Leveling Up Ghidra: Learn Ghidra Plugins with a Game Boy Game

all right everyone we'll get started again uh so next up uh for our last uh talk at bides Boulder 2024 we have uh Jacob lonis uh who'll be presenting his talk on leveling up gidra learn gidra plugins with a Game Boy game so please give him a warm [Applause] welcome hello everybody can you hear me okay is that good awesome uh so hello thank you for for coming to this um this was kind of a an idea that just came out of nowhere and then the talk got accepted and I quickly had to figure out how to do it so it's it's a good time I promise um it really spawned from I talked to a lot of my friends who are

reverse engineers in the field and not a lot of people use gedra right like your company will either buy you Ida or Ida Pro and then that or binary ninjja seems to be the hot one right now um and everyone talks about how easy it is to write plugins for those and I wanted to see if it was really that bad with gidra it's not as bad as you think as long as you're okay with dealing Java um but as for who am I before we jump into it um my name is Jacob lonis I a senior software engineer on the threat research team at proofpoint uh so I do a lot of the development that basically makes the

researchers lives a bit easier um I write internal tooling whether that's command line tools full stack tools um any Tech stack that kind of fulfills the niche of what they're asking for I write um and manage and do Ops for unfortunately as well so that's fun but um that's what I do I'm currently residing in Boulder I just moved here and it's great I love it so thank you for letting me join uh and then what I do for fun other than write Game Boy plugins and gidra is I run I read I hike and I do some open source development so if you've used Yara X which is the rust rewrite of Yara if you've used the Macho

module I wrote a lot of that so if you use it and you like it good I'm happy um other than that if you've used the anything in the P python ecosystem like rough the lter formatter I've done some contributions there as well um super fast if you haven't tried it definitely check it out all right so the agenda for what we're going to do today um we're going to talk about what are gidra plugins uh there's we're going to dive into the gidra ecosystem itself kind of how it lays out in gidra uh we're going to talk about the possibilities of of what we can do with plugins we're going to actually show a lot of the code to write

the plugin and then we're going to do more uh a lot a lot more is when we dive into the Game Boy stuff um it's it's a lot of fun and before we start the one thing that I do want to say is that we will discuss a whole lot here today we won't have time to dive into every topic in every piece of code um there is an open source uh repository on GitHub if you go to github.com lonis um you'll see the GB analyzer repo so if you want to follow along and look at the code um while we're going through it you're more than welcome to it should be public and it's

uh it's fully published under the Apache 2.0 license so if you want to take it apart you know change it do whatever you'd like you're more than welcome to and as for the the General in introduction if you're not familiar with gidra it's an open source reverse engineering toolkit uh it's developed by the NSA because Idol licenses cost like a billion dollars each and they didn't want to buy them for everyone so they wrote gidra uh it's highly extensible and customizable just due to the nature of java and how you inherit and overwrite and all these fun things so we can actually take a lot of parts of the UI that have already been written and

kind of customize them into our own like pieces of of code and it's it's pretty it's pretty fun uh and it's also free the biggest part as I mentioned in the start is G is free so the barrier of Entry to get into this type of thing and writing plugins and supporting the ecosystem it's a lot easier than having to buy a license for something and then seeing if you want to do it or not as for getting started we're going to dive into the kind of the architecture and ecosystem of gidra this is not all-encompassing but it does cover the points that we're interested in today uh the core platform of gedra mainly consists of for this talk it's

it's more complex than this but for this talk we'll we'll simplify it uh there's the flat API so one of the things that the gidra developers did is they created this API that is a lot of the most commonly used pieces of gidra and they took it into like its own singular flat level so you don't have to go into a bunch of different modules and grab other things like you don't have to know that this is three levels deep in this module Etc it's all part of the flat API so if you've written any um scripting like gedra scripting in in Python you've used the flat API you just didn't know it um there's EXT oh goodness extensible

components so what that means is with Java you basically inherit a class and then you can modify it on top of that um and then there's the disassembler and decompiler which if you've used gedra or done any you're familiar with uh there's export modules we won't dive into that today but I feel like it's pretty cool to talk about because what you can do is you can write export modules to take the information that you're looking for or looking at in gidra and take it and put it somewhere else so if you have you know a workflow that that you is repeatable that you constantly take information out you can put it in somewhere else so whether that's just

