91wii


[Technical] Modify any Cemu game with Cheat Engine

Posted on 2019-10-24 21:06:30
This post was last edited by jackpasser on 2019-10-24 22:59

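For a long time, modifying Nintendo memory or save data has been a hassle, because the data is not stored in the ordinary 16-bit form but in big-endian byte order (Big Endian). Typical memory editors do not support editing this storage format. This time, by adding code inside Cheat Engine so that CE supports it, the goal was achieved!!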



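1. Prepare Cheat Engine and a game that Cemu can load. Open Cheat Engine and Cemu, load the game you want to modify, click the computer icon at the top left, and select the Cemu process.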


2. In CE's value type field, right-click and choose Define new "custom type" (Auto Assembler).

3. Add the two code blocks below one at a time and save each; one is for 2 bytes and one is for 4 bytes.

    alloc(TypeName,256)
    alloc(ByteSize,4)
    alloc(ConvertRoutine,1024)
    alloc(ConvertBackRoutine,1024)

    TypeName:
    db '2 Byte Big Endian',0

    ByteSize:
    dd 2

    //The convert routine should hold a routine that converts the data to an integer (in eax)
    //function declared as: stdcall int ConvertRoutine(unsigned char *input);
    //Note: Keep in mind that this routine can be called by multiple threads at the same time.
    ConvertRoutine:
    //jmp dllname.functionname
    [64-bit]
    //or manual:
    //parameters: (64-bit)
    //rcx=address of input
    xor eax,eax
    mov ax,[rcx] //ax now contains the 2 bytes 'input' pointed to
    xchg ah,al //swap the two bytes (big endian in memory -> host order)

    ret
    [/64-bit]

    [32-bit]
    //jmp dllname.functionname
    //or manual:
    //parameters: (32-bit)
    push ebp
    mov ebp,esp
    //[ebp+8]=input
    //example:
    mov eax,[ebp+8] //place the address that contains the bytes into eax
    mov ax,[eax] //load the 2 bytes into ax (upper half of eax still holds address bits)
    and eax,ffff //cleanup: clear the upper half
    xchg ah,al //swap the two bytes (big endian in memory -> host order)

    pop ebp
    ret 4
    [/32-bit]

    //The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g. when the user wants to write a new value)
    //function declared as: stdcall void ConvertBackRoutine(int i, unsigned char *output);
    ConvertBackRoutine:
    //jmp dllname.functionname
    //or manual:
    [64-bit]
    //parameters: (64-bit)
    //ecx=input
    //rdx=address of output
    //example:
    xchg ch,cl //convert the little endian input into a big endian input
    mov [rdx],cx //write the 2 bytes to the address in rdx

    ret
    [/64-bit]

    [32-bit]
    //parameters: (32-bit)
    push ebp
    mov ebp,esp
    //[ebp+8]=input
    //[ebp+c]=address of output
    //example:
    push eax
    push ebx
    mov eax,[ebp+8] //load the value into eax
    mov ebx,[ebp+c] //load the address into ebx

    //convert the value to big endian
    xchg ah,al

    mov [ebx],ax //write the value into the address
    pop ebx
    pop eax

    pop ebp
    ret 8
    [/32-bit]

    alloc(TypeName,256)
    alloc(ByteSize,4)
    alloc(ConvertRoutine,1024)
    alloc(ConvertBackRoutine,1024)

    TypeName:
    db '4 Byte Big Endian',0

    ByteSize:
    dd 4

    //The convert routine should hold a routine that converts the data to an integer (in eax)
    //function declared as: stdcall int ConvertRoutine(unsigned char *input);
    //Note: Keep in mind that this routine can be called by multiple threads at the same time.
    ConvertRoutine:
    //jmp dllname.functionname
    [64-bit]
    //or manual:
    //parameters: (64-bit)
    //rcx=address of input
    xor eax,eax
    mov eax,[rcx] //eax now contains the bytes 'input' pointed to
    bswap eax //reverse the byte order (big endian in memory -> host order)

    ret
    [/64-bit]

    [32-bit]
    //jmp dllname.functionname
    //or manual:
    //parameters: (32-bit)
    push ebp
    mov ebp,esp
    //[ebp+8]=input
    //example:
    mov eax,[ebp+8] //place the address that contains the bytes into eax
    mov eax,[eax] //place the bytes into eax so it's handled as a normal 4 byte value

    bswap eax //reverse the byte order (big endian in memory -> host order)

    pop ebp
    ret 4
    [/32-bit]

    //The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g. when the user wants to write a new value)
    //function declared as: stdcall void ConvertBackRoutine(int i, unsigned char *output);
    ConvertBackRoutine:
    //jmp dllname.functionname
    //or manual:
    [64-bit]
    //parameters: (64-bit)
    //ecx=input
    //rdx=address of output
    //example:
    bswap ecx //convert the little endian input into a big endian input
    mov [rdx],ecx //write the 4 bytes to the address in rdx

    ret
    [/64-bit]

    [32-bit]
    //parameters: (32-bit)
    push ebp
    mov ebp,esp
    //[ebp+8]=input
    //[ebp+c]=address of output
    //example:
    push eax
    push ebx
    mov eax,[ebp+8] //load the value into eax
    mov ebx,[ebp+c] //load the address into ebx

    //convert the value to big endian
    bswap eax

    mov [ebx],eax //write the value into the address
    pop ebx
    pop eax

    pop ebp
    ret 8
    [/32-bit]

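4. After saving, CE's value type list has two new options, 2 Byte Big Endian and 4 Byte Big Endian. Select one of them and you can search the game's data. For example, this time I searched Tekken TT2 to modify money: enter the current amount of money and search once (not in hexadecimal), and 2 addresses came up. After buying something, the one whose value changed is the correct address, and you can then modify it freely.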



-------------------------------- The End --------------------------------


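The byte-order handling from steps 3 and 4 above, as an added C example that is not part of the original post: `be32_read` and `be32_write` do the same job as the 4-byte ConvertRoutine and ConvertBackRoutine, and the search runs over a constructed 64-byte buffer to show why a little-endian scan finds nothing while the big-endian type finds both copies. The names `le32_read`, `narrow` and `run_demo`, the buffer layout and the values 50000 and 45000 are made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes in memory -> integer: the job of the 4-byte ConvertRoutine. */
static uint32_t be32_read(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
/* Integer -> bytes in memory: the job of the 4-byte ConvertBackRoutine. */
static void be32_write(uint32_t v, unsigned char *p) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}
/* What a stock 4-byte scan on an x86 host does: little-endian decode. */
static uint32_t le32_read(const unsigned char *p) {
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[3] << 24);
}
/* Keep only the candidate offsets whose 4 bytes decode to `want` via `rd`. */
static size_t narrow(const unsigned char *m, uint32_t want,
                     uint32_t (*rd)(const unsigned char *), size_t *cand, size_t n) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (rd(m + cand[i]) == want) cand[k++] = cand[i];
    return k;
}
struct demo_result { size_t le_hits, be_hits, after_purchase, offset; };

/* Constructed sample: 64 bytes of "guest memory" holding 50000 twice. */
static struct demo_result run_demo(void) {
    unsigned char mem[64] = {0};
    size_t le[61], be[61], n = 61;   /* offsets 0..60 can hold 4 bytes */
    struct demo_result r;
    for (size_t i = 0; i < n; i++) le[i] = be[i] = i;
    be32_write(50000, mem + 8);      /* a copy that never changes */
    be32_write(50000, mem + 40);     /* the live counter */
    r.le_hits = narrow(mem, 50000, le32_read, le, n);
    r.be_hits = narrow(mem, 50000, be32_read, be, n);
    be32_write(45000, mem + 40);     /* the "purchase": only the live copy moves */
    r.after_purchase = narrow(mem, 45000, be32_read, be, r.be_hits);
    r.offset = be[0];
    return r;
}
int main(void) {
    struct demo_result r = run_demo();
    printf("LE hits=%zu BE hits=%zu after purchase=%zu at offset %zu\n",
           r.le_hits, r.be_hits, r.after_purchase, r.offset);
    return 0;
}
```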
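Posted on 2019-10-28 11:12:27
Expert, may I ask how to use CE to modify data in EPSXE? Can the code above be used?
Posted on 2019-10-28 16:49:18
The Wii was released in 2006, and 13 years later new threads are still being posted. Impressive.
Posted on 2019-11-3 13:56:50
Yes you can, bro. Take a look at the PDF, it has a tutorial.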