ROM Hack Discussion Animal Crossing: New Horizons -- Reverse Engineering, Glitches, Bugs, etc. thread!

[Mopquill]

For that specific code? Yes. You would need to change the address (474856C4 in the heap) in order to replace a different Amiibo. In any case it would need to be an Animal Crossing Amiibo (the only ones that seem to be properly read by the game), and preferably one of the Villager ones (as I'm not sure making a non-villager Amiibo summon a villager won't cause issues).

I can find the address for a different Animal Crossing Amiibo if you want. Just don't expect a quick response.

Another way would be to make a code that writes that value 473 times, spaced 0x1C bytes apart, starting at HEAP+0x474852F0 and ending at HEAP+0x47488690; this would make every single Animal Crossing Amiibo summon the code-defined villager, but it's such a blunt approach I can't guarantee it won't have side-effects. For starters, you would need to restart the game in order to use any other Amiibo.

If you're not opposed, I can add a "Curt code" bit to my villager generator.

I think I've got it programmed, I'll enable it if you are good with it; I figure it'll save you effort of people bugging you for codes.

 

[conanac]

Does anyone have the updated code to change turnip prices? I looked through the last 30 pages+searched but didn't see it.

Try this one for version 1.2.0:

Spoiler

[turnip buying at 1 and selling at 990]
04100000 AB2B0B38 00000001
04100000 AB2B0B44 000003DE
04100000 AB2B0B48 000003DE
04100000 AB2B0B4C 000003DE
04100000 AB2B0B50 000003DE
04100000 AB2B0B54 000003DE
04100000 AB2B0B58 000003DE
04100000 AB2B0B5C 000003DE
04100000 AB2B0B60 000003DE
04100000 AB2B0B64 000003DE
04100000 AB2B0B68 000003DE
04100000 AB2B0B6C 000003DE
04100000 AB2B0B70 000003DE

Enjoy

 

[FabioCapela]

I think I've got it programmed, I'll enable it if you are good with it; I figure it'll save you effort of people bugging you for codes.

Go for it.

Though AFAIK the last request was to change the amiibo used, not the villager received; changing the amiibo is a reasonably more complex change.

 

[estoe]

ok i don't know what im doing wrong, but i entered the codes for the gold tool DIYs and they work. But the codes for the tools themselves don't. Can anyone post the codes for those?

 

[DocKlokMan]

This is still a work in progress. I'm trying to grab pointer info from the currently selected villager on the Map app in the Nook phone to improve this but in the meantime, here's an eviction cheat:

[Evict Villager X]
400A0000 00000000 0000000X
780A2000 00012AB0
021A0000 AAEB0AF2 00000002
021A0000 AAEB0B24 00000001

X corresponds to a villager's index number. It can be 0 - 9. There's no good way to know which villager is which index (unless you load your save in NHSE but then you might as well use that to do the same thing). Some restrictions, only evict one villager a day. Activating them will have them in their packing stage and ready for someone from another town to invite them. They'll move out the next day and leave an empty plot ready for a camper or mystery island villager or villager from someone else's island.

If anyone can help with finding a pointer to villager data via the Map app on the Nook phone, hit me up, Values to look for:

Villager 0: HEAP+0xAAE9EBF8
Villager 1: HEAP+0xAAEB16A8
Villager 2: HEAP+0xAAEC4158
Villager 3: HEAP+0xAAED6C08
Villager 4: HEAP+0xAAEE96B8
Villager 5: HEAP+0xAAEFC168
Villager 6: HEAP+0xAAF0EC18
Villager 7: HEAP+0xAAF216C8
Villager 8: HEAP+0xAAF34178
Villager 9: HEAP+0xAAF46C28

 

[Mopquill]

Go for it.

Though AFAIK the last request was to change the amiibo used, not the villager received; changing the amiibo is a reasonably more complex change.

Cool! And yeah, I saw that, but that wouldn't be too much harder for me to implement, I'd just need to make a big file correlating each villager with an offset from the base amiibo address. That can be a later thing. XD

This is still a work in progress. I'm trying to grab pointer info from the currently selected villager on the Map app in the Nook phone to improve this but in the meantime, here's an eviction cheat:

Very nice!

