  1. #1

    Cemuhook - Need help on memory address conversion from a register

    Hi guys,

    I'm playing with the patches feature of rajkosto's cemuhook (big thanks to him, and also epigramx & Xalphenos for their HOWTO!) and I'm facing a little problem I could not solve alone so far.
    Here it is: during runtime, I read the value of a register and display it: 457 282 848 <-> 0x1B419520. I know for sure this value is a memory address, but the value seems not in the proper range (usually this is something like 0x10aaaaaa for data).
    I think there is a conversion I must do in order to properly use this address in the patches.txt file (obviously a line like "0x1B419520 = .byte 0xFF" is doing nothing), but I don't figure out how to do the conversion.
    I tried to play with the module checksum and the PPC <-> x86 conversion tools but no luck so far, it's still a bit confusing for me...
    Could someone help me please?
    Thanks in advance :-)

    PS: I didn't post in the support forum because I think it's support for cemu only and not cemuhook.

  2. #2
    Super-Moderator | Join Date: 13.09.2017 | Posts: 188
    Assuming you have correctly found your memory address, your next step is to find what reads/writes that memory address. You are correct, patches.txt can't patch memory addresses, so you need to patch the code that writes/reads it. If you provide more information I may be able to help further.

  3. #3
    Hi Xalphenos,

    Thanks for your help. In fact, the whole context is I'd like to call a function which writes in the memory, called "setTradeTicket":
    [Attached image: setTradeTicket_asm.png]
    At @027F6D18, the function stores the value from register r0 into -0x3788(r9), which means the content of @dword_1039C288 minus 0x3788.
    So if I can identify the content of @dword_1039C288, I should then be able to retrieve and store its content easily.
    But when I display the content of r9, I get the value of 0x1B419520, which I think should be somewhat "converted" to be used with cemuhook.

  4. #4
    Super-Moderator | Join Date: 13.09.2017 | Posts: 188
    To find the contents of dword_1039C288 should be simple enough. Just set a breakpoint on the x86 equivalent to 0x027F6DCD and see what gets read. From what I can tell that should be a memory address. It gets checked to make sure it's not null, adds 1 to it and then writes some bit of data to that memory address -0x3788. Since it's a memory address you can't directly control it with cemuhook, so you can't convert it to be used with cemuhook. You can add the base address to it for trainer purposes. Otherwise you use cemuhook patches to change the assembly that reads or writes that memory address. So in the example you provided, change the assembly so that r0 is the value you want it to be before it gets written to -0x3788(r9).
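To make the displacement arithmetic in posts #3 and #4 concrete, here is an added example (not code from the thread, from cemuhook or from IDA) that decodes a standard PowerPC D-form load/store and computes its effective address from a register snapshot. The instruction word is constructed; the store is assumed to be `stw`, and r9 is given the 0x1B419520 the poster read at runtime.

```python
# Added example (not from the thread or cemuhook): decode a standard PowerPC
# D-form load/store and compute its effective address. The instruction word
# and register contents below are constructed for illustration.

# Primary opcodes (bits 0-5) of the common D-form loads/stores.
D_FORM_OPCODES = {32: "lwz", 34: "lbz", 36: "stw", 38: "stb", 40: "lhz", 44: "sth"}
MNEMONIC_TO_OPCODE = {m: op for op, m in D_FORM_OPCODES.items()}

def sign_extend16(value):
    """Interpret a 16-bit field as a two's-complement signed displacement."""
    value &= 0xFFFF
    return value - 0x10000 if value & 0x8000 else value

def encode_d_form(mnemonic, rs, ra, disp):
    """Build the 32-bit word for 'mnemonic rS, disp(rA)'."""
    if not -0x8000 <= disp <= 0x7FFF:
        raise ValueError("displacement must fit in a signed 16-bit field")
    opcode = MNEMONIC_TO_OPCODE[mnemonic]
    return (opcode << 26) | (rs << 21) | (ra << 16) | (disp & 0xFFFF)

def decode_d_form(word):
    """Split a D-form word into mnemonic, rS/rT, rA and signed displacement."""
    opcode = word >> 26
    if opcode not in D_FORM_OPCODES:
        raise ValueError(f"0x{word:08X} is not a D-form load/store handled here")
    return {"mnemonic": D_FORM_OPCODES[opcode],
            "rs": (word >> 21) & 0x1F,
            "ra": (word >> 16) & 0x1F,
            "disp": sign_extend16(word & 0xFFFF)}

def format_insn(insn):
    """Render in the IDA-style syntax used in the thread, e.g. stw r0, -0x3788(r9)."""
    d = insn["disp"]
    disp_txt = f"-0x{-d:X}" if d < 0 else f"0x{d:X}"
    return f'{insn["mnemonic"]} r{insn["rs"]}, {disp_txt}(r{insn["ra"]})'

def effective_address(insn, regs):
    """EA = (rA|0) + d wrapped to 32 bits; rA == 0 means the constant 0, not r0."""
    base = 0 if insn["ra"] == 0 else regs[insn["ra"]]
    return (base + insn["disp"]) & 0xFFFFFFFF

if __name__ == "__main__":
    # Constructed: the store from post #3, assumed to be a word store (stw),
    # with r9 holding the 0x1B419520 the poster read at runtime.
    word = encode_d_form("stw", 0, 9, -0x3788)
    insn = decode_d_form(word)
    print(f"0x{word:08X}  {format_insn(insn)}")
    print(f"EA = 0x{effective_address(insn, {9: 0x1B419520}):08X}")
```

The resulting address depends entirely on what r9 holds when the instruction executes, which is why a fixed `address = .byte` line in patches.txt cannot reach it and the patch has to target the code instead.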

  5. #5
    Hi Xalphenos,

    Thanks for your help. But in the end I chose a new approach (maybe worse ^^).
    My goal was to make a patch for Xenoblade to add reward tickets when defeating special enemies (those tickets are only gained during online missions), but I was stuck with this memory issue.
    After working on it the whole day, I chose another approach: to add reward tickets when completing offline missions (which have the same internal structure as online missions; the only difference is that reward tickets are always zero).
    So far this is working pretty well, but for that I had to find a memory address to be used for sharing information between functions.
    So my next question is: is it possible to identify a memory address that is not used by the game, and so can be used freely?
    In IDA, it seems the decompiler is able to identify which memory is used and which is free:
    [Attached image: 2017-10-14 19_29_36-IDA - E__Isos_Jeux Consoles_Wii U_Xenoblade Chronicles X EUR v16-1.0.1E (X)_.png]
    On this screenshot, if I am right, the address 0x1039C180 can be freely used to store a dword. Do you think I am right?
