The day I
reverse
engineered
a Gameboy
Advance
game
With @ythecombinator
AND @macabeus
REVISITED
Slide 2
Slide 2 text
WTF?!
THE DAY I REVERSE ENGINEERED A GAMEBOY ADVANCE GAME
Slide 3
Slide 3 text
"""
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
soooo…
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
This is
macabeus
Slide 8
Slide 8 text
This is
MATHEUS
Slide 9
Slide 9 text
This is US
PLAYING
KLONOA
Slide 10
Slide 10 text
AND THIS
IS US
BORED
Slide 11
Slide 11 text
soooo…
Slide 12
Slide 12 text
WANTED
MORE
LEVELS TO
PLAY WITH
Slide 13
Slide 13 text
WANTED
DIFFERENT
LEVELS
Slide 14
Slide 14 text
soooo…
Slide 15
Slide 15 text
soooo…
Slide 16
Slide 16 text
soooo…AND THIS IS
KLONNOA
Slide 17
Slide 17 text
No content
Slide 18
Slide 18 text
No content
Slide 19
Slide 19 text
http://bit.ly/balccon-gba-code
Slide 20
Slide 20 text
Stretching
the bridge
THE DAY I REVERSE ENGINEERED A GAMEBOY ADVANCE GAME
Slide 21
Slide 21 text
https://www.nogba.com
Slide 22
Slide 22 text
https://www.hex-rays.com/products/ida
Slide 23
Slide 23 text
No content
Slide 24
Slide 24 text
No content
Slide 25
Slide 25 text
This is the tile ID. In
this example, all tiles
with the ID 9B are
exactly the bridge
part, which is the left
corner. 9A is the ID of
the continuous part of
the bridge.
Slide 26
Slide 26 text
This tells us where the
tile is stored in the
memory. In this
example, it is
at 0600F1AD.
Slide 27
Slide 27 text
https://www.coranac.com/tonc/text/hardware.htm
Slide 28
Slide 28 text
https://www.coranac.com/tonc/text/hardware.htm
The address found is
expected 0600F1AD given
that everything
between 0600 and 0601
is part of the section
known as VRAM.
Slide 29
Slide 29 text
Our bridge starts here!
Slide 30
Slide 30 text
And now we grow it bigger!
WTF??!
Slide 31
Slide 31 text
Understanding
the DMA
THE DAY I REVERSE ENGINEERED A GAMEBOY ADVANCE GAME
Slide 32
Slide 32 text
VRAM pulls the tilemap
containing exactly
what the player has
to see from somewhere
else that has the
entire thing.
Slide 33
Slide 33 text
https://www.coranac.com/tonc/text/regbg.htm
Slide 34
Slide 34 text
https://www.coranac.com/tonc/text/regbg.htm
Direct Memory Access
Slide 35
Slide 35 text
https://www.coranac.com/tonc/text/regbg.htm
It is a feature of computer
systems that allows certain
hardware subsystems to access
main system memory (random-
access memory), independent of
the CPU
Slide 36
Slide 36 text
https://www.coranac.com/tonc/text/regbg.htm
tldr; a faster copy and
paste
DMA3: 03000900 0600E000 80000400
DMA3: 03001100 0600E800 80000400
DMA3: 03004DB0 0600F000 80000200
DMA3: 03004800 07000000 84000048
The closest to the bytes
of our bridge (0600F1AD).
Slide 39
Slide 39 text
DMA3: 03000900 0600E000 80000400
DMA3: 03001100 0600E800 80000400
DMA3: 03004DB0 0600F000 80000200
DMA3: 03004800 07000000 84000048
This address is the VRAM
data source. It’s located
in a region called Fast
WRAM.
Slide 40
Slide 40 text
No content
Slide 41
Slide 41 text
Our bridge starts here!
Slide 42
Slide 42 text
Stretching it…
…It works!
And…
Slide 43
Slide 43 text
Stretching it…
…It works!
And…
WTF??!
Slide 44
Slide 44 text
Our extra tiles
disappear when out of
the player vision
range.
