-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathgraph_search.py
306 lines (283 loc) · 11.7 KB
/
graph_search.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
import re
import os
import struct
import subprocess
import random
from collections import defaultdict
from typing import List, Dict, Tuple, Set
US_PATH = '../pokeemerald'
def elf_funcs(elf_path: str, unknown=True) -> Dict[str, Tuple[int, int]]: # Find all functions in an ELF file
p = subprocess.run(f'readelf -s -W {elf_path}', stdout=subprocess.PIPE, encoding='utf-8',
shell=True)
lines = p.stdout.split('\n')
elf_reg = re.compile(r'\s*\d+:\s([a-fA-F0-9]{8})\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)')
symbols = {} # Map function names to (address, size tuples)
for line in lines:
m = elf_reg.match(line)
if m and m.group(3) == 'FUNC': # Collect functions
addr, size, dtype, bind, vis, ndx, name = m.groups()
is_unknown = name[:4] == 'sub_'
if unknown is not None and is_unknown != unknown:
continue
addr = int(addr, 16)
size = int(size)
symbols[name] = (addr-1, size)
if unknown is True:
unk_str = 'unknown '
elif unknown is False:
unk_str = 'known '
else:
unk_str = ''
print(f'Found {len(symbols)} {unk_str}functions')
return symbols
# Builds an "instruction graph"
# Maps instructions to a dictionary
# That dictionary maps following instructions, to the places they follow at
# So if you have:
# 0 MOV r0, r1
# 2 BX lr
# {(MOV r0, r1): {(BX lr): {2}}}
def build_graph(rom: str, symbols: Dict[str, Tuple[int, int]]) -> Dict[int, Dict[int, Set[int]]]:
graph = defaultdict(lambda: defaultdict(set))
with open(rom, 'rb') as f:
count = 0
print('Graphed 0 functions', end='')
for name, (addr, size) in symbols.items():
f.seek(addr & 0xfffffe)
data = f.read(size)
instrs = [t[0] for t in struct.iter_unpack('<H', data)] # Unpack instructions as ints
assert len(instrs) == size // 2
last = None
for i, instr in enumerate(instrs):
cursor = addr + 2*i # Address of current instruction
graph[last][instr].add(cursor)
graph[None][instr].add(cursor)
last = instr
count += 1
if count % 100 == 0:
pass
print(f'\rGraphed {count} functions', end='')
if not size:
continue
last = None
for i, instr in enumerate(instrs):
curr = addr + 2*i
positions = graph[last][instr]
assert curr in positions
last = instr
print(f'\rGraphed {count} functions')
return graph
def calc_sizes(map_path: str) -> Dict[int, int]: # Calculate the size of *addresses*. Crude asf
with open(map_path, 'r') as f:
lines = list(line for line in f)
sizes = {} # Maps addresses to their sizes
reg = re.compile(r'\s*(0x[\da-fA-F]+)')
for l1, l2 in zip(lines[:-1], lines[1:]):
m1 = reg.match(l1)
if not m1:
continue
m2 = reg.match(l2)
if not m2:
continue
addr1, addr2 = int(m1.group(1), 16), int(m2.group(1), 16)
if not addr1 & 0xff000000 == addr2 & 0xff000000 == 0x08000000: # Only pay attention to ROM addresses
continue
size = addr2 - addr1
sizes[addr1] = size
return sizes
def asm_funcs(asm_path: str, sizes: Dict[int, int], unknown=True) -> Dict[str, Tuple[int, int]]:
reg = re.compile(r'(\w+): @ (0x[\da-fA-F]+)')
symbols = {} # Maps names to (address, size) tuples
with open(asm_path, 'r') as f:
for line in f:
m = reg.match(line)
