bungholio
Posted: Wed Oct 30, 2013 11:18 am Post subject: [HELP] Pointer Scanning A PPC Game Memory Dump
I find codes for PS3 games. dnawrkshp released NetCheat and I've got my PS3 converted to DEX and everything so I can scan things while playing. I was playing Far Cry 2 and trying to find a code for infinite ammo, grenades, molotovs, and syringes. I can find them in memory, so I made 2 different 1GB dumps from address 00000000 to 40000000 with both having entirely different addresses for everything each time. I know how to do stuff involving finding multilevel pointers, I've done that before. I opened the dump in cheat engine and realized I don't know how to change it in such a way that pointer scans searches for addresses as big endian instead of little endian. I've looked around on these forums a little and found 2 different lua script things from Dark Byte, but they don't seem to be helping my problem and the posts are over 1 1/2 years old.
1 dump has grenades at address 3223404C. I can't do a pointer scan because it has all of the byte orders reversed so when I can manually find these:
319DC684 32233FD0 0x7C
32233EB4 32233F30 0x11C
34728484 32233F30 0x11C
Cheat Engine won't find anything. It sees these:
D03F2332
303F2332
303F2332
I know nothing of the auto assembler or Lua scripting; I'm a moron in those departments. Any solutions so I could do a pointer scan would be wonderful.
Dark Byte (Site Admin)
Posted: Wed Oct 30, 2013 12:10 pm
CE doesn't do big endian pointers for now
Anyhow, how does the PS3 handle memory, and if it uses a virtual memory mechanism like the PC, is this dump a Virtual memory dump, or a physical memory dump?
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
bungholio
Posted: Wed Oct 30, 2013 12:25 pm
It assigns virtual memory locations. Most games usually have anything in the 30000000 to 40000000 range, but not all of them. The eboot for games starts at address 00010000, and usually never goes any higher than 02000000.
Games aren't very random with the virtual memory assigning. Whatever you see the first time will basically always be the same exact place. Nothing like 1 time it's 143E9224 to 153E9224, and then something entirely different the next time. They all basically just pick a spot and use that same exact spot every time you play.
Would you know of a tool to reverse byte orders then, so it would work? All I can find is RegExr, but that Adobe Air program can't handle much of any memory at a time, so I'm usually stuck with 00010000 at a time, so I'd need to manually use it 4096 or 16384 times to reverse all of the bytes, which would take an eternity.
Dark Byte (Site Admin)
Posted: Wed Oct 30, 2013 12:33 pm
I mean are pointers stored in the dump equivalent to the file position?
So, if the pointer holds the value 0x32233FD0, then in the file at offset 0x32233FD0 is the address that pointer mentions?
But if the dump is a physical memory dump, then address 0 to fff might be virtual address f0000000 to f0000fff and 1000 to 1fff might be virtual address 12345000 to 12345fff
bungholio
Posted: Wed Oct 30, 2013 12:38 pm
Dark Byte wrote:
> So, if the pointer holds the value 0x32233FD0, then in the file at offset 0x32233FD0 is the address that pointer mentions?
Yes. Exactly.
Dark Byte (Site Admin)
Posted: Wed Oct 30, 2013 1:34 pm
Try this:
http://cheatengine.org/temp/cheatengine-x86_64-bigendianfileaccess.rar
(Extract to your ce folder and execute cheatengine-x86_64-bigendianfileaccess.exe)
As long as memory addresses are 4 byte aligned, this will byteswap the memory ce reads so it becomes big endian.
(it will make strings and code useless, but if you only wish to find a pointer, this is useful)
If you do a pointerscan, make sure you deselect the option that the memory must be in a static address
bungholio
Posted: Wed Oct 30, 2013 3:01 pm
It is behaving just a little oddly, but it works.
I set it to find them from 30000000 to 32000000 and it finds 0. I set it to 30000000 to 33000000 and it finds a ton, and most are in the 30000000 to 32000000 range like I wanted it to search.
It won't let me sort the results, "List index (-1) out of bounds". It's not too important, but whatever I'm looking for should be as close to 30000000 as possible to be the most likely correct result.
I'm also not sure if I'm able to do multiple scans using 2 different data dumps or if I'm just doing something wrong or hitting a bug. I open dump 1, do a pointer search for my address. Open the other dump, do a pointer rescan for the new address and always end up with 0 results even though from looking I can see a couple they have in common.
EDIT
There's a strong chance I might not ever find pointers with that modified version of cheat engine. I've been looking through the CodeUnique cheat database and looking at the codes that involve pointers. Most of the time whatever you are looking for is located in the 30000000 to 40000000 range, but a large majority of pointer codes get their static address from the area at the end of the eboot file. So most codes find their static point in the 00700000 to 02000000 region, that usually leads into the address in that 30000000 to 40000000 range. Cheat engine crashes at 512MB. I know for a fact from looking at my data dumps that there is nothing but 0s all throughout 10000000 to 30000000.
Is there some sort of limit I can raise or something to get it to stop crashing, or just make it not bother with that 512MB range of 0s?
I moved everything from 00000000-10000000 to 20000000 and then scanned through 20100000-40000000 with 3 levels of pointers and got thousands of results, but without being able to find the ones from the 20100000-30000000 range I'll never get anywhere. I just keep getting that out of bounds index (-1) error trying to sort by address even though I don't know if that would work. I still don't understand how it finds nothing with 30000000-32000000 but finds thousands with 30000000-33000000 with most of them in the 30000000-32000000 range.
DANNY G
Posted: Fri Dec 27, 2013 5:35 pm Post subject: fix
Very interesting. Any news on an update for this? Would be a great help. Many thanks.
bungholio
Posted: Sat Dec 28, 2013 6:24 pm
I don't know about programming, but having a small and simple tool to just reverse the bytes would make things compatible. I tried hunting on the internet, and something that seems that simple is impossible to find if not nonexistent.
The one problem is that 512MB limit. I've never seen a PS3 elf file larger than 30MB, and the RAM region is usually mapped to 0x30000000 to 0x3FFFFFFF which is 256MB. I wish it could load those 2 sections individually at once having them mapped to their correct regions. The problems would be gone. It would interpret the pointers correctly and be under the 512MB limit.
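The "small and simple tool to just reverse the bytes" asked for above, together with the 4-byte-aligned word swap that Dark Byte's special build performs on read, as an added Python example that is not code from the thread or from Cheat Engine. The 256-byte region at base 0x32233F00 is constructed; the pointer values, the 0x3223404C target and the 0x7C / 0x11C offsets are the chain quoted in the first post, and the streaming swap handles a full 1 GB dump without loading it into memory.

```python
"""Word-swap a big-endian (PPC) dump and locate big-endian pointer candidates. Added example; the dump is constructed."""
import io
import struct
from typing import BinaryIO

WORD = struct.Struct(">I")  # one 32-bit big-endian word, as the PS3 stores pointers

def swap_words(src: bytes) -> bytes:
    """Reverse byte order inside every 4-byte word; a trailing partial word is copied unchanged."""
    full = len(src) - len(src) % 4
    out = bytearray(src[:full])
    out[0::4], out[1::4], out[2::4], out[3::4] = src[3:full:4], src[2:full:4], src[1:full:4], src[0:full:4]
    return bytes(out) + src[full:]

def swap_dump(src: BinaryIO, dst: BinaryIO, chunk: int = 1 << 20) -> int:
    """Stream a dump through swap_words so a 1 GB file never has to fit in memory; returns bytes written."""
    total = 0
    while block := src.read(chunk):  # chunk is a multiple of 4, so no word straddles two reads
        dst.write(swap_words(block))
        total += len(block)
    return total

def find_pointers(dump: bytes, base: int, target: int, max_offset: int) -> list[tuple[int, int]]:
    """Return (address, offset) for every 4-byte-aligned big-endian word v with
    target - max_offset <= v <= target, i.e. the word at address is a pointer and target == v + offset."""
    lo, hits = target - max_offset, []
    for pos in range(0, len(dump) - 3, 4):
        v = WORD.unpack_from(dump, pos)[0]
        if lo <= v <= target:
            hits.append((base + pos, target - v))
    return hits

def demo() -> dict:
    """Constructed 256-byte region at 0x32233F00 holding the two pointers from the thread's chain."""
    base = 0x32233F00
    region = bytearray(0x100)
    WORD.pack_into(region, 0x84, 0x32233FD0)  # 0x3223404C = 0x32233FD0 + 0x7C
    WORD.pack_into(region, 0x10, 0x32233F30)  # 0x3223404C = 0x32233F30 + 0x11C
    dump = bytes(region)
    swapped = swap_words(dump)
    out = io.BytesIO()
    written = swap_dump(io.BytesIO(dump), out, chunk=64)
    return {
        "raw_le_view": struct.unpack_from("<I", dump, 0x84)[0],         # what CE saw: 0xD03F2332
        "swapped_le_view": struct.unpack_from("<I", swapped, 0x84)[0],  # after the swap: 0x32233FD0
        "hits": find_pointers(dump, base, 0x3223404C, 0x200),
        "streamed_ok": written == len(dump) and out.getvalue() == swapped,
        "roundtrip": swap_words(swapped) == dump,
    }
```

Swapping the file makes a little-endian pointer scanner read the right values, but as the thread notes it also scrambles strings and code in the dump, so keep the original for anything other than pointer work.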