For those of you who don’t know, radare2 is a reverse engineering framework. It comes with a nice set of tools to help you visualize and document disassembled code. Read more about it here.

I recently implemented support for the V810 architecture, which means you can now use it to disassemble and analyse VB ROMs.
The assembler isn’t implemented though, so the code patching capabilities aren’t there. I could do it if there’s enough interest, but I have no plans at the moment.

Anyway, I thought I’d mention it here because someone might find it useful.

Attachments:

1. 

   vbradare2_1.png
   

2. 

   vbradare2_2.png
   

3. 

   vbradare2_3.png
   

Looks good danielps, thanks for sharing your work.

I was sent here from another VG Dev site. I’m curious if this can be used to rip the sound files from games and create a multitrack cart of all known VB sound files. Perhaps same for graphics library. Then we code it into a VB info cart with info on the games, BG’s, graphical assets, histories, etc.

Sounds cool. Will check it out later. I would definitely be interested in the code patching capabilities.

hildenbraugh wrote:
I was sent here from another VG Dev site. I’m curious if this can be used to rip the sound files from games and create a multitrack cart of all known VB sound files. Perhaps same for graphics library. Then we code it into a VB info cart with info on the games, BG’s, graphical assets, histories, etc.

I’m not into romhacking myself, but I think that it might work for your purpose, although with a lot of effort. It’s probably easier to use an emulator to dump sound memory or something, but I’m just guessing.

I was sent here from another VG Dev site. I’m curious if this can be used to rip the sound files from games and create a multitrack cart of all known VB sound files. Perhaps same for graphics library. Then we code it into a VB info cart with info on the games, BG’s, graphical assets, histories, etc.

Yes, that would make a great cart. If someone does the hacking, I’ll definitely build them.

MineStorm wrote:

I was sent here from another VG Dev site. I’m curious if this can be used to rip the sound files from games and create a multitrack cart of all known VB sound files. Perhaps same for graphics library. Then we code it into a VB info cart with info on the games, BG’s, graphical assets, histories, etc.

Yes, that would make a great cart. If someone does the hacking, I’ll definitely build them.

If such a cart were made, it would make all of my wildest, giddy little schoolboy dreams come true…

danielps wrote:
For those of you who don’t know, radare2 is a reverse engineering framework. It comes with a nice set of tools to help you visualize and document disassembled code. Read more about it here.

I recently implemented support for the V810 architecture, which means you can now use it to disassemble and analyse VB ROMs.
The assembler isn’t implemented though, so the code patching capabilities aren’t there. I could do it if there’s enough interest, but I have no plans at the moment.

Anyway, I thought I’d mention it here because someone might find it useful.

I never used radare2 so I just tried it a bit. I understand that your pull request has not been accepted yet? At least I could find the asm_v810.dll anywhere in the binaries package. Also changing the architecture with “e asm.arch=v810” didn’t work.

Could you maybe post it here so that I don’t have to compile it myself?

Other then that I managed to dissemble some functions from my test rom, just with the wrong architecture. This article helped a bit: http://canthack.org/2011/07/adventures-with-radare-1-a-simple-shellcode-analysis/

However, I’m overwhelmed by the amount of features that are there. Could you maybe just throw some basic commands/features at me so that I know how to get started?

The pull request has been accepted, but it’s not yet on a stable release. You can either build it from source or wait for a nightly at bin.rada.re.
AFAIK it doesn’t use any special dependencies on linux and you just build it using some bash scripts at sys/. I haven’t tried on Windows but it seems to use MinGW, so it should be similar.

Anyway, I’m not by any means a radare wizard, but I’ll try to explain the basics:
To set the architecture you can pass the argument “-a v810”.
For example, if you want to disassemble an instruction:

$ rasm2 -a v810 -d 5f45

will disassemble 0x455f as “add -1, r10”
To disassemble a file (more in the screenshot below):

r2 -a v810 rom.vb

If you’re not too comfortable with having to learn cryptic commands, the visual mode is a great place to start. There’s an intro to that here.

Once you’ve annotated stuff, renamed functions or whatever, save it as a project with:

Ps prj_name

and the next time, you can open it with:

$ r2 -p prj_name

For more complex stuff you should read the book and watch radare.tv.

Attachments:

1. 

   snatcher_disasm.png
   

danielps wrote:
The pull request has been accepted, but it’s not yet on a stable release. You can either build it from source or wait for a nightly at bin.rada.re.

Totally missed the link to the nightly build. Works great, Thanks. Makes reading asm much easier then using the mednafen debug feature.

The code patching capabilities would be an great addition for me. But I guess only a handful others would use it.

