Cheat Creation

Last updated: 08-02-2022

Introduction

Before we can start creating a cheat for any of the values we found, we need to identify how that value is stored in memory. Values can be stored either Statically or Dynamically. This makes a significant difference on how our cheats can be created. If a value is Static in memory, that means it will always get assigned that address. That means we can create a cheat that always writes a value to a specific location (usually in the MAIN). Nice and easy! Unfortunately, most values are stored Dynamically. This means that the will move every time the game is launched. For this guide, we are going to focus on Dynamic cheats as these are more complicated but I will demonstrate what to look for when you find a static address value at the end of this section.

In order to create a cheat for a dynamically stored address, we need to find a Pointer. A pointer is how the game's code knows where the value is stored. If you have experience on PC using Cheat Engine, this may start to sound familiar to you. The problem is that the Switch does not use the same memory format as PC, so there is no manually finding a pointer. Luckily we have a tool called PointerSearcher that will take care of all the math we need to do and it is fairly straightforward to use.

Getting Set Up (3 to 7 hours)

We will be using Super Kirby Smash for this section of the guide. This game is even simpler than Pokemon Quest, so it shouldn't take you more than a few minutes to find all the values needed. The reason for changing games is because Pokemon Quest doesn't actually load the values in memory, it loads the whole save file. This causes the values we found to move an unknown number of shifts over. We will come back to Pokemon Quest in our Expert guide when we cover ASM cheats. So, go ahead, play through the Super Kirby Smash Tutorial (takes less than 5 minutes) and find the values for Gem Apples, Fire Gems, Water Gems, and Light Gems and bookmark them. Use these Search Settings:

U32] [==] [HEAP] [***]

*** Value you are searching for

You should have something like this:

Kirby_1.jpg

I want you to look at my fire/water/light gems addresses (1). Notice they are all right next to each other? Remember when I mentioned things can be next to each other? We are missing Rare gems, so could Rare gems be that next address? Go ahead and enter memory viewer (Press R3, also known as Pressing R Stick) and change the address to something (I did 50):

Kirby_2.jpg

Now go back to the game and check to see if Rare Gems changed (may have to leave and re-enter the shop).

Kirby_3.jpg

While we are at it, let's get our HP (Stamina) value too (and anything else you may want). HP is a little tricky due to the display value isn't our actual HP. My character has a base HP of 60 and an additional HP from armor of 19, giving me a total of 79 HP. The game actually stores this as 790 in a U32. So get into a fight, search for your known starting hp, then use the same technique as finding Pokemon Quest's HP (by doing Semi-Known Searches). Vigor is also very easy to find as it is also a U32 (pretty much every value in this game is stored in a U32). So you should be able to find these 8 values without much difficulty.

Kirby_4.jpg

We can now move onto finding our Pointers to make cheats for these values. I'll explain later, but for now, make sure you are inside a quest and pause the game.

Finding Pointers

We will be using PointerSearcher.exe to find our pointers. Go ahead an open it and I will go through a few things.

Kirby_5.jpg

First, you will need to input your switch's IP address(1) (it can be found in your Switch's Settings -> Internet), then click on the “Attach to” button (2). This should cause your Attach to, IP Address and Sys Module Version backgrounds to change to green. This should also freeze your game (this will prevent values from changing while the memory is being downloaded). Click on “Dump ptr” button (3) to start downloading the game data onto your PC. Where the file is being saved to and the games stats will be displayed here (4). It will take a few seconds (or more likely minutes, depending on game size) to complete. Now if you made the bookmarks, like I suggested, you can click on the “Download Bookmarks” button (5). Your Bookmarks will show up in this area (6) showing you their address and what label you named them. You can then drag them one at a time into Target Address 1, 2 or 3 (7). For now, let's just do Apple Gems into Target Address 1 (make sure you are on the line with the game information).

