Retro Game Decompilation Using AI

Transcript

1. macabeus Retro Game Decompilation Using AI

2. let me tell a history

3. preamble For a long time, I loved to have fun

   working on reverse engineering games Reverse engineering games was always a playtime for me.
 Ragnarok Online was my fi rst sandbox.

4. preamble For a long time, I loved to have fun

   working on reverse engineering games Reverse engineering games was always a playtime for me.
 Ragnarok Online was my fi rst sandbox.

5. preamble A few years ago, I decided to work on

   Klonoa: Empire of Dreams

6. preamble A few years ago, I decided to work on

   Klonoa: Empire of Dreams

7. preamble

8. preamble

9. preamble Does someone here know Klonoa? 🙋🙋🙋

10. preamble As I expected… nobody 😅
 So, let’s talk about

    Super Mario 64 instead!

11. preamble As I expected… nobody 😅
 So, let’s talk about

    Super Mario 64 instead!

12. preamble This success was not only for players but also

    for hackers who were nerd-sniped.

13. preamble The community crafted amazing tools.
 For example, STROOP

14. preamble Another example is Mario Builder 64

15. preamble Another example is Mario Builder 64

16. preamble But the achievement most important for this talk is…

17. preamble And they even match decompiled the game itself! They

    match decompiled the game itself!

18. preamble

19. preamble

20. preamble

21. preamble

22. preamble What is matching decompilation? How is the work fl

    ow to decompile a game like Super Mario 64? Can AI be useful on matching decompilation?

23. preamble What is matching decompilation? How is the work fl

    ow to decompile a game like Super Mario 64? Can AI be useful on matching decompilation?

24. preamble What is matching decompilation? How is the work fl

    ow to decompile a game like Super Mario 64? Can AI be useful on matching decompilation?

25. Disassembly decompilation matching decompilation matching decompilation + ai

26. Disassembly decompilation matching decompilation matching decompilation + ai

27. Disassembly A disassembler is a tool that does the reverse

    process of an assembler. That is, it converts a binary back into assembly.

28. Disassembly 0x23 0xF3 0x80 0xFD 0x78 0x46 0x3C 0x30 0x00

    0x47 A disassembler is a tool that does the reverse process of an assembler. That is, it converts a binary back into assembly.

29. Disassembly 0x23 0xF3 0x80 0xFD 0x78 0x46 0x3C 0x30 0x00

    0x47 Disassembly ARMv4T
 (Thumb instructions) A disassembler is a tool that does the reverse process of an assembler. That is, it converts a binary back into assembly.

30. Disassembly 0x23 0xF3 0x80 0xFD 0x78 0x46 0x3C 0x30 0x00

    0x47 bl 08367610h mov r0, r15 add r0, 3Ch bx r0 Disassembly ARMv4T
 (Thumb instructions) A disassembler is a tool that does the reverse process of an assembler. That is, it converts a binary back into assembly.

31. Disassembly

32. Disassembly

33. rom hacking Disassembly

34. Disassembly Rom hacking

35. Disassembly Rom hacking ; adds the amount the player sold

    to their money AddAmountSoldToMoney:: ld de, wPlayerMoney + 2 ld hl, hMoney + 2 ; total price of items ld c, 3 ; length of money in bytes predef AddBCDPredef ; add total price to money ld a, MONEY_BOX ld [wTextBoxID], a call DisplayTextBoxID ; redraw money text box ld a, SFX_PURCHASE call PlaySoundWaitForCurrent jp WaitForSoundToFinish ; function to remove an item (in varying quantities) from the player's bag or PC box ; INPUT: ; HL = address of inventory (either wNumBagItems or wNumBoxItems) ; [wWhichPokemon] = index (within the inventory) of the item to remove ; [wItemQuantity] = quantity to remove RemoveItemFromInventory:: homecall RemoveItemFromInventory_ ret

36. Disassembly Rom hacking

37. Disassembly Rom hacking

38. Disassembly Rom hacking

39. Disassembly Rom hacking

40. Disassembly Rom hacking

41. Disassembly Rom hacking

42. Disassembly Rom hacking

43. Disassembly decompilation matching decompilation matching decompilation + ai

44. decompilation Binary Assembly Disassembler Higher-level code (e.g., C) Decompiler A

    decompiler is a program that performs the reverse process of a compiler.
 That is, it converts assembly back into a higher-level language

