
[V] Script/Native Documentation and Research



GTA V Native hash translation table from b757 to b791.

 

http://pastebin.com/qcFpCS42

Much appreciated. Would you happen to have an authentic b331 to b350? I could only find a "fake". A broader b331 to b757 (for example) would also work, allowing me to check that the results were identical.

 

If anybody else is looking

 

natives-b791.txt.h

GTA V Native hash translation table from b757 to b791.txt

GTA V Native hash translation table from b678 to b757.txt

GTA V Native hash translation table from b617 to b678.txt

GTA V Native hash translation table from b573 to b617.txt

GTA V Native hash translation table from b505 to b573.txt

GTA V Native hash translation table from b463 to b505.txt

GTA V Native hash translation table from b393 to b463.txt

GTA V Native hash translation table from b372 to b393.txt

GTA V Native hash translation table from b350 to b372.txt

GTA V Native hash translation table from b331 to b350.txt

 

The natives-bXXX.txt.h file(s) are generated with this simple PHP script, and the combined input of all the translation tables.

 

 

 

 

<?php
/**
 * @brief combineNativeHashTranslationTables.php
 * read natives.h, and produce natives-bYYY.h by sequentially applying
 * "GTA V Native hash translation table from bXXX to bYYY" files.
 *
 * @usage php combineNativeHashTranslationTables.php "GTA V Native hash translation"*.txt
 *
 * @param [file1 [file2 [file3 [...]]]] file list in sequential order
 */

/**
 * Note: this is a very inefficient process and will take multiple minutes to run
 */

array_shift($argv);
$search = array();
$replace = array();
while ($fn = array_shift($argv)) {
    $table = file($fn, FILE_IGNORE_NEW_LINES);
    $fn = 'natives-' . preg_replace('/.*b/', 'b', $fn) . '.h'; // Output file name
    foreach ($table as $line) {
        // A usable table line carries two hashes: old first, new second
        if (preg_match_all('/\b0x(\w+)\b/', $line, $result, PREG_PATTERN_ORDER) >= 2) {
            // This could be sped up greatly, if we saved the intervening natives-bYYY.h
            // file, rather than applying every translation table in sequence.

            // Target first parameter of function definition (leave
            // 0x64bithash as original)
            $search[] = "(0x{$result[1][0]}";
            $replace[] = "(0x{$result[1][1]}";

            // Ensure we don't replace function names with hex codes in them, eg:
            // UNK::_0x000...
            // (not needed if we target only function arguments)
            // $search[] = "_0x{$result[1][1]}";
            // $replace[] = "_0x{$result[1][0]}";
        }
    }
    // str_replace applies the accumulated pairs in order, so a hash renamed in
    // table 1 is renamed again by table 2, and so on.
    file_put_contents($fn, str_replace($search, $replace, file_get_contents("natives.h")));
    printf("Wrote %s to disk...\n", $fn);
}
/* vim: set ts=4 sts=4 sw=4 et: */
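An added Python version of the same idea (this is not sfinktah's script and not part of the original post): instead of accumulating str_replace pairs and running every table over the whole header, it first composes the tables into one old-to-newest mapping and then rewrites the header in a single pass. It assumes only what the PHP script assumes about the table format, namely that each useful line carries the old hash as its first 0x... token and the new hash as its second; the natives.h lines and table lines below are constructed sample data, not real hashes.

```python
import re
from typing import Dict, Iterable, List

# Same token rule as the PHP script: a line's first 0x... is the old hash and
# its second is the new hash (an assumption about the translation table format).
HEX_RE = re.compile(r"\b0x([0-9A-Fa-f]+)\b")
# Only the first argument of invoke<>() is rewritten; names such as _0x... are left alone.
CALL_RE = re.compile(r"\(0x([0-9A-Fa-f]+)")


def parse_table(lines: Iterable[str]) -> Dict[str, str]:
    """Parse one 'bXXX to bYYY' table into {old_hash: new_hash} (upper-case, no 0x prefix)."""
    mapping: Dict[str, str] = {}
    for line in lines:
        hexes = HEX_RE.findall(line)
        if len(hexes) >= 2:
            mapping[hexes[0].upper()] = hexes[1].upper()
    return mapping


def compose_tables(tables: List[Dict[str, str]]) -> Dict[str, str]:
    """Fold sequential tables into one {original_hash: newest_hash} mapping.

    Each hash is walked forward through the tables once, which replaces the
    PHP script's repeated str_replace passes over the whole header.
    """
    combined: Dict[str, str] = {}
    for table in tables:
        tracked = set(combined.values())
        for old, cur in combined.items():           # advance hashes already followed
            combined[old] = table.get(cur, cur)
        for old, new in table.items():              # hashes first seen in this table
            if old not in tracked and old not in combined:
                combined[old] = new
    return combined


def translate_header(natives_h: str, mapping: Dict[str, str]) -> str:
    """Rewrite invoke<>(0xHASH, ...) arguments; hashes not in the mapping pass through."""
    def sub(m):
        return "(0x" + mapping.get(m.group(1).upper(), m.group(1))
    return CALL_RE.sub(sub, natives_h)


# Constructed sample input (not a real natives.h and not real translation tables).
NATIVES_H = (
    "namespace PLAYER {\n"
    "    static Ped GET_PLAYER_PED(Player p) { return invoke<Ped>(0xAAAA000000000001, p); }\n"
    "    static void _0xAAAA000000000002(Player p) { invoke<Void>(0xAAAA000000000002, p); }\n"
    "}\n"
)
TABLE_B331_TO_B350 = [
    "0xAAAA000000000001 0xBBBB000000000001",
    "0xAAAA000000000002 0xBBBB000000000002",
]
TABLE_B350_TO_B372 = [
    "0xBBBB000000000001 0xCCCC000000000001",
    "0xDDDD000000000003 0xEEEE000000000003",
]


def build_latest_header() -> str:
    """Apply both sample tables in build order and return the rewritten header."""
    mapping = compose_tables([parse_table(TABLE_B331_TO_B350), parse_table(TABLE_B350_TO_B372)])
    return translate_header(NATIVES_H, mapping)


if __name__ == "__main__":
    print(build_latest_header())
```

With real tables, pass them to compose_tables in build order (b331 to b350, then b350 to b372, and so on); the composed mapping can also be dumped once and reused, which is the "save the intervening file" shortcut the PHP comment mentions.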

 

 

 

Edited by sfinktah

@Fireboyd78 - If you can write IDA Python scripts, would you consider helping me with a de-obfuscation project?

 

I have observed the JMP operand obfuscated as follows (around 1,700 times in a dump of the main executable)

 

 

48 8D 64 24 F8        - lea rsp,[rsp-08]         ; Stack -= 8
48 89 2C 24           - mov [rsp],rbp            ; Push RBP
48 8D 2D 156A5A00     - lea rbp,[7FF749022784]   ; Put JMP target in RBP
48 87 2C 24           - xchg [rsp],rbp           ; Pop RBP (RBP restored), target now on stack
48 8D 64 24 08        - lea rsp,[rsp+08]         ; Stack += 8 (Balanced)
FF 64 24 F8           - jmp qword ptr [rsp-08]   ; JMP (target)

This can be de-obfuscated as:

 

90 90 90 90 90        - NOP * 5
90 90 90 90           - NOP * 4
90 90                 - NOP * 2   ; Pad instruction to preserve
                                  ; RIP of next instruction
E9 ?? ?? ?? ??        - JMP NEAR 0x????????
90 90 90 90           - NOP * 4
90 90 90 90 90        - NOP * 5
90 90 90 90           - NOP * 4
There are variants on this, for instance this version swaps the order of first two operands, resulting in an extra byte of total code and a different signature:

 

 

48 89 6c 24 f8        MOV [RSP-0x8], RBP
48 8d 64 24 f8        LEA RSP, [RSP-0x8]
48 8d 2d 4b 84 bc fd  LEA RBP, [RIP-0x2437bb5]
48 87 2c 24           XCHG [RSP], RBP
48 8d 64 24 08        LEA RSP, [RSP+0x8]
ff 64 24 f8           JMP QWORD [RSP-0x8]
I have been combating these at the source, running a shell script over the exe dump, and executing (via pcre) these translations:

 

 

           |------------- 11 bytes -------| |--5 bytes --| |----------------- 13 bytes ---------|
Signature: 48 8D 64 24 F8 48 89 2C 24 48 8D 2D ?? ?? ?? ?? 48 87 2C 24 48 8D 64 24 08 FF 64 24 F8
Translate: 90 90 90 90 90 90 90 90 90 90 90 E9 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90

           |------------- 12 bytes ----------| |-- 5 bytes--| |---------------- 13 bytes ---------|
Signature: 48 89 6c 24 f8 48 8d 64 24 f8 48 8d 2d ?? ?? ?? ?? 48 87 2c 24 48 8d 64 24 08 ff 64 24 f8
Translate: 90 90 90 90 90 90 90 90 90 90 90 90 e9 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90
But obviously life would be nicer if IDA could handle this.

 

I recently found a third iteration of the same obfuscation, which I cannot fix with a simple byte-by-byte regular expression, because they've inserted a JMP to split the two portions:

 

 

000143FE7A20 PLAYER___0xDC64D2C53493ED12:
000143FE7A20    mov     rax, [rcx+10h]
000143FE7A24    mov     ecx, [rax]
000143FE7A26    mov     qword ptr [rsp+58h+var_60], rbp
000143FE7A2B    lea     rsp, [rsp-8]
000143FE7A30    jmp     near ptr qword_1438BEB90+5
0001438BEB95    lea     rbp, sub_140C69BAC
0001438BEB9C    xchg    rbp, [rsp]
0001438BEBA0    lea     rsp, [rsp+8]
0001438BEBA5    jmp     qword ptr [rsp-8]
(IDA has made that one look a little more complex than it really is).

 

Are your IDA Python skills up to this? These obfuscations are present in every 2nd to 3rd native function, and stop IDA from being able to trace the native functions, making it extremely painful to work out what the many (still unknown) native functions actually do.

 

For anyone interested, here is the shell script that handles the first two obfuscations:

 

 

#!/usr/bin/env sh
# Hex-dump the exe, one "xx " token per byte, as a single line; then rewrite
# both obfuscation signatures with perl and turn the hex back into a binary.
# sed already leaves a space after every byte, so newlines are deleted rather
# than turned into spaces (a second space at each 30-byte xxd line boundary
# would stop the patterns from matching across it).
xxd -ps GTA5_Dumped.exe |
    sed -e 's/\(..\)/\1 /g' |
    tr -d '\n'              |
    perl -p -e "s/48 8d 64 24 f8 48 \
89 2c 24 48 8d 2d (.. .. .. ..) \
48 87 2c 24 48 8d 64 24 08 ff 64 24 f8/90 90 90 90 90 \
90 90 90 90 90 90 e9 \1 90 90 90 90 90 90 90 90 90 90 \
90 90 90/g ; s/48 89 6c 24 f8 48 8d 64 24 f8 48 8d 2d\
 (.. .. .. ..) 48 87 2c 24 48 8d 64 24 08 ff 64 24 \
f8/90 90 90 90 90 90 90 90 90 90 90 90 e9 \1 90 90 90 \
90 90 90 90 90 90 90 90 90 90/g" |
    xxd -r -ps > GTA5_Dumped_NOP.exe
That's a Unix shell script BTW, although I run it on cygwin with no issue. Edited by sfinktah
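The same two rewrites as an added Python example (mine, not sfinktah's script and not from the original post), working on raw bytes instead of a spaced hex dump. The interesting part is why the E9 lands two bytes into the lea: both `lea rbp,[rip+disp32]` (7 bytes) and `jmp rel32` (5 bytes) are RIP-relative to the byte after the instruction, so placing the E9 at lea+2 means the disp32 can be copied verbatim. The sample buffer is constructed; its two displacements (0x005A6A15 and -0x2437BB5) are the ones quoted in the listings above, the filler instruction and the rest of the layout are made up, and the PATTERNS offsets are my own bookkeeping. The third, jmp-split variant is not handled here either.

```python
import re
import struct
from typing import List, Tuple

# Signatures copied from the shell script ('??' = any byte), plus the offset
# of the 7-byte 'lea rbp,[rip+disp32]' (48 8D 2D) inside each match.
PATTERNS: List[Tuple[str, int]] = [
    # lea rsp,[rsp-8]; mov [rsp],rbp; lea rbp,[rip+d]; xchg [rsp],rbp; lea rsp,[rsp+8]; jmp [rsp-8]
    ("48 8D 64 24 F8 48 89 2C 24 48 8D 2D ?? ?? ?? ?? 48 87 2C 24 48 8D 64 24 08 FF 64 24 F8", 9),
    # mov [rsp-8],rbp; lea rsp,[rsp-8]; lea rbp,[rip+d]; ... (one byte longer)
    ("48 89 6C 24 F8 48 8D 64 24 F8 48 8D 2D ?? ?? ?? ?? 48 87 2C 24 48 8D 64 24 08 FF 64 24 F8", 10),
]


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn a spaced hex signature with ?? wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def deobfuscate(code: bytes) -> Tuple[bytes, int]:
    """Replace each obfuscated jump with NOPs plus a 5-byte 'jmp rel32' (E9).

    The E9 goes two bytes into the lea so its rel32 ends where the lea's
    disp32 ended; the displacement is therefore copied unchanged.
    """
    out = bytearray(code)
    hits = 0
    for sig, lea_off in PATTERNS:
        for m in compile_signature(sig).finditer(code):
            start, end = m.span()
            lea_at = start + lea_off
            disp = code[lea_at + 3:lea_at + 7]          # disp32 of lea rbp,[rip+disp32]
            out[start:end] = b"\x90" * (end - start)    # NOP the whole sequence
            out[lea_at + 2] = 0xE9                      # jmp rel32 opcode
            out[lea_at + 3:lea_at + 7] = disp           # same displacement, same next-RIP
            hits += 1
    return bytes(out), hits


def lea_rip_target(code: bytes, base: int, lea_at: int) -> int:
    """Target of 'lea r64,[rip+disp32]' at offset lea_at when the image is loaded at base."""
    disp = struct.unpack_from("<i", code, lea_at + 3)[0]
    return base + lea_at + 7 + disp


def jmp_rel32_target(code: bytes, base: int, jmp_at: int) -> int:
    """Target of 'jmp rel32' (E9) at offset jmp_at when the image is loaded at base."""
    disp = struct.unpack_from("<i", code, jmp_at + 1)[0]
    return base + jmp_at + 5 + disp


# Constructed sample: a filler instruction, one instance of each variant, then ret.
SAMPLE = bytes.fromhex(
    "4889C8"                                     # mov rax, rcx (filler)
    "488D6424F8" "48892C24" "488D2D156A5A00"     # variant 1 starts at offset 3
    "48872C24" "488D642408" "FF6424F8"
    "48896C24F8" "488D6424F8" "488D2D4B84BCFD"   # variant 2 starts at offset 32
    "48872C24" "488D642408" "FF6424F8"
    "C3"                                         # ret
)


def check_targets_preserved(code: bytes, base: int = 0x140000000) -> bool:
    """True when every rewritten jmp lands exactly where the original lea pointed."""
    patched, _ = deobfuscate(code)
    for sig, lea_off in PATTERNS:
        for m in compile_signature(sig).finditer(code):
            lea_at = m.start() + lea_off
            if lea_rip_target(code, base, lea_at) != jmp_rel32_target(patched, base, lea_at + 2):
                return False
    return True


if __name__ == "__main__":
    patched, hits = deobfuscate(SAMPLE)
    print(f"rewrote {hits} obfuscated jumps, targets preserved: {check_targets_preserved(SAMPLE)}")
    print(patched.hex(" "))
```

Because both instructions are relative to their own end, the check holds for any load base; the same holds for the spaced-hex perl version above, which is why the captured bytes can be pasted through unchanged. Run it on a copy of the dump and compare the deobfuscated output in IDA against the original.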
fwiskalicious

Edit: Problem solved. Thanks, unknown modder! 

int banner = GRAPHICS::REQUEST_SCALEFORM_MOVIE("mp_big_message_freemode"); should be:

 

// top of script

int banner;

 

//ScriptMain

banner = GRAPHICS::REQUEST_SCALEFORM_MOVIE("mp_big_message_freemode");

 

The REQUEST_SCALEFORM_MOVIE native (which is also currently posted on NativeDB with a hash of 0x11FE353CF9733E6F) is invalid.

Edited by fwiskalicious

lol, it's not invalid. One of your scripts is probably trying to call it too early (or some other sh*t with the use of it is wrong).

fwiskalicious
On 7/19/2016 at 8:56 PM, Unknown_Modder said:

lol, it's not invalid. One of your scripts is probably trying to call it too early (or some other sh*t with the use of it is wrong).

 

Edit: Problem solved.

 

The only line I have in my script that requests this native is:

 

int banner = GRAPHICS::REQUEST_SCALEFORM_MOVIE("mp_big_message_freemode");

 

I don't see an issue with what I'm feeding the native...

 

That's it. I'm not using "banner" anywhere. It's just been declared, and that's all.

This message also appears before the game window actually opens. So I hit "Play" on steam, SC opens up, closes, then native error.

 

Maybe try it yourself?

Edited by fwiskalicious
unknown modder

 


 

Then the native isn't the issue. Sounds like you are trying to call a native outside of a GTAThread. Can you show the code in the file that has your DllMain function in?

fwiskalicious

 

 


 

Exact same as NativeTrainer's main.cpp, but check your PMs for further information.

fwiskalicious

Small snippet of information I found.

This is for anyone wondering how r* does their "Loading" with the spinning circle at the bottom right of the screen. Call these in the order listed:

 

UI::_0xABA17D7CE615ADBF("localized string, eg PM_WAIT for Please wait")

UI::_0xBD12F8228410D9B4(5); -- Spinner type. See below.

// Do all your loading here. Or, you may use WAIT.

UI::_0x10D373323E5B9C0D(); --removes it.

 

SPINNER TYPES:

1 -- Regular clockwise spinner (same as 3)

2 -- Regular clockwise spinner (same as 3)

3 -- Regular clockwise spinner

4 -- Social club "Saving"

5 -- Regular clockwise spinner (same as 3)

 

Note that r* typically uses spinner type 5.

 

Example of usage:

 

 

UI::_0xABA17D7CE615ADBF("PM_WAIT");
UI::_0xBD12F8228410D9B4(5);
WAIT(10000);
UI::_0x10D373323E5B9C0D();
 
This will display "Please wait" beside the spinning circle for 10 seconds, then delete it.

 

Edited by fwiskalicious
unknown modder

 


 

 

The _0xABA17D7CE615ADBF native actually works like all the other text natives, i.e.

UI::_0xABA17D7CE615ADBF("STRING");
UI::ADD_TEXT_COMPONENT_SUBSTRING_PLAYER_NAME("whatever text you want");
UI::_0xBD12F8228410D9B4(5);

EDIT, I updated the names on NativeDB to

UI::_0xABA17D7CE615ADBF -> UI::_SET_LOADING_PROMPT_TEXT_ENTRY
UI::_0xBD12F8228410D9B4 -> UI::_SHOW_LOADING_PROMPT
UI::_0x10D373323E5B9C0D -> UI::_REMOVE_LOADING_PROMPT
Edited by unknown modder
jayrontaylor

Hi, First of all many thanks to everyone involved in this especially Alexander Blade!

 

Does anyone know how I can get the sounds from the sfx soundbank? For example, in Resident.rpf you have Set_Vehicle_Alarm, which is used when Franklin opens his vehicle. Also for all the other sound files like the police scanner etc. How do I get these when they are not in the decompiled scripts?

 

Many thanks

 

JAYRON

Edited by jayrontaylor
InfamousSabre


Decrypt the sound files (named *.dat15, *.dat51, and the like). Maybe the names are in there. Other than that: Just guess.


 

How do you guys decompile scripts and reverse engineer this game? I dumped the GTA5.exe and downloaded IDA, I have no idea what to do but I want to help lmao

lots of experience

 

 

I have also been trying to figure out how/what to dump out to discover Natives and figure out their new "hashes", and how to use that information to build my own scripts.

 

I don't know C++ or below, but in less than 4 hours I went from not knowing a thing called Mods existed, to writing a simple one of my own for GTA V.

 

If this community is going to survive (and alleviate some burden on a select few) it would be nice if committed and capable people, like us, had some info to get started figuring this stuff out, so we can contribute back to the community.


 

 


 

I'd like this too, I have some natives I want to reverse, might be interesting for making another realtime meta editing tool
Alexander Blade
GTA V Native hash translation table from b791 to b877.

 

http://pastebin.com/J64smfFv

unknown modder

 


 

yaaay, script dump to come shortly :)

 

EDIT: uploaded to gta5-mods, just waiting for them to approve - https://www.gta5-mods.com/tools/decompiled-scripts-b757

Edited by unknown modder

Native addresses for latest version - http://camx.me/gtav/addresses-b877.txt

Hey, what is this tool? I'm looking for a convenient way to get actual native addresses from VM native hashes for a long time with no success, mind explaining how can I do it? (:


Alright I managed to bruteforce the following natives:

0x96B8BEE8 NETWORK_EARN_FROM_PERSONAL_VEHICLE
0x2BEFB6C4 NETWORK_EARN_FROM_CHALLENGE_WIN
0x54198922 NETWORK_SPENT_FROM_ROCKSTAR
0xCC068380 NETWORK_EARN_FROM_NOT_BADSPORT
0xAEF6244B NETWORK_EARN_FROM_NOT_CHEATING
0xA520B982 NETWORK_CAN_ACCESS_MULTIPLAYER
0x19F0C471 NETWORK_CLEAR_CHARACTER_WALLET

@Alexander - now that the game has been out for 2 years and about 60% of the natives have been discovered, is it possible to create a more efficient method to bruteforce the rest of them?

Edited by TaazR
Alexander Blade
GTA V Native hash translation table from b877 to b944.

 

http://pastebin.com/rhCc8d3A
