This entire tutorial was written by and all credit to mgr.inz.Player
of the Cheat Engine forums
Example game: Sonic Adventure 2 Battle GSNE8P
Launch Dolphin with the /d switch.
1) Run the game. Click pause (main Dolphin window). Then choose "Registers" from the "View" menu.
2) You will find the PC register there. Double-click it, then right-click it and choose "copy".
3) Paste this value into CE and do a 4-byte scan (exact value, hex).
4) In Dolphin click play, wait a while, then click pause.
5) Repeat steps 2 and 3 (next scan).
6) That way you will find the instruction pointer, i.e. the PC register.
7) Add it to CE. Name it "Dolphin GC - PC register".
You now have the PC register of the emulated GameCube CPU, which lives inside the Dolphin process (because it is an emulator). For me, on Dolphin 4 32-bit, the PC register is at Dolphin.exe+A4FB00
Now, with CE, find the rings address. Do "what accesses this address". I got this:
Code:
    105FC8DB - 8B C1            - mov eax,ecx
    105FC8DD - 81 E0 FFFFFF3F   - and eax,3FFFFFFF
    105FC8E3 - 0FB7 80 0000C80A - movzx eax,word ptr [eax+0AC80000] <<
    105FC8EA - 0FC8             - bswap eax
    105FC8EC - C1 F8 10         - sar eax,10

    EAX=00007100
    EBX=7C9010E0
    ECX=801CC1D0
    EDX=0F6E0020
    ESI=801CC168
    EDI=00000000
    ESP=1FF5FF0C
    EBP=1FF5FF24
    EIP=105FC8EA
ECX (=801CC1D0) holds the rings address (the address as it would be on a real GameCube).
(801CC1D0 & 3FFFFFFF) + 0AC80000 is the address you found with CE.
Close the "what accesses" window. Set a "break on access" breakpoint. Emulation will freeze immediately.
Look at "PC register". It will be:
800625B8
OK, remove all CE breakpoints and resume thread execution (F9 key).
Set a breakpoint in Dolphin. Try 800625B8.
I got it here:
Code:
    800625b4 rlwinm r0, r29, 1, 0, 30 (7fffffff)
    800625b8 add r3, r3, r0                        <---- break here
    800625bc lha r0, 0x0068 (r3)
    800625c0 stw r0, 0x0904 (r31)
    800625c4 lwz r0, 0x0904 (r31)
Hmm, an lha instruction at address 800625bc.
lha r0, 0x0068 (r3) translates to: load into R0 the halfword from memory at R3+0x68.
A quick glance at the registers tab shows R3 is 801cc168.
801CC168 + 68 is 801CC1D0. Bingo.
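To tie the two halves of the walkthrough together (the "& 3FFFFFFF then + 0AC80000" translation and the lha at R3+0x68), here is an added example that is not part of the original post. It maps the GameCube address to the CE address and shows that the x86 sequence CE displayed (movzx, bswap, sar 10) is Dolphin's JIT doing a big-endian, sign-extended halfword load, i.e. lha. The host base 0AC80000 and the register values are taken from the post (the base differs per Dolphin build and run); the RAM buffer is constructed here.

```python
# Added example: GameCube -> Dolphin host address translation and the JIT'd lha.
# Assumption: HOST_BASE is the value from this post; it varies between Dolphin builds/runs.
import struct

HOST_BASE = 0x0AC80000       # where emulated main RAM sits inside Dolphin.exe (from the post)
GC_MASK = 0x3FFFFFFF         # drops the 0x8 (cached) / 0xC (uncached) high nibble
RAM_SIZE = 24 * 1024 * 1024  # GameCube main memory is 24 MiB

def gc_to_host(gc_addr: int) -> int:
    """Emulated PowerPC address -> address inside the Dolphin process (what CE scans)."""
    return (gc_addr & GC_MASK) + HOST_BASE

def host_to_gc(host_addr: int) -> int:
    """Inverse mapping, assuming the address belongs to the cached 0x80000000 region."""
    return (host_addr - HOST_BASE) | 0x80000000

def jit_lha(ram: bytes, host_addr: int) -> int:
    """Mimic 'movzx eax,word ptr [eax+base]; bswap eax; sar eax,10' from the CE listing.
    Host memory is little-endian but GameCube memory is big-endian, so the JIT loads the
    halfword zero-extended, byte-swaps the whole 32-bit register (the halfword ends up in
    the top 16 bits) and arithmetic-shifts it down, which sign-extends exactly like lha."""
    off = host_addr - HOST_BASE
    eax = struct.unpack_from("<H", ram, off)[0]               # movzx: 16-bit, zero-extended
    eax = int.from_bytes(eax.to_bytes(4, "little"), "big")    # bswap eax
    return (eax >> 16) - 0x10000 if eax & 0x80000000 else eax >> 16  # sar eax,0x10

def ppc_lha(ram: bytes, gc_addr: int) -> int:
    """Reference semantics of lha: big-endian halfword, sign-extended."""
    return struct.unpack_from(">h", ram, gc_addr & GC_MASK)[0]

def rings_address(r3: int = 0x801CC168, disp: int = 0x0068) -> int:
    """Effective address of 'lha r0, 0x0068 (r3)' with the R3 value from the post."""
    return r3 + disp

def build_sample_ram(ring_count: int) -> bytearray:
    """Constructed RAM image with the ring counter stored big-endian at the rings address."""
    ram = bytearray(RAM_SIZE)
    struct.pack_into(">h", ram, rings_address() & GC_MASK, ring_count)
    return ram

if __name__ == "__main__":
    # EAX=00007100 right after the movzx in the post means bytes 00 71 in RAM: 0x71 rings.
    ram = build_sample_ram(0x71)
    ea = rings_address()
    print(hex(ea), hex(gc_to_host(ea)), jit_lha(ram, gc_to_host(ea)), ppc_lha(ram, ea))
```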