This page is a mirror of Tepples' nesdev forum mirror (URL TBD).
Last updated on Oct-18-2019

The art of reverse engineering?
by on (#123143)
There are a few guys out there who have disassembled (and commented) entire NES games. Metroid and Super Mario Bros come to mind. Probably more exist.
This sounds like a huge task for a mortal like myself. Does anyone know, is there a special technique involved in this process, or is it just people with too much time to spare who are doing this? :)
I'm just curious how they're doing it.
Re: The art of reverse engineering?
by on (#123145)
First thing to do is figure out where the variables are, and what they do. You can use a cheat finder for that, or just poke around, or freeze bytes in memory.
Once you know what the variables do, your disassemblies now have symbol names instead of numbers, so you have a much easier time guessing what the surrounding code does.
Re: The art of reverse engineering?
by on (#123146)
What kind of tools would allow this?

EDIT: Just noticed FCEUX can create symbolic names. But is there a disassembler that can make use of this data?
Re: The art of reverse engineering?
by on (#123149)
Just write simple text replacement tools to substitute your variables for the addresses.

You should also play through the game thoroughly and create a code/data log before you use your disassembler.
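The "simple text replacement tool" suggested above, written here as an added example (not code from the thread or from FCEUX): it reads names in FCEUX's .nl name-file line format (`$addr#name#comment`), then rewrites a disassembly listing so that operand addresses become symbol names while immediates (`#$10`), the instruction address at the start of each line, and raw opcode bytes are left alone. The symbol file and listing are constructed samples, not from any real game.

```python
import re

# Constructed sample in FCEUX .nl name-file line format ($addr#name#comment); not a real game's symbols.
SYMBOLS_NL = """\
$0010#playerX#horizontal position in pixels
$0011#playerY#vertical position in pixels
$0300#lives#remaining lives
$2007#PPUDATA#PPU data port
"""

# Constructed sample disassembly listing (instruction address, raw bytes, mnemonic, operand).
LISTING = """\
$C000: A5 10     LDA $10
$C002: 18        CLC
$C003: 69 10     ADC #$10
$C005: 85 10     STA $10
$C007: AD 00 03  LDA $0300
$C00A: BD 11 00  LDA $0011,X
$C00D: 8D 07 20  STA $2007
"""

def parse_nl(text):
    """Return {address: name} from .nl lines of the form $addr#name#comment."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('$') or '#' not in line:
            continue                      # blank line or not a symbol line
        addr_hex, name = line[1:].split('#')[:2]
        table[int(addr_hex, 16)] = name   # $10 and $0010 both map to 0x10
    return table

# An operand address: '$' followed by 2-4 hex digits, but not an immediate (#$10),
# not the instruction address that opens the line ($C000:), and not part of a longer hex run.
OPERAND_RE = re.compile(r'(?<![#$\w])\$([0-9A-Fa-f]{2,4})(?![0-9A-Fa-f:])')

def symbolize(listing, table):
    """Replace operand addresses present in `table` with their names; leave everything else untouched."""
    def repl(match):
        return table.get(int(match.group(1), 16), match.group(0))
    return '\n'.join(OPERAND_RE.sub(repl, line) for line in listing.splitlines())

if __name__ == '__main__':
    print(symbolize(LISTING, parse_nl(SYMBOLS_NL)))
```

Addresses without a name (here `$1234`) are passed through unchanged, so the output stays a valid listing even with a partial symbol table.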
Re: The art of reverse engineering?
by on (#123152)
I've uploaded the latest disassembly of Battletoads. ... isAssemble
The format is IDB (IDA Pro). For people who, on principle, can't get the leaked IDA version, I've made different outputs: *.asm, HTML and something else.

And about techniques: for the initial disasm you can use scripts; there's a video of using them on my channel:
These scripts exist in the folder 'scripts' on the feos-tas svn, but they're for ANROM; if you need MMC3 or something else you should edit them.
They were used for the romhack "Battletoads - Dark Queen Rematch", and some others.

Then continue the disasm by finding variables (like lives, coordinates) by cheat search.
And at last, name functions.

Good luck!
Re: The art of reverse engineering?
by on (#123170)
Bisqwit wrote an amazing tool he called clever-disasm as part of his nescom tools. It's a tracing disassembler that takes a simple specification language for hints when it gets confused.

For simple programs it does the job almost entirely by itself; for more complex ones I usually find I only need to add 30-50 hints to get a usable output.

Mapper support is somewhat limited, however, and some issues require source diving/changing.
Re: The art of reverse engineering?
by on (#123229)
Start with graphical output and work backwards. You can knock out a lot of code just looking at the system I/O accesses and following the trail until the data format becomes apparent (disassemblies need to come with a data format bible - that helps understanding the code a lot more than scattershot commenting). Well-known compression methods like Huffman and LZ77 are likely to show up in the code.
Re: The art of reverse engineering?
by on (#123231)
Would the one I made for Bananmos's music engine and the one I made for an NES FMV player be a good example of a data format bible?
Re: The art of reverse engineering?
by on (#123288)
Certainly. From the P-frame explanation, it sounds like the frame is stored in 4 bytes + (n changed rows * 2) + n changed 4x2 pixel segments.