
Pointer Scanning

REghZy edited this page Aug 25, 2025 · 4 revisions

The pointer scanner window can be found in the Tools menu.


Finding pointers

At the moment, the pointer scanner can only search for a single target address, entered in the Search Address field of the Setup tab.

Memory Dumping

First make sure you're connected to the console via the xbdm connection.

The easiest way to dump the game's memory is to open the module explorer (in the Tools menu), select the game on the left (usually called default.xex), then click the Memory Dump button in the top-right. The engine window's status bar shows the progress of the dump.

Note

This button is not in the latest release; you'll need to compile from source.

Alternatively, you can go to File > Memory Dump and specify the module's Base Address and Module Size yourself.

Note down the game's Base Address field, which is in the Addressing and sizes panel. For example, I'm testing this using Black Ops 1, so this value is 82000000.

Loading pointer map

  • Click Open Memory File... and select the memory dump file.
  • It will ask if the data is little endian; click No (assuming you're using an Xbox 360, which is big-endian).
  • It will ask for the base address; paste in the value from the module explorer (82000000 in my case).

Setup pointer scan options

All of the options are in the Setup tab. Once a pointer map is loaded, you don't need to touch Addressable Base or Addressable Length.

  • Max Depth: the maximum number of offsets a pointer chain can have (e.g. when set to 4, 820060CC->FF->2CC->565->8F8 is discoverable, since it has no more than 4 offsets).

  • Minimum Offset: the smallest offset value allowed. This is used to mitigate extremely long scans caused, I think, by linked lists whose nodes' next-node pointer is at offset 0. By default this value is 4; however, this presents another issue: a pointer that points directly to another pointer (which would need an offset of 0) will not be discoverable.

    Set this value to 0 if you're not finding anything.

  • There are two maximum offsets (the maximum allowed offset from a base address; e.g. when set to 0x4000, the pointer 82006000->40FF->2FC will not be found, because 0x40FF exceeds the limit).

    The <2 field should ideally be equal to or larger than the >= 2 field; the general idea is that a small struct won't point to a huge struct, but this isn't always the case, which is why both fields have the same default value of 0x4000.

  • Search Address: the actual address you want to search for, e.g. the ammo count in a game.

  • Alignment: the size of a pointer (pointers are only read from addresses that are a multiple of this). You shouldn't normally need to change this.

Running the scan

Once all options are configured, click Run Scan.

Depending on the size of the game and, mainly, the Max Depth, the scan could take between a few milliseconds and a few decades.

For Black Ops 1, scanning for the static address of player 1's X position (8303A62C) yields quite a few results in a few seconds.


Note

Double-click a result to open a dialog showing the pointer chain and the resolved address at each step, all of which can be copied and pasted.

These pointer chains can then be pasted into the address field of a saved address back in the engine window.
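To make the Setup-tab options above (Max Depth, Minimum Offset, the maximum offset, Alignment and Search Address) and the chain-resolution step concrete, here is an added Python example of the reverse pointer search over a big-endian dump. It is not MemEngine360's own code: the dump contents, the 0x500-byte size, the choice of the first 0x100 bytes as the module's "static" range and the target address are all constructed for the demo, and the two maximum-offset fields are collapsed into a single max_offset.

```python
"""Toy pointer scanner over a big-endian memory dump (added example, not the tool's code).

All addresses and the dump contents are constructed; the only value taken from the
page is the module base 0x82000000.
"""
import bisect
import struct
from typing import Dict, List, Tuple

Chain = Tuple[int, List[int]]          # (static address, offsets), e.g. (0x82000060, [0x10, 0x2C])

BASE = 0x82000000                      # module base address from the page's Black Ops 1 example
STATIC_RANGE = (BASE, BASE + 0x100)    # assumption: first 0x100 bytes stand in for the module's static data
TARGET = BASE + 0x32C                  # constructed "Search Address" (a field inside a position struct)


def build_dump() -> bytes:
    """Construct a 0x500-byte dump containing a few pointer chains (constructed data, not a real game)."""
    mem = bytearray(0x500)

    def poke_u32(addr: int, value: int) -> None:
        struct.pack_into(">I", mem, addr - BASE, value)   # Xbox 360 is big-endian, hence ">I"

    poke_u32(BASE + 0x060, BASE + 0x200)   # static slot -> "player" struct at +0x200
    poke_u32(BASE + 0x210, BASE + 0x300)   # player+0x10  -> "position" struct at +0x300
    poke_u32(BASE + 0x080, BASE + 0x300)   # second static slot -> position struct directly
    poke_u32(BASE + 0x090, BASE + 0x480)   # static slot -> a slot that itself holds a pointer
    poke_u32(BASE + 0x480, BASE + 0x300)   # pointer-to-pointer: only reachable with an offset of 0
    poke_u32(TARGET, 0x000000FF)           # the value we search for lives here (not a pointer)
    return bytes(mem)


def read_u32(dump: bytes, base: int, addr: int) -> int:
    """Read a big-endian 32-bit value at an absolute address inside the dump."""
    return struct.unpack_from(">I", dump, addr - base)[0]


def build_pointer_map(dump: bytes, base: int, alignment: int = 4) -> Dict[int, List[int]]:
    """Pointer map: pointed-to address -> list of slots holding it.

    Only slots at multiples of `alignment` are read (the Alignment option), and only values
    inside the addressable range [base, base + len) are treated as pointers."""
    lo, hi = base, base + len(dump)
    by_value: Dict[int, List[int]] = {}
    for off in range(0, len(dump) - 3, alignment):
        value = struct.unpack_from(">I", dump, off)[0]
        if lo <= value < hi:
            by_value.setdefault(value, []).append(base + off)
    return by_value


def scan(pmap: Dict[int, List[int]], target: int, max_depth: int = 4, min_offset: int = 4,
         max_offset: int = 0x4000, static_range: Tuple[int, int] = STATIC_RANGE) -> List[Chain]:
    """Reverse search from the target address.

    At each level we look for slots whose value v satisfies min_offset <= addr - v <= max_offset.
    A chain is reported whenever such a slot lies in the static range; the walk also continues
    past the slot until max_depth offsets have been used, so deeper chains through it are found."""
    values = sorted(pmap)
    static_lo, static_hi = static_range
    results: List[Chain] = []

    def walk(addr: int, offsets: List[int]) -> None:
        lo_i = bisect.bisect_left(values, addr - max_offset)
        hi_i = bisect.bisect_right(values, addr - min_offset)
        for v in values[lo_i:hi_i]:
            chain = [addr - v] + offsets
            for slot in pmap[v]:
                if static_lo <= slot < static_hi:
                    results.append((slot, chain))
                if len(chain) < max_depth:
                    walk(slot, chain)

    walk(target, [])
    return results


def resolve_chain(dump: bytes, base: int, static_addr: int, offsets: List[int]) -> int:
    """Follow a chain the way the result dialog does: read a pointer, add the offset, repeat."""
    addr = static_addr
    for off in offsets:
        addr = read_u32(dump, base, addr) + off
    return addr


def format_chain(chain: Chain) -> str:
    """Render a chain in the page's notation, e.g. 82000060->10->2C."""
    static_addr, offsets = chain
    return "->".join([f"{static_addr:X}"] + [f"{o:X}" for o in offsets])


if __name__ == "__main__":
    dump = build_dump()
    pmap = build_pointer_map(dump, BASE)
    for min_off in (4, 0):
        print(f"Minimum Offset = {min_off}:")
        for chain in scan(pmap, TARGET, max_depth=4, min_offset=min_off, max_offset=0x100):
            print("  ", format_chain(chain), "resolves to", f"{resolve_chain(dump, BASE, *chain):X}")
```

With Minimum Offset 4 the scan finds 82000080->2C and 82000060->10->2C; lowering it to 0 additionally finds 82000090->0->2C, the pointer-to-pointer case the page warns is hidden by the default. Raising max_offset to 0x4000 also admits 82000060->12C, which a limit of 0x100 rejects, and Max Depth 1 keeps only the single-offset chain.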
