I Need Help Making Scripts (AOB\Code Injection) for SNES emulator (Retroarch\Snes9x)

[GaltradrielSophy]

Hello, everyone!

I'm trying to make a simple "one hit kill" script for a game called Terranigma for the SNES just for fun, but I'm having lots of trouble with it due to a bunch of different reasons:

1 - Values are 2 Bytes and 2 Bytes Big Endian
2 - The instruction writing to my value actually writes to pretty much EVERYTHING (more than 800 different things at once)
3 - "Find out what addresses this instruction accesses" makes the emulator SUPER slow (1-2 FPS) due to how many different addresses it accesses at the same time, all the time

Despite my efforts, I couldn't make the script work. As soon as I activate it, the emulator crashes completely. I am positive that I'm missing something dumb.

Code: Select all

// ORIGINAL CODE - INJECTION POINT: snes9x_libretro.dll+21355

snes9x_libretro.dll+21324: 75 77                    - jne snes9x_libretro.dll+2139D
snes9x_libretro.dll+21326: 41 8D 8C 24 00 C0 FF FF  - lea ecx,[r12-00004000]
snes9x_libretro.dll+2132E: 80 E5 7E                 - and ch,7E
snes9x_libretro.dll+21331: 48 8B 0D F8 D2 26 00     - mov rcx,[snes9x_libretro.dll+28E630]
snes9x_libretro.dll+21338: 0F 85 12 01 00 00        - jne snes9x_libretro.dll+21450
snes9x_libretro.dll+2133E: 8B A9 48 04 00 00        - mov ebp,[rcx+00000448]
snes9x_libretro.dll+21344: 48 8B 1D E5 CF 26 00     - mov rbx,[snes9x_libretro.dll+28E330]
snes9x_libretro.dll+2134B: 48 83 F8 12              - cmp rax,12
snes9x_libretro.dll+2134F: 76 66                    - jna snes9x_libretro.dll+213B7
snes9x_libretro.dll+21351: 45 0F B7 E4              - movzx r12d,r12w
// ---------- INJECTING HERE ----------
snes9x_libretro.dll+21355: 66 42 89 34 20           - mov [rax+r12],si
// ---------- DONE INJECTING  ----------
snes9x_libretro.dll+2135A: 80 7B 32 00              - cmp byte ptr [rbx+32],00
snes9x_libretro.dll+2135E: 75 1D                    - jne snes9x_libretro.dll+2137D
snes9x_libretro.dll+21360: 8B 43 04                 - mov eax,[rbx+04]
snes9x_libretro.dll+21363: 8D 04 68                 - lea eax,[rax+rbp*2]
snes9x_libretro.dll+21366: 89 43 04                 - mov [rbx+04],eax
snes9x_libretro.dll+21369: 3B 43 40                 - cmp eax,[rbx+40]
snes9x_libretro.dll+2136C: 7C 0F                    - jl snes9x_libretro.dll+2137D
snes9x_libretro.dll+2136E: 66 90                    - nop 2
snes9x_libretro.dll+21370: E8 9B 58 FF FF           - call snes9x_libretro.dll+16C10
snes9x_libretro.dll+21375: 8B 43 40                 - mov eax,[rbx+40]
}

So mov [rax+r12],si is the instruction accessing everything.

I tried a bunch of different approaches to isolate the differences with the HP values (right now I don't mind if everything in the game dies with a single hit, I just want the script not to crash my game), such as:
Comiss with XMN3
Cmp values
Cmp int
Just make a blank script that only cmp (sometimes crashed the game as well)

So far, nothing really worked.

My theory is that there is something I must do with "si", since it is not "rsi" and can't be compared properly, or I'm using the cmp wrong.
I also think I'm doing something wrong with the cmp and mov commands since I'm dealing with 2 byte values and 2 byte big endian for the first time.

I already know how to make the One Hit Kill script (and some other basic scripts) for non-emulated games without a problem. But I can't seem to make this work for SNES games, sadly (I checked another game called "ARCANA" and the instruction that writes to everything is the exact same one, so it IS an emulator thing.

Oh, I also found the static addresses and the proper array of bytes that never change, too.


Could anyone please point me into the right direction? I'm at a loss at the moment.



