RealTime RAM Hacking Guide
Written by: Qjimbo

Preface
Hi, and welcome to my realtime RAM hacking guide. In this document I'll be covering the basic aspects of hacking an emulator's RAM realtime in order to achieve things that would be much harder to do normally. However, to really benefit the most from this you have to know how to program in at least Visual Basic or Delphi, but thankfully these languages are fairly easy to pick up.

TSearch and RAM Editing Basics
The first thing I'll be covering here is using a program called TSearch to edit the RAM. This program allows you to open up any process, does most of the hard work for you, and lets you easily modify values. To start you off on your journey of RAM hacking, we're going to modify how many rings Sonic has.

::Editing variables realtime with TSearch. Example: Rings

1) Download TSearch here. Then run TSearch.exe. Take some time to get used to it if you need to.
2) Run your chosen emulator, preferably Gens/Gens+ or Kega. I'll be using Gens+.
3) Go to TSearch and click the down arrow next to Open Process. Choose your emulator from the list.

4) Go back to your emulator, and load up any version of Sonic. I'll be using Sonic 2.
5) Start a game, and grab a few rings. Then pause your game and click the magnifying glass icon on the left of the window.

6) In the window, search for an Exact Value, type in how many rings you have in the Value box, and select the type as 1 byte. The reason it is 1 byte is because 1 byte can hold a number from 0 to 255, and the number we are searching for is no bigger than 255.

7) Hit OK, and TSearch will search the RAM for that number. It's likely you will get a lot of results. It found 36152 occurrences of 3 when I searched it. However, it is very easy to narrow it down! Go back to your game and collect a few more rings.
8) Now go back to TSearch and click the Magnifying glass with 3 dots next to it. This handy function will allow you to search for values within your results.

9) Now search for what your rings are currently at and hit OK.

10) And bam, one result. This time I was lucky; sometimes you can hit coincidences where a value changes to the same as your rings, and you have to repeat the "grab more rings and search again" procedure.

11) Double clicking on this result will move it to the "Cheat List". Double clicking on the value column will allow you to edit its value. I've put in the number 10.

12) Now in-game this will appear as 6, or whatever the number was before, until you collect another ring. Once I collected a ring, the number jumped up to 11.

And there you have it, the ability to modify variables in Genesis RAM realtime. Easy, no?
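
The narrowing procedure from steps 6 to 10, as an added example in Python (not part of the original guide and not TSearch's own code): an exact 1-byte search over a snapshot, then "search within results" against later snapshots until one address remains. The buffers, offsets and function names are constructed for illustration.

```python
RING_OFFSET = 0x2A   # constructed: where the sample buffers keep the ring count
DECOY_OFFSET = 0x10  # constructed: unrelated byte that matches by coincidence


def make_snapshot(rings, decoy):
    """Build a 64-byte stand-in for emulator RAM (constructed sample data)."""
    ram = bytearray([3] * 8 + [0] * 56)  # eight unrelated bytes stuck at 3
    ram[DECOY_OFFSET] = decoy
    ram[RING_OFFSET] = rings
    return bytes(ram)


def first_scan(snapshot, value):
    """Steps 6-7: exact-value, 1-byte search over the whole snapshot."""
    if not 0 <= value <= 255:
        raise ValueError("a 1-byte search can only match 0..255")
    return [off for off, byte in enumerate(snapshot) if byte == value]


def next_scan(candidates, snapshot, value):
    """Steps 8-9: search within results, keeping offsets that hold the new value."""
    return [off for off in candidates if snapshot[off] == value]


def narrow(observations):
    """Apply first_scan to the first (snapshot, value) pair and next_scan to
    each later pair; return the candidate list after every pass."""
    history, candidates = [], None
    for snapshot, value in observations:
        if candidates is None:
            candidates = first_scan(snapshot, value)
        else:
            candidates = next_scan(candidates, snapshot, value)
        history.append(candidates)
    return history


def demo():
    observations = [
        (make_snapshot(rings=3, decoy=3), 3),    # first search: many hits
        (make_snapshot(rings=6, decoy=6), 6),    # decoy changed to 6 as well
        (make_snapshot(rings=11, decoy=9), 11),  # third pass removes the decoy
    ]
    return narrow(observations)


if __name__ == "__main__":
    for n, hits in enumerate(demo(), start=1):
        print(f"pass {n}: {len(hits)} candidate(s)", [hex(o) for o in hits[:4]])
```

The second pass still leaves two candidates because the decoy byte changed to the same value, which is the coincidence case from step 10; the third pass resolves it.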

::Using Saxman's hacking guide in conjunction with RealTime RAM hacking

Using the address we found in the last tutorial (in my case $6C6160), we can combine this information with Saxman's guide's topic on basic configurations in a Genecyst savestate, available here.

If we take our value $6C6160, and subtract $012298, we should get the difference between savestate addresses and RAM addresses. To perform calculations such as this, open up Calculator, put it in scientific mode and choose Hex. The number we get is $6B3EC8.
This number will only work in Gens+, and most likely only in the version I have, which is one of the downsides to RAM hacking. RAM hacking is very emulator specific, and as soon as a new emulator version is out, you have to find this savestate/RAM base number again.

However, once you have this number, you can add it to any of the values in Saxman's guide to edit that value realtime. Take the number $01228A, which is the location of Player 1's lives in a savestate. If we add this to our RAM base value, we get the location of Player 1's lives in RAM, in my case $6C6152. Click the new cheat button in TSearch to enter this value in:


However, after entering this, the number turned up as 0.

However, if I increased the address by 1, I got the lives. I'm not totally sure what causes these anomalies. If we compare the savestate version to the one in RAM:
Savestate: 0200000000000000000000000100004C
------RAM: 020000000000000000000000014C

The 4C value is the rings, and as you can see, the savestate and RAM versions are different. The only way to really combat this is to have a savestate open, and open up the hex editor in TSearch. Using Saxman's guide will give you roughly the right address.

Programming with memory hacking techniques

For quick tests and stuff, TSearch is fine, but if you want to really maximise the potential of RAM hacking, especially if you want to use it in distributable hacks, you have to learn how to access the RAM yourself through programming. If you are an expert programmer, you can read the following MSDN articles and work it out:
FindWindow API
GetWindowThreadProcessId API
OpenProcess API

However, if you are not, I will explain the basics for opening a process in Delphi:
1) Firstly, you have to get the Window Handle for the Emulator using the FindWindow API.
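// FindWindow takes (lpClassName, lpWindowName): pass nil for the class and the window title second.
FindWindow(nil,PChar(titlesearch));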