ROM Hack Question Pointer Search Tutorial??????

Smoker1 · Sep 20, 2019

I need a Pointer Search that will work for the following.........
Switch using Atmosphere 0.9.3|S
Have EdiZon

I have tried JNoexs+SX OS Code Builder, but I get Issues. I will use 1 Game that is getting to me as an Example.....

I find the Addresses/Values needed

I then go by The Following Tutorial, shared by @phonz
https://gbatemp.net/threads/cheat-codes-ams-and-sx-os-add-and-request.520293/page-55#post-8356895

Now in the Tutorial, it is shown using JNoexs v1.1.1. But 1.1.2 does not create a Dump like the previous. So I go by what was Suggested, and go by the 1st Dump that was made for the Search in Question, for both.....

NOTICE THE ADDRESS AND THE RESULTING CODE. ALSO THE OFFSET SECTION.

However, there are times, when trying to Convert with the Code Builder, I get this Error.....

Or if I am able to get Results that create a Code, none of them work.
NOTE: for the Game in Question, the Codes when I found them, were located in the HEAP Section. Also, the Addresses change, so they do in fact require a Pointer, and must be run after the Game has been run, or it will give a Error, just like the NeoGeo Games.

Basically, all these Switch Games that have Pointers for, on behalf of us Noobs, I ask - HOW??????????? Wouldn't it be better for Users to be able to create their own Codes instead of hounding Pages with Requests, over and over again?

Info needed -
Tools Required????
Programs Required????
Which CFW is Required - SX OS, Atmosphere???? Can both be used?
How can Memory Dumps be made, and used for Pointer Searches????

Falo · Sep 20, 2019

Heap is the RAM of games, some have fixed addresses, but normally Heap should ALWAYS be considered dynamic and there should always be a pointer to it.
The base-pointer itself must be contained in main memory, it cannot be anywhere else or it is a wrong pointer, so a memory address outside of main memory is always wrong.
If the pointer is lower then main, like in your screenshot, then it is wrong, because it must be inside of main memory, not outside.

Your problem is:
- you try to find a multi-level pointer by searching just 1 level
- you're not searching in main memory

But the biggest problem is your target, "Johnny Turbo's Arcade Fighter's History"
This target is a PC Engine game, emulated inside of Unity Engine.

This means:
- you need to find a pointer to the emulator memory inside of main
- then find the pointer to the values inside emulator memory
depending on how the emulator was coded, this could be a 4 or 5 level pointer.

main is 0x0 - 0x813CFBF, any address outside of this range is wrong for the base pointer.

Smoker1 said:
Tools Required????
Programs Required????

- Ida Pro
- Il2CppDumper
- dnSpy
- noexes

Smoker1 said:
Which CFW is Required - SX OS, Atmosphere???? Can both be used?

Atmosphere

Smoker1 said:
How can Memory Dumps be made, and used for Pointer Searches????

Just search for something in noexes, it creates a *.tmp file, this file is your memory dump.

phonz · Sep 20, 2019

When you see [main-xxxxxxxx] the minus/negative means you are searching in an area thats not in Main.
Which won't get you anywhere if you are looking for a pointer.
The base address for the pointer has to be in memory that isn't dynamic (IE Main) or else it won't work.

When you create your memory dump you should restart your search, Select the Start (and pointer start)/Stop point of the main memory in the tools tab.
Then search for whatever you want to create the dump of that area, AND then (in my experience) hit restart one more time and that pops the dumped ram into a file (I think its a .bin or .dat? or .tmp? in the tmp folder).

Jnoexs is pretty limited though as it will NOT search beyond 2 pointers deep.
In those cases you can manually try and map your way through the RAM using something like SXOS RAM viewer, but that will take some time.

There is @BullyWiiPlaza universal pointer searcher tool as well, but I'm not entirely sure jnoexs dumps work with it?
Switch memory registers are 64bit I think (000000XX XXXXXXXX), and I'm not sure how his tool handles that. But it's actively updated so maybe it likes switch memory dumps now *shrug*

Hope this clears some things up for yeh.

PS. I didn't write that tutorial, credits go to @talixme . I just re-upped the images.
I often reference it and repost it because it's pretty straight forward and easy to understand.

I might recommend EdiZone/WerWolv's discord server if you need any questions answered regarding EdiZone cheat creation.
And IIRC, @WerWolv was looking into attempting to create a pointer searcher in his tool.
He already has a *void search which I think? will let you search for a vlaue without alignment (ie, not 8/16/32/64 bit). Which can be helpful when you are manually trying to navigate RAM for pointers. But I don't think there is a memory viewer yet.

Smoker1 · Sep 20, 2019

@phonz - Yeah I was looking around, saw it was from someone else, forgot who, so I just put you sharing it. Yeah, I looked up the UPST, but was wondering if it worked with the Switch Memory. I asked the Dev, but have had no Reply yet.
Well WerWolv is away for Schooling, last I heard, but I know there have been occasional work done on the GitHub Page, so there may be intermittent Work being done on Free Time. Just cant wait till the Unknown Search is improved upon (currently, you need to know the Value).