Here are a few scripts that I tried:

Code: Select all

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"snes9x_libretro.dll"+21355) 
alloc(number,4)
label(returnhere)
label(originalcode)
label(exit)

number:
dw 7C

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
comiss xmm3,[number]
jbe originalcode
jmp exit

originalcode:
mov [rax+r12],si
jmp exit

exit:
jmp returnhere

"snes9x_libretro.dll"+21355:
jmp newmem
returnhere:



 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"snes9x_libretro.dll"+21355:
db 66 42 89 34 20
//mov [rax+r12],si

Code: Select all

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"snes9x_libretro.dll"+21355) 
alloc(number,8)
label(returnhere)
label(originalcode)
label(exit)

number:
dw BC

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
comiss xmm3,[number]
jbe originalcode
movss xmm3,[number]
jmp exit

originalcode:
mov [rax+r12],si
jmp exit

exit:
jmp returnhere

"snes9x_libretro.dll"+21355:
jmp newmem
returnhere:



 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"snes9x_libretro.dll"+21355:
db 66 42 89 34 20
//mov [rax+r12],si

Code: Select all

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,"snes9x_libretro.dll"+21355) 
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
push eax
movd eax,xmm3
cmp eax,000000BC
je originalcode
jmp exit

originalcode:
mov [rax+r12],si

exit:
pop eax
jmp returnhere

"snes9x_libretro.dll"+21355:
jmp newmem
returnhere:



 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"snes9x_libretro.dll"+21355:
db 66 42 89 34 20
//mov [rax+r12],si

Code: Select all

{ Game   : retroarch.exe
  Version: 
  Date   : 2023-08-04
  Author : Zvezda

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,snes9x_libretro.dll,66 42 89 34 20 80 7B 32 00 75) // should be unique
alloc(newmem,$1000,INJECT)

label(code)
label(return)

newmem:
 cmp [rsi+FC],(int)0
 je code
 jne return

code:
  mov [rax+r12],si
  jmp return

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 66 42 89 34 20

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: snes9x_libretro.dll+21355

snes9x_libretro.dll+21324: 75 77                    - jne snes9x_libretro.dll+2139D
snes9x_libretro.dll+21326: 41 8D 8C 24 00 C0 FF FF  - lea ecx,[r12-00004000]
snes9x_libretro.dll+2132E: 80 E5 7E                 - and ch,7E
snes9x_libretro.dll+21331: 48 8B 0D F8 D2 26 00     - mov rcx,[snes9x_libretro.dll+28E630]
snes9x_libretro.dll+21338: 0F 85 12 01 00 00        - jne snes9x_libretro.dll+21450
snes9x_libretro.dll+2133E: 8B A9 48 04 00 00        - mov ebp,[rcx+00000448]
snes9x_libretro.dll+21344: 48 8B 1D E5 CF 26 00     - mov rbx,[snes9x_libretro.dll+28E330]
snes9x_libretro.dll+2134B: 48 83 F8 12              - cmp rax,12
snes9x_libretro.dll+2134F: 76 66                    - jna snes9x_libretro.dll+213B7
snes9x_libretro.dll+21351: 45 0F B7 E4              - movzx r12d,r12w
// ---------- INJECTING HERE ----------
snes9x_libretro.dll+21355: 66 42 89 34 20           - mov [rax+r12],si
// ---------- DONE INJECTING  ----------
snes9x_libretro.dll+2135A: 80 7B 32 00              - cmp byte ptr [rbx+32],00
snes9x_libretro.dll+2135E: 75 1D                    - jne snes9x_libretro.dll+2137D
snes9x_libretro.dll+21360: 8B 43 04                 - mov eax,[rbx+04]
snes9x_libretro.dll+21363: 8D 04 68                 - lea eax,[rax+rbp*2]
snes9x_libretro.dll+21366: 89 43 04                 - mov [rbx+04],eax
snes9x_libretro.dll+21369: 3B 43 40                 - cmp eax,[rbx+40]
snes9x_libretro.dll+2136C: 7C 0F                    - jl snes9x_libretro.dll+2137D
snes9x_libretro.dll+2136E: 66 90                    - nop 2
snes9x_libretro.dll+21370: E8 9B 58 FF FF           - call snes9x_libretro.dll+16C10
snes9x_libretro.dll+21375: 8B 43 40                 - mov eax,[rbx+40]
}

