Mafia 3 Modding (Mega Thread)


This topic contains 184 replies, has 65 voices, and was last updated by  jehodonjohn 1 year ago.

  • #162740

    Barzakh
    Participant

    Hi everybody,
    I just started to reverse engineer Mafia 3 and wanted to share all my information with you guys. Also, if you want, you can post your own information and reversed stuff.
     
    So far Mafia 3 seems to be based on Mafia 2’s codebase. A lot of strings, functions, function calls (hierarchy) and xrefs are equal to Mafia 2’s (except that Mafia 3 runs on x64, unlike Mafia 2 on x86).
    I’m currently trying to port Gibbed’s Mafia 2 tool (http://svn.gib.me/public/illusion/trunk/) to Mafia 3. So far it’s looking good (and promising); it seems that the SDS base structure (platform, version, XML etc.) hasn’t really changed. The version got incremented from 19 to 20. I’m currently reversing the TEA keys of Mafia 3.
     
    In case you also want to reverse engineer Mafia 3, you need to dump the executable. From my point of view Denuvo got used in the shipped executable (a lot of jumps inside the codebase; my experience tells me that it’s Denuvo because the same structure appeared on previous reverse engineering projects (e.g. GTA5)). So in order to dump it, open the executable, and as soon as you’re in singleplayer (spawned), go to the Desktop and run Scylla x64 (https://github.com/NtQuery/Scylla/releases). Simply press dump and you get a (nearly) decrypted executable which is ready to be loaded into IDA.
     
    Update
    Used libraries (dependencies): Havok, Wwise
    The Lua version used seems to be 5.2.1 (at least in Havok)
    Weather Sets: “SUNNY”, “PARTLY_CLOUDY”, “CLOUDY”, “LIGHT_RAINY”, “RAINY”, “LIGHT_WINDY”, “WINDY”
     
    Still they seem to be using LUA for scripting (same as in Mafia 2).

     
     
    When looking deeper into scripting (let’s take SetTime function), we can see that the function itself has lua calls inside.

     
    Looking even deeper, you can see that Mafia 2 and Mafia 3’s script engine system has some similarities. (Don’t mind the //get top , the compiler just inlined the function (compile config, compiler version etc. caused this))

     
     
    Update 8.10
    If you want to patch loading screens, simply patch these bytes on the following address:
    Bytes: 0xB000C3  (ASM code: mov al(B0), 0(00); retn(C3);) Note: If you patch the address directly, don't forget to write bytecode in reverse order, so it's 0xC300B0
    Address: 0x0000000143850B30 (Imagebase 0x140000000, so ImgBase + 0x3850B30)
     
    Furthermore here is a list of class instances (Imagebase is 0x140000000)

    Name Address Description
    VAR_C_GameScriptModule 0x00000001462F5ED8 To be done.
    VAR_C_GameCamera 0x000000014608C120 To be done.
    VAR_C_Game 0x00000001461E5828 To be done.
    VAR_C_FlowNodeLogicQuestEvaluateImpl 0x00000001461E6968 To be done.
    VAR_C_CityOwnersManager 0x00000001461E5A38
    VAR_C_CharacterTable 0x00000001461E5898
    VAR_C_ActorSubdivObj 0x00000001461E6008
    M3Malloc  0x000000014293D770 Thread safe malloc inside Mafia 3

     
    About hashing:
    Mafia 3 is using the same hashing methods as Mafia 2. Used hash methods are fnv32 and fnv64. Screenshot attached below. (The function body is inside the parent function because of compiler optimisations, which inline the function at compile time to improve performance.)


     
    About SDS structure:
    In the previous SDS version (Mafia 2, version 19), the SDS archive header contained an XML offset (also the XML content was not encrypted/encoded). In SDS version 20 (Mafia 3), the XML offset seems to no longer exist (always 0), and the content seems to be encrypted / compressed.


     
    For the time being, I’m reversing the script engine so that we can create a scripthook and run our own Lua content. Instead of just hooking the loadbuffer function, I’m reversing the whole Script Engine (so we can adjust everything). This is the base structure at the moment:
    http://pastebin.com/xCfq7H94
     
    Also here are the LUA function addresses (these are not the ones from HavokScript hksi, these are the plain Lua functions)

    lua_close 0x00000001446D10E0
    lua_newstate 0x00000001446D1380
    lua_pushfstring 0x00000001446D14F0
    luaL_addsize 0x00000001446DAE40
    luaL_callmeta 0x00000001446DB3F0
    luaL_argcheck 0x00000001446DB0B0
    luaL_checkany 0x00000001446DB570
    luaL_checkinteger 0x00000001446DB600
    luaL_checknumber 0x00000001446DB750
    luaL_checkoption 0x00000001446DB800
    luaL_checkudata 0x00000001446DBBA0
    luaL_error 0x00000001446DBD70
    luaL_findtable 0x00000001446DC3A0
    luaL_getmetatable 0x00000001446DC260
    luaL_gsub 0x00000001446DC6D0
    luaL_loadfile 0x00000001446DC9B0
    luaL_newmetatable 0x00000001446DCAC0
    luaL_openlibs 0x00000001446DEB90
    luaL_optinteger 0x00000001446DCCC0
    luaL_optnumber 0x00000001446DCFC0
     More coming soon…

     
     
     

    • This topic was modified 2 years, 5 months ago by  Barzakh.
    8 users thanked author for this post.
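
The post above says Mafia 3 hashes with fnv32 and fnv64 but does not say whether that means FNV-1 or FNV-1a. As an added example (not from the post or from any Mafia tool), this Python computes both variants at both widths and reports which one reproduces a hash constant recovered from a binary; the `identify` helper and the sample hash are constructed for illustration.

```python
# Added example: FNV-1 / FNV-1a at 32 and 64 bits, plus a variant finder.
# Which variant the game uses is NOT stated on the page; that is what
# identify() is for.

# Standard FNV offset basis and prime for each width.
FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193),
    64: (0xCBF29CE484222325, 0x00000100000001B3),
}


def fnv(data: bytes, bits: int = 32, variant: str = "fnv1") -> int:
    """Hash data with FNV-1 (multiply, then XOR) or FNV-1a (XOR, then multiply)."""
    if variant not in ("fnv1", "fnv1a"):
        raise ValueError(f"unknown variant: {variant}")
    offset, prime = FNV_PARAMS[bits]
    mask = (1 << bits) - 1
    h = offset
    for byte in data:
        if variant == "fnv1":
            h = ((h * prime) & mask) ^ byte
        else:
            h = ((h ^ byte) * prime) & mask
    return h


def identify(observed: int, candidates):
    """Return every (variant, bits, text) whose hash equals observed.

    Each candidate is also tried lower-cased, since hashed names are
    often case-folded before hashing (an assumption to test, not a fact
    about this game).
    """
    hits = []
    for name in candidates:
        for text in dict.fromkeys((name, name.lower())):
            for bits in (32, 64):
                for variant in ("fnv1", "fnv1a"):
                    if fnv(text.encode("utf-8"), bits, variant) == observed:
                        hits.append((variant, bits, text))
    return hits


if __name__ == "__main__":
    # Candidate strings: weather set names listed in the post.
    weather = ["SUNNY", "PARTLY_CLOUDY", "CLOUDY", "LIGHT_RAINY", "RAINY"]
    # Constructed sample standing in for a constant read out of the binary.
    sample = fnv(b"cloudy", 64, "fnv1")
    print(hex(sample), identify(sample, weather))
```
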
    #162746
    Draconio
    Keymaster

    Thank you very much for sharing this via our forums, Barzakh! I’m glad to see that they didn’t deviate too far from Mafia II’s proprietary tech. Hopefully this means aspects of Mafia II can be ported into Mafia III.

    #162771

    dirtydanisreal
    Participant

    There are a bunch of cvars that can be found if you look at the memory strings, but I’m not sure how to make the game read them or get it to enable a debug console.

    #162787

    Barzakh
    Participant

    Sooo… This is the first look at the Script Hook for Mafia 3, first version should be out on Sunday 😉 This version is thread safe and works with the Game Main Script Thread / Machine. Also I’ll add a list with available commands and parameters (all game scripting functions, as far as possible). D3D11 hook and maybe developer console coming later on.

    https://www.youtube.com/embed/0kepM10jcWA
    (Unfortunately I can’t embed it with the video tag, I keep on getting 403 not authorized, “A potentially unsafe operation has been detected in your request to this site…”)
     
    PS.: Some nice messing around screenshot 😉

    • This reply was modified 2 years, 5 months ago by  Barzakh.
    • This reply was modified 2 years, 5 months ago by Zenin Zenin.
    2 users thanked author for this post.
    #162789
    Josh
    Participant

    Fucking awesome man. I cannot wait to make Mafia 3 script mods soon. Thank you for your work, I appreciate it!

    #162790
    Draconio
    Keymaster

    Thanks for reporting the embed error, Barzakh. We will look into it immediately.
    Looks like you weren’t joking about the codebase – that Lua script is the same one I used for the Teleport to Joe’s Apartment mod. Do any of the other scripts on the site work in Mafia III via your script hook?
    Nice choice of music on the video. Reminds me of when Wei sang it in Sleeping Dogs. Shame that game wasn’t moddable. 🙂

    #162792

    Barzakh
    Participant

    Alright, first version of the scripthook is out now. (I’ll upload it here once I’ve finished some cleanups (adding icons to executable, writing tutorial, list of commands etc.))
    https://github.com/MartinJK/Mafia3ScriptHook
     
    The Scripthook supports loading of library (.dll) and script (.lua) files. So you can either write your plugins in C++ (calling game functions directly), simply use Lua, or use both.
    The library part of the Scripthook features all needed memory functionality (searching for patterns, writing them into a cache file so the search is faster next time, etc.) including Lua (you get the lua_State ptr once the plugin start routine is called).
    Example can be seen here: https://github.com/MartinJK/Mafia3ScriptHook/blob/master/ExampleDLLPlugin/src/main.cpp
     
    The files need to be placed in the following directories:
    MAFIA III FOLDER/scripts/*.lua
    MAFIA III FOLDER/plugins/*.dll
     
    In order to allow quick development, you can reload the Lua scripts via F1 key press. Reload for .dll will be added soon.
     
    Oh and by the way, I’ve uploaded the Mafia 3 font files (extracted from the Launcher) for you guys, you can download them at https://mega.nz/#!l8NDVCKA (nearly 60MB because of Chinese and Japanese fonts)

    • This reply was modified 2 years, 5 months ago by  Barzakh.
    5 users thanked author for this post.
    #162805

    lundy
    Participant

    Finally. I’m so glad this is starting off.

    • This reply was modified 2 years, 5 months ago by  lundy.
    #162807

    lundy
    Participant
    162789 wrote:

    Fucking awesome man. I cannot wait to make Mafia 3 script mods soon. Thank you for your work, I appreciate it!

    Knowing YOU are going to be working on stuff here. That reassures me. All we need now is model editing.

    1 user thanked author for this post.
    #162814

    Barzakh
    Participant

    Alright guys, here are some functions (once I’ve written a script you’ll get them prettified ;))
    Until then, please compare the variables (like game.game – if they are correct) and take / guess the parameters from here http://mafiascene.net/thread-850.html
     
    game.game http://hastebin.com/jizoxekoti.hs
    game.hud http://hastebin.com/uwizoyipub.css
    game.traffic http://hastebin.com/sedasiditu.hs
    game.battle  http://hastebin.com/ifeyiwufew.hs
     
    Unknown yet, only class reversed:
    human http://hastebin.com/upeyukotev.css
    player http://hastebin.com/yuwexotomu.hs (you can access it with game.game:GetActivePlayer() )
    car (vehicle) http://hastebin.com/iroxorijes.hs (when you are in a car, you can access it with game.game:GetActivePlayer():GetOwner() )
    boat (vehicle) http://hastebin.com/ifuwoqidoj.hs  (when you are in a car, you can access it with game.game:GetActivePlayer():GetOwner() )
     
    garage http://hastebin.com/ukohaluxap.hs
    radio http://hastebin.com/iroxoruwah.hs
    gameaudioak http://hastebin.com/uxeyunefac.hs
    sds http://hastebin.com/aguqekorin.hs
    mapstream http://hastebin.com/nocebanura.hs
    savegame http://hastebin.com/uhayebaxaz.hs
    nagivation http://hastebin.com/hutepilehi.hs
    pipcamera http://hastebin.com/mubixatevu.hs
    gamedirector http://hastebin.com/bipixerega.hs
    gui http://hastebin.com/wemegulato.hs
    race http://hastebin.com/uxuyetezow.hs
    relationship http://hastebin.com/ivokohivuf.hs
    wingman http://hastebin.com/vapidojoyi.hs
    gamecam and mafiacam http://hastebin.com/yozafehaca.hs
    cutscene http://hastebin.com/wenugujoye.hs
    videocapture http://hastebin.com/icuyifiqiz.hs
    door http://hastebin.com/ohizuzivis.hs
    entity (wrapper)  http://hastebin.com/cuhiyipifo.hs
     
    Little insight how many functions register these variables (like game.game, game.hud etc.)

    • This reply was modified 2 years, 5 months ago by  Barzakh.
    8 users thanked author for this post.
    #162820

    PatrickJr.
    Participant

    Awesome stuff!

    #162825
    sic_null
    Participant

    Any possibility of custom soundtracks? Would be dope to listen to my own music while driving around.

    #162826

    dirtydanisreal
    Participant

    any way to add a toggle button for lethal/nonlethal takedowns? In real time?

    #162827
    Josh
    Participant

    @sic_null You will have to wait for the SDS Tool.
    @dirtydanisreal There most likely is but not all functions are found yet.

    #162828

    PatrickJr.
    Participant
    162807 wrote:

    Fucking awesome man. I cannot wait to make Mafia 3 script mods soon. Thank you for your work, I appreciate it!

    Knowing YOU are going to be working on stuff here. That reassures me. All we need now is model editing.

    To be honest @jedijosh920 is pretty awesome when it comes to scripts and stuffs

    • This reply was modified 2 years, 5 months ago by  PatrickJr..