Hacking Technical Discussion on NSMB Wii

[AMPonzi]

First, I'd like to ask those that simply just want to play the game to refer to the other thread. I'm more interested here in what exactly the game is doing to detect a backup. So here goes:

http://www.ibm.com/developerworks/eserver/...chguide-v2.html

Using the above link to download the architecture for the PowerPC CPU in the Wii at the time of the spec, here's what I've come up with.

Thanks to NeverSoft for pointing me in the right direction.

Old Command: 94 21 FF D0 = 10010100001000011111111111010000
New Command: 4E 80 00 20 = 01001110010000000000000000100000

The first 6-bits represent the instruction opcode

So for the old command, the first 6 bits are a hex 25 or decimal 37 which is an STU (Store Word with Update D-Form) command which is broken down this way:

I[0..5] = 100101 = opcode = 37 (25h)
I[6..10] = 00001 = RS = 1 (1h)
I[11..15] = 00001 = RA = 1 (1h)
I[16..31] = 1111111111010000 = D = (FFD0h)

For the new command, the first 6 bits are a hex 13 or decimal 19 which when combined with the extend opcode makes it a BCLR (Branch Condition to Link Register) command which is broken down this way:

I[0..5] = 010011 = opcode = 19 (13h)
I[6..10] = 10010 = BO = 18 (12h)
I[11..15] = 00000 = BI = 0 (0h)
I[16..18] = 000 = NOT USED
I[19..20] = 00 = BH = 0 (0h)
I[21..30] = 000010000 = extended opcode = 16 (10h)
I[31] = 0 = LK = 0 (0h)

Obviously, the first command is the one triggering the error. The code for that particular instruction states the following:

EA

 

[WiiPower]

From what i know the patch does not fix when the "problem" is detected, but inside the function to display the error and go into an infinite loop. And the patch is to jump back where the function is called, everytime it is called, which could be very often. You need to go up in the code to find out where the detection happens. That value you found might be a trigger the dection function sets and is checked later.

 

[AMPonzi]

Ahhh that would make sense... so basically it just branches back to the function that calls the error message and proceeds with the next instruction there. So basically, it'd have to be a reverse trace. Or more simply, just check the stack at that point. I'll have to look up how PowerPC call stack works. Good call.

What would be the best way of doing this check? Dolphin doesn't crash with the backup so that makes it a bit more difficult, but also slightly more interesting because you think it would crash if something wasn't implemented...

 

[WiiPower]

Sorry i can't help you with that. If the game passed the backup check the function we patch is not executed, right? If it was executed anyways and checks for a variable, then you could manipulate it to crash and then look at the stack.

I think debugging is also possible with an usb gecko and Gecko OS (or NeoGamma), but i guess if you had an usb gecko, you would be doing that already.

 

[AMPonzi]

Nope, no USB Gecko... hmmmm... going to try and play the game in Dolphin and see if I notice anything strange? It seems almost like a random amount of time before it crashes out on modchip which is weird.

 

[WiiPower]

It is some random amount of time on usb too. If dolphin has the issue too, it may take several minutes. I got reports it crashes eventually, even when doing nothing, i think you want to try it this way.

 

[AMPonzi]

I'm going to download the source for Dolphin and write some code to throw an error upon reaching that particular memory address and then output to a log file the call stack. That will at least get me started.

 

[AMPonzi]

One thing I notice now about the patch is the fact that it replaces the code at 001AB610-001AB613 with the same code at 001AB60C-001AB60F (immediately before it).

This essentially decrements the counter twice to the command at 001AB608: 38210050

001110|00001|00001|0000000001010000

This is an add immediate function... which basically adds hex 50 to the value at address 00001 and stores it in register 00001... which would go to the next function which would... hmmm, not sure on this one

EDIT: The branch doesn't decrement the counter, it branches to the address in the link register... gee whiz

Come on people, help me out!

 

[taktularCBo]

Send this to the guys of Wiikey, till now I think they diden't found anything how to fix it!

 

[WiiPower]

I thing the patch is the 1st command at the entrypoint of the error function, and the patched command is comparable to a "return". I would say the command just before the patch is the end of the function that is defined before the error function, nothing more, nothing less. But keep in mind that i have no real idea of assembler, so i could be totally wrong.

 

[sm98]

I thing the patch is the 1st command at the entrypoint of the error function, and the patched command is comparable to a "return". I would say the command just before the patch is the end of the function that is defined before the error function, nothing more, nothing less. But keep in mind that i have no real idea of assembler, so i could be totally wrong.

yeah you're right there, it's just a return/blr and yep to the previous functions return/blr is just above it too, nothing sinister there.

so what's the odds that there's a thread running just to check/enforce the copy protection? hmm i wonder

 

[cracker]

Interesting info. Thanks for posting it. I am always interested in learning new opcodes (PPC is foreign to me). Not to mention am interested in modifying code on any system.

 

[hqyhqyhqy]

I agree with the views of wiipower。

However, you can't use USB GECKO debugging NSMB, this games will delete WIIRD hook handle.

The hack point is actually very easy to find:

play game on Dolphin with Debugger("-d") mode,and wait this game crash.
then push "show pc" button ,you can see current code address.
you can see function return address at "LR".

then you can open IDApro goto this address,To see which function call it,and fix it.

 

[AMPonzi]

Unfortunately, Dolphin won't get past the number of players screen at that point it just hangs...

 

[hqyhqyhqy]

Unfortunately, Dolphin won't get past the number of players screen at that point it just hangs...

Dolphin debugger can't record more stackframe(callstack),but it can find current code address,
this function is ONLY ONE ?usb gecko can get current code address ONLY in breakpoint mode.

BTW:
Are you a member of DeSmuME development team?

I checkout the dsemu code form you to learn a few things about arm9 The day before yesterday

 

[shepe]

Unfortunately, Dolphin won't get past the number of players screen at that point it just hangs...

There was a fix for this posted around the time all the problems turned up iirc it had something to do with changing the audio plugin used il see if I can find the post!

Edit:

Found this post a few pages back

To be able to play New Super Mario Bros. Wii on Dolphin with NO errors, hangs which confirms that the scrubbed rip is no bad dump you will need the latest build found here :

http://cid-ec92aae47a89073b.skydrive.live....in?view=details

You will also need Gamecube DSP.zip? found here and place the files in Dolphin\Sys\GC

http://snesorama.us/board/showthread.php?p=390729

And use the settings found here :

http://forums.ngemu.com/1757454-post24.html

Remember to use the LLE Sound plugin in settings. That is the most important thing otherwise you will get stuck at how many players screen.

 

[AMPonzi]

Unfortunately, Dolphin won't get past the number of players screen at that point it just hangs...

Dolphin debugger can't record more stackframe(callstack),but it can find current code address,
this function is ONLY ONE ?usb gecko can get current code address ONLY in breakpoint mode.

BTW:
Are you a member of DeSmuME development team?

I checkout the dsemu code form you to learn a few things about arm9 The day before yesterday

I was way back when... need to remove that from my signature