ROM Hack Good ARM7/9 Binary Disassembler?

Gryphon93

I just wanted to check if anyone knows of a good Nintendo DS binary disassembler.

I've tried ndsdis2, and it works, most of the time. I've also tried CrystalTile2, and it's the best of the two. However, CrystalTile has some messed-up characters/strings in some of the comments. I guess those are Japanese/Chinese (wherever CrystalTile is made) characters that I can't show on my computer, which annoys me quite a bit.

So, are there any other alternatives that I could test? If not, is there a version of Crystal Tile that I can change the character encoding in, or something like that?
 

FAST6191

Between those tools and the disassemblers in emulators (no$gba dev, desmume and ideas) most of my DS disassembly needs are sorted. After this it is usually IDA ( https://www.hex-rays.com/products/ida/index.shtml ) or nothing, you might be able to just get by with some of the GBA stuff (ARM9 and ARM7 are not all that different in most ways -- http://imrannazar.com/ARM-Opcode-Map ) but I do not suggest dropping down to the GBA stuff if you can help it. That said the freeware IDA has ARM7 support if memory serves.

When you say comments were you using the NEF stuff that CT2 added (and no$gba supports) or the basic press F11 and type stuff?

I am not sure what exists in the way of objdump (arm-eabi-objdump if you go searching in the devkits). I use their assembler pretty much all the time for the fragments I tend to deal in but have not really had cause to investigate the disassembler, equally you might have to spend some time prepping the binaries to feed it (no chance of the binary compression being supported really and I would not count on too much automatic binary fetching support though you should be able to define offsets in command).

All that said what were the failings of ndsdis2 when you came to it?
 

Gryphon93

Well, I may have expressed myself the wrong way when I said that ndsdis2 doesn't work as it's supposed to. It does work, but it falls short on a few points.

The first one is that I can't disassemble a binary file directly, I have to use the ROM to disassemble the part I want.

Secondly, I don't know if it gives me the correct result, since the output file (dumped from the terminal) is full of "unknown" instructions, which seems a bit strange to me. Those "unknown" instructions may be some other kind of data though (like strings or something).

Thirdly, it doesn't give as good comments as CrystalTile (e.g. CrystalTile shows the data stored in the registers used in store/load instructions).

I'm aware that the last point is the most nitpicking point of all I've listed, however, it helps a lot when looking through the binary.

So, to answer your question about the comments in CrystalTile. I just go into the ASM Viewer and CrystalTile writes a comment after each instruction to describe what happens on that particular row. It's the default settings. I just viewed the binary file in the ASM Viewer. I hope that answered your question.
 

SifJar

Code:
arm-eabi-objdump -D -b binary -m arm arm9.bin > _9_ARM.s
arm-eabi-objdump -D -b binary -m arm arm7.bin > _7_ARM.s
arm-eabi-objdump -D -b binary -m arm -M force-thumb arm9.bin > _9_THUMB.s
arm-eabi-objdump -D -b binary -m arm -M force-thumb arm7.bin > _7_THUMB.s

Those are commands for using arm-eabi-objdump with NDS arm7 and arm9 binaries. Not entirely sure of the difference when including the "-M force-thumb" part, maybe it's clearer to you.

You can get arm-eabi-objdump from devkitARM (in the "bin" folder of devkitARM).

I got these commands from here: http://webcache.googleusercontent.com/search?q=cache:yR1EQpK3Jg0J:forum.wiibrew.org/read.php?27,21540 &cd=1&hl=en&ct=clnk&gl=uk (bottom post)

EDIT: I have no idea if this is any better than CrystalTile or ndsdis2, but it does allow you to disassemble individual binaries instead of the full ROM.
 

Gryphon93

Haha, thanks SifJar! I tried it out right before you posted it. What a coincidence. It's pretty much like ndsdis2's output from what I can see. I have to take a better look to make sure though. CrystalTile has been the best one so far, at least when it comes to the comments. I'm not done checking out all the options for objdump though. Rather the opposite. I just started trying it out.

Thanks for all your help so far!
 

FAST6191

You can disassemble directly with ndsdis2 - the NH9 and NH7 switches will allow you to do a raw/blind disassemble on any given file (good if you have a memory dump or have "decrypted"/decompressed a binary, have an overlay that needs looking at or just want to direct it somewhere).

The unknown instructions are just that -- things the disassembler can not make sense of as they might not be assembly instructions (the ARM and THUMB instruction sets do not encompass everything from 00000000 to FFFFFFFF and 0000 to FFFF respectively). The binary can include anything and everything; I have actually had games store everything in overlays but even in general over the years I have pulled fonts, levels, text and more out of binaries, to say nothing of the general includes like the values for an array in raw hex. Do a strings search on an ARM9.bin file for a handful of games and see what you get. NDSdis2 has missed out things in the past (see some of the changelogs) but right now it is considered reasonably solid.

I would not place too much stock in the "view the registers" thing -- many times it works but it can vary wildly during operation so they are at best good suggestions. More generally (and related to the unknowns above) it is why your emulator will have an auto mode in its disassembler where standalone disassemblers (some aspects of IDA aside) will output both ARM and THUMB or need to be forced into one or the other. I would be careful when using terms like comments as well -- typically when looking at disassembled code the only comments are those the would-be hacker makes. However the NEF stuff is quite nice and will allow you to do things like define a memory address by a reference/label if you wanted, which is why I was curious there.
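The "do a strings search on an ARM9.bin" suggestion above is easy to reproduce without any external tool, and it shows why a blind disassembler reports "unknown" words: text, filenames and tables sit in the same file as the instructions. The following is an added example (not from the thread or from any of the tools discussed) that scans a constructed sample blob for printable ASCII runs, much as the Unix `strings` utility does, and reports their byte offsets so you can mark those ranges as data rather than code. The sample blob, its instruction words and the string contents are all constructed for the example.

```python
import struct

# Constructed sample standing in for a stripped arm9.bin: two real ARM encodings
# (mov r0, r0 and bx lr), an embedded text string, some stray bytes, a filename,
# a too-short string and a branch-to-self. All values are made up for the example.
SAMPLE_BIN = (
    struct.pack("<I", 0xE1A00000)   # mov r0, r0 (ARM nop), little endian
    + struct.pack("<I", 0xE12FFF1E) # bx lr
    + b"Hello DS\0"                 # NUL-terminated text the game might print
    + b"\x00\x01"                   # padding / part of a table
    + b"level_01.bin\0"             # a filename referenced by the code
    + b"ab\0"                       # shorter than min_len, should be ignored
    + struct.pack("<I", 0xEAFFFFFE) # b . (branch to self)
)


def find_strings(data: bytes, min_len: int = 4):
    """Return a list of (offset, text) for every run of printable ASCII
    (0x20..0x7E) that is at least min_len bytes long, like `strings -t d`."""
    found = []
    start = None
    for i, byte in enumerate(data):
        if 0x20 <= byte <= 0x7E:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    # Flush a run that reaches the end of the file.
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


def data_ranges(data: bytes, min_len: int = 4):
    """Byte ranges [start, end) covered by the strings found, including a
    trailing NUL where present, so a disassembly pass can skip them."""
    ranges = []
    for off, text in find_strings(data, min_len):
        end = off + len(text)
        if end < len(data) and data[end] == 0:
            end += 1
        ranges.append((off, end))
    return ranges


if __name__ == "__main__":
    for off, text in find_strings(SAMPLE_BIN):
        print(f"0x{off:06x}  {text}")
    print("data ranges to skip:", data_ranges(SAMPLE_BIN))
```

Run against a real arm9.bin or an overlay, the offsets line up with the addresses objdump or ndsdis2 print once you add the load address, which makes it easy to see that a block of "unknown" instructions is really a string table or a filename list.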
 

Gryphon93

I would not place too much stock in the "view the registers" thing -- many times it works but it can vary wildly during operation so they are at best good suggestions.

I think Crystal Tile only shows constants that it finds in the binary, if that makes sense. I may as well mention that I'm analyzing the binaries for Iron Master (surprising, right?) to see what I can find out about the game. All those "text" comments which Crystal Tile shows actually make sense. They appear in the same order as they do in the game (and the "dialog scripts"), with some instructions in between. If only some of the comments in Crystal Tile weren't garbled, I would be able to understand better.

Thanks for pointing out how to get ndsdis2 to disassemble any file. I missed it in the readme.
 

Normmatt

IDA PRO is much better than any of the free ARM disassemblers and I highly recommend getting it if you want to do any serious reverse engineering work.
 

Gryphon93

Yeah, I know IDA PRO is much better than the free disassemblers. However, that's the thing, it's not free. Well, I just can't afford it when it costs more than €650 for the Starter edition (or whatever it's called). I dislike piracy, so I don't want to download a cracked version of the software either. So, I'm stuck with the free tools, and I think I'll be able to manage. I just wanted to hear if there are more alternatives. Thanks for the suggestion though!

By the way, is there any way to export what you see in the ASM Viewer in CrystalTile? I searched around a bit, but I couldn't find anything about it. It would be nice if I could dump the output into a file and view it in Vim.
 

FAST6191

Re exporting from CT2. Yeah you can, the translation is a bit odd here but if you have the disassembly window open you can click the edit pulldown menu, "export image" and choose a file name. After this you type in a decimal number and it will export that many "lines" from the current selection onwards in the format you have it selected in.
 


pwsincd

This is what I see:

[attached images: arm.png, consoles.png]

EDIT: No, you're right, the icons are greyed out and prompt a message saying this version doesn't support bla bla...
 

Gryphon93

Re exporting from CT2. Yeah you can, the translation is a bit odd here but if you have the disassembly window open you can click the edit pulldown menu, "export image" and choose a file name. After this you type in a decimal number and it will export that many "lines" from the current selection onwards in the format you have it selected in.

Ah, I tested that before I asked about it. I didn't output anything that time, but that may not be too strange since I only tried to export 1 line.

Thanks for mentioning IDA Pro Free, pwsincd! As you said yourself, the Free edition doesn't support ARM. I might try out the Evaluation version of IDA Pro, but I'll see about that later.

I found another disassembler for ARM. It's called ARMu and is for the ARMv5TE architecture - the same architecture that the ARM9 processor in the NDS uses. I'll give it a try.

[EDIT] I found this Online Disassembler as well: http://onlinedisassembler.com/odaweb/.
[EDIT 2] I'm not 100% sure, but it seems like ODA is just objdump. I haven't looked it up, to be honest, but I'm quite sure it is.
 

Coto

no$gba dev is quite useful, at least for most CPU status flags, handled interrupts and stack tracing. But I can't see the ARM7 side, so it's better to have an IWRAM7 checker handy (one has to build it).

DeSmuMe lacks real IME / IE / IF interrupt vector? Though it's overall good enough to check opcodes on NDSRAM / IWRAM

Code:
arm-eabi-objdump -D -b binary -m arm arm9.bin > _9_ARM.s
arm-eabi-objdump -D -b binary -m arm arm7.bin > _7_ARM.s
arm-eabi-objdump -D -b binary -m arm -M force-thumb arm9.bin > _9_THUMB.s
arm-eabi-objdump -D -b binary -m arm -M force-thumb arm7.bin > _7_THUMB.s

Those are commands for using arm-eabi-objdump with NDS arm7 and arm9 binaries. Not entirely sure of the difference when including the "-M force-thumb" part, maybe it's clearer to you.

-marm -mthumb-interwork reduces stack overhead as thumb mode instructions are simpler (but a bit more convoluted to create complex stuff). ARM9 is capable of ARM/thumb code. Also thumb is 16-bit (2-byte) compared to ARM 32-bit (4-byte), little endian.

ARM7 is capable of:
-mthumb -mthumb-interwork

which is thumb code only.
 