45. decompilation

46. decompilation

47. decompilation

48. decompilation

49. Disassembly decompilation matching decompilation matching decompilation + ai

50. matching decomp. Build the level editor Decompile

51. matching decomp. Build the level editor The decompilation is a

    mean for the project Decompile

52. matching decomp. And what if… the decompilation is the goal

    of a project? Build the level editor The decompilation is a mean for the project Decompile

53. matching decomp. Decompile Readable code that generates the same binary

    The decompilation itself is the goal for the project The decompilation is a mean for the project Build the level editor Decompile

54. matching decomp. It’s matching decompilation! Decompile Readable code that generates

    the same binary The decompilation itself is the goal for the project

55. matching decomp. Matching decompilation is when the goal is
 to

    rewrite the code from a binary - using a
 high-level language and having a readable code - that, when compiled, it generates a binary that matches the original one Decompile Readable code that generates the same binary The decompilation itself is the goal for the project

56. matching decomp. The code generated from Ghidra isn’t ready for

    matching decompilation

57. matching decomp. The code generated from Ghidra isn’t ready for

    matching decompilation

58. overview matching decompilation

59. matching decomp. OoT MQ debug N64 ROM .z65 fi OoT

    Decomp github.com/zeldaret/oot Game assets (texturas, models…) Build process (how to assemble the ROM from the assets and code) Game code (physics, logic…) Match OoT MQ debug N64 rom .z65 fi

60. matching decomp. .z65 fi OoT Decomp github.com/zeldaret/oot Game assets (textures,

    models…) Build process (how to assemble the ROM from the assets and code) Game code (physics, logic…) OoT MQ debug N64 rom .z65 fi OoT MQ debug N64 ROM Match

61. matching decomp. .z65 fi OoT Decomp github.com/zeldaret/oot Game assets (textures,

    models…) Build process (how to assemble the ROM from the assets and code) Game code (physics, logic…) OoT MQ debug N64 rom .z65 fi OoT MQ debug N64 ROM Match

62. matching decomp. .z65 fi OoT Decomp github.com/zeldaret/oot Game assets (textures,

    models…) Build process (how to assemble the ROM from the assets and code) Game code (physics, logic…) OoT MQ debug N64 rom .z65 fi OoT MQ debug N64 ROM Match

63. matching decomp. .z65 fi OoT Decomp github.com/zeldaret/oot Game assets (textures,

    models…) Build process (how to assemble the ROM from the assets and code) Game code (physics, logic…) OoT MQ debug N64 rom .z65 fi OoT MQ debug N64 ROM Match

64. matching decomp. .z65 fi OoT Decomp github.com/zeldaret/oot Game assets (textures,

    models…) Build process (how to assemble the ROM from the assets and code) Game code (physics, logic…) OoT MQ debug N64 rom .z65 fi le OoT MQ debug N64 ROM Match

65. matching decomp. .z65 fi OoT Decomp github.com/zeldaret/oot Game assets (textures,

    models…) Build process (how to assemble the ROM from the assets and code) Game code (physics, logic…) OoT MQ debug N64 rom .z65 fi le OoT MQ debug N64 ROM Match

66. tools matching decompilation

67. matching decomp. tools objdiff

68. matching decomp. tools

69. matching decomp. tools

70. matching decomp. tools

71. matching decomp. tools

72. matching decomp. tools The target assembly

73. matching decomp. tools Your code in C

74. matching decomp. tools The assembly from your C code

75. matching decomp. tools Di ff s between the target assembly

    and the one from the C code

76. matching decomp. tools Matching rate

77. quick walkthrough matching decompilation

78. matching decomp. walkthrough glabel func_8087828C /* 0012C 8087828C AFA50004 */

