Conversation Between FamiliaWerneck and daniilS
Showing Visitor Messages 1 to 5 of 5
-
July 16th, 2015 2:01 AM FamiliaWerneck: The hook is what I place in the hijacked routine so it jumps to my hack (sorry, didn't get the hook... =/). And you need the full version of ida indeed, come to the irc (chat link in my signature) and see if Touched is online, he can help.
You still seem to have some trouble understanding pushing and popping. I don't 'call' any registers by pushing lr, and pushing lr doesn't execute anything; neither does it 'pop information back'.
The stack is simply a big chunk of free space used for temporarily storing things. If you need to back up the value of a register (so I don't need to push them if I'm not going to back up their values? I can simply use the registers with their original values without pushing and popping?), you can push it to the stack, do whatever you want with it, and pop it afterwards to restore the previous value (how do I know what its previous value is?). When a routine uses a bl to go to another routine, the address it should return to is put in lr. Because I also use a bl inside my routine, I need to save the current return address on the stack. When I'm done, I simply pop the return address onto r3 and bx to it, thus returning to the instruction after the previous bl. If I didn't modify lr, I could've just used bx lr at the end.
There also is a standard within the game that makes it so that any subroutine that's called from another routine may overwrite r0 to r3. That's why I don't push them. R7 is only checked (damn this routine really used an ugly and hacky way to see if it is a poke and may actually be bugged, I'll need to check in ida later today), not modified, so there's no reason to push it again (Didn't see you push it in the first place. Also, how can you compare its value to something if you haven't loaded any address or information or anything in r7?) And something probably made me think back then that r10 would be overwritten after returning to the function that called this one, so it is safe to use too in that case (I do need to confirm this).
-
July 16th, 2015 1:04 AM daniilS: The hook is what I place in the hijacked routine so it jumps to my hack. And you need the full version of ida indeed, come to the irc (chat link in my signature) and see if Touched is online, he can help.
You still seem to have some trouble understanding pushing and popping. I don't 'call' any registers by pushing lr, and pushing lr doesn't execute anything; neither does it 'pop information back'.
The stack is simply a big chunk of free space used for temporarily storing things. If you need to back up the value of a register, you can push it to the stack, do whatever you want with it, and pop it afterwards to restore the previous value. When a routine uses a bl to go to another routine, the address it should return to is put in lr. Because I also use a bl inside my routine, I need to save the current return address on the stack. When I'm done, I simply pop the return address onto r3 and bx to it, thus returning to the instruction after the previous bl. If I didn't modify lr, I could've just used bx lr at the end.
There also is a standard within the game that makes it so that any subroutine that's called from another routine may overwrite r0 to r3. That's why I don't push them. R7 is only checked (damn this routine really used an ugly and hacky way to see if it is a poke and may actually be bugged, I'll need to check in ida later today), not modified, so there's no reason to push it again. And something probably made me think back then that r10 would be overwritten after returning to the function that called this one, so it is safe to use too in that case (I do need to confirm this).
-
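The push {lr} / bl / pop {r3} / bx r3 pattern daniilS describes above, modelled in Python as an added example (this is not code from either poster). It simulates only the handful of Thumb instructions the hook relies on, runs the pattern once with lr saved and once without, and shows why the save matters: bl overwrites lr with the address after the bl, so a routine that does its own bl can only get back to the hijacked game routine by restoring the value it pushed. All addresses (STACK_TOP, RETURN_INTO_GAME, BASE) are placeholders chosen for the demonstration, not real ROM or RAM offsets, and Thumb's "address + 1" convention for bl/bx targets is left out of the model.

```python
"""Model of the push {lr} / bl / pop {r3} / bx r3 pattern from the hook.

Added example, not code from the thread. Only push, pop, bl, bx and a mov
immediate are modelled; every address below is a placeholder.
"""

SP, LR, PC = 13, 14, 15

STACK_TOP = 0x03007F00         # assumed initial sp (placeholder)
RETURN_INTO_GAME = 0x08040B10  # assumed lr on entry: where the hijacked routine resumes (placeholder)
BASE = 0x08800000              # assumed address the hack was inserted at (placeholder)


def assemble(instrs, base):
    """Lay out (label, op, args) triples from `base`; bl is 4 bytes, the rest 2.

    Returns (program, labels) where program maps address -> (op, args).
    """
    labels, program, addr = {}, {}, base
    for label, op, args in instrs:
        if label:
            labels[label] = addr
        program[addr] = (op, args)
        addr += 4 if op == "bl" else 2
    return program, labels


def run(program, labels, entry, max_steps=50):
    """Execute until pc leaves `program` (the hack returned) or max_steps is hit."""
    regs = {r: 0 for r in range(16)}
    regs[SP], regs[LR], regs[PC] = STACK_TOP, RETURN_INTO_GAME, entry
    stack = {}  # address -> word; only the hack's own pushes live here
    steps = 0
    while steps < max_steps and regs[PC] in program:
        steps += 1
        pc = regs[PC]
        op, args = program[pc]
        regs[PC] = pc + (4 if op == "bl" else 2)   # default: fall through to next instruction
        if op == "push":            # lowest register ends up at the lowest address
            for r in sorted(args, reverse=True):
                regs[SP] -= 4
                stack[regs[SP]] = regs[r]
        elif op == "pop":           # inverse order, so pop {r3} receives what push {lr} stored
            for r in sorted(args):
                regs[r] = stack.pop(regs[SP])
                regs[SP] += 4
        elif op == "bl":            # lr := address after the bl, then jump; this clobbers lr
            regs[LR] = regs[PC]
            regs[PC] = labels[args]
        elif op == "bx":            # jump to the address held in a register
            regs[PC] = regs[args]
        elif op == "mov_imm":
            rd, imm = args
            regs[rd] = imm
        else:
            raise ValueError(op)
    return {"regs": regs, "stack": stack, "steps": steps,
            "returned": regs[PC] not in program}


# The pattern the hack uses: save lr, call, restore the saved value into r3, return through r3.
SAVES_LR = [
    ("hack", "push", [LR]),
    (None, "bl", "helper"),
    (None, "pop", [3]),
    (None, "bx", 3),
    ("helper", "mov_imm", (0, 1)),   # stand-in for the real callee; r0 is a scratch register
    (None, "bx", LR),
]

# Same call without saving lr: after the bl, lr points at `bx lr`, which then jumps to itself.
FORGETS_LR = [
    ("hack", "bl", "helper"),
    (None, "bx", LR),
    ("helper", "mov_imm", (0, 1)),
    (None, "bx", LR),
]


def demo(instrs):
    program, labels = assemble(instrs, BASE)
    return run(program, labels, labels["hack"])


if __name__ == "__main__":
    good, bad = demo(SAVES_LR), demo(FORGETS_LR)
    print("saved lr : returned=%s pc=%#x sp_restored=%s lr_now=%#x"
          % (good["returned"], good["regs"][PC], good["regs"][SP] == STACK_TOP, good["regs"][LR]))
    print("forgot lr: returned=%s pc=%#x after %d steps"
          % (bad["returned"], bad["regs"][PC], bad["steps"]))
```

In the saved-lr run the hack ends with pc equal to the entry-time lr and sp back at its starting value, even though lr itself now holds an address inside the hack; in the other run execution never leaves the hack. Nothing in the model protects r0-r3, which matches the convention daniilS mentions: the caller expects them to be clobbered, so the hack need not push them.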
July 15th, 2015 5:13 PM FamiliaWerneck: I tried using the free version of IDA Pro, but couldn't open the idb... =/
By hook, you mean the "word 0x08offset" things at the end of the routine, right?
@pushes link register to the stack (a function will happen, and after it's done it will return here)(did you call the other registers too by just calling lr?)
I looked again at some ASM tutorials, as I didn't remember what the link register was. From Knizz' tutorial - I think - I got that when you push the link register, it will execute a function, or something like that, and pop the information back to the function that called it; and then resume the code.
I didn't get though how could you use r3, r7, r1, etc. without pushing them into the stack...
Thus, I asked if you called all the registers by just pushing the link register into the stack.
-
July 15th, 2015 1:11 PM daniilS: To understand this code, you'd need to take a look at where I placed the hook. One thing does look a little odd to me now that I look at this routine again after all this time, so I'll have to check it in ida when I'm on my pc again tomorrow. Also, could you elaborate what you commented next to the first push?
-
July 15th, 2015 11:38 AM FamiliaWerneck: Check this, bro:
This effect was written by me for the Heal Ball (***it's your post, your routine, not mine***):
.text
.align 2
.thumb
.thumb_func
.global afterpoketranscalc @align to 2 bytes long, thumb functions and all that
main: @starts the real program
push {lr} @pushes link register to the stack (a function will happen, and after it's done it will return here)(did you call the other registers too by just calling lr?)
recycle:
ldr r3, memcpy @not a clue what memcpy does, but it's a word and it's stored at r3 (perhaps the data on the Pokémon that you just captured)
bl bxr3 @calls bxr3, that jumps to the address stored at r3
calc:
cmp r7, #0x64 @I don't know what is stored at r7, but this compares this value to #0x64 (number of bytes per party Pokémon = 100 bytes or #0x64)
bne ender @and if r7 is not equal to #0x64, it ends the routine (the data stored at r7 would not be a Pokémon's if it's not 100 bytes long)
ldr r3, somevar @loads somevar address (ball index?) to r3
ldrb r3, [r3] @loads the value of the address at r3 to r3 (1 byte long, half word)
cmp r3, #14 /*ball index of heal ball here*/ @checks if this is the ball which can use this routine (if this line is deleted, every Pokéball)
bne ender @if it's not the ball that is allowed to heal a Pokémon, the routine ends
healstuff:
ldr r3, poke_quantity @don't know what poke_quantity does, but I think it's the number of Pokémon I have in my party
ldrb r1, [r3] @loads the value at the address stored in r3 at r1 (1 byte long)
mov r10, r1 @moves the information from register 1 to register 10
mov r1, #1 @moves the information at r1 by #1 (don't know why, starting to get lost on what is being done)
strb r1, [r3] @stores the value at r1 back at r3 (I'll stop here, 'cause I just finished losing myself)
Up until now, all good? Or I got something wrong along the way?
heal_recycle:
mov r3, pc
add r3, #0x1d
push {r3}
push {r4-r7}
mov r7, r10
mov r6, r9
mov r5, r8
push {r5-r7}
sub sp, sp, #4
mov r1, #0
mov r8, r1
mov r1, r0
mov r10, r1
mov r6, sp
ldr r3, healpoke
b bxr3
heal_finish:
ldr r3, poke_quantity
mov r1, r10
strb r1, [r3]
ender:
pop {r3}
bxr3:
bx r3
.align 2
memcpy: .word 0x081e5e78+1
somevar: .word 0x0203fe00
partyadr: .word 0x02024284
poke_quantity: .word 0x02024029
healpoke: .word 0x080a0076+1
In this code you must change the values at the ball index and somevar. Then assemble it and insert it anywhere. To activate it, place 00 4B 9F 46 XX XX XX XX at 08040B08, where XXXXXXXX is an inverted pointer to this routine.
This is the activation part you mentioned, right? I was just confused, 'cause I thought this routine would be called only by the specific ball, but I think it's called after I catch a Pokémon, and then it checks if it was with the Heal Ball, right?
Something similar to what I've done with kearnseyboy6, so I'm sure I'm understanding every bit of it.
Can you correct me?