Author Topic: Fully reverse engineering Chrono Cross back into C code  (Read 8872 times)

iaDRM

  • Iokan (+1)
  • Posts: 1
Fully reverse engineering Chrono Cross back into C code
« on: March 22, 2021, 01:46:44 am »
Given reverse engineering games is now the thing to do, could it be time for Chrono Cross to join the trend?

The approach I'd suggest, though, is not loading the game up in Ghidra and manually going through everything; instead, I think the approach should be to find a simple open-source PS1 emulator, preferably one that uses an interpreted core, and modify it to generate metadata as it executes the game.

I'm inspired by the tools they used in the Sonic Sega Genesis reverse engineering community:
https://forums.sonicretro.org/index.php?threads/sonic-the-hedgehog-prototype.39840/page-24#post-976359

Quote
Active Disassembly. This feature tracks offsets, code references, data references, array bounds, jump tables, PC relative addressing, and a bunch of other things within the emulator. In a nutshell, I designed it to automatically do in a few seconds what took me a month to do manually. Once it was done, I was able to generate a disassembly of Sonic 2 similar to the result I achieved manually, but in a matter of hours rather than a month. I think this feature is still not really known or understood well, so I figured I'd throw it at the Sonic 1 proto. I just messed around for about 30 minutes to be thorough, and got a pretty damn near complete disassembly out of it. Should be useful to someone.

The tool they talk about seems to only work for Sega Genesis games, but something like this for the PS1 could be beneficial to other PS1 modding communities.

Furthermore, by using a modded emulator, one could do cool things. For example, imagine a piece of game code reads from the CD and writes to a buffer: the emulator could label that memory region as "CD". Then another set of game code reads the buffer and renders it, so now you can see a flow from CD to GPU.

Anything that touches a labelled region gets the labels smeared onto it. It can work in reverse too, where a piece of code writes to the GPU and gets "GPU" labels attached to it. Then, using a "fill tool"-like algorithm, whenever a piece of code is about to proceed to another instruction, be it by PC increment, call, or simple jump, if the other piece of code is dirtied with a label, smear the label onto the current piece of code. So then you slowly watch addresses of code get colored by what they touched. Things with multiple labels (GPU, SPU) mean that code is used for multiple purposes.

There'll still need to be manual work naming things, but the above hypothetical emulator would be doing most of the heavy lifting by automating the research part of reverse engineering.

Thoughts?
« Last Edit: March 22, 2021, 01:49:31 am by iaDRM »
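As an added illustration of the label-smearing scheme described in the post above (my own toy code, not anything from the post or from an existing emulator): a tiny register-machine interpreter that tags memory by device region, carries tags along with the data through registers and RAM, records which instruction touched which device, and then runs the "fill" pass over the control-flow edges it observed. The device map, instruction set and program are all constructed and hypothetical; real PS1 device addresses and MIPS decoding are not modelled.

```python
from collections import defaultdict

# Constructed, hypothetical device map for the toy machine (not PS1 addresses).
REGIONS = {"CD": (0x1000, 0x1100), "GPU": (0x2000, 0x2100), "SPU": (0x3000, 0x3100)}


def region_labels(addr):
    """Labels of the device region containing addr (empty for plain RAM)."""
    return {name for name, (lo, hi) in REGIONS.items() if lo <= addr < hi}


def run_with_labels(program, start=0, max_steps=10_000):
    """Interpret program ({pc: (op, *args)}); return (touched, edges).

    touched[pc] is the set of labels the instruction at pc directly read or
    wrote, either through a device region or through data that came from one.
    edges is the set of observed control-flow transitions (src_pc, dst_pc).
    """
    regs, reg_labels = defaultdict(int), defaultdict(set)
    mem, mem_labels = defaultdict(int), defaultdict(set)
    touched, edges, callstack = defaultdict(set), set(), []
    pc = start
    for _ in range(max_steps):
        op, *args = program[pc]
        nxt = pc + 1
        if op == "LOAD":                         # LOAD r, addr
            r, addr = args
            regs[r] = mem[addr]
            reg_labels[r] = set(mem_labels[addr]) | region_labels(addr)
            touched[pc] |= reg_labels[r]
        elif op == "STORE":                      # STORE r, addr
            r, addr = args
            mem[addr] = regs[r]
            mem_labels[addr] |= reg_labels[r]    # data keeps its origin label
            touched[pc] |= reg_labels[r] | region_labels(addr)
        elif op == "ADD":                        # ADD rd, rs
            rd, rs = args
            regs[rd] += regs[rs]
            reg_labels[rd] |= reg_labels[rs]
            touched[pc] |= reg_labels[rd]
        elif op == "JMP":
            nxt = args[0]
        elif op == "CALL":
            callstack.append(pc + 1)
            nxt = args[0]
        elif op == "RET":
            nxt = callstack.pop()
        elif op == "HALT":
            return touched, edges
        else:
            raise ValueError(f"unknown op {op!r} at pc {pc}")
        edges.add((pc, nxt))
        pc = nxt
    raise RuntimeError("step limit reached")


def smear(touched, edges):
    """Fill pass: an instruction inherits the labels of every instruction it
    can proceed to, iterated to a fixpoint over the recorded edges."""
    smeared = {pc: set(labels) for pc, labels in touched.items()}
    changed = True
    while changed:
        changed = False
        for src, dst in edges:
            gained = smeared.get(dst, set()) - smeared.get(src, set())
            if gained:
                smeared.setdefault(src, set()).update(gained)
                changed = True
    return smeared


# Constructed program: a loader copies two words from "CD" into a RAM buffer,
# then a renderer reads that buffer and writes it to the "GPU".
PROGRAM = {
    0:  ("CALL", 10),
    1:  ("CALL", 20),
    2:  ("HALT",),
    10: ("LOAD", "r0", 0x1000), 11: ("STORE", "r0", 0x500),
    12: ("LOAD", "r0", 0x1004), 13: ("STORE", "r0", 0x504),
    14: ("RET",),
    20: ("LOAD", "r1", 0x500),  21: ("STORE", "r1", 0x2000),
    22: ("LOAD", "r1", 0x504),  23: ("STORE", "r1", 0x2004),
    24: ("RET",),
    30: ("LOAD", "r2", 0x3000),   # never executed: stays uncoloured
}


def analyze(program=PROGRAM):
    """Return (direct labels per pc, labels per pc after the fill pass)."""
    touched, edges = run_with_labels(program)
    return touched, smear(touched, edges)


if __name__ == "__main__":
    touched, smeared = analyze()
    for pc in sorted(set(touched) | set(smeared)):
        print(f"{pc:3d}  direct={sorted(touched[pc])}  smeared={sorted(smeared[pc])}")
```

Running it prints, per instruction, the labels it touched directly and the labels after smearing. Both columns matter: the direct labels pinpoint the instruction that actually does the I/O (the renderer's store at pc 21 is the only place that carries both CD and GPU by itself), while the fill pass is deliberately over-approximate, exactly as the post's description implies, so every caller upstream of the renderer ends up coloured CD and GPU. A real tool would want to stop the flood at call and return boundaries, or at least keep both sets the way this one does, so that the coarse colouring does not erase the precise one.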

glennxserge

  • Earthbound (+15)
  • Posts: 40
  • Sacred lickaroo.... Not!
  • Chrono Cross FateTerminal
Re: Fully reverse engineering Chrono Cross back into C code
« Reply #1 on: February 18, 2022, 06:41:49 pm »
I'd love more traction on this idea too, and I think you are right that leveraging an existing emulator is a good place to start.  There's already an instruction decoder in there, which is the first part of getting a disassembler up and running.  The big challenges will be in understanding what's data vs instruction and both of those will involve tracking lots of CD reads and a mess of pointers, compressed files, etc.  But it would be nice to get basic parts of the executable partitioned out into specifics, so we can build a map of the program flow.

You might also look into something like IDA Pro for ideas on how to organize the information.

pillarock

  • Iokan (+1)
  • Posts: 2
Re: Fully reverse engineering Chrono Cross back into C code
« Reply #2 on: April 15, 2022, 08:45:39 pm »
The PC version has a debug.prg file. It has debug symbols, right? If so, it should help with reversing the game.

glennxserge

  • Earthbound (+15)
  • Posts: 40
  • Sacred lickaroo.... Not!
  • Chrono Cross FateTerminal
Re: Fully reverse engineering Chrono Cross back into C code
« Reply #3 on: May 30, 2022, 01:24:42 am »
I don't have the PC version, but that's definitely worth a shot.  I wonder if the debug symbols you'd get are associated more with the emulation layer than the game execution, but not sure.

I took a look at using Ghidra to start analyzing the game.  I used ISOBuster to pull the game executable out: SLUS_010.41.  You have to set the language architecture to MIPS, default, 32, little endian, but it chugged through and made some sense of it.  I'm not sure it's starting in the right place though as it gets hung up eventually decompiling at 0004E868; constructor error.

I wasn't able to get the PSYQ extension stuff working through ghidra_psx_ldr, but I imagine some of those overlays will make a lot more sense with general PSX engine stuff identified.

Has anyone else successfully built ghidra_psx_ldr for Ghidra 10.1.4?
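An added example (mine, not code from the thread or from ghidra_psx_ldr) of what a PSX loader does before the MIPS analysis described in the post above: it reads the 0x800-byte PS-X EXE header, which carries the RAM destination address, the initial PC, GP and SP, and uses that to place the text section. A raw MIPS import at base 0 sees file offsets rather than RAM addresses, so addresses from such an import and from a loader-based import (or from radare2) only line up after this translation. The field offsets follow the published PS-X EXE layout; the sample image is constructed, with an assumed destination of 0x80010000 and entry point 0x80010008, and is not the real SLUS_010.41.

```python
import struct

PSX_EXE_MAGIC = b"PS-X EXE"
HEADER_SIZE = 0x800            # the text section starts at this file offset


def parse_psx_exe_header(data: bytes) -> dict:
    """Parse the fixed-layout PS-X EXE header (little-endian u32 fields)."""
    if len(data) < HEADER_SIZE or data[:8] != PSX_EXE_MAGIC:
        raise ValueError("not a PS-X EXE image")
    pc, gp, text_addr, text_size = struct.unpack_from("<4I", data, 0x10)
    data_addr, data_size, bss_addr, bss_size = struct.unpack_from("<4I", data, 0x20)
    sp_base, sp_offset = struct.unpack_from("<2I", data, 0x30)
    hdr = {
        "pc": pc, "gp": gp, "text_addr": text_addr, "text_size": text_size,
        "data_addr": data_addr, "data_size": data_size,
        "bss_addr": bss_addr, "bss_size": bss_size,
        "sp": (sp_base + sp_offset) & 0xFFFFFFFF,
        "warnings": [],
    }
    # Sanity checks a loader should make before trusting header values.
    if text_size % 0x800:
        hdr["warnings"].append("text_size is not a multiple of 0x800")
    if len(data) - HEADER_SIZE < text_size:
        hdr["warnings"].append("file is shorter than the header claims")
    if not (text_addr <= pc < text_addr + text_size):
        hdr["warnings"].append("initial PC lies outside the text section")
    return hdr


def file_offset_to_va(hdr: dict, offset: int) -> int:
    """RAM address the loader assigns to a byte at this file offset."""
    if not (HEADER_SIZE <= offset < HEADER_SIZE + hdr["text_size"]):
        raise ValueError(f"offset {offset:#x} is not inside the text section")
    return hdr["text_addr"] + (offset - HEADER_SIZE)


def va_to_file_offset(hdr: dict, va: int) -> int:
    """Inverse of file_offset_to_va."""
    if not (hdr["text_addr"] <= va < hdr["text_addr"] + hdr["text_size"]):
        raise ValueError(f"address {va:#x} is not inside the text section")
    return HEADER_SIZE + (va - hdr["text_addr"])


def raw_import_to_va(hdr: dict, raw_addr: int, image_base: int = 0) -> int:
    """Translate an address from a headerless raw import (whole file mapped
    at image_base) into the RAM address a PSX loader would assign."""
    return file_offset_to_va(hdr, raw_addr - image_base)


def build_sample_exe(text_addr=0x80010000, entry=0x80010008, text_size=0x60000) -> bytes:
    """Constructed sample image: a valid header followed by a zero-filled text section."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = PSX_EXE_MAGIC
    struct.pack_into("<4I", hdr, 0x10, entry, 0, text_addr, text_size)   # pc, gp, dest, size
    struct.pack_into("<2I", hdr, 0x30, 0x801FFFF0, 0)                    # sp base, sp offset
    region = b"Sony Computer Entertainment Inc. for North America area"  # region string, not parsed
    hdr[0x4C:0x4C + len(region)] = region
    return bytes(hdr) + bytes(text_size)


if __name__ == "__main__":
    hdr = parse_psx_exe_header(build_sample_exe())
    print(f"text at {hdr['text_addr']:#010x}, size {hdr['text_size']:#x}, entry {hdr['pc']:#010x}")
    print(f"raw-import address 0x4E868 -> {raw_import_to_va(hdr, 0x4E868):#010x}")
```

The practical check: when two people quote addresses for the same executable, confirm both are using the loader's base before comparing them. A raw import at base 0 reports file offsets, so the same instruction sits 0x800 bytes further into the file than the difference between the two bases alone would suggest; the header parser above makes that translation explicit instead of leaving it to mental arithmetic.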

trig

  • Level ** (100)
  • Posts: 100
Re: Fully reverse engineering Chrono Cross back into C code
« Reply #4 on: May 30, 2022, 02:41:07 pm »
Pardon me for butting in - I can just respond to your very last question even though I know nothing about reverse engineering and nothing^2 about the playstation!

I built it OK, see below. git didn't clone "data/psyq" -- looks like a pointer to another git project, or something? I don't know git/github. Anyway, I downloaded that separately and copied the contents to .ghidra/... after the extension was installed.

Code:
Working Directory: /home/user/git/ghidra_psx_ldr
Gradle user home: /home/user/.gradle
Gradle Distribution: Local installation at /home/user/Downloads/gradle-7.4.2
Gradle Version: 7.4.2
Java Home: /usr/lib/jvm/java-17-openjdk-amd64
JVM Arguments: None
Program Arguments: -PGHIDRA_INSTALL_DIR=/home/user/ghidra_10.1.4_PUBLIC
Build Scans Enabled: false
Offline Mode Enabled: true
Gradle Tasks: <run default tasks>

> Task :copyDependencies NO-SOURCE

> Task :compileJava
Note: /home/user/git/ghidra_psx_ldr/src/main/java/ghidra/app/plugin/processors/sleigh/PcodeEmit.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.

> Task :processResources
> Task :classes
> Task :indexHelp

> Task :buildHelp
INFO  Using log config file: jar:file:/home/user/ghidra_10.1.4_PUBLIC/Ghidra/Framework/Generic/lib/Generic.jar!/generic.log4j.xml (LoggingInitialization) 
INFO  Using log file: /home/user/.ghidra/.ghidra_10.1.4_PUBLIC/application.log (LoggingInitialization) 
[JavaHelpFilesBuilder] Generating Help Files for: [file:///home/user/git/ghidra_psx_ldr/src/main/help/help/]
[JavaHelpFilesBuilder] Generating map file: file:///home/user/git/ghidra_psx_ldr/build/help/main/help/ghidra_psx_ldr_map.xml...
[JavaHelpFilesBuilder] finished generating map file
[JavaHelpFilesBuilder] Generating TOC file: ghidra_psx_ldr_TOC.xml...
[JavaHelpFilesBuilder] finished generating TOC file
[JavaHelpFilesBuilder] Done generating help files for module: ghidra_psx_ldr

> Task :jar
> Task :zipSource

> Task :buildExtension

Created task ':buildExtension' property 'archiveBaseName'.task ':buildExtension' property 'archiveExtension' in task ':buildExtension' property 'destinationDirectory'

BUILD SUCCESSFUL in 38s
7 actionable tasks: 7 executed

Ghidra appears to have successfully analyzed SLUS_010.41 and SLUS_010.80 for me. (Language "PSX:LE:32:default:default")

0x4e868 (really 0x8004e868 for me) looks OK to me... but I don't know what I'm supposed to see hah. Screenshot attached.

This warning dialog appeared after analysis, but I think the extension is saying "warning" when it's really just info:

Code:
(These messages are also written to the application log file)

Applied OBJs for LIBCD.LIB: 13/51:
0x80024BDC: BIOS_2.OBJ, 3.47 entropy
0x80010220: S_024.OBJ, 2.92 entropy
0x80010220: S_013.OBJ, 2.92 entropy
0x80011EA8: S_005.OBJ, 2.22 entropy
0x80011EA8: S_003.OBJ, 2.22 entropy
0x800236BC: S_021.OBJ, 3.41 entropy
0x80010220: S_008.OBJ, 2.92 entropy
0x80010220: S_012.OBJ, 2.92 entropy
0x80049BF0: EVENT.OBJ, 3.69 entropy
0x80011EA8: S_004.OBJ, 2.22 entropy
0x80024FB8: SYS.OBJ, 4.30 entropy
0x8002369C: S_020.OBJ, 3.41 entropy
0x800236BC: S_022.OBJ, 3.41 entropy
Applied OBJs for LIBC.LIB: 4/55:
0x80010414: MEMMOVE.OBJ, 4.09 entropy
0x80010334: ITOA.OBJ, 3.74 entropy
0x80010A94: STRTOK.OBJ, 3.68 entropy
0x80010324: A56.OBJ, 2.65 entropy
Applied OBJs for LIBDS.LIB: 7/36:
0x800236BC: D3_003.OBJ, 3.41 entropy
0x80010220: D2_001.OBJ, 2.92 entropy
0x8002369C: DSSYS_3.OBJ, 3.41 entropy
0x800236BC: D3_002.OBJ, 3.41 entropy
0x80010220: D3_004.OBJ, 2.92 entropy
0x80024FB8: D3_006.OBJ, 4.30 entropy
0x80010220: D2_003.OBJ, 2.92 entropy
Applied OBJs for LIBETC.LIB: 6/8:
0x80027AF4: INTR.OBJ, 4.31 entropy
0x800285C4: VMODE.OBJ, 2.17 entropy
0x800278E4: VSYNC.OBJ, 3.78 entropy
0x80028204: INTR_VB.OBJ, 3.91 entropy
0x80028324: INTR_DMA.OBJ, 4.39 entropy
0x80010220: PADSTOP.OBJ, 2.92 entropy
Applied OBJs for LIBSPU.LIB: 26/126:
0x8004DD70: S_SNC.OBJ, 4.00 entropy
0x8004BA54: S_M_INIT.OBJ, 3.25 entropy
0x8003FC70: S_Q.OBJ, 2.81 entropy
0x80051894: S_SRA.OBJ, 3.69 entropy
0x8004BAB4: S_SI.OBJ, 3.91 entropy
0x8004B200: S_STM.OBJ, 3.21 entropy
0x80056440: S_SIA.OBJ, 3.87 entropy
0x8004BC34: S_CB.OBJ, 3.00 entropy
0x8004B1A0: S_STSA.OBJ, 4.05 entropy
0x800516C4: S_SRMT.OBJ, 4.38 entropy
0x80051D64: S_CRWA.OBJ, 4.26 entropy
0x80051F14: S_GRMDT.OBJ, 2.77 entropy
0x80029574: S_M_UTIL.OBJ, 3.85 entropy
0x80029474: S_DCB.OBJ, 2.96 entropy
0x8004BC64: S_R.OBJ, 4.10 entropy
0x8004BBF4: S_SIC.OBJ, 3.50 entropy
0x80051F14: S_GRMFB.OBJ, 2.77 entropy
0x800287D4: S_INI.OBJ, 3.70 entropy
0x800287B4: S_I.OBJ, 3.25 entropy
0x8004DDC0: S_GVEX.OBJ, 3.04 entropy
0x8004DDE0: S_SRMD.OBJ, 2.82 entropy
0x80051F14: S_GRMT.OBJ, 2.77 entropy
0x80028934: SPU.OBJ, 4.40 entropy
0x8003DD34: S_GR.OBJ, 2.96 entropy
0x8004BC64: S_W.OBJ, 4.10 entropy
0x8004BD24: S_STC.OBJ, 1.90 entropy
Applied OBJs for LIBSN.LIB: 9/44:
0x80028614: CLOSE.OBJ, 2.50 entropy
0x8002B3E0: op_vnew.obj, 2.92 entropy
0x8002AF18: SNWRITE.OBJ, 3.15 entropy
0x8002B3E0: op_vdel.obj, 2.92 entropy
0x80028624: LSEEK.OBJ, 3.59 entropy
0x8002AE38: CREAT.OBJ, 3.26 entropy
0x800285F4: OPEN.OBJ, 3.41 entropy
0x80028714: SNREAD.OBJ, 3.15 entropy
0x80028648: FSINIT.OBJ, 1.95 entropy
Applied OBJs for LIBAPI.LIB: 37/89:
0x800228D4: C57.OBJ, 2.65 entropy
0x800229B4: A53.OBJ, 2.65 entropy
0x80022CD4: A66.OBJ, 2.65 entropy
0x800229F4: A91.OBJ, 2.65 entropy
0x80051F04: A10.OBJ, 2.52 entropy
0x80022964: A36.OBJ, 2.22 entropy
0x800281D4: A23.OBJ, 2.65 entropy
0x800228F4: C73.OBJ, 2.65 entropy
0x80022904: A07.OBJ, 2.65 entropy
0x80022934: A11.OBJ, 2.65 entropy
0x800229C4: A54.OBJ, 2.65 entropy
0x800281E4: A24.OBJ, 2.65 entropy
0x80022974: A37.OBJ, 2.22 entropy
0x80022FF4: A19.OBJ, 2.65 entropy
0x80022954: A32.OBJ, 2.65 entropy
0x800229D4: A67.OBJ, 2.65 entropy
0x80022A14: L03.OBJ, 2.65 entropy
0x80022944: A12.OBJ, 2.65 entropy
0x80022924: A09.OBJ, 2.52 entropy
0x800281F4: A25.OBJ, 2.65 entropy
0x80022984: A50.OBJ, 2.65 entropy
0x80022A24: L10.OBJ, 2.52 entropy
0x80023014: A21.OBJ, 2.65 entropy
0x80022994: A51.OBJ, 2.65 entropy
0x80023004: A20.OBJ, 2.65 entropy
0x80023024: PATCH.OBJ, 3.21 entropy
0x80018D34: C112.OBJ, 2.65 entropy
0x80022FE4: A18.OBJ, 2.65 entropy
0x800229E4: A81.OBJ, 2.65 entropy
0x80022A04: L02.OBJ, 2.65 entropy
0x800230C4: CHCLRPAD.OBJ, 3.04 entropy
0x8004B8E4: COUNTER.OBJ, 4.15 entropy
0x80022914: A08.OBJ, 2.52 entropy
0x80022A34: FIRST.OBJ, 4.57 entropy
0x8003FCF0: A13.OBJ, 2.65 entropy
0x800229A4: A52.OBJ, 2.65 entropy
0x800228E4: C68.OBJ, 2.65 entropy
Applied OBJs for LIBMATH.LIB: 4/59:
0x80018694: SQRT.OBJ, 4.21 entropy
0x800187D4: GEDF2.OBJ, 4.28 entropy
0x80018C34: FIXDFSI.OBJ, 4.73 entropy
0x800188B4: ADDDF3.OBJ, 4.82 entropy
Applied OBJs for LIBC2.LIB: 21/50:
0x800107B4: SETJMP.OBJ, 3.79 entropy
0x80010994: STRCPY.OBJ, 3.41 entropy
0x80010D04: TODIGIT.OBJ, 4.01 entropy
0x80010714: PUTS.OBJ, 3.23 entropy
0x800103D4: MEMCPY.OBJ, 3.38 entropy
0x80010834: STRCAT.OBJ, 4.27 entropy
0x80010284: BZERO.OBJ, 3.29 entropy
0x80010484: MEMSET.OBJ, 3.41 entropy
0x80010220: ATOI_1.OBJ, 2.92 entropy
0x800104B4: PUTCHAR.OBJ, 3.72 entropy
0x80010774: RAND.OBJ, 3.88 entropy
0x80010374: LSEARCH.OBJ, 4.42 entropy
0x800109E4: STRLEN.OBJ, 2.61 entropy
0x80010A24: STRSTR.OBJ, 3.46 entropy
0x80010924: STRCMP.OBJ, 3.23 entropy
0x800108E4: STRCHR.OBJ, 2.80 entropy
0x80010324: EXIT.OBJ, 2.65 entropy
0x80010414: MEMMOVE.OBJ, 4.09 entropy
0x80010334: ITOA.OBJ, 3.74 entropy
0x80010A94: STRTOK.OBJ, 3.68 entropy
0x80010244: BCOPY.OBJ, 3.38 entropy
Applied OBJs for LIBSND.LIB: 7/223:
0x80010220: SSQUIT.OBJ, 2.92 entropy
0x800100E4: VM_KEY_2.OBJ, 0.99 entropy
0x80010220: SSNOFF.OBJ, 2.92 entropy
0x80022CF0: SSVM_2.OBJ, 2.22 entropy
0x800287B4: UT_ROFF.OBJ, 3.25 entropy
0x800107A4: SSVM.OBJ, 2.22 entropy
0x800100E4: DMYNOT1.OBJ, 0.99 entropy
Applied OBJs for LIBGTE.LIB: 67/535:
0x80049E50: FGO_00.OBJ, 3.67 entropy
0x800267A4: REG13.OBJ, 1.92 entropy
0x800263A4: MTX_06.OBJ, 3.78 entropy
0x80026C64: SMP_05.OBJ, 2.35 entropy
0x8002697C: REG02_1.OBJ, 1.92 entropy
0x80025724: MSC01.OBJ, 4.07 entropy
0x8003CA18: MTX_004.OBJ, 4.60 entropy
0x80026354: MTX_05.OBJ, 3.84 entropy
0x80026978: SMP_12.OBJ, 2.77 entropy
0x80026784: REG12.OBJ, 2.42 entropy
0x80026BD4: SMP_03.OBJ, 3.65 entropy
0x80026C34: SMP_04.OBJ, 3.03 entropy
0x80026C94: CMB_00.OBJ, 3.89 entropy
0x800257B4: MSC02.OBJ, 4.56 entropy
0x80025E04: MTX_003.OBJ, 4.77 entropy
0x80026764: REG11.OBJ, 3.19 entropy
0x80026D14: CMB_11.OBJ, 3.31 entropy
0x800253EC: GEO_03_3.OBJ, 4.06 entropy
0x80056480: CMB_07.OBJ, 3.82 entropy
0x80027474: RMAT_01.OBJ, 4.72 entropy
0x80026434: MTX_08.OBJ, 3.98 entropy
0x80026968: SMP_11.OBJ, 2.77 entropy
0x80049E90: SMP_01_1.OBJ, 3.57 entropy
0x80025CF4: MTX_000.OBJ, 4.58 entropy
0x80026604: MTX_12.OBJ, 3.51 entropy
0x800260E4: MTX_009.OBJ, 3.45 entropy
0x80026C78: SMP_06.OBJ, 2.77 entropy
0x80026744: REG10.OBJ, 3.19 entropy
0x80027274: RMAT_00.OBJ, 4.84 entropy
0x80027684: RATAN.OBJ, 3.92 entropy
0x80026404: MTX_07.OBJ, 2.93 entropy
0x80026D54: FGO_01.OBJ, 3.89 entropy
0x80026134: MTX_00B.OBJ, 4.56 entropy
0x80026FE4: FGO_09.OBJ, 3.85 entropy
0x800265D4: MTX_11.OBJ, 3.60 entropy
0x80025AB4: MSC06_2.OBJ, 3.56 entropy
0x80026C7C: REG02_5.OBJ, 1.92 entropy
0x800268B8: SMP_7.OBJ, 2.73 entropy
0x80026634: REG03_2.OBJ, 2.38 entropy
0x8002FAF0: FGO_04.OBJ, 3.43 entropy
0x80027804: PATCHGTE.OBJ, 3.71 entropy
0x8002AF30: MTX_00A.OBJ, 3.98 entropy
0x80026644: REG03_3.OBJ, 2.38 entropy
0x800265A4: MTX_10.OBJ, 3.56 entropy
0x80025A64: MSC06_1.OBJ, 3.53 entropy
0x80026624: REG03_1.OBJ, 2.38 entropy
0x8002F860: FGO_03.OBJ, 3.84 entropy
0x80025114: GEO_01.OBJ, 3.47 entropy
0x80025044: GEO_00.OBJ, 3.66 entropy
0x80049F30: SMP_01_4.OBJ, 3.79 entropy
0x80026A94: SMP_00_7.OBJ, 3.08 entropy
0x80026574: MTX_09.OBJ, 3.43 entropy
0x80049D40: MTX_04.OBJ, 4.59 entropy
0x80026BA4: SMP_02.OBJ, 3.32 entropy
0x80026B94: REG02_8.OBJ, 1.92 entropy
0x80025F94: MTX_006.OBJ, 3.76 entropy
0x80026244: MTX_03.OBJ, 4.58 entropy
0x80025C14: MSC06_5.OBJ, 4.00 entropy
0x80049F60: SMP_01_5.OBJ, 3.75 entropy
0x80025514: FOG_01.OBJ, 3.54 entropy
0x8003DD54: REG08.OBJ, 3.07 entropy
0x80025C74: MSC06_6.OBJ, 4.14 entropy
0x80026654: REG03_4.OBJ, 2.70 entropy
0x80025584: FOG_02.OBJ, 3.76 entropy
0x8002FC90: FGO_05.OBJ, 3.41 entropy
0x80025F64: MTX_005.OBJ, 3.32 entropy
0x80026734: REG09.OBJ, 1.92 entropy
Applied OBJs for LIBCARD.LIB: 16/18:
0x80018D54: C172.OBJ, 2.65 entropy
0x80018DB4: A79.OBJ, 2.65 entropy
0x80018D74: A74.OBJ, 2.65 entropy
0x80018E34: PATCH.OBJ, 3.82 entropy
0x80018D34: C112.OBJ, 2.65 entropy
0x80018D64: C173.OBJ, 2.65 entropy
0x80018DD4: A92.OBJ, 2.65 entropy
0x80018DA4: A78.OBJ, 2.65 entropy
0x80018D44: C171.OBJ, 2.65 entropy
0x80018D94: A76.OBJ, 2.65 entropy
0x80018D84: A75.OBJ, 2.65 entropy
0x80019154: END.OBJ, 2.83 entropy
0x80018DE4: A93.OBJ, 2.65 entropy
0x80019054: INIT.OBJ, 3.13 entropy
0x80018DC4: A80.OBJ, 2.65 entropy
0x80018DF4: CARD.OBJ, 3.41 entropy
Applied OBJs for LIBCOMB.LIB: 1/3:
0x800100E4: COMB_3.OBJ, 0.99 entropy
Applied OBJs for LIBPAD.LIB: 1/21:
0x800165A4: PDMAIINI.OBJ, 3.62 entropy
Applied OBJs for LIBGS.LIB: 5/167:
0x800107A4: GS_102.OBJ, 2.22 entropy
0x800107A4: GS_101.OBJ, 2.22 entropy
0x80022CF0: GS_125.OBJ, 2.22 entropy
0x80010220: GS_106.OBJ, 2.92 entropy
0x800107A4: GS_124.OBJ, 2.22 entropy
Applied OBJs for LIBGPU.LIB: 47/60:
0x800114A4: P11.OBJ, 2.67 entropy
0x80011554: P16.OBJ, 2.52 entropy
0x800119A4: P41.OBJ, 4.22 entropy
0x80011324: P03.OBJ, 4.16 entropy
0x80011424: P08.OBJ, 3.17 entropy
0x80011794: P33.OBJ, 3.94 entropy
0x800115D4: P20.OBJ, 2.43 entropy
0x80011764: P32.OBJ, 3.60 entropy
0x800112C4: P02.OBJ, 4.43 entropy
0x80011654: P24.OBJ, 2.43 entropy
0x80011534: P15.OBJ, 2.52 entropy
0x800116D4: P28.OBJ, 2.52 entropy
0x80011084: E01.OBJ, 4.17 entropy
0x80011474: P10.OBJ, 2.67 entropy
0x80011634: P23.OBJ, 2.43 entropy
0x80011894: P36.OBJ, 3.18 entropy
0x800113A4: P06.OBJ, 3.75 entropy
0x80011744: P31.OBJ, 3.87 entropy
0x80011454: P09.OBJ, 2.90 entropy
0x800112A4: P01.OBJ, 3.31 entropy
0x80011224: E04.OBJ, 3.67 entropy
0x80011594: P18.OBJ, 2.45 entropy
0x80011974: P40.OBJ, 3.23 entropy
0x80011514: P14.OBJ, 2.52 entropy
0x80010F94: E00.OBJ, 4.40 entropy
0x800116B4: P27.OBJ, 2.43 entropy
0x80011824: P35.OBJ, 3.86 entropy
0x80011384: P05.OBJ, 3.47 entropy
0x80011614: P22.OBJ, 2.52 entropy
0x80011714: P30.OBJ, 3.37 entropy
0x800115B4: P19.OBJ, 2.52 entropy
0x80011164: E03.OBJ, 4.69 entropy
0x80011264: P00.OBJ, 4.12 entropy
0x80011944: P39.OBJ, 3.49 entropy
0x80011694: P26.OBJ, 2.43 entropy
0x800114F4: P13.OBJ, 2.37 entropy
0x80011574: P17.OBJ, 2.52 entropy
0x80011364: P04.OBJ, 3.33 entropy
0x800115F4: P21.OBJ, 2.43 entropy
0x800117C4: P34.OBJ, 3.97 entropy
0x800113E4: P07.OBJ, 3.71 entropy
0x80011674: P25.OBJ, 2.43 entropy
0x800118D4: P38.OBJ, 4.41 entropy
0x80010D74: BREAK.OBJ, 4.17 entropy
0x800114D4: P12.OBJ, 2.52 entropy
0x800110F4: E02.OBJ, 4.16 entropy
0x800116F4: P29.OBJ, 3.87 entropy
Applied OBJs for 2MBYTE.OBJ: 1/1:
0x80010000: 2MBYTE.OBJ, 3.26 entropy
Applied OBJs for LIBC2.LIB: 1/50:
0x80010244: BCOPY.OBJ, 3.38 entropy
Applied OBJs for LIBSND.LIB: 2/223:
0x80010270: VM_KEY_2.OBJ, 0.99 entropy
0x80010270: DMYNOT1.OBJ, 0.99 entropy
Applied OBJs for LIBCOMB.LIB: 1/3:
0x80010270: COMB_3.OBJ, 0.99 entropy
Applied OBJs for LIBC.LIB: 1/55:
0x80010324: A56.OBJ, 2.65 entropy
Applied OBJs for LIBC2.LIB: 1/50:
0x80010324: EXIT.OBJ, 2.65 entropy
Applied OBJs for LIBC.LIB: 1/55:
0x80010334: ITOA.OBJ, 3.74 entropy
Applied OBJs for LIBC2.LIB: 1/50:
0x80010334: ITOA.OBJ, 3.74 entropy
Applied OBJs for LIBC2.LIB: 1/50:
0x80010374: LSEARCH.OBJ, 4.42 entropy
Applied OBJs for LIBSND.LIB: 1/223:
0x800107A4: SSVM.OBJ, 2.22 entropy
Applied OBJs for LIBGS.LIB: 3/167:
0x800107A4: GS_102.OBJ, 2.22 entropy
0x800107A4: GS_101.OBJ, 2.22 entropy
0x800107A4: GS_124.OBJ, 2.22 entropy
Applied OBJs for LIBC2.LIB: 1/50:
0x80010924: STRCMP.OBJ, 3.23 entropy
Applied OBJs for LIBC2.LIB: 1/50:
0x80010A24: STRSTR.OBJ, 3.46 entropy
Applied OBJs for LIBC.LIB: 1/55:
0x80010A94: STRTOK.OBJ, 3.68 entropy
Applied OBJs for LIBC2.LIB: 1/50:
0x80010A94: STRTOK.OBJ, 3.68 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80010D74: BREAK.OBJ, 4.17 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80010F94: E00.OBJ, 4.40 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80011084: E01.OBJ, 4.17 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x800110F4: E02.OBJ, 4.16 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80011164: E03.OBJ, 4.69 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80011224: E04.OBJ, 3.67 entropy
Applied OBJs for LIBGPU.LIB: 3/60:
0x80011324: P03.OBJ, 4.16 entropy
0x80011364: P04.OBJ, 3.33 entropy
0x800112C4: P02.OBJ, 4.43 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80011384: P05.OBJ, 3.47 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x800113E4: P07.OBJ, 3.71 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80011424: P08.OBJ, 3.17 entropy
Applied OBJs for LIBGPU.LIB: 2/60:
0x80011714: P30.OBJ, 3.37 entropy
0x800116F4: P29.OBJ, 3.87 entropy
Applied OBJs for LIBGPU.LIB: 2/60:
0x80011744: P31.OBJ, 3.87 entropy
0x80011764: P32.OBJ, 3.60 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80011824: P35.OBJ, 3.86 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80011894: P36.OBJ, 3.18 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80011944: P39.OBJ, 3.49 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x80011974: P40.OBJ, 3.23 entropy
Applied OBJs for LIBGPU.LIB: 1/60:
0x800119A4: P41.OBJ, 4.22 entropy
Applied OBJs for LIBMATH.LIB: 1/59:
0x80018694: SQRT.OBJ, 4.21 entropy
Applied OBJs for LIBMATH.LIB: 1/59:
0x800187D4: GEDF2.OBJ, 4.28 entropy
Applied OBJs for LIBMATH.LIB: 1/59:
0x800188B4: ADDDF3.OBJ, 4.82 entropy
Applied OBJs for LIBMATH.LIB: 1/59:
0x80018C34: FIXDFSI.OBJ, 4.73 entropy
Applied OBJs for LIBCARD.LIB: 1/18:
0x80018D44: C171.OBJ, 2.65 entropy
Applied OBJs for LIBCARD.LIB: 1/18:
0x80018D54: C172.OBJ, 2.65 entropy
Applied OBJs for LIBCARD.LIB: 1/18:
0x80018D64: C173.OBJ, 2.65 entropy
Applied OBJs for LIBCARD.LIB: 1/18:
0x80018DA4: A78.OBJ, 2.65 entropy
Applied OBJs for LIBCARD.LIB: 1/18:
0x80018DB4: A79.OBJ, 2.65 entropy
Applied OBJs for LIBCARD.LIB: 1/18:
0x80018DC4: A80.OBJ, 2.65 entropy
Applied OBJs for LIBCARD.LIB: 1/18:
0x80018DD4: A92.OBJ, 2.65 entropy
Applied OBJs for LIBCARD.LIB: 1/18:
0x80018DE4: A93.OBJ, 2.65 entropy
Applied OBJs for LIBCARD.LIB: 1/18:
0x80018DF4: CARD.OBJ, 3.41 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x80022934: A11.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x80022984: A50.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x80022994: A51.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x800229A4: A52.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x800229C4: A54.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x800229D4: A67.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x800229E4: A81.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x80022A34: FIRST.OBJ, 4.57 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x80022CD4: A66.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x80022FE4: A18.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x80022FF4: A19.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x80023004: A20.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x80023014: A21.OBJ, 2.65 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x80023024: PATCH.OBJ, 3.21 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x800230C4: CHCLRPAD.OBJ, 3.04 entropy
Applied OBJs for LIBCD.LIB: 1/51:
0x8002369C: S_020.OBJ, 3.41 entropy
Applied OBJs for LIBDS.LIB: 1/36:
0x8002369C: DSSYS_3.OBJ, 3.41 entropy
Applied OBJs for LIBGTE.LIB: 1/535:
0x800253EC: GEO_03_3.OBJ, 4.06 entropy
Applied OBJs for LIBGTE.LIB: 1/535:
0x80025514: FOG_01.OBJ, 3.54 entropy
Applied OBJs for LIBGTE.LIB: 1/535:
0x800257B4: MSC02.OBJ, 4.56 entropy
Applied OBJs for LIBGTE.LIB: 2/535:
0x80025AB4: MSC06_2.OBJ, 3.56 entropy
0x80025A64: MSC06_1.OBJ, 3.53 entropy
Applied OBJs for LIBGTE.LIB: 2/535:
0x80025C74: MSC06_6.OBJ, 4.14 entropy
0x80025C14: MSC06_5.OBJ, 4.00 entropy
Applied OBJs for LIBGTE.LIB: 1/535:
0x800260E4: MTX_009.OBJ, 3.45 entropy
Applied OBJs for LIBGTE.LIB: 2/535:
0x80026AA4: SMP_11.OBJ, 2.77 entropy
0x80026A94: SMP_00_7.OBJ, 3.08 entropy
Applied OBJs for LIBGTE.LIB: 1/535:
0x80026C34: SMP_04.OBJ, 3.03 entropy
Applied OBJs for LIBGTE.LIB: 1/535:
0x80026FE4: FGO_09.OBJ, 3.85 entropy
Applied OBJs for LIBAPI.LIB: 1/89:
0x800281E4: A24.OBJ, 2.65 entropy
Applied OBJs for LIBSPU.LIB: 1/126:
0x80029574: S_M_UTIL.OBJ, 3.85 entropy
Applied OBJs for LIBSN.LIB: 1/44:
0x8002AE38: CREAT.OBJ, 3.26 entropy
Applied OBJs for LIBSN.LIB: 1/44:
0x8002AF18: SNWRITE.OBJ, 3.15 entropy
Applied OBJs for LIBGTE.LIB: 1/535:
0x8002FAF0: FGO_04.OBJ, 3.43 entropy
Applied OBJs for LIBGTE.LIB: 1/535:
0x8002FC90: FGO_05.OBJ, 3.41 entropy
Applied OBJs for LIBGTE.LIB: 1/535:
0x8003DD54: REG08.OBJ, 3.07 entropy
Applied OBJs for LIBGTE.LIB: 2/535:
0x80049E50: FGO_00.OBJ, 3.67 entropy
0x80049E90: SMP_01_1.OBJ, 3.57 entropy
Applied OBJs for LIBGTE.LIB: 2/535:
0x80049F30: SMP_01_4.OBJ, 3.79 entropy
0x80049F60: SMP_01_5.OBJ, 3.75 entropy
Applied OBJs for LIBSPU.LIB: 2/126:
0x8004BC64: S_R.OBJ, 4.10 entropy
0x8004BC64: S_W.OBJ, 4.10 entropy
Applied OBJs for LIBSPU.LIB: 1/126:
0x80056440: S_SIA.OBJ, 3.87 entropy
Applied OBJs for LIBGTE.LIB: 1/535:
0x80056480: CMB_07.OBJ, 3.82 entropy

All of this said, I can't proceed from here; I've hardly used Ghidra before. I can't be of any help except to maybe provide you a working ghidra extension if that's needed..?

Vehek

  • Errare Explorer (+1500)
  • Posts: 1761
Re: Fully reverse engineering Chrono Cross back into C code
« Reply #5 on: May 30, 2022, 07:22:19 pm »
This is a list of SDK functions I got using radare2 (note: I was using a version from a few years ago) and FLIRT signatures originally meant for IDA.
Code:
0x80010008    3 172          flirt.__SN_ENTRY_POINT
0x800100f4   19 304  -> 300  flirt.atoi
0x80010284    5 48           flirt.bzero
0x800102b4    4 64           flirt.toupper
0x800103d4    5 64   -> 52   flirt.memcpy
0x80010414    8 112  -> 108  flirt.memmove
0x80010484    5 48           flirt.memset
0x800104b4   11 252          flirt._putchar
0x800105b0    3 60           flirt._putchar_flash
0x80010714    5 96   -> 84   flirt.puts
0x80010774    1 48           flirt.rand
0x800107b4    1 60           flirt.setjmp
0x80010834   10 176  -> 164  flirt.strcat
0x80010924   10 112  -> 100  flirt.strcmp
0x80010994    6 80   -> 68   flirt.strcpy
0x800109e4    6 64   -> 52   flirt.strlen
0x80010d04    6 112          flirt.todigit
0x80011164    4 192  -> 180  flirt.SetDefDrawEnv
0x80011224    1 64   -> 60   flirt.SetDefDispEnv
0x80011264    1 64   -> 60   flirt.GetTPage
0x800113a4    1 64   -> 60   flirt.AddPrim
0x80011474    4 48   -> 40   flirt.SetSemiTrans
0x800114a4    4 48   -> 40   flirt.SetShadeTex
0x80011794    5 48   -> 44   flirt.SetDrawTPage
0x800117c4    4 96           flirt.SetDrawMove
0x800118d4    4 112          flirt.SetTexWindow
0x80011c34   12 372          flirt.ResetGraph
0x80011eb8    3 96           flirt.DrawSyncCallback
0x80011f18    7 152          flirt.SetDispMask
0x80011fb0   18 388          flirt.DrawSync
0x80012134    1 144          flirt.ClearImage
0x8001225c    1 96           flirt.LoadImage
0x800122bc    1 96           flirt.StoreImage
0x8001231c    5 184          flirt.MoveImage
0x8001249c    3 172          flirt.ClearOTagR
0x800125a4    3 112          flirt.DrawOTag
0x80012614    3 192          flirt.PutDrawEnv
0x800127ac    1 52           flirt.GetDrawEnv
0x800127e0   75 1272         flirt.PutDispEnv
0x80012cd8    1 52           flirt.GetDispEnv
0x80015784    1 32           flirt.atol
0x800157a4    1 32           flirt.atol
0x80015810   14 208  -> 204  flirt.PadGetState
0x800159d4    7 224  -> 152  flirt.PadInfoAct
0x80015bd0    1 256  -> 72   flirt.PadInfoMode
0x800165a4    1 204          flirt.PadStartCom
0x80016670    1 68           flirt.PadStopCom
0x800187d4   19 224  -> 220  flirt.__gedf2
0x800188b4   37 896  -> 884  flirt.__adddf3
0x80018c34   12 256  -> 244  flirt.__fixdfsi
0x80018d34    1 16   -> 12   flirt._bu_init
0x80018d74    1 16   -> 12   flirt.InitCARD2
0x80018d84    1 16   -> 12   flirt.StartCARD2
0x80018d94    1 16   -> 12   flirt.StopCARD2
0x80018da4    1 16   -> 12   flirt._card_write
0x80018e34    1 220  -> 68   flirt._patch_card_info
0x80018f10    3 148          flirt._patch_card
0x80018fa4    3 112          flirt._patch_card2
0x80019014    3 64   -> 52   flirt._copy_memcard_patch
0x80019054    5 144          flirt.InitCARD
0x800190e4    3 72           flirt.StartCARD
0x8001912c    1 40           flirt.StopCARD
0x80019154    3 128  -> 112  flirt._ExitCard
0x8001a994    2 64           flirt.DsFlush
0x800228d4    1 16   -> 12   flirt.InitHeap
0x800228e4    1 16   -> 12   flirt.FlushCache
0x80022904    1 16   -> 12   flirt.DeliverEvent
0x80022914    1 16   -> 12   flirt.OpenEvent
0x80022944    1 16   -> 12   flirt.EnableEvent
0x80022964    1 16           flirt.EnterCriticalSection
0x80022974    1 16           flirt.ExitCriticalSection
0x800229b4    1 16   -> 12   flirt.write
0x80022a04    1 16   -> 12   flirt.SysEnqIntRP
0x80022a24    1 16   -> 12   flirt.ChangeClearRCnt
0x80022cd4    1 16   -> 12   flirt.firstfile2
0x80022cf0    1 16           flirt.GsGetWorkBase
0x80022fe4    1 16   -> 12   flirt.InitPAD2
0x80023004    1 16   -> 12   flirt.StopPAD2
0x80023014    1 16   -> 12   flirt.PAD_init2
0x800230c4    3 112  -> 104  flirt._remove_ChgclrPAD
0x80023ca8   25 640          flirt.CD_sync
0x80023f28   29 712          flirt.CD_ready
0x800241f0   43 1036         flirt.CD_cw
0x800245fc    1 136          flirt.CD_vol
0x80024684    4 212          flirt.CD_flush
0x80024758    5 240          flirt.CD_initvol
0x80024848    1 76           flirt.CD_initintr
0x80024894   11 480          flirt.CD_init
0x80024a74    9 360          flirt.CD_datasync
0x80024bdc    6 256          flirt.CD_set_test_parmnum
0x80024cdc    3 240  -> 236  flirt.CD_getsector2
0x80025044    4 60           flirt.rsin
0x80025080    8 148  -> 144  flirt.sin_1
0x80025114   10 160          flirt.rcos
0x80025584   22 272  -> 260  flirt.SetFogNearFar
0x80025724    6 144  -> 128  flirt.SquareRoot0
0x80025b04    1 144  -> 40   flirt.LoadAverageShort12
0x80025f94    3 164  -> 76   flirt.PushMatrix
0x80026038    3 172  -> 92   flirt.PopMatrix
0x80026404    1 48   -> 36   flirt.TransMatrix
0x80026434    1 320  -> 312  flirt.ScaleMatrix
0x80026d54   13 656  -> 652  flirt.RotMatrix
0x80027274    1 512  -> 248  flirt.RotMatrixYXZ_gte
0x80027474    1 528  -> 248  flirt.RotMatrix_gte
0x80027684   41 384  -> 372  flirt.ratan2
0x80027804    6 172          flirt._ExitCard
0x800278e4   23 528          flirt.VSync
0x80027af4    1 48           flirt.ResetCallback
0x80027b24    1 48           flirt.InterruptCallback
0x80027b54    1 48           flirt.DMACallback
0x80027b84    1 52           flirt.VSyncCallback
0x80027c48    1 16           flirt.CheckCallback
0x80027c70   22 1348 -> 524  flirt.SetIntrMask
0x800281d4    1 16   -> 12   flirt.ReturnFromException
0x800281e4    1 16   -> 12   flirt.ResetEntryInt
0x800281f4    1 16   -> 12   flirt.HookEntryInt
0x80028204    5 288  -> 124  flirt.startIntrVSync
0x80028324    5 672  -> 112  flirt.startIntrDMA
0x800285d8    1 16           flirt.GsGetWorkBase
0x80028654   10 192          flirt.PCread
0x800287b4    1 32           flirt.SsUtReverbOff
0x800287d4    4 232          flirt._SpuInit
0x800288bc    3 120  -> 112  flirt.SpuStart
0x80028934   31 1088         flirt._spu_init
0x80028ed8   30 640          flirt._spu_t
0x80029158    4 132          flirt._spu_Fw
0x800291dc    1 100          flirt._spu_Fr
0x80029240    4 68           flirt._spu_FsetRXX
0x80029284   11 164          flirt._spu_FsetRXXa
0x8002940c    4 104  -> 92   flirt._spu_Fw1ts
0x80029474    1 48   -> 36   flirt._SpuDataCallback
0x800294a4   10 208  -> 204  flirt.SpuSetReverb
0x8002af30    1 320  -> 312  flirt.ScaleMatrixL
0x8002f860   13 656  -> 652  flirt.RotMatrixZYX
0x8003fc70    3 128  -> 116  flirt.SpuQuit
0x800421e8    2 48           flirt.GsSetLsMatrix
0x80049bf0   10 336  -> 204  flirt.CdInit
0x80049e50    1 64           flirt.TransposeMatrix
0x8004ac70    1 16           flirt.GsGetWorkBase
0x8004b1a0    4 96   -> 92   flirt.SpuSetTransferStartAddr
0x8004b200    5 48           flirt.SpuSetTransferMode
0x8004b8e4   14 156          flirt.SetRCnt
0x8004b980    4 56           flirt.GetRCnt
0x8004b9b8    1 48           flirt.StartRCnt
0x8004b9e8    1 52           flirt.StopRCnt
0x8004ba54    4 96   -> 84   flirt.SpuInitMalloc
0x8004bab4   20 320  -> 316  flirt.SpuSetIRQ
0x8004bbf4    3 64   -> 60   flirt.SpuSetIRQCallback
0x8004bc34    1 48   -> 36   flirt._SpuCallback
0x8004bc64    5 96   -> 92   flirt.SpuRead
0x8004bcc4    5 96   -> 92   flirt.SpuRead
0x8004bd24    3 48   -> 36   flirt.SpuSetTransferCallback
0x8004dd70    4 80   -> 72   flirt.SpuSetNoiseClock
0x8004dde0    1 48   -> 40   flirt.SpuSetReverbModeDepth
0x800516c4   20 464  -> 460  flirt.SpuSetReverbModeType
0x80051894   97 1232         flirt._spu_setReverbAttr
0x80051d64   19 416  -> 404  flirt.SpuClearReverbWorkArea
0x80051f04    1 16   -> 12   flirt.WaitEvent
0x80056440    4 64           flirt.SpuSetIRQAddr
0x80090e44    1 64   -> 40   flirt.DsFlush
0x80094118    2 64           flirt.DsFlush
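To make the "do these line up" comparison between the two listings concrete, here is an added script (mine, not from the thread or from either tool) that parses excerpts of trig's ghidra_psx_ldr log and Vehek's radare2 FLIRT listing, joins them on address, and flags the cases that deserve suspicion: one address claimed by several OBJ files, and matches whose entropy is low. The excerpts are the posted lines, shortened to a handful; the 3.0 entropy threshold is an assumption of mine, not something either tool reports.

```python
import re
from collections import defaultdict

# Excerpts of the two listings posted in this thread, trimmed so the script
# runs offline: trig's ghidra_psx_ldr log and Vehek's radare2 FLIRT output.
GHIDRA_LOG = """\
Applied OBJs for LIBCD.LIB: 13/51:
0x80024BDC: BIOS_2.OBJ, 3.47 entropy
0x80010220: S_024.OBJ, 2.92 entropy
0x80010220: S_013.OBJ, 2.92 entropy
0x80049BF0: EVENT.OBJ, 3.69 entropy
Applied OBJs for LIBC2.LIB: 21/50:
0x800107B4: SETJMP.OBJ, 3.79 entropy
0x80010994: STRCPY.OBJ, 3.41 entropy
0x80010220: ATOI_1.OBJ, 2.92 entropy
0x80010774: RAND.OBJ, 3.88 entropy
Applied OBJs for LIBETC.LIB: 6/8:
0x800278E4: VSYNC.OBJ, 3.78 entropy
0x80010220: PADSTOP.OBJ, 2.92 entropy
"""

R2_FLIRT = """\
0x800107b4    1 60           flirt.setjmp
0x80010994    6 80   -> 68   flirt.strcpy
0x80010774    1 48           flirt.rand
0x80024bdc    6 256          flirt.CD_set_test_parmnum
0x800278e4   23 528          flirt.VSync
0x80049bf0   10 336  -> 204  flirt.CdInit
"""

HDR_RE = re.compile(r"^Applied OBJs for (\S+): \d+/\d+:")
OBJ_RE = re.compile(r"^0x([0-9A-Fa-f]+): (\S+), ([0-9.]+) entropy")
FLIRT_RE = re.compile(r"^0x([0-9A-Fa-f]+)\s+\d+\s+\d+(?:\s+->\s+\d+)?\s+flirt\.(\S+)")


def parse_ghidra(text):
    """addr -> [(lib, obj, entropy)] from the extension's 'Applied OBJs' log."""
    hits, lib = defaultdict(list), None
    for line in text.splitlines():
        if m := HDR_RE.match(line):
            lib = m.group(1)
        elif m := OBJ_RE.match(line):
            hits[int(m.group(1), 16)].append((lib, m.group(2), float(m.group(3))))
    return hits


def parse_r2(text):
    """addr -> [function name] from radare2's FLIRT listing (afl-style columns)."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if m := FLIRT_RE.match(line):
            hits[int(m.group(1), 16)].append(m.group(2))
    return hits


def cross_reference(ghidra, r2, min_entropy=3.0):
    """One row per address seen by either tool, with the flags worth reviewing."""
    rows = []
    for addr in sorted(set(ghidra) | set(r2)):
        objs = ghidra.get(addr, [])
        names = r2.get(addr, [])
        rows.append({
            "addr": addr,
            "libs": sorted({lib for lib, _, _ in objs}),
            "objs": [obj for _, obj, _ in objs],
            "flirt": names,
            "confirmed": bool(objs) and bool(names),   # both tools see library code here
            "ambiguous": len(objs) > 1,               # several OBJs claim the same bytes
            "low_entropy": bool(objs) and max(e for _, _, e in objs) < min_entropy,
        })
    return rows


if __name__ == "__main__":
    for r in cross_reference(parse_ghidra(GHIDRA_LOG), parse_r2(R2_FLIRT)):
        flag = "OK" if r["confirmed"] else ("??" if r["ambiguous"] or r["low_entropy"] else "  ")
        print(f"{flag} 0x{r['addr']:08X} {','.join(r['objs']) or '-':40} {','.join(r['flirt']) or '-'}")
```

On these excerpts six addresses are confirmed by both tools (SETJMP.OBJ against setjmp, BIOS_2.OBJ against CD_set_test_parmnum, EVENT.OBJ against CdInit, and so on), while 0x80010220 is claimed by S_024, S_013, ATOI_1 and PADSTOP at the same 2.92 entropy and has no FLIRT hit: a near-empty function that many library objects happen to share byte-for-byte, so none of those four names can be trusted for it. Addresses that are both low-entropy and multiply claimed are the ones to hand-check before renaming anything at them.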

glennxserge

  • Earthbound (+15)
  • Posts: 40
  • Sacred lickaroo.... Not!
  • Chrono Cross FateTerminal
Re: Fully reverse engineering Chrono Cross back into C code
« Reply #6 on: May 31, 2022, 03:07:18 am »
Thanks, trig.  That's super helpful.  I'll see if I can get that extension built and installed.  Good note about the missing data folder, I think I ran into something similar.  Nice to see though that this is still working in the current release.

Your ghidra output is looking about how I'd expect.  That is to say, all the work left ahead is making sense of the code in context of the game and renaming all the generic symbols :lol:

And thanks, Vehek for the additional signatures, those seem to line up and expand on the ones in trig's output.  These will be helpful in understanding what each function is trying to do.  I'll play around with this some more and see what I can find.

Also stumbled on TDR as well when I was looking around: https://www.beneaththewaves.net/Software/This_Dust_Remembers_What_It_Once_Was.html
An unwieldy name, but seems promising as a tool.

Xeregs906

  • Iokan (+1)
  • Posts: 5
Re: Fully reverse engineering Chrono Cross back into C code
« Reply #7 on: May 31, 2022, 10:43:35 am »
Is it possible to use ghidra to further expand the dump files obtained from purple cat?

From my understanding, the difficulty in reverse engineering CC is how the CD sectors are compressed. Even Square couldn't fully reverse their own files all these years later lol!!


pillarock

  • Iokan (+1)
  • Posts: 2
Re: Fully reverse engineering Chrono Cross back into C code
« Reply #8 on: June 04, 2022, 11:29:03 pm »
I found libRetroReversing, a library that provides reverse engineering functionality to RetroArch libretro cores: https://github.com/RetroReversing/libRetroReversing . With this, theoretically, you can create a PSX reversing emulator. There is also a step-by-step guide on how to do this: https://www.retroreversing.com/create-reversing-emulator
« Last Edit: June 06, 2022, 01:15:54 am by pillarock »