Search for values in game console emulator

A video game console is a dedicated electronic machine designed to play video games. The output device is often a separate television or a computer monitor, and the main input device is a controller. There was a time when video game consoles were easily distinguishable from personal computers: consoles used a standard TV set for display and did not support standard PC accessories such as keyboards or modems. However, as consoles have become more capable, the distinction has blurred: some consoles (like the Sony PlayStation 2) can run a full Linux operating system with hard drives and keyboards. Cartridges were previously the common storage medium for console game data, but due to technological advances most video games are now stored on CDs or higher-capacity DVDs.

Older game consoles and their software now live on in emulators, as they are no longer supported by their manufacturers. A console emulator is a computer program that emulates a video game console or handheld, so that a computer can be used to play games created for that console or to develop games for it. A cartridge contains ROM memory, and console games for emulators are generally distributed as ROM images (or simply "ROMs") on the Internet. Software that emulates a console may add capabilities that the original system did not have, such as anti-aliasing, audio interpolation, save states, online multiplayer options, or built-in cheat cartridge functionality.

The NES game console has 64kB of main CPU memory. A popular NES console emulator is VirtualNES, which holds this 64kB in its own process address space. The NES main memory appears in the VirtualNES address space at 0059AAF0 - 005AAAF0. The address 0059AAF0 is the zero address of the NES. ArtMoney therefore only has to scan process memory in the address range 0059AAF0 - 005AAAF0, which can be up to ten times faster than a full scan.

ArtMoney stores emulator addresses (not PC addresses) and uses relative addressing, so these addresses don't depend on the emulator type and version. The ArtMoney table will always work on different emulators. "Zero addresses" for different emulators and other emulator information are stored in a file, artmoney.emul. This file stores records that contain the name of a game console, the name and version of the emulator, the zero address of the emulator, the PC address and the size of a memory block. Start the search and select your emulator from the list. If you cannot find your emulator in the list, you have to find a zero address for this emulator and add it to artmoney.emul. If you have found a zero address for a new emulator, please send the artmoney.emul file to us.

For example, let's find some zero addresses for a few emulators.
Main CPU memory size is 16 Mb. The CPU has write access at E00000-FFFFFF. Most games only access it at FF0000-FFFFFF (RAM size is 64kB). Let's find the PC address where FF0000 is located in the emulator Gens 2.11, using PAR codes. The standard PAR code format is AAAAAAVV, where A=address and V=value. These codes are in hex, and the address is a console CPU address. You can input the PAR codes in any emulator, and the code writes your value to the console CPU address. The Gens 2.11 PAR code format is AAAAAA:VVVV. Select "File\Game Genie" in Gens, input the code FF0000:ABC1, and press "Add Code". Highlight this code and click OK. Switch to ArtMoney and search for "ABC1" (integer 2 bytes). Return to Gens. Add a new PAR code FF0000:ABC2. Switch to ArtMoney and filter for "ABC2" (integer 2 bytes). We have found this value at 0081A500.

And other addresses:
E00000 - 0081A500
F00000 - 0081A500
FE0000 - 0081A500
FF0000 - 0081A500
FFFFFF - 0082A500

The Sega address range E00000-FF0000 does not exist in Gens 2.11. The PC address range 0081A500-0082A500 is all we need. The address 0081A500 is our zero address.
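
The search, filter and relative-addressing steps above can be reproduced offline. The following is an added example, not ArtMoney or Gens code: the "process memory" is a constructed buffer, HOST_BASE and the decoy cells are invented for the illustration, and the value is assumed to be stored in host (little-endian) byte order.

```python
HOST_BASE = 0x00800000      # constructed: host address of mem[0]
RAM_HOST = 0x0081A500       # host address of work RAM (value found on the page)
CONSOLE_BASE = 0xFF0000     # console address where the 64 kB block starts
RAM_SIZE = 0x10000

def make_memory():
    """Constructed process image: zeroes plus two unrelated cells holding ABC1."""
    mem = bytearray(0x40000)
    for decoy in (0x00801000, 0x00830010):
        off = decoy - HOST_BASE
        mem[off:off + 2] = (0xABC1).to_bytes(2, "little")
    return mem

def par_write(mem, console_addr, value):
    """Stand-in for the PAR code AAAAAA:VVVV (16-bit write to console RAM)."""
    off = RAM_HOST - HOST_BASE + (console_addr - CONSOLE_BASE)
    mem[off:off + 2] = value.to_bytes(2, "little")

def search(mem, value):
    """Pass 1: every host address currently holding the 16-bit value."""
    needle, hits = value.to_bytes(2, "little"), []
    pos = mem.find(needle)
    while pos != -1:
        hits.append(HOST_BASE + pos)
        pos = mem.find(needle, pos + 1)
    return hits

def refine(mem, hits, value):
    """Pass 2: keep only the candidates that now hold the new value."""
    needle = value.to_bytes(2, "little")
    return [h for h in hits
            if mem[h - HOST_BASE:h - HOST_BASE + 2] == needle]

def to_host(console_addr, zero_address):
    """Relative addressing: zero address plus offset into the mapped block."""
    offset = console_addr - CONSOLE_BASE
    if not 0 <= offset < RAM_SIZE:
        raise ValueError("console address is outside the mapped block")
    return zero_address + offset

def find_zero_address():
    mem = make_memory()
    par_write(mem, 0xFF0000, 0xABC1)
    first = search(mem, 0xABC1)             # real cell plus the decoys
    par_write(mem, 0xFF0000, 0xABC2)
    return first, refine(mem, first, 0xABC2)
```

The first pass returns three candidates and the second pass leaves only the cell that followed the write, which is why the procedure changes the value once before trusting an address.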

Attention! Emulator "Kega Fusion" uses reverse byte order.

Work RAM is FF0000-FFFFFF like in Genesis.
Additional RAMs 020000-03FFFF, 200000-23FFFF.
And subprocessor RAM 000000-07FFFF 512Kb.
PAR codes don't work in emulators for MegaCD mode.

Attention! Emulator "Kega Fusion" uses reverse byte order.

Main CPU memory size is 16 Mb. There are two types of cartridge: LoROM and HiROM. The CPU has write access at 7E0000-7FFFFF, called "Work RAM" (size 128Kb). A second "Work RAM" at C00000-CFFFFF exists for HiROM cartridges only. Most games only access it at 7E0000-7FFFFF.

Let's find the PC address where 7E0000 is located in the emulator Zsnesw 1.36. Input PAR codes in Zsnesw for the SNES addresses 7E0000 and C00000. The Zsnesw PAR code format is AAAAAAVV. We have found these addresses:
7E0000 - 006D598
C00000 - 01C60068

The address 006D598 is our zero address.

Let's find the PC address where 7E0000 is located in the emulator Snes9X 1.43. Our zero address depends on the operating system: for Windows 98 it is 00D74240, for Windows 2000 it is 013F0048. We have to find a pointer to the zero address. Search for the pointer in Windows 98, and then do "save the filtration". Reboot the PC and load Windows 2000. Run ArtMoney, do "load the filtration", and filter for the pointer. We have found the pointer at 0085C1A0.

Main CPU memory size is 64 Kb. The CPU has write access at C000-FFFF (size is 16Kb).
Let's find the PC address where C000 is located in the emulator Kega Fusion 3.4. Use PAR codes on C000. The address 00DEC048 is our zero address.

Main CPU memory size is 64 Kb. The CPU has write access at 0000-8000 (size is 32kB). Most games only access it at 6000-8000 (size is 8kB). The address 0059AAF0 is a zero address for VirtualNES.

The CPU is similar to the Z80 processor. Memory size is 64 Kb.
A000-BFFF switchable RAM 8Kb
C000-DFFF internal RAM 8Kb
Use "Memory Editor" in VisualBoyAdvance to find a zero address.

ARM7TDMI 32bit RISC CPU up to 4Gb memory.
02000000-0203FFFF On-board WorkRAM 256kB
03000000-03007FFF In-chip WorkRAM 32kB
Use "Memory Editor" in VisualBoyAdvance to find a zero address.

Work RAM is 80000000 - 801FFFFF (2Mb).

Memory map:
000000 - 000100 CPU Internal RAM (Timers / DMA / z80 / etc.)
000100 - 006BFF Work RAM
006C00 - 006FFF CPU Workspace
007000 - 007FFF Sound RAM
008000 - 00BFFF Video RAM
200000 - 3FFFFF ROM
800000 - 9FFFFF Extra ROM (for 32 Mbit games)
FF0000 - FFFFFF BIOS

RAM Bank 1 is 100000 - 10FFFF (64Kb). Let's find the PC address where 100000 is located in the emulator Nebula 2.25 with the game Metal Slug 2 (mslug2.zip).
Create a file NEBULA\CHEATS\mslug2.dat
[0]
Name=Zero
0=ZeroA1,100000,A1
1=ZeroA2,100000,A2
2=ZeroA3,100000,A3
Default=0

Select "Game->Cheats->Zero->ZeroA1" in the Nebula menu. Switch to ArtMoney and search for "A1" (integer 1 byte). Return to Nebula. Select "Game->Cheats->Zero->ZeroA2" in the Nebula menu. Switch to ArtMoney and filter for "A2" (integer 1 byte). We have found this value at 037F8058. Search for the pointer to this address. We have found our pointer to the zero address at 00732678.

Work RAM is 000000 - 1FFFFF (2mb).
Cheat menu doesn't work in Nebula emulator.

Work RAM is FF0000-FFFFFF (64Kb) like in Sega Genesis. Let's find the PC address where FF0000 is located in the emulator Nebula 2.25 with the game Alien Vs Predator (avsp.zip).
Create a file NEBULA\CHEATS\avsp.dat
[0]
Name=Zero
0=ZeroA1,FF0000,A1
1=ZeroA2,FF0000,A2
2=ZeroA3,FF0000,A3
Default=0

Select "Game->Cheats->Zero->ZeroA1" in the Nebula menu. Switch to ArtMoney and search for "A1" (integer 1 byte). Return to Nebula. Select "Game->Cheats->Zero->ZeroA2" in the Nebula menu. Switch to ArtMoney and filter for "A2" (integer 1 byte). We have found this value at 037F8058. Search for the pointer to this address. We have found our pointer to the zero address at 00732678.

RAM is 00000000 - 00200000 (2Mb). Run FreeDo Beta 1.8 and select CPU->DEBUG. Enter the command w 0x00000000 0xAA. Switch to ArtMoney and search for "AA" (integer 1 byte). Return to FreeDo. Enter the command w 0x00000000 0xBB. Switch to ArtMoney and filter for "BB" (integer 1 byte). We have found this value at 00432800. It is our zero address.

Attention! Emulator "FreeDo" uses reverse byte order.

The 8086 "family" of processors uses segments to control data and code. The later 8086-based processors have larger instruction sets and more memory capacity, but they still support the same segmented architecture. The segment and offset together create a 20-bit physical address. 20-bit addresses can access up to 1 megabyte of memory. Extended memory refers to the memory addresses above the 1 MB range. Access to extended memory is available only via the EMM386.SYS or HIMEM.SYS drivers. Most games only access basic memory (the first megabyte).

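Let's find a zero address. Run this code in the DOS emulator.
xor AX,AX        ; AX = 0
mov BX,Value     ; Value = the marker to search for in ArtMoney
mov ES,AX        ; ES = segment 0
mov ES:[0],BX    ; write the marker to segment 0, offset 0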

Change "Value" and filter in ArtMoney. For NTVDM (the standard DOS emulator in Windows 2000/XP) the zero address is 00000000.
For WINOA386 (the standard DOS emulator in Windows 95/98) the zero address does not exist. DOS memory is defragmented.
For the DosBox emulator you can easily find a zero address and a pointer.

RAM area is 00000000 - 001FFFFFF (32Mb). For the TLB version of PCSX2, use the memory dump editor (Debug - Memory Dump). For the VM version of PCSX2, use the ArtMoney process map and find the memory block by size 2000000.

Attention! PCSX2 emulator VM (Virtual Memory) version has memory protection (you cannot write to process memory). Enable "Use own functions for access to memory" option to bypass it (available only in ArtMoney Pro).

Work RAM is 00000000 - 00800000 (8Mb).

Main CPU memory size is 64 Kb. RAM area is 8000-FFFF. Run Blue MSX 2.7 and select Tools->Debugger and use Memory Editor to find a zero address.

Work RAM is 1F0000 - 1F2000 (8Kb).

00200000-002FFFFF : Work RAM Low (1MB)
06000000-07FFFFFF : Work RAM High (1MB)

System RAM is 0C000000-0FFFFFFF (16Mb)
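
The pointer search used above for Snes9X 1.43 (and again for Nebula 2.25) can be shown on two constructed snapshots of an emulator's static data. This is an added example, not ArtMoney code: STATIC_BASE, the snapshot layout and the stale cell at offset 0x100 are assumptions, while the two zero addresses and the pointer location are the values given on the page.

```python
import struct

STATIC_BASE = 0x00850000    # constructed: start of the emulator's static data
STATIC_SIZE = 0x10000
POINTER_AT = 0x0085C1A0     # pointer location reported on the page

def snapshot(zero_address, stale):
    """Constructed static data for one run: the live pointer and a stale copy."""
    mem = bytearray(STATIC_SIZE)
    struct.pack_into("<I", mem, POINTER_AT - STATIC_BASE, zero_address)
    struct.pack_into("<I", mem, 0x100, stale)   # never updated between runs
    return mem

def search_pointers(mem, target):
    """Run 1: aligned 32-bit cells whose value equals the known zero address."""
    return [STATIC_BASE + off for off in range(0, len(mem), 4)
            if struct.unpack_from("<I", mem, off)[0] == target]

def filter_pointers(mem, candidates, target):
    """Run 2: keep the cells that now hold the new zero address."""
    return [a for a in candidates
            if struct.unpack_from("<I", mem, a - STATIC_BASE)[0] == target]

def resolve(mem, pointer_at, console_offset=0):
    """Dereference the pointer, then add the offset inside the console block."""
    zero = struct.unpack_from("<I", mem, pointer_at - STATIC_BASE)[0]
    return zero + console_offset

def find_pointer():
    run1 = snapshot(0x00D74240, stale=0x00D74240)   # Windows 98 value
    run2 = snapshot(0x013F0048, stale=0x00D74240)   # Windows 2000 value
    saved = search_pointers(run1, 0x00D74240)       # "save the filtration"
    kept = filter_pointers(run2, saved, 0x013F0048) # "load the filtration"
    return saved, kept, run2
```

A cell that merely happened to contain the old zero address drops out in the second run, leaving the location that tracks the block wherever it is allocated.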

Copyright (C) 1996-2010, System SoftLab
Last update of this page: April 30, 2010.