Posted on 08-10-12, 02:20 am (rev. 5 by ImageBot on 11-21-16, 02:26 am)
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9480
Posts: 2190/4444
Since: 06-08-11

Important Note


This is a tutorial on how to make your own RAM dump and import it in IDA Pro. This will give you an IDA Pro database with no function names at all; you'll have to figure them out yourself. I've already made lots of progress with NSMB, so if you want to ASM hack NSMB, grab the database file from the uploader instead, it contains lots of function names! This tutorial is useful if you want to hack other games, or want to know how the RAM dump is done (which is always a good thing!)


Making a RAM dump


Step 1: Open the ROM in NO$GBA Debugger

Step 2: Go in-game (or whatever part of the game you want to analyze the code)
This is necessary because the game's code is split into overlays, which can be loaded and unloaded. If you aren't in-game, the overlay that contains the "interesting" in-game code might not be loaded.

Step 3: Right-click on the bottom half of the screen (the RAM viewer) and select Goto.

Step 4: Enter the address 01FF8000. This is the beginning of the DS's RAM.
(The main RAM starts at 0x02000000, but there's also an extra region of RAM at 0x01FF8000-0x01FFFFFF, called the ITCM, which also contains code, so we dump both at the same time)

Step 5: Go to Utility -> Hexdump to File. Enter the size 00408000. This is the size of the RAM (00400000, 4MB) plus the size of the ITCM (00008000, 32KB). Save the file somewhere; for example, let's name it nsmb.hex.

You should now get a text file around 20MB that looks like this. Check that it really begins at 01FF8000, otherwise you've done it wrong.

01FF8000 00 C0 90 E5 04 30 90 E5 48 20 9F E5 48 10 9F E5 .....0..H ..H...
01FF8010 00 C0 82 E5 04 30 82 E5 08 C0 90 E5 0C 20 90 E5 .....0....... ..
01FF8020 38 30 9F E5 00 C0 81 E5 04 20 81 E5 B8 C1 D0 E1 80....... ......
01FF8030 2C 20 9F E5 2C 10 9F E5 B0 C0 C3 E1 10 C0 90 E5 , ..,...........
01FF8040 14 30 90 E5 00 C0 82 E5 04 30 82 E5 BA 01 D0 E1 .0.......0......
....


Step 6: Grab hex2bin. Open it with Java. Select the .hex file you just created and let it convert it. You should now get a 4MB .hex.bin file.


Importing it in IDA Pro


Step 7: Now go to IDA Pro.

Step 8: File -> Open, and select the .hex.bin file you just created.
Select "ARM Processors: ARM" as the processor type and click OK.
In the next window, set the options exactly like this:

Click OK again.

Step 9: Done!


Now what?


There's something to do now. ARM instructions can be of two types: ARM code, which is 4 bytes per instruction, and Thumb code, which is 2 bytes per instruction. All commercial games I've seen use only ARM code.

The thing is that IDA Pro supports both modes, and it sometimes gets confused as to which one it's using: it tries to "guess" and sometimes fails. To fix this, go to View -> Open subviews -> Segment Registers. You'll see that in some places the "T" column is set to 1. That's because IDA Pro has "guessed" there's Thumb code in there. It's WRONG. Let's delete all the segment register change points. Do Control+A and press Del. Now all "01"s should be gone and there'll be no more ARM/Thumb confusion!

Now, IDA Pro can't automatically detect what is data and what is code. You need to help it by marking stuff you know as code. For example, you can go to the ROM entry point at 0x02000800, and mark that position as code (It's code in all ROMs, it's where the execution starts).

Press G, enter 0x02000800. You'll see that IDA Pro has taken you to that address. Now press C to tell IDA Pro that address is code. When you mark something as code, IDA Pro automatically analyzes it and marks as code everything that can be reached from the code you marked. This way, if you mark the entry point as code, it can identify most of the code in RAM. It still won't find all of it because it's not smart enough to follow function pointers and similar stuff.

Now, to disassemble stuff!
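Added example, not part of the tutorial or of hex2bin: a small Python stand-in for steps 5 and 6 that parses the NO$GBA "Hexdump to File" format shown above, applies the two checks the tutorial gives (starts at 01FF8000, size 00408000), and maps a RAM address such as the 0x02000800 entry point to its offset in the resulting .bin. The sample dump lines are the ones quoted above; the function names are my own.

```python
import re
from typing import List, Tuple

DUMP_START = 0x01FF8000      # ITCM start; the tutorial's dump begins here
EXPECTED_SIZE = 0x00408000   # 32KB ITCM + 4MB main RAM, the size entered in NO$GBA

# One NO$GBA "Hexdump to File" line: 8-digit address, 16 byte pairs, then 16 ASCII chars.
# Matched positionally, because the ASCII column can itself contain hex-looking characters.
LINE_RE = re.compile(r'^([0-9A-Fa-f]{8}) ((?:[0-9A-Fa-f]{2} ){16})')

def parse_hexdump(text: str) -> Tuple[int, bytes]:
    """Return (start_address, raw_bytes); addresses must be contiguous and increasing."""
    start = expected = None
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a hexdump line: {line!r}")
        addr = int(m.group(1), 16)
        if start is None:
            start = expected = addr
        if addr != expected:
            raise ValueError(f"line {lineno}: expected {expected:08X}, got {addr:08X} (gap or overlap)")
        out += bytes.fromhex(m.group(2).replace(' ', ''))
        expected = addr + 16
    if start is None:
        raise ValueError("empty dump")
    return start, bytes(out)

def check_dump(start: int, data: bytes) -> List[str]:
    """The tutorial's two sanity checks: begins at 01FF8000 and is 00408000 bytes long."""
    problems = []
    if start != DUMP_START:
        problems.append(f"dump starts at {start:08X}, expected {DUMP_START:08X}")
    if len(data) != EXPECTED_SIZE:
        problems.append(f"dump is {len(data):#x} bytes, expected {EXPECTED_SIZE:#x}")
    return problems

def ram_to_offset(addr: int) -> int:
    """File offset of a RAM address in the .bin (ITCM first, main RAM from offset 0x8000)."""
    if not DUMP_START <= addr < DUMP_START + EXPECTED_SIZE:
        raise ValueError(f"{addr:08X} is outside the dumped range")
    return addr - DUMP_START

# Constructed sample: the first two lines of the hexdump shown in the tutorial.
SAMPLE = ("01FF8000 00 C0 90 E5 04 30 90 E5 48 20 9F E5 48 10 9F E5 .....0..H ..H...\n"
          "01FF8010 00 C0 82 E5 04 30 82 E5 08 C0 90 E5 0C 20 90 E5 .....0....... ..\n")
```

Feeding the saved nsmb.hex to parse_hexdump and writing the returned bytes to a file gives the same .bin hex2bin produces, and check_dump reports the two mistakes the tutorial tells you to look for.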
Posted on 08-16-12, 03:26 pm
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9480
Posts: 2291/4444
Since: 06-08-11
Tutorial's out now!

* Dirbaio bumps
Posted on 08-16-12, 03:27 pm
Roy Koopa


Karma: 3991
Posts: 2122/2722
Since: 06-26-11
Me gusta!
Please continue with the ASM tutorials. Like you said, only 2 people with ASM hacking skills (ok mine are bad, whatever) isn't nice
Posted on 08-16-12, 05:36 pm
Shyguy


Karma: 155
Posts: 19/90
Since: 07-10-12
Nice tutorial, but which version of IDA Pro do I need?
Posted on 08-16-12, 05:41 pm (rev. 1 by Dirbaio on 08-16-12, 05:41 pm)
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9480
Posts: 2292/4444
Since: 06-08-11
Posted by Gericom
Nice tutorial, but which version of IDA Pro do I need?

I'm using 6.1, but I was using 5.something before and it worked fine too. Any new version will work.

Just keep in mind that IDA Pro databases (.idb files) created with one version don't work in earlier versions. To open the NSMB database you need 6.1
Posted on 08-16-12, 05:47 pm (rev. 3 by Gericom on 08-17-12, 09:45 am)
Shyguy


Karma: 155
Posts: 20/90
Since: 07-10-12
Posted by Dirbaio
Posted by Gericom
Nice tutorial, but which version of IDA Pro do I need?

I'm using 6.1, but I was using 5.something before and it worked fine too. Any new version will work.

Just keep in mind that IDA Pro databases (.idb files) created with one version don't work in earlier versions. To open the NSMB database you need 6.1

Okay, I will look for it.

Edit: I got it, but hex2bin doesn't work!
Edit2: Nevermind, I think I need to update java to version 1.7...
Edit3: Now it works! Thanks for this nice tutorial!
Posted on 10-18-12, 10:28 pm


Karma: 218
Posts: 1/22
Since: 10-18-12
Hi I am new here! I found this place while searching for just this information! Thank you for describing how to open a RAM dump in IDA pro. It did the trick!

New Super Mario Bros. DS is interesting in many ways. I am currently trying to figure out WHAT calls the background HDMA (scanline) scrolling. The code is at 1FFFC20. It is not easy to set up scrolling of the DS screens with HDMA as it requires good timing, and NSMBDS does it surprisingly well, but I can't figure out who calls it. The code is called from a code location unknown to me at FFFF028C (this code is independent of the game loop, and is not run from the V-Blank).
Posted on 10-18-12, 10:43 pm
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9480
Posts: 2723/4444
Since: 06-08-11
Hi and welcome

I have looked a bit at HDMA, and there are some interesting variables and functions in the IDB file in the uploader, but I never got to fully figure out how it works, probably due to laziness... (BTW if you're disassembling NSMB, use that one instead of starting from scratch!)

That function is called from 01FFD13C.
And that other func is not called directly, it's set as the VBlank interrupt at 02005A60. This means that function is automatically called every Vblank. I guess that's the key for the timing. And that may be the reason you're seeing it's called from that weird address. 0xFFFFxxxx addresses are from the DS's BIOS, not NSMB's code. It must be some interrupt handler things.
Posted on 10-19-12, 07:58 pm


Karma: 218
Posts: 2/22
Since: 10-18-12
Posted by Dirbaio
Hi and welcome

I have looked a bit at HDMA, and there are some interesting variables and functions in the IDB file in the uploader, but I never got to fully figure out how it works, probably due to laziness... (BTW if you're disassembling NSMB, use that one instead of starting from scratch!)

Thanks. I'll look into it. And I don't think you are lazy.

That function is called from 01FFD13C.
And that other func is not called directly, it's set as the VBlank interrupt at 02005A60. This means that function is automatically called every Vblank. I guess that's the key for the timing. And that may be the reason you're seeing it's called from that weird address. 0xFFFFxxxx addresses are from the DS's BIOS, not NSMB's code. It must be some interrupt handler things.

Oh, I was actually making a mistake looking at interrupts of ARM7 instead of ARM9.
You are right, 02005A60 sets the VBlank interrupt for stages. There are neighbour routines setting that interrupt up for the title screen and the world map as well.

A question about multiplayer game:
I usually play using two NSMBDS carts (no download play) (and getting ass kicked by my wife, she is much better at Mario than me). Is it still running as if it is download play, only not downloading? I don't really get the whole "patching multiplayer" when editing the multiplayer levels.
Is it possible to disassemble the multiplayer ROM code (if it is different from the main game)?
Posted on 10-19-12, 08:08 pm
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9480
Posts: 2726/4444
Since: 06-08-11
Multiplayer and singleplayer use the same code. There are some variables that tell the game mode and all. There's isMvsL mode, which is 0 when playing single player, or 1 or 2 when multiplayer. (I dunno what's the difference between 1 and 2..)

There are many places in the code where it checks this variable and does something different. For example in getCoin(), it checks for MvsL mode. In MvsL mode it does the powerup every 8 coins thing, and in single player it gives 1up every 100 coins.

The multiplayer NARC patch buttons copy the multiplayer level files into the narc files in the ARCHIVE/ folder. The game loads the levels from there. That thing is because when playing over DLP, only the NARCs are downloaded. But even when playing multiplayer with two carts, it loads the files from the NARCs.

It's possible to get it to load everything from the ROM, see this thread.
Posted on 10-19-12, 08:24 pm (rev. 1 by gridatttack on 10-19-12, 08:25 pm)
Birdo


Karma: 3251
Posts: 850/2016
Since: 06-28-11
Posted by Powerline
A question about multiplayer game:
I usually play using two NSMBDS carts (no download play) (and getting ass kicked by my wife, she is much better at Mario than me). Is it still running as if it is download play, only not downloading? I don't really get the whole "patching multiplayer" when editing the multiplayer levels.
Is it possible to disassemble the multiplayer ROM code (if it is different from the main game)?


If you are interested in editing multiplayer levels, you can also check This Thread and what Dirbaio linked to

(also there is this hack which has edited MvsL levels)