gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies. A new forum can be found here.

Coding > Best way to reverse-engineering GBA binaries?

#45839 - Vince - Wed Jun 15, 2005 6:07 pm

Hello to all of you,

I am one of the authors of if2a, the F2A/F2AUltra flashing software. I am in the process of going on with the reverse-engineering of the F2A Ultra features. To do that, I need to reverse-engineer the F2A Ultra loader (CIZ) as not much information can be obtained anymore from the memory dumps/sniffs.

Where I am:
+ I have an accurate disassembly of the binary using objdump as well as the reference datasheet for the ARM7 + GBATek excellent GBA spec. I have checked the disasm against VBA one and they both match so it seems correct to me.

+ I am using VBA (both Win32 normal and Linux SDL version) to understand what is being done under the hood. Unfortunately, the normal version (with the GUI) does not allow memory/register modification (I am running it through Wine so I may be wrong). The SDL version which embeds the debugger does not allow me to put breakpoints on addresses, only on symbols/lines/functions (which I don't have). Moreover, it seems impossible to launch the debugger before starting the emulation, something that annoys me. The VBA documentation is quite scarce on that matter and I would appreciate help here.

+ I have used objcopy to create an ELF file from the binary. I still need to change the section name as all goes into .data but this seems a viable approach to load it into an arm-built GDB and to connect to VBA. Once my GBA/VBA works, I can start building symbol tables by hand/using objcopy using information gathered from the reverse.

+ I am also thinking about scripting the objdump disasm in order to add function/jump detection. Is this a good approach?

What do you think about my method? I am sure there are more efficient ways to do that but I would like to use free tools (I don't want to buy IDAPro).

Thanks for your help on that matter, I've tried to gather as much info as I could but the forums are not full of information here (most people say they reverse engineer things but do not say how they did it...).

Vince
_________________
Reclaim control of your F2A/F2AU with if2a !!
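The "scripting the disasm to add function/jump detection" idea from the post above, as an added example that is not code from the thread or from if2a: it scans a raw ARM-mode image for B/BL instructions, resolves their targets against a base VMA, and treats every BL target as a candidate function entry. The sample bytes are hand-encoded and constructed for the example (not a real loader), the 0x08000000 base is the GBA cartridge ROM address, and only 32-bit ARM encodings are handled (Thumb is ignored).

```python
"""Branch/call scanner for a raw ARM-mode binary: lists every B/BL with its
resolved target and derives candidate function entries from the BL targets."""
import struct

# Constructed sample: six hand-encoded ARM instructions (not a real ROM).
#   off 0x00  bl  0x10      -> eb000002
#   off 0x04  bl  0x10      -> eb000001
#   off 0x08  b   0x08      -> eafffffe   (spin forever)
#   off 0x0c  mov r0, r0    -> e1a00000   (nop)
#   off 0x10  mov r0, #1    -> e3a00001
#   off 0x14  bx  lr        -> e12fff1e
SAMPLE = struct.pack("<6I", 0xEB000002, 0xEB000001, 0xEAFFFFFE,
                     0xE1A00000, 0xE3A00001, 0xE12FFF1E)
GBA_ROM_BASE = 0x08000000  # cartridge ROM is mapped here on the GBA


def decode_branch(word, addr):
    """Return ("b" | "bl", target) if `word` is an ARM B/BL at `addr`, else None.
    Encoding: cond[31:28] 101[27:25] L[24] imm24[23:0];
    target = (addr + 8) + sign_extend(imm24) << 2 (PC reads two words ahead)."""
    if (word >> 25) & 0b111 != 0b101:
        return None
    if (word >> 28) == 0xF:        # cond 1111 is not a B/BL on ARM7TDMI (BLX needs ARMv5)
        return None
    imm = word & 0xFFFFFF
    if imm & 0x800000:             # sign-extend the 24-bit field
        imm -= 0x1000000
    kind = "bl" if (word >> 24) & 1 else "b"
    return kind, (addr + 8 + imm * 4) & 0xFFFFFFFF


def scan_branches(data, base):
    """Return [(addr, word, kind, target), ...] for every B/BL in `data` loaded at `base`."""
    found = []
    for off in range(0, len(data) - 3, 4):
        word = struct.unpack_from("<I", data, off)[0]
        hit = decode_branch(word, base + off)
        if hit:
            found.append((base + off, word, hit[0], hit[1]))
    return found


def function_entries(branches):
    """Candidate function entry points: the distinct targets of BL instructions."""
    return sorted({target for _, _, kind, target in branches if kind == "bl"})


def annotate(data, base):
    """objdump-style listing with a sub_XXXXXXXX label in front of every BL target."""
    branches = scan_branches(data, base)
    entries = set(function_entries(branches))
    by_addr = {addr: (kind, target) for addr, _, kind, target in branches}
    lines = []
    for off in range(0, len(data) - 3, 4):
        addr = base + off
        word = struct.unpack_from("<I", data, off)[0]
        if addr in entries:
            lines.append(f"sub_{addr:08x}:")
        text = f"{addr:08x}:  {word:08x}"
        if addr in by_addr:
            kind, target = by_addr[addr]
            text += f"  {kind} 0x{target:08x}"
            if kind == "bl":
                text += f" ; -> sub_{target:08x}"
        lines.append(text)
    return lines


if __name__ == "__main__":
    print("\n".join(annotate(SAMPLE, GBA_ROM_BASE)))
```

Running the scanner with base 0 instead of 0x08000000 shows the VMA point made later in the thread: every resolved target comes out shifted by the load address, so absolute addresses in literal pools no longer line up with the listing.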

#45968 - caitsith2 - Fri Jun 17, 2005 11:12 am

I guess that puts no$gba shareware debugger version out of the question. ($15US). Very handy for reverse engineering.

#45970 - arundel - Fri Jun 17, 2005 11:44 am

How about mappyVM?
_________________
http://www.nausicaa.net

#45980 - Vince - Fri Jun 17, 2005 1:43 pm

Hello,

Thank you both for your help here. I should have taken a look at more GBA emulators before asking for help here. I will check MappyVM as you suggested.

caitsith2 : I could all the more afford the $15 of no$gba as I have heard only praises about it all the time. Just that there is a difference between $15 and $300 ...

I will keep you informed on how it goes.

Vincent
_________________
Reclaim control of your F2A/F2AU with if2a !!


Last edited by Vince on Fri Jun 17, 2005 1:52 pm; edited 1 time in total

#46015 - MumblyJoe - Sat Jun 18, 2005 4:58 am

I am curious as to what switches you used to do the objdump and objcopy. I just tried it out of curiosity, and I can make an elf from a binary in elf32-bigarm but when I try to objdump it it claims it doesn't support elf32-big.
_________________
www.hungrydeveloper.com
Version 2.0 now up - guaranteed at least 100% more pleasing!

#46017 - tepples - Sat Jun 18, 2005 5:59 am

MumblyJoe wrote:
it claims it doesn't support elf32-big.

Processors hardwired to be little-endian include the 6502, the 65C816, the Intel 8086 and successors, the Zilog Z80, the Sharp Z80-clone (for Game Boy). Processors used in a little-endian configuration include MIPS CPUs in PlayStation systems, Hitachi SH4 CPU in Sega Dreamcast, and ARM CPUs in GBA, Nintendo DS, and Sega Dreamcast.

Processors hardwired to be big-endian include Motorola MC68000 and successors and IBM PowerPC series. Processors used in a big-endian configuration include the Hitachi CPUs in Saturn.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#46023 - MumblyJoe - Sat Jun 18, 2005 10:00 am

Thanks tepples, my mistake.

What I tried however, is not affected by this.

This works to make an elf file.
Code:
arm-elf-objcopy -O elf32-littlearm -I binary mb_child.arm7 mb_child.arm7.elf


This however...
Code:
arm-elf-objdump -d mb_child.arm7.elf


Produces this error...
Code:
mb_child.arm7.elf:     file format elf32-little

arm-elf-objdump: Can't disassemble for architecture UNKNOWN!


so it appears that it doesn't know that it is ARM I want, was just wondering how Vince did it with these tools.
_________________
www.hungrydeveloper.com
Version 2.0 now up - guaranteed at least 100% more pleasing!

#46025 - MumblyJoe - Sat Jun 18, 2005 10:17 am

Sorry, never mind. It appears the -B flag does what I need.
_________________
www.hungrydeveloper.com
Version 2.0 now up - guaranteed at least 100% more pleasing!

#46175 - Vince - Tue Jun 21, 2005 10:08 am

Hello,

Yes, as you said, this was the -B which was missing. Thanks to Tepples as well for the BE/LE/hard/soft explanation.

You can try to compare with the disasm that an emulator (say VBA) produces to see whether your output is right.

Do not forget to adjust the VMA as well, otherwise, the addresses will be shifted.

Vince
_________________
Reclaim control of your F2A/F2AU with if2a !!
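What the objcopy recipe in this thread produces, written out by hand as an added example (not code from the thread or from if2a): a raw binary is wrapped into a minimal ELF32 little-endian ARM image with e_machine set to ARM (the part the -B flag supplies) and the .text section and entry point placed at a chosen VMA (the adjustment Vince mentions). The sample ROM bytes are constructed for the example, and 0x08000000 is the GBA cartridge ROM base; the small reader at the end walks the section headers back so the result can be checked without binutils.

```python
"""Wrap a raw ARM binary in a minimal ELF32 (little-endian, EM_ARM) image whose
.text section sits at a chosen VMA, and read it back to verify the layout."""
import struct
import sys

EM_ARM = 40
ELFCLASS32, ELFDATA2LSB = 1, 1
ET_EXEC = 2
PT_LOAD, PF_X, PF_R = 1, 1, 4
SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4

EHDR = struct.Struct("<4sBBBBB7xHHIIIIIHHHHHH")  # 52-byte ELF header
PHDR = struct.Struct("<8I")                       # 32-byte program header
SHDR = struct.Struct("<10I")                      # 40-byte section header

# Constructed sample "ROM": three ARM words (b .; mov r0,#1; bx lr), not a real image.
SAMPLE_ROM = struct.pack("<3I", 0xEAFFFFFE, 0xE3A00001, 0xE12FFF1E)
GBA_ROM_BASE = 0x08000000


def wrap_raw_arm(code: bytes, vma: int) -> bytes:
    """Return an ELF32 ARM executable with `code` as .text loaded at `vma`."""
    shstrtab = b"\0.text\0.shstrtab\0"           # name offsets: .text=1, .shstrtab=7
    text_off = EHDR.size + PHDR.size              # 84, already 4-byte aligned
    shstr_off = text_off + len(code)
    sh_off = (shstr_off + len(shstrtab) + 3) & ~3  # section header table, 4-aligned
    ehdr = EHDR.pack(b"\x7fELF", ELFCLASS32, ELFDATA2LSB, 1, 0, 0,
                     ET_EXEC, EM_ARM, 1, vma,      # e_entry = start of the image
                     EHDR.size, sh_off, 0,         # e_phoff, e_shoff, e_flags
                     EHDR.size, PHDR.size, 1,      # e_ehsize, e_phentsize, e_phnum
                     SHDR.size, 3, 2)              # e_shentsize, e_shnum, e_shstrndx
    phdr = PHDR.pack(PT_LOAD, text_off, vma, vma, len(code), len(code), PF_R | PF_X, 4)
    shdrs = SHDR.pack(*([0] * 10))                 # mandatory null section
    shdrs += SHDR.pack(1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, vma, text_off,
                       len(code), 0, 0, 4, 0)
    shdrs += SHDR.pack(7, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + phdr + code + shstrtab
    body += b"\0" * (sh_off - len(body))           # pad up to the header table
    return body + shdrs


def read_text_section(elf: bytes):
    """Return (e_machine, text_vma, text_bytes) by walking the section headers."""
    fields = EHDR.unpack_from(elf, 0)
    if fields[0] != b"\x7fELF":
        raise ValueError("not an ELF file")
    e_machine, e_shoff, e_shnum, e_shstrndx = fields[7], fields[11], fields[17], fields[18]
    shdrs = [SHDR.unpack_from(elf, e_shoff + i * SHDR.size) for i in range(e_shnum)]
    strtab_off = shdrs[e_shstrndx][4]
    for name_off, _type, _flags, addr, off, size, *_rest in shdrs:
        start = strtab_off + name_off
        name = elf[start:elf.index(b"\0", start)]
        if name == b".text":
            return e_machine, addr, elf[off:off + size]
    raise ValueError("no .text section")


if __name__ == "__main__":
    # usage: python wrap_elf.py <raw.bin> <out.elf> [vma-hex]
    src, dst = sys.argv[1], sys.argv[2]
    vma = int(sys.argv[3], 16) if len(sys.argv) > 3 else GBA_ROM_BASE
    with open(src, "rb") as f:
        blob = wrap_raw_arm(f.read(), vma)
    with open(dst, "wb") as f:
        f.write(blob)
    print(read_text_section(blob)[:2])
```

The resulting file is what arm-elf-objdump -d expects: the architecture comes from e_machine rather than a command-line flag, and because .text carries the real load address every branch target and literal-pool value in the listing lines up with the emulator's view of memory.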