Sorry to ask this... but I don't really understand what this does!

I made it for to be used for cheat devices for PS2 games.
I haven't updated the one in this post since. I didn't know at the moment I was making it that PS2 cheat devices had a 199 line limit on the amount of codes you can turn on.
I'm making a version that works within that limit.
The memory scanner is intended to allow you to search for whatever you want, store the results, test the results, and then find the address of the code you found. All you would need is a cheat device, like: Codebreaker, Gameshark, Action Replay MAX, XPloder, or whatever.

That attachment doesn't fit within the 199 line limit, I'm working on one that does and still allows you to do a lot without needing to turn the game off and change something.

I think this could prove quite useful for the PS2-side search functions of Artemis, down the road. Thanks for sharing it

I am sort of lost on what this is supposed to exactly do, all you refer to is "scanning". Is this only supposed to do memory searches and compare changes?

You say you wanted this to be a cheat device? I've actually built a few of those successfully, and released a few half-ass'ed versions (in reference to the G.U.I.) to the public.

Your 199 line limit... Why? Why not limit it to how much RAM your console has?

also your extra search function, whats the limit on how many addresses it can do a 2nd comparison on? are you just malloc'ing memory or is it a set array size (i havent looked at the code)

This isn't software or anything I'm developing. Nothing like that. This is just a long code that can be typed into any cheat device and used to scan the memory for whatever you specify, store the results, remove results with extra scans, test the addresses and cycle through the remaining results, and then get the address of the code you found.

There's a 199 line limit because I only own a codebreaker version 9.2, and that only allows 199 lines of code on at a time. I don't know what the limit on the number of lines of code that are on is for other cheat devices, I'm just working with what I have.

I don't want this to be a cheat device, it's a series of functions, ASM code to be typed into a cheat device.

So far every PS2 game I've ever done a save dump with never seems to use memory space from 00098000 to 00100000. I put my code there and store results there.

I have changed it a lot since that attachment. I've finally typed it all in and have been testing it today. I've managed to make it allow me to change the value my first scan value and what I can use to AND with the address to find what it is. I'm not sure how I missed it because it should have worked, but the last save dump I did an hour ago with Twisted Metal Black somehow didn't store anything from the first scan even though I was very certain I pressed the correct buttons. Must have been a tiny mistake or something I could easily fix when I get back to it.

I'm still working on it.


I repeat, this is not software or anything like that. It's just code to be typed into a cheat device and used to find other codes.

Ahhh... Now I understand, just a cheat device assistant so-to-speak. That is something that could come in handy, run as a code with a cheat device gotcha.

Since this is just a "code" to be used with a cheat device, you are forced to needing a 3rd party *hook* for it (another words it's not universal must be pre-configured with a game or at least 1 more code added to configure it).

If you stepped out of the CodeBreaker world, and either use the device I designed and built OR build your own, you wouldn't have to worry about 199 line limits

Now that I have that part understood, you say this is only supposed to search for a certain value, store it in a designated memory address, and then you perform a memory dump of any sort (live dump, save dump, etc.) and view the data it stored?

My question is, exactly what would you be scanning for and are you able to modify the arguments for the scanner at run-time?

You don't need to do a dump to get the address.
Here's a run through what I just finished doing about 30 minutes ago (I finally got the thing to work perfectly):

I chose Twisted Metal Black, I wanted to find infinite lives. You start the level with 3 lives.

1. I did a first scan for 1 unsigned bytes that had the value "03".
2. Next, I did an extra scan for values that didn't change.
3. After doing that a few times, I switched the extra scan to keep results that decreased. I got myself killed, so my lives decreased by 1. I scanned, and the game paused for about 30 seconds and then resumed.
4. I switched the extra scan back to "keep if the value didn't change". I did a few more scans like that.
5. I got myself killed again, then changed the scan to keep results that decreased and then I scanned.
6. I quit and restarted the game.
7. I used my function "Reset Currently Selected Result".
8. I tried the function "Apply Old Value". No effect, so I used the function "Cycle Through Results".
9. I applied an old value again, no effect and I cycled through the results again.
10. I applied old value, and my lives shrunk from 3 to 1.
11. I started changing the value of the LUI and ORI in my "Get Address" function. I turned on 1 bit at a time, and then tried the function. If I didn't get a pause, the bit was off, and if it paused the bit was on. I kept doing that and got the address "00426030".
12. I did a save dump for the heck of it, and there were only 3 remaining results and all had the value "01".