Json um or any other type of file format you can write something to do that um as for scripting there's uh python which is backed by jython which allows you to tie into the Java side um and there's also it's written in you can have scripts written in Java as well um and this is what a lot of people do for Automation in gidra um when you look at like open source projects or uh gon like what people publish you'll notice there's a lot of scripting but there's not a lot of plugins and I think that's just because you can fire up Python and immediately like start do XYZ uh but in Java it's a little more complicated and

that's kind of the main motivation behind this talk is it's not as complex as it looks and then finally there's plugins so plugins are only written in Java um plugins are comprised of components there's about four main ones which we'll break into um and within those components you can fire actions or you can also talk to the flat API which would then do a lot of the things that you can also do in plugins or in scripting and I'm just going to break this down in a little bit simpler terms so you can easily clarify the difference between scripting and plugins in gedra um so scripting again it's written in Python which is backed by jython or Java

um you have access to the flat API um and then it can also be ran from the command line or you can also trigger it being an action so if you have already things that you've developed for scripts that you call frequently you can actually run these from actions in your plugin so you don't have to completely reinvent what you've been doing and you can actually leverage things that you've done in the past and then plugins in gedra solely written in Java no no python unfortunately so if you like python you can still write things in the scripting and call them view your plugins but when you get into the nitty-gritty of the the guey and the UI and all of that you'll

have to do it in Java unfortunately but it's okay it's what it's for um it allows for more in-depth use than scripting so you can keep state with things a lot of scripting you'll see it starts at the top it iterates through something and then it gives you the output um with the plugins what we can do is we can actually keep track of the state and have other things that Branch off because of those changes in state which was pretty pretty great um and finally the the other difference is uh plugins can be built and distributed with the build system they use Gradle um and we'll talk about that we'll get into more depth with it but instead of a

script you have to pass around and then you have to know the directory of of where your scripts are where gidra is looking for them um you just build the zip and then you hit uh install extension and it gidra takes care of everything which I think is a lot simpler than knowing where your working directory is that gidra is looking at and finding where to put the scripts and all that fun stuff now finally the exciting part because I'm sure the Game Boy part is much more exciting than the gidra part um why Game Boy well first as a piece of context if you're not familiar with the Game Boy uh the Game Boy the original

game boy was developed by Nintendo it was originally released in 1989 uh it has lots and lots of games to play and there's actually still quite a big ecosystem around games being developed in the Indie scene so even if you're not interested in reverse engineering Game Boy games uh a lot of the resources that I use and talk about in the talk you can probably turn into development resources if you would like to develop Game Boy games as well um and finally it's still used for leisure in competitive play worldwide just last week the uh World competition of Tetris played on game boys and we'll get into that uh in a little bit a little more in

depth but there's still a prominent um developer in NDC in around game boys which I think is pretty great um just a couple more summary points uh small handheld video games uh these are the cartridges so the games that's what we'll be actually taking apart today in dismantling and writing some code for the plugins um the CPU if you're not familiar with it it's an 8 bit 8bit CPU similar to the 880 sharp CPU uh it's got a 4.19 millerz CPU with 160x 144 display uh it's a little bit slower than the computers you use right today but still pretty great and uh I would be a Miss if I didn't mention the resources that I leveraged

to be able to do a lot of this stuff um there's an individual in the Game Boy community that goes by geeko um and they've compiled just like this massive compendium of Game Boy resources so they've you know they figured out all the timing and all of the um basically every part of the CPU and how it functions and interacts with the ROM and the ram they've documented it which is great because Nintendo did not open source any of that right this is all um done in in a research fashion um so there's GB research which is the the general intro to a lot of this stuff um there's gidra boy which is actually the

disassembler and decompiler plugin for gidra that we'll leverage today um it will help us analyze some of the uh the instructions and all of that uh there's the Game Boy Pand which is basically just a markdown friendly um easy way to digest the information and then there is the gbct which is the complete technical reference it's like a 220 page document of everything You' never wanted to know and probably things you didn't want to know about the Game Boy it's it's very helpful it's very useful now as for the cartridge itself um each cartridge has a header so very similar to you know any type of executable that you're looking at um it has a header that you need to parch to

extract information out um the header contains information about the game and also the hardware that it expects to be there when it runs so it can run successfully um we want that information you know how do we get it so I'm going to break down first the header and then we'll talk about the use case of actually extracting that information there's a whole lot here I'm not going to read through each of them because we're going to go through them a little bit more in depth so the first four entries there's the entry point um usually this is just you know where the code starts for the game to actually load itself um there's the Nintendo logo so if anyone has

anyone ever inserted a game in a Game Boy and then you get that like weird line and it doesn't boot okay so that's actually Nintendo's first iteration of like licensing and like making sure that individuals are licensed to develop the games so if that um like sequence of B is not present in the cartridge header Nintendo actually refuses to load the rest of the game and then you get that weird sound bite and bar through the screen saying you're not authorized to do this so th those bites have to be present for you to have any part of the game Run and if a lot of the time when that bar is there it's because you know

