FF6 Hacking
Hacks, Resources and Tutorials
Narshe School
Assembly / Hex
IDA Pro newbie Tutorial (GBA, SNES, loader script, GDB debugger)
Search
Members
HelpUsers browsing this thread: 2 Guest(s)
IDA Pro newbie Tutorial (GBA, SNES, loader script, GDB debugger)
01-30-2016, 03:30 AM
(This post was last modified: 11-18-2017, 09:09 PM by madsiur.
Edit Reason: modification in accordance to second post
)
coder
Posts: 3,970
Threads: 279 Thanks Received: 236 Thanks Given: 58 Joined: Oct 2011 Reputation: 65 Status
|
A) Tutorial goal
1) Disassemble partially a SNES ROM (first steps)
2) Disassemble partially a GBA ROM (first baby steps)
3) Understand some very basic IDA Pro functionalities
B) What is needed
1) IDA Pro (6.8 used here)
2) IDA SDK
3) Visual Studio community (free)
4) FF3us ROM (1.0 used in example)
5) FF6A ROM (European version used in example but it really doesn't matter)
C) Example with FF3us ROM
Hello, I'm your host , Troy McClure. I'm going to show you basic stuff with IDA Pro. I only started to use it recently so bare with me, I don't have answers to all questions but knows enough to get interesting results. Unless other disassemblers, IDA Pro will take every branches and jumps possible from the first function which in theory could disassemble a whole game with one click. It's not exactly the case with SNES or GBA games, but we are still way ahead of disassemblers that do only sequential disassembling creating garbage code when hitting data.
Step 1: Setting up SNES loader & processor
I'm not giving a Visual Studio newbie tutorial here!
Download and build loader project: https://github.com/gocha/ida-snes-ldr
Download and build Processor project: https://github.com/gocha/ida-65816-module
Copy both files respectively in the loaders and procs folders of your IDA installation.
Step 2: Basic disassembling
Open IDA, and click File -> Open and select your ROM. Select the good processor and click set (see Fig.1). Then click ok.
There should be hundreds of functions disassembled shown on left (function window). I have not checked all of them but those I've check had the right code at the right place, meaning it works well.
Step 3: Manual disassembling example
You'll see in the function window bank C1 is completely overlooked except the entry function (C1/0000). This is because a jump table is used by the JMP at C1/0005 and IDA won't take all possible paths in this case (Fig.2). Now let's use the function at C1/002D as an example (C1/0020 in jump table). To disassemble data (unrecognized code by IDA) into code, simply put your cursor on C1/002D and press "C". You should have something similar to Fig.3.
Now this is where assembly knowledge come handy. You can see a BRK instruction at C1/0072 meaning something went wrong. Also the first two LDAs suggest data is pulled from end of bank C1. There is two problems here: the DB register point to C1 and index register has the wrong value. IDA does not know the registers values at that point because you're manually disassembling from a new point 0 that is not point 0 (simply put). You need to tell IDA the registers values at that point.
Select the whole code portion in red and right click -> undefine. This will set back the code as unknown data. Put your cursor on C1/002D and click Edit -> Segments -> Change segment register values. Now put the Index register (X) to 0 and the DB one (B) to 7E (Fig.4). Press ok. You should now see the modified registers next to the address C1/002D:
![[Image: idasnes3.PNG]](https://www.ff6hacking.com/misc/tutorials/IDA/idasnes3.PNG)
Press"C" again and voila, the routine should be like what it's suppose to be. (Edit: Not exactly, all the "word" labels should be "byte" labels I think, this can me modified by changing the M flag/register)
IDA will also take all paths if applicable and disassemble more routines. You can "record" (dunno how to say it) your new segment into a function by pressing "P" (while cursor on C1/002D). The result should be like Fig.5.
When selection a memory address or routine label, you can see all the use or calls to / from by pressing CTRL+X / CTRL+J (with context menu shown in Fig.6)
D) Example with FF6A(E) ROM
Step 1: Setting up the GBA loader
Download the GBA loader: Modified Version | Original (buggy) version found here
Copy the nintendo_gba.py file in the loaders folder of your IDA installation.
Step 2: Loading the GBA rom
Open IDA, and click File -> Open and select your ROM. Select the good processor and click set (see Fig.7 *the loader should be selected as well but its not shown in the image). Select "Processor option". Make sure "No automatic ARM/Thumb switch" checkbox is unchecked (Fig.8). Click "Edit ARM architecture options". Make sure ARMv4T is selected, Thumb and Yes for ARM (Fig.9). Click "Ok". Return to "New File" menu and click "Ok".
Now the magic is being done. Wait until the analysis finish and you should have hundreds of function disassembled. Not sure if all the code is disassembled though.
Conclusion
IDA Pro is a powerful disassembler. There's lot of feature I haven't checked yet. There are different charts generated to help you understand the code (example Fig.14). I'm not sure if it has debugging capabilities when playing a ROM, maybe 3rd party plugins exists to do so.
1) Disassemble partially a SNES ROM (first steps)
2) Disassemble partially a GBA ROM (first baby steps)
3) Understand some very basic IDA Pro functionalities
B) What is needed
1) IDA Pro (6.8 used here)
2) IDA SDK
3) Visual Studio community (free)
4) FF3us ROM (1.0 used in example)
5) FF6A ROM (European version used in example but it really doesn't matter)
C) Example with FF3us ROM
Hello, I'm your host , Troy McClure. I'm going to show you basic stuff with IDA Pro. I only started to use it recently so bare with me, I don't have answers to all questions but knows enough to get interesting results. Unless other disassemblers, IDA Pro will take every branches and jumps possible from the first function which in theory could disassemble a whole game with one click. It's not exactly the case with SNES or GBA games, but we are still way ahead of disassemblers that do only sequential disassembling creating garbage code when hitting data.
