Research: Reverse Engineering Pokemon White 2 Game Code

pichu2000 · Oct 28, 2014

POKEMON WHITE 2 REVERSE ENGINEERING

Hi, I'm back!
After a lot of silent backstage work I decided to share with you my research about Pokemon White 2 Game original code.
I decided to analyze White 2 because it's more structured than DPP, HGSS and also because Bond of projectpokemon gives a good database to start. I use IDA pro SDK 6.1 + a little plugin developed by Ludde and edited by me to generate pseudocode from ARM Thumb instructions (It's not perfect but It's very useful)
But now no more chatting!

Basic Idea

Like other NDS Rom games, W2 uses arm9.bin file to execute main game code and overlays files to load additional functions/structures. There is in particular a table that give us the loading addresses for each overlay (We have overlapping addresses, so we can't use a unique binary file to analyze all the overlays)
I try to divide the assembly file in "logical" blocks, and each block have a general structure and a series of functions.
Note: It may be contains mistakes!
Now, the arm9.bin file can be divided in these different "structure-functions" block (We uses as base address: 0x2000000, that is the main RAM address)

Legend:
o.h = Original C file Header
s.f = Save File

0x2000400 - 0x20057F0 Nintendo DS Generic OS Functions

0x20057F0 - 0x2006D64 Sound Generic Functions

0x2006D64 - 0x2006EE8 Microphone Sound Handler (o.h. snd_mic.c)

0x2006EE8 - 0x2006FC8 Background Music Information Handler (o.h. bgm_info.c)

0x2006FC8 - 0x20070F0 Sound Stream Handler (o.h. snd_strm.c)

0x20070F0 - 0x2007710 Save Control Handler(o.h. save_control.c)

0x2007710 - 0x2007D4C Single Box Handler (s.f Block 0)

0x2007D4C - 0x2007E0C All Box Handler (o.h. box_savedata.c, s.f Block 0 - 23)

0x2007E0C - 0x2007FD0 Perap Cry Handler(o.h. perapvoice.c, s.f Block 36)

0x2007FD0 - 0x200898C Item Save Data (o.h. myitem_savedata.c, s.f Block 24)

0x200898C - 0x2008B08 Configuration? Handler (o.h. config.c)

0x2008B08 - 0x2008C1C Player Status Handler(o.h. mystatus.c)

0x2008C1C - 0x2008DA0 Play Time Handler(o.h. playtime.c)

0x2008DA0 - 0x2008EF4 Game Status?(s.f Block 27)

0x2008EF4 - 0x2009184 Trainer Location Status Handler(s.f Block 28)

0x2009184 - 0x20092C8 Timer Handler(s.f Block 33)

0x20092C8 - 0x20093D0 Real Time Clock Handler(s.f Block 37)

0x20093D0 - 0x200965C Trainer Card Signature Handler(s.f Block 38)

0x200965C - 0x2009854 Mail Handler(o.h. mail.c, s.f Block 40)

0x2009854 - 0x2009930 CGear Handler(s.f Block 32)

0x2009930 - 0x2009B50 Unknown Handler(s.f Block 35)

0x2009B50 - 0x2009E58 Unity Tower Handler(s.f Block 29)

0x2009E58 - 0x200A4B8 Wifi List?(s.f Block 30)

0x200A4B8 - 0x200A5F0 Unknown Handler(s.f Block 31)

0x200A5F0 - 0x200AC58 Mistery Gift Handler(s.f Block 34)

0x200AC58 - 0x200AF74 Musical Information Handler(s.f Block 42)

0x200AF74 - 0x200AFBC Unknown Handler(s.f Block 43)

0x200AFBC - 0x200B488 Unknown Handler(s.f Block 44)

0x200B488 - 0x200B4FC Unknown Handler(s.f Block 46)

0x200B924 - 0x200BA84 Tournament Handler(s.f Block 47)

0x200BA84 - 0x200BB00 Unknown Handler(s.f Block 48)

0x200BB00 - 0x200C210 Battle Record Handler (o.h. battle_rec.c)

0x200C210 - 0x200C3A8 Battle Box Handler(s.f Block 49)

0x200C3A8 - 0x200C598 Day Care Handler(s.f Block 50)

0x200C598 - 0x200C7A0 High Link Handler(s.f Block 53)

0x200C7A0 - 0x200CCA0 Trainer Card Handler(s.f Block 52)

0x200CCA0 - 0x200CE50 Musical Distro Handler (o.h. musical_dist_save.c)

0x200CE8C - 0x200DCEC Pokedex Handler (s.f Block 54)