if m:
is_unknown = m.group(1).startswith('sub_')
if unknown != is_unknown: # Only want certain functions
continue
addr = int(m.group(2), 16)
if addr not in sizes:
continue
symbols[m.group(1)] = (addr, sizes[addr])
print(f'Found {len(symbols)} {"unknown" if unknown else "known"} JP functions')
return symbols
def match_instrs(instrs: List[int], graph): # Match a sequence of instructions
matches = []
if not instrs:
return []
for base in graph[None][instrs[0]]:
last = instrs[0]
# print(f'Try: {base:08x}')
match_len = 1
for match_len, instr in enumerate(instrs[1:], 1):
addr = base + 2*match_len
potential = graph[last][instr]
# print(f'{instr:04x} {addr:08x} {not sequence_break}')
if addr not in potential: # Sequence is broken
break
last = instr
matches.append((match_len, base))
matches.sort(reverse=True) # Get the best match
if len(instrs) >= 10 and matches and len(instrs)-1 == matches[0][0]: # Perfect match
if not any(t[0] == matches[0][0] for t in matches[1:]): # No other perfect matches
return matches[:1]
return matches
def decode(instrs: List[int]): # Primitive, unfinished THUMB decoder
for op in instrs:
print(f'{op:04x}', end=' ')
if op & 0xf800 == 0x1800: # Add/subtract
opcode = (op >> 9) & 3
codes = ('ADD', 'SUB', 'ADD', 'SUB')
val = (op >> 6) & 7
rs = (op >> 3) & 7
rd = op & 7
flag = 'r' if opcode < 2 else '#'
print(f'{codes[opcode]} r{rd},r{rs},{flag}{val}')
elif op & 0xe000 == 0: # Move shifted register
opcode = (op >> 11) & 3
codes = ('LSL', 'LSR', 'ASR')
offset = (op >> 6) & 31
rs = (op >> 3) & 7
rd = op & 7
print(f'{codes[opcode]} r{rd},r{rs},#{offset}')
elif op & 0xe000 == 0x2000: # Add/sub immediate
opcode = (op >> 11) & 3
codes = ('MOV', 'CMP', 'ADD', 'SUB')
rd = (op >> 8) & 7
nn = op & 255
print(f'{codes[opcode]} r{rd},#{nn}')
elif op & 0xfc00 == 0x4000: # ALU ops
opcode = (op >> 6) & 15
codes = ('AND', 'EOR', 'LSL', 'LSR', 'ASR', 'ADC', 'SBC', 'ROR',
'TST', 'NEG', 'CMP', 'CMN', 'ORR', 'MUL', 'BIC', 'MVN')
rs = (op >> 3) & 7
rd = op & 7
print(f'{codes[opcode]} r{rd}, r{rs}')
elif op & 0xf800 == 0x4800: # Load PC-relative
r = (op >> 8) & 7
print(f'LDR r{r} PC+{4*(op & 255)}')
elif op & 0xf200 == 0x5200: # Load register offset
opcode = (op >> 10) & 3
codes = ('STR', 'STB', 'LDR', 'LDB')
ro = (op >> 6) & 7
rb = (op >> 3) & 7
rd = op & 7
print(f'{codes[opcode]} r{rd},[r{rb},r{ro}]')
elif op & 0xe000 == 0x6000: # Load immediate offset
opcode = (op >> 11) & 3
codes = ('STR', 'LDR', 'STB', 'LDB')
nn = (op >> 6) & 31
if opcode < 2:
nn *= 4
rb = (op >> 3) & 7
rd = op & 7
print(f'{codes[opcode]} r{rd},[r{rb},#{nn}]')
elif op & 0xfc00 == 0x4400: # High register ops
opcode = (op >> 8) & 3
codes = ('ADD', 'CMP', 'MOV', 'NOP', 'BX')
MSBd = (op >> 7) & 1
MSBs = (op >> 6) & 1
rs = (op >> 3) & 7
rd = op & 7
rs |= MSBs << 3
rd += MSBd << 3
if opcode == 3:
flag = 'BLX' if MSBd else 'BX'
print(f'{flag} r{rs}')
else:
print(f'{codes[opcode]} r{rd},r{rs}')
else:
print()
def match_iter(instrs, graph, slices=10): # Iteratively try to find a match
matches = match_instrs(instrs, graph) # Try to match the entire sequence first
if len(matches) == 1: # One perfect match
return matches[0][1]
elif not matches: # No match anywhere
return None
