08-02-2019, 07:31 PM
(This post was last modified: 11-01-2019, 12:29 AM by Vega.
Edit Reason: Grammar
)
Hey, first post here!
ITT we disassemble and analyze Mario Kart Wii using Ghidra:
A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission
Basic disassembly / PowerPC experience required.
Why Ghidra?
I was on a long hunt for a proper disassembler. Tried out everything from cross-compiled gcc to Hopper's trial version to radare2. They were all kind of working but were either a pain to set up or lacked advanced functionality like auto-analysis. Finally, Vega pointed me to Ghidra which works flawlessly and is easy to set up. Bonus points for open source!
I'll focus on Linux / macOS users but will work fine on Windows with minor changes.
So here's the basic plan:
Getting the game binaries
Most of the game code resides in two files: main.dol and StaticR.rel. The former one is the entrypoint containing a bunch of generic/loading code, the latter is a relocatable object file containing most of the game logic. Despite being relocatable, it is always loaded at the same address.
To extract these files from the game ISO, we use wit extract from Wiimm's ISO tools.
The files reside here: /DATA/files/rel/StaticR.rel /DATA/sys/main.dol.
Because most of the symbol addresses differ across different regions, I recommend using the PAL version (RMCP01) of the game going forward. It seems to have the most symbol names mapped.
Setting up Ghidra
Now that we have the interesting files, it's time to install the tools that can look at them.
Ghidra is Java-based, so install the JDK. (Debian: openjdk-12-jdk, Brew Cask: java).
Also set the correct $JAVA_HOME in your .profile.
(Try $(dirname $(readlink $(which java)))/java_home if you don't know where)
Next, download and install Ghidra. ~/opt/ghidra is a good location.
Set the correct $GHIDRA_INSTALL_DIR in your .profile.
Why not go ahead and try it out!
Open it with ~/opt/ghidra/ghidraRun
You can close it back down again because sadly the NSA didn't include logic to parse .dol/.rel files,
or to understand the Wii's Broadway CPU. Maybe we need more mkwii cybercrime, just saying.
Installing Ghidra extensions
Fortunately, aldelaro5 and Cuyler36 wrote Ghidra extensions that fill the gap!
Install the Broadway Language definitions so Ghidra understands Wii machine code:
Next, build and install GameCube Loaders so Ghidra can parse .dol/.rel files:
Congrats! You now have a solid toolchain that can disassemble and statically analyze any Wii game.
Analyze all the binaries
Let's put it to use!
Of course, Mario Kart ships without debug symbols so every function is just called FUN_<address> for now. Best of all, despite not even knowing the ABI, Ghidra recognizes most call parameters.
You can find some symbol names in the list of useful links at the bottom.
How to import them is left as an exercise to the reader. (Protip: Ghidra has an amazing Python API)
I might release a symbol file some time in the future.
That's it! Have fun reversing and let us know what you're working on.
![[Image: gWr4yG9.png]](https://i.imgur.com/gWr4yG9.png)
Useful links
Special thanks to Vega and Dorian for tech support.
ITT we disassemble and analyze Mario Kart Wii using Ghidra:
A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission
Basic disassembly / PowerPC experience required.
Why Ghidra?
I was on a long hunt for a proper disassembler. Tried out everything from cross-compiled gcc to Hopper's trial version to radare2. They were all kind of working but were either a pain to set up or lacked advanced functionality like auto-analysis. Finally, Vega pointed me to Ghidra which works flawlessly and is easy to set up. Bonus points for open source!
I'll focus on Linux / macOS users but will work fine on Windows with minor changes.
So here's the basic plan:
- Extracting game binaries from your image
- Setup Ghidra + Tools
- Create Ghidra project and analyze binaries
Getting the game binaries
Most of the game code resides in two files: main.dol and StaticR.rel. The former one is the entrypoint containing a bunch of generic/loading code, the latter is a relocatable object file containing most of the game logic. Despite being relocatable, it is always loaded at the same address.
To extract these files from the game ISO, we use wit extract from Wiimm's ISO tools.
The files reside here: /DATA/files/rel/StaticR.rel /DATA/sys/main.dol.
Because most of the symbol addresses differ across different regions, I recommend using the PAL version (RMCP01) of the game going forward. It seems to have the most symbol names mapped.
Setting up Ghidra
Now that we have the interesting files, it's time to install the tools that can look at them.
Ghidra is Java-based, so install the JDK. (Debian: openjdk-12-jdk, Brew Cask: java).
Also set the correct $JAVA_HOME in your .profile.
(Try $(dirname $(readlink $(which java)))/java_home if you don't know where)
Next, download and install Ghidra. ~/opt/ghidra is a good location.
Set the correct $GHIDRA_INSTALL_DIR in your .profile.
Why not go ahead and try it out!
Open it with ~/opt/ghidra/ghidraRun
You can close it back down again because sadly the NSA didn't include logic to parse .dol/.rel files,
or to understand the Wii's Broadway CPU. Maybe we need more mkwii cybercrime, just saying.
Installing Ghidra extensions
Fortunately, aldelaro5 and Cuyler36 wrote Ghidra extensions that fill the gap!
Install the Broadway Language definitions so Ghidra understands Wii machine code:
- Download the repo:
git clone https://github.com/aldelaro5/ghidra-gekko-broadway-lang
- Copy data/languages/* in the repo to Ghidra/Processors/PowerPC/data/languages
Next, build and install GameCube Loaders so Ghidra can parse .dol/.rel files:
- Download the repo:
git clone https://github.com/Cuyler36/Ghidra-GameCube-Loader
- Build the Gradle project to produce an extension .zip file with ./gradlew
- If above fails for some reason, grab the prebuilt .zip from the GitHub releases tab
- Place the zip in $GHIDRA_INSTALL_DIRECTORY/Extensions/Ghidra/
- Start Ghidra and install the plugin via File => Install Extensions
- Restart Ghidra to activate changes
Congrats! You now have a solid toolchain that can disassemble and statically analyze any Wii game.
Analyze all the binaries
Let's put it to use!
- Start up a new project in Ghidra (non-shared)
- Press I and import main.dol and StaticR.rel
Select Nintendo GameCube Binary as the format.
If it asks you if you want to load symbol maps, press no as we don't have any right now.
- Press the green dragon to open CodeBrowser
![[Image: HRkraM8.png]](https://i.imgur.com/HRkraM8.png)
- In Code Browser, Go To File => Open and select the two binaries
- You'll be asked if you want to run code analysis. Confirm and wait for a few minutes.
Of course, Mario Kart ships without debug symbols so every function is just called FUN_<address> for now. Best of all, despite not even knowing the ABI, Ghidra recognizes most call parameters.
You can find some symbol names in the list of useful links at the bottom.
How to import them is left as an exercise to the reader. (Protip: Ghidra has an amazing Python API)
I might release a symbol file some time in the future.
That's it! Have fun reversing and let us know what you're working on.
Useful links
- Tool: Wiimm's ISO Tools
- Tool: Ghidra
- Tool: aldelaro5's Gekko/Broadway language definitions
- Tool: Cuyler36's GameCube Loaders
- Wiki: Symbol Map — MKWii.com
- BitBucket: Even bigger symbol map by megazig
- Wiki: DOL (File Format) — Custom Mario Kart
- Wiki: REL (File Format) — Custom Mario Kart
Special thanks to Vega and Dorian for tech support.