Zelda: Breath of the Wild (CEMU)

[QuarryTen]

Not all of the cheats work, only some from the alt and the universal section of the table are working for me (CEMU 1.15.10) and I'm super appreciative for the effort, guys. But what really concerns me is that the max items and max arrows cheats use 100% of my CPU when I tick these cheats. Why is that and are there any alternatives to getting max items without the fear of blowing my CPU up?

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[Anno444]

My modified table for Cemu 1.17.1. Some of the stuff was moved under 'BaseMemory'.

Requires 'Float Big Endian' custom type:

Code: Select all

alloc(TypeName,256)
alloc(ByteSize,4)
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(UsesFloat,1)


TypeName:
db 'Float Big Endian',0

ByteSize:
dd 4

UsesFloat:
db 1


ConvertRoutine:
[64-bit]
xor eax,eax
mov eax,[rcx] //eax now contains the bytes 'input' pointed to
bswap eax //convert to big endian
ret
[/64-bit]

[32-bit]
push ebp
mov ebp,esp
mov eax,[ebp+8] //place the address that contains the bytes into eax
mov eax,[eax] //place the bytes into eax so it's handled as a normal 4 byte value
bswap eax
pop ebp
ret 4
[/32-bit]


ConvertBackRoutine:
[64-bit]
bswap ecx //convert the little endian input into a big endian input
mov [rdx],ecx //place the integer the 4 bytes pointed to by rdx
ret
[/64-bit]

[32-bit]
push ebp
mov ebp,esp
push eax
push ebx
mov eax,[ebp+8] //load the value into eax
mov ebx,[ebp+c] //load the address into ebx
bswap eax

mov [ebx],eax //write the value into the address
pop ebx
pop eax
pop ebp
ret 8
[/32-bit]

And 4 Byte Big Endian:

Code: Select all

alloc(TypeName,256)
alloc(ByteSize,4)
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)

TypeName:
db '4 Byte Big Endian',0

ByteSize:
dd 4

//The convert routine should hold a routine that converts the data to an integer (in eax)
//function declared as: stdcall int ConvertRoutine(unsigned char *input);
//Note: Keep in mind that this routine can be called by multiple threads at the same time.
ConvertRoutine:
//jmp dllname.functionname
[64-bit]
//or manual:
//parameters: (64-bit)
//rcx=address of input
xor eax,eax
mov eax,[rcx] //eax now contains the bytes 'input' pointed to
bswap eax //convert to big endian

ret
[/64-bit]

[32-bit]
//jmp dllname.functionname
//or manual:
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//example:
mov eax,[ebp+8] //place the address that contains the bytes into eax
mov eax,[eax] //place the bytes into eax so it's handled as a normal 4 byte value

bswap eax

pop ebp
ret 4
[/32-bit]

//The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g when the user wats to write a new value)
//function declared as: stdcall void ConvertBackRoutine(int i, unsigned char *output);
ConvertBackRoutine:
//jmp dllname.functionname
//or manual:
[64-bit]
//parameters: (64-bit)
//ecx=input
//rdx=address of output
//example:
bswap ecx //convert the little endian input into a big endian input
mov [rdx],ecx //place the integer the 4 bytes pointed to by rdx

ret
[/64-bit]

[32-bit]
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//[ebp+c]=address of output
//example:
push eax
push ebx
mov eax,[ebp+8] //load the value into eax
mov ebx,[ebp+c] //load the address into ebx

//convert the value to big endian
bswap eax

mov [ebx],eax //write the value into the address
pop ebx
pop eax

pop ebp
ret 8
[/32-bit]

Some of these codes require specific action in game first. Like, to be able to activate 'Horse Infinite Whips', you need to speed up your horse once.

Cemu.7z

Password: 12345

(26.96 KiB) Downloaded 196 times

[vosszaa]

Could anyone update the table for CEMU 1.17.3 please =3

[jelly time]

any plans to update for newer cemu versions?

[SunBeam]

Some of these codes require specific action in game first.

The reason this is required is the same one as to why, in Unity Engine, you can't find a certain aob you'd scan for unless you'd perform some action. And that is because both Unity and CEMU compile code when it is needed (the "just-in time" - JIT - logic).

In other lines, I've managed to get the game running in a pack with CEMU 1.17.3, managed to find - based on my old notes - CEMU RVA Base, Code Base and the global pointer used to calculate leap distances towards structure layouts. I've updated the AOBs to support multiple CEMU versions, hoping they're stable and work across several updates (at least). Now.. from here to actually inlining my findings with the current scripts in Drivium's table.. it will take a bit of running around. But eventually you will get a stable means to pin-point addresses without hooks and make use of pointers for easy filtering. Just keep in mind the CEMU code and game code are separate. The only issue is what I said above, finding some means to force JIT-ing of what the scripts tamper So you wouldn't need to do something "at least once" (saw the video).

[Metalred3]

Any updated table available?

[peterlaurence]

How do you guys find values like for example weapon durability with newest Cemu version 1.21.1b? Non of the tables here works, except the infinite stamina.

[peterlaurence]

Any updated table available?

I see... Can you share your working scripts with the latest version of cemu?

[sal1000]

Is there gonna be an update for latest version of cemu?

[XeroZen]

My modified table for Cemu 1.17.1. Some of the stuff was moved under 'BaseMemory'.

