Memory Search

There have been several questions about how to use memory search/watch and I (Truncated) think we need a guide. This page is a TODO, and under construction.

Suggested sections:


Examining memory addresses is useful in the making of TASes for looking at important values that are hidden from the player or difficult to determine just by looking at the screen. They are also important for using input bots, but bots will not be covered on this page.

Memory search is also known as "cheat search", which is a misleading name.

The search box

The search box consists of:

  • list box of memory addresses
  • buttons that say "start" (or "new search"), "search", and "cheats" or similar
  • option group that has options "previous value" and "entered value"
  • option group that has "less than", "equal to", etc.
  • possibly option groups for unsigned/signed/hex and 8-bit/16-bit/32-bit.
  • possibly "update values" check box
  • search field

Before searching anything, click "start". This resets any current search and initializes the memory addresses to those currently in the game.

If you want to compare memory addresses at this point to memory addresses at another point, click "OK" (not "cancel", if there is one), go to the other point in the game, and access the box again.

"Previous value" means to compare memory addresses at the current point to memory addresses stored previously. Use the comparison option group ("less than", "equal to", etc.), and other appropriate option groups, and click "search". The memory addresses which satisfy the selected comparison appear and the others are discarded.

"Entered value" means to compare memory addresses at the current point to a value in the search field. Use the comparison option group ("less than", "equal to", etc.), other appropriate option groups, and enter the number in the search field and click "search". The memory addresses which satisfy the selected comparison appear and the others are discarded.

"Update values" means to reinitialize remaining memory addresses when clicking "OK" (store current memory addresses). Some emulators do this by default.

See below for other options.

How values are stored

Usually, a value is stored in memory as the number the game shows. There are cases where it is stored as the shown number plus 128, plus 1, or minus 1.

If a value can only be positive, it is stored as unsigned; if it can be negative, it is stored as signed. So if you are searching for -10 of something, either make sure the search is set to signed (so it will interpret 246 in memory as -10) or search for 246 (or hex F6 if there is a hexadecimal option).

For values greater than 255, values are 2 bytes (16 bits) usually little-endian (low byte first), so if there is a 16-bit option, use it, and search for the value. If there isn't, you can still use the 8-bit option to find the low byte (search the low byte only), then look at the next byte for the high byte. The value of the low byte is the original value mod 256. If using hexadecimal option with 16-bit option, enter the bytes to search in reverse, as big-endian (high byte first), and enter exactly 4 digits; no more, no less.

For values greater than 65535, values are 4 bytes (32 bits) usually little-endian. Same as above except use the 32-bit option. If using hexadecimal option with 32-bit option, enter the bytes to search in reverse, as big-endian (high byte first), and enter exactly 8 digits; no more, no less.

Values that aren't whole numbers can be stored in two possible ways: integer plus fractional, or floating-point. If there are no related options, search for the value on the assumption that it is stored as an integer. If it is stored as integer plus fractional, search for the integer, and hope the fractional is nearby in memory. The integer part alone usually suffices. If it is stored as floating-point, it is almost impossible to find.

If you think you have found the memory address which holds the important information, you can test it by watching the value in memory while playing.

Whenever you find the memory address you are looking for, always look at the memory around it. Related values are often found near each other. For example, if you find the 2-byte x-position of your character, you can almost always find the 2-byte y-position of your character right after it.

What to search for

Before you begin searching, you must know what you are searching for, and how it will (probably) be stored in memory.

It is possible to look for:

  • Discrete known values, such as the amount of health a character has (if it is shown), number of lives, or any other displayed stat of a character.

  • Continuous or hidden ordered values, such as x-y position of a character in pixels, health of a character on a continuous bar, or hidden health of a miniboss.

  • Volatile unordered values, such as values used in an RNG.

Discrete known values

First, go to any point in the game where the value of the desired stat is known. In the search box, click "start", then select "entered value", "equal to", and any other appropriate options. Then enter the value into the search field and click "search".

You may have to do this multiple times with different values, because other addresses may happen to hold the same value. The better the values are, the fewer searches you need.

Bad values to search for are 0, 1, -1 (255), 127, -128 (128), and low positive values. Try to get the desired value to be something other than these.

If searching fails, try searching for value+128, then value+1, then value-1. In rare cases, searching fails because the tricky programmers stored the value as [value XOR magic number], with the sole purpose of making it harder for cheaters to discover.

Why search for discrete known values when they are already known (apart from using cheats)? Because sometimes important hidden values are located in the nearby memory. Also, it might be more convenient to watch it in memory rather than accessing 5 menus to check it all the time. If you find something, always check the memory around it.

Continuous or hidden ordered values

This is the most common case.

First, pick two points in the game where the value of the desired stat differs (but don't let the difference be too large if there is no 16-bit search). Go to one point, and in the search box, click "start", then "OK". Go to the other point and access the box again. Select "previous value", and select the comparison which best describes the expected change in the desired stat (e.g. "greater than"). Do not use any comparison with "equal to" in it. Select any other appropriate options, and click "search".

You will have to pick multiple points because other addresses will remain from the comparison. Just make sure that at the point you pick, the value of the desired stat differs from the previous point.

It is possible that the desired stat overflows past 255, which means that 8-bit searches will not find the address. If this happens, use 16-bit search, or try again at different points.

If nothing comes up, try the reverse comparison (i.e. "greater than" <-> "less than"). Sometimes the ordering of the values is reversed from expectation, such as boss health stored as damage done rather than health remaining.

If you find something, always check the memory around it.
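The "start"/"search" cycle described in the search box section and the two procedures above (an "entered value" search for a discrete known value, a "previous value" search for a continuous value), as an added example that is not part of the original page. It runs over a constructed 16-byte RAM and a hypothetical MemorySearch class; the layout (frame counter, 16-bit x-position, signed health) is made up for the demonstration, and "not equal to" is included because the RNG procedure below relies on it.

```python
# Added example, not from the original page: a miniature "start"/"search" cycle
# over constructed RAM snapshots, decoding each candidate at the chosen width
# (8/16/32-bit, little-endian) and signedness before applying the comparison.
import operator

COMPARE = {"less than": operator.lt, "equal to": operator.eq,
           "greater than": operator.gt, "not equal to": operator.ne}

def decode(ram, addr, width_bits, signed):
    """Value stored at addr: little-endian, two's complement if signed."""
    return int.from_bytes(ram[addr:addr + width_bits // 8], "little", signed=signed)

def parse_hex_field(text, width_bits):
    """Hex search field: big-endian digits, exactly width/4 of them ('012C' = 300)."""
    if len(text) != width_bits // 4:
        raise ValueError("enter exactly %d hex digits" % (width_bits // 4))
    return int(text, 16)

class MemorySearch:
    def __init__(self, ram, width_bits=8, signed=False):
        self.width, self.signed = width_bits, signed
        self.start(ram)

    def start(self, ram):
        """'start' / 'new search': store a snapshot; every address is a candidate."""
        self.prev = bytes(ram)
        self.candidates = list(range(len(ram) - self.width // 8 + 1))

    def search(self, ram, comparison, entered=None):
        """One 'search' click; entered=None selects 'previous value' mode."""
        cmp, kept = COMPARE[comparison], []
        for a in self.candidates:
            cur = decode(ram, a, self.width, self.signed)
            ref = entered if entered is not None else decode(self.prev, a, self.width, self.signed)
            if cmp(cur, ref):
                kept.append(a)
        self.candidates = kept
        self.prev = bytes(ram)  # "update values": this snapshot becomes the new previous
        return kept

def demo():
    """Constructed RAM: addr 1 = frame counter, addr 4-5 = 16-bit x (300 -> 2C 01), addr 8 = signed health (-10 -> F6)."""
    ram1 = bytearray(16)
    ram1[1], ram1[4:6], ram1[8] = 10, (300).to_bytes(2, "little"), (-10) % 256
    ram2 = bytearray(ram1)
    ram2[1], ram2[4:6] = 11, (305).to_bytes(2, "little")  # a frame later, 5 px right
    # Discrete known value: signed 8-bit "entered value" search for -10 (unsigned would need 246).
    health = MemorySearch(ram1, 8, signed=True).search(ram1, "equal to", -10)
    # Continuous value: 16-bit "previous value" > between the points; the frame counter
    # and overlapping unaligned reads survive too, which is why more points are needed.
    moved = MemorySearch(ram1, 16).search(ram2, "greater than")
    return health, moved
```

Running demo() returns ([8], [0, 1, 3, 4]): the health byte is found at once, while the x-position search still needs further points to discard the frame counter and the unaligned overlaps.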

Volatile unordered values

This is for finding changing, unpredictable values that could indicate a variable used in an RNG. It does not always succeed, and the result is not always useful.

Pick two points in the game where you believe the RNG differs. Try to make them close together; they could be one frame apart (but not always, and it could be situation-dependent). Search as described for continuous or hidden ordered values above, except use the "not equal to" comparison.

Keep picking points until you reach a few addresses remaining. Make sure that at the point you pick, you believe the value of the RNG should differ from the previous point.

Now examine the addresses' current and previous values. A few of them may be off by 1, or there may be a group of addresses whose current values are all identical, as well as the previous values. Any unusual address, one which stands out, could be the RNG.

To test if it could be the RNG, watch the address in memory and play the game. The address should change often and have unpredictable sequences of values. It's often hard to tell an RNG address from another address, unless the RNG addresses change every frame.

If you think you have found something, always check the memory around it. Other nearby variables that behave similarly are possible evidence of an RNG address.

If you don't find anything at first, keep trying in different game situations. The RNG might be hard to find, change only in certain situations, or be indistinguishable from a continuously incrementing memory address. It might not even exist, for example if values are strictly determined from prior observable results.

Failure to find the RNG addresses does not mean that there is no RNG.

Why could it be useful to find RNG addresses? The goal is not to find the secret formula for the RNG, unless you are experienced at disassembly. Knowing where RNG addresses are means knowing when they change, and knowing when they change can help luck manipulation.

Links

Data Crystal, a site with some useful RAM addresses.

MemorySearch last edited by FractalFusion on 2008-05-29 09:59:11