Codes
WiiRd forum
March 29, 2024, 11:48:12 AM *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: Welcome on the new server

Update 4.3 - do NOT update!
Gecko 1.9.3.1
Should I get a USB Gecko, I wanna hack?
How do I use my USB Gecko
Where can I get WiiRd?
 
   Home   CODE DATABASE GAMEHACKING Help Search Login Register  
Pages: [1]
  Print  
Author Topic: breakpoints? dissassembler?  (Read 3637 times)
benny3t3
Hacker
Full Member
*****

Karma: 3
Posts: 169


« on: October 17, 2010, 12:00:45 AM »

could someone explain breakpoints to me?

what can I do with it?

how does ba work?

I get changing existing memory... but not anything else.

also, the dissasembler. what is that?

note: I am currently learning C++ on the computer. no previous programming experience.

or could someone give me a link? thanks! : D
« Last Edit: October 17, 2010, 12:03:55 AM by benny3t3 » Logged

dcx2
Computer Engineer
Moderator
Legendary Member
*****

Karma: 165
Posts: 3468


WWW
« Reply #1 on: October 17, 2010, 05:54:58 AM »

Breakpoints pause the game's execution when something happens.  For instance, when some instruction is executed, or when some data is read or written. 

Disassembler will read memory and interpret it as assembly instructions.  This allows you to see what the game does.

The game has a lot of ASM, and ASM functions will call other ASM with bl (Branch and Link), so this can create a complicated flow of execution.  We use breakpoints to navigate around the ASM to find something we're interested in.

For example, if you have the address of Mario's life, you can set a write breakpoint on it.  When you die, the game will pause at the point where it is writing the new, lower life value to memory.  You then switch to the disassembler and look around, and you might find a subi (SUBtract Immediate) that is subtracting one from your life count.  You then patch the subi into something else so that your life count doesn't go down when you die.

---

The ba is the "base address".  When using code types, we have 32 bits, but we can only specify 25 bits of the address.  The other 7 bits are devoted to the code type.  So we use the ba (or po) to compensate for the 7 bits that we don't have room for.  It's important to note the ba can only specify those 7 bits; the other 25 bits of the ba are ignored.  However, the full value of the po is used for po code types.
Logged

Romaap
Hacker
Moderator
Legendary Member
*****

Karma: 89
Posts: 1802


WWW
« Reply #2 on: October 17, 2010, 01:57:00 PM »

Also, something you might need to know to understand dcx2's posts:

Assembly (ASM) is a programming language which is 'understandable by the machine (the Wii in this case)'.
When you make an application in C++ the compiler compiles your code to ASM, this is then assembled to Machine Code.
We have the programming languages like C++ because they are much more readable by humans.

ASM consists of operations which can do small things like add, subtract, read to RAM, load from RAM.
It can alter the Registers, the registers are memory which is accessible very fast.  (The Wii has 31 'normal' registers)

When you write a program in C++ which does this:

life++;

When you compile this, it will make something like this:

lwz r20, 0(r5) //this will load the life value from RAM (the place where it is stored in RAM will be in r5), and put it in r20
addi r21, r20, 1 //this adds 1 to r20 and puts the result back in r21
stw 0(r5), r21 //this will store the new value back in RAM (at the place which is stored in r5)

These 3 lines are the ASM operations representing the life++;
« Last Edit: October 17, 2010, 01:59:23 PM by Romaap » Logged
benny3t3
Hacker
Full Member
*****

Karma: 3
Posts: 169


« Reply #3 on: October 17, 2010, 05:24:49 PM »

Is there an existing guide on this? How did you both learn this?

I would be happy to read another 200 pages of tutorials, (I actually prefer that over a book)

I should probably learn what all of these terms like "subi" correct?

Logged

dcx2
Computer Engineer
Moderator
Legendary Member
*****

Karma: 165
Posts: 3468


WWW
« Reply #4 on: October 17, 2010, 06:15:44 PM »

There's no real "guide" to learning this.  The landscape of game hacking is far and wide, and it's impossible to cover it all in one, or even many guides.  I kindof cheated.  I knew a lot about computers in general before I started hacking the Wii...

