TX 金手指手冊

這個是TX的原始英文手冊 僅用于記錄 喜歡金手指的可以開始研究起來了

感覺上比GW的要復雜很多 有點像是WiiU的

TX 金手指手冊

1. Introduction

This small guide attempts to shed some light on finding your own cheat codes
for Switch games using the SX OS Cheat finder as well as detailing the specifics
about the SX OS Cheat Code Format.

2. Address Space Layout Randomization

The Nintendo Switch Operating System (Horizon OS) implements Address Space
Layout Randomization (from here on ASLR) for every process. What this means
is that the absolute base address of for example a game's executable or a
game's heap memory are not fixed in stone. SX OS does *not* disable this ASLR
as it would effectively make your console less secure. The downside of this is
that you as a cheat hunter will need to keep this in mind when finding cheats,
but we've tried our best to encapsulate/hide these details at a high level.

When working with pointers in the SX OS Cheat Engine you can have three different
type of pointers:
* MAIN - memory addresses/pointers relative to the game's NSO executable
* HEAP - memory addresses/pointers relative to the start of the game's heap
* BASE - memory addresses/pointers that are neither part of MAIN/HEAP,
they are displayed a relative to the address space base (usually 0x8000000)

Throughout the SX OS Cheat finder every memory address is thus displayed as:
[MAIN+xxxx], [HEAP+xxxx], [BASE+xxxx]

When writing actual cheat codes you need to specify what kind of address you are
reading/writing from, we support reading/writing from/to both MAIN and HEAP memory.

Remember that having cheat codes which write to a magic HEAP address are most of
the time not very stable/reliable cheat codes, because the layout of the HEAP is
not always fully deterministic and often times depends on how someone navigates
through a game. In these cases it is better to study the game logic more and find
pointers (or pointers to pointers, etc.) until you traced back to an address that
resides in MAIN (a pointer in BSS or RO for example). At the end of this guide
you will find a small case study of how the included codes for
"Mega Man Legacy Collection" work.

3. SX OS Cheat Code Format

SX OS Cheat Codes are loosely inspired by older cheat engines such as Action Replay.
While old Action Replay cheat codes usually had a fixed width per code, some code
types in the SX OS cheat engine can have a different length.

Cheat codes are placed inside the sxos folder on your microSD card. In order
for SX OS to pick up your cheat codes they need to be correctly placed in the
right subfolders. This subfolder format works like this:
/sxos/titles/<titleID>/cheats/<buildID>.txt

Where titleID is the titleID of the game and buildID are the first 8bytes of the
game's build ID formatted as ascii hexadecimals. Both the titleID and buildID for
a running game are displayed below the SXOS logo when you navigate to the cheats
tab in the SX OS Menu. The buildID is needed to properly deal with different
versions of the same game, which might lead to incompatibilities for cheat codes.
When SX OS detects you have cheats on your SD cards for the currently running game
but the buildID mismatches, it offers you to copy over the cheats from the other
buildID to the one of the version you are currently running, if you want to
experiment with (or fix) the compatibility of certain cheat codes.

A basic cheat code definition will look like this:

[Infinite Health] 11111111 22222222
11111111 22222222
11111111 22222222

Where 'Infinite Health' is the displayed name of the code and the lines containing
'11111111 22222222' are all the codes that belong to this cheat.

The cheat engine supports up to 16 'scratch' registers which can be used for
arbitrary purposes like stashing offsets or memory locations.

There is one special type of code. The "master code" which is not defined by
enclosing the name in '[' and ']' but using '{' and '}' instead. The master code
cannot be disabled and is executed before any other (enabled) cheat code. These
exists to avoid duplication in multiple cheats which share certain characteristics.
An example of master code usage can be seen in the case study for the
"Mega Man Legacy Collection" cheats you will find further down in this guide.

Below is an overview of the various code types currently implemented in the SX
OS Cheat Engine.

# Code Type 0: Write to memory

0TMR00AA AAAAAAAA YYYYYYYY (YYYYYYYY)

T = width of write (1/2/4/8)
M = memory type (0 = main nso, 1 = heap)
R = register to be added as offset
A = address relative to (M)

With code type 0 you can do a write to memory.