Slide 45
Slide 45 text
LET’S TALK
ABOUT
PHYSICS
THE DAY I REVERSE ENGINEERED A GAMEBOY ADVANCE GAME
Slide 46
Slide 46 text
Object
Attribute
Memory
Slide 47
Slide 47 text
OAM
Slide 48
Slide 48 text
No content
Slide 49
Slide 49 text
This is the
address in
which Klonoa
is stored on
the memory
DMA3: 03000900 0600E000 80000400
DMA3: 03001100 0600E800 80000400
DMA3: 03004DB0 0600F000 80000200
DMA3: 03004800 07000000 8400003E
We can see exactly the byte
that writes on Klonoa’s
object (03004800).
Slide 52
Slide 52 text
DMA3: 03000900 0600E000 80000400
DMA3: 03001100 0600E800 80000400
DMA3: 03004DB0 0600F000 80000200
DMA3: 03004800 07000000 8400003E
We can see exactly the
byte that writes on
Klonoa’s OAM (03004800).
Slide 53
Slide 53 text
No content
Slide 54
Slide 54 text
No content
Slide 55
Slide 55 text
No content
Slide 56
Slide 56 text
1
2
Slide 57
Slide 57 text
No content
Slide 58
Slide 58 text
No content
Slide 59
Slide 59 text
No content
Slide 60
Slide 60 text
No content
Slide 61
Slide 61 text
No content
Slide 62
Slide 62 text
Here is where Y fixes
Klonoa’s position
Here is where which
decides if should fix
or not Klonoa’s
position
Slide 63
Slide 63 text
No content
Slide 64
Slide 64 text
https://www.coranac.com/tonc/text/hardware.htm
Slide 65
Slide 65 text
https://www.coranac.com/tonc/text/hardware.htm
Slide 66
Slide 66 text
No content
Slide 67
Slide 67 text
Let’s find
the
tilemap on
rom
THE DAY I REVERSE ENGINEERED A GAMEBOY ADVANCE GAME
Slide 68
Slide 68 text
Cartridge Fast WRAM Display
Slow WRAM VRAM
> > > >
The data flow
Slide 69
Slide 69 text
Cartridge
Fast WRAM
Display VRAM Slow WRAM
> > > >
Our research flow
Slide 70
Slide 70 text
swi 11h
what?
Slide 71
Slide 71 text
Swi
Slide 72
Slide 72 text
SoftWare
Interrupt
Slide 73
Slide 73 text
SoftWare
Interrupt
=
Bios
calls
Slide 74
Slide 74 text
BIOS is a firmware that is intended to
initialise the physical components of
the system
In GBA, its BIOS exposes many functions
often used in games, including data
compression and decompression
Each function has an associated numeric
code, which must be used as a parameter
in the SWI statement
Slide 75
Slide 75 text
Input:
How division works on ARM Assembly swi 0x06
R0
numerator
R1
denominator
R0
numerator / denominator
R1
numerator % denominator
R3
abs(numerator / denominator)
Output:
Slide 76
Slide 76 text
No content
Slide 77
Slide 77 text
Huffman + lz77 = deflate
Slide 78
Slide 78 text
No content
Slide 79
Slide 79 text
No content
Slide 80
Slide 80 text
No content
Slide 81
Slide 81 text
No content
Slide 82
Slide 82 text
6E 6E 6E B0 B1 BD
77 AB B3 AB B3 7C
6E 6E 6E 6E 6E 6E
6E 6E 7C 6E 6E 6E
6E 7C 6E 6E
Slide 83
Slide 83 text
6E 6E 6E B0 B1 BD
77 AB B3 AB B3 7C
6E 6E 6E 6E 6E 6E
6E 6E 7C 6E 6E 6E
6E 7C 6E 6E
6E 6E 6E B0 B1 BD
77 AB B3 AB B3 7C
6E 6E 6E 6E 6E 6E
6E 6E 7C 6E 6E 6E
6E 7C 6E 6E
Slide 84
Slide 84 text
6E 6E 6E B0 B1 BD
77 AB B3 AB B3 7C
6E 6E 6E 6E 6E 6E
6E 6E 7C 6E 6E 6E
6E 7C 6E 6E
6E 6E 6E B0 B1 BD
77 AB B3 AB B3 7C
6E 6E 6E 6E 6E 6E
6E 6E 7C 6E 6E 6E
6E 7C 6E 6E
=
Slide 85
Slide 85 text
Let’s paint
the
tilemap
THE DAY I REVERSE ENGINEERED A GAMEBOY ADVANCE GAME
x x x x a x x x x
x x x x b x x x x
I’m on tile a
x x x x a x x x x
x x x x b x x x x
From the tile a to b there are
9 bytes (= 9 tiles), so the
length of the tilemap is
exactly 9
Slide 91
Slide 91 text
No content
Slide 92
Slide 92 text
Breakpoint here
Slide 93
Slide 93 text
…is located here
This byte…
Slide 94
Slide 94 text
No content
Slide 95
Slide 95 text
As I change this byte…
Slide 96
Slide 96 text
…it reflects right here
Slide 97
Slide 97 text
No content
Slide 98
Slide 98 text
Changing these bytes…
Slide 99
Slide 99 text
…we drop Klonoa one level below
Slide 100
Slide 100 text
No content
Slide 101
Slide 101 text
Changing these bytes…
…we found the B tile!