Step 1: Setting up SNES loader & processor
I'm not giving a Visual Studio newbie tutorial here!
Download and build loader project: https://github.com/gocha/ida-snes-ldr
Download and build Processor project: https://github.com/gocha/ida-65816-module
Copy both files respectively in the loaders and procs folders of your IDA installation.
Step 2: Basic disassembling
Open IDA, and click File -> Open and select your ROM. Select the good processor and click set (see Fig.1). Then click ok.
There should be hundreds of functions disassembled shown on left (function window). I have not checked all of them but those I've check had the right code at the right place, meaning it works well.
Fig.1 (Click to View)
![[Image: idasnes1.PNG]](https://www.ff6hacking.com/misc/tutorials/IDA/idasnes1.PNG)
Step 3: Manual disassembling example
You'll see in the function window bank C1 is completely overlooked except the entry function (C1/0000). This is because a jump table is used by the JMP at C1/0005 and IDA won't take all possible paths in this case (Fig.2). Now let's use the function at C1/002D as an example (C1/0020 in jump table). To disassemble data (unrecognized code by IDA) into code, simply put your cursor on C1/002D and press "C". You should have something similar to Fig.3.
Now this is where assembly knowledge come handy. You can see a BRK instruction at C1/0072 meaning something went wrong. Also the first two LDAs suggest data is pulled from end of bank C1. There is two problems here: the DB register point to C1 and index register has the wrong value. IDA does not know the registers values at that point because you're manually disassembling from a new point 0 that is not point 0 (simply put). You need to tell IDA the registers values at that point.
Select the whole code portion in red and right click -> undefine. This will set back the code as unknown data. Put your cursor on C1/002D and click Edit -> Segments -> Change segment register values. Now put the Index register (X) to 0 and the DB one (B) to 7E (Fig.4). Press ok. You should now see the modified registers next to the address C1/002D:
Press"C" again and voila, the routine should be like what it's suppose to be. (Edit: Not exactly, all the "word" labels should be "byte" labels I think, this can me modified by changing the M flag/register)
IDA will also take all paths if applicable and disassemble more routines. You can "record" (dunno how to say it) your new segment into a function by pressing "P" (while cursor on C1/002D). The result should be like Fig.5.
When selection a memory address or routine label, you can see all the use or calls to / from by pressing CTRL+X / CTRL+J (with context menu shown in Fig.6)
Fig.2 (Click to View)
![[Image: idasnes1a.PNG]](https://www.ff6hacking.com/misc/tutorials/IDA/idasnes1a.PNG)
Fig.3 (Click to View)
![[Image: idasnes1b.PNG]](https://www.ff6hacking.com/misc/tutorials/IDA/idasnes1b.PNG)
Fig.4 (Click to View)
![[Image: idasnes2.PNG]](https://www.ff6hacking.com/misc/tutorials/IDA/idasnes2.PNG)
Fig.5 (Click to View)
![[Image: idasnes6.PNG]](https://www.ff6hacking.com/misc/tutorials/IDA/idasnes6.PNG)
Fig.6 (Click to View)
![[Image: idasnes5.png]](https://www.ff6hacking.com/misc/tutorials/IDA/idasnes5.png)
D) Example with FF6A(E) ROM
Step 1: Setting up the GBA loader
Download the GBA loader: Modified Version | Original (buggy) version found here
Copy the nintendo_gba.py file in the loaders folder of your IDA installation.
Step 2: Loading the GBA rom
Open IDA, and click File -> Open and select your ROM. Select the good processor and click set (see Fig.7 *the loader should be selected as well but its not shown in the image). Select "Processor option". Make sure "No automatic ARM/Thumb switch" checkbox is unchecked (Fig.8). Click "Edit ARM architecture options". Make sure ARMv4T is selected, Thumb and Yes for ARM (Fig.9). Click "Ok". Return to "New File" menu and click "Ok".
Now the magic is being done. Wait until the analysis finish and you should have hundreds of function disassembled. Not sure if all the code is disassembled though.
Fig.7 (Click to View)
Fig.8 (Click to View)
![[Image: idagba2.PNG]](https://www.ff6hacking.com/misc/tutorials/IDA/idagba2.PNG)
Fig.9 (Click to View)
![[Image: idagba3.PNG]](https://www.ff6hacking.com/misc/tutorials/IDA/idagba3.PNG)
Conclusion
IDA Pro is a powerful disassembler. There's lot of feature I haven't checked yet. There are different charts generated to help you understand the code (example Fig.14). I'm not sure if it has debugging capabilities when playing a ROM, maybe 3rd party plugins exists to do so.
Fig.14 (Click to View)
![[Image: idagba7.PNG]](https://www.ff6hacking.com/misc/tutorials/IDA/idagba7.PNG)
![[-]](https://www.ff6hacking.com/forums/ff9/collapse.png)
« Next Oldest | Next Newest »
 |
 |
|||
|
||||
 |
 |
Users browsing this thread: 2 Guest(s)
2017