Tomvita's tools

Easy ASM hacking tutorial

TomSwitch

Well-Known Member
OP
Member
Joined
Jan 10, 2019
Messages
4,347
Trophies
1
Age
44
XP
14,218
Country
United States
Here is a tutorial using some recently added features of Breeze and pointersearcher se.
The game NieR:Automata The End of YoRHa Edition 1.0.2 (TID: 0100B8E016F76000, BID: 992787E2B5425994) is used in the example.

This tutorial only covers the easy hack, and not every game has an easy hack.

This is the hack state after some minutes of hacking (the time taken does not include the game playing time; this is a good game to use as an example also because it does not demand too much time wasted running here and there in the game).

[screenshot]

Search for HP (about 5 mins)
The first boss is a good candidate to search for HP, since it has a substantial health bar which gives you time to do multiple searches.
What I usually do is start with float. I go to search manager and activate the moon jump preset (it's a good starting point for most searches for float, not just moon jump). Set auto start and auto continue to 1 for faster actions. Do a first search using this setup by pressing X.
Hit the boss and see the health bar reduce. This game is very nice in that it shows you how much you have reduced the HP. So take note of the number and do a --val (press ZL+Left "Less cycle" until you get this) search of the quantity of hurt you have inflicted on the Boss. After just a few searches nothing was found. So the reasonable assumption is HP is not in float.
Next we try u32. By observation we can tell the HP is a fairly large number in the thousands. Do a range search that we can reasonably think covers what the HP might be; for example we assume the HP is between 500 and 50000. Using u32 [A..B] we start a first search on the boss HP again. This time we end up with a few candidates that look promising. Next step is to hack the number. Discover the candidate that reduces the Boss's HP. At this point you can instant kill the Boss (don't kill it, you need it alive) but you want to check by hitting the Boss and seeing the changed bar reduce (general principle: always check that what you get is the real value and not just the display value, though in this case they are the same). Now you have found the Boss HP memory address and are ready to proceed to the next step.

[screenshot]

Find the code that accesses HP (about 1 min)
Use a debugger that supports GDB and set a breakpoint on the boss HP found above. Here you can use pointer searcher se to help transfer data between the Switch and the PC. First add the Boss HP to bookmark (press + on the candidate), then on pointer searcher se fetch the bookmark. Drag and drop the address from the fetched bookmark to one of the target address boxes, click on the dropped value and do a copy (so you can paste it later). Click on "detach dmnt" (lower left side of the screen). Launch your debugger and attach to the game, and set a breakpoint on what you have on the clipboard. Go back and play the game until the breakpoint is hit. You want both read and write to the boss HP. Copy the address of the code back to pointer searcher se and add a label next to these addresses. Click on the check mark to select what you have just added and click "upload bookmark with label" to upload this to the Switch.

Do the above two steps for Hero HP and you will have what I have in the screen below: the addresses of the code that accesses the HP of hero and enemy.
This game is nice again in that the code that accesses enemy HP and hero HP is not the same, making it much easier. It is also nice in that the code accessing this boss HP that we found above seems to work on most enemies (I don't know if it works on all, as I am not that far along in playing the game).

[screenshot]

Making code (about 10 mins)
Import the bookmark uploaded by pointer searcher se (ZL+"+"). "Bookmark to Cheat" (ZL+Y) to add these as cheats for the next step.
[screenshot]
Go to cheats and edit the cheat on "read en hp".
At this code x0+0x860 has the address of the Boss HP found in step one above, but we don't know what else this code accesses yet.
So we "Add utility codes" on this code. This will produce three codes for you. "Activate read en hp" is the code that injects code into the game at this code address [main+2F41A8]. The injected code will save what is in x0+0x860 and the content pointed to by this pointer in a buffer for us to examine. Depending on the game code, this buffer will need to be cleared from time to time to make room and to clear what is no longer relevant. "Pointer to buffer .." points to the buffer; add this to bookmark to access the buffer.
"Add utility codes" requires a file to be copied to the game directory created by Breeze when you save cheats to file. The directory will be shown on screen as shown below, and you copy asm1.txt from the breeze directory there before you can use "Add utility codes" successfully. "asm1.txt" can be customized for each game, therefore it is fetched from the game directory instead of the breeze directory.

[screenshots]

Play the game a bit and see what is in the buffer. Go to the bookmark you have just added and click the right stick. The cursor is pointed at the first entry. The format is pointer followed by value. Look around and get a feel for what this code accesses. Look at the number 1142; that matches the hero hit points and it probably is (needs to be verified). To hack the value you have to follow the pointer by pressing ZL+Y. The other one is for show only and may not be the current value, as many codes access the memory, not just the one we hacked. After playing around a bit this code location seems to be not so useful (for now).
[screenshot]
Next we try the others. Same drill.
Enemy HP write and Hero HP write turn out to be good ones. (Read code is normally executed more frequently, and if everything else is equal, read is then better.)
Now we proceed to create the hack.
Look around the code above the write with Breeze. Right click on the bookmark, move the cursor up a bit, then ZL+X to look at the disassembly.
In this case a very promising sign is to see a subtract on the register that is subsequently written to the enemy HP address.
If we amplify the amount subtracted by an lsl you can have various power-of-2 amplifications. In this case a 2^6 amplification is applied to the damage to the enemy. Test it a bit and verify that it works, then add this address to bookmark, then to cheat code.
(Go back to memory explorer, put the cursor on the address, press +, go to bookmark, then add the bookmark to cheat.)
[screenshot]
For the hero we found the same thing, but we want the damage to be zero so we change w22 to #0.
[screenshot]

Thanks for reading
Attachment: 992787E2B5425994.txt (2.1 KB)
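The range first search and the repeated "--val" refinements described in the post above, written out as an added Python example. This is not Breeze or pointer searcher se code; the memory snapshots, the region base address and the HP values are constructed for the illustration. It goes slightly beyond the walkthrough: the same refinement runs across any number of snapshots, and a decoy that happens to drop by the right amount once shows why a single refinement is not enough and why the post insists on checking the candidate by hacking it.

```python
import struct
from typing import Dict, List

# Constructed base address for the scanned region (not a real game address).
REGION_BASE = 0x0000_0100_0000_0000


def scan_u32(snapshot: bytes, base: int) -> Dict[int, int]:
    """Interpret every 4-byte-aligned little-endian u32 in the snapshot as {address: value}."""
    return {
        base + off: struct.unpack_from("<I", snapshot, off)[0]
        for off in range(0, len(snapshot) - 3, 4)
    }


def first_search_range(snapshot: bytes, base: int, lo: int, hi: int) -> Dict[int, int]:
    """Breeze-style first search 'u32 [A..B]': keep addresses whose value lies in [lo, hi]."""
    return {a: v for a, v in scan_u32(snapshot, base).items() if lo <= v <= hi}


def refine_decreased_by(candidates: Dict[int, int], snapshot: bytes,
                        base: int, delta: int) -> Dict[int, int]:
    """'--val delta' refinement: keep candidates whose value is now exactly (previous - delta)."""
    now = scan_u32(snapshot, base)
    return {a: now[a] for a, prev in candidates.items() if a in now and now[a] == prev - delta}


def make_snapshot(size: int, values: Dict[int, int]) -> bytes:
    """Build a constructed memory dump from {offset: u32 value}; everything else is zero."""
    buf = bytearray(size)
    for off, v in values.items():
        struct.pack_into("<I", buf, off, v)
    return bytes(buf)


# Three constructed snapshots of a 64-byte region, taken between hits on the boss.
#   offset 0x20: boss HP, loses 350 per hit (the value we want)
#   offset 0x08: decoy that happens to drop by 350 once, then stays put
#   offset 0x30: hero HP, unchanged here
#   offset 0x14: small counter that falls outside the search range
SNAP0 = make_snapshot(0x40, {0x20: 12000, 0x08: 4200, 0x30: 1142, 0x14: 7})
SNAP1 = make_snapshot(0x40, {0x20: 11650, 0x08: 3850, 0x30: 1142, 0x14: 7})
SNAP2 = make_snapshot(0x40, {0x20: 11300, 0x08: 3850, 0x30: 1142, 0x14: 7})


def find_boss_hp(snapshots: List[bytes], base: int = REGION_BASE,
                 lo: int = 500, hi: int = 50000, damage: int = 350) -> Dict[int, int]:
    """Run the walkthrough: range first search, then one '--val damage' refinement per later snapshot."""
    candidates = first_search_range(snapshots[0], base, lo, hi)
    for snap in snapshots[1:]:
        candidates = refine_decreased_by(candidates, snap, base, damage)
    return candidates


if __name__ == "__main__":
    stage = first_search_range(SNAP0, REGION_BASE, 500, 50000)
    print(f"after first search u32 [500..50000]: {len(stage)} candidates")
    stage = refine_decreased_by(stage, SNAP1, REGION_BASE, 350)
    print(f"after 1st --val 350: {len(stage)} candidates (decoy still in)")
    stage = refine_decreased_by(stage, SNAP2, REGION_BASE, 350)
    print(f"after 2nd --val 350: {stage}")
```

After the first search three addresses are in range; the first "--val 350" still keeps the decoy at offset 0x08, and only the second refinement leaves the boss HP alone, which mirrors the "do multiple searches" advice above.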

TomSwitch

[screenshot]
Same thing with gold. Hack and see what happens.
Turns out that it inconveniently applies to both buy and sell. To use this injection point, a direct hack of the value in w9 is desired. In this case a code cave is needed.
Write the code, put it in asm.txt and place it in the game directory:
    ldr w9, Million        // load the literal below into w9 (the register holding the gold value)
    b code1+4              // jump back to the instruction after the hooked one
Million: .word 1000000     // 32-bit literal: 1,000,000 gold

Use the "Add ASM" button, which will read from asm.txt and assemble the code into cheat code format.
[screenshot]
After pressing the button this is what you get.
The first line is the original, which I keep for its usefulness during development; it can be deleted before release.
[screenshot]
[screenshot]
Buy or sell will activate the code and make gold 1M.

One special note about using Breeze to create ASM hacks: when the button is pressed, free space is scanned and the code is placed at the beginning of that free space. If the code is never activated to place the code into memory, the next time the button is pressed to make another code it will occupy the same space, which is very bad. Be sure to activate any code so the automated process to allocate a code cave won't create codes that conflict with each other.

This same problem applies to all ASM hacks: the space available to ASM code authors is the same small blank area at the end of the normal code. If you mix ASM codes there is not much reason to expect to be safe from this hazard.

[off]
04000000 0064C148 0B010129

[gold 1m]
04000000 0064C148 141D466E
04000000 00D9DB00 18000049
04000000 00D9DB04 17E2B992
04000000 00D9DB08 000F4240
Attachment: asm.txt (57 bytes)
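To make the four cheat lines above checkable by hand, here is an added Python example (not Breeze's "Add ASM" implementation) that encodes the three-instruction code cave from asm.txt itself and emits it in the Atmosphere cheat format, and that also models the free-space hazard from the note above. The hook offset (main+0x64C148), the cave offset (main+0xD9DB00) and the original instruction word are the values from this post; the encodings are the standard AArch64 B and LDR (literal) layouts; the cave length used in the overlap check is the 12 bytes this particular cave occupies.

```python
# Main-relative offsets taken from the gold cheat in the post above.
HOOK_OFFSET = 0x64C148
CAVE_OFFSET = 0xD9DB00
ORIGINAL_WORD = 0x0B010129  # instruction at the hook before patching; the "[off]" cheat restores it


def enc_b(pc: int, target: int) -> int:
    """AArch64 B: 0x14000000 | imm26, where imm26 = (target - pc) / 4 in two's complement."""
    off = target - pc
    if off % 4 or not -(1 << 27) <= off < (1 << 27):
        raise ValueError("branch target not word aligned or outside +/-128 MiB")
    return 0x14000000 | ((off >> 2) & 0x03FF_FFFF)


def dec_b_target(word: int, pc: int) -> int:
    """Inverse of enc_b: recover the target of an encoded B located at address pc."""
    if word & 0xFC00_0000 != 0x14000000:
        raise ValueError("not an unconditional B")
    imm26 = word & 0x03FF_FFFF
    if imm26 & (1 << 25):          # sign-extend the 26-bit field
        imm26 -= 1 << 26
    return pc + (imm26 << 2)


def enc_ldr_w_literal(rt: int, pc: int, literal: int) -> int:
    """AArch64 LDR (literal), 32-bit: 0x18000000 | imm19 << 5 | Rt, imm19 = (literal - pc) / 4."""
    off = literal - pc
    if off % 4 or not -(1 << 20) <= off < (1 << 20):
        raise ValueError("literal not word aligned or outside +/-1 MiB")
    return 0x18000000 | (((off >> 2) & 0x7FFFF) << 5) | (rt & 0x1F)


def cheat_line(offset: int, word: int) -> str:
    """Atmosphere cheat opcode 0 (static write), 4 bytes, main region: '04000000 <offset> <value>'."""
    return f"04000000 {offset:08X} {word:08X}"


def build_gold_cheat(hook: int = HOOK_OFFSET, cave: int = CAVE_OFFSET, gold: int = 1_000_000) -> list:
    """Assemble asm.txt by hand (ldr w9, Million / b code1+4 / Million: .word gold) and emit the cheat."""
    words = [
        (hook,     enc_b(hook, cave)),                     # hook: replace the add with a jump into the cave
        (cave,     enc_ldr_w_literal(9, cave, cave + 8)),  # ldr w9, Million
        (cave + 4, enc_b(cave + 4, hook + 4)),             # b code1+4: back to the instruction after the hook
        (cave + 8, gold),                                  # Million: .word gold
    ]
    return [cheat_line(addr, word) for addr, word in words]


def build_off_cheat(hook: int = HOOK_OFFSET) -> list:
    """The '[off]' cheat from the post: put the original instruction back at the hook."""
    return [cheat_line(hook, ORIGINAL_WORD)]


def caves_overlap(a_start: int, a_len: int, b_start: int, b_len: int) -> bool:
    """True when two code caves share bytes. This is the hazard in the note above: making a
    second ASM cheat before the first one was activated lets Breeze pick the same free space twice."""
    return a_start < b_start + b_len and b_start < a_start + a_len


if __name__ == "__main__":
    print("[gold 1m]")
    print("\n".join(build_gold_cheat()))
    print("[off]")
    print("\n".join(build_off_cheat()))
    # Round trip: the hook's branch lands on the cave and the cave branches back past the hook.
    print(hex(dec_b_target(enc_b(HOOK_OFFSET, CAVE_OFFSET), HOOK_OFFSET)))
    # Two 12-byte caves at the same free word collide; one placed right after the other does not.
    print(caves_overlap(CAVE_OFFSET, 12, CAVE_OFFSET, 12), caves_overlap(CAVE_OFFSET, 12, CAVE_OFFSET + 12, 12))
```

Running it reproduces the "[gold 1m]" and "[off]" blocks exactly as posted, which is a quick way to confirm that a branch encoding in a cheat file really points where you think it does before activating it.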

Eiffel2018

Well-Known Member
Member
Joined
Aug 23, 2020
Messages
1,582
Trophies
3
Age
24
XP
10,181
Country
Hong Kong
Seems like it is a nice feature.
As far as I understand, Breeze now decompiles the main section and displays the asm instructions, which is more and more like what Cheat Engine on the PC does.
Hope you can connect dmnt.gen2 directly with Breeze in the near future, and then call the breakpoint function.
Because now I use IDA PRO, there is no way to list all the breakpoint results while the game is running; it breaks every time and needs to be skipped manually, and can find the next breakpoint only after that...
 

TomSwitch

> Seems like it is a nice feature.
> As far as I understand, Breeze now decompiles the main section and displays the asm instructions, which is more and more like what Cheat Engine on the PC does.
> Hope you can connect dmnt.gen2 directly with Breeze in the near future, and then call the breakpoint function.
> Because now I use IDA PRO, there is no way to list all the breakpoint results while the game is running; it breaks every time and needs to be skipped manually, and can find the next breakpoint only after that...
Memory breakpoints are very much on my wish list too.
 

TomSwitch

> Seems like it is a nice feature.
> As far as I understand, Breeze now decompiles the main section and displays the asm instructions, which is more and more like what Cheat Engine on the PC does.
> Hope you can connect dmnt.gen2 directly with Breeze in the near future, and then call the breakpoint function.
> Because now I use IDA PRO, there is no way to list all the breakpoint results while the game is running; it breaks every time and needs to be skipped manually, and can find the next breakpoint only after that...
Want to give this a try?
[screenshot]
I modified gen2 to add a few extra commands:
setw to set up the address.
watch hit count shows how many different hits (up to 30).
If the address is memory, the hits are the code that accesses the address.
If the address is code, the hits are the unique values of register i (set with seti).
If you use cont to let the game run, you can use the command line while the game is running.
If you want to use IDA Pro, use F9.

Will crash on HOS15; tested on ATM1.4/HOS14.1.2. Earlier versions (not too old) may work too. I can't compile the latest ATM library (I don't have the libnx changes required; until then no HOS15 support).
Attachment: 010000000000d609.zip (71.2 KB)

Eiffel2018

> Want to give this a try?
> [screenshot]
> I modified gen2 to add a few extra commands:
> setw to set up the address.
> watch hit count shows how many different hits (up to 30).
> If the address is memory, the hits are the code that accesses the address.
> If the address is code, the hits are the unique values of register i (set with seti).
> If you use cont to let the game run, you can use the command line while the game is running.
> If you want to use IDA Pro, use F9.
>
> Will crash on HOS15; tested on ATM1.4/HOS14.1.2. Earlier versions (not too old) may work too. I can't compile the latest ATM library (I don't have the libnx changes required; until then no HOS15 support).
You're too smart to think of directly modifying the source code of dmnt.gen2... I didn't even think about it. This can really do a lot of things.

(I have been busy recently, and I am still working hard on Unreal Engine. Maybe I will find you later.)
You can use this function to list all trigger addresses without interrupting the game, which should be useful to many people.
 

TomSwitch

This is the same code recompiled with HOS15 compatibility. (I merged the three pending commits required for 15 compatibility into my libnx fork.)
Attachment: 010000000000d609.zip (70.7 KB)

TomSwitch

Added a few more commands that can be used now, and some features that need Breeze to use.
gen2 will detach dmnt; now there is no need to use anything else to detach dmnt so gen2 can attach.
attach will attach to the game, no need to look down the list, but if you want to use the IDA Pro GUI then you have to use it to attach.
detach will detach if you didn't use the GUI to attach and now want it.

This only works with ATM1.4; should work with both HOS14 and HOS15.
Attachment: 010000000000d609.zip (72.2 KB)

Eiffel2018

> Added a few more commands that can be used now, and some features that need Breeze to use.
> gen2 will detach dmnt; now there is no need to use anything else to detach dmnt so gen2 can attach.
> attach will attach to the game, no need to look down the list, but if you want to use the IDA Pro GUI then you have to use it to attach.
> detach will detach if you didn't use the GUI to attach and now want it.
>
> This only works with ATM1.4; should work with both HOS14 and HOS15.
Would like to ask, Tom:

There has always been a problem when the Atmosphere gdb is connected to IDA. You can't press F7/F8 to jump to the next instruction; it jumps to an instruction of another thread instead. We can press F7/F8 three or four times to return to the current thread.

And there is no such problem when IDA connects to other GDBs; for example https://github.com/mossvr/sys-gdbstub can use F7/F8 smoothly.

Is this a problem with dmnt.gen2, and is there a way to fix it?
 

TomSwitch

> Would like to ask, Tom:
>
> There has always been a problem when the Atmosphere gdb is connected to IDA. You can't press F7/F8 to jump to the next instruction; it jumps to an instruction of another thread instead. We can press F7/F8 three or four times to return to the current thread.
>
> And there is no such problem when IDA connects to other GDBs; for example https://github.com/mossvr/sys-gdbstub can use F7/F8 smoothly.
>
> Is this a problem with dmnt.gen2, and is there a way to fix it?
There seems to be a compatibility problem with IDA Pro; I'll see what I can do on the gen2 end.
 

TomSwitch

A peek at what is to come. UI not ready for general users yet.
What you can do from Breeze:
Watch a memory address to see what code accesses it.
Look at the disassembly of that code.
Edit the game code.
Choose a code to watch what memory it accesses.
Edit the game memory.

Put the sysmodule in contents and restart the Switch. (You need ATM1.4; do not install with a lower version. It may work with a higher version, time will tell.)
I have just updated the two files, make sure you discard the previous ones.

Find a memory of interest.
In this case the coin has qty 29061. Let's find out what code accesses this memory.
[screenshot]
At memory explorer place the cursor, then press ZL+up to go to the gen2 menu.
[screenshot]
ZL+"+" to attach GEN2 to the game.
ZL+R to execute the watch.
If you press L you will see the screen above.
Since you have not gone back to the game, no data is captured yet.
Now go to the game (let the game code run).
Looks like only one line accesses this memory, and it did so 2677 times while you played.
[screenshot]
Press - to detach Gen2 and go back to dmnt. You can now look at the code by choosing the line.
[screenshot]
[screenshot]
At this screen you can choose an instruction and press L to watch this instruction to see what data it accesses.
[screenshot]
The code accessed 56 different addresses during the time you let it run.
Press - to switch to dmnt.
[screenshot]
You see the values at the addresses and you can select one to go to memory explorer to look around.
Repeat the process between watch code and watch memory until you find a good place to hack.
Post automatically merged:

The bypass for the need of a GDB connection to be open causes a crash when the Switch sleeps.
Post automatically merged:

This post auto merge is super annoying. Whose dumb idea is it?
Post automatically merged:

Fixed the sleep crash. Now working (limited test).
https://github.com/tomvita/Breeze-Beta/releases/tag/beta55preview1
 
