I will be dumping all the knowledge I learned from modding the game in RPCS3 here.
What is Cheat Engine and what does it do
Cheat Engine is a free Memory scanner / Hex editor / debugger created by Eric Heijnen.
What it does basically is allow us to look in the memory of a program, and to some extend, examine the code behind it. Also, it allows us to search for specific memories that we want to edit.
How does a computer store data (memory)
You already know that computer are made up from a bunch of 0’s and 1’s. But how are these 0 and 1 are stored in the memory? The answer is that the computer combines 8 of these 0 and 1 to become a byte, which is in hexadecimal.
Easiest way for you to understand this is by using the calculator in windows 10 and change it into programmer mode, where you can see a bunch of different options. The top is Hex, representing Hexadecimal values (00 to FF), second one is Dec, representing Decimal values (normal digits), and the last one is Bin, representing Binary values (0 and 1).
For example in a game where your health point is currently 60, it will be shown in the memory as 3C in hexadecimal form. As for the Binary values, it is not important for now, but keep it at the back of your head.
Byte, 2 bytes and 4 bytes
A byte consists of two digits, with the first digit representing the first 4 binary and the second digit representing the last 4. For example, in the last example the 3 in the 3C is represented by 0011 in Binary, and C is represented by 1100 in Binary.
One digit of byte ranges from 0 to 9 and after exceeding 9 it will continue from A to F. Hence, the maximum possible value for one byte is FF, which is 255 in decimal. Now, what if I want to store a number greater than 255? The answer is that you can do this by attaching another byte to the side of the first byte, making it a 2 byte. For example, 256 is shown as 01 00, and there are 16 binary digits, each 8 digits representing one byte. (The 0 in 01 is not shown in calculators)
Following the same logic, the maximum value you can store for 2 bytes are FF FF, or 65,535, and the maximum for 4 bytes are FF FF FF FF, or 4,294,967,295 (7F FF FF FF in some cases).
If you count the number of digits in Binary of 4 bytes, you will get 32 digits. Here’s where the 32-bit system on your computer comes from. In a similar vein, 64-bit system uses a 8 byte system.
While RPCS3 is a 64-bit application, it is trying to “emulate” a PS3, which runs a 32-bit system, and thus the bytes in the games are stored in 4 bytes. Hence, most of the data in the game are stored in 4 bytes system.
The above is an example of how memory is presented in the memory viewer in the Cheat Engine. As you can see, the health for my unit is currently at 60, which is 00 00 00 3C in the system.
Floats and decimals
So we have introduced the “normal” values. What if the systems want to use decimal points in their value? The answer to that is float.
In the Windows 10 calculator, it is not possible to convert hex into float, so we will have to use external programs or websites to do it. Here’s one float to hex converter I always use: https://gregstoll.com/~gregstoll/floattohex/
There’s not much to say about float other than the fact that it is always 4 byte long. Here I will list down the most common float numbers I see in the game memory:
1.00 – 3F 80 00 00
1.50 – 3F C0 00 00
2.00 – 40 00 00 00
50.00 – 42 48 00 00
100.00 – 42 C8 00 00
The easiest example of float usage in the game that I could think of is the EX Gauge values. At 50.00, the gauge is half full, and at 100.00 (42 C8 00 00), the gauge is full.
Floats vs values
You might be confused as to why 3F 80 00 00 is not treated as 1,065,353,216, but 1.00. The only answer I can give you is that it is just what the system knows beforehand. It is impossible to know if the 4 byte is a value or a float right away, and the only way to test it is to actually edit the value and see if the system freaks out in some way. However, usually we won’t use the weird value of 1,065,353,216, so it might be a giveaway that the 4 byte is a float value if you see an 3F or 40 at the first byte.
Big Endian and Small Endian
Most of the time, emulators are in Big Endian. I don’t know the specifics of why this is the case, but the concept of Endianess are easy to grasp. Basically think of it as reading from left to right or right to left. Difference in small and big endians are the way the bytes are arranged, and to convert between them, you will just have to swap the positions of the bytes.
So for example we have a value of 10,000 in our game, and it is represented by 00 00 27 10 in 4 byte hex. Since RPCS3 is in Big Endian, to convert it into small endian it would be 10 27 00 00 instead. See how the byte position are swapped? It would mean a different value if you interpret Big Endian values as Small Endian, which in this case turns 10,000 (00 00 27 10) into 270,991,360 (10 27 00 00).
