Problem with "No Health Regeneration" hack

Started by Bully@Wiiplaza, August 14, 2012, 07:03:27 PM


Bully@Wiiplaza

Breaking on the health address gives me the following:
[spoiler]
80104720:  FC400818   frsp   f2,f1
80104724:  C00303AC   lfs   f0,940(r3)
80104728:  C06303A8   lfs   f3,936(r3)
8010472C:  FC020040   fcmpo   cr0,f2,f0
80104730:  D02303A8   stfs   f1,936(r3)
80104734:  40810008   ble-   0x8010473c
80104738:  D00303A8   stfs   f0,936(r3)
8010473C:  7C800775   extsb.   r0,r4
80104740:  4D820020   beqlr-   [/spoiler]
This is the same function for...
- getting hit
- regaining health
- not affecting health

If I check the LR, it is the same for...
- regaining health
- not affecting health

[spoiler]
 CR:882228A8  XER:00000000  CTR:80104720 DSIS:02400000
DAR:808D4458 SRR0:80104730 SRR1:0000B032   LR:801354E8
 r0:00000001   r1:80703200   r2:806F5120   r3:808D40B0
 r4:00000001   r5:8070320C   r6:BFED31BD   r7:BFFD31BD
 r8:40019999   r9:00000000  r10:00000000  r11:FFFFFFFD
r12:80104720  r13:806F1000  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:00000000
r20:00000000  r21:00000000  r22:00000000  r23:00000000
r24:00000000  r25:80F83760  r26:805D0000  r27:808D40B0
r28:8084B720  r29:808D6E40  r30:808D40B0  r31:808D40B0

 f0:42C80000   f1:3FCCCCCD   f2:3FCCCCCD   f3:3F800000
 f4:00000000   f5:00000000   f6:00000000   f7:00000000
 f8:A117EBA0   f9:3D78EDED  f10:3D78EDEA  f11:3240A92C
f12:40400000  f13:30C4F3CB  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:00000000  f30:00000000  f31:00000000

