Homebrew RELEASE Noexs Remote Debugger

[DocKlokMan]

That reminds me I need to actually pretty-print those results lol. Anything where mod is 349 means it's a Noexs error.

See this for reference:
https://github.com/mdbell/Noexes/blob/master/server/source/noexs/include/errors.h#L8


Oh and Noexs originally was a port of TCPGecko, just after we had about half of it working we realized there is too much different between the Wii(U) and the switch. Wound up being easier to just start over from scratch.

Yeah, so far this is my experience:
Scan PIDs and attach to process: works
Search HEAP for Known value: Game pauses and proceeds to dump 3GB at 3-4 MB/s, so it takes roughly 20 minutes for the scan to finish.
After scan results appear: Game did not resume. When pressing Run game get error "Unable to resume".
Detach from PID and game resumes. Re-attach and game auto pauses again.
Changed value in-game while detached, re-attached and ran comparison search: expected results found.

Since game will not resume while attached I cannot test poking or locking the value.

At this point the Switch fell asleep and would not wake. Forced restart needed.

From what I've seen though this has great potential. Will post more as I manage to test more out.

 

[straumli]

Thanks for sharing the videos, looks indeed very nice. reminds me of action replay kits on the Amiga, manipulating memory addresses

 

[matt123337]

Yeah, so far this is my experience:
Scan PIDs and attach to process: works
Search HEAP for Known value: Game pauses and proceeds to dump 3GB at 3-4 MB/s, so it takes roughly 20 minutes for the scan to finish.
After scan results appear: Game did not resume. When pressing Run game get error "Unable to resume".
Detach from PID and game resumes. Re-attach and game auto pauses again.
Changed value in-game while detached, re-attached and ran comparison search: expected results found.

Since game will not resume while attached I cannot test poking or locking the value.

At this point the Switch fell asleep and would not wake. Forced restart needed.

From what I've seen though this has great potential. Will post more as I manage to test more out.

The 3-4MB/s is due to your network, if you have a router that supports 5GHz try using that (I get between 10-25MB/s). Can you also check the console (run the command "java -jar JNoexes.jar" from terminal/command line) for anything being logged when you see "Unable to resume"? I haven't actually seen that problem and it could be another networking issue on your end.

 

[DocKlokMan]

The 3-4MB/s is due to your network, if you have a router that supports 5GHz try using that (I get between 10-25MB/s). Can you also check the console (run the command "java -jar JNoexes.jar" from terminal/command line) for anything being logged when you see "Unable to resume"? I haven't actually seen that problem and it could be another networking issue on your end.

Tried it again, still slow transfer speeds but the game was able to resume this time. Poking and locking worked perfect. Will be trying an unknown value search next.

EDIT: Success, found the address for Hearts and Stamina. When I have the time I may try and get the pointers for them.

EDIT2: And the meal time! This is fantastic.

 

[BullyWiiPlaza]

@matt123337
I'm not sure if it's still relevant but I got the Capstone Java bindings to work. You just need to place the capstone.dll in the root of your application or the resources folder. Then I have the following class for PowerPC disassembling (I think the Switch uses a different architecture but you'll easily figure out how to adapt it):

import capstone.Capstone;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.val;

import java.nio.ByteBuffer;

import static capstone.Capstone.CS_ARCH_PPC;
import static capstone.Capstone.CS_MODE_BIG_ENDIAN;

/**
 * PowerPC disassembler engine powered by the Capstone disassembly framework
 */
@AllArgsConstructor
public class PowerPCDisassembler
{
    private static final Capstone CAPSTONE;

    static
    {
        CAPSTONE = new Capstone(CS_ARCH_PPC, CS_MODE_BIG_ENDIAN);
    }

    @Getter
    private int[] machineCode;

    @Getter
    private int address;

    public static Capstone.CsInsn[] disassemble(int[] machineCode, int address)
    {
        val machineCodeByteArray = toByteArray(machineCode);
        return CAPSTONE.disasm(machineCodeByteArray, address);
    }

    private static byte[] toByteArray(int[] array)
    {
        val byteBuffer = ByteBuffer.allocate(array.length * 4);
        val intBuffer = byteBuffer.asIntBuffer();
        intBuffer.put(array);
        return byteBuffer.array();
    }

    Capstone.CsInsn[] disassemble()
    {
        return disassemble(machineCode, address);
    }

    public static void initializeDisassembler()
    {
        // Purposely empty
    }
}

Alternatively you can still use objdump from devkitPro and parse it. I use that for JGecko U to provide a platform-independent disassembler if people have devkitPro installed.

 

[tomGER]

Awesome work!

