Post subject: Tutorial: Cheat Engine (RAM Watch)
Player (34)
Joined: 3/8/2012
Posts: 398
Location: Windfall Island
I have found that the 64-bit version of Dolphin is different, I'm not sure on how to use it. This tutorial only applies to 32-bit Dolphin.

Okay, a couple of people have wanted to know how to use Cheat Engine for Dolphin. Download Cheat Engine (http://cheatengine.org/) and follow the tutorial a bit. It helps to be comfortable with the program.

First, open Dolphin and Cheat Engine. Press the computer/magnifying glass in the corner and connect it to Dolphin. In Cheat Engine, click Edit, then Settings. Go to Scan Settings and check MEM_PRIVATE, MEM_IMAGE, and MEM_MAPPED.

The first thing you will want to do is add the Big Endian search types. Right click on the value type and click "Define new custom type(Auto Assembler)". Paste the following:
alloc(TypeName,256)
alloc(ByteSize,4)
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)

TypeName:
db '2 Byte Big Endian',0

ByteSize:
dd 2

//The convert routine should hold a routine that converts the data to an integer (in eax)
//function declared as: stdcall int ConvertRoutine(unsigned char *input);
//Note: Keep in mind that this routine can be called by multiple threads at the same time.
ConvertRoutine:
//jmp dllname.functionname
[64-bit]
//or manual:
//parameters: (64-bit)
//rcx=address of input
xor eax,eax
mov ax,[rcx] //eax now contains the bytes 'input' pointed to
xchg ah,al //convert to big endian

ret
[/64-bit]

[32-bit]
//jmp dllname.functionname
//or manual:
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//example:
mov eax,[ebp+8] //place the address that contains the bytes into eax
mov ax,[eax] //place the bytes into eax so it's handled as a normal 4 byte value
and eax,ffff //cleanup
xchg ah,al //convert to big endian

pop ebp
ret 4
[/32-bit]

//The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g. when the user wants to write a new value)
//function declared as: stdcall void ConvertBackRoutine(int i, unsigned char *output);
ConvertBackRoutine:
//jmp dllname.functionname
//or manual:
[64-bit]
//parameters: (64-bit)
//ecx=input
//rdx=address of output
//example:
xchg ch,cl //convert the little endian input into a big endian input
mov [rdx],cx //place the integer into the 2 bytes pointed to by rdx

ret
[/64-bit]

[32-bit]
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//[ebp+c]=address of output
//example:
push eax
push ebx
mov eax,[ebp+8] //load the value into eax
mov ebx,[ebp+c] //load the address into ebx

//convert the value to big endian
xchg ah,al

mov [ebx],ax //write the value into the address
pop ebx
pop eax

pop ebp
ret 8
[/32-bit]
Press ok, then create another custom search type:
alloc(TypeName,256)
alloc(ByteSize,4)
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(UsesFloat,4)

TypeName:
db 'Float Big Endian',0
ByteSize:
dd 4
UsesFloat:
db 01

ConvertRoutine:
[32-bit]
push ebp
mov ebp,esp
mov eax,[ebp+8] //place the address that contains the bytes into eax
mov eax,[eax]   //place the bytes into eax
bswap eax       //convert to big endian
pop ebp
ret 4
[/32-bit]

[64-bit]
//rcx=address of input
mov eax,[rcx] //eax now contains the bytes 'input' pointed to
bswap eax     //convert to big endian
ret
[/64-bit]

ConvertBackRoutine:
[32-bit]
push ebp
mov ebp,esp
//[ebp+8]=input
//[ebp+c]=address of output
push eax
push ebx
mov eax,[ebp+8] //load the value into eax
mov ebx,[ebp+c] //load the address into ebx
bswap eax       //convert the value to big endian
mov [ebx],eax   //write the value into the address
pop ebx
pop eax

pop ebp
ret 8
[/32-bit]

[64-bit]
//ecx=input
//rdx=address of output
bswap ecx     //convert the value to big endian
mov [rdx],ecx //place the integer into the 4 bytes pointed to by rdx
ret
[/64-bit]
These are used for searching for 2 Byte and 4 Byte float values.

Now here comes the annoying part. Dolphin opens up the game in a random area in the memory, so you'll need to find a pointer for the beginning of that memory. The reason that you have to do this is because each version of Dolphin uses a different pointer. The memory always starts with the internal name of the game. To find it, right click on the iso you want to use and click properties. The internal name of the game is shown at the top. Now, start the game in Dolphin and search for the game name as a String. There should be 2 addresses that end with 0000. Usually the first one is correct, so let's use this. Add it to the address list and right click it, and select "Pointer scan for this address". Wait until the progress bar goes all the way across the screen and until this box opens up. Press stop and you should get a list like this. The first value is usually the right one. The correct one to add will have only one offset, and it will be an offset of 0. Double click it, add it to the list, and if you double click on the Address column for it, it'll look something like this. I keep this pointer simply to make things easier. To save time and processing power, you can set Cheat Engine to start the scans at the value that it points to, so it doesn't scan a bunch of Dolphin's values.

Now, go ahead and find some value, in this example I use health. Copy and paste the pointer value that you found for the start of the memory, and set the offset to the difference between the Health value, and the start of the memory. The Health address is 0B0C623B. The Starting address is 0AD30000. 0B0C623B - 0AD30000 = 39623B. Interesting note: The offset is also equal to the address for an Action Replay code. Single byte scans can still be used normally. Instead of 2 byte and 4 byte, use the supplied scans. All the values you get MUST use pointers, or else they will be lost whenever Dolphin is reset.
The main pointer will work for all games, so you only need to find it once. Here is a picture of an example scan for speed. Note the settings, and the memory region. Special thanks to this topic: http://tasvideos.org/forum/viewtopic.php?t=11885
IronSlayer wrote:
Your counterargument would be like me saying that the Earth is round and then you telling me that I need to show it's flat so I can "prove us all wrong".
Seems legit.
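The following is an added example, not part of the tutorial above or of Cheat Engine's own code. It mirrors what the two custom types do (the 2-byte "xchg ah,al" and the 4-byte "bswap eax" conversions) in Python, runs a first-scan over a constructed snapshot of emulated RAM to show why a stock little-endian scan misses a big-endian value, and carries out the host-address minus start-of-memory subtraction from the post. The game ID, offsets and snapshot contents are constructed for the demo; the 0B0C623B and 0AD30000 addresses are the ones quoted in the post.

```python
import struct

# Constructed stand-in for the emulated RAM region that Dolphin maps into its
# own process. Real emulated RAM is megabytes; this is just large enough to
# show the layout the tutorial relies on: the internal game name at the very
# start, then game data stored in the guest's big-endian byte order.
GAME_ID = b"G8ME01"      # game ID quoted later in this thread
HEALTH_OFFSET = 0x10     # constructed offsets, not real game data
SPEED_OFFSET = 0x20


def build_sample_ram() -> bytearray:
    ram = bytearray(0x40)
    ram[0:len(GAME_ID)] = GAME_ID
    struct.pack_into(">H", ram, HEALTH_OFFSET, 100)   # health = 100, 2 bytes, big-endian
    struct.pack_into(">f", ram, SPEED_OFFSET, 12.5)   # speed = 12.5, float, big-endian
    return ram


# Equivalents of the two custom types from the tutorial.
# "2 Byte Big Endian":  mov ax,[addr] ; xchg ah,al
# "Float Big Endian":   mov eax,[addr] ; bswap eax  (with UsesFloat set)
def convert_u16_be(ram: bytes, off: int) -> int:
    return struct.unpack_from(">H", ram, off)[0]


def convert_back_u16_be(ram: bytearray, off: int, value: int) -> None:
    struct.pack_into(">H", ram, off, value & 0xFFFF)


def convert_f32_be(ram: bytes, off: int) -> float:
    return struct.unpack_from(">f", ram, off)[0]


def convert_back_f32_be(ram: bytearray, off: int, value: float) -> None:
    struct.pack_into(">f", ram, off, value)


# What Cheat Engine's stock little-endian "2 Bytes" type sees for the same bytes.
def convert_u16_le(ram: bytes, off: int) -> int:
    return struct.unpack_from("<H", ram, off)[0]


def find_mem_start(ram: bytes) -> int:
    """The 'search for the game name as a String' step: offset of the game ID."""
    return ram.find(GAME_ID)


def scan_u16(ram: bytes, wanted: int, big_endian: bool = True) -> list:
    """First scan for a 2-byte value, 2-byte aligned: offsets whose decoded value matches."""
    conv = convert_u16_be if big_endian else convert_u16_le
    return [off for off in range(0, len(ram) - 1, 2) if conv(ram, off) == wanted]


def scan_f32_be(ram: bytes, wanted: float, tol: float = 1e-6) -> list:
    """First scan for a big-endian float, 4-byte aligned like CE's fast scan."""
    return [off for off in range(0, len(ram) - 3, 4)
            if abs(convert_f32_be(ram, off) - wanted) < tol]


def guest_offset(host_addr: int, mem_start: int) -> int:
    """Offset to store next to the start-of-memory pointer, e.g.
    0x0B0C623B - 0x0AD30000 = 0x39623B for the tutorial's health address."""
    if host_addr < mem_start:
        raise ValueError("address lies before the start of emulated memory")
    return host_addr - mem_start


if __name__ == "__main__":
    ram = build_sample_ram()
    print("memory starts at", hex(find_mem_start(ram)))
    print("big-endian scan for 100:", [hex(o) for o in scan_u16(ram, 100)])
    print("little-endian scan for 100:", scan_u16(ram, 100, big_endian=False))
    print("LE view of the health bytes:", hex(convert_u16_le(ram, HEALTH_OFFSET)))
    print("float scan for 12.5:", [hex(o) for o in scan_f32_be(ram, 12.5)])
    print("health offset from tutorial:", hex(guest_offset(0x0B0C623B, 0x0AD30000)))
```

The little-endian scan returns nothing because the bytes 00 64 read as 0x6400 (25600) in host order; only the big-endian conversion sees 100, which is the whole reason the custom types exist.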
Active player (322)
Joined: 1/15/2012
Posts: 343
Am I doing it wrong? http://i.imgur.com/cHE9X.png http://i.imgur.com/KVozW.png 0 addresses end with 0000, I'm not sure why... What should I do? And thanks for the tutorial, it will be useful :)
Joined: 11/21/2006
Posts: 94
In Cheat Engine, Edit > Settings > Scan Settings > check "MEM_MAPPED".
Editor, Experienced player (569)
Joined: 11/8/2010
Posts: 4035
I'm glad you didn't leave, Abahbob. This is a great tutorial. I might use it sometime later.
Active player (322)
Joined: 1/15/2012
Posts: 343
Miles wrote:
In Cheat Engine, Edit > Settings > Scan Settings > check "MEM_MAPPED".
Awesome, now I got four addresses ending with 0000 x) I'll take the first one as in the tutorial :) Thanks.
Player (34)
Joined: 3/8/2012
Posts: 398
Location: Windfall Island
I totally forgot about changing settings :P The more I try to leave, the more I get pulled back in. :/
Editor, Experienced player (859)
Joined: 8/12/2008
Posts: 845
Location: Québec, Canada
Thank you, Abahbob! This tutorial is magnificent!! I'll try searching for addresses as soon as possible.
Active player (322)
Joined: 1/15/2012
Posts: 343
I was wondering, can we use an AR Code to find a RAM address? For example, I find a code which gives 99 points and looks like 98NC-6Q2H-7XU7A K1NR-NH5P-82PTP. Can I find the RAM address where the number of points is?
Player (146)
Joined: 7/16/2009
Posts: 686
STBM wrote:
Can I find the RAM address where the number of points is?
Some googling gave me this. I suppose it should be about the same for GameCube.
Active player (322)
Joined: 1/15/2012
Posts: 343
Scepheo wrote:
STBM wrote:
Can I find the RAM address where the number of points is?
Some googling gave me this. I suppose it should be about the same for GameCube.
So I put the GC AR Code in hex using GCNCrypt and then use that. Thanks! :D
Player (34)
Joined: 3/8/2012
Posts: 398
Location: Windfall Island
STBM wrote:
Scepheo wrote:
STBM wrote:
Can I find the RAM address where the number of points is?
Some googling gave me this. I suppose it should be about the same for GameCube.
So I put the GC AR Code in hex using GCNCrypt and then use that. Thanks! :D
Also, just putting the code into dolphin, then checking it should turn it into hex.
Active player (322)
Joined: 1/15/2012
Posts: 343
Ok, I need your help please. Here are the codes I have: (m) 1GAV-A2HZ-2QCPA AJXQ-DFYU-A6JQ6 FUGU-9JMQ-2WVXT and Feed Egg Once For Full Growth 98NC-6Q2H-7XU7A K1NR-NH5P-82PTP. It's for Billy Hatcher US (which is the one I'm using). I tried to put them in properties > AR Codes to test them. It doesn't seem to work in-game, I'm not sure if I'm doing something wrong. Secondly, the Feed Egg Once For Full Growth code decrypted is: 040C48D0 388000FF. So I guess the address this code is changing is 040C48D0... But it doesn't work: I tried to create a pointer with "Dolphin.exe"+048E22F8 and add 040C48D0, it doesn't work. And my "start address" is 0B3E0000, so I don't think I can make 040C48D0 - 0B3E0000... I really don't know what to do, I tried to find the address manually of course but it didn't work. At all. I keep finding some strange values which seem coherent but after 5 minutes of game time, they start to go crazy... :-( Help please!
Player (34)
Joined: 3/8/2012
Posts: 398
Location: Windfall Island
STBM wrote:
Ok, I need your help please. Here are the codes I have: (m) 1GAV-A2HZ-2QCPA AJXQ-DFYU-A6JQ6 FUGU-9JMQ-2WVXT and Feed Egg Once For Full Growth 98NC-6Q2H-7XU7A K1NR-NH5P-82PTP. It's for Billy Hatcher US (which is the one I'm using). I tried to put them in properties > AR Codes to test them. It doesn't seem to work in-game, I'm not sure if I'm doing something wrong. Secondly, the Feed Egg Once For Full Growth code decrypted is: 040C48D0 388000FF. So I guess the address this code is changing is 040C48D0... But it doesn't work: I tried to create a pointer with "Dolphin.exe"+048E22F8 and add 040C48D0, it doesn't work. And my "start address" is 0B3E0000, so I don't think I can make 040C48D0 - 0B3E0000... I really don't know what to do, I tried to find the address manually of course but it didn't work. At all. I keep finding some strange values which seem coherent but after 5 minutes of game time, they start to go crazy... :-( Help please!
Well, if the code is: 040C48D0 388000FF Then the address is 000C48D0. The 04 at the beginning is telling what to do at that address (change it to this, add this much, subtract this much, or w/e). I do not know what (M) codes even do actually. I've looked, but I haven't actually found out why they do anything and what they do. All you'll want to do is get that start pointer, and change the offset to 000C48D0, don't mess with the "Dolphin + xxxxxxxx"
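An added example, not from any poster in this thread, to make the reply above concrete: it splits the decrypted line 040C48D0 388000FF into the leading type byte and the remaining 24-bit guest address, adds that address to the start-of-memory pointer (using the 0B3E0000 value quoted in the question) to get the address in the Dolphin process, and performs the write on a constructed RAM snapshot so the value can be read back with the same big-endian conversion the tutorial's custom type uses. The code-type table (00 = 8-bit, 02 = 16-bit, 04 = 32-bit write) follows the usual GameCube Action Replay layout and is an assumption of this example; the thread only says the 04 tells what to do at the address. The 24 MiB RAM size is the GameCube's main memory size; the 1 MiB snapshot is a constructed stand-in.

```python
import struct

GC_RAM_SIZE = 0x01800000    # GameCube main RAM: 24 MiB
SNAPSHOT_SIZE = 0x100000    # constructed 1 MiB snapshot, enough to hold 0x000C48D0

# Code-type byte -> width of the write. Assumed layout (usual GameCube AR
# codes); the thread itself only says the leading 04 "tells what to do".
AR_WRITE_WIDTH = {0x00: 1, 0x02: 2, 0x04: 4}
_FMT_FOR_WIDTH = {1: ">B", 2: ">H", 4: ">I"}   # guest stores values big-endian


def decode_ar_line(line: str):
    """Split a decrypted 'AAAAAAAA VVVVVVVV' line into (type, guest address, value)."""
    addr_word, value_word = line.split()
    addr_field = int(addr_word, 16)
    value = int(value_word, 16)
    code_type = addr_field >> 24            # the '04' in 040C48D0
    guest_addr = addr_field & 0x00FFFFFF    # the '0C48D0' part: offset from start of RAM
    return code_type, guest_addr, value


def is_valid_guest_addr(guest_addr: int, ram_size: int = GC_RAM_SIZE) -> bool:
    """True if the offset can lie inside emulated RAM. Leaving the 04 byte in
    the address (0x040C48D0) fails this check, which is why subtracting it
    from the start-of-memory pointer goes nowhere."""
    return 0 <= guest_addr < ram_size


def host_address(mem_start: int, guest_addr: int) -> int:
    """Start-of-memory pointer + AR address = address in the Dolphin process."""
    if not is_valid_guest_addr(guest_addr):
        raise ValueError(f"0x{guest_addr:08X} is outside emulated RAM")
    return mem_start + guest_addr


def apply_ar_write(ram: bytearray, line: str) -> int:
    """Perform the write the code describes on a RAM snapshot, big-endian as the
    guest stores it. Returns the guest address that was written."""
    code_type, guest_addr, value = decode_ar_line(line)
    width = AR_WRITE_WIDTH.get(code_type)
    if width is None:
        raise ValueError(f"unsupported code type 0x{code_type:02X}")
    if guest_addr + width > len(ram):
        raise ValueError(f"0x{guest_addr:08X} is outside this snapshot")
    mask = (1 << (8 * width)) - 1
    struct.pack_into(_FMT_FOR_WIDTH[width], ram, guest_addr, value & mask)
    return guest_addr


def read_u32_be(ram: bytes, off: int) -> int:
    """Same conversion as the tutorial's 4-byte custom type (mov eax,[addr];
    bswap eax), without the float reinterpretation."""
    return struct.unpack_from(">I", ram, off)[0]


if __name__ == "__main__":
    line = "040C48D0 388000FF"
    code_type, guest_addr, value = decode_ar_line(line)
    print(f"type 0x{code_type:02X}, guest address 0x{guest_addr:08X}, value 0x{value:08X}")
    # With the start-of-memory pointer from the question resolving to 0B3E0000:
    print("host address:", hex(host_address(0x0B3E0000, guest_addr)))
    ram = bytearray(SNAPSHOT_SIZE)
    apply_ar_write(ram, line)
    print("value read back big-endian:", hex(read_u32_be(ram, guest_addr)))
    print("raw 040C48D0 usable as an offset?", is_valid_guest_addr(0x040C48D0))
```

So the pointer entry in Cheat Engine is the start-of-memory pointer with offset 000C48D0, and the resolved address is 0B4A48D0 when the pointer points at 0B3E0000.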
Joined: 2/2/2013
Posts: 23
Location: Georgia
Has anyone looked into using it on 64 bit dolphin?
RachelB
She/Her
Player (129)
Joined: 12/3/2011
Posts: 1579
Phailsku wrote:
Has anyone looked into using it on 64 bit dolphin?
It's more or less exactly the same.
Player (34)
Joined: 3/8/2012
Posts: 398
Location: Windfall Island
Yeah there is a problem in this tutorial, some settings need to be changed for it to work. I'll add those when I have access to my computer.
Skilled player (1737)
Joined: 9/17/2009
Posts: 4979
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
I tried pasting the code, but it keeps giving the message: Error in line 17 ([64-bit]): This instruction can't be compiled
Experienced player (984)
Joined: 8/30/2012
Posts: 373
When I do a scan for the game ID (G8ME01) I can't find an address ending with 0000. http://gyazo.com/0678c40f6ebdb899d182acf6c2bc58f7 Does anyone know why?
Previous TASes: Frogger's Adventures: The Rescue Paper Mario: The Thousand-Year Door any% x 8 Paper Mario 64 Luigi's Mansion Sonic Heroes - Team Sonic Mario Kart Wii ILs
RachelB
She/Her
Player (129)
Joined: 12/3/2011
Posts: 1579
Did you do this?
In Cheat Engine, click Edit, then Settings. Go to Scan Settings and check MEM_PRIVATE, MEM_IMAGE, and MEM_MAPPED.
Skilled player (1737)
Joined: 9/17/2009
Posts: 4979
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
RachelB wrote:
Did you do this?
In Cheat Engine, click Edit, then Settings. Go to Scan Settings and check MEM_PRIVATE, MEM_IMAGE, and MEM_MAPPED.
This is what my settings look like: Using CE 6.2, btw.
Experienced player (984)
Joined: 8/30/2012
Posts: 373
I didn't have MEM_MAPPED checked. I'll test this out in a bit and hope it works! Thanks
Experienced player (588)
Joined: 2/5/2011
Posts: 1417
Location: France
I can't get it to work with Virtual Consoles games but it works perfectly with other games... Any help?
Current: Rayman 3 maybe? idk xD Paused: N64 Rayman 2 (with Funnyhair) GBA SMA 4 : E Reader (With TehSeven) TASVideos is like a quicksand, you get in, but you cannot quit the sand
Joined: 10/16/2013
Posts: 7
I can't get it to work, I get "Virtualalloc failed, please try the 64-bit version instead" or something like that
Experienced player (984)
Joined: 8/30/2012
Posts: 373
Is there any way to get this to work on newer versions of Dolphin?
Joined: 1/13/2014
Posts: 56
Malleoz wrote:
Is there any way to get this to work on newer versions of Dolphin?
Try using this lua script made by yoshifan. I've used it and it's pretty good.