# Code Type 1: Conditional statements

1TMC00AA AAAAAAAA YYYYYYYY (YYYYYYYY)

T = width of comparison value (1/2/4/8)
M = memory type (0 = main nso, 1 = heap)
C = Condition to use for comparison

A = Address relative to (M)

# Code Type 2: End of conditional statement

20000000

This code type terminates an conditional block (Code type 3 or 8)

# Code Type 3: Looping

300R0000 VVVVVVVV

R = Register to use for loop counter
V = Loop count

310R0000

This code type is used at the end of the loop, use the same R value as
for the start of the loop.

# Code Type 4: Load register with value

400R0000 VVVVVVVV VVVVVVVV

This code type will load one of the registers with a specific value

R = Register to be filled
V = Value to be put in register

# Code Type 5: Load register with value from memory

5TMRI0AA AAAAAAAA

T = Width of value to be loaded from memory (1/2/4/8)
M = memory type (0 = main nso, 1 = heap)
R = Load from register index
I = Load from register flag, set to 1 to load from register R instead of address A
A = Address relative to (M)

# Code Type 6: Store value to memory address from register

6T0RIor0 VVVVVVVV VVVVVVVV

T = Width of value to be stored to memory
R = Register index containing the memory address
I = Increment register flag, set to 1 to increment the register by T after storing
o = add additional offset from register 'r'
r = offset register index
V = value to be stored to memory

# Code Type 7: Apply arithmic operation to register

7T0RC000 VVVVVVVV

T = Width of value (1/2/4/8)
R = Register index to apply arithmic operation to
C = Arithmic operation to apply:
0 = addition, 1 = subtraction, 2 = multiplication, 3 = shift left, 4 = shift right
V = Value to be used during arithmic operation

# Code Type 8: Check for buttons being pressed

8kkkkkkk

k = keypad value to check against. the hex values for the various keys are:

0000001 - A
0000002 - B
0000004 - X
0000008 - Y
0000010 - Left Stick Pressed
0000020 - Right Stick Pressed
0000040 - L
0000080 - R
0000100 - ZL
0000200 - ZR
0000400 - Plus
0000800 - Minus
0001000 - Left
0002000 - Up
0004000 - Right
0008000 - Down
0010000 - Left Stick Left
0020000 - Left Stick Up
0040000 - Left Stick Right
0080000 - Left Stick Down
0100000 - Right Stick Left
0200000 - Right Stick Up
0400000 - Right Stick Right
0800000 - Right Stick Down
1000000 - SL
2000000 - SR

Multiple button values can be combined by OR'ing them together. For example
A+B becomes 0000003, and A+B+X+Y becomes 000000f.

This code type otherwise behaves the same as the conditional code type 1.

4. Using the Cheat Finder in SX OS

SX OS Comes with a cheat searcher functionality that will help you in identifying
the memory locations you need in order to write your own cheat codes. You start
by launching a game, when you reach a point in the game where you want to start
searching for cheats you hit the home button, and navigate to the album viewer (SX OS Menu).

You can start a cheat search by navigating to "Cheat Searcher" in the cheat tab of the
SX OS menu. You will be prompted to pick what kind of value you want to start
a cheat search for. If you dont know the answer you can try to approximate it. Lets say
you want to hunt down the memory location of your in-game coins, and you know
that you can accumulate over 1000 coins, you know for sure the data type you are
looking for is gonna be bigger than 8-bit. This takes some experimentation and
expertise to get used to.

Once you select the data type a memory dump for the running game will be created
on your microSD card. This initial memory dump will take a while, it is advised
to use a fast microSD card with enough free space. If you are looking for a
specific/exact value, you can now select "Next Search" and pick "Exact Value",
here you can enter the exact value you're looking for (in hexadecimal). Once the
comparison is done it will tell you how many candidate memory locations it found
and whether they are few enough to manually explore.

If there's too many candidates left, you simply exit the SX OS Rom Menu and go
back to the game. Try to grab/lose some coins (or whatever item you're trying
to cheat) and head back into the SX OS menu's cheat tab, pick "Next Search" and
specify the condition. This can be "exact value" again if you know the value
you're looking for, or simply "less than" if you know you just lost some of the
desired item/stats. Keep iterating the searches until the cheat searcher tells
you there's few enough candidate memory locations left for you to start
exploring manually.

Manually exploring memory location candidates can be done by going to "View candidates"
in the cheats menu. When you select a candidate from the list you will be brought
to the builtin hex editor where you can change the values at these memory locations.
Once you change a value you can go back to the game and see if your change had
any/the desired effect to help in concluding whether you found the right memory
location.

