Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Pointer Scan does not find addresses on snes9x emulator
DQ323
Posted: Fri Oct 13, 2023 8:02 am    Post subject: Pointer Scan does not find addresses on snes9x emulator

hello everybody.

I need help. I'm trying to find the static address in a Super Nintendo game that I'm emulating on snes9x, the game in question is Samurai Shodown. Whenever I search and find the address I need, I try to use the pointer scan to find a pointer, but even when I restart the emulator and search for the address again, which is a dynamic address, I can't find any pointer. I tried following the steps in this tutorial, but without success.
ParkourPenguin
Posted: Fri Oct 13, 2023 9:55 am

Due to how emulators work, you're not likely to find a pointer using the pointer scanner. There's probably one offset that's ridiculously big, on the same order of magnitude as the emulated architecture's total memory size.

Try to find the last node / offset manually by debugging the emulator, then do a pointer scan for that node. If you don't know how to read assembly, this is easier said than done.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
DQ323
Posted: Fri Oct 13, 2023 11:20 am

ParkourPenguin wrote:
Try to find the last node / offset manually by debugging the emulator, then do a pointer scan for that node. If you don't know how to read assembly, this is easier said than done.


I understand... ooh man, this is a little frustrating, I've been trying to solve this for about 3 weeks and with each search, I get more depressed haha :(

Now I'm going to have to learn even assembler ;(

Could you show me a tutorial with the basics so I can have a starting point?

Oh and thanks for responding
++METHOS
Posted: Fri Oct 13, 2023 11:24 am

Try increasing max offset to something like 80000, changing max level to 2 and unchecking the box that says addresses must be 32-bit aligned.

Also, try this using SNESGT, if you are not successful.
ParkourPenguin
Posted: Fri Oct 13, 2023 12:02 pm

See the CE tutorial for information on how to find pointers manually.

You're probably looking for some instruction like "mov ebx,[rdi+rcx]", where rdi = 0x1632BD0800 and rcx = 0x18EC8. rdi is clearly the base address (last node) and rcx is the offset.
If it's something like "mov ebx,[rdx]", the offset was calculated prior to that instruction, e.g. "lea rdx,[rsi+rcx]" somewhere above that in the disassembler.

Apparently the SNES only has 128 KB of general purpose ram, so it's not impractical to use the pointer scanner if you increase the max offset enough (i.e. 131071). Just don't use a high max level. e.g. start at 3 and see what happens.
Depending on the implementation of the emulator, this might not work.

DQ323
Posted: Sun Oct 15, 2023 8:16 am

Wow, thanks to your help, I'm starting to walk on my own two feet haha. Thanks for your guidance.

Using the tips, even increasing the offset value and the max level, I always get a similar number of pointers, something around 550.

I still don't understand why there are so many pointer addresses, and I still have some doubts regarding the static address to which the pointer should point whenever I restart the emulator, as shown in the image.

Is the address snes9x.exe + 003053CC the real static address?



[attachment: Captura de tela 2023-10-15 110429.png]
++METHOS
Posted: Sun Oct 15, 2023 8:53 am

It is not uncommon to have many pointer addresses. Just pick one that is continuously reliable.

If you want something more fool-proof, then injection may be a better approach.

As ParkourPenguin noted, emulators are usually easy to work with because the instructions that contain base address + offset are often all you need in order to filter out whatever it is that you are trying to manipulate.

So, for example, an instruction such as mov al,[ecx+eax] will often hold the base address in ecx and the offset in eax. If you check the value of eax when attaching the debugger, this will usually be the ID that you can use for your filter.

With older, emulated games, you will often find that most interesting values are all being handled by the same instruction (within the same data structure). So, when you find the money value and check to see what is accessing it, you may see that the offset value is 4, for example. Then, when you find the health value, you may see that the offset value is 8, and so forth. The 4 and 8 are what you can use for your IDs or filters.

You can build a table using a single injection point, and then sort everything using the appropriate offset values. This is also an easy way to find all interesting values, without even having to search for them. Once you identify the offset value for each particular address that you are interested in, you can add it to your table without even having to alter your script, depending on how you structure things.
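The filtered injection ++METHOS describes above, combined with the "mov ebx,[rdi+rcx]" shape ParkourPenguin gave earlier (base register + offset register), written out as CE Lua that generates and installs the Auto Assembler hook. This is an added example, not code from the thread or from Cheat Engine's own script templates. Everything passed into it (the instruction address, which register is the base, which is the offset, the offset value, and the snes9x.exe+1234 address in the usage lines) is a hypothetical input you read off "Find out what accesses this address"; none of those numbers appear on this page.

```lua
-- Added example (not from the thread or from CE's own templates).
-- Installs a CE Auto Assembler hook at the instruction that reads emulated
-- RAM, e.g. "mov ebx,[rdi+rcx]" (64-bit) or "mov al,[ecx+eax]" (32-bit).
-- The hook only fires when the offset register equals the SNES offset of the
-- value you care about (the "ID" filter), then saves the base register into
-- a registered symbol, so table entries become "[snesram]+18EC8" and no
-- pointer scan is needed.
--
-- Hypothetical inputs, read off "Find out what accesses this address":
--   injectAddr : address of the accessing instruction
--   baseReg    : register holding the host address of emulated RAM ("rdi")
--   offReg     : register holding the SNES offset ("rcx")
--   offset     : the offset value (emitted as decimal, #nnn, so the AA
--                parser cannot confuse it with a symbol name)

local function buildCaptureScript(injectAddr, baseReg, offReg, offset, symbol)
  -- "jmp newmem" needs 5 bytes: steal whole instructions until they cover it
  local stolen = 0
  while stolen < 5 do
    stolen = stolen + getInstructionSize(injectAddr + stolen)
  end
  -- keep the original bytes so [DISABLE] can put them back
  local raw = readBytes(injectAddr, stolen, true)
  local db = {}
  for i = 1, stolen do db[i] = ('%02X'):format(raw[i]) end
  local nops = ('  nop\n'):rep(stolen - 5)

  return ([[
[ENABLE]
define(INJECT,%X)
alloc(newmem,$1000,INJECT)
label(code)
label(return)
label(%s)
registersymbol(%s)

newmem:
  cmp %s,#%d
  jne code
  mov [%s],%s
code:
  readmem(INJECT,%d)
  jmp return

%s:
  dq 0

INJECT:
  jmp newmem
%sreturn:

[DISABLE]
INJECT:
  db %s
unregistersymbol(%s)
dealloc(newmem)
]]):format(injectAddr, symbol, symbol, offReg, offset, symbol, baseReg,
           stolen, symbol, nops, table.concat(db, ' '), symbol)
end

local function installHook(injectAddr, baseReg, offReg, offset, symbol)
  local script = buildCaptureScript(injectAddr, baseReg, offReg, offset, symbol)
  local ok, disableInfo = autoAssemble(script)
  if not ok then error('hook did not assemble:\n' .. script) end
  return script, disableInfo   -- keep both to run the [DISABLE] section later
end

-- Table entry relative to the captured base; add one per offset you identify
-- (money at +4, health at +8 in ++METHOS's example) without touching the hook.
local function addEntry(symbol, offset, description)
  local mr = getAddressList().createMemoryRecord()
  mr.Description = description
  mr.Address = ('[%s]+%X'):format(symbol, offset)
  mr.Type = vtByte
  return mr
end

-- Usage with hypothetical values (yours come from the debugger):
-- local inject = getAddress('snes9x.exe+1234')   -- the "mov ebx,[rdi+rcx]"
-- installHook(inject, 'rdi', 'rcx', 0x18EC8, 'snesram')
-- addEntry('snesram', 0x18EC8, 'P1 health')
-- Until the game executes the hook with rcx == 18EC8, [snesram] reads as 0.
```

Two things to check before trusting it: readmem copies the stolen instructions byte for byte, so if the disassembler shows a rip-relative operand or a relative jump inside those bytes, replace the readmem line with the instruction text instead; and the captured base is only valid after the game has actually executed the access for that offset, which for a health value normally happens every frame.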
DQ323
Posted: Mon Oct 16, 2023 9:16 am

I'm doing the CE tutorials and also watching some on YouTube to better understand how pointers work and today I'm going to see some assembly basics to try to start doing code injection.

At the moment, I would like to understand how CE locates the static address and then takes the dynamic address and adds it to the offset to always have it pointed to when restarting the application.

In the previous image, I have the "fixed base address" of:
snes9x.exe + 003053CC and right next to it a little arrow -> 01D8A810

How does CE start from the base address and arrive at 01D8A810? Where do I see the static address that is represented by snes9x.exe + 003053CC?

I really appreciate everyone's attention for guiding me and I'm grateful for sharing their knowledge. They have been very helpful even though I don't understand everything quickly.
++METHOS
Posted: Mon Oct 16, 2023 10:53 am

You can look at tutorials for how to manually traverse pointer paths by working backwards. Here is one:

https://www.youtube.com/watch?v=QVLeInTi3qI

Although, once you learn assembly, you probably won't need to deal with pointers in this way at all, in most cases. Learning assembly/scripting is what I would recommend.
ParkourPenguin
Posted: Mon Oct 16, 2023 11:40 am

Here's another video by DB showing both the pointer scanner and manual methods:
https://www.youtube.com/watch?v=3dyIrcx8Z8g

CE locates the static address by using the windows API. Windows basically tells CE "snes9x.exe is located here: ...", and CE adds 0x3053CC to it to get the base address of the pointer path.
If you want to know the exact address, run this Lua code:
Code:
print(('%08X'):format(getAddress'snes9x.exe+3053CC'))

A pointer is a type that stores the address of something else. i.e. the value of a pointer is an address. Dereferencing a pointer means reading the value of the pointer- in other words, using the pointed-to address for something.
The syntax `[addr] -> val` means "`addr` points to `val`", or "the value of the pointer located at the address `addr` is the address `val`".
The last offset syntax `addr + offset = val` means it doesn't dereference a pointer node.

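The pointer semantics ParkourPenguin lays out above (base from the module, one dereference per node, last offset only added), as an added CE Lua example you can paste into the Lua engine; it is not code from the thread or from Cheat Engine. It also solves the question the other way round: given the dynamic address you already found by scanning, does snes9x.exe+3053CC really hold the RAM base, and what is the offset? The 0x18EC8 offset is ParkourPenguin's hypothetical number, and the 128 KB size and the $7E0000 mapping of SNES work RAM are standard SNES facts, not something stated on this page.

```lua
-- Added example (not from the thread or from CE). Walks a pointer path the
-- way CE does for a table entry, and solves the inverse problem: given a
-- dynamic address found by scanning and a candidate static pointer, compute
-- the offset and check that it lies inside the emulated RAM.

-- SNES work RAM: 128 KB mapped at $7E0000-$7FFFFF (standard SNES fact, not
-- taken from this thread). The emulator keeps it in one host buffer, so a
-- SNES address becomes ramBase + (snesAddr - 0x7E0000); that difference is
-- the "ridiculously big" offset the pointer scanner needs max offset 1FFFF for.
local WRAM_BASE = 0x7E0000
local WRAM_SIZE = 0x20000

-- Follow a CE pointer path: each offset means "dereference the previous
-- node, then add the offset"; the dereferenced value is the "->" address.
local function resolvePath(base, offsets)
  local addr = getAddress(base)        -- module base + 3053CC, via the Windows API
  local trace = { ('%s = %X'):format(base, addr) }
  for _, off in ipairs(offsets) do
    local target = readPointer(addr)   -- the value stored at addr is itself an address
    if target == nil then
      return nil, table.concat(trace, '\n') .. ('\nunreadable node at %X'):format(addr)
    end
    trace[#trace + 1] = ('[%X] -> %X'):format(addr, target)
    addr = target + off
    trace[#trace + 1] = ('%X + %X = %X'):format(target, off, addr)
  end
  return addr, table.concat(trace, '\n')
end

-- Inverse: dynamicAddr came from a value scan; base is a static pointer you
-- suspect holds the WRAM buffer. A real offset must fit inside 128 KB.
local function offsetFromBase(base, dynamicAddr)
  local ramBase = readPointer(base)
  if ramBase == nil then return nil, 'cannot read ' .. base end
  local off = dynamicAddr - ramBase
  if off < 0 or off >= WRAM_SIZE then
    return nil, ('offset %X is outside WRAM, so %s does not hold the RAM base'):format(off, base)
  end
  return off, ('SNES address $%06X'):format(WRAM_BASE + off)
end

-- Host address of a SNES WRAM address once the base pointer is known,
-- e.g. to add "$7F8EC8" to the table after a restart.
local function hostAddress(base, snesAddr)
  assert(snesAddr >= WRAM_BASE and snesAddr < WRAM_BASE + WRAM_SIZE, 'not a WRAM address')
  return readPointer(base) + (snesAddr - WRAM_BASE)
end

-- Usage (hypothetical numbers; 18EC8 is ParkourPenguin's example offset):
local final, trace = resolvePath('snes9x.exe+3053CC', { 0x18EC8 })
print(trace)
if final then
  print(('value at end of path: %d'):format(readBytes(final, 1)))
  print(offsetFromBase('snes9x.exe+3053CC', final))  -- 18EC8, "SNES address $7F8EC8"
  print(('%X'):format(hostAddress('snes9x.exe+3053CC', 0x7F8EC8)))  -- same as final
end
```

The trace it prints is exactly the two addresses the table shows: the line "[...] -> ..." is the pointer's own address and its value, and the "+ offset =" line is the dynamic address after the arrow. Run it once, restart the emulator, run it again: the first line stays the same, the pointer value changes, and offsetFromBase keeps returning the same offset if the candidate base is right.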
DQ323
Posted: Thu Oct 19, 2023 6:40 pm

ParkourPenguin wrote:

CE locates the static address by using the windows API. Windows basically tells CE "snes9x.exe is located here: ...", and CE adds 0x3053CC to it to get the base address of the pointer path.
If you want to know the exact address, run this Lua code:
Code:
print(('%08X'):format(getAddress'snes9x.exe+3053CC'))

Guys, I've been putting your tips into practice and thanks to that, I'm able to understand it better and find some important pointers.

However, I feel that to be able to evolve, I need to understand how CE arrives at the memory address shown after the arrow next to snes9x.exe+3053CC because, after running the Lua script, I obtain an address value that does not correspond to the value that is present on the other side of the arrow, as this is dynamic.

My attention is focused on this point because my objective at the moment is to create a Lua script that observes this pointer or dynamic address after the arrow and activates an invincibility command right after, but I am not able to reach the value, even with the tips and with the videos.
++METHOS
Posted: Thu Oct 19, 2023 7:49 pm

I think you do not need to understand how CE arrives at that address. Simply learn about injection. That will be more beneficial, in my opinion.

In the case of old SNES emulators, where injection may not be a viable option, then the pointer scanner will work just fine and should not even take long at all if done correctly.

That being said, I could be wrong about the value of learning how CE arrives at the address. It is all subjective at the end of the day.
ParkourPenguin
Posted: Thu Oct 19, 2023 8:14 pm

Code:
print(('Base address:\t%08X'):format(getAddress'snes9x.exe+3053CC'))
print(('Pointer value at base address:\t%08X'):format(readPointer'snes9x.exe+3053CC'))

It's kind of confusing because there are two addresses associated with a pointer: the address of the pointer itself and the value of the pointer. Again, the value of a pointer is the address of something else.

Look up tutorials for pointers online. Maybe you'll find something that clicks.

Add addresses manually to the cheat table, set the type to 8-byte (pointers in a 64-bit process are 8 bytes), right click the memory record, and make it show as hex. See what pointers are for yourself.