some of the bits got lost because there's something on one of the pins or something like that and then the next uh set of information is the title it's a just a short like you know 12 uh 12 character title um and then there's also the manufacturer code and then the next floor there's the cgb flag so the color Game Boy came out after the original game boy this flag is there to let the Game Boy know that it can use the color features uh there's the new lcy code which is the new version of the old leny code and basically what that is is there were so many lenses for the newer games that

they had to figure out a way to add more information to the cartridge because a lot of the older ones didn't develop games anymore but newer ones did and they ran out of bites um that one the the logic's a little weird but we'll actually get into it um and then the next part of the header is the sgb flag so the sgb flag for those who aren't familiar with the super Game Boy uh was like a cartridge addition that you could put into the Super Nintendo and then you could play games at I guess technically a higher resolution but really it was to benefit from the extra colors the NES had that the Game Boy did not so that

flag lets it know whether or not it can be played on the super Game Boy and then the next one is the cartridge type so basically what type of Hardware is present on the cartridge you know like the memory bank controller how many ROM sets are on the actual cartridge itself that kind of stuff and then the next set of information basically the ROM size so the size of the game The Ram size how much memory is available on the chip itself uh the destination code the destination code is interesting and we'll get into it more in depth but basically it's Japan Market or everywhere else that's really the two things that they broke down um and then

there's also the old liy code so the old code older than the new lcy code is basically if it's a set value you know to go back and look at the new lcy code to derive that information otherwise you can use the old licy code that's really the only amount of information in the header that is dependent on like certain values everything else is pretty much you can read through and get that context pretty easily and then finally uh the last three sets of information is the mask ROM version number and basically that's just what version has been published what what version of the ROM are you working with um and when I say ROM I mean the

cartridge the game um and then the next one is the header check sum so the header actually has its own check sum and if that isn't verified properly then the game won't boot there's also the global check suum which is a really interesting piece of information because for those who've played the N64 uh Pokemon Stadium or Pokemon Tower game um this checkm is only used inside the emulator of that N64 game that emulates Game Boy games so it's there but that's the only place that it's like documented use case basically if the the check sum of the entire game doesn't match it won't play um I don't know why they did that and it's only used there but that's the only

documented use case so you now have a fun fact that people will love um and finally just to kind of talk about why parsing this information out and presenting it while you're doing some sort of initial re and triage um can anyone tell me what GameBoy game this is from this Header information if someone like ocrs it and puts it into cyber Che I'll be really impressed but it is Pokémon but what color R wrong okay uh close though it's a color um we'll we'll dive into which one it is later we'll parse it out um so this brings us to our first use case that is probably pretty relevant depending on what type of binary you're looking at um

we need to write a parser and if you've ever written a parser you basically you know the position of how the header is defined and you get those bites and you turn it into human readable information because as we saw on the last slide it's not exactly human readable cool and the the next thing that is relevant for our when we actually go to write the plugin uh there's IO ranges so when instructions want to write to you know the I/O the screen The Sounds the read from the joyad input things like that um they'll be reading from these addresses so if we wanted to actually analyze what functions are touching what parts of Hardware um we need to keep in mind

these things um and that's that's really all I'm going to go into for now we're going to dive into how we do that later um but just be present that there are static addresses that we can talk to the hardware and it's relevant for when we need pieces of context out of the code now we're actually going to talk into the fun part we're going to dive into how the plugin is actually structured um how it's written we're going to look at some Java code so if someone has like traumatic experience of the Java I apologize most of the code coming up is is Java um so writing a plugin what do we actually need to write the plugin it's

not that much I promise um you need a whole lot of java so unlike scripting which I talked about before the plugins need to be written in Java so if you have an aversion to Java I'm sorry um if you love Java I'd love to know why that is and maybe tell me afterward but um and then the plugins use the Gradle build system so Gradle is is what's used uh for gedra itself and it's also what's used for the plugins um and you don't have to know a whole lot about how the build system works you just have to know that gedra ships a template for you to build the plugins with which is really

great because I didn't want to figure out the uh the gradal build system Jenkins is enough for me and then finally if you've never looked at Java docs before I'm happy for you because Java docs are the really like it looks like it's built in like 1998 right it's like that Oracle Vibe of it's it's a lot of information there's not a lot of pretty things or fun things to look at it's just straight wall of text so if you're diving into certain parts of gidra and what you want to extend you'll have to get a little bit comfortable with looking at that documentation more often than not there's probably a GitHub issue or anything like that that talks

about it so you don't have to look at that um but there are some use cases where you have to look at the docs and it will happen but getting comfortable with reading those type of docs will benefit you because it's much more difficult to read those than any other documentation I've ever encountered maybe not than Apple but almost everything so writing the actual plugin there's actually a lot of um things that we can benefit from so we don't have to start from scratch so gidra provides quite a few examples for us they provide scripting examples um they provide uh plug-in examples they provide export examples a lot of cool things like that um and they're all