    sw $a1, 0x0004($sp) /* 00130 80878290 84820168 */ lh $v0, 0x0168($a0) ## 00000168 /* 00134 80878294 24010001 */ addiu $at, $zero, 0x0001 ## $at = 00000001 /* 00138 80878298 3C0E8016 */ lui $t6, 0x8016 ## $t6 = 80160000 /* 0013C 8087829C 1441000B */ bne $v0, $at, .L808782CC /* 00140 808782A0 24030002 */ addiu $v1, $zero, 0x0002 ## $v1 = 00000002 /* 00144 808782A4 95CEF566 */ lhu $t6, -0x0A9A($t6) ## 8015F566 /* 00148 808782A8 3C188088 */ lui $t8, %hi(func_80878300) ## $t8 = 80880000 /* 0014C 808782AC 27188300 */ addiu $t8, $t8, %lo(func_80878300) ## $t8 = 80878300 /* 00150 808782B0 31CF0040 */ andi $t7, $t6, 0x0040 ## $t7 = 00000000 /* 00154 808782B4 15E00005 */ bne $t7, $zero, .L808782CC /* 00158 808782B8 00000000 */ nop /* 0015C 808782BC 24030002 */ addiu $v1, $zero, 0x0002 ## $v1 = 00000002 /* 00160 808782C0 A4830178 */ sh $v1, 0x0178($a0) ## 00000178 /* 00164 808782C4 03E00008 */ jr $ra /* 00168 808782C8 AC980164 */ sw $t8, 0x0164($a0) ## 00000164 .L808782CC: /* 0016C 808782CC 14620005 */ bne $v1, $v0, .L808782E4 /* 00170 808782D0 3C198088 */ lui $t9, %hi(func_80878300) ## $t9 = 80880000 /* 00174 808782D4 27398300 */ addiu $t9, $t9, %lo(func_80878300) ## $t9 = 80878300 /* 00178 808782D8 A4830178 */ sh $v1, 0x0178($a0) ## 00000178 /* 0017C 808782DC 03E00008 */ jr $ra /* 00180 808782E0 AC990164 */ sw $t9, 0x0164($a0) ## 00000164 .L808782E4: /* 00184 808782E4 04410004 */ bgez $v0, .L808782F8 /* 00188 808782E8 3C088088 */ lui $t0, %hi(func_808783D4) ## $t0 = 80880000 /* 0018C 808782EC 250883D4 */ addiu $t0, $t0, %lo(func_808783D4) ## $t0 = 808783D4 /* 00190 808782F0 A4830178 */ sh $v1, 0x0178($a0) ## 00000178 /* 00194 808782F4 AC880164 */ sw $t0, 0x0164($a0) ## 00000164 .L808782F8: /* 00198 808782F8 03E00008 */ jr $ra /* 0019C 808782FC 00000000 */ nop

79. matching decomp. walkthrough s16 func_8087828C(void *arg0, s32 arg1) { if

    (arg0->unk168 == 1) { if ((*(void *)0x8015F566 & 0x40) == 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } } if ((u16)2 == arg0->unk168) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } if (arg0->unk168 < 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_808783D4; } return arg0->unk168; }

80. matching decomp. walkthrough s16 func_8087828C(void *arg0, s32 arg1) { if

    (arg0->unk168 == 1) { if ((*(void *)0x8015F566 & 0x40) == 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } } if ((u16)2 == arg0->unk168) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } if (arg0->unk168 < 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_808783D4; } return arg0->unk168; } static void func_8087828C( BgGateShutter* this, GlobalContext* globalCtx ) { if (this->unk_168 == 1) { if (!(gSaveContext.inf_table[7] & 0x40)) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } } if (this->unk_168 == 2) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } if (this->unk_168 < 0) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_808783D4; } }

81. matching decomp. walkthrough s16 func_8087828C(void *arg0, s32 arg1) { if

    (arg0->unk168 == 1) { if ((*(void *)0x8015F566 & 0x40) == 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } } if ((u16)2 == arg0->unk168) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } if (arg0->unk168 < 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_808783D4; } return arg0->unk168; } s16 return arg0->unk168; static void func_8087828C( BgGateShutter* this, GlobalContext* globalCtx ) { if (this->unk_168 == 1) { if (!(gSaveContext.inf_table[7] & 0x40)) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } } if (this->unk_168 == 2) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } if (this->unk_168 < 0) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_808783D4; } } static void BgGateShutter* this, GlobalContext* globalCtx

