Tutorial Noexs Hacking Guide

wiitendo84

Well-Known Member
OP
Member
Joined
Jan 3, 2014
Messages
1,250
Trophies
1
Age
37
Location
New Albany, Indiana
XP
2,833
Country
United States
NOEXS cheat Code search guide

Now with Videos

Getting Started

Link to setup noexs
Big thanks to Biggles for this

https://gbatemp.net/threads/tutoria...switch-hekate-atmosphere.569079/#post-9119379


First thing is connecting to the switch.
Load your game you want to hack.
I always wait until the game starts to attach.
Input your switch IP address in the bottom of the Noexs client.
Click connect.
Click on refresh pids.
Scroll all the way down to the bottom and click on the last number.
Click attach to process and it should connect.
(If you get an error saying couldn't attach or tcpgecko already attached,
what that means is that dmnt cht is active and you either have to deactivate it
from the hekate.ini or you can hold L button down while loading the game up.)



So there are a total of 6 tabs at the top.
We're going to go into some small detail of each one of them.

TOOLS is of course where we attach to the processes and switch, but it also has
all of the memory locations to the left of it.
There are many different types in it but the ones we mostly focus on are Main and
Heap. Most times a code is found in Heap but it's not stable. So we use what's called
pointers to keep the value to be written to the address. Pointers are found in the Main
area of memory. Essentially an address in main points to an address in heap by offsets.
This tells the memory that a value should be written to an address at an offset from
this location. It could be minus or plus. It all depends. It seems that some pointers can be found in heap memory as well. This is proving to be something since the lego codes I found had pointers in Heap rather than Main.

SEARCH is where we search for values either unknown or known. If a health bar is looked
for it would be unknown. But if health is 100 then we would look for 100 but in hex. It
doesn't mean that the value would be 100, but most likely it would be. If you don't know
decimal to hex, all you have to do is type in the decimal number in the value box and
click convert to hex.
You can search different data types up to 64 bit. Search conditions allow you to change
from equal to less than to greater than etc.

POINTER SEARCH is where you can search for pointers for an address in heap. You can use this to search for pointers in Main memory and heap memory as well. Keep in mind Heap addresses are not always guaranteed to work. I'll add more
details on this later. It will most definitely require its own section on how to use it. It also seems
that Noexs will not find pointers if it's +0 or +8 and it can't parse them as well. Thank you DannyDarth
for the info.

MEMORY VIEWER allows you to see the memory addresses in real time. Still new to this so
if someone has more info on how to better use this let me know and I'll add it in.

WATCH LIST allows you to keep an eye on an address and also allows you to lock it to a
value or to even see what that address has for a value. This also helps when you want
to look for pointers for an address you found in Heap.

DISASSEMBLER Shout out to Falo for information on this.
So the disassembler requires tools like Ida Pro or Ghidra to be useful.
This isn't really useful for normal users. But I'll put the info in that he added in the comments.
If you find a possible code patch in Ida Pro, you can enter the memory address in the form of
[main + offset] into it. Which will allow you to see and edit the code in real time. Still is a bit complicated
for us normal users.
It is seemingly really slow, missing a good amount of features as well. As it gets updated, this will as well.

DIFFERENT TYPES OF CODES

Lives are usually found using the method of known values. You know how many lives you have
so you either gain or lose some to change the value.

Something that's a lot more complex in finding would be a moon jump code. This would most likely
be found by using unknown searches. Very time consuming but awesome effect.

Health is one that could be found by using both methods depending on what you're searching for.
If it has a value of let's say 100 on screen like in the game Turok. You would use a known value search but
in the game Mortal Kombat where it's a bar representation, you would use an unknown value. It's
kind of weird but like I said it all depends on the game.

MAKING CODES

KNOWN VALUE
Now you want to make your own codes.
The easiest ones to make are usually something that you can find easily. Let's say
a cheat code for money or gold.
Let's say you have 32 coins.
First type 32 into value and click convert decimal to hex.
The value 32 changes to 20.
Click search.
This may take a while so allow it to finish.
On the right hand side there will be a list of addresses. What you want to do is get those
down to as few as possible. So gather some more coins.
Let's say the new value is 40 coins. Type that in and click convert.
We do this until we get down to just a few locations.
Now that you have that down to a few addresses, let's start to poke them.
Click on each and down on the bottom of those addresses is a box that says value and poke.
Type in either an amount that is higher or lower than what you have and click poke.
If it changes, you found your address. If not, keep going until you do.

New Video

UNKNOWN VALUE
This is the same process as above but you don't know the value.
So click on search condition and change it to unknown.
Click Search to look at all values.
Now either gain some or lose some. So for health bars, lose some health.
Click search again. This will search for whatever search condition you have chosen.
Whether it be greater than, lesser than, equal to, etc.
Continue to do so until you have only a few options left. Then once again just poke
the values to either add to it or decrease to it.

**
Back in the GameCube era, there were times when lives and health were actually set
to one lower than what was shown on screen. Like lives being 3 on screen but in hex
they had the value at 2. So essentially 0=1 life, 1=2 lives, etc. I haven't seen
this yet but just as a precaution I wanted you all to know that.

POINTER SEARCH
Thanks to Deathwing Zero for a more detailed explanation on this!!!

Go to Tools and right click on MAIN in the memory section. Select Pointer Search Main
While still in the MAIN memory section right click on the first CODE_MUTABLE and select
Pointer search Min.
Right Click on the last CODE_MUTABLE right before sdk and select Pointer Search Max.
Find your address and copy and paste it into the address tab in pointer search.
Go to Browse and select your first ram dump you did. It will always be the biggest.
Now at this point you can choose to do your max offset and max depth.
If you aren't finding pointers with your offset, try making it a bit bigger.
Once you have everything correct including the beginning of MAIN memory address at the bottom,
click search.
Now it should pull up some locations after a bit.
Take the MAIN beginning address and add the offset to it to get a new address
Take that address and go to Watch List and click add. Type that address in and hit enter.
Change the type from 32 to 64 and click update.
This should bring up a value.
Take that value and add or minus the second offset to that.
If it's the right pointer, it gives you an address to poke which should be the same one you found earlier.
This can be used the same way for heap, just do pointer main and pointer min on the first address of heap.
Pointer max on the last address of Heap.

Now the depth should be used if you believe that the address you're looking for has more than one
pointer. This could take a bit of time to find. It may be my laptop but it took me 6 hours to finish the
search only to realize that I had a very low offset...So be mindful of that as well. I think Noexs can
support up to 3 in depth. Might be wrong on that but haven't tried it either.

[Hold L and A 550,000,000 level stud]
80000041
581F0000 9F087A88
781F1000 00000070
641F1000 00000000 20C85580
20000000
Looking at this code you will notice the first 1 on the middle addresses.
It will be 0 for main but since my codes use heap it's a 1. 581F0000
On the 3rd line you will see there is another 1 as well.
That means it's a negative offset. 781F1000

Video guys and gals...




Since this hasn't been updated for a while I wanted to talk about a new tool that was released in December 2019.
User Takumi4685 released a pointer searcher tool he created. This has made making codes 1000x easier.
This tool uses Noexs memory dumps that include both Heap and Main.
To use this you need to make sure that you get the start and end of both Main and Heap memory.
So to use it click on path and choose the noexs dump that you made at the beginning of the code search.
Then input the start of Main. Input the ending of Main. Input the start of Heap. Input the ending of Heap. And input the address that you found for what you were looking for.
Click on read 1st dump. On version 3, it now has a progress bar that tells you how long you have to wait.
When it is done, you just have to mess with the depth, offset number and offset range.
I've been able to find success in finding depths of 2 to 10.
Offset number I usually find it in 2 to 4.
Offset range I usually set to FFF to FFFF.
If it produces "too many results" utilize another memory dump and click narrow down results.
It should be able to find what you need.



SX OS
Up until now I've talked about Noexs. SX OS has a search function as well.
I've not used it but the basics are the same, save for that SX OS has to have hex as its values. There's
no way to click convert decimal to hex on it. So either make sure you have a calculator that allows you
to convert decimal to hex or go to your computer and type in decimal to hex calculator in google to bring one up.

KNOWN
To start you get to where you want to find the cheat whether it be health or gold or coins.
Hit the home button and go to the album viewer (SX OS Menu).
Navigate to cheat searcher in the cheat menu.
Once again choose your bit size and it should start a ram dump.
Now choose next search and equal to if you know your value and put in the value in hex.
This now runs through the ram dump and finds the value that you were searching for.
If there are once again too many addresses, you either gain or lose some.
Do another search and continue to do so until you have very few addresses left.
One of these should be the address you need.
In the view candidates section, it will allow you to poke these addresses to see which one is correct.

POINTERS
 
Last edited by wiitendo84,
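
The known-value narrowing and the depth-1 pointer walk from the KNOWN VALUE and POINTER SEARCH sections of the guide above, as an added example (not part of the original post and not Noexs code), run against a small constructed memory snapshot. The base addresses, the 0x120 slot in MAIN and the 0x70 field offset are made up for illustration.

```python
import struct

MAIN_BASE, HEAP_BASE = 0x7100000000, 0x2000000000  # constructed base addresses

def snapshot(coins, obj_off):
    """Constructed dump: MAIN+0x120 points at a heap object; coins sit at object+0x70."""
    main, heap = bytearray(0x200), bytearray(0x400)
    struct.pack_into("<Q", main, 0x120, HEAP_BASE + obj_off)
    struct.pack_into("<I", heap, obj_off + 0x70, coins)
    struct.pack_into("<I", heap, 0x10, 32)  # decoy value that never changes
    return {"main": bytes(main), "heap": bytes(heap)}

def scan_u32(snap, value):
    """Known-value search: every 4-byte-aligned heap address holding value."""
    heap = snap["heap"]
    return [HEAP_BASE + o for o in range(0, len(heap) - 3, 4)
            if struct.unpack_from("<I", heap, o)[0] == value]

def narrow(cands, snap, value):
    """Next search: keep only candidates that now hold the new value."""
    heap = snap["heap"]
    return [a for a in cands
            if struct.unpack_from("<I", heap, a - HEAP_BASE)[0] == value]

def find_pointers(snap, target, max_offset):
    """Depth-1 pointer search: MAIN slots whose 64-bit value lies within max_offset of target."""
    main, hits = snap["main"], []
    for o in range(0, len(main) - 7, 8):
        ptr = struct.unpack_from("<Q", main, o)[0]
        if abs(target - ptr) <= max_offset:
            hits.append((o, target - ptr))  # (offset from MAIN start, second offset)
    return hits

def resolve(snap, main_off, second_off):
    """MAIN start + offset -> read the 64-bit value -> add (or subtract) the second offset."""
    ptr = struct.unpack_from("<Q", snap["main"], main_off)[0]
    return ptr + second_off
```

Scanning a 32-coin snapshot and narrowing with a 40-coin one leaves a single heap address; `find_pointers` then yields the MAIN slot and second offset, and `resolve` follows the same pair to the new address in a snapshot where the heap object has moved.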

eyeliner

Has an itch needing to be scratched.
Pictures, for the love of the all mighty god of cheating.
A bit of formatting and embellishment would go a long way

In the end I can only say:
Thank you for the guide.
 

merlin555

Master
Great Guide !!

It is important to use the JAVA version 10.0.2 in Windows.
Or has anyone already done that with the 11s and 12s.
Java 10 has already integrated the JAVAFX.

I've already tried to install it on Linux ?
So far without success.
Must be a Linux 64Bit system, because JAVA 10.0.2 for Linux only gives the 64Bit version.
Ubuntu, Freebsd, Mageia, Knoppix.
But nowhere does the Noexs client work.

Then there is already a guide here:
https://gbatemp.net/threads/noexs-remote-debugger.512668/page-9

--------------------- MERGED ---------------------------

See here:
JAVA installation for Linux:
https://stackoverflow.com/questions/49507160/how-to-install-jdk-10-under-ubuntu
 

wiitendo84

I knew about that guide but there were many who didn't. So instead of searching through several pages,
I thought having a tutorial in the tutorial section would be helpful and easier to find.
 

wiitendo84

Since my Switch is down at the moment. If any of you would like to add pictures just let me know and we can figure it out by either sending it to me or whatnot.

--------------------- MERGED ---------------------------

Noexs Will not find pointers if its +0 or +8 and it also cannot parse them.

What do you mean by +0 or +8? I'm still new to this so having some more info I can add to this will help.
 

Falo

Well-Known Member
DISASSEMBLER i actually haven't used. So hopefully someone out here has a bit more
knowledge on how to effectively use this.

The Disassembler is not really useful on itself, you need other tools like Ida Pro and Ghidra.

If you found a possible code patch location in Ida Pro, then you can enter the memory address (main+offset) into it.
This allows you to see and edit the games code in real time, but this is far too complicated for any normal user.

For now, it is really slow, misses a lot of features and normal users will never use it.

Here a picture of it in action:
noexes_disassembler.jpg
 

wiitendo84

So my switch is completely dead. I've gone ahead and ordered a replacement tablet that is hackable. Going to keep it for parts only. Figured the screen and some of the internals may be ok. It'd be a bit before I can add pics up for this ok.
 

dsrules

Well-Known Member
What do you mean by completely dead? Did you install autorcm?
 

wiitendo84

Yeah it's fried on the motherboard. There's a burn mark going across it where the battery piece hooks up to it. A nice little black scorch. Lol. It's cool though. I should be able to use some pieces as replacement parts in the future if need be.

EDIT
So I have some photos I am trying to upload for the tutorial. Any suggestions as to where I can put them up so I can link them here in the tutorial post.
 
Last edited by wiitendo84,

wiitendo84

You may have to disable dmnt cht from the hekate.ini
Holding L button on the shoulder while launching the game should deactivate cheats so it can attach to it. Try rebooting both the switch and computer as well.

Also my replacement tablet should be in tomorrow morning so I'll be back either tomorrow night with pictures or the following day.
Also if you're using cheats on the game from a cheat txt file, you will get that error if you have them enabled.
Edit 2
My replacement tablet has been delivered. It's literally like just a few digits off of my old one lol. Boots up fine, can get on eshop, going to set it up now and try everything out. Of course make a backup of my nand.
 
Last edited by wiitendo84,

wiitendo84

So it seems that some games don't have working pointers in main memory but do have them in heap. My lego harry potter codes I did are examples of using pointers in heap rather than main memory. Unusually that means they won't boot up every time you start the game but so far mine have booted each time I started it.
 

WerWolv

EdiZon and Tesla Developer
Very nice guide! I'm going to recommend that one from now on to people asking about how to make cheats. Thanks a lot :)
 