I then restarted the game and entered this with codebreaker:
00426030 00000004
I tried it, and infinite lives. I found the ASM to change how many lives I started with before, and it was different depending on whether it was store mode or those other few. I don't know if this infinite lives code only affects story mode, I'm not checking at the moment. I only want to make the scanner work perfect and then I'll get to that.


A method of dumping the game can make things go faster.

There isn't a method discovered yet to dump data to the memory card for every game, so I use the pause method that works for all games.



This is all I have tried so far that works perfectly:
1. First bytes scan, equal to scan type. I didn't try the other ones, but they should work perfect.
2. Extra bytes scan, "keep if value didn't change, keep if value decreased, keep if value increased". I didn't try the other ones, but they should be perfect.
3. Reset Currently Selected Result
4. Cycle Through Results
5. Apply Old Value
6. Get Address


I am setting this up so you can change the value to compare to for the first scan (including the extra value for the range scan), can change the value for the extra scan for the increased/decreased by X amount scan, and the get address value to AND with the address of your result. You can also change the scan types while playing.


These are the few things that change from game to game:
1. enable code. I use the JAL in the scesifsendcmd function for every game, it looks identical for every game. Many enable codes are already that address. You can find it easy with PS2Dis and labelmates.
2. the jump to my function (Add "0c" to the JAL in scesifsendcmd to replace the jump return)
3. 2 lines for the joker.
4. 2 lines to switch between the 2 scan types for extra bit scans.

That's only 6 lines you change from game to game. You can change where you want to start scanning with the game too. The only problem is you can't turn everything on at the same time, even the you can still turn on a lot and get what you need to done.

At the moment, I'm wondering if I should make it a little less friendly on buttons to change scans. I can definitely save many lines if I change it so people would need to change 1 line to change to a scan.


I feel proud, it worked. After nearly a whole day of yelling at my TV, which had no effect on making things work, I finally fixed it and I found the lives address for Twisted Metal Black.


Now I need to test the bit scans tomorrow, and if they work, rewrite the thing to make it completely compact, test again, and give it to everyone else with instructions.

I see, but here is what will be the biggest problem for you: Results. If you do not limit how many results per scan are allowed, you will eventually start over-writing game data and/or surpassing the actual RAM size from logging results (if that many occur). Since you are storing the whole address, which is 4 bytes, how many results you get * 4 is how many bytes consumed by the results. So if you have 1,000 results, you just consumed 4,000 bytes of RAM. This may not always be the issue if you do 16/32 bit searches, but 8 bit searches will typically be where this main problem will occur (individual bit searching will result in extreme results when doing a large search).

I will provide you with a lovely example that will make game swapping for you EXTREMELY easier so you do not modify the function at all. Do not bother making it so you have to modify the function, that is a pain in the butt. Instead, make the function universal, that way you can simply change arguments used by it and it still produce the same output. Another words, have it read a certain block of RAM as configuration (such as the "Joker Address").

Here is the example ASM:
Here is the output of the example in hexadecimal RAW format:
(Compiled using the "Code Designer" application I have personally designed and written )

When you set it up to read a block of RAM designated as arguments (or Configurations) then you only need to add the configurations as a 3rd party code, with my example it would be exampled as "20095000 00123450"

I have the results limited. Nothing is overwritten.
My jump is constantly executed and tells the game 7 things that are used for every other function:
1. Joker address
2. My special stack, only needed for 12 bytes of data at this point.
3. Store the return address. I'll probably remove it when I rewrite because I never change it. It doesn't need to be preserved.
4. Where to start storing results
5. Where to stop storing results
6. Where to start scanning for results
7. Where to stop scanning for results
8. Load the pressed buttons

After all of that, it compares the pressed buttons in branches and goes to other functions if you press the correct buttons. That way, every function has those things set.


The jump replaces a jump return that is immediately after the JAL in scesifsendcmd. I only use the temporary "t" registers and "at", nothing needs to be preserved to work. scesifsendcmd is about 10 lines of code, no branches or anything that ends with the JAL and then the jump return, no need to preserve any "t" registers, and it's almost identical for every game. I only say "almost" because I haven't seen it change once from any game, but there must be one of them where it is different.


I have no idea of how to comprehend other ASM code. I am a moron, I wouldn't deny it a bit. That hasn't stopped me from making this work though.

Today it is official for me. The memory scanner works. All byte scans work, and the bit scans too, even though I need to fix those. Today I will rewrite and compact the code, and then retest it and when it's perfect, submit it.