 

[matt123337]

@matt123337
I'm not sure if it's still relevant but I got the Capstone Java bindings to work. You just need to place the capstone.dll in the root of your application or the resources folder. Then I have the following class for PowerPC disassembling (I think the Switch uses a different architecture but you'll easily figure out how to adapt it):

import capstone.Capstone;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.val;

import java.nio.ByteBuffer;

import static capstone.Capstone.CS_ARCH_PPC;
import static capstone.Capstone.CS_MODE_BIG_ENDIAN;

/**
 * PowerPC disassembler engine powered by the Capstone disassembly framework
 */
@AllArgsConstructor
public class PowerPCDisassembler
{
    private static final Capstone CAPSTONE;

    static
    {
        CAPSTONE = new Capstone(CS_ARCH_PPC, CS_MODE_BIG_ENDIAN);
    }

    @Getter
    private int[] machineCode;

    @Getter
    private int address;

    public static Capstone.CsInsn[] disassemble(int[] machineCode, int address)
    {
        val machineCodeByteArray = toByteArray(machineCode);
        return CAPSTONE.disasm(machineCodeByteArray, address);
    }

    private static byte[] toByteArray(int[] array)
    {
        val byteBuffer = ByteBuffer.allocate(array.length * 4);
        val intBuffer = byteBuffer.asIntBuffer();
        intBuffer.put(array);
        return byteBuffer.array();
    }

    Capstone.CsInsn[] disassemble()
    {
        return disassemble(machineCode, address);
    }

    public static void initializeDisassembler()
    {
        // Purposely empty
    }
}

Alternatively you can still use objdump from devkitPro and parse it. I use that for JGecko U to provide a platform-independent disassembler if people have devkitPro installed.

I didn't look into it too much, but it was loading the library and some functions were working (like get version) but I was getting some vague memory access violations. Wasn't a huge issue at the time, and what I have works for now. I'll probably look into it more later.

And I mean no offence, but I was trying to avoid having my software be anything like JGeckoU. Y'all got some serious feature bloat.

 

[DocKlokMan]

I didn't look into it too much, but it was loading the library and some functions were working (like get version) but I was getting some vague memory access violations. Wasn't a huge issue at the time, and what I have works for now. I'll probably look into it more later.

And I mean no offence, but I was trying to avoid having my software be anything like JGeckoU. Y'all got some serious feature bloat.

It's looking good. I managed to find the meal time and freeze it. Ever consider having a float value option? That way we can see values as floats, may make it easier (certainly would have for the meal time. It's stored as (seconds*30) as a float hex value.

 

[mezz0]

thank you for sharing!

 

[matt123337]

It's looking good. I managed to find the meal time and freeze it. Ever consider having a float value option? That way we can see values as floats, may make it easier (certainly would have for the meal time. It's stored as (seconds*30) as a float hex value.

Great idea! Any chance you could post your suggestion(s) as issues on github? A bit easier to track there.

 

[KeyZiro]

Excellent work !

 

[fadx]

Great work, it's awesome to see all these remote memory editing applications!

 

[Thijsje183]

Looks good!
But could someone explain me how to build the Client?

 

[matt123337]

Looks good!
But could someone explain me how to build the Client?

Open the iml project in IntelliJ and you should be able to build it from there (iirc you need Java8 and java 10, all because the SceneBuilder doesn't use the latest jdk :/)

 

[KeyZiro]

Is there an option to go directly to a pointer ?

 

[matt123337]

Is there an option to go directly to a pointer ?

What do you mean? To find one or resolve one?

 

[KeyZiro]

What do you mean? To find one or resolve one?

I mean to follow one you already found so you don't have to check it manually

 

[matt123337]

I mean to follow one you already found so you don't have to check it manually

Oh uh that's also in my todo list. a cheap workaround for now would be to just add the addresses into the watchlist as a 64-bit value.


Oh and just a heads up... All your pointers should be within the CODE_MUTABLE memory region right after the main module, and should be calculated relative to it. If it's anywhere else it'll be at a totally different address next time you start the game (due to ASLR)


An example from blossom tails:

Player X:    [main+3cfa320] + 10
Player Y:    [main+3cfa320] + 18
Health    :    [main+3cfa320] + 60
Money    :    [main+3cfa320] + 150
Mushroom:    [main+3cfa320] + 174
Feather    :    [main+3cfa320] + 17c
Scroll    :    [main+3cfa320] + 188
Magic    :    [main+3cfa320] + 194

 

[BullyWiiPlaza]

And I mean no offence, but I was trying to avoid having my software be anything like JGeckoU. Y'all got some serious feature bloat.

lol, this is what happens if something is developed for about 2 years. Plus, nearly all features are actually needed so why is it bad? Not even all ideas are implemented yet due to some technical difficulties I guess. Your software might get there as well later, you are quite closely following JGecko U's paths with functionality according to I've seen in the GUI though. People will want more and more stuff.

 

[DarkFlare69]

This worked for me on my first try, which isn't something I can say about a lot of things. Thanks for releasing!