Kodewerx

Our culture has advanced beyond all that you could possibly comprehend with one hundred percent of your brain.
It is currently Thu Mar 28, 2024 9:03 am

All times are UTC - 8 hours [ DST ]


Forum rules





Post new topic Reply to topic  [ 20 posts ] 
Author Message
PostPosted: Wed May 23, 2012 4:18 pm 
Offline
Kommunist
Kommunist
User avatar

Joined: Wed May 23, 2012 3:58 pm
Posts: 12
Location: Under your bed
Title: The Hacker-Furry
Hi,
I have a problem. I can't get how to create Struct Writes. I looked at the AR code type documentary for it for tens of thausand times.. but i don't really understand how to create a struct write code..
I already asked in the ARCentral Forum. Someone helped me alot by giving me a program to calculate Struct write codes, by adding the 2 Addresses and putting the 2 RAM dumps into the Folder of the Program. It works fine. But it does not work if the address is larger than 0x81000000.
i always get no results.
So.. please.. can someone give me some explicite instruction how to create a struct write code?
also could someone show me how to do it with this example?
scan 1: 80BFE584 42000000
scan 2: 80BFE5C4 42000000
struct write: 421B96EC 00F44200

How do i have to calculate it?


Thanks


Top
 Profile  
Reply with quote  
PostPosted: Thu May 24, 2012 12:58 am 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3768
Title: All in a day's work.
Try 431B96EC 00F44200 ?

If the address is >= 0x81000000, make sure bit 25 is set in the code 'address' portion.

_________________
I have to return some video tapes.

Feed me a stray cat.


Top
 Profile  
Reply with quote  
PostPosted: Thu May 24, 2012 3:48 am 
Offline
Kommunist
Kommunist
User avatar

Joined: Wed May 23, 2012 3:58 pm
Posts: 12
Location: Under your bed
Title: The Hacker-Furry
i know the base address will be 43.
but gcnpcc is still not able to calculate it. and also XX1B96EC will be wrong i think.
i just need to know an explicite manual unstruction how to calculate it


Top
 Profile  
Reply with quote  
PostPosted: Thu May 24, 2012 3:12 pm 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
What address is >=81000000? The pointer's location or the address of the value in one(both?) of the dumps?

_________________
Image


Top
 Profile  
Reply with quote  
PostPosted: Thu May 24, 2012 7:09 pm 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3768
Title: All in a day's work.
Good question. o_O

_________________
I have to return some video tapes.

Feed me a stray cat.


Top
 Profile  
Reply with quote  
PostPosted: Fri May 25, 2012 1:49 am 
Offline
Kommunist
Kommunist
User avatar

Joined: Wed May 23, 2012 3:58 pm
Posts: 12
Location: Under your bed
Title: The Hacker-Furry
ok, i hacked the code again.

dump 1
81363010 01000003

dump 2
81362F18 01000003


Top
 Profile  
Reply with quote  
PostPosted: Fri May 25, 2012 4:23 pm 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
Are you using GCNrd to hack?

I can teach you how to manually find pointers if you are. (though if gcnpcc didn't find it (and you used gcnpcc correctly), you probably wont have any luck finding one manually)

If you're using WiiRD or Gecko dotNet, it's a bit harder to narrow down the results because they don't have variable value support for known values. (WiiRD claims to, but it is broken iirc)

_________________
Image


Top
 Profile  
Reply with quote  
PostPosted: Fri Jun 08, 2012 6:07 pm 
Offline
Kommunist
Kommunist
User avatar

Joined: Wed May 23, 2012 3:58 pm
Posts: 12
Location: Under your bed
Title: The Hacker-Furry
sorry for late answer. i was buryed last time.
OK. i rehacked the code again

also i use WiiRdGUI to hack codes on GameCube aswell

dump 1:
813631F8 01000003

dump 2:
81363158 01000003

best results are:

[801B776C]+1AF278
[811AB114]+668358
[80CF7C74]+6D6638
[811D0CA4]+18EEB8
[80CEB714]+6D6638
[811B4744]+1A8C58
[803C0FC8]+663918
[80CEB774]+6D6638
[8137DBB4]+5DD58
[8137DC54]+5DD58
[801B77D4]+1AF278
[801B7FEC]+6D3F58
[81541800]+2CD8B8
[80CF7DD4]+6D6638
[801B964C]+6D3F58
[801B7788]+1AF298
[801B77AC]+1AF278
[801BAA24]+163B78
[80CEB6D4]+6D6638
[801B77B0]+1A7258

and i created a pointer code:
48000000 801B776C
141AF278 01000003
E0000000 80008000

sometimes this codes works, sometimes it doesn't
i also tryed doing it with other results WiiRdGUI gave me, but same result or nothing happens


Top
 Profile  
Reply with quote  
PostPosted: Fri Jun 08, 2012 8:05 pm 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3768
Title: All in a day's work.
  1. Are you certain the value is exactly 32-bit?
  2. Those are some strange looking offsets; all large numbers, all end with an 8.
  3. It could require multiple pointer-offset combination searches to locate a base pointer that remains static.

_________________
I have to return some video tapes.

Feed me a stray cat.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jun 08, 2012 8:40 pm 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
Those offsets are much much bigger than what's typical. The default config file limits offsets to 0x0000F088.
Do you have Negative offsets enabled in the config file? All of those are positive but usable pointers CAN use negative offsets sometimes.

