How did you guys figure out which DOL offsets to edit with whatever values? I want to use InternetExplorer's code:
Code:
Boot to Character Select Screen (v1.02) [InternetExplorer]:
041a45a0 3c000202
041a45a4 901e0000
along with a few of the other codes to make a tournament-ready Melee ISO.
Okay, I have no idea how far you understand how machine code/Dolphin/etc. goes, but what the hell,
here goes my try at explaining how to inject a code into the main.dol
FIRST: WHAT DOES THE CODE ACTUALLY DO?
Boot to Character Select Screen (v1.02) [InternetExplorer]:
041a45a0 3c000202
041a45a4 901e0000
This code simply overwrites a word in memory with something custom:
04yy yyyy XXXX XXXX : 32bits ram write (ba) writes XXXXXXXX at ba+address(yy yyyy)
(you should know that from IE's tutorial)
(for other/more complex codes you could also use
http://gamehacking.org/faqs/wiicodetypes.html
to be able to fathom the syntax and function of it)
In a nutshell:
--> replace what is saved in 801a 45a0 with "3c00 0202"
--> replace what is saved in 801a 45a4 with "901e 0000"
SECOND: HOW IS IT POSSIBLE TO INJECT THIS CODE?
For this you should know how the main.dol works in general.
(All this is based on assumptions I've got from reverse engineering codes and
stuff from other people, so some stuff may not be 100% correct. If that's the case
I would appreciate it if someone would correct me.)
When the game is loaded, Dolphin/your Wii/your Cube copies the content of the main.dol
into its RAM and just continuously executes it until either you turn it off, it crashes,
or some other end condition is met.
So when we use the code above this happens:
->system loads main.dol in ram
->before the game starts it replaces the content of 0x801a 45a0 && 0x801a 45a4
with "3c00 0202" and "901e 0000"
So, according to simple logic all we have to do is
find the position (offset) of
0x801a 45a0 in the main and replace the word there
with "3c00 0202".
(theoretically you would have to search for the second offset as well but they are both
executed right after each other)
If the code was more complex you would need to find
free space in the main.dol, inject the code there and then branch to it, but that's a
different topic and would create more questions right now than it would answer.
THIRD: FINDING THE OFFSETS THAT NEED TO BE EDITED
Let us take a look at those 2 and the surrounding lines in debug dolphin:
-------------------------------------------------------------------------------
WITHOUT the code (Vanilla):
mem-address instruction (code line) instruction(hex)
801a4598 stb r0, 0 (r30) 981e0000
801a459c b ->0x801A45A8 4800000c
801a45a0 li r0, 40 38000028
801a45a4 stb r0, 0 (r30) 981e0000
801a45a8 li r0, 45 3800002d
WITH the code:
mem-address instruction (code line) instruction(hex)
801a4598 stb r0, 0 (r30) 981e0000
801a459c b ->0x801A45A8 4800000c
801a45a0 lis r0, 0x0202 3c000202
801a45a4 stw r0, 0 (r30) 901e0000
801a45a8 li r0, 45 3800002d
-------------------------------------------------------------------------------
The second table is optional, but it helps in terms of visual representation to understand how
codes work.
Now if you want to know what the instructions do you have to set a break point and look at both cycles
(one with code, the other without) step by step.
li r0,40 --> r0 has 0000 0040 stored
lis 0x0202 --> r0 has 0202 0000 stored
(then later the game looks at the content of r0 and based on that decides what to load,
just that it will now load the CSS instead of the first screen)
But to get back on track we need to
find "38000028" (instruction that is then going to be
loaded into memory address 801a45a0)
in the main.dol and replace it with "3c000202".
That is easily done with a hex editor and the search function.
Again, if there is a simpler way to just convert mem-addresses to .dol-offsets, it would be
really nice for someone to tell me.
So, I opened up the main.dol and searched for
"38000028" --> 55+ results.
At this point we could just try every single one until it works, but that is way too tedious,
so we are going to search for multiple lines following each other, i.e.:
"981e0000 4800000c 38000028 981e0000 3800002d" --> 1 result found @0x1A1178
Why? Because any simple instruction like "li r0, 40" is very, VERY likely to be all over
the place, because sadly that's just the way Assembler is (why can't this be c++ -.-).
However, the chances of the 5 instructions above happening in that order multiple times are incredibly small.
Maybe it could happen that you will find 2 or 3 results, but trial-and-error with a single-digit number of
attempts is way less time consuming and way less cumbersome than trying every single one.
So now that we know where to inject we give it a test run.
"38000028" @0x1A1180 replaced with "3c000202"
& "981e0000" @0x1A1184 replaced with "901e0000"
---> WORKS
= DONE!!!
FOURTH (IMPORTANT!): SHARE THE KNOWLEDGE YOU'VE JUST EARNED WITH THE REST OF THE COMMUNITY
Boot to Character Select Screen (v1.02)
-Game boots to the CSS instead of the main menu
[InternetExplorer]
Version -- DOL Offset ------ Hex to Replace ---------- ASM Code
1.02 ------ 0x1A1180 ---- 38000028 -> 3c000202 ---- (li r0, 40 -> lis r0, 0x0202)
------- 0x1A1184 ---- 981e0000 -> 901e0000 ---- (stb r0, 0 (r30) -> stw r0, 0 (r30))
FIFTH(OPTIONAL): BRING THE MODIFIED ISO TO YOUR NEXT SMASH GATHERING AND BRAG ABOUT YOUR SUPERIOR HACKING SKILLS
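The steps in the post above (search the main.dol for the five-word context so the hit is unique, then overwrite the two words) can be scripted, and the "simpler way to convert mem-addresses to .dol-offsets" the poster wished for does exist: the 0x100-byte .dol header lists each section's file offset, load address and size, so a RAM address maps to a file offset by plain subtraction. The script below is an added example, not code from the post or from InternetExplorer; it works on a small constructed .dol (two text sections with made-up load addresses and sizes, NOT the real Melee main.dol, so the offsets it prints are not the 0x1A1180/0x1A1184 from the post) and verifies the old word before writing, which catches a wrong offset or a different game version. The header layout is the standard GameCube/Wii .dol format.

```python
import struct

# Standard GameCube/Wii .dol header (0x100 bytes, all fields big-endian u32):
#   0x00: 7 text section file offsets     0x1C: 11 data section file offsets
#   0x48: 7 text section load addresses   0x64: 11 data section load addresses
#   0x90: 7 text section sizes            0xAC: 11 data section sizes
#   0xD8: bss address   0xDC: bss size   0xE0: entry point


def parse_dol_sections(dol):
    """Return (file_offset, load_address, size) for every non-empty section."""
    offsets = struct.unpack(">18I", dol[0x00:0x48])
    addrs = struct.unpack(">18I", dol[0x48:0x90])
    sizes = struct.unpack(">18I", dol[0x90:0xD8])
    return [sec for sec in zip(offsets, addrs, sizes) if sec[2]]


def addr_to_dol_offset(dol, addr):
    """Map a RAM address (as shown in the Dolphin debugger) to the .dol file offset loaded there."""
    for off, load, size in parse_dol_sections(dol):
        if load <= addr < load + size:
            return addr - load + off
    raise ValueError("0x%08x is not covered by any .dol section" % addr)


def dol_offset_to_addr(dol, off):
    """Inverse mapping: .dol file offset -> RAM address."""
    for sec_off, load, size in parse_dol_sections(dol):
        if sec_off <= off < sec_off + size:
            return off - sec_off + load
    raise ValueError("0x%x is outside every .dol section" % off)


def find_words(dol, words):
    """All 4-byte-aligned file offsets where this big-endian instruction sequence occurs."""
    needle = b"".join(struct.pack(">I", w) for w in words)
    hits, i = [], dol.find(needle)
    while i >= 0:
        if i % 4 == 0:  # PowerPC instructions are always 4-byte aligned
            hits.append(i)
        i = dol.find(needle, i + 1)
    return hits


def locate_by_context(dol, context, target_index):
    """The post's trick: search for several consecutive instructions so the hit is
    unique, then return the file offset of the one we actually want to change."""
    hits = find_words(dol, context)
    if len(hits) != 1:
        raise ValueError("context matched %d times, need exactly 1" % len(hits))
    return hits[0] + 4 * target_index


def patch_words(dol, patches):
    """patches: {file_offset: (expected_old_word, new_word)}. Refuses to write if the
    word currently there is not the expected one (wrong offset or wrong game version)."""
    out = bytearray(dol)
    for off, (old, new) in sorted(patches.items()):
        cur = struct.unpack(">I", out[off:off + 4])[0]
        if cur != old:
            raise ValueError("0x%x holds %08x, expected %08x" % (off, cur, old))
        out[off:off + 4] = struct.pack(">I", new)
    return bytes(out)


# The five instructions from the post's debugger listing, in order.
CONTEXT = [0x981e0000, 0x4800000c, 0x38000028, 0x981e0000, 0x3800002d]


def apply_css_boot_patch(dol):
    """Find the unique context, patch the two words, return (patched_dol, first_offset)."""
    off = locate_by_context(dol, CONTEXT, 2)  # index 2 = the "38000028" inside the context
    patched = patch_words(dol, {
        off: (0x38000028, 0x3c000202),       # li r0, 40       -> lis r0, 0x0202
        off + 4: (0x981e0000, 0x901e0000),   # stb r0, 0 (r30) -> stw r0, 0 (r30)
    })
    return patched, off


def build_sample_dol():
    """CONSTRUCTED mini .dol for demonstration only; not the real Melee main.dol.
    Two text sections; the load addresses and sizes are made up."""
    text0 = b"".join(struct.pack(">I", w) for w in [0x38000028, 0x4e800020] * 4)  # decoy "li r0, 40"s
    text1 = b"".join(struct.pack(">I", w) for w in [
        0x7c0802a6, 0x38000028, 0x9421ffe0,                           # filler, incl. one more li r0, 40
        0x981e0000, 0x4800000c, 0x38000028, 0x981e0000, 0x3800002d,   # the five-word context
        0x4e800020,
    ])
    offsets = [0x100, 0x100 + len(text0)] + [0] * 16
    addrs = [0x80003100, 0x80005940] + [0] * 16
    sizes = [len(text0), len(text1)] + [0] * 16
    header = struct.pack(">18I", *offsets) + struct.pack(">18I", *addrs) + struct.pack(">18I", *sizes)
    header += struct.pack(">III", 0, 0, 0x80003100)  # bss address, bss size, entry point
    return header.ljust(0x100, b"\0") + text0 + text1


if __name__ == "__main__":
    dol = build_sample_dol()
    print("single-word hits:", [hex(h) for h in find_words(dol, [0x38000028])])
    patched, off = apply_css_boot_patch(dol)
    print("patched file offset 0x%x = RAM 0x%08x" % (off, dol_offset_to_addr(dol, off)))
```

On the sample file the single-word search for 38000028 returns six hits while the five-word context returns exactly one, which is the point the post makes about searching for several instructions at once. To use this on a real main.dol, read the file into `dol`, call `addr_to_dol_offset(dol, 0x801a45a0)` to get the offset directly from the header instead of searching, and let `patch_words` confirm the expected old word is actually there before anything is written.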