SX OS Cheat Hacker Guide

========================

--[ 1. Introduction

This small guide attempts to shed some light on finding your own
cheat codes
for Switch games using the SX OS Cheat finder as well as detailing
the specifics
about the SX OS Cheat Code Format.

--[ 2. Address Space Layout Randomization

The Nintendo Switch Operating System (Horizon OS) implements Address

Space
Layout Randomization (from here on ASLR) for every process. What this
means
is that the absolute base address of for example a game's executable
or a
game's heap memory are not fixed in stone. SX OS does *not* disable
this ASLR
as it would effectively make your console less secure. The downside
of this is
that you as a cheat hunter will need to keep this in mind when
finding cheats,
but we've tried our best to encapsulate/hide these details at a high
level.

When working with pointers in the SX OS Cheat Engine you can have
three different
type of pointers:
* MAIN - memory addresses/pointers relative to the game's NSO
executable
* HEAP - memory addresses/pointers relative to the start of the
game's heap
* BASE - memory addresses/pointers that are neither part of
MAIN/HEAP,
they are displayed a relative to the address space base
(usually 0x8000000)

Throughout the SX OS Cheat finder every memory address is thus

displayed as:
[MAIN+xxxx], [HEAP+xxxx], [BASE+xxxx]
When writing actual cheat codes you need to specify what kind of
address you are
reading/writing from, we support reading/writing from/to both MAIN
and HEAP memory.

Remember that having cheat codes which write to a magic HEAP address
are most of
the time not very stable/reliable cheat codes, because the layout of
the HEAP is
not always fully deterministic and often times depends on how someone
navigates
through a game. In these cases it is better to study the game logic
more and find
pointers (or pointers to pointers, etc.) until you traced back to an
address that
resides in MAIN (a pointer in BSS or RO for example). At the end of
this guide
you will find a small case study of how the included codes for
"Mega Man Legacy Collection" work.

--[ 3. SX OS Cheat Code Format

SX OS Cheat Codes are loosely inspired by older cheat engines such as

Action Replay.
While old Action Replay cheat codes usually had a fixed width per
code, some code
types in the SX OS cheat engine can have a different length.

Cheat codes are placed inside the sxos folder on your microSD card.
In order
for SX OS to pick up your cheat codes they need to be correctly
placed in the
right subfolders. This subfolder format works like this:
/sxos/titles/<titleID>/cheats/<buildID>.txt

Where titleID is the titleID of the game and buildID are the first
8bytes of the
game's build ID formatted as ascii hexadecimals. Both the titleID and
buildID for
a running game are displayed below the SXOS logo when you navigate to
the cheats
tab in the SX OS Menu. The buildID is needed to properly deal with
different
versions of the same game, which might lead to incompatibilities for
cheat codes.
When SX OS detects you have cheats on your SD cards for the currently
running game
but the buildID mismatches, it offers you to copy over the cheats
from the other
buildID to the one of the version you are currently running, if you
want to
experiment with (or fix) the compatibility of certain cheat codes.

A basic cheat code definition will look like this:

[Infinite Health]
11111111 22222222
11111111 22222222
11111111 22222222

Where 'Infinite Health' is the displayed name of the code and the
lines containing
'11111111 22222222' are all the codes that belong to this cheat.

The cheat engine supports up to 16 'scratch' registers which can be

used for
arbitrary purposes like stashing offsets or memory locations.

There is one special type of code. The "master code" which is not
defined by
enclosing the name in '[' and ']' but using '{' and '}' instead. The
master code
cannot be disabled and is executed before any other (enabled) cheat
code. These
exists to avoid duplication in multiple cheats which share certain
characteristics.
An example of master code usage can be seen in the case study for the
"Mega Man Legacy Collection" cheats you will find further down in
this guide.

Below is an overview of the various code types currently implemented

in the SX
OS Cheat Engine.

# Code Type 0: Write to memory

0TMR00AA AAAAAAAA YYYYYYYY (YYYYYYYY)

 T = width of write (1/2/4/8)
M = memory type (0 = main nso, 1 = heap)
R = register to be added as offset
A = address relative to (M)

With code type 0 you can do a write to memory.

