[HN Gopher] Using Ghidra to Reverse Engineer Super Monkey Ball for GameCube
___________________________________________________________________

Using Ghidra to Reverse Engineer Super Monkey Ball for GameCube
Author : coldpie
Score  : 239 points
Date   : 2021-03-02 14:01 UTC (8 hours ago)
web link (www.smokingonabike.com)

| jeofken wrote:
| I wonder if anyone has any reading resources for reversing old DOS programs written in Fortran - namely SCORE, the music notation program, still unparalleled in productivity, beauty, and preciseness, but with a dead author and no source code.

| dmix wrote:
| I find it funny that their goal is to make the game technically harder to make it a better game in general - by reducing the points you get - incentivizing you to explore the other levels more. Instead of your typical game hacks that make it easier or add cool things. Even though I get this is just a tutorial.

| letitbeirie wrote:
| The craziest thing about Super Monkey Ball to me is that F-Zero GX runs on the same engine, just sped way up.

| bombcar wrote:
| I wonder if Dolphin lets you load a "cheatsheet" or something where you can tell it to modify certain values in memory after loading from the ISO - so you don't have to modify the original source ISO at all.

| Deathmax wrote:
| That's what cheat codes allow you to do. The Dolphin wiki documents various "enhancements" you can apply with cheat codes (https://wiki.dolphin-emu.org/index.php?title=The_Legend_of_Z... as an example).

| bluesign wrote:
| Nice reversing article for GameCube, but I think the original scoring is much better.
|
| It is preventing you from playing the same easy levels over and over again, and, as fast as possible, bringing you to your skill level. Very good adaptive difficulty; it is actually punishing players for choosing to play easy levels behind their skill level, keeping the game a constant challenge.
|
| PS: haven't played the game, assuming later levels are more difficult

| 2pEXgD0fZ5cF wrote:
| Can anybody recommend some good resources and/or books (or some kind of roadmap) to get into practical reverse engineering "starting from zero" (as in: a person with general higher-level programming experience)?

| walls wrote:
| 'Practical Malware Analysis' was required reading for all RE candidates at my previous job.
|
| It's very Windows-focused but teaches skills that are (somewhat) easily transferable.

| jhatemyjob wrote:
| pokered or pokecrystal

| dilDDoS wrote:
| HackTheBox (hackthebox.eu) has some great reverse engineering challenges that you can learn a lot from, and they have a clear difficulty progression. The non-retired challenges are all free with a basic account, but if you're starting from scratch, it might be beneficial to try out a premium account to access retired challenges (and their associated write-ups).

| Cloudef wrote:
| Get a debugger and disassembler. Read their manual.

| NtGuy25 wrote:
| As someone else said, Practical Malware Analysis is great. The Ghidra book by Eagle is also decent as well.
|
| The best thing for RE learning though is to use Visual Studio to write a few programs. From the debugger view you can use the assembly, and see what your program ends up in.
|
| You also want to think about it as the programmer. You have a MASSIVE program. You want to see where it creates files. You know that on Windows, it HAS to go through CreateFile, or at least the NtCreateFile function or system call. So you can watch for these, or look where they are called in Ghidra. Now you can mark all the functions in the chain using xrefs (What references this) and then get all the functions that use CreateFile out of the way!
|
| And lastly, as a programmer, you know the APIs. So think of what cases someone would use printf for, for example. There's not many.
| You know by the use of printf, there's some sort of logging at that location. If they use openfile, you have a good idea that all the code surrounding that call is going to be about the file being opened.
|
| TL;DR: Start from API calls, and work backwards. Use your knowledge as a dev for what these API calls are used for. And walk that call chain and mark. Eventually every function is mapped.

| elitepleb wrote:
| https://beginners.re/

| blinkingled wrote:
| I think the author made these available for free in the past but now they are paywalled. (Nothing wrong with that at all, just thought it would help others trying to find the download on the site.)

| coldpie wrote:
| Hey, article author here. I'm not very good at this stuff, it's just applying knowledge I've picked up over my career working in systems-level programming and various little game hacking projects.
|
| The one thing I'd say is a real prerequisite is to learn C. And I mean really learn C: pointers, including arithmetic and aliasing; memory allocation; stack vs heap; statics and globals. C is the _lingua franca_ of this environment, and learning C will give you a good window into what the compiler is doing to turn your code into what's actually running on the CPU.
|
| It's also good to understand how computers actually work. I strongly recommend the book "Code" by Charles Petzold (Microsoft Press, be wary of counterfeits and don't buy from Amazon). It starts literally from scratch. Like, light bulbs with electricity and a switch. Then it builds on that to create a fundamental CPU, and then shows how to go from there into the real CPUs used today, including an introduction to assembly language and machine code. It's a fantastic book if you ever want to do anything low-level on a computer.
|
| Once you've got C and a basic level of understanding of assembly/machine code, I think you're ready to do something real. Start simple.
| The NES runs on a 6502, which is 8-bit, has three registers and only a handful of opcodes, and is single-threaded. In the past I've used FCEUX-DSP's debugger features[1], but I think these days most people use Mesen. You can use the same basic techniques I did in these articles: scan memory for the values you want (the player's score or life count; the player character's velocity), then set watch points to find the code that modifies them, then go understand what that code is doing and change it to do what you want. Give yourself infinite lives or a crazy high jump in Super Mario Bros or something.
|
| From there you can move on to more modern CPUs and such, but the complexity goes _way_ up once you move on from environments where most stuff was actually written in ASM or very simple C without fancy compilers. I was very relieved to see how readable Super Monkey Ball's disassembly actually was.
|
| [1] My first real game RE project was dumping PNG pictures of the levels in M.C. Kids for NES, for comparison on TCRF:
|
| https://gitlab.com/mcmapper/mcmapper/-/blob/master/main.c
|
| https://tcrf.net/Proto:M.C._Kids

| corysama wrote:
| Thanks for the article! Over in https://www.reddit.com/r/ReverseEngineering/ there are a bunch more people who would really appreciate it if you also posted there.

| coldpie wrote:
| Thanks for the suggestion, I have done that. If you know of other communities that might enjoy the article, please do feel free to pass it along anywhere you like.

| rcfox wrote:
| From my experience: learning C will help you learn assembly, which will help you actually learn C.

| samwestdev wrote:
| The book "Code" is by Petzold Charles

| coldpie wrote:
| Indeed, fixed. Thanks.

| JohnCurran wrote:
| This gets asked a fair bit.
| Here's an HN link tree you can follow to get you started:
|
| https://news.ycombinator.com/item?id=26296951

| bumbada wrote:
| For learning programming I always recommend that you have a specific project in mind, so instead of following a book, you follow your project's needs and use books as a reference.
|
| I learned (Intel x86) assembly from joining a cracking group when I was an adolescent; it was my first programming language. Nothing beats being taught by masters of the craft and competing and contributing as a team.
|
| Today I teach kids ARM assembly using microcontrollers like Arduino Unos or Nanos and controlling a motor or servo, then I add more and more complexity like explaining the Klipper architecture, so they learn C and Python.
|
| With kids, the social part is very important, and making real things that move and react in the real world too. I suspect it is of great help for adults too.
|
| It is probably too dull to learn assembler today, on your own (alone) on a powerful computer. With a microcontroller you have a machine that is so constrained in resources that you really need to use C or assembly.
|
| HN has very good resources about assembly; you can search for them on Google ("hacker news assembly" or "hacker news reverse engineer") and use Zotero to aggregate the links.

| pluc wrote:
| Is your answer to "how do I learn to reverse-engineer things" to learn assembly? If so, why?

| pjc50 wrote:
| Well, the assembly is literally all you have, so you're not going to make much progress otherwise.

| secondcoming wrote:
| Because if you're dumping binaries, or attaching to running processes, you'll be looking at assembly code.

| barbecue_sauce wrote:
| Pretty sure that's the whole basis of reverse engineering.

| ackbar03 wrote:
| My 2 cents is do some CTF questions. PicoCTF's are good for beginners; they have a good progression in difficulty.
|
| And once you're more or less proficient then just crack some software.
| Find something old, like protected by a purchasing key or whatever, and on the simpler side; don't go straight for Photoshop or whatever. It's gonna take a long time but even if you don't succeed you'll get a much better feel for it in the process. Best way to learn is by doing, that's my experience anyways.

| _joel wrote:
| There's places like https://crackmes.one/ too

| yomansat wrote:
| This series, for reverse engineering a multi-player game that's meant to be hacked:
|
| https://www.youtube.com/watch?v=RDZnlcnmPUA&list=PLhixgUqwRT...

| o_p wrote:
| I really hope Ghidra becomes the standard in reverse engineering, but the good old IDA with decompilers is just too good for now.

| complexplane wrote:
| I'm actually from a Super Monkey Ball 2 hacking community which, among other things, has been working on a Ghidra decompilation for a bit over a year now. We collaborate on a shared Ghidra server and have tons of stuff labelled and annotated at this point!
|
| As an example, here's a full decompilation of the camera code which runs after the ball passes through the goal: https://cdn.discordapp.com/attachments/463221047471374337/79...
|
| We also have the ability to inject C++ directly into the game for modding. I'm also the author of ApeSphere, a practice mod for SMB2 with features like savestates: https://github.com/complexplane/apesphere . Take a look at rel/savestate.cpp for a taste of what we can do.

| guitarbill wrote:
| Do you have any tips for setting up a shared Ghidra server? The user management especially seemed scary, and has kept me from setting one up in the past.

| imwillofficial wrote:
| I'd love to learn this skill, but unsure where to get started.

| samwestdev wrote:
| I'd love to do something like this for various NES games. Can Ghidra hook up to some NES emulators?
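NtGuy25's advice above (start from the API calls, use "What references this" to find callers, and walk the chain backwards until every function is marked) as an added example, not code from the thread or the article. The xref edges and the FUN_* function names are constructed; CreateFileW, WriteFile and printf are the real API names the walk starts from.

```python
from collections import deque

# Constructed xref listing: (caller, callee), the way a disassembler's
# "references to" view reports it. FUN_* names are hypothetical placeholders
# for not-yet-understood functions; the API names are real Windows/CRT calls.
XREFS = [
    ("FUN_00401000", "CreateFileW"),
    ("FUN_00401000", "WriteFile"),
    ("FUN_00401500", "FUN_00401000"),
    ("FUN_00401800", "FUN_00401500"),
    ("FUN_00401a00", "printf"),
    ("FUN_00401a00", "FUN_00401800"),
    ("FUN_00401c00", "printf"),      # logging only; never reaches a file API
]


def callers_of(xrefs):
    """Invert the listing: callee -> set of callers ("What references this")."""
    rev = {}
    for caller, callee in xrefs:
        rev.setdefault(callee, set()).add(caller)
    return rev


def mark_chain(xrefs, api):
    """Breadth-first walk up the callers of `api`. Returns {function: depth}:
    depth 1 calls the API directly, depth 2 calls something that does, etc."""
    rev = callers_of(xrefs)
    marks = {}
    queue = deque((fn, 1) for fn in rev.get(api, ()))
    while queue:
        fn, depth = queue.popleft()
        if fn in marks:            # already reached by a shorter chain
            continue
        marks[fn] = depth
        queue.extend((c, depth + 1) for c in rev.get(fn, ()))
    return marks


def suggest_labels(xrefs, apis):
    """Label every function by the APIs it (transitively) reaches, so the
    file-handling chain can be marked and set aside before looking elsewhere."""
    reach = {}
    for api in apis:
        for fn in mark_chain(xrefs, api):
            reach.setdefault(fn, set()).add(api)
    return {fn: "uses:" + "+".join(sorted(s)) for fn, s in reach.items()}
```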
| tom_ wrote:
| Ghidra didn't do a great job of 6502 when I tried using it a couple of years ago, due to poor support for a couple of the 6502's addressing modes, but maybe it's improved?
|
| This GitHub bug summarises the problem I was having with it: https://github.com/NationalSecurityAgency/ghidra/issues/201

| g051051 wrote:
| The version 9.2 release notes mention improvements to the 6502 processor specification:
|
| > Many improvements and bug fixes have been made to existing processor specifications: ARM, AARCH64, AVR8, CRC16C, PIC24/30, SH2, SH4, TriCore, X86, XGATE, 6502, 68K, 6805, M6809, 8051, and others.
|
| Perhaps it's better for your use case now?

| jhatemyjob wrote:
| you don't need Ghidra for that

| mikepurvis wrote:
| I expect you'll have a tougher time there because NES games were written directly in assembler, so there won't be the characteristic patterns that a decompiler can use to recognize particular control flows. I believe C wasn't really standard until the N64 era, which was part of what made high-level emulation (see: UltraHLE) possible.
|
| On the other hand, hand-authored assembly is easier to read directly, because, of course, it was written and read in that form originally anyway!

| bluesign wrote:
| Still, bankswitching etc. will cause a lot of problems for a disassembler.
|
| Best option for NES is to use the emulator debugger for sure.

| monksy wrote:
| I miss the game Super Monkey Ball. That was one of those games that was super approachable, and easily competitive with friends in the same room.
|
| They have released something for the PS4 but I haven't opened the box yet.
|
| Also, this makes me want to get out the https://www.cs.virginia.edu/~cr4bd/3330/F2018/bomblab.html lab and try the disassembler he's using.
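The emulator-debugger workflow coldpie describes above (scan memory for the value you see in the game, then narrow the candidates as the value changes) as an added example; this is not code from the thread or the article. The 64-byte RAM images are constructed, the counter and decoy offsets are hypothetical, and words are decoded big-endian because the GameCube's PowerPC is big-endian (a little-endian scan of the same image finds nothing, which is the first thing to check when a scan comes up empty).

```python
import struct

LIVES_OFFSET = 0x10   # hypothetical: the real lives counter (word index 4)
DECOY_OFFSET = 0x24   # hypothetical: a lagging copy of the counter (word index 9)

_FMT = {1: "B", 2: "H", 4: "I"}   # struct codes for 8/16/32-bit scans


def scan_for_value(snapshot, value, width=4, endian=">"):
    """First pass: every `width`-aligned offset whose integer equals `value`."""
    fmt = endian + _FMT[width]
    return [off for off in range(0, len(snapshot) - width + 1, width)
            if struct.unpack_from(fmt, snapshot, off)[0] == value]


def narrow_candidates(candidates, snapshot, value, width=4, endian=">"):
    """Later passes: keep only the candidates that now hold the new `value`."""
    fmt = endian + _FMT[width]
    return [off for off in candidates
            if struct.unpack_from(fmt, snapshot, off)[0] == value]


def locate(observations, width=4, endian=">"):
    """observations: [(snapshot_bytes, value_seen_in_game), ...] in time order.
    Scan on the first, then narrow with each later one; returns surviving offsets."""
    snap, val = observations[0]
    cands = scan_for_value(snap, val, width, endian)
    for snap, val in observations[1:]:
        cands = narrow_candidates(cands, snap, val, width, endian)
    return cands


def make_snapshot(lives, decoy):
    """Constructed 64-byte big-endian RAM image: filler words 100..115, the real
    lives counter at LIVES_OFFSET and a decoy value at DECOY_OFFSET."""
    words = list(range(100, 116))
    words[LIVES_OFFSET // 4] = lives
    words[DECOY_OFFSET // 4] = decoy
    return struct.pack(">16I", *words)


def demo():
    # Constructed play session: 3 lives, lose one, lose another. The decoy
    # tracks the counter once and then stops, so a third observation is
    # needed before a single address is left to put a watchpoint on.
    obs = [(make_snapshot(3, 3), 3), (make_snapshot(2, 2), 2), (make_snapshot(1, 2), 1)]
    return locate(obs)   # -> [16]: only the real counter survives
```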
| aquova wrote:
| An indie developer announced today that their Super Monkey Ball-inspired game will be going into early access on Steam later this month: https://www.youtube.com/watch?v=YN_XnekG6Ac
|
| It looks to be incredibly close to those original games.

| G4E wrote:
| There was MTP Target, a clone with penguins which had a pretty active community circa 2008[1][2]
|
| I loved this game. It had an IRC server included so you could chat while in game, a forum board, and a pretty diverse community. The gameplay was simple to learn but difficult to master, with a lot of fun for everyone.
|
| Sadly, it was open-source but not so much. The sole developer never opened up the source of the server, and even the client's were not kept up to date, so it was impossible to play elsewhere than the official server.
|
| The sole developer had a little revenue stream by selling premium accounts (which enabled the possibility to use custom skins and access to a private server) and never accepted to let the community fix bugs or host other servers. There was quite a bit of friction and drama between him and some members of the community, and in the end he preferred letting the game die to giving it to the community.
|
| [1] http://web.archive.org/web/20111028123349/http://www.mtp-tar...
| [2] http://web.archive.org/web/20110310131659/https://www.mtp-ta...
| [3] https://fr.m.wikipedia.org/wiki/Mtp_Target

| markus_zhang wrote:
| Is the bomb lab the same one as in CS61A? I did that one and it was extremely interesting. Sadly I'm not really sure how to go from there to start a reverse engineering life but at least I'm taking some univ courses.

| PEJOE wrote:
| I've seen bomblab, etc., at a couple of universities. Does anyone know the history of these exercises? I saw them at CMU as well. Really cool that these are used across several great programs.

| monksy wrote:
| I think it originated at CMU.
| At Elon we had an automatic grader that gave a limited number of tries tied to your grade.

| wdevanny wrote:
| I believe they are a part of Computer Systems: A Programmer's Perspective by Bryant and O'Hallaron. You can see a list of the labs at http://csapp.cs.cmu.edu/3e/labs.html.

| dimator wrote:
| It really was a highly enjoyable game, both 1p and with a party. I'm pretty sure it was the only thing we needed 4 controllers for :)
|
| The speed runs for that game are mind melting, if you're into watching those.

___________________________________________________________________
(page generated 2021-03-02 23:00 UTC)