potential = {t[1] for t in matches} # All potential matches
for _ in range(slices): # Slice the list randomly and search for matches
start = random.randint(1, len(instrs))
end = random.randint(1, len(instrs))
if start == end:
end += 1
elif end < start:
start, end = end, start
matches = match_instrs(instrs[start:end], graph)
new_set = {t[1]-2*start for t in matches}
potential = potential & new_set # Take intersection of old and new locations
if not potential:
return None
elif len(potential) == 1:
addr = potential.pop()
return addr
return None
def match_loop(rom: str, unknown, jp_known, us_known: dict, graph) -> Dict[str, str]: # Interactive
rv_known = {addr: name for name, (addr, size) in us_known.items() if name not in jp_known}
print(f'Pool: {len(rv_known)}')
keys = list(unknown.keys())
random.shuffle(keys)
unk_exp = re.compile(r'sub_[\dA-Fa-f]+')
replace: Dict[str, str] = {} # Maps old names to new names
# print('At any time, type "quit" to quit and replace all correct names')
match_count = 0
print('Matched 0 functions', end='', flush=True)
with open(rom, 'rb') as f:
for name in keys:
addr, size = unknown[name]
if not size:
continue
f.seek(addr & 0xfffffe)
data = f.read(size)
instrs = [t[0] for t in struct.iter_unpack('<H', data)]
for i in range(len(instrs)-1, -1, -1): # Try to remove trailing 'data'
if instrs[i] in (0x4770, 0x4700, 0x4708): # BX lr, BX r0, BX r1
instrs = instrs[:i+1]
break
# print(f'Trying {name} ({len(instrs)} instructions)')
match = match_iter(instrs, graph)
if match and match in rv_known:
if unk_exp.match(rv_known[match]): # Don't rename to an unknown function
continue
replace[name] = rv_known[match]
rv_known.pop(match) # Remove the match from the pool
match_count += 1
if match_count % 10 == 0:
print(f'\rMatched {match_count} functions', end='')
# print(f'Matched {name} ({addr:08x}) with {rv_known[match]} ({match:08x})')
# try:
# command = input('Replace? (y/N): ')
# except KeyboardInterrupt:
# command = 'N'
# if 'quit' in command:
# break
# elif command in ('y', 'Y'):
# replace[name] = rv_known[match]
print(f'\rMatched {match_count} functions')
return replace
def replace_names(asm_path: str, replace: Dict[str, str]): # Replace lines
with open(asm_path, 'r') as f_in:
count = 0
asm = f_in.read() # Read in the entire file
print(f'Replaced {count} names', end='', flush=True)
for old_name, new_name in replace.items():
asm = asm.replace(old_name, new_name)
count += 1
if count % 100 == 0:
print(f'\rReplaced {count} names', end='')
print(f'\rReplaced {count} names')
with open(asm_path, 'w') as f_out:
f_out.write(asm)
JP_MAP = 'pokeemeraldjp.map'
JP_ASM = os.path.join('asm', 'rom.s')
US_ELF = os.path.join('..', 'pokeemerald', 'pokeemerald.elf')
US_ROM = os.path.join('..', 'pokeemerald', 'pokeemerald.gba')
JP_ROM = 'pokeemerald_jp.gba'
JP_ELF = 'pokeemerald_jp.elf'
if __name__ == '__main__':
jp_unknown = elf_funcs(JP_ELF, True)
jp_known = elf_funcs(JP_ELF, False)
us_funcs = elf_funcs(US_ELF, None) # ALL functions, including unknown ones
graph = build_graph(US_ROM, us_funcs) # Build instruction graph
replace = match_loop(JP_ROM, jp_unknown, jp_known, us_funcs, graph)
if replace:
replace_names(JP_ASM, replace)