If you do have negative offsets enabled, look for the smallest reported offsets as your best bets. Then if they do work but only sometimes, as Parasyte said, it would most likely need a pointer to a pointer (not supported in GCN AR CodeTypes but they ARE supported in Gecko CodeTypes). You will need to write an asm hack for your code if it needs pointer to pointer if you're using GCN AR.

It's also possible that it works sometimes just by coincidence. (likely the case for any of those gigantic offsets you posted)

_________________
Image


Top
 Profile  
Reply with quote  
PostPosted: Sat Jun 09, 2012 4:13 pm 
Offline
Kommunist
Kommunist
User avatar

Joined: Wed May 23, 2012 3:58 pm
Posts: 12
Location: Under your bed
Title: The Hacker-Furry
ohhh.. sorry.. i did not think about to change max. offset radius of the config .txt from gcnpcc..
thats so ashaming for me D=
i also changed it, and i got some results. but the codes are.. too long
look:
Code 1
421b776c d793c0100 (9 hex digits)
421b776c d793d0003

Code 2
421b7788 d794c0100
421b7788 d794d0003

Code 3
421b77ac d793c0100
421b77ac d793d0003

Code 4
421b77b0 d392c0100
421b77b0 d392d0003

as i enabled negative offsets, i got much longer codes..
any solution?


Top
 Profile  
Reply with quote  
PostPosted: Sat Jun 09, 2012 7:48 pm 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
The third line in the config file should look like this:
Max offset radius: 0000F088

_________________
Image


Top
 Profile  
Reply with quote  
PostPosted: Sun Jun 10, 2012 1:58 am 
Offline
Kommunist
Kommunist
User avatar

Joined: Wed May 23, 2012 3:58 pm
Posts: 12
Location: Under your bed
Title: The Hacker-Furry
yes, it did before i changed it. as i increased the value i got some results. but the codes are too long (as you can see in my last post)
enableing negative offsets with an offset radius of 0x0000F088 gave me no results


Top
 Profile  
Reply with quote  
PostPosted: Sun Jun 10, 2012 10:41 am 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
Then there likely isn't a pointer for it. You'll have to do an ASM hack.


I'll try to walk you through an asm hack for it.
The value you're trying to write is "01000003", right? Does this do multiple things? (where each byte is part of the code but since they're aligned, you're just trying to do one 32bit write?)


Just out of curiosity... You're not by chance hacking the Zelda collection or something similar are you?

_________________
Image


Top
 Profile  
Reply with quote  
PostPosted: Sun Jun 10, 2012 11:03 am 
Offline
Kommunist
Kommunist
User avatar

Joined: Wed May 23, 2012 3:58 pm
Posts: 12
Location: Under your bed
Title: The Hacker-Furry
it's for F-Zero GX (the game i mostly hack ^^; )
it causes a colorful brighning ring appears around the machine. (there are 3 of these rings and a code to make a glowing sphere around the behicle. and also codes to modify the speed of the spinning rings. it looks really amazing (all of these codes have these big pointer offsets))

and yes, it's a 32 bit write


Top
 Profile  
Reply with quote  
PostPosted: Sun Jun 10, 2012 11:21 am 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
So the 01 turns it on? And the 03 is for the number of rings?

When you poke the value in, does it work right away and stay active for some time-- or do you need to use a code so the write is constant to see the code working?


For the asm hack we must see it as separate parts. It's most likely not one 32bit value there.

_________________
Image


Top
 Profile  
Reply with quote  
PostPosted: Sun Jun 10, 2012 11:40 am 
Offline
Kommunist
Kommunist
User avatar

Joined: Wed May 23, 2012 3:58 pm
Posts: 12
Location: Under your bed
Title: The Hacker-Furry
no, no.
each ring has it's own address and value.
look:

ring 1
813631F8 01000003

ring 2
81363110 01000002

ring 3
81363028 01000001

after poking the value for one time, the ring will be there permanently. but when i restart the stage or hit the energy fied or fall out off the track and get saved, the ring diasappears. so it needs to be written in the ram


Top
 Profile  
Reply with quote  
PostPosted: Sun Jun 10, 2012 3:23 pm 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:46 pm
Posts: 2331
Location: *poof*
Title: The Mad Hacker
On the breakpoint tab, set a breakpoint read on 813631F8. (if this address is still where ring 1 is)

When it breaks, copy the register values here. (from the large textarea on top)
Also copy the first few lines of the bottom text area (the instructions).

_________________
Image


Top
 Profile  
Reply with quote  
PostPosted: Sun Mar 29, 2015 8:48 pm 
Offline
Kommunist
Kommunist
User avatar

Joined: Wed May 23, 2012 3:58 pm
Posts: 12
Location: Under your bed
Title: The Hacker-Furry
Sorry for being late. Finally figured out what email address I was using for here *facepalm*

Well, during the time another hacker has made an assembly code for this. I have also learnt a lot more about breakpoints, PPC ASM and stuff and don't think I'd have any troubles with such codes.
I have found another way, too: 2 8bit pointer writes for each ring (01 and 03) that allow me to use the huge offset!
But thanks anyways :)


Top
 Profile  
Reply with quote  
PostPosted: Sat Apr 04, 2015 1:07 pm 
Offline
Krew (Admin)
Krew (Admin)
User avatar

Joined: Sun Oct 01, 2006 9:26 pm
Posts: 3768
Title: All in a day's work.
lol, welcome back! :D

_________________
I have to return some video tapes.

Feed me a stray cat.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 20 posts ] 

All times are UTC - 8 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 120 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group