Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Ace Combat 2 [ePSXe], unique mission aspect.

 
Cheat Engine Forum Index -> General Gamehacking
shadowghost0
How do I cheat?
Reputation: 0

Joined: 08 Jan 2015
Posts: 3

Posted: Thu Jan 08, 2015 9:01 pm    Post subject: Ace Combat 2 [ePSXe], unique mission aspect.

Hello, CEF! This is my very first topic here and I'm only making it because I ran out of ways to figure this issue out. So... Let's hope someone may give me a hand. Thanks beforehand!

Topic's name is lame, but I cannot think of a better (or clearer) one.
I'm a bit familiar with CE, although I am far from an expert. I'm using 6.4.

The game I'm trying to modify is a PlayStation One game, Ace Combat 2, running on ePSXe 1.7. What I'm trying to do is to modify or freeze a "watch" (Attachment eg1) or a chronometer (Attachment eg2) on a mission. Let me explain... This mission begins with a counter marking the hour. At mission start it displays 14:57 (02:57 PM) and when it reaches 15:00 (03:00 PM), the watch changes to a chronometer starting at 01:30 (one minute and thirty seconds) and decreasing until 00:00. All this time thing and chronometer is mission-related and ONLY appears on this single mission.
What I want to do is to freeze or be able to modify this value. While it is a "watch" or the chronometer, it doesn't really matter which one.

That's where the pain starts... I simply cannot find the CORRECT memory address for this counter. Before you think I am stupid and did not make the correct search, I pretty much did EVERY possible search. OK, perhaps not all, but all I could [know how to] handle/search.
No point in specifying a value type. I just always put it on 'all'. Same for 'fast scan'... always uncheck it. 'Writable, executable and Copyonwrite': I tried every "combination" with multiple searches.
Scan type. Here's the adventure. Going for exact value puts me at a dead end. It searches two times and then 0 addresses found. (Plus, assuming that the counter value is a decimal one.)
Unknown initial value is the only one where I can make some progress. Make a search, tons of addresses. Pause game, search for 'unchanged value' to remove many of the useless addresses, rescan a couple of times. It usually leaves me with 3 million values. I do some more unchanged value, then I do some pointless things in game (without the counter changing from 14:57) and again, unchanged value.
That's the part where I am not so sure about the results. I do an 'unchanged scan' hoping to eliminate some useless addresses, but what if the counter is changing in memory (milliseconds, centiseconds, deciseconds, etc.)? If the game is handling the counter like this, unchanged value would eliminate the correct address, leading me to a dead end.
If I try 'changed value' the problem is the amount of results, even if the counter changes. The minimum I could narrow it to using this was something like 3k addresses... and to push my patience to the limit, when I search 'changed value' for EVERY SECOND CHANGE (while the counter has already turned into a decreasing chronometer) I could narrow it to a hundred or even less. But only after many searches.


While fiddling, trying to find the address, I found the graphical representation (see attachments 'graphical address1' and 2) of the minutes/seconds (depends on what kind the counter is at the moment). However... freezing or trying to change the value has no success. The counter proceeds to change, CE forces the value to stay put at whichever value it was before, BUT the game "overrides" CE and resolves the counter back to its normal fashion. I even tried to change it in the memory viewer (attachment mem vwr1), but again, it "overrides" my action.

What I can think of... is that there is some address (that I can't pinpoint) controlling the graphical representation/address.

There are some attachments. I can only post 5 due to forum limitations. I can post them in my next reply, if they are of some use. The pics show the memory viewer while the game is running (and the counter decreasing) and some addresses while the counter is at 0.

Anyway, I think I've already written too much. Sorry for the huge text and for any English mistakes. I'm not a native English speaker.



PS.: I know images should be 1024x768, but if I resized them, there's no way one could read them. (Plus, 1024x768 is very low res nowadays...)



Attachments:
mem vwr1.png: Memory viewer at 17 seconds. Note the 11 hex value.
graphical address2.png: Graphical address depiction while counter is at 16 seconds.
graphical address1.png: Graphical address depiction while counter is at 17 seconds.
eg2.png: Example of 'chronometer' counter.
eg1.png: Example of 'watch' counter.



_________________
The beauty of the eyes is the burial of the truth.
panraven
Grandmaster Cheater
Reputation: 62

Joined: 01 Oct 2008
Posts: 958

Posted: Fri Jan 09, 2015 1:46 am

The PS only has 2m RAM; almost all PS code and runtime data are there.
If I remember correctly, ePSXe uses a fixed (PC) memory range as PSX RAM.
Try to find it and limit the search range.

If you have a problem locating the exact range, try searching for the serial number of the game; one of them should be in the beginning 64k of the PS RAM.
Also search for some easy-to-find value in the PS RAM, e.g. missile count, that you can actually modify. Comparing these addresses should narrow the possible range of the PS RAM.
For example, if you find the serial number at addresses #4, #17, #99, #204, and find the missile count at address #23, then the PS RAM should start from around #17.
Then set the CE search range to a length of 2m. It may include some PC memory, but should exclude most derived PC memory that causes confusion.

To stop the timer, it depends on how the timer is represented.

If it is a time-left counter, say, it starts from 90 * 30 (1:30 = 90 sec = 2700 frames at 30 frames/sec, just for example) and decreases as game time goes on, it may be easier to search for the timer so as to modify it.

But it seems that is not the case from your findings...

The game may also record the timer counter or frame number when the countdown begins, and derive the time-left from the current frame number and the recorded one.
If that is the case, it may be hard to 'stop' the timer, since the running of the game may also depend on the frame number progressing, even if the frame number can be found.
shadowghost0

Posted: Fri Jan 09, 2015 1:50 pm

Thanks for the reply!
If I understood it correctly, you are saying that I need to narrow down the memory range to the game only, so it will be easier to find a value? Like the initial game boot address and the final address? If it's this, check the attachment to see if that region is one of the game's initial addresses. (I am assuming it is since there is "cdrom:SLUS_004.04" which is a region code ID or something like that.)

About the serial number... I am not quite sure what number you are talking about, ergo, I can't find it. lol
If there is a way to explain where this number should be or where I can find it, I would appreciate it.


That's the thing. I dunno how the game treats the timer. As I said, on mission start the time is a regular watch. After it reaches 15:00 (03:00 PM) it changes to a time-left counter and as far as my fruitless searches did something... I know that the real time is not represented by a 'common' number. Only the graphical HUD representation of it is literally the number showing. You can see it in the attachments above.

Hmm, you think the timer may be related to frame count? Like... one "blink" (frame), one, let's say... millisecond added to the time? Feel free to develop your thought.



Attachment:
Mem inic.png: Possible game initial address.



panraven

Posted: Fri Jan 09, 2015 3:42 pm

Ah, my 'serial' means the game code, here 'SLUS_004.04;1'.

From my little experience making PSX Action Replay cheats, I seldom encounter code that handles values besides integers. Searching with integers should be fine; for runtime data, use 4 bytes, but a 2-byte search may have a use, read the following.

'Frame' or 'blink', we don't know what the game developer calls it, but it is a measure of game world time, which should stop when you pop up a settings menu, for example.

It may be the case that the time-left is a decreasing counter on its own as said before, but then you should easily find it with a 4-byte integer search and a narrowed memory range.

So for the other case, the time-left is derived from the 'blink' counter that you can never modify, and some other value, i.e. the mission time length.

The mission time length should not change during the mission, and so you cannot find it by decreasing/increasing. The actual value may not be 90 either; it may be some multiple of 90, or even some multiple of 90 minus 1.

You may try some numbers: 90*30 (frames/s) or 90*1000 (millisec) or 90*60 ... 90*256 etc.
So here you have to find the fixed unknown value, but with good guessing.

Try searching for this unknown value (try 90*30, then 90*1000, etc., one by one) as a 4-byte integer, alignment 4, within the PS memory 2m range first.
If you can find this value with 4-byte length, it should be runtime data, and modifying this value should have an immediate effect. Try changing it a bit higher to see if the displayed timer changes... prepare for a crash of the emu :)

Now, if all 4-byte candidates fail, let's try 2 bytes.

This unknown value may appear in PSX program code (MIPS assembler in binary form here). Most PSX MIPS code is 4 bytes in length, but it usually loads a 4-byte immediate value with 2 instructions, 2 bytes (the lower and higher 2-byte parts of the 4-byte integer) in each.

Note that if the 4-byte value is large, like 90*1000 = 0x15f90, then the 2-byte value to search for is 0x5f90 = 24464 in decimal.

Search 2 bytes with alignment 4.

However, modifying MIPS code may not have an immediate effect, which should depend on the implementation of the emu. This is a problem I have no idea about.

--

This is what I could think of; maybe there are other situations and methods to stop the time counting.
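The 2-byte search from the post above, sketched as an added example (not code from the thread): it splits a guessed constant into the halves a MIPS `lui` + `ori`/`addiu` pair encodes and runs a 2-byte, alignment-4 scan over a small constructed buffer. All function names and the buffer are assumptions; the `addiu` case, where the upper half is bumped by one because the lower half is sign-extended, goes beyond what the post covers.

```python
import struct

LUI, ORI, ADDIU = 0x0F, 0x0D, 0x09   # MIPS I-type opcodes

def candidates(seconds=90, rates=(30, 60, 256, 1000)):
    """Guessed encodings of the mission length: seconds * ticks per second."""
    return {rate: seconds * rate for rate in rates}

def split_immediate(value, low_op=ORI):
    """Return the (hi, lo) 16-bit immediates of a lui + low_op pair."""
    lo = value & 0xFFFF
    hi = (value >> 16) & 0xFFFF
    # addiu sign-extends its immediate, so the lui half is one higher
    # whenever bit 15 of the low half is set; ori zero-extends.
    if low_op == ADDIU and lo & 0x8000:
        hi = (hi + 1) & 0xFFFF
    return hi, lo

def i_type(op, rs, rt, imm):
    """Encode one I-type instruction word: op | rs | rt | imm16."""
    return (op << 26) | (rs << 21) | (rt << 16) | (imm & 0xFFFF)

def assemble_load(value, reg=2, low_op=ORI):
    """Little-endian bytes of 'lui reg, hi' followed by 'low_op reg, reg, lo'."""
    hi, lo = split_immediate(value, low_op)
    words = (i_type(LUI, 0, reg, hi), i_type(low_op, reg, reg, lo))
    return struct.pack("<2I", *words)

def scan_u16_aligned4(ram, needle):
    """Exact-value 2-byte scan that only looks at 4-byte-aligned offsets."""
    return [off for off in range(0, len(ram) - 1, 4)
            if struct.unpack_from("<H", ram, off)[0] == needle]

# Constructed code fragment, not taken from the game: load 90*1000 into $v0.
ram = bytearray(0x100)
ram[0x40:0x48] = assemble_load(candidates()[1000])

if __name__ == "__main__":
    hi, lo = split_immediate(90 * 1000)
    print(hex(hi), hex(lo), lo)                            # halves of 0x15f90
    print([hex(o) for o in scan_u16_aligned4(ram, lo)])    # offset of the ori
```

On a little-endian MIPS the immediate is the low halfword of each instruction word, so it sits at the 4-byte-aligned address of the instruction itself, which is why alignment 4 fits a 2-byte search.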
shadowghost0

Posted: Fri Jan 09, 2015 7:15 pm

I did the 4-byte search with the numbers you suggested (90*30; 90*256, so on) and I could only find values that I cannot change. I mean, the ones I said up there: if I try to change them, the game "overrides" it with the correct number. See attachment multi1 for the only results I could find. (And this AFTER I narrowed it down some using the process of "changed/unchanged value". I used changed whenever I unpaused the game and unchanged while the game was paused.)

Furthermore, I didn't understand how I should search for 2 bytes... Do I have to put the hex value in the search? I mean... 0x15f90?

Plus, I am sending some other attachments.



Attachments:
mem ch2.png: Memory changing while game is running. Note the leftmost value corresponds to the visual timer.
graphical address at 0.png: Some of the addresses when the timer reached zero.
multi1.png: Results following your advice.



panraven

Posted: Sat Jan 10, 2015 5:51 am

Please check pm, the link left of [Log out].
panraven

Posted: Mon Jan 12, 2015 12:37 am

This is part of my PM with shadowghost0:

==========


The timer is counted as in the 2nd case, i.e. it sets a constant timer mark, some kind of count-up counter.
When you search for 8100 in the PS RAM range and change it, you should see the displayed timer change.
Why 8100? The multiplier is 30 (should be frames per sec). The 8100 = 30*270sec.
The 270sec = 3min (180sec) 1st part of the mission + 1.5min (90sec) 2nd part of the mission.

The 8100 is actually the whole mission time limit.

Now it makes sense, right? :)

However, setting the value you find with 8100 is only visual; I still cannot stop the actual counting by simply changing this value....

We can change the mission time, however.
Now we know it is 30 per second.
The mission time (elapsed in sec) after passing the 3min mark is 180 + (90 - 2nd-part-time-left).

For example, if it displays 1:02, then 60+2 = 62sec, and the value to search for is (180 + 90 - 62) * 30 = 6240.
But because we cannot catch this exact frame, our 1st search is 'between'.

The following is my setting; the PS RAM range may be different from yours:

new search:
Pause the game, i.e. press 'RUN', and calculate the number as above to substitute for the following 6240
value type: 4 bytes
scan type: between
1st value 6240-30, 2nd value 6240+30
address start: a579a0
address end: c579a0
(this is the PS 2m RAM)
Make 'writable' and 'executable' GRAY, i.e. not blank, not ticked
Tick fast scan, value 4, type alignment

Make the 1st search.
15 results in my example.

Now go in game, release pause, let the game run for about 1 sec, pause again.

This time change the scan type to 'increase value'.

1 result in my example.

If your ePSXe is exactly the same version as mine, the result should be:

mission time limit (8100) - be778c
mission time elapsed - b0fe80

When you are running out of time in the 2nd part of the mission, setting the mission time elapsed to (180+3)*30 = 5490 should bring you back to the beginning of part 2.


==========


But I'm wrong that the mission-time-elapsed timer cannot be changed, for I thought it would stop the game progression. So this count-up timer is no different from a count-down timer, but we missed its counting direction.


==========
(end)
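The two-pass search from the post above, as an added example that is not part of the thread: a 'between' scan around the computed frame count, then an increased-value rescan one second later, run over constructed 2 MB buffers instead of a live emulator. The function names and the decoy values are assumptions; the offsets of the two real values are the post's addresses minus its range start a579a0.

```python
import struct

FPS, PART1, PART2 = 30, 180, 90     # multiplier and part lengths from the post
BASE, SIZE = 0xA579A0, 0x200000     # poster's ePSXe range; differs per setup

def elapsed_frames(minutes, seconds):
    """Part-2 time left shown on the HUD -> value of the count-up timer."""
    return (PART1 + PART2 - (minutes * 60 + seconds)) * FPS

def read_u32(ram, off):
    return struct.unpack_from("<I", ram, off)[0]

def scan_between(ram, lo, hi, align=4):
    """First scan: 4-byte values within [lo, hi] at aligned offsets."""
    hits = {}
    for off in range(0, len(ram) - 3, align):
        value = read_u32(ram, off)
        if lo <= value <= hi:
            hits[off] = value
    return hits

def scan_increased(ram, previous):
    """Next scan: keep only offsets whose value grew since the last scan."""
    hits = {}
    for off, old in previous.items():
        value = read_u32(ram, off)
        if value > old:
            hits[off] = value
    return hits

def make_snapshot(elapsed):
    """Constructed stand-in for the emulated RAM, not a real dump."""
    ram = bytearray(SIZE)
    struct.pack_into("<I", ram, 0x0B84E0, elapsed)          # count-up timer
    struct.pack_into("<I", ram, 0x18FDEC, 8100)             # mission time limit
    struct.pack_into("<I", ram, 0x001000, 6250)             # decoy: never changes
    struct.pack_into("<I", ram, 0x002000, 12480 - elapsed)  # decoy: counts down
    return ram

def find_timer(minutes, seconds):
    """Run both passes; return (first-scan addresses, surviving addresses)."""
    target = elapsed_frames(minutes, seconds)
    paused = make_snapshot(target + 11)       # paused somewhere inside the second
    first = scan_between(paused, target - FPS, target + FPS)
    later = make_snapshot(target + 11 + FPS)  # unpaused for about one second
    second = scan_increased(later, first)
    return [hex(BASE + o) for o in first], [hex(BASE + o) for o in second]

if __name__ == "__main__":
    print(elapsed_frames(1, 2))    # HUD shows 1:02
    print(find_timer(1, 2))
```

The countdown decoy passes the 'between' scan and is dropped by the second pass, and the fixed 8100 limit never enters the window at all, which is why the limit has to be found with a separate exact-value search.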
All times are GMT - 6 Hours