Experiences in the GBA BIOS



Note: This is an article from my old dev blog. External links have been updated, but the text is otherwise reposted verbatim.

So, that tweet went a bit viral. It's the classic Game Boy Advance boot-up screen, with the text changed to the oh-so-relatable "I'm Gay". I could have made this as an animation, but instead I'd spent a number of days reading documentation and disassembly to actually modify the sprites in the system's BIOS file. I thought it might be interesting to share the technical details of that.

For all of my testing I was using the VisualBoyAdvance emulator. It's got some really nice debug views to visualise the state of VRAM, a memory viewer, and most usefully a disassembly of the active program code, along with the ability to step through instructions one by one.

My first assumption was that the graphics data would exist in an obvious layout in the BIOS, and that I'd be able to spot it just by dumping the BIOS out as an image, mapping each byte to a pixel. I've used this technique on other reverse-engineering projects and it's usually very useful. In this case, however, I turned up only entropy – no visibly patterned data at all.

I tried zeroing out various parts of the BIOS data, to see if I could deduce the location of the sprite data. This didn't work very well – I managed to break the audio chime and later managed to crash the BIOS entirely, so I ditched that idea pretty quickly.

I came to the conclusion that the data must be compressed in some form, and started looking around for resources on GBA data compression techniques. I stumbled across a project called dsdecmp which contained code for compression and decompression with the various algorithms used by the GBA and DS systems, and figured it might be useful.

I tried running dsdecmp's LZ77 decompressor on the BIOS, starting at every point in the BIOS that could plausibly match the LZ77 data header, in the hope that I could find the compressed sprite data by brute force, but this also turned out to be a dead end.

Eventually I realised I was going to have to get my hands dirty, and by stepping through the BIOS code one instruction at a time using VBA's disassembler, I was able to identify the following data flow:

  • Copy $370 bytes from $0000332C to $03000564
  • Decompress $370 bytes from $03000564 into $3C0 bytes at $03001564
  • Decompress $3C0 bytes from $03001564 into $800 bytes at $03000564
  • Expand $800 bytes of 2-bit graphics data from $03000564 into $2000 bytes of 8-bit graphics data at $06000040
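The brute-force LZ77 header scan mentioned above, together with the LZ77 stage of this data flow, as an added example (this is not the author's C# tooling): a decoder for the GBA BIOS LZ77 format as documented in GBATEK (type nibble 1 in the header byte, 24-bit decompressed size, one flag byte per eight blocks, 12-bit displacement and 4-bit length-minus-3), a greedy encoder used only to build a labelled test payload, and a scanner that treats a header as a real hit only if decoding from it runs to completion. The fake ROM, the tile payload and the filler bytes are all constructed here. The scanner needs a minimum decompressed size because a one- or two-byte blob "decodes" from almost any bytes, which is one reason such a scan produces false positives; and when the blob is Huffman-wrapped, as the author eventually found, no LZ77 header is visible in the ROM at all.

```python
# Added example (not the author's C# tooling): the GBA BIOS LZ77 format used
# by the LZ77UnComp SWIs, as documented in GBATEK, plus the kind of brute-force
# header scan the post describes. All sample data here is constructed.

LZ77_TYPE = 0x10          # header byte: type nibble 1 in bits 4-7, bits 0-3 zero
WINDOW = 0x1000           # 12-bit displacement -> up to 4096 bytes back
MAX_MATCH = 18            # 4-bit length field stores length-3


def lz77_decompress(buf, offset=0):
    """Decode one LZ77 blob starting at buf[offset].

    Returns (data, end_offset). Raises ValueError on a malformed stream and
    IndexError if the stream runs off the end of buf.
    """
    if buf[offset] & 0xF0 != LZ77_TYPE:
        raise ValueError("not an LZ77 header")
    size = int.from_bytes(buf[offset + 1:offset + 4], "little")
    out = bytearray()
    pos = offset + 4
    while len(out) < size:
        flags = buf[pos]
        pos += 1
        for bit in range(7, -1, -1):          # blocks are consumed MSB first
            if len(out) >= size:
                break
            if flags >> bit & 1:
                b1, b2 = buf[pos], buf[pos + 1]
                pos += 2
                length = (b1 >> 4) + 3
                disp = ((b1 & 0x0F) << 8 | b2) + 1
                if disp > len(out):
                    raise ValueError("back-reference before start of output")
                for _ in range(length):        # byte-wise so overlapping copies work
                    out.append(out[-disp])
            else:
                out.append(buf[pos])
                pos += 1
    return bytes(out[:size]), pos


def lz77_compress(data):
    """Greedy encoder producing a stream the decoder above accepts. Only used
    here to build test data; the BIOS itself contains no compressor."""
    out = bytearray([LZ77_TYPE]) + len(data).to_bytes(3, "little")
    pos = 0
    while pos < len(data):
        flags, chunk = 0, bytearray()
        for bit in range(7, -1, -1):
            if pos >= len(data):
                break
            best_len, best_disp = 0, 0
            for cand in range(max(0, pos - WINDOW), pos):
                n = 0
                while n < MAX_MATCH and pos + n < len(data) and data[cand + n] == data[pos + n]:
                    n += 1
                if n > best_len:
                    best_len, best_disp = n, pos - cand
            if best_len >= 3:
                flags |= 1 << bit
                d = best_disp - 1
                chunk += bytes([(best_len - 3) << 4 | d >> 8, d & 0xFF])
                pos += best_len
            else:
                chunk.append(data[pos])
                pos += 1
        out.append(flags)
        out += chunk
    return bytes(out)


def scan_for_lz77(buf, min_size):
    """Return (offset, decompressed_size, compressed_size) for every offset
    that looks like an LZ77 header *and* decodes cleanly. Small sizes are
    skipped: a 1-byte blob decodes from almost anything, so a low threshold
    floods the result with false positives."""
    hits = []
    for off in range(len(buf) - 4):
        if buf[off] != LZ77_TYPE:
            continue
        size = int.from_bytes(buf[off + 1:off + 4], "little")
        if size < min_size:
            continue
        try:
            _, end = lz77_decompress(buf, off)
        except (ValueError, IndexError):
            continue
        hits.append((off, size, end - off))
    return hits


# Constructed data: a repetitive 44-byte tile payload, embedded in a fake ROM
# between two runs of non-repeating filler bytes (neither run contains 0x10).
SAMPLE_TILES = b"\x00\x11\x22\x33" * 8 + b"\x0f\xf0" * 6
COMPRESSED = lz77_compress(SAMPLE_TILES)
FILLER_BEFORE = bytes((i * 37 + 11) & 0xFF for i in range(64))
FILLER_AFTER = bytes((i * 53 + 11) & 0xFF for i in range(32))
SAMPLE_ROM = FILLER_BEFORE + COMPRESSED + FILLER_AFTER

if __name__ == "__main__":
    print(scan_for_lz77(SAMPLE_ROM, min_size=16))   # [(64, 44, 18)]
```

Running the scan with a low threshold against a real 16 KiB BIOS image is the experiment the post describes; raising `min_size` to something near the expected payload (a few hundred bytes for the logo) is the first thing to do when the hit list fills up with junk.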

A quick note about the GBA memory layout. The BIOS is mapped at address range $00000000-$00003FFF, there's some general-purpose RAM starting at $03000000, and VRAM starts at $06000000. There are various other regions of addressable memory but they're not relevant here. (source: GBATEK)

So it's copying some compressed data from the BIOS into IRAM, decompressing it twice in IRAM, and then expanding it while copying it into VRAM. After a bit of reading of the GBATEK documentation and comparing against the compressed data, I was able to determine from the header bytes that the first compression pass is Huffman and the second pass is LZ77. So I believe the BIOS is actually performing the following steps using the BIOS decompression functions:

MemCopy($0000332C, $03000564, $370); // probably using CpuSet or CpuFastSet
HuffUnCompReadNormal($03000564, $03001564);
LZ77UnCompReadNormalWrite8bit($03001564, $03000564);
BitUnPack($03000564, $06000040, ); // third argument (unpack info) not given

I was able to bodge together some C# code to extract the sprite data and dump it out to an image file. I then bodged together some more code to read the image file, cut it down to 2 bits per pixel, and compress the data the way the BIOS expects. I could then just modify the image file, run the code, and I'd get a modified BIOS file with the new sprites.

This doesn't always work though. If the sprites have too much entropy, the compression won't be able to keep the data under $370 bytes, and I believe the halfway-stage compressed data has an upper size limit too. Luckily I managed to get the data I wanted under the size limit, but I did have a few failed attempts while experimenting.
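The final expansion step of the pipeline and the reverse "cut it down to 2 bits per pixel" step of the author's tool, as an added example that is not the author's code: a Python model of the BIOS BitUnPack semantics documented in GBATEK (source units read from each byte starting at the least significant bits, an optional data offset added to non-zero units, or to zero units as well when the flag in bit 31 of the unpack info is set), its inverse for packing an 8bpp image back down, and a check that the packed result is exactly the $800-byte slot the author observed feeding BitUnPack. The tile data is constructed; the function names and the `LOGO_*` constants are this example's own, not BIOS identifiers.

```python
# Added example: a Python model of the GBA BIOS BitUnPack (SWI 0x10) step
# and its inverse, as used by the boot-logo pipeline ($800 bytes of 2bpp
# tiles -> $2000 bytes of 8bpp tiles). Semantics follow GBATEK; the tile
# data below is constructed for the demonstration.

LOGO_PACKED_BYTES = 0x800                   # size of the 2bpp stage observed in the BIOS
LOGO_PIXELS = LOGO_PACKED_BYTES * 8 // 2    # $2000 pixels at one byte per pixel


def bit_unpack(src, src_width, dst_width, data_offset=0, offset_zero=False):
    """Expand packed units of src_width bits into dst_width-bit units.

    Units are read from each source byte starting at the least significant
    bits and written LSB-first into the destination, which is how the BIOS
    routine behaves. data_offset is added to every non-zero unit, and to
    zero units as well when offset_zero is set (bit 31 of the unpack info).
    """
    if src_width not in (1, 2, 4, 8) or dst_width not in (1, 2, 4, 8, 16, 32):
        raise ValueError("unsupported unit width")
    src_mask = (1 << src_width) - 1
    dst_mask = (1 << dst_width) - 1
    out = bytearray()
    bitbuf, nbits = 0, 0
    for byte in src:
        for k in range(8 // src_width):
            unit = (byte >> (k * src_width)) & src_mask
            if unit != 0 or offset_zero:
                unit += data_offset
            bitbuf |= (unit & dst_mask) << nbits
            nbits += dst_width
            while nbits >= 8:
                out.append(bitbuf & 0xFF)
                bitbuf >>= 8
                nbits -= 8
    return bytes(out)


def bit_pack(units, dst_width):
    """Inverse of bit_unpack for the common case of one input unit per byte,
    packed LSB-first into dst_width-bit fields. Raises if a value does not
    fit, which is what happens when an edited image uses more than 2**n colours."""
    mask = (1 << dst_width) - 1
    per_byte = 8 // dst_width
    out = bytearray()
    for i in range(0, len(units), per_byte):
        packed = 0
        for k, unit in enumerate(units[i:i + per_byte]):
            if unit > mask:
                raise ValueError(f"pixel value {unit} does not fit in {dst_width} bits")
            packed |= unit << (k * dst_width)
        out.append(packed)
    return bytes(out)


def pack_logo(pixels):
    """Pack an 8bpp logo image (one byte per pixel, values 0-3) down to the
    2bpp form the BIOS expands with BitUnPack, enforcing the fixed slot size."""
    if len(pixels) != LOGO_PIXELS:
        raise ValueError(f"logo must be {LOGO_PIXELS} pixels, got {len(pixels)}")
    packed = bit_pack(pixels, 2)
    if len(packed) != LOGO_PACKED_BYTES:
        raise ValueError("packed logo does not fill the $800-byte slot")
    return packed


if __name__ == "__main__":
    # Constructed 8x8 tile: each row cycles through the four 2bpp colour indices.
    tile_8bpp = bytes(((x + y) % 4) for y in range(8) for x in range(8))
    tile_2bpp = bit_pack(tile_8bpp, 2)                          # 16 bytes
    print(bit_unpack(tile_2bpp, 2, 8) == tile_8bpp)             # round trip: True
    print(bit_unpack(b"\xE4", 2, 8, data_offset=0x10).hex())    # 00111213
```

The size check in `pack_logo` is the uncompressed half of the limit the post describes: the 2bpp stage is a fixed $800 bytes, so a replacement image must have exactly the same pixel count, and only the Huffman/LZ77 output size after it varies with the image's entropy.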

While I'm sure plenty of you want my tooling for this, I won't be releasing it. It's a hacky and buggy mess I'm not especially proud of, and I don't really feel like cleaning it up or fielding support requests. This should have given you enough detail to build a similar tool yourself if you're really determined though ;) Oh, and there was a bonus GDPR joke tweet that blew up a bit too, made with the same techniques.
