Static Analysis with Ghidra: Quick Start
#1
Information 
Hey, first post here!

ITT we disassemble and analyze Mario Kart Wii using Ghidra:
A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission

Basic disassembly / PowerPC experience required.

Why Ghidra?
I was on a long hunt for a proper disassembler. Tried out everything from cross-compiled gcc to Hopper's trial version to radare2. They were all kind of working but were either a pain to set up or lacked advanced functionality like auto-analysis. Finally, Vega pointed me to Ghidra which works flawlessly and is easy to set up. Bonus points for open source!

I'll focus on Linux / macOS users but will work fine on Windows with minor changes.

So here's the basic plan:
  1. Extracting game binaries from your image
  2. Setup Ghidra + Tools
  3. Create Ghidra project and analyze binaries
At the bottom of the thread, you can find a list of all tools used.



Getting the game binaries

Most of the game code resides in two files: main.dol and StaticR.rel. The former one is the entrypoint containing a bunch of generic/loading code, the latter is a relocatable object file containing most of the game logic. Despite being relocatable, it is always loaded at the same address.

To extract these files from the game ISO, we use wit extract from Wiimm's ISO tools.
The files reside here: /DATA/files/rel/StaticR.rel /DATA/sys/main.dol.

Because most of the symbol addresses differ across different regions, I recommend using the PAL version (RMCP01) of the game going forward. It seems to have the most symbol names mapped.

Setting up Ghidra

Now that we have the interesting files, it's time to install the tools that can look at them.

Ghidra is Java-based, so install the JDK. (Debian: openjdk-12-jdk, Brew Cask: java).
Also set the correct $JAVA_HOME in your .profile.
(Try $(dirname $(readlink $(which java)))/java_home if you don't know where)

Next, download and install Ghidra. ~/opt/ghidra is a good location.
Set the correct $GHIDRA_INSTALL_DIR in your .profile.

Why not go ahead and try it out!
Open it with ~/opt/ghidra/ghidraRun

You can close it back down again because sadly the NSA didn't include logic to parse .dol/.rel files,
or to understand the Wii's Broadway CPU. Maybe we need more mkwii cybercrime, just saying.

Installing Ghidra extensions

Fortunately, aldelaro5 and Cuyler36 wrote Ghidra extensions that fill the gap!

Install the Broadway Language definitions so Ghidra understands Wii machine code:
Next, build and install GameCube Loaders so Ghidra can parse .dol/.rel files:
  • Download the repo:
    git clone https://github.com/Cuyler36/Ghidra-GameCube-Loader
  • Build the Gradle project to produce an extension .zip file with ./gradlew
  • If above fails for some reason, grab the prebuilt .zip from the GitHub releases tab
  • Place the zip in $GHIDRA_INSTALL_DIRECTORY/Extensions/Ghidra/
  • Start Ghidra and install the plugin via File => Install Extensions
  • Restart Ghidra to activate changes

Congrats! You now have a solid toolchain that can disassemble and statically analyze any Wii game.

Analyze all the binaries

Let's put it to use!
  • Start up a new project in Ghidra (non-shared)
  • Press I and import main.dol and StaticR.rel
    Select Nintendo GameCube Binary as the format.
    If it asks you if you want to load symbol maps, press no as we don't have any right now.
  • Press the green dragon to open CodeBrowser
    [Image: HRkraM8.png]
  • In Code Browser, Go To File => Open and select the two binaries
  • You'll be asked if you want to run code analysis. Confirm and wait for a few minutes.

Of course, Mario Kart ships without debug symbols so every function is just called FUN_<address> for now. Best of all, despite not even knowing the ABI, Ghidra recognizes most call parameters.

You can find some symbol names in the list of useful links at the bottom.
How to import them is left as an exercise to the reader. (Protip: Ghidra has an amazing Python API)
I might release a symbol file some time in the future.

That's it! Have fun reversing and let us know what you're working on.

[Image: gWr4yG9.png]



Useful links
Special thanks to Vega and Dorian for tech support.
Reply
#2
Thank you very much for this!!!
Reply
#3
I can't find the link for version 9.0.2, and the newer versions work improperly. (Both 9.1.1 and 9.1.2 fail on .rel files)
Super Mario Eclipse, what Super Mario Sunshine could've been.
Reply
#4
https://ghidra-sre.org/releaseNotes_9.1.2.html
Reply
#5
I just use a Mem80/81 ram dump since the GameCube dol/rel loader doesn’t work on newer versions or just doesn’t work on Wii files.
Reply
#6
This is very smart actually. May try this myself since it merges the two files into what you see mid game
Super Mario Eclipse, what Super Mario Sunshine could've been.
Reply
#7
Really great tutorial, thank you so much! Big Grin
Reply
#8
(03-11-2020, 05:45 PM)1superchip Wrote: I just use a Mem80/81 ram dump since the GameCube dol/rel loader doesn’t work on newer versions or just doesn’t work on Wii files.

I wanted to give this a try but I'm hit with this when trying to import in Ghidra:

Unable to load REL file! Reason: Import Table ofsset + Import Table size in header is past the file bounds!

Am I missing something obvious here? I'm using v9.1.2
Reply
#9
You can use a ram dump so you can see what you would see in game, get dolphin and then dump the ram only mem80 and Mem81 for ram then load using GameCube language by Aldelaro5. This will allow you to see all of mem80, the dol and StaticR.rel as they would be loaded in game. You will not need the Ghidra GameCube Loader for using a ram dump.
Reply
#10
(04-26-2020, 09:52 PM)1superchip Wrote: You can use a ram dump so you can see what you would see in game, get dolphin and then dump the ram only mem80 and Mem81 for ram then load using GameCube language by Aldelaro5. This will allow you to see all of mem80, the dol and StaticR.rel as they would be loaded in game. You will not the the Ghidra GameCube Loader for using a ram dump.
Ah alright. I assumed since this was a thread about Ghidra that you were loading the ram dump into Ghidra.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)