IDA Pro newbie Tutorial (GBA, SNES, loader script, GDB debugger)
Part 2: Turn IDA Pro into a GBA debugger (with GDB server)


What you'll need:

1) mGBA Emulator (0.4 version available as of 02/02/2016)
2) IDA Pro (6.8 used here)
3) a GBA rom (FF6A (E) is used here)

Step 1: Setting up mGBA GDB server

Open mGBA and click Tools -> Start GDB server. Enter 23946 as Local port and 127.0.0.1 (localhost) as Bind address (Fig.A). I guess any free TCP port could do, but on the IDA side the documentation uses 23946 and it is the default value. You can now start your rom and should see nothing but a black screen; this is normal.


Step 2: Setting up IDA debugger

In IDA Pro you can set a breakpoint where you'd like the game to stop if you've got the beginning of the code disassembled already, but that's optional. Go to "Debugger -> Select debugger". In the popup window, select Remote GDB debugger. Click Ok; a warning will appear (*), click Ok again. Now go to "Debugger -> Process options". Your Application and Input file paths should both be the path to the rom. The application is what you want to debug and the Input file is the file used to create the database, in this case the rom. Your Hostname must be 127.0.0.1 and port 23946 (Fig.B).

Optionally you can go to "Debugger -> Debugger options -> Set specific options" and enter -1 as the Max packet size value. This will ensure the value changes to the max packet size mGBA can send/receive once the process is linked. You can also enter 128, which is the max value of mGBA (Fig.C). Same thing.

After that go to "Debugger -> Attach Process" and select "attach to the process set on target" (Fig.D). Click Ok. You will have a warning saying the segments are 32-bit and the application is 16-bit, but I don't know what has been done wrong, if anything is wrong actually (more testing will say...). If you've done everything well, you should see your GBA game start on the emulator and IDA Pro entering debug mode. Even if you did not disassemble some code where the game goes, you can do "Next Op" even on data because it runs the code from the emulator. However, you can't use the "generate code" function (pressing "C") in debug mode.

You now have full access to all registers and flags, as well as setting unlimited write breakpoints in RAM or read breakpoints in rom. I'm not 100% sure all RAM transfers will be done to IDA Pro because of the "GDB not mapping the whole memory" warning at the beginning of step 2 (*). Only time will tell. Another note is that if you quit debug mode, you might have to close mGBA and restart the GDB server in order to re-attach to the process with IDA Pro. I haven't found yet a way, if any, to re-enter debug mode without restarting the emulator and the rom and either reattaching or restarting the process.




I spent some significant time figuring this out today. There is no tutorial to my knowledge on the internet about this process, only bits of info here and there. I guess it is known by many and easy to figure out for people used to IDA, but it's not something you can get on the first try if you have no info and you're still an IDA newbie. I hope this tutorial will be time saving for a few people.

More to come!
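The link that Steps 1 and 2 rely on is the GDB Remote Serial Protocol: IDA is just a client speaking RSP to the stub that mGBA exposes on 127.0.0.1:23946. The following Python script is an added example, not code from madsiur's post, from IDA or from mGBA. It shows the packet framing and checksum the protocol uses, builds the memory-read request behind a "read breakpoint in rom" style inspection of 0x08000000, mirrors the "Max packet size" negotiation (-1 meaning "take whatever the stub advertises"), and includes an optional live probe of the local stub. The host, port and 128-byte limit come from the post; the sample qSupported reply is constructed for the example and is not a real mGBA reply.

```python
import socket

GDB_HOST = "127.0.0.1"   # mGBA "Bind address" from Step 1 of the post
GDB_PORT = 23946         # IDA's default remote GDB port, as used in the post
MGBA_MAX_PACKET = 128    # max packet size the post gives for mGBA


def checksum(payload: str) -> int:
    """RSP checksum: sum of the payload's ASCII bytes, modulo 256."""
    return sum(payload.encode("ascii")) % 256


def frame(payload: str) -> str:
    """Wrap a payload as '$' + payload + '#' + two lowercase hex checksum digits."""
    return f"${payload}#{checksum(payload):02x}"


def unframe(packet: str) -> str:
    """Strip RSP framing and verify the checksum before the payload is trusted.

    Raises ValueError on malformed framing or a checksum mismatch.
    """
    if len(packet) < 4 or packet[0] != "$" or packet[-3] != "#":
        raise ValueError(f"malformed packet: {packet!r}")
    payload, sent = packet[1:-3], packet[-2:].lower()
    expected = f"{checksum(payload):02x}"
    if sent != expected:
        raise ValueError(f"checksum mismatch: got {sent}, expected {expected}")
    return payload


def is_valid_packet(packet: str) -> bool:
    """Boolean form of unframe() for callers that only want a yes/no answer."""
    try:
        unframe(packet)
        return True
    except ValueError:
        return False


def memory_read_packet(addr: int, length: int) -> str:
    """Framed 'm addr,length' request; both fields are hex without a 0x prefix."""
    return frame(f"m{addr:x},{length:x}")


def negotiated_packet_size(qsupported_reply: str, local_max: int = -1) -> int:
    """Effective packet size from a qSupported reply and our own limit.

    local_max == -1 behaves like IDA's -1 setting in the post: use the size the
    stub advertises (PacketSize=<hex>). Otherwise take the smaller of the two.
    """
    advertised = None
    for feature in qsupported_reply.split(";"):
        if feature.startswith("PacketSize="):
            advertised = int(feature.split("=", 1)[1], 16)
    if advertised is None:
        return local_max if local_max > 0 else MGBA_MAX_PACKET
    return advertised if local_max <= 0 else min(advertised, local_max)


def recv_packet(sock: socket.socket) -> str:
    """Read one framed packet, skipping the '+'/'-' ack bytes a stub sends first."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("GDB server closed the connection")
        buf = (buf + chunk).lstrip(b"+-")
        if buf.startswith(b"$") and b"#" in buf:
            end = buf.index(b"#") + 3          # '#' plus two checksum digits
            if len(buf) >= end:
                return buf[:end].decode("ascii")


def probe_stub(host: str = GDB_HOST, port: int = GDB_PORT, timeout: float = 3.0) -> dict:
    """Connect to a running mGBA GDB server and ask what it supports and why it halted.

    Only run this with mGBA's GDB server started as in Step 1; it is not exercised
    by the offline checks below.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"+")                                   # ack anything pending
        sock.sendall(frame("qSupported").encode("ascii"))
        features = unframe(recv_packet(sock))
        sock.sendall(b"+")
        sock.sendall(frame("?").encode("ascii"))             # halt reason, e.g. S05
        halt_reason = unframe(recv_packet(sock))
    return {"features": features, "halt_reason": halt_reason,
            "packet_size": negotiated_packet_size(features, MGBA_MAX_PACKET)}


# Constructed sample reply (not from mGBA) used to exercise the negotiation offline.
SAMPLE_QSUPPORTED_REPLY = "PacketSize=100;qXfer:features:read+"

if __name__ == "__main__":
    print(frame("qSupported"), frame("?"), memory_read_packet(0x08000000, 4))
    print("negotiated:", negotiated_packet_size(SAMPLE_QSUPPORTED_REPLY, MGBA_MAX_PACKET))
    try:
        print(probe_stub())
    except OSError as exc:
        print("no GDB server on", GDB_HOST, GDB_PORT, "->", exc)
```

The checksum check in `unframe()` is the part worth copying into any tooling of your own: IDA does it for you, but a hand-rolled client that skips it will happily act on a corrupted reply. The `-1` branch of `negotiated_packet_size()` is why the post can say that entering -1 and entering 128 amount to the "same thing" when the stub advertises 128.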



RE: IDA Pro newbie tutorial by a IDA Pro newbie - by madsiur - 02-03-2016, 03:50 AM
