
Thread: An ASM Memory Scanner

  1. #1
    Join Date
    Mar 2007
    Posts
    637

    Default An ASM Memory Scanner

    It's incomplete. It's the text files and PIS file for PS2Dis to put things in an understandable order. I need to add all of the button combinations to make things work still. The text files are commented on every line except for "jr ra". It should be very understandable. When I'm done with it, all people will need to do to make it work for a game is add 4 lines:
    enable code (or codes)
    replace the "jr ra" in the scesifsendcmd function with the jump
    2 lines for the joker


    Here's the list of complete and perfect things:
    1. First Scan (1, 2, or 4 bytes)
    It scans and stores the address and value of results within the parameters you set. It has 5 scan types:
    1. Store if equal to
    2. Store if not equal to
    3. Store if greater than
    4. Store if less than
    5. Combine the greater than and less than to create a range a value must be within to store it


    2. Extra Scans (bytes)
    It goes through the results and removes results not within the parameters. It checks the current value and compares it with the old value. If it keeps them, it replaces the old value with the current one. It has 6 scan types:
    1. Keep if the value didn't change
    2. Keep if the value changed
    3. Keep if the value increased
    4. Keep if the value decreased
    5. Keep if the value increased by ???????? amount
    6. Keep if the value decreased by ???????? amount


    3. First Scan (1 bit)
    The longest and perfect scan. It scans for exactly 1 bit turned on, and then stores an address and the 1 bit. Make sure the bit is on before scanning.

    4. First Scan (multiple bits)
    Just scans for a byte that isn't 0. Needs the 2nd scan next. Make sure the bit is on before scanning.

    5. Second Scan (multiple bits)
    Make sure the bit is off before scanning. It checks what changed, and treats them as bits. It also removes results that didn't change.

    6. Extra Scans (any bits)
    You will toggle whether to keep results if the bits are all on or all off.

    7. Reset Currently Selected Result
    Just sets which result you will test first. Also good if you somehow get lost.

    8. Cycle Through Results
    Toggle whether to go up/down to the next/previous result to test.

    9. Apply Old Value (bytes)
    It just applies the last stored value to whichever result you have selected so you know if you have the correct one selected.

    10. Turn Bits Off
    FF - bits = bits that can be on. It ANDs the current value with that to turn them off.

    11. Turn Bits On (Combined)
    It ORs the bits with the current bits at an address to combine them.

    12. Turn Bits On (Only Results)
    It replaces whatever the current bits are with the exact stored bits.

    13. Find the Address/Value
    It uses AND and pauses to determine what the result address or value is. It works for every game.


    It can toggle whether you are comparing signed or unsigned values too.
    It uses OR to change which values you are scanning for or what to AND the address/value by to find it.


    It's incomplete. I hope I'm done within the next 10 days, I've been working like crazy and am about done, I just need to organize it. This will be updated very soon, possibly even done.


    My only problem is I know almost nothing about the operations for floats, so I'm not sure how to make a scan function for floats.



    The first scan worked perfectly with Twisted Metal Black. I used a save dump to check. I hope it's helpful in some way for Project Artemis. I'm kind of afraid that there's a low limit to the amount of lines of code I can turn on with a cheat device, which will probably screw this over a bit, in which case I'll just turn on the functions I know I'll be using.
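The scan types listed in the post, modelled in Python as an added example (this is not the thread's ASM and not the attachment). It runs the first scan, the extra scans and the bit scans over a snapshot of RAM held in a bytearray. Assumed, not stated on the page: values are little-endian (as on the EE), multi-byte scans step by the value width, and each stored result costs 8 bytes (a 4-byte address plus a 4-byte value) inside the 00098000-00100000 region the thread later says games leave free, which is where the result cap comes from. The "RAM" contents in the two demo functions are constructed.

```python
# Added example, not the thread's ASM: a Python model of the scan functions
# listed in the post. Assumptions: little-endian values, scans step by the
# value width, and 8 bytes per stored result in the 00098000-00100000 region.
import struct

RESULT_BASE, RESULT_END = 0x00098000, 0x00100000
RESULT_BYTES = 8                                            # assumption: 4-byte address + 4-byte value
MAX_RESULTS = (RESULT_END - RESULT_BASE) // RESULT_BYTES    # 53248 results fit in the region

_FMT = {1: "B", 2: "H", 4: "I"}

def read(mem, addr, width=1, signed=False):
    """Read a little-endian 1/2/4-byte value, signed or unsigned."""
    code = _FMT[width]
    return struct.unpack_from("<" + (code.lower() if signed else code), mem, addr)[0]

def first_scan(mem, kind, value, value2=None, width=1, signed=False, start=0, end=None):
    """First scan types 1-5: eq, ne, gt, lt, range (value < v < value2).
    Returns [(addr, value)], cut off at MAX_RESULTS so results never spill
    past the reserved region."""
    end = len(mem) if end is None else end
    tests = {"eq": lambda v: v == value, "ne": lambda v: v != value,
             "gt": lambda v: v > value, "lt": lambda v: v < value,
             "range": lambda v: value < v < value2}
    test, out = tests[kind], []
    for addr in range(start, end - width + 1, width):
        v = read(mem, addr, width, signed)
        if test(v):
            out.append((addr, v))
            if len(out) >= MAX_RESULTS:
                break
    return out

def extra_scan(results, mem, kind, amount=None, width=1, signed=False):
    """Extra scan types 1-6: keep a result when the current value relates to
    the stored old value as asked, and replace the old value with the current one."""
    tests = {"same": lambda old, new: new == old, "changed": lambda old, new: new != old,
             "inc": lambda old, new: new > old, "dec": lambda old, new: new < old,
             "inc_by": lambda old, new: new - old == amount,
             "dec_by": lambda old, new: old - new == amount}
    test, kept = tests[kind], []
    for addr, old in results:
        new = read(mem, addr, width, signed)
        if test(old, new):
            kept.append((addr, new))
    return kept

def first_scan_1bit(mem):
    """Bytes with exactly one bit on; stores the address and that bit."""
    return [(a, b) for a, b in enumerate(mem) if b and b & (b - 1) == 0]

def first_scan_multibit(mem):
    """Any non-zero byte; a second scan with the flag turned off must follow."""
    return [(a, b) for a, b in enumerate(mem) if b]

def second_scan_multibit(results, mem):
    """With the flag now off, the bits that changed are the candidate bits;
    bytes that did not change are dropped."""
    return [(a, old ^ mem[a]) for a, old in results if mem[a] != old]

def extra_scan_bits(results, mem, keep_on):
    """Keep a result if its stored bits are all on (keep_on) or all off."""
    return [(a, bits) for a, bits in results
            if mem[a] & bits == (bits if keep_on else 0)]

def turn_bits_off(mem, addr, bits):          # AND with (FF - bits)
    mem[addr] &= 0xFF - bits

def turn_bits_on_combined(mem, addr, bits):  # OR into the current value
    mem[addr] |= bits

def turn_bits_on_only(mem, addr, bits):      # replace with exactly the stored bits
    mem[addr] = bits

def demo_lives():
    """Constructed 4 KiB 'RAM' (not a real dump): the lives counter sits at
    0x630 and four decoy bytes also hold 03 at first."""
    mem = bytearray(0x1000)
    for a in (0x100, 0x204, 0x3F0, 0x630, 0x7FF):
        mem[a] = 3
    r = first_scan(mem, "eq", 3)           # 5 hits
    mem[0x7FF] = 9                         # a decoy changes on its own
    r = extra_scan(r, mem, "same")         # 4 left
    mem[0x630] -= 1; mem[0x204] += 1       # player dies; another decoy goes up
    return extra_scan(r, mem, "dec")       # only the lives byte decreased

def demo_bits():
    """Same idea for flags: one single-bit flag and one that shares a byte."""
    mem = bytearray(0x100)
    mem[0x40], mem[0x41], mem[0x42] = 0x30, 0x04, 0xA0
    single = first_scan_1bit(mem)                        # only 0x41 has exactly one bit on
    multi = first_scan_multibit(mem)
    mem[0x40], mem[0x41] = 0x20, 0x00                    # toggle both flags off
    multi = second_scan_multibit(multi, mem)             # changed bits: 0x10 at 0x40, 0x04 at 0x41
    multi = extra_scan_bits(multi, mem, keep_on=False)   # both off now, so both are kept
    turn_bits_on_combined(mem, 0x40, 0x10)               # turn the shared flag back on
    return single, multi, mem[0x40]
```

The cap in `first_scan` is the check a practitioner wants before running a 1-byte "equal to" scan on a real dump: a wide-open first scan over 32 MiB of RAM can produce far more hits than the reserved region can hold, and without the cap the results would overwrite whatever follows the region.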

  2. #2
    Dastan
    Join Date
    Oct 2008
    Posts
    37

    Default

    Sorry to ask this... but I don't really understand what this does!

  3. #3
    Join Date
    Mar 2007
    Posts
    637

    Default

    I made it to be used with cheat devices for PS2 games.
    I haven't updated the one in this post since. I didn't know at the moment I was making it that PS2 cheat devices had a 199 line limit on the amount of codes you can turn on.
    I'm making a version that works within that limit.
    The memory scanner is intended to allow you to search for whatever you want, store the results, test the results, and then find the address of the code you found. All you would need is a cheat device, like: Codebreaker, Gameshark, Action Replay MAX, XPloder, or whatever.

    That attachment doesn't fit within the 199 line limit, I'm working on one that does and still allows you to do a lot without needing to turn the game off and change something.
    Last edited by bungholio; 07-05-2009 at 09:58:35 AM.

  4. #4
    Join Date
    Jul 1999
    Posts
    7,105

    Default

    I think this could prove quite useful for the PS2-side search functions of Artemis, down the road. Thanks for sharing it
    I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...

  5. #5
    Join Date
    Sep 2008
    Posts
    231

    Default

    I am sort of lost on what this is supposed to exactly do, all you refer to is "scanning". Is this only supposed to do memory searches and compare changes?

    You say you wanted this to be a cheat device? I've actually built a few of those successfully, and released a few half-ass'ed versions (in reference to the G.U.I.) to the public.

    Your 199 line limit... Why? Why not limit it to how much RAM your console has?

  6. #6
    Join Date
    Oct 2006
    Posts
    97

    Default

    Also, your extra search function: what's the limit on how many addresses it can do a 2nd comparison on? Are you just malloc'ing memory or is it a set array size? (I haven't looked at the code.)

  7. #7
    Join Date
    Mar 2007
    Posts
    637

    Default

    This isn't software or anything I'm developing. Nothing like that. This is just a long code that can be typed into any cheat device and used to scan the memory for whatever you specify, store the results, remove results with extra scans, test the addresses and cycle through the remaining results, and then get the address of the code you found.

    There's a 199 line limit because I only own a codebreaker version 9.2, and that only allows 199 lines of code on at a time. I don't know what the limit on the number of lines of code that are on is for other cheat devices, I'm just working with what I have.

    I don't want this to be a cheat device, it's a series of functions, ASM code to be typed into a cheat device.

    So far every PS2 game I've ever done a save dump with never seems to use memory space from 00098000 to 00100000. I put my code there and store results there.

    I have changed it a lot since that attachment. I've finally typed it all in and have been testing it today. I've managed to make it allow me to change my first scan value and what I can use to AND with the address to find what it is. I'm not sure how I missed it because it should have worked, but the last save dump I did an hour ago with Twisted Metal Black somehow didn't store anything from the first scan even though I was very certain I pressed the correct buttons. Must have been a tiny mistake or something I could easily fix when I get back to it.

    I'm still working on it.


    I repeat, this is not software or anything like that. It's just code to be typed into a cheat device and used to find other codes.

  8. #8
    Join Date
    Sep 2008
    Posts
    231

    Default

    Ahhh... Now I understand, just a cheat device assistant so-to-speak. That is something that could come in handy, run as a code with a cheat device gotcha.

    Since this is just a "code" to be used with a cheat device, you are forced into needing a 3rd party *hook* for it (in other words it's not universal; it must be pre-configured for a game, or at least 1 more code added to configure it).

    If you stepped out of the CodeBreaker world, and either use the device I designed and built OR build your own, you wouldn't have to worry about 199 line limits

    Now that I have that part understood, you say this is only supposed to search for a certain value, store it in a designated memory address, and then you perform a memory dump of any sort (live dump, save dump, etc.) and view the data it stored?

    My question is, exactly what would you be scanning for and are you able to modify the arguments for the scanner at run-time?

  9. #9
    Join Date
    Mar 2007
    Posts
    637

    Default

    You don't need to do a dump to get the address.
    Here's a run through what I just finished doing about 30 minutes ago (I finally got the thing to work perfectly):

    I chose Twisted Metal Black, I wanted to find infinite lives. You start the level with 3 lives.

    1. I did a first scan for 1 unsigned byte that had the value "03".
    2. Next, I did an extra scan for values that didn't change.
    3. After doing that a few times, I switched the extra scan to keep results that decreased. I got myself killed, so my lives decreased by 1. I scanned, and the game paused for about 30 seconds and then resumed.
    4. I switched the extra scan back to "keep if the value didn't change". I did a few more scans like that.
    5. I got myself killed again, then changed the scan to keep results that decreased and then I scanned.
    6. I quit and restarted the game.
    7. I used my function "Reset Currently Selected Result".
    8. I tried the function "Apply Old Value". No effect, so I used the function "Cycle Through Results".
    9. I applied an old value again, no effect and I cycled through the results again.
    10. I applied old value, and my lives shrank from 3 to 1.
    11. I started changing the value of the LUI and ORI in my "Get Address" function. I turned on 1 bit at a time, and then tried the function. If I didn't get a pause, the bit was off, and if it paused the bit was on. I kept doing that and got the address "00426030".
    12. I did a save dump for the heck of it, and there were only 3 remaining results and all had the value "01".

    I then restarted the game and entered this with codebreaker:
    00426030 00000004
    I tried it, and infinite lives. I found the ASM to change how many lives I started with before, and it was different depending on whether it was story mode or those other few. I don't know if this infinite lives code only affects story mode, I'm not checking at the moment. I only want to make the scanner work perfectly and then I'll get to that.


    A method of dumping the game can make things go faster.

    There isn't a method discovered yet to dump data to the memory card for every game, so I use the pause method that works for all games.



    This is all I have tried so far that works perfectly:
    1. First bytes scan, equal to scan type. I didn't try the other ones, but they should work perfectly.
    2. Extra bytes scan, "keep if value didn't change, keep if value decreased, keep if value increased". I didn't try the other ones, but they should be perfect.
    3. Reset Currently Selected Result
    4. Cycle Through Results
    5. Apply Old Value
    6. Get Address


    I am setting this up so you can change the value to compare to for the first scan (including the extra value for the range scan), can change the value for the extra scan for the increased/decreased by X amount scan, and the get address value to AND with the address of your result. You can also change the scan types while playing.


    These are the few things that change from game to game:
    1. enable code. I use the JAL in the scesifsendcmd function for every game, it looks identical for every game. Many enable codes are already that address. You can find it easily with PS2Dis and labelmates.
    2. the jump to my function (Add "0c" to the JAL in scesifsendcmd to replace the jump return)
    3. 2 lines for the joker.
    4. 2 lines to switch between the 2 scan types for extra bit scans.

    That's only 6 lines you change from game to game. You can change where you want to start scanning within the game too. The only problem is you can't turn everything on at the same time; even so, you can still turn on a lot and get done what you need to.

    At the moment, I'm wondering if I should make it a little less friendly on buttons to change scans. I can definitely save many lines if I change it so people would need to change 1 line to change to a scan.


    I feel proud, it worked. After nearly a whole day of yelling at my TV, which had no effect on making things work, I finally fixed it and I found the lives address for Twisted Metal Black.


    Now I need to test the bit scans tomorrow, and if they work, rewrite the thing to make it completely compact, test again, and give it to everyone else with instructions.
    Last edited by bungholio; 07-08-2009 at 02:20:36 AM.
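Step 11 of the run-through above recovers the result address one bit at a time: the "Get Address" function ANDs the selected result's address with a mask formed by the immediates of a LUI/ORI pair, and the game pauses only when the AND is non-zero. Below is an added Python model of that probing loop (not the thread's ASM; the running game is stood in for by a function, and the secret address in the demo is a constructed value). The 25-bit default is an assumption drawn from the EE's 32 MiB of main RAM, not something the post states; the raw-code formatter assumes the CodeBreaker type-0 line is an 8-bit constant write, which matches the `00426030 00000004` line used in the post.

```python
# Added example, not the thread's code: the "Get Address" step as a
# bit-by-bit oracle. Assumptions: 32 MiB EE main RAM (25-bit addresses),
# and CodeBreaker type-0 raw lines are 8-bit writes.

def mask_from_lui_ori(hi16, lo16):
    """'lui rX, hi16 ; ori rX, rX, lo16' leaves (hi16 << 16) | lo16 in rX."""
    return ((hi16 & 0xFFFF) << 16) | (lo16 & 0xFFFF)

def pause_oracle(result_addr):
    """Stands in for the running game: True means 'the game paused',
    which the scanner does only when (result_addr & mask) != 0."""
    def probe(mask):
        return (result_addr & mask) != 0
    return probe

def recover_address(probe, bits=25):
    """Turn on one mask bit at a time and ask the oracle. Main RAM is 32 MiB,
    so a result address fits in 25 bits and bits 25..31 need no probe
    (pass bits=32 to probe every bit anyway). Returns the address and the
    list of (lui value, ori value, paused) probes that were needed."""
    addr, log = 0, []
    for bit in range(bits):
        hi, lo = (1 << bit) >> 16, (1 << bit) & 0xFFFF   # what gets typed into the LUI and ORI lines
        paused = probe(mask_from_lui_ori(hi, lo))
        log.append((hi, lo, paused))
        if paused:
            addr |= 1 << bit
    return addr, log

def codebreaker_byte_write(addr, value):
    """Type-0 raw line, an 8-bit constant write, e.g. '00426030 00000004'."""
    return f"0{addr & 0x0FFFFFFF:07X} {value & 0xFF:08X}"

def demo(secret=0x00426030):
    """Constructed secret (the lives address found in the post) recovered
    through the oracle, then turned into the code the post entered."""
    addr, log = recover_address(pause_oracle(secret))
    return addr, len(log), codebreaker_byte_write(addr, 4)
```

Each probe costs one pause, so the number of probes matters when every one is a 30-second stall on a real console; restricting the loop to the bits an address can actually have is the cheap saving. Bits above the RAM size also give no information, since they read as "no pause" for every result.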

  10. #10
    Join Date
    Sep 2008
    Posts
    231

    Default

    Quote Originally Posted by bungholio View Post
    You don't need to do a dump to get the address. [post #9 quoted in full]
    I see, but here is what will be the biggest problem for you: Results. If you do not limit how many results per scan are allowed, you will eventually start over-writing game data and/or surpassing the actual RAM size from logging results (if that many occur). Since you are storing the whole address, which is 4 bytes, how many results you get * 4 is how many bytes consumed by the results. So if you have 1,000 results, you just consumed 4,000 bytes of RAM. This may not always be the issue if you do 16/32 bit searches, but 8 bit searches will typically be where this main problem will occur (individual bit searching will result in extreme results when doing a large search).

    Quote Originally Posted by bungholio View Post
    These are the few things that change from game to game:
    1. enable code. I use the JAL in the scesifsendcmd function for every game, it looks identical for every game. Many enable codes are already that address. You can find it easy with PS2Dis and labelmates.
    2. the jump to my function (Add "0c" to the JAL in scesifsendcmd to replace the jump return)
    3. 2 lines for the joker.
    4. 2 lines to switch between the 2 scan types for extra bit scans.
    I will provide you with a lovely example that will make game swapping EXTREMELY easy for you, so you do not modify the function at all. Do not bother making it so you have to modify the function, that is a pain in the butt. Instead, make the function universal, that way you can simply change the arguments used by it and it still produces the same output. In other words, have it read a certain block of RAM as configuration (such as the "Joker Address").

    Here is the example ASM:
    Code:
    /*
     Function Init.
     I preserved register 'a0' to prevent any mishaps with the parent function
    */

    address $00095010

    addiu sp, sp, $FFE0   // open a 32-byte frame (sp stays 16-byte aligned, which sq/lq need)
    sq ra, $0000(sp)      // save the return address (128-bit store, 16-byte slot)
    sq a0, $0010(sp)      // save a0 so the hooked caller gets it back unchanged

    lui a0, $0009

    jal $00095100         // Jump and Link to the function main()
    lw a0, $5000(a0)      // delay slot: load the "Joker Address" from $00095000 into the argument 'a0'

    lq a0, $0010(sp)      // restore a0
    lq ra, $0000(sp)      // restore the return address
    jr ra
    addiu sp, sp, $0020   // delay slot: close the frame

    address $00095100

    // main function here

    nop
    nop
    nop
    Here is the output of the example in hexadecimal RAW format:
    Code:
    20095010 27BDFFE0
    20095014 7FBF0000
    20095018 7FA40010
    2009501C 3C040009
    20095020 0C025440
    20095024 8C845000
    20095028 7BA40010
    2009502C 7BBF0000
    20095030 03E00008
    20095034 27BD0020
    20095100 00000000
    20095104 00000000
    20095108 00000000
    (Compiled using the "Code Designer" application I have personally designed and written)

    When you set it up to read a block of RAM designated as arguments (or configuration), then you only need to add the configuration as a 3rd party code; with my example it would be "20095000 00123450".
    Last edited by Gtlcpimp; 07-08-2009 at 03:03:57 AM.
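The raw output posted above can be checked by hand, but a small encoder makes the check repeatable. The following Python is an added example, not Gtlcpimp's Code Designer and not part of the thread: it assembles exactly the seven EE MIPS mnemonics used in the example (addiu, lui, jal, lw, sq, lq, jr, plus nop and the `address` directive) into `2AAAAAAA VVVVVVVV` 32-bit-write lines, compares them with the listing, then applies the lines together with the `20095000 00123450` configuration line to a constructed RAM image and reads back what the `lui a0, $0009 ; lw a0, $5000(a0)` pair would load. Assumptions: raw type 2 is a 32-bit write and type 0 an 8-bit write, and memory is little-endian (as on the EE).

```python
# Added example, not the thread's tool: encode the example ASM into raw
# CodeBreaker lines and verify the configuration-block idea against a
# constructed RAM image. Assumes type 2 = 32-bit write, type 0 = 8-bit write.
import re

REGS = {n: i for i, n in enumerate(
    "zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
    "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra".split())}

def imm(tok):
    """'$FFE0' -> 0xFFE0; plain decimal/0x... also accepted."""
    tok = tok.strip()
    return int(tok[1:], 16) if tok.startswith("$") else int(tok, 0)

def encode(mnemonic, args):
    """Encode one instruction into its 32-bit word."""
    if mnemonic == "nop":
        return 0
    if mnemonic == "jr":
        return (REGS[args[0]] << 21) | 0x08
    if mnemonic == "jal":                       # 26-bit word index of the target
        return (0x03 << 26) | ((imm(args[0]) >> 2) & 0x03FFFFFF)
    if mnemonic == "lui":
        return (0x0F << 26) | (REGS[args[0]] << 16) | (imm(args[1]) & 0xFFFF)
    if mnemonic == "addiu":
        rt, rs, i = args
        return (0x09 << 26) | (REGS[rs] << 21) | (REGS[rt] << 16) | (imm(i) & 0xFFFF)
    if mnemonic in ("lw", "sq", "lq"):          # rt, offset(base)
        op = {"lw": 0x23, "sq": 0x1F, "lq": 0x1E}[mnemonic]
        m = re.fullmatch(r"(\$?[0-9A-Fa-f]+)\((\w+)\)", args[1].replace(" ", ""))
        return (op << 26) | (REGS[m.group(2)] << 21) | (REGS[args[0]] << 16) | (imm(m.group(1)) & 0xFFFF)
    raise ValueError(f"unsupported mnemonic {mnemonic}")

def assemble(src):
    """Turn 'address $XXXXXXXX' blocks of instructions into raw 2XXXXXXX lines."""
    pc, out = None, []
    for raw in src.splitlines():
        line = raw.split("//")[0].strip()       # drop // comments
        if not line:
            continue
        mnemonic, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        if mnemonic == "address":
            pc = imm(args[0])
            continue
        if pc is None:
            raise ValueError("an 'address' directive must come first")
        out.append(f"2{pc & 0x0FFFFFFF:07X} {encode(mnemonic, args):08X}")
        pc += 4
    return out

EXAMPLE_ASM = """
address $00095010
addiu sp, sp, $FFE0
sq ra, $0000(sp)
sq a0, $0010(sp)
lui a0, $0009
jal $00095100 // Jump and Link to the function main()
lw a0, $5000(a0) // Load the "Joker Address" into the argument 'a0'
lq a0, $0010(sp)
lq ra, $0000(sp)
jr ra
addiu sp, sp, $0020
address $00095100
nop
nop
nop
"""

EXPECTED = ["20095010 27BDFFE0", "20095014 7FBF0000", "20095018 7FA40010",
            "2009501C 3C040009", "20095020 0C025440", "20095024 8C845000",
            "20095028 7BA40010", "2009502C 7BBF0000", "20095030 03E00008",
            "20095034 27BD0020", "20095100 00000000", "20095104 00000000",
            "20095108 00000000"]

def apply_codes(mem, lines):
    """Apply raw constant-write lines to a bytearray indexed from address 0."""
    for line in lines:
        a, v = (int(x, 16) for x in line.split())
        typ, addr = a >> 28, a & 0x0FFFFFFF
        if typ == 0:
            mem[addr] = v & 0xFF
        elif typ == 2:
            mem[addr:addr + 4] = (v & 0xFFFFFFFF).to_bytes(4, "little")
        else:
            raise ValueError(f"unsupported code type {typ:X}")

def joker_read(mem):
    """What 'lui a0, $0009 ; lw a0, $5000(a0)' loads: the word at $00095000."""
    a0 = 0x0009 << 16
    return int.from_bytes(mem[a0 + 0x5000:a0 + 0x5004], "little")

def demo():
    codes = assemble(EXAMPLE_ASM)
    mem = bytearray(0x00100000)                        # constructed stand-in for the low 1 MiB
    apply_codes(mem, codes + ["20095000 00123450"])    # the configuration line from the post
    return codes, joker_read(mem)
```

The point of the configuration word is visible in `demo`: swapping games changes only the `20095000 ...` line, while every line of the function itself is byte-for-byte the listing above. Anything the hook needs per game (the joker address, a scan start address) can be read the same way from the block at $00095000 instead of being patched into the code.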
