Teleporting code

Started by toonlink444, November 21, 2011, 09:54:20 PM


Bully@Wiiplaza

Quote from: toonlink444 on December 15, 2011, 08:44:04 PM
Yep, I hit step over every time it broke on a stw, then poked. Should I poke even if it isn't stw?
Just skip it; it will take like forever to teach if you do all that stuff.
You probably don't need to do it anyway. :eek:
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

toonlink444

Are you saying that I'm incapable?
In the beginning there was nothing. Then it exploded
New blog!! Check it out for hacking Smash Bros Brawl!! http://letshackblank.blogspot.com/

Bully@Wiiplaza

Quote from: toonlink444 on December 15, 2011, 09:10:23 PM
Are you saying that I'm incapable?
No, but there's so much that could make it fail; it would take very long to talk about each single case.

toonlink444

Alright but before I throw in the towel could the addresses be in the 90000000 - 93400000 range?

Bully@Wiiplaza

Quote from: toonlink444 on December 15, 2011, 09:16:59 PM
Alright but before I throw in the towel could the addresses be in the 90000000 - 93400000 range?
So you didn't even find the coordinates in memory once? ???
We were talking about how to set up your code...

I mostly search greater/less than when jumping up/down.
Notice that it could be in either mem80 or mem90. Some games may also use a lower value the higher you are and a greater value the lower you are.

toonlink444

#50
Quote from: toonlink444 on December 15, 2011, 02:17:14 AM
Well, none of my addresses took, so I'm left to searching again. Is there a possibility that the addresses are stored differently?
The code didn't teleport me so I figured I must have a bad address

dcx2

There may also be a psq_st instruction that writes the coordinates.  Pretty sure that's how SMG2 worked.  It's usually a very short function, two psq_l's and two psq_st's.  It's just copying the coordinates from one memory location to another; psq instructions can load/store 8 bytes instead of 4, so sometimes the compiler will use them to optimize a memory transfer.

This type of function with psq instructions will often be re-used in many places.  Hackers often try to hook this instruction, with devastating consequences.  Typically, walking the stack back one level, and hooking a few instructions before the bl that calls the psq function, will provide a much better hook.

You can repeat the same procedure for psq_st that you do for stw.

The coordinates are probably not in MEM2.  I'll be on vacation soon.  I might try to give you some guidance by checking it out.

wiiztec

Every time I have found coordinates, poking them never teleported me. I used to find coordinates to make walk-through-walls codes, but now I have a much better method.
If there's any code at all that you want to be button activated, or even able to toggle on & off, and I have the game, just PM me and I'll make it happen

toonlink444

Quote from: dcx2 on December 15, 2011, 11:48:39 PM
There may also be a psq_st instruction that writes the coordinates.  Pretty sure that's how SMG2 worked.  It's usually a very short function, two psq_l's and two psq_st's.  It's just copying the coordinates from one memory location to another; psq instructions can load/store 8 bytes instead of 4, so sometimes the compiler will use them to optimize a memory transfer.

This type of function with psq instructions will often be re-used in many places.  Hackers often try to hook this instruction, with devastating consequences.  Typically, walking the stack back one level, and hooking a few instructions before the bl that calls the psq function, will provide a much better hook.

You can repeat the same procedure for psq_st that you do for stw.

The coordinates are probably not in MEM2.  I'll be on vacation soon.  I might try to give you some guidance by checking it out.
I've been skipping over the ones with the psq instructions that may be helpful. Have a good vacation.

Bully@Wiiplaza

Quote from: dcx2 on December 15, 2011, 11:48:39 PM
This type of function with psq instructions will often be re-used in many places.  Hackers often try to hook this instruction, with devastating consequences.  Typically, walking the stack back one level, and hooking a few instructions before the bl that calls the psq function, will provide a much better hook.
That's what I did and it succeeded quite well. ;D

Anarion

#55
It seems you are having a bit of difficulty finding the actual coordinates, perhaps because they may have a value that is always slightly changing. I think some games have certain coordinates like that. So unless you really knew how you wanted to try finding the coordinates, it would be really hard to find them. If no matter what you try you still cannot find the coordinates, then assume that the coordinates are always being affected in some way even though you may not be moving. So, use the game's start/pause. That should stop the coordinates from having slight changes, if they are.

Edit: OR you may have been searching on the wrong mem indeed.
So, to make things easier, if this game has a moon jump code made for it, set an execute breakpoint on the address used for the game's moon jump code. The moon jump address and the XYZ coordinates should be on the same mem, and the XYZ coordinates are always located some addresses before the moon jump address.
I'm not here much. If you have a problem with any of my codes, let me know through my youtube account and I'll help you.
¦}

toonlink444

Here's my code.
[spoiler]C23E0C40 0000000E
9421FFB0 BDC10008
3DC08061 61CED340
A1CE0000 3DE0806E
2C0E4008 40820020
3C60805F 82036AD4
82236AD8 82436ADC
920F7460 922F7464
924F7468 2C0E4004
4082001C 826F7460
828F7464 82AF7468
92636AD4 92836AD8
92A36ADC 81C10008
38210050 D0030008
60000000 00000000[/spoiler]
Yet it freezes the game. Is there an error or is it another bad address?

Anarion

So you found the real coordinates after all, huh?

If you did, it may be a bad address. Try using a read BP instead of a write. Use the same assembly, replacing each template placeholder with the correct values used on the original instruction the breakpoint broke on.

Bully@Wiiplaza

No, don't use a write breakpoint there.
You know why? The last stfs will overwrite anything that was achieved by your code...
Does it freeze instantly? It shouldn't... it must be a bad address.

dcx2

#59
So as not to remove all the challenge, I will use SMG2 as an example.  You can then try to use the same technique for SMG.  It is pretty much a walkthrough on how to do it.  It's a lot to digest, but it's very careful and deliberate, and I try to show you each step involved in the process that I take.

Using some method, determine the location of Mario's coordinates.  There's a few ways to do this; use someone's existing hook to get close, do some searches as mentioned above, it doesn't matter.  I deliberately chose a result that won't work at first, just to demonstrate how to follow the chain.

I determined that there are usually many copies of Mario's coordinates in memory at any one time.  Two of them are very, very close to each other.  In my case, they were 812733D0 and 812733DC.  Switch MemView to Single, turn on auto-update, and make Mario jump.  I see a value that looks obviously like it's a coordinate.  I right-click, "Copy All Cells", and I can save this in a notepad somewhere.  In the following two snapshots, you can see the one coordinate falling; I have it highlighted.

[spoiler]81273360   0   0   4.6E-42   0
81273370   4.8E-42   0   0   0
81273380   0   0   0   0
81273390   0   0   0   0
812733A0   0   0   0   0
812733B0   0   -3.1E-38   4.2E-39   2.9E-44
812733C0   0   0   0   -10.6335
812733D0   *2352.8*   -43.1877   -10.6335   *2335.6*
812733E0   -43.1877   5.1E-42   0   0
812733F0   0   0   9.2E-41   0
81273400   0   0   0   0
81273410   0   0   1   0
81273420   0   0   0   1
81273430   0   0   0   0
81273440   1   0   -9.9E-39   -3.1E-38
81273450   0   NaN   -5.2E-39   -4E-38[/spoiler]

[spoiler]81273360   0   0   4.6E-42   0
81273370   4.8E-42   0   0   0
81273380   0   0   0   0
81273390   0   0   0   0
812733A0   0   0   0   0
812733B0   0   -3.1E-38   4.2E-39   3.2E-44
812733C0   0   0   0   -10.6335
812733D0   *2317.5*   -43.1877   -10.6335   *2298.5*
812733E0   -43.1877   5.1E-42   0   0
812733F0   0   0   9.2E-41   0
81273400   0   0   0   0
81273410   0   0   1   0
81273420   0   0   0   1
81273430   0   0   0   0
81273440   1   0   -9.9E-39   -3.1E-38
81273450   0   NaN   -5.2E-39   -4E-38[/spoiler]

I'm going to choose 812733D0.  Right-click, set breakpoint; on the BP tab, Read/Write (I like RW when logging, normally it would be just Write), check "Step Log", "SB4E01 coords.log".  Spam the Set button; literally, click it as fast as possible while watching the screen.  Pressing the space bar once it's the active button works too.  I want to keep doing this until I see a few frames of movement.

[spoiler=RWBP coords log]
8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = -254.849   r3 = 812733CC   [812733CC] = C37ED935

80037068:  E0060000   psq_l   f0,0(r6),0,0   f0 = 0   r6 = 812733CC   [812733CC] = C37ED935

80037068:  E0060000   psq_l   f0,0(r6),0,0   f0 = -245.726   r6 = 812733CC   [812733CC] = C37ED935

8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = -245.726   r3 = 812733CC   [812733CC] = C375B9C0

80037068:  E0060000   psq_l   f0,0(r6),0,0   f0 = 0   r6 = 812733CC   [812733CC] = C375B9C0

80037068:  E0060000   psq_l   f0,0(r6),0,0   f0 = -236.617   r6 = 812733CC   [812733CC] = C375B9C0

8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = -236.617   r3 = 812733CC   [812733CC] = C36C9DF4

80037068:  E0060000   psq_l   f0,0(r6),0,0   f0 = 0   r6 = 812733CC   [812733CC] = C36C9DF4

80037068:  E0060000   psq_l   f0,0(r6),0,0   f0 = -227.523   r6 = 812733CC   [812733CC] = C36C9DF4

8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = -227.523   r3 = 812733CC   [812733CC] = C36385CA

80037068:  E0060000   psq_l   f0,0(r6),0,0   f0 = 0   r6 = 812733CC   [812733CC] = C36385CA

80037068:  E0060000   psq_l   f0,0(r6),0,0   f0 = -218.791   r6 = 812733CC   [812733CC] = C36385CA
[/spoiler]

You can identify the pattern.  They all access the same memory address, 812733CC.  But that's not my address!  812733D0 was my address.  If I look at DAR on the BP tab, it is in fact 812733D0.  psq_st can write 8 bytes, and it's the last four bytes that hit the breakpoint.  DAR will always tell you the address that was being accessed for a Read or Write breakpoint.

There's only one store in this list, the psq_st at 8000E748.  That's a candidate for a hook.  So how good of a hook is this?  Right-click the breakpoint instruction on the disassembly tab, "Copy Function".  Here's the entire function:

[spoiler=bp function]
8000E740:  E0240000   psq_l   f1,0(r4),0,0
8000E744:  C0040008   lfs   f0,8(r4)
8000E748:  F0230000   psq_st   f1,0(r3),0,0
8000E74C:  D0030008   stfs   f0,8(r3)
8000E750:  4E800020   blr   
[/spoiler]

This is just copying from r4 to r3.  So it probably touches a lot.  Execute BP on 8000E748 to see how many addresses this ASM touches.  Spam the Set button again.

I'll spare you the full log, but there's a bunch.  I didn't feel like pressing Set enough times to see a frame go by.  If any address differs from what was found initially (812733D0), it's bad.

[spoiler=XBP coords log (partial)]
8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = 0   r3 = 807F2BAC   [807F2BAC] = C33EB232

8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = -190.696   r3 = 810A8D68   [810A8D68] = C348EB67

8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = 0   r3 = 807F2BAC   [807F2BAC] = C33EB232

8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = 0   r3 = 807F2BAC   [807F2BAC] = C33BA6E9

8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = 0   r3 = 807F2B6C   [807F2B6C] = C33A1E76

8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = -186.119   r3 = 810A8D68   [810A8D68] = C33EB232
[/spoiler]

None of these addresses match our address.  So this is a bad hook.  Back to WBP on 812733D0.  Now we want to find the caller.  Go to the disassembly tab, double-click the Call Stack.  I see 8000E748 (my breakpoint) at the top.  The Call Stack looks like this:

[spoiler=call stack]8000E748 (bp)
80405EC8 (bp's caller)
80388974 (bp's caller's caller)
803C22CC (bp's caller's caller's caller)
803C215C (you get the point!)
803C1FCC
803C1C3C
802376B4
803C1874
8033A168
80339DA8
80458DD4
80457ED8
80451E60
802431FC
804518B0
804BA668
804B6D18
804B6F58
802431FC
804B6C50
804B6AA0
804B64C0
800041B0
[/spoiler]

Whew, that's pretty deep.  Double click the bp's caller (second from top, 80405EC8).  Copy Function.

[spoiler=bp's caller]80405EB0:  9421FFF0   stwu   r1,-16(r1)
80405EB4:  7C0802A6   mflr   r0
80405EB8:  3883000C   addi   r4,r3,12
80405EBC:  90010014   stw   r0,20(r1)
80405EC0:  93E1000C   stw   r31,12(r1)
80405EC4:  7C7F1B78   mr   r31,r3
80405EC8:  4BC08879   bl   0x8000e740  # calls bp
80405ECC:  38600001   li   r3,1
80405ED0:  38000000   li   r0,0
80405ED4:  987F0019   stb   r3,25(r31)
80405ED8:  981F0018   stb   r0,24(r31)
80405EDC:  83E1000C   lwz   r31,12(r1)
80405EE0:  80010014   lwz   r0,20(r1)
80405EE4:  7C0803A6   mtlr   r0
80405EE8:  38210010   addi   r1,r1,16
80405EEC:  4E800020   blr   
[/spoiler]

bl 0x8000e740 would be the start of the function that the breakpoint found (remember the bp was 8000E748 - a mere two instructions after this bl).

Make sure this is a good hook.  XBP on 80405ECC (the instruction after the bl, so that we can over-write whatever was copied) a few times and each time a frame of movement passes, which means this is a good hook.  At this point, it is safe to change areas, reboot the game, etc.  I will never have to search for Mario's coordinates again because I know 80405EC4 will always give me a pointer to his coordinates via r3.  Save that address in a text file somewhere so it can't be lost.

Okay, so it seems all good.  Since I XBP'd on 80405ECC, I'm already after the write (which happens during the bl), so go to the MemView tab and poke 812733D0 during the breakpoint.  Since the mode is set to Single and I can see the value was around 2100 on the ground, I put 2500 into the Selected Address, then right-click, "convert float to hex".  Then poke and then click run.

If I'm lucky, Mario will move and it's done; this is the hook.  If I'm not (I wasn't), then follow the chain again.  This function is copying from one address to another, so let's try that other address.  Since it's copying from r4 to r3, let's look at r4.  As it turns out, r4 is that nearby address, 812733DC.  WBP on 812733DC.  It hits this function:

[spoiler]80405F90:  9421FFF0   stwu   r1,-16(r1)
80405F94:  7C0802A6   mflr   r0
80405F98:  90010014   stw   r0,20(r1)
80405F9C:  93E1000C   stw   r31,12(r1)
80405FA0:  7C9F2378   mr   r31,r4
80405FA4:  93C10008   stw   r30,8(r1)
80405FA8:  7C7E1B78   mr   r30,r3
80405FAC:  8803002C   lbz   r0,44(r3)
80405FB0:  2C000000   cmpwi   r0,0
80405FB4:  40820044   bne-   0x80405ff8
80405FB8:  88030019   lbz   r0,25(r3)
80405FBC:  2C000000   cmpwi   r0,0
80405FC0:  41820020   beq-   0x80405fe0
80405FC4:  3863000C   addi   r3,r3,12
80405FC8:  481C2C49   bl   0x805c8c10
80405FCC:  C0021800   lfs   f0,6144(r2)
80405FD0:  FC010040   fcmpo   cr0,f1,f0
80405FD4:  4081000C   ble-   0x80405fe0
80405FD8:  38000001   li   r0,1
80405FDC:  981E0018   stb   r0,24(r30)
80405FE0:  C01F0000   lfs   f0,0(r31)
80405FE4:  D01E000C   stfs   f0,12(r30)
80405FE8:  C01F0004   lfs   f0,4(r31)
80405FEC:  D01E0010   stfs   f0,16(r30)
80405FF0:  C01F0008   lfs   f0,8(r31)
80405FF4:  D01E0014   stfs   f0,20(r30)
80405FF8:  80010014   lwz   r0,20(r1)
80405FFC:  83E1000C   lwz   r31,12(r1)
80406000:  83C10008   lwz   r30,8(r1)
80406004:  7C0803A6   mtlr   r0
80406008:  38210010   addi   r1,r1,16
8040600C:  4E800020   blr   
[/spoiler]

XBP on 80405FF0, after it hits, MemView tab, poke with 2500 Float to Hex, run.  Fail again!  Follow the chain.  Now it's copying from r31 to r30.  Look at r31 (in my case, 8126E334).  Set a WBP on that.

[spoiler]8000E740:  E0240000   psq_l   f1,0(r4),0,0
8000E744:  C0040008   lfs   f0,8(r4)
8000E748:  F0230000   psq_st   f1,0(r3),0,0
8000E74C:  D0030008   stfs   f0,8(r3)
8000E750:  4E800020   blr   
[/spoiler]

Hey, this looks familiar.  It's our first BP's function, but writing to a different address.  Disasm tab, double-click a blank spot in the call stack to reload it (a blank spot so it does not take you to that address) and it will reload (or you can right-click the call stack to reload it).  The second from the top is now 803880A8, so I will XBP on 803880AC (the instruction after it).  Here is the function:

[spoiler]80387FC0:  9421FFD0   stwu   r1,-48(r1)
80387FC4:  7C0802A6   mflr   r0
80387FC8:  90010034   stw   r0,52(r1)
80387FCC:  93E1002C   stw   r31,44(r1)
80387FD0:  93C10028   stw   r30,40(r1)
80387FD4:  7C7E1B78   mr   r30,r3
80387FD8:  480000F9   bl   0x803880d0
80387FDC:  7FC3F378   mr   r3,r30
80387FE0:  48000171   bl   0x80388150
80387FE4:  801E0014   lwz   r0,20(r30)
80387FE8:  5400A7FF   rlwinm.   r0,r0,20,31,31
80387FEC:  4182004C   beq-   0x80388038
80387FF0:  809E0138   lwz   r4,312(r30)
80387FF4:  38610014   addi   r3,r1,20
80387FF8:  C03E0710   lfs   f1,1808(r30)
80387FFC:  38BE06EC   addi   r5,r30,1772
80388000:  3884000C   addi   r4,r4,12
80388004:  38DE06F8   addi   r6,r30,1784
80388008:  4BCC9759   bl   0x80051760
8038800C:  80BE0138   lwz   r5,312(r30)
80388010:  38610008   addi   r3,r1,8
80388014:  38810014   addi   r4,r1,20
80388018:  3BE5000C   addi   r31,r5,12
8038801C:  4BC84135   bl   0x8000c150
80388020:  7FE4FB78   mr   r4,r31
80388024:  38610008   addi   r3,r1,8
80388028:  4BC94BC9   bl   0x8001cbf0
8038802C:  807E0138   lwz   r3,312(r30)
80388030:  38810008   addi   r4,r1,8
80388034:  4807DFDD   bl   0x80406010
80388038:  801E000C   lwz   r0,12(r30)
8038803C:  54000FFF   rlwinm.   r0,r0,1,31,31
80388040:  41820010   beq-   0x80388050
80388044:  7FC3F378   mr   r3,r30
80388048:  48000259   bl   0x803882a0
8038804C:  48000028   b   0x80388074
80388050:  7FC3F378   mr   r3,r30
80388054:  48022FFD   bl   0x803ab050
80388058:  2C030000   cmpwi   r3,0
8038805C:  41820010   beq-   0x8038806c
80388060:  7FC3F378   mr   r3,r30
80388064:  4800058D   bl   0x803885f0
80388068:  4800000C   b   0x80388074
8038806C:  7FC3F378   mr   r3,r30
80388070:  48000641   bl   0x803886b0
80388074:  7FC3F378   mr   r3,r30
80388078:  48022B39   bl   0x803aabb0
8038807C:  7C641B78   mr   r4,r3
80388080:  807E0138   lwz   r3,312(r30)
80388084:  4807DE6D   bl   0x80405ef0
80388088:  807E0004   lwz   r3,4(r30)
8038808C:  389E0160   addi   r4,r30,352
80388090:  38630038   addi   r3,r3,56
80388094:  4BC866AD   bl   0x8000e740
80388098:  807E0004   lwz   r3,4(r30)
8038809C:  809E0138   lwz   r4,312(r30)
803880A0:  38630014   addi   r3,r3,20
803880A4:  3884000C   addi   r4,r4,12
803880A8:  4BC86699   bl   0x8000e740
803880AC:  80010034   lwz   r0,52(r1)
803880B0:  83E1002C   lwz   r31,44(r1)
803880B4:  83C10028   lwz   r30,40(r1)
803880B8:  7C0803A6   mtlr   r0
803880BC:  38210030   addi   r1,r1,48
803880C0:  4E800020   blr   
[/spoiler]

After the XBP hits, go to MemView, poke the new address with 2500 float to hex, hit Run.  Mario teleported!  Third time is a charm.  XBP on 803880AC a few times, and you'll see it is also a good hook; one frame per breakpoint.  Your pointer to over-write is in r3 (remember, it is copying from r4 to r3).  OR you could hook 803880A4, and your pointer would be in r4 (though in this particular case, hooking before the call to the bp, I would put the original instruction at the beginning instead of the end like we usually do).

And if you look at my SMG2 teleporter, you'll see that indeed, I use 803880AC for my hook.
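As an added example (editor's code, not from dcx2 or from anyone else in this thread), here is a Python script that automates the checks dcx2 does by hand in the post above: it parses step-log lines in the format shown, works out the 8-byte range a psq_st touches (which is why DAR reads 812733D0 while r3 holds 812733CC), applies the "every hit must land on the tracked address" test to tell the bad 8000E748 hook from a good one, decodes the bl encoding to confirm which call sites in the 80387FC0 listing reach 8000E740, and does the float-to-hex conversion used for the poke. The sample log and listing lines are copied from the post; the 8-byte width assumes psq_l/psq_st with W=0, as the thread describes, and the log-line layout is assumed to be exactly the one quoted.

```python
import re
import struct
from dataclasses import dataclass

# Constructed sample input: hits copied from the RWBP and XBP step logs quoted in the post.
RWBP_LOG = """\
8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = -254.849   r3 = 812733CC   [812733CC] = C37ED935
80037068:  E0060000   psq_l   f0,0(r6),0,0   f0 = 0   r6 = 812733CC   [812733CC] = C37ED935
8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = -245.726   r3 = 812733CC   [812733CC] = C375B9C0
"""
XBP_LOG = """\
8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = 0   r3 = 807F2BAC   [807F2BAC] = C33EB232
8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = -190.696   r3 = 810A8D68   [810A8D68] = C348EB67
8000E748:  F0230000   psq_st   f1,0(r3),0,0   f1 = 0   r3 = 807F2B6C   [807F2B6C] = C33A1E76
"""
# Constructed sample: the part of the 80387FC0 listing holding both bl 0x8000e740 call sites.
CALLER_LISTING = """\
80388094:  4BC866AD   bl   0x8000e740
80388098:  807E0004   lwz   r3,4(r30)
803880A4:  3884000C   addi   r4,r4,12
803880A8:  4BC86699   bl   0x8000e740
803880AC:  80010034   lwz   r0,52(r1)
"""

LINE_RE = re.compile(r"^([0-9A-F]{8}):\s+([0-9A-F]{8})\s+(\S+)\s*(\S*)\s*(.*)$")
MEM_RE = re.compile(r"^\w+,(-?\d+)\((r\d+)\)")     # operand like f1,0(r3)
REG_RE = re.compile(r"\b(r\d+) = ([0-9A-F]{8})\b")  # register dump like r3 = 812733CC


@dataclass
class Hit:
    pc: int
    insn: int
    mnemonic: str
    ea: "int | None"  # effective address of the access, when the line shows the base register

    def is_store(self) -> bool:
        return self.mnemonic.startswith(("st", "psq_st"))

    def width(self) -> int:
        # psq_l/psq_st with W=0 move a pair of floats (8 bytes); the other loads/stores here move 4.
        return 8 if self.mnemonic.startswith("psq") else 4

    def covers(self, addr: int) -> bool:
        """Would a data breakpoint on addr fire for this hit?  (DAR = 812733D0 with r3 = 812733CC.)"""
        return self.ea is not None and self.ea <= addr < self.ea + self.width()


def parse_log(text: str) -> list:
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pc, insn, mnem, operands, rest = m.groups()
        ea = None
        om = MEM_RE.match(operands)
        if om:
            regs = {r: int(v, 16) for r, v in REG_RE.findall(rest)}
            if om.group(2) in regs:
                ea = (regs[om.group(2)] + int(om.group(1))) & 0xFFFFFFFF
        hits.append(Hit(int(pc, 16), int(insn, 16), mnem, ea))
    return hits

def store_targets(hits: list) -> list:
    """Distinct addresses the store hits wrote to (the per-hit r3 values in the XBP log)."""
    return sorted({h.ea for h in hits if h.is_store() and h.ea is not None})

def hook_is_stable(hits: list, tracked_addr: int) -> bool:
    """The test from the post: a hook is usable only if every store hit lands on the tracked address."""
    stores = [h for h in hits if h.is_store()]
    return bool(stores) and all(h.covers(tracked_addr) for h in stores)

def decode_branch(pc: int, insn: int):
    """Decode a PowerPC I-form branch (b/bl, primary opcode 18): (target, links) or None."""
    if insn >> 26 != 18:
        return None
    li = insn & 0x03FFFFFC
    if li & 0x02000000:  # sign bit of the 26-bit byte displacement
        li -= 0x04000000
    target = (li if (insn >> 1) & 1 else pc + li) & 0xFFFFFFFF
    return target, bool(insn & 1)

def call_sites(listing: str, callee: int) -> list:
    """Addresses of bl instructions calling callee; hooking site + 4 runs after the copy has landed."""
    sites = []
    for h in parse_log(listing):
        d = decode_branch(h.pc, h.insn)
        if d and d[1] and d[0] == callee:
            sites.append(h.pc)
    return sites

def float_to_hex(value: float) -> int:
    """MemView's 'convert float to hex' for a big-endian single: 2500.0 -> 0x451C4000."""
    return struct.unpack(">I", struct.pack(">f", value))[0]


if __name__ == "__main__":
    print("RWBP hook stable on 812733D0:", hook_is_stable(parse_log(RWBP_LOG), 0x812733D0))
    print("XBP store targets:", [hex(a) for a in store_targets(parse_log(XBP_LOG))])
    print("bl sites reaching 8000E740:", [hex(a) for a in call_sites(CALLER_LISTING, 0x8000E740)])
    print("2500.0 -> %08X" % float_to_hex(2500.0))
```

Running the script reports the RWBP log as stable (both psq_st hits cover 812733D0 through the second float of the pair), the XBP log as unstable because its stores land on 807F2B6C, 807F2BAC and 810A8D68, and both 80388094 and 803880A8 as bl sites reaching 8000E740, which is how the post arrives at hooking 803880AC.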