# Code Type 1: Conditional statements

1TMC00AA AAAAAAAA YYYYYYYY (YYYYYYYY)

T = width of comparison value (1/2/4/8)

M = memory type (0 = main nso, 1 = heap)
C = Condition to use for comparison
A = Address relative to (M)
Y = Value to compare against

List of valid conditions:

- 1: Greater Than
- 2: Greater Than or Equal To
- 3: Lower Than
- 4: Lower Than or Equal To
- 5: Equal To
- 6: Not Equal To

# Code Type 2: End of conditional statement

20000000

This code type terminates an conditional block (Code type 3 or 8)

# Code Type 3: Looping

300R0000 VVVVVVVV

R = Register to use for loop counter

V = Loop count

310R0000

This code type is used at the end of the loop, use the same R value
as
for the start of the loop.
 # Code Type 4: Load register with value

400R0000 VVVVVVVV VVVVVVVV

This code type will load one of the registers with a specific value

R = Register to be filled
V = Value to be put in register

# Code Type 5: Load register with value from memory

5TMRI0AA AAAAAAAA

T = Width of value to be loaded from memory (1/2/4/8)

M = memory type (0 = main nso, 1 = heap)
R = Load from register index
I = Load from register flag, set to 1 to load from register R
instead of address A
A = Address relative to (M)

# Code Type 6: Store value to memory address from register

6T0RIor0 VVVVVVVV VVVVVVVV

T = Width of value to be stored to memory

R = Register index containing the memory address
I = Increment register flag, set to 1 to increment the register by
T after storing
o = add additional offset from register 'r'
r = offset register index
V = value to be stored to memory

# Code Type 7: Apply arithmic operation to register

7T0RC000 VVVVVVVV

T = Width of value (1/2/4/8)

R = Register index to apply arithmic operation to
C = Arithmic operation to apply:
0 = addition, 1 = subtraction, 2 = multiplication, 3 = shift
left, 4 = shift right
V = Value to be used during arithmic operation
 # Code Type 8: Check for buttons being pressed

8kkkkkkk

k = keypad value to check against. the hex values for the various
keys are:

0000001 - A
0000002 - B
0000004 - X
0000008 - Y
0000010 - Left Stick Pressed
0000020 - Right Stick Pressed
0000040 - L
0000080 - R
0000100 - ZL
0000200 - ZR
0000400 - Plus
0000800 - Minus
0001000 - Left
0002000 - Up
0004000 - Right
0008000 - Down
0010000 - Left Stick Left
0020000 - Left Stick Up
0040000 - Left Stick Right
0080000 - Left Stick Down
0100000 - Right Stick Left
0200000 - Right Stick Up
0400000 - Right Stick Right
0800000 - Right Stick Down
1000000 - SL
2000000 - SR

Multiple button values can be combined by OR'ing them together. For

example
A+B becomes 0000003, and A+B+X+Y becomes 000000f.

This code type otherwise behaves the same as the conditional code
type 1.

--[ 4. Using the Cheat Finder in SX OS

SX OS Comes with a cheat searcher functionality that will help you in
identifying
the memory locations you need in order to write your own cheat codes.
You start
by launching a game, when you reach a point in the game where you
want to start
searching for cheats you hit the home button, and navigate to the
album viewer (SX OS Menu).

You can start a cheat search by navigating to "Cheat Searcher" in the

cheat tab of the
SX OS menu. You will be prompted to pick what kind of value you want
to start
a cheat search for. If you dont know the answer you can try to
approximate it. Lets say
you want to hunt down the memory location of your in-game coins, and
you know
that you can accumulate over 1000 coins, you know for sure the data
type you are
looking for is gonna be bigger than 8-bit. This takes some
experimentation and
expertise to get used to.

Once you select the data type a memory dump for the running game will
be created
on your microSD card. This initial memory dump will take a while, it
is advised
to use a fast microSD card with enough free space. If you are
looking for a
specific/exact value, you can now select "Next Search" and pick
"Exact Value",
here you can enter the exact value you're looking for (in
hexadecimal). Once the
comparison is done it will tell you how many candidate memory
locations it found
and whether they are few enough to manually explore.

If there's too many candidates left, you simply exit the SX OS Rom
Menu and go
back to the game. Try to grab/lose some coins (or whatever item
you're trying
to cheat) and head back into the SX OS menu's cheat tab, pick "Next
Search" and
specify the condition. This can be "exact value" again if you know
the value
you're looking for, or simply "less than" if you know you just lost
some of the
desired item/stats. Keep iterating the searches until the cheat
searcher tells
you there's few enough candidate memory locations left for you to
start
exploring manually.