But how does this affects the memory edits? Since Cheat Engine supports Small Endian by default, you need to add a new custom type of value type into Cheat Engine before you can start searching for values inside the game. Please follow this tutorial for the setups. Also, if you want to use LUA functions, it will always returns in small endian, which might be problematic since you will need to convert it back and forth. Moreover, in earlier versions of RPCS3 it will be a pain in the ass to look through the memory viewer in Cheat Engine since all the bytes are arranged in small endian and all of the byte positions are swapped. However, this is not the case for later versions of RPCS3, namely 0.0.6 onward, as it is shown in the correct endianess in the memory viewer, but I have no idea why (the screenshots in this tutorial are all done in 0.0.6-8231).
Memory address
With value types and endianess out of the way, I will now explain how memory are indexed.
Memory address, as its name suggests, is the address value assigned for each byte in your memory. Think of a byte as a house, each with an address attached to it. The addresses are hexadecimal in nature.
Back to the health example from above, take a look at the left side of the memory viewer, 341DF0164. That is the address of the first byte, which is 00. Here’s the memory address for each byte:
341DF0164 – 00
341DF0165 – 00
341DF0166 – 00
341DF0167 – 3C
And by that, the next byte 341DF0168 will be the new starting byte for the second 4 byte.
Simple enough, right? Here’s the difficult part: Searching for the right address. You might have noticed the health value only occupies the memory region of 341DF0164 to 341DF0167, a mere 4 byte in a 9 digit large hex address. This means that the greatest challenge is to search for the relevant addresses that we want, and it is not easy.
Fortunately we have Cheat Engine’s search function, which is the essential step before for any memory editing to be done.
Difference between real PS3 and RPCS3
Before I go into the detail of searches, I would like to explain some differences in memory addresses between PS3 and RPCS3. In PS3, the system allocates a region of memory for the game to store information, and the memory address are usually 4 bytes (8 digits) hexadecimal values. In RPCS3 however, since the system is trying to emulate a PS3, it shifts the whole memory region under a larger memory address, consisting of 9 digits. I will refer this as the “emulator offset” from now on.
It might sound confusing, so let me give you an example. Here, let’s get Whitelord’s selecting Boss CPU cheat code developed originally for the PS3:
ARCADE/MS MODE BOSS SELECTOR
00002000 40AF402C 000138D1
00002000 = Write the specified byte at the specified memory address
40AF402C = The memory address to be written into
000138D1 = The byte to write
This line of code is trying to write the value of 000138D1 to the memory address of 40AF402C, in order to swap out EX-S with Destroy Gundam.
In RPCS3 however, if we try to modify the value at the 40AF402C address, it will not work. In RPCS3, the system actually shifts the 40AF402C address by 300000000, which when combined will become 340AF402C. 340AF402C is the address of EX-S, which is what we wanted to modify. You may notice that the 40AF402C part of the address remains unchanged, because RPCS3 is essentially “dumping” the PS3 allocated memory address to another bigger playground so that it can emulate the console better. This is why RPCS3 memory addresses are 9 digits long while PS3 are 8 digits long. This is super important to pointers, which I will get into in the advanced modding tutorial.
Also, this is the reason why you would see my range of searches to be fixed from 300000000 to 3FFFFFFFF throughout the tutorials, since the relevant data we need are all in this memory region.
Searching for memory addresses
Before you start to search anything in RPCS3, make sure you already followed the basic setup outlined in the tutorial here. Also, you will need to hook the Cheat Engine with the RPCS3 process every time you start the game or Cheat Engine.
Searching for memory addresses, is essentially a filter process. By providing the condition you want, you can let Cheat Engine do the search on the memory to search for the relevant memory addresses you want, and filter out the memory address that holds the incorrect value as per your condition, rinse and repeat until you get the address that you want.
I don’t think I need to teach how to search for values that you can already see such as health bar or ammo. There are plenty of online basic tutorial out there and there’s a built in tutorial in Cheat Engine to get you started. What I want to focus on here is on the Unknown values and Array of Byte searches.
