Searching Part 2

Last updated: 08-02-2022

Hidden Values/Unknown Values (1 to 6 hours)

Here is the make-it-or-break-it part of memory editing. A lot of people will fail this step, either because they can't understand it or don't want to put in the effort to get good at it. If you can reliably find these, you will be better than 90% of people who cheat games. The method for finding these two is the same, so I have put them together. However, these are 2 different types of values, even though some people use the terms interchangeably. These are how I choose to define them:

Hidden Value: Any value that a developer uses as a method to either stop cheaters from finding the real value or obfuscate the real value. I don't include display values (values that don't actually hold a real value but hold a value to be displayed to the player; these will usually allow the developer to add special effects to a value changing. Think Mario's coins: you get 100, you get an extra life, and the coins count down from 100 to 0), as these aren't usually active anti-cheat measures. If you have ever tried finding a value to change for an RPG Maker game (on PC), then you have seen this already (real value * 2 + 1 = saved value). This is an active anti-cheat measure, but once you figure it out, you can use it to find the value (current real HP = 100, 100 * 2 + 1 = 201, search for 201, then narrow down to find the address to change/freeze).

Unknown Values: Any value that is not an easily identifiable value. Easy examples would be a breath gauge, health bar, run speed or invisible enemy health bar. Once you find these values, they can be semi-unknown (because you figured out the hero's health is between 0 and 100 but you don't know the exact value in between). Some values can be considered true unknown or unsearchable known, and can only be found through creative searches. Item IDs would be an example of this. You could find a value for the number of potions, then figure out the item ID from that. Even if you have the correct item ID and searched for it, you would find thousands if not millions of the same value, and the list may never get down far enough to find the real value you want.

Semi-Unknown Values: These are values that you can make some educated guesses on. For example, you may know the max value of what you are searching for, but not exactly where the value currently sits between that max and 0. You can see that the value is at 1/2 of the bar and you know that the max value of the bar is 1000. Is that value 500? 499? 501.76485? We can treat these types of values either as regular unknowns or as a known value search (we will go into this more towards the end of this section with Pokemon HP).

Now, how to find these values. We are not going to cover unsearchable values, but if there is enough interest, I'll put together a guide on how things are grouped together in memory (for example, player run speed is probably near player stamina). I consider searchable unknown values as ones that:

A. The player can see some indicator of (this is honestly optional once you get better at it)

B. The player can make or indicate some kind of change to

The first two tricks are this:

  1. Patience

  2. Focus

I am completely serious about this. This process can take a long time and one mistake can completely ruin your search (although, sometimes it is recoverable with undo search like on JNoExsClient). It is best to start slow and be methodical. I had a co-worker who would write out his entire to-do list, then would check them off as he did them and it worked every time. Myself, I'm a little more freestyle. The next important thing to remember is to vary what you are doing. Don't always do > searches, mix it up with a <, or a != 0. Just make sure you are setting up your value that way too.

Finding an Unknown Value (Skill Cooldown)

For this section we are going to find a Pokemon's skill cooldown (easier) and a Pokemon's Hit Points (harder). Since I won't be able to see what Pokemon you are using or what skills that Pokemon has, we have to get a little theoretical (and this is the big problem with creating cheats: other people can only give you vague advice due to the nature of how games store values in memory). When working on cheats by yourself, if you can't find a value using your search terms, try using different ones. For example, if U16 is not working, try U8; if that isn't working, then try FLT; if that still isn't working, try using fuzzy searches of those memory types like we are about to do now. The important thing to note is that if you don't know the exact memory type, you will need to figure it out. The search settings I give in this guide are based specifically on what we are trying to find (since I have already found them dozens of times over the course of this guide, I'm giving you the best search settings to speed up the learning process). Now, since we will be measuring skill cooldowns, we will need to be in an Expedition. So go ahead, launch an Expedition and pause at the start of it.

Pokemon_Quest_7.jpg

I'm going to focus on my Onix's Rock Throw (1), but first you need to make sure that “Auto” mode (2) is off. This will allow us to set up our searches a little easier. Since we don't currently know what the value is, we have to start with an unknown search. In this example, I would suggest using the skill, then once the cooldown starts to go down, pausing the game and doing the first Unknown search. This will help us find the cooldown value instead of something like whether the skill is active or not.

Pokemon_Quest_8.jpg

As you can see, the skill is on cooldown, so go ahead and use these search settings:

[U32] [DIFF] [HEAP] [ ]

Remember, DIFF and Unknown are the same thing and since this is a fuzzy search, we don't have a value in the fourth window. Now after that search we are going to allow the game to run a second then pause and search again.

Pokemon_Quest_9.jpg

Before we get back to the game, let us remember what I said at the start of this section, we don't want to do a bunch of the same searches in a row. So we are going to let the game play out, and when the cooldown finishes, we want to activate the skill, then pause the game once the cooldown starts.

Pokemon_Quest_10.jpg

Now the cooldown is longer than our previous search, so we want to use these search settings:

[U32] [++] [HEAP] [ ]

This still gives us over 8 million results. This is why I talk about patience. This process is a LOT slower than finding an exact value, but the positive side of it is that it will almost always find the value you are looking for (if your search settings are correct). It is also very important to remember where your last search was tested at (another reason to pause the game before searching). If you aren't entirely sure (for example, somewhere in the middle), do a search near the start or end of the cooldown. I want you to try and do these searches yourself and try to get down to less than 50 results. Remember, patience and focus: don't get distracted and take your time to do it right.

Pokemon_Quest_11.jpg

As you can see, I still have 39 results, but some of them are 0 and most of them are very large numbers that don't make sense. The reason for this is that we searched for a U32 instead of a Float. Floats are almost always used for anything that has a decimal place: timers, bars, fractions, percentages, etc. There are 2 features I want to go over with you. The first is switching between decimal and hexadecimal. While on the search results, you can press R and it will switch between the 2. This is not completely useful to us right now, but in case you accidentally press it, you should now know how to get it back. The other feature is how to switch the memory type displayed. If you notice this (1) part of the search type, it says U32 (like we have been searching), but if you hold ZL and press either L or R, you can switch it to different types displayed. Go ahead and hold ZL and press R until you are displaying F32; it should look like this:

Pokemon_Quest_12.jpg

Now those look like percentages, or at least decimals. If you see my first 3 and last 3 results, they display 0.91, which is about what my current cooldown is. We can freeze each one and see what it does. Okay, so that didn't work, and some of them caused the cooldown display to become glitchy. These are display values (similar to the ones we found with known values). These are the actual graphs for the player to see. That doesn't help us right now, so let's look at result #4. If you compare that result to how long it takes the skill to come off of cooldown, you should notice that it is the actual cooldown time in seconds! So let's try freezing it! Sure enough, that address is the cooldown timer remaining. Now think back to the searches performed to get here. Are there some other searches we could have run to narrow down the results? Maybe watch how the cooldown operates at different points (like when the skill is active, what is the cooldown at? 0? Hmm, maybe that is why I had you search once the bar is moving). Can we make a cheat out of this value? Try freezing the cooldown at 0 and using the skill; what happens? What about setting the cooldown to 0 once the cooldown activates? (Make sure you go back to F32 to change the values, since this is actually an F32 value.) Nothing seems to be working... so can we still use this for a cheat? The short answer is yes, but it won't be a simple cheat (we will go over this more when we get to advanced cheat creation!). I would suggest practicing this a few times with the other Pokemon skills, and once you are comfortable we can move on to Pokemon HP.
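An added example, not part of the original guide: a Python simulation over constructed snapshot data showing why the U32 fuzzy searches above still keep an F32 cooldown timer. For positive IEEE-754 floats, the raw bits read as an unsigned integer rise and fall together with the float value. The cell names and all values are made up for the demo.

```python
import struct

# Constructed 4-byte cells standing in for heap memory; names are demo labels.
CELLS = ["timer_f32", "bar_f32", "frame_u32", "const_u32", "noise_u32"]
SNAPSHOTS = [  # (seconds left, bar fraction, frame counter, constant, noise)
    (4.8, 0.96, 1000, 816, 7),   # skill just used: first unknown search
    (3.8, 0.76, 1060, 816, 3),   # a second later
    (4.9, 0.98, 1500, 816, 9),   # skill used again, cooldown restarted
    (2.0, 0.40, 1680, 816, 9),   # later in the same cooldown
]

def pack(snapshot):
    """Serialise one snapshot to little-endian bytes, as memory would hold it."""
    return struct.pack("<ffIII", *snapshot)

def as_u32(raw):
    return struct.unpack("<5I", raw)

def as_f32(raw):
    return struct.unpack("<5f", raw)

FILTERS = {
    "DIFF": lambda old, new: old != new,  # value changed
    "++": lambda old, new: new > old,     # value increased
    "--": lambda old, new: new < old,     # value decreased
}

def narrow(ops):
    """Apply one comparison per snapshot transition, reading every cell as U32."""
    dumps = [as_u32(pack(s)) for s in SNAPSHOTS]
    alive = set(range(len(CELLS)))
    for step, op in enumerate(ops, start=1):
        prev, cur = dumps[step - 1], dumps[step]
        alive = {i for i in alive if FILTERS[op](prev[i], cur[i])}
    return sorted(alive)

def show(indices):
    """Show survivors as (U32 view, F32 view), like switching the display type."""
    raw = pack(SNAPSHOTS[-1])
    u, f = as_u32(raw), as_f32(raw)
    return {CELLS[i]: (u[i], round(f[i], 2)) for i in indices}

if __name__ == "__main__":
    print(show(narrow(["DIFF", "++"])))        # counters still in the list
    print(show(narrow(["DIFF", "++", "--"])))  # only the two floats remain
```

The varied `--` pass is what drops the ever-increasing frame counter, and the display fraction survives alongside the real timer, matching the mix of results seen in the guide.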

Finding a Semi-Unknown Value (HP)

Now to find a Pokemon's HP value. Normally, this means we will have to start our unknown search and then only do decreased-value searches (--). This makes it more difficult because some games have things like a timer that counts in the background (like a mission timer or boss enrage timer). This can be true for the inverse too (again, a mission timer or enemy defeat counts). This is why it is important to vary your searches to remove any results you may not want. Let's think about what kind of search we need to do. We are going to find our Pokemon's HP in battle, and we know what our Pokemon's max HP is (by looking at the Pokemon Equip screen), so we can try a Semi-Unknown search. I'll be using my Snorlax for this search.

Pokemon_Quest_13.jpg

Let's start a new Expedition. Once started, pause, and search using the following search settings:

[U32] [==] [HEAP] [***]

*** use your own Pokemon's max HP value here

Pokemon_Quest_14.jpg

As you can see, there are only 567 results. This is good because we don't have a lot to look through, but let's play the game, reduce our Pokemon's HP and do another search.

Pokemon_Quest_15.jpg

As you can see, my Snorlax has taken some damage. Let's search with these search settings:

[U32] [<] [HEAP] [***]

*** for this example I would leave this as your Pokemon's max HP

Pokemon_Quest_16.jpg

As you can see, we are down to 48 results. This is a reasonable number where we could try and work through what possible values are correct (or just notice that the highlighted one is the real value, but we are going to ignore it for now). But let's do one more search to really narrow down our results. Go back to the game, let it play for a sec, and pause.

Pokemon_Quest_17.jpg

As you can see, my Snorlax has most of his HP available. I'm going to use the following search settings:

[U32] [>] [HEAP] [***]

*** I used 600, which is about 75% of max HP. This gives me a buffer to make sure I remove as many invalid results as possible but don't accidentally remove the result I want.

Pokemon_Quest_18.jpg

As you can see, we are down to 17 results, but we have a lot of results that are more than our Pokemon's max HP (816). We can either do another search to remove all the values above that max HP or just ignore them. I'm going to ignore them and focus on that 2nd result. Could 743 be our Pokemon's HP? It definitely looks like it could be. So let's set the value (highlight it and press A) to 816 (our max HP), then freeze it (press X) and see what happens in our game.

Pokemon_Quest_19.jpg

If you noticed, our Pokemon's HP bar didn't instantly go up, but after taking damage the HP bar went to full. We will need to remember this when we go to create our cheats.

Starter Guide Conclusion

Congratulations! If you have worked your way to this point in the guide, you should feel comfortable being able to find a value in a game. I would suggest trying this out in a different game without the guide to see if you can find values by yourself. You will need to be able to do this reliably in order to create cheats for games, so the more practice the better! Here is some advice to get you started. Generally speaking, U16 is a fairly safe search to start with. Until you get more experience on how to determine values, I would start with this. If you still can't find the value, try float or U8. If you still can't find it, ask for help from an experienced cheat creator. Most of us don't have a problem answering if you have given honest effort first. The reason you aren't able to find a value could be because there is a trick to the game, the value is encrypted (like in XCOM 2), the value you are searching for doesn't actually exist, or you simply messed up on your search. An experienced cheat creator will be able to help find out which of these issues it is. Once you feel like you can find any value you are looking for, we can move on to actually creating a cheat!