Requires 'Float Big Endian' custom type:

Code: Select all

alloc(TypeName,256)
alloc(ByteSize,4)
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(UsesFloat,1)


TypeName:
db 'Float Big Endian',0

ByteSize:
dd 4

UsesFloat:
db 1


ConvertRoutine:
[64-bit]
xor eax,eax
mov eax,[rcx] //eax now contains the bytes 'input' pointed to
bswap eax //convert to big endian
ret
[/64-bit]

[32-bit]
push ebp
mov ebp,esp
mov eax,[ebp+8] //place the address that contains the bytes into eax
mov eax,[eax] //place the bytes into eax so it's handled as a normal 4 byte value
bswap eax
pop ebp
ret 4
[/32-bit]


ConvertBackRoutine:
[64-bit]
bswap ecx //convert the little endian input into a big endian input
mov [rdx],ecx //place the integer the 4 bytes pointed to by rdx
ret
[/64-bit]

[32-bit]
push ebp
mov ebp,esp
push eax
push ebx
mov eax,[ebp+8] //load the value into eax
mov ebx,[ebp+c] //load the address into ebx
bswap eax

mov [ebx],eax //write the value into the address
pop ebx
pop eax
pop ebp
ret 8
[/32-bit]

And 4 Byte Big Endian:

Code: Select all

alloc(TypeName,256)
alloc(ByteSize,4)
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)

TypeName:
db '4 Byte Big Endian',0

ByteSize:
dd 4

//The convert routine should hold a routine that converts the data to an integer (in eax)
//function declared as: stdcall int ConvertRoutine(unsigned char *input);
//Note: Keep in mind that this routine can be called by multiple threads at the same time.
ConvertRoutine:
//jmp dllname.functionname
[64-bit]
//or manual:
//parameters: (64-bit)
//rcx=address of input
xor eax,eax
mov eax,[rcx] //eax now contains the bytes 'input' pointed to
bswap eax //convert to big endian

ret
[/64-bit]

[32-bit]
//jmp dllname.functionname
//or manual:
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//example:
mov eax,[ebp+8] //place the address that contains the bytes into eax
mov eax,[eax] //place the bytes into eax so it's handled as a normal 4 byte value

bswap eax

pop ebp
ret 4
[/32-bit]

//The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g when the user wats to write a new value)
//function declared as: stdcall void ConvertBackRoutine(int i, unsigned char *output);
ConvertBackRoutine:
//jmp dllname.functionname
//or manual:
[64-bit]
//parameters: (64-bit)
//ecx=input
//rdx=address of output
//example:
bswap ecx //convert the little endian input into a big endian input
mov [rdx],ecx //place the integer the 4 bytes pointed to by rdx

ret
[/64-bit]

[32-bit]
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//[ebp+c]=address of output
//example:
push eax
push ebx
mov eax,[ebp+8] //load the value into eax
mov ebx,[ebp+c] //load the address into ebx

//convert the value to big endian
bswap eax

mov [ebx],eax //write the value into the address
pop ebx
pop eax

pop ebp
ret 8
[/32-bit]

Some of these codes require specific action in game first. Like, to be able to activate 'Horse Infinite Whips', you need to speed up your horse once.
Cemu.7z

Can you please update it for the latest version of cemu, or if there is any other way hope you can share it with us. Thanks a lot for ur effort.

[Turtle]

@Drivium
@Sunbeam

I'm using the cheats in the Graphics Pack, does anyone know how to convert the infinite mid-air jump cheat into a graphics pack style cheat?

For example in the Graphic Pack cheats Infinite Hearts looks like this:

[BotW_InfiniteHearts_V208]
moduleMatches = 0x6267BFD0

0x02D452A4 = nop


[BotW_InfiniteHearts_V176V192]
moduleMatches = 0xFD091F9F,0xD472D8A5

0x02D44D44 = nop

Can a similar Graphics Pack cheat file be made for infinite mid-air jump?

What I mean is in: \Cemu\cemu_1.22.4\cemu_1.22.4\graphicPacks\downloadedGraphicPacks\BreathOfTheWild\Cheats

Each Cheat has a folder, and an .asm file, the contents of the .asm file are like the Hearts code I posted above.
Can a folder and corresponding .asm file be made to have infinite mid-air jumps?

Know What I mean?

[Razapudroshko]

what is master code and where is it? nothing works


i push this MC and nothing happens

[zeus22t]

Any chance of updating for EU version 208

[Razapudroshko]

[Moonjump R+B]
580F0000 02d1ea00
580F1000 00000198
580F1000 00002d18
780F0000 00000130
640f0000 00000000 3f800000
80000082
640f0000 00000000 bf800000
20000000

[Speed x4]
580F0000 02d1ea00
580F1000 00000198
580F1000 00002d18
780F0000 0000011c
640f0000 00000000 40800000 smd please, convert it to table or smth that will work with latest cemu) This codes works on my Switch SX OC. but not with cemu (

[SkyliFans]

[Moonjump R+B]
580F0000 02d1ea00
580F1000 00000198
580F1000 00002d18
780F0000 00000130
640f0000 00000000 3f800000
80000082
640f0000 00000000 bf800000
20000000

How do I get the codes in Cemu please? The files in the Cheats folder have .asm extensions.