
Emulation and memory searching

Gong Xian edited this page Oct 13, 2023 · 14 revisions

For the purpose of hacking Sakura Taisen 3, Demul and Flycast are suitable emulators. Of these two, Flycast is recommended for general use. While Demul is closed-source and has not been updated in many years, it does map its emulated memory in a straightforward, 1:1 fashion. Flycast is being actively developed and has far superior accuracy and compatibility, but to retrieve its base addresses for its emulated memory, it is necessary to enable logging and read the log file, which will contain addresses in 64-bit memory space.

As neither of these emulators has built-in debugging features, Cheat Engine is used as an ad-hoc memory viewer/editor and RAM dumping tool. Flycast can be compiled with a gdb server to enable remote debugging with gdb-multiarch.

As Cheat Engine is only available for Windows, this guide assumes the use of Windows 10 or a similar version. Wine has not been tested.

This is a summary of information found in this Dreamcast-Talk thread. Practical examples of using Demul and Cheat Engine to change font widths, including the use of breakpoints, can be found there. That thread should be consulted for further instructions on the use of Cheat Engine for ROM hacking purposes.

Requirements


  1. Set up your emulator of choice according to your preferences and acquire the Dreamcast Japan BIOS files. For Demul, ensure that buttons are mapped for loading and saving states.
    • For Flycast, open the settings and enable Advanced > Log to File. This will write flycast.log to the Flycast directory.
  2. Install the newest version of Cheat Engine.
    • For Flycast, Cheat Engine will need to search outside of private memory. In Cheat Engine, open Edit > Settings. In the Scan Settings section, enable the MEM_MAPPED checkbox.
  3. Load Sakura Taisen 3, then open the emulator process in Cheat Engine. Use the 64-bit version of Cheat Engine for Flycast.
    • In Flycast, change the Video setting Transparent Sorting to Per Pixel to eliminate some text glitches.
  4. Each emulator has different methods for mapping emulated memory.
    • Demul always maps emulated RAM to the address range 2c000000 to 2cffffff.
    • Flycast uses dynamic addresses for emulated RAM.
      • Open flycast.log in a text editor and search the bottom of the file for a line that looks like this: N[VMEM]: BASE 00007ff4af2a0000 RAM(16 MB) 00007ff4bb2a0000 VRAM64(8 MB) 00007ff4b32a0000 ARAM(2 MB) 00007ff4cf2a0000
      • The RAM(16 MB) address is the start of emulated RAM. Add 0x1000000 - 1 to it to get the end address; in this example the range is 7ff4bb2a0000 to 7ff4bc29ffff.
      • You can use the built-in Windows Calculator for hexadecimal calculations in the Programmer mode.
  5. In the Memory Scan Options in Cheat Engine, set the Start and Stop fields to the above addresses for your emulator before searching for values.
    • For Demul, toggle Config > Pause when Focus is Lost as needed.
  6. Calculating memory addresses:
    • For Demul, simply subtract 0x60000000 from Dreamcast addresses to get the equivalent address to use in Cheat Engine. In other words, change the 8c prefix to 2c or vice versa.
    • For Flycast, remove the 8c prefix from a Dreamcast address and add the remainder to the emulated RAM base address. To convert in the other direction, subtract the base address from the Cheat Engine address and add the 8c prefix to get the Dreamcast address.
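
The address arithmetic from steps 4 to 6 can be scripted. The following is an added example, not part of the original wiki page: it reads the RAM base from the last VMEM line of flycast.log, computes the Cheat Engine scan range, and converts addresses in both directions for either emulator. The function names are hypothetical, the log format is assumed to match the line quoted above, and 8c010000 is a constructed sample address.

```python
import re

DC_RAM_BASE = 0x8C000000     # Dreamcast-side start of main RAM (the "8c" prefix)
RAM_SIZE = 0x1000000         # 16 MB of emulated RAM
DEMUL_RAM_BASE = 0x2C000000  # Demul's fixed mapping, as stated on this page

# Constructed sample input: the log line quoted on this page.
SAMPLE_LOG = (
    "N[VMEM]: BASE 00007ff4af2a0000 RAM(16 MB) 00007ff4bb2a0000 "
    "VRAM64(8 MB) 00007ff4b32a0000 ARAM(2 MB) 00007ff4cf2a0000\n"
)
VMEM_RE = re.compile(r"\[VMEM\]: BASE [0-9a-f]+ RAM\(16 MB\) ([0-9a-f]+)", re.I)

def flycast_ram_base(log_text):
    """Return the RAM base from the last VMEM line (the current session)."""
    matches = VMEM_RE.findall(log_text)
    if not matches:
        raise ValueError("no VMEM line found; is Log to File enabled?")
    return int(matches[-1], 16)

def ram_range(base):
    """Start and Stop values for Cheat Engine's Memory Scan Options."""
    return base, base + RAM_SIZE - 1

def dc_to_host(dc_addr, base):
    """Dreamcast address (8cxxxxxx) -> address inside the emulator process."""
    offset = dc_addr - DC_RAM_BASE
    if not 0 <= offset < RAM_SIZE:
        raise ValueError(f"{dc_addr:#x} is outside Dreamcast main RAM")
    return base + offset

def host_to_dc(host_addr, base):
    """Address inside the emulator process -> Dreamcast address (8cxxxxxx)."""
    offset = host_addr - base
    if not 0 <= offset < RAM_SIZE:
        raise ValueError(f"{host_addr:#x} is outside the emulated RAM range")
    return DC_RAM_BASE + offset

if __name__ == "__main__":
    base = flycast_ram_base(SAMPLE_LOG)
    start, stop = ram_range(base)
    print(f"Flycast scan range: {start:x} to {stop:x}")
    dc = 0x8C010000  # constructed sample address
    print(f"{dc:x} -> Flycast {dc_to_host(dc, base):x}")
    print(f"{dc:x} -> Demul   {dc_to_host(dc, DEMUL_RAM_BASE):x}")
```

Because Flycast's base address changes between sessions, re-read the log after every restart before reusing a converted address.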

Memory Viewer Tips

Offset Addresses with Flycast

If you're using Flycast, the cheat table will need to use offsets from the emulated RAM base address, but relative addresses can be used in the Memory Viewer for an analogous view of Dreamcast memory addresses.

  1. In the Memory Viewer window, go to the emulated RAM base address.
  2. With the byte at that address selected, right click on it and select Show relative addresses, or press Ctrl-Enter.
  3. Addresses on the left margin will now show offsets from the base address. These are equivalent to the Dreamcast addresses without the 8c prefix.

Other Tips

  • Open a second window in the Memory Viewer using File > New window. This will allow for easier searching for addresses referenced by pointers while keeping the original position.
  • With Flycast, the AllocationBase address will match the emulated RAM start address when viewing that region.
  • The keyboard keys - and + change the selected byte by 1.
  • Memory can be edited by directly pasting bytes into the Memory Viewer with Ctrl-V. This can be done for such tasks as testing custom assembly code before committing it in Ghidra, patching modified strings into a region containing script files, or testing edited font tiles by pasting bitmap data into the SKFONT.CG region. Keep in mind that all such edits will be lost after loading a save state.
    • You may need to first Change page protection to Read/write in the right-click menu to make edits to the region of memory that contains the executable.
  • To save a RAM dump, open File > Save memory region (Ctrl-S). The Demul option Config > Pause when Focus is Lost should be enabled before doing this. In the From and To fields, enter the emulated RAM address range, and check the Don't include Cheat Engine header in file option. Save the file, dismissing the warning that Cheat Engine raises regarding the header. The saved memory region file should be exactly 16,777,216 bytes.