-
Notifications
You must be signed in to change notification settings - Fork 1
Emulation and memory searching
For the purpose of hacking Sakura Taisen 3, Demul and Flycast are suitable emulators. Of these two, Flycast is recommended for general use. While Demul is closed-source and has not been updated in many years, it does map its emulated memory in a straightforward, 1:1 fashion. Flycast is being actively developed and has far superior accuracy and compatibility, but to retrieve its base addresses for its emulated memory, it is necessary to enable logging and read the log file, which will contain addresses in 64-bit memory space.
As neither of these emulators have built-in debugging features, Cheat Engine is used as an ad-hoc memory viewer/editor and RAM dumping tool. Flycast can be compiled with a gdb server to enable remote debugging with gdb-multiarch.
As Cheat Engine is only available for Windows, this guide assumes the use of Windows 10 or a similar version. Wine has not been tested.
This is a summary of information found in this Dreamcast-Talk thread, and practical examples of using Demul and Cheat Engine to change font widths, including the use of breakpoints, can be found there. That thread should be consulted for further instructions on the use of Cheat Engine for ROM hacking purposes.
- Demul or Flycast
- Cheat Engine
- Dreamcast BIOS files
- Set up your emulator of choice according to your preferences and acquire the Dreamcast Japan BIOS files. For Demul, ensure that buttons are mapped for loading and saving states.
- For Flycast, open the settings and enable Advanced > Log to File. This will write flycast.log to the Flycast directory.
- Install the newest version of Cheat Engine.
- For Flycast, Cheat Engine will need to search outside of private memory. In Cheat Engine, open Edit > Settings. In the Scan Settings section, enable the MEM_MAPPED checkbox.
- Load Sakura Taisen 3, then open the emulator process in Cheat Engine. Use the 64-bit version of Cheat Engine for Flycast.
- In Flycast, change the Video setting Transparent Sorting to Per Pixel to eliminate some text glitches.
- Each emulator has different methods for mapping emulated memory.
- Demul always uses the addresses
2c000000
and2cffffff
for emulated RAM. - Flycast uses dynamic addresses for emulated RAM.
- Open flycast.log in a text editor and search the bottom of the file for a line that looks like this:
N[VMEM]: BASE 00007ff4af2a0000 RAM(16 MB) 00007ff4bb2a0000 VRAM64(8 MB) 00007ff4b32a0000 ARAM(2 MB) 00007ff4cf2a0000
- The
RAM(16 MB)
address is the start of emulated RAM. Add0x1000000 - 1
to the address to get the end address, which in this example would be7ff4bb2a0000
and7ff4bc29ffff
. - You can use the built-in Windows Calculator for hexadecimal calculations in the Programmer mode.
- Open flycast.log in a text editor and search the bottom of the file for a line that looks like this:
- Demul always uses the addresses
- In the Memory Scan Options in Cheat Engine, set the Start and Stop fields to the above addresses for your emulator before searching for values.
- For Demul, toggle Config > Pause when Focus is Lost as needed.
- Calculating memory addresses:
- For Demul, simply subtract
0x60000000
from Dreamcast addresses to get the equivalent address to use in Cheat Engine. In other words, change the8c
prefix to2c
or vice versa. - For Flycast, remove the
8c
prefix from a Dreamcast address and add the remainder to the emulated RAM base address. Subtract the base address and add the8c
prefix to get the Dreamcast address.
- For Demul, simply subtract
If you're using Flycast, although the cheat table will need to use offsets of the emulated RAM base address, relative addresses can be used in the Memory Viewer for an analogous view of Dreamcast memory addresses.
- In the Memory Viewer window, go to the emulated RAM base address.
- With the byte at that address selected, right click on it and select Show relative addresses, or press Ctrl-Enter.
- Addresses on the left margin will now show offsets of the base address. These are equivalent to the Dreamcast addresses without the
8c
prefix.
- Open a second window in the Memory Viewer using File > New window. This will allow for easier searching for addresses referenced by pointers while keeping the original position.
- With Flycast, the AllocationBase address will match the emulated RAM start address when viewing that region.
- The keyboard keys
-
and+
change the selected byte by 1. - Memory can be edited by directly pasting bytes into the Memory Viewer with Ctrl-V. This can be done for such tasks as testing custom assembly code before committing it in Ghidra, patching modified strings into a region containing script files, or testing edited font tiles by pasting bitmap data into the SKFONT.CG region. Keep in mind that all such edits will be lost after loading a save state.
- You may need to first Change page protection to Read/write in the right-click menu to make edits to the region of memory that contains the executable.
- To save a RAM dump, open File > Save memory region (Ctrl-S). The Demul option Config > Pause when Focus is Lost should be enabled before doing this. In the From and To fields, enter the emulated RAM address range, and check the Don't include Cheat Engine header in file option. Save the file, dismissing the warning that Cheat Engine raises regarding the header. The saved memory region file should be exactly 16,777,216 bytes.
Formats
- ASCR format
- SBX/SBN
- LIP file
- SKFONT.CG
- ADCG texture
- BPV1 container
- LC1 file
- EYECATCH.BIN
- OpOption.bin
- Miscellaneous information
English translation technical details
Translation Instructions
- Extracting assets and rebuilding disc images
- Ghidra setup
- Emulation and memory searching
- Debugging Flycast with gdb-multiarch
- Script files
- Custom font tiles
- Map labels
- Editing compressed graphics
- Texture locations
- SRPG strings
- Menu strings
- Video encoding