Breath of The Wild - Finding the Entity List

[kriNon]

Hey all,
So I'm working on trying to find where the entity list is stored in memory in Zelda: Breath of the Wild. I am running BOTW on Cemu emulator for Wii U, and so because this game is being emulated, some of the usual methods involving finding pointers will not work.

Here are the steps I have taken in an effort to find the entity list:
First I dropped an item in game, spawning an entity. I have previously found the coordinates of my player, and so I am able to stand on top of the item I dropped to get a rough estimate of its coordinates. I then searched for these coordinates, slightly moved the item, searched again, and repeated until I found the coordinates of the item.

Now that I have the coordinates of the item, I used Cheat Engine's "Find out what accesses this Address", and found two opcodes that were accessing the address. Only one of the opcodes was actually writing to the address, and so I used the "Find out which addresses this instruction accesses" functionality to get a list of addresses accessed by it. In that list of addresses I found coordinates for other objects too, not just the object I had dropped. I am unsure at the moment whether this opcode only accesses item entities, or if it accesses all object entites.

I wanted to be able to find this instruction easily in the future, as it had been difficult to find it, and so what I did was I looked at the base address of the memory region that this opcode was stored in, and then I searched Cemu.exe for a pointer that pointed to this memory region. I then could easily search this region to find the opcode.

The relevant opcode reads:

Code: Select all

mov [r13+rcx+00],r14d

Now I have minimal experience with any assembly languages, however from what I can tell, I believe that this is x86 ASM, and that what it is doing is reading from register r14d, and writing to the coordinates stored in r13+rcx+00. I am slightly confused by what the +00 is doing, as I would expect that it is doing nothing.

That would mean that r13 and rcx added together would store the coordinates in memory of item entities. As such, I believe that I should somehow be able to work backwards from these to try to find the entity list. I'm not certain whether or not I am on the right track to find the entity list, and so I was hoping for some advice from someone more experienced than me. I'm not really sure what I should be doing next, or how I would be able to work backwards from the information that I have.

Thanks!

[TimFun13]

So, first it's x64 ASM. And as for the "+00", "[r13+rcx]" is valid so it's most likely just a compiler thing (i.e. it's just how the compiler was written). And you want to find the base address and the size, so see what R13 and RCX are and the smaller one would likely be the offset from the base. But typically the entity list is found with the player coordinates, and to be honest hooking the entity list is more of a MP thing; might be worth checking fearlessrevolution, just know the "show your work" and "don't ask for someone to do it for" rules are strictly enforced there. But it'll have a lot more people with experience with entity lists, just not sure if they really know emulators.

But hopefully someone else can add some more information.

[SunBeam]

If I'm reading it right, [r13+rcx] should be an address in a list of addresses, appointed by either r13 or rcx. As Tim said, one of the two should be the base of the list (the start address) while the other should be the calculated offset (where in that list is your address). Since you posted one line of code, we can't expand on it. But yeah, x64.

As far as ASM is concerned, you're inside an emulator. That emulator is used for more than your game. As such, the various code you'll find writing or reading stuff will be used for other read/writes as well. In short, you will need some filtering applied to make sure that code is only dealing with what you want it to deal with (and not the rest).