Slide 102
Slide 102 text
020085DB
The length of the level is 420!
- 02008437 = 1A4 (420)
Slide 103
Slide 103 text
https://github.com/oliver-moran/jimp
Slide 104
Slide 104 text
const Jimp = require('jimp')
const { drop } = require('ramda')
const fs = require('fs')
const data = drop(3, fs.readFileSync('dump/level-2/tilemap'))
new Jimp(300, 600, (err, image) "# {
let x = 0
let y = 0
for (let i = 0; i < data.length; i += 1) {
const value = data[i]
x += 1
if (x === 300) {
y += 1
x = 0
}
let color = getPixelColor(value)
image.setPixelColor(color, x, y)
}
image.write('image.png')
})
Slide 107
Slide 107 text
No content
Slide 108
Slide 108 text
No content
Slide 109
Slide 109 text
No content
Slide 110
Slide 110 text
No content
Slide 111
Slide 111 text
No content
Slide 112
Slide 112 text
Let’s find
and paint
the objects
THE DAY I REVERSE ENGINEERED A GAMEBOY ADVANCE GAME
Each level is stored
continually in the memory
First Level
Second Level
Third Level
Slide 189
Slide 189 text
First Level
Second Level
Third Level
> Changes in
the first
level
Slide 190
Slide 190 text
First Level
Second Level
Third Level
>
Customised First Level
> Changes in
the first
level
Slide 191
Slide 191 text
Second Level
Third Level
First Level
Second Level
Third Level
>
Customised First Level
> Changes in
the first
level
Slide 192
Slide 192 text
Second Level
Third Level
First Level
Second Level
Third Level
>
Customised First Level
> Changes in
the first
level
Slide 193
Slide 193 text
No content
Slide 194
Slide 194 text
ARM
Thumb
Faster to execute
Instructions demands less memory
Can perform instructions more complex
Slide 195
Slide 195 text
The switch between ARM and Thumb must be
done by bx instruction.
And this instruction only can read a
register
Slide 196
Slide 196 text
Instructions to load a level
.
.
.
.
.
.
.
.
.
Very big hole space
at the end of cartridge
First Level__
Second Level__
Third Level__
081B27FC
081B3E5C
081B50AC
Instructions to load a level
Slide 197
Slide 197 text
First Level__
Second Level__
Third Level__
.
.
.
.
.
.
.
.
.
081B27FC
081B3E5C
081B50AC
Instructions to load a level
Customised First Level__
Customised level loader
Constant addresses map table
Hole
Customised Second Level__
Hole
Customised Third Level__
Hole
Hole
08367700
083686B0
08369380
Slide 198
Slide 198 text
Instructions to load a level 08367620 FC 27 1B 08
08367624 00 77 36 08
08367628 5C 3E 1B 08
0836762C B0 86 36 08
08367620 AC 50 1B 08
08367634 80 93 36 08
First Level__
Second Level__
Third Level__
.
.
.
.
.
.
.
.
.
