How to modify Health, Boost and EX in EXVSFB

Before you begin

This tutorial needs your Cheat Engine to be fully set up. If you haven’t done so, please follow the tutorial in the link below.

Basic Cheat Engine Setup

This tutorial uses version 1.10 of the game, and will not work on other versions.

Aside from that, please make sure that you are using the latest version of RPCS3, or a version close to the one I used (0.0.6-7972). Older versions of the emulator will also cause offsets in the game’s memory addresses.


How it works (You can skip this)

I believe that anyone who has used Cheat Engine in the past will have a basic understanding of how to search for a value in games. Well, it is not much different in this game. If you have a value that is easily observable (e.g. health, ammo), you can find and change it in Cheat Engine with ease. However, apart from health and ammo, other values in the game such as EX or Boost are represented by a gauge, so their real value is hard to determine. The only way to discover these values is through changed / unchanged scans in Cheat Engine to single out the correct address. With that said, I will summarize my findings on how the hidden values behave in the game below.


Boost Gauge Value – Full Boost gauge value is 10000. It will be empty when it reaches 0. Value Type – 4 byte big endian.

EX Gauge Value – Full EX Gauge value is 100. It will be empty when it reaches 0. Value Type – Float big endian


However, there is one problem with the addresses that I found. These addresses are not permanent; instead they rely on the scenario of the battle. Any change to the stage (map) or the controlled unit in the game will cause the address to shift. To combat this, I initially tried finding pointers in the game, but this proved futile as there is no way for Cheat Engine to read pointer values in big endian. Hence, I resorted to Array of byte (AoB) scans, which in simpler terms search for a byte arrangement in the game, which we can use in this situation. Before I delve deep into the AoB shenanigans, I would like to explain how the game controls and manages these addresses.

So in Full Boost, every unit is given a range of addresses that stores its information in battle. In every battle, the system allocates each unit a set of addresses depending on the number of units currently on the stage. Fortunately, the system always allocates the player’s addresses first, before moving on to the others. With that, we can easily determine which addresses are ours and which are for the CPUs.

Now let's talk about the shift in address mentioned previously. In the game, when the system allocates addresses to a unit, they usually look like this:

341DF0000 – 1st unit

341E40000 – 2nd unit

What I found is that the 4th and 5th digits of the address shift for each unit in the battle, and the last 4 digits are shifted to represent a specific property of the unit, thus giving a “range” to these addresses.

For example, I will use Destiny Gundam (Player) vs Turn A (CPU) on the testing map. If you search for Destiny’s health, the address you find will be 341DF0164, while Turn A’s will be 341E40164. As for the boost value addresses, they are found to be 341DF0998 and 341E409D8 for Destiny and Turn A respectively. We can generalize the address format as such:

aaaXXYYYY, XX = Shift (Offset) for unit & stage; YYYY = Shift (Offset) for different properties

YYYY = 0000, starting point for the address range

YYYY = 0164, Health – 4 byte big endian

YYYY = 0998, Boost – 4 byte big endian

YYYY = 09D8, EX – Float big endian

With that done, we can move on to stage offsets. In this case, the XX in the address will also shift depending on the stage. If I change the current map to Side 7, the health address for Destiny Gundam will be 341E30164, and 341E80164 for Turn A. Hence, it can be concluded that the XX in the address depends on two factors, and will be unique for each stage unless you use the same unit and map, which is not possible given the nature of arcade and FB mission mode.

So to solve this problem, we will employ AoB scans. Before we use the scan, however, we need to find a byte arrangement that exists in every unit's address range. Fortunately, not far from the start of the address range, at YYYY = 0014, I found an array of bytes that is present at all the unit offset addresses.

The 24 bytes at YYYY = 0014 (341DF0014) for Destiny Gundam:

40 06 2C 00 00 00 00 01 00 00 00 01 3F 80 00 00 00 00 00 00 4F FF 2F 60

For Turn A (341E40014):

40 06 2C 00 00 00 00 01 00 00 00 01 3F 80 00 00 00 00 00 00 4F FF 2F C0

Now you might ask, isn’t there a difference in the last byte? This is where the wildcard byte comes in. To allow more flexibility, AoB scans have a wildcard function: you can replace bytes in the array with a wildcard, and a wildcard byte can match anything. In this case, we will replace the last byte with *, and as long as the bytes in front (the non-wildcard bytes) are the same, the AoB scan will still be able to locate the byte array.

40 06 2C 00 00 00 00 01 00 00 00 01 3F 80 00 00 00 00 00 00 4F FF 2F ??

However, when you try to scan for the byte array above, you might get 0 results. Why, you ask? It is because one example is not enough to determine which bytes change. If I change the stage or unit combination, I get different results for the byte array. So now I just have to replace those changing bytes with wildcards and we are good to go!

40 06 ?? ?? 00 00 00 01 00 00 00 01 ?? ?? 00 00 00 00 00 ?? 4F FF ?? ??

Just a side note: too many wildcards in an AoB scan might give you false positives, so try to strike a balance between identifiability and exclusivity when choosing your byte array. Likewise, if you choose a very generic byte array you might find more results that you don’t want.

Now with the byte array ready, we can put it into the search bar and start the scan. You can then replace the YYYY value of the address you found with the offset of the property that you would like to modify.

Unfortunately you still need to repeat the scan process for each stage, but it is still better than trying to find the values manually without AoB.
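The scan-then-offset procedure described above, as an added example (not part of the original tutorial and not Cheat Engine's own code): a wildcard byte-pattern scan over a constructed buffer standing in for emulator memory, followed by big-endian decoding at the tutorial's YYYY offsets. The helper names and the two health values are assumptions made for illustration.

```python
import struct

# Offsets inside one unit's record (the tutorial's YYYY values).
SIG, HEALTH, BOOST, EX = 0x0014, 0x0164, 0x0998, 0x09D8
PATTERN = "40 06 ?? ?? 00 00 00 01 00 00 00 01 ?? ?? 00 00 00 00 00 ?? 4F FF ?? ??"

def parse_aob(text):
    """'40 ?? 2C' -> [0x40, None, 0x2C]; None marks a wildcard byte."""
    return [None if t in ("??", "*") else int(t, 16) for t in text.split()]

def aob_scan(mem, pattern):
    """Offsets in mem where every non-wildcard byte of pattern matches."""
    fixed = [(j, b) for j, b in enumerate(pattern) if b is not None]
    last = len(mem) - len(pattern)
    return [i for i in range(last + 1) if all(mem[i + j] == b for j, b in fixed)]

def read_unit(mem, hit):
    """Decode the big-endian fields of the record whose signature is at hit."""
    base = hit - SIG  # the signature sits at YYYY = 0014
    health, = struct.unpack_from(">I", mem, base + HEALTH)  # 4 byte big endian
    boost, = struct.unpack_from(">I", mem, base + BOOST)    # 4 byte big endian
    ex, = struct.unpack_from(">f", mem, base + EX)          # float big endian
    return {"base": base, "health": health, "boost": boost, "ex": ex}

def build_sample():
    """Constructed buffer: two unit records 0x50000 apart, like 341DF/341E4."""
    mem = bytearray(0x60000)
    head = bytes.fromhex(
        "40 06 2C 00 00 00 00 01 00 00 00 01 3F 80 00 00 00 00 00 00 4F FF 2F")
    tails = (0x60, 0xC0)   # last signature byte listed for Destiny / Turn A
    healths = (680, 650)   # constructed health values, not taken from the game
    for n, base in enumerate((0x00000, 0x50000)):
        mem[base + SIG:base + SIG + 24] = head + bytes([tails[n]])
        struct.pack_into(">I", mem, base + HEALTH, healths[n])
        struct.pack_into(">I", mem, base + BOOST, 10000)  # full boost gauge
        struct.pack_into(">f", mem, base + EX, 100.0)     # full EX gauge
    return mem

if __name__ == "__main__":
    mem = build_sample()
    for hit in aob_scan(mem, parse_aob(PATTERN)):
        print(hex(hit), read_unit(mem, hit))
    # An over-wildcarded pattern also matches inside each signature.
    print(len(aob_scan(mem, parse_aob("?? ?? 00 00 00 01"))))
```

The last line shows the false-positive trade-off: the short, generic pattern hits twice inside each record's signature, while the 24-byte pattern hits exactly once per unit.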

Phew, that’s a lot of stuff. Now let's get you to the main tutorial.


Main tutorial

Finding the address that controls your unit

To serve as an example, I will use Destiny vs Turn A in this tutorial. This is applicable to other units, but please bear in mind that the addresses you find will not be the same as mine. Also, I am using the testing map.

Once you are in the battle, get back to Cheat Engine and select Array of byte as your Value Type.

Copy and paste the following bytes into the search bar (the spaces between the bytes are crucial):

40 06 ?? ?? 00 00 00 01 00 00 00 01 ?? ?? 00 00 00 00 00 ?? 4F FF ?? ??

[Optional] After you have pasted it, change your Memory scan option’s start and end address to the following:

Start: 300000000

Stop: 3ffffffff

If you cannot find any address, consider skipping this step.

With that said, press the First Scan button and wait for a few seconds. There should be some results on your left. The number of addresses found correlates with the number of units present on the field (there might be exceptions). In the case of Destiny vs Turn A, there will only be two results. The addresses that you find will be different for different scenarios, and if you are curious about how to differentiate them you can check the explanation chapter above.

Right click on the first address, and select “Add selected address to address list”.

Now, navigate to the address list below and you should find three addresses added. Right click on the first address and select Change record > Address.

Once the window opens, replace the last 4 digits of your address with 0164, and change the value type to 4 byte big endian.

Once you have done that and pressed OK, right click on the address that you have changed and select Show as decimal. You should now see your health.

The steps above are for your health value. To find your boost and EX gauge values, just repeat the same steps but change the last 4 digits of your address and the value type as follows:

Health – 0164, 4 byte big endian

Boost Gauge – 0998, 4 byte big endian

EX Gauge – 09D8, Float big endian

And voila! You can now change your health, boost or EX values!

However, please be reminded that this will only work for the current stage. If you change your stage, you need to do the steps above all over again.

If you feel that doing the same steps for every stage is tedious, you can try the trainer that I have made, which lets you retain the values that you set from the previous battle. I will explain this in detail in the future.