5. Case Study of "Mega Man: Legacy Collection" cheat codes.

Currently we only provide a single example of working cheat codes. We would love
to spend all of our time on finding more cheats, but we have different priorities. ;-)

The cheats we found are a slightly interesting example though of the various code
types the SX OS Cheat Engine currently offers.

Mega Man: Legacy Collection is a collection of old Mega Man games originally
released for the NES back in the day. The switch "port" of these games is actually
a NES emulator in disguise. The meat of our Mega Man cheat codes hinges on the
"master code" which finds the virtual NES' memory start address, from there we
can apply any RAM patches to the NES memory as we wish. Let's have a look at how
this works.

The full master code looks like this:

{Master Code}
580f0000 00d3a2a0
580f1000 038cb840
580f1000 00000008
780f0000 0000000f

The usage of '{' and '}' indicates that this is a master code, eg. a code that
cannot be disabled and is always ran at the start of your cheat code list.

Lets break down the master code line by line:
580f0000 00d3a2a0

Code type 5 is 'Load register with value from memory', here we load a 8 byte (64bit)
value, relative from MAIN (0) into register 'f' (15). The offset from the start of
MAIN is 0xd3a2a0.

In pseudocode this would be something like:

register_f = read64(MAIN + 0xd3a2a0)

The next line reads:
580f1000 038cb840

This one is very similar to the first code, but notice how we have an '1' there.
if you look this up in the SX OS Code Format description above you can see this
is the 'Load from register flag'. If set to '1' we will take the address from the
register specified in the register index field rather than a memory location
relative from MAIN or HEAP. In pseudocode this would be:

register_f = read64(register_f + 0x38cb840)

The following line '580f1000 00000008' is more of the same, this time reading
the next pointer from offset 8, or in pseudocode:

register_f = read64(register_f + 0x8)

Then finally we we end with '780f0000 0000000f'. Which uses code type 7 to do
some basic arithmic to the memory location in register f. In pseudo code this
would be:

register_f = register_f + 15

So in essence all the "master code" does is follow a bunch of pointers and
eventually end up with a pointer in register F that holds the start of the virtual
NES' memory. This register f value can then be used in any cheat codes that need
to write/read from the virtual NES' memory in order to give Mega Man exciting
super powers! ;-)

Let's have a quick look at one of the game specific cheat codes for Mega Man 1:

[MM1 Infinite Health] 400e0000 00000000 0000006a
610f01e0 00000000 0000001c

The first line '400e0000 00000000 0000006a' is using code type #4 to load a
register with a specific value. In this case we load register E with value 0x6a.
0x6a is the RAM offset for Mega Man's health.

The following line '610f01e0 00000000 0000001c' is using code type #6, which
is "Store value to memory address from register" to write to this location.

Here we say write a 1 byte (8bit) value to the address: register_f + register_e.
The value to be written is 0x1c, the maximum value Mega Man's health can have
in Mega Man 1.

6. Closing Words

We hope this guide outlines the possibilities of the cheat engine and the
need for decent master codes a bit. We are looking forward to many community
contributions with new cheat codes and of course suggestions for improving our
cheat code finder and engine.

Yours Sincerely,

Team Xecuter -- Rocking the switch in 2018 and beyond!

七支劍
笑話
2B

發表評論

您必須登錄才能發表評論!