located in wherever you so if you haven't downloaded gedra before it's uh it's basically just uh an archive and then you extract it and you run it from that archive so a lot of people like put in opt and then keep it there um wherever that you have uh extracted that to you have extensions and then gidra and then inside of there is a lot of great things that you can leverage so you don't have to start from ground zero and then finally what do we need to actually write the plugin um if you've ever written Java you've probably used intellig and you you know it's a lot nicer than gidra I'm sorry to inform you

that you have to use Eclipse if you want all the nice things um it's only a lot more painful than intellig um is an extension that the gedra developers have written uh to help you develop um and basically what it allows for is you can generate skeleton files so you don't have to start from the beginning you can generate skeleton files to at least get like your plugin present maybe no functionality but it be there um and it allows us to start really quickly and start iterating and then finally gev also allows you to debug in real time so you can hit the Run button in eclipse and then it will spin up a debug instance of gidra and

you'll be able to see the errors or you know whatever you're printing to to the console or anything like that um so if you want all of those niceties you have to use Eclipse um nothing is stopping you from setting it up and then running it via intellig but you won't have the debugging uh but maybe that's something that one of you want to contribute back to the open source ecosystem that'd be cool right um but if not I understand because I didn't want to do it either um and then finally gidra Dev is also located and shipped with gidra um so it's in the extensions eclipse and the gidra dev directory um and essentially the bottom right I know it's

not too visible but really that's just the screen you see when you install extensions into Eclipse um and then you just drag and drop it um and then you it brings you a new window and it's basically what do you want to create um so when you go to actually create it you can select what type of um plugin you'd like the template for um in our case we only did plugin but there are PL more that you can do like if you wanted to for some reason have some sort of new analyzer or new loader or anything like that you're uh you know you can get started really quickly um now the one thing that I

found really difficult I don't know about everybody else I'm not good at UI and ux like I the the website that Heidi showed is what my personal blog looks like because I'm not good at UI and ux so basically it ships with tools that you can leverage to do the UI stuff um so there it's a plugin called window Builder which comes with Java uh swing which is what gedra leverages for their UI um so it's actually like what you see is what you get so you can drag and drop things and it actually generates the code for you in the file that you opened with it so it's built into Eclipse um it's just a white box because I'm going

to show you my wonderful piece of UI that I first started with super good super great super clear shows a lot of information um um this is the header if you can't tell you probably can't um this is the header and all of the relevant Fields um it gets better than this I promise but this is just a show where we started and then I found that that uh plugin existed and we went from there and got a lot better and if you get frustrated with it others have too um there's more than one issue on GitHub where gidra has said we're going to stay with Java and swing you're welcome to rewrite the entire

thing but we're not switching um you can actually see right here immediately after creating it well the user is also deleted at this point so maybe that has something to do with the NSA I don't know um uh but the they closed it and locked it and limited it immediately so they're sticking with Java and swing so if you want to get into the gidro ecosystem it's Java and it's swing um now finally we're going to get into the actual code of the plugin so the plugin component is where you define the plugin itself to gedra so it's you know the name the information what version you're expecting it to run do you have a help menu simple things

like that um and basically this is this is it this is the Constructor um so when you go to initialize it g will see that this is present it'll see that it you know uses the the plugin tool as a uh a parameter and then it sees that you call the super and then it initializes it for you and then basically when you go to run you'll see your your plug-in present now it doesn't do anything at this moment in time but you have a plugin and it's running and a lot of this skeleton code was generated the only thing that I changed obviously was I named it so it says Game Boy plugin instead of just

plugin um and then this is where you initialize things like the provider uh the provider is terminology basically meaning what the user sees so it provides the graphics to the users how I thought about it it does a lot more but that's the simplest way to think about it um and then the other things that you can do in the Prov uh in the plugin is basically when certain things happen in gidra you can overwrite what Behavior your plugin does so for instance I uh initially found out that if there is no program loaded in gidra and you try to read any of the addresses it crashes because it's a no pointer right thanks Java um turns out you can actually

control when your plugin loads so what I did was I overwrote or overr overwrote the program activated function call and basically I said anytime the program is activated is when I want my plug-in to actually initialize so if you don't have a program loaded it won't crash anymore and there's a lot of things like that like you can do when an analyzer starts when the program is activated when you open up the uh database of the actual program itself you know there's a bunch of different calls that you can have and then next we'll get into the provider component so the provider again is kind of like the UI um this is where you define a lot of the layout the guey

