chaoticgd / ghidra-emotionengine-reloaded

An extension for Ghidra that adds support for the PlayStation 2.
Apache License 2.0

Burnout Beta v0.40 PAL ELF Analysis Issues with SP12 Release #53

Closed escape209 closed 5 months ago

escape209 commented 6 months ago

Starting with SP12, I've been running into major issues with analysis of the ELF for Burnout Beta v0.40 PAL.

I was using extension version SP11 with Ghidra 10.4 previously, and had no issues with the same ELF.

Log output from SP12 + Ghidra 11.0:

DEBUG   (PackedDatabaseCache) Using cached packed database: C:\Programs\Ghidra\ghidra_11.0_PUBLIC\Ghidra\Features\Base\data\typeinfo\generic\generic_clib.gdt
DEBUG   (ToolTaskManager) Background processing started...
DEBUG   (ToolTaskManager) Exec Task Auto Analysis
ERROR   (SleighInstructionPrototype) Pcode error at 00283760: Program does not contain referenced instruction: 00283764
ERROR   (SleighInstructionPrototype) Pcode error at 0028bcc0: Program does not contain referenced instruction: 0028bcc4
ERROR   (SleighInstructionPrototype) Pcode error at 00292e40: Program does not contain referenced instruction: 00292e44
ERROR   (SleighInstructionPrototype) Pcode error at 002950a0: Program does not contain referenced instruction: 002950a4
ERROR   (SleighInstructionPrototype) Pcode error at 002822e0: Program does not contain referenced instruction: 002822e4
ERROR   (SleighInstructionPrototype) Pcode error at 0029de50: Program does not contain referenced instruction: 0029de54
ERROR   (SleighInstructionPrototype) Pcode error at 0029de58: Program does not contain referenced instruction: 0029de5c
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 004a5340: <EXTERNAL>::EXT_FUN_004a5340
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 004a2b20: <EXTERNAL>::EXT_FUN_004a2b20
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 003657a0: <EXTERNAL>::EXT_FUN_003657a0
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 00398940: <EXTERNAL>::EXT_FUN_00398940
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 004cdbe0: <EXTERNAL>::EXT_FUN_004cdbe0
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 004a9c20: <EXTERNAL>::EXT_FUN_004a9c20
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 00395e00: <EXTERNAL>::EXT_FUN_00395e00
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 00478e40: <EXTERNAL>::EXT_FUN_00478e40
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 00478b80: <EXTERNAL>::EXT_FUN_00478b80
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 00416b20: <EXTERNAL>::EXT_FUN_00416b20
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 00395cc0: <EXTERNAL>::EXT_FUN_00395cc0
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 0047d220: <EXTERNAL>::EXT_FUN_0047d220
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 004b27e0: <EXTERNAL>::EXT_FUN_004b27e0
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 004cd7c0: <EXTERNAL>::EXT_FUN_004cd7c0
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 004cd980: <EXTERNAL>::EXT_FUN_004cd980
ERROR   (SleighInstructionPrototype) Pcode error at 002822e0: Program does not contain referenced instruction: 002822e4
ERROR   (SleighInstructionPrototype) Pcode error at 00283760: Program does not contain referenced instruction: 00283764
ERROR   (SleighInstructionPrototype) Pcode error at 0028bcc0: Program does not contain referenced instruction: 0028bcc4
ERROR   (SleighInstructionPrototype) Pcode error at 00292e40: Program does not contain referenced instruction: 00292e44
ERROR   (SleighInstructionPrototype) Pcode error at 002950a0: Program does not contain referenced instruction: 002950a4
ERROR   (CreateFunctionCmd) Failed to create function at 002342f0 since its body contains referring thunk at 002342e0
ERROR   (CreateFunctionCmd) Failed to create function at 00242320 since its body contains referring thunk at 002422e0
ERROR   (SleighInstructionPrototype) Pcode error at 00283760: Program does not contain referenced instruction: 00283764
DEBUG   (CreateThunkFunctionCmd) Created new external location for address 04300ff8: <EXTERNAL>::EXT_FUN_04300ff8
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 00229ad0
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 00229ad0
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 00253588
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 00253158
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 00251580
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 0021db70
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 0021db70
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 0021db70
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 0021db70
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 0021db70
WARN    (SimpleBlockModel) WARNING: Invalid delay slot instruction found at 0021db70
WARN    (ClearFlowAndRepairCmd) WARNING! Repairing body of function at 00109d40
ERROR   (ClearFlowAndRepairCmd) ... function body repair failed due to overlap with another function: 00109d40
WARN    (ClearFlowAndRepairCmd) WARNING! Repairing body of function at 00109e58
ERROR   (ClearFlowAndRepairCmd) ... function body repair failed due to overlap with another function: 00109e58
WARN    (ClearFlowAndRepairCmd) WARNING! Repairing body of function at 0010e2f8
ERROR   (ClearFlowAndRepairCmd) ... function body repair failed due to overlap with another function: 0010e2f8
ERROR   (SleighInstructionPrototype) Pcode error at 002822e0: Program does not contain referenced instruction: 002822e4
ERROR   (SleighInstructionPrototype) Pcode error at 0028bcc0: Program does not contain referenced instruction: 0028bcc4
ERROR   (SleighInstructionPrototype) Pcode error at 00292e40: Program does not contain referenced instruction: 00292e44
ERROR   (SleighInstructionPrototype) Pcode error at 002950a0: Program does not contain referenced instruction: 002950a4
WARN    (DecompileCallback) Decompiling 001102c0: Unable to read bytes at ram:0061c9c0
WARN    (DecompileCallback) Decompiling 001035d8: Unable to read bytes at ram:0061b980
WARN    (DecompileCallback) Decompiling 00101100: Unable to read bytes at ram:0061b280
WARN    (DecompileCallback) Decompiling 00100b60: Unable to read bytes at ram:0061b160
WARN    (DecompileCallback) Decompiling 00123168: Unable to read bytes at ram:0061e320
WARN    (DecompileCallback) Decompiling 0010e460: Unable to read bytes at ram:0061c730
WARN    (DecompileCallback) Decompiling 00101b50: Unable to read bytes at ram:0061b380
WARN    (DecompileCallback) Decompiling 00133430: Unable to read bytes at ram:00620960
WARN    (DecompileCallback) Decompiling 0013b210: Unable to read bytes at ram:00620e40
WARN    (DecompileCallback) Decompiling 001012d0: Unable to read bytes at ram:0061b300
WARN    (DecompileCallback) Decompiling 0014a850: Unable to read bytes at ram:00621800
WARN    (DecompileCallback) Decompiling 00141470: Unable to read bytes at ram:00621460
WARN    (DecompileCallback) Decompiling 00141bb0: Unable to read bytes at ram:006214a0
WARN    (DecompileCallback) Decompiling 00125658: Unable to read bytes at ram:0061ead0
WARN    (DecompileCallback) Decompiling 00125658: Unable to read bytes at ram:0061ead0
WARN    (DecompileCallback) Decompiling 0015c620: Unable to read bytes at ram:00622160
WARN    (DecompileCallback) Decompiling 00145af0: Unable to read bytes at ram:006216e0
WARN    (DecompileCallback) Decompiling 00151fd0: Unable to read bytes at ram:006218e0
WARN    (DecompileCallback) Decompiling 001558b0: Unable to read bytes at ram:00621d40
WARN    (DecompileCallback) Decompiling 0016c840: Unable to read bytes at ram:00627c60
WARN    (DecompileCallback) Decompiling 0016c840: Unable to read bytes at ram:00627c00
WARN    (DecompileCallback) Decompiling 0016c840: Unable to read bytes at ram:00627ba0
WARN    (DecompileCallback) Decompiling 00161b70: Unable to read bytes at ram:006228c0
WARN    (DecompileCallback) Decompiling 00161b70: Unable to read bytes at ram:00622860
WARN    (DecompileCallback) Decompiling 00161b70: Unable to read bytes at ram:00622800
WARN    (DecompileCallback) Decompiling 00162f10: Unable to read bytes at ram:00622920
WARN    (DecompileCallback) Decompiling 00161b70: Unable to read bytes at ram:006228c0
WARN    (DecompileCallback) Decompiling 00161b70: Unable to read bytes at ram:00622860
WARN    (DecompileCallback) Decompiling 00161b70: Unable to read bytes at ram:00622800
WARN    (DecompileCallback) Decompiling 00145e60: Unable to read bytes at ram:00621740
WARN    (DecompileCallback) Decompiling 00161b70: Unable to read bytes at ram:006228c0
WARN    (DecompileCallback) Decompiling 00161b70: Unable to read bytes at ram:00622860
WARN    (DecompileCallback) Decompiling 00161b70: Unable to read bytes at ram:00622800
WARN    (DecompileCallback) Decompiling 00168010: Unable to read bytes at ram:00623760
WARN    (DecompileCallback) Decompiling 0016c840: Unable to read bytes at ram:00627c60
WARN    (DecompileCallback) Decompiling 0016c840: Unable to read bytes at ram:00627c00
WARN    (DecompileCallback) Decompiling 0016c840: Unable to read bytes at ram:00627ba0
WARN    (DecompileCallback) Decompiling 0016c840: Unable to read bytes at ram:00627c60
WARN    (DecompileCallback) Decompiling 0016c840: Unable to read bytes at ram:00627c00
WARN    (DecompileCallback) Decompiling 0016c840: Unable to read bytes at ram:00627ba0
WARN    (DecompileCallback) Decompiling 0011a3e0: Unable to read bytes at ram:0061dda0
WARN    (DecompileCallback) Decompiling 00198b10: Unable to read bytes at ram:0063a840
WARN    (DecompileCallback) Decompiling 00121890: Unable to read bytes at ram:0061e100
WARN    (DecompileCallback) Decompiling 001860f0: Unable to read bytes at ram:006295c0
WARN    (DecompileCallback) Decompiling 00198d20: Unable to read bytes at ram:0063a880
WARN    (DecompileCallback) Decompiling 00196950: Unable to read bytes at ram:0063a020
WARN    (DecompileCallback) Decompiling 00196950: Unable to read bytes at ram:00639fc0
WARN    (DecompileCallback) Decompiling 001b27c0: Unable to read bytes at ram:0063b920
WARN    (DecompileCallback) Decompiling 001a0808: Unable to read bytes at ram:0063b100
WARN    (DecompileCallback) Decompiling 001a0808: Unable to read bytes at ram:0063b140
WARN    (DecompileCallback) Decompiling 001a0808: Unable to read bytes at ram:0063b100
WARN    (DecompileCallback) Decompiling 001a0808: Unable to read bytes at ram:0063b140
WARN    (DecompileCallback) Decompiling 00186660: Unable to read bytes at ram:00629660
WARN    (DecompileCallback) Decompiling 00195a50: Unable to read bytes at ram:00639f40
WARN    (DecompileCallback) Decompiling 00123eb0: Unable to read bytes at ram:0061e720
WARN    (DecompileCallback) Decompiling 0016cbe0: Unable to read bytes at ram:00627cc0
WARN    (DecompileCallback) Decompiling 001b55d0: Unable to read bytes at ram:0063d0a0
WARN    (DecompileCallback) Decompiling 00160140: Unable to read bytes at ram:006227a0
WARN    (DecompileCallback) Decompiling 00196950: Unable to read bytes at ram:0063a020
WARN    (DecompileCallback) Decompiling 00196950: Unable to read bytes at ram:00639fc0
WARN    (DecompileCallback) Decompiling 001e8130: Unable to read bytes at ram:0063fb20
WARN    (DecompileCallback) Decompiling 001a2c20: Unable to read bytes at ram:0063b200
WARN    (DecompileCallback) Decompiling 001ece20: Unable to read bytes at ram:00640760
WARN    (DecompileCallback) Decompiling 001ece20: Unable to read bytes at ram:006406e0
WARN    (DecompileCallback) Decompiling 001edf90: Unable to read bytes at ram:006407e0
WARN    (DecompileCallback) Decompiling 001ece20: Unable to read bytes at ram:00640760
WARN    (DecompileCallback) Decompiling 001ece20: Unable to read bytes at ram:006406e0
WARN    (DecompileCallback) Decompiling 001ef480: Unable to read bytes at ram:006422a0
WARN    (DecompileCallback) Decompiling 001e3400: Unable to read bytes at ram:0063f860
WARN    (DecompileCallback) Decompiling 001f2480: Unable to read bytes at ram:00642540
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00642460
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00724c84
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00642400
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:006423a0
WARN    (DecompileCallback) Decompiling 001ef140: Unable to read bytes at ram:00642220
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00642460
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00724c84
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00642400
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:006423a0
WARN    (DecompileCallback) Decompiling 001e1780: Unable to read bytes at ram:0063f7e0
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00642460
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00724c84
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00642400
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:006423a0
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00642460
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00724c84
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:00642400
WARN    (DecompileCallback) Decompiling 001f1340: Unable to read bytes at ram:006423a0
WARN    (DecompileCallback) Decompiling 001f2d80: Unable to read bytes at ram:00642780
WARN    (DecompileCallback) Decompiling 001f3250: Unable to read bytes at ram:00642840
WARN    (DecompileCallback) Decompiling 001fd330: Unable to read bytes at ram:006456e0
WARN    (DecompileCallback) Decompiling 001fdfc0: Unable to read bytes at ram:00645760
WARN    (DecompileCallback) Decompiling 001f26d0: Unable to read bytes at ram:00642600
WARN    (DecompileCallback) Decompiling 00206a10: Unable to read bytes at ram:00645c20
WARN    (DecompileCallback) Decompiling 00254960: Unable to read bytes at ram:006468a0
WARN    (DecompileCallback) Decompiling 002548c0: Unable to read bytes at ram:00646860
WARN    (DecompileCallback) Decompiling 00262370: Unable to read bytes at ram:00646a60
WARN    (DecompileCallback) Decompiling 00216fa0: Unable to read bytes at ram:00645e20
WARN    (DecompileCallback) Decompiling 002559d0: Unable to read bytes at ram:006468e0
WARN    (DecompileCallback) Decompiling 00262ba0: Unable to read bytes at ram:00646b80
WARN    (DecompileCallback) Decompiling 002646c0: Unable to read bytes at ram:00646fe0
WARN    (DecompileCallback) Decompiling 00235f20: Unable to read bytes at ram:006466a0
WARN    (DecompileCallback) Decompiling 00250bf0: Unable to read bytes at ram:00646800
ERROR   (SleighInstructionPrototype) Pcode error at 0028bcc0: Program does not contain referenced instruction: 0028bcc4
ERROR   (SleighInstructionPrototype) Pcode error at 002950a0: Program does not contain referenced instruction: 002950a4
ERROR   (SleighInstructionPrototype) Pcode error at 00283760: Program does not contain referenced instruction: 00283764
ERROR   (SleighInstructionPrototype) Pcode error at 00292e40: Program does not contain referenced instruction: 00292e44
ERROR   (SleighInstructionPrototype) Pcode error at 002822e0: Program does not contain referenced instruction: 002822e4
ERROR   (SleighInstructionPrototype) Pcode error at 0029de58: Program does not contain referenced instruction: 0029de5c
ERROR   (SleighInstructionPrototype) Pcode error at 0029de50: Program does not contain referenced instruction: 0029de54
INFO    (ApplyDataArchiveAnalyzer) Applied data type archive: generic_clib
ERROR   (SleighInstructionPrototype) Pcode error at 002822e0: Program does not contain referenced instruction: 002822e4
ERROR   (SleighInstructionPrototype) Pcode error at 0029de58: Program does not contain referenced instruction: 0029de5c
ERROR   (SleighInstructionPrototype) Pcode error at 0029de50: Program does not contain referenced instruction: 0029de54
ERROR   (SleighInstructionPrototype) Pcode error at 0028bcc0: Program does not contain referenced instruction: 0028bcc4
ERROR   (SleighInstructionPrototype) Pcode error at 00292e40: Program does not contain referenced instruction: 00292e44
ERROR   (SleighInstructionPrototype) Pcode error at 002950a0: Program does not contain referenced instruction: 002950a4
INFO    (AutoAnalysisManager) Analysis Log Messages
    STABS> [D:\a\ccc\ccc\ccc\analysis.cpp:13] error: No .mdebug section.

INFO    (AutoAnalysisManager) -----------------------------------------------------
    ASCII Strings                              0.489 secs
    Apply Data Archives                        0.179 secs
    Call Convention ID                         0.731 secs
    Call-Fixup Installer                       0.036 secs
    Create Address Tables                      0.350 secs
    Create Address Tables - One Time           0.053 secs
    Create Function                            0.361 secs
    Data Reference                             0.088 secs
    Decompiler Switch Analysis                 2.809 secs
    Demangler GNU                              0.405 secs
    Disassemble Entry Points                   5.154 secs
    Disassemble Entry Points - One Time        0.012 secs
    Embedded Media                             0.031 secs
    External Entry References                  0.039 secs
    External Symbol Resolver                   0.000 secs
    Function Start Search                      0.149 secs
    MIPS-R5900 Constant Reference Analyzer    14.115 secs
    Non-Returning Functions - Discovered       0.957 secs
    Non-Returning Functions - Known            0.035 secs
    Reference                                  0.167 secs
    STABS                                      1.924 secs
    Shared Return Calls                        0.460 secs
    Stack                                     17.332 secs
    Subroutine References                      0.232 secs
    Subroutine References - One Time           0.000 secs
    -----------------------------------------------------
    Total Time   46 secs
    -----------------------------------------------------

DEBUG   (ToolTaskManager) Auto Analysis task finish (46.245 secs)
DEBUG   (ToolTaskManager) Queue - Auto Analysis
DEBUG   (ToolTaskManager) (0.0 secs)
DEBUG   (ToolTaskManager) Auto Analysis task complete (46.281 secs)
DEBUG   (ToolTaskManager) Background processing complete (46.286 secs)
INFO    (RecoveryMgr) Fri Jan 05 01:07:14 GMT 2024 Recovery snapshot created: C:\Projects\Ghidra\b1\test\b1test.rep\idata\00\~00000001.db\snapshotA.grf

Successful analysis using SP11 + Ghidra 10.4: [screenshot]

Analysis using SP12 + Ghidra 11.0: [screenshot]

I also tried the Burnout Revenge July 14th ELF with both versions and it seems to work fine, so I don't think this is an issue with my own installation in particular.


chaoticgd commented 5 months ago

It looks like it's trying to apply relocations to a linked ELF file for some reason.

abelbriggs1 commented 5 months ago

Might be a regression due to #50, looking now

abelbriggs1 commented 5 months ago

So this seems to be a strange case - this is an executable ELF which is fully linked, but also includes a full relocation table. Since it's fully linked, it already has its relocations applied.

When many MIPS relocations are calculated, the target field of the instruction to be modified is often used as an offset or "addend" which is added to the relocation value. But since the relocation has already been applied in our case, the addend is the relocation itself! For an explicit example, applying a R_MIPS_26 relocation to an already relocated jal instruction will effectively double the target address value. That effect is causing the Ghidra analyzer to completely explode, because it's forced to create functions that don't exist.

Now, why is this only happening after #50? I believe it's because we weren't handling addends correctly according to the MIPS ABI. So applying the relocation to the relocated target would produce the same value.

Thankfully, in your case, I think you can just tell Ghidra to not perform symbol relocation/patching:

[screenshot: ELF importer options with "Perform Symbol Relocations" unchecked]

I tested this with your binary and it seems to analyze perfectly. Can you try this out?
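
The arithmetic described in the comment above, as an added example that is not code from ghidra-emotionengine-reloaded or Ghidra. It models the REL-form R_MIPS_26 relocation of the MIPS o32 ABI, in which the addend A is read from the 26-bit target field of the instruction being patched, and shows that applying it to a jal the linker has already fixed up doubles the target. The `use_addend=False` path is an assumption about what the pre-#50 behaviour amounted to (the comment only says addends were not handled per the ABI). The second half is the check a loader could use to decide to skip relocations: an ET_EXEC file that still carries SHT_REL/SHT_RELA sections. The ELF image it runs on is constructed inline, not taken from the Burnout binary; the symbol value 0x00283760 is borrowed from the log only as a sample address.

```python
"""R_MIPS_26 re-application on an already-linked PS2 ELF (added example)."""
import struct

# --- R_MIPS_26, REL form (external-symbol variant, MIPS o32 ABI) ---
JAL_OPCODE = 0x0C000000      # jal with an all-zero target field, as emitted in a .o
FIELD_MASK = 0x03FFFFFF      # low 26 bits: the jump target field


def jal_target(insn, pc):
    """Decode the effective jump target of a jal/j located at address pc."""
    return ((pc + 4) & 0xF0000000) | ((insn & FIELD_MASK) << 2)


def apply_r_mips_26(insn, sym_value, use_addend=True):
    """Patch the 26-bit field of insn for symbol value S.

    use_addend=True follows the ABI: field = ((A << 2) + S) >> 2, with A
    taken from the instruction itself.  use_addend=False ignores A, which is
    assumed here to be what the pre-#50 code effectively did.
    """
    addend = (insn & FIELD_MASK) << 2 if use_addend else 0
    field = ((addend + sym_value) >> 2) & FIELD_MASK
    return (insn & ~FIELD_MASK) | field


def relocate_twice(sym_value, pc, use_addend=True):
    """Return (target after linking, target after a second application)."""
    linked = apply_r_mips_26(JAL_OPCODE, sym_value, use_addend)
    relinked = apply_r_mips_26(linked, sym_value, use_addend)   # loader re-applies
    return jal_target(linked, pc), jal_target(relinked, pc)


# --- Detecting a fully linked executable that still carries relocations ---
ET_REL, ET_EXEC = 1, 2
SHT_PROGBITS, SHT_RELA, SHT_REL = 1, 4, 9
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # ELF32 header, little-endian (PS2 EE)
SHDR = struct.Struct("<10I")                # ELF32 section header


def has_stale_relocations(elf):
    """True if elf is ET_EXEC and contains any SHT_REL/SHT_RELA section.

    The linker already applied these entries, so each one's addend now
    equals its result; a loader that re-applies them corrupts the code.
    """
    (ident, e_type, _mach, _ver, _entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, _shstrndx) = EHDR.unpack_from(elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1:    # ELFCLASS32 only
        raise ValueError("not a 32-bit ELF")
    if e_type != ET_EXEC:
        return False                                # .o files are meant to have relocs
    for i in range(shnum):
        sh_type = SHDR.unpack_from(elf, shoff + i * shentsize)[1]
        if sh_type in (SHT_REL, SHT_RELA):
            return True
    return False


def build_elf(e_type, section_types):
    """Constructed minimal ELF32 LE image: header followed by section headers."""
    types = [0] + list(section_types)               # index 0 is the null section
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9   # class32, LE, version 1
    hdr = EHDR.pack(ident, e_type, 8, 1, 0x00100008, 0, EHDR.size, 0,
                    EHDR.size, 0, 0, SHDR.size, len(types), 0)   # e_machine 8 = MIPS
    return hdr + b"".join(SHDR.pack(0, t, 0, 0, 0, 0, 0, 0, 0, 0) for t in types)


if __name__ == "__main__":
    once, twice = relocate_twice(0x00283760, 0x00100000)
    print(f"linked target {once:#010x}, after re-applying {twice:#010x}")
    print("stale relocations:", has_stale_relocations(build_elf(ET_EXEC, [SHT_REL])))
```

With the ABI addend, a second application of the relocation moves the call from 0x00283760 to 0x00506ec0, which is the kind of bogus call target that makes the analyzer create functions that do not exist; with the addend ignored, re-application is a no-op, which is why the problem only surfaced after #50. The `has_stale_relocations` check is the automated equivalent of unchecking "Perform Symbol Relocations" for this class of file.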

escape209 commented 5 months ago

Yes, it works as expected with Perform Symbol Relocations unchecked.