0x200DCEC - 0x200DE34 Overworld Handler(s.f Block 55)

0x200DE34 - 0x200E0F0 Gds Profile Handler (o.h. gds_profile.c)

0x200E0F0 - 0x200E2FC Unknown Handler(s.f Block 56)

0x200E2FC - 0x200E5A8 Unknown Handler(s.f Block 57)

0x200E5A8 - 0x200E7F0 Unknown Handler(s.f Block 58)

0x200E7F0 - 0x200E8BC Battle Subway (o.h. bsubway_savedata.c)

0x200E8BC - 0x200EC00 Symbol Save Handler(o.h. symbol_save.c, s.f Block 60)

0x200EC00 - 0x200EE20 Unknown Handler(s.f Block 61)

0x200EE20 - 0x200EF48 Battle Examination Handler(o.h. battle_examination.c)

0x200EF48 - 0x200EFC4 Unknown Handler

0x200EFC4 - 0x200F128 Pokemon Trade Handler(s.f Block 65)

0x200F128 - 0x200F164 Unknown Handler

0x200F164 - 0x200F29C Unknown Handler(s.f Block 63)

0x200F29C - 0x200F3B8 Record Handler(s.f Block 61)

0x200F3B8 - 0x200F6E4 Unknown Handler(s.f Block 64)

0x200F6E4 - 0x200F8F4 Hollow Handler(s.f Block 66)

0x200F8F4 - 0x200FB54 Medals Handler(s.f Block 68)

0x200FB54 - 0x200FE80 Unknown Handler(s.f Block 41)

0x200FE80 - 0x200FF40 Unknown Handler

0x200FF40 - 0x200FFFC Unknown Handler

0x200FFFC - 0x2010230 Join Avenue Handler(s.f Block 67)

0x2010230 - 0x20105C8 Key Data Handler(s.f Block 69)

0x20105C8 - 0x20108CC Pokewood Handler (o.h. pokewood_rec.c)

0x20108CC - 0x2010CA0 Save Control Handler

0x2010CA0 - 0x2010DC0 Medals Handler

0x2010DC0 - 0x2010FF4 Unknown Handler(s.f Block 70)

0x2010FF4 - 0x20112FC Unknown Handler(s.f Block 71)

0x20112FC - 0x20114A4 Unknown Handler(s.f Block 72)

0x20114A4 - 0x20116C0 Cygnus Save Control Handler(o.h. cygnus_save_control.c)

0x20116C0 - 0x2012908 Net Error Handler(o.h. net_err.c)

0x2012908 - 0x2012EE0 Wifi Dwc Handler(o.h. wih_dwc.c)

0x2012EE0 - 0x20130B4 Net Save Handler(o.h. net_save.c)

0x20130B4 - 0x2014498 Game Beacon Accessor Handler (o.h. game_beacon_accessor.c)

0x2014498 - 0x2014D1C Link Festival Handler (o.h. link_festival.c)

0x2014D1C - 0x201587C Festival Mission Handler (o.h. fest_mission.c)

0x201587C - 0x2015A88 Script Virtual Machine Handler (o.h. vm.c)

0x2015A88 - 0x2015AE0 Season Info Handler

0x2015AE0 - 0x2016440 NSBCA Animation Handler (o.h. ica_anime.c)

0x2016440 - 0x2016510 NSBTX to CLWK Converter Handler (o.h. nsbtx_to_clwk.c)

0x20168F0 - 0x2016CB4 Process System Handler (o.h. procsys.c)

0x2016CB4 - 0x2016EE8 Game Event Handler (o.h. game_event.c)

0x2016EE8 - 0x2017C60 Game Data Handler (o.h. game_data.c)

0x2017C60 - 0x20186E0 Battle Setup Handler (o.h. btl_setup.c)

0x20186E0 - 0x2018FE8 Zone Data Handler (o.h. zonedata.c)

0x20191C0 - 0x201931C Event Flag Handler (s.f. Block 45)

0x201931C - 0x201937C Field Status Handler (o.h. field_status.c)

0x201937C - 0x2019A14 Game Event Executions Functions

0x2019A14 - 0x201C2D8 Multi Cell Sequence Handler (o.h. mcss.c)

0x201C2D8 - 0x201F0A8 Pokemon Tool Handler (o.h. poketool.c)

0x201F0A8 - 0x201F780 Narc 106 Related Functions First Block

0x201F780 - 0x201F9A8 Pokemon Regulation Handler (o.h. poke_regulation.c)