82. matching decomp. walkthrough s16 func_8087828C(void *arg0, s32 arg1) { if

    (arg0->unk168 == 1) { if ((*(void *)0x8015F566 & 0x40) == 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } } if ((u16)2 == arg0->unk168) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } if (arg0->unk168 < 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_808783D4; } return arg0->unk168; } if ((*(void *)0x8015F566 & 0x40) == 0) { if (!(gSaveContext.inf_table[7] & 0x40)) { static void func_8087828C( BgGateShutter* this, GlobalContext* globalCtx ) { if (this->unk_168 == 1) { if (!(gSaveContext.inf_table[7] & 0x40)) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } } if (this->unk_168 == 2) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } if (this->unk_168 < 0) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_808783D4; } }

83. matching decomp. walkthrough s16 func_8087828C(void *arg0, s32 arg1) { if

    (arg0->unk168 == 1) { if ((*(void *)0x8015F566 & 0x40) == 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } } if ((u16)2 == arg0->unk168) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } if (arg0->unk168 < 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_808783D4; } return arg0->unk168; } (u16)2; (u16)2 (u16)2; (u16)2 static void func_8087828C( BgGateShutter* this, GlobalContext* globalCtx ) { if (this->unk_168 == 1) { if (!(gSaveContext.inf_table[7] & 0x40)) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } } if (this->unk_168 == 2) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } if (this->unk_168 < 0) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_808783D4; } } 2; 2 2 2

84. matching decomp. walkthrough s16 func_8087828C(void *arg0, s32 arg1) { if

    (arg0->unk168 == 1) { if ((*(void *)0x8015F566 & 0x40) == 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } } if ((u16)2 == arg0->unk168) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } if (arg0->unk168 < 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_808783D4; } return arg0->unk168; } static void func_8087828C( BgGateShutter* this, GlobalContext* globalCtx ) { if (this->unk_168 == 1) { if (!(gSaveContext.inf_table[7] & 0x40)) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } } if (this->unk_168 == 2) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } if (this->unk_168 < 0) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_808783D4; } } (u16)2 == arg0->unk168) (this->unk_168 == 2)

85. matching decomp. walkthrough s16 func_8087828C(void *arg0, s32 arg1) { if

    (arg0->unk168 == 1) { if ((*(void *)0x8015F566 & 0x40) == 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } } if ((u16)2 == arg0->unk168) { arg0->unk178 = (u16)2; arg0->unk164 = &func_80878300; return arg0->unk168; } if (arg0->unk168 < 0) { arg0->unk178 = (u16)2; arg0->unk164 = &func_808783D4; } return arg0->unk168; } static void func_8087828C( BgGateShutter* this, GlobalContext* globalCtx ) { if (this->unk_168 == 1) { if (!(gSaveContext.inf_table[7] & 0x40)) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } } if (this->unk_168 == 2) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } if (this->unk_168 < 0) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_808783D4; } }

86. matching decomp. walkthrough static void func_8087828C( BgGateShutter* this, GlobalContext* globalCtx

    ) { if (this->unk_168 == 1) { if (!(gSaveContext.inf_table[7] & 0x40)) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } } if (this->unk_168 == 2) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_80878300; return; } if (this->unk_168 < 0) { this->unk_178 = 2; this->actionFunc = (ActorFunc)func_808783D4; } } void func_8087828C( BgGateShutter* this, PlayState* play ) { if ( this->openingState == 1 && !GET_INFTABLE(INFTABLE_76) ) { this->unk_178 = 2; this->actionFunc = func_80878300; } else if (this->openingState == 2) { this->unk_178 = 2; this->actionFunc = func_80878300; } else if (this->openingState < 0) { this->unk_178 = 2; this->actionFunc = func_808783D4; } }

87. matching decomp. walkthrough 100% 627 days Decompilation progress

88. beyond matching decompilation

89. matching decomp. beyond When we achieve 100% match for a

    game, it paves the way for new possibilities

90. matching decomp. beyond

91. matching decomp. beyond

92. matching decomp. beyond

93. matching decomp. beyond

94. matching decomp. beyond

95. matching decomp. beyond

96. matching decomp. beyond

97. matching decomp. beyond

98. matching decomp. beyond and these games?

99. matching decomp. beyond Let’s lower the bar!

