Hacking IDA Pro Wii U Loader

aerosoul94

I didn't like the way IDA's default ELF loader was handling Wii U ELFs and how it didn't handle RPLs and RPXs (not that I expected it to), so I decided to just create my own.

Features:
- Compressed section handling
- Creates extern segment for imported functions
- Symbol table loading
- Adds imports and exports

These are pretty basic features but do make analyzing a lot easier than it would be with the default ELF loader.

How to use:
- Copy wiiu.ldw into your IDA/loaders directory
- You can now load an RPL/RPX into IDA

This was compiled using the IDA 6.1 SDK. I don't have any IDA lower than 6.1, so I'm not sure if it will work for lower versions, but I know it does work fine for IDA 6.6. This loader will only work for 32-bit IDA Pro.

Download:
http://www.mediafire.com/download/6i9tr6dev117mxt/wiiu.rar

Source Code:
https://github.com/aerosoul94/ida_game_elf_loaders/tree/master/src/wiiu

If you have any suggestions on improvements, you're always welcome to let me know. I do have a few other plugins I plan on releasing.
 
Last edited by FIX94. Reason: added source
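Editor's added example for the "Compressed section handling" feature in the post above. This is not code from aerosoul94's loader; it shows, in Python, the two steps such a loader has to do before IDA can analyse a section: read the big-endian Elf32 section header, and inflate a section whose flags mark it as zlib-compressed. Assumptions, labelled in the code: the compressed-section flag value (SHF_RPL_ZLIB = 0x08000000) and the 4-byte big-endian uncompressed-size header in front of the zlib stream; the sample image is constructed in memory, not taken from a real RPX.

```python
"""Parse a big-endian Elf32 section header and inflate a zlib-compressed
RPL section.  Added example, not the loader's own code.

Assumptions (not confirmed by the page): compressed RPL sections carry the
SHF_RPL_ZLIB flag (0x08000000) and start with a 4-byte big-endian
uncompressed size followed by a plain zlib stream.
"""
import struct
import zlib

SHF_RPL_ZLIB = 0x08000000        # assumed flag value for a compressed section
SHF_ALLOC = 0x2
SHF_EXECINSTR = 0x4
ELF32_SHDR_FMT = ">IIIIIIIIII"   # Elf32_Shdr, big endian (PowerPC)
ELF32_SHDR_SIZE = struct.calcsize(ELF32_SHDR_FMT)   # 40 bytes
SHDR_FIELDS = ("sh_name", "sh_type", "sh_flags", "sh_addr", "sh_offset",
               "sh_size", "sh_link", "sh_info", "sh_addralign", "sh_entsize")


def parse_shdr(data, offset):
    """Return one section header at `offset` as a dict of its ten fields."""
    fields = struct.unpack_from(ELF32_SHDR_FMT, data, offset)
    return dict(zip(SHDR_FIELDS, fields))


def section_bytes(data, shdr):
    """Return the section contents, inflating it if SHF_RPL_ZLIB is set.

    The size header is checked against the inflated length so that a
    truncated or tampered stream is rejected rather than loaded short.
    """
    start = shdr["sh_offset"]
    raw = data[start:start + shdr["sh_size"]]
    if len(raw) != shdr["sh_size"]:
        raise ValueError("section runs past end of file")
    if not shdr["sh_flags"] & SHF_RPL_ZLIB:
        return raw
    if len(raw) < 4:
        raise ValueError("compressed section too short for size header")
    (expected,) = struct.unpack_from(">I", raw, 0)
    out = zlib.decompress(raw[4:])
    if len(out) != expected:
        raise ValueError(f"inflated {len(out)} bytes, header says {expected}")
    return out


def build_sample_image(compressed=True):
    """Construct a toy image: one section header followed by its contents.

    The payload is made up here; it stands in for a code section.
    Returns (image_bytes, original_payload).
    """
    payload = bytes(range(256)) * 4          # 1024 bytes of fake code
    flags = SHF_ALLOC | SHF_EXECINSTR
    if compressed:
        body = struct.pack(">I", len(payload)) + zlib.compress(payload)
        flags |= SHF_RPL_ZLIB
    else:
        body = payload
    shdr = struct.pack(ELF32_SHDR_FMT,
                       0,            # sh_name
                       1,            # sh_type = SHT_PROGBITS
                       flags,        # sh_flags
                       0x02000000,   # sh_addr (constructed load address)
                       ELF32_SHDR_SIZE,  # sh_offset: body follows the header
                       len(body),    # sh_size (size on disk)
                       0, 0, 4, 0)   # sh_link, sh_info, sh_addralign, sh_entsize
    return shdr + body, payload


if __name__ == "__main__":
    img, original = build_sample_image()
    hdr = parse_shdr(img, 0)
    print("compressed on disk:", hdr["sh_size"], "bytes")
    print("inflated:", len(section_bytes(img, hdr)), "bytes")
```

Note that sh_size in a compressed section is the on-disk (deflated) size; a loader that sizes the IDA segment from sh_size without inflating first gets a segment far too small, which is the symptom the default ELF loader shows on these files.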

aerosoul94

This is excellent! Thank you. What other plugins do you have in the works?

Well, the Wii U compiler creates switch tables that aren't handled by IDA's ppc processor module. So this plugin I'm working on should fix that.
Here is how the default ppc module handles it:
Text View:
ef6fc01bd8.png

Graph View:
e1d106bbbc.png


And with the plugin:
7112e20551.png


It's a simple fix that just creates an X-Ref to each branch instruction after it, and adds those case comments.
 
Last edited by aerosoul94,
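Editor's added example for the switch-table post above. It is not aerosoul94's plugin; it shows in Python the decoding step such a plugin needs: walk a run of consecutive PowerPC I-form `b` instructions (the branch table a `bctr` jumps into), compute each branch's target, and return the (case, instruction, target) triples from which the cross-references and case comments are built. Assumptions, also labelled in the code: the table is a straight run of unconditional `b` instructions ended by the first non-branch word, and the table bytes are constructed here rather than taken from a real RPX. It goes slightly beyond the post by handling backward (sign-extended) and absolute (AA=1) branches.

```python
"""Decode a PowerPC branch table of consecutive 'b' instructions into
case -> target pairs.  Added example, not the plugin's own code.

Assumption: the switch table is a run of I-form unconditional 'b'
instructions (primary opcode 18) reached via 'bctr' with
ctr = table_base + case * 4.  Sample bytes below are constructed.
"""
import struct

OPCODE_B = 18          # primary opcode of I-form b / ba / bl / bla


def decode_branch(addr, word):
    """Decode one 32-bit word at `addr` as an I-form branch.

    Returns (target, absolute, link) or None if the word is not opcode 18.
    The 24-bit LI field is sign-extended so backward branches decode too.
    """
    if word >> 26 != OPCODE_B:
        return None
    li = word & 0x03FFFFFC
    if li & 0x02000000:            # bit 25 set: negative displacement
        li -= 0x04000000
    aa = (word >> 1) & 1
    lk = word & 1
    target = li & 0xFFFFFFFF if aa else (addr + li) & 0xFFFFFFFF
    return target, bool(aa), bool(lk)


def walk_branch_table(base, data, max_cases=None):
    """Decode consecutive 'b' instructions starting at `base`.

    Stops at the first word that is not an unconditional non-linking
    branch, or after `max_cases` entries.  Each entry is the information
    a plugin would turn into an xref (insn -> target) and a case comment.
    """
    cases = []
    for off in range(0, len(data) - 3, 4):
        (word,) = struct.unpack_from(">I", data, off)
        dec = decode_branch(base + off, word)
        if dec is None or dec[2]:      # not a branch, or 'bl': table ended
            break
        target, absolute, _ = dec
        cases.append({"case": off // 4, "insn": base + off,
                      "target": target, "absolute": absolute})
        if max_cases is not None and len(cases) >= max_cases:
            break
    return cases


def encode_b(addr, target):
    """Assemble a relative 'b target' at `addr` (used to build the sample)."""
    disp = (target - addr) & 0x03FFFFFC
    return struct.pack(">I", (OPCODE_B << 26) | disp)


def sample_table(base=0x02001000):
    """Construct a four-case table ending in 'blr' (constructed bytes).

    Case 1 branches backward to exercise the sign extension.
    """
    targets = [base + 0x40, base - 0x20, base + 0x20, base + 0xC0]
    data = b"".join(encode_b(base + 4 * i, t) for i, t in enumerate(targets))
    data += struct.pack(">I", 0x4E800020)     # blr: first non-'b' word
    return base, data, targets


if __name__ == "__main__":
    base, data, _ = sample_table()
    for c in walk_branch_table(base, data):
        print(f"case {c['case']}: {c['insn']:#010x} -> {c['target']:#010x}")
```

The `max_cases` bound matters in practice: the real case count comes from the compare-and-branch guard before the `bctr`, and a walk without a bound will happily continue into whatever unrelated `b` instructions follow the table.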

FAST6191

Could anyone give an explanation about what this means and what it could bring to the Wii U scene? Thanks in advance!
IDA ( https://www.hex-rays.com/products/ida/ ) is probably the best general-purpose and also programmable debugger/disassembler around; it is certainly the one favoured by most people doing any kind of hacking work -- pick any conference like C3, Defcon, Black Hat... and add IDA to a search with it in, and you will find any number of examples of high-end work using it. For instance

Though it is very well developed compared to most alternatives, especially outside the x86/x64 world of the PC, it does not do it all out of the box. This is where the programmable thing comes in and people tend to then make modules for it so it handles new processors/memory layouts/executable formats and quirks of hardware and software development (like the switch tables thing mentioned in later posts).

What its immediate effect upon things will be, probably very little as far as bringing new people into the scene, though those looking for exploits in disassembled Wii U code would probably do well to adopt this if they had not written their own. Later on if people decide to take up Wii U ROM hacking then it will be very nice indeed.
 

NWPlayer123

Are there any plans to add support for selecting the actual imports (i.e. if I loaded a library from a game and it was trying to import the main RPX or a library like coreinit, I have the option of loading the file for it)? I must say though, it's been super useful thus far.
 

FM360

Well, the Wii U compiler creates switch tables that aren't handled by IDA's ppc processor module. So this plugin I'm working on should fix that.
Here is how the default ppc module handles it:
Text View:
2274e08169.png

Graph View:
3500588a31.png


And with the plugin:
116454fb33.png


It's a simple fix that just creates an X-Ref to each branch instruction after it, and adds those case comments.

Image links are broken
 

aerosoul94

Are there any plans to add support for selecting the actual imports (i.e. if I loaded a library from a game and it was trying to import the main RPX or a library like coreinit, I have the option of loading the file for it)? I must say though, it's been super useful thus far.

You mean loading an imported library into a database? You want to see the library's code in the same database?
 

NWPlayer123

You mean loading an imported library into a database? You want to see the library's code in the same database?

Not necessarily, but I'm not sure what the point of making fimport sections is if they aren't used at all (which was why I was asking). For example, in Mario Party 10, tenst.rpx has the core engine and then all minigames and boards are separate RPLs, so I was wondering if it'd be possible to turn fimport/dimport sections into something like the extern section is now, so the code points to symbols/functions in the rpx.
YWQbIOp.png
 

aerosoul94

Not necessarily, but I'm not sure what the point of making fimport sections is if they aren't used at all (which was why I was asking). For example, in Mario Party 10, tenst.rpx has the core engine and then all minigames and boards are separate RPLs, so I was wondering if it'd be possible to turn fimport/dimport sections into something like the extern section is now, so the code points to symbols/functions in the rpx.
YWQbIOp.png

It is possible to patch imported calls to point anywhere, using the relocation tables available in each ELF. Where they branch to is what is set by default. After being linked by the kernel, however, they should be redirected (using the relocations I mentioned) to point to the actual loaded library code. The only reason I included those sections is because they have the SHF_ALLOC flag set.
 

dibas

AFAIK there is no built-in edit (and/or save) functionality in either IDA Pro or this loader. Editing in RAM after the binary has been loaded seems to be the most straightforward way of patching stuff currently.
 

CosmoCortney

AFAIK there is no built-in edit (and/or save) functionality in either IDA Pro or this loader. Editing in RAM after the binary has been loaded seems to be the most straightforward way of patching stuff currently.
The problem is that there is no write permission for the .rpl's memory range.
I'd just like to use free areas in any game's executable to let it execute my custom code. That's how the Wind Waker Chaos Edition was made.
 

dibas

The problem is that there is no write permission for the .rpl's memory range.
There should be, though, if I understood you correctly. Thanks to kexploit we can write to wherever we want in Cafe_OS. If you can't write to the rpl's memory range, you may need to adjust the range kexploit maps +w.
 
Last edited by dibas,