Manually exploring memory location candidates can be done by going to

"View candidates"
in the cheats menu. When you select a candidate from the list you
will be brought
to the builtin hex editor where you can change the values at these
memory locations.
Once you change a value you can go back to the game and see if your
change had
any/the desired effect to help in concluding whether you found the
right memory
location.

--[ 5. Case Study of "Mega Man: Legacy Collection" cheat codes.

Currently we only provide a single example of working cheat codes. We

would love
to spend all of our time on finding more cheats, but we have
different priorities. ;-)

The cheats we found are a slightly interesting example though of the

various code
types the SX OS Cheat Engine currently offers.

Mega Man: Legacy Collection is a collection of old Mega Man games

originally
released for the NES back in the day. The switch "port" of these
games is actually
a NES emulator in disguise. The meat of our Mega Man cheat codes
hinges on the
"master code" which finds the virtual NES' memory start address, from
there we
can apply any RAM patches to the NES memory as we wish. Let's have a
look at how
this works.
The full master code looks like this:

-- 8< ------------------------
{Master Code}
580f0000 00d3a2a0
580f1000 038cb840
580f1000 00000008
780f0000 0000000f
-- 8< ------------------------

The usage of '{' and '}' indicates that this is a master code, eg. a
code that
cannot be disabled and is always ran at the start of your cheat code
list.

Lets break down the master code line by line:

580f0000 00d3a2a0

Code type 5 is 'Load register with value from memory', here we load a
8 byte (64bit)
value, relative from MAIN (0) into register 'f' (15). The offset from
the start of
MAIN is 0xd3a2a0.

In pseudocode this would be something like:

register_f = read64(MAIN + 0xd3a2a0)

The next line reads:

580f1000 038cb840

This one is very similar to the first code, but notice how we have an
'1' there.
if you look this up in the SX OS Code Format description above you
can see this
is the 'Load from register flag'. If set to '1' we will take the
address from the
register specified in the register index field rather than a memory
location
relative from MAIN or HEAP. In pseudocode this would be:

register_f = read64(register_f + 0x38cb840)

The following line '580f1000 00000008' is more of the same, this time
reading
the next pointer from offset 8, or in pseudocode:

register_f = read64(register_f + 0x8)

Then finally we we end with '780f0000 0000000f'. Which uses code type
7 to do
some basic arithmic to the memory location in register f. In pseudo
code this
would be:

register_f = register_f + 15

So in essence all the "master code" does is follow a bunch of

pointers and
eventually end up with a pointer in register F that holds the start
of the virtual
NES' memory. This register f value can then be used in any cheat
codes that need
to write/read from the virtual NES' memory in order to give Mega Man
exciting
super powers! ;-)

Let's have a quick look at one of the game specific cheat codes for
Mega Man 1:

[MM1 Infinite Health]

400e0000 00000000 0000006a
610f01e0 00000000 0000001c

The first line '400e0000 00000000 0000006a' is using code type #4 to

load a
register with a specific value. In this case we load register E with
value 0x6a.
0x6a is the RAM offset for Mega Man's health.

The following line '610f01e0 00000000 0000001c' is using code type

#6, which
is "Store value to memory address from register" to write to this
location.

Here we say write a 1 byte (8bit) value to the address: register_f +

register_e.
The value to be written is 0x1c, the maximum value Mega Man's health
can have
in Mega Man 1.

--[ 6. Closing Words

We hope this guide outlines the possibilities of the cheat engine and
the
need for decent master codes a bit. We are looking forward to many
community
contributions with new cheat codes and of course suggestions for
improving our
cheat code finder and engine.

Yours Sincerely,

Team Xecuter -- Rocking the switch in 2018 and beyond!