0x201F9A8 - 0x201FD24 Narc 106 Related Functions Sec Block

0x201FD24 - 0x202125C Pokemon Party Handler(o.h. pokeparty.c, s.f Block 26)

0x202125C - 0x20219A0 Pokemon Moves Handler(o.h. waza_tool.c)

0x20219A0 - 0x2022D84 Print System Handler (o.h. printsys.c)

0x2022D84 - 0x2024200 Graphic Font Handler (o.h. gf_font.c)

0x2024200 - 0x2024CAC Word Set Handler (o.h. wordset.c)

0x2024CAC - 0x2024F18 Bitmap Windows Functions First Block

0x2024F18 - 0x20250AC Bitmap Menu Work Handler (o.h. bmp_menuwork.c)

0x20250AC - 0x202571C Bitmap Menu Handler (o.h. bmp_menu.c)

0x202571C - 0x2026554 Bitmap Menu List Handler (o.h. bmp_menulist.c)

0x2026554 - 0x2026628 Bitmap Cursor Handler (o.h. bmp_cursor.c)

0x2026628 - 0x2026D0C Item Functions

0x2026D0C - 0x2027E30 Palette Animation Handler (o.h. palanm.c)

0x2027E30 - 0x2029994 Wipe Handler (o.h. wipe.c)

0x2029994 - 0x202A0F8 PMSI Parameter Handler (o.h. pmsi_par.c)

0x202A0F8 - 0x202A284 PMS Word Handler (o.h. pms_word.c)

0x202A284 - 0x202A300 Unknown Handler (s.f. Block 39)

0x202A300 - 0x202AC68 Information Windows Handler (o.h. infowin.c)

0x202AC68 - 0x202AE88 Actor Tool Handler (o.h. actor_tool.c)

0x202AE88 - 0x202B488 Bitmap Oam Handler (o.h. bmp_oam.c)

0x202B488 - 0x202B5D0 Region Functions

0x202B5D0 - 0x202B67C Trainer Type Functions

0x202B67C - 0x202BB90 Cursor Move Handler (o.h. cursor_move.c)

0x202BB90 - 0x202BFC0 Game Communication Handler (o.h. game_comm.c)

0x202BFC0 - 0x202D728 Game Beacon Handler (o.h. game_beacon.c)

0x202D728 - 0x202D804 Beacon Status Handler (o.h. beacon_status.c)

Next time we start analyze each single block (we try to analyze)
If you wanna help, you're welcome, but I advice you: it's very hard work!

Bond697 · Oct 29, 2014

the gen 5 games are C, not C++, and there are no classes. also, those addresses are wrong- they're missing a 0 or something.

e:
you're going to want this: http://hack.thundaga.com/hacking_stuff.7z

arm9-white2_decompressed_U.idb is the most useful thing.

pichu2000 · Oct 30, 2014

Bond697 said:
the gen 5 games are C, not C++, and there are no classes. also, those addresses are wrong- they're missing a 0 or something.

e:
you're going to want this: http://hack.thundaga.com/hacking_stuff.7z

arm9-white2_decompressed_U.idb is the most useful thing.

Hi Bond, I've already your database (I work hardly on it for 1-2 years, finding a bunch of new functions).
I know that White 2 uses only a series of structures, with functions that operate in these structures. I called it wrongly "classes", it's only a naming convention.
I fixed the addresses, thanks!

pichu2000 · Oct 31, 2014

Hi, guys!
As I promise, we start analyze ASM blocks from binary file of White 2 code.
For now we skip the first two "sections" (I wanna start with some "easy" to understand)
As I define previously, from offset 0x2006D64 to 0x2006EE8 we have all the functions linked with original snd_mic.c source file.
In particular we have:

0x2006D64 SNDMIC_AllocBlock
0x2006DE4 SNDMIC_DSI_27047C0
0x2006DEC SNDMIC_FreeBlock
0x2006E0C SNDMIC_SetWord_020
0x2006E3C SNDMIC_CheckWord_020
0x2006E54 _DSIMIC_StartAutoSampling
0x2006E80 _SNDMIC_StartAutoSampling
0x2006EC0 SNDMIC_PerapVoice_Table004_UpdateSpecific
0x2006ED4 SNDMIC_GetWord_024_01F

1) SNDMIC_AllocBlock

Spoiler:

2) SNDMIC_FreeBlock

Spoiler:

As you can see, most of the code is little obscure yet, so I appreciate any suggestion on what it really do.
I stop here for now, because I wanna know If this approach is useful for you or not.
Stay tuned!

Research: Reverse Engineering Pokemon White 2 Game Code

pichu2000

Bond697

pichu2000

pichu2000