ROM Hack Question TempAR Switch Version

Stoned · Dec 11, 2018

Can anyone add support for the switch at TempAR?
Then we would be able to create codes for dynamic addresses.
Unfortunately I have no knowledge in programming languages.
But maybe there is someone who could do it

Yohoki · May 4, 2019

I'm just releasing a Vita Version. Maybe someone will help add a Switch version? I've got the source code and would love to add the Switch to it. If I don't get any help, I may try and add it myself if I find some free time to learn it all.

https://github.com/Yohoki/TempAR-Vita/

Yohoki · May 4, 2019

Can you give me some info on what plugin the switch guys use for making cheats? I don't have a switch, so I'll need to look everything up to add a function for it... If it's possible.

Falo · May 4, 2019

We don't use plugins, the CFW itself has a built in cheat engine.
https://github.com/Atmosphere-NX/Atmosphere/blob/master/docs/cheats.md

The Switch uses 64 Bit addresses (8 byte), PSP/Vita uses 32 Bit (4 byte).
But i don't think it's possible to make a TempAR for Switch, because a full Memory Dump is 4 GB.
And to remove the SD Card, you need to power off the console, transfering a 4 GB file via FTP takes to long.

A much better solution would be waiting for atmosphere to add a debugger api for GDB, this would allow us to debug games from PC.

Yohoki · May 4, 2019

Falo said:
We don't use plugins, the CFW itself has a built in cheat engine.
https://github.com/Atmosphere-NX/Atmosphere/blob/master/docs/cheats.md

The Switch uses 64 Bit addresses (8 byte), PSP/Vita uses 32 Bit (4 byte).
But i don't think it's possible to make a TempAR for Switch, because a full Memory Dump is 4 GB.
And to remove the SD Card, you need to power off the console, transfering a 4 GB file via FTP takes to long.

A much better solution would be waiting for atmosphere to add a debugger api for GDB, this would allow us to debug games from PC.

Ah. Ok. Thanks for the info. There's no way to do a smaller dump, then? We use dumps on vita as well, but we only make them large enough to cover the areas we need. Usually between 81000000 and 89000000. If the code we are looking for is at 83450000, then we only dump 81000000 - 84000000...

I haven't looked too deep at the code, but I don't see why it CAN'T be made to work with a 64bit address. I'd have to look into it.

Falo · May 4, 2019

Switch uses ASLR, each time you load an app, it has a different image base (like on PC).
It would be possible to make smaller dumps, if Edizon or any other homebrew adds support for that.
Currently no Homebrew exits for making memory dumps.

Yohoki · May 4, 2019

I see. That's too bad, then. A quick google search confirms that. Binaries are loaded randomly into the entire address space by a function with a random seed. That makes me wonder how the built in cheat menu works, then... Do you have to make those codes every time you load the game??? That would be a nightmare.

I have no idea, just speculation, but the way I think it would work would be that the cheat menu is somehow attached to the binary's memory space and codes are made by offsetting the cheat menu's address... If that was the case, it would still be possible, but the cheat menu would have to dump starting from it's address.

Looking at the doc you gave, It does seem like something similar is being done. It mentions attaching to the program and using offsets of region bases. So that's at least a positive sign to me that it's possible to defeat this random placement. In that case, that's not an issue with the pointer searcher at all. The only issue is dumping. they'd have to implement a way to dump just the regions.

So, there's 3 things that need done for a TempAR pointer searcher to be made.

1, Atmosphere's cheat menu needs to have a Region dump added. One that dumps starting from the beginning or the region containing the game's data.

2, Atmosphere's cheat menu needs a pointer code type. I didn't see one in the document, so maybe one's been added already.

3, TempAR needs to be able to read 64bit addresses.

If the first 2 get implemented, I'll look into adding 64bit support and a Switch mode. There's no point in me even trying at this point, though if there's no way to easily dump and recover just the required areas. Even less if there's no way to actually make a pointer code type, yet.

