Loading the System Menu into IDA Pro
Posted by bushing
|
Loading the System Menu into IDA Pro August 05, 2008 05:34AM | Admin Registered: 15 years ago Posts: 271 |
Most "NAND Titles" on the Wii contain two pieces of executable code -- the "NANDLoader", and then a main DOL. The system starts the NANDLoader, which then uses ES_ calls to go and load the main DOL and execute it.
The system menu is a little bit different; it's just one piece. The first part of it is a little "NANDLoader stub" which moves the rest of it into memory, and then executes it.
The easiest way to load it into IDA Pro is the following:
1) Open the file in your favorite hex editor
2) Change the "0000 3400" to "8000 3400"
3) Load the file into IDA Pro as a DOL file
4) Move the cursor to 81330000
5) Hit Alt-S (Edit Segment...)
6) Change "Segment Class" from DATA to CODE, select OK
7) Hit 'C' on 81330000 to begin analysis of the main CODE section
The system menu is a little bit different; it's just one piece. The first part of it is a little "NANDLoader stub" which moves the rest of it into memory, and then executes it.
The easiest way to load it into IDA Pro is the following:
1) Open the file in your favorite hex editor
0000000: 0000 0100 0000 0000 0000 0000 0000 0000 ................ 0000010: 0000 0000 0000 0000 0000 0000 0000 0500 ................ 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000040: 0000 0000 0000 0000 8000 3400 0000 0000 ..........4..... 0000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000060: 0000 0000 8132 ffe0 0000 0000 0000 0000 .....2.......... 0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000090: 0000 0400 0000 0000 0000 0000 0000 0000 ................ 00000a0: 0000 0000 0000 0000 0000 0000 0038 0000 .............8.. 00000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000d0: 0000 0000 0000 0000 8134 0000 0001 0000 .........4...... 00000e0: 0000 3400 0000 0000 0000 0000 0000 0000 ..4.............
2) Change the "0000 3400" to "8000 3400"
3) Load the file into IDA Pro as a DOL file
4) Move the cursor to 81330000
5) Hit Alt-S (Edit Segment...)
6) Change "Segment Class" from DATA to CODE, select OK
7) Hit 'C' on 81330000 to begin analysis of the main CODE section
|
Re: Loading the System Menu into IDA Pro August 05, 2008 12:44PM | Admin Registered: 15 years ago Posts: 19 |
Here's an addition for making SystemMenu reverse engineering more convenient. Sir_Kane recently build a nice ".SEL" file loading plugin for IDA. I hear you ask now, "What are SEL files?" , simply said they are a library of symbolnames belonging to a particular binary. With these SEL files and Sir_Kane's IDA Plugin you can save yourself a lot of time!
How do I obtain said "SEL Files" ?
The SEL files are stored on your Wii's NAND but also in regular systemmenu "WADs" , so there's more then one way to get them. For this example I will be using WiiFuse to extract the SystemMenu binaries.
As you can see, there are 3 .APP files and a TMD in the directory. One is a "bogus" .app of 64 bytes (it doesn't hold anything interesting, just some identifier strings), the other two we are interested in. One is the actual systemmenu DOL, which can be loaded into IDA using bushing's method in the previous post. The other doesn't look like it has a DOL header at all:
Installing Sir_Kane's SEL Loader Plugin
Download this, and extract the .PLW to\plugins\
Now, start IDA, load the DOL/ELF .. and go to: Edit -> Plugins -> Load Sel File
At this point it should find the .SEL file with the same basename as your DOL/ELF and start loading it .. IDA Might look like it's hanging and you will probably get some scary messages in the status window, but don't worry and just wait for it to finish.
At some point the "analysis bar" (or whatever the hell it's called) will start becoming more blue and blue, and tons of symbols will appear in the 'names' window. Enjoy!
P.S. I'm not sure if there are any public ARC extractors out there, as I've been using something I half-assed together some while ago, although im pretty confident there *is* some public tool to do it.
P.P.S. Everything described here is how I did it last night on my 3.3E wii, sysmenu filenames might differ on older versions, but the procedure -should be- the same basically.
Edited 2 time(s). Last edit at 08/05/2008 12:45PM by blasty.
How do I obtain said "SEL Files" ?
The SEL files are stored on your Wii's NAND but also in regular systemmenu "WADs" , so there's more then one way to get them. For this example I will be using WiiFuse to extract the SystemMenu binaries.
blackbook:~/wiifuse-0.2.0# ./wiifuse -i 0000000100000002 /dev/ttyUSB0 /mnt/nand title's data path is "/title/00000001/00000002/data" blackbook:~/wiifuse-0.2.0# cd /mnt/nand/title/00000001/00000002/content blackbook:/mnt/nand/title/00000001/00000002/content# ls 0000005c.app 0000005d.app 0000005e.app title.tmd
As you can see, there are 3 .APP files and a TMD in the directory. One is a "bogus" .app of 64 bytes (it doesn't hold anything interesting, just some identifier strings), the other two we are interested in. One is the actual systemmenu DOL, which can be loaded into IDA using bushing's method in the previous post. The other doesn't look like it has a DOL header at all:
blackbook:/mnt/nand/title/00000001/00000002/content# hexdump -C 0000005d.app|head -n 2 00000000 55 aa 38 2d 00 00 00 20 00 00 07 38 00 00 07 60 |U.8-... ...8...`| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|It's an so-called "ARC Archive" which can be recognized by the 64bit magic identifier at the start (55aa382d00000020). Inside this ARC there's a lot of files hiding, but the one we're interested in is 'main.sel'. Extract this main.sel file (in my case it was in ./FINAL/EU2/main.sel in the extracted ARC) and copy it to the same folder as the other .app (0000005e.app in my case), now rename the .SEL to have the same "basename" as your .ELF/.DOL, and you're all set! .. well almost, we still have to install the plugin.