The Max Depth, Offset Num, and Offset Range (8) are probably the most misunderstood fields and have led to numerous arguments between cheat creators. Everyone has their personal preference when it comes to these fields. The short answer is that if you find correct pointers, then what you used in the fields is good. I personally prefer to find the shortest pointers possible (since that limits the possible ways the pointer can break). Let's break down each of the fields. Max Depth is the maximum number (levels) of pointers the program will look for. The default value is 4 and anything larger than this will take a lot longer to process. Offset Num is how much variability the program will allow when looking at pointers. The default value is 1, which means that it will have no variability If the Max Depth is 4, and Offset Num is 1, the program will only find level 4 pointers. If Max Depth is 4 and Offset Num is 2, the program will find Level 3 and Level 4 pointers. Offset Range is how big of a number each pointer level can be. The default is 0x800, which will cover most basic games, but some games will need more levels or a larger range. I personally set my Offset Range to 0xF000 to start. So go ahead and use these settings:

Max Depth 4, Offset Num 4, Offset Range F000

You should get something like this:

Kirby_6.jpg

As you can see, I got 10 results. You should have gotten the same (or at least very similar), if you didn't, that means you either are doing something different (we are doing Apple gems) or you didn't follow the guide correctly. These results are possible pointers. PointerSearcher is pretty much brute forcing to find them. This isn't a bad thing, it just means most if not all of them are not going to work. So how do we check them? Well, we have to close the game, relaunch it then check each one of these to see if they “point” to the correct new address. Now we did a lot of work getting all of these values, so why waste that time... we could, for example, use Notepad to write down all of the information we have gathered so we don't have do unnecessary steps all over again. I would highly suggest doing it regardless because games get updated, and having your old notes on hand can help you remember important information (like how Kirby's health is 10 times the display value in combat)

Example of my Dump Info file:

Kirby_7.jpg

and a picture of my Game info file:

Kirby_8.jpg

As you can see, it doesn't have to be anything complicated, just stuff to help you remember. Go ahead and finish getting all the pointers for the rest of the values you found, then disconnect PointerSearcher.exe from your switch, close the game, then relaunch it. This will force the switch to allocate new memory addresses to the game (and our game's PID will also change), and allow us to check our pointers using JNoExsClient.

Were you able to find them all? What about HP? Any one of three things happened.

  1. You followed steps of the guide, didn't find anything and didn't think to adjust your search settings.

  2. You followed steps of the guide, didn't find anything and realized you needed to adjust your search settings (good on you!)

  3. You didn't download the game state during a fight and may or may not have a list of almost worthless pointers. Go back to start of the section and try again.

Why was it important for us to download the game state during a fight? The game will not always need information to be stored. For example HP, the game does not need to know what your character's current HP while you are in town, so it may not have a valid pointer while you are in town. This isn't always true for games, but it is a good idea to keep in mind when you start to create cheats on your own.

Let's take a look at the pointers we have found:

Kirby_9.jpg

For Apple Gems, I found 10, while Fire and Water gems I found 4 each. Now while PointerSearcher is a great tool, it's not perfect. All it tries to do is brute force a calculation to find pointers. This means that it may give us invalid pointers. With practice and experience you will be able to see trends and find correct pointers. For example, notice that the first 4 of all 3 searches are all similar with only the last section being different. Take this one for example:

[[[[main+A12000]+68]+1CC8]+F0]+????

Remember how we found each of the Gems next to each other, and that Apple Gems were -0x30 from Fire Gems? Well notice that is exactly what we can see with these pointers. So since they are all next to each other, they should have similar pointers. So what about those other 6 pointers for Apple Gems? They might still be valid pointers, but you may not want to use them. The reason why is because of updates. Think about how much work you had to do to find all these values? Do you want to do this EVERY time the game updates? Or if you can use a common pointer, you only need to find 1 value to find the updated pointer, then update the rest of the cheats based on this. We will go over this more in another section when we cover updating cheats. For now, let's focus finding some good pointers. Now most of the stuff we are trying to find only have a few pointers. This won't be the case very often. Take our HP search for example. I have 47 results, which is few enough to check every one, but we can do a 2nd dump and use PointerSearcher to narrow down the possible results. Unfortunately for this game it will not work (as we will see anyway in a few moments). Regardless, we have a list of pointers we need to find out which ones are good or not. For that, we are going to use JNoExsClient. Go ahead, close your game (make sure you have all the info saved we have gathered so far) and relaunch it. We need to do this to make sure that the game has changed it's location in memory. Once you are back in game and at the village, pause the game and launch JNoExsClient. As you can see, there are several tabs available.

