RenegadeEX, need help using it.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • RenegadeEX, need help using it.

    I have:
    Windows 7 home premium 32-bit English language version.
    PJ64 v1.6
    RenegadeEX v1.06
    North American version of "The legend of Zelda - Majora's mask".

    I hope that this is the correct forum for this.

    I have been trying for a few days to get RenegadeEX to do ANYTHING, with ZERO success. I'll describe what I've been doing to achieve this stunning level of failure.
    I run RenegadeEX.
    In the Presets box, I choose Project64 v1.6 (Static).
    In the Program Path box, I set it to where Project64.exe is.
    I check the box next to Full Process.
    I click the Run Preset button.
    Project64 v1.6 appears, & I open Majora's mask.
    I load an owl statue save that is outside of the Swamp Tourist building, after beating the Woodfall temple.
    I go inside, talk to Koume, & take the "Shoot arrows at targets cruise".
    I shoot 3 targets, & then wait for the cruise to end & we're back in the Swamp Tourist building.
    Koume tells me I hit 3 targets.
    I click PJ64's System > Pause option.
    In RenegadeEX, I click the search tab.
    In the Search Size box, I set it to 16-Bit (2 Bytes).
    In the Search Type box, I set it to Known Value.
    In the Value(s) box, I set it to 3.
    I click the Search button.

    When I do that, the Search Progress bar fills up to underneath the "e" in the word Search & STAYS there. I could wait until the END OF TIME, & won't be any further along.
    Help?

  • #2
    There's pretty much no way a static hooking address is going to be valid on Win7, assuming the functions for dumping are even working properly. I wrote the app on XP. You'll have to figure out the offset on your own. I left instructions in the readme...

    I really wanted to do a rewrite and come up with a way to at least attempt auto-hooking emulators for a few systems based on things that always show up in RAM, but I never got very far on that project. I guess I'm getting a little like Parasyte.

    Now this is where it gets interesting. Most of the options are pretty self-explanatory. The hard part is finding start offsets/pointers. What you need to find out about your emulator before you can hack console codes is where exactly the console RAM is located within the emulator's RAM.

    Start by loading a game in the emulator that we already have codes for and setting up a plain old PC game hook; you can also use other PC hacking tools if desired. Now hack a code you already know the console address for. I'll use Goldeneye running on PJ64 1.6 as an example. I hacked ammo for my right gun on the Dam level. Came up with 3B1737FC. The console address is D37FC. Can you subtract? Good. The N64 RAM begins at 3B0A0000.

    Are we done? Well, some emulators always load console RAM to the same place, some don't. Open the emulator again with a different game loaded and do the same thing again. If you come up with the same starting address (3B0A0000 in our case), you're set; that's your "RAM Start." Otherwise, we need to go a step farther and look for a pointer to the start address.

    This is really simple, believe it or not. Find your start address again. Once again, we'll say we figured it out to be 3B0A0000 for the start of console RAM. Now, do a 32-bit search for that value. Yes, SEARCH FOR '3B0A0000' NOOBS. You'll probably see 20 or so results. A lot of times, the first one is all you need. Record them all to a text file though. First one on my list is 4D6A1C. To check this, load up the emulators again and find a start address AGAIN. If this address is once again found at that location (4D6A1C) then the pointer should be good. Now hack something.

    Comment
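
The procedure quoted in post #2, as an added example that is not part of the thread or of RenegadeEX: it derives the RAM start from a known host/console address pair, then keeps only the pointer candidates that hold the RAM start in every launch, which is the check that matters once the base moves between runs. The dump base 0x4D6000, the run 2 addresses and the decoy slot are constructed for illustration; the run 1 addresses are the ones quoted in the post.

```python
import struct

def ram_start(host_addr, console_addr):
    """Host address of console RAM offset 0: host hit minus known console address."""
    return host_addr - console_addr

def find_pointer_candidates(dump, dump_base, target):
    """Host addresses of every aligned 32-bit little-endian word equal to target."""
    needle = struct.pack("<I", target)
    hits, pos = [], dump.find(needle)
    while pos != -1:
        if pos % 4 == 0:
            hits.append(dump_base + pos)
        pos = dump.find(needle, pos + 1)
    return hits

def stable_pointers(runs):
    """Addresses that hold that run's RAM start in every run.

    runs: list of (dump, dump_base, ram_start_for_that_run).
    """
    per_run = [set(find_pointer_candidates(d, b, s)) for d, b, s in runs]
    return sorted(set.intersection(*per_run))

def make_dump(size, words):
    """Constructed stand-in for a dump of the emulator's own data section."""
    buf = bytearray(size)
    for offset, value in words.items():
        struct.pack_into("<I", buf, offset, value)
    return bytes(buf)

DUMP_BASE = 0x4D6000  # assumed base of the dumped region (constructed)

# Run 1 uses the addresses quoted in the post.
START_1 = ram_start(0x3B1737FC, 0xD37FC)
# Run 2: constructed host hit for the same console address after a relaunch.
START_2 = ram_start(0x3C2237FC, 0xD37FC)

# 0xA1C is the real pointer slot; 0x100 is a decoy that only matches in run 1.
RUN_1 = make_dump(0x1000, {0x100: START_1, 0xA1C: START_1})
RUN_2 = make_dump(0x1000, {0x100: 0x00000001, 0xA1C: START_2})

if __name__ == "__main__":
    print(hex(START_1), hex(START_2))
    print([hex(a) for a in find_pointer_candidates(RUN_1, DUMP_BASE, START_1)])
    print([hex(a) for a in stable_pointers([(RUN_1, DUMP_BASE, START_1),
                                            (RUN_2, DUMP_BASE, START_2)])])
```

A single run cannot separate the pointer from a word that merely happens to equal the RAM start, which is why the post says to record every result and repeat the search after relaunching.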


    • #3
      I left instructions in the readme.
      I downloaded v1.06 from a topic from kodewerx, & while it had 2 text files, neither one was named readme. I even read both of them, but found no readme contents.
      Before you responded, I tried exactly the same steps as before in the hope of being able to out-wait the delay for a few hours, but I now only get this error message, despite doing everything the same as before.
      Unable to dump RAM from process (DumpRAM, 1) -- Error 299
      Today, I set the Presets box to Project64 v1.6 (Pointer), & finally got some results (in only 2 or 3 seconds too). I am now going to try to use the following how-to-hack info from the following site,
      http://forum.cheatengine.org/viewtopic.php?p=2949473
      as well as your advice about finding the address-offset.

      One question about finding the address offset. You said
      I'll use Goldeneye running on PJ64 1.6 as an example. I hacked ammo for my right gun on the Dam level. Came up with 3B1737FC. The console address is D37FC.
      How do I find out where the console address is? What tool did you use to find it? T-Search perhaps?

      Anyway, I know that you have few/no plans to update RenegadeEX v1.06, but you should make sure that a download of it (at least the one from here) has the readme text file. You should also update the readme text file to tell Windows 7 users to set the Presets box to Project64 v1.6 (Pointer), with the disclaimer that it might not work for Windows 7 64-bit versions.

      & your help has been appreciated.
      Last edited by natsumerio; 11-10-2010, 01:17:31 PM. Reason: URL-ed the link instead of HTML-ing it.

      Comment


      • #4
        It's an HTML file (RenegadeEx.html to be specific). I don't like text readmes. And yeah, tsearch is what I usually use. Oh, if you want hacking tutorials, try EnHacklopedia.
        Last edited by Viper187; 11-10-2010, 01:32:51 PM.

        Comment


        • #5
          Originally posted by Viper187
          I guess I'm getting a little like Parasyte.
          Well, *THAT* figures.

          Also, it looks like RenegadeEx's most recent version is v1.08. Not that it will help.

          By the way, Windows 7 uses ASLR. So you're pretty much fucked until Viper stops doing "the Parasyte" and rewrites REx. Although, it will be impossible to brute-force search the memory on a 64-bit OS. An optimal solution would be a cooperative debugging technique like SRDP. Too bad it will never be finished, because I'm involuntarily a lone wolf on the project.
          Last edited by Parasyte; 11-10-2010, 06:55:39 PM.

          Comment


          • #6
            Viper,

            Our recent communication on my retirement gave me thought on what you said....how you missed the game. You are still young and full of energy and talent. Perhaps you should consider undertaking the upgrade for your program to WIN 7....don't let this very useful and powerful tool die in the wake of the XP demise. Your tool is universal. Yes there are many emulators now with code search engines but your tool still far surpasses them in its full power. Anyway...this old sage's last two cents worth of wisdom. mac
            Ancient Code Sage

            Comment


            • #7
              Yea I would also hate to run a sandbox just to hack 64 games. I'm sure it wouldn't take much to get it working with windows 7. Any chance of an update in the near future Viper? Really sad to see people giving up on such great projects, if only the emulators themselves had these great hacking tools...
              Not taking any requests at this time.

              Bored? Watch some of my hacks here.

              Comment


              • #8
                Sometimes, they do.

                Comment


                • #9
                  There's one thing though, ASLR only applies to some software. For things that it doesn't come up with, REX works perfectly well with 64-bit Win7. Though, the more obnoxious emulators like pcsx2 do very much have the issue even on XP.

                  Comment
