RPCS3 Forums

Full Version: Drakengard 3 Cheating
I don't want to grind Drakengard 3 and am looking for some cheats, but can't find any. Please help.
(10-29-2021, 11:04 AM)Monyh Wrote: I don't want to grind Drakengard 3 and am looking for some cheats, but can't find any. Please help.

How to use Artemis r6.1 Game Patches with RPCS3 Tutorial 2022 | PS3 Emulator - YouTube

RPCS3 Tutorial Update v.2 | Artemis (r6.3) Game Patches enabled | PS3 Emulator - YouTube

Chidreams Emulation GamePlay shows in his videos how to use Artemis PS3 cheats to hack both "RAMBO The Video Game" and "Assault Heroes" with the rpcs3 patch manager, but his method can be used to hack any Sony PlayStation 3 game/rom, even Drakengard 3.

Don't forget to exit rpcs3 after running Drakengard 3 for at least a few seconds before you open rpcs3.log to find the Drakengard 3 PPU hash.

ArtemisPS3/Drakengard 3 BLUS31197 01.01.ncl at master · bucanero/ArtemisPS3 · GitHub
ArtemisPS3/Drakengard 3 BLUS31197 NPUB31251 01.00.ncl at master · bucanero/ArtemisPS3 · GitHub
ArtemisPS3/Drakengard 3 BLUS31197 v01.01 av01.01.ncl at master · bucanero/ArtemisPS3 · GitHub

Make sure that you copy the correct codes for the version of Drakengard 3 that you want to cheat in, because otherwise, if you copy and use the wrong codes, the game may become unplayable or, even worse, rpcs3 may crash.

If you play version 01.00 then copy the codes from 01.00.ncl
If you play version 01.01 then copy the codes from 01.01.ncl
If you play version NPUB31251 then copy the codes from the middle link

Under the "patch:" line in the imported_patch.yml file:

For all lines that start with 0 in the ncl file, use be32 (big endian, 32 bits) in the imported_patch.yml file, and since the two numbers after that (address/offset and value) are hexadecimal, don't forget to prepend 0x to each hexadecimal number.

Also don't forget to enclose them in [] square brackets or parentheses, make sure that each word is comma (,) separated, and finally save imported_patch.yml inside the patches directory/folder.

The format of the imported_patch.yml, inside the patches directory/folder, must be https://wiki.rpcs3.net/index.php?title=H...me_Patches

If you saved the imported_patch.yml file inside the patches directory/folder correctly, then all the Drakengard 3 cheats should appear in the rpcs3 patch manager window, and you just have to check/tick all of them, or those that you want anyway, before booting the game!

Also subscribe to Chidreams Emulation GamePlay if you want. He uploads imported_patch.yml (cheats written in a language that the rpcs3 patch manager understands) for some Sony PlayStation 3 games/roms, and he may upload an imported_patch.yml for Drakengard 3 one day. You just download the imported_patch.yml file into the patches directory/folder, enable the cheats that you are interested in in the patch manager, boot the game and enjoy!

If Artemis doesn't offer you the cheats that you need or want then you will have to use Cheat Engine to achieve what you want.

Download and install Cheat Engine from Downloads (cheatengine.org)

But note that the setup won't ask you where to install Cheat Engine; it always installs Cheat Engine on the system drive, which is C most of the time.

Also note that the MEM_MAPPED check box in the Cheat Engine Scan Settings window must be checked/ticked because otherwise you won't find anything even if you use the correct big endian type.

And also note that you must define and use big endian types to find the address of your progress because otherwise you won't find anything even if you checked/ticked the MEM_MAPPED check box in the Cheat Engine Scan Settings window.

Use Big Endian Types for Cheat Engine · GitHub to define big endian types for "2 bytes", "4 bytes" and float.

The type of the variable that you want to increase or decrease is probably either "4 bytes big endian" or "float big endian".

Once you have found and added the address of your progress to the address list, just increase or decrease the number to whatever value you want by double clicking on the Value column in the row of your progress.

Also make sure that under the "Memory Scan Options" the rpcs3.exe in the drop down list is selected and the "Start" box of Cheat Engine main window is set to 300000000 (3 followed by 8 0s) and the "Stop" box of Cheat Engine main window is set to 400000000 (4 followed by 8 0s) because all the variables and data of the emulated Sony PlayStation 3 game/rom reside in this range.

Make sure that you set both "Start" and "Stop" boxes in the Cheat Engine main window to these numbers to shorten the duration of Cheat Engine memory scans significantly.

This is a pain when Cheat Engine memory scans last too much time.

If you can see the number on your screen then use "Exact Value" for the first scan. Otherwise if you see a bar then use "Unknown initial value" for the first scan.

When your progress changes use either "Increased Value", "Decreased Value" or "Changed Value" for the next scan. If you see a lot of values change while you do nothing then use "Unchanged value" for the next scan to eliminate them from the found addresses list because these variables are probably not what you are looking for.

Keep doing this until you find the address of the progress variable that you are looking for.

Note that some variables are dynamic and this means that they may be moved to another address.

If the variable that you are interested in has been moved to another address then you will have to delete the record from the address list and you will have to find the new address of the same variable again and this is very annoying.

In that case if you found the address of a dynamic variable then before the variable moves to another address you can do one of the following actions:

1. Either "Find out what accesses this address" or "Find out what writes to this address" to find the opcode that accesses and modifies the variable.

In your case this may be a "mov" opcode followed by an "add" or "sub" opcode that increases your progress.

You can assemble the opcodes or inject a shellcode that increases your progress much more than what the developers of Drakengard 3 intended so you have to grind much less time than what the developers of Drakengard 3 intended.

Note that every opcode or instruction may access (read from or write to) more than one memory address and assembling it (changing it or modifying it) to another opcode may affect all these addresses that this opcode accesses and this might cause the game or rom or even rpcs3 emulator to become unstable or even crash!

In that case you must inject a shellcode that tests (cmp and then jz or jnz) when the opcode accesses your progress and then execute a shellcode that increases this progress much more so you have to grind less time than normal.

If you have trouble assembling the opcodes or injecting the shellcode, then you can do a "Find out what addresses this instruction accesses" and then find the address of your progress, copy it to the address list and then increase your progress to whatever number you want.

But for this to work you must configure rpcs3 to use a recompiler and not an interpreter, because otherwise you might assemble an opcode that the interpreter uses in order to work properly and break the interpreter, which might cause rpcs3 to crash immediately! Also prefer the recompiler over the interpreter for better performance, because the recompiler is much faster than the interpreter in general!

Also note that all the changes and modifications that you made to the logic of Drakengard 3 by assembling some of its opcodes or injecting a shellcode will all be undone when you stop the emulation or exit rpcs3.

This means that the next time you boot Drakengard 3 you will have to repeat all this opcode assembling or shellcode injection again!

And also note that all the code of Drakengard 3 is created by the recompiler of rpcs3 (if rpcs3 is configured to use a recompiler rather than an interpreter) at runtime when you boot it with rpcs3, and on the next boot all the addresses of the opcodes may be different hexadecimal numbers, so remembering all the addresses of all the opcodes that you assembled is useless.

This means that the next time you boot Drakengard 3 with rpcs3 you will have to find all the addresses of these opcodes again.

One way is to again find the address of the progress variable and then either "Find out what accesses this address" or "Find out what writes to this address".

A better way is to find the start and end addresses of the function or procedure that contains all the opcodes that you want to assemble and just remember all the bytes that the function or procedure is made of.

If you remember all the bytes of the function or procedure then you can use Cheat Engine "Array of byte" scan and you will quickly find the address of the function or procedure that contains the opcodes that you want to assemble.

Just remember all the offsets of all the opcodes that you want to assemble relative to the start or end address of the function or procedure that contains them and that's it!

But note that the executable code of the emulated Sony PlayStation 3 rom or game is in the 100000000 (1 followed by 8 0s) to 300000000 (3 followed by 8 0s) range, so make sure that the Start box in the Cheat Engine main window is set to 100000000 and the Stop box in the Cheat Engine main window is set to 300000000 before doing an "Array of byte" scan.

To find both the start and end addresses of a function or procedure do the following actions:

To find the end address of the function or procedure:

After using either "Find out what accesses this address" or "Find out what writes to this address" then step over until the instruction pointer (eip or rip) or program counter reaches a "ret" (return) opcode.

This "ret" opcode is probably the end of the function or procedure so the address of this "ret" opcode is probably the end address of the function or procedure that you are looking for.

Now to find the start address of the function or procedure:

Do another step over to find the "call" opcode that led the instruction pointer (eip or rip) or program counter to this function or procedure.

If you take a look at the operand of this "call" opcode then you will find the start address of this function or procedure and you are done!

A quick way to find both the start and end addresses of the function or procedure with Cheat Engine is to right click any opcode of the function or procedure and then, on the context menu, click on "Select current function".

If you do this then the entire function or procedure will be highlighted in the memory view window of Cheat Engine so just scroll up and down and find where the highlight starts and where the highlight ends to find out both the start and end addresses of the function or procedure!

Another way to deal with a dynamic variable that sometimes moves to another address is to use a pointer that always points at this variable no matter where this variable resides in the dynamic memory of the game and rpcs3 emulator.

To make this pointer you will have to do pointer scanning.

Here is a video that teaches its viewers how to do pointer scanning:

https://www.youtube.com/watch?v=rBe8Atevd-4

If the variable that you are interested in is dynamic but is also a field of a structure then you can quickly find it once you know the structure that this field variable is part of by doing a structure scan.

But to find out this structure you will have to dissect it.

Here is a video that teaches its viewers how to dissect data or a structure:

https://www.youtube.com/watch?v=yFBPQ8VjNCg

If you are frustrated that Drakengard 3 doesn't always allow you to save your progress whenever you want to, then you are always welcome to try out the new rpcs3 save state feature.

Just press Ctrl+S to save your progress, but note that the emulation of Drakengard 3 will stop immediately after doing that, and I don't know why, so you had better do this when you must stop playing the game right now and will have to continue playing it later, because rpcs3 save states and boots are slow.

To continue where you left off boot the save state file that rpcs3 created when you pressed Ctrl+S.

But note that rpcs3 will delete the save state file after booting it, and I don't know why, so I recommend that you back up the save state file before booting it with rpcs3, because if rpcs3 crashes while you play your game then all your progress will be lost and you will have to use the last save that the Drakengard 3 save system made.

All the save state files should reside in the "savestates" directory/folder if I recall or remember correctly.

When the rpcs3 debugger supports access, write and read breakpoints as the pcsx2 debugger does, use these access, write and read breakpoints of the rpcs3 debugger rather than Cheat Engine's "Find out what accesses this address" and "Find out what writes to this address", because if you assemble opcodes using the rpcs3 debugger and not the Cheat Engine debugger then you will be able to save all the changes by saving the state with Ctrl+S!

Another advantage is that the address of the opcode viewed by rpcs3 debugger may be constant and can be remembered as it is with pcsx2 debugger!
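
The conversion described in the post above (lines starting with 0 in an Artemis .ncl file turned into be32 entries for imported_patch.yml), as an added example that is not part of the original post and is not RPCS3 or Artemis code. It assumes a line starting with 0 has the form `0 <address> <value>` with 8 hexadecimal digits each; the function name and the sample input are constructed, and lines that do not fit that form are returned for manual review instead of being converted.

```python
import re

# Assumption: a convertible code line is "0 <8 hex digits> <8 hex digits>",
# i.e. one 32-bit write, which is the only case the post describes.
CODE_LINE = re.compile(r"^0\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})$")
# Anything else shaped like "<type> <8-hex address> <something>" is a code
# line this script does not know how to express as be32.
OTHER_CODE = re.compile(r"^[0-9A-Fa-f]\s+[0-9A-Fa-f]{8}\s+\S+")

# Constructed sample: the cheat name, addresses and values are made up.
SAMPLE_NCL = """\
Example cheat (constructed)
0
0 00123456 60000000
0 00123458 3860FFFF
0 00200000 0001
2 00300000 41200000
#
"""


def ncl_to_be32(ncl_text):
    """Return (entries, skipped) for the code lines found in ncl_text.

    entries: strings to paste into the patch list of imported_patch.yml.
    skipped: (line_number, text) pairs for code lines that are not plain
             32-bit writes and must be converted by hand.
    """
    entries, skipped = [], []
    for number, raw in enumerate(ncl_text.splitlines(), start=1):
        line = raw.strip()
        match = CODE_LINE.match(line)
        if match:
            address, value = match.groups()
            # Prepend 0x, separate with commas, enclose in square brackets.
            entries.append(f"- [ be32, 0x{address}, 0x{value} ]")
        elif OTHER_CODE.match(line):
            skipped.append((number, line))
    return entries, skipped


if __name__ == "__main__":
    converted, needs_review = ncl_to_be32(SAMPLE_NCL)
    print("\n".join(converted))
    for number, text in needs_review:
        print(f"# line {number} not converted: {text}")
```

Codes must still come from the .ncl file that matches the installed game version, as the post warns; the script only changes the notation.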