um you also initialize your actions and your callbacks so actions are just little like uh you can press a button or when change State when the state changes or something like that it allows you to have things that Fire based off of those callbacks and then it will do the things that you uh tell it to do um and this is where we get our first taste of swing and in Java UI and all that wonderfulness that it is you can see that we initialize the panel uh the plug-in gets gets brought in and then we also initialize the help a little bit further um but I have a couple of so like the build panel line and the create

actions lines U those are mine so basically I'm saying build the gooy to show it to the user and then create the actions and then other than that you know you can set like the title and all that fun stuff um I always thought Game Boy was one word turns out it's two I didn't know that kind of like Spider-Man with a hyphen it's there um but this is these are two examples of the actions we'll dive into it uh a little bit deeper later but essentially you know I have a an action that when the program loads if it's a Game Boy game we want to parse the header um and then we also have one if I click this

button I would like to generate the check sum because if it's check sum it should be verifiable maybe not secure but verifiable um and and we get into that but those are those are two you can see that there's some helper functions in there and we'll we'll also dive into that um but that's really all actions are it's you define a call back you put code into it and then you can go from there um and just a reminder if you're trying to read through all the code and it's a little too fast uh the repository is on my GitHub and you're more than welcome to dive into it so for docking actions the docking

actions are over there on the right side um the icons gedra is a little blurry when they render the icons I apologize for that but basically those three are are things that I defined for the plugin to do um the first one is I'm pretty sure it's to Parts the header the second is to add comments and then the third is to well we get into it we'll do it a little bit later um but basically docking actions are the third piece of of what you define to actually do some fun things in gedra um it's when a trigger occurs so a button click a state change things like that um there's small functions that can call other things or

behavior um I think the only main important part to talk about docking actions is that you don't need to do all that behavior in that piece of code because it is just like a it's like a Lambda function in Java so you don't have to have all of your behavior and Analysis in there you can have it somewhere else and just call it and get the output because then it stays a little bit cleaner and you can organize it a little bit better um and here's another one of the actions this is a check someone to break it down a little bit better um but basically we pass in the title of what we want when we highlight over it um

these are these are print Lines Just so you can see it in the console but it'll also display it VI the guey you can see that via the checkm dialogue um and I will show you these examples I just want to show you what the code looks like first um and then you add it to the program and and that's really about it and then the final one which is not a part of gidra or the skeleton uh code that they give you but I found it a lot more helpful to Define define like a helper class or a helper component so I have a class that where all of my functions and Analysis and everything is

to find inside of that so I'm not putting all of my parsing and all of that inside the Plugin or the provider I just want to be able to call a small function and it handle the rest of it for me um so it lets you abstract things you keep things simple then when you know you have a bug or something doesn't parse right you know that via the stack Trace it's in whatever portion of your helper instead of you know provider line 9,633 or something um you can keep State you can perform calculations there's a lot that you can do um anything in that you can do in Java you can do inside of

it um and then you leverage it to make things simpler and repeatable and this is what the initialization well some of the initialization of my helper class actually looks like so I take in the the plugin itself I take in that flat API that we talked about earlier um I have a whole bunch of hashmaps I don't know if this was the most efficient way you're someone's probably going to bully me after this talk and say this wasn't efficient that's okay please do I don't know Java well um but basically I set up there's a lot of context that is in bite form that we want to translate to human readable context so essentially I took

all of those bite entries and created maps to have the human readable side so I input the byes and then I get the human readable context that we can then use elsewhere um and then I have the the check some field because it's just stored as an integer um but basically I initialize my helper I build out the maps I build out uh the header which is you know parsing it and storing it and then I build out the lenses because there's like I'm going to show you as an example but there are so many lies for the Game Boy games um and we'll get into a a pretty narly case of the licenses in

a minute um but when I say make things simpler I really do mean it so what you can do in your helper functions so you don't have to have all this bloat everywhere else is for example if I want to get the name of the program in gidra so that API that's that flat API and we can do get current program get domain file get name right and writing helper. G prog program name is a lot easier than writing all of that um similar for path so where it is on your system uh shot 256 md5 all of that fun stuff um set code comments is one that we'll dive into later and then the get LC e so this

is this is where we talked about this is the one part of the header where logic is actually required to parse it it's not just a set of bytes um so at first we get the old lcy code and then if it's the hex value of 33 um we then know that we need to not use the old lcy code and we need to go get the new lcy code great naming conventions um and that's how we do that right so we compare the address value uh the flat API has a uh an api. git bite and you just pass it a pointer to an address but for whatever reason you can't just pass in an integer you

have to convert it to an address first I probably could have overridden the git bite to accept an integer um but gerer provides the api. two address and you just pass in an integer and it converts it to the address that it's expecting which is really easy um and yeah you can see I have great error handling here it'll just return nothing if it errors um yeah that's that's how you get the license code and then you'll notice that we use our old liy or new licy map and we turn it into human readable text uh so this is uh this is what we showed a little bit earlier I figured I would show the whole hex dump now so it's not

