[Release] InsaneLinker for ROM Hacking (exefs)

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by banxian, Feb 6, 2015.

  1. banxian (OP)
    This linker is designed to merge object files into flat binary code, e.g. bootloaders or payloads.

    Here is a special version for ROM hacking.

    Update in 0.21:
    added thumbfunc+1 support and a relocation branch overflow check (missing in 0.2).

    http://filetrip.net/3ds-downloads/d...-insanelinker-for-romhacking-0-21-f33070.html

    special thanks: (image: specialthanks.jpg)

    Steps to make a ROM with patched exefs (you can find a working demo in reply #6)
    1. You need to decrypt exefs and exheader, then extract code.bin from exefs.
    2. Write the patch in assembly with the _il_ mark. A simple template:

    Code:
        .syntax unified
     
        .arch    armv6
        .eabi_attribute 25, 1
     
    malloc = func_capcom_malloc
    free = func_capcom_free
     
        .text
     
        .align    2
        .code    32
    _il_patch_mid_inNNMain:
        BL      my_func_mayunittestfunc
    // need for insane linker
        .size    _il_patch_mid_inNNMain, . - _il_patch_mid_inNNMain
     
    
    The _il_patch prefix is used to patch existing opcodes inside code.bin. You need to rename the same place in IDA Pro to tell the linker the right place to overwrite.
    Rename it like this:
    Code:
    .text:00104708 2488 10 05 00 EB                BL      func_initfs_hid_cfg
    .text:0010470C
    .text:0010470C                _il_patch_mid_inNNMain: <- press 'N' here
    .text:0010470C 2488 85 00 00 EB                BL      func_mayunittestfunc
    
    If you need to append new code at the end of the existing '.text', please use the _il_addon prefix instead.
    Code:
        .align    2
        .hidden    my_func_mayunittestfunc
        .globl    my_func_mayunittestfunc
        .code    32
    // append to end of original code
    _il_addon_codes:
    // before align?
        .func
    my_func_mayunittestfunc:
        STMFD          SP!, {R3-R5,LR}
        BL        _Z11mh4gexptestv
        BL        func_mayunittestfunc
        LDMFD          SP!, {R3-R5,PC}
        .endfunc
     
    // end of addon codes
        .size    _il_addon_codes, . - _il_addon_codes
     
    
    Contents between _il_addon_codes and .size will be appended to the tail of the existing '.text' section. Due to the call from _il_patch_mid_inNNMain, we execute the extra function before the original func_mayunittestfunc call.

    Let's add an implementation for our _Z11mh4gexptestv, before the .size mark:

    Code:
    ...
        .endfunc
     
        .align    2
        .code    32
    _Z11mh4gexptestv:
        //LDR    R0, = _il_addon_dummyconst
        ////LDR    R0, = _il_addon_dummydata
        //LDR    R0, = _il_addon_dummybss
        BX    LR
        .pool
     
    // end of addon codes
    ...
    
    Here we used an empty BX LR as a sample. Sure, you can reference symbols in the local assembly or in the original code.bin.
    Warning: by design, the end of RW data is the same point as the beginning of the ZI bss, thus we can't inject additional bytes at that point.
    You can consider placing it in .text, .const or .bss instead.

    _il_addon in .text will be appended to code.bin's text, and so on.

    Code:
        .section    .rodata
    _il_addon_dummyconst:
        .asciz    "const"
        .size    _il_addon_dummyconst, . - _il_addon_dummyconst
        .align    2
     
    //    .data
    //_il_addon_dummydata:
    //    .asciz    "data"
    //    .size    _il_addon_dummydata, . - _il_addon_dummydata
    //    .align    2
     
        .bss
    _il_addon_dummybss:
        .ds.w    1
        .size    _il_addon_dummybss, . - _il_addon_dummybss
        .align    2
    
    3. Once you have your .s file, assemble it with arm-linux-androideabi-as-new or any other assembler you like.
    4. Now you should have a .o file, e.g. MH4GExporter.o. We need the object file, exheader, code.bin and a symbol list for code.bin to use insanelinker.
    5. Use exefs2elf.py (or makeelf if you haven't got python & binutils installed) to generate an ELF and analyse it in IDA. Export symbols from IDA Pro using InsaneSymbolExporter.py. If your .s uses new symbols which you marked after the export, re-export before linking.
    6. Link with a command such as:
    insanelinker -i code.bin -o code_insane.bin --exheader=exheader.bin --newexheader=exheader_insane.bin --symbols=idaexp.txt MH4GExporter.o
    The linker will try to resolve external symbols from idaexp.txt, and use any information from the exheader/object file to do static relocation.
    If you haven't seen any error message with the `!!!!!` mark, the output exheader_insane.bin and code_insane.bin are ready to merge back into the ROM/CXI.
    If there are unresolved symbols in the log, you need to check your spelling or whether you forgot to rename them in IDA Pro.
    7. Merge code_insane.bin and exheader_insane.bin back into the ROM if you need a patched CCI ROM image. If you need a CIA fake patch, merge into the CXI instead of the CCI. This can be done using mergerom 0.32.
    8. If you need to build a CIA patch, use the merged CXI now. I suggest make_cia for this job.
    Here is the real command I used in the exporter build, sure without the linker, just patched in 010Editor...

    mergerom ncch0_game_10_rc.cxi --exefs=exefs_rc.bin --code=..\workdir\exefs\code_exp.bin --exheader=exh_exp_upd_rc.bin
    make_cia -o mh4g_down_10_rc_eximp.cia --major=1 --minor=0 --micro=7 --content0=ncch0_game_10_rc.cxi --id_0=00000004 --content1=ncch0.bin.0001.00000005 --id_1=00000005
     
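Worked example, added by the editor (not code from banxian's post or from InsaneLinker itself): decoding the two A32 BL words shown in the IDA listing above (bytes `10 05 00 EB` at 0x104708 and `85 00 00 EB` at 0x10470C), re-encoding a BL toward an addon function, and applying the kind of relocation branch overflow check that 0.21 added. The address of the appended addon function (ADDON_FUNC) is an assumed, hypothetical value.

```python
# Editor's example: A32 BL decode/encode with the ±32 MiB range check that an
# _il_patch site needs when it is retargeted at an appended _il_addon function.
import struct

ARM_BL_MASK = 0x0F000000
ARM_BL_OPCODE = 0x0B000000      # cond(4) 1011 imm24
BRANCH_MIN = -(1 << 25)         # imm24 is a signed *word* offset: ±32 MiB
BRANCH_MAX = (1 << 25) - 1

def decode_bl(insn: int, pc: int) -> int:
    """Return the target of an A32 BL located at address `pc`."""
    if insn & ARM_BL_MASK != ARM_BL_OPCODE:
        raise ValueError(f"not a BL: {insn:#010x}")
    imm24 = insn & 0x00FFFFFF
    if imm24 & 0x00800000:          # sign-extend the 24-bit field
        imm24 -= 1 << 24
    return (pc + 8 + (imm24 << 2)) & 0xFFFFFFFF  # A32 reads PC as insn+8

def encode_bl(pc: int, target: int, cond: int = 0xE) -> int:
    """Encode BL `pc` -> `target`; raise instead of silently truncating."""
    offset = target - (pc + 8)
    if offset & 3:
        raise ValueError("ARM BL target must be word aligned")
    if not BRANCH_MIN <= offset <= BRANCH_MAX:
        raise ValueError(f"branch from {pc:#x} to {target:#x} overflows imm24")
    return (cond << 28) | ARM_BL_OPCODE | ((offset >> 2) & 0x00FFFFFF)

def patch_bl(code: bytearray, text_base: int, site: int, target: int) -> bytearray:
    """Overwrite the BL at `site` inside a little-endian code image slice."""
    off = site - text_base
    word = struct.unpack_from("<I", code, off)[0]
    decode_bl(word, site)           # refuse to patch a site that is not a BL
    struct.pack_into("<I", code, off, encode_bl(site, target))
    return code

# Constructed sample: the two BL words from the post's listing, in order.
TEXT_BASE = 0x104708
CODE = bytearray(struct.pack("<II", 0xEB000510, 0xEB000085))
# Hypothetical address of my_func_mayunittestfunc after it is appended to .text.
ADDON_FUNC = 0x00200000

if __name__ == "__main__":
    for i in range(2):
        addr = TEXT_BASE + 4 * i
        word = struct.unpack_from("<I", CODE, 4 * i)[0]
        print(f"{addr:#x}: {word:#010x} BL -> {decode_bl(word, addr):#x}")
    patched = patch_bl(bytearray(CODE), TEXT_BASE, 0x10470C, ADDON_FUNC)
    print(f"patched word: {struct.unpack_from('<I', patched, 4)[0]:#010x}")
```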


  2. banxian (OP)
    I want to fork another project for homebrew from this point.

    First we need to collect many exefs for the same or similar firmware, select the largest one as base,
    rename recognized 'nn library functions', and mark the game developer's routines/variables as 'gap'.
    Then if we write our own nnMain implementation and link our objects with the marked code.bin,
    we can make homebrew based on a `semi-official` 9.x SDK.
    I just want to name it "haCkTR-SDK".
    Almost all nn functions will be kept by a well-done game engine; the missing symbols can be grabbed from other games or the leaked 4.2.8 SDK or leaked dev console tools or bravo-heats anonymous.

    In fact, if I develop on a lower SDK and modify exheader/codebin/plainregion to fit a higher SDK/kernel version, my ROM may crash on startup. This is the reason I can't make a full patch from the official SDK with a different version.

    Sure, it needs lots of manual work; I am afraid it can't be done by myself.
    I don't even know whether it's legal to develop or whether I will be sued by Nintendo.

    Any suggestions?
     
  3. Lord M
    What is this exactly? Do you mean you can patch/modify game memory/exefs, like infinite money, and put it in a rebuilt game?
     
  4. Ericthegreat
    Yes. As far as I can tell.
     
  5. banxian (OP)
    For example, if someone is skilled in MTFramework, an enemy HP inspector can be added in MH3G/4/4G/4U.
    But not me.
    I can just build hack ROMs based on CTR library functions, not at the game engine level.

    I patched marioland1p.gb by only 1 byte some years ago, to get a 1up after every death, because I could figure out the special opcode which decrements the remaining lives (maybe decx -> incx).
    In modern games, we need many bytes to get the same result, because sometimes developers choose to use virtual methods to apply different calculations under different contexts.
     
  6. banxian (OP)
    http://filetrip.net/dl?GsrE2qS26c

    A real demo to lock max HP/stamina in MH4G. Contains assembly source, makefile and other needed files.
    It patches some UI display routine to fill the curr/max value to 150.
    Based on MH4G 1.0; sure you can port it to 1.2 by marking the same 2 symbols in IDA.
    func_capcom_maysomeobj_sprintf can be located by the 1st call after the reference to "+%1d",
    and _il_patch_mid_func_capcom_ui_status_mainpage can be found near LDR R3, =0x12D and MOV R2, #3, the 1st BL to func_capcom_maysomeobj_sprint.


    Install the CIA, launch the game, open the status panel: lock on (about twice a second); close the status panel: lock off.
    I also changed attack/defense but it seems to have no effect.

    http://filetrip.net/dl?2aSWJslJtA

    Item dumper source. The symbol file is generated from the 1.0 exefs, too.

    You may need to update the paths in the Makefile to fit your ROM decrypt goodies directory.
     
  7. The Real Jdbye
    Nice work. This should make ROM hacking and translation patches more capable.
     
  8. ultrazonn
    Can you explain to me what this tool exactly does and what I have to do in order to use it?
     
  9. _eyCaRambA_
    It freezes stamina and health at 150 as long as the Status menu is open. As banxian mentioned, it's just a demo/proof of concept.
    Uninstall any previous patch for MH4G, then install the CIA you find in the download folder.
     
  11. ultrazonn
    Ok thanks, I'll try it. How do I delete previous patches from the game?
     
  12. _eyCaRambA_
    Uninstall the patch in DevMenu / BigBlueMenu etc. ;)
     
  13. banxian (OP)
    And only for the JPN region. You can try to re-compile from source with the MH4U patch's code.bin.
     
  14. gudenau
    Now we just need this to be on the fly...
     
  15. cearp
    This is crazy, thanks :) I'm still waiting to play MH4G on N3DS, but very cool!
     
  16. Zidapi
    On-the-fly memory editing is already available via NTR-CFW and Spider3DStools. Is that what you mean?
     
  17. cearp
    But would MH4G even work with NTR CFW? I don't think so, right? (maybe)
     
  18. gudenau
    Basically, but for new versions with a GW-like setup. I may do this, at some point...
     
  19. Lord M
    Can you try to apply this procedure with an address and value of a game found in NTR Client?
    If you want to try, this is the address and value for max rupees on Zelda: ALBW USA:

    028b5fa8 : 270e
    (address in NTR client is +14000000, so ->
    168b5fa8)
     
  20. banxian (OP)
    I selected the status UI as my hook point,
    because it's a 3-in-1 target: switch, timer, and a pointer ready for read/write.

    Offsets for the status structure are left in comments:

    Code:
    my_func_capcom_ui_status_mainpage_locker:
    // R4 = currplayerinfo (for display)
    // +34C/34E = curr/max hp
    // +354/358 = curr/max stamina
    // +350/35C = 64 00 00 00 | 96 00 00 00 prevmax?currmax? 140|140/140|148
    // +37E = defense fixed short = 768
    // +37C = attack base = 236 -> 849
    
    It may be a challenge for me if I want to inject an extra switch in the start -> option menu.
    I have no idea about Capcom's MTFramework at all.
    I also found some procedures executed after quest clear/retire/failed, but it's still a long way to a monster-HP-visible patch.
     
  21. banxian (OP)
    A little utility, makeelf, which generates an ELF from code.bin and exheader.bin.
    Buggy source included.

    Usage:
    makeelf --exheader=exheader.bin -i code.bin -o game.elf -v

    TODO: accept exefs.bin and extract it on the fly, and merge symbols into the debug info.
     