Questions about using Debug Disassembly
10-29-2014, 10:28 AM (This post was last modified: 10-29-2014 10:43 AM by Kolrath.)
Post: #1
Questions about using Debug Disassembly
I've had experience using Cheat Engine in the past and the Nintendo DS emulator DeSmuME's built-in editor. The DeSmuME one was shockingly easy to use for minor changes with a known value.

I'm just starting to look into using PPSSPP's Disassembly and I was wondering if there is a way to easily search for a given value?

For example, I know the number is 50, but I'm unsure where it might be stored. Is there a way to do a general search through the memory addresses for any storing this particular value?

If so, is there then a way to change the value in the game and then refine my search of those addresses to that new number?

Thanks in advance for any replies.
10-29-2014, 11:42 AM
Post: #2
RE: Questions about using Debug Disassembly
Not really, you can use search (ctrl+f / ctrl+s ~ makes life easy ;p), but it's mostly useful for searching opcodes and functions. If you type in some value like "50" it would stop on every address or opcode which includes "50", which is not something you want to do when having MBs of memory to search through.
PPSSPP disassembly is a very powerful tool, I don't remember any emulator I used where I spent so much time with its built-in tools as this :P, but at the same time it's not something to use without having some kind of experience with assembly.

To just search for some values you'll have better luck with external programs like Cheat Engine which have many advanced scan features and can compare results.
Just a few notes about CE + PPSSPP:
- you have to select "mem_mapped" in edit>settings>scan settings, otherwise you'll not even find PSP memory inside PPSSPP (except memory mirrors, which changing will do nothing ;p),
- you cannot freeze values with any decent refresh rate since it might crash,
- you will also have to either calculate the emulated PSP address or make use of a pointer/AOB scan to get the actual address since it's not static; it's generally better to do it before searching for values, to limit the scan only to PSP memory,
- last thing which should be obvious - CE supports only x86 assembly, so you're losing most of its advanced features when using it for emulators, basically use it only as a search engine.

http://forums.ppsspp.org/showthread.php?tid=6594 - Custom PPSSPP Shaders!
http://forums.ppsspp.org/showthread.php?tid=3590&pid=117172#pid117172 - simple CE scripts to help creating CWCheats,
https://github.com/LunaMoo/PPSSPP_workarounds - CWCheat workarounds.
10-29-2014, 04:55 PM
Post: #3
RE: Questions about using Debug Disassembly
Thanks for the reply. I really appreciate the info!

It's been quite a while since I've done anything with assembly, although the PPSSPP Disassembly certainly seems like a powerful tool. In this case though it does seem like I'll have to also use Cheat Engine.

Thanks for the information about using Cheat Engine with PPSSPP. Certainly saves me some research time.

You wouldn't happen to know the memory range to set CE to when working with PPSSPP would you?

I remember when I last used CE it was in conjunction with the PlayStation 2 emulator PCSX2 to remove a blur effect from the game Disgaea 2, and I had to set CE to search within a memory address range of 20000000 to 24FFFFFF.

When you mention about not being able to freeze values with any decent refresh rate due to crashing... how decent of a refresh rate are we talking? If a game is running at a stable 30 fps would freezing a value be reliable enough to use it for short term experimentation and tracking down of the right memory address?

If so, then I should be able to do enough experimenting to allow me to track down the right value to tweak and enable me to make a CWCheat for some more rigorous testing.
10-29-2014, 08:28 PM (This post was last modified: 10-29-2014 08:35 PM by LunaMoo.)
Post: #4
RE: Questions about using Debug Disassembly
Maybe a refresh rate of a few seconds could avoid problems, but with such speed you could as well type it manually. :X If the game resets something, it's more than likely not what you wanted to change, although it might be useful to check what code sets it using disassembly, since it can also lead to the proper value.


There is no static range, as I mentioned you have to make yourself a pointer (PPSSPP version dependent but will work for all games) or use an AOB scan (game dependent but will work on all PPSSPP versions) to find where the PSP game is loaded in memory. Then you can set your scan range based on that and also use it to calculate the real PSP or CW cheat address (0 in CW cheat is basically 8800000 in PSP). Dynamic memory allocation has been standard for PC apps/games for quite a long time and both pointers and AOB scan are CE basic functionality which you can find lots of tutorials for in case that's something you never used.

I generally prefer an AOB scan script since I update more often than I change games ;p. I just search for a pattern from 0x8804000 in PPSSPP disassembly ~ which is where the game is loaded to PSP memory. Then set that as start for the scan (I also subtract 0x4000 from it to keep it easy for CW cheats), and +24mb for end.
As for the pointer method, when you load any game the first time after running PPSSPP, in the log console one of the first entries you will find is an address at which PSP memory got loaded (the first one, don't bother with mirrors) and you can make a pointer for that. Just add 8mb to that address and you'll have the PSP game memory start, then again +24mb to that to get the memory end. (That's because PSP memory is 8mb for kernel after which 24mb for game; even when PSP 2000+ had more, commercial games don't really use it.)

You can as well just use that information from the PPSSPP console, but if you don't write any AOB scan script nor make yourself a pointer you will have to do it every single time you run PPSSPP and you will have no way to save anything useful to a cheat table either.

Edit: Here's an example how it shows in console log:
Code:
30:21:998 EmuThread.cpp:169 I[BOOT]: Done.
30:35:848 System.cpp:324 I[BOOT]: PPSSPP v0.9.9.1-700-gbc5bec2 Windows 64 bit
30:35:850 MemMap.cpp:339 I[MM]: Memory system initialized. RAM at 000000000BCF0000 (mirror at 0 @ 0000000088770000, uncached @ 00000000C8770000)
So in this example, 0xBCF0000 + 0x800000 (8mb) = 0xC4F0000, which would be where the game was loaded to and what I could set as scan start in CE; for scan end it would be 0xC4F0000 + 0x1800000 (24mb) = 0xDCF0000.

10-29-2014, 10:45 PM
Post: #5
RE: Questions about using Debug Disassembly
Have not read all the posts, but PPSSPP *also* has a memory viewer (separate window or the bottom pane of disasm when you view RAM) which is where you'd search for "50". I guess to search for a common integer value 50 in RAM anywhere, you'd search for "32 00 00 00" (that's 50 in hex, little endian, as a 32-bit integer).

From there you can set a breakpoint and find what code even modifies that variable.

-[Unknown]
10-30-2014, 10:41 PM
Post: #6
RE: Questions about using Debug Disassembly
Thank you both for the information!

Lunamoo, I really appreciate all the detailed information. I've never had to use pointers or aob scan in the times I've used CE so that went a long way in helping me.

Thanks for the recommendation of using AOB scan and the way that you use it yourself. I also tend to change versions more often than I change games, so that's all quite good to know.

That example will come in handy too. I hadn't really paid much attention to the console log previously. I generally only turned it on when I was experiencing something I believed was an error, and then only kept it on long enough to see what messages it was kicking out during it.


[Unknown], thanks once again for always taking the time to answer my questions or provide useful information. I've only checked out the PPSSPP memory viewer briefly so far. It seems that CE will be easier for me to actually track down the things I'm looking for, but it does sound like the memory viewer would be a great tool for taking a better look at what's going on inside.


I really appreciate the two replies. All good information to know. I wouldn't doubt that I'll have more questions down the road at some point.
11-03-2014, 06:15 AM (This post was last modified: 11-03-2014 06:16 AM by Kolrath.)
Post: #7
RE: Questions about using Debug Disassembly
I've had some success using the console log method you mentioned. I used it as a way to mess around with the game Grand Knights History and see how the game keeps track of days and how it determines how many days your soldiers have left to train.

It was a good learning experience, although I had some issues where I could change the "day counter" to whatever value I wanted, but if I attempted to freeze the "day counter" at a given value it would seem to change memory addresses. Anti-cheat or something maybe?

Despite that I was still able to create a CWCheat that would work to change the "day counter" in the game, though only one time ever, as the address would change after that.

So thanks again for mentioning the console log method.

I didn't look into the pointer method since I tend to change PPSSPP versions often.

I'm also still quite in the dark on the AOB scan script method. I've never had to work with dynamic memory or AOB scan scripts before, and even after reading various guides and things I'm still a bit lost in regards to them.

It was said above...
(10-29-2014 08:28 PM) LunaMoo Wrote: I generally prefer an AOB scan script since I update more often than I change games ;p. I just search for a pattern from 0x8804000 in PPSSPP disassembly ~ which is where the game is loaded to PSP memory. Then set that as start for the scan (I also subtract 0x4000 from it to keep it easy for CW cheats), and +24mb for end.

I'm not fully grasping this.

What do you mean by you "search for a pattern from 0x8804000" in PPSSPP disassembly?

I'm also not understanding what you're saying about subtracting 0x4000 from "it" (which I assume is the pattern you found?) to keep it easy for CW Cheats.

I'm guessing the +24mb for End thing is pretty much what I was doing in the console method, where I'd add 0x1800000 (24mb) to my Start point to find my End point.

Would it be much trouble to ask for an example of this AOB scan script method, to see how you go about searching for a pattern and the like?


I've also tried checking out the PPSSPP tools a bit more, like the Disassembly and Memory Viewer, but I seem to be impressively incompetent with them.
11-03-2014, 01:53 PM (This post was last modified: 11-03-2014 01:53 PM by LunaMoo.)
Post: #8
RE: Questions about using Debug Disassembly
Let's look at this example:
As you can see, before 0x8804000 there are only 0s, you'll not make any pattern for an AOB scan from there, so that's why I'm using a pattern from 0x8804000. I then set a label where the result of the AOB scan points in my script; when I add any entry to the cheat table, I want it then to look like "label+CW cheat address", so I don't have to convert anything, but just use the second part of the address as the CW cheat if I ever would need it, and add 0x8800000 to it to get the PSP address for the debugger.


Attachment: Example AOB Scan Script.7z (Size: 728 bytes)
In that example cheat table, you'll see a simple AOB scan script which sets the label, and entries which use this label as a pointer; the example cheat address there is "memoryS+5B155C", which in CW cheat would be just 0x5B155C. Also to remember when creating a CW cheat, you also have to keep its own format: in all CW cheats (except next lines of multi-line cheats), the first number before the address is used to point to the cheat type, in case of a 32-bit write it would be 0x2, so in CW cheat the line with that cheat would look like "_L 0x205B155C 0x*value*".
Its real PSP address, which is used in the debugger (and also some other cheat formats used in some plugins for the real PSP), would be 0x5B155C + 0x8800000 = 0x8DB155C.
I could directly edit it in disassembly, using its memory viewer at the bottom (which is also useful for modifying opcodes slightly when we don't want to replace them completely).

Or add a new memory breakpoint for it to check what functions read, write or both into that address (for writing, you can also check "On change"), which is really useful for most common cheats like god mode, but pretty much any other ones as well which aren't just "edit once and forget", since you can basically change how the game works.
To set it you either right click in an empty space under the "Breakpoints" tab and add new, which gets the window from above, or, which I often do, double click on it in the disassembly above, then right click on it in breakpoints and choose "edit" to change it to memory,
since double clicking sets an execute breakpoint and at this point we don't actually look at game code yet.

From things worth mentioning about breakpoints, you can set a much bigger size for a memory breakpoint, which is useful for some things, like maybe finding code that reads or writes some graphic address you got from the GE debugger or a bigger table of items in game memory, and when using execute breakpoints, you can also set a condition, very useful when the same function is used for lots of other things and stops all the time when you want it to only stop when for example a0==0 etc.

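The address arithmetic spread over LunaMoo's posts #4 and #8 (host RAM base from the MemMap console line, +8mb to reach game memory, 24mb scan range, CWCheat offset 0 = PSP 0x8800000, type digit 2 for a 32-bit write) and [Unknown]'s little-endian search pattern, collected into one small Python script. This is an added example, not code from the thread or from the attached cheat table; the function names and the assumption that Cheat Engine and PSP addresses map linearly within the 24mb game region are mine.

```python
import re

# Constants stated in the thread.
KERNEL_SIZE = 0x800000        # 8mb of kernel memory before game memory
GAME_SIZE = 0x1800000         # 24mb of game memory, the CE scan range
PSP_GAME_BASE = 0x8800000     # PSP address that CWCheat treats as offset 0
CW_TYPE_WRITE32 = 0x2         # CWCheat type digit for a 32-bit write

# Constructed sample input: the MemMap line quoted in post #4.
SAMPLE_LOG = ("30:35:850 MemMap.cpp:339 I[MM]: Memory system initialized. "
              "RAM at 000000000BCF0000 (mirror at 0 @ 0000000088770000, "
              "uncached @ 00000000C8770000)")

LOG_RE = re.compile(r"RAM at ([0-9A-Fa-f]+)")

def scan_range_from_log(log_line):
    """Cheat Engine scan (start, end) derived from the 'RAM at' field."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("no 'RAM at <hex>' field in log line")
    start = int(m.group(1), 16) + KERNEL_SIZE   # skip the 8mb kernel area
    return start, start + GAME_SIZE

def host_to_psp(host_addr, scan_start):
    """Host (CE) address -> PSP address as shown in the PPSSPP debugger."""
    return host_addr - scan_start + PSP_GAME_BASE

def psp_to_cwcheat(psp_addr):
    """PSP address -> CWCheat offset; rejects addresses outside game memory."""
    if not PSP_GAME_BASE <= psp_addr < PSP_GAME_BASE + GAME_SIZE:
        raise ValueError("address outside the 24mb game region")
    return psp_addr - PSP_GAME_BASE

def cwcheat_write32(psp_addr, value):
    """Build the '_L 0x2AAAAAAA 0xVVVVVVVV' line for a 32-bit write."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    code = (CW_TYPE_WRITE32 << 28) | psp_to_cwcheat(psp_addr)
    return f"_L 0x{code:08X} 0x{value:08X}"

def int_search_pattern(value):
    """Byte pattern to type into the memory viewer for a 32-bit integer."""
    return " ".join(f"{b:02X}" for b in value.to_bytes(4, "little"))

if __name__ == "__main__":
    start, end = scan_range_from_log(SAMPLE_LOG)
    print(f"CE scan range: {start:#X} - {end:#X}")            # 0xC4F0000 - 0xDCF0000
    print(cwcheat_write32(0x8DB155C, 50))                    # _L 0x205B155C 0x00000032
    print(int_search_pattern(50))                            # 32 00 00 00
```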