
解説/FEBuilderGBA/Disassembler_EN

Last-modified: 2018-01-13 (Sat) 10:53:02

Disassembler

ROM analysis with the FEBuilderGBA disassembler (for hackers)

FEBuilderGBA is a tool for easily modifying GBAFE (the GBA Fire Emblem games),
but it can also help those who want to analyze the code seriously.

This time we introduce the disassembler and the map file, which are the foundation of that analysis.

Disassembler

FEBuilderGBA has its own disassembler routine and its own map file generator.
With them you get asm source code with comments inserted automatically.

For example, the routine at 08E4F6E0 comes out like this (the steps to produce it follow below). The comments are added by the tool: each LDR from the literal pool is followed by the pool address, the value stored there, and a name when the address is known (here the Gold counter at 0202BCF4). Reading the code, it compares Gold against the constant 0xC350 (50000), stores 1 at 030004E0 if Gold is at least that and 0 otherwise, and returns 0:

08E4F6E0 B500   push {, lr}
08E4F6E2 46C0   mov r8, r8
08E4F6E4 4B05   ldr r3, [pc, #0x14] # pointer:08E4F6FC -> 0202BCF4 (Gold )
08E4F6E6 6819   ldr r1, [r3, #0x0] # pointer:0202BCF4 (Gold )
08E4F6E8 2000   mov r0, #0x0
08E4F6EA 46C0   mov r8, r8
08E4F6EC 4A04   ldr r2, [pc, #0x10] # pointer:08E4F700
08E4F6EE 4291   cmp r1 ,r2
08E4F6F0 DB00   blt #0x8e4f6f4
    08E4F6F2 2001   mov r0, #0x1
08E4F6F4 4A03   ldr r2, [pc, #0xc] # pointer:08E4F704 -> 030004B0 (DATA Numbers clogged with event instruction 40050000XXXXXXXX )
08E4F6F6 6310   str r0, [r2, #0x30] # pointer:030004E0
08E4F6F8 2000   mov r0, #0x0
08E4F6FA BD00   pop {, lr}
08E4F6FC BCF4 0202   //LDRDATA
08E4F700 C350 0000   //LDRDATA
08E4F704 04B0 0300   //LDRDATA

StepA01

From the menu, select Tools -> Disassembler.
https://i.imgur.com/Y0oSzvT.jpg

StepA02

In the disassembler, enter the address of the function you want to see and its contents are displayed.
Usually, however, you do not yet know where the function you are interested in is.

So let's dump all the source code instead.
Select "Print to all files".
https://i.imgur.com/FqhJSoD.jpg

StepA03

You can choose between outputting the ASM source code and creating a map file that can be imported into IDA.
The latest version can also create a sym file for the no$gba debugger.


For now, generate the ASM source code.
Generating it takes about 1 hour, so it is best started before going to bed.
https://i.imgur.com/fxIsbFe.jpg

StepA04

Press the button and enter the name of the file to save to.
The asm is written to that file continuously.
It will take about 1 hour.
https://i.imgur.com/16fcu45.jpg

Differences from disarm

Unlike disarm, FEBuilderGBA has the following features.

  1. It traces the destination of every LDR: the literal-pool word it reads, and what that value points to.
  2. Functions and memory locations whose purpose is already known are named automatically from asmmap.
  3. Other data such as images is briefly annotated.
  4. All numbers are output in hexadecimal, as #0x1234.

    However, the following restriction applies.
  5. Only Thumb mode is supported.
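To make feature 1 concrete, here is an added example (not FEBuilderGBA's own code) that does the same LDR-pointer tracing over the listing shown earlier on this page. The 40 bytes of the routine at 08E4F6E0 are reconstructed from that listing and embedded as a constructed ROM fragment; the ASMMAP dictionary is a stand-in for the tool's asmmap, where "Gold" comes from the listing and "EventConditionData" is an assumed label for the 030004B0 entry. It decodes each Thumb `ldr rd, [pc, #imm]`, computes the pool address (PC reads as instruction address + 4, rounded down to a word boundary), reads the pool word, names it if known, and stops decoding at the first pool slot so pool words are not treated as instructions, which is what the //LDRDATA lines in the listing mark.

```python
import struct
from typing import Dict, List, Optional, Tuple

BASE = 0x08E4F6E0

# Constructed for this example from the listing above: the 0x28 bytes of the
# routine at 08E4F6E0 (14 Thumb halfwords, then three literal-pool words),
# stored little-endian as they are in the ROM.
ROM_FRAGMENT = bytes.fromhex(
    "00B5 C046 054B 1968 0020 C046 044A 9142 00DB 0120 034A 1063 0020 00BD"
    "F4BC0202 50C30000 B0040003"
)

# Stand-in for FEBuilderGBA's asmmap. "Gold" is the name the listing shows;
# "EventConditionData" is an assumed label for the 030004B0 entry.
ASMMAP: Dict[int, str] = {
    0x0202BCF4: "Gold",
    0x030004B0: "EventConditionData",
}


def decode_ldr_literal(halfword: int) -> Optional[Tuple[int, int]]:
    """Decode Thumb 'ldr rd, [pc, #imm]' (bits 15..11 = 01001, rd in bits 10..8,
    imm8 in bits 7..0 counted in words). Returns (rd, byte offset) or None."""
    if (halfword >> 11) != 0b01001:
        return None
    return (halfword >> 8) & 0x7, (halfword & 0xFF) * 4


def literal_address(instr_addr: int, imm: int) -> int:
    """PC-relative base for a Thumb LDR literal: instruction address + 4,
    rounded down to a word boundary, plus the encoded offset."""
    return ((instr_addr + 4) & ~0x3) + imm


def read_word(rom: bytes, base: int, addr: int) -> Optional[int]:
    """Little-endian 32-bit read, or None if the address is outside the fragment."""
    off = addr - base
    if off < 0 or off + 4 > len(rom):
        return None
    return struct.unpack_from("<I", rom, off)[0]


def trace_ldr_pointers(rom: bytes = ROM_FRAGMENT, base: int = BASE,
                       names: Dict[int, str] = ASMMAP) -> List[dict]:
    """Walk the halfwords as Thumb code, resolve every LDR literal to its pool
    word, and stop decoding at the lowest pool slot seen so far so that pool
    data is never disassembled as instructions."""
    refs: List[dict] = []
    code_end = base + len(rom)
    addr = base
    while addr + 2 <= code_end:
        hw = struct.unpack_from("<H", rom, addr - base)[0]
        dec = decode_ldr_literal(hw)
        if dec is not None:
            rd, imm = dec
            pool = literal_address(addr, imm)
            value = read_word(rom, base, pool)
            refs.append({
                "instr": addr, "rd": rd, "imm": imm, "pool": pool, "value": value,
                "name": names.get(value) if value is not None else None,
            })
            code_end = min(code_end, pool)  # the pool begins where code ends
        addr += 2
    return refs


def render(ref: dict) -> str:
    """Format one reference in the style of the listing above."""
    line = (f"{ref['instr']:08X} ldr r{ref['rd']}, [pc, #0x{ref['imm']:x}]"
            f" # pointer:{ref['pool']:08X}")
    if ref["value"] is not None:
        line += f" -> {ref['value']:08X}"
        if ref["name"]:
            line += f" ({ref['name']})"
    return line


if __name__ == "__main__":
    for r in trace_ldr_pointers():
        print(render(r))
```

Run stand-alone it prints the three LDR lines from the listing with their pool addresses and values resolved. The word-alignment step matters: an LDR sitting at an address that is 2 mod 4 still measures its offset from the word-aligned PC, which is why the tool can report pool addresses exactly.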


About the map file

All information known to FEBuilderGBA is output to the map file.

  1. Structure information for data that can be edited (romfe*.cs).
  2. Information the ROM itself holds that is needed to disassemble it.
  3. Addresses provided by patch files.
  4. LZ77-compressed data found in the ROM.
  5. Runs of consecutive 0x00 or 0xFF bytes, shown simply as empty areas.
  6. Known functions and data areas (/config/data/asmmap*.txt).

    However, there is not enough information yet.
    If you know what an unknown function does, please tell me.
    Because the structures known to FEBuilderGBA and the addresses from patches are also used as the disassembler's map file,
    the more patches and similar contributions you post, the smarter the disassembler automatically becomes.
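As an added example of item 5 (not FEBuilderGBA's own code), the following scans a ROM image for runs of 0x00 or 0xFF and reports them as empty areas. The sample image is constructed inline, the 0x08000000 base is the GBA cartridge ROM address, and the output line format is assumed for this example rather than taken from the tool's map file. The minimum run length is the check a practitioner wants: a lone 0x00 inside real code or data is not free space, so short runs are skipped.

```python
from typing import List, Tuple

# Constructed sample ROM image: 16 bytes of "code", 0x40 bytes of 0xFF padding,
# 8 bytes of data, 0x20 bytes of 0x00, then 4 more data bytes.
SAMPLE_ROM = (bytes(range(16)) + b"\xFF" * 0x40 + b"\x12\x34\x56\x78" * 2
              + b"\x00" * 0x20 + b"\xAA" * 4)

GBA_ROM_BASE = 0x08000000  # cartridge ROM is mapped here on the GBA


def find_empty_areas(rom: bytes, base: int = GBA_ROM_BASE,
                     min_len: int = 0x20) -> List[Tuple[int, int, int]]:
    """Return (start, end, fill) for every run of at least min_len identical
    0x00 or 0xFF bytes; end is exclusive. Runs shorter than min_len are
    ignored because isolated zero or 0xFF bytes occur inside real data."""
    areas: List[Tuple[int, int, int]] = []
    i, n = 0, len(rom)
    while i < n:
        fill = rom[i]
        if fill not in (0x00, 0xFF):
            i += 1
            continue
        j = i
        while j < n and rom[j] == fill:
            j += 1
        if j - i >= min_len:
            areas.append((base + i, base + j, fill))
        i = j
    return areas


def map_lines(areas: List[Tuple[int, int, int]]) -> List[str]:
    """Render runs as simple map-style lines (format assumed for this example)."""
    return [f"{s:08X}-{e - 1:08X} EMPTY 0x{fill:02X} size=0x{e - s:X}"
            for s, e, fill in areas]


if __name__ == "__main__":
    print("\n".join(map_lines(find_empty_areas(SAMPLE_ROM))))
```

Raising min_len filters out small gaps between tables so the map only lists areas large enough to hold inserted code or data.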