80135350:  9421FFE0   stwu   r1,-32(r1)
80135354:  7C0802A6   mflr   r0
80135358:  3C80805E   lis   r4,-32674
8013535C:  90010024   stw   r0,36(r1)
80135360:  3884E720   subi   r4,r4,6368
80135364:  93E1001C   stw   r31,28(r1)
80135368:  7C7F1B78   mr   r31,r3
8013536C:  A004002C   lhz   r0,44(r4)
80135370:  28000003   cmplwi   r0,3
80135374:  40820018   bne-   0x8013538c
80135378:  3C60805D   lis   r3,-32675
8013537C:  38631884   addi   r3,r3,6276
80135380:  4BF8B811   bl   0x800c0b90
80135384:  7C600775   extsb.   r0,r3
80135388:  41820174   beq-   0x801354fc
8013538C:  881F05EE   lbz   r0,1518(r31)
80135390:  C0429DC8   lfs   f2,-25144(r2)
80135394:  7C000775   extsb.   r0,r0
80135398:  FC601090   fmr   f3,f2
8013539C:  41820074   beq-   0x80135410
801353A0:  881F0994   lbz   r0,2452(r31)
801353A4:  C0029E38   lfs   f0,-25032(r2)
801353A8:  7C000775   extsb.   r0,r0
801353AC:  EC620032   fmuls   f3,f2,f0
801353B0:  4082000C   bne-   0x801353bc
801353B4:  38000000   li   r0,0
801353B8:  48000044   b   0x801353fc
801353BC:  3C60805F   lis   r3,-32673
801353C0:  38800000   li   r4,0
801353C4:  38638D40   subi   r3,r3,29376
801353C8:  3C630001   addis   r3,r3,1
801353CC:  34039030   subic.   r0,r3,28624
801353D0:  41820008   beq-   0x801353d8
801353D4:  80839FAC   lwz   r4,-24660(r3)
801353D8:  28040001   cmplwi   r4,1
801353DC:  41820014   beq-   0x801353f0
801353E0:  28040002   cmplwi   r4,2
801353E4:  41820014   beq-   0x801353f8
801353E8:  38000002   li   r0,2
801353EC:  48000010   b   0x801353fc
801353F0:  38000003   li   r0,3
801353F4:  48000008   b   0x801353fc
801353F8:  38000001   li   r0,1
801353FC:  28000002   cmplwi   r0,2
80135400:  40820024   bne-   0x80135424
80135404:  C0029E18   lfs   f0,-25064(r2)
80135408:  EC420032   fmuls   f2,f2,f0
8013540C:  48000018   b   0x80135424
80135410:  881F095C   lbz   r0,2396(r31)
80135414:  7C000775   extsb.   r0,r0
80135418:  4182000C   beq-   0x80135424
8013541C:  C0029E3C   lfs   f0,-25028(r2)
80135420:  EC620032   fmuls   f3,f2,f0
80135424:  880DAAF5   lbz   r0,-21771(r13)
80135428:  7C000775   extsb.   r0,r0
8013542C:  40820050   bne-   0x8013547c
80135430:  807F0704   lwz   r3,1796(r31)
80135434:  3803FFFE   subi   r0,r3,2
80135438:  28000001   cmplwi   r0,1
8013543C:  41810040   bgt-   0x8013547c
80135440:  881F0E59   lbz   r0,3673(r31)
80135444:  7C000775   extsb.   r0,r0
80135448:  41820010   beq-   0x80135458
8013544C:  C00DAB64   lfs   f0,-21660(r13)
80135450:  EC630032   fmuls   f3,f3,f0
80135454:  48000028   b   0x8013547c
80135458:  C03F0C74   lfs   f1,3188(r31)
8013545C:  C0029E40   lfs   f0,-25024(r2)
80135460:  FC010040   fcmpo   cr0,f1,f0
80135464:  40810010   ble-   0x80135474
80135468:  C00D8500   lfs   f0,-31488(r13)
8013546C:  EC630032   fmuls   f3,f3,f0
80135470:  4800000C   b   0x8013547c
80135474:  C00D84FC   lfs   f0,-31492(r13)
80135478:  EC630032   fmuls   f3,f3,f0
8013547C:  C03F0EA0   lfs   f1,3744(r31)
80135480:  C0029DD4   lfs   f0,-25132(r2)
80135484:  FC010040   fcmpo   cr0,f1,f0
80135488:  4C401382   cror   2,0,2
8013548C:  40820060   bne-   0x801354ec
80135490:  C05F03AC   lfs   f2,940(r31)
80135494:  7FE3FB78   mr   r3,r31
80135498:  C02D84F8   lfs   f1,-31496(r13)
8013549C:  D0410008   stfs   f2,8(r1)
801354A0:  EC230072   fmuls   f1,f3,f1
801354A4:  C01F0578   lfs   f0,1400(r31)
801354A8:  C07F03A8   lfs   f3,936(r31)
801354AC:  EC000072   fmuls   f0,f0,f1
801354B0:  EC00182A   fadds   f0,f0,f3
801354B4:  D001000C   stfs   f0,12(r1)
801354B8:  FC001040   fcmpo   cr0,f0,f2
801354BC:  4C401382   cror   2,0,2
801354C0:  4082000C   bne-   0x801354cc
801354C4:  38A1000C   addi   r5,r1,12
801354C8:  48000008   b   0x801354d0
801354CC:  38A10008   addi   r5,r1,8
801354D0:  81830000   lwz   r12,0(r3)
801354D4:  38800001   li   r4,1
801354D8:  C0250000   lfs   f1,0(r5)
801354DC:  818C0124   lwz   r12,292(r12)
801354E0:  7D8903A6   mtctr   r12
801354E4:  4E800421   bctrl   
801354E8:  48000014   b   0x801354fc
801354EC:  C01F0578   lfs   f0,1400(r31)
801354F0:  EC020032   fmuls   f0,f2,f0
801354F4:  EC010028   fsubs   f0,f1,f0
801354F8:  D01F0EA0   stfs   f0,3744(r31)
801354FC:  80010024   lwz   r0,36(r1)
80135500:  83E1001C   lwz   r31,28(r1)
80135504:  7C0803A6   mtlr   r0
80135508:  38210020   addi   r1,r1,32
8013550C:  4E800020   blr   [/spoiler]
The 801354D8:  C0250000   lfs   f1,0(r5) loads the "updated" health value from memory so that 80104730:  D02303A8   stfs   f1,936(r3) can store it back. The problem is that the memory r5 points to holds more than just the health value (it changes continuously, basically every frame). I can't get away from the write breakpoint to find whatever actually performs the health regain. Finding an fadds or fsubs was the plan. Any suggestions?

