Hacking Project Reverse Engineering ORAS

AlfaPaladin

Joined Mar 2, 2026
I'm starting a project to try decompiling Pokemon Alpha Sapphire, but I'm hitting some snags in extracting everything properly from the CIA. Can anyone give me any pointers? I know there's at least a little bit of prior work on the topic; e.g. @Zetta_D has posted a few snippets before, so I know this ambitious goal isn't completely impossible. I'm only in the very initial stages though, so I can't make any big promises about when/if I'll have any interesting results to share :)

Here's my current plan for the project, and progress so far:
  1. ☑ Decrypt title via GM9, dumping result to a "normal" CIA file
  2. ☑ Extract NCCH file from CIA (contents.0000.00000003) with ctrtool
  3. ☑ Extract exefs and exheader partitions from NCCH with ctrtool
  4. ☑ Extract .code section (code.bin) from exefs, using the offset and size values from exheader
  5. ☐ Convert to an ELF binary with ctr-elf
  6. ☐ Load ELF into Ghidra, set to ARMv6 little-endian mode
  7. ☐ Disassemble to C
  8. Work through the disassembled code, documenting and renaming things to make it all legible. This (should) be the biggest and most difficult part.

However, I'm stuck at step 5 right now. I can't seem to get ctr-elf to properly convert my code.bin into an ELF, as the script seems to calculate the wrong offsets for the ro and rw sections. I have two major questions at this time:
  • (A) Is my plan reasonable and/or are there other tools I should be aware of?
  • (B) Are there any known issues with trying to use ctr-elf as I'm trying to do here? Probably more an issue with what I'm doing than with the tool itself?

Thanks!
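The layout behind steps 4 and 5 of the plan above, as an added example that is not code from the thread or from ctr-elf: it reads the code-set info (address, page count, byte size) from the exheader, derives where .text/.rodata/.data sit in code.bin, and wraps code.bin in a minimal ELF32 ARM image with one PT_LOAD segment per region. read_segments() reads program headers back, so it can be pointed at ctr-elf's output to compare its offsets with what the exheader implies; the exheader and code.bin bytes here are constructed samples, and the check for the exheader's compressed-.code flag is the one case where the region sizes cannot line up until ctrtool's --decompresscode has been used.

```python
import struct
PAGE = 0x1000  # 3DS code regions are page-aligned inside code.bin

def parse_exheader(exh):
    """Code-set info from the exheader SCI block: (vaddr, pages, bytes) per region, little-endian."""
    def code_set(off):
        addr, pages, size = struct.unpack_from("<III", exh, off)
        return {"addr": addr, "pages": pages, "size": size}
    return {"compressed": bool(exh[0x0D] & 1),  # flag bit0: .code is stored LZ-compressed in ExeFS
            "text": code_set(0x10), "ro": code_set(0x20), "data": code_set(0x30),
            "bss": struct.unpack_from("<I", exh, 0x3C)[0]}

def code_layout(hdr):
    """File offsets in code.bin: regions sit back to back, each padded to its page count."""
    ro = hdr["text"]["pages"] * PAGE
    data = ro + hdr["ro"]["pages"] * PAGE
    return {"text": 0, "ro": ro, "data": data, "total": data + hdr["data"]["pages"] * PAGE}

def build_elf(hdr, code):
    """Wrap code.bin in a minimal ELF32 ARM image: three PT_LOAD segments, no section table."""
    if hdr["compressed"]:
        raise ValueError(".code is compressed; extract it with ctrtool --decompresscode first")
    lay = code_layout(hdr)
    if len(code) < lay["data"] + hdr["data"]["size"]:
        raise ValueError("code.bin is shorter than the exheader layout implies")
    base = PAGE  # headers occupy the first page so every segment keeps its page alignment
    segs = [("text", 5, 0), ("ro", 4, 0), ("data", 6, hdr["bss"])]  # (region, PF_ flags, extra memsz)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\0" * 7  # ELFCLASS32, little-endian, SYSV ABI
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 0x28, 1, hdr["text"]["addr"],
                       52, 0, 0x05000000, 52, 32, len(segs), 40, 0, 0)  # ET_EXEC, EM_ARM, EABI v5
    phdrs = b"".join(struct.pack("<8I", 1, base + lay[n], hdr[n]["addr"], hdr[n]["addr"],
                                 hdr[n]["size"], hdr[n]["size"] + extra, flags, PAGE)
                     for n, flags, extra in segs)  # .bss is the data segment's memsz beyond filesz
    img = bytearray(ehdr + phdrs)
    img += b"\0" * (base - len(img)) + code[:lay["total"]]
    return bytes(img)

def read_segments(elf):
    """(offset, vaddr, filesz, memsz, flags) per program header; works on ctr-elf output too."""
    phoff, phnum = struct.unpack_from("<I", elf, 28)[0], struct.unpack_from("<H", elf, 44)[0]
    rows = [struct.unpack_from("<8I", elf, phoff + 32 * i) for i in range(phnum)]
    return [(off, va, fsz, msz, fl) for _, off, va, _, fsz, msz, fl, _ in rows]

SAMPLE_EXHEADER = bytearray(0x400)  # constructed exheader, not from any real title
struct.pack_into("<III", SAMPLE_EXHEADER, 0x10, 0x100000, 2, 0x1800)  # .text: 2 pages, 0x1800 used
struct.pack_into("<III", SAMPLE_EXHEADER, 0x20, 0x102000, 1, 0x800)   # .rodata: 1 page
struct.pack_into("<IIII", SAMPLE_EXHEADER, 0x30, 0x103000, 1, 0x400, 0x200)  # .data, then .bss size
SAMPLE_CODE = b"T" * 0x2000 + b"R" * 0x1000 + b"D" * 0x1000  # constructed page-padded code.bin
```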
 
> Disassemble to C
What exactly leads you to believe it was written in C in the first place..?

Perhaps I am not up to date with recent developments, but I think you will find that Ghidra does not "disassemble to C" and only disassembles into raw ARM assembly code.

> Probably more an issue with what I'm doing than with the tool itself?
Would it not be helpful to provide more precise details about what exactly you are doing..?
 
I'd suggest going with dynamic analysis (using IDA Pro + GDB Stub) rather than static analysis (just looking at the .elf out of context). It’s the best way to dive in and really understand what each function is doing.

I’ve got some free time coming up, so I’ll probably get back to working on my Sango plugin soon.

PS: Yes, converting assembly to C is the easy part - making it clean and actually readable is by far the real challenge. x)
 