目前評論:2   其中:訪客  2   博主  0

  1. avatar The?Flash 會員 4

    以后七只劍大大開發金手指估計也方便多了,希望跟PSP的cmf一樣直接拿來就用。

  2. avatar The?Flash 會員 4

    我來補個機翻:
    SX操作系統黑客指南
    旅游業的發展
    –〔1〕。介紹
    這個小指南試圖找出你自己的欺騙代碼。
    使用SX OS欺騙查找器的切換游戲以及詳細說明
    關于SX操作系統的欺騙代碼格式。
    –〔2〕。隨機地址空間分配
    任天堂交換機操作系統(地平線操作系統)實現地址空間
    Layout Randomization(從這里ASLR)的每一個過程。這意味著什么
    是絕對基礎地址,例如游戲的可執行文件或
    游戲的堆內存不是固定在石頭上的。SX OS不*禁用這個ASLR
    因為它會有效地降低你的控制臺的安全性。這方面的缺點是
    當騙子找到騙子時,你必須記住這一點。
    但是我們已經盡力把這些細節封裝在很高的層次上。
    當使用SX操作系統欺騙引擎中的指針時,可以有三種不同的方法。
    指針類型:
    *相對于游戲的NSO可執行文件的主內存地址/指針
    *相對于游戲堆開始的堆內存地址/指針
    *基內存地址/指針既不是主/堆的一部分,
    它們相對于地址空間基(通常為0x800)顯示。
    在整個SX OS欺騙查找器中,每個存儲器地址被顯示為:
    [主體+xxxx ],[堆+xxxx],[基地+xxxx ]
    當編寫實際的作弊代碼時,您需要指定您的地址。
    讀/寫,我們支持從主/堆內存讀取/寫入。
    記住,有一個寫給魔法堆地址的欺騙代碼是大多數的。
    時間不太穩定/可靠的欺騙代碼,因為堆的布局是
    不總是完全確定的,而且常常取決于某人如何導航。
    通過游戲。在這種情況下,最好對游戲邏輯進行更多的研究和發現。
    指針(或指向指針的指針等),直到你找到一個地址
    駐留在主(例如BSS或RO中的指針)。在本指南的末尾
    你會發現一個小案例研究如何包含代碼
    “百萬人遺產收藏”作品。
    –〔3〕。SX操作系統欺騙代碼格式
    SX操作系統的欺騙代碼被舊的欺騙引擎(如動作重放)松散地啟發。
    雖然舊的動作重放欺騙代碼通常有固定的寬度,每個代碼,一些代碼
    SX OS欺騙引擎中的類型可以具有不同的長度。
    欺騙代碼被放置在你的MICROSD卡上的SXOS文件夾中。整齊
    對于SX操作系統來拾取您的欺騙代碼,它們需要正確地放置在
    右子文件夾。這個子文件夾格式是這樣工作的:
    /SXOS/頭銜/騙子/TXT
    其中TITILID是游戲的TITILID,BuffID是第一個8字節的
    游戲的構建ID被格式化為ASCII十六進制。TITILID和BuffID
    一個運行游戲顯示在SXOS標志下方,當你導航到騙子
    在SX操作系統菜單中選項卡。建設需要妥善處理不同
    相同游戲的版本,這可能導致欺騙代碼的不兼容。
    當SX OS檢測到你的SD卡上有欺騙,用于當前運行的游戲
    但建筑不協調,它提供你復制的騙局從另一個
    如果您想運行當前版本的版本
    實驗(或修復)某些欺騙代碼的兼容性。
    一個基本的欺騙代碼定義將是這樣的:
    [無限健康] 11111111 22222222
    11111111 22222222
    11111111 22222222
    其中“無限健康”是代碼的顯示名稱和包含的行
    “11111111 22222222”都是屬于這個騙子的密碼。
    欺騙引擎支持最多16個“劃痕”寄存器,可用于
    任意目的,如保存偏移或存儲位置。
    有一種特殊類型的代碼。未定義的“主代碼”
    用“{”和“}”代替“[‘和’]”中的名稱。主代碼
    無法禁用并在任何其他(啟用的)欺騙代碼之前執行。這些
    在多個騙局中存在重復的共享特征。
    在案例研究中可以看到主代碼使用的一個例子。
    “超級男人遺產收藏”騙局,你會發現進一步下跌在本指南。
    下面是SX中當前實現的各種代碼類型的概述
    操作系統欺騙引擎。
    代碼類型0:寫入內存
    0TDMRAAAAAAAAAAA YYYYYYY(YYYYYYY)
    t =寫入寬度(1/2/4/8)
    M=內存類型(0=主NSO,1=堆)
    r=要添加的寄存器作為偏移量
    A=相對于(m)的地址
    使用代碼類型0,可以對內存進行寫入。
    代碼類型1:條件語句
    1TMC900AA AAAAAAAA YYYYYYY(YYYYYYY)
    t =比較值的寬度(1/2/4/8)
    M=內存類型(0=主NSO,1=堆)
    C=用于比較的條件
    A=相對于(m)的地址
    y=比較值
    第2類:條件語句結束
    二千萬
    此代碼類型終止一個條件塊(代碼類型3或8)。
    代碼類型3:循環
    300萬VVVVVV
    R=循環計數器使用寄存器
    V=循環計數
    310R0