| |||
Views: 88,433,507 |
Main | FAQ | Uploader | IRC chat | Radio | Memberlist | Active users | Latest posts | Calendar | Stats | Online users | Search | 04-18-24 10:34 PM |
|
Guest: Register | Login |
0 users currently in ROM Hacking Related Releases | 1 guest | 1 bot |
Main - ROM Hacking Related Releases - Tool source code dumpage: a SM64 disassembler | New thread | New reply |
Cellar Dweller |
| ||
Snifit Level: 39 Posts: 137/287 EXP: 384956 Next: 19815 Since: 02-19-07 From: Arkansas Last post: 4044 days Last view: 3212 days |
Due to a possible prolonged loss of internet access starting in the next few days, I'm hurriedly posting the source code for a reverse engineering tool that I had been working on. This is not a tool that I would normally consider release quality, so I'm not posting it in the releases forum. The code is a ugly and slow, but may be useful for certain SM64 hackers who can code in C.
It takes a SM64 US ROM in ABCD order and an optional symbol list as arguments, and spits out a bunch of stuff on stdout. I suggest using the less pager or redirecting to a file. A symbol list based on Nagra's is posted here too. n64_dis_0.01.tar.gz syms.txt |
KP9000 |
| |||
Boomboom Level: 90 Posts: 569/1975 EXP: 6949187 Next: 239422 Since: 02-19-07 Last post: 3572 days Last view: 3196 days |
|
messiaen |
| ||
Cheep-cheep Level: 32 Posts: 77/193 EXP: 204319 Next: 2123 Since: 05-26-08 From: Porto Alegre, Brazil Last post: 4435 days Last view: 4763 days |
Wow, this will certainly be 'ultra' useful, even for people disassembling other N64 games. The Makefile in the package was null, but this worked for me:
I have not checked yet how the syms.txt is used for the output, but are the function names supposed to be printed (I ask because it didn't happen to me) ? I'm compiling also a list of some useful functions shared by many objects, things such as CreateStar(float x, float y, float x), ScaleObject and this kind of stuf . |
Cellar Dweller |
| ||
Snifit Level: 39 Posts: 139/287 EXP: 384956 Next: 19815 Since: 02-19-07 From: Arkansas Last post: 4044 days Last view: 3212 days |
Did you supply the symbol file as the second command line argument? If you did, it should print the names of functions at the start of the function and at any JAL instruction.
If you get the symbol file working, feel free to post your edited version. To keep the file neat, I have been adding the entries in order by address. If you want to add another location to start disassembling from (you may want to do this if you find that functions that you are interested in are being missed), have a look at main.c. Note that jump tables and functions are in separate starting point lists. |
messiaen |
| ||
Cheep-cheep Level: 32 Posts: 78/193 EXP: 204319 Next: 2123 Since: 05-26-08 From: Porto Alegre, Brazil Last post: 4435 days Last view: 4763 days |
I supplied it as the second line argument, but I always get on this infinite loop:
syms.c: 53
Also, is there something wrong with this? Even if I supply a valid ROM as the first argument, it doesn't pass this conditional: main.c: 74
It only worked for me when I removed it. |
Cellar Dweller |
| ||
Snifit Level: 39 Posts: 140/287 EXP: 384956 Next: 19815 Since: 02-19-07 From: Arkansas Last post: 4044 days Last view: 3212 days |
On the main.c one, try changing the mode from "r" to "rb".
As for the syms.c loop, I'm thinking it might be an OS dependent issue such as line endings. What OS and compiler are you using? What is printed before and while the loop is stuck? |
messiaen |
| ||
Cheep-cheep Level: 32 Posts: 79/193 EXP: 204319 Next: 2123 Since: 05-26-08 From: Porto Alegre, Brazil Last post: 4435 days Last view: 4763 days |
I'm using Mingw/GCC 3.4.2 on Windows XP (with Bloodshed's Dev-cpp IDE).
The problem apparently isn't on the newlines but rather on the "comma", as ftell(s) returns "11" (0x0b) while on that infinite loop, which happens to be the position of the first comma in the syms.txt file.
