Relative Address Cheat Searching Method

[kelvSYC]

Is there a general method of searching for relative address cheats? If so, how?

[Pugsy]

When I get a spare moment I'll knock you up a quick how-to (I don't know if anybody but myself has done any dynamic cheats so I suppose I should share my method).

It is really quite straightforward though you will need a MAME debug build still though...if it was possible to search for 3 bytes with the cheat engine there would be no need for the debugger though unfortunately you can only search for 1,2 or 4 bytes which is no good for finding dynamic cheats for the neogeo games.

Give me a game which requires dynamic cheats which currently has no dynamic cheats (energy or time or something straightforward please) and I'll use that as a worked example.

[kelvSYC]

I've heard requests for samsho2's energy bar.

If you look really closely at the bar, it's divided into roughly 32 sections, and each section is a value of 0x01. Thus, the max possible value is 0x2 and the min 0x00.

[Pugsy]

Ok here it is for what it's worth.... I've got a tendency to waffle I'm afraid Let me know how you get on...


This is presuming you are using a debug MAME. I'm using samsho2 as an example and I am looking for infinite energy for PL1 - the method is easy to alter for different games and/or other things (this is mainly a method used for neogeo games - the only real system that utilises dynamic addressing for 'useful' locations). It's not a method for beginners, it assumes cheat finding skills, a basic understanding of hexadecimal addressing and an ability to decode my waffling.

Code: Select all

1. Start MAME as you would normally - don't forget you must use the debug MAME build with either -debug on the commandline or DEBUG 1 in the ini file 

2. You will find that after a short while MAME will be on the debugger screen, at this stage just press F12 to start the game. [REMEMBER F12 in the debugger will return you to the game] 

3. Commence play 

4. Start a Energy Search and reduce the results using standard methods. In the example I reduced the results to 2 possibles 100AC6 & 10373B, by using watches I can discount 100AC6 as it's the time location. So that leaves us with 10373B 80 = Full Energy. NOTE: You have to find the value as quickly as possible because the location will change the next time the level changes, so you would have to start the search from the beginning. You can test the address you find by poking it directly if it's the correct location you will find it will have the desired affect on that level. 

5. Press the tilde key (the tilde key is the key under Esc and about TAB and the the left of 1). You will now be in the debugger, remember the fact that we found the address 0010373B in step 4 (Note the preceding 0s - we will need them). 

6. Press TAB 3 times so that the cursor is in the address window. Now press S to commence a search and type in the value as per step 5...but drop the last byte as that will be part of the index. So in this case we would type in 00 10 37, then press RETURN to execute the search - you can repeat the search by  pressing S and hitting RETURN (the last search values are still set). For every search result note down the address, you can safely ignore any results in ROM locations or where it crosses word boundaries (ie it shows as XX00 1037 instead of 0010 37XX). In this example you will find that S 00 10 37 only returns one ROM location at 00003680, so we can safely ignore it. However, there are no other occurences so we are goosed.....or are we? 

7. If there are no possibilities then remember that the location we are looking for contains an address that hopefully points to a page of memory limited in size. In most cases this seems to be no greater than 256 bytes and is mostly forward indexed (+ve rather than -ve). So assuming that 10373B is the extreme case it is 256 bytes away from the start of the memory page base location, then the base location of the page would be 10363C. So we need to repeat Step 6 but this time with S 00 10 36 as the search instruction, ignoring ROM locations and word boundary crossing, from this we get the following results:- 

Address     Contents 
100A46       00103680 
100A5E       00103680 
102AEC       00103680 
102D2C       00103680 
103F2C       00103680 
10404C       00103680 
104DCC       00103680 
10500C       00103680 
1057EC       00103680 
105A2C       00103680 
105C6C       00103680 
10644C       00103680 

8. From the Step 7 results you can see that all the results point to a page of memory starting at 00103680, since we know the energy location is 0010373B we can work out that the index value is = BB (Cheat Location - Start Address of page = 10373B -103680). 

9. Now you need to narrow the location down either by loads of watches on several levels or by excessive testing, personally I place a watch on all the locations and try the first location first, second location second etc etc. [ NOTE: A lot of neogeo games which utilise dynamic addressing seem to like to use a value in the range 100AXX as the pointer location. ] Here are the cheats to try first... 


:samsho2:83000000:00100A46:00000080:000000BB:Infinite Energy PL1 [POSSIBILITY NO. 1] 
:samsho2:83000000:00100A5E:00000080:000000BB:Infinite Energy PL1 [POSSIBILITY NO. 2] 
:samsho2:83000000:00102AEC:00000080:000000BB:Infinite Energy PL1 [POSSIBILITY NO. 3] 
:samsho2:83000000:00102D2C:00000080:000000BB:Infinite Energy PL1 [POSSIBILITY NO. 4] 

{ One more interesting thing to note, you may find that several locations will have the desired affect as the pointers maybe held in several places in memory, it really doesn't matter which one you use. }

10. Once you find out the location which works bear in mind that the game will use the same page for other things like Power etc, Note PL2 will generally use a different page though the location holding the pointer is generally right next to the pointer for the other Player (the index will generally be the same though...which is nice :) ). 