@Falo - PC Engine????? Damn. Only knew it was for Arcade and SNES.
Odd thing is, when I Search for Inf Time, that is the only Address that I end up getting eventually in EdiZon. At first there are a couple of BASE's and a few MAIN's, but then by the 3rd, they go away and I am left with a load of HEAPs. Is there any difference between Signed or Unsigned Results? And the Ending 3 Digits match the MAME Cheat File, also.

Is there any reason why netCheat will not Connect, even when JNoexs will?

--------------------- MERGED ---------------------------

Oh, I did do one suggestion, but instead of doing the Pointer Search in MAIN, I was told to try in just the HEAP Sections. I did get the Code Builder to accept those, but none of them worked, but I had the same problem with the Address/Offset Issue, where it thought the end of the Address was supposed to be the Offset.

BullyWiiPlaza · Sep 21, 2019

phonz said:
There is @BullyWiiPlaza universal pointer searcher tool as well, but I'm not entirely sure jnoexs dumps work with it?
Switch memory registers are 64bit I think (000000XX XXXXXXXX), and I'm not sure how his tool handles that. But it's actively updated so maybe it likes switch memory dumps now *shrug*

Yes, it does. I worked together with 2 people wanting Switch support.

You can put 64-bit addresses and you need to specify the address size to be 8 bytes for better efficiency. And especially consider the module dumps mode since there are modules on Switch. This is very similar to Windows so I could implement both for the price of one kinda.

Link:
https://github.com/BullyWiiPlaza/Universal-Pointer-Searcher

Let me know.

Smoker1 · Sep 21, 2019

How would that work with EdiZon, though? From the Addresses JNoexs was giving me, they are a little different.
FH Time Address in EdiZon
[ HEAP + 0x00038659E5 ]

For JNoexs, the 0s would have a Number for it like the examples, unless EdiZon just removes those, same with SX OS Cheat Engine.

Also, I am basically going off of what I am reading from the EdiZon Search info.....

Set the memory region you want to search in. HEAP contains dynamically allocated values and will be where the majority of the values worth changing will be found. MAIN contains global variables and instructions for game operation. You may find some values here but it's mainly for finding pointers to HEAP values or changing game code. RAM will search the entirety of the Games used memory including memory shared memory and resources. Should only be used as a final resort as this will be extremely slow.

I am wondering what BASE is, because I got that for 1 Game, forgot which.

phonz · Sep 21, 2019

Smoker1 said:
How would that work with EdiZon, though? From the Addresses JNoexs was giving me, they are a little different.
FH Time Address in EdiZon
[ HEAP + 0x00038659E5 ]

For JNoexs, the 0s would have a Number for it like the examples, unless EdiZon just removes those, same with SX OS Cheat Engine.

Also, I am basically going off of what I am reading from the EdiZon Search info.....

I am wondering what BASE is, because I got that for 1 Game, forgot which.

Jnoexs shows the raw address basically, while things like SXOS/EdiZone generally only show HEAP+32bit, or MAIN+32bit, UNLESS it's a BASE address.
HEAP and MAIN tell Edizone/SXOS what to add to the 32bit address to get the full RAM location.
Base addresses are pretty much completely dynamic, so it would show the full address.

Smoker1 said:
... Is there any difference between Signed or Unsigned Results? And the Ending 3 Digits match the MAME Cheat File, also.

Signed values allow for both positive and negative value associations.

ex. Decimal -21 == signed HEX 0xFFEB
but unsigned HEX 0xFFEB = Decimal 65515

phonz · Sep 25, 2019

BullyWiiPlaza said:
Yes, it does. I worked together with 2 people wanting Switch support.

You can put 64-bit addresses and you need to specify the address size to be 8 bytes for better efficiency. And especially consider the module dumps mode since there are modules on Switch. This is very similar to Windows so I could implement both for the price of one kinda.

Link:
https://github.com/BullyWiiPlaza/Universal-Pointer-Searcher

Let me know.

@BullyWiiPlaza
Universal Pointer Searcher doesn't seem to like 64bit Starting Addresses.
Is this intentional?

BullyWiiPlaza · Sep 26, 2019

phonz said:
@BullyWiiPlaza
Universal Pointer Searcher doesn't seem to like 64bit Starting Addresses.
Is this intentional?

This is actually a bug but you should use the "Add Module Dumps Folder" option to add a folder containing all modules:

Furthermore, I fixed the starting address size bug and did a few minor other fixes. You can download the newest version from the same link once again.

phonz · Sep 26, 2019

BullyWiiPlaza said:
This is actually a bug but you should use the "Add Module Dumps Folder" option to add a folder containing all modules:

View attachment 180658

View attachment 180659

Furthermore, I fixed the starting address size bug and did a few minor other fixes. You can download the newest version from the same link once again.

