[ROM Hack] How to find pointers on NTR Debugger memory dumps? (NTR CFW)

omegapirate (OP; joined May 25, 2012; Mexico):
So over the last couple of weeks I've been working on several cheat methods (RAM hacking, ROM hacking and save data editing), but one thing I can't figure out is pointers!

Sure, dumping the RAM a few times and finding, then changing, a static value is extremely easy to do, but finding the address that writes to that dynamic address is the real challenge.

Now, obviously pointers are extremely easy to find when running a game (or reading its memory live) on an emulator like Citra, but the problem is that not all games are supported at this moment. I have found several pointers in FE:A with Citra and Cheat Engine and it was extremely easy!

The question is, how can I find pointers while dumping memory with NTR Debugger?

Is there any way I can read the RAM of the 3DS live? If so, that would be extremely helpful for finding pointers.

Another thing I've found is that Gateway seems to help in finding pointers, with some PC software and RAM dumping, but it seems to use very different memory regions than NTR Debugger does. (Physical or virtual memory, perhaps?!)

I've been searching around and really haven't found any way to find pointers with memory dumps, so I'm wondering what people here say/know about it. :)
 

omegapirate (OP; joined May 25, 2012; Mexico):
Well, I bought a Gateway card as it seems it's a lot easier to find pointers that way.

Once I get it and find some pointers, I'll update.
 

DesuIsSparta (joined Oct 13, 2015; United States):
Unfortunately, the closest thing you can do at the moment is hook into the NTR TCP protocol yourself and handle the returned bytes that way.

The 3DS is extremely slow, and since NTR sends the read RAM in its own packet via TCP on LAN, it is incredibly slow. It can take 4 full minutes to receive. You can program it so you can read the bytes while they're being returned, but it's a mess unless you're experienced with that... I'm not.

Cell9 is not releasing the source for NTR, so we won't really ever be able to contribute and see if optimization is an option. Also, he only logs in to the forum once in a while and his native language is Chinese, so conversations are possible but short.

The fastest way at the moment seems to be with Gateway... I wish I had a Gateway. There's no other way I can think of to access the RAM instantly, since it can only be done from the console itself.
 

omegapirate (OP; joined May 25, 2012; Mexico):
> DesuIsSparta wrote:
> Unfortunately, the closest thing you can do at the moment is hook into the NTR TCP protocol yourself and handle the returned bytes that way.
>
> The 3DS is extremely slow, and since NTR sends the read RAM in its own packet via TCP on LAN, it is incredibly slow. It can take 4 full minutes to receive. You can program it so you can read the bytes while they're being returned, but it's a mess unless you're experienced with that... I'm not.
>
> Cell9 is not releasing the source for NTR, so we won't really ever be able to contribute and see if optimization is an option. Also, he only logs in to the forum once in a while and his native language is Chinese, so conversations are possible but short.
>
> The fastest way at the moment seems to be with Gateway... I wish I had a Gateway. There's no other way I can think of to access the RAM instantly, since it can only be done from the console itself.

Yeah, I read in many forums that Gateway is the way to go when reading RAM live. I think if they could do it, I can code an app that works in a similar way to Gateway in that regard and associate it with NTR, or create another solution altogether.

Either way, when the Gateway card arrives I'll try to find a few pointers and update this thread.
 

DesuIsSparta (joined Oct 13, 2015; United States):
> omegapirate wrote:
> Yeah, I read in many forums that Gateway is the way to go when reading RAM live. I think if they could do it, I can code an app that works in a similar way to Gateway in that regard and associate it with NTR, or create another solution altogether.
>
> Either way, when the Gateway card arrives I'll try to find a few pointers and update this thread.

Honestly, the only thing I can think of is engineering a device similar to Gateway which functions solely as a RAM box and has fast enough (50mb/s) transfer speeds. Perhaps USB 3.0 is the way to go there... It costs a bunch of money and won't really be worth it in the end... but I can't think of a solution that doesn't involve modding the device.
 

omegapirate (OP; joined May 25, 2012; Mexico):
> DesuIsSparta wrote:
> Honestly, the only thing I can think of is engineering a device similar to Gateway which functions solely as a RAM box and has fast enough (50mb/s) transfer speeds. Perhaps USB 3.0 is the way to go there... It costs a bunch of money and won't really be worth it in the end... but I can't think of a solution that doesn't involve modding the device.

That's interesting. I wonder how hard it would be to code one.
 

omegapirate (OP; joined May 25, 2012; Mexico):
OK, so I've been playing with the Gateway card and I've been dumping RAM to find pointers.

IT'S A SUCCESS! I could certainly find pointers for some values!

Now the biggest problem I have is that to create an NTR plugin I >NEED< to read that pointer address to get the value address, so I can write whatever value I want.

For example, a pointer is 0x145EAEB0 whose value is 80455c15 (or 0x155c4580). Then at 0x155c4580 I find my 4-byte value, the one the game uses (i.e. 6101, or 353 in decimal).

Now, the code I believe should work in an NTR plugin is:

Code:
int valueG = READU32(0x145EAEB0);
WRITEU16(valueG, 0x0000FFFF);

But the only problem I have is actually reading the pointer address which contains the dynamic address.

Does anyone know how I can do that?

It's really easy to do it with NTR Debugger [ read(0x145EAEB0, 0x4, pid=0x29) ], but I would totally prefer to make it work in one single cheat.plg file without me reading the pointer manually from NTR Debugger.

Any help? Or anyone that can help on this? Or does anyone know someone that can help with this?

I'm sure if I can figure this out, finding cheats with GW and then translating them to NTR would help in creating a lot more cheats!

PS: Once I find a way to read an address within the .plg file, I will make a tutorial on how to do everything and how to find the pointers! ;)
 

MichiS97 (joined Jun 14, 2011; Munich, Germany):
> omegapirate wrote:
> OK, so I've been playing with the Gateway card and I've been dumping RAM to find pointers. [...]
> Now, the code I believe should work in an NTR plugin is:
> Code:
> int valueG = READU32(0x145EAEB0);
> WRITEU16(valueG, 0x0000FFFF);
> [...] But the only problem I have is actually reading the pointer address which contains the dynamic address.

Code:
return (*(vu8*)(0x00776312));

I'm using this to read a single byte; change vu8 to vu16 to read two bytes :)
How exactly can you convert Gateway codes to NTR, though?
 

ShiroKyouma (joined Dec 29, 2015):
> omegapirate wrote:
> OK, so I've been playing with the Gateway card and I've been dumping RAM to find pointers. [...]
> PS: Once I find a way to read an address within the .plg file, I will make a tutorial on how to do everything and how to find the pointers! ;)

Waiting for the tutorial. :D
 
Deleted User (Guest):
> DesuIsSparta wrote:
> Unfortunately, the closest thing you can do at the moment is hook into the NTR TCP protocol yourself and handle the returned bytes that way.
>
> The 3DS is extremely slow, and since NTR sends the read RAM in its own packet via TCP on LAN, it is incredibly slow. It can take 4 full minutes to receive. You can program it so you can read the bytes while they're being returned, but it's a mess unless you're experienced with that... I'm not.
>
> Cell9 is not releasing the source for NTR, so we won't really ever be able to contribute and see if optimization is an option. Also, he only logs in to the forum once in a while and his native language is Chinese, so conversations are possible but short.
>
> The fastest way at the moment seems to be with Gateway... I wish I had a Gateway. There's no other way I can think of to access the RAM instantly, since it can only be done from the console itself.

I know this sounds strange, but I wonder if it'd be possible to solder wires to the board in a way that would let people dump the RAM like that.
That's very likely a 'no', but, eh. Never hurts to ask.
 

Nanquitas (joined Sep 29, 2015; South of France):
> omegapirate wrote:
> OK, so I've been playing with the Gateway card and I've been dumping RAM to find pointers. [...]
> Now, the code I believe should work in an NTR plugin is:
> Code:
> int valueG = READU32(0x145EAEB0);
> WRITEU16(valueG, 0x0000FFFF);
> [...] But the only problem I have is actually reading the pointer address which contains the dynamic address.

Hello!

Your code should work, but replace int with unsigned int. ;)
Code:
unsigned int pointer = READU32(0x145EAEB0);
WRITEU16(pointer, 0xFFFF);
 

DesuIsSparta (joined Oct 13, 2015; United States):
> Deleted User wrote:
> I know this sounds strange, but I wonder if it'd be possible to solder wires to the board in a way that would let people dump the RAM like that.
> That's very likely a 'no', but, eh. Never hurts to ask.

Well, of course you can create your own hardware to dump the system's RAM, but then you're still stuck with the same problem NTR offers you: how do you interact with said RAM?

It's absolutely 100% possible to write Gateway's method of memory hacking without a Gateway. Unfortunately, I don't have the programming knowledge nor enough information on firmwares to create my own CFW designed to do so. If I were able to, I'd write NTR a different way. NTR isn't written poorly, but the developer does not share the source code (I've already asked), nor are there many updates for it... so it's lacking pretty hard in some places.

For the time being, the best we have is Gateway and NTR. Perhaps I'll look into creating a CFW sometime in the future, but at this time I just can't do it...
 

omegapirate (OP; joined May 25, 2012; Mexico):
Absolutely wonderful, people!

I will test with the few codes people posted here and I will get back :)

Hopefully I get back with good news! haha
 

omegapirate (OP; joined May 25, 2012; Mexico):
> Nanquitas wrote:
> Why don't you just make a plugin to read / write the memory?

That's what I'm trying to do xD

> Nanquitas wrote:
> Hello!
>
> Your code should work, but replace int with unsigned int. ;)
> Code:
> unsigned int pointer = READU32(0x145EAEB0);
> WRITEU16(pointer, 0xFFFF);

It seems I can't use READU32 as it's not defined. I tried to define it, but there are always compile errors :/

> MichiS97 wrote:
> Code:
> return (*(vu8*)(0x00776312));
>
> I'm using this to read a single byte; change vu8 to vu16 to read two bytes :)
> How exactly can you convert Gateway codes to NTR, though?

So I've been playing with that line, but I can't seem to make it work for some reason.

I tried:

Code:
int valueG = *(vu32*)(0x145EAEB0);
WRITEU16(valueG, 0x0000FFFF);

Any help? xD
 

Nanquitas (joined Sep 29, 2015; South of France):
Yeah, I meant in a more global way, not a specific game's plugin. ;)

Here's my macros definition:
Code:
#ifndef READU8
#    define READU8(addr)             *(volatile unsigned char*)(addr)
#endif
#ifndef READU16
#    define READU16(addr)             *(volatile unsigned short*)(addr)
#endif
#ifndef READU32
#    define READU32(addr)             *(volatile unsigned int*)(addr)
#endif

Why do you think it's not working? How do you use it?
 

omegapirate (OP; joined May 25, 2012; Mexico):
> Nanquitas wrote:
> Yeah, I meant in a more global way, not a specific game's plugin. ;)
>
> Here's my macros definition: [...]
>
> Why do you think it's not working? How do you use it?

Well, I tried defining it that way and it compiled xD

The problem still persists when trying to use it as:

Code:
unsigned int valueG = READU32(0x145EAEB0);
WRITEU32(valueG, 0x0000FFFF);

I even tried with WRITEU16, but it doesn't seem to work either.

What I'm going to try is with the valueG variable as signed and without signed/unsigned.

Also, 2 things I believe are happening:

1. valueG is not represented as hex when trying to write the 0xFFFF, so it could be a problem.
2. valueG is encoded in little/big endian and I need to translate it before using it on the WRITEU32 line.
3. I know I said 2 things, but still, it could be that valueG is not represented as hex when trying to write 0xFFFF and/or is also coded in little/big endian.

Can anyone confirm whether or not that should work? xD

I'm a coder, but C in general, I don't remember a thing!
 

Nanquitas (joined Sep 29, 2015; South of France):
> omegapirate wrote:
> Well, I tried defining it that way and it compiled xD
>
> 1. valueG is not represented as hex when trying to write the 0xFFFF, so it could be a problem.
> 2. valueG is encoded in little/big endian and I need to translate it before using it on the WRITEU32 line.
> 3. I know I said 2 things, but still, it could be that valueG is not represented as hex when trying to write 0xFFFF and/or is also coded in little/big endian.

1. Doesn't matter; the compiler doesn't make a difference between 0x1 and 1, it's just more convenient for you when writing a big number.
2. Nope, I use this way in my FF plugin to read dynamic addresses.
3. Cf. 1.

Now:
- If you try to freeze the value you have to loop it, especially if the game rewrites the real number right after the modification;
- Are you sure you're triggering the code?
- Maybe the address is not the right one? :/

If you link the code I can try to help, but the code you wrote above is working. ;)
 
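Added example (editor's code, not from this thread, from NTR or from any plugin posted here): the pointer-following that the READU32/WRITEU16 snippets above perform, written as a stand-alone C program against a constructed stand-in for a RAM dump so it can be compiled and stepped through on a PC. It uses macros of the same shape as the ones Nanquitas posted, shows why the dump bytes 80 45 5c 15 read back as 0x155c4580 with no byte swap (the 3DS ARM11 is little-endian, like the PC this is assumed to run on, which is what the endianness question above comes down to), and adds the check a plugin wants before dereferencing: if the static pointer still holds 0 or something unmapped because the game has not set the structure up yet, the write is skipped instead of crashing the game. The two memory windows, their bases and sizes, and the host-side va2host translation are assumptions made for the example; 0x145EAEB0, 0x155c4580 and the value 353 are from the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the game's RAM: two small windows that we pretend sit at
   the 3DS virtual addresses from the thread. Window bases and sizes are assumptions. */
#define PTR_WINDOW_BASE 0x145EAE00u   /* contains the static pointer 0x145EAEB0 */
#define VAL_WINDOW_BASE 0x155c4500u   /* contains the dynamic target 0x155c4580 */
#define WINDOW_SIZE     0x100u

/* The unions keep the byte buffers 4-byte aligned, so the 32-bit dereferences below are valid. */
static union { uint32_t align; uint8_t b[WINDOW_SIZE]; } g_ptr_win, g_val_win;

/* Translate a 3DS virtual address to a host pointer, or NULL if it lies outside the
   windows or is misaligned for an access of 'len' bytes. A real plugin has no such
   translation: it dereferences the address directly, so a null or garbage pointer
   (e.g. read before the game has allocated the struct) crashes the game. */
static uint8_t *va2host(uint32_t va, uint32_t len)
{
    if (va & (len - 1)) return NULL;
    if (va >= PTR_WINDOW_BASE && va - PTR_WINDOW_BASE + len <= WINDOW_SIZE)
        return g_ptr_win.b + (va - PTR_WINDOW_BASE);
    if (va >= VAL_WINDOW_BASE && va - VAL_WINDOW_BASE + len <= WINDOW_SIZE)
        return g_val_win.b + (va - VAL_WINDOW_BASE);
    return NULL;
}

/* Same shape as the READUxx macros posted above: a volatile dereference of the address. */
#define READU16(p)     (*(volatile uint16_t *)(p))
#define READU32(p)     (*(volatile uint32_t *)(p))
#define WRITEU16(p, v) (*(volatile uint16_t *)(p) = (uint16_t)(v))
#define WRITEU32(p, v) (*(volatile uint32_t *)(p) = (uint32_t)(v))

/* Lay the "dump" out byte for byte as a memory viewer shows it (little-endian):
   80 45 5c 15 at 0x145EAEB0 (the pointer) and 61 01 00 00 at 0x155c4580 (the value 353). */
static void setup_dump(void)
{
    static const uint8_t ptr_bytes[4] = { 0x80, 0x45, 0x5c, 0x15 };
    static const uint8_t val_bytes[4] = { 0x61, 0x01, 0x00, 0x00 };
    memset(g_ptr_win.b, 0, WINDOW_SIZE);
    memset(g_val_win.b, 0, WINDOW_SIZE);
    memcpy(va2host(0x145EAEB0u, 4), ptr_bytes, 4);
    memcpy(va2host(0x155c4580u, 4), val_bytes, 4);
}

/* Peek/poke helpers; -1 means "unmapped", so callers can tell that apart from a real 0. */
static long long peek_u32(uint32_t va) { uint8_t *p = va2host(va, 4); return p ? (long long)READU32(p) : -1; }
static long long peek_u16(uint32_t va) { uint8_t *p = va2host(va, 2); return p ? (long long)READU16(p) : -1; }
static int poke_u32(uint32_t va, uint32_t v) { uint8_t *p = va2host(va, 4); if (!p) return -1; WRITEU32(p, v); return 0; }

/* The operation the thread is after: read the static pointer, then write the cheat value
   at the dynamic address it holds. Returns that dynamic address, or 0 when the pointer is
   still null/unmapped, in which case nothing is written. */
static uint32_t follow_pointer_and_write_u16(uint32_t pointer_va, uint16_t value)
{
    uint8_t *pp = va2host(pointer_va, 4);
    if (!pp) return 0;
    uint32_t target = READU32(pp);   /* 80 45 5c 15 reads back as 0x155c4580: no byte swap needed */
    uint8_t *tp = va2host(target, 2);
    if (target == 0 || !tp) return 0;
    WRITEU16(tp, value);
    return target;
}

int main(void)
{
    setup_dump();
    printf("pointer at 0x145EAEB0 = 0x%08llx\n", (unsigned long long)peek_u32(0x145EAEB0u)); /* 0x155c4580 */
    printf("value   at 0x155c4580 = %lld\n", peek_u16(0x155c4580u));                          /* 353 */
    uint32_t t = follow_pointer_and_write_u16(0x145EAEB0u, 0xFFFF);
    printf("wrote 0xFFFF through the pointer to 0x%08x, value now %lld\n", t, peek_u16(0x155c4580u));
    /* Simulate the game not having set the pointer yet: the write is skipped instead of crashing. */
    poke_u32(0x145EAEB0u, 0);
    printf("null pointer -> follow returns 0x%08x\n", follow_pointer_and_write_u16(0x145EAEB0u, 0xFFFF));
    return 0;
}
```

In a plugin the call to follow_pointer_and_write_u16 sits inside the periodic loop Nanquitas mentions, since the game rewrites the value; the null check matters most on the first iterations, before the game has created the structure the static pointer refers to.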

omegapirate (OP; joined May 25, 2012; Mexico):
> Nanquitas wrote:
> 1. Doesn't matter; the compiler doesn't make a difference between 0x1 and 1, it's just more convenient for you when writing a big number.
> 2. Nope, I use this way in my FF plugin to read dynamic addresses.
> 3. Cf. 1.
>
> Now:
> - If you try to freeze the value you have to loop it, especially if the game rewrites the real number right after the modification;
> - Are you sure you're triggering the code?
> - Maybe the address is not the right one? :/
>
> If you link the code I can try to help, but the code you wrote above is working. ;)

OK, so unfortunately I can't link to the code as it's one I created from dumping RAM with Gateway xD

But here's the code:

Code:
::Generated Code(Goomba atk)
6145EAEB0 00000000
B145EAEB0 00000000
00000000 00000000
D2000000 00000000

So basically the thing is that the pointer 0x145EAEB0 (a static pointer) contains the dynamic address (DMA) where the atk of the goomba is.

How do I know this code should work?

Well, using the 2 RAM dumps from Gateway, I went to the static pointer 0x145EAEB0 in both and both had a dynamic address. Then I went to those dynamic addresses and I could find the attack of the goomba.

I first used the Gateway cheat finder to get the attack of the goomba and then I changed it to 0xFFFF, and the attack obviously increased. Obviously, as it's dynamic, after the fight the address was different, but the pointer (0x145EAEB0) is static and that's what I need in order to find and change the dynamic address.

The 4-line code above basically locates the static pointer, gets the value of the static pointer, which is the dynamic address, and then we can write to the dynamic address.

I'm trying to do the same process but with NTR, so that's why converting codes from Gateway to NTR is quite a job sometimes xD
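The two-dump method this post describes (the same static address holds a different dynamic address in each dump, and both lead to the value) can be automated, which is what the thread title asks for. As an added example, not code from the thread, from Gateway's tooling or from NTR, the C program below scans two constructed dumps of the same region for words that, at the same address in both dumps, point the same distance before that dump's known dynamic address, and turns each candidate into the NTR plugin statement the thread is after. The dump window (0x145EA000, 4 KB), the second dump's dynamic address 0x155c9a80, the planted decoys and the 0x100 field-offset limit are constructed assumptions; 0x145EAEB0 and 0x155c4580 come from the post. The scan also finds pointers to an enclosing structure (value some bytes past the pointed-to address), which the post's direct pointer is a special case of.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The dumped region that contains the static pointer (constructed; real dumps are far larger). */
#define DUMP_BASE        0x145EA000u
#define DUMP_SIZE        0x1000u
#define MAX_FIELD_OFFSET 0x100u   /* a static pointer may address a struct, with the value some bytes in */

/* Dynamic address of the value in each dump: TARGET_A from the thread, TARGET_B constructed. */
#define TARGET_A 0x155c4580u
#define TARGET_B 0x155c9a80u

typedef struct { uint32_t static_va; uint32_t field_offset; } ptr_candidate;

static uint8_t g_dump_a[DUMP_SIZE], g_dump_b[DUMP_SIZE];
static ptr_candidate g_cands[16];
static size_t g_count;

/* Dumps are raw bytes; the 3DS is little-endian, so words are assembled explicitly. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed dumps: identical pseudo-random filler in both, then a few planted words. */
static void build_dumps(void)
{
    uint32_t x = 0x1234567u;
    for (uint32_t off = 0; off < DUMP_SIZE; off += 4) {
        x = x * 1103515245u + 12345u;
        wr32le(g_dump_a + off, x);
        wr32le(g_dump_b + off, x);
    }
    /* the static pointer from the thread: holds the value's address directly (offset 0) */
    wr32le(g_dump_a + (0x145EAEB0u - DUMP_BASE), TARGET_A);
    wr32le(g_dump_b + (0x145EAEB0u - DUMP_BASE), TARGET_B);
    /* constructed: a pointer to the enclosing struct, with the value 0x10 bytes in */
    wr32le(g_dump_a + 0x100, TARGET_A - 0x10);
    wr32le(g_dump_b + 0x100, TARGET_B - 0x10);
    /* decoy: a stale copy that only matches in dump A */
    wr32le(g_dump_a + 0x200, TARGET_A);
    wr32le(g_dump_b + 0x200, 0x0800F000u);
    /* decoy: points near both targets, but at different distances */
    wr32le(g_dump_a + 0x300, TARGET_A - 4);
    wr32le(g_dump_b + 0x300, TARGET_B - 8);
}

/* Core of the method: a static pointer is a word that, at the same address in both dumps,
   points the same distance (0..MAX_FIELD_OFFSET) before that dump's dynamic address. */
static size_t find_static_pointers(const uint8_t *a, uint32_t target_a,
                                   const uint8_t *b, uint32_t target_b,
                                   ptr_candidate *out, size_t max_out)
{
    size_t n = 0;
    for (uint32_t off = 0; off + 4 <= DUMP_SIZE; off += 4) {
        uint32_t wa = rd32le(a + off), wb = rd32le(b + off);
        if (wa > target_a || target_a - wa > MAX_FIELD_OFFSET) continue;
        if (wb > target_b || target_b - wb != target_a - wa) continue;
        if (n < max_out) {
            out[n].static_va = DUMP_BASE + off;
            out[n].field_offset = target_a - wa;
        }
        n++;
    }
    return n;
}

/* Build the dumps, run the scan, keep the candidates for the accessors below. */
static size_t run_scan(void)
{
    build_dumps();
    g_count = find_static_pointers(g_dump_a, TARGET_A, g_dump_b, TARGET_B, g_cands, 16);
    if (g_count > 16) g_count = 16;
    return g_count;
}
static uint32_t candidate_va(size_t i)     { return i < g_count ? g_cands[i].static_va : 0; }
static uint32_t candidate_offset(size_t i) { return i < g_count ? g_cands[i].field_offset : 0; }

/* The NTR plugin statement for a candidate (what the Gateway-to-NTR conversion produces). */
static int ntr_statement(size_t i, char *buf, size_t len)
{
    if (i >= g_count) return -1;
    return snprintf(buf, len, "WRITEU16(READU32(0x%08X) + 0x%X, 0xFFFF);",
                    (unsigned)g_cands[i].static_va, (unsigned)g_cands[i].field_offset);
}

int main(void)
{
    char line[96];
    size_t n = run_scan();
    printf("%zu candidate static pointer(s)\n", n);
    for (size_t i = 0; i < n; i++) {
        ntr_statement(i, line, sizeof line);
        printf("  0x%08X + 0x%X  ->  %s\n", (unsigned)candidate_va(i), (unsigned)candidate_offset(i), line);
    }
    return 0;
}
```

Two dumps leave false positives whenever an unrelated word happens to move in step with the value; a third dump taken after another reallocation, fed through the same check, removes them. The field_offset is what the Gateway code above handles with a zero offset: when the static pointer addresses a structure rather than the value itself, the NTR write has to add that offset.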
 
