IDA Pro Wii U Loader

Discussion in 'Wii U - Hacking & Backup Loaders' started by aerosoul94, Feb 24, 2015.

  1. aerosoul94

    aerosoul94 Newbie

    I didn't like the way IDA's default ELF loader was handling Wii U ELFs and how it didn't handle RPLs and RPXs (not that I expected it to), so I decided to just create my own.

    Features:
    - Compressed section handling
    - Creates extern segment for imported functions
    - Symbol table loading
    - Adds imports and exports

    These are pretty basic features but do make analyzing a lot easier than it would be with the default ELF loader.

    How to use:
    - Copy wiiu.ldw into your IDA/loaders directory
    - You can now load an RPL/RPX into IDA

    This was compiled using the IDA 6.1 SDK. I don't have any IDA lower than 6.1, so I'm not sure if it will work for lower versions, but I know it does work fine for IDA 6.6. This loader will only work for 32-bit IDA Pro.

    Download:
    http://www.mediafire.com/download/6i9tr6dev117mxt/wiiu.rar

    If you have any suggestions on improvements, you're always welcome to let me know. I do have a few other plugins I plan on releasing.
     
    Last edited by aerosoul94, Feb 29, 2016
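    As an added example that is not part of the original post or the loader's own code: a small Python parser for the compressed-section layout a loader like this has to handle, with a constructed minimal RPX-style image so it runs offline. The SHF_RPL_ZLIB flag value, the RPX e_type and OSABI bytes, and the "4-byte inflated size, then zlib stream" layout are assumptions taken from homebrew documentation of the format, not from this thread.

```python
import struct
import zlib

# SHF_ALLOC is the standard ELF flag; SHF_RPL_ZLIB is RPX/RPL-specific and its
# value (0x08000000) is assumed here from the homebrew toolchain documentation.
SHF_ALLOC = 0x2
SHF_RPL_ZLIB = 0x08000000


def read_sections(data):
    """Parse an ELF32 big-endian image and return its sections, inflating any
    that carry SHF_RPL_ZLIB (4-byte big-endian inflated size, then a zlib stream)."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 2:
        raise ValueError("not an ELF32 big-endian image")
    shoff, = struct.unpack(">I", data[32:36])
    shentsize, shnum = struct.unpack(">HH", data[46:50])
    sections = []
    for i in range(shnum):
        base = shoff + i * shentsize
        _, typ, flags, addr, off, size, *rest = struct.unpack(">10I", data[base:base + 40])
        raw = data[off:off + size]
        if flags & SHF_RPL_ZLIB:
            inflated_size, = struct.unpack(">I", raw[:4])
            raw = zlib.decompress(raw[4:])
            if len(raw) != inflated_size:  # size prefix disagrees with the stream: corrupt
                raise ValueError(f"section {i}: inflated size mismatch")
        sections.append({"index": i, "type": typ, "flags": flags, "addr": addr,
                         "alloc": bool(flags & SHF_ALLOC), "data": raw})
    return sections


def build_sample_rpx(code):
    """Construct a minimal two-section ELF32 BE image whose .text is zlib-compressed.
    e_type 0xFE01, OSABI 0xCA and ABI version 0xFE are the assumed RPX identifiers."""
    payload = struct.pack(">I", len(code)) + zlib.compress(code)
    ehdr_size, shdr_size = 52, 40
    shoff = ehdr_size + len(payload)  # section headers follow the section data
    ident = b"\x7fELF" + bytes([1, 2, 1, 0xCA, 0xFE]) + bytes(7)
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 0xFE01, 20, 1, 0, 0, shoff, 0,
                               ehdr_size, 0, 0, shdr_size, 2, 0)
    null_sh = bytes(shdr_size)
    text_sh = struct.pack(">10I", 1, 1, SHF_ALLOC | SHF_RPL_ZLIB, 0x02000000,
                          ehdr_size, len(payload), 0, 0, 4, 0)
    return ehdr + payload + null_sh + text_sh


# Constructed sample section body: PowerPC `li r3,0 ; blr`
SAMPLE_CODE = b"\x38\x60\x00\x00\x4e\x80\x00\x20"
SAMPLE_RPX = build_sample_rpx(SAMPLE_CODE)
```

    The size check matters for a loader: a section whose size prefix disagrees with the inflated stream is the kind of malformed input that should be rejected rather than mapped.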


  2. yahoo

    yahoo GBAtemp Regular

    What rpl's are you looking at?
     
  3. Relys

    Relys Master of Computer Science

    This is excellent! Thank you. What other plugins do you have in the works?
     
  4. aerosoul94

    aerosoul94 Newbie

    Well, the Wii U compiler creates switch tables that aren't handled by IDA's ppc processor module. So this plugin I'm working on should fix that.
    Here is how the default ppc module handles it:
    Text View: [image]
    Graph View: [image]

    And with the plugin: [image]

    It's a simple fix that just creates an X-Ref to each branch instruction after it, and adds those case comments.
     
    Last edited by aerosoul94, Jul 17, 2015
  5. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Ooh, very nice. I'm glad someone finally did this. This should actually be really useful.
     
  6. JorgeSalgado

    JorgeSalgado GBAtemp Regular

    Could anyone give an explanation about what this means and what it could bring to the Wii U scene? Thanks in advance!
     
  7. FAST6191

    FAST6191 Techromancer

    IDA ( https://www.hex-rays.com/products/ida/ ) is probably the best general-purpose and also programmable debugger/disassembler around; it is certainly the one favoured by most people doing any kind of hacking work. Pick any conference like C3, defcon, blackhat... and add IDA to a search with it in, and you will find any number of examples of high-end work using it. For instance


    Though it is very well developed compared to most alternatives, especially outside the x86/x64 world of the PC, it does not do it all out of the box. This is where the programmable thing comes in, and people tend to then make modules for it so it handles new processors/memory layouts/executable formats and quirks of hardware and software development (like the switch tables thing mentioned in later posts).

    What its immediate effect upon things will be: probably very little as far as bringing new people into the scene, though those looking for exploits in disassembled Wii U code would probably do well to adopt this if they have not written their own. Later on, if people decide to take up Wii U ROM hacking, then it will be very nice indeed.
     
  8. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Are there any plans to add support for selecting the actual imports (i.e. if I loaded a library from a game and it was trying to import the main RPX or a library like coreinit, I have the option of loading the file for it)? I must say though, it's been super useful thus far.
     
  9. FM360

    FM360 Kappa

    Image links are broken
     
  10. aerosoul94

    aerosoul94 Newbie

    You mean loading an imported library into a database? You want to see the library's code in the same database?
     
  11. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Not necessarily, but I'm not sure what the point of making fimport sections is if they aren't used at all (which was why I was asking). For example, in Mario Party 10, tenst.rpx has the core engine and then all minigames and boards are separate RPLs, so I was wondering if it'd be possible to turn fimport/dimport sections into something like the extern section is now, so the code points to symbols/functions in the rpx.
    [image]
     
  12. aerosoul94

    aerosoul94 Newbie

    It is possible to patch imported calls to point anywhere, using the relocation tables available in each ELF. Where they branch to is what's set by default. After being linked by the kernel, however, they should be redirected (using the relocations I mentioned) to point to the actual loaded library code. The only reason I included those sections is because they have the SHF_ALLOC flag set.
     
  13. filfat

    filfat Musician, Developer & Entrepreneur

    This is bloody lovely! Thank you mate!

     
  14. CosmoCortney

    CosmoCortney The Hacker Furry

    Awesome!
    Got the plugin working and opened a .rpx.
    Will the .rpx be properly compressed after editing it?
    And is there a way to display it like this: [image]

    There I can see the padding (all the 0) to write my custom code
     
  15. dibas

    dibas Advanced Member

    AFAIK there is no built-in edit (and/or save) functionality in either IDA Pro or this loader. Editing in RAM after the binary has been loaded seems to be the most straightforward way of patching stuff currently.
     
  16. CosmoCortney

    CosmoCortney The Hacker Furry

    The problem is that there is no write permission for the .rpl's memory range.
    I'd just like to use free areas in any game's executable to let it execute my custom code. That's how the Wind Waker Chaos Edition was made.
     
  17. dibas

    dibas Advanced Member

    There should be, though, if I understood you correctly. Thanks to kexploit we can write to wherever we want in Cafe_OS. If you can't write to the rpl's memory range, you may need to adjust the range kexploit maps +w.
     
    Last edited by dibas, Oct 4, 2015
  18. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Yea, you can remap it, but some games might misbehave (like Splatoon).
     
  19. CosmoCortney

    CosmoCortney The Hacker Furry

    Will we see an exploit doing this?
     
  20. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Already have :P The OSDriver exploit remaps coreinit and the loader to R/W
     