Mafia 3 Modding (Mega Thread)
October 7, 2016 at 10:56 am #162740
I just started to reverse engineer Mafia 3 and wanted to share all my information with you guys. If you want, you can also post your information and reversed stuff.
So far Mafia 3 seems to be based on Mafia 2’s codebase. A lot of strings, functions, function calls (hierarchy) and xrefs are equal to Mafia 2’s (except that Mafia 3 runs on x64, unlike Mafia 2 on x86).
I’m currently trying to port Gibbed’s Mafia 2 tool (http://svn.gib.me/public/illusion/trunk/) to Mafia 3; so far it’s looking good (and promising), it seems that the SDS base structure (platform, version, XML etc.) hasn’t really changed. The version got incremented from 19 to 20. I’m currently reversing the TEA keys of Mafia 3.
In case you also want to reverse engineer Mafia 3, you need to dump the executable. From my point of view Denuvo got used in the shipped executable (a lot of jumps inside the codebase; my experience tells me that it’s Denuvo because the same structure appeared on previous reverse engineering projects (e.g. GTA5)). So in order to dump it, open the executable, and as soon as you’re in singleplayer (spawned), go to the desktop and run Scylla x64 (https://github.com/NtQuery/Scylla/releases). Simply press dump and you get a (nearly) decrypted executable which is ready to be loaded into IDA.
Used libraries (dependencies): Havok, Wwise
The Lua version used seems to be 5.2.1 (at least in Havok).
Weather Sets: “SUNNY”, “PARTLY_CLOUDY”, “CLOUDY”, “LIGHT_RAINY”, “RAINY”, “LIGHT_WINDY”, “WINDY”
They still seem to be using Lua for scripting (same as in Mafia 2).
When looking deeper into scripting (let’s take the SetTime function), we can see that the function itself has Lua calls inside.
Looking even deeper, you can see that Mafia 2’s and Mafia 3’s script engine systems have some similarities. (Don’t mind the //get top; the compiler just inlined the function (compile config, compiler version etc. caused this).)
If you want to patch loading screens, simply patch these bytes on the following address:
(ASM code: mov al(B0), 0(00); retn(C3);)
Note: If you patch the address directly, don't forget to write bytecode in reverse order, so it's 0xC300B0
Address: 0x0000000143850B30 (Imagebase 0x140000000, so ImgBase + 0x3850B30)
Furthermore, here is a list of class instances (Imagebase is 0x140000000):
Name                                  Address              Description
VAR_C_GameScriptModule                0x00000001462F5ED8   To be done.
VAR_C_GameCamera                      0x000000014608C120   To be done.
VAR_C_Game                            0x00000001461E5828   To be done.
VAR_C_FlowNodeLogicQuestEvaluateImpl  0x00000001461E6968   To be done.
VAR_C_CityOwnersManager               0x00000001461E5A38
VAR_C_CharacterTable                  0x00000001461E5898
VAR_C_ActorSubdivObj                  0x00000001461E6008
M3Malloc                              0x000000014293D770   Thread safe malloc inside Mafia 3
Mafia 3 is using the same hashing methods as Mafia 2. The hash methods used are fnv32 and fnv64. Screenshot attached below. (The reason the function body is inside the parent function is the compiler (optimisations), which inlines the function to improve performance (optimisations at compile time).)
About SDS structure:
In the previous SDS version (Mafia 2, version 19), the SDS archive header contained an XML offset (also the XML content was not encrypted/encoded). In SDS version 20 (Mafia 3), the XML offset seems to no longer exist (always 0); also the content seems to be encrypted / compressed.
At the time being, I’m reversing the script engine so that we can create a scripthook and run our own Lua content. Instead of just hooking the loadbuffer function, I’m reversing the whole script engine (so we can adjust everything). These are the base structures at the moment:
Also, here are the Lua function addresses (these are not the ones from HavokScript hksi, these are the plain Lua functions):
lua_close          0x00000001446D10E0
lua_newstate       0x00000001446D1380
lua_pushfstring    0x00000001446D14F0
luaL_addsize       0x00000001446DAE40
luaL_callmeta      0x00000001446DB3F0
luaL_argcheck      0x00000001446DB0B0
luaL_checkany      0x00000001446DB570
luaL_checkinteger  0x00000001446DB600
luaL_checknumber   0x00000001446DB750
luaL_checkoption   0x00000001446DB800
luaL_checkudata    0x00000001446DBBA0
luaL_error         0x00000001446DBD70
luaL_findtable     0x00000001446DC3A0
luaL_getmetatable  0x00000001446DC260
luaL_gsub          0x00000001446DC6D0
luaL_loadfile      0x00000001446DC9B0
luaL_newmetatable  0x00000001446DCAC0
luaL_openlibs      0x00000001446DEB90
luaL_optinteger    0x00000001446DCCC0
luaL_optnumber     0x00000001446DCFC0
More coming soon…

October 7, 2016 at 7:29 pm #162746 Draconio (Keymaster)
Thank you very much for sharing this via our forums, Barzakh! I’m glad to see that they didn’t deviate too far from Mafia II’s proprietary tech. Hopefully this means aspects of Mafia II can be ported into Mafia III.

October 8, 2016 at 8:45 pm #162771 dirtydanisreal (Participant)
There are a bunch of cvars that can be found if you look at the memory strings, but I’m not sure how to make the game read them or get it to enable a debug console.

October 9, 2016 at 2:38 am #162787
Sooo… This is the first look at the Script Hook for Mafia 3; the first version should be out on Sunday 😉 This version is thread safe and works with the game’s main script thread / machine. Also I’ll add a list with available commands and parameters (all game scripting functions, as far as possible). D3D11 hook and maybe developer console coming later on.
(Unfortunately I can’t embed it with the video tag, I keep on getting 403 not authorized, “A potentially unsafe operation has been detected in your request to this site…”)
PS.: Some nice messing around screenshot 😉

October 9, 2016 at 2:50 am #162789 Josh (Participant)
Fucking awesome man. I cannot wait to make Mafia 3 script mods soon. Thank you for your work, I appreciate it!

October 9, 2016 at 6:06 am #162790 Draconio (Keymaster)
Thanks for reporting the embed error, Barzakh. We will look into it immediately.
Looks like you weren’t joking about the codebase – that Lua script is the same one I used for the Teleport to Joe’s Apartment mod. Do any of the other scripts on the site work in Mafia III via your script hook?
Nice choice of music on the video. Reminds me of when Wei sang it in Sleeping Dogs. Shame that game wasn’t moddable. 🙂

October 9, 2016 at 5:32 pm #162792
Alright, the first version of the scripthook is out now. (I’ll upload it here once I’ve finished some cleanups (adding icons to the executable, writing a tutorial, list of commands etc.))
The Scripthook supports loading of library (.dll) and script (.lua) files. So you can either write your plugins in C++ (calling game functions directly), simply use Lua, or use both.
The library part of the Scripthook features all needed memory functionality (searching for patterns (writing them into a cache file so the search is faster next time etc.)) including Lua (you get the lua_State ptr once the plugin start routine is called).
Example can be seen here: https://github.com/MartinJK/Mafia3ScriptHook/blob/master/ExampleDLLPlugin/src/main.cpp
The files need to be placed in the following directories:
MAFIA III FOLDER/scripts/*.lua
MAFIA III FOLDER/plugins/*.dll
In order to allow quick development, you can reload the Lua scripts via the F1 key. Reload for .dll will be added soon.
Oh and by the way, I’ve uploaded the Mafia 3 font files (extracted from the Launcher) for you guys; you can download them at https://mega.nz/#!l8NDVCKA (nearly 60MB because of the Chinese and Japanese fonts).

October 9, 2016 at 9:31 pm #162805 lundy (Participant)
Finally. I’m so glad this is starting off.

October 9, 2016 at 9:33 pm #162807 lundy (Participant)

October 10, 2016 at 12:15 am #162814
Alright guys, here are some functions (once I’ve written a script you’ll get them prettified ;))
Until then, please compare the variables (like game.game, whether they are correct) and take / guess the parameters from here: http://mafiascene.net/thread-850.html
Unknown yet, only class reversed:
player http://hastebin.com/yuwexotomu.hs (you can access it with game.game:GetActivePlayer() )
car (vehicle) http://hastebin.com/iroxorijes.hs (when you are in a car, you can access it with game.game:GetActivePlayer():GetOwner() )
boat (vehicle) http://hastebin.com/ifuwoqidoj.hs (when you are in a car, you can access it with game.game:GetActivePlayer():GetOwner() )
gamecam and mafiacam http://hastebin.com/yozafehaca.hs
entity (wrapper) http://hastebin.com/cuhiyipifo.hs
Little insight into how many functions register these variables (like game.game, game.hud etc.)

October 10, 2016 at 2:08 am #162820 PatrickJr. (Participant)
Awesome stuff!

October 10, 2016 at 3:35 am #162825 sic_null (Participant)
Any possibility of custom soundtracks? Would be dope to listen to my own music while driving around.

October 10, 2016 at 3:43 am #162826 dirtydanisreal (Participant)
Any way to add a toggle button for lethal/nonlethal takedowns? In real time?

October 10, 2016 at 4:26 am #162827 Josh (Participant)

October 10, 2016 at 7:50 am #162828 PatrickJr. (Participant)
> Fucking awesome man. I cannot wait to make Mafia 3 script mods soon. Thank you for your work, I appreciate it!
Knowing YOU are going to be working on stuff here. That reassures me. All we need now is model editing.
To be honest @jedijosh920 is pretty awesome when it comes to scripts and stuffs
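Editor’s added example, not code from any post in this thread, from the game or from the script hook: the first post says the engine hashes names with fnv32 and fnv64 but does not say which FNV variant (FNV-1 multiplies then XORs, FNV-1a XORs then multiplies). The block below implements both widths and both variants in Python, and adds a small lookup that resolves a hash found in a dump against a list of known names, using the weather set names quoted in the first post as the candidate list. The test vectors in the comments are the published FNV ones, not values taken from the game; the `identify` helper and its two-variant search are my assumption about how one would use the hashes, not a description of the game’s own code.

```python
"""FNV-1 / FNV-1a, 32- and 64-bit, plus a hash-to-name lookup.

Editor's example; the FNV constants are the standard published ones.
Which variant Mafia 3 uses is unknown, so both are available.
"""
from typing import Iterable, Optional, Tuple

FNV32_OFFSET, FNV32_PRIME, MASK32 = 0x811C9DC5, 0x01000193, 0xFFFFFFFF
FNV64_OFFSET, FNV64_PRIME, MASK64 = 0xCBF29CE484222325, 0x00000100000001B3, 0xFFFFFFFFFFFFFFFF

# Weather set names quoted in the first post; used as sample candidates.
WEATHER_SETS = ["SUNNY", "PARTLY_CLOUDY", "CLOUDY", "LIGHT_RAINY",
                "RAINY", "LIGHT_WINDY", "WINDY"]


def _fnv(data: bytes, offset: int, prime: int, mask: int, variant: str) -> int:
    """Core loop. variant "1a": xor then multiply; variant "1": multiply then xor."""
    if variant not in ("1", "1a"):
        raise ValueError("variant must be '1' or '1a'")
    h = offset
    for b in data:
        if variant == "1a":
            h = ((h ^ b) * prime) & mask
        else:
            h = ((h * prime) & mask) ^ b
    return h


def fnv32(data: bytes, variant: str = "1a") -> int:
    """32-bit FNV. Published vectors: fnv32(b"a") == 0xE40C292C (1a), 0x050C5D7E (1)."""
    return _fnv(data, FNV32_OFFSET, FNV32_PRIME, MASK32, variant)


def fnv64(data: bytes, variant: str = "1a") -> int:
    """64-bit FNV. Published vectors: fnv64(b"a") == 0xAF63DC4C8601EC8C (1a), 0xAF63BD4C8601B7BE (1)."""
    return _fnv(data, FNV64_OFFSET, FNV64_PRIME, MASK64, variant)


def hash_name(name: str, bits: int = 32, variant: str = "1a") -> int:
    """Hash a game name string. Assumes names are plain ASCII (an assumption)."""
    data = name.encode("ascii")
    if bits == 32:
        return fnv32(data, variant)
    if bits == 64:
        return fnv64(data, variant)
    raise ValueError("bits must be 32 or 64")


def identify(value: int, candidates: Iterable[str], bits: int = 32) -> Optional[Tuple[str, str]]:
    """Resolve a hash value (e.g. read from a dump) to (name, variant).

    Tries every candidate under both FNV variants, since the variant is not
    known; returns None when nothing matches.
    """
    for name in candidates:
        for variant in ("1a", "1"):
            if hash_name(name, bits, variant) == value:
                return name, variant
    return None


if __name__ == "__main__":
    for name in WEATHER_SETS:
        print(f"{name:14s} fnv32-1a={fnv32(name.encode()):08X} "
              f"fnv64-1a={fnv64(name.encode()):016X}")
    # Constructed round trip: a hash we computed ourselves, resolved back to its name.
    print(identify(hash_name("RAINY", 64, "1"), WEATHER_SETS, 64))
```

Usage: hash the strings you can read from the binary with both variants, compare against hash values you see passed to the hashing routine the screenshot shows, and whichever variant lines up is the one the engine uses; from then on `identify` maps dumped hashes back to readable names.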