Hacking IDA Pro Wii U Loader

aerosoul94

I didn't like the way IDA's default ELF loader was handling Wii U ELFs and how it didn't handle RPLs and RPXs (not that I expected it to), so I decided to just create my own.

Features:
- Compressed section handling
- Creates extern segment for imported functions
- Symbol table loading
- Adds imports and exports

These are pretty basic features but do make analyzing a lot easier than it would be with the default ELF loader.

How to use:
- Copy wiiu.ldw into your IDA/loaders directory
- You can now load an RPL/RPX into IDA

This was compiled using the IDA 6.1 SDK. I don't have any IDA lower than 6.1, so I'm not sure if it will work for lower versions, but I know it does work fine for IDA 6.6. This loader will only work for 32-bit IDA Pro.

Download:
http://www.mediafire.com/download/6i9tr6dev117mxt/wiiu.rar

Source Code:
https://github.com/aerosoul94/ida_game_elf_loaders/tree/master/src/wiiu

If you have any suggestions on improvements, you're always welcome to let me know. I do have a few other plugins I plan on releasing.
 
Last edited by FIX94, Reason: added source
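As an added illustration of the "compressed section handling" feature listed above (example code written for this page, not the loader's own source): a minimal Python parser that walks the section headers of an RPX/RPL and inflates its zlib-compressed sections. It relies on the Wii U convention that such a section carries the SHF_RPL_ZLIB flag and starts with a 4-byte big-endian uncompressed size; the sample image it builds is constructed inline and is not a real RPX.

```python
import struct
import zlib

# Wii U RPX/RPL files are big-endian ELF32 images. A section whose sh_flags has
# SHF_RPL_ZLIB set stores a 4-byte big-endian uncompressed size followed by a
# zlib stream, so a loader must inflate it before mapping it into the database.
SHF_RPL_ZLIB = 0x08000000
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4
ELF_HDR = struct.Struct(">16sHHIIIIIHHHHHH")  # Elf32_Ehdr, big-endian, 52 bytes
SHDR = struct.Struct(">IIIIIIIIII")           # Elf32_Shdr, big-endian, 40 bytes

def load_sections(data):
    """Return [(sh_name, sh_type, sh_flags, sh_addr, bytes)] for every section,
    with compressed sections inflated and SHF_RPL_ZLIB cleared on the result."""
    hdr = ELF_HDR.unpack_from(data, 0)
    if hdr[0][:4] != b"\x7fELF" or hdr[0][4] != 1 or hdr[0][5] != 2:
        raise ValueError("not a big-endian ELF32 image")
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = []
    for i in range(shnum):
        sh = SHDR.unpack_from(data, shoff + i * shentsize)
        name, typ, flags, addr, off, size = sh[:6]
        raw = data[off:off + size]
        if flags & SHF_RPL_ZLIB:
            if len(raw) < 4:
                raise ValueError(f"section {i}: truncated compressed header")
            (want,) = struct.unpack_from(">I", raw, 0)
            raw = zlib.decompress(raw[4:])
            if len(raw) != want:  # stored size must match what actually inflated
                raise ValueError(f"section {i}: inflated {len(raw)} bytes, header says {want}")
            flags &= ~SHF_RPL_ZLIB
        sections.append((name, typ, flags, addr, raw))
    return sections

def build_sample():
    """Constructed test image (not a real RPX): a null section plus one
    compressed SHF_ALLOC|SHF_EXECINSTR section of 64 PowerPC nop words."""
    text = b"\x60\x00\x00\x00" * 64  # PowerPC `nop` is ori r0,r0,0 = 0x60000000
    comp = struct.pack(">I", len(text)) + zlib.compress(text)
    shoff = ELF_HDR.size + len(comp)
    ident = b"\x7fELF\x01\x02\x01" + b"\0" * 9  # ELFCLASS32, ELFDATA2MSB
    ehdr = ELF_HDR.pack(ident, 0xFE01, 0x14, 1, 0x02000000, 0, shoff, 0,
                        ELF_HDR.size, 0, 0, SHDR.size, 2, 0)  # e_type 0xFE01, EM_PPC
    null_sh = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    text_sh = SHDR.pack(1, 1, SHF_ALLOC | SHF_EXECINSTR | SHF_RPL_ZLIB,
                        0x02000000, ELF_HDR.size, len(comp), 0, 0, 4, 0)
    return ehdr + comp + null_sh + text_sh
```

A real loader would additionally keep the SHF_ALLOC sections (the import/export sections discussed later in the thread among them) and hand the inflated bytes to the database at `sh_addr`.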

aerosoul94

This is excellent! Thank you. What other plugins do you have in the works?

Well, the Wii U compiler creates switch tables that aren't handled by IDA's ppc processor module. So this plugin I'm working on should fix that.
Here is how the default ppc module handles it:
Text View: [screenshot]

Graph View: [screenshot]

And with the plugin: [screenshot]

It's a simple fix that just creates an X-Ref to each branch instruction after it, and adds those case comments.
 

FAST6191

Could anyone give an explanation about what this means and what it could bring to the Wii U scene? Thanks in advance!
IDA ( https://www.hex-rays.com/products/ida/ ) is probably the best general-purpose and also programmable debugger/disassembler around; it is certainly the one favoured by most people doing any kind of hacking work -- pick any conference like C3, DEF CON, Black Hat... and add IDA to a search with it in, and you will find any number of examples of high-end work using it. For instance


Though it is very well developed compared to most alternatives, especially outside the x86/x64 world of the PC, it does not do it all out of the box. This is where the programmable thing comes in, and people tend to make modules for it so it handles new processors, memory layouts, executable formats and quirks of hardware and software development (like the switch-table thing mentioned in later posts).

As for its immediate effect on things: probably very little as far as bringing new people into the scene, though those looking for exploits in disassembled Wii U code would probably do well to adopt this if they have not written their own. Later on, if people decide to take up Wii U ROM hacking, then it will be very nice indeed.
 

NWPlayer123

Are there any plans to add support for selecting the actual imports (i.e. if I loaded a library from a game and it was trying to import the main RPX or a library like coreinit, I have the option of loading the file for it)? I must say though, it's been super useful thus far.
 

FM360

Well, the Wii U compiler creates switch tables that aren't handled by IDA's ppc processor module. So this plugin I'm working on should fix that.
Here is how the default ppc module handles it:
Text View: [screenshot]

Graph View: [screenshot]

And with the plugin: [screenshot]

It's a simple fix that just creates an X-Ref to each branch instruction after it, and adds those case comments.

Image links are broken
 

aerosoul94

Are there any plans to add support for selecting the actual imports (i.e. if I loaded a library from a game and it was trying to import the main RPX or a library like coreinit, I have the option of loading the file for it)? I must say though, it's been super useful thus far.

You mean loading an imported library into a database? You want to see the library's code in the same database?
 

NWPlayer123

You mean loading an imported library into a database? You want to see the library's code in the same database?

Not necessarily, but I'm not sure what the point of making fimport sections is if they aren't used at all (which was why I was asking). For example, in Mario Party 10, tenst.rpx has the core engine and then all minigames and boards are separate RPLs, so I was wondering if it'd be possible to turn fimport/dimport sections into something like the extern section is now, so the code points to symbols/functions in the rpx.
[screenshot]
 

aerosoul94

Not necessarily, but I'm not sure what the point of making fimport sections is if they aren't used at all (which was why I was asking). For example, in Mario Party 10, tenst.rpx has the core engine and then all minigames and boards are separate RPLs, so I was wondering if it'd be possible to turn fimport/dimport sections into something like the extern section is now, so the code points to symbols/functions in the rpx.
[screenshot]

It is possible to patch imported calls to point anywhere, using the relocation tables available in each ELF. Where they branch to is what is set by default. After being linked by the kernel, however, they should be redirected (using the relocations I mentioned) to point to the actual loaded library code. The only reason I included those sections is that they have the SHF_ALLOC flag set.
 

dibas

AFAIK there is no built-in edit (and/or save) functionality in either IDA Pro or this loader. Editing in RAM after the binary has been loaded seems to be the most straightforward way of patching stuff currently.
 

CosmoCortney

AFAIK there is no built-in edit (and/or save) functionality in either IDA Pro or this loader. Editing in RAM after the binary has been loaded seems to be the most straightforward way of patching stuff currently.
The problem is that there is no write permission for the .rpl's memory range.
I'd just like to use free areas in any game's executable to let it execute my custom code. That's how the Wind Waker Chaos Edition was made.
 

dibas

The problem is that there is no write permission for the .rpl's memory range.
There should be, though, if I understood you correctly. Thanks to kexploit we can write wherever we want in Cafe_OS. If you can't write to the rpl's memory range, you may need to adjust the range kexploit maps +w.
 