Moon jump (basically change X,Y,Z) on Mario Strikers Charged

Started by trackme, December 31, 2010, 04:23:50 PM


trackme

Hi again. I read many moon jump posts, but the only game I'm interested in is Mario Strikers.
I understand the other posts, but I can't find the way to do it on MSC.
Sorry for the topic; really, doing a moon jump could be trivial. The only problem is finding the correct X, Y, Z.

I've done a lot of searches and I found, for example, the ball's pointer. When you go inside the pointer you will find many interesting float values (ball's power, ball's X, ball's Y, ball's Z, ball's speed, etc.). These values are very near each other.
If I do a poke on the ball's power I can see in-game that it works (obviously the same if I do a 32-bit RAM write).

But with X, Y, Z, etc. it doesn't work. I set a 05 code (81xxxxxx mem region) to change the Y float value and it doesn't work :(

I found many other addresses that have the same values... 6 locations approximately. But it never works (05 RAM writes).
I tried with ASM to change the float registers, but it never works.

I searched for the values more times, very accurately, in 80 mem, 90 mem, etc. The pointer is at 80x and points to 81x.

Any hint, trick... help? :(
The question is, has someone found a similar problem? I think the only solution is to see where the f-X float is created, but it can be hard because the game uses the same ASM instruction to load/save so many different values/addresses.

Thanks!!

dcx2

Another way to find location coordinates is to use spatial locality on easier-to-find values that belong to the same object.  For instance, if you can find e.g. Mario's power, then turn on Memory Viewer in View Mode: Single, and run around in circles while looking in the vicinity of Mario's power.  The coordinates should jump right out at you.

---

Poking location coordinates almost never works.  I found in Super Mario Galaxy that there are actually a couple cached coordinate values.  You probably poked an old copy, which is why nothing changed.

After setting a few breakpoints, I found a piece of code where the coordinates were being copied around.  A little ASM to ensure I was only working on Mario and not other actors, and if I'm working on Mario then I inject my new coordinates instead of the coordinates it was supposed to copy.

You will probably see some weird instructions when it comes to copying coordinates.  The compiler prefers to use Paired Singles SIMD instructions, like psq_l/psq_st, because they can move two floats at a time instead of just one with lfs/stfs.

trackme

Thanks!

Anyway, I did a more extensive search. I found 180 possible memory addresses that store the position (current, cache, old, etc.). Only 1 actor (each actor has its own addresses, but that's not the problem).
All of them are floats, and if one is 4,11111, another is 4,12222, etc. The values are all very close to each other.

I tested with a permanent RAM write on 10 of those addresses (10/180 at random) and the result is curious and funny (it tells you how it works).
I see my hacked character at the position I want to see it at but... the game thinks my character is at his default value, and it has a curious effect.
Example:

The character is at X=3,5. I want to move it to X=12,1. I see my character at X=12,1, but I control the character from X=3,5. The curious effect is as follows: I see a "ghost" effect between X=3,5 and X=12,1, like the character wants to return to the X=3,5 position. And at each position between X=3,5 and X=12,1 I can see this ghost effect.

I'm sorry, I don't know if I explained it correctly.

Thanks and Happy new year :)

edit: Tested with all 180 addresses. A more pronounced effect, and the character still stays at X=3,5.

dcx2

Set a read breakpoint on the coordinates that your character is at.  When it hits, switch to Memory Viewer and change the coordinates while the game is frozen.  Then hit run.  The game will read the new coordinates and you should hopefully teleport.

The first read breakpoint might not work.  You might need to follow the copies along to find the right breakpoint.  Or you may need to use write breakpoints and trace backwards.

trackme

Thanks dcx2!

Now I have found the correct values :) Just following the values with breakpoints (tracing many backwards...).
With the correct values, if I do a poke in-game the actor teleports to it instantly. Now I only have to get the pointer... if I can (it seems to be a pointer in a pointer in a pointer...).

Thanks again!

dcx2

Nice!   :cool:

Pointers can be hard to find...you will need to follow arguments backwards through the call stack.  Why not just use a C2 ASM hook?  You will need some extra ASM to make sure you only process your character, but there is usually a way to make sure.

If you use Gecko.NET, you can use Copy Function on the top three or four functions in the Call Stack on the Disassembly tab during the breakpoint you traced backwards.  Paste each of the functions into a spoiler.  I can then explain how to work your way through the call stack to find the pointers.  I will also explain what register you can use to determine who you are processing.

trackme

Well, I don't know if I understand your post but...

Once again, thanks!

Info:

Address that stores X Position: 811EB138

I see 12 functions on the call stack list; I will post the top four functions:

80353D00 [spoiler]
80353CF0:  9421FFF0   stwu   r1,-16(r1)
80353CF4:  7C0802A6   mflr   r0
80353CF8:  90010014   stw   r0,20(r1)
80353CFC:  93E1000C   stw   r31,12(r1)
80353D00:  D0230098   stfs   f1,152(r3)
80353D04:  83E3001C   lwz   r31,28(r3)
80353D08:  D043009C   stfs   f2,156(r3)
80353D0C:  D06300A0   stfs   f3,160(r3)
80353D10:  48000018   b   0x80353d28
80353D14:  7FE3FB78   mr   r3,r31
80353D18:  4BFF0649   bl   0x80344360
80353D1C:  7FE3FB78   mr   r3,r31
80353D20:  4BFEFEB9   bl   0x80343bd8
80353D24:  7C7F1B78   mr   r31,r3
80353D28:  2C1F0000   cmpwi   r31,0
80353D2C:  4082FFE8   bne+   0x80353d14
80353D30:  80010014   lwz   r0,20(r1)
80353D34:  83E1000C   lwz   r31,12(r1)
80353D38:  7C0803A6   mtlr   r0
80353D3C:  38210010   addi   r1,r1,16
80353D40:  4E800020   blr   
[/spoiler]

8031D114 [spoiler]
8031CAB4:  9421FBA0   stwu   r1,-1120(r1)
8031CAB8:  7C0802A6   mflr   r0
8031CABC:  90010464   stw   r0,1124(r1)
8031CAC0:  93E1045C   stw   r31,1116(r1)
8031CAC4:  7C9F2378   mr   r31,r4
8031CAC8:  93C10458   stw   r30,1112(r1)
8031CACC:  7C7E1B78   mr   r30,r3
8031CAD0:  93A10454   stw   r29,1108(r1)
8031CAD4:  93810450   stw   r28,1104(r1)
8031CAD8:  8383000C   lwz   r28,12(r3)
8031CADC:  2C1C0000   cmpwi   r28,0
8031CAE0:  41820610   beq-   0x8031d0f0
8031CAE4:  2C050000   cmpwi   r5,0
8031CAE8:  40820608   bne-   0x8031d0f0
8031CAEC:  801C0008   lwz   r0,8(r28)
8031CAF0:  2C000000   cmpwi   r0,0
8031CAF4:  40820018   bne-   0x8031cb0c
8031CAF8:  807C0004   lwz   r3,4(r28)
8031CAFC:  2C030000   cmpwi   r3,0
8031CB00:  4182000C   beq-   0x8031cb0c
8031CB04:  48037371   bl   0x80353e74
8031CB08:  4800000C   b   0x8031cb14
8031CB0C:  7C030378   mr   r3,r0
8031CB10:  480272F1   bl   0x80343e00
8031CB14:  C0030000   lfs   f0,0(r3)
8031CB18:  C022B840   lfs   f1,-18368(r2)
8031CB1C:  D0010408   stfs   f0,1032(r1)
8031CB20:  C002B844   lfs   f0,-18364(r2)
8031CB24:  C0430004   lfs   f2,4(r3)
8031CB28:  D0410418   stfs   f2,1048(r1)
8031CB2C:  C0430008   lfs   f2,8(r3)
8031CB30:  D0410428   stfs   f2,1064(r1)
8031CB34:  C0430010   lfs   f2,16(r3)
8031CB38:  D041040C   stfs   f2,1036(r1)
8031CB3C:  C0430014   lfs   f2,20(r3)
8031CB40:  D041041C   stfs   f2,1052(r1)
8031CB44:  C0430018   lfs   f2,24(r3)
8031CB48:  D041042C   stfs   f2,1068(r1)
8031CB4C:  C0430020   lfs   f2,32(r3)
8031CB50:  D0410410   stfs   f2,1040(r1)
8031CB54:  C0430024   lfs   f2,36(r3)
8031CB58:  D0410420   stfs   f2,1056(r1)
8031CB5C:  C0430028   lfs   f2,40(r3)
8031CB60:  D0410430   stfs   f2,1072(r1)
8031CB64:  D0210438   stfs   f1,1080(r1)
8031CB68:  D021043C   stfs   f1,1084(r1)
8031CB6C:  D0210440   stfs   f1,1088(r1)
8031CB70:  D0010444   stfs   f0,1092(r1)
8031CB74:  D0210414   stfs   f1,1044(r1)
8031CB78:  D0210424   stfs   f1,1060(r1)
8031CB7C:  D0210434   stfs   f1,1076(r1)
8031CB80:  839C000C   lwz   r28,12(r28)
8031CB84:  2C1C0000   cmpwi   r28,0
8031CB88:  41820174   beq-   0x8031ccfc
8031CB8C:  801C0008   lwz   r0,8(r28)
8031CB90:  2C000000   cmpwi   r0,0
8031CB94:  40820018   bne-   0x8031cbac
8031CB98:  807C0004   lwz   r3,4(r28)
8031CB9C:  2C030000   cmpwi   r3,0
8031CBA0:  4182000C   beq-   0x8031cbac
8031CBA4:  480372D1   bl   0x80353e74
8031CBA8:  4800000C   b   0x8031cbb4
8031CBAC:  7C030378   mr   r3,r0
8031CBB0:  48027251   bl   0x80343e00
8031CBB4:  38810248   addi   r4,r1,584
8031CBB8:  48002C31   bl   0x8031f7e8
8031CBBC:  839C000C   lwz   r28,12(r28)
8031CBC0:  2C1C0000   cmpwi   r28,0
8031CBC4:  418200E8   beq-   0x8031ccac
8031CBC8:  801C0008   lwz   r0,8(r28)
8031CBCC:  2C000000   cmpwi   r0,0
8031CBD0:  40820018   bne-   0x8031cbe8
8031CBD4:  807C0004   lwz   r3,4(r28)
8031CBD8:  2C030000   cmpwi   r3,0
8031CBDC:  4182000C   beq-   0x8031cbe8
8031CBE0:  48037295   bl   0x80353e74
8031CBE4:  4800000C   b   0x8031cbf0
8031CBE8:  7C030378   mr   r3,r0
8031CBEC:  48027215   bl   0x80343e00
8031CBF0:  38810288   addi   r4,r1,648
8031CBF4:  48002BF5   bl   0x8031f7e8
8031CBF8:  807C000C   lwz   r3,12(r28)
8031CBFC:  2C030000   cmpwi   r3,0
8031CC00:  4182005C   beq-   0x8031cc5c
8031CC04:  38810308   addi   r4,r1,776
8031CC08:  48001405   bl   0x8031e00c
8031CC0C:  38610388   addi   r3,r1,904
8031CC10:  38810288   addi   r4,r1,648
8031CC14:  38A10308   addi   r5,r1,776
8031CC18:  4804A165   bl   0x80366d7c
8031CC1C:  C8E10388   lfd   f7,904(r1)
8031CC20:  C8C10390   lfd   f6,912(r1)
8031CC24:  C8A10398   lfd   f5,920(r1)
8031CC28:  C88103A0   lfd   f4,928(r1)
8031CC2C:  C86103A8   lfd   f3,936(r1)
8031CC30:  C84103B0   lfd   f2,944(r1)
8031CC34:  C82103B8   lfd   f1,952(r1)
8031CC38:  C80103C0   lfd   f0,960(r1)
8031CC3C:  D8E10288   stfd   f7,648(r1)
8031CC40:  D8C10290   stfd   f6,656(r1)
8031CC44:  D8A10298   stfd   f5,664(r1)
8031CC48:  D88102A0   stfd   f4,672(r1)
8031CC4C:  D86102A8   stfd   f3,680(r1)
8031CC50:  D84102B0   stfd   f2,688(r1)
8031CC54:  D82102B8   stfd   f1,696(r1)
8031CC58:  D80102C0   stfd   f0,704(r1)
8031CC5C:  38610348   addi   r3,r1,840
8031CC60:  38810248   addi   r4,r1,584
8031CC64:  38A10288   addi   r5,r1,648
8031CC68:  4804A115   bl   0x80366d7c
8031CC6C:  C8E10348   lfd   f7,840(r1)
8031CC70:  C8C10350   lfd   f6,848(r1)
8031CC74:  C8A10358   lfd   f5,856(r1)
8031CC78:  C8810360   lfd   f4,864(r1)
8031CC7C:  C8610368   lfd   f3,872(r1)
8031CC80:  C8410370   lfd   f2,880(r1)
8031CC84:  C8210378   lfd   f1,888(r1)
8031CC88:  C8010380   lfd   f0,896(r1)
8031CC8C:  D8E10248   stfd   f7,584(r1)
8031CC90:  D8C10250   stfd   f6,592(r1)
8031CC94:  D8A10258   stfd   f5,600(r1)
8031CC98:  D8810260   stfd   f4,608(r1)
8031CC9C:  D8610268   stfd   f3,616(r1)
8031CCA0:  D8410270   stfd   f2,624(r1)
8031CCA4:  D8210278   stfd   f1,632(r1)
8031CCA8:  D8010280   stfd   f0,640(r1)
8031CCAC:  386102C8   addi   r3,r1,712
8031CCB0:  38810408   addi   r4,r1,1032
8031CCB4:  38A10248   addi   r5,r1,584
8031CCB8:  4804A0C5   bl   0x80366d7c
8031CCBC:  C8E102C8   lfd   f7,712(r1)
8031CCC0:  C8C102D0   lfd   f6,720(r1)
8031CCC4:  C8A102D8   lfd   f5,728(r1)
8031CCC8:  C88102E0   lfd   f4,736(r1)
8031CCCC:  C86102E8   lfd   f3,744(r1)
8031CCD0:  C84102F0   lfd   f2,752(r1)
8031CCD4:  C82102F8   lfd   f1,760(r1)
8031CCD8:  C8010300   lfd   f0,768(r1)
8031CCDC:  D8E10408   stfd   f7,1032(r1)
8031CCE0:  D8C10410   stfd   f6,1040(r1)
8031CCE4:  D8A10418   stfd   f5,1048(r1)
8031CCE8:  D8810420   stfd   f4,1056(r1)
8031CCEC:  D8610428   stfd   f3,1064(r1)
8031CCF0:  D8410430   stfd   f2,1072(r1)
8031CCF4:  D8210438   stfd   f1,1080(r1)
8031CCF8:  D8010440   stfd   f0,1088(r1)
8031CCFC:  83BE000C   lwz   r29,12(r30)
8031CD00:  801D0008   lwz   r0,8(r29)
8031CD04:  2C000000   cmpwi   r0,0
8031CD08:  40820018   bne-   0x8031cd20
8031CD0C:  807D0004   lwz   r3,4(r29)
8031CD10:  2C030000   cmpwi   r3,0
8031CD14:  4182000C   beq-   0x8031cd20
8031CD18:  48037155   bl   0x80353e6c
8031CD1C:  4800000C   b   0x8031cd28
8031CD20:  7C030378   mr   r3,r0
8031CD24:  480270D5   bl   0x80343df8
8031CD28:  C0430008   lfs   f2,8(r3)
8031CD2C:  C0230004   lfs   f1,4(r3)
8031CD30:  C0030000   lfs   f0,0(r3)
8031CD34:  D01D0014   stfs   f0,20(r29)
8031CD38:  D03D0018   stfs   f1,24(r29)
8031CD3C:  D05D001C   stfs   f2,28(r29)
8031CD40:  839D000C   lwz   r28,12(r29)
8031CD44:  2C1C0000   cmpwi   r28,0
8031CD48:  41820328   beq-   0x8031d070
8031CD4C:  801C0008   lwz   r0,8(r28)
8031CD50:  2C000000   cmpwi   r0,0
8031CD54:  40820018   bne-   0x8031cd6c
8031CD58:  807C0004   lwz   r3,4(r28)
8031CD5C:  2C030000   cmpwi   r3,0
8031CD60:  4182000C   beq-   0x8031cd6c
8031CD64:  48037109   bl   0x80353e6c
8031CD68:  4800000C   b   0x8031cd74
8031CD6C:  7C030378   mr   r3,r0
8031CD70:  48027089   bl   0x80343df8
8031CD74:  C0430008   lfs   f2,8(r3)
8031CD78:  C0230004   lfs   f1,4(r3)
8031CD7C:  C0030000   lfs   f0,0(r3)
8031CD80:  D001002C   stfs   f0,44(r1)
8031CD84:  D0210030   stfs   f1,48(r1)
8031CD88:  D0410034   stfs   f2,52(r1)
8031CD8C:  807C000C   lwz   r3,12(r28)
8031CD90:  2C030000   cmpwi   r3,0
8031CD94:  41820070   beq-   0x8031ce04
8031CD98:  38810020   addi   r4,r1,32
8031CD9C:  480003B5   bl   0x8031d150
8031CDA0:  807C000C   lwz   r3,12(r28)
8031CDA4:  388101C8   addi   r4,r1,456
8031CDA8:  48001265   bl   0x8031e00c
8031CDAC:  38610008   addi   r3,r1,8
8031CDB0:  3881002C   addi   r4,r1,44
8031CDB4:  38A101C8   addi   r5,r1,456
8031CDB8:  4804A0B5   bl   0x80366e6c
8031CDBC:  8061000C   lwz   r3,12(r1)
8031CDC0:  80810008   lwz   r4,8(r1)
8031CDC4:  80010010   lwz   r0,16(r1)
8031CDC8:  90610030   stw   r3,48(r1)
8031CDCC:  C0210024   lfs   f1,36(r1)
8031CDD0:  90010034   stw   r0,52(r1)
8031CDD4:  C0010030   lfs   f0,48(r1)
8031CDD8:  9081002C   stw   r4,44(r1)
8031CDDC:  EC81002A   fadds   f4,f1,f0
8031CDE0:  C0610028   lfs   f3,40(r1)
8031CDE4:  C0410034   lfs   f2,52(r1)
8031CDE8:  C0210020   lfs   f1,32(r1)
8031CDEC:  C001002C   lfs   f0,44(r1)
8031CDF0:  EC43102A   fadds   f2,f3,f2
8031CDF4:  D0810030   stfs   f4,48(r1)
8031CDF8:  EC01002A   fadds   f0,f1,f0
8031CDFC:  D0410034   stfs   f2,52(r1)
8031CE00:  D001002C   stfs   f0,44(r1)
8031CE04:  839D000C   lwz   r28,12(r29)
8031CE08:  801C0008   lwz   r0,8(r28)
8031CE0C:  2C000000   cmpwi   r0,0
8031CE10:  40820018   bne-   0x8031ce28
8031CE14:  807C0004   lwz   r3,4(r28)
8031CE18:  2C030000   cmpwi   r3,0
8031CE1C:  4182000C   beq-   0x8031ce28
8031CE20:  48037055   bl   0x80353e74
8031CE24:  4800000C   b   0x8031ce30
8031CE28:  7C030378   mr   r3,r0
8031CE2C:  48026FD5   bl   0x80343e00
8031CE30:  C0030000   lfs   f0,0(r3)
8031CE34:  C022B840   lfs   f1,-18368(r2)
8031CE38:  D0010208   stfs   f0,520(r1)
8031CE3C:  C002B844   lfs   f0,-18364(r2)
8031CE40:  C0430004   lfs   f2,4(r3)
8031CE44:  D0410218   stfs   f2,536(r1)
8031CE48:  C0430008   lfs   f2,8(r3)
8031CE4C:  D0410228   stfs   f2,552(r1)
8031CE50:  C0430010   lfs   f2,16(r3)
8031CE54:  D041020C   stfs   f2,524(r1)
8031CE58:  C0430014   lfs   f2,20(r3)
8031CE5C:  D041021C   stfs   f2,540(r1)
8031CE60:  C0430018   lfs   f2,24(r3)
8031CE64:  D041022C   stfs   f2,556(r1)
8031CE68:  C0430020   lfs   f2,32(r3)
8031CE6C:  D0410210   stfs   f2,528(r1)
8031CE70:  C0430024   lfs   f2,36(r3)
8031CE74:  D0410220   stfs   f2,544(r1)
8031CE78:  C0430028   lfs   f2,40(r3)
8031CE7C:  D0410230   stfs   f2,560(r1)
8031CE80:  D0210238   stfs   f1,568(r1)
8031CE84:  D021023C   stfs   f1,572(r1)
8031CE88:  D0210240   stfs   f1,576(r1)
8031CE8C:  D0010244   stfs   f0,580(r1)
8031CE90:  D0210214   stfs   f1,532(r1)
8031CE94:  D0210224   stfs   f1,548(r1)
8031CE98:  D0210234   stfs   f1,564(r1)
8031CE9C:  839C000C   lwz   r28,12(r28)
8031CEA0:  2C1C0000   cmpwi   r28,0
8031CEA4:  41820174   beq-   0x8031d018
8031CEA8:  801C0008   lwz   r0,8(r28)
8031CEAC:  2C000000   cmpwi   r0,0
8031CEB0:  40820018   bne-   0x8031cec8
8031CEB4:  807C0004   lwz   r3,4(r28)
8031CEB8:  2C030000   cmpwi   r3,0
8031CEBC:  4182000C   beq-   0x8031cec8
8031CEC0:  48036FB5   bl   0x80353e74
8031CEC4:  4800000C   b   0x8031ced0
8031CEC8:  7C030378   mr   r3,r0
8031CECC:  48026F35   bl   0x80343e00
8031CED0:  38810048   addi   r4,r1,72
8031CED4:  48002915   bl   0x8031f7e8
8031CED8:  839C000C   lwz   r28,12(r28)
8031CEDC:  2C1C0000   cmpwi   r28,0
8031CEE0:  418200E8   beq-   0x8031cfc8
8031CEE4:  801C0008   lwz   r0,8(r28)
8031CEE8:  2C000000   cmpwi   r0,0
8031CEEC:  40820018   bne-   0x8031cf04
8031CEF0:  807C0004   lwz   r3,4(r28)
8031CEF4:  2C030000   cmpwi   r3,0
8031CEF8:  4182000C   beq-   0x8031cf04
8031CEFC:  48036F79   bl   0x80353e74
8031CF00:  4800000C   b   0x8031cf0c
8031CF04:  7C030378   mr   r3,r0
8031CF08:  48026EF9   bl   0x80343e00
8031CF0C:  38810088   addi   r4,r1,136
8031CF10:  480028D9   bl   0x8031f7e8
8031CF14:  807C000C   lwz   r3,12(r28)
8031CF18:  2C030000   cmpwi   r3,0
8031CF1C:  4182005C   beq-   0x8031cf78
8031CF20:  38810108   addi   r4,r1,264
8031CF24:  480010E9   bl   0x8031e00c
8031CF28:  38610188   addi   r3,r1,392
8031CF2C:  38810088   addi   r4,r1,136
8031CF30:  38A10108   addi   r5,r1,264
8031CF34:  48049E49   bl   0x80366d7c
8031CF38:  C8E10188   lfd   f7,392(r1)
8031CF3C:  C8C10190   lfd   f6,400(r1)
8031CF40:  C8A10198   lfd   f5,408(r1)
8031CF44:  C88101A0   lfd   f4,416(r1)
8031CF48:  C86101A8   lfd   f3,424(r1)
8031CF4C:  C84101B0   lfd   f2,432(r1)
8031CF50:  C82101B8   lfd   f1,440(r1)
8031CF54:  C80101C0   lfd   f0,448(r1)
8031CF58:  D8E10088   stfd   f7,136(r1)
8031CF5C:  D8C10090   stfd   f6,144(r1)
8031CF60:  D8A10098   stfd   f5,152(r1)
8031CF64:  D88100A0   stfd   f4,160(r1)
8031CF68:  D86100A8   stfd   f3,168(r1)
8031CF6C:  D84100B0   stfd   f2,176(r1)
8031CF70:  D82100B8   stfd   f1,184(r1)
8031CF74:  D80100C0   stfd   f0,192(r1)
8031CF78:  38610148   addi   r3,r1,328
8031CF7C:  38810048   addi   r4,r1,72
8031CF80:  38A10088   addi   r5,r1,136
8031CF84:  48049DF9   bl   0x80366d7c
8031CF88:  C8E10148   lfd   f7,328(r1)
8031CF8C:  C8C10150   lfd   f6,336(r1)
8031CF90:  C8A10158   lfd   f5,344(r1)
8031CF94:  C8810160   lfd   f4,352(r1)
8031CF98:  C8610168   lfd   f3,360(r1)
8031CF9C:  C8410170   lfd   f2,368(r1)
8031CFA0:  C8210178   lfd   f1,376(r1)
8031CFA4:  C8010180   lfd   f0,384(r1)
8031CFA8:  D8E10048   stfd   f7,72(r1)
8031CFAC:  D8C10050   stfd   f6,80(r1)
8031CFB0:  D8A10058   stfd   f5,88(r1)
8031CFB4:  D8810060   stfd   f4,96(r1)
8031CFB8:  D8610068   stfd   f3,104(r1)
8031CFBC:  D8410070   stfd   f2,112(r1)
8031CFC0:  D8210078   stfd   f1,120(r1)
8031CFC4:  D8010080   stfd   f0,128(r1)
8031CFC8:  386100C8   addi   r3,r1,200
8031CFCC:  38810208   addi   r4,r1,520
8031CFD0:  38A10048   addi   r5,r1,72
8031CFD4:  48049DA9   bl   0x80366d7c
8031CFD8:  C8E100C8   lfd   f7,200(r1)
8031CFDC:  C8C100D0   lfd   f6,208(r1)
8031CFE0:  C8A100D8   lfd   f5,216(r1)
8031CFE4:  C88100E0   lfd   f4,224(r1)
8031CFE8:  C86100E8   lfd   f3,232(r1)
8031CFEC:  C84100F0   lfd   f2,240(r1)
8031CFF0:  C82100F8   lfd   f1,248(r1)
8031CFF4:  C8010100   lfd   f0,256(r1)
8031CFF8:  D8E10208   stfd   f7,520(r1)
8031CFFC:  D8C10210   stfd   f6,528(r1)
8031D000:  D8A10218   stfd   f5,536(r1)
8031D004:  D8810220   stfd   f4,544(r1)
8031D008:  D8610228   stfd   f3,552(r1)
8031D00C:  D8410230   stfd   f2,560(r1)
8031D010:  D8210238   stfd   f1,568(r1)
8031D014:  D8010240   stfd   f0,576(r1)
8031D018:  38610014   addi   r3,r1,20
8031D01C:  389D0014   addi   r4,r29,20
8031D020:  38A10208   addi   r5,r1,520
8031D024:  48049E49   bl   0x80366e6c
8031D028:  80610014   lwz   r3,20(r1)
8031D02C:  80010018   lwz   r0,24(r1)
8031D030:  907D0014   stw   r3,20(r29)
8031D034:  901D0018   stw   r0,24(r29)
8031D038:  8001001C   lwz   r0,28(r1)
8031D03C:  901D001C   stw   r0,28(r29)
8031D040:  C021002C   lfs   f1,44(r1)
8031D044:  C01D0014   lfs   f0,20(r29)
8031D048:  C0610030   lfs   f3,48(r1)
8031D04C:  EC81002A   fadds   f4,f1,f0
8031D050:  C05D0018   lfs   f2,24(r29)
8031D054:  C0210034   lfs   f1,52(r1)
8031D058:  C01D001C   lfs   f0,28(r29)
8031D05C:  EC43102A   fadds   f2,f3,f2
8031D060:  D09D0014   stfs   f4,20(r29)
8031D064:  EC01002A   fadds   f0,f1,f0
8031D068:  D05D0018   stfs   f2,24(r29)
8031D06C:  D01D001C   stfs   f0,28(r29)
8031D070:  C03D0014   lfs   f1,20(r29)
8031D074:  386103C8   addi   r3,r1,968
8031D078:  C002B844   lfs   f0,-18364(r2)
8031D07C:  38810408   addi   r4,r1,1032
8031D080:  D0210438   stfs   f1,1080(r1)
8031D084:  C03D0018   lfs   f1,24(r29)
8031D088:  D021043C   stfs   f1,1084(r1)
8031D08C:  C03D001C   lfs   f1,28(r29)
8031D090:  D0210440   stfs   f1,1088(r1)
8031D094:  D0010444   stfs   f0,1092(r1)
8031D098:  4BF970D5   bl   0x802b416c
8031D09C:  7FE4FB78   mr   r4,r31
8031D0A0:  38610038   addi   r3,r1,56
8031D0A4:  38A103C8   addi   r5,r1,968
8031D0A8:  48049DC5   bl   0x80366e6c
8031D0AC:  801E0008   lwz   r0,8(r30)
8031D0B0:  2C000000   cmpwi   r0,0
8031D0B4:  40820024   bne-   0x8031d0d8
8031D0B8:  807E0004   lwz   r3,4(r30)
8031D0BC:  2C030000   cmpwi   r3,0
8031D0C0:  41820018   beq-   0x8031d0d8
8031D0C4:  C0210038   lfs   f1,56(r1)
8031D0C8:  C041003C   lfs   f2,60(r1)
8031D0CC:  C0610040   lfs   f3,64(r1)
8031D0D0:  48036C21   bl   0x80353cf0
8031D0D4:  4800005C   b   0x8031d130
8031D0D8:  C0210038   lfs   f1,56(r1)
8031D0DC:  7C030378   mr   r3,r0
8031D0E0:  C041003C   lfs   f2,60(r1)
8031D0E4:  C0610040   lfs   f3,64(r1)
8031D0E8:  48026C8D   bl   0x80343d74
8031D0EC:  48000044   b   0x8031d130
8031D0F0:  80030008   lwz   r0,8(r3)
8031D0F4:  2C000000   cmpwi   r0,0
8031D0F8:  40820024   bne-   0x8031d11c
8031D0FC:  80630004   lwz   r3,4(r3)
8031D100:  2C030000   cmpwi   r3,0
8031D104:  41820018   beq-   0x8031d11c
8031D108:  C0240000   lfs   f1,0(r4)
8031D10C:  C0440004   lfs   f2,4(r4)
8031D110:  C0640008   lfs   f3,8(r4)
8031D114:  48036BDD   bl   0x80353cf0
8031D118:  48000018   b   0x8031d130
8031D11C:  C0240000   lfs   f1,0(r4)
8031D120:  7C030378   mr   r3,r0
8031D124:  C0440004   lfs   f2,4(r4)
8031D128:  C0640008   lfs   f3,8(r4)
8031D12C:  48026C49   bl   0x80343d74
8031D130:  80010464   lwz   r0,1124(r1)
8031D134:  83E1045C   lwz   r31,1116(r1)
8031D138:  83C10458   lwz   r30,1112(r1)
8031D13C:  83A10454   lwz   r29,1108(r1)
8031D140:  83810450   lwz   r28,1104(r1)
8031D144:  7C0803A6   mtlr   r0
8031D148:  38210460   addi   r1,r1,1120
8031D14C:  4E800020   blr   
[/spoiler]

8031D114 (Yes, a repeated function? I won't post it again)

8031A994 [spoiler]
8031A960:  9421FFE0   stwu   r1,-32(r1)
8031A964:  7C0802A6   mflr   r0
8031A968:  C0240000   lfs   f1,0(r4)
8031A96C:  38A00000   li   r5,0
8031A970:  90010024   stw   r0,36(r1)
8031A974:  C0040004   lfs   f0,4(r4)
8031A978:  D0210008   stfs   f1,8(r1)
8031A97C:  C0240008   lfs   f1,8(r4)
8031A980:  38810008   addi   r4,r1,8
8031A984:  D001000C   stfs   f0,12(r1)
8031A988:  C0030044   lfs   f0,68(r3)
8031A98C:  EC01002A   fadds   f0,f1,f0
8031A990:  D0010010   stfs   f0,16(r1)
8031A994:  48002121   bl   0x8031cab4
8031A998:  80010024   lwz   r0,36(r1)
8031A99C:  7C0803A6   mtlr   r0
8031A9A0:  38210020   addi   r1,r1,32
8031A9A4:  4E800020   blr   
[/spoiler]

dcx2

Weird.  It's possible for something to be in the Call Stack twice; they are called recursive functions.  However, in such cases the bl in the call stack should point to the same function (8031CAB4), but in this case the bl points to a different function (80353CF0).  No matter, it's still trace-able.

Your breakpoint stopped on

80353D00:  D0230098   stfs   f1,152(r3)

So far, our pointer would be [r3 + 152].  r3 is an input parameter, so it comes from the caller at 8031D114.  This is a mega function that allocates a massive stack of over 1000 bytes.  But it looks like the path you need to take to get to the right bl is actually much shorter.

[spoiler]8031CAB4:  9421FBA0   stwu   r1,-1120(r1)
8031CAB8:  7C0802A6   mflr   r0
8031CABC:  90010464   stw   r0,1124(r1)
8031CAC0:  93E1045C   stw   r31,1116(r1)
8031CAC4:  7C9F2378   mr   r31,r4
8031CAC8:  93C10458   stw   r30,1112(r1)
8031CACC:  7C7E1B78   mr   r30,r3
8031CAD0:  93A10454   stw   r29,1108(r1)
8031CAD4:  93810450   stw   r28,1104(r1)
8031CAD8:  8383000C   lwz   r28,12(r3)
8031CADC:  2C1C0000   cmpwi   r28,0
8031CAE0:  41820610   beq-   0x8031d0f0
8031CAE4:  2C050000   cmpwi   r5,0
8031CAE8:  40820608   bne-   0x8031d0f0
...
8031D0F0:  80030008   lwz   r0,8(r3)
8031D0F4:  2C000000   cmpwi   r0,0
8031D0F8:  40820024   bne-   0x8031d11c
8031D0FC:  80630004   lwz   r3,4(r3)
8031D100:  2C030000   cmpwi   r3,0
8031D104:  41820018   beq-   0x8031d11c
8031D108:  C0240000   lfs   f1,0(r4)
8031D10C:  C0440004   lfs   f2,4(r4)
8031D110:  C0640008   lfs   f3,8(r4)
8031D114:  48036BDD   bl   0x80353cf0
8031D118:  48000018   b   0x8031d130
8031D11C:  C0240000   lfs   f1,0(r4)
8031D120:  7C030378   mr   r3,r0
8031D124:  C0440004   lfs   f2,4(r4)
8031D128:  C0640008   lfs   f3,8(r4)
8031D12C:  48026C49   bl   0x80343d74
8031D130:  80010464   lwz   r0,1124(r1)
8031D134:  83E1045C   lwz   r31,1116(r1)
8031D138:  83C10458   lwz   r30,1112(r1)
8031D13C:  83A10454   lwz   r29,1108(r1)
8031D140:  83810450   lwz   r28,1104(r1)
8031D144:  7C0803A6   mtlr   r0
8031D148:  38210460   addi   r1,r1,1120
8031D14C:  4E800020   blr   [/spoiler]

So now our pointer is [[r3 + 4] + 152].  Once again, r3 comes from the caller.  And r3 comes from that caller's caller.  So I need a few more levels from the call stack.

---

One thing of interest is that the floats for your coordinates appear to be copied from here just before the bl.

8031D108:  C0240000   lfs   f1,0(r4)
8031D10C:  C0440004   lfs   f2,4(r4)
8031D110:  C0640008   lfs   f3,8(r4)
8031D114:  48036BDD   bl   0x80353cf0

r4 also comes from the caller.  (r3-r10 always come from the caller; smaller registers are preferred first)


8031A968:  C0240000   lfs   f1,0(r4)
...
8031A978:  D0210008   stfs   f1,8(r1)
8031A97C:  C0240008   lfs   f1,8(r4)
8031A980:  38810008   addi   r4,r1,8
8031A984:  D001000C   stfs   f0,12(r1)
8031A988:  C0030044   lfs   f0,68(r3)
8031A98C:  EC01002A   fadds   f0,f1,f0
8031A990:  D0010010   stfs   f0,16(r1)
8031A994:  48002121   bl   0x8031cab4

r4 is an offset of r1, so it is pointing to the stack (not the call stack, the regular stack holds data).  There's also other interesting stuff going on...the coordinates are being copied out of the previous value of r4 and onto the stack, and then the new value of r4 points directly at them.  So once again, all the fun is at the callers.

EDIT:

Also, it looks like the cmpwi's at 8031CADC and 8031CAE4 help determine what actor you are.
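To make the "[[r3 + 4] + 152]" reasoning above mechanical, here is an added example (my own code, not from the thread or from Gecko.NET) that walks the executed path quoted in this thread symbolically: it parses the listing lines, tracks how each register is derived from the caller's inputs, and at the store reports both the cell being written and where the stored value came from. The listing text is copied from the posts above; the object address and memory contents used by `store_address_for` are constructed for the demo, chosen so the chain lands on the X address trackme posted.

```python
import re

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}):\s+[0-9A-Fa-f]{8}\s+(\S+)\s*(.*)$")
MEM_RE = re.compile(r"^(-?\d+)\((r\d+)\)$")

# The instructions that actually execute between the entry of 8031CAB4 and the
# store, copied from the listing quoted above (the path through the beq at 8031CAE0).
EXECUTED_PATH = """
8031CAB4:  9421FBA0   stwu   r1,-1120(r1)
8031CACC:  7C7E1B78   mr   r30,r3
8031CAD8:  8383000C   lwz   r28,12(r3)
8031CAE0:  41820610   beq-   0x8031d0f0
8031D0F0:  80030008   lwz   r0,8(r3)
8031D0FC:  80630004   lwz   r3,4(r3)
8031D108:  C0240000   lfs   f1,0(r4)
8031D114:  48036BDD   bl   0x80353cf0
80353CF0:  9421FFF0   stwu   r1,-16(r1)
80353D00:  D0230098   stfs   f1,152(r3)
"""

def parse_listing(text):
    """Turn Gecko.NET-style listing lines into (address, mnemonic, operands)."""
    insns = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            addr, mnem, ops = m.groups()
            operands = [o.strip() for o in ops.split(",")] if ops else []
            insns.append((int(addr, 16), mnem.rstrip("+-"), operands))
    return insns

def _mem(operand):
    """Split 'off(rN)' into ('rN', off)."""
    m = MEM_RE.match(operand)
    return m.group(2), int(m.group(1))

# Symbolic values: ("reg", name) = whatever the caller passed in,
# ("load", base, off) = memory word at base+off, ("add", base, off) = base+off.
def trace(insns, stop_addr):
    """Walk the path symbolically; at stop_addr (a store) return
    (cell, value): the memory cell written and the value written to it."""
    regs = {}
    sym = lambda r: regs.get(r, ("reg", r))
    for addr, mnem, ops in insns:
        if addr == stop_addr:
            base, off = _mem(ops[1])
            return ("load", sym(base), off), sym(ops[0])
        if mnem in ("lwz", "lfs"):
            base, off = _mem(ops[1])
            regs[ops[0]] = ("load", sym(base), off)
        elif mnem == "mr":
            regs[ops[0]] = sym(ops[1])
        elif mnem == "addi":
            regs[ops[0]] = ("add", sym(ops[1]), int(ops[2]))
    raise ValueError("stop address not on the path")

def render(v):
    """Print a symbolic value the way the thread writes it: [[r3 + 4] + 152]."""
    if v[0] == "reg":
        return v[1]
    inner = f"{render(v[1])} + {v[2]}"
    return f"[{inner}]" if v[0] == "load" else inner

def _value(v, inputs, memory):
    if v[0] == "reg":
        return inputs[v[1]]
    inner = _value(v[1], inputs, memory)
    return memory[inner + v[2]] if v[0] == "load" else inner + v[2]

def address_of(cell, inputs, memory):
    """Concrete address of a ('load', base, off) cell given inputs and memory."""
    return _value(cell[1], inputs, memory) + cell[2]

def store_address_for(r3_in):
    """Resolve the traced chain against a constructed object at r3_in.
    For the quoted path to be the one taken, [r3+12] must be 0 (the beq at
    8031CAE0), [r3+8] must be 0 and [r3+4] non-zero (the tests at 8031D0F0)."""
    memory = {r3_in + 4: 0x811EB0A0, r3_in + 8: 0, r3_in + 12: 0}  # constructed
    cell, _ = trace(parse_listing(EXECUTED_PATH), 0x80353D00)
    return address_of(cell, {"r3": r3_in}, memory)

if __name__ == "__main__":
    cell, value = trace(parse_listing(EXECUTED_PATH), 0x80353D00)
    print("cell written:", render(cell), " value from:", render(value))
    print("resolved:", hex(store_address_for(0x81000000)))
```

The tracer only understands the handful of mnemonics on this path (`lwz`, `lfs`, `mr`, `addi`); anything else, including the branches, is skipped, which is fine because the listing you feed it is already the executed path, not the whole function. Registers it never sees written keep their bare name, which is exactly the "comes from the caller" case dcx2 describes.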

trackme

Awesome! Thank you very much! I think I understand! I always hated ASM (x86). I will try to resolve it, and I will post the conclusions.

Now I only have two doubts:

First, the coordinates I want (X) are written from two functions:

The known one: 80353D00:  D0230098   stfs   f1,152(r3)
and if I set a breakpoint execute on the same address again: 80356A98:  D0A30098   stfs   f5,152(r3).

Both have the same r3, offset, etc. But the top four (5 or more) functions on the call stack list are different. However, it seems it has the same path with offsets.

I don't understand why, but no problem.

About registers... I had to learn about registers because I didn't know that, for example, r3-r10 always come from the caller. I think it's very important information.

If someday you're going to Barcelona, Spain... you know, free beer and food :)

dcx2

This link goes into great detail about how each register is used.

http://wiird.l0nk.org/forum/index.php/topic,6555.0.html

One thing to watch out for when tracing backward is that the callee is not required to protect the volatile registers r3-r10, so they are "lost" after a blr (i.e. after you "come back" from a bl), except for the rare case where a function is pushing/popping registers on/off the stack.  To compensate, there are non-volatile registers r14-r31 which the callee is required to protect, which is why the function prologue pushes any used non-volatile registers onto the stack.  It can then use these registers in its own function to keep values after calling another function.

Here's the function prologue, which is pushing non-volatiles r28-r31 onto the stack.  I'm going to abbreviate using the last 3 digits of the address for this example.

AB4 creates a new stack frame by allocating 1120 bytes on the stack and pushing the old stack pointer onto the stack.  AB8 copies the address of the caller from the lr register into r0; this way when we call bl in this function we don't lose the caller's return address.  ABC puts the return address on the stack.  AC0, AC8, AD0, and AD4 are pushing the non-volatiles onto the stack so that we can use them without losing the caller's values.  AC4 and ACC are caching the input parameters r3 and r4 into r30 and r31, so that when we call bl we won't lose those values.

8031CAB4:  9421FBA0   stwu   r1,-1120(r1)
8031CAB8:  7C0802A6   mflr   r0
8031CABC:  90010464   stw   r0,1124(r1)
8031CAC0:  93E1045C   stw   r31,1116(r1)
8031CAC4:  7C9F2378   mr   r31,r4
8031CAC8:  93C10458   stw   r30,1112(r1)
8031CACC:  7C7E1B78   mr   r30,r3
8031CAD0:  93A10454   stw   r29,1108(r1)
8031CAD4:  93810450   stw   r28,1104(r1)

Also, r3 and r4 can hold "return values" from the callee.

This old tutorial explains more about function prologues and epilogues.  I also manually "walk the stack"; this was before Gecko.NET had a call stack listbox.  http://wiird.l0nk.org/forum/index.php/topic,5080

If you paste the other functions from the old breakpoint into the spoilers, there might be another example of this.

---

The call stack is different because you're at a different place in ASM.  Your old breakpoint hit the stfs @80353D00, but the new breakpoint hit the stfs @80356A98.

You also said "breakpoint execute" but I think you meant breakpoint write.
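Since reading prologues by hand is the skill this post teaches, here is an added example (my own code, not part of the thread and not Gecko.NET's disassembler) that decodes the raw 32-bit words shown in the listings into the same text Gecko.NET prints, and then reads the frame size, LR save slot, saved non-volatiles and cached argument registers straight off a prologue's words. It covers only the instruction forms that appear in this thread (D-form loads/stores, addi/li, cmpwi, b/bl, cr0 conditional branches, mr, mflr, mtlr, blr); the word list for `PROLOGUE_8031CAB4` is copied from the prologue quoted above.

```python
D_FORM = {14: "addi", 32: "lwz", 36: "stw", 37: "stwu",
          48: "lfs", 50: "lfd", 52: "stfs", 54: "stfd"}
FLOAT_OPS = {"lfs", "lfd", "stfs", "stfd"}
# cr0 bit -> (mnemonic for "branch if true", mnemonic for "branch if false")
CR0_COND = {0: ("blt", "bge"), 1: ("bgt", "ble"), 2: ("beq", "bne")}

def _sext(value, bits):
    """Sign-extend the low `bits` bits of value."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)

def decode(pc, word):
    """Return Gecko.NET-style text for the 32-bit instruction word at address pc."""
    opcode = word >> 26
    rt, ra = (word >> 21) & 31, (word >> 16) & 31
    imm = _sext(word & 0xFFFF, 16)
    if opcode in D_FORM:
        name = D_FORM[opcode]
        if name == "addi":
            return f"li r{rt},{imm}" if ra == 0 else f"addi r{rt},r{ra},{imm}"
        reg = f"f{rt}" if name in FLOAT_OPS else f"r{rt}"
        return f"{name} {reg},{imm}(r{ra})"
    if opcode == 11 and rt == 0:                          # cmpi cr0,0,rA,imm
        return f"cmpwi r{ra},{imm}"
    if opcode == 18:                                      # I-form: b / bl, pc-relative
        target = pc + _sext(word & 0x03FFFFFC, 26)
        return f"{'bl' if word & 1 else 'b'} 0x{target:08x}"
    if opcode == 16:                                      # B-form: bc on a cr0 bit
        bo, bi, bd = rt, ra, _sext(word & 0xFFFC, 16)
        name = CR0_COND[bi][0 if bo & 8 else 1]
        taken = (bd < 0) != bool(bo & 1)                  # static hint: backward = taken, y bit flips
        return f"{name}{'+' if taken else '-'} 0x{pc + bd:08x}"
    if opcode == 31:
        xo, rb = (word >> 1) & 0x3FF, (word >> 11) & 31
        if xo == 444 and rt == rb:                        # or rA,rS,rS is printed as mr rA,rS
            return f"mr r{ra},r{rt}"
        spr = (word >> 11) & 0x3FF
        spr = ((spr & 31) << 5) | (spr >> 5)              # the two 5-bit SPR halves are swapped
        if xo == 339 and spr == 8:
            return f"mflr r{rt}"
        if xo == 467 and spr == 8:
            return f"mtlr r{rt}"
    if word == 0x4E800020:
        return "blr"
    return f".long 0x{word:08X}"                          # not a form this demo handles

def summarize_prologue(start_pc, words):
    """Read the frame size, LR save slot, saved non-volatiles (r14-r31) and the
    argument registers (r3-r10) cached into non-volatiles off a prologue."""
    info = {"frame_size": 0, "lr_slot": None, "saved": {}, "cached_args": {}}
    lr_holder = None
    for i, word in enumerate(words):
        op, _, args = decode(start_pc + 4 * i, word).partition(" ")
        a = args.split(",")
        if op == "stwu" and a[0] == "r1":
            info["frame_size"] = -int(a[1][:-4])          # "-1120(r1)" -> 1120
        elif op == "mflr":
            lr_holder = a[0]                              # r0 now holds the return address
        elif op == "stw" and a[1].endswith("(r1)"):
            reg, off = a[0], int(a[1][:-4])
            if reg == lr_holder:
                info["lr_slot"] = off
            elif 14 <= int(reg[1:]) <= 31:
                info["saved"][reg] = off
        elif op == "mr" and a[1] in {f"r{n}" for n in range(3, 11)}:
            info["cached_args"][a[0]] = a[1]
    return info

# Words of the prologue at 8031CAB4 as quoted in the thread (stwu ... stw r28).
PROLOGUE_8031CAB4 = [0x9421FBA0, 0x7C0802A6, 0x90010464, 0x93E1045C, 0x7C9F2378,
                     0x93C10458, 0x7C7E1B78, 0x93A10454, 0x93810450]

if __name__ == "__main__":
    for i, w in enumerate(PROLOGUE_8031CAB4):
        print(f"{0x8031CAB4 + 4 * i:08X}:  {w:08X}   {decode(0x8031CAB4 + 4 * i, w)}")
    print(summarize_prologue(0x8031CAB4, PROLOGUE_8031CAB4))
```

Two things worth noticing when you run it: `bl` targets are relative to the instruction's own address, which is why the same word means a different target at a different pc, and the `+`/`-` suffix is purely the static prediction hint (backward branch assumed taken), so it tells you nothing about which way the branch went when your breakpoint hit.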

trackme

Oh yes, breakpoint write. Sorry for this fail.
Well...
Both store the same value at 0x811EB138.

First write breakpoint with call stack:

80353D00:  D0230098   stfs   f1,152(r3)


80353D00 -> http://pastebin.com/g7FCD1bV
8031D114 -> http://pastebin.com/g83AgYMy
8031D114 -> http://pastebin.com/g83AgYMy
8031A994 -> http://pastebin.com/PLcZGZAR
8014346C -> http://pastebin.com/AiWyBp51
803205DC -> http://pastebin.com/WdcES2TD
8013D578 -> http://pastebin.com/qLyxgs5X
801118C0 -> http://pastebin.com/AGs4XGRi
80111714 -> http://pastebin.com/3FLk3qc7
802B38E0 -> http://pastebin.com/mUMhwvxf
8011CEF0 -> http://pastebin.com/3L2nk87R
80006288 -> http://pastebin.com/zPAFA74q


Second breakpoint:

80356A98:  D0A30098   stfs   f5,152(r3)


80356A98 -> http://pastebin.com/sNtvMS7t
80356464 -> http://pastebin.com/B8VuDtbR (When I click on Copy Function, Gecko.NET says "Could not find, continue?")
80356464 -> http://pastebin.com/B8VuDtbR
80356FD4 -> http://pastebin.com/GxARpVdS
8032063C -> http://pastebin.com/c7zyQy5T
8013D570 -> http://pastebin.com/pKa3NF4N
801118C0 -> http://pastebin.com/AGs4XGRi
80111714 -> http://pastebin.com/3FLk3qc7
802B38E0 -> http://pastebin.com/mUMhwvxf
8011CEF0 -> http://pastebin.com/3L2nk87R
80006288 -> http://pastebin.com/zPAFA74q

dcx2

Okay, working our way back some more...we left off with the function @8031A960.  Its caller is shown here.

801432E8:  9421FFC0   stwu   r1,-64(r1)
801432EC:  7C0802A6   mflr   r0
...
80143300:  7C7F1B78   mr   r31,r3
...
8014344C:  C0410018   lfs   f2,24(r1)
80143450:  7FE3FB78   mr   r3,r31
80143454:  C021001C   lfs   f1,28(r1)
80143458:  3881000C   addi   r4,r1,12
8014345C:  C0029874   lfs   f0,-26508(r2)
80143460:  D041000C   stfs   f2,12(r1)
80143464:  D0210010   stfs   f1,16(r1)
80143468:  D0010014   stfs   f0,20(r1)
8014346C:  481D74F5   bl   0x8031a960

In this function, you see that the input parameter r3 is cached into r31 @300.  Then, after a bunch of stuff, it's copied back from r31 into r3 @450.  Also, you can see that r4 is again derived from the stack.  You can also see that the coordinates are being shuffled around on the stack some more.  Since the pointer we're interested in comes from r3 at the top, we need to walk the stack again.

Unfortunately the next caller, 803205DC:  4806B6C1     bl      0x8038bc9c, is not pointing at the right place... 8038bc9c != 801432E8

I'll take a look at the second breakpoint and see if it's any different.

dcx2

Second breakpoint: 80356A98:  D0A30098     stfs    f5,152(r3)

Again, r3 comes from the caller.

8035522C:  9421FE50   stwu   r1,-432(r1)
80355230:  7C0802A6   mflr   r0
...
803552B8:  7C902378   mr   r16,r4
...
80356450:  7E0E8378   mr   r14,r16
80356454:  39E00000   li   r15,0
80356458:  48000018   b   0x80356470
8035645C:  FC20F090   fmr   f1,f30
80356460:  806E0000   lwz   r3,0(r14)
80356464:  480005D5   bl   0x80356a38
80356468:  39CE0004   addi   r14,r14,4
8035646C:  39EF0001   addi   r15,r15,1
80356470:  7C0F8800   cmpw   r15,r17
80356474:  4180FFE8   blt+   0x8035645c

Here you can see a loop.  r15 is probably the index to the array counting through the actors.  The pointer to the first element in the array of actors is in r16.  r14 holds the pointer to the actor specified in r15.  The number of total actors is in r17; when r15 reaches r17, the loop is over.  Before each bl to 80356A38, the current actor's pointer is loaded from the array being traversed by r14 (remember, r16 points to the first element in the array, while r14 points to the current element).

The pointer to the array is passed in through r4, as shown by @2B8.  So once again, we need to step back.

At this point, though, things get messy.  It looks like the array is allocated and populated in this stack frame.  It's becoming very difficult for me to follow...

80356E40:  38010007   addi   r0,r1,7
80356E44:  6004000F   ori   r4,r0,15
...
80356E54:  3B640001   addi   r27,r4,1
...
80356FB4:  FC20F890   fmr   f1,f31
80356FB8:  7ECCB378   mr   r12,r22
80356FBC:  7EA3AB78   mr   r3,r21
80356FC0:  7F64DB78   mr   r4,r27
80356FC4:  7F25CB78   mr   r5,r25
80356FC8:  7F46D378   mr   r6,r26
80356FCC:  7F07C378   mr   r7,r24
80356FD0:  7D8903A6   mtctr   r12
80356FD4:  4E800421   bctrl   

If I were going to write a C2 hook, I would probably choose 80356460 as my hook address.  It has easy access to the actor pointers via r14 and the index via r15.  The index for player 1 is probably 0, so you could use that to figure out when you're operating on your character.

dcx2

Holy cow, that messy function at 80356DEC takes the cake for weirdest function I've ever seen.  The first thing I noticed is this epilogue.  This is by far the strangest epilogue I've seen in all my time of hacking Wii games.

80357204:  7FEAFB78   mr   r10,r31
80357208:  CBFF0038   lfd   f31,56(r31)
8035720C:  BAAA000C   lmw   r21,12(r10)
80357210:  81410000   lwz   r10,0(r1)
80357214:  800A0004   lwz   r0,4(r10)
80357218:  7D415378   mr   r1,r10
8035721C:  7C0803A6   mtlr   r0
80357220:  4E800020   blr

Then I went back and took a closer look and I saw a few of these...

80356E38:  7C01196E   stwux   r0,r1,r3
...
80356E60:  7C01196E   stwux   r0,r1,r3
...
80356ED0:  7C01196E   stwux   r0,r1,r3

I didn't see those at first.  But now all the addi 7, ori 0xF, addi 1 stuff makes more sense...it's ensuring proper alignment for the creation of new stack frames!  (stack frames have double-word = 64-bit alignment requirements, which explains the weird operations performed on the stack pointer)  stwux is updating r1 for each new stack frame.  That's why I was having trouble following...

---

Have you ever made a C2 code before?  Do you have PyiiASMH or ASMWiiRD?
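The epilogue quoted above (`lwz r10,0(r1)` / `lwz r0,4(r10)` / `mr r1,r10` / `mtlr r0`) is the whole mechanism behind "walking the stack", so here is an added example (my own code, not from the thread) that does it over a constructed memory image. It replays the stack effect of the four prologues quoted in this thread (frame sizes 64, 32, 1120 and 16 from their `stwu` instructions, return addresses from the `bl` sites in the call stack list), then follows the back chain outward the way Gecko.NET's call stack list does. The stack addresses themselves are made up; the code addresses are the ones posted above, and the caller of 801432E8 is left as "not established", which is where the thread's trace currently stops.

```python
def push_frame(mem, sp, size, lr):
    """Replay a prologue's stack effect: `stwu r1,-size(r1)` stores the old r1
    at 0(new r1) (the back chain) and `stw r0,size+4(r1)` stores the saved LR
    at 4(old r1). Returns the new r1."""
    new_sp = sp - size
    mem[new_sp] = sp
    mem[sp + 4] = lr
    return new_sp

def pop_frame(mem, sp):
    """The quoted epilogue step: lwz r10,0(r1); lwz r0,4(r10).
    Returns (caller's r1, return address); 0 for either means nothing recorded."""
    caller_sp = mem.get(sp, 0)
    return caller_sp, (mem.get(caller_sp + 4, 0) if caller_sp else 0)

def walk_stack(mem, sp, max_frames=32):
    """Follow the back chain outward and return the bl addresses (return
    address minus 4), innermost first, as the call stack list shows them."""
    sites = []
    for _ in range(max_frames):
        sp, ret = pop_frame(mem, sp)
        if not sp or not ret:          # back chain of 0 or no saved LR: outermost frame
            break
        sites.append(ret - 4)
    return sites

# (function entry, frame size from its stwu, address of the bl into the next function)
FRAMES = [
    (0x801432E8, 64, 0x8014346C),
    (0x8031A960, 32, 0x8031A994),
    (0x8031CAB4, 1120, 0x8031D114),
    (0x80353CF0, 16, None),            # innermost: stopped at the stfs @80353D00
]

def build_image(top_sp=0x80400000):
    """Constructed memory: the four quoted frames pushed in call order.
    top_sp is made up; an LR of 0 for the outermost frame stands for
    'caller not established in the thread'."""
    mem = {top_sp: 0}
    sp, lr = top_sp, 0
    for _entry, size, call_site in FRAMES:
        sp = push_frame(mem, sp, size, lr)
        lr = call_site + 4 if call_site else 0
    return mem, sp                     # sp is r1 as it would be at the breakpoint

if __name__ == "__main__":
    mem, sp = build_image()
    print("r1 at breakpoint:", hex(sp))
    for site in walk_stack(mem, sp):
        print(f"  called from {site:08X}")
```

The useful check is that the innermost frame's saved LR sits at `r1 + 20`, which is precisely the `stw r0,20(r1)` you see at 80353CF8: a 16-byte frame puts 4(old r1) at 20(new r1). If the chain ever produces a back-chain word that is not above the current r1, or a return address outside the game's text region, you are not looking at a real frame, which is the same sanity test you apply when a call stack entry "is not pointing at the right place".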

trackme

Thanks... Yes, I made a few codes with the C2 codetype. I will try to do that.

Lol, with Mario Strikers. If you have trouble following... I... maybe I'll still be searching for the pointer at the end of 2011 xD.

:)