This is where 801354D8:  C0250000   lfs   f1,0(r5) leads me to...
[spoiler]
 CR:482228A8  XER:00000000  CTR:80326C20 DSIS:02400000
DAR:808D4458 SRR0:801354D8 SRR1:0000B032   LR:80135384
 r0:00000001   r1:80703200   r2:806F5120   r3:8086D5B0
 r4:00000001   r5:80703208   r6:BFED31BD   r7:BFFD31BD
 r8:40019999   r9:00000000  r10:00000000  r11:FFFFFFFD
r12:80574784  r13:806F1000  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:00000000
r20:00000000  r21:00000000  r22:00000000  r23:00000000
r24:00000000  r25:80F83760  r26:805D0000  r27:8086D5B0
r28:80FFAD60  r29:8087F580  r30:8086D5B0  r31:8086D5B0

 f0:42C93333   f1:41900000   f2:42C80000   f3:42C80000
 f4:00000000   f5:00000000   f6:00000000   f7:00000000
 f8:A117EBA0   f9:3D78EDED  f10:3D78EDEA  f11:3240A92C
f12:40400000  f13:30C4F3CB  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:00000000  f30:00000000  f31:00000000

80703190   FFFFFFFD   80574784   806F1000   00000000
807031A0   00000000   04700000   00000000   00000000
807031B0   00000001   00000000   00000000   00000019
807031C0   000000D0   CD000000   80F83760   805D0000
807031D0   8086D5B0   80FFAD60   8087F580   80001C38
807031E0   80000000   80842340   8086D5B0   8086D5B0
807031F0   40590000   00000000   40590000   00000000
80703200   80703220   80001C3C   *42C80000*   42C93333
80703210   00000000   00000000   00000000   805745C8
80703220   80703260   80131D54   3EEF277A   3F43255B
80703230   80FFAD60   00000001   805D54E0   8086D5B0
80703240   00000000   00000000   00000000   00000000
80703250   00000000   00000000   00000000   00000000
80703260   80703270   80108A48   00000000   807032A0
80703270   807032A0   80129E80   808834A0   808834A0
80703280   807032A0   8041C470   805D0000   80846F40
[/spoiler]
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

dcx2

You may be able to test r12 at this instruction

801354E0:  7D8903A6   mtctr   r12

This is loading a pointer for a function to call into CTR so you can bctrl to it.  Chances are this runs for all kinds of stuff not related to health.  If you're lucky, r12 will be a specific value only for health effects.

---

You should also look at the full call stack, and not just the LR, when your breakpoint hits for getting hit, regaining health, etc.  There may be something further up the stack than the most recent function call.

Bully@Wiiplaza

Quote from: dcx2 on August 15, 2012, 02:44:48 PM
You may be able to test r12 at this instruction

801354E0:  7D8903A6   mtctr   r12

This is loading a pointer for a function to call into CTR so you can bctrl to it.  Chances are this runs for all kinds of stuff not related to health.  If you're lucky, r12 will be a specific value only for health effects.
r12 doesn't ever change, and it's only doing health effects, such as healing, getting damaged and idling. r3 plus offset points to the health address. It's pointing to 80104720:  FC400818   frsp   f2,f1[spoiler]
 CR:482228A8  XER:00000000  CTR:80326C20 DSIS:02400000
DAR:808640F8 SRR0:801354E0 SRR1:0000B032   LR:80135384
 r0:00000001   r1:80703200   r2:806F5120   r3:80889E30
 r4:00000001   r5:80703208   r6:BFED31BD   r7:BFFD31BD
 r8:40019999   r9:00000000  r10:00000000  r11:FFFFFFFD
r12:80104720  r13:806F1000  r14:00000000  r15:00000000
r16:00000000  r17:00000000  r18:00000000  r19:00000000
r20:00000000  r21:00000000  r22:00000000  r23:00000000
r24:00000000  r25:80869FA0  r26:805D0000  r27:80889E30
r28:8086D280  r29:8088CBC0  r30:80889E30  r31:80889E30[/spoiler]Since I was told to look at the call stack, I did. What is important to figure out here? It looks like "Regaining Health" and "Idling" have the exact same call stack. I'm sure that it's right, however.
[spoiler]Regaining Health
80104730
80131D50
80108A44
80129E7C
803E8994
803E3F3C
801D9B78
8040E9D8
8040296C
8044468C
801ADFD0
80008380
800076E0
802CACB8
80008A34
80292B58
80292EA0
80006470

Getting Hit
80104730
80103308
80282760
80177FAC
8031CDD4
8031BD98
8031C024
80302B40
802803CC
8027E2F8
800083A4
800076E0
802CACB8
80008A34
80292B58
80292EA0
80006470

Idling
80104730
80131D50
80108A44
80129E7C
803E8994
803E3F3C
801D9B78
8040E9D8
8040296C
8044468C
801ADFD0
80008380
800076E0
802CACB8
80008A34
80292B58
80292EA0
80006470[/spoiler]
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully