Cheat Engine

[pedrohh]

Hi everyone! First post here, so apologies if I'm doing something wrong.

I'm new to Cheat Engine.

I'm running Super Smash Bros Ultimate on the Ryujinx emulator and have already found the dynamic address for the player's HP / stocks (it works during the current emulator session). I want to read that value from a Python script, so I need the static base pointer that, combined with offsets, resolves to the dynamic HP address.

Problem: I can't find the base pointer. I tried Pointer Scans, but they take a very long time and return no results, (I think this might be related to the fact that I’m using an emulator). I also manually inspected memory regions and couldn't identify the nex level pointer. I might be doing something wrong here.

Questions:

How can I locate a static address (with the full chain of offsets) that gives me the HP / stocks value?

Are there other approaches that could also lead me to the dynamic address I’m looking for (for example, AOB scans)?

Thanks in advance for any practical tips or suggestions.

[ParkourPenguin]

This isn't something someone new to CE should be doing, but I'll post my thoughts.

You're working with two different architectures. There's your native architecture that the emulator is running on and the emulated architecture that the game is running on. You'll have to find pointer paths in the context of both architectures.
In the emulated architecture, the simplest case is that the value you found is static (in the context of the emulated architecture). This means the value's location in the memory space of the emulated architecture doesn't change. This is common to see in older consoles (e.g. gameshark codes for gameboy / ds games), but I'm not sure if newer consoles use random dynamic memory allocation. If they do, then you'll have to make your own pointer scanner that correctly handles pointers for the emulated architecture (probably just big endian, maybe bit packing).
Regarding the emulator itself, it's easier. Find the base address of the relevant emulated architecture's memory region (debugging can probably lead you to it if you know how to read assembly) and do the usual pointer scan for that address.
Then put those two paths together. In the simple case where the value is static in the emulated architecture, this simply means adding a very big offset as the final offset (could be gigabytes). If it's not static, then resolve the rest of the pointer path through the emulated architecture yourself.

There could be esoteric implementations of the emulator that do weirder things. Maybe the pointer scanner would just work in those cases, or maybe there would still be really big offsets that prevent it from working.


Other approaches:
I'm against making an aobscan for mutable data. Obviously, mutable data can be changed. Finding a pattern that doesn't change is adverse to that. Still, it's a simple method I've seen many people do, so maybe I'm just being unnecessarily antagonistic.

Any emulator for a modern console probably JIT-compiles the emulated architecture's machine code. You can do an AOB injection that copies the address to some memory you control (search "injection copy"), effectively making your own "static pointer". Doing this from python is more annoying: you'll have to know how to assemble instructions correctly (e.g. RIP-relative addressing). Also, finding a unique aob pattern for the code might be challenging too.

Some emulators implement a GDB stub that might be useful for debugging the emulated architecture. I've never played around with that before and haven't put much thought into what can be done with it.