LFE v1.00.34 [Library-Function-Extractor] (c) Ravemax / DEXTROSE

1) WHAT IS IT ?

It is a utility that searches ROM images for the functions contained in an
object or library file and then creates a symbol table containing the offsets
of everything that was found. This symbol table can then be used in, for
example, Nagra's disasm and will help you see which functions are called at
what time. So this could get very exciting for hackers / crackers =)

2) USAGE

LFE.EXE ROMIMAGE LIBRARY|OBJECT

ROMIMAGE should be a ROM image (non-byteswapped, i.e. in the native big-endian
byte order).
The LIBRARY|OBJECT has to be in SN Systems format and should contain the
functions you want to search for.

3) GENERAL NFO'S

If you have a library of 800k and want to search a ROM image of 16 megs, be
prepared to let it run for a few hours, depending on the processing power ;)
Small ROM images like demos of about 1-2 megs will get you through very fast.
Here is some kind of bench you can stare at:

a) Library      : 450K
   ROM Image    : 1.5 Megs
   Processor    : Pentium 2 / 266MHz
   Time Elapsed : about 4 mins

b) Library      : 450K
   ROM Image    : 16 Megs
   Processor    : Pentium 2 / 266MHz
   Time Elapsed : about 40 mins

Note: On Ravemax's computer (P100) it took about 6 times longer.

Here is something you could do to get into things quickly. Of course, using
only a small object file will get you through very fast. So for example,
search the ROM for the function ViSetMode, as this one should be included in
every ROM. Just use the obj containing this function with LFE.

HINT: There is a tool supplied with the PsyQ kit that lets you extract/add
obj files out of libs, and another one for displaying what functions are
included.

Now, after searching the ROM and knowing the location of this function, you
can search for the JAL that calls it. If you look at the opcodes before the
JAL you will notice that this is where the parameters are passed to the
function to set the video mode. So you could look at the offset the parameter
is loaded from, and by doing this you would notice it is for example a value
of 0 = osViModeNtscLpn1. Now you can just change that value to another valid
mode and see what happens ;)

Here is the example (created with Nagra's disasm):

[CODE]
; the ViManager is created here, as you can see ;)
800004b4: 0c00238c  ..#.  jal osCreateViManager
800004b8: afb00120  ...   sw $s0,0x0120($sp)
; we are lucky, LFE found the byte value and inserted the symbol name,
; so you directly see which vid mode is set
; (3c048002 is lui $a0,0x8002, the upper half of the address; the lower half
;  is added by the following instruction, which this listing does not show)
800004bc: 3c048002  <...  move $a0,osViModeNtscHaf1
; ok, the video mode is now set with the parameter in $a0
800004c4: 0c0025e8  ..%.  jal osViSetMode
800004c8: 00000000  ....  nop
; heh, another function called ... just guess what it does ;)
800004cc: 0c0026f0  ..&.  jal osViBlack

[DATA]
; OK, here we have the constant of osViModeNtscLpn1 hehe, and it is
; zero as expected ;)
80018c00: 00000000  ....  nop          ; osViModeNtscLpn1
80018c04: 0000320e  ..2.  dw 0x0000320e
80018c08: 00000140  ...@  sll $zero,$zero,0x5
80018c0c: 03e52239  .."9  dw 0x03e52239

Or here is perhaps another good example:

[CODE]
; just guess what this code does
800004ec: 0c0021b4  ..!.  jal osAiSetFrequency
; hehe, doesn't this look like the sample rate ;)
; (the li sits in the JAL's delay slot, so it executes before the callee
;  starts and is the argument to osAiSetFrequency)
800004f0: 3404ac44  4..D  li $a0,44100
800004f4: 27a40018  '...  addiu $a0,$sp,0x0018
; and finally set the buffer =)
800004f8: 0c00220c  ..".  jal osAiSetNextBuffer
800004fc: 24050100  $...  li $a1,0x0100
80000500: 0c0021b0  ..!.  jal osAiGetStatus

4) Future Look LFE

- Make it even better somehow and fix some bugs ;)
- Support for making symbols for the function parameters. So if the disasm
  supported it, a call could look like this (hey Nagra|Titanik?):

    Call ViSetMode(NtscSetModeLan1)
    Call Vixxxx(X,Y,Z)

  not like this, or worse:

    mov $at,0x80023423
    jal ViSetMode

  Hehe, this would get us very close to a decompiler, wouldn't it? (Nagra?) =)
- Also use the information stored in the header files to detect constants
  used with certain functions, to ease it up even more.
- Hmmmm, we gotta think about a way to detect the macros used in the header
  files ;)
- Make it support an upcoming symbol format used in Niew and Patchworx
- If it is somehow possible ... increase the speed.
- Ports to Linux and Windows

5) Hints

Well, this tool could help to make a ripper for sfx/msx/gfx/3d in the future.

It could help developing the N64 emulator and make it support symbol tables,
so native PC code could be executed instead of being emulated, which would
give an increase in speed and compatibility (BreakPoint, we talked about
that ;).

It makes it easy to have a good overview of what's happening in the ROM and
to make cracks. Hack everything up. Make trainers that use the functions from
the libs that are already in the image and play/display sounds/gfx out of the
game. Possibilities = Infinite ! Use your brain =)

[RAVEMAX]: Greetings to all C coders and everyone who is not on the net
because of Windows messing up the installation of a simple ISDN card.
Special thanks must fly to Hartec for the original idea and the support to
get everything started. This little text file, the above tests and ideas
have been extracted outta Hartec's mind =)
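As an added worked example of the procedure described in section 3 (find the library function in the ROM, find the JAL that calls it, read off the parameter set up before it), here is a toy of what LFE does, written for this page and not LFE's own code. It scans a big-endian (non-byteswapped) image for library function bodies, emits a symbol table, decodes every JAL that targets a found function, and replays the instructions before the call (including the delay slot, which is what resolves the li $a0,44100 case from the audio listing) to recover $a0. Everything in it is an assumption or constructed: the load address BASE, the function bodies and their addresses, and the way relocated words are handled (marked None and skipped, since the page does not say how LFE treats relocations in the SN Systems objects).

```python
# Added example (not LFE's code): match constructed library function bodies in a
# big-endian ROM image, build a symbol table, find the JALs that call each
# function and replay the preceding instructions to recover the $a0 argument.
# Assumptions: ROM offset 0 maps to BASE; relocated words are None in patterns.
import struct

BASE = 0x80000000                       # assumed load address of ROM offset 0
OP_SPECIAL, OP_JAL, OP_ADDIU, OP_ORI, OP_LUI = 0x00, 0x03, 0x09, 0x0D, 0x0F
A0 = 4                                  # register number of $a0

# Constructed function bodies (32-bit words); None = relocated word, not compared.
PATTERNS = {
    "osViSetMode": [0x27BDFFE8, 0xAFBF0014, 0xAFA40018, None, None,
                    0xADE40000, 0x8FBF0014, 0x27BD0018, 0x03E00008, 0x00000000],
    "osAiSetFrequency": [0x3C0EA450, 0xADC40000, 0x03E00008, 0x00000000],
}

def word(rom, off):
    """Big-endian 32-bit word at a ROM offset."""
    return struct.unpack_from(">I", rom, off)[0]

def match_at(rom, off, pattern):
    return all(w is None or word(rom, off + 4 * i) == w
               for i, w in enumerate(pattern))

def build_symbols(rom, patterns):
    """Try every 4-byte aligned offset for each pattern -> {name: address}."""
    syms = {}
    for name, pat in patterns.items():
        for off in range(0, len(rom) - 4 * len(pat) + 1, 4):
            if match_at(rom, off, pat):
                syms[name] = BASE + off
                break
    return syms

def encode_jal(target):
    return (OP_JAL << 26) | ((target >> 2) & 0x03FFFFFF)

def jal_target(instr, pc):
    """Target of a JAL: low 28 bits from the instruction, top 4 from PC+4."""
    if instr >> 26 != OP_JAL:
        return None
    return ((pc + 4) & 0xF0000000) | ((instr & 0x03FFFFFF) << 2)

def find_callers(rom, target):
    return [BASE + off for off in range(0, len(rom) - 3, 4)
            if jal_target(word(rom, off), BASE + off) == target]

def step(regs, instr):
    """Track lui/addiu/ori results; forget whatever else an instruction writes."""
    op, rs, rt = instr >> 26, (instr >> 21) & 0x1F, (instr >> 16) & 0x1F
    imm = instr & 0xFFFF
    simm = imm - 0x10000 if imm & 0x8000 else imm
    if op == OP_LUI:
        regs[rt] = imm << 16
    elif op == OP_ADDIU and rs in regs:
        regs[rt] = (regs[rs] + simm) & 0xFFFFFFFF
    elif op == OP_ORI and rs in regs:
        regs[rt] = regs[rs] | imm
    elif op == OP_SPECIAL:
        regs.pop((instr >> 11) & 0x1F, None)      # R-type writes rd
    else:
        regs.pop(rt, None)                         # other I-types/loads write rt
    regs[0] = 0                                    # $zero stays zero

def recover_a0(rom, call_pc, window=8):
    """Replay the instructions before a JAL plus its delay slot; return $a0."""
    regs, pc = {0: 0}, max(call_pc - 4 * window, BASE)
    while pc < call_pc:
        instr = word(rom, pc - BASE)
        if instr >> 26 == OP_JAL:                  # an earlier call: its delay
            step(regs, word(rom, pc + 4 - BASE))   # slot runs first, then the
            for r in range(4, 8):                  # callee may clobber $a0-$a3
                regs.pop(r, None)
            pc += 8
            continue
        step(regs, instr)
        pc += 4
    step(regs, word(rom, call_pc + 4 - BASE))      # delay slot of this JAL
    return regs.get(A0)

def build_rom():
    """Constructed 64K image mirroring the layout of the listing in section 3."""
    rom = bytearray(0x10000)
    code = [encode_jal(0x80008E30),   # jal osCreateViManager (target arbitrary)
            0xAFB00120,               #   sw $s0,0x0120($sp)     (delay slot)
            0x3C048002,               # lui $a0,0x8002
            0x24848C00,               # addiu $a0,$a0,-0x7400  -> 0x80018c00
            encode_jal(0x800097A0),   # jal osViSetMode
            0x00000000,               #   nop
            encode_jal(0x80009800),   # jal osAiSetFrequency
            0x3404AC44]               #   li $a0,44100           (delay slot)
    struct.pack_into(">%dI" % len(code), rom, 0x4B4, *code)
    vi = [0x27BDFFE8, 0xAFBF0014, 0xAFA40018, 0x3C0F8001, 0x25EF8C00,  # relocs
          0xADE40000, 0x8FBF0014, 0x27BD0018, 0x03E00008, 0x00000000]  # filled
    struct.pack_into(">%dI" % len(vi), rom, 0x97A0, *vi)
    ai = [0x3C0EA450, 0xADC40000, 0x03E00008, 0x00000000]
    struct.pack_into(">%dI" % len(ai), rom, 0x9800, *ai)
    return bytes(rom)

def analyse(rom):
    """Symbol table plus, per function, (caller address, recovered $a0)."""
    syms = build_symbols(rom, PATTERNS)
    calls = {name: [(pc, recover_a0(rom, pc)) for pc in find_callers(rom, addr)]
             for name, addr in syms.items()}
    return syms, calls

if __name__ == "__main__":
    syms, calls = analyse(build_rom())
    for name, addr in syms.items():
        print("%08x %s" % (addr, name))
        for pc, a0 in calls[name]:
            print("   jal at %08x, $a0 = %s" % (pc, "?" if a0 is None else hex(a0)))
```

The pattern scan (every aligned offset times every pattern word) is the part that grows with ROM and library size, which is what the benchmark in section 3 shows. Masking relocated words matters: a function body that embeds an absolute address (the lui/addiu pair in osViSetMode here) would otherwise never match, because the object file holds placeholder values where the ROM holds the linked ones. Replaying the delay slot is what makes the second call site resolve to 44100 rather than to the leftover $a0 from the previous call.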