I'm new to hacking on the switch, and as an exercise, I decided to try to port this same "No walls" cheat forward from 1.1.4 to 1.2.0. I got noexs up and running, and was able to find the same new offset (0xE95E50) for the "normal" value (0xB9538014).
However, when searching for the normal value for a "2× Move Speed" code (0xBD4F1E61), I've been unable to find it anywhere in the main address space. I'm not sure if I'm missing something, or if the default value has been changed by the update. Any suggestions?
I'd also love to learn more about how you found those default values (0xB9538014 / 0xBD4F1E61) in the first place. Thanks!!
Edit: I went back a few more pages in the thread, and saw that someone had actually updated the movement speed codes. Seems that the new default value is 0xBD4F9661. Still very keen to learn about the process for finding these values.
I don't know the exact way that the walk thru walls cheat was created, but this is a patch in the exefs region.
You can dump your game's exeFS using nxdumptool or use any other tool to extract your game's contents, but if you want to work with exefs cheats, then you'll need to extract the game's update.
These are the files that will be stored in the exefs
More info on what each of these files does can be found here, but a lot of the game's executable contents are going to be that main file.
If you try opening those files in a Hex editor, you'll see a bunch of garbage.
It's because those are the game's binaries, which is compiled code. The switch uses the arm64 instruction set for binaries, so you'll need to understand arm/arm64 in order to start looking at these files.
You'll then want to use an arm64 decompiler, which will take a computer program's binary and convert it into somewhat readable code. A free one is ghidra, and you can use this plugin in order to make decompiling switch binaries a LOT easier.
Another option would be IDA Pro. I think IDA Pro is a lot better to use, but it costs a ton of money. You can find a leak of it somewhere... don't ask me though
If you get IDA Pro, then I recommend you check out nx2elf in order to convert the binary into an .elf file. It will format the binary so that IDA (and probably Ghidra, I haven't used it though) will know what architecture (arm64) this binary is, and it'll help it label some symbols.
Once you finally load it into your decompiler, everything will still look extremely puzzling. This is where the noclip cheat patches
As you can see, the instruction listed there is
In C, the function would look something like this:
    __int64 __fastcall sub_E95E40(__int64 a1)
    {
        unsigned int v1; // w20
        __int64 v2; // x19

        v1 = *(_DWORD *)(a1 + 4992);
        v2 = a1;
        if ( (unsigned int)((__int64 (*)(void))sub_EC0740)() != 21
          && (unsigned int)sub_EC0740(v2) != 38
          && (unsigned int)sub_EC0740(v2) != 39 )
        {
            if ( (*(_DWORD *)(v2 + 4072) | 1) == 3 && ((unsigned int)sub_EC0740(v2) == 67 || (unsigned int)sub_EC0740(v2) == 68) )
                v1 = 5;
        }
        else if ( *(_DWORD *)(v2 + 4072) == 1 )
        {
            v1 = 0;
        }
        return v1;
    }
So it seems like w20 is returning which tile you're walking on
Which, if you either look at the game's binary in a hex editor would be
Don't trust HxD with just the main file alone, as the offsets don't line up... But this is what the offset would look like in memory, if main started at offset 0.
So you can see where the B9538014 came from. It's 14 80 53 B9 (what I have highlighted) backwards, as the Switch's CPU is little-endian.
The patch that is written is 12800014 (14 00 80 12), which in arm64, is
The patch is then changing w20 to 0xFFFFFFFF, which is -1 in a signed integer, which is breaking how the game loads collisions, which is how it lets you walk through walls.
How this was found originally? Reverse engineering. Either the original cheat creator knew how this function worked, or they probably were using a GDB debugger in order to put breakpoints on Animal Crossing, which I really can't figure out how to do right now.
More information on how to reverse engineer Animal Crossing New Horizons can be found here. Ninji goes pretty in depth on there too, but he's a lot more experienced than me when it comes to reverse engineering, so you should try asking him if you have any more questions related to reverse engineering.
Hope this helps
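To make the byte-order and encoding reasoning in the reply above concrete, here is an added Python example (not from the thread or the cheat's author) that encodes/decodes the two arm64 instruction words discussed: the original LDR that loads w20 from offset 4992 (0x1380) and the MOVN patch that sets w20 to 0xFFFFFFFF. The two encodings are the standard A64 formats; the register numbers and offset come from the decompiled function shown above.

```python
# Added example: decode/encode the two A64 instruction words from the thread and
# show the little-endian byte order you see in a hex editor.
import struct

def le_bytes(word):
    """Little-endian byte string of a 32-bit word, e.g. 0xB9538014 -> '14 80 53 B9'."""
    return " ".join(f"{b:02X}" for b in struct.pack("<I", word))

def word_from_le(hexbytes):
    """Inverse: rebuild the instruction word from bytes as they appear in the file."""
    return struct.unpack("<I", bytes.fromhex(hexbytes.replace(" ", "")))[0]

def encode_ldr_w_imm(rt, rn, offset):
    """LDR Wt, [Xn, #offset] (32-bit, unsigned-immediate form); offset is a multiple of 4 below 16 KiB."""
    assert offset % 4 == 0 and 0 <= offset < 0x4000
    return 0xB9400000 | ((offset // 4) << 10) | (rn << 5) | rt

def encode_movn_w(rd, imm16=0, shift=0):
    """MOVN Wd, #imm16 (LSL shift): Wd = ~(imm16 << shift), shift in (0, 16)."""
    assert shift in (0, 16) and 0 <= imm16 <= 0xFFFF
    return 0x12800000 | ((shift // 16) << 21) | (imm16 << 5) | rd

def decode(word):
    """Decode the two encodings used here; returns (asm text, register written, offset or value)."""
    if word & 0xFFC00000 == 0xB9400000:  # LDR (immediate, unsigned offset), 32-bit
        rt, rn, imm12 = word & 0x1F, (word >> 5) & 0x1F, (word >> 10) & 0xFFF
        return f"ldr w{rt}, [x{rn}, #0x{imm12 * 4:x}]", rt, imm12 * 4
    if word & 0xFF800000 == 0x12800000:  # MOVN, 32-bit
        rd, imm16, hw = word & 0x1F, (word >> 5) & 0xFFFF, (word >> 21) & 0x3
        value = (~(imm16 << (16 * hw))) & 0xFFFFFFFF
        return f"movn w{rd}, #{imm16}" + (f", lsl #{16 * hw}" if hw else ""), rd, value
    raise ValueError(f"unhandled encoding 0x{word:08X}")

def signed32(value):
    """Interpret a 32-bit value as a signed integer (0xFFFFFFFF -> -1)."""
    return value - (1 << 32) if value & 0x80000000 else value

if __name__ == "__main__":
    for w in (0xB9538014, 0x12800014):
        asm, reg, val = decode(w)
        print(f"{w:08X}  bytes in file: {le_bytes(w)}  ->  {asm}  (w{reg}, {val:#x} = {signed32(val)})")
    # Rebuild both words from the decompiler's view: w20 <- [x0 + 4992], then the patch movn w20, #0
    print(hex(encode_ldr_w_imm(20, 0, 4992)), hex(encode_movn_w(20)))
```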