[oyyzj]

Don't know if this helps you to understand, this is what I know:

Xmm0 to Xmm15 is always FLOAT. therefor always 4 Bytes. If you force a 4 bytes value writing into a 2 bytes registry it will always crash. so your 3 attemps from above will always fail.

the last attemps crash because if cmp [rsi+FC],(int)0 is not TRUE. you force it do nothing and jump return, since mov [rax+r12],si writes to everything, you basically NOP'ed everything and game is forced to crash.

good luck on your next attemps

[GaltradrielSophy]

Oh, fantastic! Thank you so much!

It seems I pasted the wrong script in my post (which is why it is incomplete and doesn't have the proper jumps, and keeps noping everything). Sadly, it still crashes the game.

From what you told me, the XMM are a no go, so I'll see what else I can try to use.

Is there anything special I need to do when comparing or dealing with things like "si" or "di" -> instead of the common RSI or RDI that I'm familiar with? A simple cmp doesn't seem to work with them, and I'm not sure if using RSI would work for "si" and vice-versa.


I saw someone mention that maybe the game crashes with cmp if the compared value is null. Is there a way to fix that so it doesn't crash if it is null?

[GaltradrielSophy]

I made a different attemp with a different approach I got from one of the many questions in this forum (viewtopic.php?t=17578), but it also crashed as soon as the script was triggered.

I tried it with EAX and R14 (since R14 was free and EAX didn't seem to be)

Code: Select all

{ Game   : retroarch.exe
  Version:
  Date   : 2023-08-05
  Author : Gal

  This script does blah blah blah
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



aobscanmodule(onehitkill,snes9x_libretro.dll,66 42 89 34 20 80 7B 32 00 75) // should be unique
alloc(newmem,$1000,onehitkill)

label(code)
label(return)
label(pops)


newmem:
//offs F8 138 178 238
//hex 0000 064E
//int 0 1614

push r14
mov r14,[rsi+F8]
test r14,r14
jz @f
   mov r14,[rsi+138]
   test r14,r14
   jz @f
      mov r14,[rsi+178]
      test r14,r14
      jz @f
         cmp [r14+238],(int)1614
pop r14
jne code
mov [rax+r12],si
jmp return

@@:
pop r14

pops:
pop r14

code:
  mov [rax+r12],si
  jmp return

onehitkill:
  jmp newmem
return:
registersymbol(onehitkill)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
onehitkill:
  db 66 42 89 34 20

unregistersymbol(onehitkill)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: snes9x_libretro.dll+21355

snes9x_libretro.dll+21324: 75 77                    - jne snes9x_libretro.dll+2139D
snes9x_libretro.dll+21326: 41 8D 8C 24 00 C0 FF FF  - lea ecx,[r12-00004000]
snes9x_libretro.dll+2132E: 80 E5 7E                 - and ch,7E
snes9x_libretro.dll+21331: 48 8B 0D F8 D2 26 00     - mov rcx,[snes9x_libretro.dll+28E630]
snes9x_libretro.dll+21338: 0F 85 12 01 00 00        - jne snes9x_libretro.dll+21450
snes9x_libretro.dll+2133E: 8B A9 48 04 00 00        - mov ebp,[rcx+00000448]
snes9x_libretro.dll+21344: 48 8B 1D E5 CF 26 00     - mov rbx,[snes9x_libretro.dll+28E330]
snes9x_libretro.dll+2134B: 48 83 F8 12              - cmp rax,12
snes9x_libretro.dll+2134F: 76 66                    - jna snes9x_libretro.dll+213B7
snes9x_libretro.dll+21351: 45 0F B7 E4              - movzx r12d,r12w
// ---------- INJECTING HERE ----------
snes9x_libretro.dll+21355: 66 42 89 34 20           - mov [rax+r12],si
// ---------- DONE INJECTING  ----------
snes9x_libretro.dll+2135A: 80 7B 32 00              - cmp byte ptr [rbx+32],00
snes9x_libretro.dll+2135E: 75 1D                    - jne snes9x_libretro.dll+2137D
snes9x_libretro.dll+21360: 8B 43 04                 - mov r14,[rbx+04]
snes9x_libretro.dll+21363: 8D 04 68                 - lea r14,[rax+rbp*2]
snes9x_libretro.dll+21366: 89 43 04                 - mov [rbx+04],r14
snes9x_libretro.dll+21369: 3B 43 40                 - cmp r14,[rbx+40]
snes9x_libretro.dll+2136C: 7C 0F                    - jl snes9x_libretro.dll+2137D
snes9x_libretro.dll+2136E: 66 90                    - nop 2
snes9x_libretro.dll+21370: E8 9B 58 FF FF           - call snes9x_libretro.dll+16C10
snes9x_libretro.dll+21375: 8B 43 40                 - mov r14,[rbx+40]
}