On this first tab, Tools, we have our most common tasks and information. Here we will be able connect to our switch, view memory information, and parse our pointers. We will come back to this in a little bit.

The second tab, Search, we have our search functions similar to what we have with Edizon-SE. It is possible to use this instead of Edizon-SE but it tends to take longer for it to work since it has to download the memory from your switch then scan it on your computer.

The third tab, Pointer Search, is another way to find pointers. Unfortunately, I find this tab almost worthless. What few pointers I have found using this tab have usually been wrong or not as good as using PointerSearcher.

The fourth tab, Memory Viewer, is one of the more important tabs. This will allow us to look at the memory for the game (similar to Edizon-SE). We can input any address and look at it here.

The fifth tab, Watch List, is also important as it is similar to bookmarks in Edizon-SE. We can add an address to watch and/or Freeze.

The sixth tab, Disassembler, is really only going to be used for ASM cheats (which will be covered MUCH later).

Let's go back to the first tab and go through connecting it:

Kirby_10.jpg

1st we need to connect our switch to JNoExsClient. We have to use the Network (1), so enter your switch's IP Address, then click on the Connect/Disconnect Button (2). Once you are connected, you will need to Refresh PIDs (3), then select the PID for the game (it is usually the last one but you can confirm with the TID under the buttons) and click on Attach to Process (5) button. If you get an error about unable to attach, it means that another program/process is currently connected (only one thing can attach at a time, so it could be you didn't disconnect correctly from PointerSearcher. You can click on detach from process then attach to process and it should work now. You know it is working properly when your game freezes. You can actively pause or resume with the buttons at the bottom center of the program.

Now that we are connected, we can start testing the pointers we found for Apple Gems. Make sure the game is running (not paused) and copy one of the pointers we found into the Expression: box, then click the Parse button.

Kirby_11.jpg

You should have gotten an address. We can now check that address by copying it and pasting it in the Memory Viewer tab. This will allow us to see if this address is actual correct.

Kirby_12.jpg

You can paste the address in the Address box (1) and click the Update button. I would also suggest check the Auto Refresh box, which will allow the memory to constantly update instead of only when you click the Update buttons. There should be a highlighted box (2) which will show you the address and will show you the value (3) in hexadecimal Now you may notice that that the value in 2 and 3 are in different orders. Memory is stored based on Endianness, namely Big-Endianness and Little-Endianness. By default, JNoExsClient uses Big-Endianness. If you are not used to low level computer systems, you may want to switch to Little-Endianness (which makes it look more similar to how normal people write numbers). You can Toggle the Switch Endianess (Yes it is misspelled) box (4) to see the difference to find which you are more comfortable with.

As you can see, I have 0x222 which is 0d546. This is the correct value in game. While we are still in the village, go ahead and check the rest of the pointers we found except the HP Pointers.

Did all of the pointers you find work? This will not be the case in most games. Most of the time you will only find 2 or 3 good pointers out of a list of a hundred. This is why you will need to narrow down results in PointerSearcher with multiple dumps. Now we need to check our HP Pointers. Make sure you know your HP value then launch a quest and pause the game once the fight starts. Now we can start checking our pointers, just like the others.

Did all of these pointers work too? Again this is not usual but for now we have one more thing to test before I explain what is going on. Go ahead and either quit or complete the quest. Once you are back in the village, go ahead and try those HP Pointers again. What happened? They didn't work at all. Again, this is why I stressed the importance of when you do your dumps and tests. If the conditions are not correct, you won't find a good pointer.

Now back to why all of our pointers worked. It's because all of our values (with the exception of HP) are actually Static Memory values. If you go back to Edizon-SE and look at the Bookmarks you made the first time, you will notice that the values match up with your current session (this is quick way to check if a value is statically stored). If these values were found in the MAIN or early in HEAP, we can create a simple static value code. If they are deep in HEAP or are dynamically stored, then we will need a pointer code to point to the correct address before our static value code. To understand what I mean, we need to talk about Code Types.

Next