SX OS 作弊黑客指南
========================

-[1.简介

这本小指南试图为您找到自己的作弊代码提供一些启示
使用 SX OS 作弊查找器的 Switch 游戏，以及详细说明
关于 SX OS 作弊代码格式。

-[2.地址空间布局随机化

Nintendo Switch 操作系统（Horizon OS）实现地址空间

每个过程的布局随机化（在此处为 ASLR）。这是什么意思
是例如游戏可执行文件或
游戏的堆内存不是一成不变的。SX OS *不*禁用此 ASLR
因为它会有效降低控制台的安全性。缺点是
作为作弊猎人，您在寻找作弊时需要牢记这一点，
但我们已尽力在较高的层次上封装/隐藏这些细节。

在 SX OS 作弊引擎中使用指针时，您可以使用三种不同的指针
指针类型：
* MAIN-相对于游戏 NSO 可执行文件的内存地址/指针
* HEAP-相对于游戏堆开始的内存地址/指针
* BASE-不属于 MAIN / HEAP 的内存地址/指针，
它们显示为相对于地址空间基础的地址（通常为 0x8000000）

因此，在整个 SX OS 作弊查找器中，每个内存地址都显示为：
[MAIN + xxxx]，[HEAP + xxxx]，[BASE + xxxx]

在编写实际的作弊代码时，您需要指定您的地址类型
读取/写入，我们支持对 MAIN 和 HEAP 存储器的读取/写入。

请记住，大多数情况下，拥有写入魔术 HEAP 地址的作弊代码

时间不是很稳定/可靠的作弊代码，因为 HEAP 的布局是
并非总是完全确定性的，并且通常取决于某人的导航方式
通过游戏。在这些情况下，最好多研究游戏逻辑并找到
指针（或指向指针的指针等），直到您追溯到
驻留在 MAIN 中（例如 BSS 或 RO 中的指针）。本指南末尾
您将找到一个小案例研究，了解其中包含的代码如何
“超级英雄遗产收藏”的作品。

-[3. SX OS 作弊代码格式

SX OS 作弊代码大致是由较早的作弊引擎（如动作重播）启发而来。
虽然旧的 Action Replay 作弊代码通常每个代码具有固定的宽度，但某些代码
SX OS 作弊引擎中的类型可以具有不同的长度。

作弊代码位于 microSD 卡上的 sxos 文件夹中。为了

为了让 SX OS 提取您的作弊代码，需要将它们正确放置在
正确的子文件夹。该子文件夹格式的工作方式如下：
/sxos/titles/<titleID>/cheats/<buildID>.txt

其中 titleID 是游戏的 titleID，buildID 是游戏的前 8 个字节

游戏的版本 ID，格式为 ascii 十六进制。的 titleID 和 buildID
当您导航到作弊项时，正在运行的游戏会显示在 SXOS 徽标下方
SX OS 菜单中的选项卡。需要 buildID 来正确处理不同的
同一游戏的版本，可能会导致作弊代码不兼容。
当 SX OS 检测到您的 SD 卡上存在作弊行为时，当前正在运行的游戏
但是 buildID 不匹配，它可以让您从另一个复制
如果您想将 buildID 更改为当前正在运行的版本之一
试验（或修复）某些作弊代码的兼容性。

基本的作弊代码定义如下所示：

[无限健康]
11111111 22222222
11111111 22222222
11111111 22222222

其中“ Infinite Health”是代码的显示名称以及包含以下内容的行

'11111111 22222222'是属于该作弊项的所有代码。

作弊引擎最多支持 16 个“ scratch”寄存器，可用于
任意用途，例如存储偏移量或内存位置。

有一种特殊类型的代码。未定义的“主代码”
将该名称括在“ [”和“]”中，但改用“ {”和“}”。主码
不能被禁用，并且必须在任何其他（启用的）作弊代码之前执行。这些
避免重复具有某些特征的多个作弊。
主代码用法的示例可以在针对
“ Mega Man Legacy Collection”作弊技巧将在本指南中进一步介绍。