[Paul44]

^ when jz true, you'll perform 2 pop r14 ?!
tip: limit to just 1 pop r14, which you'll place right after 'code:', and make sure all jmps pass via 'code'...

also:
...
pop r14
jne code
mov [rax+r12],si
jmp return
=> does not make sense, as in both cases you'll basically execute the same opcode

and:
use 'jz short @f': you explicitly "force" a short jump (no idea if it can go wrong without it though)

**********

major tip: if you have not yet tackled the CE tutorial, then you should as it'll tell you 2 things:
1. whether or not this is something you'd like to do/research (iow is it your "thing" or not ?)
2. it'll give you a pretty good idea what to expect - research-wise - in months to come...

and yep: what happens to you, happens/ed to all tablemakers; it's called 'experience'

[GaltradrielSophy]

Thank you so much for your help Paul44!

Sadly, the emulator still crashed immediately with the latest tweaks.

Code: Select all

The code looked like this:
{ Game   : retroarch.exe
  Version:
  Date   : 2023-08-05
  Author : Gal

  This script does blah blah blah
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



aobscanmodule(onehitkill,snes9x_libretro.dll,66 42 89 34 20 80 7B 32 00 75) // should be unique
alloc(newmem,$1000,onehitkill)

label(code)
label(return)
label(pops)


newmem:
//offs F8 138 178 238
//hex 0000 064E
//int 0 1614

push r14
mov r14,[rsi+F8]
test r14,r14
jz short @f
   mov r14,[rsi+138]
   test r14,r14
   jz short @f
      mov r14,[rsi+178]
      test r14,r14
      jz short @f
         cmp [r14+238],(int)1614
jne code
mov [rax+r12],si
jmp return

@@:
pop r14

pops:
pop r14

code:
  pop r14
  mov [rax+r12],si
  jmp return

onehitkill:
  jmp newmem
return:
registersymbol(onehitkill)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
onehitkill:
  db 66 42 89 34 20

unregistersymbol(onehitkill)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: snes9x_libretro.dll+21355

snes9x_libretro.dll+21324: 75 77                    - jne snes9x_libretro.dll+2139D
snes9x_libretro.dll+21326: 41 8D 8C 24 00 C0 FF FF  - lea ecx,[r12-00004000]
snes9x_libretro.dll+2132E: 80 E5 7E                 - and ch,7E
snes9x_libretro.dll+21331: 48 8B 0D F8 D2 26 00     - mov rcx,[snes9x_libretro.dll+28E630]
snes9x_libretro.dll+21338: 0F 85 12 01 00 00        - jne snes9x_libretro.dll+21450
snes9x_libretro.dll+2133E: 8B A9 48 04 00 00        - mov ebp,[rcx+00000448]
snes9x_libretro.dll+21344: 48 8B 1D E5 CF 26 00     - mov rbx,[snes9x_libretro.dll+28E330]
snes9x_libretro.dll+2134B: 48 83 F8 12              - cmp rax,12
snes9x_libretro.dll+2134F: 76 66                    - jna snes9x_libretro.dll+213B7
snes9x_libretro.dll+21351: 45 0F B7 E4              - movzx r12d,r12w
// ---------- INJECTING HERE ----------
snes9x_libretro.dll+21355: 66 42 89 34 20           - mov [rax+r12],si
// ---------- DONE INJECTING  ----------
snes9x_libretro.dll+2135A: 80 7B 32 00              - cmp byte ptr [rbx+32],00
snes9x_libretro.dll+2135E: 75 1D                    - jne snes9x_libretro.dll+2137D
snes9x_libretro.dll+21360: 8B 43 04                 - mov r14,[rbx+04]
snes9x_libretro.dll+21363: 8D 04 68                 - lea r14,[rax+rbp*2]
snes9x_libretro.dll+21366: 89 43 04                 - mov [rbx+04],r14
snes9x_libretro.dll+21369: 3B 43 40                 - cmp r14,[rbx+40]
snes9x_libretro.dll+2136C: 7C 0F                    - jl snes9x_libretro.dll+2137D
snes9x_libretro.dll+2136E: 66 90                    - nop 2
snes9x_libretro.dll+21370: E8 9B 58 FF FF           - call snes9x_libretro.dll+16C10
snes9x_libretro.dll+21375: 8B 43 40                 - mov r14,[rbx+40]

