Teleporting code

Started by toonlink444, November 21, 2011, 09:54:20 PM

toonlink444

Nice explanation. I'll get to work tomorrow. Thanks. It's my winter break now, so I'll finish this code then work on littler things so you guys can do stuff that I can't fathom.
In the beginning there was nothing. Then it exploded
New blog!! Check it out for hacking Smash Bros Brawl!! http://letshackblank.blogspot.com/

toonlink444

I found a hook connected to the address that stores one of the coords. But it doesn't teleport me when I do an XBP on it. I follow the stack but none of them teleport me. And the hook connected to the address messes up Mario. I would post a picture but I have no idea how to.

wiiztec

Just take a screenshot with Gecko.NET or WiiRd
If there's any code at all that you want to be button activated, or even able to toggle on & off, and I have the game, just PM me and I'll make it happen

dcx2

You need to give more details about what you're trying to do, so that we know you found the right thing.

What breakpoint did you find?  What was the call stack?  When it didn't work, did you follow the chain?

One step at a time.  The first step is to collect data about the first Write Breakpoint on the coordinates.  So find the coordinates, then set the WBP.  Once it hits, click "Text View" on the BP tab so you can highlight the registers and copy/paste them into a spoiler here.  Then go to the disasm tab, right-click the highlighted line, and Copy Function, and paste it into a spoiler.  Then right-click the Call Stack listbox, Load, wait until it finishes, and then right click again and Copy All, then paste into a third spoiler.

Once you post this info, we'll do the next step.

toonlink444

*Breathes* Alright, give me a bit, my TV is being used.

toonlink444

Here are the registers:
[spoiler]CR:24000088  XER:00000000  CTR:802E95B0 DSIS:02400000
DAR:805F6AD4 SRR0:80018B1C SRR1:0000A032   LR:803E0C50
  r0:803E0C3C   r1:806BD488   r2:806AB280   r3:805F6AD4
  r4:80FB3894   r5:00000773   r6:81347C68   r7:00000391
  r8:00000000   r9:00000005  r10:0000000B  r11:806BD478
r12:00000003  r13:806A4CA0  r14:00000001  r15:806BD9B4
r16:806BD6D4  r17:805B02E8  r18:00000000  r19:00000000
r20:00000000  r21:00000001  r22:00000000  r23:00000000
r24:806BD49C  r25:80FB3830  r26:805F6A70  r27:00000000
r28:805F6A70  r29:00000000  r30:806BD5B8  r31:00000001

  f0:C58C7C41   f1:455424D4   f2:4000009E   f3:40400000
  f4:3F000000   f5:3C23D70A   f6:3FFFF87E   f7:C58C7C41
  f8:3F800000   f9:80000000  f10:80000000  f11:80000000
f12:00000000  f13:3F4DC876  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:42A00000  f30:42C80000  f31:41F00001[/spoiler]

The function:
[spoiler]80018B14:  E0240000   psq_l   f1,0(r4),0,0
80018B18:  C0040008   lfs   f0,8(r4)
80018B1C:  F0230000   psq_st   f1,0(r3),0,0
80018B20:  D0030008   stfs   f0,8(r3)
80018B24:  4E800020   blr   
[/spoiler]

The call stack:
[spoiler]80018B1C
803E0C4C
803E23EC
802D3878
802AD564
802ACF68
802B0CC8
802B0AB8
802B0980
802B0854
8016551C
802AFE00
80261B88
8026181C
80344840
80343C1C
8033F7C8
8016FB14
8033E774
8039D304
80399D98
80399EBC
8016FB14
80399C9C
80399B20
803995C0
800041A0
[/spoiler]

The hook I used was 80018B1C because it led me back to it.

dcx2

That's much more useful.

That function is a bad hook.  An "XBP test" on 80018B1C will probably hit many times per frame.  That's the sign of a bad hook, XBP that hits too often.

That means walk the stack.  The top of the stack is 80018B1C, and its caller is 803E0C4C (second from the top).  The function at 80018B1C has two arguments that are passed to it by the caller; r3 and r4.  Its purpose is to copy three floats from the pointer in r4 to the pointer in r3.

The good news is that you won't need to do memory searches for Mario's coordinates anymore.  To find his coordinates, set an XBP on 803E0C4C.  Then, look in r3.  This will be a pointer to Mario's coordinates, just before they are passed to 80018B1C.  (this assumes 803E0C4C is a good hook, which it probably is; an XBP test would confirm)  r4 will have a pointer to another copy of the coordinates.

It's usually a good idea to look at the caller.  So go to the disasm tab, go to 803E0C4C, right click, Copy Function, paste into spoiler.  You do NOT need to be at a breakpoint for this.

---

To test this hook to see if it can teleport you, set an XBP on 803E0C50 (this is the instruction AFTER the call 803E0C4C: ???????? bl 0x80018B1C).  Once the XBP hits, grab the address from r3, go to that address in Memory Viewer.  I always suggest a MemView Auto-Update while running to verify that you found the right thing, jump up and down a few times and you should see the Y coordinate.

If you clicked run, go back to BP tab and set another XBP on 803E0C50; this must be done as a "breakpoint poke".  Once it hits, go back and poke the Y coordinate to something much bigger, add at least a few hundred in float to the coordinate (i.e. so if the float is 2000, make it 2500 or something like that, you will have to convert some hex to float and back again).

Post back with your results.
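
The hex/float conversion and the three-float layout mentioned above, as an added example that is not part of the original post: it parses register lines copied from the dump in this thread, lists the three float addresses behind r3 and r4, and computes the word to poke for a given increase. Function names are my own, and it assumes the debugger shows each FPR's first slot as a single-precision word.

```python
import math
import re
import struct

# Register lines copied from the breakpoint dump posted in this thread.
DUMP = """
  r0:803E0C3C   r1:806BD488   r2:806AB280   r3:805F6AD4
  r4:80FB3894   r5:00000773   r6:81347C68   r7:00000391
  f0:C58C7C41   f1:455424D4   f2:4000009E   f3:40400000
"""

def parse_registers(text):
    """Map register name -> 32-bit value from 'name:HEX' pairs."""
    pairs = re.findall(r"\b([rf]\d+):([0-9A-Fa-f]{8})\b", text)
    return {name: int(value, 16) for name, value in pairs}

def word_to_float(word):
    """Reinterpret a 32-bit word as a big-endian IEEE-754 single."""
    return struct.unpack(">f", struct.pack(">I", word))[0]

def float_to_word(value):
    """Inverse of word_to_float: the word to type into the poke box."""
    return struct.unpack(">I", struct.pack(">f", value))[0]

def vec3_slots(pointer):
    """80018B14 copies the floats at 0, 4 and 8 bytes from its pointer."""
    return [f"{pointer + offset:08X}" for offset in (0, 4, 8)]

def poke_word(current_word, delta):
    """Word that raises the float stored as current_word by delta."""
    current = word_to_float(current_word)
    if not math.isfinite(current):
        raise ValueError("not a finite float, so probably not a coordinate")
    return float_to_word(current + delta)

def summarize(text):
    regs = parse_registers(text)
    return {
        "dest_slots": vec3_slots(regs["r3"]),
        "src_slots": vec3_slots(regs["r4"]),
        # Assumption: the dump shows each FPR's first slot as a single.
        # At 80018B1C, f1 came from 0(r4) and f0 from 8(r4).
        "float_at_0": word_to_float(regs["f1"]),
        "float_at_8": word_to_float(regs["f0"]),
    }

if __name__ == "__main__":
    for key, value in summarize(DUMP).items():
        print(key, value)
    # The post's own illustration: 2000.0 raised to 2500.0.
    print(f"{poke_word(0x44FA0000, 500.0):08X}")
```
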

toonlink444

#67
Here's 803E0C4C's function:
[spoiler]803E0AA4:  9421FF20   stwu   r1,-224(r1)
803E0AA8:  7C0802A6   mflr   r0
803E0AAC:  900100E4   stw   r0,228(r1)
803E0AB0:  DBE100D0   stfd   f31,208(r1)
803E0AB4:  F3E100D8   psq_st   f31,216(r1),0,0
803E0AB8:  396100D0   addi   r11,r1,208
803E0ABC:  48136A5D   bl   0x80517518
803E0AC0:  7C7E1B78   mr   r30,r3
803E0AC4:  7C972378   mr   r23,r4
803E0AC8:  7CB62B78   mr   r22,r5
803E0ACC:  7CD53378   mr   r21,r6
803E0AD0:  4BD94D8D   bl   0x8017585c
803E0AD4:  8063000C   lwz   r3,12(r3)
803E0AD8:  7EE4BB78   mr   r4,r23
803E0ADC:  7EC5B378   mr   r5,r22
803E0AE0:  38C00000   li   r6,0
803E0AE4:  80630000   lwz   r3,0(r3)
803E0AE8:  38E00000   li   r7,0
803E0AEC:  39000000   li   r8,0
803E0AF0:  4BD9350D   bl   0x80173ffc
803E0AF4:  2C030000   cmpwi   r3,0
803E0AF8:  7C7F1B78   mr   r31,r3
803E0AFC:  4082000C   bne-   0x803e0b08
803E0B00:  38600000   li   r3,0
803E0B04:  48000188   b   0x803e0c8c
803E0B08:  3B400000   li   r26,0
803E0B0C:  3B210014   addi   r25,r1,20
803E0B10:  7F58D378   mr   r24,r26
803E0B14:  3B600000   li   r27,0
803E0B18:  3B800000   li   r28,0
803E0B1C:  48000044   b   0x803e0b60
803E0B20:  4BD94D3D   bl   0x8017585c
803E0B24:  8063000C   lwz   r3,12(r3)
803E0B28:  7F64DB78   mr   r4,r27
803E0B2C:  80630000   lwz   r3,0(r3)
803E0B30:  4BD93BA5   bl   0x801746d4
803E0B34:  2C150000   cmpwi   r21,0
803E0B38:  7C79E12E   stwx   r3,r25,r28
803E0B3C:  4182001C   beq-   0x803e0b58
803E0B40:  7C79E02E   lwzx   r3,r25,r28
803E0B44:  80030008   lwz   r0,8(r3)
803E0B48:  7C00A840   cmplw   r0,r21
803E0B4C:  4082000C   bne-   0x803e0b58
803E0B50:  7F19E12E   stwx   r24,r25,r28
803E0B54:  3B5A0001   addi   r26,r26,1
803E0B58:  3B7B0001   addi   r27,r27,1
803E0B5C:  3B9C0004   addi   r28,r28,4
803E0B60:  7C1BF840   cmplw   r27,r31
803E0B64:  4180FFBC   blt+   0x803e0b20
803E0B68:  7C1AF850   sub   r0,r31,r26
803E0B6C:  28000020   cmplwi   r0,32
803E0B70:  900DD998   stw   r0,-9832(r13)
803E0B74:  4180000C   blt-   0x803e0b80
803E0B78:  38000020   li   r0,32
803E0B7C:  900DD998   stw   r0,-9832(r13)
803E0B80:  3F40805F   lis   r26,-32673
803E0B84:  3B010014   addi   r24,r1,20
803E0B88:  3B5A6A70   addi   r26,r26,27248
803E0B8C:  3AE00000   li   r23,0
803E0B90:  3BA00000   li   r29,0
803E0B94:  3B600000   li   r27,0
803E0B98:  480000E8   b   0x803e0c80
803E0B9C:  C3E21AFC   lfs   f31,6908(r2)
803E0BA0:  3AC00000   li   r22,0
803E0BA4:  3AA00000   li   r21,0
803E0BA8:  3B800000   li   r28,0
803E0BAC:  48000060   b   0x803e0c0c
803E0BB0:  7C18E02E   lwzx   r0,r24,r28
803E0BB4:  2C000000   cmpwi   r0,0
803E0BB8:  4182004C   beq-   0x803e0c04
803E0BBC:  4BD94CA1   bl   0x8017585c
803E0BC0:  8063000C   lwz   r3,12(r3)
803E0BC4:  7EA4AB78   mr   r4,r21
803E0BC8:  80630000   lwz   r3,0(r3)
803E0BCC:  4BD93B09   bl   0x801746d4
803E0BD0:  7C791B78   mr   r25,r3
803E0BD4:  7FC4F378   mr   r4,r30
803E0BD8:  38610008   addi   r3,r1,8
803E0BDC:  4BC37FB1   bl   0x80018b8c
803E0BE0:  38610008   addi   r3,r1,8
803E0BE4:  38990064   addi   r4,r25,100
803E0BE8:  4BC3F909   bl   0x800204f0
803E0BEC:  38610008   addi   r3,r1,8
803E0BF0:  480D6065   bl   0x804b6c54
803E0BF4:  FC1F0840   fcmpo   cr0,f31,f1
803E0BF8:  4081000C   ble-   0x803e0c04
803E0BFC:  7EB6AB78   mr   r22,r21
803E0C00:  FFE00890   fmr   f31,f1
803E0C04:  3AB50001   addi   r21,r21,1
803E0C08:  3B9C0004   addi   r28,r28,4
803E0C0C:  7C15F840   cmplw   r21,r31
803E0C10:  4180FFA0   blt+   0x803e0bb0
803E0C14:  4BD94C49   bl   0x8017585c
803E0C18:  8063000C   lwz   r3,12(r3)
803E0C1C:  7EC4B378   mr   r4,r22
803E0C20:  80630000   lwz   r3,0(r3)
803E0C24:  4BD93AB1   bl   0x801746d4
803E0C28:  7C791B78   mr   r25,r3
803E0C2C:  7F9AEA14   add   r28,r26,r29
803E0C30:  7F83E378   mr   r3,r28
803E0C34:  7F24CB78   mr   r4,r25
803E0C38:  4BECDA75   bl   0x802ae6ac
803E0C3C:  C0190060   lfs   f0,96(r25)
803E0C40:  387C0064   addi   r3,r28,100
803E0C44:  38990064   addi   r4,r25,100
803E0C48:  D01C0060   stfs   f0,96(r28)
803E0C4C:  4BC37EC9   bl   0x80018b14
803E0C50:  387C0070   addi   r3,r28,112
803E0C54:  38990070   addi   r4,r25,112
803E0C58:  4BC37EBD   bl   0x80018b14
803E0C5C:  387C007C   addi   r3,r28,124
803E0C60:  3899007C   addi   r4,r25,124
803E0C64:  4BC37EB1   bl   0x80018b14
803E0C68:  88790088   lbz   r3,136(r25)
803E0C6C:  56C0103A   rlwinm   r0,r22,2,0,29
803E0C70:  7F78012E   stwx   r27,r24,r0
803E0C74:  3AF70001   addi   r23,r23,1
803E0C78:  3BBD008C   addi   r29,r29,140
803E0C7C:  987C0088   stb   r3,136(r28)
803E0C80:  806DD998   lwz   r3,-9832(r13)
803E0C84:  7C171840   cmplw   r23,r3
803E0C88:  4180FF14   blt+   0x803e0b9c
803E0C8C:  E3E100D8   psq_l   f31,216(r1),0,0
803E0C90:  396100D0   addi   r11,r1,208
803E0C94:  CBE100D0   lfd   f31,208(r1)
803E0C98:  481368CD   bl   0x80517564
803E0C9C:  800100E4   lwz   r0,228(r1)
803E0CA0:  7C0803A6   mtlr   r0
803E0CA4:  382100E0   addi   r1,r1,224
803E0CA8:  4E800020   blr   
[/spoiler]
r3 was the same address that I set the first breakpoint on, 805F6AD4. And the address that appeared to be the Y (805F6AD0), when I poked it during the breakpoint, didn't teleport Mario.
I feel like I've done this before. Should I follow the chain with a breakpoint on r28, since it's adding 112 to r3, or should I walk the stack again?

MOD EDIT: bolded the function call of interest

dcx2

#68
You should only walk the stack if you found a breakpoint that fails the XBP test for a good hook.

If poking r3's y coordinate during a breakpoint failed, you should follow the chain.  Look carefully at this piece

803E0C40:  387C0064   addi   r3,r28,100
803E0C44:  38990064   addi   r4,r25,100
803E0C48:  D01C0060   stfs   f0,96(r28)
803E0C4C:  4BC37EC9   bl   0x80018b14

In this case, r3 = r28 + 0x64, and r4 = r25 + 0x64.  Since it was copying from r4 to r3, and r3 has failed, we now want to see who writes to r4.  (following the chain of writes)

---

So, set XBP on 803E0C50 again (actually, anything after 803E0C44 and before 803E0C54 is okay, since it will have the right address in r4 at that time).  Copy the pointer from r4, and set a Write BP on it.  When the BP hits, Step once, then poke the coordinate in MemView and see if it works.

Also, when the Write BP hits, Copy Function and paste into spoiler.  As a precaution, also copy the full Call Stack, just in case the Write BP would be a bad hook.

EDIT:

Whoa there, hold on a sec.  You say your apparent Y coordinate was 805F6AD0.  However, your r3 pointer was 805F6AD4.  This means that your Y coordinate had to be either 805F6AD4, 805F6AD8, or 805F6ADC.
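
A static cross-check of the call site discussed above, as an added example that is not part of the original post: a minimal decoder for the two PowerPC instruction forms involved (addi and bl), run over instruction words copied from the listing in this thread, recovering how r3 and r4 are built before each call to 80018B14. Function names are my own.

```python
# Instruction words copied from the 803E0C4C function posted in this thread.
LISTING = """
803E0C40:  387C0064   addi   r3,r28,100
803E0C44:  38990064   addi   r4,r25,100
803E0C48:  D01C0060   stfs   f0,96(r28)
803E0C4C:  4BC37EC9   bl   0x80018b14
803E0C50:  387C0070   addi   r3,r28,112
803E0C54:  38990070   addi   r4,r25,112
803E0C58:  4BC37EBD   bl   0x80018b14
803E0C5C:  387C007C   addi   r3,r28,124
803E0C60:  3899007C   addi   r4,r25,124
803E0C64:  4BC37EB1   bl   0x80018b14
"""

def sign_extend(value, bits):
    """Treat the low `bits` bits of value as a two's-complement number."""
    mask = 1 << (bits - 1)
    return (value ^ mask) - mask

def decode(addr, word):
    """Decode only addi (primary opcode 14) and b/bl (primary opcode 18)."""
    opcode = word >> 26
    if opcode == 14:
        rd, ra = (word >> 21) & 31, (word >> 16) & 31
        return ("addi", rd, ra, sign_extend(word & 0xFFFF, 16))
    if opcode == 18:
        disp = sign_extend(word & 0x03FFFFFC, 26)
        # AA bit (0x2) set means absolute target, otherwise relative to addr.
        target = disp & 0xFFFFFFFF if word & 2 else (addr + disp) & 0xFFFFFFFF
        return ("bl" if word & 1 else "b", target)
    return ("other",)

def call_sites(listing, callee):
    """For each bl to callee, report (base register, offset) for r3 and r4."""
    args, sites = {}, []
    for line in listing.strip().splitlines():
        addr_text, word_text = line.split()[:2]
        addr, word = int(addr_text.rstrip(":"), 16), int(word_text, 16)
        ins = decode(addr, word)
        # rA == 0 would be the li form (no base register), so skip it.
        if ins[0] == "addi" and ins[1] in (3, 4) and ins[2] != 0:
            args[ins[1]] = (ins[2], ins[3])
        elif ins[0] == "bl" and ins[1] == callee:
            sites.append({"call": addr, "resume": addr + 4,
                          "dest": args.get(3), "src": args.get(4)})
            args = {}
    return sites

if __name__ == "__main__":
    for site in call_sites(LISTING, 0x80018B14):
        print(f"{site['call']:08X} dest=r{site['dest'][0]}+{site['dest'][1]} "
              f"src=r{site['src'][0]}+{site['src'][1]} resume={site['resume']:08X}")
```

Subtracting the recovered offset from the runtime r3 (805F6AD4 minus 100) gives 805F6A70, which is the r28 value in the register dump posted earlier in the thread.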

Bully@Wiiplaza

#69
This is Super Mario Galaxy... (I think).
I just noticed that I don't have those dumps; normally I do have all regions of popular games. :(

What I did was follow the link register to get to a better hook.
A pointer code would work as well.
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

toonlink444

Here's the write breakpoint:
[spoiler]80018B14:  E0240000   psq_l   f1,0(r4),0,0
80018B18:  C0040008   lfs   f0,8(r4)
80018B1C:  F0230000   psq_st   f1,0(r3),0,0
80018B20:  D0030008   stfs   f0,8(r3)
80018B24:  4E800020   blr   
[/spoiler]
And the stack:
[spoiler]80018B1C
80176EC8
80174248
803E03DC
803ED158
803ED964
803EDB1C
80273A68
8016FB14
801654FC
80261B88
8026181C
80344840
80343C0C
8033F7C8
8016FB14
8033E774
8039D304
80399D98
80399EBC
8016FB14
80399C9C
80399B20
803995C0
800041A0
[/spoiler]
Leads back to the same function. But different stack.

dcx2

Yes, it's pretty common for functions to be re-used like that, it's why they make such bad hooks.

Did you see my edit?  You didn't poke the right address during a breakpoint.

If you wish to continue with this one (I recommend re-trying to make sure you poke the right address before moving on), Copy Function on 80176EC8.  Then set XBP on 80176ECC and you can poke the address in r3 to see if it works.

toonlink444

Repoked on all those addresses, no movement. Shall I do what you just said?

dcx2

Yeah, do the same thing with 80176ECC (XBP, get pointer from r3, poke during breakpoint)

toonlink444

#74
Alrighty, it gave me pointer 80FB3894.
The function for 80176EC8:
[spoiler]80176D34:  9421FD10   stwu   r1,-752(r1)
80176D38:  7C0802A6   mflr   r0
80176D3C:  900102F4   stw   r0,756(r1)
80176D40:  DBE102E0   stfd   f31,736(r1)
80176D44:  F3E102E8   psq_st   f31,744(r1),0,0
80176D48:  DBC102D0   stfd   f30,720(r1)
80176D4C:  F3C102D8   psq_st   f30,728(r1),0,0
80176D50:  396102D0   addi   r11,r1,720
80176D54:  483A07C5   bl   0x80517518
80176D58:  7CF83B78   mr   r24,r7
80176D5C:  7C751B78   mr   r21,r3
80176D60:  7C962378   mr   r22,r4
80176D64:  7CBA2B78   mr   r26,r5
80176D68:  7CD93378   mr   r25,r6
80176D6C:  7D174378   mr   r23,r8
80176D70:  7F03C378   mr   r3,r24
80176D74:  4833FEE1   bl   0x804b6c54
80176D78:  FFE00890   fmr   f31,f1
80176D7C:  7F24CB78   mr   r4,r25
80176D80:  38750064   addi   r3,r21,100
80176D84:  38A10048   addi   r5,r1,72
80176D88:  4BE9F865   bl   0x800165ec
80176D8C:  7F24CB78   mr   r4,r25
80176D90:  38610024   addi   r3,r1,36
80176D94:  4BEA1DF9   bl   0x80018b8c
80176D98:  7F04C378   mr   r4,r24
80176D9C:  38610024   addi   r3,r1,36
80176DA0:  4BEA61E1   bl   0x8001cf80
80176DA4:  38750064   addi   r3,r21,100
80176DA8:  38810024   addi   r4,r1,36
80176DAC:  38A1003C   addi   r5,r1,60
80176DB0:  4BE9F83D   bl   0x800165ec
80176DB4:  38610018   addi   r3,r1,24
80176DB8:  3881003C   addi   r4,r1,60
80176DBC:  4BEA1DD1   bl   0x80018b8c
80176DC0:  38610018   addi   r3,r1,24
80176DC4:  38810048   addi   r4,r1,72
80176DC8:  4BEA9729   bl   0x800204f0
80176DCC:  3861003C   addi   r3,r1,60
80176DD0:  38810018   addi   r4,r1,24
80176DD4:  4BEA1D41   bl   0x80018b14
80176DD8:  38000000   li   r0,0
80176DDC:  7F4AD378   mr   r10,r26
80176DE0:  90010008   stw   r0,8(r1)
80176DE4:  38810048   addi   r4,r1,72
80176DE8:  38A1003C   addi   r5,r1,60
80176DEC:  38C10194   addi   r6,r1,404
80176DF0:  807500C4   lwz   r3,196(r21)
80176DF4:  38E10054   addi   r7,r1,84
80176DF8:  39010008   addi   r8,r1,8
80176DFC:  39210094   addi   r9,r1,148
80176E00:  4800CBCD   bl   0x801839cc
80176E04:  3B610194   addi   r27,r1,404
80176E08:  3B810094   addi   r28,r1,148
80176E0C:  3BA10054   addi   r29,r1,84
80176E10:  3B400000   li   r26,0
80176E14:  3BE00000   li   r31,0
80176E18:  3B200000   li   r25,0
80176E1C:  3BC00000   li   r30,0
80176E20:  480000C8   b   0x80176ee8
80176E24:  7FDBF42E   lfsx   f30,r27,r30
80176E28:  7F16FA14   add   r24,r22,r31
80176E2C:  3861000C   addi   r3,r1,12
80176E30:  3881003C   addi   r4,r1,60
80176E34:  4BEA1D59   bl   0x80018b8c
80176E38:  FC20F090   fmr   f1,f30
80176E3C:  3861000C   addi   r3,r1,12
80176E40:  4BEA8F2D   bl   0x8001fd6c
80176E44:  38610030   addi   r3,r1,48
80176E48:  38810048   addi   r4,r1,72
80176E4C:  4BEA1D41   bl   0x80018b8c
80176E50:  38610030   addi   r3,r1,48
80176E54:  3881000C   addi   r4,r1,12
80176E58:  4BEA6129   bl   0x8001cf80
80176E5C:  38810030   addi   r4,r1,48
80176E60:  38750034   addi   r3,r21,52
80176E64:  7C852378   mr   r5,r4
80176E68:  4BE9F785   bl   0x800165ec
80176E6C:  807500C4   lwz   r3,196(r21)
80176E70:  7C9CF02E   lwzx   r4,r28,r30
80176E74:  4800E329   bl   0x8018519c
80176E78:  80D500C8   lwz   r6,200(r21)
80176E7C:  7C651B78   mr   r5,r3
80176E80:  7F03C378   mr   r3,r24
80176E84:  7EA4AB78   mr   r4,r21
80176E88:  4800B5A5   bl   0x8018242c
80176E8C:  2C170000   cmpwi   r23,0
80176E90:  41820024   beq-   0x80176eb4
80176E94:  81970000   lwz   r12,0(r23)
80176E98:  7EE3BB78   mr   r3,r23
80176E9C:  7F04C378   mr   r4,r24
80176EA0:  818C0008   lwz   r12,8(r12)
80176EA4:  7D8903A6   mtctr   r12
80176EA8:  4E800421   bctrl   
80176EAC:  2C030000   cmpwi   r3,0
80176EB0:  4082002C   bne-   0x80176edc
80176EB4:  7C1BF42E   lfsx   f0,r27,r30
80176EB8:  38780064   addi   r3,r24,100
80176EBC:  38810030   addi   r4,r1,48
80176EC0:  EC1F0032   fmuls   f0,f31,f0
80176EC4:  D0180060   stfs   f0,96(r24)
80176EC8:  4BEA1C4D   bl   0x80018b14
80176ECC:  881D0000   lbz   r0,0(r29)
80176ED0:  3B5A0001   addi   r26,r26,1
80176ED4:  3BFF008C   addi   r31,r31,140
80176ED8:  98180088   stb   r0,136(r24)
80176EDC:  3B390001   addi   r25,r25,1
80176EE0:  3BDE0004   addi   r30,r30,4
80176EE4:  3BBD0001   addi   r29,r29,1
80176EE8:  80010008   lwz   r0,8(r1)
80176EEC:  7C190040   cmplw   r25,r0
80176EF0:  4180FF34   blt+   0x80176e24
80176EF4:  7F43D378   mr   r3,r26
80176EF8:  E3E102E8   psq_l   f31,744(r1),0,0
80176EFC:  CBE102E0   lfd   f31,736(r1)
80176F00:  E3C102D8   psq_l   f30,728(r1),0,0
80176F04:  CBC102D0   lfd   f30,720(r1)
80176F08:  396102D0   addi   r11,r1,720
80176F0C:  483A0659   bl   0x80517564
80176F10:  800102F4   lwz   r0,756(r1)
80176F14:  7C0803A6   mtlr   r0
80176F18:  382102F0   addi   r1,r1,752
80176F1C:  4E800020   blr   
[/spoiler]
I breakpoint poked 80FB3894, 80FB3898, and 80FB389C; none moved Mario.
Shall I breakpoint r24, since f0 is being multiplied by f31 and stored in f0, then storing f0 and 96 into r24?

Edit: Or r4 again because of
80176EB8:  38780064   addi   r3,r24,100
80176EBC:  38810030   addi   r4,r1,48
80176EC0:  EC1F0032   fmuls   f0,f31,f0
80176EC4:  D0180060   stfs   f0,96(r24)
80176EC8:  4BEA1C4D   bl   0x80018b14
80176ECC:  881D0000   lbz   r0,0(r29)