[HN Gopher] Using Ghidra to Reverse Engineer Super Monkey Ball f...
___________________________________________________________________
Using Ghidra to Reverse Engineer Super Monkey Ball for GameCube
Author : coldpie
Score : 239 points
Date : 2021-03-02 14:01 UTC (8 hours ago)
(HTM) web link (www.smokingonabike.com)
(TXT) w3m dump (www.smokingonabike.com)
| jeofken wrote:
| I wonder if anyone has any reading resources for reversing old
| DOS programs written in fortran - namely SCORE, the music
| notation program, still unparalleled in productivity, beauty, and
| preciseness, but with a dead author and no source code.
| dmix wrote:
| I find it funny that their goal is to make the game technically
| harder to make it a better game in general - by reducing the
| points you get - incentivizing you to explore the other levels
| mores. Instead of your typical game hacks that make it easier or
| add cool things. Even though I get this is just a tutorial.
| letitbeirie wrote:
| The craziest thing about Super Monkey Ball to me is that F-Zero
| GX runs on the same engine, just sped way up.
| bombcar wrote:
| I wonder if Dolphin lets you load a "cheatsheet" or something
| where you can tell it to modify certain values in memory after
| loading from the ISO - so you don't have to modify the original
| source ISO at all.
| Deathmax wrote:
| That's what cheat codes allow you to do. The Dolphin wiki
| documents various "enhancements" you can apply with cheat codes
| (https://wiki.dolphin-
| emu.org/index.php?title=The_Legend_of_Z... as an example).
| bluesign wrote:
| Nice reversing article for GameCube, but I think original scoring
| is much better.
|
| It is preventing you to play same easy levels over and over
| again, and as fast as possible bringing you to your skill level.
| Very good adaptive difficulty, it is actually punishing players
| for choosing to play easy levels behind theirs skill level,
| keeping game constant challenge.
|
| PS: haven't played the game, assuming later levels are more
| difficult
| 2pEXgD0fZ5cF wrote:
| Can anybody recommend some good resources and/or books (or some
| kind of roadmap) to get into practical reverse engineering
| "starting from zero" (as in: a person with general higher level
| programming experience)?
| walls wrote:
| 'Practical Malware Analysis' was required reading for all RE
| candidates at my previous job.
|
| It's very windows focused but teaches skills that are
| (somewhat) easily transferable.
| jhatemyjob wrote:
| pokered or pokecrystal
| dilDDoS wrote:
| HackTheBox (hackthebox.eu) has some great reverse engineering
| challenges that you can learn a lot from, and have a clear
| difficulty progression. The non-retired challenges are all free
| with a basic account, but if you're starting from scratch, it
| might be beneficial to try out a premium account to access
| retired challenges (and their associated write-ups).
| Cloudef wrote:
| Get a debugger and disassembler. Read their manual.
| NtGuy25 wrote:
| As someone else said. Practical Malware Analysis is great. The
| ghidra book by Eagle is also decent as well.
|
| The best thing for RE learning though is to use Visual Studio
| to write a few programs. From the debugger view you can use the
| assembly, and see what your program ends up in.
|
| You also want to think about it as the programmer. You have a
| MASSIVE program. You want to see where it creates files. You
| know that on windows, it HAS to go through CreateFile, or at
| least NTcreatefile function or system call. So you can watch
| for these, or look where they are called in Ghidra. Now you can
| mark all the functions in the chain using xrefs (What
| references this) and then get all the functions that use
| createfile out of the way!
|
| And lastly, as a programmer, you know the apis. So think of
| what cases someone would use printf for example. There's not
| many. You know by the use of printf, there's some sort of
| logging at that location. If they use openfile. You have a good
| idea that all the code surrounding that call is going to be
| about the file being opened.
|
| TL;DR. Start from api calls, and work backwards. Use your
| knowledge as a dev for what these api calls are used for. And
| walk that call chain and mark. Eventually every function is
| mapped.
| elitepleb wrote:
| https://beginners.re/
| blinkingled wrote:
| I think the author made these available for free in the past
| but now they are paywalled. (Nothing wrong with that at all,
| just thought it would help others trying to find the download
| on the site.)
| coldpie wrote:
| Hey, article author here. I'm not very good at this stuff, it's
| just applying knowledge I've picked up over my career working
| in systems-level programming and various little game hacking
| projects.
|
| The one thing I'd say is a real pre-requisite is to learn C.
| And I mean really learn C: pointers, including arithmetic and
| aliasing; memory allocation; stack vs heap; statics and
| globals. C is the _lingua franca_ of this environment, and
| learning C will give you a good window into what the compiler
| is doing to turn your code into what 's actually running on the
| CPU.
