Cheat Engine

[47iscool]

Need a little help here. I know that CE can give you pcsx2's emulated ASM address when you select "find what reads/writes to this address", basically the ESI is what you want, just add a "2" to the beginning of the given address or several behind it. I also know that the RAM is mounted from 0x20000000 to 0x22000000. Thanks to DarkByte for this phenomenal tool I have been able to make walk through walls codes for several PS2 games (they are located at Gamehacking.org)

But now I have hit a roadblock, I want to make ASM codes for GameCube and Wii using CE and Dolphin. One thing I have found out is this after setting a read on Sonic's rings in SA2B:

105A58CE - 66 C1 C1 08 - rol cx,08
105A58D2 - 81 E2 FFFFFF3F - and edx,3FFFFFFF
105A58D8 - 66 89 8A 0000780A - mov [edx+0A780000],cx <<
105A58DF - 8B CF - mov ecx,edi
105A58E1 - 81 C1 68000000 - add ecx,00000068

EAX=00000007
EBX=00000000
ECX=00000800
EDX=001CC1D0
ESI=00000000
EDI=801CC168
ESP=1D94FC2C
EBP=00000008
EIP=105A58DF

The EDX value is the GameCube rings RAM address, but the problem is I don't how to get the ASM code that stops him from losing rings when he's hit. Another thing, this address here:0xA780000 is where the emulated RAM starts. There is one person I know that figured how to get the ASM by using CE with Dolphin but he's not answering me on how it's done.

So I will ask, is there anyone here that has figured how to do it? If not maybe someone can give me some ideas on where/how to start?

Thanks

[Rydian]

You're best served by using debugging tools within the emulator itself, not something external.

http://code.google.com/p/dolphin-emu/wiki/DeveloperGuide

[47iscool]

[mgr.inz.Player]

That one person probably had found "instruction pointer" or something like that.


"only support execution breakpoints"
Is there "instruction pointer" in that dolphin debugger? If yes, find address that keeps instruction pointer and add it to CE.

Find and add rings address, then set "break on write" breakpoint with CE.
How to set break on write? Highlight rings address, press ctrl+b, in "memory viewer" (hex view part) right click and choose "display type" and click data type you want (if rings is 4byte value, choose 4byte decimal, if 2bytes value, choose 2byte decimal), ok, now right click rings value (in hexview part) and choose "data breakpoint -> break on write".

Go to game, loose some rings ( if you accidentally gained some rings, game froze, you must press F9 in "memory viewer" window, press F9 it at least one time)


While you loose some rings, game will freeze. Look at "instruction pointer" value inside CE. Now you know which instruction (pointed by "instruction pointer" is overwriting rings).


Note: in above method, "instruction pointer" can point to exact instruction (the one which overwrites) or next instruction (instruction which is right after "overwriting instruction").

[47iscool]

[Dark Byte]

Dolphin is an emulator. That means that the code that accesses something, is the same for everything. That includes walking speed, rendering 3d objects and networking

One thing you could do is compare the saved stack snapshots and see if you can find a way to distinguish a ring loss from everything else. (e.g the stack might contain a pointer to the emulated instruction. And based on that instruction it's the ring loss code, or the render pixel code)

[47iscool]

[Dark Byte]

the find what accesses options save stack snapshots by default.

In more info, click on the S button. Then rightclick in the stackview window and you'll find a option to add a snapshot to the compare in a structure dissect window

[47iscool]

[Dark Byte]

choose "lock and add this view to a structure dissect window"

[47iscool]

[Dark Byte]

Put multiple besides eachother.
Find out what writes your rings and make sure the first access is the one where you lose one
Then again find what writes your rings and make sure the first access is the one where you gain one

Now compare the two stack snapshots with eachother

[mgr.inz.Player]

@47iscool, launch dolphin with /d switch.

1) Run game. Click pause (main dolphin window). Now, choose from "view" this one "registers".

2) You will find PC register there. Double click it then right click it and choose "copy".

3) Paste this value to CE and do 4byte scan (exact, hex).

4) In dolphin click play, wait a while, click pause

5) repeat step 2 and 3 (next scan)

6) that way, you will find instruction pointer. PC register.

7) add it to CE. Name it "Dolphin GC - PC register"


You will have PC register from GameCube CPU, which is inside Dolphin process (because it is an emulator). For me, Dolphin4 32bit, PC register can be found here: Dolphin.exe+A4FB00

Now, with CE, find rings address. Do "what accesses this address". I got this:

[47iscool]

@mgr.inz.Player Thank you so much!!! Now I can make GC and Wii ASM codes! Very very happy now thanks a million! Would you mind if I copied and pasted this info over at Gamehacking.org and credited you?

A lot of people would love to be able to make ASM codes for these two systems but don't have a USB gecko.

So again thank you @DarkByte for the awesome Cheat Engine amd thank you @mgr.inz.Player for the info on how to get the ASM.

[mgr.inz.Player]

Above method isn't perfect. Sometimes "Dolphin GC - PC register" is much older. (still, not far from exact instruction)

Example (this time, writing data - you used "break on write" in CE):
You've got "Dolphin GC - PC register" value: 800637EC




To get exact instruction do this:

1) remove breakpoints from CE
2) with dolphin set breakpoint to 800637EC
3) do something in game, so it will trigger breakpoint.
4) in CE, set "break on access" (or "break on write") on "rings" address
5) do clicks on "step" button in Dolphin, keep looking at memory viewer from CE.
6) if it main window caption change to "debugging", you got right instruction.




That way, I found this address of instruction (which updates "rings"): 8006381C
(as you see "Dolphin GC - PC register" was close enough, 12 clicks on "step" button)