 

[h448]

This is still a work in progress. I'm trying to grab pointer info from the currently selected villager on the Map app in the Nook phone to improve this but in the meantime, here's an eviction cheat:

[Evict Villager X]
400A0000 00000000 0000000X
780A2000 00012AB0
021A0000 AAEB0AF2 00000002
021A0000 AAEB0B24 00000001

X corresponds to a villager's index number. It can be 0 - 9. There's no good way to know which villager is which index (unless you load your save in NHSE but then you might as well use that to do the same thing). Some restrictions, only evict one villager a day. Activating them will have them in their packing stage and ready for someone from another town to invite them. They'll move out the next day and leave an empty plot ready for a camper or mystery island villager or villager from someone else's island.

If anyone can help with finding a pointer to villager data via the Map app on the Nook phone, hit me up, Values to look for:

Villager 0: HEAP+0xAAE9EBF8
Villager 1: HEAP+0xAAEB16A8
Villager 2: HEAP+0xAAEC4158
Villager 3: HEAP+0xAAED6C08
Villager 4: HEAP+0xAAEE96B8
Villager 5: HEAP+0xAAEFC168
Villager 6: HEAP+0xAAF0EC18
Villager 7: HEAP+0xAAF216C8
Villager 8: HEAP+0xAAF34178
Villager 9: HEAP+0xAAF46C28

Wouldn't the villager index simply be the order you invited them? Assuming you haven't had anyone leave quite yet.

 

[Mopquill]

Mkay, I have the amiibo code on the generator. There's an extra line break in there for some reason, I'll fix it later.

 

[DocKlokMan]

Wouldn't the villager index simply be the order you invited them? Assuming you haven't had anyone leave quite yet.

The index doesn't shift. If you have 10 villagers, evict villager 2, then get an 11th villager the 11th villager becomes villager 2. After a few evictions and new people moving in it'd be impossible to remember who took who's spot.

 

[h448]

The index doesn't shift. If you have 10 villagers, evict villager 2, then get an 11th villager the 11th villager becomes villager 2. After a few evictions and new people moving in it'd be impossible to remember who took who's spot.

Well, yes, but if you haven't kicked any people out yet it would just be in the original order you invited them. I placed their houses in order to visually help me remember the order they're in as well, but I guess most people probably didn't do that.

 

[FabioCapela]

The index doesn't shift. If you have 10 villagers, evict villager 2, then get an 11th villager the 11th villager becomes villager 2. After a few evictions and new people moving in it'd be impossible to remember who took who's spot.

Given that the first two bytes are the species and variant, you could use a loop and a comparison to go through all the villagers and only evict a specific one defined in the code. Not as elegant as a code that allows you to select from the map, but easier to use and less error-prone than a code based on the index.

 

[DocKlokMan]

Given that the first two bytes are the species and variant, you could use a loop and a comparison to go through all the villagers and only evict a specific one defined in the code. Not as elegant as a code that allows you to select from the map, but easier to use and less error-prone than a code based on the index.

I thought of that but then you'd need to know the Species and variant of the character you want to evict which would just lead to everyone and their grandmother asking for an XXX or YYY evict code and we'd have 300+ cheats for to evict every villager.

I didn't find any pointers using the map, so instead I'm going to try searching for a talking pointer. Something like, hold L and talk to a villager to evict them.

 

[RyDog]

I'm new to hacking on the switch, and as an exercise, I decided try to port this same "No walls" cheat forward from 1.1.4 to 1.2.0. I got noexs up and running, and was able to find the same new offset (0xE95E50) for the "normal" value (0xB9538014).

However, when searching for the normal value for a "2× Move Speed" code (0xBD4F1E61), I've been unable to find it anywhere in the main address space. I'm not sure if I'm missing something, or if the default value has been changed by the update. Any suggestions?

I'd also love to learn more about how you found those default values (0xB9538014 / 0xBD4F1E61) in the first place. Thanks!!

Edit: I went back a few more pages in the thread, and saw that someone had actually updated the movement speed codes. Seems that the new default value is 0xBD4F9661. Still very keen to learn about the process for finding these values.

