ROM Hack [Release] InsaneLinker for ROM Hacking (exefs)

banxian

Active Member
OP
Newcomer
Joined
Oct 30, 2014
Messages
40
Trophies
0
Age
40
XP
266
Country
Switzerland
This linker is designed to merge object files into flat binary code, e.g. bootloaders, payloads.

Here is a special version for ROM hacking.

Update in 0.21:
added thumbfunc+1 support. Added relocation branch overflow check (missing in 0.2).

http://filetrip.net/3ds-downloads/d...-insanelinker-for-romhacking-0-21-f33070.html

special thanks:
specialthanks.jpg


Steps to make a ROM with patched exefs (you can find a working demo in reply #6):
1. You need to decrypt exefs and exheader, then extract code.bin from exefs.
2. Write the patch in assembly with the _il_ mark. A simple template:

Code:
    .syntax unified
 
    .arch    armv6
    .eabi_attribute 25, 1
 
malloc = func_capcom_malloc
free = func_capcom_free
 
    .text
 
    .align    2
    .code    32
_il_patch_mid_inNNMain:
    BL      my_func_mayunittestfunc
// need for insane linker
    .size    _il_patch_mid_inNNMain, . - _il_patch_mid_inNNMain

The _il_patch prefix is used for patching existing opcodes inside code.bin. You need to rename the same place in IDA Pro to tell me the right place to overwrite.
Rename it like this:
Code:
.text:00104708 2488 10 05 00 EB                BL      func_initfs_hid_cfg
.text:0010470C
.text:0010470C                _il_patch_mid_inNNMain: <- press 'N' here
.text:0010470C 2488 85 00 00 EB                BL      func_mayunittestfunc

If you need to append new code at the end of the existing '.text', please use the _il_addon prefix instead.
Code:
    .align    2
    .hidden    my_func_mayunittestfunc
    .globl    my_func_mayunittestfunc
    .code    32
// append to end of original code
_il_addon_codes:
// before align?
    .func
my_func_mayunittestfunc:
    STMFD          SP!, {R3-R5,LR}
    BL        _Z11mh4gexptestv
    BL        func_mayunittestfunc
    LDMFD          SP!, {R3-R5,PC}
    .endfunc
 
// end of addon codes
    .size    _il_addon_codes, . - _il_addon_codes

Contents between _il_addon_codes and .size will be appended to the tail of the existing '.text' section. Due to the call from _il_patch_mid_inNNMain, we just executed an extra function before the original func_mayunittestfunc call.

Let's add the implementation for our _Z11mh4gexptestv, before the .size mark:

Code:
...
    .endfunc
 
    .align    2
    .code    32
_Z11mh4gexptestv:
    //LDR    R0, = _il_addon_dummyconst
    ////LDR    R0, = _il_addon_dummydata
    //LDR    R0, = _il_addon_dummybss
    BX    LR
    .pool
 
// end of addon codes
...

Here we used an empty BX LR as a sample. Sure, you can reference symbols in the local assembly or in the original code.bin.
Warning: by design, the end of RW data is the same point as the beginning of ZI bss, thus we can't inject additional bytes at that shared point.
You can consider placing it in .text, .const or .bss instead.

_il_addon in .text will be appended to code.bin's text, and so on.

Code:
    .section    .rodata
_il_addon_dummyconst:
    .asciz    "const"
    .size    _il_addon_dummyconst, . - _il_addon_dummyconst
    .align    2
 
//    .data
//_il_addon_dummydata:
//    .asciz    "data"
//    .size    _il_addon_dummydata, . - _il_addon_dummydata
//    .align    2
 
    .bss
_il_addon_dummybss:
    .ds.w    1
    .size    _il_addon_dummybss, . - _il_addon_dummybss
    .align    2

3. Once you have your .s file, assemble it with arm-linux-androideabi-as-new or another assembler you like.
4. Now you should have a .o file, e.g. MH4GExporter.o. To use insanelinker we need the object file, exheader, code.bin and the symbol list for code.bin.
5. Use exefs2elf.py (or makeelf if you haven't got python & binutils installed) to generate an elf and analyse it in IDA. Export symbols from IDA Pro using InsaneSymbolExporter.py. If your .s uses new symbols which you marked after the export, re-export before linking.
6. Link with a command such as:
insanelinker -i code.bin -o code_insane.bin --exheader=exheader.bin --newexheader=exheader_insane.bin --symbols=idaexp.txt MH4GExporter.o
The linker will try to resolve external symbols from idaexp.txt, and use any information from the exheader/object file to do static relocation.
If you haven't seen any error message with the `!!!!!` mark, the output exheader_insane.bin and code_insane.bin are ready to merge back into the ROM/CXI.
If there is some unresolved symbol in the log, you need to check your spelling, or whether you haven't renamed it in IDA Pro.
7. Merge code_insane.bin and exheader_insane.bin back into the ROM if you need a patched CCI ROM image. If you need a CIA fake patch, merge into the CXI instead of the CCI. This can be done using mergerom 0.32.
8. If you need to build a CIA patch, use the merged CXI now. I suggest make_cia for this job.
Here are the real commands I used in the exporter build, sure without the linker, just patched in 010Editor...

mergerom ncch0_game_10_rc.cxi --exefs=exefs_rc.bin --code=..\workdir\exefs\code_exp.bin --exheader=exh_exp_upd_rc.bin
make_cia -o mh4g_down_10_rc_eximp.cia --major=1 --minor=0 --micro=7 --content0=ncch0_game_10_rc.cxi --id_0=00000004 --content1=ncch0.bin.0001.00000005 --id_1=00000005
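As an added example (not InsaneLinker's own code, and not from the demo archive), here is a Python sketch of what the linker does for the _il_patch_/_il_addon_ pair above: append the addon routine to the tail of .text, then rewrite the BL at the renamed patch site to reach it, with the ARM BL range check that 0.21 added. The load address, the code.bin contents and the symbol table are constructed; the two symbol addresses follow the BL listing quoted in step 2.

```python
import struct

TEXT_BASE = 0x00100000   # constructed load address of code.bin's .text
BL_RANGE = 1 << 25       # ARM-mode BL reaches +-32 MiB (signed 26-bit, word aligned)

# Constructed symbol table in the shape of the IDA export; addresses taken from
# the quoted listing (BL at 0010470C with imm24 = 0x85 lands on 00104928).
SYMBOLS = {"_il_patch_mid_inNNMain": 0x0010470C,
           "func_mayunittestfunc": 0x00104928}

def encode_bl(pc, target, cond=0xE):
    """ARM-mode BL at word-aligned `pc` to `target`; OverflowError = branch overflow check."""
    disp = target - (pc + 8)              # in ARM state PC reads as this instruction + 8
    if not -BL_RANGE <= disp < BL_RANGE:
        raise OverflowError(f"!!!!! BL from {pc:#x} to {target:#x} out of range")
    return struct.pack("<I", (cond << 28) | 0x0B000000 | ((disp >> 2) & 0xFFFFFF))

def decode_bl(pc, word):
    """Branch target of the ARM-mode BL `word` located at `pc`."""
    if (word & 0x0F000000) != 0x0B000000:
        raise ValueError(f"{word:#010x} is not a BL")
    imm24 = word & 0xFFFFFF
    disp = (imm24 - (1 << 24) if imm24 & 0x800000 else imm24) << 2
    return pc + 8 + disp

def build_trampoline(addon_addr):
    """Constructed stand-in for my_func_mayunittestfunc placed at `addon_addr`:
    STMFD SP!,{R3-R5,LR} / BL func_mayunittestfunc / LDMFD SP!,{R3-R5,PC}."""
    return (struct.pack("<I", 0xE92D4038)
            + encode_bl(addon_addr + 4, SYMBOLS["func_mayunittestfunc"])
            + struct.pack("<I", 0xE8BD8038))

def link_addon(code, symbols, patch_name, build_addon):
    """Append the addon to the tail of .text and retarget the BL at the _il_patch_
    site to it.  Returns (new code bytes, addon address)."""
    code = bytearray(code)
    code += b"\0" * (-len(code) % 4)      # word-align the tail before appending
    addon_addr = TEXT_BASE + len(code)
    code += build_addon(addon_addr)
    off = symbols[patch_name] - TEXT_BASE  # KeyError here = unresolved symbol
    old = struct.unpack_from("<I", code, off)[0]
    if (old & 0x0F000000) != 0x0B000000:
        raise ValueError(f"!!!!! {patch_name}: no BL at {symbols[patch_name]:#x}")
    code[off:off + 4] = encode_bl(symbols[patch_name], addon_addr, cond=old >> 28)
    return bytes(code), addon_addr

def demo():
    # Constructed code.bin: zeros with the quoted BL word at offset 0x470C.
    code = bytearray(0x4710)
    struct.pack_into("<I", code, 0x470C, 0xEB000085)
    return link_addon(code, SYMBOLS, "_il_patch_mid_inNNMain", build_trampoline)
```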
 

banxian (OP)
I want to fork another project for homebrew from this point.

First we need to collect many exefs for the same or similar firmware, select the largest one as base,
rename recognized 'nn library functions', and mark the game developer's routines/variables as 'gap'.
Then if we write our own nnMain implementation, and link our objects with the marked code.bin,
we can make homebrew based on the `semi-official` 9.x SDK.
I just want to name it "haCkTR-SDK".
Almost all nn functions will be kept by a well-done game engine; the missing symbols can be grabbed from other games or the leaked 4.2.8 SDK or leaked dev console tools or bravo-heats anonymous.

In fact if I develop on a lower SDK and modify exheader/codebin/plainregion to fit a higher SDK/kernel version, my ROM may crash on startup. This is the reason I can't make a full patch from the official SDK with a different version.

Sure it needs lots of manual work, I am afraid it can't be done by myself.
I don't even know whether it's legal to develop or whether I will be sued by Nintendo.

Any suggestions?
 

Lord M
What is this exactly? You mean you can patch/modify game memory/exefs, like infinite money, and put it in a rebuilt game?
 

banxian (OP)
> What is this exactly? You mean you can patch/modify game memory/exefs, like infinite money, and put it in a rebuilt game?

For example, if someone is skilled in MTFramework, an enemy HP inspector can be added to MH3G/4/4G/4U.
But not me.
I can just build hack ROMs based on CTR library functions, not at the game engine level.

I patched marioland1p.gb by only 1 byte some years ago, to get a 1up after every death, because I could figure out the specific opcode which decrements the lives left. (maybe decx -> incx)
In modern games, we need many bytes to get the same result, because sometimes developers choose to use virtual methods to apply different calculations under different contexts.
 

banxian (OP)
http://filetrip.net/dl?GsrE2qS26c

A real demo to lock max hp/stamina in MH4G. Contains assembly source, makefile and other needed files.
Patched some UI display routine to fill the curr/max value to 150.
Based on MH4G 1.0; sure you can port it to 1.2 by marking the same 2 symbols in IDA.
func_capcom_maysomeobj_sprintf can be located by the 1st call after the reference to "+%1d",
and _il_patch_mid_func_capcom_ui_status_mainpage can be found near LDR R3, =0x12D and MOV R2, #3, the 1st BL to func_capcom_maysomeobj_sprint.


Install the cia, launch the game, open the status panel: lock on (about twice a second); close the status panel: lock off.
I also changed attack/defense but it seems to have no effect.

http://filetrip.net/dl?2aSWJslJtA

Item dumper source. The symbol file is generated from the 1.0 exefs, too.

You may need to update the paths in the Makefile to fit your rom decrypt goodies directory.
 

ultrazonn
> http://filetrip.net/dl?GsrE2qS26c
>
> A real demo to lock max hp/stamina in MH4G. Contains assembly source, makefile and other needed files.
> Patched some UI display routine to fill the curr/max value to 150.
> Based on MH4G 1.0; sure you can port it to 1.2 by marking the same 2 symbols in IDA.
> func_capcom_maysomeobj_sprintf can be located by the 1st call after the reference to "+%1d",
> and _il_patch_mid_func_capcom_ui_status_mainpage can be found near LDR R3, =0x12D and MOV R2, #3, the 1st BL to func_capcom_maysomeobj_sprint.
>
> Install the cia, launch the game, open the status panel: lock on (about twice a second); close the status panel: lock off.
> I also changed attack/defense but it seems to have no effect.

Can you explain to me what this tool exactly does and what I have to do in order to use it?
 

_eyCaRambA_
It freezes stamina and health at 150 as long as the Status menu is opened. As banxian mentioned, it's just a demo/proof of concept.
Uninstall any previous patch for MH4G, then install the cia you find in the download folder.
 

ultrazonn
> It freezes stamina and health at 150 as long as the Status menu is opened. As banxian mentioned, it's just a demo/proof of concept.
> Uninstall any previous patch for MH4G, then install the cia you find in the download folder.

Ok thanks, I'll try it. How do I delete previous patches from the game?
 

Lord M
Can you try to apply this procedure with an address and value of a game found in NTR Client?
If you want to try, this is the address and value for max rupees on Zelda: ALBW USA:

028b5fa8 : 270e
(the address in NTR client is +14000000, so ->
168b5fa8)
 

banxian (OP)
I selected the status UI as my hook point,
because it's a 3 in 1 target: switch, timer, and a pointer ready for read/write.

Offsets for the status structure are left in comments:

Code:
my_func_capcom_ui_status_mainpage_locker:
// R4 = currplayerinfo (for display)
// +34C/34E = curr/max hp
// +354/358 = curr/max stamina
// +350/35C = 64 00 00 00 | 96 00 00 00 prevmax?currmax? 140|140/140|148
// +37E = defense fixed short = 768
// +37C = attack base = 236 -> 849

It's maybe a challenge for me if I want to inject an extra switch into the start -> option menu.
I have no idea about Capcom's MT Framework at all.
I also found some procedure executed after quest clear/retire/failed, but it's still a long distance to a monster-hp-visible patch.
 

banxian (OP)
A little utility, makeelf: generates an elf from code.bin and exheader.bin.
Buggy source included.

Usage:
makeelf --exheader=exheader.bin -i code.bin -o game.elf -v

TODO: accept exefs.bin and extract on the fly, and merge symbols into debug info.
 

Attachments

  • makeelf_v1_with_src.rar (108.1 KB)