081B27FC
081B3E5C
081B50AC
Customised First Level__
Customised level loader
Constant addresses map table
Hole
Customised Second Level__
Hole
Customised Third Level__
Hole
Hole
08367700
083686B0
08369380
Slide 199
Slide 199 text
Instructions to load a level 08367620 FC 27 1B 08
08367624 00 77 36 08
08367628 5C 3E 1B 08
0836762C B0 86 36 08
08367620 AC 50 1B 08
08367634 80 93 36 08
First Level__
Second Level__
Third Level__
.
.
.
.
.
.
.
.
.
081B27FC
081B3E5C
081B50AC
Customised First Level__
Customised level loader
Constant addresses map table
Hole
Customised Second Level__
Hole
Customised Third Level__
Hole
Hole
08367700
083686B0
08369380
Slide 200
Slide 200 text
Instructions to load a level 08367620 FC 27 1B 08
08367624 00 77 36 08
08367628 5C 3E 1B 08
0836762C B0 86 36 08
08367620 AC 50 1B 08
08367634 80 93 36 08
First Level__
Second Level__
Third Level__
.
.
.
.
.
.
.
.
.
081B27FC
081B3E5C
081B50AC
Customised First Level__
Customised level loader
Constant addresses map table
Hole
Customised Second Level__
Hole
Customised Third Level__
Hole
Hole
08367700
083686B0
08369380
Slide 201
Slide 201 text
Instructions to load a level 08367620 FC 27 1B 08
08367624 00 77 36 08
08367628 5C 3E 1B 08
0836762C B0 86 36 08
08367620 AC 50 1B 08
08367634 80 93 36 08
First Level__
Second Level__
Third Level__
.
.
.
.
.
.
.
.
.
081B27FC
081B3E5C
081B50AC
Customised First Level__
Customised level loader
Constant addresses map table
Hole
Customised Second Level__
Hole
Customised Third Level__
Hole
Hole
08367700
083686B0
08369380
Slide 202
Slide 202 text
Instructions to load a level (patched)
First Level__
Second Level__
Third Level__
.
.
.
.
.
.
.
.
.
081B27FC
081B3E5C
081B50AC
Customised First Level__
Customised level loader
Constant addresses map table
Hole
Customised Second Level__
Hole
Customised Third Level__
Hole
Hole
08367700
083686B0
08369380
Original loader
Patched loader
08043B0A mov r4,r0
08043B0C bl 08367610h
08043B10 bl 0805143Ch
08043B0A mov r4,r0
08043B0C add r0,r5,4
08043B0E mov r1,r4
08043B10 bl 0805143Ch
Slide 203
Slide 203 text
Instructions to load a level (patched)
First Level__
Second Level__
Third Level__
.
.
.
.
.
.
.
.
.
081B27FC
081B3E5C
081B50AC
Customised First Level__
Customised level loader
Constant addresses map table
Hole
Customised Second Level__
Hole
Customised Third Level__
Hole
Hole
08367700
083686B0
08369380
R0 is the pointer to where is
the tilemap that
will load
Original loader
Patched loader
08043B0A mov r4,r0
08043B0C bl 08367610h
08043B10 bl 0805143Ch
08043B0A mov r4,r0
08043B0C add r0,r5,4
08043B0E mov r1,r4
08043B10 bl 0805143Ch
Slide 204
Slide 204 text
Instructions to load a level (patched)
First Level__
Second Level__
Third Level__
.
.
.
.
.
.
.
.
.
081B27FC
081B3E5C
081B50AC
Customised First Level__
Customised level loader
Constant addresses map table
Hole
Customised Second Level__
Hole
Customised Third Level__
Hole
Hole
08367700
083686B0
08369380
Original loader
Patched loader
08043B0A mov r4,r0
08043B0C bl 08367610h
08043B10 bl 0805143Ch
08043B0A mov r4,r0
08043B0C add r0,r5,4
08043B0E mov r1,r4
08043B10 bl 0805143Ch
Slide 205
Slide 205 text
Instructions to load a level (patched)
First Level__
Second Level__
Third Level__
.
.
.
.
.
.
.
.
.
081B27FC
081B3E5C
081B50AC
Customised First Level__
Customised level loader
Constant addresses map table
Hole
Customised Second Level__
Hole
Customised Third Level__
Hole
Hole
08367700
083686B0
08369380
08367610 mov r0,r15
08367612 add r0,3Ch
08367614 bx r0