Finding pointers in emulators

Memory scanning, code injection, debugger internals and other gamemodding related discussion
Drivium
Fearless Donors
Posts: 198
Joined: Tue Apr 04, 2017 2:47 am
Reputation: 55

Finding pointers in emulators

Post by Drivium » Tue Mar 24, 2020 11:59 pm

I'm struggling to find pointers in an emulator. Pointer scan isn't working well (again, because emulator). I suspect it's related to my current skill level. I've gotten through the entire Cheat Engine tutorial, but it hasn't prepared me for what I'm seeing here.

In CEMU, I'm playing New Super Mario Bros U. I'm searching for the lives value. I've found it. I do a "what writes to this address" scan and I get this:

Image

I'm used to seeing, "your address is probably...", but I get nothing. Not sure what I do from here.

Hoping someone can point me in the right direction. Is there any easier way to work this backwards to a pointer?

zachillios
Table Makers
Posts: 512
Joined: Fri Mar 03, 2017 9:05 am
Reputation: 273

Re: Finding pointers in emulators

Post by zachillios » Wed Mar 25, 2020 12:11 am

Virtual Memory works differently than normal RAM since the emulator is quite literally emulating the instructions used on the game. So in my experience pointer scanning is either A: more trouble than it's worth, or B: doesn't work in general. You'd be better off using AOB scans to make "pointers" in emulators. Here's an example for Fatal Frame 5 on Cemu I made.

Code:

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>24</ID>
      <Description>"Score Enable"</Description>
      <Options moHideChildren="1"/>
      <LastState/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscan(score,00 00 ?? ?? 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00)
label(chapterscore)
registersymbol(chapterscore)

score:
chapterscore:



[DISABLE]
//code from here till the end of the code will be used to disable the cheat
unregistersymbol(chapterscore)




</AssemblerScript>
      <CheatEntries>
        <CheatEntry>
          <ID>20</ID>
          <Description>"Score"</Description>
          <LastState Value="" RealAddress="00000000"/>
          <VariableType>Custom</VariableType>
          <CustomType>4 Byte Big Endian</CustomType>
          <Address>chapterscore+30</Address>
        </CheatEntry>
        <CheatEntry>
          <ID>32</ID>
          <Description>"Total Score"</Description>
          <LastState Value="" RealAddress="00000000"/>
          <VariableType>Custom</VariableType>
          <CustomType>4 Byte Big Endian</CustomType>
          <Address>chapterscore+6CB0</Address>
        </CheatEntry>
      </CheatEntries>
    </CheatEntry>
  </CheatEntries>
</CheatTable>

Drivium
Fearless Donors
Posts: 198
Joined: Tue Apr 04, 2017 2:47 am
Reputation: 55

Re: Finding pointers in emulators

Post by Drivium » Wed Mar 25, 2020 1:17 am

I get that you have to do multiple scans (I even created a tool for comparing aobs: viewtopic.php?t=6781), but I'm curious what your method is. Usually, I search for the value, say lives, then I scan for what writes to it, then I create a script to nop it via aob. I don't have as much luck finding in-memory addresses to create things like a player base OR if they work for me, they don't seem to work for anyone else.

Do you find your first address, then browse memory and look for anything in particular around your target address? Any clues I should be looking for to know I've got a good area to target for an aob? In many games, if I find a solid aob for lives, I'll need an entirely new aob for something like coins. Ideally, I'd find one aob, and offset it for all other values, but struggling to find such an aob in many games. Again, must be something I'm missing.

Can you walk me through your process for finding a reliable aob for in-memory addresses (life counts, coins, etc. - anything with a value you'd want freedom to modify)? I'd be super grateful for any guidance you could provide. I keep getting messages from people who the table isn't working for, yet some others seem to be able to make super reliable cheats for CEMU. Must be something I'm missing. Thanks in advance.

zachillios
Table Makers
Posts: 512
Joined: Fri Mar 03, 2017 9:05 am
Reputation: 273

Re: Finding pointers in emulators

Post by zachillios » Wed Mar 25, 2020 2:38 am

Drivium wrote:
Wed Mar 25, 2020 1:17 am
I get that you have to do multiple scans (I even created a tool for comparing aobs: viewtopic.php?t=6781), but I'm curious what your method is. Usually, I search for the value, say lives, then I scan for what writes to it, then I create a script to nop it via aob. I don't have as much luck finding in-memory addresses to create things like a player base OR if they work for me, they don't seem to work for anyone else.

Do you find your first address, then browse memory and look for anything in particular around your target address? Any clues I should be looking for to know I've got a good area to target for an aob? In many games, if I find a solid aob for lives, I'll need an entirely new aob for something like coins. Ideally, I'd find one aob, and offset it for all other values, but struggling to find such an aob in many games. Again, must be something I'm missing.

Can you walk me through your process for finding a reliable aob for in-memory addresses (life counts, coins, etc. - anything with a value you'd want freedom to modify)? I'd be super grateful for any guidance you could provide. I keep getting messages from people who the table isn't working for, yet some others seem to be able to make super reliable cheats for CEMU. Must be something I'm missing. Thanks in advance.
Below is the video I used to figure out how to do it, but you have the gist of it. Find the address, browse it, then look anywhere near it to find static values and use that as a basis for your AOB. I also recommend using a hex calculator to find the pointer's actual address.
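The two steps zachillios describes (anchor on a static byte run with an aobscan, then address the real value at a fixed offset, read as big endian like the "4 Byte Big Endian" entries in the Fatal Frame table above) as an added example, not code from the thread or from Cheat Engine. The pattern, offsets and memory image are constructed for the demo; the uniqueness check is the caveat that explains why a table can work for its author and fail for others.

```python
import struct
from typing import List, Optional

Pattern = List[Optional[int]]  # None stands for a '??' wildcard byte


def parse_aob(text: str) -> Pattern:
    """'00 00 ?? ?? 01' -> [0, 0, None, None, 1]."""
    return [None if t == "??" else int(t, 16) for t in text.split()]


def aob_scan(memory: bytes, pattern: Pattern) -> List[int]:
    """Every offset where the fixed bytes match; wildcards are skipped."""
    fixed = [(i, b) for i, b in enumerate(pattern) if b is not None]
    return [base for base in range(len(memory) - len(pattern) + 1)
            if all(memory[base + i] == b for i, b in fixed)]


def locate_unique(memory: bytes, aob: str) -> int:
    """Resolve the anchor like aobscan(), but insist on exactly one hit:
    a pattern that matches in several places is the usual reason a table
    works on the author's machine and not on someone else's."""
    hits = aob_scan(memory, parse_aob(aob))
    if len(hits) != 1:
        raise LookupError(f"pattern matched {len(hits)} times, need 1")
    return hits[0]


def read_u32_be(memory: bytes, addr: int) -> int:
    """The table's '4 Byte Big Endian' read (the emulated guest's order)."""
    return struct.unpack_from(">I", memory, addr)[0]


# Constructed guest memory (hypothetical layout): zero padding, a run of
# static header words with two bytes that vary per session (hence '??'),
# the chapter score 0x30 bytes past the anchor, and more padding.
SIG = "00 00 ?? ?? 00 00 00 00 01 00 00 00 01 00 00 00"
MEMORY = (b"\x00" * 0x40
          + bytes.fromhex("0000a51b" "00000000" "01000000" "01000000")
          + b"\x00" * 0x20
          + struct.pack(">I", 12345)          # chapter score, big endian
          + b"\x00" * 0x20)


def chapter_score(memory: bytes = MEMORY) -> int:
    """anchor+30, the way the 'Score' entry addresses chapterscore+30."""
    return read_u32_be(memory, locate_unique(memory, SIG) + 0x30)
```

Reading the same four bytes as little endian would give 0x39300000 instead of 12345, which is why the custom big-endian type matters for an emulated big-endian guest.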

Drivium
Fearless Donors
Posts: 198
Joined: Tue Apr 04, 2017 2:47 am
Reputation: 55

Re: Finding pointers in emulators

Post by Drivium » Wed Mar 25, 2020 2:52 am

My tool has a hex calculator also ;). I checked out the video. Nothing I didn't know, unfortunately.

SunBeam
Administration
Posts: 3342
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1738

Re: Finding pointers in emulators

Post by SunBeam » Sat Mar 28, 2020 1:42 am

I recommend starting to trace the code in a debugger till the actual image of your game is loaded. You'll want to make use of common APIs, like VirtualAlloc, ReadFile, etc. - any others you can think of that help in the process of determining a starting point. MSDN is your friend: https://docs.microsoft.com/en-us/window ... rtualalloc. You have a big tree to search in to the left. "But I don't know how to trace in a debugger" - luckily, Corona is here to help you; due to home isolation, you now have time to study :P Don't whine, please.

TioEdu
Cheater
Posts: 33
Joined: Sat Nov 02, 2019 5:40 pm
Reputation: 27

Re: Finding pointers in emulators

Post by TioEdu » Mon Mar 30, 2020 8:51 am

If you found a way to find statistical pointers in the emulators (YUZU, CITRA), let me know, please.

Drivium
Fearless Donors
Posts: 198
Joined: Tue Apr 04, 2017 2:47 am
Reputation: 55

Re: Finding pointers in emulators

Post by Drivium » Mon Mar 30, 2020 8:17 pm

SunBeam wrote:
Sat Mar 28, 2020 1:42 am
I recommend starting to trace the code in a debugger till the actual image of your game is loaded. You'll want to make use of common APIs, like VirtualAlloc, ReadFile, etc. - any others you can think of that help in the process of determining a starting point. MSDN is your friend: https://docs.microsoft.com/en-us/window ... rtualalloc. You have a big tree to search in to the left. "But I don't know how to trace in a debugger" - luckily, Corona is here to help you; due to home isolation, you now have time to study :P Don't whine, please.
Hope my request didn't come across as whining. Hungry for knowledge! Luckily, sitting alone in a room and researching is what I do best. Now I know what I'm searching for. Thanks for the "pointer". Boom. I just thought I'd reach out to the community so I'm not trying to figure out a problem that's already been solved. Sounds like I'll be the first. Challenge accepted! :P