For samsho2 we hence have these dynamic cheats:- 

:samsho2:83000000:00100A46:00000080:000000BB:Infinite Energy PL1 
:samsho2:83000001:00100A46:00000000:000000BB:Drain All Energy Now! PL1 
:samsho2:83000000:00100A46:00000020:000000F0:Always have Maximum Power PL1 
:samsho2:83000000:00100A46:00000000:000000F0:Always have Minimum Power PL1 
:samsho2:83000000:00100A4A:00000080:000000BB:Infinite Energy PL2 
:samsho2:83000001:00100A4A:00000000:000000BB:Drain All Energy Now! PL2 
:samsho2:83000000:00100A4A:00000020:000000F0:Always have Maximum Power PL2 
:samsho2:83000000:00100A4A:00000000:000000F0:Always have Minimum Power PL2 

Dynamic Cheat Finding Method (c) Pugsy 2000-2002 ;-) 
 

EDIT: Fixed some gramattical errors, I really should read things through before posting..apologies for some of the long sentences.

EDIT 2: Oops, fixed a cut and paste error on the maximum power cheats - thats what happens when you cut corners

[Bugfinder]

Very nice explanation, thanks Martin!

[ianpatt]

I use a slightly different method for dynamic address cheats. First, I use the standard cheat finding method to find the address I want to modify. Then, I place a "break on read" or "break on write" using the debugger and run the game. When the value changes, the debugger pops up showing the section of code that accessed the data. Then, I trace through the disassembly to find how the CPU found the base pointer and offset. The easiest case is a simple base+displacement, which would look something like this:

Code: Select all

stb r3, r12(0x20)

In that case, I would then do a search through memory for the value stored in r12. That search, plus the displacement (0x20) are all you need to make the cheat.

[Pugsy]

I place a "break on read" or "break on write" using the debugger and run the game.

I haven't run the latest MAME with the debugger (so if I'm wrong I'm sorry) but I'm guessing the "break on read" and "break on write" still only exist on a certain 'cough' MAMEdev's compile...

You sort of hinted you would release the modifications back in April in viewtopic.php?t=546&highlight=break+read but so far nothing

I think they would be quite useful for a whole host of things...even your dynamic cheat finding method would be possible

[ianpatt]

Oh. I thought I released that a while ago.

Use the #defines at the top of memory.c to disable it when not in use - when enabled it causes a noticiable speed hit. You can also log all memory accesses to a file.

Debugger commands:

• LM - toggle memory logging
• MPR - break on read address
• MCR - clear read break
• MPW - break on write address
• MCW - clear write break

There are hardcoded limits for the memory areas logged defined in mamedbg.c. Look for MEM_UPPER_LOG_LIMIT.

Let me know if you have problems merging the files.

source

[Pugsy]

Thanks Ian


I will try it later and will let you know if I have any problems.

[Dave]

Does anyone know how to obtain the same results with the new debugger, or at least point me to a good guide? Anyway, does it have any useful improvement or do I have to recompile with the old debugger?
Thanks

[Pugsy]

It's been a while since a searched for dynamic/relative address cheats but the guide above should still work fine with a slight tweak. Biggest problem I see in my guide is that the new debugger doesn't include a search command (at least I couldn't see one in my last debug build...). There are two possible workarounds you can either use Ian's method (though you'll need to be able to understand a little bit of assembler - fortunately the new debugger has the built in watchpointfunctions for Ian's method) or you utilise the cheat engine for the search (without multiple simultaneous cheat searches though still makes it a pain and you still can't search on 3 bytes either)

Personally I'd consider a build with the old debugger for the time being as being the best option. I'm still not quite used to Aaron's superduper debugger , the sheer number of options for watchpoints/breakpoints is bewildering to say the least. The old debugger might not be as powerful but at least it did what I needed....but gotta bite the bullet sooner or later I guess.

BTW, why do you ask? Is there any particular game you are thinking of finding cheats for?

[Dave]

For instance, I would like to find a cheat to kill with 1 hit every enemy and boss in [ga2]. With the normal search mode I found some addresses that seem to be indexed values...
Actually I'm not sure I have to do a search for relative addresses in this case. Am I wrong?

[Pugsy]

If you find a cheat that works for say the first boss and the next time you load the game the first boss cheat doesn't work (or works very occasionally) then you need a dynamic cheat. If however the cheat you find never works then you just haven't found the right cheat...to make a dynamic cheat you first have to make sure that you can find a working cheat at least once.