以下是 SX 中当前实现的各种代码类型的概述
操作系统作弊引擎。

＃代码类型 0：写入内存

0TMR00AA AAAAAAAA YYYYYYYY（YYYYYYYY）

T =写入宽度（1/2/4/8）
M =内存类型（0 =主 nso，1 =堆）
R =要添加为偏移量的寄存器
A =相对于（M）的地址

使用代码类型 0，您可以对内存进行写操作。

＃代码类型 1：条件语句

1TMC00AA AAAAAAAA YYYYYYYY（YYYYYYYY）

T =比较值的宽度（1/2/4/8）
M =内存类型（0 =主 nso，1 =堆）
C =用于比较的条件
A =相对于（M）的地址
Y =要比较的值

有效条件列表：
-1：大于
-2：大于或等于
-3：比
-4：低于或等于
-5：等于
-6：不等于

＃代码类型 2：条件语句的结尾

20000000

此代码类型终止条件块（代码类型 3 或 8）

＃代码类型 3：循环

300R0000 VVVVVVVVV

R =用于循环计数器的寄存器
V =循环计数

310R0000

此代码类型在循环结束时使用，使用与 R 相同的 R 值
为循环的开始。
＃代码类型 4：使用值加载寄存器

400R0000 VVVVVVVV VVVVVVVVV

此代码类型将使用特定值加载其中一个寄存器

R =要填写的寄存器
V =要存入寄存器的值

＃代码类型 5：使用内存中的值加载寄存器

5TMRI0AA AAAAAAAA

T =要从内存中加载的值的宽度（1/2/4/8）
M =内存类型（0 =主 nso，1 =堆）
R =从寄存器索引加载
I =从寄存器加载标志，设置为 1 从寄存器 R 而不是地址 A 加载
A =相对于（M）的地址

＃代码类型 6：将值从寄存器存储到内存地址

6T0RIor0 VVVVVVVV VVVVVVVV

T =要存储到存储器中的值的宽度
R =包含存储器地址的寄存器索引
I =递增寄存器标志，设置为 1 以便在存储后将寄存器递增 T
o =从寄存器'r'添加额外的偏移量
r =偏移寄存器索引
V =要存储到存储器的值

＃代码类型 7：应用算术运算进行注册

7T0RC000 VVVVVVVV

T =值的宽度（1/2/4/8）
R =寄存器索引，将算术运算应用于
C =适用的算术运算：
0 =加法，1 =减法，2 =乘法，3 =左移，4 =右移
V =在算术运算中使用的值

＃代码类型 8：检查按钮是否被按下

8kkkkkkk
 k =要检查的键盘值。各种键的十六进制值为：

0000001-
0000002-B
0000004-X
0000008-是
0000010-按下左摇杆
0000020-按下右摇杆
0000040-大
0000080-R
0000100-ZL
0000200-ZR
0000400-加
0000800-减号
0001000-左
0002000-以上
0004000-对
0008000-下
0010000-左摇杆左
0020000-左摇杆
0040000-左摇杆右
0080000-左踩
0100000-右摇杆左
0200000-右粘
0400000-右摇杆右
0800000-右踩
1000000-SL
2000000-SR

可以通过将多个按钮值进行“或”运算来组合多个按钮值。例如
A + B 变为 0000003，而 A + B + X + Y 变为 000000f。

否则，此代码类型的行为与条件代码类型 1 相同。

-[4.在 SX OS 中使用作弊查找器

SX OS 带有作弊搜索器功能，可帮助您识别
您需要编写自己的作弊代码的存储位置。你先来
通过启动游戏，当您到达游戏中要开始的位置时
要搜索作弊，请单击主页按钮，然后导航到相册查看器（SX OS 菜单）。

您可以通过导航到“作弊搜索器”中的作弊标签来开始作弊搜索。
SX OS 菜单。系统将提示您选择要启动的价值类型
作弊搜索。如果您不知道答案，则可以尝试近似。可以说
您想寻找游戏中硬币的存储位置，并且您知道
您可以累积超过 1000 个硬币，您肯定知道您所使用的数据类型
寻找大于 8 位。这需要一些实验，
专业知识以适应。

选择数据类型后，将为正在运行的游戏创建内存转储
在您的 microSD 卡上。建议此初始内存转储需要一段时间。
使用具有足够可用空间的快速 microSD 卡。如果您正在寻找
具体/确切值，您现在可以选择“下一个搜索”并选择“确切值”，
在这里，您可以输入要查找的确切值（十六进制）。一旦
比较完成后，它将告诉您找到了多少个候选内存位置
以及它们是否足够少以至于无法手动探索。

如果剩余的候选人过多，您只需退出 SX OS Rom 菜单并转到

回到游戏。尝试抢/丢一些硬币（或您尝试的任何物品
作弊），然后返回 SX OS 菜单的作弊标签，选择“下一步搜索”，然后
指定条件。如果您知道该值，则可以再次为“精确值”
您正在寻找，或者只是“少于”，如果您知道自己只是失去了一些
所需的项目/统计。不断重复搜索，直到作弊者告诉为止
您剩余的候选存储位置已经很少，可以开始使用
手动探索。

