Teleporting code

Started by toonlink444, November 21, 2011, 09:54:20 PM


dcx2

Ignore the float registers.  The data you want is being moved around in memory by the function using pointers in r3 and r4.

Don't forget that it's a good idea to test the pointers you get in MemView Auto Update to make sure the data "behaves" like you would expect coordinates to behave.  The exception is if you get a pointer that points to the stack.  In this case, 80FB3894 isn't on the stack, however...

---

Following the chain results in a link to data that lives on the stack.  So we can't use WBPs to follow this chain.

80176EB8:  38780064   addi   r3,r24,100
80176EBC:  38810030   addi   r4,r1,48

80176EC0:  EC1F0032   fmuls   f0,f31,f0
80176EC4:  D0180060   stfs   f0,96(r24)
80176EC8:  4BEA1C4D   bl   0x80018b14

addi r4,r1,48.  Remember that r1 is the stack pointer.  You can't follow the chain, because things on the stack have a VERY short life time; they exist only for the duration of this function.  Once the blr at the bottom is executed, the thing on the stack is gone for good and you will be lucky if you ever see it again.  A WBP will result in a false positive, because some other functions will probably use that part of the stack before the next game frame.

Fortunately, since the things on the stack only exist in this function, we should have everything we need to follow the chain in this spoiler.  It requires more work now, though.

---

Scan the ASM, starting from the beginning of the function, for references to 48(r1) BEFORE the breakpoint but still in this same function.

80176E44:  38610030   addi   r3,r1,48
80176E48:  38810048   addi   r4,r1,72
80176E4C:  4BEA1D41   bl   0x80018b8c

r3 and r4 are both on the stack.  Now, I can't see 80018B8C, but my guess is that it's moving something from r4 to r3.  So we look for 72(r1) references, starting from the beginning and looking BEFORE 80176E44.

80176D7C:  7F24CB78   mr   r4,r25
80176D80:  38750064   addi   r3,r21,100
80176D84:  38A10048   addi   r5,r1,72
80176D88:  4BE9F865   bl   0x800165ec

So 800165EC is doing something with 72(r1), 100(r21), and 0(r25).  You should Copy Function on 800165EC so we can see what it's doing.  You should also set an XBP on 80176D88 and post the registers, too.  It looks like one of those pointers in r3 or possibly r4 will point to a copy of Mario's coordinates.

toonlink444

800165EC's function:
[spoiler]800165EC:  7C661B78   mr   r6,r3
800165F0:  C0230020   lfs   f1,32(r3)
800165F4:  C0040000   lfs   f0,0(r4)
800165F8:  7CA32B78   mr   r3,r5
800165FC:  C0660010   lfs   f3,16(r6)
80016600:  C0A60000   lfs   f5,0(r6)
80016604:  EC200072   fmuls   f1,f0,f1
80016608:  C0460024   lfs   f2,36(r6)
8001660C:  EC6000F2   fmuls   f3,f0,f3
80016610:  C0840004   lfs   f4,4(r4)
80016614:  ECA00172   fmuls   f5,f0,f5
80016618:  C0C60014   lfs   f6,20(r6)
8001661C:  EC0400B2   fmuls   f0,f4,f2
80016620:  C0E60004   lfs   f7,4(r6)
80016624:  EC4401B2   fmuls   f2,f4,f6
80016628:  C1060028   lfs   f8,40(r6)
8001662C:  EC8401F2   fmuls   f4,f4,f7
80016630:  C0E40008   lfs   f7,8(r4)
80016634:  C0C60008   lfs   f6,8(r6)
80016638:  EC63102A   fadds   f3,f3,f2
8001663C:  C1460018   lfs   f10,24(r6)
80016640:  ECA5202A   fadds   f5,f5,f4
80016644:  ECC701B2   fmuls   f6,f7,f6
80016648:  C126002C   lfs   f9,44(r6)
8001664C:  EC8702B2   fmuls   f4,f7,f10
80016650:  EC470232   fmuls   f2,f7,f8
80016654:  C166001C   lfs   f11,28(r6)
80016658:  EC01002A   fadds   f0,f1,f0
8001665C:  ECA6282A   fadds   f5,f6,f5
80016660:  C146000C   lfs   f10,12(r6)
80016664:  EC64182A   fadds   f3,f4,f3
80016668:  EC02002A   fadds   f0,f2,f0
8001666C:  EC2A282A   fadds   f1,f10,f5
80016670:  EC4B182A   fadds   f2,f11,f3
80016674:  EC69002A   fadds   f3,f9,f0
80016678:  48000908   b   0x80016f80
8001667C:  9421FFE0   stwu   r1,-32(r1)
80016680:  7C0802A6   mflr   r0
80016684:  7C661B78   mr   r6,r3
80016688:  C0040004   lfs   f0,4(r4)
8001668C:  C066001C   lfs   f3,28(r6)
80016690:  C043000C   lfs   f2,12(r3)
80016694:  7CA32B78   mr   r3,r5
80016698:  ED001828   fsubs   f8,f0,f3
8001669C:  C0240000   lfs   f1,0(r4)
800166A0:  C0060018   lfs   f0,24(r6)
800166A4:  ED211028   fsubs   f9,f1,f2
800166A8:  C0460010   lfs   f2,16(r6)
800166AC:  C0260008   lfs   f1,8(r6)
800166B0:  C0660004   lfs   f3,4(r6)
800166B4:  EC8800B2   fmuls   f4,f8,f2
800166B8:  C0A60000   lfs   f5,0(r6)
800166BC:  C1660014   lfs   f11,20(r6)
800166C0:  EC290072   fmuls   f1,f9,f1
800166C4:  EC080032   fmuls   f0,f8,f0
800166C8:  C0C6002C   lfs   f6,44(r6)
800166CC:  C0440008   lfs   f2,8(r4)
800166D0:  ECA90172   fmuls   f5,f9,f5
800166D4:  EC6900F2   fmuls   f3,f9,f3
800166D8:  ECE23028   fsubs   f7,f2,f6
800166DC:  EC4802F2   fmuls   f2,f8,f11
800166E0:  C0C60020   lfs   f6,32(r6)
800166E4:  C1460028   lfs   f10,40(r6)
800166E8:  ECA5202A   fadds   f5,f5,f4
800166EC:  C1660024   lfs   f11,36(r6)
800166F0:  EC43102A   fadds   f2,f3,f2
800166F4:  EC8702F2   fmuls   f4,f7,f11
800166F8:  90010024   stw   r0,36(r1)
800166FC:  ECC701B2   fmuls   f6,f7,f6
80016700:  EC01002A   fadds   f0,f1,f0
80016704:  D1210008   stfs   f9,8(r1)
80016708:  EC6702B2   fmuls   f3,f7,f10
8001670C:  EC26282A   fadds   f1,f6,f5
80016710:  D101000C   stfs   f8,12(r1)
80016714:  EC44102A   fadds   f2,f4,f2
80016718:  EC63002A   fadds   f3,f3,f0
8001671C:  D0E10010   stfs   f7,16(r1)
80016720:  48000861   bl   0x80016f80
80016724:  80010024   lwz   r0,36(r1)
80016728:  7C0803A6   mtlr   r0
8001672C:  38210020   addi   r1,r1,32
80016730:  4E800020   blr   
[/spoiler]
80176D88's registers:
[spoiler]CR:48000088  XER:20000000  CTR:00000001 DSIS:02400000
DAR:80FB3894 SRR0:80176D88 SRR1:0000A032   LR:80176D78
  r0:8017424C   r1:806BD9E8   r2:806AB280   r3:812D82AC
  r4:806BDDE4   r5:806BDA30   r6:806BDDE4   r7:806BDDCC
  r8:00000000   r9:00000000  r10:00000000  r11:806BDCB8
r12:80274A3C  r13:806A4CA0  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:812D8248
r20:00000019  r21:812D8248  r22:80FB3830  r23:00000000
r24:806BDDCC  r25:806BDDE4  r26:00000020  r27:00000000
r28:00000002  r29:80FB3794  r30:00000000  r31:80FB3794

  f0:3A83126F   f1:4479FFFF   f2:3FFFFBC5   f3:40400000
  f4:3F000000   f5:3A25C168   f6:4000015B   f7:426FFFFF
  f8:469BF86F   f9:45F39AA3  f10:3F800000  f11:00000000
f12:00000000  f13:00000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:00000000  f30:00000000  f31:4479FFFF[/spoiler]
In the beginning there was nothing. Then it exploded
New blog!! Check it out for hacking Smash Bros Brawl!! http://letshackblank.blogspot.com/

dcx2

[spoiler]800165EC:  7C661B78   mr   r6,r3
800165F0:  C0230020   lfs   f1,32(r3)
800165F4:  C0040000   lfs   f0,0(r4)
800165F8:  7CA32B78   mr   r3,r5
800165FC:  C0660010   lfs   f3,16(r6)
80016600:  C0A60000   lfs   f5,0(r6)
80016604:  EC200072   fmuls   f1,f0,f1
80016608:  C0460024   lfs   f2,36(r6)
8001660C:  EC6000F2   fmuls   f3,f0,f3
80016610:  C0840004   lfs   f4,4(r4)
80016614:  ECA00172   fmuls   f5,f0,f5
80016618:  C0C60014   lfs   f6,20(r6)
8001661C:  EC0400B2   fmuls   f0,f4,f2
80016620:  C0E60004   lfs   f7,4(r6)
80016624:  EC4401B2   fmuls   f2,f4,f6
80016628:  C1060028   lfs   f8,40(r6)
8001662C:  EC8401F2   fmuls   f4,f4,f7
80016630:  C0E40008   lfs   f7,8(r4)
80016634:  C0C60008   lfs   f6,8(r6)
80016638:  EC63102A   fadds   f3,f3,f2
8001663C:  C1460018   lfs   f10,24(r6)
80016640:  ECA5202A   fadds   f5,f5,f4
80016644:  ECC701B2   fmuls   f6,f7,f6
80016648:  C126002C   lfs   f9,44(r6)
8001664C:  EC8702B2   fmuls   f4,f7,f10
80016650:  EC470232   fmuls   f2,f7,f8
80016654:  C166001C   lfs   f11,28(r6)
80016658:  EC01002A   fadds   f0,f1,f0
8001665C:  ECA6282A   fadds   f5,f6,f5
80016660:  C146000C   lfs   f10,12(r6)
80016664:  EC64182A   fadds   f3,f4,f3
80016668:  EC02002A   fadds   f0,f2,f0
8001666C:  EC2A282A   fadds   f1,f10,f5
80016670:  EC4B182A   fadds   f2,f11,f3
80016674:  EC69002A   fadds   f3,f9,f0
80016678:  48000908   b   0x80016f80[/spoiler]

The rest of that spoiler is junk.  This branch will always take you somewhere else.  You should Copy Function on 80016F80.  (EDIT: but you probably don't need it.  I usually copy more info into notepad than I need; too much is better than too little)

The registers show r4 is also probably on the stack.  The stack grows down (stwu r1,-x(r1); x is always negative!), so that means addresses close to r1, but above it, are usually on the stack.

In this case, r3 looks like a good candidate; it's not on the stack so the address probably stays the same as long as you don't change areas or reload the game.  XBP on 80176D88 again, then grab the pointer in r3, and go look in MemView auto update to see if there's anything that stands out when you jump around.
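The listing quoted above can be read directly: 800165EC loads twelve floats from the block at r3 (offsets 0..44, three rows of four), three floats from r4 (offsets 0, 4, 8), forms `m[i][0]*x + m[i][1]*y + m[i][2]*z + m[i][3]` for each row in f1..f3, and the tail at 80016F80 (posted further down in the thread) stores those three into 0/4/8 of the pointer that was in r5.  That is a 3x4 row-major affine transform, the same layout as the GameCube/Wii SDK's 3x4 matrix type, so the 100(r21) block is a matrix whose translation column sits at offsets 12, 28 and 44, and 0(r25) is the input vector.  The Python below re-implements the pair against a constructed big-endian memory image; it is an added example, not code from the thread.  The byte offsets come from the `lfs`/`stfs` instructions in the listing; the function names, image layout and sample values are mine.

```python
"""Re-implementation of the 800165EC -> 80016F80 pair from the listing,
run against a constructed big-endian memory image.  Added example, not
code from the thread: offsets are those of the lfs/stfs instructions;
names, image addresses and sample values are assumptions."""
import struct


def f32(v):
    """Round to IEEE single, which is what fmuls/fadds produce."""
    return struct.unpack(">f", struct.pack(">f", v))[0]


def lfs(mem, addr):
    """lfs: load a big-endian single from the image (PowerPC is big-endian)."""
    return struct.unpack(">f", bytes(mem[addr:addr + 4]))[0]


def stfs(mem, addr, v):
    """stfs: store a big-endian single into the image."""
    mem[addr:addr + 4] = struct.pack(">f", v)


def mtx_mult_vec(mem, r3, r4, r5):
    """800165EC: r3 -> 3x4 row-major float matrix, r4 -> (x, y, z) input,
    r5 -> 3-float output.  r3 := r5 at 800165F8, then 80016F80 does
    stfs f1,0(r3) / stfs f2,4(r3) / stfs f3,8(r3).
    Every row is accumulated in the listing's order,
    ((m_i0*x + m_i1*y) + m_i2*z) + m_i3, so single-precision rounding matches."""
    x, y, z = (lfs(mem, r4 + o) for o in (0, 4, 8))

    def m(off):
        return lfs(mem, r3 + off)

    out = []
    for row in range(3):
        base = row * 16                      # rows are 16 bytes apart
        acc = f32(f32(m(base) * x) + f32(m(base + 4) * y))
        acc = f32(f32(m(base + 8) * z) + acc)
        acc = f32(m(base + 12) + acc)        # translation term (12/28/44)
        out.append(acc)
    for i, v in enumerate(out):
        stfs(mem, r5 + 4 * i, v)             # the 80016F80 stores
    return tuple(out)


def write_floats(mem, addr, values):
    for i, v in enumerate(values):
        stfs(mem, addr + 4 * i, v)


def build_image():
    """Constructed sample (not game data): a 90-degree rotation about Y
    with translation (10, 20, 30) at image offset 0x40, and the input
    vector (1, 2, 3) at offset 0x10."""
    mem = bytearray(0x100)
    write_floats(mem, 0x40, [0, 0, 1, 10,
                             0, 1, 0, 20,
                             -1, 0, 0, 30])
    write_floats(mem, 0x10, [1, 2, 3])
    return mem


def demo():
    """Run the transform and read the result back the way MemView would."""
    mem = build_image()
    result = mtx_mult_vec(mem, r3=0x40, r4=0x10, r5=0x80)
    stored = tuple(lfs(mem, 0x80 + 4 * i) for i in range(3))
    return result, stored


if __name__ == "__main__":
    print(demo())
```

The same routine works on a raw MemView dump: copy the 48 bytes at the r3 pointer and the 12 bytes at the r4 pointer into the image and call `mtx_mult_vec`; if the three floats that come out match what appears at 72(r1) right after the call, the roles of r3, r4 and r5 are confirmed.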

toonlink444

#78
Nothing stood out, so I did a test to see if the address changed: I did another breakpoint during the first, and this happened.
Before:
[spoiler]CR:48000088  XER:20000000  CTR:00000001 DSIS:02400000
DAR:80FB3894 SRR0:80176D88 SRR1:0000A032   LR:80176D78
 r0:8017424C   r1:806BD9E8   r2:806AB280   r3:812D82AC
 r4:806BDDE4   r5:806BDA30   r6:806BDDE4   r7:806BDDCC
 r8:00000000   r9:00000000  r10:00000000  r11:806BDCB8
r12:80274A3C  r13:806A4CA0  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:812D8248
r20:00000019  r21:812D8248  r22:80FB3830  r23:00000000
r24:806BDDCC  r25:806BDDE4  r26:00000020  r27:00000000
r28:00000002  r29:80FB3794  r30:00000000  r31:80FB3794

 f0:3A83126F   f1:4479FFFF   f2:3FFFFBC5   f3:40400000
 f4:3F000000   f5:3A25C168   f6:4000015B   f7:426FFFFF
 f8:469BF86F   f9:45F39AA3  f10:3F800000  f11:00000000
f12:00000000  f13:00000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:00000000  f30:00000000  f31:4479FFFF[/spoiler]
After:
[spoiler]CR:48000088  XER:20000000  CTR:00000001 DSIS:02400000
DAR:80FB3894 SRR0:80176D88 SRR1:0000A032   LR:80176D78
 r0:8017424C   r1:806BD9E8   r2:806AB280   r3:812E4D0C
 r4:806BDDE4   r5:806BDA30   r6:806BDDE4   r7:806BDDCC
 r8:00000000   r9:806BDA7C  r10:00000020  r11:806BDCB8
r12:80274A3C  r13:806A4CA0  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:812E4CA8
r20:00000019  r21:812E4CA8  r22:80FB3830  r23:00000000
r24:806BDDCC  r25:806BDDE4  r26:00000020  r27:00000000
r28:00000006  r29:80FB3794  r30:00000000  r31:80FB3794

 f0:3A83126F   f1:4479FFFF   f2:3FFFFBC5   f3:40400000
 f4:3F000000   f5:00000000   f6:3FFFFBC5   f7:C53EC3E6
 f8:3F800000   f9:80000000  f10:80000000  f11:80000000
f12:00000000  f13:00000000  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:00000000  f30:00000000  f31:4479FFFF[/spoiler]
Edit: Here's 80016F80's function anyway:
[spoiler]80016F80:  D0230000   stfs   f1,0(r3)
80016F84:  D0430004   stfs   f2,4(r3)
80016F88:  D0630008   stfs   f3,8(r3)
80016F8C:  4E800020   blr   
[/spoiler]
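The two register captures above can be checked mechanically rather than by eye.  The script below is an added example, not part of the thread: it parses the GPR lines copied verbatim from the Before and After posts, classifies each argument register the way dcx2 describes (a value a little above r1 is a stack slot that dies with the frame; otherwise it is in MEM1, MEM2 or not a pointer), confirms that the dump really was taken at 80176D88 by re-deriving r3, r4 and r5 from the three instructions that build them (`mr r4,r25`, `addi r3,r21,100`, `addi r5,r1,72`), and lists which registers moved between the captures.  The memory ranges and the 64 KiB stack window are assumptions stated in the code; r2 and r13 are left out of the triage because they are the PowerPC EABI small-data base registers, not data pointers.

```python
"""Triage of the two XBP @80176D88 register captures posted above.
Added example, not part of the thread: GPR lines are copied verbatim from
the Before/After posts; the memory ranges and stack window are assumptions."""
import re

BEFORE = """
 r0:8017424C   r1:806BD9E8   r2:806AB280   r3:812D82AC
 r4:806BDDE4   r5:806BDA30   r6:806BDDE4   r7:806BDDCC
 r8:00000000   r9:00000000  r10:00000000  r11:806BDCB8
r12:80274A3C  r13:806A4CA0  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:812D8248
r20:00000019  r21:812D8248  r22:80FB3830  r23:00000000
r24:806BDDCC  r25:806BDDE4  r26:00000020  r27:00000000
r28:00000002  r29:80FB3794  r30:00000000  r31:80FB3794
"""

AFTER = """
 r0:8017424C   r1:806BD9E8   r2:806AB280   r3:812E4D0C
 r4:806BDDE4   r5:806BDA30   r6:806BDDE4   r7:806BDDCC
 r8:00000000   r9:806BDA7C  r10:00000020  r11:806BDCB8
r12:80274A3C  r13:806A4CA0  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:812E4CA8
r20:00000019  r21:812E4CA8  r22:80FB3830  r23:00000000
r24:806BDDCC  r25:806BDDE4  r26:00000020  r27:00000000
r28:00000006  r29:80FB3794  r30:00000000  r31:80FB3794
"""

# lower-case 'r' followed by a register number; CR/XER/LR/SRR0 do not match
GPR_RE = re.compile(r"(?<![A-Za-z])r(\d{1,2}):([0-9A-Fa-f]{8})")

# Wii memory as the PowerPC sees it (cached virtual addresses).
MEM1 = (0x80000000, 0x81800000)   # 24 MiB
MEM2 = (0x90000000, 0x94000000)   # 64 MiB
STACK_WINDOW = 0x10000            # assumption: "close to r1, but above it"
ABI_RESERVED = {1, 2, 13}         # stack pointer and EABI small-data bases


def parse_gprs(dump):
    """Map GPR number -> 32-bit value from a Gecko-style register dump."""
    regs = {int(n): int(v, 16) for n, v in GPR_RE.findall(dump)}
    if len(regs) != 32:
        raise ValueError("expected r0..r31, got %d registers" % len(regs))
    return regs


def classify(regs, n):
    """Rough pointer triage for GPR n.  Stack slots are only valid until
    the frame's blr, so they cannot be followed with a WBP."""
    if n in ABI_RESERVED:
        return "abi"
    v, sp = regs[n], regs[1]
    if sp <= v < sp + STACK_WINDOW:
        return "stack"
    if MEM1[0] <= v < MEM1[1]:
        return "mem1"
    if MEM2[0] <= v < MEM2[1]:
        return "mem2"
    return "not a pointer"


def check_args(regs):
    """Re-derive the call arguments from 80176D7C..80176D84:
    mr r4,r25 ; addi r3,r21,100 ; addi r5,r1,72.  A mismatch means the
    capture was not taken at the expected XBP."""
    return {
        "r3 == r21+100": regs[3] == (regs[21] + 100) & 0xFFFFFFFF,
        "r4 == r25": regs[4] == regs[25],
        "r5 == r1+72": regs[5] == (regs[1] + 72) & 0xFFFFFFFF,
    }


def diff_gprs(before, after):
    """Registers whose value differs between the two captures."""
    return {n: (before[n], after[n]) for n in before if before[n] != after[n]}


def triage(before, after):
    """Per argument register: (class, moved between captures?)."""
    moved = diff_gprs(before, after)
    return {n: (classify(before, n), n in moved) for n in (3, 4, 5)}


if __name__ == "__main__":
    b, a = parse_gprs(BEFORE), parse_gprs(AFTER)
    print("args ok (before):", check_args(b))
    print("args ok (after): ", check_args(a))
    print("changed:", {n: "%08X -> %08X" % v for n, v in diff_gprs(b, a).items()})
    print("triage:", triage(b, a))
```

On these two captures every argument check passes, r4 and r5 classify as stack and stay put, and r3 classifies as MEM1 but moves together with r19 and r21 (r3 is r21 + 100 in both dumps), which is the change toonlink reported.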

dcx2

I have SMG1 so I will look into this tomorrow and make sure we aren't barking up the wrong tree before we continue.

toonlink444

Alright, good plan. I'll keep searching.

toonlink444

Well I have decided to try this code again later. All of my progress has been posted here so I can pick it up where I left off later. I have created a new topic on my next idea. It will be easier but I just need one piece of info.

Bully@Wiiplaza

#82
seriously, dcx2.
I originally asked you for help on that same SMG Moonjump (and yes, it's like the coordinates because of the psq instructions) and you ignored me.
But now, since someone else asks, you do help. It's for an offline game and I can now follow on how it gets solved, too.
What was the point, then? I could also ask someone to put *my* question and it will be answered...
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

toonlink444

Quote from: Bully@Wiiplaza on December 22, 2011, 08:07:09 AM
seriously, dcx2.
I originally asked you for help on that same SMG Moonjump (and yes, it's like the coordinates because of the psq instructions) and you ignored me.
But now, since someone else asks, you do help. It's for an offline game and I can now follow on how it gets solved, too.
What was the point, then? I could also ask someone to put *my* question and it will be answered...
Chill, man, it happens to me too.

Bully@Wiiplaza

Quote from: toonlink444 on December 22, 2011, 08:04:29 PM
Chill, man, it happens to me too.
I was just wondering about that illogicalness :P

dcx2

#85
hey toonlink, I looked at your breakpoint's address in Memory Viewer with auto-update on.  The address in r3 when you XBP @803E0C4C is not a good candidate.  Auto-update shows that these coordinates are only changed when you're touching the ground, and if you're jumping then they aren't changing anymore.  This should have caused you to disqualify this result.

I did a little bit of searching on my own and found a different address.  This address was hit by two write breakpoints.  I walked the stack for one, but it failed the XBP test.  Fortunately, the other one did not fail the XBP test.

You can use an XBP @803125E8 and look at r3 and/or r4 to get a pointer to Mario's real coordinates.  That address passes the XBP test, and MemView auto-update shows that it updates in real time while jumping.

Try to write-breakpoint-step-poke the value in r3.  If it fails, follow the chain via r4's pointer and try the WBP-step-poke that.