Oh, the reason why both cases execute the same code (meaning there should be absolutely no change to the original game code) is just so I can check if the game\emulator isn't crashing already just with these comparisons like it was doing before.

I figured it would be easier to do that than to worry about making the emulator not crash AND try and execute the cheat at the same time, when I can't seem to figure out the crashing issue


Honestly, I feel like I'm forgetting about something very simple and "dumb", but I can't seem to grasp what it is.

[Messy6666]

affraid you have your stackflow wrong.... which will cause crashing
ofcourse can't say anything about functionality



hope this helps

[GaltradrielSophy]

Thank you so much Messy6666!

Sadly, the emulator continues to crash immediately (even if we don't do anything, just compare values and stuff).

I'll try changing r14 for something else and see if the problem remains.

I think this may be caused by how the emulator is programed.

Interestingly enough, I can change the values manually without a problem (with the Memory View). Guess my script must include something else to differentiate it from the rest of the 800+ things the same instruction is writing\reading at the same time.


I'm wondering if "si" and "rsi" are not working together the way I thought they would.
Could it be converting the value from 2 bytes to 4 bytes, or something like that?

[Messy6666]

this is ofc a bit hard to answer because i don't have that program you working on.
but seeing

Code: Select all

snes9x_libretro.dll+21324: 75 77                    - jne snes9x_libretro.dll+2139D
snes9x_libretro.dll+21326: 41 8D 8C 24 00 C0 FF FF  - lea ecx,[r12-00004000]
snes9x_libretro.dll+2132E: 80 E5 7E                 - and ch,7E
snes9x_libretro.dll+21331: 48 8B 0D F8 D2 26 00     - mov rcx,[snes9x_libretro.dll+28E630]
snes9x_libretro.dll+21338: 0F 85 12 01 00 00        - jne snes9x_libretro.dll+21450
snes9x_libretro.dll+2133E: 8B A9 48 04 00 00        - mov ebp,[rcx+00000448]
snes9x_libretro.dll+21344: 48 8B 1D E5 CF 26 00     - mov rbx,[snes9x_libretro.dll+28E330]
snes9x_libretro.dll+2134B: 48 83 F8 12              - cmp rax,12
snes9x_libretro.dll+2134F: 76 66                    - jna snes9x_libretro.dll+213B7
snes9x_libretro.dll+21351: 45 0F B7 E4              - movzx r12d,r12w
// ---------- INJECTING HERE ----------
snes9x_libretro.dll+21355: 66 42 89 34 20           - mov [rax+r12],si
// ---------- DONE INJECTING  ----------

and your

Code: Select all

mov r14,[rsi+F8]

i think you have the wrong base address there ( rsi+f8 ) because later si is used as a value to store ( health? ).
pointing to "wrong" memorie locations can causing crashes also.

looking at the original code it can be in [rbx], [rcx] or even [rax]...
impossible for me to say.... just not in [rsi]
( si is just a sub-part of the full 64 bit rsi register )

i humbly suggest trying to delve a bit more into the wonderful world of assembly in general.

Good luck

[oyyzj]

I didn't understand the following:

- GaltradrielSophy is trying to write something so desperate in r14 and at the end r14 goes in nowhere. so why the work with mov and test and cmp for a zero result?

- since the base adr. is [rax] + [r12] offset as registry, why tampering with [rsi] + [offset]?

