Cheat Engine Forum - The Official Site of Cheat Engine
Finding address from assembly code using AOB scan
BeamingTerror
Posted: Sat Apr 29, 2023 9:10 am

Hello, newbie here.

I am trying to find the z coordinate (up and down) in Breath of the Wild (Cemu).

I can successfully find the right address and edit it, but I was unsuccessful in finding the pointers for this address. I tried using pointer scans (always empty result) and just the general way by finding what accesses it, then using the possible hex value needed to find the pointer. In the end I get hundreds of pointers and I don't want to spend my time finding the right one, since they are all multi-level pointers.

I found out how to use AOBinjection to always find the value of arrows, and made an infinite arrow script.

I wanted to know how I could use AOBinjection or AOBscan to find the address of the z coordinate, provided the disassembly code for what accesses the z coord address also accesses many other addresses. Some of those addresses are fake values of the z coord and some I don't know. I thought about using the dissect structure to see the unique things between the real address and the others that are accessed by this code. Am I moving in the right direction, and if so, how would I implement this into the auto assembler code?

Thanks
++METHOS
Posted: Sat Apr 29, 2023 9:33 am

Is this even playable on CEMU? When I checked, it was too laggy on my system.

Once you have found the correct address, right-click on it in the cheat table to see what accesses it. In the new window that pops up, right-click on an empty white space and check to see if the opcodes access any other addresses. Return to game for a moment and then back to CE. If any results show (1) next to them, then you may use that instruction to capture the address every time.
BeamingTerror
Posted: Sat Apr 29, 2023 9:46 am

++METHOS wrote:
Is this even playable on CEMU? When I checked, it was too laggy on my system.

Once you have found the correct address, right-click on it in the cheat table to see what accesses it. In the new window that pops up, right-click on an empty white space and check to see if the opcodes access any other addresses. Return to game for a moment and then back to CE. If any results show (1) next to them, then you may use that instruction to capture the address every time.


Yes, it's very much playable and people are making mods for it every day. Maybe you tried it some time ago when it was harder to run.

Nope, it's accessing a very large amount of addresses instantly, multiple times a second.
++METHOS
Posted: Sat Apr 29, 2023 10:01 am

You have me curious about this now. I want to check to see if things have improved.

Regarding the results, did you see an (8) next to all of the instructions?
BeamingTerror
Posted: Sat Apr 29, 2023 10:07 am

++METHOS wrote:
You have me curious about this now. I want to check to see if things have improved.

Regarding the results, did you see an (8) next to all of the instructions?


Not sure what you mean; here I provided a screenshot of the addresses being accessed and the code on the left.



brave_RR0Ro4zsM3.png
 Description:
 Filesize:  123.08 KB
 Viewed:  1830 Time(s)

brave_RR0Ro4zsM3.png


++METHOS
Posted: Sat Apr 29, 2023 10:20 am

I realized just now that I was thinking of the Switch emulator, not CEMU. Nonetheless, I am curious to try this out on CEMU now.

Regarding your results, you must follow the instructions that I have provided. Since this is being emulated, it may not be that you end up with any viable results. However, your identifier is likely being stored in one of the registers and can be easily filtered out.
BeamingTerror
Posted: Sat Apr 29, 2023 10:43 am

++METHOS wrote:
I realized just now that I was thinking of the Switch emulator, not CEMU. Nonetheless, I am curious to try this out on CEMU now.

Regarding your results, you must follow the instructions that I have provided. Since this is being emulated, it may not be that you end up with any viable results. However, your identifier is likely being stored in one of the registers and can be easily filtered out.


Yep, it's on Cemu. There are graphics mods that make it look much nicer, so don't worry much about the looks being bad.

Regarding the results, my bad. I misunderstood your reply and didn't do it properly. I did it and I played a bit, and after all that, I ended up with one code that was accessing only 1 address (it had a (1) next to it). However, upon getting the array of bytes and putting it into the auto assembly script, the address returned did not give the right value for the z coordinate, and when I changed it the game crashed.
Here's the code for the auto assembly script.



Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

 
 
aobscan(Zcoord,4D 8B 74 2D 50 49 0FCE 49 C1 C6 20 66 49 0F6E CE 0F5A C9 E9 3B010000 66 45 8B 74 2D 50 66 41 C1 C6 08 4D 0FB7 F6 44 89 B4 24 70030000 66 45 8B 74 2D 52 66 41 C1 C6 08 4D 0FB7 F6 44 89 B4 24 74030000 66 0F2A 8C 24 70030000 49 89 C6 41 C1 EE 14 41 81 E6 F0030000 4D 01 FE 66 41 0F59 8E E0000040 E9 E5000000 66 45 8B 74 2D 50 66 41 C1 C6 08 4D 0FBF F6 44 89 B4 24 70030000 66 45 8B 74 2D 52 66 41 C1 C6 08 4D 0FBF F6 44 89 B4 24 74030000 66 0F2A 8C 24 70030000 49 89 C6 41 C1 EE 14 41 81 E6 F0030000 4D 01 FE 66 41 0F59 8E E0000040 E9 8F000000 45 8A 74 2D 50 4D 0FB6 F6 44 89 B4 24 70030000 45 8A 74 2D 51 4D 0FB6 F6 44 89 B4 24 74030000 66 0F2A 8C 24 70030000 49 89 C6 41 C1 EE 14 41 81 E6 F0030000 4D 01 FE 66 41 0F59 8E E0000040 E9 45000000 45 8A 74 2D 50 4D 0FBE F6 44 89 B4 24 70030000 45 8A 74 2D 51 4D 0FBE F6 44 89 B4 24 74030000 66 0F2A 8C 24 70030000 49 89 C6 41 C1 EE 14 41 81 E6 F0030000 4D 01 FE 66 41 0F59 8E E0000040 66 0F10 94 E4 88000000 49 89 C6 41 C1 EE 10 41 83 E6 07 41 83 FE 04 0F84 E3000000 41 83 FE 05 0F84 2D000000 41 83 FE 06 0F84 19010000 41 83 FE 07 0F84 6F000000 4D 8B 74 35 50 49 0FCE 49 C1 C6 20 66 49 0F6E D6 0F5A D2 E9 3B010000 66 45 8B 74 35 50 66 41 C1 C6 08 4D 0FB7 F6 44 89 B4 24 70030000 66 45 8B 74 35 52 66 41 C1 C6 08 4D 0FB7 F6 44 89 B4 24 74030000 66 0F2A 94 24 70030000 49 89 C6 41 C1 EE 14 41 81 E6 F0030000 4D 01 FE 66 41 0F59 96 E0000040 E9 E5000000 66 45 8B 74 35 50 66 41 C1 C6 08 4D 0FBF F6 44 89 B4 24 70030000 66 45 8B 74 35 52 66 41 C1 C6 08 4D 0FBF F6 44 89 B4 24 74030000 66 0F2A 94 24 70030000 49 89 C6 41 C1 EE 14 41 81 E6 F0030000 4D 01 FE 66 41 0F59 96 E0000040 E9 8F000000 45 8A 74 35 50 4D 0FB6 F6 44 89 B4 24 70030000 45 8A 74 35 51 4D 0FB6 F6 44 89 B4 24 74030000 66 0F2A 94 24 70030000 49 89 C6 41 C1 EE 14 41 81 E6 F0030000 4D 01 FE 66 41 0F59 96 E0000040 E9 45000000 45 8A 74 35 50 4D 0FBE F6 44 89 B4 24 70030000 45 8A 74 35 51 4D 0FBE F6 44 89 B4 24 74030000 66 0F2A 94 24 70030000 49 89 C6 41 C1 EE 14 41 81 E6 F0030000 4D 01 FE 66 41 0F59 96 E0000040 66 0F10 9C E4 38010000 C5F95CD9 66 0F5A DB 0F5A DB 49 89 C6 41 C1 EE 10 41 83 E6 07 41 83 FE 04 0F84 E3000000 41 83 FE 05 0F84 2D000000 41 83 FE 06 0F84 19010000 41 83 FE 07 0F84 6F000000 4D 8B 74 35 40 49 0FCE 49 C1 C6 20 66 49 0F6E C6 0F5A C0 E9 3B010000 66 45 8B 74 35 40 66 41 C1 C6 08 4D 0FB7 F6 44 89 B4 24 70030000 66 45 8B 74 35 42 66 41 C1 C6 08 4D 0FB7 F6 44 89 B4 24 74030000 66 0F2A 84 24 70030000 49 89 C6 41 C1 EE 14 41 81 E6 F0030000 4D 01 FE 66 41 0F59 86 E0000040 E9 E5000000 66 45 8B 74 35 40 66 41 C1 C6 08 4D 0FBF F6 44 89 B4 24 70030000 66 45 8B 74 35 42 66 41 C1 C6 08 4D 0FBF F6 44 89 B4 24 74030000 66 0F2A 84 24 70030000 49 89 C6 41 C1 EE 14 41 81 E6 F0030000 4D 01 FE 66 41 0F59 86 E0000040 E9 8F000000 45 8A 74 35 40 4D 0FB6 F6 44 89 B4 24 70030000 45 8A 74 35 41 4D 0FB6 F6) // should be unique

label(_zcoord)
registersymbol(_zcoord)

Zcoord:

_zcoord:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat

unregistersymbol(_zcoord)


I would then add the address _zcoord manually, and it would display the value.
++METHOS
Posted: Sat Apr 29, 2023 11:12 am

This is a signature for finding the value and not the instruction? If so, have you tried creating a script for the instruction and just capturing/storing the coordinate address that way?

Also, that's gross. Maybe use this to generate your signature [credit: aSwedishMagyar]:

Code:
-- Generates the shortest wildcard AOB signature that is unique inside the
-- module containing the selected address: opcode bytes are kept, operand and
-- displacement bytes become '??' so the signature survives relocation.
function getModuleName(base)
   local modules = enumModules()
   for k = 1,#modules do
      local startPoint = modules[k].Address
      local endPoint = getModuleSize(modules[k].Name)
      if base > startPoint and base < startPoint+endPoint then
         return modules[k].Name
      end
   end
   return nil
end
function checkAOB(bytes,curModule)
   -- scan the module (or the whole address space if none) and report
   -- whether the signature occurs exactly once
   local base = curModule and curModule.Address or 0x0
   -- getModuleSize wants the module name, not the module record
   local moduleStrSize = curModule and getModuleSize(curModule.Name) or nil
   moduleStrSize = moduleStrSize or 0x7fffffffffff
   local memScanner = createMemScan()
   local memFoundList = createFoundList(memScanner)
   memScanner.firstScan(
      soExactValue,vtByteArray,rtRounded,bytes,nil,
      base,base+moduleStrSize,"",
      fsmNotAligned,"",true,false,false,false)
   memScanner.waitTillDone()
   memFoundList.initialize()
   local unique = (memFoundList.Count == 1)
   memScanner.destroy()
   memFoundList.destroy()
   return unique
end
function checkOpCode(byteVal)
   -- x64 REX prefix (40-4F) or 0F escape: the next byte is still opcode
   if byteVal >= 0x40 and byteVal <= 0x4F then return true end
   if byteVal == 0x0F then return true end
   return false
end
function generateWildcardAOB(base)
   local modules = enumModules()
   local currentModule = nil
   for k = 1,#modules do
      local startPoint = modules[k].Address
      local endPoint = getModuleSize(modules[k].Name)
      if base > startPoint and base < startPoint+endPoint then
         currentModule = modules[k]
         break
      end
   end
   if currentModule == nil then showMessage("Unable to Find Module");return end
   local minLen = 2     -- do not accept a signature shorter than this many instructions
   local maxLen = 120   -- give up after this many instructions
   local wCardFormat = '??'
   local addSpace = false
   local AOB = createStringList()
   local AOBWildCard
   local current = 0
   local isX64 = currentModule.Is64Bit
   local done = false   -- set once a unique signature has been found
   maxLen = maxLen + minLen
   for i = 1,maxLen do
      local size = getInstructionSize(base+current)
      local byteVal = readBytes(base+current,1)
      local byte = string.format('%02X',byteVal)
      byte = byte=='CC' and wCardFormat or byte   -- int3 (CC) padding is not a reliable opcode byte
      AOB.add(byte)
      if isX64 and checkOpCode(byteVal) then
         -- prefix byte: keep the following opcode byte as well
         current = current + 1
         size = size - 1
         byte = string.format('%02X',readBytes(base+current,1))
         if addSpace then AOB.add(' ') end
         AOB.add(byte)
      end
      AOBWildCard = string.gsub(AOB.text, "%c", "")
      if i > minLen and checkAOB(AOBWildCard,currentModule) then
         done = true
         break
      end
      -- wildcard the remaining operand bytes of this instruction
      current = current + size
      if addSpace then AOB.add(' ') end
      for j = 1,size-1 do AOB.add(wCardFormat);if addSpace then AOB.add(' ') end end
   end
   AOBWildCard = string.gsub(AOB.text, "%c", "")
   AOB.destroy()
   -- the for-loop counter is local to the loop, so a flag is needed here
   if not done then print("Unable to find unique AOB");return nil end
   local name = currentModule.Name
   speak('Scan Completed')
   writeToClipboard(AOBWildCard)
   return {AOBWildCard,name}
end
function addGenerateAOBMenu()
   local parent = getMemoryViewForm().Menu.Items
   generateAOBmenuitem = createMenuItem(parent)
   parent.add(generateAOBmenuitem)
   generateAOBmenuitem.Caption = 'Generate AOB'
   generateAOBmenuitem.OnClick = function()
      createThread(function(th)
         generateWildcardAOB(getMemoryViewForm().DisassemblerView.SelectedAddress)
      end)
   end
end
addGenerateAOBMenu()


Save as .lua file and drop into your autorun folder. Make sure your speakers/headphones are turned on.
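The generator METHOS posted keeps the opcode bytes of each instruction, wildcards the operand bytes, and extends the signature one instruction at a time until a scan of the module finds exactly one match. The following is an added stand-alone Python re-implementation of that idea, written to show why a short wildcard signature can keep matching a decoy sequence for longer than expected; it is not code from this thread, from Cheat Engine or from aSwedishMagyar. The instruction bytes and their boundaries are constructed for the example (the Lua gets them from CE's disassembler via getInstructionSize), and the opcode heuristic is the same REX/0F two-byte rule the Lua uses.

```python
"""Wildcard byte-signature scanning, the idea behind the Lua AOB generator.

Constructed example: the instruction bytes below are a hand-made sample region,
not bytes from the game or from the thread, and instruction boundaries are
given explicitly instead of coming from a disassembler.
"""
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]   # None stands for a '??' wildcard position


def parse_signature(text: str) -> Pattern:
    """Parse '4D 8B ?? 2D' (spaces optional) into a list of ints and None."""
    s = text.replace(" ", "")
    if len(s) % 2:
        raise ValueError("signature must have an even number of hex digits")
    return [None if s[i:i + 2] == "??" else int(s[i:i + 2], 16)
            for i in range(0, len(s), 2)]


def format_signature(pattern: Pattern) -> str:
    return " ".join("??" if b is None else f"{b:02X}" for b in pattern)


def find_all(region: bytes, pattern: Pattern) -> List[int]:
    """Every offset in region where the pattern matches (naive scan)."""
    n = len(pattern)
    return [off for off in range(len(region) - n + 1)
            if all(p is None or region[off + k] == p for k, p in enumerate(pattern))]


def opcode_len(instr: bytes) -> int:
    """Same heuristic as the Lua script: keep one byte, or two when the first
    byte is a REX prefix (40-4F) or the 0F two-byte-opcode escape. It knows
    nothing about 66/F2/F3 prefixes, so such instructions keep only one byte."""
    if len(instr) >= 2 and (0x40 <= instr[0] <= 0x4F or instr[0] == 0x0F):
        return 2
    return 1


def generate_unique_signature(instrs: List[bytes], start: int,
                              min_instr: int = 2, max_instr: int = 120
                              ) -> Optional[Tuple[str, int]]:
    """Grow a signature from instrs[start], one instruction at a time, until it
    matches exactly once in the region formed by all of instrs.
    Returns (signature text, instructions used), or None if max_instr is hit."""
    region = b"".join(instrs)
    pattern: Pattern = []
    for count, instr in enumerate(instrs[start:start + max_instr], 1):
        keep = opcode_len(instr)
        for k, b in enumerate(instr):
            # operand bytes and int3 (CC) bytes are wildcarded, as in the Lua
            pattern.append(b if k < keep and b != 0xCC else None)
        if count >= min_instr and len(find_all(region, pattern)) == 1:
            return format_signature(pattern), count
    return None


# Constructed sample region. The decoy shares its first three instructions
# (and the kept opcode byte of the fourth) with the target, so a short
# signature matches twice; only the fifth instruction makes it unique.
FILLER = [b"\x90", b"\x48\x89\xE5", b"\x48\x83\xEC\x20", b"\xC3", b"\xCC", b"\xCC"]
TARGET = [
    b"\x4D\x8B\x74\x2D\x50",   # mov r14,[r13+rbp+50]  -> keep 4D 8B
    b"\x49\x0F\xCE",           # bswap r14             -> keep 49 0F
    b"\x49\xC1\xC6\x20",       # rol r14,20            -> keep 49 C1
    b"\x66\x49\x0F\x6E\xCE",   # movq xmm1,r14         -> keep only 66
    b"\x0F\x5A\xC9",           # cvtps2pd xmm1,xmm1    -> keep 0F 5A
    b"\xE9\x3B\x01\x00\x00",   # jmp rel32             -> keep E9
]
DECOY = [
    b"\x4D\x8B\x74\x35\x40",   # same opcode, different addressing bytes
    b"\x49\x0F\xCE",
    b"\x49\xC1\xC6\x20",
    b"\x66\x0F\x6E\xC8",       # movd xmm1,eax: also starts with 66, one byte shorter
    b"\x0F\x5A\xC9",
    b"\xE9\x8F\x00\x00\x00",
]
MODULE = FILLER + DECOY + FILLER + TARGET + FILLER
TARGET_INDEX = len(FILLER) + len(DECOY) + len(FILLER)   # index of TARGET[0] in MODULE


if __name__ == "__main__":
    result = generate_unique_signature(MODULE, TARGET_INDEX)
    print("unique signature:", result)
    print("matches at offsets:", find_all(b"".join(MODULE), parse_signature(result[0])))
    print("one-instruction prefix matches at:",
          find_all(b"".join(MODULE), parse_signature("4D 8B ?? ?? ??")))
```

Run it and the one-instruction prefix `4D 8B ?? ?? ??` is reported at two offsets (decoy and target); the generator has to reach the fifth instruction before the signature is unique, because the wildcarded fourth instruction still lines up with the decoy's shorter `movd`. The same 20-byte signature still matches a copy of the target whose displacement and jump bytes differ, which is the property the generator is after.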
BeamingTerror
Posted: Sat Apr 29, 2023 11:20 am

++METHOS wrote:
This is a signature for finding the value and not the instruction? If so, have you tried creating a script for the instruction and just capturing/storing the coordinate address that way?

Also, that's gross. Maybe use this to generate your signature [credit: aSwedishMagyar]:

Code:
-- Generates the shortest wildcard AOB signature that is unique inside the
-- module containing the selected address: opcode bytes are kept, operand and
-- displacement bytes become '??' so the signature survives relocation.
function getModuleName(base)
   local modules = enumModules()
   for k = 1,#modules do
      local startPoint = modules[k].Address
      local endPoint = getModuleSize(modules[k].Name)
      if base > startPoint and base < startPoint+endPoint then
         return modules[k].Name
      end
   end
   return nil
end
function checkAOB(bytes,curModule)
   -- scan the module (or the whole address space if none) and report
   -- whether the signature occurs exactly once
   local base = curModule and curModule.Address or 0x0
   -- getModuleSize wants the module name, not the module record
   local moduleStrSize = curModule and getModuleSize(curModule.Name) or nil
   moduleStrSize = moduleStrSize or 0x7fffffffffff
   local memScanner = createMemScan()
   local memFoundList = createFoundList(memScanner)
   memScanner.firstScan(
      soExactValue,vtByteArray,rtRounded,bytes,nil,
      base,base+moduleStrSize,"",
      fsmNotAligned,"",true,false,false,false)
   memScanner.waitTillDone()
   memFoundList.initialize()
   local unique = (memFoundList.Count == 1)
   memScanner.destroy()
   memFoundList.destroy()
   return unique
end
function checkOpCode(byteVal)
   -- x64 REX prefix (40-4F) or 0F escape: the next byte is still opcode
   if byteVal >= 0x40 and byteVal <= 0x4F then return true end
   if byteVal == 0x0F then return true end
   return false
end
function generateWildcardAOB(base)
   local modules = enumModules()
   local currentModule = nil
   for k = 1,#modules do
      local startPoint = modules[k].Address
      local endPoint = getModuleSize(modules[k].Name)
      if base > startPoint and base < startPoint+endPoint then
         currentModule = modules[k]
         break
      end
   end
   if currentModule == nil then showMessage("Unable to Find Module");return end
   local minLen = 2     -- do not accept a signature shorter than this many instructions
   local maxLen = 120   -- give up after this many instructions
   local wCardFormat = '??'
   local addSpace = false
   local AOB = createStringList()
   local AOBWildCard
   local current = 0
   local isX64 = currentModule.Is64Bit
   local done = false   -- set once a unique signature has been found
   maxLen = maxLen + minLen
   for i = 1,maxLen do
      local size = getInstructionSize(base+current)
      local byteVal = readBytes(base+current,1)
      local byte = string.format('%02X',byteVal)
      byte = byte=='CC' and wCardFormat or byte   -- int3 (CC) padding is not a reliable opcode byte
      AOB.add(byte)
      if isX64 and checkOpCode(byteVal) then
         -- prefix byte: keep the following opcode byte as well
         current = current + 1
         size = size - 1
         byte = string.format('%02X',readBytes(base+current,1))
         if addSpace then AOB.add(' ') end
         AOB.add(byte)
      end
      AOBWildCard = string.gsub(AOB.text, "%c", "")
      if i > minLen and checkAOB(AOBWildCard,currentModule) then
         done = true
         break
      end
      -- wildcard the remaining operand bytes of this instruction
      current = current + size
      if addSpace then AOB.add(' ') end
      for j = 1,size-1 do AOB.add(wCardFormat);if addSpace then AOB.add(' ') end end
   end
   AOBWildCard = string.gsub(AOB.text, "%c", "")
   AOB.destroy()
   -- the for-loop counter is local to the loop, so a flag is needed here
   if not done then print("Unable to find unique AOB");return nil end
   local name = currentModule.Name
   speak('Scan Completed')
   writeToClipboard(AOBWildCard)
   return {AOBWildCard,name}
end
function addGenerateAOBMenu()
   local parent = getMemoryViewForm().Menu.Items
   generateAOBmenuitem = createMenuItem(parent)
   parent.add(generateAOBmenuitem)
   generateAOBmenuitem.Caption = 'Generate AOB'
   generateAOBmenuitem.OnClick = function()
      createThread(function(th)
         generateWildcardAOB(getMemoryViewForm().DisassemblerView.SelectedAddress)
      end)
   end
end
addGenerateAOBMenu()


Save as .lua file and drop into your autorun folder. Make sure your speakers/headphones are turned on.


Hey, thanks for the Lua script provided. I'm assuming this will make it so that I don't have to copy the bytes of many instructions and it will get them automatically?

Also, I don't understand what you mean in your first question. The sequence of bytes is the one for the instruction that accesses the address with the z coord value, and in the end, I want the value of that address, not the instruction itself. Can you please elaborate on what you mean by creating a script for the instruction?

Again, I'm a newbie, so apologies for not getting it quickly.
++METHOS
Posted: Sat Apr 29, 2023 1:06 pm

There are (2) addresses or locations that you are dealing with. One for the instruction, and one for the coordinate value. You can use AOB to find the value or the instruction.

It is better to find the instruction, then use that as your injection point to capture the coordinate address.

Are you sure that you have the correct address for Z coordinate? What method(s) are you using to find it?
BeamingTerror
Posted: Sat Apr 29, 2023 1:12 pm

++METHOS wrote:
There are (2) addresses or locations that you are dealing with. One for the instruction, and one for the coordinate value. You can use AOB to find the value or the instruction.

It is better to find the instruction, then use that as your injection point to capture the coordinate address.

Are you sure that you have the correct address for Z coordinate? What method(s) are you using to find it?



In summary, here is what I'm doing.

1. I scan for a 2-byte big-endian unknown value (I know it's 2-byte big-endian because I have a cheat table for this game made by a YouTuber)

2. I climb something and scan for increase/decrease

3. I find like a thousand values that are the same.

4. Keep changing the value of half of the addresses I added until I narrow it down to one real value that has an effect in game when I change it

5. I see what accesses this address and do the step you told me and then play a bit until I find one instruction which has a (1) next to it

6. I open it in disassembler then press ctrl A to make a script

7. I use the above mentioned script to find the address or value (to be honest, I don't know what the script does exactly; I copy-pasted it and apparently it's supposed to get the address that the instruction accesses)

8. Add the address _zcoord manually

9. ̶P̶r̶o̶f̶i̶t̶ no profit ;(
++METHOS
Posted: Sat Apr 29, 2023 2:39 pm

You will want to search for (float) big endian.

Always test your values before proceeding further. In the case of coordinates, you can do this by a freeze test or a teleport test.

Because this is an emulator, the AOB signatures may be trash. What I gave you for generation will probably be trash, also. I have a different tool that you can use (if you want).

Here is a script that you can test (it is working for me):

https://ufile.io/80vlsoq2
BeamingTerror
Posted: Sat Apr 29, 2023 3:00 pm

++METHOS wrote:
You will want to search for (float) big endian.

Always test your values before proceeding further. In the case of coordinates, you can do this by a freeze test or a teleport test.

Because this is an emulator, the AOB signatures may be trash. What I gave you for generation will probably be trash, also. I have a different tool that you can use (if you want).

Here is a script that you can test (it is working for me):


I did test the values. I froze it and teleported and all worked properly.

Thanks a lot for the script! It doesn't work for me; maybe that's because of the Cemu version or something, I don't really know. I looked at the script, and to be honest with you, I have no idea what is happening lol. I will try to read it more tomorrow as it is late for me, and I will see what I can do.

Just a question though: following aobscan, you wrote an address or something, 4F8B741560490FCE49C1C62066490F6ECE0F5AC9E9xxxxxxxx664 etc. What is this value, is it hex or what exactly? I thought you could only do aobscan for an array of bytes.

Again, thanks for the script, but as I said, I'm a newbie, so I want to learn how to do it myself. You've provided lots of help though, so I understand if you don't want to help anymore.
++METHOS
Posted: Sat Apr 29, 2023 3:39 pm

I am happy to help. I have free time from my work today.

I suspected that the script might not work for you. I am using the latest version of CEMU (rom from ziperto). You should be able to replicate my steps and put together the same thing for yourself though.

The script is very simple. I can give you the steps for you to replicate.

The AOB signature is hex. The 'x' are just wildcard variables. The signature was auto-generated.

Steps:

1. Find Z coordinate value and test it.
2. Right-click on the address inside of the cheat table and check the option to see what 'accesses'.
3. There were no exclusive instructions, so I just chose one that was being accessed the most.
4. Looking at the instruction mov r14,[r13+r10+60], I suspected that the ID might be stored in r13 or r10 (which is very common with emulators).
5. With the debugger window still open and running, I highlighted the instruction that I was interested in, and looked in the bottom window to see what the values were for r13 and r10, respectively.
6. r10 looked good, so I copied the value and created a script that would compare r10 to the value that I copied. (there are ways to test this, but I skipped over it, because I saw that the filter was probably good when I activated my script)
7. The script filters out all addresses except for the Z coordinate address (we hope), then stores that address inside of a symbol that we created. Once the script is finished, we save it to our table and then activate it.
8. Once activated, we 'Add Address Manually' in the upper-right corner of the cheat table.
9. We set the address as a pointer, then paste the name of the symbol that we created (which, in this case, was coordinates_address) inside the bottom text field. We check that the data type is correct and we click okay.
10. Once added, you should see the coordinate address correctly being displayed (if it's flickering, then your filter is not good enough). From there, we just copy/paste the address two more times and adjust the offset for each pointer so that we get the other coordinates.
11. Save the table. Close Cemu and restart Cemu. Reattach CE. Activate script. Still working? Profit.

EDIT:
If you find that the identifier is not reliable after some time, then you may need to update or improve it. I think, with emulators like this, things can be more of a pain, though, and may not be worth pursuing. There are built-in cheats for this, also, so.
BeamingTerror
Posted: Sun Apr 30, 2023 5:25 am

++METHOS wrote:
I am happy to help. I have free time from my work today.

I suspected that the script might not work for you. I am using the latest version of CEMU (rom from ziperto). You should be able to replicate my steps and put together the same thing for yourself though.

The script is very simple. I can give you the steps for you to replicate.

The AOB signature is hex. The 'x' are just wildcard variables. The signature was auto-generated.

Steps:

1. Find Z coordinate value and test it.
2. Right-click on the address inside of the cheat table and check the option to see what 'accesses'.
3. There were no exclusive instructions, so I just chose one that was being accessed the most.
4. Looking at the instruction mov r14,[r13+r10+60], I suspected that the ID might be stored in r13 or r10 (which is very common with emulators).
5. With the debugger window still open and running, I highlighted the instruction that I was interested in, and looked in the bottom window to see what the values were for r13 and r10, respectively.
6. r10 looked good, so I copied the value and created a script that would compare r10 to the value that I copied. (there are ways to test this, but I skipped over it, because I saw that the filter was probably good when I activated my script)
7. The script filters out all addresses except for the Z coordinate address (we hope), then stores that address inside of a symbol that we created. Once the script is finished, we save it to our table and then activate it.
8. Once activated, we 'Add Address Manually' in the upper-right corner of the cheat table.
9. We set the address as a pointer, then paste the name of the symbol that we created (which, in this case, was coordinates_address) inside the bottom text field. We check that the data type is correct and we click okay.
10. Once added, you should see the coordinate address correctly being displayed (if it's flickering, then your filter is not good enough). From there, we just copy/paste the address two more times and adjust the offset for each pointer so that we get the other coordinates.
11. Save the table. Close Cemu and restart Cemu. Reattach CE. Activate script. Still working? Profit.

EDIT:
If you find that the identifier is not reliable after some time, then you may need to update or improve it. I think, with emulators like this, things can be more of a pain, though, and may not be worth pursuing. There are built-in cheats for this, also, so.


Dude, I don't know what to say. You are amazing. It works now, I did it myself according to your steps and it worked!

To answer your last statement, I am only doing this to learn, I won't even use this cheat for botw, or any other one. I'm making cheats for most of the games I'm currently playing, and I've never used one of them outside of testing haha.

Anyways, your efforts are extremely appreciated! Thanks a lot for your time, friend!

Edit: Lmao how do I review you and give you +1 rep
Page 1 of 2