Unknown values
I will use boost gauge as an example in this section. Since we only have a visual representation of a gauge instead of values, and we don’t know the initial value of the gauge, we can only search for the values we want using unknown initial value searching.
Set up the Cheat Engine like this, the most important part is to Change the Scan Type to Unknown Initial value and 4 Byte Big Endian. How do we know the boost is a value not a float? The answer is we don’t know, we will just have to guess, and I will go with 4 Byte Big Endian this time. Pause the game while scanning is optional, but it allows us to freeze the game while the Cheat Engine is doing the scanning process. Also, You don’t have to use 300000000 and 3FFFFFFFF for Start and Stop, I just used it because I know the memory address I want falls in that region (look at the above section), and this speeds up my search a lot.
With that done, please make sure that your boost gauge is full and press on the First Scan button.
Once it is done, you should see that it Found a ton of addresses. This is Cheat Engine indexing all of the values in the memory region and storing it for future comparison.
Now let’s try to filter it down to just 2 or 3 addresses by using Next Scan.
There are quite a few options to be chosen from the scan type after you have done your first scan, and there are here to help you filter out the memory addresses. All of these are pretty self-explanatory, so I will just go with the most generic one, Changed Value.
As it’s name implies, the options searches for memory addresses that has their values changed when compared to the first scan. Now try to use some of your boost, and before it replenishes click on the Next Scan button (you want to check if any values are changed when compared with the full boost gauge from the initial scan).
Once you have done that, you will see a list of memory addresses popping up in the results section. It is still too early to see each address one by one, so let’s just filter more out. Usually I would suggest you to Change the Scan Type to Unchanged Value and do the next scan, but since you won’t be maintaining the altitude and will be falling to the ground (which will replenish your boost), I would suggest you remain the Changed Value and click on the next scan after your boost have been replenished (compare between full boost gauge with the previous used boost gauge value).
When you are done with it, there should still be a ton of addresses left. Now change your Scan Type to Unchanged Value, and without using any boost gauge value, press the Next Scan button.
Since you have not used your boost since your last Changed Value filter, any memory address with changed value will be filtered out using the Unchanged Value option. You should see that the number of addresses found diminishes quickly. Here’s a tip to Unchanged Value scan, you can spam the Unchanged Value next scan provided you don’t change the value in any way. This will filter out most of the false addresses that changes even if you did not change your value (Boost Gauge value in this case).
Another tip is do some actions that does not change your boost gauge value while spamming the Unchanged Value Scan, such as walking or shooting. This will greatly decrease your number of Found addresses, since doing actions like this changes a lot of values.
Now that I have lowered the addresses Found to just 32,324 by using Unchanged Value. The number could not be lowered anymore, so it is time to revert back to Changed Value. Now you can see the overall pattern of this: Changed and Unchanged scans. By doing enough iterations of these, you should be able to reduce the number by 2 digits. In my case I lowered it to just only 20 memory address.
Now all these 20 memory address are related to the boost gauge value. How do we determine which one is the true address for it? Answer: Hunch and trial and error. Usually I would look for some reasonable values like 100 or 50 or 1, which I would then observe each one and see if the value changes depending on what I do. For this case, my prime suspect is the 10000, since it decreases when I use the boost gauge, and became 0 when I depleted it. Also it being a round 10,000 makes sense in gaming. However, there are two addresses with the value of 10,000. Which one should I choose? Answer: Why not both?
Now, I added both of these values into the Cheat Table below. The easiest way to check if the memory address is correct is to freeze (Active) the value on the memory address by checking the box on the left.
First I tried on Suspect 1, by freezing the value and try to fly up. Unfortunately, the value still decreases, which means that this is not the one.
Then I moved on to Suspect 2, and it worked! Infinite Boost!
Now before we go parade I just wanted to point out there’s actually a third suspect in the memory list, which is the first address.
You might recall that floats are basically 4 bytes too right? Since Cheat Engine has no way to differentiate between a 4 byte value and float value, usually 4 byte scans will include some float values in it and vice versa. The easiest way to recognize this is to change the entire list to Float, and you would see that the first value is actually a Float 1.00 value. Fortunately it is not the memory addresses we wanted, or else we might had completely missed it.
With this, I would like to end the tutorial here.
Gundam Extreme VS Full Boost - Cheat Engine & RPCS3 