I don't know the exact way that the walk thru walls cheat was created, but this is a patch in the exefs region.
You can dump your game's exeFS using nxdumptool or use any other tool to extract your game's contents, but if you want to work with exefs cheats, then you'll need to extract the game's update.
These are the files that will be stored in the exefs

More info on what each of these files does can be found here but a lot of the game's executable contents are going to be that main file.
If you try opening those files in a Hex editor, you'll see a bunch of garbage.

It's because those are the game's binaries, which is compiled code. The switch uses the arm64 instruction set for binaries, so you'll need to understand arm/arm64 in order to start looking at these files.
You'll then want to use an arm64 decompiler, which will take a computer program's binary, and converts it into somewhat readable code. A free one is ghidra and you can use this plugin in order to make decompiling switch binaries a LOT easier.
Another option would be IDA Pro. I think IDA Pro is a lot better to use, but it costs a ton of money. You can find a leak of it somewhere... don't ask me though
If you get IDA Pro, then I recommend you check out nx2elf in order to convert the binary into an .elf file. It will format the binary so that IDA (and probably Ghidra, I haven't used it though) will know what architecture (arm64) this binary is, and it'll help it label some symbols.
Once you finally load it into your decompiler, everything will still look extremely puzzling. This is where the noclip cheat patches

As you can see, the instruction listed there is

LDR             W20, [X0,#0x1380]

In C, the function would look something like this:

__int64 __fastcall sub_E95E40(__int64 a1)
{
  unsigned int v1; // w20
  __int64 v2; // x19

  v1 = *(_DWORD *)(a1 + 4992);
  v2 = a1;
  if ( (unsigned int)((__int64 (*)(void))sub_EC0740)() != 21
    && (unsigned int)sub_EC0740(v2) != 38
    && (unsigned int)sub_EC0740(v2) != 39 )
  {
    if ( (*(_DWORD *)(v2 + 4072) | 1) == 3 && ((unsigned int)sub_EC0740(v2) == 67 || (unsigned int)sub_EC0740(v2) == 68) )
      v1 = 5;
  }
  else if ( *(_DWORD *)(v2 + 4072) == 1 )
  {
    v1 = 0;
  }
  return v1;
}

So it seems like w20 is returning which tile you're walking on
Which, if you either look at the game's binary in a hex editor would be

Don't trust HxD with just the main file alone, as the offsets don't line up... But this is what the offset would look like in memory, if main started at offset 0.
So you can see where the B9538014 came from. It's 14 80 53 B9 (what I have highlighted) backwards, as the Switch's CPU is little endian.
The patch that is written is 12800014 (14 00 80 12), which in arm64, is

MOV             W20, #0xFFFFFFFF

The patch is then changing w20 to 0xFFFFFFFF, which is -1 in a signed integer, which is breaking how the game loads collisions, which is how it lets you walk through walls.

How this was found originally? Reverse engineering. Either the original cheat creator knew how this function worked, or they probably were using a GDB debugger in order to put breakpoints on Animal Crossing, which I really can't figure out how to do that right now.

More information on how to reverse engineer Animal Crossing New Horizons can be found here , Ninji goes pretty in depth on there too, but he's a lot more experienced than me when it comes to reverse engineering, so you should try asking him if you have any more questions related to reverse engineering.

Hope this helps

 

[wangch]

https://dev.azure.com/project-pokemon/NHSE/_build?view=runs latest builds here

I also suggest failure
Software display offset

 

[Julikako86]

The Cheats "Walking trough walls (Press L)" and "Speed Up (Press B)" don't work in the latest version. Anyone can help me please?

 

[wangch]

You mean NHSE? I'd recommend you to just drag and drop the whole backup folder into the editor, not just main.dat file. I've been doing that and I don't get any errors using NHSE so far.

I have the same error
It used to work normally, but now it prompts error offset
Open main directly or drag the whole folder to prompt error

 

[Neo1103]

So it seems there still no free camera mod yet?

--------------------- MERGED ---------------------------

I have the same error
It used to work normally, but now it prompts error offset
Open main directly or drag the whole folder to prompt error

what version of the game are you on?

 

[RyDog]

How to port exefs cheats to new updates?
You'll need to compare binaries.
I'll look at this cheat for example, because I happen to still have my 1.1.4 binary.

