Dolphin, the GameCube and Wii emulator - Forums

Full Version: How to make ASM codes for Wii & GC Using Cheat Engine+Dolphin [Tutorial]
I've seen several threads of people asking if this was possible, so here ya go.
Also, you don't need the debug fast versions either.


This entire tutorial was written by, and all credit goes to, mgr.inz.Player
of the Cheat Engine forums.

Example game: Sonic Adventure 2 Battle GSNE8P

Launch Dolphin with the /d switch.

1) Run the game. Click pause (main Dolphin window). Now choose "Registers" from the "View" menu.

2) You will find the PC register there. Double-click it, then right-click it and choose "copy".

3) Paste this value into CE and do a 4-byte scan (exact value, hex).

4) In Dolphin, click play, wait a while, then click pause.

5) Repeat steps 2 and 3 (next scan).

6) That way you will find the instruction pointer (the PC register).

7) Add it to CE. Name it "Dolphin GC - PC register".


You will have the PC register of the GameCube CPU, which is inside the Dolphin process (because it is an emulator). For me (Dolphin 4, 32-bit), the PC register can be found here: Dolphin.exe+A4FB00

Now, with CE, find the rings address. Do "What accesses this address". I got this:
Code:
105FC8DB - 8B C1 - mov eax,ecx
105FC8DD - 81 E0 FFFFFF3F - and eax,3FFFFFFF
105FC8E3 - 0FB7 80 0000C80A - movzx eax,word ptr [eax+0AC80000] <<
105FC8EA - 0FC8 - bswap eax
105FC8EC - C1 F8 10 - sar eax,10

EAX=00007100
EBX=7C9010E0
ECX=801CC1D0
EDX=0F6E0020
ESI=801CC168
EDI=00000000
ESP=1FF5FF0C
EBP=1FF5FF24
EIP=105FC8EA


ECX (=801CC1D0) keeps the rings address (the address as it will be in the real GameCube).
(801CC1D0 & 3FFFFFFF) + 0AC80000 is the address you found with CE.

Close the "What accesses" window. Set a "Break on access" breakpoint. Emulation will freeze immediately.
Look at the "PC register". It will be:
800625B8

OK, remove all breakpoints (CE breakpoints) and resume thread execution (F9 key).
Set a breakpoint in Dolphin. Try 800625B8.

I got it here:
Code:
800625b4 rlwinm r0, r29, 1, 0, 30 (7fffffff)
800625b8 add r3, r3, r0 <---- break here
800625bc lha r0, 0x0068 (r3)
800625c0 stw r0, 0x0904 (r31)
800625c4 lwz r0, 0x0904 (r31)


Hmm, an lha instruction, at address 800625bc.
lha r0, 0x0068 (r3) translates to: store into the R0 register the value from memory pointed to by R3+68.

A quick glance at the "Registers" tab: R3 is 801cc168

801CC168 + 68 is 801CC1D0. Bingo.
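The arithmetic behind the "Bingo" above (the guest-to-host address mapping in the x86 listing, the lha effective address, and the bswap/sar pair that turns the host's little-endian 16-bit load back into the PowerPC halfword) can be checked numerically. The script below is an added example, not part of mgr.inz.Player's tutorial and not Dolphin's own code. It takes the mask 3FFFFFFF and the base 0AC80000 from the listing above (that base is specific to the author's Dolphin 4 32-bit run; it changes between builds and sessions), and SAMPLE_MEMORY is a constructed stand-in for emulated RAM holding the two bytes that produce EAX=00007100 in the register dump. The rlwinm helper is a general implementation of the rotate-and-mask instruction, of which the listing shows one instance.

```python
import struct

# Constants read off the x86 listing in the post:
#   and   eax, 3FFFFFFF                -> GUEST_MASK
#   movzx eax, word ptr [eax+0AC80000] -> HOST_BASE (author's Dolphin 4 32-bit run only)
GUEST_MASK = 0x3FFFFFFF
HOST_BASE = 0x0AC80000

# Constructed stand-in for Dolphin's emulated RAM: {host address: bytes}.
# 00 71 at the host address of the rings variable is what makes movzx load 0x7100,
# matching EAX=00007100 in the register dump (0x71 = 113 rings, big-endian).
SAMPLE_MEMORY = {0x0AE4C1D0: b"\x00\x71"}


def guest_to_host(guest_addr, host_base=HOST_BASE):
    """Mirror the JIT's `and eax,3FFFFFFF` / `[eax+0AC80000]`: drop the region bits
    of the GameCube address, then offset into Dolphin's RAM block."""
    return (guest_addr & GUEST_MASK) + host_base


def host_to_guest(host_addr, host_base=HOST_BASE, region=0x80000000):
    """Inverse mapping for an address found in CE. `region` restores the
    0x8000_0000 (cached) prefix that the mask removed."""
    return ((host_addr - host_base) & GUEST_MASK) | region


def sign_extend16(value):
    value &= 0xFFFF
    return value - 0x10000 if value & 0x8000 else value


def d_form_effective_address(base_reg, displacement):
    """EA of a D-form load/store such as `lha r0, 0x0068 (r3)`:
    EA = (rA) + sign-extended 16-bit displacement, modulo 2**32."""
    return (base_reg + sign_extend16(displacement)) & 0xFFFFFFFF


def rlwinm(rs, sh, mb, me):
    """PowerPC `rlwinm rA, rS, SH, MB, ME`: rotate rS left by SH bits, then AND
    with the mask covering bits MB..ME in IBM numbering (bit 0 = MSB).
    `rlwinm r0, r29, 1, 0, 30` from the listing is therefore r29 << 1."""
    rs &= 0xFFFFFFFF
    rot = ((rs << sh) | (rs >> (32 - sh))) & 0xFFFFFFFF if sh else rs
    mask = 0
    for bit in range(mb, me + 1):
        mask |= 1 << (31 - bit)
    return rot & mask


def jit_lha(host_halfword):
    """What the x86 sequence does with the two bytes at the host address:
    movzx (little-endian 16-bit load), bswap, then sar eax,10 (16 decimal).
    The result is the sign-extended big-endian halfword, i.e. PowerPC `lha`."""
    eax = struct.unpack_from("<H", host_halfword)[0]        # movzx eax, word ptr [...]
    eax = int.from_bytes(eax.to_bytes(4, "little"), "big")  # bswap eax
    signed = eax - 0x100000000 if eax & 0x80000000 else eax  # sar is an arithmetic shift
    return signed >> 16


def resolve_rings(r3, displacement, memory):
    """Walk the chain from the post: lha EA -> guest address -> host address -> value.
    `memory` is a {host address: bytes} map such as SAMPLE_MEMORY."""
    guest_ea = d_form_effective_address(r3, displacement)
    host_addr = guest_to_host(guest_ea)
    return guest_ea, host_addr, jit_lha(memory[host_addr])


if __name__ == "__main__":
    ea, host, rings = resolve_rings(0x801CC168, 0x68, SAMPLE_MEMORY)
    print(f"lha EA (guest) = {ea:08X}")      # 801CC1D0, the ECX value in the dump
    print(f"host address   = {host:08X}")    # the address CE reported
    print(f"rings          = {rings}")       # 113
```

Running it reproduces the post's numbers: R3 + 0x68 is 801CC1D0, masking it and adding the base gives the CE address, and the bswap/sar pair on the host bytes yields the ring count the game sees. Only the host base needs replacing to use the same check against a different Dolphin build.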

-------------------------------------

-Part 2-


The above method isn't perfect. Sometimes "Dolphin GC - PC register" is much older (still, not far from the exact instruction).

Example (this time writing data; you used "Break on write" in CE):
You've got the "Dolphin GC - PC register" value: 800637EC


To get the exact instruction, do this:

1) Remove breakpoints from CE.
2) In Dolphin, set a breakpoint at 800637EC.
3) Do something in the game so it triggers the breakpoint.
4) In CE, set "Break on access" (or "Break on write") on the "rings" address.
5) Click the "step" button in Dolphin, keeping an eye on CE's memory viewer.
6) If the "memory viewer" window caption changes to "debugging", you've got the right instruction.

That way, I found this address of the instruction (which updates "rings"): 8006381C
(as you can see, "Dolphin GC - PC register" was close enough: 12 clicks on the "step" button)


Code:
8006380c rlwinm r24, r3, 0, 31, 31 (00000001)
80063810 li r28, 0
80063814 lha r29, 0x0068 (r31)
80063818 add r0, r29, r4
8006381c sth r0, 0x0068 (r31) <--- store updated "rings" value
80063820 lha r0, 0x0068 (r31)
80063824 addi r31, r31, 104