Pokemon Red is Pokemon Yellow um but you can kind of see there are some things that we can parse out just by looking at the hex but there are some things that like for instance after the title you don't know that LC e code 01 you have no idea what that is right if someone does i''d be impressed okay um you'll be shocked that LY number one is Nintendo by the way um but basically we now parse it so in my helper uh Library what I'm doing is I'm getting the header so I start with my pointer at 100 um in one of my maps I had it defined of the addresses for each part of the header

and then it just iterates until it hits that and then it adds it to my structure that has the header um and basically it iterates through all of those it gets those btes it uh increments the pointer and then it returns all of that in the end and it also sets it for the class state so you can use it in other parts of your helper and since we've done this at the start we only have to do it once so if any other point in our plugin we want to manipulate or look at any of the header it's now saved in our helper component whereas if you wrote this in one of the actions you wouldn't have

this be accessible anywhere else in your plugin you'd have to copy and paste the code again which is painful and you also have to remember where it is and where to go get it from um so just to just to hammer the point home here's what the header looks like uh before we turn it into human readable context and all of that fun stuff um so you can see the the Nintendo logo that's the the first string of of Licensing that we talked about earlier um it's not a straight line it's encoded in like quadrants we'll leave that there U it's encoded in quadrants so essentially um it renders it in a cool way I don't

actually know the math because uh the video game math on pixels of screen that small is difficult for me um but you you can see we have a whole lot of stuff here um and I'm about to show you my super efficient way of how I keep track of all of this so um if there's another way to initialize maps please tell me because I don't want to keep doing this but essentially um I build out my licy maps um you can see that if it's 00 there's not one you know Nintendo Capcom Etc um there's one specific one that we'll talk about when we get to a specific game and and and all that fun stuff and then you

can also see when we talked about the cartridge type a little bit earlier um it's basically what the game is expecting to be able to actually run so if the console that you plug it into doesn't provide these things it won't run um you can see there's a lot of variants you probably didn't know there's that many variants of a Game Boy and then finally this is the new lienes so there's more um Nintendo is still the first um there's a whole lot but really it's just it's nice context to have when you when you're doing things like this and you know for a for an actual example a real use case when you're pulling

apart a header for a binary like a Mach o instead of having that um like the the integer of whatever bite you're reading you would then map that to like whatever the constant name is or something so you have a human readable you know comparison um and then with verifying the Header information we talked about how there's a check sum earlier so now we can actually calculate the header check sum uh the check sum is pretty easy you just start at 134 and you go uh until 14 C and then you just subtract it from itself and then you get the bottom set and that's that's really about all you do um now the one thing is that you'll

probably notice for anyone who is familiar with check subs and stuff this isn't like uh actually that secure if I change the header I could just recalculate it and then overwrite the header bite that's true you could do that um but it's mainly a way to ensure that whatever is there is that it's ready to run on the console so if someone modified something on the first set of bites and then they forgot to modify the check sum at the end the console won't run it um but see I got better at at UI stuff I promise it doesn't all look like the first example I showed um so basically the given check sum is what's

in the header the calculated check sum is what uh you calculate with that function um and then it's uh green or red with valid or invalid depending on what it what it calculates this was when I figured out that the window Builder was a thing and it made it a whole lot easier and a lot more fun um so with that we know that this information is good and if the information is good that means we can probably present the other information to the user so we've parsed out now the the first four the file information that's from gedra itself so we didn't get that from anywhere um please don't judge the ROM name I would never

download ROMs illegally please only dump them from your cartridges just clarifying um the title is Pokemon Red the lcy is Nintendo research and development one and that one is there for a reason they did have different research and development Labs um there's a book a little later on that we'll talk about in the talk you can actually read the differences in culture and Vibes between the two research and development facilities um and then the destination code as we talked about earlier was not Japan it was overseas only um does anyone know why Pokemon would be overseas only does anyone know what Pokemon is called in Japan yes so they wouldn't want to sell in Japan instead it's pocket monsters so

that's why this one is distributed as overseas only uh the ROM version is the initial version zero uh the Ram size is 1 Megabyte and then the cartridge type uh it has a memory bank controller RAM and a battery and the batter is to save State when you turn the game off right so if anyone's everever you know turned on their Pokemon Blue from way back when and your save was not there anymore and it didn't save when you turn it off that's because the batter is dead if you pull apart the cartridge you can replace it pretty easily um now finally who knows Tetris who's played Tetris okay almost everybody so if you're not familiar with Tetris I'm