100. Disassembly decompilation matching decompilation matching decompilation + ai

101. AI + matching decomp. I wanted to continue working on

     Klonoa: Empire of Dreams. After building the level editor, the next challenge would be decompiling the game

102. AI + matching decomp. But it’s a Gameboy Advance game.


     It isn’t a very popular platform on the decomp community

103. AI + matching decomp. So, as a way to learn

     decompilation, I decided to help on decompile Sonic Advance 3

104. AI + matching decomp. Akatento Aotento Decompiled enemies: My target:

     Marun Gaogao Minimole …

105. AI + matching decomp. Akatento Aotento Decompiled enemies: My target:

     Marun Gaogao Minimole …

106. AI + matching decomp. And although I got to decompile

     the fi rst function…

107. AI + matching decomp. And although I got to decompile

     the fi rst function… …this process was very time consuming

108. AI + matching decomp. But then, I started to wonder

     “this process looks like a lot as fi nding patterns”… Akatento Aotento Marun

109. AI + matching decomp. Akatento Aotento Marun But then, I

     started to wonder “this process looks like a lot as fi nding patterns”… and AI excels at pattern matching!

110. AI + matching decomp. Early Jan 2025 Sonnet 3.5

111. AI + matching decomp.

112. AI + matching decomp.

113. AI + matching decomp.

114. AI + matching decomp.

115. AI + matching decomp. 96% match!

116. AI + matching decomp. Then, I focused on prompt re

     fi nement: • Adding examples from the other enemies • Including more context in the prompt

117. AI + matching decomp. Then, I focused on prompt re

     fi nement: • Adding examples from the other enemies • Including more context in the prompt But I didn’t had a good result as the fi rst one…

118. AI + matching decomp. January 20th, 2025 R1

119. AI + matching decomp.

120. AI + matching decomp. 74% match (but easy to fi

     nish)

121. AI + matching decomp. Akatento Aotento Decompiled enemies: My target:

     Marun Gaogao Minimole … Finished after many prompts on DeepSeek R1 and a good PR review

122. AI + matching decomp. Akatento Aotento Decompiled enemies: My target:

     Gaogao Minimole … Marun Kyacchaa

123. AI + matching decomp. Akatento Aotento Decompiled enemies: My target:

     Gaogao Minimole … Marun Kyacchaa Next target, but now using Claude Sonnet 4

124. AI + matching decomp. May 2025 Sonnet 4

125. AI + matching decomp. Function Match Rate Di ffi culty

     to Finish CreateEntity_Kyacchaa 99% Easy sub_806599C 85% Medium sub_8065A8C 95% Easy sub_8065B0 85% Easy sub_8065B90 91% Hard sub_8065C48 61% Hard sub_8065E48 90% Easy sub_8065EB0 91% Easy Task_Kyacchaa 99-100% Easy sub_8065F5C 99-100% Easy sub_8065F30 99-100% Easy sub_8065CE0 99-100% Easy sub_8065F10 99-100% Easy TaskDestructor_Kyacchaa 99-100% Easy

126. AI + matching decomp. Function Match Rate Di ffi culty

     to Finish CreateEntity_Kyacchaa 99% Easy sub_806599C 85% Medium sub_8065A8C 95% Easy sub_8065B0 85% Easy sub_8065B90 91% Hard sub_8065C48 61% Hard sub_8065E48 90% Easy sub_8065EB0 91% Easy Task_Kyacchaa 99-100% Easy sub_8065F5C 99-100% Easy sub_8065F30 99-100% Easy sub_8065CE0 99-100% Easy sub_8065F10 99-100% Easy TaskDestructor_Kyacchaa 99-100% Easy

127. AI + matching decomp. Kappa: The VS Code extension designed

     to help on matching decompilation

128. AI + matching decomp. It wires decompilation tools on
 VS

     Code It provides AI-powered features for decompilation on the top of VS Code As the result, it lower the bar to help on decompilation projects

129. kappa: decomp.me integration matching decompilation

130. None
131. None

132. kappa: decomp-permuter integration matching decompilation

133. None
134. None

135. kappa: objdiff integration matching decompilation

136. None

137. kappa: agent mode matching decompilation

138. AI + matching decomp.

139. AI + matching decomp.

140. kappa: Scatter Chart matching decompilation

141. None

142. wrapping up

143. wrapping up

144. wrapping up

145. wrapping up

146. wrapping up

147. wrapping up

148. BRUNO MACABEUS Software Engineer @animaapp gambiconf organizer @macabeus @bmacabeus