[tdg6661]

Sorry, but what is the purpose of this? And where is the one-hit kill codes? It's the same as the original code after comparing.

Code: Select all

push r14
mov r14,[rsi+F8]
test r14,r14
jz short @f
   mov r14,[rsi+138]
   test r14,r14
   jz short @f
      mov r14,[rsi+178]
      test r14,r14
      jz short @f
         cmp [r14+238],(int)1614
jne code
mov [rax+r12],si
jmp return

@@:
pop r14

pops:
pop r14

You can ttry my script here, but it only comparing values.

Code: Select all

The code looked like this:
{ Game   : retroarch.exe
  Version:
  Date   : 2023-08-05
  Author : Gal

  This script does blah blah blah
}
[ENABLE]
aobscanmodule(onehitkill,snes9x_libretro.dll,66 42 89 34 20 80 7B 32 00 75) // should be unique
alloc(newmem,$1000,onehitkill)

label(code)
label(return)

newmem:
//offs F8 138 178 238
//hex 0000 064E
//int 0 1614

push r14
push r13

xor r14,r14

mov r14,[rsi+F8]
test r14,r14
je code

mov r14,[rsi+138]
test r14,r14
je code

mov r14,[rsi+178]
test r14,r14
je code

xor r13,r13
mov r13d,[r14+238]

cmp r13d,#1614
jne code

// Your script goes here

code:
pop r13
pop r14
mov [rax+r12],si
jmp return

onehitkill:
  jmp newmem
return:
registersymbol(onehitkill)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
onehitkill:
  db 66 42 89 34 20

unregistersymbol(onehitkill)
dealloc(newmem)

Also, because it's an emulator, it's preferable to use LUA rather than ASM if you have static addresses.

[Toga]

^ biggest problem is as Messy pointed out: [rsi + 0f8] is not a valid address
he/she should check it using a breakpoint.

^^ prolly walking through data pointers and testing if they are valid, only none zero ones in this case, trying to exclude Player using [ r14 + 0238 ] ?
again rsi is not the base register to start with here.

[tdg6661]

Oh, I didn't notice it. rsi is not a pointer; it is used to hold values (si). Set a breakpoint (F5) and look for a pointer in a register with a value higher than 2 bytes (0xFFFF). Paste the register value on dissect data/structures and look for the desired value on offsets 0xF8, 0x138, etc. to get the proper address.

Once you've found it, you can modify the following:

Code: Select all

[ENABLE]
aobscanmodule(onehitkill,snes9x_libretro.dll,66 42 89 34 20 80 7B 32 00 75) // should be unique
alloc(newmem,$1000,onehitkill)

label(code)
label(return)

newmem:
//offs F8 138 178 238
//hex 0000 064E
//int 0 1614

push r14
push r13

xor r14,r14

mov r14,[XXX+F8]
test r14,r14
je code

mov r14,[XXX+138]
test r14,r14
je code

mov r14,[XXX+178]
test r14,r14
je code

xor r13,r13
mov r13d,[r14+238]

cmp r13d,#1614
jne code

// Your script goes here

code:
pop r13
pop r14
mov [rax+r12],si
jmp return

onehitkill:
  jmp newmem
return:
registersymbol(onehitkill)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
onehitkill:
  db 66 42 89 34 20

unregistersymbol(onehitkill)
dealloc(newmem)

[GaltradrielSophy]

Thank you so much for your help, everyone!

I had a few busy months and forgot to reply to you all. I still didn't manage to make that pesky code work, but I'll let you guys know as soon as I'm able to!

I learned in the past months that it is due to how the SNES emulator is coded, and has nothing to do with the game itself. Using similar codes to what you all helped me achieve in other emulators like a PS1 emulator works flawlessly, for instance.

Thank you again, and I'll keep you guys updated on how it goes!

[DQ323]

Hello friends, how are you?

I was running some tests with Cheat Engine to identify the issue in the thread and how I could assist, but I encountered another problem. Maybe you can help me:

When I found the memory address corresponding to the character's health and saved it in Cheat Engine, everything was fine. Then I closed SNES9x, and when I reopened it, it didn't recognize the previously saved memory address, and I had to search for it all over again. How can I find and save a fixed memory address in SNES9x for quicker future searches?