Breath of The Wild - Finding the Entity List

kriNon
What is cheating?
Posts: 1
Joined: Thu Feb 14, 2019 5:11 pm
Reputation: 0

Breath of The Wild - Finding the Entity List

Post by kriNon » Fri Feb 22, 2019 1:24 am

Hey all,
So I'm working on trying to find where the entity list is stored in memory in Zelda: Breath of the Wild. I am running BOTW on Cemu emulator for Wii U, and so because this game is being emulated, some of the usual methods involving finding pointers will not work.

Here are the steps I have taken in an effort to find the entity list:
First I dropped an item in game, spawning an entity. I have previously found the coordinates of my player, and so I am able to stand on top of the item I dropped to get a rough estimate of its coordinates. I then searched for these coordinates, slightly moved the item, searched again, and repeated until I found the coordinates of the item.

Now that I have the coordinates of the item, I used Cheat Engine's "Find out what accesses this Address", and found two opcodes that were accessing the address. Only one of the opcodes was actually writing to the address, and so I used the "Find out which addresses this instruction accesses" functionality to get a list of addresses accessed by it. In that list of addresses I found coordinates for other objects too, not just the object I had dropped. I am unsure at the moment whether this opcode only accesses item entities, or if it accesses all object entities.

I wanted to be able to find this instruction easily in the future, as it had been difficult to find it, and so what I did was I looked at the base address of the memory region that this opcode was stored in, and then I searched Cemu.exe for a pointer that pointed to this memory region. I then could easily search this region to find the opcode.

The relevant opcode reads:

Code:

    mov [r13+rcx+00],r14d

Now I have minimal experience with any assembly languages, however from what I can tell, I believe that this is x86 ASM, and that what it is doing is reading from register r14d, and writing to the coordinates stored in r13+rcx+00. I am slightly confused by what the +00 is doing, as I would expect that it is doing nothing.

That would mean that r13 and rcx added together would store the coordinates in memory of item entities. As such, I believe that I should somehow be able to work backwards from these to try to find the entity list. I'm not certain whether or not I am on the right track to find the entity list, and so I was hoping for some advice from someone more experienced than me. I'm not really sure what I should be doing next, or how I would be able to work backwards from the information that I have.

Thanks!

TheyCallMeTim13
Administration
Posts: 1611
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 577

Re: Breath of The Wild - Finding the Entity List

Post by TheyCallMeTim13 » Fri Feb 22, 2019 4:18 am

So, first it's x64 ASM. And as for the "+00", "[r13+rcx]" is valid so it's most likely just a compiler thing (i.e. it's just how the compiler was written). And you want to find the base address and the size, so see what R13 and RCX are and the smaller one would likely be the offset from the base. But typically the entity list is found with the player coordinates, and to be honest hooking the entity list is more of a MP thing; might be worth checking Guided Hacking, just know the "show your work" and "don't ask for someone to do it for you" rules are strictly enforced there. But it'll have a lot more people with experience with entity lists, just not sure if they really know emulators.

But hopefully someone else can add some more information.
CE wiki - Tutorials | CE wiki - Auto Assembler Basics | CE wiki - Lua Basics
If it's not a Personal Message don't PM me, use the forum. I ignore PMs that should be asked on the forum.
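The "work backwards" step both posts are circling (take the register values Cheat Engine shows for each hit of `mov [r13+rcx],r14d`, treat the larger register as the base and the smaller as the offset, and recover the array base, element size and field offset) can be done mechanically once a handful of hits have been recorded. The script below is an added example written for this thread; it is not code from either poster, from Cheat Engine or from Cemu. The register snapshots in `SAMPLE_INDEXED_HITS` and `SAMPLE_POINTER_HITS` are constructed values chosen to illustrate the two layouts one usually meets (a contiguous array indexed through one register, or a per-entity pointer plus a fixed field offset); the element size 0x2B0 and field offset 0x1C are made up, not BOTW's real structure. The stride is recovered as the GCD of the differences between observed addresses, which is the standard trick for guessing a structure size from scattered samples.

```python
from functools import reduce
from math import gcd

# Constructed register snapshots, as Cheat Engine would show them on successive
# hits of the write instruction. Values are invented for this example.
# Layout 1: r13 holds a fixed array base, rcx = index * stride + field offset.
SAMPLE_INDEXED_HITS = [
    {"r13": 0x3F0A2000, "rcx": 0x001C},  # element 0
    {"r13": 0x3F0A2000, "rcx": 0x02CC},  # element 1
    {"r13": 0x3F0A2000, "rcx": 0x057C},  # element 2
    {"r13": 0x3F0A2000, "rcx": 0x0D8C},  # element 5 (3 and 4 never hit)
]
# Layout 2: rcx holds a per-entity pointer, r13 is a constant field offset.
SAMPLE_POINTER_HITS = [
    {"r13": 0x001C, "rcx": 0x3F0A2000},
    {"r13": 0x001C, "rcx": 0x3F0A22B0},
    {"r13": 0x001C, "rcx": 0x3F0A2810},
]


def split_hit(hit):
    """Apply the rule of thumb from the reply: of the two registers that form
    the effective address, the larger value is the base and the smaller one
    is the offset added to it. Returns (base, offset)."""
    a, b = hit["r13"], hit["rcx"]
    return (a, b) if a >= b else (b, a)


def analyze_hits(hits):
    """Infer array base, element stride and field offset from recorded hits.

    Returns a dict describing the recovered layout, or raises ValueError when
    the hits do not fit either of the two layouts handled here."""
    if len(hits) < 2:
        raise ValueError("need at least two hits to measure a stride")
    bases, offsets = zip(*(split_hit(h) for h in hits))

    if len(set(bases)) == 1:
        # One fixed base, varying offsets: a contiguous array indexed via rcx.
        layout, values = "indexed", sorted(set(offsets))
    elif len(set(offsets)) == 1:
        # Fixed field offset, varying bases: each base is an entity pointer.
        layout, values = "pointer", sorted(set(bases))
    else:
        raise ValueError("both registers vary; not a simple base+offset access")
    if len(values) < 2:
        raise ValueError("all hits touched the same address; no stride visible")

    # GCD of the pairwise differences is the best guess at the element size.
    diffs = [hi - lo for lo, hi in zip(values, values[1:])]
    stride = reduce(gcd, diffs)

    if layout == "indexed":
        field_offset = values[0] % stride  # offset of the coordinate in its element
        array_base = bases[0] + (values[0] - field_offset)  # lowest element seen
    else:
        field_offset = offsets[0]
        array_base = values[0]  # lowest entity pointer seen

    return {
        "layout": layout,
        "array_base": array_base,
        "stride": stride,
        "field_offset": field_offset,
        # elements spanned by the observed hits (a lower bound on the count)
        "count_spanned": (values[-1] - values[0]) // stride + 1,
    }


def entity_field_address(result, index):
    """Address of the traced field for element `index` under the recovered layout."""
    return result["array_base"] + index * result["stride"] + result["field_offset"]


if __name__ == "__main__":
    for name, hits in (("indexed", SAMPLE_INDEXED_HITS), ("pointer", SAMPLE_POINTER_HITS)):
        r = analyze_hits(hits)
        print(f"{name}: layout={r['layout']} base=0x{r['array_base']:X} "
              f"stride=0x{r['stride']:X} field=+0x{r['field_offset']:X} "
              f"spanned={r['count_spanned']}")
```

Feed it the r13/rcx values from a dozen or so hits (the more distinct entities hit, the more reliable the GCD) and it tells you where to point a memory view: `array_base` is the first element you observed, `stride` is how far to step to the next one, and `field_offset` is where the coordinate sits inside each element, which is the starting point for mapping the rest of the entity structure. A stride that comes out as 4 or 8 means the samples are not from a single array and the layout guess is wrong.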