instead of showing you the game I'm going to tell you about two pieces of media instead uh the tetris effect is a really good book that talks about a lot of the licensing wos uh of Tetris that when it was originated in in Russia and brought over and sold to a whole bunch of different companies illegally um without the the knowledge of the developer you'll actually see that some versions of Tetris have a different LC e for the Game Boy than other versions and that is dependent on who had the rights to publish the game uh and then finally the I think it's on Apple TV right there's a Tetris movie about the exact thing that I just talked about in the

book but it's a little bit more dramaticized um and if you're not familiar with how many versions of Tetris there are these are all separate versions of Tetris on Game Boy right so imagine that you are this is a real use case uh for a plugin like this imagine you are a collector of retro games you probably want to know what version you're buying right so you know you uh instead of like stockx for shoes you could have stockx for Game Boy cartridges and you could you could analyze all the headers and see if they're they're the right ones um so if you are not a Game Boy game collector the tetris version on the left of that

right picture is called the minuette version and that's like the super rare version of Tetris um it has an extra soundtrack that's the only thing that's the only difference that's it but everyone really cares about it because it's different um and it also has slightly different cover art but you know if I were a nefarious person what I could do is I could buy a whole bunch of the ones on the right print out the label of the one on the left and if I didn't know about this Header information I could probably just tell you it's the menuette version right well say that happens I get the game uh and I you know dump the ROM and I'm like oh

this isn't the menu version that Header information will actually reveal to you assuming they haven't modified it um that it's a different version of the game because most people who are doing scams like that probably aren't going to know about the Header information so it's it's a cool use case that's actually applicable to the real world and then finally these look like the same version of Tetris the I mean the colors are a little more faded but the Header information is different so when we go to parse it out you'll see that the ROM size is the same but the versions are different and things like this um for example for the competitive Tetris scene um you probably want to

know what version all of the competitive players are playing on because you know if version zero runs slightly faster than version one someone has a competitive Advantage it's probably relevant to talk about um you're prob not analyzing binaries that aren't Game Boy ROMs for anything else like this but it's a it's a cool use case nonetheless now the next use case is IO so we talked about all that IO addressing a little bit way back when um and what we can do is you can either remember all of those addresses in your head and like you know jot it you can add comments manually in gedra when you analyze um but if I were to show you

this like you can see that it's going offset to an address that's defined but you don't really know what it's writing to or reading from right so we can actually use that contextual information and we can write something that finds addresses that use that offset or the offset goes to that location and we can add comments on the side there to say what it's reading to or write or writing to or reading from which I think is pretty great so if you have you know defined registers that you want to keep track of or even just specific in like addresses in the code that you're looking at you can do it like this um now here's another really

efficient I'm sure hashmap of uh human readable context but this is some of the stuff from that pandoc site that I mentioned earlier this is it's provided to you in a nice way and I just wrote a Rex uh little thing to address to human readable um so you could effectively write something that iterates through each instruction looks at if it's a referen to something else if it is you can then insert those strings on those pieces of code that way someone knows what they're looking at makes it a little bit easier right you don't have to remember it little little more straightforward and how to do that this is probably the grossest piece of java

so far but essentially the flat API provides you with a mechanism to get an iterator of all of the instructions and then from there while the iterator still has something next to look at um you can then get the instruction from the iterator you then parse you get the the address you get the physical address because everything is on the ROM so it's all physical and then you get the offset um if the destination is actually something that we cared about tracking so we initialized that big hash map of addresses that we cared about um we get it and then we can use this code unit so gedra breaks things down into code units and it's like database

under the hood um and you get that code unit usually it's just a line of code sometimes it's a function uh and you can add uh comments so you can either add it to the start of the line the end of the line right in the middle if you want to make your life a little bit more difficult in reading things um but you can put it somewhere and then you can insert whatever piece of relevant context that way when you go back through to look at the actual code you have better information um and then finally the the ones down at the bottom I just thought it was relevant to when I scroll through the ROM and I see those

addresses it would be a nice reminder to have those listed as well so it's not an instruction that's talking to it it's that actual address and then you have to end the transaction to commit it similar to like you know if you're writing like I think it's sqlite under the hood so you have to commit the sqlite transaction don't quote me on that I'm not sure if that's actually true um but yeah so the finished in both products because we could always improve on it um when you would go to the window you would see Game Boy analysis plugin um this is the initial screen that we have here so we have all of our pars

information um and then we also have our docking actions right so we have the the code commenting the calculate the check sum and then we also have the source code add comments to the code and I thought it was relevant we could add some of the favorite games and and just kind of look at the Header information because it's fun and if I offend anybody by not putting your favorite game I'm sorry I just I apologize um but Pokemon was you know my go-to um Kirby's Dreamland it was mentioned in the in the tweet that talked about this talk so I felt relevant to put it in there and then I was a big fan of like

