Scanning for memory addresses with Cheat Engine and ZSNES

Cheat Engine (CE) is an open source memory scanner/hex editor/debugger that works for Windows applications. Another way to put it is that CE is used to explore the memory that is dynamically allocated (by Windows) in games.

Many users in the CE community provide cheat tables for games. These cheat tables are basically lists of memory addresses that directly correspond to certain data in a game, e.g. movement speed, or health points. Each entry in the list can be toggled on or off and they allow you to tamper with the value that corresponds to these memory addresses, effectively changing your stats in the game and making you a devious cheater.

Maybe I have a differing opinion than others, but Cheat Engine is an absolutely great way to really dive deep into computer science fundamentals (bits, bytes, hexadecimals...), data structures, pointers, the internal workings of memory, and a little bit of assembly language if you want to create new injectable scripts for these games. You don't need to be a gamer to toy around with this tool and I highly recommend it for any C.S. student.

About

In this mini-guide, I am going to load up an RPG game called Shadowrun on an SNES emulator and try to find the memory address for the HP stat manually. Then, I am going to forcibly change the value at this memory location to a certain number, so that whenever I take damage, my HP doesn't go down; it stays at the number I set it to, making me invincible.

Getting Started

First, you're going to need Cheat Engine and an emulator + game file. This guide is also intended for Windows users only.

ZSNES

ZSNES is a Super Nintendo emulator. This is the emulator that I will be using for this small guide. Other emulators should work fine too.

ZSNES can be downloaded here.

The game that I will be using is called Shadowrun and you will be able to find the ROM (.sfc) file by googling around.

Cheat Engine

Cheat Engine can be downloaded here

1. Load the files

The first thing you'll want to do is start the game on your emulator. Once the emulator is up and running, then you'll want to load Cheat Engine. Note that the order in which you start the applications here doesn't really matter.

Once Cheat Engine is up, Go to File > Open Process and select your emulator.
On my screen, it will look something like this:

2. Scan for addresses

You will see a few scan options, i.e. First Scan, Next Scan, and Undo Scan.

The idea here is to use the First Scan only once to retrieve hundreds of thousands of memory addresses occupied by your game, then repeatedly use Next Scan to filter down these addresses by the criteria that you want.

In this case, the criteria I want is just the HP of my character. Since the HP in this game is a small integer (0-255), I will be using the Value Type - Byte for the scans. The Value Type is always an important consideration. If for example, you wanted x/y/z coordinates, you are probably better off setting the Value Type to Float/Double.

Unfortunately, filtering memory addresses by values such as bytes, floats, strings, etc. can be a bit complicated. At this step, you are practically trying to reverse engineer the game; you are thinking about how and where the data is stored by the game programmer(s). This is typically the most difficult aspect of hacking games, and it helps to understand what data you're trying to get, and how that data is changed.

For instance, if I care about my character's HP, then I can expect my character's HP values to change if I get attacked by an enemy. The HP values don't just change though, but they always decrease whenever I get attacked by an enemy. Therefore, if I want to find the memory address for my character's HP, I should scan for addresses in a pattern like so:

Order of activities
What I do in the game	What I do on Cheat Engine	Why?
My character just sits idly	First Scan - Unknown Initial Value	This is the first scan, so it doesn't really matter what I do here. The first scan is *needed* though, because that is the only way I'll get *all* the memory addresses.
Let my character take some damage (by an enemy)	Next Scan - Decreased value	My HP went down, so somewhere in memory, the HP value should have been decremented.
Let my character take some damage (by an enemy) again	Next Scan - Decreased value	My HP went down, so somewhere in memory, the HP value should have been decremented.
...	...	...

By following the pattern above, you can filter down from 10,000,000 addresses to 10 or 20 addresses! Normally, you will have to scan many times for this to happen.

Note: You can set up hotkeys on Cheat Engine so that you don't have to constantly bounce between the scope of Cheat Engine and the game emulator via ALT-TAB.

3. Search for the right address

As idealistic you might be, more often than not, you are not going to just have 1 single address for the value that you're looking for. You may get a couple, or maybe 4 or 5, who knows? The reason for this is simply put - pointers. More on this later.

With ZSNES and Shadowrun, only a single entry comes up for the HP that looks close to a good candidate. The HP value corresponds to the game's HP value. Note in the screenshot below, that there are 36 found entries. 0x0072EA06 is the "good candidate" address, where as the rest are most likely garbage data or data that we don't care for. The image explains why in greater detail.

4. Adding the address to the list

Now all you need to do is add this address by double-clicking the entry in the memory list, and at the bottom of CE, a new row entry should appear like so. All you need to do now is toggle the row entry by checking the box under the "Active" column, then change the "Value" for that entry to 30.

5. Unlimited Health

Now, whenever you take damage by an enemy, you'll notice that your health bar stays where its at. When you go to the menu, your HP will always be at 30 (Max health).