Out of curiosity, I searched some reference and couldn't find what does the %as (especifically, the character 'a' before %s) means? I also tried this to see if looking for any character (using %c) instead of the comma would work:
But the output was: "0x80173fd4 is (null) [crashes the program]". Sorry if these are too basic questions/problems . |
Cellar Dweller |
| ||
Snifit Level: 39 Posts: 141/287 EXP: 384956 Next: 19815 Since: 02-19-07 From: Arkansas Last post: 4044 days Last view: 3212 days |
That explains it. I had forgotten that the "a" modifier for the string conversion specifier, "%s", is a non-standard GNU extension. The binaries that are produced with Dev-cpp are linked with Microsoft's C runtime, which does not support the extension.
This is a really ugly hack, but you could try changing "char *name" to "char name[1024]", removing the ampersand from the name variable on the fscanf line, removing the non-standard "a" modifier, and removing the "free(name);" line. Note that this will crash the program if any of the names in the symbol file are too long to fit in the buffer, and will create a security vulnerability that can be exploited by a maliciously crafted symbol file. If I get around to making another release, I intend to fix this a better way. EDIT: You could add a length modifier to prevent a security vulnerability, but it would still break if a too long name is in the symbol file. |
messiaen |
| ||
Cheep-cheep Level: 32 Posts: 80/193 EXP: 204319 Next: 2123 Since: 05-26-08 From: Porto Alegre, Brazil Last post: 4435 days Last view: 4763 days |
With this 'hack', the syms.txt file worked, I'll keep in mind the possible problems.
If you don't mind, could you explain a bit the difference between add_region and schedule_disasm functions? With my limited C kwnoledge, I got a bit lost on all that linked lists . main.c : 85
From this snippet I can see that two of the schedule_disasm functions points to thread entry-points, but why is the 0x803839cc object solidity-related function there? Also, is the add_region supposed to disassemble the entire range between start PC + size? While looking at the output, I missed a few functions that should be in the checksum area range, so I guess the disassembly is a bit more selective? I'm working on a huge syms.txt file, including also the functions called by behavior scripts, when it's done I'll upload it to the board uploader. |
Cellar Dweller |
| ||
Snifit Level: 39 Posts: 143/287 EXP: 384956 Next: 19815 Since: 02-19-07 From: Arkansas Last post: 4044 days Last view: 3212 days |
The add_region function maps parts of the ROM to the simulated address space of the N64 CPU. One of the add_region calls is for the checksum area ASM and the other is for the script interpreter area ASM. I have not added the Mario head intro code simply because I have not had much interest in reverse engineering it.
The schedule_disasm calls specifies starting points for disassembly. The disassembler follows function calls and jumps to find more code to disassemble. Jump tables are missed by this method, so there are also lists of jump tables in main.c. If you want the functions called from scripts to be disassembled by this program, you will need to add a schedule_disasm call for each one. I think that is how the solidity related function got added. |
messiaen |
| ||
Cheep-cheep Level: 32 Posts: 82/193 EXP: 204319 Next: 2123 Since: 05-26-08 From: Porto Alegre, Brazil Last post: 4435 days Last view: 4763 days |
Thanks, now things are much clearer!
Now the only thing missing for this to become a dream tool would be to make it read a user-defined file with the object struct (or other user-defined struct) and map it into the dissassembly, to produce an output like this:
Thanks again for releasing this tool, it'll certainly be very useful. |
messiaen |
| ||
Cheep-cheep Level: 32 Posts: 97/193 EXP: 204319 Next: 2123 Since: 05-26-08 From: Porto Alegre, Brazil Last post: 4435 days Last view: 4763 days |
A few functions/addresses for syms.txt. Some of them come from your notes (and there's a few more to include), and one of two are renamed from Nagra's original list.
|
Main - ROM Hacking Related Releases - Tool source code dumpage: a SM64 disassembler | New thread | New reply |
© 2005-2023 Acmlm, blackhole89, Xkeeper et al. |
MySQL - queries: 92, rows: 115/115, time: 0.017 seconds. |