Button Activator Breakpoint

Started by Nutmeg, May 08, 2011, 11:30:01 PM


Nutmeg

lis r12, 0x809C
lwz r12, 0x2678(r12)
lis r14, 0x8000
cmpw r12, r14
blt- END              #This should branch during the first time the breakpoint hits
lis r15, 0x8180
cmpw r12, r15
bgt- END
lwz r15, 0x10C(r12)
cmpwi r15, 1
beq- END
lwz r15, 0x14(r12)
cmpw r15, r14
bgt- END
lis r14, 0x8000
cmpw r15, r14
blt- END
lwz r14, 0x1504(r14)
add r15, r15, r14
li r14, 0x7
stw r14, 0x8C(r15)
li r14,0x1
stw r14, 0x90(r15)
li r15, 0
add r0,r0,r14
li r14,0
stw r14, 0x10C(r12)

END:
stw r0,0(r31)  #Original Instruction

I am trying to run this ASM.  The address is a read breakpoint on a button activator that allows the hacker to poke buttons.  As soon as the game launches, it freezes at the screen that is universal for all games. ("Please secure wrist strap of Wii Remote" with white background)  I assume that is the first time the breakpoint hits, and the game crashes.

Please Note:  This code is mostly made of pointers.  The game uses the same pointer for various codes, so don't try to understand the italicized (spelling :p) code.  It's pretty confusing.

Help is appreciated.   :smileyface:
I'm inbetween your legs... that's not awkward.

dcx2

Looks like it needs a stack frame.

Nutmeg

You've helped me before in a similar situation and you told me how to make a stack frame.  Does it work like this in every scenario?

stwu r1,-80(r1)         # make space for 18 registers
stmw r14,8(r1)         # push r14-r31 onto the stack
....code here....
lmw r14,8(r1)         # pop r14-r31 off the stack
addi r1,r1,80         # release the space

I'm going to go read some more on stmw and lmw.  I think that's where I don't understand what is going on.


dcx2

Yes.  It's the same every time.

stmw = Store Multiple Words.  stmw rX will take every register from rX up to r31 and store it to the memory specified (in this case, 8(r1), which is on the stack)

Nutmeg

So this time I want to use stmw r12,8(r1) ?

followed by lmw r12,8(r1) ?

dcx2

No, you never have to store r12.  r12 is pretty much always safe.  r14 is as low as you have to go.

Using stmw r14 and then lmw r14 when you're done, you have 18 registers to use, r14 all the way up to r31.

EDIT:

I looked a little closer at your code.  You should use bgt- instead of bge-.  What if the pointer is 81800000?  Your code will fail.

Also, your logic from this part on is bad.

cmpw r15, r14
bgt- END

At that point, r15 has the pointer you loaded, but r14 still has 0x80000000 in it.  So valid pointer values will instead branch to the end.

Nutmeg

Okay.  That did the trick.  And now, I have to fix the rest of my code. xD

Oh wow, you found the errors before I did. :p

Nutmeg

Case Re-opened. lol :p

So, my ASM in the middle wasn't quite right before, so I changed some stuff around and I am getting the same freeze as before:

Here is what works:
lbz r12, 0x3(r31)
cmpwi r12, 0x8  #Check to See if Ctrl Pad is pressed
ble- END

stwu r1,-80(r1)
stmw r14,8(r1)

lis r14, 0x809C
lwz r14, 0x2678(r14)
lis r15, 0x8000
cmpw r14, r15
blt- END
lis r16, 0x8180
cmpw r14, r16
bge- END
lwz r19, 0x10C(r14)
cmpwi r19, 0
bne- END
lwz r17, 0x14(r14)
cmpw r17, r15
blt- END
cmpw r17, r16
bge- END
li r18, 0x7
stw r18, 0x8C(r17)
li r18, 0x1
stw r18, 0x90(r17)
li r18, 0
stw r18, 0x10C(r14)
lmw r14,8(r1)
addi r1,r1,80

li r0, 0x1
END:
stw r0,0(r31)

Here is what does not work.  The change is very minor... I don't know why this doesn't work, but the previous one does.

lbz r12, 0x3(r31)
cmpwi r12, 0x1  #check to see if 'down' is pressed
beq- END
stwu r1,-80(r1)
stmw r14,8(r1)

lis r14, 0x809C
lwz r14, 0x2678(r14)
lis r15, 0x8000
cmpw r14, r15
blt- END
lis r16, 0x8180
cmpw r14, r16
bge- END
lwz r19, 0x10C(r14)
cmpwi r19, 0
bne- END
lwz r17, 0x14(r14)
cmpw r17, r15
blt- END
cmpw r17, r16
bge- END
li r18, 0x7
stw r18, 0x8C(r17)
li r18, 0x1
stw r18, 0x90(r17)
li r18, 0
stw r18, 0x10C(r14)
lmw r14,8(r1)
addi r1,r1,80

li r0, 0x1
END:
stw r0,0(r31)

dcx2

You didn't follow the template.

The only thing allowed outside the stack frame is the original instruction.  Everything else must be wrapped in the "stwu/stmw" and "lmw/addi".

The reason you crashed is that you would create a stack frame once your first compare was true.  But the only time that frame is released is when you make it all the way through your code.  If any other compare wasn't true, you would branch right past the lmw/addi, so the stack frame you created was never released, and it FUBARed the game.
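Added example, not code from the thread (neither dcx2's nor Nutmeg's): a small Python checker for the rule dcx2 states above, that nothing inside the stwu/stmw ... lmw/addi frame may branch to a label past the addi, plus the arithmetic behind the "-80 / 18 registers" template (stmw rN,8(r1) needs 8 + 4*(32-N) bytes). BROKEN is condensed from the "does not work" post with the register use simplified; FIXED is the same logic restructured to the template, which is my restructuring and not a snippet from the thread: the button check moves inside the frame, a local DONE label sits just before lmw/addi so every early exit still releases the frame, and li r0,1 moves inside the frame on the full path (r0 is outside r14-r31, so lmw leaves it alone).

```python
"""Frame-balance check for Gecko-style PowerPC ASM: inside a stwu/stmw ... lmw/addi
frame every branch must land on a label still inside the frame, or the frame is never
released. Added example, not from the thread; BROKEN/FIXED are condensed from the posts."""
import re

STWU = re.compile(r"^stwu\s+r1\s*,\s*-(\d+)\s*\(r1\)$")
ADDI = re.compile(r"^addi\s+r1\s*,\s*r1\s*,\s*(\d+)$")
STMW = re.compile(r"^stmw\s+r(\d+)\s*,\s*(\d+)\(r1\)$")
BRANCH = re.compile(r"^b[a-z]*[+-]?\s+([A-Za-z_]\w*)$")   # beq- END, b DONE, ...

def parse(asm):
    """[(lineno, label or None, instruction or None)], comments stripped."""
    out = []
    for n, raw in enumerate(asm.splitlines(), 1):
        text = raw.split("#", 1)[0].strip()
        if text.endswith(":"):
            out.append((n, text[:-1], None))
        elif text:
            out.append((n, None, text))
    return out

def frame_fits(size, reg, offset):
    """stmw rN,off(r1) writes 4*(32-N) bytes from off; they must fit in the frame.
    Offset 8 keeps 0(r1) (back chain) and 4(r1) (LR save slot) untouched."""
    return offset + 4 * (32 - reg) <= size

def check(asm):
    """Findings as strings; an empty list means the frame discipline is sound."""
    ins = parse(asm)
    labels = {lab: i for i, (_, lab, _) in enumerate(ins) if lab}
    findings, i = [], 0
    while i < len(ins):
        n, _, text = ins[i]
        m = STWU.match(text or "")
        if not m:
            i += 1
            continue
        size = int(m.group(1))
        end = next((j for j, (_, _, t) in enumerate(ins) if j > i and t
                    and ADDI.match(t) and ADDI.match(t).group(1) == str(size)), None)
        if end is None:
            findings.append(f"line {n}: stwu r1,-{size}(r1) is never released by addi r1,r1,{size}")
            i += 1
            continue
        for ln, _, t in ins[i + 1:end]:
            sm, bm = (STMW.match(t), BRANCH.match(t)) if t else (None, None)
            if sm and not frame_fits(size, int(sm.group(1)), int(sm.group(2))):
                findings.append(f"line {ln}: '{t}' does not fit in a {size}-byte frame")
            if bm and t.split()[0] != "bl":   # bl returns, so it does not escape
                k = labels.get(bm.group(1))
                if k is None or not (i < k < end):
                    findings.append(f"line {ln}: '{t}' branches out of the frame before "
                                    f"line {ins[end][0]} releases it")
        i = end + 1
    return findings

BROKEN = """\
lbz r12, 0x3(r31)
cmpwi r12, 0x1        # 'down' pressed?
beq- END              # before stwu: no frame yet, fine
stwu r1,-80(r1)
stmw r14,8(r1)
lis r14, 0x809C
lwz r14, 0x2678(r14)
lis r15, 0x8000
cmpw r14, r15
blt- END              # skips lmw/addi: frame never released
lwz r17, 0x14(r14)
li r18, 0x7
stw r18, 0x8C(r17)
lmw r14,8(r1)
addi r1,r1,80
li r0, 0x1
END:
stw r0,0(r31)
"""

FIXED = """\
stwu r1,-80(r1)
stmw r14,8(r1)
lbz r14, 0x3(r31)
cmpwi r14, 0x1
beq- DONE
lis r14, 0x809C
lwz r14, 0x2678(r14)
lis r15, 0x8000
cmpw r14, r15
blt- DONE
lwz r17, 0x14(r14)
li r18, 0x7
stw r18, 0x8C(r17)
li r0, 0x1            # r0 is not in r14-r31, so lmw does not clobber it
DONE:
lmw r14,8(r1)
addi r1,r1,80
END:
stw r0,0(r31)
"""

if __name__ == "__main__":
    print(check(BROKEN), check(FIXED))
```

Run it and check(BROKEN) reports the blt- END that leaves the frame allocated, while check(FIXED) returns nothing. It understands only stwu r1,-N(r1) paired with addi r1,r1,N (not a release via lwz r1,0(r1)), treats bl as a call that returns, and knows nothing about the game's pointers, so a clean result means the frame is balanced, not that the code does what you want.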

Nutmeg

thanks!  Worked.  Good information (as usual). :p