|
| It's also good to understand how computers actually work. I
| strongly recommend the book "Code" by Charles Petzold
| (Microsoft Press, be wary of counterfeits and don't buy from
| Amazon). It starts literally from scratch. Like, light bulbs
| with electricity and a switch. Then it builds on that to create
| a fundamental CPU, and then shows how to go from there into the
| real CPUs used today, including an introduction to assembly
| language and machine code. It's a fantastic book if you ever
| want to do anything low-level on a computer.
|
| Once you've got C and a basic level of understanding of
| assembly/machine code, I think you're ready to do something
| real. Start simple. The NES runs on a 6502, which is 8-bit, has
| three registers and only a handful of opcodes, and is single-
| threaded. In the past I've used FCEUX-DSP's debugger
| features[1], but I think these days most people use Mesen. You
| can use the same basic techniques I did in these articles: scan
| memory for the values you want (the player's score or life
| count; the player character's velocity), then set watch points
| to find the code that modifies them, then go understand what
| that code is doing and change it to do what you want. Give
| yourself infinite lives or a crazy high jump in Super Mario
| Bros or something.
|
| From there you can move on to more modern CPUs and such, but
| the complexity goes _way_ up once you move on from environments
| where most stuff was actually written in ASM or very simple C
| without fancy compilers. I was very relieved to see how
| readable Super Monkey Ball's disassembly actually was.
|
| [1] My first real game RE project was dumping PNG pictures of
| the levels in M.C. Kids for NES, for comparison on TCRF:
|
| https://gitlab.com/mcmapper/mcmapper/-/blob/master/main.c
|
| https://tcrf.net/Proto:M.C._Kids
| corysama wrote:
| Thanks for the article! Over in
| https://www.reddit.com/r/ReverseEngineering/ there are a
| bunch more people who would really appreciate it if you also
| posted there.
| coldpie wrote:
| Thanks for the suggestion, I have done that. If you know of
| other communities that might enjoy the article, please do
| feel free to pass it along anywhere you like.
| rcfox wrote:
| From my experience: learning C will help you learn assembly,
| which will help you actually learn C.
| samwestdev wrote:
| The book "Code" is by Petzold Charles
| coldpie wrote:
| Indeed, fixed. Thanks.
| JohnCurran wrote:
| This gets asked a fair bit. Here's an HN link tree you can
| follow to get you started:
|
| https://news.ycombinator.com/item?id=26296951
| bumbada wrote:
| For learning programming I always recommend that you have a
| specific project in mind, so instead of following a book, you
| follow your project's needs and use books as a reference.
|
| I learned (intel x86)assembly from joining a cracking group
| when I was adolescent, it was my first programming language.
| Nothing beats being taught by masters of the craft and
| competing and contributing as a team.
|
| Today I teach kids ARM assembly using microcontrollers like
| arduino unos or nanos and controlling a motor or servo, then I
| add more and more complexity like explaining klipper
| architecture, so they learn c and python.
|
| With kids, the social part is very important, and making real
| things that move and react on the real world too. I suspect is
| of great help for adults too.
|
| It is probably too dull to learn assembler today, on your own
| (alone) on a powerful computer. With a microcontroller you have
| a machine that is so constrained in resources that you really
| need to use c or assembly.
|
| HN has very good resources about assembly, you can search them
| on google "hacker news assembly" or "hacker news reverse
| engineer", use zotero to aggregate the links.
| pluc wrote:
| is your answer to "how do I learn to reverse-engineer things"
| to learn Assembly? If so why?
| pjc50 wrote:
| Well, the assembly is literally all you have, so you're not
| going to make much progress otherwise..
| secondcoming wrote:
| Because if you're dumping binaries, or attaching to running
| processes, you'll be looking at assembly code.
| barbecue_sauce wrote:
| Pretty sure that's the whole basis of reverse engineering.
| ackbar03 wrote:
| My 2 cents is do some CTF questions. PicoCTF's are good for
| beginners, they have a good progression in difficulty.
|
| And once your more or less proficient then just crack some
| software. Find something old, like protected by purchasing key
| or whatever, and on the simpler side, don't go straight for
| photoshop or whatever. Its gonna take a long time but even if
| you don't succeed you'll get a much better feel for it in the
| process. Best way to learn is by doing, thats my experience
| anyways.
| _joel wrote:
| There's places like https://crackmes.one/ too
| yomansat wrote:
| This series, for reverse engineering a multi-player game that's
| meant to be hacked:
|
| https://www.youtube.com/watch?v=RDZnlcnmPUA&list=PLhixgUqwRT...
| o_p wrote:
| I really hope Ghidra becomes the standard in reverse engineering,
| but the good old IDA with decompilers is just too good for now
| complexplane wrote:
| I'm actually from a Super Monkey Ball 2 hacking community which,
| among other things, has been working on a Ghidra decompilation
| for a bit over a year now. We collaborate on a shared Ghidra
| server and have tons of stuff labelled and annotated at this
| point!
|
| As an example, here's a full decompilation of the camera code
| which runs after the ball passes through the goal:
| https://cdn.discordapp.com/attachments/463221047471374337/79...