Awesome thanks.

Can I ask what tool you used to dump all the Nintendo Switch RAM into their segmented chunks like that?
Technically you could do this with something like Jnoexs, but you would have to do it manually as far as I know and that would, in some cases, take and hour or two.
Or is that image a dump from anotehr device/PC?

Thanks again, @BullyWiiPlaza
Love your work.

BullyWiiPlaza · Sep 26, 2019

phonz said:
Awesome thanks.

Can I ask what tool you used to dump all the Nintendo Switch RAM into their segmented chunks like that?
Technically you could do this with something like Jnoexs, but you would have to do it manually as far as I know and that would, in some cases, take and hour or two.
Or is that image a dump from anotehr device/PC?

Thanks again, @BullyWiiPlaza
Love your work.

Thanks.

The user @tastymeatball told me the following in a private message:

edit: rewrote my Ram Dumper so that now heap memory regions which are directly behind each other are combined in one file. So Smash only creates about 100 files.

I'm not sure if this tool is posted or anything, I only got the memory dumps from him so I could test and develop my pointer searcher based on these.

Gamerjin · Sep 26, 2019

so, i dont know if this question is already answered from the different device part:
does this include the RAM dumper used in sxos?

phonz · Sep 26, 2019

SXOS dumps it all into a single file and i think it just includes MAIN+HEAP (whatever the game sees).
But main can also extend into subsdkX, and I'm not entirely sure SXOS dumps those parts? It should in theory though.
https://switchbrew.org/wiki/ExeFS
But I don't think I've ever seen them mapped in SXOS Memory Viewer. It might be that they just group it with Main though.

Stoned · Sep 27, 2019

BullyWiiPlaza said:
Thanks.
The user @tastymeatball told me the following in a private message:

I'm not sure if this tool is posted or anything, I only got the memory dumps from him so I could test and develop my pointer searcher based on these.

He Shared his tool whit me, and i will try my Luck in Combination whit your Pointer tool.

Gamerjin · Sep 27, 2019

ok, so next question:
in the sample picture the target is 10 digits long, however, i cant use 10 digits in the RAM viewer in sxos. are the extra 2 digits needed? if so, how can i find them in sxos?

Smoker1 · Sep 27, 2019

OK, so I am getting a SX Os Pro (Dongle/Jig), and wondering if the Memory Dump will work with HxD to find Pointers in the Dump? Or, if there is a way to get TempAR to compare Dumps, especially if the Pointer I need is for say 8,16, or 32Bit.

phonz · Sep 28, 2019

aye, 10 digits. You need to search for a 64bit value if you are searching the memory manually.
It will be 000000XX XXXXXXXX.
The first two XX digits kinda tell you what part of the ram its looking in.

If you are using SXOS, you can browse through memory regions manually and SXOS will automatically parse these 64bit addresses into MAIN/HEAP+XXXXXXXX (you can disable this feature though). It does this because the switch is kinda dynamically allocates where it stores MAIN and HEAP.
So it uses the base address for heap/main and adds it to XXXXXXXX for the actual RAM location.
BASE addresses is just a straight up full RAM address + 0x8000000 (I think, don't quote me on that one).
Just remember though, if you are manually stepping through the ram, the numbers are little endian. But I imagine everyone in this topic is already aware of that.

Hopefully @tastymeatball publishes his tool. The more software options available the better.
Until then, Jnoexs has been treating me well enough. I have yet to try dumping memory from Jnoexs into different hunks and comparing with UPS. Hopefully that works and I can deal with 2+ level pointers a little easier xD.
I've manually stepped backwards through some Jnoexs pointer results and they lead me to completely incorrect addresses. Not sure why it includes those in it's results.

wiitendo84 · Nov 23, 2019

So I'm using the tool tastymeatball made. I got everything as far as what is needed but it still doesn't find any pointers...I put the address for health in for the address. I've changed the address size to 8. But it seems like it can't find any pointers whatsoever for the game. Was wondering if there was something I did wrong as far as setting the universal pointer searcher up. Using the modules option. All of the bin files are in there. Any suggestions @BullyWiiPlaza

wiitendo84 · Nov 23, 2019

Alright. I got it to work but it keeps shutting down my pc...

phonz · Nov 23, 2019

wiitendo84 said:
Alright. I got it to work but it keeps shutting down my pc...

heh, whaaat?
Is your CPU overheating?

also, I may have to nudge @tastymeatball in a couple months when im back for this dump tool of theirs.

ROM Hack Question Pointer Search Tutorial??????

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Nintendo Hacking <3

Well-Known Member

Well-Known Member

Well-Known Member

Nintendo Hacking <3

Well-Known Member

Nintendo Hacking <3

No emulator code questions

Well-Known Member

Well-Known Member

No emulator code questions

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Similar threads

Popular threads in this forum