I saw your video running my Snatcher demo on a 3DS btw. Cool stuff.

An update on this.

I’ve added ESIL support for V810. ESIL is an intermediate language that can be easily generated, parsed and interpreted. There’s a more detailed explanation here but basically, it can decode instructions into a common language and then emulate them. For example, “add r2, r5” would be translated into “r1,r2,+=” and “movhi 0x701, r0, r1” would be “16,0×701,<<,r0,+,r1,=". The interesting part about this is that it can be used to emulate VB ROMs. It's not meant as a full-fledged emulator, but rather as a way to help with reverse engineering (it wont't do graphics, interrupts or system-specific stuff). It could also be used for code analysis and decompilation with stuff like radeco, although I haven’t gotten that to work.

Here’s a quick usage example. I’ve also recorded a demo here.

# Opens a ROM, maps it to 0x7000000, seeks to the end (in this case 0x71ffff0)
# and enables emulation
$> r2 -a v810 -F any -e asm.emu=true asm.emuwrite=true -m 0x7000000 -s 0x71ffff0 /path/to/rom.vb
# Allocates 0x10000 bytes and maps them to the VB RAM area (replace malloc... with
# /path/to/ramdump if you want to to work with a file)
[0x071ffff0]> o+ malloc://0x10000 0x5000000
[0x071ffff0]> af # Analyze and print the function
[0x071ffff0]> pdf
/ (fcn) fcn.071ffff0 16
|           0x071ffff0      20bc0007       movhi 0x700, r0, r1  ; r1=0x7000000 -> 0x501bc00
|           0x071ffff4      21a00000       movea 0x0, r1, r1    ; r1=0x7000000 -> 0x501bc00
|           0x071ffff8      0118           jmp [r1]             ; pc=0x7000000 -> 0x501bc00
|           0x071ffffa      0000           mov r0, r0           ; r0=0x0 
|           0x071ffffc      0000           mov r0, r0           ; r0=0x0 
\           0x071ffffe      0000           mov r0, r0           ; r0=0x0 
[0x071ffff0]> 3 aes # Steps 3 instructions
[0x07000000]> af
[0x07000000]> pdf
            ;-- r1:
/ (fcn) pc 168
|           0x07000000      60bc0105       movhi 0x501, r0, r3  ; r3=0x5010000 -> 0xffffff00
|           0x07000004      63a0c0ff       movea 0xffc0, r3, r3 ; r3=0x500ffc0 r3
|           0x07000008      80bc0105       movhi 0x501, r0, r4  ; r4=0x5010000 -> 0xffffff00
|           0x0700000c      84a00080       movea 0x8000, r4, r4 ; r4=0x5008000 r4
|           0x07000010      0570           ldsr PSW, r0
|           0x07000012      1870           ldsr CHCW, r0
|           0x07000014      c0a00020       movea 0x2000, r0, r6 ; r6=0x2000 -> 0xffffff00
|       .-> 0x07000018      df44           add -1, r6           ; r6=0x1fff -> 0xffffff00
|       `=< 0x0700001a      fe95           bne -2               ; pc=0x71ffff6 -> 0x18010000
|           0x0700001c      c0bc0607       movhi 0x706, r0, r6  ; r6=0x7060000 -> 0xffffff00
|           0x07000020      c6a0502d       movea 0x2d50, r6, r6 ; r6=0x7062d50 -> 0x2010000
# ...
[0x07000000]> aesu 0x700001c # Step until 0x700001c, right after the loop
ADDR BREAK
[0x07000000]> ar=
  r0 0x00000000      r1 0x07000000      r2 0x00000000      r3 0x0500ffc0
  r4 0x05008000      r5 0x00000000      r6 0x00000000      r7 0x00000000
  r8 0x00000000      r9 0x00000000     r10 0x00000000     r11 0x00000000
 r12 0x00000000     r13 0x00000000     r14 0x00000000     r15 0x00000000
 r16 0x00000000     r17 0x00000000     r18 0x00000000     r19 0x00000000
 r20 0x00000000     r21 0x00000000     r22 0x00000000     r23 0x00000000
 r24 0x00000000     r25 0x00000000     r26 0x00000000     r27 0x00000000
 r28 0x00000000     r29 0x00000000     r30 0x00000000     r31 0x00000000
  pc 0x0700001c     psw 0x00000000
[0x07000000]> V # Go into visual mode ('pp' to show the debug layout and 's' to step)

If anyone wants to give it a try, you’ll have to either build it from git or wait for the 0.10.1 stable release in about two weeks. If you find any issues, feel free to report them and I’ll try to fix them.