Edit: then again, I might not even have to change to allow 64bit addresses, since it is only offsets.... unless a single region takes up more than 0xFFFFFFFF space, then 32bits would be enough for a 32bit offset to cover the entire region. Even multi-level pointers wouldn't be an issue, if they're bound to the same region. I'm looking at what I think is how much space things are being allotted. Most of them say the size is 0x80000000 or 0x40000000.... So the biggest offset would fit fine with 32bits.

We use the real addresses in Vita, but I believe PSP used Offsets, so the functionality is already there for that and it already supports 32bit.

Falo · May 4, 2019

Memory dumping is techically already possible with Edizon, but there is no function to save it as file.

And Pointer writing is done like this:

5TMR00AA AAAAAAAA
7T0RC000 VVVVVVVV
6T0RIor0 VVVVVVVV VVVVVVVV

the 5 stores the value from Memory into a register
the 7 adds a value to it
the 6 writes a value to the register address

like this:
580F0000 025ce340
780F0000 000020b0
640F0000 00000000 00000078

translates to:
R15 = read64(Main + 0x25CE340);
R15 += 0x20B0;
write_reg32(R15, 0x78);

Yohoki · May 4, 2019

And those offsets never go higher than 32bit? This is probably possible then. Or is the AA part of "5TMR00AA" also part of the offset?

Edit: doesn't actually matter. Making it compatible with 64bit addresses was actually really easy. Increasing offsets to include 5 words isn't an issue either.

Works fine so far. Just need to add code gen. Can't really test without a region dump, though. I don't see why it wouldn't work if that option becomes available. Maybe I could try it by dumping a PC game.

Falo · May 4, 2019

Offsets are 64 Bit, but they are limited to 40 Bit from the cheat engine.
So the highest possible offset is 1.099.511.627.775 (1023 GB) no game executable is that big, most are 10 MB - 200 MB.

example Memory layout:
BASE: 0x8000000
HEAP: 0x3906000000
MAIN: 0x32F7204000

then Main + 0x25CE340 would be 0x32F97D2340

Main is the game's executable, Heap is the Memory.
Base Pointer can be anywhere in these two, but most base pointer should be in Main.

Yohoki · May 6, 2019

Did a little looking around and found this little tool anyway. It seems like it does everything TempAR does and more. Probably better to try and get it working instead.

https://github.com/mdbell/Noexes

Deleted User · May 6, 2019

Falo said:
We don't use plugins, the CFW itself has a built in cheat engine.

Why shouldn't that be possible at the moment! A developer named @exelix11 has made such an overlays program work...

Atmosphère, some fresh air in the community. pic.twitter.com/w9WQlhxaDg
— exelix (@exelix11) March 10, 2019

linuxares · May 6, 2019

Noexes I know a lot of the folks use right now to find pointers. I tried to get it to work on Linux but seems to be a windows right now.

exelix11 · May 6, 2019

Ping.
Me and a few others are working on a custom overlay, currently broken on 8.0 and workign on a fix.
Among the planned features there's a client for atmosphere's cheat service, still no eta.

Yohoki · May 6, 2019

exelix11 said:
Ping.
Me and a few others are working on a custom overlay, currently broken on 8.0 and working on a fix.
Among the planned features there's a client for atmosphere's cheat service, still no eta.

That's good to hear. Hope it goes well for you!

You guys seem to have the pointer issue handled as well. I won't worry about adding a 64-bit searcher to my TempAR build, then. There seems to already be a couple ways already made, or in-progress. I really only replied to this thread because it popped up when making my own, so I'm glad it's sparked some interest and given some good answers.

ioritree · May 7, 2019

exelix11 said:
Ping.
Me and a few others are working on a custom overlay, currently broken on 8.0 and workign on a fix.
Among the planned features there's a client for atmosphere's cheat service, still no eta.

awesome!, i like this cheat menu.

ROM Hack Question TempAR Switch Version

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Deleted User

Guest

The inadequate, autocratic beast!

Developer

Well-Known Member

Active Member

Similar threads

Popular threads in this forum