Author
|
Topic: Recompilable disassembly of SNES games (Read 896 times)
|
Azleafan00
Guest
|
 |
« on: June 14, 2007, 02:34:02 pm » |
|
Using Geiger's build of Snes9x, we have a way to produce a recompilable disassembly for any SNES game : the method is based on the "usage map" (which is basically a code/data logger) and the "trace/trace once" features.
One would need to play through the whole game with tracing enabled, and try to trigger as many routines as possible. At the end of each session, save the usage map, and the trace log. After you've played the game extensively, merge everything.
In the process, there might be some code and data left that was never accessed, ... hopefully something like 5% of the ROM. In theory, it's not needed to recompile a working ROM (would need to be fixed manually later though)
How useful would that be though ? I don't really understand what perspectives this could create, especially as such an uncommented disassembly remains "raw" material.
|
|
|
|
|
Nightcrawler
Guest
|
|
« Reply #1 on: June 14, 2007, 06:04:45 pm » |
|
It's certainly not worth the time and effort to trace an entire game. And you'll never get all the code disassembled that way. It's a monumental task to play a game and have every single line of the code execute through all branches... Fixing it later would be a huge nightmare.
Sorry, but I don't think this is practical or useful.
|
|
|
|
|
byuu
Guest
|
|
« Reply #2 on: June 14, 2007, 06:19:40 pm » |
|
A) You'd never get 100% of the code identified this way, but yes, you can store the rest as db commands.
B) The log would be virtually useless. The point of having code is so that you can change it: rewrite blocks, insert code, delete code ... any of this will throw off all of your labels, and even if you managed to create labels and tests for all branches and jumps (and magically also handle indirect jumps somehow), you'd still not be able to use this as the code you didn't find could come back to screw you.
This isn't what we need. What we really need are statistical analysis tools. Things like, take a trace log, run it through an application that finds out the call flow of instructions and builds hierarchies. Right now, you make a trace and you have what is essentially a straight list of 100,000 or so opcodes. All in the direct order of execution. But this is not at all how code works.
An analyzer could rip out function start / stop offsets, find out where they are invoked from, allow you to label the subroutines found, label all the variables you have RE'd to have more descriptive names, add comments, and allow you to come a hell of a lot closer to having actual sources to the game in question. Imagine all the work it'd save in a multi-year translation project where you end up coming across the same reused functions again and again, and forgetting what exactly they do.
For debugging, things like stack tracing could also greatly assist, at least for the majority of games that don't perform stack magic (pea + rts, pha + rts, etc).
|
|
|
|
|
Skeud
Guest
|
|
« Reply #3 on: June 15, 2007, 06:06:42 pm » |
|
In fact, we need IDA for SNES  |
|
|
|
|
Dan
Guest
|
|
« Reply #4 on: June 19, 2007, 12:11:15 pm » |
|
It's certainly not worth the time and effort to trace an entire game. And you'll never get all the code disassembled that way. It's a monumental task to play a game and have every single line of the code execute through all branches... Fixing it later would be a huge nightmare.
Sorry, but I don't think this is practical or useful.
Hm, I wouldn't say it's useless. For example, the sonic hacking community (or some guy in it) has disassembled sonic the hedgehog to a set of recompilable source code files. And some pretty nifty hacks have resulted from this. |
|
|
|
|
Azleafan00
Guest
|
|
« Reply #5 on: June 19, 2007, 08:26:25 pm » |
|
Nightcrawler :I was getting enthusiastic after tracing like 90% of a game in 5 hours, ... but I guess that figuring out the remaining 10% would indeed take 10 times as much time. Additionnally, it depends on the kind of game, playing a RPG exhaustively would be close to impossible. On the "execution through all branches" issue, we could use a disassembler which takes both paths whenever it finds a conditional branch, to identify a nice part of the code that wasn't traced, thus improving on a known usage map in an automated way. byuu :Yea the indirect branching is a problem. I think it would be useful if the tracer could log the jump destination whenever it goes through an indirect jump. (Building some kind of jump tables). I don't see how a "post-play" analyser could figure that info otherwise, unless you trace instructions every time they are encountered, which produces a huge log. I just discovered the Trapper utility, which has some of the features you mention. It should come in handy next time I have to trace stuff with Geiger's. Skeud :Can you list the most interesting features of IDA ? Sounds interesting ... Dan :Do you have a link about that project ? I'd like to see if it was a raw disassembly or if they did actually comment the code. (which is what the Nesdev guys recently did with SMB1, I think it was a 4 months effort)
|
|
|
|
|
Dan
Guest
|
|
« Reply #6 on: June 20, 2007, 07:49:17 am » |
|
I never knew that SMB1 disassembly existed, thanks for letting me know! I took a quick look in google, and found this: http://www.s2beta.com/forums/index.php?showforum=13There's stickies at the top of that forum with links, I believe. |
|
|
|
|
Nightcrawler
Guest
|
|
« Reply #7 on: June 20, 2007, 07:53:34 am » |
|
|
|
|
|
|
Dan
Guest
|
|
« Reply #8 on: June 20, 2007, 09:12:24 am » |
|
I wasn't entirely clear, that link was for the sonic the hedgehog disassembly. My bad! |
|
|
|
|
Skeud
Guest
|
|
« Reply #9 on: June 20, 2007, 03:55:42 pm » |
|
Skeud :
Can you list the most interesting features of IDA ? Sounds interesting ...
Ida home pageBesides being the best decompiler available, plugins can be written, to allow more functions, and support new processors. But it is expensive (there is a demo version, but limited to the x86). If you work in a security company, they can buy it for you. |
|
|
|
|
MathOnNapkins
Guest
|
|
« Reply #10 on: June 20, 2007, 04:30:13 pm » |
|
IDA would be amazing to have for SNES, unfortunately, I looked pretty extensively a while ago, and nothing seems to support the 65c816. Shame.
|
|
|
|
|
Spikeman
Guest
|
|
« Reply #11 on: June 20, 2007, 04:36:48 pm » |
|
Here's my idea of how you could do this (probably how IDA works actually): 1) Run through the code, you may have to emulate it in case in generates code/moves it and the code jumps to it, as you run log the instructions. 2) When you hit conditional branches either start the jump and if it didn't jump on two separate threads or come back to the other possibility when done with the first, to make sure you run through all the code. 3) Compile all the logged instructions into a readable disassembly. Make labels for places that are branched to. This would be the extent of the program. 4) You go through and comment/rename labels.  |
|
|
|
|
MathOnNapkins
Guest
|
|
« Reply #12 on: June 21, 2007, 01:57:23 am » |
|
I wrote a disassembler that does that >_>. You give it a starting point and an end point and it tries to do all of the above and more. It's meant to disassemble one routine at a time. It discards all analysis of the code after it's done. If I logged it to a database, you'd have something similar to IDA.
|
|
|
|
|
|
RHDN Forum Archive
