Tomvita's tools

A short excursion into ASM with EdiZon SE and GDB

TomSwitch

Well-Known Member
OP
Member
GBAtemp Patron
Joined
Jan 10, 2019
Messages
4,907
Trophies
3
Age
44
XP
15,911
Country
United States
Just knee deep into ASM hacking. I share this to spur discussion. This is not a tutorial on ASM hacking.

The game: SHIN MEGAMI TENSEI Ⅴ 1.0.1 TID: 0100B870126CE000 BID: A6A06F3BAEFE4D75

The item I looked at: HP of the combatants

The tools: Atmosphere 1.2.4 with GDB enabled, Edizon se 3.8.25, IDA pro

Refer to release note on edizon se 3.8.25g on enabling GDB.

I use edizon se to search for HP during a combat. Since it is displayed during combat and it is turn base it is very easy to find the memory location. After finding the memory location now it is time to look for how the code that touch this memory looks like.

I add the found address as a bookmark. Launch pointer searcher se to download the bookmark. ( You can also just reading it off screen and type it )

Now we need to detach dmnt and make sure nothing is attached to the game. Launch edizon se, press ZL+B to detach dmnt ( and the "no auto attach" setting enabled if you are using profile to launch edizon se ). You should see a screen like this if you use profile to launch edizon se and you must exit this screen by pressing home. If you use hbmenu to launch edizon se just ZL+B will do.
2021112313150700-CCFA659F4857F96DDA29AFEDB2E166E6.jpg

Now with dmnt detached you are ready to ask GDB to attach to the game.

On the PC side launch IDA pro without loading anything.
1637644770930.png
1637644801975.png
put in the IP address of your switch and port 22225. In Debug options you need to specify ARM64
1637644889026.png
1637644959248.png
Identify the game. It is normally Application but in this case it is Project. You can also note down from edizon se screen above that the PID is 221.
1637645078435.png
Successfully attached to the game.
Next we need to set a trace watch on the memory.
Press g. Type or paste the address here.
1637645166232.png
2021112313364300-CCFA659F4857F96DDA29AFEDB2E166E6.jpg
1637646029602.png
1637646067913.png
right click and set it to double word
1637646122248.png
right click and add write trace
press F9 to continue the game
1637646336589.png
Play the game until HP is being written to. The game will freeze.
1637646542545.png
Click on suspend and see where the code is writing to HP.
1637646595334.png
Hover over [X8] and see that it is the memory location.
W9 has the new value.
1637646751889.png
Can be seen in the register windows too.
X9 is the full 64 bit register and W9 is the lower half of X9 with only the lower order 32 bits.

Next look for the start of the sub routine by clicking on address that are 32bit aligned. i.e. ends with 0,4,8,C
Press C to disassemble the code.
This is a trial and error process.

1637647274975.png
This looks promising, it is preparing the stack.
Press P here
1637647381160.png
Press F5 and IDA pro try to make C code out of the assembly, let's see whether the code make sense.
1637647445536.png

1637647542836.png
Looks promising, the highlighted line is where we stopped.
*v28 is where the HP is and looks like the lines above are responsible for what is written and where v28 is pointing to.

Unfortunately GDBstub from Atmosphere don't work that well with IDA pro. I am only able to make use of F4 (jump to cursor) and it does not work on the same address subsequently, you have to F4 to another line before you can F4 on this line again.

It is still very useful to explore the code.

First let's check what the two group above do.
1637648195408.png

Put F4 on the if and observe the result then put F4 on the else and observe the result.

It looks like the top is for HP and the bottom is for MP.

From the code it can be seen that HP is with a offset of 148 0x94 and MP is with a offset of 156 0x98. ( already knew the address of HP and MP by normal edizon se search and can use that information to understand the code )

With F4ing it can be seen that this code walk through the whole party engaged in combat.

Next look for what code change v27. Click on v27 and look for code that modify it. In this case it is line 189 and it hints at the memory block of each participant in the combat is offset by 0x2E0.

1637648757079.png

Detach to be able to use Edizon se and other tools.
1637649765541.png

Switch between dmnt and GDB as often as you like.

If IDA pro looks like it is going crazy due to GDB incompatibility quickly detach or risk a switch crash.

1637650054017.png
Create a manual memory region to get offset display relative to main.
Type get info, you can also use edizon se for this information, but this you can cut and paste so it is easier.
1637650296763.png
1637650444107.png
1637650495165.png

Thanks for reading.

Special thanks to Eiffel2018 from whom I learned most of what is written here.
For more advanced topic check out this thread https://gbatemp.net/threads/atmospheres-gdb.602435/

 
Last edited by TomSwitch,

TomSwitch

Well-Known Member
OP
Member
GBAtemp Patron
Joined
Jan 10, 2019
Messages
4,907
Trophies
3
Age
44
XP
15,911
Country
United States
Code reuse is what makes ASM hack difficult after we have found the place where the code made the memory write.
The hard part is adapting a code that has multiple use. In the above example it's both the HP and MP of your team and the enemy. You want to distinguish between friend and foe. That v19 at line 189 is the index to the table and after some research we know that v19 = 0 to 3 is friend but still the code change needed is no easy task.

An easy one is where just one instruction change is needed. This happens when the code is dedicated to do one task only.
For example
Voice of Cards: The Isle Dragon Roars 1.0.1 TID: 010071400F836000 BID: 3F8C7198A5AFAA4D
This is gold coin.
The code limit gold coins to 99999. So one single byte change will do the trick here.

[Spend money to have 99999]
04000000 019A0C74 1a89c101

[Spend money to have 99999 off]
04000000 019A0C74 1a89b101

1637682225854.png

1637682772290.png

Just need to change
CSEL W1, W8, W9, LT
to
CSEL W1, W8, W9, GT

and instead of limiting your gold to 99999 the code now wants you to have at least 99999
 
Last edited by TomSwitch,

TomSwitch

Well-Known Member
OP
Member
GBAtemp Patron
Joined
Jan 10, 2019
Messages
4,907
Trophies
3
Age
44
XP
15,911
Country
United States
The making of ASM moon jump code for Castle On The Coast 1.0.1 TID: 01009A3015CA4000 BID: 175C020B5E904EB6

Find memory address for moon jump.
Create break point for address. Found MEMORY:0000006EAB9FC568 STR S0, [X19,#0xCC] writing to target.
Check if found code always gives the moon jump address. (disable break on target, using F4 to run to this code)

Turns out this code does not only write to the target. Need to find condition where it will yield the target address.
Hunt for start of routine (press C to see disassembly). Looking for "SUB SP, SP ..". Ask IDA Pro to analyses procedure. (press P)

Use F4 to see if some branch only execute at the desired time.

Jackpot! loc_6EAB9FC4B8 only execute when B is press to jump. At this point [X19,#0xCC] is consistently the moon jump target.
Create jump to code cave.
Save X19 for moon jump code.


1639027354120.png

code cave
Reserve some stack space (generic, get more than needed for future expansion)
Save registers X27..X30 (only used X27, extra registers for future expansion)
Used X27 to Save X19 to memory (this is game dependent)
Restore registers X27..X30 (generic)
Run code that the hack overwrite.
Return.
1639028890683.png
 
Last edited by TomSwitch,

Group statistics

Group owner:
TomSwitch
Members:
221
Threads:
44
Messages:
138

Site & Scene News