:  7CC5012E   stwx   r6,r5,r0
80060400:  5484103A   rlwinm   r4,r4,2,0,29
80060404:  5503103A   rlwinm   r3,r8,2,0,29
80060408:  54E0103A   rlwinm   r0,r7,2,0,29
8006040C:  7CC5212E   stwx   r6,r5,r4
80060410:  7CC5192E   stwx   r6,r5,r3
80060414:  7CC5012E   stwx   r6,r5,r0
80060418:  48000028   b   0x80060440
8006041C:  80010008   lwz   r0,8(r1)
80060420:  387F0050   addi   r3,r31,80
80060424:  389F0090   addi   r4,r31,144
80060428:  5400103A   rlwinm   r0,r0,2,0,29
8006042C:  7C03002E   lwzx   r0,r3,r0
80060430:  5405103A   rlwinm   r5,r0,2,0,29
80060434:  7C64282E   lwzx   r3,r4,r5
80060438:  38030001   addi   r0,r3,1
8006043C:  7C04292E   stwx   r0,r4,r5

80060440:  39610040   addi   r11,r1,64
80060444:  4827CC6D   bl   0x802dd0b0
80060448:  80010044   lwz   r0,68(r1)
8006044C:  7C0803A6   mtlr   r0
80060450:  38210040   addi   r1,r1,64
80060454:  4E800020   blr   
80060458:  00000000   .word   0x00000000
8006045C:  00000000   .word   0x00000000
80060460:  9421FFC0   stwu   r1,-64(r1)
80060464:  7C0802A6   mflr   r0
80060468:  90010044   stw   r0,68(r1)
8006046C:  93E1003C   stw   r31,60(r1)
80060470:  93C10038   stw   r30,56(r1)
80060474:  7CBE2B78   mr   r30,r5
80060478:  93A10034   stw   r29,52(r1)

C2060438 00000002
380000XX 7C04292E
60000000 00000000
E0000000 80008000

or 04060438 380000XX
lolz

dcx2

Glad to hear it works.  :)

The "hook address" is the address you're replacing.  C2060438 00000002 = address 80060438 = hook address
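
As an added example (not code from the thread), a small Python helper that encodes the addi/li and stwx instructions walked through above and packs them into the C2 and 04 code forms shown in the previous post; the li r0,99 versus li r0,0x63 check shows why both assemble to the same word. Function names and the nop padding rule are mine; the page's own code lines are what it is checked against.

```python
# Added example: encode the PowerPC instructions from this thread and pack
# them into Gecko C2 (ASM insert) and 04 (32-bit RAM write) code lines.
# Helper names are the example's own, not from any Gecko tool.

def addi(rd, ra, simm):
    """addi rD,rA,SIMM (primary opcode 14).
    li rD,imm is addi rD,0,imm; subi rD,rA,n is addi rD,rA,-n."""
    if not -0x8000 <= simm <= 0x7FFF:
        raise ValueError("SIMM must fit in a signed 16-bit field")
    return (14 << 26) | (rd << 21) | (ra << 16) | (simm & 0xFFFF)


def li(rd, imm):
    """li rD,imm: 99 and 0x63 are the same immediate, so the same word."""
    return addi(rd, 0, imm)


def stwx(rs, ra, rb):
    """stwx rS,rA,rB (primary opcode 31, extended opcode 151):
    store word rS to the address rA + rB."""
    return (31 << 26) | (rs << 21) | (ra << 16) | (rb << 11) | (151 << 1)


def c2_code(hook_addr, instrs):
    """Build a C2 code: 'C2' + low 25 bits of the hook address, then the
    number of 64-bit lines. The last 32-bit slot must be 00000000 (the code
    handler replaces it with the branch back), so an even instruction count
    gets a 60000000 nop first, exactly as in the thread's coin code."""
    words = list(instrs)
    if len(words) % 2 == 0:
        words.append(0x60000000)  # nop, gives the 00000000 slot its own line
    words.append(0x00000000)
    lines = ["C2%06X %08X" % (hook_addr & 0x01FFFFFF, len(words) // 2)]
    for i in range(0, len(words), 2):
        lines.append("%08X %08X" % (words[i], words[i + 1]))
    return lines


def ram_write32(addr, word):
    """Build an 04 code: a single 32-bit write of `word` to `addr`
    (the plain 32-bit form the thread gives as the alternative)."""
    return "04%06X %08X" % (addr & 0x01FFFFFF, word & 0xFFFFFFFF)


if __name__ == "__main__":
    # Coins: replace addi r0,r3,1 at 80060438 with li r0,99, keep the stwx.
    for line in c2_code(0x80060438, [li(0, 99), stwx(0, 4, 5)]):
        print(line)
    print("or", ram_write32(0x80060438, li(0, 99)))
```

The lives hook works the same way: c2_code(0x80060668, [li(0, 0x63)]) replaces only the subi, and the original stwx at 8006066C then stores the 99.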

Deathwolf

Oh, that is it  ;D

But yeah, thanks a lot! :)
lolz

Deathwolf

But how do I use it on a 32-bit code?
lolz