oh hey I just have to write some powerpc assembly and find somewhere to patch it into an existing game.
no problem. usual shit to do on your day off.

I found that the scripting engine of Wheel of Fortune (2010, Wii) has an "adapter" system, which seems to basically be logging. But the key method is:
void SimpleVMAdapter::_report(char *message) {
}

it's empty. But it's still called, with logs.

so I just need to redefine it to point to something that actually logs, and I'm golden.

maybe it'll work if I just patch the vtable entry to point to OSReport?
or I'll explode the stack and crash the console and maybe even the emulator

nope. didn't work, didn't break either.
thankfully I've already patched Dolphin to add string support and I can just set a conditional

yep, this game is logging a bunch of state info as it starts up and everything. Nifty.

I found a perfect function to replace it with, except for CALLING CONVENTIONS

*shakes fist*

naturally the function I want to replace is 4 bytes before PVAlloc, which is used to allocate all memory for the scripting language, so overwriting it would be SLIGHTLY BAD

fuck the vtables. what if I pull out the whole vtable call and replace the report() call to just hit OSReport instead?

maybe that'll be easier and do less exploding of the everything

NOPE BECAUSE THEY'RE JUST HITTING THE NULL FUNCTION STRAIGHT FROM THE SCRIPTING LANGUAGE

so I just need to write a function using the __thiscall calling convention that routes the one parameter to OSReport, find somewhere to stuff it in the binary, and then modify the vtable to point to it.

should be easy!

oh god this is one of those architectures with link registers. save me

oh good all the code is calling OSReport with relative offsets.
so I have to calculate the offset.

THIS IS WHY ASSEMBLERS WERE INVENTED

oh and I can't solve this until I decide WHERE to put my code!
fuck!

memcpy? probably shouldn't overwrite that function.

how about the destructor for the App class?

when is that going to get called? this is a console game. it can't be shut down. it just gets powered off at some point.

especially because all it does is free some memory.

I don't exactly worry about my emulated wii leaking some memory when I power it off

got it.
just needed to go to offset 0x14E1F8 in main.dol and patch in 9421FFF07C0802A690010014386400004BEFED41600000006000000060000000800100147C0803A6382100104E800020, then patch 0x4E5810 with 80155438

EASY AS PIE
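
The relative-offset calculation the thread complains about, as an added example (not the author's code): it encodes and decodes a PowerPC `b`/`bl` word and checks it against the posted patch bytes. It assumes the value written into the vtable (80155438) is the address the stub loads at; the function names are made up for this example.

```python
import struct

# Patch bytes and vtable value exactly as posted in the thread.
PATCH_HEX = ("9421FFF07C0802A690010014386400004BEFED41"
             "600000006000000060000000800100147C0803A6382100104E800020")
# Assumption: the value written into the vtable is the stub's load address.
STUB_ADDR = 0x80155438

def encode_branch(src, dst, link=True):
    """Encode a PowerPC I-form relative branch (b, or bl if link) at src."""
    offset = dst - src
    if offset % 4:
        raise ValueError("branch target must be 4-byte aligned")
    if not -0x2000000 <= offset < 0x2000000:
        raise ValueError("target outside the +/-32 MiB reach of a relative branch")
    # opcode 18 | 24-bit word offset in bits 2..25 | AA=0 | LK
    return (18 << 26) | (offset & 0x03FFFFFC) | (1 if link else 0)

def decode_branch(word, pc):
    """Return (target, link) for a relative b/bl word located at pc."""
    if word >> 26 != 18:
        raise ValueError("not an I-form branch")
    if word & 2:
        raise ValueError("absolute branch (AA=1), offset is not pc-relative")
    li = word & 0x03FFFFFC
    if li & 0x02000000:          # sign-extend the 26-bit displacement
        li -= 0x04000000
    return pc + li, bool(word & 1)

def find_call(patch_hex=PATCH_HEX, base=STUB_ADDR):
    """Locate the first relative branch in the stub; return (pc, target, link)."""
    code = bytes.fromhex(patch_hex)
    words = struct.unpack(">%dI" % (len(code) // 4), code)
    for i, word in enumerate(words):
        if word >> 26 == 18:
            pc = base + 4 * i
            target, link = decode_branch(word, pc)
            return pc, target, link
    raise ValueError("no branch instruction in patch")

if __name__ == "__main__":
    pc, target, link = find_call()
    print("bl at %#x -> %#x (link=%s)" % (pc, target, link))
    print("re-encoded: %08X" % encode_branch(pc, target, link))
```

Moving the stub to a different address changes only this one word: re-run `encode_branch` with the new address of the `bl` and the same target.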
