Noexs Hacking Guide

Discussion in 'Switch - Tutorials' started by wiitendo84, Jul 18, 2019.

  1. wiitendo84
    OP

    wiitendo84 GBAtemp Regular

    Member
    4
    Jan 3, 2014
    United States
    New Albany, Indiana
    NOEXS cheat Code search guide

    Now with Videos

    Getting Started

    This guide is assuming that you have Noexs installed and set up correctly.
    First thing is connecting to the switch.
    Load your game you want to hack.
    I always wait until the game starts to attach.
    Input your switch IP address in the bottom of the Noexs client.
    Click connect.
    Click on refresh pids.
    Scroll all the way down to the bottom and click on the last number.
    Click attach to process and it should connect.
    (If you get an error saying couldn't attach or tcpgecko already attached,
    what that means is that dmnt cht is active and you either have to deactivate it
    from the hekate.ini or you can hold L button down while loading the game up.)



    So there are a total of 6 tabs at the top.
    We're going to go into some small detail of each one of them.

    TOOLS is of course where we attach to the processes and switch, but it also has
    all of the memory locations to the left of it.
    There are many different types in it but the ones we mostly focus on are Main and
    Heap. Most times a code is found in Heap but it's not stable. So we use what's called
    pointers to keep the value to be written to the address. Pointers are found in the Main
    area of memory. Essentially an address in main points to an address in heap by offsets.
    This tells the memory that a value should be written to an address at an offset from
    this location. It could be minus or plus. It all depends. It seems that some pointers can be found in heap memory as well. This is proving to be something since the lego codes I found had pointers in Heap rather than Main.

    SEARCH is where we search for values either unknown or known. If a health bar is looked
    for it would be unknown. But if health is 100 then we would look for 100 but in hex. It
    doesn't mean that the value would be 100, but most likely it would be. If you don't know
    decimal to hex, all you have to do is type in the decimal number in the value box and
    click convert to hex.
    You can search different data types up to 64 bit. Search conditions allow you to change
    from equal to less than to greater than etc.

    POINTER SEARCH is where you can search for pointers for an address in heap. You can use this to search for pointers in Main memory and heap memory as well. Keep in mind Heap addresses are not always guaranteed to work. I'll add more
    details on this later. It will most definitely require its own section on how to use it. It also seems
    that Noexs will not find pointers if it's +0 or +8 and it can't parse them as well. Thank you DannyDarth
    for the info.

    MEMORY VIEWER allows you to see the memory addresses in real time. Still new to this so
    if someone has more info on how to better use this let me know and I'll add it in.

    WATCH LIST allows you to keep an eye on an address and also allows you to lock it to a
    value or to even see what that address has for a value. This also helps when you want
    to look for pointers for an address you found in Heap.

    DISASSEMBLER Shout out to Falo for information on this.
    So the disassembler requires tools like Ida Pro or Ghidra to be useful.
    This isn't really useful for normal users. But I'll put the info in that he added in the comments.
    If you find a possible code patch in Ida Pro, you can enter the memory address in the form of
    [main + offset] into it, which will allow you to see and edit the code in real time. Still is a bit complicated
    for us normal users.
    It is seemingly really slow, missing a good amount of features as well. As it gets updated, this will as well.

    DIFFERENT TYPES OF CODES

    Lives are usually found using the method of known values. You know how many lives you have
    so you either gain or lose some to change the value.

    Something that's a lot more complex in finding would be a moon jump code. This would most likely
    be found by using unknown searches. Very time consuming but awesome effect.

    Health is one that could be found by using both methods depending on what you're searching for.
    If it has a value of, let's say, 100 on screen, like in the game Turok, you would use a known value search, but
    in the game Mortal Kombat, where it's a bar representation, you would use an unknown value. It's
    kind of weird but like I said it all depends on the game.

    MAKING CODES

    KNOWN VALUE
    Now you want to make your own codes.
    The easiest ones to make are usually something that you can find easily. Let's say
    a cheat code for money or gold.
    Let's say you have 32 coins.
    First type 32 into value and click convert decimal to hex.
    The value 32 changes to 20.
    Click search.
    This may take a while so allow it to finish.
    On the right hand side there will be a list of addresses. What you want to do is get those
    down to as few as possible. So gather some more coins.
    Let's say the new value is 40 coins. Type that in and click convert.
    We do this until we get down to just a few locations.
    Now that you have that down to a few addresses, let's start to poke them.
    Click on each and down on the bottom of those addresses is a box that says value and poke.
    Type in either an amount that is higher or lower than what you have and click poke.
    If it changes, you found your address. If not, keep going until you do.

    New Video


    UNKNOWN VALUE
    This is the same process as above but you don't know the value.
    So click on search condition and change it to unknown.
    Click Search to look at all values.
    Now either gain some or lose some. So for health bars, lose some health.
    Click search again. This will search for whatever search condition you have chosen.
    Whether it be greater than, lesser than, equal to, etc.
    Continue to do so until you have only a few options left. Then once again just poke
    the values to either add to it or decrease to it.

    **
    Back in the GameCube era, there were times when lives and health were actually set
    to one lower than what was shown on screen. Like lives being 3 on screen but in hex
    they had the value at 2. So essentially 0=1 life, 1=2 lives, etc. I haven't seen
    this yet but just as a precaution I wanted you all to know that.

    POINTER SEARCH
    Thanks to Deathwing Zero for a more detailed explanation on this!!!

    Go to Tools and right click on MAIN in the memory section. Select Pointer Search Main.
    While still in the MAIN memory section right click on the first CODE_MUTABLE and select
    Pointer search Min.
    Right Click on the last CODE_MUTABLE right before sdk and select Pointer Search Max.
    Find your address and copy and paste it into the address tab in pointer search.
    Go to Browse and select your first ram dump you did. It will always be the biggest.
    Now at this point you can choose to do your max offset and max depth.
    If you aren't finding pointers with your offset, try making it a bit bigger.
    Once you have everything correct including the beginning of MAIN memory address at the bottom,
    click search.
    Now it should pull up some locations after a bit.
    Take the MAIN beginning address and add the offset to it to get a new address.
    Take that address and go to Watch List and click add. Type that address in and hit enter.
    Change the type from 32 to 64 and click update.
    This should bring up a value.
    Take that value and add or minus the second offset to that.
    If it's the right pointer, it gives you an address to poke which should be the same one you found earlier.
    This can be used the same way for heap, just do pointer main and pointer min on the first address of heap.
    Pointer max on the last address of Heap.

    Now the depth should be used if you believe that the address you're looking for has more than one
    pointer. This could take a bit of time to find. It may be my laptop but it took me 6 hours to finish the
    search only to realize that I had a very low offset...So be mindful of that as well. I think Noexs can
    support up to 3 in depth. Might be wrong on that but haven't tried it either.

    [Hold L and A 550,000,000 level stud]
    80000041
    581F0000 9F087A88
    781F1000 00000070
    641F1000 00000000 20C85580
    20000000
    Looking at this code you will notice the first 1 on the middle addresses.
    It will be 0 for main but since my codes use heap it's a 1. 581F0000
    On the 3rd line you will see there is another 1 as well.
    That means it's a negative offset. 781F1000

    Video guys and gals...




    SX OS
    Up until now I've talked about Noexs. SX OS has a search function as well.
    I've not used it but the basics are the same, save for that SX OS has to have hex as its values. There's
    no way to click convert decimal to hex on it. So either make sure you have a calculator that allows you
    to convert decimal to hex or go to your computer and type in decimal to hex calculator in google to bring one up.

    KNOWN
    To start you get to where you want to find the cheat whether it be health or gold or coins.
    Hit the home button and go to the album viewer (SX OS Menu).
    Navigate to cheat searcher in the cheat menu.
    Once again choose your bit size and it should start a ram dump.
    Now choose next search and equal to if you know your value and put in the value in hex.
    This now runs through the ram dump and finds the value that you were searching for.
    If there are once again too many addresses, you either gain or lose some.
    Do another search and continue to do so until you have very few addresses left.
    One of these should be the address you need.
    In the view candidates section, it will allow you to poke these addresses to see which one is correct.

    POINTERS

    As of right now there is no easy way to make pointers with SX OS, if any. Hopefully there will be a memory dump searcher like most other consoles have had before. If someone wants to PM me on how to build one using Java, I may give it a shot.


    One other thing is that SX OS doesn't have a built in pointer search. While it's not easy to find the pointer
    like this, it's not impossible. As I find out more about how this cheat search works, I'll update it here as I can.

    I will add pictures to this when I fix my switch along with more cleanup and clearer instructions as well.
     
    Last edited by wiitendo84, Aug 1, 2019
    DSSP, Hmed, jakibaki and 6 others like this.
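The known-value narrowing and the depth-1 pointer search described in the guide above, as an added example that is not part of the original post and is not Noexs code. It runs on constructed byte buffers standing in for MAIN and Heap; the base addresses, the 0x48 slot, the decoy value and all function names are assumptions made for illustration.

```python
import struct

MAIN_BASE = 0x7100000000  # constructed base addresses, not taken from a real game
HEAP_BASE = 0x2000000000

def read(mem, base, addr, fmt):
    """Read one little-endian value ("<I" = 32-bit, "<Q" = 64-bit) at an absolute address."""
    return struct.unpack_from(fmt, mem, addr - base)[0]

def build_snapshot(heap_shift, coins):
    """Constructed memory for one launch; the game object lands heap_shift bytes later."""
    main, heap = bytearray(0x100), bytearray(0x400)
    obj = 0x100 + heap_shift
    struct.pack_into("<I", heap, obj - 0x70, coins)      # coin counter sits 0x70 below obj
    struct.pack_into("<I", heap, 0x20, 32)               # unrelated value that is always 32
    struct.pack_into("<Q", main, 0x48, HEAP_BASE + obj)  # static slot in MAIN pointing at obj
    return main, heap

def first_scan(heap, value):
    """Known-value search: every 4-byte-aligned heap address currently holding value."""
    return {HEAP_BASE + off for off in range(0, len(heap) - 3, 4)
            if struct.unpack_from("<I", heap, off)[0] == value}

def next_scan(heap, candidates, value):
    """Keep only the earlier candidates that now hold the new value."""
    return {a for a in candidates if read(heap, HEAP_BASE, a, "<I") == value}

def pointer_search(main, target, max_offset):
    """Depth-1 search: 8-byte slots in MAIN whose value is within max_offset of target.
    Returns (offset from MAIN start, signed second offset) pairs."""
    hits = []
    for off in range(0, len(main) - 7, 8):
        ptr = struct.unpack_from("<Q", main, off)[0]
        if ptr and abs(target - ptr) <= max_offset:
            hits.append((off, target - ptr))
    return hits

def resolve(main, main_off, second_off):
    """MAIN start + offset, read that slot as 64-bit, then add the (signed) second offset."""
    return read(main, MAIN_BASE, MAIN_BASE + main_off, "<Q") + second_off

if __name__ == "__main__":
    main, heap = build_snapshot(0, 32)           # 32 coins on screen
    found = first_scan(heap, 32)                 # coin counter plus the decoy
    _, heap = build_snapshot(0, 40)              # same launch after collecting coins
    (target,) = next_scan(heap, found, 40)       # one address left
    (main_off, second_off), = pointer_search(main, target, 0x100)
    main2, heap2 = build_snapshot(0x80, 55)      # next launch: heap layout has moved
    addr = resolve(main2, main_off, second_off)
    print(hex(target), hex(main_off), hex(second_off), hex(addr),
          read(heap2, HEAP_BASE, addr, "<I"))
```

The raw heap address found in the first launch holds 0 in the second one, while the MAIN offset plus the negative second offset still lands on the counter, which is why the guide calls bare heap addresses unstable.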
  2. eyeliner

    eyeliner Has an itch needing to be scratched.

    Member
    7
    Feb 17, 2006
    Portugal
    Pictures, for the love of the almighty god of cheating.
    A bit of formatting and embellishment would go a long way.

    In the end I can only say:
    Thank you for the guide.
     
    Hmed likes this.
  3. merlin555

    merlin555 GBAtemp Advanced Fan

    Member
    7
    Oct 27, 2014
    Germany
    Great Guide !!

    It is important to use the JAVA version 10.0.2 in Windows.
    Or has anyone already done that with the 11s and 12s.
    Java 10 has already integrated the JAVAFX.

    I've already tried to install it on Linux ?
    So far without success.
    Must be a Linux 64Bit system, because JAVA 10.0.2 for Linux only gives the 64Bit version.
    Ubuntu, Freebsd, Mageia, Knoppix.
    But nowhere does the Noexs client work.

    Then there is already a guide here:
    https://gbatemp.net/threads/noexs-remote-debugger.512668/page-9

    — Posts automatically merged - Please don't double post! —

    See here:
    JAVA installation for Linux:
    https://stackoverflow.com/questions/49507160/how-to-install-jdk-10-under-ubuntu
     
  4. wiitendo84
    OP

     
  5. merlin555

    Good idea!
     
  6. DannyDarth

    DannyDarth Advanced Member

    Newcomer
    2
    Oct 14, 2018
    United States
    Noexs will not find pointers if it's +0 or +8 and it also cannot parse them.
     
  7. wiitendo84
    OP

    Since my Switch is down at the moment, if any of you would like to add pictures just let me know and we can figure it out by either sending it to me or whatnot.

    — Posts automatically merged - Please don't double post! —

    What do you mean by +0 or +8? I'm still new to this so having some more info I can add to this will help.
     
  8. Falo

    Falo GBAtemp Advanced Fan

    Member
    9
    Jul 22, 2012
    Germany
    The Disassembler is not really useful by itself, you need other tools like Ida Pro and Ghidra.

    If you found a possible code patch location in Ida Pro, then you can enter the memory address (main+offset) into it.
    This allows you to see and edit the games code in real time, but this is far too complicated for any normal user.

    For now, it is really slow, misses a lot of features and normal users will never use it.

    Here is a picture of it in action:
    noexes_disassembler.
     
    DaBlackDeath likes this.
  9. wiitendo84
    OP

    So my switch is completely dead. I've gone ahead and ordered a replacement tablet that is hackable. Going to keep it for parts only. Figured the screen and some of the internals may be ok. It'd be a bit before I can add pics up for this ok.
     
  10. dsrules

    dsrules GBAtemp Guru

    Member
    10
    Sep 20, 2005
    What do you mean by completely dead? Did you install autorcm?
     
  11. wiitendo84
    OP

    Yeah it's fried on the motherboard. There's a burn mark going across it where the battery piece hooks up to it. A nice little black scorch. Lol. It's cool though. I should be able to use some pieces as replacement parts in the future if need be.

    EDIT
    So I have some photos I am trying to upload for the tutorial. Any suggestions as to where I can put them up so I can link them here in the tutorial post.
     
    Last edited by wiitendo84, Jul 19, 2019
  12. cchou

    cchou Newbie

    Newcomer
    2
    Oct 26, 2018
    Taiwan
     
  13. wiitendo84
    OP

    You may have to disable dmnt cht from the hekate.ini.
    Holding L button on the shoulder while launching the game should deactivate cheats so it can attach to it. Try rebooting both the switch and computer as well.

    Also my replacement tablet should be in tomorrow morning so I'll be back either tomorrow night with pictures or the following day.
    Also if you're using cheats on the game from a cheat txt file, you will get that error if you have them enabled.
    Edit 2
    My replacement tablet has been delivered. It's literally like just a few digits off of my old one lol. Boots up fine, can get on eshop, going to set it up now and try everything out. Of course make a backup of my nand.
     
    Last edited by wiitendo84, Jul 19, 2019
  14. FunThomas

    FunThomas GBAtemp Advanced Fan

    Member
    5
    Jan 10, 2016
    Gambia, The
    is there a plan to support usb connection for faster memory transfer for near future ?
     
  15. wiitendo84
    OP

    I have no idea. I just wrote a small tutorial on how to look for the codes as of right now. If it gets implemented later on, I will update it with how to hook it up.
     
  16. wiitendo84
    OP

    So it seems that some games don't have working pointers in main memory but do have them in heap. My Lego Harry Potter codes I did are examples of using pointers in heap rather than main memory. Unusually that means they won't boot up every time you start the game but so far mine have booted each time I started it.
     
  17. WerWolv

    WerWolv EdiZon Developer

    Member
    6
    Mar 30, 2018
    Switzerland
    Very nice guide! I'm going to recommend that one from now on to people asking about how to make cheats. Thanks a lot :)
     
  18. arismendy64

    arismendy64 Member

    Newcomer
    1
    Dec 1, 2013
    United States
    Can you do a guide for the codes you found, on which code goes to here and there for the SX OS conversion? Thanks.
     
  19. Zaybokk

    Zaybokk GBAtemp Fan

    Member
    3
    Jan 28, 2014
    United Kingdom
    FÓDLAN
    I followed the steps (not connecting), how to connect by USB to Switch?
     
  20. wiitendo84
    OP

    USB is not implemented yet.
     
    Zaybokk likes this.