IDA Pro newbie Tutorial (GBA, SNES, loader script, GDB debugger)

#1
A) Tutorial goal
1) Partially disassemble a SNES ROM (first steps)
2) Partially disassemble a GBA ROM (first baby steps)
3) Understand some very basic IDA Pro functionalities

B) What is needed
1) IDA Pro (6.8 used here)
2) IDA SDK
3) Visual Studio community (free)
4) FF3us ROM (1.0 used in example)
5) FF6A ROM (European version used in example but it really doesn't matter)



C) Example with FF3us ROM

Hello, I'm your host, Troy McClure. I'm going to show you basic stuff with IDA Pro. I only started to use it recently so bear with me, I don't have answers to all questions but know enough to get interesting results. Unlike other disassemblers, IDA Pro will take every branch and jump possible from the first function, which in theory could disassemble a whole game with one click. It's not exactly the case with SNES or GBA games, but we are still way ahead of disassemblers that only do sequential disassembling, creating garbage code when hitting data.

Step 1: Setting up SNES loader & processor

I'm not giving a Visual Studio newbie tutorial here!

Download and build loader project: https://github.com/gocha/ida-snes-ldr
Download and build Processor project: https://github.com/gocha/ida-65816-module

Copy both files respectively in the loaders and procs folders of your IDA installation.

Step 2: Basic disassembling

Open IDA, and click File -> Open and select your ROM. Select the right processor and click Set (see Fig.1). Then click Ok.

There should be hundreds of disassembled functions shown on the left (function window). I have not checked all of them, but those I've checked had the right code at the right place, meaning it works well.



Step 3: Manual disassembling example

You'll see in the function window that bank C1 is completely overlooked except for the entry function (C1/0000). This is because a jump table is used by the JMP at C1/0005 and IDA won't take all possible paths in this case (Fig.2). Now let's use the function at C1/002D as an example (C1/0020 in the jump table). To disassemble data (code unrecognized by IDA) into code, simply put your cursor on C1/002D and press "C". You should have something similar to Fig.3.

Now this is where assembly knowledge comes in handy. You can see a BRK instruction at C1/0072, meaning something went wrong. Also the first two LDAs suggest data is pulled from the end of bank C1. There are two problems here: the DB register points to C1 and the index register has the wrong value. IDA does not know the register values at that point because you're manually disassembling from a new point 0 that is not point 0 (simply put). You need to tell IDA the register values at that point.

Select the whole code portion in red and right click -> Undefine. This will set the code back to unknown data. Put your cursor on C1/002D and click Edit -> Segments -> Change segment register values. Now set the Index register (X) to 0 and the DB one (B) to 7E (Fig.4). Press Ok. You should now see the modified registers next to the address C1/002D:

[Image: idasnes3.PNG]


Press"C" again and voila, the routine should be like what it's suppose to be. (Edit: Not exactly, all the "word" labels should be "byte" labels I think, this can me modified by changing the M flag/register)

IDA will also take all paths if applicable and disassemble more routines. You can "record" (dunno how to say it) your new segment into a function by pressing "P" (while the cursor is on C1/002D). The result should be like Fig.5.

When selecting a memory address or routine label, you can see all the uses of or calls to/from it by pressing CTRL+X / CTRL+J (with the context menu shown in Fig.6).








D) Example with FF6A(E) ROM

Step 1: Setting up the GBA loader

Download the GBA loader: Modified Version | Original (buggy) version found here
Copy the nintendo_gba.py file in the loaders folder of your IDA installation.

Step 2: Loading the GBA rom

Open IDA, and click File -> Open and select your ROM. Select the right processor and click Set (see Fig.7; the loader should be selected as well but it's not shown in the image). Select "Processor options". Make sure the "No automatic ARM/Thumb switch" checkbox is unchecked (Fig.8). Click "Edit ARM architecture options". Make sure ARMv4T is selected, Thumb and Yes for ARM (Fig.9). Click "Ok". Return to the "New File" menu and click "Ok".

Now the magic is being done. Wait until the analysis finishes and you should have hundreds of functions disassembled. Not sure if all the code is disassembled though.





Conclusion


IDA Pro is a powerful disassembler. There are lots of features I haven't checked yet. There are different charts generated to help you understand the code (example Fig.14). I'm not sure if it has debugging capabilities when playing a ROM; maybe 3rd party plugins exist to do so.

[-] The following 1 user says Thank You to madsiur for this post:
  • Catone (01-30-2016)

#2
Part 2: Turn IDA Pro into a GBA debugger (with GDB server)


What you'll need:

1) mGBA Emulator (0.4 version available as of 02/02/2016)
2) IDA Pro (6.8 used here)
3) a GBA ROM (FF6A (E) is used here)

Step 1: Setting up mGBA GDB server

Open mGBA and click Tools -> Start GDB server. Enter 23946 as Local port and 127.0.0.1 (localhost) as Bind address (Fig.A). I guess any free TCP port could do, but on the IDA side the documented and default value is 23946. You can now start your ROM and you should see nothing but a black screen; this is normal.


Step 2: Setting up IDA debugger

In IDA Pro you can set a breakpoint where you'd like the game to stop if you have the beginning of the code disassembled already, but that's optional. Go to "Debugger -> Select debugger". In the popup window, select Remote GDB debugger. Click Ok; a warning will appear (*), click Ok again. Now go to "Debugger -> Process options". Your Application and Input file paths should both be the path to the ROM. The application is what you want to debug and Input file is the file used to create the database, in this case the ROM. Your Hostname must be 127.0.0.1 and port 23946 (Fig.B).

Optionally you can go to "Debugger -> Debugger options -> Set specific options" and enter -1 as the Max packet size value. This will ensure the value changes to the max packet size mGBA can send/receive once the process is linked. You can also enter 128, which is the max value of mGBA (Fig.C). Same thing.

After that go to "Debugger -> Attach Process" and select "attach to the process set on target" (Fig.D). Click Ok. You will get a warning saying the segments are 32-bit and the application is 16-bit, but I don't know what has been done wrong, if anything is wrong actually (more testing will tell...). If you've done everything well, you should see your GBA game start on the emulator and IDA Pro entering debug mode. Even if you did not disassemble some code where the game goes, you can do "Next Op" even on data because it runs the code from the emulator. However you can't use the "generate code" function (pressing "C") in debug mode.

You now have full access to all registers and flags, as well as setting unlimited write breakpoints in RAM or read breakpoints in ROM. I'm not 100% sure all RAM transfers will be done to IDA Pro because of the GDB "not mapping the whole memory" warning at the beginning of step 2 (*). Only time will tell. Another note is that if you quit debug mode, you might have to close mGBA and restart the GDB server in order to re-attach to the process with IDA Pro. I haven't found yet a way, if any, to re-enter debug mode without restarting the emulator and the ROM and either reattaching or restarting the process.




I spent some significant time figuring this out today. There is no tutorial to my knowledge on the internet about this process, only bits of info here and there. I guess it is known by many and easy to figure out for people used to IDA, but it's not something you can get on the first try if you have no info and you're still an IDA newbie. I hope this tutorial will be time-saving for a few people.

More to come!

#3
I modified both tutorials in order to not undo a step of the first one in the second one and added some extra comments and details.

There are a few reads and resources to understand ARM reverse engineering and IDA Pro better. Extra options (if any) of the screens used in both tutorials are described in detail in the IDA Pro Book (2nd edition). I'm including more general resources as well:

1) IDA Pro Book, 2nd edition, by Chris Eagle, 2011 (Copyrighted but pdf easy to find on internet)
2) Reverse Engineering code with IDA PRO, 5 authors, 2008 (Copyrighted but pdf easy to find on internet)
3) Reverse Engineering with IDA Pro (2006 presentation by Chris Eagle)
4) Reverse Engineering ARM based devices (2004 presentation by Job de Hass)
5) Reverse Engineering for beginners Alternate (Dennis Yurichev, 2015, ARM examples included)
6) Practical Reverse Engineering, 3 authors, 2014, (Copyrighted but pdf available on internet, ARM examples included in book)
7) ARM basic reverse engineering (by SeungJin Beist Lee, IDA Pro examples included)

#4
I modified the first post with a version of the GBA loader that doesn't map the header region twice, which resulted in shifting everything by the header size (0xC0 bytes). For now, header info (e.g. ROM name) is not displayed and the first 0xC0 bytes are not labeled as "Header" since I can't find the exact reason for the bug, so I just commented out everything related to the header segment creation. Sloppy solution for now... the modified loader can be found here if you don't wanna scroll up.
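To make the 0xC0-byte header region the loader is mapping concrete, here is a stand-alone parser for that header (added example, not the thread's nintendo_gba.py loader or any of its code). It assumes the standard cartridge header layout (title at 0xA0, game code at 0xAC, fixed byte 0x96 at 0xB2, complement check at 0xBD) and decodes the ARM branch at offset 0 to find where code actually starts; the ROM bytes it runs on are constructed inline.

```python
import struct

ROM_BASE = 0x08000000   # cartridge ROM is mapped here on the GBA
HEADER_SIZE = 0xC0      # header size mentioned in the post

def header_checksum(rom):
    """Complement check over bytes 0xA0..0xBC (the value stored at 0xBD)."""
    chk = 0
    for b in rom[0xA0:0xBD]:
        chk = (chk - b) & 0xFF
    return (chk - 0x19) & 0xFF

def decode_entry_branch(rom):
    """Target of the ARM 'B' at offset 0, or None if that word is not a plain branch."""
    insn = struct.unpack_from("<I", rom, 0)[0]
    if (insn & 0x0F000000) != 0x0A000000:   # bits 27..24 == 1010 -> B (not BL)
        return None
    off = insn & 0x00FFFFFF
    if off & 0x00800000:                    # sign-extend the 24-bit word offset
        off -= 0x01000000
    return ROM_BASE + 8 + off * 4           # PC reads as instruction address + 8

def parse_header(rom):
    """Decode the fields an analyst wants before disassembling: entry, title, codes, checksum."""
    if len(rom) < HEADER_SIZE:
        raise ValueError("ROM shorter than the 0xC0-byte header")
    return {
        "entry": decode_entry_branch(rom),
        "title": rom[0xA0:0xAC].rstrip(b"\0").decode("ascii", "replace"),
        "game_code": rom[0xAC:0xB0].decode("ascii", "replace"),
        "maker_code": rom[0xB0:0xB2].decode("ascii", "replace"),
        "fixed_96": rom[0xB2] == 0x96,
        "version": rom[0xBC],
        "checksum_ok": rom[0xBD] == header_checksum(rom),
    }

def build_sample_rom():
    """Constructed sample ROM image (not a real cartridge): header plus a little padding."""
    rom = bytearray(0x100)
    struct.pack_into("<I", rom, 0, 0xEA00002E)   # B 0x080000C0: jump over the header
    # bytes 0x04..0x9F hold the logo bitmap on real carts; left zero in this sample
    rom[0xA0:0xAC] = b"SAMPLEGAME".ljust(12, b"\0")
    rom[0xAC:0xB0] = b"TEST"                     # placeholder game code
    rom[0xB0:0xB2] = b"01"                       # placeholder maker code
    rom[0xB2] = 0x96
    rom[0xBD] = header_checksum(rom)
    return bytes(rom)
```

Running parse_header on a real dump tells you whether the loader's code segment should start at 0x080000C0 (the usual branch target) and whether the header bytes are intact before you trust anything IDA labels there.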