the Spider-Man and like Batman animated series games so I felt it relevant to to mention that one it's just a sid scroller where you beat things up but yeah um if you are interested in the source code it's available on my GitHub so github.com lonis GB analyzer um I I do have stickers of that logo without the GB analyzer so if you're interested in a little Game Boy with the G logo in it please approach me I have like 30 or 40 of them to give out uh I got really into it I i' uh designed the logo on like by hand it was great um you can tell that that's very representative of my UI work as well

so um and then finally I did include some Utilities in the GitHub repository so if this turns into something that you'd actually like to distribute out into your or Not My Game Boy plugin I maybe I don't know but like if you turn it into something where you find it relevant to distribute to the other Rees in your org or anything like that or you want to Define a plugin to contribute to the open source ecosystem um I have a a GitHub workflow that basically uh sets up uh Java and then sets up Gradle and then it will install gidra because you have to have gedra to build it because it uses that template um and then it

will actually publish it um to your artifacts like reposit the artifacts part of your repository and then you can create a release from there and actually have it like on the releases site um so if you would like any of that the hardest part was setting up Gradle I don't know why but it just didn't work well um but this works so if you're interested in using this and defining like an actual plugin and you want to distribute it please feel free to to take this and do whatever you need to do with it and then finally there are a couple plugins that I thought were relevant to mention that I've seen that I thought

were pretty cool not written by me um there's VT grap gedra which is a heck of a name uh it basically integrates functionality from virus total so you can write like um retro hunts or live hunts if you're familiar so you can actually take parts of the binary that you're looking at and create those uh rules via API and it will do it all from gidra I'm sure you know it's uh it's pretty cool and then there's also gedra lookup uh gedra lookup is a plugin that helps users lookup documentation of when API functions so it will actually display it to you in the GUI um of when you see those win API functions in the code

itself I'm not famili affiliated with either of these I just thought they were cool and thought it was relevant to mention that there's uh there's probably a lot of plugins for gidra that you may not be aware of and it's it's a cool e ecosystem to check out and then finally um if you're trying to do something with a plugin like this and you get stuck um there's a not a lot but there are some use cases uh and examples on the internet that you can look at so if you do if you're not familiar with uh github's new search that came out like last year two years ago somewhere in there search has gotten a lot better so

like it's a whole lot better um it doesn't just show you like three repositories and two lines of code anymore it'll search a whole lot of things very quickly um so you can do import gidra and then do the logical and and extends program plugin um you can also filter by file type of java if you'd like um but it'll give you a lot of examples that you can pull from and you know it's it's open source so feel free to you know rip the examples and try try what you'd like and then I know you're not supposed to put QR codes anymore please don't bully me um this is to the repo that's all it is um if you don't feel

comfortable scating the QR code it's just github.com lonis GB analyzer um and I think uh yeah that's last five minutes for questions if anybody has [Applause]

uh canva is actually incredibly useful um I have a couple of friends or co-workers friends they're also friends uh that told me that canva is really great for stuff like this it is yeah they're right yeah super great um but when you export to PowerPoint the animations don't work and your slide-ins don't work so uh if the internet would have went out I would have had to really hustle so so this was very surprisingly relevant to the work that I do because I I'm a docent at the media archaeology lab which is here at CU Boulder the largest collection of retro Computing devices in North America so I'm inviting you to come down and play the game games

that we have absolutely and I and I love this so I just want to say thank you for doing it and thank you for the the graphic design aw thank you very much that's awesome very cool no one's bullied me for the the hash Maps or anything so this is good this is good what if there aren't any I I'll ask one uh so what was your what was the the most maybe surprisingly Pleasant part of writing uh a g plugin sure so I wasn't relevant like uh like informed with the flat API I was used to diving into each function and when I first got into the gedra development I was like oh this is

going to suck like this is awful no the flat API actually makes it a whole lot easier um and due to the flat API a lot of the scripting examples that you'll see that people have published you know like a lot of um like EDR firms or detection firms consulting firms uh will publish like scripts to analyze binaries that they're writing a report about um and you can you can actually use those because in Python it's labeled the exact same way as in Java so if it's you know library. module. function it's the same way in Java and that was the most surprising part because I was really going into it expecting to like hate

doing all of this it seems only fair to also ask what was the most unpleasant part uh the guy the UI stuff um Java Swing the only time I've ever touched swing was my first semester of undergrad a long time ago and it it brought back a lot of the trauma from that um but and like writing it on paper I don't know if anyone else had to take Java exams on paper but it brought back that and I did not enjoy that at all but other than that it was great all right thanks questions speaker again thank you