Need Help Again With ASM

Started by Crapulecorp, November 07, 2012, 12:36:33 AM


Crapulecorp

Hi everyone, I am trying to hack JAWS: Ultimate Predator [SJAE5G].

I found the health addresses in the 90 range, and they change every level:

90E98278 42C80000
9019B6F8 42C80000.....


So I tried to find a pointer code and a pointer-in-pointer code, with no luck in Wiird and GeckoDotnet.

The last thing to do is to use an ASM code, so I found it with the breakpoint tab.

8053DB8C 7FE3052E stfsx f31,r3,r0

But with a nop instruction the code works for everyone.

If someone can help me it would be nice. Thanks. :) :) :)

dcx2

I bet r3 is the pointer to the character whose health you are modifying. But it seems weird to be using stfsx for this, because the health offset should be in the same place for all people. Maybe r0 is telling us whose health is being modified?

Try to XBP on 8053DB8C and Step Log, then do something to change a few people's health.  See whether r3 or r0 is telling you whose health is being modified.

Bully@Wiiplaza

#2
Quote from: dcx2 on November 08, 2012, 04:55:25 AM
Maybe r0 is telling us whose health is being modified?

I agree. r0 surely is the offset for players and you'll want to compare and only skip the store when you're affected. I've had that happening pretty often.

Hook: 8053DB8C

cmpwi r0, 0xXXXX
beq _END
stfsx f31,r3,r0
_END:

C253DB8C 00000002
2C00XXXX 41820008
7FE3052E 00000000

All you have to figure out now is the XXXX value. Alternatively, look at the registers and see if it's counting player slots or something when different people are hit...
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

Deathwolf

Not sure if this works for specific players... but it works for modifying the f: .

stwu r1,-80(r1)        # Create free space
stmw r14,8(r1)
cmpwi r0, 0xXXXX       # Compare character
bne- END               # If not, load the original instruction
lis r14,0x42C8         # Our own health register (r14)
ori r14,r14,0x0000
stw r14,0(r3)          # Store the health value of r14 into r3
END:
lmw r14,8(r1)
addi r1,r1,80
stfsx f31,r3,r0        # Original instruction
lolz

Bully@Wiiplaza

#4
What are you doing?
r0 may not be 0, therefore you messed up the destination. Also, the stack frame is pointless. Finally, it will overwrite the value, making the code useless... :eek:

cmpwi r0, 0xXXXX
bne _END

lis r12, 0x42C8
stwx r12,r3,r0
b _SKIP

_END:

stfsx f31,r3,r0

_SKIP:
This is how it works:
Store max health if P1, otherwise execute default instruction.

Crapulecorp

Thanks a lot dcx2, Deathwolf and Bully@Wiiplaza for helping me.
I am glad this forum is still alive. :) :) :)

Here are the registers when I am hit:

  CR:28202488  XER:00000000  CTR:802CF8F0 DSIS:00000000
DAR:00000000 SRR0:8053DB8C SRR1:0000B032   LR:8053DB5C
  r0:00000018   r1:8084DF00   r2:807DA8E0   r3:90CB34BC
  r4:90CB34B4   r5:00000000   r6:00000000   r7:00000000
  r8:00000000   r9:911B8BA8  r10:8084DF90  r11:8084DF60
r12:80508098  r13:807D7FA0  r14:80850948  r15:00000000
r16:00000000  r17:00000000  r18:00000014  r19:00000000
r20:00000000  r21:90CB304C  r22:911B8EAC  r23:80850458
r24:00000000  r25:80850500  r26:00000038  r27:8084DFA4
r28:00000000  r29:911BB2BC  r30:00000000  r31:90CB2FF0

  f0:40DEA762   f1:3F800000   f2:3E8FD1B1   f3:3D41B3FC
  f4:4F000000   f5:3DBA2E6E   f6:3D886B35   f7:3EAAAAAA
  f8:3E124924   f9:3DBA2E6E  f10:3D886B35  f11:3D4BDA59
f12:305B7C0D  f13:33529424  f14:00000000  f15:00000000
f16:00000000  f17:00000000  f18:00000000  f19:00000000
f20:00000000  f21:00000000  f22:00000000  f23:00000000
f24:00000000  f25:00000000  f26:00000000  f27:00000000
f28:00000000  f29:59800004  f30:3F800000  f31:3F800000

After that I set a breakpoint on 8053DB8C and enabled step logs.

But the breakpoint fires immediately, not just when I'm hit.

The step logs:

8053DB8C:  7FE3052E   stfsx   f31,r3,r0   f31 = 1   r3 = 90CB34BC   r0 = 00000018   [90CB34D4] = 3F800000

8053DB8C:  7FE3052E   stfsx   f31,r3,r0   f31 = 1   r3 = 90CB34BC   r0 = 00000014   [90CB34D0] = 3F800000

8053DB8C:  7FE3052E   stfsx   f31,r3,r0   f31 = 1   r3 = 90DE85B4   r0 = 00000010   [90DE85C4] = 3F800000

8053DB8C:  7FE3052E   stfsx   f31,r3,r0   f31 = 87,4   r3 = 90E7C0C4   r0 = 00000004   [90E7C0C8] = 42B39999 (when I am hit)

8053DB8C:  7FE3052E   stfsx   f31,r3,r0   f31 = 87,4   r3 = 90E7C0C4   r0 = 00000004   [90E7C0C8] = 4296CCCB (when I am hit)

After that I tried to find a pointer code and I succeeded:

MATCH: (90E7BE68+54) (==90E7C0C8-90E7C074)
      -(90E7BE68+54) (==90E7BF78-90E7BF24)
USE: [(90E7BE68+54)] IN YOUR POINTER CODE.

So I used this codetype for a 90-range pointer:

48000000 XXXXXXXX
DE000000 90009380
14YYYYYY ZZZZZZZZ
E0000000 80008000

Unlimited Health
48000000 90E7BE68
DE000000 90009380
14000054 42C80000
E0000000 80008000

Sadly this pointer code worked only on 3 levels.

So I made another pointer search with new levels and now I found a pointer in pointer:
The codetype for pointer in pointer for the 80 range:

48000000 XXXXXXX
DE000000 80008180
58010000 YYYYYYY
DE000000 80008180
14ZZZZZZ 00000000
E0000000 80008000

But for the 90 range, do I just have to change DE000000 80008180 to DE000000 90009380 in this codetype?

And one last thing: when I nop 8053DB8C 7FE3052E stfsx f31,r3,r0, everyone's health doesn't decrease, but I can't move.

Deathwolf

You could also try using the F6 codetype!

F600000Y 90009340       # Y = number of search lines, search in the range 9000-9340
XXXXXXXX XXXXXXXX       # X = search lines
140000ZZ 42C80000       # Z = if found, add ZZ bytes to it and write the value
E0000000 80008000

However, for this you have to get 2x 32-bit values (XXXXXXXX XXXXXXXX) which are near the main address, and they should occur ONLY ONCE in RAM.

You have to use the hooktype: OSsleepthread.

Bully@Wiiplaza

#7
Wait, if the instruction executes without getting hit and freezes your character when nop'ed, it is used for more than just health. I always suggest making an ASM code instead of pointer. I don't want to remember how often pointers backstabbed me...

Please try my last template with cmpwi r0, 0x0004!
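To show where the C2 lines in Bully's two templates come from, here is an added example (my own code, not Bully's, Gecko's or Wiird's tooling) that encodes just the PowerPC mnemonics used in this thread and packs them into a C2 code at 8053DB8C. The compare value 0x0004 is the one the last post suggests, and writing 42C80000 with stwx assumes, as the first post does, that health is a float whose full-value bit pattern is 42C80000 (100.0f).

```python
_reg = lambda tok: int(tok[1:])          # 'r3' -> 3, 'f31' -> 31
XO = {"stwx": 0x12E, "stfsx": 0x52E}     # opcode-31 extended opcodes, Rc=0
BO = {"beq": 12, "bne": 4}               # branch if cr0 EQ is true / false

def encode(op, a, pc, labels):
    """Encode one instruction of the thread's small subset at address pc."""
    if op == "cmpwi":                    # cmpi cr0, L=0, rA, SIMM
        return 0x2C000000 | (_reg(a[0]) << 16) | (int(a[1], 0) & 0xFFFF)
    if op in BO:                         # bc BO, BI=2 (cr0 EQ), 16-bit relative BD
        return 0x40000000 | (BO[op] << 21) | (2 << 16) | ((labels[a[0]] - pc) & 0xFFFC)
    if op == "b":                        # 26-bit relative branch
        return 0x48000000 | ((labels[a[0]] - pc) & 0x03FFFFFC)
    if op == "lis":                      # addis rD, 0, imm
        return 0x3C000000 | (_reg(a[0]) << 21) | (int(a[1], 0) & 0xFFFF)
    if op in XO:                         # X-form store: rS/frS, rA, rB
        return 0x7C000000 | (_reg(a[0]) << 21) | (_reg(a[1]) << 16) | (_reg(a[2]) << 11) | XO[op]
    raise ValueError(f"unsupported mnemonic: {op}")

def assemble(src):
    """Two passes: labels first (a label names the next instruction), then encode."""
    items, labels, pc = [], {}, 0
    for raw in src.splitlines():
        text = raw.split("#", 1)[0].strip()
        if text.endswith(":"):
            labels[text[:-1]] = pc
        elif text:
            items.append((pc, text.replace(",", " ").split()))
            pc += 4
    return [encode(op, a, pc, labels) for pc, (op, *a) in items]

def gecko_c2(address, words):
    """Pack instruction words into C2 'insert ASM' code lines for the given hook."""
    body = list(words)
    if len(body) % 2 == 0:
        body.append(0x60000000)   # nop, so the terminating 00000000 stays in the last slot
    body.append(0x00000000)       # the code handler replaces this word with the branch back
    lines = [f"{0xC2000000 | (address & 0x01FFFFFF):08X} {len(body) // 2:08X}"]
    return lines + [f"{x:08X} {y:08X}" for x, y in zip(body[::2], body[1::2])]

# Bully's second template with the XXXX slot filled with 0x0004 (assumed from post #7).
STORE_IF_P1 = """cmpwi r0, 0x0004
bne _END
lis r12, 0x42C8      # bit pattern of 100.0f (42C80000)
stwx r12,r3,r0
b _SKIP
_END:
stfsx f31,r3,r0      # original instruction
_SKIP:"""
```

The odd/even padding rule is why the first template fits in two code lines while the second needs a 60000000 00000000 filler line; calling gecko_c2(0x8053DB8C, assemble(STORE_IF_P1)) returns the five lines of the second template.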