Hacking is very "close to the metal".  High-level languages have features that make life easy.  One line of code ("life++;") ends up being a whole *bunch* of ASM (in this case, 3x as many lines).  So it helps to think about things from the CPU perspective.  http://wiird.l0nk.org/forum/index.php/topic,5249.0.html

C++ and hacking do have one thing in common...pointers.  You will repeatedly curse pointers.  They are like names for actors and such, and sometimes they have nicknames, and sometimes these nicknames can change without notice.  For now, think of a pointer as a memory address specified by the value in the ()'s of a disassembled ASM instruction.  e.g. lwz r0,100(r12); r12 is the pointer.  100 is the offset from the pointer.

Once you can see from the CPU perspective, and you understand how to see the actors through the pointers, you need to step up a level of abstraction.  The game execution will jump from place to place use bl and blr (Branch and Link, Branch to Link Register).  These are how the game goes "to" and "from" functions.  You should understand how execution will flow from one function to the next.  http://wiird.l0nk.org/forum/index.php/topic,5080

After seeing how the flow of execution is altered by function calls, you may notice that the game generally follows a series of conventions.  Certain registers are used for certain things.  The simplest is that r1 is the stack pointer and that you shouldn't touch it unless you know what you're doing.  r2 and r13 are also very special registers.  In fact, I tried to make some pretty pictures to help explain what registers do what across function calls.  http://wiird.l0nk.org/forum/index.php/topic,6555.0.html

Oh, yes.  Datasheets.  Looking at datasheets should make you smile reflexively.  The PowerPC Application Binary Interface (http://www.ibm.com/chips/techlib/techlib.nsf/techdocs/852569B20050FF77852569970071B0D6/$file/eabi_app.pdf) is the drier version of my previous link.  Much more commonly used will be any reference to the PowerPC ASM instructions; I tend to link here a lot.  Here you will see exactly what subi or lwz do.

---

At least, that's how I hack.  There are other ways, and there are also other ends that can be achieved.  The Collective (http://wiird.l0nk.org/forum/index.php/board,40.0.html) is an excellent resource for learning more about other techniques and such.

Experience is important, too.  The longer you do it, the better you'll get.  Even knowing all I do, I still learn things from others every now and then.
Logged

Romaap
Hacker
Moderator
Legendary Member
*****

Karma: 89
Posts: 1802


WWW
« Reply #5 on: October 17, 2010, 08:55:44 PM »

If you want 'some' more information on the ppc microprocessor you could check this pdf, its a 680 page book with a lot of information on ppc microprocessors and ppc ASM.
Logged
benny3t3
Hacker
Full Member
*****

Karma: 3
Posts: 169


« Reply #6 on: October 19, 2010, 12:20:09 AM »

Thank you dcx2! Thank you Romaap!
err... this may take a while. I'm gonna need a bigger binder, like, the size of a classroom.
Maybe I won't have to take AP Computer Science...

anyways, really, thank you for your support.
Logged

dcx2
Computer Engineer
Moderator
Legendary Member
*****

Karma: 165
Posts: 3468


WWW
« Reply #7 on: October 19, 2010, 12:39:14 AM »

I would recommend taking comp sci while you learn to hack.  You will see aspects of one while learning the other and it will help reinforce the concepts.

And it will take weeks, months, maybe even years to fully understand how it all works.  Don't be discouraged when it's too hard to do the hack you wanted to do.
Logged

benny3t3
Hacker
Full Member
*****

Karma: 3
Posts: 169


« Reply #8 on: October 20, 2010, 08:42:16 PM »

To implement the C language statements the following assembly language instructions illustrate loading
and passing the value in var1 to func1. After var1 is set to 4, R3 is loaded with the value in var1 in
order to pass it as an argument. The lwz instruction is used to load R3. Notice that after the instructions
to set var1 = 4, R12 contains the high order 16-bits of the address of var1 and is therefore used by
the lwz instruction. R3 is used since it is the first available parameter passing register for integer
values.

var1 = 4;
li %r11,4
addis %r12,%r0,var1@ha
stw %r11,var1@l(%r12)
func1(var1);
lwz %r3,var1@l(%r12)
bl func1

Can someone explain this to me? it's going over my head. I understand that 4 is being assigned to var1 and func1(var1) is passing var1 to func1, but all of the rest I can't get. Is that a modulus operator? why? I only know how to modulus a number.  huh
Logged

dcx2
Computer Engineer
Moderator
Legendary Member
*****

Karma: 165
Posts: 3468


WWW
« Reply #9 on: October 20, 2010, 09:10:37 PM »

The ASM from the datasheet is a little bit more unwieldy than what you see in the disassembler tab.  Ignore % signs, they just indicate that it's a register...it's not a modulus operation.  The var1@ stuff is just a fancy way to refer to the address of a variable...the assembler will replace the var1@ stuff with the address of the variable, which you don't necessarily know before hand.

It would look more like the following in the disassembly tab.  I'm going to assume that var1 is stored at address 80123458, and that func1's entry point is at address 81234568.

li r11,4
addis r12,r0,0x8012  # note: addis rX,r0,Y is a special case where 0 is used instead of the contents of r0
stw r11,0x4568(r12)

lwz r3,0x4568(r12)
bl 0x81234568

EDIT: Oh yeah, disassembler will use decimal displacements, but I used hex because it's easier to follow the example.  e.g. the stw would look more like stw r11,17768(r12)
« Last Edit: October 20, 2010, 09:12:09 PM by dcx2 » Logged

benny3t3
Hacker
Full Member
*****

Karma: 3
Posts: 169


« Reply #10 on: October 20, 2010, 09:29:29 PM »

and what is li?

load immediately?
« Last Edit: October 20, 2010, 09:35:34 PM by benny3t3 » Logged

dcx2
Computer Engineer
Moderator
Legendary Member
*****

Karma: 165
Posts: 3468


WWW
« Reply #11 on: October 20, 2010, 09:39:23 PM »

li is a mnemonic for addi.  It stands for "load immediate".  Immediate refers to a value that comes from the instruction itself; for instance, li r4,100 when assembled would look like 38800063.  The red numbers are the immediate value encoded in the instruction.

addi is another one of those (rA|0) instructions.  When rA = r0, the value 0 is used; this is what allows the mnemonic li to work.

addi r12,r0,1234 would put 1234 + 0 into r12.  This is effectively li r12,1234.
Logged

benny3t3
Hacker
Full Member
*****

Karma: 3
Posts: 169


« Reply #12 on: October 20, 2010, 10:02:20 PM »

phew, okay, I think I'm getting it, but I still have many questions (of course I do, and I will for a long time!), but I'll see what I can find out on my own. I'm sure knowing this one piece of info backwards and forwards will lessen the amount of said questions.

So, 1 more piece of help I could use is having all of this be translated line by line into english

so 11 is loaded into r11 in line 1,
line 2: 0x8012 is loaded into r11
line 3:0x4568 is stored Huh??

line 4: 0x4568 loaded into r3?
line 5: bl?

I am sorry that I am not grasping this, I just can't understand even the explanations (for example, in the 'simplified Power PC instruction set' says that lwz means "Load Word and Zero" I know what a word is, (an int, longint,enum,pointer,float,) but what does it mean by load? load to where?
Logged

dcx2
Computer Engineer
Moderator
Legendary Member
*****

Karma: 165
Posts: 3468


WWW
« Reply #13 on: October 20, 2010, 10:11:45 PM »

In the example I posted, the immediate value 4 will be loaded into register r11.

Then the hex value 0x8012 is loaded into the upper 16 bits of register r12.

Then the value in r11 is stored at the address specified by .

Then the value at address r12 + 0x4568 is loaded into register r3.

Then execution branches to the entry point of the function at 0x81234568.

---

lwz = Load Word and Zero = Load the Word into the register.  The destination operand will be the first register specified, while the second register will be in ()'s as part of the base-displacement operand; the register in ()'s is the "base" and the value before the ()'s is the "displacement", or the value that is added to the base register to determine the Effective Address (EA; you will see that a lot in the datasheets) for the load.
Logged

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2013, Simple Machines Valid XHTML 1.0! Valid CSS!