手动浏览内存位置候选者可以通过转到“查看候选者”来完成
在秘籍菜单中。当您从列表中选择候选人时，您将被带到
到内置的十六进制编辑器，您可以在其中更改这些存储位置的值。
更改值后，您可以返回游戏并查看您的更改是否
任何/期望的效果，以帮助确定您是否找到了正确的记忆
位置。

-[5.“ Mega Man：旧版收藏”作弊代码的案例研究。

目前，我们仅提供一个有效的作弊代码示例。我们会喜欢
将所有时间都花在寻找更多作弊上，但是我们有不同的优先级。;-)

我们发现的作弊是各种代码的一个有趣的例子
输入 SX OS 作弊引擎当前提供的类型。

洛克人：遗产收藏最初是旧洛克人游戏的集合
当天为 NES 发布。这些游戏的切换“端口”实际上是
变相的 NES 模拟器。我们的《洛克人》作弊代码的内容取决于
从那里找到虚拟 NES 的内存起始地址的“主代码”
可以根据需要将任何 RAM 补丁应用于 NES 存储器。让我们来看看如何
这可行。
完整的主代码如下所示：

-8 <------------------------
{主码}
580f0000 00d3a2a0
580f1000 038cb840
580f1000 00000008
780f0000 0000000f
-8 <------------------------

“ {”和“}”的用法表示这是一个主代码，例如。一个代码
不能被禁用，并且总是在作弊代码列表的开头运行。

让我们逐行分解主代码：
580f0000 00d3a2a0

代码类型 5 是“使用内存中的值加载寄存器”，这里我们加载 8 字节（64 位）

从 MAIN（0）到寄存器'f'（15）的相对值。从开始的偏移量
MAIN 为 0xd3a2a0。

用伪代码，这将类似于：

register_f = read64（MAIN + 0xd3a2a0）

下一行显示为：
580f1000 038cb840

这与第一个代码非常相似，但是请注意我们那里有一个“ 1”。
如果您在上面的 SX OS 代码格式说明中查找此内容，则可以看到此内容
是“从寄存器加载标志”。如果设置为“ 1”，我们将从
在寄存器索引字段而不是内存位置中指定的寄存器
来自 MAIN 或 HEAP 的亲戚。用伪代码可以是：

register_f = read64（register_f + 0x38cb840）

下面的行“ 580f1000 00000008”更多相同，这次阅读

从偏移量 8 开始的下一个指针，或者使用伪代码：

register_f = read64（register_f + 0x8）

然后最后我们以'780f0000 0000000f'结尾。哪个使用代码类型 7 来执行

寄存器 f 中存储位置的一些基本算术运算。用伪代码
将是：
 register_f = register_f + 15

因此，实质上，所有“主代码”所做的就是遵循一堆指针，
最终以寄存器 F 中的指针结尾，该指针保存虚拟的开始
NES 的记忆。然后，该寄存器 f 值可用于任何需要的作弊代码中
从虚拟 NES 的内存中写入/读取，以使《洛克人》令人兴奋
超级大国！;-)

让我们快速看一下《洛克人 1》的游戏特定作弊代码之一：

[MM1 无限生命]
400e0000 00000000 0000006a
610f01e0 00000000 0000001c

第一行'400e0000 00000000 0000006a'使用代码类型＃4 加载

用特定值注册。在这种情况下，我们将值 0x6a 加载到寄存器 E 中。
0x6a 是 Mega Man 健康状况的 RAM 偏移量。

以下代码行“ 610f01e0 00000000 0000001c”使用的代码类型为＃6，

为“将值从寄存器存储到存储器地址”写入该位置。

在这里，我们说将一个 1 字节（8 位）的值写入地址：register_f +

register_e。
要写入的值是 0x1c，Mega Man's health 可以具有的最大值
在洛克人 1。

-[6.结束语

我们希望本指南概述了作弊引擎和
需要体面的主码。我们期待着许多社区
具有新的作弊代码的贡献，当然还有改进我们的建议
作弊代码查找器和引擎。

此致，

Xecuter 团队-在 2018 年及以后摇摆不定！