THREAD: How to find addresses in games [Detailed]
  1. 11-27-2015, 11:46 AM
    Bch
    How to find addresses


    Note: I know this is in the wrong section, but the problem is this is the most active section; if it goes in Learning Center, which has like 0 active users 99% of the time, no one will see it, and I will keep getting questioned on how to do it and asked to make a tutorial on it, even though I have. Maybe put it in Learning Center and make a thread link from GTA or whatever...


    Introduction
    I understand people have posted tutorials in the past, but people think they do not go into the level of detail they need, and various people asked me to make a tutorial on how I would find addresses. I will cover some quite complex theories for beginners who have had no past experience, so you may need to look up some stuff yourself, but I will try to go into as much detail as possible. I will split it into sections so you can skip over the stuff you know.


    Memory
    The PS3 has memory, and that memory is divided into two sections. Part 1 is the actual game code, the mechanics of the game. The second part is used to store variables, i.e. stuff the game needs to remember, such as the amount of health you have, your position in the game etc.


    Viewing Memory
    So as you may or may not know, a computer can only process 1's and 0's, which you may also know as binary. Binary is base 2, whereas the counting system we are all taught as a child is base 10 (8 fingers, 2 thumbs, easier to count). Although we could view memory as binary, it would be a lot more complex, as it would be a series of 1's and 0's which, to us, would be pretty meaningless. Instead memory is displayed in hexadecimal, which is another numbering system. This system is base 16, which means it has numbers 0-9, then it goes A-F. So the value A would = 10. Both addresses (the location in memory) and the values which are at those addresses are in hexadecimal. Each data type is stored differently in memory, but they all end up being converted into binary 1's and 0's at some point, which means when you try to reverse this it can cause small problems.


    Binary (More Detail, not required)
    So because everything is stored in binary, we need to convert from decimal (base 10) to binary and back. Then also convert from hexadecimal to binary and back. In fact we can convert from any base to any base if required. As a simple example, let's say we have 8 bits (1 byte), and we want to store the value 72. To convert from decimal to binary we write out 2^n, where n is 0 to the number of bits we are using - 1. Then from left to right we include each value and deduct it from the number we want. For example:

    2^7 | 2^6 | 2^5 | 2^4 | 2^3 | 2^2 | 2^1 | 2^0
    128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
    0 | 1 | 0 | 0 | 1 | 0 | 0 | 0

    So, we write out our powers of 2, then we check to see if our number goes into the current value we are at, so these are the steps I took:
    1) Does 128 go into 72? No, write 0, move to the right
    2) Does 64 go into 72? Yes, write 1, our value is now 72 - 64 = 8, move to the right
    3) Does 32 go into 8? No, write 0, move to the right
    4) Does 16 go into 8? No, write 0, move to the right
    5) Does 8 go into 8? Yes, write 1, our value is now 8 - 8 = 0, move to the right
    6) Does 4 go into 0? No, write 0, move to the right
    7) Does 2 go into 0? No, write 0, move to the right
    8) Does 1 go into 0? No, write 0, move to the right
    Therefore in binary, 72 is 01001000.

    So we can convert from decimal to binary, but how do we go from binary to decimal?
    Let's say we are given the binary value 10110101, and we want to get the decimal value from it. All we do is put 2^0 at the right, and do 2^n till we get to the leftmost bit. Then we add together every value which has a 1 above it.

    1 | 0 | 1 | 1 | 0 | 1 | 0 | 1
    2^7 | 2^6 | 2^5 | 2^4 | 2^3 | 2^2 | 2^1 | 2^0
    128 | 64 | 32 | 16 | 8 | 4 | 2 | 1

    128 + 32 + 16 + 4 + 1 = 181

    Relatively straightforward, however let's say we were asked to make the number 312 in an 8-bit number. Let's try and see what happens.
    2^7 | 2^6 | 2^5 | 2^4 | 2^3 | 2^2 | 2^1 | 2^0
    128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
    1 | 1 | 1 | 1 | 1 | 1 | 1 | 1
    So I currently have the number 255, however I have used up all 8 bits and don't have enough memory to store the required number.
    This is why programming languages have different variable types, such as int16 (2 bytes long, 16 bits), int32 (4 bytes long, 32 bits, and the most common size), and for large numbers int64 (8 bytes long, 64 bits). Also a computer can store negative numbers by using the leftmost bit as -128, then adding the remaining bits, which is called two's complement; I suggest you read up on that as it's quite interesting and useful.

    Hexadecimal (More Detail, not required)
    So converting from decimal to hex can be done, however it is much easier to convert from binary to hex. All we need to do is split the binary number into 4-bit sections. If the binary number had 10 bits, we would just add 2 zeros to the front to make it a multiple of 4.
    So let's use a previous number, 10110101, which was the decimal value 181. This number is 8 bits long, which is a multiple of 4, so we don't need to add any zeros.

    1) Split up the number into 4s:
    1011 0101
    2) Calculate the left side and right side as separate binary numbers (i.e. 2^0 to 2^3 on each side):
    2^3 2^2 2^1 2^0 | 2^3 2^2 2^1 2^0
    8 4 2 1 | 8 4 2 1
    8 + 2 + 1 = 11 | 4 + 1 = 5
    3) Convert any numbers which are greater than 9 to hex (0123456789ABCDEF):
    11 = B
    4) Join the alphanumeric characters together, so 181 in hex is B5.

    A key thing to note with hexadecimal is that the notation is to use a 0x in front of the hex number so that we and the computer know it is a hex number instead of another base. So if you see 0x315FBA, you ignore the leading 0x.

    How data is stored in memory
    You understand how it's stored in binary, however it's displayed to you as hexadecimal to make it easier to see and understand, but everything is stored in the same way, as numbers. So text, floating point numbers, normal numbers, negative numbers, are all stored as positive numbers in memory. So the decimal to binary tutorial above shows you how an 8-bit, unsigned (meaning non-negative) value would be stored in memory, which in that case would give us a value range of 0-255. If we had that as two's complement, our range would be -128 to 127. Floating point numbers are stored differently; they are stored with a mantissa and an exponent. In decimal terms an example would be 4.02 x 10^2: the mantissa is 4.02, and the exponent is the power, 2. Finally a string (characters) is stored as numbers too, and going by the ASCII standard, each character is assigned a numerical value which can be seen in an ASCII table.
    However strings are the easiest to notice in memory if you have an ASCII representation of all the memory alongside the bytes.

    Data Types and Ranges
    Integer 16bit (aka short) - -32,768 to 32,767
    Integer 32bit (most common) - -2,147,483,648 to 2,147,483,647
    Integer 64bit (aka long) - -9,223,372,036,854,775,808 to 9,223,372,036,854,775,807
    Unsigned Integer 16bit (aka ushort) - 0 to 65,535
    Unsigned Integer 32bit (aka uint) - 0 to 4,294,967,295
    Unsigned Integer 64bit (aka ulong) - 0 to 18,446,744,073,709,551,615
    Floating Point 32bit (most common in games) - 3.4E +/- 38
    Floating Point 64bit (aka double) - 1.7E +/- 308
    String - length in memory is usually until the string hits a null byte
    Vector3 - 3 floating point 32bit numbers (xyz usually)


    Memory Scanning
    So now we know what memory is, how it is displayed and how different value types are stored in memory, how do we find them?
    In these examples I will be using Cheat Engine and ProDG debugger, however you can use others like CCAPI Debugger. However I do recommend using TMAPI, as memory scanning can be very slow with CCAPI. First, we need to know the value of something that we want to change, or at least a rough idea of the value (e.g. a percentage between x and y). You also need to know what TYPE of value it is: is it a string, float, integer etc., is it 16bit, 32bit and so on.
    One of the easiest things to find is money, ammo etc., things which you can see a numerical value for and can change in game.
    The game I am doing is Borderlands: The Pre-Sequel.
    First open netcheat/CCAPI debugger, connect and attach, then press Find Ranges. (Games don't use all regions of memory, and each game uses different memory regions.)

    My Results

    So as you know, memory is split into two parts, code and variable data. The code will be in the range 00000000 - 10000000, then all games I have seen don't use memory past 70000000. So you want to check your results between 10000000 and 70000000; you want to see which is the largest region, as that is most likely where the variables will be. From my results I can tell it's most likely going to be 40000000 to 46000000, so that's my first place to scan. If it's not in there I will try 10000000 to 16000000, then 50000000 to 50800000, then finally 30000000 to 30300000. Once you find one address in one of those regions, all other addresses should be in the same region. *Although not always.

    So first I tried the 40000000 to 46000000 range and I didn't find anything, so now I will try the 10000000 to 16000000 range. So I'm going to try to find the money I have; currently I have $42, and I know it's not a float number, it's not a string, so it must be an integer. Now it could be unsigned, which would make sense, because why would you have negative money? However game developers usually do not use an unsigned type unless the value is never going to be negative AND a large number. So by chance I'm going to assume they are lazy developers who chose the most common type, which is int 32 bit (4 bytes).

    My current scan (2,711 results at end)


    So if the value is in that range, it will be one of those 2,711 results, so I will find some more money, then rescan my results for the new value.

    Repeat this process till hopefully you get 1 or a few addresses remaining.

    Next scan (5 results)


    Next scan (5 results)



    Alright so I've found five addresses remaining; most likely 4 will be mirror addresses and one will be the actual address. So we need to check each one and see if any are correct: open ProDG debugger and go to each address, change the value and see if your money changes.

    Not Changed


    Changed


    So the correct address is 0x156B7AF8. Now we could just write 2,147,483,647, which as you know is the largest int32, or we can edit the game code to stop money going down when we buy stuff. If you only want to edit the value, you would code it like this:
    C# - PS3.Extension.WriteInt32(0x156B7AF8, 2147483647);
    SPRX - *(int*)0x156B7AF8 = 2147483647;
    The next part will be on how to edit the game code so it doesn't decrease.


    Game Code Editing
    So let's say we have an address, such as the money address, and we want the game to stop changing the value when we buy something. Our first step is to find the function in the game which changes our value. To do this, we need to use something called a hardware breakpoint. Hardware breakpoints will hit a piece of code whenever something either writes to or reads from the address you put the breakpoint on. So because we want the game to stop writing to the address, we will place a write hardware breakpoint onto our address. My money address is 0x156B7AF8. (You can't use CCAPI Debugger for this, you need to use ProDG debugger.)

    Open debugger, go to Debug -> Hardware Breakpoints

    Enter the address which you found, and tick "on WRITE", then press OK

    Now in your game, you want to do the thing you want to patch. For example, because I want to stop money decreasing when I buy stuff, I need to spend some money to execute the required function in memory. Once you hit the breakpoint it will look like your PS3 has frozen, which is fine, so don't turn off your system. Once hit it should look something similar to this in the debugger (make sure you have the correct windows open; go to the Window menu at the top, you need Memory and Disassembly open).


    The yellow arrow is the game code line which the game is currently on; you should notice it starts with an "s", most likely "stw", which is store 4 bytes. This is basically writing the new value to the address, which in my case is a deducted amount of money. Now there's a couple of things you can do here. The first thing is to NOP it, which basically is deleting that line of code, so while the breakpoint is on, we go to the address we hit (which in my case is 0x63EC38) and write 60 00 00 00 in memory view.

    You should notice that the instruction now says "nop", so to continue the game we can simply press play, then when you buy items your money should no longer deduct, or if it's health it should no longer decrease etc. Make sure you go back to Debug -> Hardware Breakpoints and press Disable so it no longer looks for the breakpoint.

    Our other alternative, which is more complex, is to edit a previous instruction to set the value of the register which is being written to the address.
    So this is my code, yours will be different:


    If you look in Registers, you will notice r9 holds the address, and r11 holds the value which it's writing (my money), so we need to change the value of r11 to however much money we want to be constantly written to the address every time you spend money. So in my case, there is the instruction mr r11, r0, which moves the value of r0 into r11, then we also have an and instruction, and r11, r11, r0, so in this case we can simply replace the and r11, r11, r0 instruction with a li r11, 0xFFFF instruction, which if you know PPC means set r11 = 0xFFFF; also we can only use 2 bytes at a time with PPC per instruction. So let's use a PPC compiler to get the bytes.

    Now let's write the bytes to 0x063EC34, which in my case is 1 instruction before the store instruction; remember it's different for every case, so learn some simple PPC instructions to understand what to change.

    So just before it writes the bytes, it sets r11 = 0x1234, and then will store that value at the address:


    Which therefore constantly gives me $4,660 (0x1234) each time I buy something.


    The same process can be used for health: patch it to stop it being hit, therefore you have godmode, unlimited ammo etc.
    Last edited by Tears ; 11-30-2015 at 12:14 AM.
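As an added example (not code from the post or its author), here is the scan, rescan, verify loop from the Memory Scanning section run against a constructed 64-byte buffer standing in for a PS3 memory region. BASE, the offsets and the simulated game functions are assumptions for the demo; the int32 is packed big-endian because the PS3's Cell PPU is big-endian, so the same bytes read differently in a little-endian PC tool.

```python
import struct

# Added example, not the tutorial's code. A constructed bytearray stands in
# for one memory region; BASE is an assumed base address, not one from the
# page. ">i" packs a big-endian int32, which is how the PS3 stores it.
BASE = 0x10000000
REAL_OFFSET = 0x20    # where the simulated game keeps the money
MIRROR_OFFSET = 0x08  # a copy the game refreshes but never reads back


def make_region() -> bytearray:
    """Constructed memory: money=42 at REAL_OFFSET, a mirror at MIRROR_OFFSET,
    an unrelated 42 at 0x3C that will not track the money, and some noise."""
    region = bytearray(64)
    struct.pack_into(">i", region, REAL_OFFSET, 42)
    struct.pack_into(">i", region, MIRROR_OFFSET, 42)
    struct.pack_into(">i", region, 0x3C, 42)
    struct.pack_into(">i", region, 0x30, 1234)
    return region


def game_read_money(region: bytearray) -> int:
    """What the simulated game uses as the player's money."""
    return struct.unpack_from(">i", region, REAL_OFFSET)[0]


def game_set_money(region: bytearray, value: int) -> None:
    """Simulated game update: writes the real slot and refreshes the mirror,
    so a plain rescan can never tell the two apart."""
    struct.pack_into(">i", region, REAL_OFFSET, value)
    struct.pack_into(">i", region, MIRROR_OFFSET, value)


def first_scan(region: bytearray, value: int, step: int = 4) -> list:
    """Return every address whose big-endian int32 equals value.
    step=4 is an aligned scan; step=1 would also catch unaligned hits."""
    needle = struct.pack(">i", value)
    return [BASE + off for off in range(0, len(region) - 3, step)
            if region[off:off + 4] == needle]


def rescan(region: bytearray, candidates: list, value: int) -> list:
    """Keep only the candidates that now hold the new value (the 'next scan')."""
    needle = struct.pack(">i", value)
    return [addr for addr in candidates
            if region[addr - BASE:addr - BASE + 4] == needle]


def verify(region: bytearray, addr: int, probe: int) -> bool:
    """The debugger step: write a probe value to one candidate and check
    whether the game's own view of money changed; restores the bytes after."""
    off = addr - BASE
    saved = bytes(region[off:off + 4])
    struct.pack_into(">i", region, off, probe)
    changed = game_read_money(region) == probe
    region[off:off + 4] = saved
    return changed


def find_money_address(region: bytearray) -> int:
    """The tutorial's loop: scan for $42, earn money, rescan, then test each
    survivor with a write. Returns the real address or -1 if none respond."""
    candidates = first_scan(region, 42)          # 3 hits: mirror, real, 0x3C
    game_set_money(region, 57)                   # 'find some more money'
    candidates = rescan(region, candidates, 57)  # 0x3C drops out, 2 remain
    for addr in candidates:
        if verify(region, addr, 99):
            return addr
    return -1


if __name__ == "__main__":
    mem = make_region()
    print("first scan:", [hex(a) for a in first_scan(mem, 42)])
    print("money address:", hex(find_money_address(mem)))
```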

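Added example, not from the post or from a PPC assembler: it encodes the two patches the Game Code Editing section writes (nop = 60 00 00 00 and li r11, imm) and decodes them back so the bytes can be checked before they are written with the debugger. The stw r11, 0(r9) word and the code image are constructed from the registers the post names. One caveat the code makes visible: li is addi rD, r0, imm with a signed 16-bit immediate, so the bytes for li r11, 0xFFFF leave r11 holding -1 rather than 65535, which is why a value like 0x1234 behaves as expected.

```python
import struct

# Added example, not the tutorial's code. Minimal PowerPC encoder/decoder for
# the instruction forms the tutorial patches: nop, li (addi) and stw.
# Instruction words are 32 bits, stored big-endian on the PS3's Cell PPU.
OPCODE_ADDI = 14  # li rD, imm is the assembler mnemonic for addi rD, r0, imm
OPCODE_ORI = 24   # nop is encoded as ori r0, r0, 0 (bytes 60 00 00 00)
OPCODE_STW = 36   # stw rS, d(rA): store the low 4 bytes of rS at rA + d


def sign_extend16(field: int) -> int:
    """The 16-bit immediate field is signed: 0xFFFF means -1."""
    field &= 0xFFFF
    return field - 0x10000 if field & 0x8000 else field


def li_result(imm_field: int) -> int:
    """Value the register holds after li rD, imm_field (what stw then stores)."""
    return sign_extend16(imm_field)


def encode_li(rd: int, imm: int) -> bytes:
    """4 bytes for li rd, imm. Only 2 bytes of immediate fit in one
    instruction, the limit the tutorial mentions; imm is the raw 16-bit field."""
    if not 0 <= rd < 32:
        raise ValueError("register must be r0..r31")
    if not -0x8000 <= imm <= 0xFFFF:
        raise ValueError("immediate does not fit in 16 bits")
    word = (OPCODE_ADDI << 26) | (rd << 21) | (0 << 16) | (imm & 0xFFFF)
    return struct.pack(">I", word)


def encode_nop() -> bytes:
    """ori r0, r0, 0: the 60 00 00 00 the tutorial writes over the store."""
    return struct.pack(">I", OPCODE_ORI << 26)


def decode(word_bytes: bytes) -> str:
    """Disassemble the handful of forms used on the page."""
    (word,) = struct.unpack(">I", word_bytes)
    opcode = word >> 26
    rd = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    simm = sign_extend16(word)
    if word == OPCODE_ORI << 26:
        return "nop"
    if opcode == OPCODE_ADDI and ra == 0:
        imm_txt = f"{simm:#x}" if simm >= 0 else str(simm)
        return f"li r{rd}, {imm_txt}"
    if opcode == OPCODE_ADDI:
        return f"addi r{rd}, r{ra}, {simm}"
    if opcode == OPCODE_STW:
        return f"stw r{rd}, {simm}(r{ra})"
    return f".long {word:#010x}"


def patch_bytes(code: bytearray, base: int, addr: int, new_word: bytes) -> str:
    """Overwrite one instruction in a code image and return its new disassembly.
    base/addr are assumed values; on the console the write is done from the
    debugger's memory view."""
    off = addr - base
    if off < 0 or off + 4 > len(code) or off % 4:
        raise ValueError("address outside the image or not 4-byte aligned")
    code[off:off + 4] = new_word
    return decode(code[off:off + 4])


if __name__ == "__main__":
    # Constructed 8-byte code image: 'and r11, r11, r0' (opcode 31, xo 28)
    # followed by stw r11, 0(r9), mirroring the sequence the tutorial shows.
    image = bytearray(bytes.fromhex("7D6B0038") + bytes.fromhex("91690000"))
    print(patch_bytes(image, 0x100, 0x100, encode_li(11, 0x1234)))
    print(decode(image[4:8]), "stores", li_result(0x1234))
    print(decode(encode_li(11, 0xFFFF)), "stores", li_result(0xFFFF))
```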

  4. 11-27-2015, 11:49 AM
    Helping-Hand
    Nice work and highly detailed.

  6. 11-27-2015, 11:51 AM
    TROPICAL_TV
    Damn, nice tutorial man! You always put nice tuts on here Beach, thanks for that!
  7. 11-27-2015, 12:02 PM
    Originally Posted by Beach View Post
    Nice tut bro ^^
  8. 11-27-2015, 12:02 PM
    Vinny
    Yo how did i get here lol
  9. 11-27-2015, 05:49 PM
    Kryptus
    I've wanted for a long time to look more into memory. This is extremely helpful.
  11. 11-27-2015, 11:49 PM
    esc0rtd3w
    Kudos man, nice work.
  12. 11-28-2015, 06:56 AM
    ello
    OK so let's say for a game like Helldivers I use netcheat to find the unlock points, let's say I have 11.
    I narrow it down to 2 addresses but they're both mirror addresses.
    How do I go about that?
    Idk if you get what I'm trying to ask though =(
  13. 11-28-2015, 10:36 AM
    Bch
    Originally Posted by ello View Post
    OK so let's say for a game like Helldivers I use netcheat to find the unlock points, let's say I have 11.
    I narrow it down to 2 addresses but they're both mirror addresses.
    How do I go about that?
    Idk if you get what I'm trying to ask though =(


    Hmm, sometimes mirror addresses are in one memory region and the actual address might be in another. If you are using TMAPI and you're wired, then do a full scan of memory from around 10000000 to 70000000 and you should pick it up; it might take a little longer, but as long as you're on TMAPI it shouldn't be too long. Also try to get a higher number like 20+ for a large scan, because there's a LOT more small numbers in memory than larger ones, so the larger your number the fewer results you'll get on the first scan, meaning it'll be quicker :p. Also never do a first scan of 0 because that will give you millions of results and crash netcheat.
  14. 11-28-2015, 12:09 PM
    Danny_HD
    Sweet seb5594