sys-netcheat 101: From the basics to relative addresses, trainers and Android usage

Discussion in 'Switch - Tutorials' started by RattletraPM, Feb 13, 2019 at 9:37 PM.

  1. RattletraPM
    OP

    RattletraPM GBATemp's unofficial 蒸気イーブイ

    Member
    8
    Jan 18, 2017
    Italy
    Shinjuku Station

    • Hey, welcome to my tutorial! :D

      If you've never heard about it, sys-netcheat is an open-source system module that allows you to cheat in Nintendo Switch games. For this reason it's commonly referred to as a free alternative to SX OS' cheat functionality.
      Despite this, not many people seem to use it to its full capabilities (or even at all) and I believe one of the reasons is because there aren't many guides out there except for the basic one included in the ReadMe.

      ...And this is why I'm writing my own one here. This guide is meant to be as comprehensive and up-to-date as possible, explaining both simple tasks (such as the setup process and using the tool's basic memory editing functions) and advanced ones that I haven't seen mentioned online yet (creating scripts and trainers based around it or using it on the go from your Android device, for example). Thus, it was created using a mix of the module's official documentation, community resources and personal research.

      I've also taken extra steps to make the guide understandable to both beginners and experts alike. Most people who just want to have a small help to get through a certain game will want to read its first two or three parts while power users may be interested in its second half - which is going to be a bit more difficult, but will teach you how to make use of this tool to its full potential.

      Before getting started, however, here's an important piece of advice: make sure to back up the game's save file if you care about it!
      It doesn't matter which platform, tools or whatever - if you edit the game's memory in the wrong way you might end up corrupting your save data permanently. This can be avoided by simply creating a backup of your save beforehand just in case. It takes only a few seconds but it can save hundreds of headache-inducing hours later. Don't say I didn't warn you!

      Finally, do NOT use this homebrew to cheat in online matches. Not only are you ruining the game for everyone else, but you're also putting a big red flag on your account if it hasn't been banned already. You have been warned.

      Hopefully my work will draw more people's attention to this otherwise underappreciated homebrew and, of course, I also hope you'll find this guide useful! ^_^

    • So, you're ready to start? Great! In order to follow this guide you're going to need the following:

      • A Nintendo Switch with either Atmosphère v0.8.2 (or higher) or Kosmos v11.7 (or higher). This guide takes for granted that the CFW has been set up and works correctly.
      • sys-netcheat (only if you have Atmosphère, Kosmos includes it by default)
      • A computer with either Windows/macOS/Linux or an Android phone
      • If you have Atmosphère, you need a way to access your Switch's microSD from your PC (card reader/rajikosto's UMS tool/nxmtp/etc...)
      • netcat (all platforms) or SysNetCheatGUI (Windows only - but it reportedly runs well on other OSes using Wine), which you can get from here:
        • Windows - netcat / SysNetCheatGUI. Extract the ZIP of whichever you decide to choose to a folder.
        • macOS - Good news, macOS includes netcat by default!
        • Linux - Some distros include netcat by default (e.g. Ubuntu/Debian). If yours doesn't then either install it using your package manager or compile it from source.
        • Android - First download Termux, then open it and run "pkg install netcat" (without quotes, when asked for confirmation reply Y)
      • A working internet connection (Protip: your phone's Wi-Fi hotspot works here too!) - Use 90DNS if you don't want to get banned
      • Patience

      At the time of writing, sys-netcheat's latest version DOES NOT work under ReiNX: it depends on some Atmosphère components that haven't been ported over yet. If you copy over the KIP it will accept connections just fine, however trying to change or freeze a value will do nothing.


      All good? Alrighty, we'll start by installing & enabling the module then! Aside from a small difference (making sure that an option has been turned on) it's no different than the others, so it'll be a breeze if you already know how to install KIPs.

      -If you're running Kosmos you can skip ahead to point #4-

      1. Plug your microSD into your computer
      2. This next step will vary if you're booting Atmosphère using fusee-primary or by loading the required KIPs separately via Hekate:
      fusee-primary
      Hekate
      1. Plug the microSD back into your Switch if you've removed it before.
      2. Boot your Switch's CFW via your preferred method. If you're using Kosmos, be sure to go to "More configs" and then choose either "CFW + sys-netcheat" or "Stock + sys-netcheat" once you're into Hekate!
      3. Wait until the Switch is fully booted up. Success! Click on the next tab above.

      If the Switch hangs at boot you either have conflicting KIPs (for example I've noticed sys-netcheat and sys-ftpd don't go well together) or you have made a mistake while following the installation process. Disable any other KIPs you've got, double check everything and try again.


    • Now that sys-netcheat has been set up and loaded, it's time to learn how to use it!
      This part will be what most people will care about as it'll teach you how to search and edit values in a game's memory. Remember to keep your game open while following this guide, otherwise the memory addresses will change and you'll have to start all over again!

      Do not worry if some parts are lengthy, a good chunk of them is taken up by images and examples for your own convenience!

      Connecting

      Warning: Spoilers inside!

      Searching for a value

      Warning: Spoilers inside!

      Changing a value stored in memory

      Warning: Spoilers inside!

      Freezing values

      Warning: Spoilers inside!

      Now, some of you who already tried sys-netcheat could think "Well, so far this is a bit more detailed and up to date than the guide in the ReadMe, but so far I haven't learned much more than what I already knew!"
      If that applies to you, don't you worry: we were just getting started! :P

      If you ever get stuck, check the last part of this guide (the FAQ)!

    • So, if you've been paying attention you'll know by now that the addresses you've found will no longer work if you close the game. This means whenever you want to use a cheat you'll have to search for your specific value every time... right?

      Well, yes and no. You see, the problem here is caused by the game's base address changing every time you open it. This isn't a problem for more advanced memory editors which will automatically give you relative addresses (for example, Cheat Engine on Windows does that), however sys-netcheat only supports absolute addresses, meaning that it doesn't take into account the process' base one at all.

      And here is where things get interesting: most of the time what actually changes is just the base address, not the relative ones of a specific value (unless the program itself is made to do so). This also applies to games running on the Switch so, if we can find a way to make our addresses relative, we can effectively just make a single initial search and then work by ourselves from there!

      Now, there is no easy way to get the process' base address using sys-netcheat but this doesn't mean we're out of luck. In fact, we can use a dead simple yet effective trick: we're going to search for a value that never changes in our game's memory and make our addresses relative to that one instead.

      This is usually as easy as looking for a u64 with value 0 and picking the first result. However, be extra sure that whatever you've picked will actually stay the same all the time! In order to do so just play the game for a while - test different levels, areas, battles, etc. and make constant searches. If your address pops up every time, you've got yourself a good candidate!

      Once you've got it, all you have to do is to subtract the address you've just found from the ones you found previously - just keep in mind that the addresses are shown as hexadecimal so remember to set your calculator to HEX :P

      Then, once you open your game once more, it's time to do the opposite: search for that same value again, get the new address and add the result of the aforementioned subtraction to it. Yes, it's that simple.

      Here's the mandatory Kirby example:
      Warning: Spoilers inside!

      Keep in mind that the offsets may change between different game languages, versions, revisions and the like! If a new version of the game gets released, for example, you may have to perform searches again to find the value and recalculate the relative offsets.
      (The above is true for basically all platforms ever released, but it's always good to be reminded of it)

      That's it, really - a simple trick that solves an immensely annoying problem. It'll also be absolutely crucial for what we're going to do next.

    • And now we've reached what I think is the best part. Here we're going to mix pretty much everything I've told you so far so be sure to have had a good amount of practice before reading. A good knowledge of a scripting language is also recommended (I'm going to use Bash and Batch scripts here as they're some of the most common, but you can easily adapt this to whatever language you want).

      Netcat is known as "the swiss army knife of TCP/IP connections" for a reason. What we're using it for here is to act as a way to interface us with sys-netcheat, however it can do much, much more. While a lot of the additional functions aren't compatible or necessary for our goals, one thing that's going to be extremely useful to us is that it's been made with scripting in mind and you bet we're going to take advantage of that here.

      One thing worth mentioning is that while the following instructions will be good for Windows, macOS and Linux, they will need to be changed a bit to work on Android as Termux uses a slightly different version of netcat. This will be covered in the next part.

      First off, if you've been playing with netcat a bit, you've probably noticed that there are a few switches to execute a script or command through it (such as -c, -e, --lua-exec). Those cannot be used in our case as sys-netcheat doesn't actually provide a remote shell. However, netcat also accepts inputs via stdin and this will indeed work here. So, we can just echo our command and pipe it to netcat, for example:
      Code:
      echo "help" | nc switch_ip 5555
      Will show the help screen as soon as it connects to our Switch! Still, netcat will wait for another command instead of quitting as soon as it's done printing stuff onscreen. This can be avoided by using the -w switch, which acts as a timeout if the connection stays idle for the specified number of seconds. Add a little stdout redirection to a file and we've got this:
      Code:
      echo "help" | nc -w 3 switch_ip 5555 > out.txt
      In the above example netcat will connect to sys-netcheat, send the "help" command, wait for 3 seconds until the connection times out and write the result to a file called out.txt. This little command is already useful per se: you could make shortcuts to perform searches, change specific values (in this case writing to a file is not necessary) or list frozen addresses with a single click.

      Still, why stop there? With a few additions we can make a simple script that allows us to use relative addresses with ease:
      Bash
      Batch
      Using the scripts above is simple: you just need to edit the IP and RELADDR variables, putting your Switch's IP and relative address there respectively. You can also edit the BASTXT (name of the text file containing the base address), OUTFILE (name of the temporary text file storing the search results) and SEARCH (parameters for the initial search, this usually doesn't have to be changed as previously said) variables if you want to have a little bit more customization.

      How the scripts work is simple: first, they'll look for a file containing the base address. If it's not found, they'll search for it in the game's memory using some predefined search parameters (default: ssearch u64 0, then get the first address from the list). On the other hand, if the file is found then the base address is loaded from it and a relative address will be calculated using the value stored in RELADDR. Finally, a command is executed to write a predefined value located at the previously calculated address (default: poke with datatype u32 and value 100, if you want to edit the command go to line 23 [Bash] or 30 [Batch]).

      Those scripts can already prove useful by themselves as they make working with relative addresses a fairly straightforward procedure, however they have a much, much bigger potential. You know what happens when we get a bunch of relative addresses, the scripts above, a simple menu and mix it all together?

      We get ourselves our very own basic game trainer!

      Bash
      Batch

      And presto, here they are! I've uploaded everything to a ZIP for your own convenience, which you can download from here.

      Before calling it a day, however, keep in mind when making a trainer to always specify which game version, language, etc. it's meant for. As said before, different game versions/revisions/languages/etc. may break your stuff so always take your time to test things out and let the user know what is compatible and what isn't.

      Oh, and one last note too: all the code you see here is released under the WTFPL. You're free to modify, improve, break, share and generally do whatever you want with it. Go nuts.

    • If you've been paying attention in the previous part (hopefully) you've read that the scripts won't work out of the box in Termux. What gives? It has a Bash shell and netcat so they should work just fine!
      Well, spoiler alert, not quite. It's true, the shell is indeed Bash but as it turns out, Termux has been lying to you about netcat all along! Dun-dun-dunnnnn~!

      Here's what I mean: the netcat package doesn't actually provide one of the many netcat variations out there: it installs Ncat instead, which is a different tool, compatible with the former and using the same command name. However some of the switches are different, so we'll need to take that into account.

      What we need to do is very simple: netcat's -w switch corresponds to Ncat's -i switch. So we need to replace every occurrence of this:
      Code:
      nc -w
      With this:
      Code:
      nc -i
      If you do so, the scripts will run just fine! If you don't know how to run them in Termux I advise you to copy them to your internal storage, follow this guide to allow access to your phone's storage and then run the following commands (be mindful to replace fname with your script's filename):
      Code:
      cp ~/storage/shared/fname .
      chmod +x fname
      After that, you can just run it as any other shell script from your home directory (aka, like so: ./fname)

      However, there's something even better you can do on Android. If you don't fancy the idea of using a terminal emulator on the go to access your cheats, I feel you, it is a bit impractical after all. Luckily Termux gives us an alternative, Termux:Widget!

      Thanks to it, you'll have a quick way to run your scripts from your home menu. You can get it from Google Play but it costs around 2 EUR there, however it's free on F-Droid (no, that's not piracy - both listings are official and reportedly the Google Play one is not free as it's a way to support the developer)

      Protip: You can download Termux:Widget's APK from the link above without installing F-Droid's app, just keep in mind that in order to work both Termux and Widget must be installed from the same source (installing one from Google Play and the other from F-Droid won't work!)

      Once that's said and done, a folder called .shortcuts should have been created in your home dir (check with ls -a, if there is none then create it). All you need to do is to copy your scripts in there (remember to mark them as executable!), then put the widgets on your home screen.

      There are two available: one lists all the scripts in the aforementioned folder and the other is a quick launch button for a specific script. Choose whichever combination you like!


      This, combined with Rekado and a mobile hotspot can really turn your phone into the ultimate RCM injector setup :P

      • Q: sys-netcheat won't let me connect after I put the Switch to sleep/I connect a lot of times!
      • A: This is sadly a known issue and there's no solution at the moment. A workaround is to use Atmosphère's reboot to payload to reboot your Switch but, of course, it's a bit awkward. Still, it works for the time being, until the dev finds a fix at least.

      • Q: You've mentioned unsigned integers but how do I search for other data types? (e.g. strings, signed integers, floats, ...)
      • A: It's possible to find those using sys-netcheat but it's a bit more complicated than it needs to be. For example, I've successfully replaced strings both in homebrew games and Pokémon LGPE, however you need to take into account several things in order to do so (string encoding, endianness, zero-termination and also the length will probably exceed whatever data type you chose). If you want to search for strings then just keep in mind that most official Switch games will use wide chars to provide Unicode support. Signed integers are technically more feasible (use two's complement) but don't even bother with floats and doubles, sys-netcheat is just too barebones for that.

      • Q: A cheat I've made works in some levels/screens/occasion but doesn't in others!
      • A: Different games have different quirks. For example, you may have noticed the cheats I've made for the lives in Kirby are different for a single level and the world map. It's just due to how the game is made - for example in Sonic Mania Plus this doesn't happen but the life counter is tied to whatever save slot you're using. Sometimes you may even have to change different addresses.

      • Q: I can't find a value!
      • A: Are you sure you're looking for the right one and it's an integer? If so, try again - patience and perseverance are key here!
     
    Last edited by RattletraPM, Feb 17, 2019 at 5:07 PM
    ELY_M, Frexxos, lordelan and 6 others like this.
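Editor's added example, not the Bash script from RattletraPM's post nor anything shipped by the sys-netcheat project. It puts the relative-addresses trick and the netcat-over-stdin scripting from the post above into one runnable script: find (or reload) the anchor address with "ssearch u64 0", add the hand-computed offset to it, and poke the re-based address. It also picks "-w" or "-i" by sniffing the netcat variant, which covers the Termux/Ncat difference without hand-editing the script. Assumptions that are not taken from the post: the Switch IP, the RELADDR offset, that sys-netcheat prints search hits as 0x-prefixed hex addresses, one per line, and that "ssearch"/"poke" are spelled as in the post (check with the "help" command first).

```shell
#!/usr/bin/env bash
# Editor's added example, not the script shipped with the post above.
# Re-bases a cheat address across game launches using an anchor value
# found with "ssearch u64 0", then pokes a value at the re-based address
# through netcat's stdin.
# Assumptions not taken from the post: the Switch IP below, that search
# hits are printed as 0x-prefixed hex addresses (one per line) and that
# RELADDR is the offset you computed once by hand (cheat - anchor).
set -u

SWITCH_IP="${SWITCH_IP:-192.168.1.50}"   # assumed; set to your Switch's IP
PORT=5555
TIMEOUT=3                                # idle seconds before netcat gives up
BASE_FILE="base.txt"                     # cached anchor for the current game session
ANCHOR_SEARCH="ssearch u64 0"            # anchor search used in the post
RELADDR="0x2340"                         # hypothetical offset: cheat address - anchor
POKE="poke u32"                          # datatype used for the cheat
VALUE=100                                # value to write (e.g. lives)

# Ncat (what Termux installs) spells the idle timeout "-i"; other netcats use "-w".
# Decide from the tool's own help banner so the same script runs on both.
idle_flag_for() {
  case "$1" in
    *Ncat*|*ncat*) printf '%s' -i ;;
    *)             printf '%s' -w ;;
  esac
}

# Send one command over stdin and return whatever sys-netcheat printed.
netcheat() {
  flag=$(idle_flag_for "$(nc -h 2>&1 || true)")
  printf '%s\n' "$1" | nc "$flag" "$TIMEOUT" "$SWITCH_IP" "$PORT"
}

# First 0x... address in search output read from stdin (assumed output format).
first_hit() {
  grep -o '0x[0-9a-fA-F]\{1,16\}' | head -n 1
}

# Exactly one plausible 64-bit hex address and nothing else.
valid_anchor() {
  printf '%s' "${1:-}" | grep -Eq '^0x[0-9a-fA-F]{1,16}$'
}

# Hex arithmetic: the shell accepts 0x literals inside $(( )).
to_relative() { printf '0x%x' $(( $1 - $2 )); }   # cheat_abs anchor_abs -> offset
to_absolute() { printf '0x%x' $(( $1 + $2 )); }   # anchor_abs offset    -> cheat_abs

# Load the cached anchor, or search for it on the console and cache it.
anchor_address() {
  if [ -f "$BASE_FILE" ] && valid_anchor "$(cat "$BASE_FILE")"; then
    cat "$BASE_FILE"
    return 0
  fi
  base=$(netcheat "$ANCHOR_SEARCH" | first_hit)
  valid_anchor "$base" || { echo "no anchor found; is the game running?" >&2; return 1; }
  printf '%s\n' "$base" | tee "$BASE_FILE"
}

main() {
  base=$(anchor_address) || return 1
  target=$(to_absolute "$base" "$RELADDR")
  echo "anchor $base + $RELADDR = $target" >&2
  netcheat "$POKE $target $VALUE"
}

# The anchor only holds for one game session: "rebase" forces a fresh search
# after you relaunch the game. With no argument only the helpers are defined,
# so the file can be sourced and exercised without a console.
case "${1:-}" in
  run)    main ;;
  rebase) rm -f "$BASE_FILE"; main ;;
esac
```

Compute RELADDR once by hand from a single session (cheat address minus anchor address, both in hex) and paste it in; afterwards `./rebase.sh run` pokes the value and `./rebase.sh rebase` throws the cached anchor away after you relaunch the game. The cache is the sharp edge of this design: base.txt from a previous session is a valid-looking address that now points at something else, so a stale anchor makes the script poke the wrong memory without any error, which is also why the script refuses a base.txt that is not exactly one hex address.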
  2. jakibaki

    jakibaki GBAtemp Regular

    Member
    7
    Mar 3, 2017
    Germany
    Wow, great work! Would you mind me linking that guide in the sys-netcheat main thread?
     
    lordelan, linuxares and RattletraPM like this.
  3. RattletraPM
    OP

    Not at all, I'd be very glad if you do! ^_^
     
    lordelan and linuxares like this.
  4. linuxares

    linuxares I'm not a generous god!

    Moderator
    14
    Aug 5, 2007
    Sweden
    I will try maybe tomorrow, but I can get Sysnetcheat GUI to boot fine on Wine.
     
  5. Mat37

    Mat37 GBAtemp Advanced Fan

    Member
    4
    Dec 3, 2016
    France
    Does it matter ?
    Does the sysmodule work with Monster Hunter? When I press search on any value nothing happens, while it works on other games.
     
  6. RattletraPM
    OP

    It's the only game I haven't been able to use it with, for some reason it's not able to detect its process.
     
  7. Mat37

    Well, RIP then. Wanted to use that to farm faster as I don't know if it's possible to mod weapons' stats or monsters' HP.
     
  8. Idontknowwhattoputhere

    Idontknowwhattoputhere Advanced Member

    Newcomer
    1
    Jan 19, 2019
    United Kingdom
    Tested on Arch Linux with Wine,
    sysnet GUI works fine.
     
    linuxares likes this.
  9. RattletraPM
    OP

    Gotcha, I've only included native tools in the guide but I'll add a quick note now!
     
    linuxares likes this.
  10. Idontknowwhattoputhere

    Wine's hit and miss with software working.
    Maybe @mleeneg can port it over to Linux without using Wine.
     
  11. RattletraPM
    OP

    Yeah, it was one of the reasons why I went for native software at first.
    Still, if someone would make a macOS/Linux native client I'll gladly include it here too!
     
  12. Idontknowwhattoputhere

    Oh, and you might want to change the Kosmos version: it's 11.9.1, not 11.7.
     
  13. RattletraPM
    OP

    Good catch, I meant 11.7 or higher there ^^"
     
  14. Idontknowwhattoputhere

    People might go searching for an outdated Kosmos version in the future, that's why I mentioned it :)
     
    RattletraPM likes this.
  15. linuxares

    No need for me to test then, since I run Manjaro so it's the same thing x3
     