[Movement Speed x3 (Hold B)]
04000000 00E7C920 BD4F1E61 // Writes 0xBD4F1E61 to MAIN + E7C920
80000002                                    // If B is pressed
04000000 00E7C920 1E211001 // Writes 0x1E211001 to MAIN + E7C920
20000000

More info on how Atmosphere cheats work is here
But simply put, that cheat broken down means that it's patching 0xE7C920 in the game's binary.

 LDR             S1, [X19,#0xF1C]

is BD4F1E61, the original instruction.

This looks like it's setting up a parameter to set your velocity?
The Sx registers are floating point registers, and it looks like S1 might be your current velocity and S0 is force?
The psuedocode/C code would look something like this probably...

float s1 = *(float*) *playerVelocity + 0xF1C;
float s0 = *force; // ? don't know if this is true or not, but thats what it looks like
if (s1 == s10)
{
    s0 = s1 - s0;
    if (s0 == s10)
    // other code I don't feel like explaining
}

The path is writing

FMOV            S1, #3.0

so instead of loading your current velocity, it's just telling that code that S1 is 3.0, when your normal velocity goes up to 1.0, so it'll just set your velocity to 3.0 - S0.

I'm just explaining how this function works. It's good to know what a exeFS cheat does before trying to port it.

Now onto porting it.

This should be really simple. IDA has a binary search, so go to where the offset of this instruction is on the update's binary file in the hex editor, highlight some bytes, copy it, and do a binary search on the new update's binary.

Each arm64 instruction is 32 bytes long, so you'll probably want to highlight at least 64 byes

You'll then do a binary search on the new update's exeFS to find any bytes. I couldn't find anything, so what must've happened is the function must've been rewritten, or Nintendo changed something that was in that class, so the code was recompiled... Which means that different registers must've been used.

That's no problem. This is why you need to understand how some of the game's code works. If you go to around this area in the exeFS, you should try looking for a function that looks like this:

loc_E7C944                              ; CODE XREF: sub_E7C490+49C↑j
.text:0000000000E7C944                 B.LE            loc_E7C96C
.text:0000000000E7C948                 FSUB            S0, S1, S0
.text:0000000000E7C94C                 FCMP            S0, S10
.text:0000000000E7C950                 CSET            W8, LS
.text:0000000000E7C954                 FCMP            S1, S0

If you remember earlier, that was how the game handled force?
Well that's a pretty simple function to search for.
You can either do a binary search of that function, or try looking around the exeFS for that function.
I ended up doing a binary search, and ended up finding the offset of this function!

So this should be the offset of the new code
Main + 0xF06FA8
As you can see, the instruction was changed from

LDR             S1, [X19,#0xF1C]

to

LDR             S1, [X19,#0xF94]

so it seems like where the game reads the velocity has changed a little.
That's no problem. The hexadecimal representation of this instruction is
BD4F9661 (61 96 4F BD)
Theoretically, this cheat should work:

[Movement Speed x3 (Hold B)]
04000000 00F06FA8 BD4F9661
80000002
04000000 00F06FA8 1E211001
20000000

 

[RyDog]

One final thing to add!
You can change the exeFS on the fly while using NoExes.
On the main tab in Noexes, you'll see a whole bunch of "pools" of memory.
If you right click on the one called main, and click on the dissembler part, it'll load you at offset 0 in the game's binary.

Because of ASLR, this offset will always be different, so you'll need to do this every time you reboot your game.
From there, you can use Windows calculator in programmer mode, or you can just google main start address + offset in exefs that you want to patch like this:

And then plug that into the dissembler part,
It'll give you a decompiled look at what the game's code looks like at that address.

If you select the address, you can then change the instruction that you want and click assemble, and it will patch that offset for you.
In this video, I showcase that speed cheat I just ported, but in different speeds.


So yeah, I hope this helps you understand how those cheats work
@macserv or to anyone else who's curious on how it works.

 

[OblivionReign]

The Cheats "Walking trough walls (Press L)" and "Speed Up (Press B)" don't work in the latest version. Anyone can help me please?

Look through the pages it's been posted several times within the last 20