|
| We also have the ability to inject C++ directly into the game for
| modding. I'm also the author of ApeSphere, a practice mod for
| SMB2 with features like savestates:
| https://github.com/complexplane/apesphere . Take a look at
| rel/savestate.cpp for a taste of what we can do.
| guitarbill wrote:
| do you have any tips for setting up a shared Ghidra server? the
| user management especially seemed scary, and has kept me from
| setting one up in the past.
| imwillofficial wrote:
| I'd love to learn this skill, but unsure where to get started.
| samwestdev wrote:
| I'd love to do something like this for various NES games. Can
| Ghidra hook up to some NES emulators?
| tom_ wrote:
| Ghidra didn't do a great job of 6502 when I tried using it a
| couple of years ago, due to poor support for a couple of the
| 6502's addressing modes, but maybe it's improved?
|
| This Github bug summarises the problem I was having with it:
| https://github.com/NationalSecurityAgency/ghidra/issues/201
| g051051 wrote:
| The version 9.2 release notes mention improvements to the
| 6502 processor specification:
|
| > Many improvements and bug fixes have been made to existing
| processor specifications: ARM, AARCH64, AVR8, CRC16C,
| PIC24/30, SH2, SH4, TriCore, X86, XGATE, 6502, 68K, 6805,
| M6809, 8051, and others.
|
| Perhaps it's better for your use case now?
| jhatemyjob wrote:
| you dont need Ghidra for that
| mikepurvis wrote:
| I expect you'll have a tougher time there because NES games
| were written directly in assembler, so there won't be the
| characteristic patterns that a decompiler can use to recognize
| particular control flows-- I believe C wasn't really standard
| until the N64 era, which was part of what made high-level
| emulation (see: UltraHLE) possible.
|
| On the other hand, hand-authored assembly is easier to read
| directly, because, of course, it was written and read in that
| form originally anyway!
| bluesign wrote:
| Still bankswitching etc will cause a lot of problems for
| disassembler.
|
| Best option for NES is to use emulator debugger for sure.
| monksy wrote:
| I miss the game Super Monkey Ball. That was one of those games
| that was supper approachable, and easily competitive with friends
| in the same room.
|
| They have released something for the ps4 but I haven't opened the
| box yet.
|
| Also, this makes me want to get out the
| https://www.cs.virginia.edu/~cr4bd/3330/F2018/bomblab.html lab
| and try the disassembler he's using.
| aquova wrote:
| An indie developer announced today that their Super Monkey
| Ball-inspired game will be going into early access on Steam
| later this month: https://www.youtube.com/watch?v=YN_XnekG6Ac
|
| It looks to be incredibly close to those original games.
| G4E wrote:
| There was MTP Target, a clone with penguin which had a pretty
| active community circa 2008[1][2]
|
| I loved this game. It had an IRC server included so you could
| chat while in game, a forumboard, and a pretty diverse
| community. The gameplay was simple to learn but difficult to
| master, with a lot of fun for everyones.
|
| Sadly, it was open-source but not so much. The sole developer
| never opened up the source of the server, and even the client's
| were not keep up to date, so it was impossible to play
| elsewhere than the official server.
|
| The sole developer had a little revenue stream by selling
| premium account (which enabled the possibility to use custom
| skins and access to a private server) and never accepted to let
| the community fix bugs or host other servers. There was quiet a
| bit of friction and drama between him and some members of the
| community, and in the end he prefered letting the game die than
| giving it to the community.
|
| [1] http://web.archive.org/web/20111028123349/http://www.mtp-
| tar... [2]
| http://web.archive.org/web/20110310131659/https://www.mtp-ta...
| [3] https://fr.m.wikipedia.org/wiki/Mtp_Target
| markus_zhang wrote:
| Is the bomb lab the same one as in CS61A? I did that one and it
| was extremely interesting. Sadly I'm not really sure how to go
| from there to start a reverse engineering life but at least I'm
| taking some univ courses.
| PEJOE wrote:
| I've seen bomblab, etc, at a couple of universities. Does
| anyone know the history of these exercises? I saw them at CMU
| as well. Really cool that these are used across several great
| programs.
| monksy wrote:
| I think it originated at CMU. At Elon we had an automatic
| grader that gave limited amount of tries tied to your grade.
| wdevanny wrote:
| I believe they are a part of Computer Systems: A Programmer's
| Perspective by Bryant and O'Hallaron. You can see a list of
| the labs at http://csapp.cs.cmu.edu/3e/labs.html.
| dimator wrote:
| It really was a highly enjoyable game, both 1p and with a
| party. I'm pretty sure it was the only thing we needed 4
| controllers for :)
|
| The speed runs for that game are mind melting, if you're into
| watching those.
___________________________________________________________________
(page generated 2021-03-02 23:00 UTC)