Installing Sir_Kane's SEL Loader Plugin
Download this, and extract the .PLW to
Now, start IDA, load the DOL/ELF .. and go to: Edit -> Plugins -> Load Sel File
At this point it should find the .SEL file with the same basename as your DOL/ELF and start loading it .. IDA Might look like it's hanging and you will probably get some scary messages in the status window, but don't worry and just wait for it to finish.
At some point the "analysis bar" (or whatever the hell it's called) will start becoming more blue and blue, and tons of symbols will appear in the 'names' window. Enjoy!
P.S. I'm not sure if there are any public ARC extractors out there, as I've been using something I half-assed together some while ago, although im pretty confident there *is* some public tool to do it.
P.P.S. Everything described here is how I did it last night on my 3.3E wii, sysmenu filenames might differ on older versions, but the procedure -should be- the same basically.
Edited 2 time(s). Last edit at 08/05/2008 12:45PM by blasty.
|
Re: Loading the System Menu into IDA Pro August 05, 2008 04:52PM | Admin Registered: 15 years ago Posts: 180 |
For extracting "ARC" files (which are usually U8 Archives), you can use a variety of tools.
On the Wiibrew wiki, you can find code for Parsing U8 archives and decompressing LZ77'd content.
Since most of you use IDA Pro on Windows, crediar's WiiRawExt will probably be useful. It unpacks U8 archives and automatically decompresses any LZ77 content.
On the Wiibrew wiki, you can find code for Parsing U8 archives and decompressing LZ77'd content.
Since most of you use IDA Pro on Windows, crediar's WiiRawExt will probably be useful. It unpacks U8 archives and automatically decompresses any LZ77 content.
|
Re: Loading the System Menu into IDA Pro August 06, 2008 10:48AM | Admin Registered: 15 years ago Posts: 271 |
It's pretty weird that these symbols are even there, but they seem to be necessary -- if you (for example) patch the System Menu to change the stored path the main.sel file, it will refuse to boot! My theory is that it has to do with the relocatable module support, specifically wwwlib -- many of the channels that use that also contain a main.sel file (news channel, weather channel, etc.)
Starting with the Nintendo Channel, they seem to be using a new version of Codewarrior, or a different linker or something -- there's a small main.sel file, and there are also some symbol tables buried within data sections of the main DOL, too. (Alas, nothing horribly useful.)
Starting with the Nintendo Channel, they seem to be using a new version of Codewarrior, or a different linker or something -- there's a small main.sel file, and there are also some symbol tables buried within data sections of the main DOL, too. (Alas, nothing horribly useful.)
|
Re: Loading the System Menu into IDA Pro September 06, 2008 12:51PM | Registered: 15 years ago Posts: 93 |
I downloaded and tried the 4.9 free version but it starts with an error (The procedure entry point qstpncpy could not be located in the dynamic link library IDA.WLL) and I can't seem to find the dol format in the disassembly database selection screen. (copied dol.ldw to loaders folder)
I guess free version do not support extra plugins and loaders?
What version do you people use?
edit : nevermind, installed 5.2 and got it right. now I need to learn a bit of ppc assembly
Edited 1 time(s). Last edit at 09/07/2008 04:25PM by WiiCrazy.
I guess free version do not support extra plugins and loaders?
What version do you people use?
edit : nevermind, installed 5.2 and got it right. now I need to learn a bit of ppc assembly
Edited 1 time(s). Last edit at 09/07/2008 04:25PM by WiiCrazy.
|
Re: Loading the System Menu into IDA Pro September 26, 2008 10:00PM | Registered: 15 years ago Posts: 4 |
|
Re: Loading the System Menu into IDA Pro September 28, 2008 10:46PM | Admin Registered: 15 years ago Posts: 271 |
|
Re: Loading the System Menu into IDA Pro July 01, 2009 03:12AM | Registered: 15 years ago Posts: 7 |
|
Re: Loading the System Menu into IDA Pro July 18, 2009 12:22PM | Registered: 15 years ago Posts: 405 |
|
Re: Loading the System Menu into IDA Pro July 19, 2009 07:00AM | Registered: 15 years ago Posts: 2 |
I found a current link for SELLoader3 on comex's site, but in case that link goes down, I've uploaded it to Sharebee:
Sir_Kane's SEL Loader Plugin - SELLoader3.rar
Edit: Unfortunately, it looks like the 'main.sel' files included with SM v4.0 and up have been stripped of useful info. Darn. :-/
Edit 2: I had posted a question here on how to get the DOL loading in IDA Pro. After doing more digging and research, I eventually found out it's because I hadn't copied dol.ldw and gekkoPS.plw to my IDA 5.2 folder. Once I did that, voila it worked perfectly.
Cheers! :)
Edited 4 time(s). Last edit at 07/19/2009 09:22AM by Dteyn.
Sir_Kane's SEL Loader Plugin - SELLoader3.rar
Edit: Unfortunately, it looks like the 'main.sel' files included with SM v4.0 and up have been stripped of useful info. Darn. :-/
Edit 2: I had posted a question here on how to get the DOL loading in IDA Pro. After doing more digging and research, I eventually found out it's because I hadn't copied dol.ldw and gekkoPS.plw to my IDA 5.2 folder. Once I did that, voila it worked perfectly.
Cheers! :)
Edited 4 time(s). Last edit at 07/19/2009 09:22AM by Dteyn.
|
Re: Loading the System Menu into IDA Pro August 10, 2009 10:54PM | Admin Registered: 15 years ago Posts: 271 |
|
Re: Loading the System Menu into IDA Pro October 25, 2009 10:01PM | Registered: 14 years ago Posts: 2 |
Sorry, only registered users may post in this forum.