Hacking We Dare

Started by WiiPower, June 02, 2011, 06:26:49 PM

Previous topic - Next topic

WiiPower

If this is the wrong section, please move it.

We Dare uses some copy protection that should prevent Gecko OS from loading the game. Apparently the game looks for the byte pattern:
3C608000 606318A8 7C6903A6
and it doesn't find it when it looks like this:
3C608000 606318A8 60000000 7C6903A6

This can be "fixed" by replacing:
__asm__(
"lis %r3, appentrypoint@h\n"
"ori %r3, %r3, appentrypoint@l\n"
"lwz %r3, 0(%r3)\n"
"mtlr %r3\n"
"lis %r3, 0x8000\n"
"ori %r3, %r3, 0x18A8\n"
"mtctr %r3\n"
"bctr\n"
);

with:
__asm__(
"lis %r3, appentrypoint@h\n"
"ori %r3, %r3, appentrypoint@l\n"
"lwz %r3, 0(%r3)\n"
"mtlr %r3\n"
"lis %r3, 0x8000\n"
"ori %r3, %r3, 0x18A8\n"
"nop\n"
"mtctr %r3\n"
"bctr\n"
);


In the source code of Gecko OS, and the same for the rebooter/channel boot code.

I'm just posting this in case somebody is interested in hacking the game to hell, but couldn't get it to work with Gecko OS.

dcx2

Wow.  Thanks for the tip.  I'll never understand publishers that try to put cheat protection into single player games...

Let me see if I understand this.

Gecko OS loads the dol into MEM1 and then hands control over to the game.  While running, the game actually scans its own assembly, looking for the code handler's signature.  If it finds the signature...it hangs?

It sounds like their protection can be beaten without even inserting a nop.  Just replace ori with addi.

Alternatively, use a register other than r3.
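To make the mechanism discussed above concrete, here is an added example (not code from the thread, from Gecko OS, or from the game) that reproduces the exact-byte-pattern check in C: it encodes the three instructions of the quoted signature with small PowerPC encoder helpers, builds a few constructed code buffers (the original stub, the nop variant, the addi variant and the r4 variant), and runs a word-aligned exact-match scan over each. The encoder names, `find_signature`, `build_stub`, `variant_detected` and the filler words around the stub are my own; the scan compares host-order words, which is a simplification of scanning big-endian memory on the console.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PowerPC instruction encoders (32-bit words). Only the few forms needed
   to reproduce the sequence quoted in the thread; assumed helper names. */
static uint32_t ppc_addis(unsigned rd, unsigned ra, uint16_t imm) {
    return (15u << 26) | (rd << 21) | (ra << 16) | imm;   /* lis rd,imm == addis rd,0,imm */
}
static uint32_t ppc_addi(unsigned rd, unsigned ra, uint16_t imm) {
    return (14u << 26) | (rd << 21) | (ra << 16) | imm;
}
static uint32_t ppc_ori(unsigned ra, unsigned rs, uint16_t imm) {
    return (24u << 26) | (rs << 21) | (ra << 16) | imm;   /* nop == ori 0,0,0 */
}
static uint32_t ppc_mtctr(unsigned rs) {
    /* mtspr 9,rs: the SPR number is split, low 5 bits in bits 16..20, high bits in 11..15 */
    unsigned spr = 9;
    return (31u << 26) | (rs << 21) | ((spr & 0x1fu) << 16) | ((spr >> 5) << 11) | (467u << 1);
}

/* Word-aligned exact-match scan, the kind of check the thread describes.
   Returns the word index of the first match, or -1 if the pattern is absent. */
static long find_signature(const uint32_t *code, size_t nwords,
                           const uint32_t *sig, size_t siglen) {
    if (siglen == 0 || nwords < siglen) return -1;
    for (size_t i = 0; i + siglen <= nwords; i++) {
        if (memcmp(&code[i], sig, siglen * sizeof(uint32_t)) == 0) return (long)i;
    }
    return -1;
}

/* Signature quoted in the thread: lis r3,0x8000 / ori r3,r3,0x18A8 / mtctr r3 */
static const uint32_t kSignature[3] = { 0x3C608000u, 0x606318A8u, 0x7C6903A6u };

/* Constructed code buffer: a little filler, then one variant of the jump stub. */
static size_t build_stub(uint32_t *out, int variant) {
    size_t n = 0;
    out[n++] = ppc_ori(0, 0, 0);        /* nop filler */
    out[n++] = 0x7C0802A6u;             /* mflr r0, filler word taken from the listing */
    switch (variant) {
    case 0:  /* original Gecko OS stub */
        out[n++] = ppc_addis(3, 0, 0x8000);
        out[n++] = ppc_ori(3, 3, 0x18A8);
        out[n++] = ppc_mtctr(3);
        break;
    case 1:  /* WiiPower's change: a nop between ori and mtctr */
        out[n++] = ppc_addis(3, 0, 0x8000);
        out[n++] = ppc_ori(3, 3, 0x18A8);
        out[n++] = ppc_ori(0, 0, 0);
        out[n++] = ppc_mtctr(3);
        break;
    case 2:  /* dcx2's alternative: addi instead of ori (same value, different opcode) */
        out[n++] = ppc_addis(3, 0, 0x8000);
        out[n++] = ppc_addi(3, 3, 0x18A8);
        out[n++] = ppc_mtctr(3);
        break;
    default: /* dcx2's other alternative: r4 instead of r3 */
        out[n++] = ppc_addis(4, 0, 0x8000);
        out[n++] = ppc_ori(4, 4, 0x18A8);
        out[n++] = ppc_mtctr(4);
        break;
    }
    out[n++] = 0x4E800420u;             /* bctr */
    return n;
}

/* 1 if the exact-match check would find the signature in this variant, else 0. */
int variant_detected(int variant) {
    uint32_t buf[8];
    size_t n = build_stub(buf, variant);
    return find_signature(buf, n, kSignature, 3) >= 0;
}

int main(void) {
    const char *names[] = { "original", "nop inserted", "ori->addi", "r3->r4" };
    for (int v = 0; v < 4; v++)
        printf("%-13s detected=%d\n", names[v], variant_detected(v));
    return 0;
}
```

The point for anyone writing such a check rather than defeating one: an exact byte signature of a three-instruction sequence is tied to one register choice, one opcode choice and one instruction spacing, so any of the three equivalent rewrites in the thread produces a buffer the scan no longer recognizes. A check that wanted to be robust would have to reason about what the code does (a register loaded with 0x800018A8 and then moved to CTR), not about which bytes encode it.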

giantpune

When is the game freezing for you before you do this change? I'm starting the game using an unmodified Gecko OS and it shows the strap screen and one of the opening movies. Then it crashes right at the end of the movie. It looks like the game is trying to access some memory which doesn't exist and dies (NULL + 0x188).

Nuke

I'll patch out this check in the next update.
0xFFFFFFuuuuuuu

WiiPower

It would be nice if somebody could confirm this. Can't an Ocarina code memset the code in question right before the game starts? If I understand correctly, the code handler is executed one time before the game is actually started.

This was only tested on PAL or NTSC, and I don't even know which. Also, the game might have a protection against being patched at all, like Prince of Persia did. I'm sorry I didn't mention this before, I was just so happy when this solution was found. If I had the game myself, I could add some proper information.

dcx2

IIRC, this game won't be released in the states...I think it's PAL only.  pune's copy is PAL (SLVP41)

pune, can you go to the disassembler to the line where it crashes and right-click;Copy Function?  I would like to see where r3 comes from.  The LR tells me that it just recently came back from a bl, but I don't know if the r3 came from that bl or not.

If we're lucky, it's a bl to "Screw_With_Hackers()", and returns 0 to hang the Wii if it detects the code handler, or a pointer if no code handler is found.

OT: I was unaware Prince of Persia had hack protection.  The only such games I know about are the Metroid: Other M, Toy Story 3, and Conduit 2.  What did they do?

WiiPower

As far as I know Prince of Persia checks its own main.dol for modifications, not looking for the code handler like some GameCube games do.

Well it's only checking the data or code section(s) of the .dol, there's a patch to get rid of its 2nd protection and it doesn't trigger the 1st.

giantpune

This is the function that crashes:
[spoiler]

800C9624:  9421FF50 stwu r1,-176(r1)
800C9628:  7C0802A6 mflr r0
800C962C:  900100B4 stw r0,180(r1)
800C9630:  396100B0 addi r11,r1,176
800C9634:  48348299 bl 0x804118cc
800C9638:  7C7F1B78 mr r31,r3
800C963C:  38800000 li r4,0
800C9640:  880301DD lbz r0,477(r3)
800C9644:  50803E30 rlwimi r0,r4,7,24,24
800C9648:  980301DD stb r0,477(r3)
800C964C:  5400063E rlwinm r0,r0,0,24,31
800C9650:  5404F7FE rlwinm r4,r0,30,31,31
800C9654:  5400FFFE rlwinm r0,r0,31,31,31
800C9658:  7C840040 cmplw cr1,r4,r0
800C965C:  41860008 beq- cr1,0x800c9664
800C9660:  48004241 bl 0x800cd8a0
800C9664:  838D9930 lwz r28,-26320(r13)
800C9668:  7FE3FB78 mr r3,r31
800C966C:  48001985 bl 0x800caff0
800C9670:  7C651B78 mr r5,r3
800C9674:  38610030 addi r3,r1,48
800C9678:  7F84E378 mr r4,r28
800C967C:  481C09E1 bl 0x8028a05c
800C9680:  3BA10030 addi r29,r1,48
800C9684:  3B9F0038 addi r28,r31,56
800C9688:  3BC10010 addi r30,r1,16
800C968C:  7FC3F378 mr r3,r30
800C9690:  7FA4EB78 mr r4,r29
800C9694:  4BFECCCD bl 0x800b6360
800C9698:  387E0004 addi r3,r30,4
800C969C:  389D0004 addi r4,r29,4
800C96A0:  4BFECCC1 bl 0x800b6360
800C96A4:  7FC3F378 mr r3,r30
800C96A8:  483519C9 bl 0x8041b070
800C96AC:  80010014 lwz r0,20(r1)
800C96B0:  7C600028 lwarx r3,r0,r0
800C96B4:  38630001 addi r3,r3,1
800C96B8:  7C60012D stwcx. r3,r0,r0
800C96BC:  40A2FFF4 bne- 0x800c96b0
800C96C0:  38610014 addi r3,r1,20
800C96C4:  389C0004 addi r4,r28,4
800C96C8:  48005311 bl 0x800ce9d8
800C96CC:  38610010 addi r3,r1,16
800C96D0:  7F84E378 mr r4,r28
800C96D4:  48005305 bl 0x800ce9d8
800C96D8:  3BA10010 addi r29,r1,16
800C96DC:  2C9D0000 cmpwi cr1,r29,0
800C96E0:  41860034 beq- cr1,0x800c9714
800C96E4:  7FA3EB78 mr r3,r29
800C96E8:  48351989 bl 0x8041b070
800C96EC:  7C641B78 mr r4,r3
800C96F0:  387D0004 addi r3,r29,4
800C96F4:  4BFC89F9 bl 0x800920ec
800C96F8:  2C830000 cmpwi cr1,r3,0
800C96FC:  4186000C beq- cr1,0x800c9708
800C9700:  7FA3EB78 mr r3,r29
800C9704:  4BFC8285 bl 0x80091988
800C9708:  7FA3EB78 mr r3,r29
800C970C:  38800000 li r4,0
800C9710:  4BF3D7CD bl 0x80006edc
800C9714:  3B810030 addi r28,r1,48
800C9718:  2C9C0000 cmpwi cr1,r28,0
800C971C:  41860038 beq- cr1,0x800c9754
800C9720:  41860034 beq- cr1,0x800c9754
800C9724:  7F83E378 mr r3,r28
800C9728:  48351949 bl 0x8041b070
800C972C:  7C641B78 mr r4,r3
800C9730:  387C0004 addi r3,r28,4
800C9734:  4BFC89B9 bl 0x800920ec
800C9738:  2C830000 cmpwi cr1,r3,0
800C973C:  4186000C beq- cr1,0x800c9748
800C9740:  7F83E378 mr r3,r28
800C9744:  4BFC8245 bl 0x80091988
800C9748:  7F83E378 mr r3,r28
800C974C:  38800000 li r4,0
800C9750:  4BF3D78D bl 0x80006edc
800C9754:  387F0038 addi r3,r31,56
800C9758:  4BFEE9D9 bl 0x800b8130
800C975C:  7C0300D0 neg r0,r3
800C9760:  7C001B78 or r0,r0,r3
800C9764:  54000FFE rlwinm r0,r0,1,31,31
800C9768:  2C800000 cmpwi cr1,r0,0
800C976C:  418604F8 beq- cr1,0x800c9c64
800C9770:  881F01DD lbz r0,477(r31)
800C9774:  5400F7FE rlwinm r0,r0,30,31,31
800C9778:  2C800000 cmpwi cr1,r0,0
800C977C:  41860034 beq- cr1,0x800c97b0
800C9780:  387F0038 addi r3,r31,56
800C9784:  4BFEE9C9 bl 0x800b814c
800C9788:  81830000 lwz r12,0(r3)
800C978C:  818C00E4 lwz r12,228(r12)
800C9790:  7D8903A6 mtctr r12
800C9794:  4E800421 bctrl
800C9798:  88030021 lbz r0,33(r3)
800C979C:  2C800000 cmpwi cr1,r0,0
800C97A0:  41860010 beq- cr1,0x800c97b0
800C97A4:  7FE3FB78 mr r3,r31
800C97A8:  38800000 li r4,0
800C97AC:  480040F5 bl 0x800cd8a0
800C97B0:  7FE3FB78 mr r3,r31
800C97B4:  4800392D bl 0x800cd0e0
800C97B8:  806D927C lwz r3,-28036(r13)
800C97BC:  88037484 lbz r0,29828(r3)
800C97C0:  5400CFFE rlwinm r0,r0,25,31,31
800C97C4:  2C800000 cmpwi cr1,r0,0
800C97C8:  4086009C bne- cr1,0x800c9864
800C97CC:  7FE3FB78 mr r3,r31
800C97D0:  48003591 bl 0x800ccd60
800C97D4:  2C830000 cmpwi cr1,r3,0
800C97D8:  4186008C beq- cr1,0x800c9864
800C97DC:  801F01CC lwz r0,460(r31)
800C97E0:  2880003C cmplwi cr1,r0,60
800C97E4:  40850080 ble- cr1,0x800c9864
800C97E8:  7FE3FB78 mr r3,r31
800C97EC:  48001805 bl 0x800caff0
800C97F0:  7C7D1B78 mr r29,r3
800C97F4:  7FE3FB78 mr r3,r31
800C97F8:  48003569 bl 0x800ccd60
800C97FC:  7FA4EB78 mr r4,r29
800C9800:  38A00001 li r5,1
800C9804:  4800CC1D bl 0x800d6420
800C9808:  C01F0118 lfs f0,280(r31)
800C980C:  3B810074 addi r28,r1,116
800C9810:  D0010074 stfs f0,116(r1)
800C9814:  C01F011C lfs f0,284(r31)
800C9818:  D0010078 stfs f0,120(r1)
800C981C:  C01F0120 lfs f0,288(r31)
800C9820:  D001007C stfs f0,124(r1)
800C9824:  C01F010C lfs f0,268(r31)
800C9828:  3BC10080 addi r30,r1,128
800C982C:  D0010080 stfs f0,128(r1)
800C9830:  C01F0110 lfs f0,272(r31)
800C9834:  D0010084 stfs f0,132(r1)
800C9838:  C01F0114 lfs f0,276(r31)
800C983C:  D0010088 stfs f0,136(r1)
800C9840:  7FE3FB78 mr r3,r31
800C9844:  480017AD bl 0x800caff0
800C9848:  7C7D1B78 mr r29,r3
800C984C:  7FE3FB78 mr r3,r31
800C9850:  48003511 bl 0x800ccd60
800C9854:  7FA4EB78 mr r4,r29
800C9858:  7FC5F378 mr r5,r30
800C985C:  7F86E378 mr r6,r28
800C9860:  4800D369 bl 0x800d6bc8
800C9864:  38600000 li r3,0
800C9868:  881F01DD lbz r0,477(r31)
800C986C:  506026F6 rlwimi r0,r3,4,27,27
800C9870:  981F01DD stb r0,477(r31)
800C9874:  387F0038 addi r3,r31,56
800C9878:  4BFEE8B9 bl 0x800b8130
800C987C:  7C0300D0 neg r0,r3
800C9880:  7C001B78 or r0,r0,r3
800C9884:  54000FFE rlwinm r0,r0,1,31,31
800C9888:  2C800000 cmpwi cr1,r0,0
800C988C:  41860024 beq- cr1,0x800c98b0
800C9890:  387F0038 addi r3,r31,56
800C9894:  4BFEE8B9 bl 0x800b814c
800C9898:  38800000 li r4,0
800C989C:  81830000 lwz r12,0(r3)
800C98A0:  818C0104 lwz r12,260(r12)
800C98A4:  7D8903A6 mtctr r12
800C98A8:  4E800421 bctrl
800C98AC:  48000058 b 0x800c9904
800C98B0:  880D9100 lbz r0,-28416(r13)
800C98B4:  7C000774 extsb r0,r0
800C98B8:  2C800000 cmpwi cr1,r0,0
800C98BC:  40860024 bne- cr1,0x800c98e0
800C98C0:  3C608073 lis r3,-32653
800C98C4:  3863F800 subi r3,r3,2048
800C98C8:  C0028180 lfs f0,-32384(r2)
800C98CC:  D0030000 stfs f0,0(r3)
800C98D0:  D0030004 stfs f0,4(r3)
800C98D4:  D0030008 stfs f0,8(r3)
800C98D8:  38000001 li r0,1
800C98DC:  980D9100 stb r0,-28416(r13)
800C98E0:  3C608073 lis r3,-32653
800C98E4:  3883F800 subi r4,r3,2048
800C98E8:  C0040000 lfs f0,0(r4)
800C98EC:  38610050 addi r3,r1,80
800C98F0:  D0010050 stfs f0,80(r1)
800C98F4:  C0040004 lfs f0,4(r4)
800C98F8:  D0010054 stfs f0,84(r1)
800C98FC:  C0040008 lfs f0,8(r4)
800C9900:  D0010058 stfs f0,88(r1)
800C9904:  3B810068 addi r28,r1,104
800C9908:  C0030000 lfs f0,0(r3)
800C990C:  D0010068 stfs f0,104(r1)
800C9910:  C0030004 lfs f0,4(r3)
800C9914:  D001006C stfs f0,108(r1)
800C9918:  C0030008 lfs f0,8(r3)
800C991C:  D0010070 stfs f0,112(r1)
800C9920:  387F0038 addi r3,r31,56
800C9924:  4BFEE80D bl 0x800b8130
800C9928:  7C0300D0 neg r0,r3
800C992C:  7C001B78 or r0,r0,r3
800C9930:  54000FFE rlwinm r0,r0,1,31,31
800C9934:  2C800000 cmpwi cr1,r0,0
800C9938:  41860030 beq- cr1,0x800c9968
800C993C:  387F0038 addi r3,r31,56
800C9940:  4BFEE80D bl 0x800b814c
800C9944:  7C641B78 mr r4,r3
800C9948:  38610038 addi r3,r1,56
800C994C:  38A00000 li r5,0
800C9950:  81840000 lwz r12,0(r4)
800C9954:  818C01AC lwz r12,428(r12)
800C9958:  7D8903A6 mtctr r12
800C995C:  4E800421 bctrl
800C9960:  38810038 addi r4,r1,56
800C9964:  48000058 b 0x800c99bc
800C9968:  880D9100 lbz r0,-28416(r13)
800C996C:  7C000774 extsb r0,r0
800C9970:  2C800000 cmpwi cr1,r0,0
800C9974:  40860024 bne- cr1,0x800c9998
800C9978:  3C608073 lis r3,-32653
800C997C:  3863F800 subi r3,r3,2048
800C9980:  C0028180 lfs f0,-32384(r2)
800C9984:  D0030000 stfs f0,0(r3)
800C9988:  D0030004 stfs f0,4(r3)
800C998C:  D0030008 stfs f0,8(r3)
800C9990:  38000001 li r0,1
800C9994:  980D9100 stb r0,-28416(r13)
800C9998:  3C608073 lis r3,-32653
800C999C:  3863F800 subi r3,r3,2048
800C99A0:  C0030000 lfs f0,0(r3)
800C99A4:  38810044 addi r4,r1,68
800C99A8:  D0010044 stfs f0,68(r1)
800C99AC:  C0030004 lfs f0,4(r3)
800C99B0:  D0010048 stfs f0,72(r1)
800C99B4:  C0030008 lfs f0,8(r3)
800C99B8:  D001004C stfs f0,76(r1)
800C99BC:  38A1005C addi r5,r1,92
800C99C0:  C0040000 lfs f0,0(r4)
800C99C4:  D001005C stfs f0,92(r1)
800C99C8:  C0040004 lfs f0,4(r4)
800C99CC:  D0010060 stfs f0,96(r1)
800C99D0:  C0040008 lfs f0,8(r4)
800C99D4:  D0010064 stfs f0,100(r1)
800C99D8:  7FE3FB78 mr r3,r31
800C99DC:  7F84E378 mr r4,r28
800C99E0:  48001381 bl 0x800cad60
800C99E4:  7FE3FB78 mr r3,r31
800C99E8:  4800169D bl 0x800cb084
800C99EC:  7FE3FB78 mr r3,r31
800C99F0:  48001B29 bl 0x800cb518
800C99F4:  807F01CC lwz r3,460(r31)
800C99F8:  2C830000 cmpwi cr1,r3,0
800C99FC:  40860150 bne- cr1,0x800c9b4c
800C9A00:  38030001 addi r0,r3,1
800C9A04:  901F01CC stw r0,460(r31)
800C9A08:  387F0038 addi r3,r31,56
800C9A0C:  4BFEE741 bl 0x800b814c
800C9A10:  81830000 lwz r12,0(r3)
800C9A14:  818C00E4 lwz r12,228(r12)
800C9A18:  7D8903A6 mtctr r12
800C9A1C:  4E800421 bctrl
800C9A20:  88030021 lbz r0,33(r3)
800C9A24:  2C800000 cmpwi cr1,r0,0
800C9A28:  41860018 beq- cr1,0x800c9a40
800C9A2C:  38600001 li r3,1
800C9A30:  881F01DD lbz r0,477(r31)
800C9A34:  50603672 rlwimi r0,r3,6,25,25
800C9A38:  981F01DD stb r0,477(r31)
800C9A3C:  48000014 b 0x800c9a50
800C9A40:  38600000 li r3,0
800C9A44:  881F01DD lbz r0,477(r31)
800C9A48:  50603672 rlwimi r0,r3,6,25,25
800C9A4C:  981F01DD stb r0,477(r31)
800C9A50:  3BA00001 li r29,1
800C9A54:  881F01DD lbz r0,477(r31)
800C9A58:  53A03E30 rlwimi r0,r29,7,24,24
800C9A5C:  981F01DD stb r0,477(r31)
800C9A60:  387F0038 addi r3,r31,56
800C9A64:  4BFEE6E9 bl 0x800b814c
800C9A68:  81830000 lwz r12,0(r3)
800C9A6C:  818C017C lwz r12,380(r12)
800C9A70:  7D8903A6 mtctr r12
800C9A74:  4E800421 bctrl
800C9A78:  547C063E rlwinm r28,r3,0,24,31
800C9A7C:  806D927C lwz r3,-28036(r13)
800C9A80:  7F84E378 mr r4,r28
800C9A84:  4801716D bl 0x800e0bf0
800C9A88:  7C7B1B78 mr r27,r3
800C9A8C:  801F0188 lwz r0,392(r31)
800C9A90:  90030188 stw r0,392(r3)
800C9A94:  939F0188 stw r28,392(r31)
800C9A98:  8BC301DC lbz r30,476(r3)
800C9A9C:  889F01DC lbz r4,476(r31)
800C9AA0:  48004AB5 bl 0x800ce554
800C9AA4:  7FE3FB78 mr r3,r31
800C9AA8:  7FC4F378 mr r4,r30
800C9AAC:  48004AA9 bl 0x800ce554
800C9AB0:  881B01DD lbz r0,477(r27)
800C9AB4:  541CF7FE rlwinm r28,r0,30,31,31
800C9AB8:  881F01DD lbz r0,477(r31)
800C9ABC:  5404F7FE rlwinm r4,r0,30,31,31
800C9AC0:  7F63DB78 mr r3,r27
800C9AC4:  48003DDD bl 0x800cd8a0
800C9AC8:  7FE3FB78 mr r3,r31
800C9ACC:  7F84E378 mr r4,r28
800C9AD0:  48003DD1 bl 0x800cd8a0
800C9AD4:  806D927C lwz r3,-28036(r13)
800C9AD8:  809F0188 lwz r4,392(r31)
800C9ADC:  4801A8B1 bl 0x800e438c
800C9AE0:  806D927C lwz r3,-28036(r13)
800C9AE4:  8003747C lwz r0,29820(r3)
800C9AE8:  9001000C stw r0,12(r1)
800C9AEC:  3861000C addi r3,r1,12
800C9AF0:  3B800000 li r28,0
800C9AF4:  881F01DD lbz r0,477(r31)
800C9AF8:  5400D7FE rlwinm r0,r0,26,31,31
800C9AFC:  2C800000 cmpwi cr1,r0,0
800C9B00:  41860038 beq- cr1,0x800c9b38
800C9B04:  38800006 li r4,6
800C9B08:  48005045 bl 0x800ceb4c
800C9B0C:  9081002C stw r4,44(r1)
800C9B10:  90610028 stw r3,40(r1)
800C9B14:  80630000 lwz r3,0(r3)
800C9B18:  7FA02030 slw r0,r29,r4
800C9B1C:  7C630038 and r3,r3,r0
800C9B20:  7C0300D0 neg r0,r3
800C9B24:  7C001B78 or r0,r0,r3
800C9B28:  54000FFE rlwinm r0,r0,1,31,31
800C9B2C:  2C800000 cmpwi cr1,r0,0
800C9B30:  40860008 bne- cr1,0x800c9b38
800C9B34:  3B800001 li r28,1
800C9B38:  2C9C0000 cmpwi cr1,r28,0
800C9B3C:  41860118 beq- cr1,0x800c9c54
800C9B40:  7FE3FB78 mr r3,r31
800C9B44:  48003BED bl 0x800cd730
800C9B48:  4800010C b 0x800c9c54
800C9B4C:  801F0188 lwz r0,392(r31)
800C9B50:  2C800003 cmpwi cr1,r0,3
800C9B54:  40860100 bne- cr1,0x800c9c54
800C9B58:  806D927C lwz r3,-28036(r13)
800C9B5C:  8003747C lwz r0,29820(r3)
800C9B60:  90010008 stw r0,8(r1)
800C9B64:  3B810008 addi r28,r1,8
800C9B68:  3BA00000 li r29,0
800C9B6C:  387F0038 addi r3,r31,56
800C9B70:  4BFEE5DD bl 0x800b814c
800C9B74:  81830000 lwz r12,0(r3)
800C9B78:  818C00E4 lwz r12,228(r12)
800C9B7C:  7D8903A6 mtctr r12
800C9B80:  4E800421 bctrl
800C9B84:  88030021 lbz r0,33(r3)
800C9B88:  2C800000 cmpwi cr1,r0,0
800C9B8C:  41860040 beq- cr1,0x800c9bcc
800C9B90:  7F83E378 mr r3,r28
800C9B94:  38800006 li r4,6
800C9B98:  48004FB5 bl 0x800ceb4c
800C9B9C:  90810024 stw r4,36(r1)
800C9BA0:  90610020 stw r3,32(r1)
800C9BA4:  80630000 lwz r3,0(r3)
800C9BA8:  38000001 li r0,1
800C9BAC:  7C002030 slw r0,r0,r4
800C9BB0:  7C630038 and r3,r3,r0
800C9BB4:  7C0300D0 neg r0,r3
800C9BB8:  7C001B78 or r0,r0,r3
800C9BBC:  54000FFE rlwinm r0,r0,1,31,31
800C9BC0:  2C800000 cmpwi cr1,r0,0
800C9BC4:  40860008 bne- cr1,0x800c9bcc
800C9BC8:  3BA00001 li r29,1
800C9BCC:  2C9D0000 cmpwi cr1,r29,0
800C9BD0:  41860010 beq- cr1,0x800c9be0
800C9BD4:  7FE3FB78 mr r3,r31
800C9BD8:  48003B59 bl 0x800cd730
800C9BDC:  48000078 b 0x800c9c54
800C9BE0:  3B800000 li r28,0
800C9BE4:  387F0038 addi r3,r31,56
800C9BE8:  4BFEE565 bl 0x800b814c
800C9BEC:  81830000 lwz r12,0(r3)
800C9BF0:  818C00E4 lwz r12,228(r12)
800C9BF4:  7D8903A6 mtctr r12
800C9BF8:  4E800421 bctrl
800C9BFC:  88030021 lbz r0,33(r3)
800C9C00:  2C800000 cmpwi cr1,r0,0
800C9C04:  40860040 bne- cr1,0x800c9c44
800C9C08:  38610008 addi r3,r1,8
800C9C0C:  38800006 li r4,6
800C9C10:  48004F3D bl 0x800ceb4c
800C9C14:  9081001C stw r4,28(r1)
800C9C18:  90610018 stw r3,24(r1)
800C9C1C:  80630000 lwz r3,0(r3)
800C9C20:  38000001 li r0,1
800C9C24:  7C002030 slw r0,r0,r4
800C9C28:  7C630038 and r3,r3,r0
800C9C2C:  7C0300D0 neg r0,r3
800C9C30:  7C001B78 or r0,r0,r3
800C9C34:  54000FFE rlwinm r0,r0,1,31,31
800C9C38:  2C800000 cmpwi cr1,r0,0
800C9C3C:  41860008 beq- cr1,0x800c9c44
800C9C40:  3B800001 li r28,1
800C9C44:  2C9C0000 cmpwi cr1,r28,0
800C9C48:  4186000C beq- cr1,0x800c9c54
800C9C4C:  7FE3FB78 mr r3,r31
800C9C50:  48003AE1 bl 0x800cd730
800C9C54:  807F01CC lwz r3,460(r31)
800C9C58:  38030001 addi r0,r3,1
800C9C5C:  901F01CC stw r0,460(r31)
800C9C60:  48000090 b 0x800c9cf0
800C9C64:  38600000 li r3,0
800C9C68:  907F01D0 stw r3,464(r31)
800C9C6C:  907F01D4 stw r3,468(r31)
800C9C70:  801F01CC lwz r0,460(r31)
800C9C74:  2C800000 cmpwi cr1,r0,0
800C9C78:  41860024 beq- cr1,0x800c9c9c
800C9C7C:  907F01CC stw r3,460(r31)
800C9C80:  38600001 li r3,1
800C9C84:  881F01DD lbz r0,477(r31)
800C9C88:  50603E30 rlwimi r0,r3,7,24,24
800C9C8C:  981F01DD stb r0,477(r31)
800C9C90:  806D927C lwz r3,-28036(r13)
800C9C94:  809F0188 lwz r4,392(r31)
800C9C98:  4801A965 bl 0x800e45fc
800C9C9C:  38000000 li r0,0
800C9CA0:  901F01CC stw r0,460(r31)
800C9CA4:  7FE3FB78 mr r3,r31
800C9CA8:  480030B9 bl 0x800ccd60
800C9CAC:  2C830000 cmpwi cr1,r3,0
800C9CB0:  41860024 beq- cr1,0x800c9cd4
800C9CB4:  7FE3FB78 mr r3,r31
800C9CB8:  48001339 bl 0x800caff0
800C9CBC:  7C7E1B78 mr r30,r3
800C9CC0:  7FE3FB78 mr r3,r31
800C9CC4:  4800309D bl 0x800ccd60
800C9CC8:  7FC4F378 mr r4,r30
800C9CCC:  38A00000 li r5,0
800C9CD0:  4800C751 bl 0x800d6420
800C9CD4:  887F01DD lbz r3,477(r31)
800C9CD8:  5460E7FE rlwinm r0,r3,28,31,31
800C9CDC:  2C800000 cmpwi cr1,r0,0
800C9CE0:  40860010 bne- cr1,0x800c9cf0
800C9CE4:  38000001 li r0,1
800C9CE8:  500326F6 rlwimi r3,r0,4,27,27
800C9CEC:  987F01DD stb r3,477(r31)
800C9CF0:  881F01DD lbz r0,477(r31)
800C9CF4:  540007FE rlwinm r0,r0,0,31,31
800C9CF8:  2C800000 cmpwi cr1,r0,0
800C9CFC:  4186000C beq- cr1,0x800c9d08
800C9D00:  7FE3FB78 mr r3,r31
800C9D04:  480044F9 bl 0x800ce1fc
800C9D08:  7FE3FB78 mr r3,r31
800C9D0C:  480044A1 bl 0x800ce1ac
800C9D10:  387F01B0 addi r3,r31,432
800C9D14:  38800000 li r4,0
800C9D18:  481DF809 bl 0x802a9520
800C9D1C:  396100B0 addi r11,r1,176
800C9D20:  48347BF9 bl 0x80411918
800C9D24:  800100B4 lwz r0,180(r1)
800C9D28:  7C0803A6 mtlr r0
800C9D2C:  382100B0 addi r1,r1,176
800C9D30:  4E800020 blr

[/spoiler]

And this is the bl that comes before the crash. There are more bls in this one, and even more bls coming from those.
[spoiler]

sub_800E0BF0:

.set arg_0,  0
.set arg_4,  4

stwu    %sp, -0x50(%sp)
mfspr   %r0, LR
stw     %r0, 0x50+arg_4(%sp)
addi    %r11, %sp, 0x50+arg_0
bl      loc_804118A8
mr      %r28, %r3
mr      %r30, %r4
bl      sub_800E0C24
oris    %rtoc, %rtoc, 0x580F
lwz     %rtoc, 0x5FB8(%r9)
lwz     %rtoc, -0x2028(%r8)
dozi    %r5, %r5, -0xC6E
lbz     %r26, 0x7F0B(%r27)
# End of function sub_800E0BF0

[/spoiler]

I gave it a quick look going backwards, and the last function I noticed that changed r3 was at 800E0C44. Which apparently made this post too long for the forum, so I put it on pastie instead: http://pastie.org/private/hwd27fsaifswccjx9anw