Archive for the ‘Grand Theft Auto IV’ Category

Hacking Grand Theft Auto IV: A Basic Trainer

Tuesday, December 23rd, 2008

Here is a basic trainer for GTA IV 1.0.1.0, features:

  • Invincibility
  • Fast Reload
  • Never Get Tired

This trainer will work with and without my XLive wrapper.

Note: this trainer is for GTA IV 1.0.1.0 only, the trainer does not attempt to validate that you are running 1.0.1.0 at all, using it with other versions may lead to unexpected behavior.

Basic Trainer for GTA IV 1.0.1.0

Running the trainer will immediately activate all mentioned features. If you do not become invincible, simply run the trainer again and it should take.

This trainer will refuse to activate if it detects you are playing in multiplayer.

This trainer is based on the superman example script provided in Alice, created by Alexander Blade, in standalone form.

As usual, please report any problems, etc in comments to this post.

Tags: ,
Posted in Grand Theft Auto IV | 163 Comments »

Hacking Grand Theft Auto IV: Part III

Saturday, December 20th, 2008

Another feature set provided by the Games For Windows API is various functions for “protecting” data (hashing & validating). GTA IV uses these functions to hash and validate its save files. I’m not exactly sure how these functions work exactly — other than the fact that the one we are interested in, XLiveUnprotectData, is called in a peculiar way.

It’s called twice, with five arguments, none of these arguments point at the save data itself, but at the 360 byte blob at the end of the save file. I suspect that this process is actually decrypting some memory rather than hashing the save itself, the end result is that a CRC32 hash of a part of the save is extracted, then compared against. By hashing the save and providing the valid CRC32 in the result of a replaced XLiveUnprotectData we can get past this validation, allow us to load other people’s saves as well as letting us modify our saves.

For the new version of the wrapper:

  • Multiplayer functionality of GTA IV is now forcefully disabled, to prevent usage of my wrapper to cheat in multiplayer. Yeah, sorry, I’m not going to encourage it.
  • Protected buffers have slightly changed to better organize them, they are a single block of data rather than two now (this is only really useful if you’re writing a trainer for use with my wrapper).
  • A new tool, CopyXLiveResources, is now provided to fix the invisible Games For Windows interface in-game. You do not have to use this tool if you do not want to.
  • Save validation is now disabled, you can load any save. Note: This will not magically fix any form of corruption on your save files if they are corrupted.

Note: the save validation “feature” of this version of my wrapper now potentially makes it incompatible with any other game, and previous version of GTA IV. This version of the wrapper was made with GTA IV 1.0.1.0 in mind, if there are compatibility issues with previous versions I have no plans to support them.

XLive Wrapper (1.2.0.7) for GTA IV (1.0.1.0)

I have only tested my wrapper locally. There could be unforeseen issues that I have not expected, if you experience any bugs feel free to comment this post.

Tags: ,
Posted in Grand Theft Auto IV | 241 Comments »

Hacking Grand Theft Auto IV: Part II

Tuesday, December 16th, 2008

One of the features the Games For Windows API provides is protected buffers. These buffers can be allocated by games that use the API, and data can be copied back and forth from them. GTA IV uses this for a bunch of the game memory, for example, your current cash.

The following functions (thanks, xlive.pdb!), are what provide this feature to games:

  • int XLivePBufferAllocate(int size, XLiveProtectedBuffer **pbuffer)
  • int XLivePBufferGetByte(XLiveProtectedBuffer *pbuffer, int offset, unsigned char *value)
  • int XLivePBufferGetDWORD(XLiveProtectedBuffer *pbuffer, int offset, unsigned int *value)
  • int XLivePBufferGetByteArray(XLiveProtectedBuffer *pbuffer, int offset, void *destination, int size)
  • int XLivePBufferSetByte(XLiveProtectedBuffer *pbuffer, int offset, unsigned char value)
  • int XLivePBufferSetDWORD(XLiveProtectedBuffer *pbuffer, int offset, unsigned int value)
  • int XLivePBufferSetByteArray(XLiveProtectedBuffer *pbuffer, int offset, void *source, int size)
  • int XLivePBufferFree(XLiveProtectedBuffer *pbuffer)

By creating a fake xlive.dll which wraps the real xlive.dll, we can serve ‘unprotected’ versions of these 8 functions. In doing this, we can now freely modify at runtime the data that the game wants to be protected, including your current cash.

XLive Wrapper for GTA IV 1.0.0.1

Drop this into your GTA IV game directory (where GTAIV.exe resides), start the game, viola, unprotected memory!

(The first time you run the game, the wrapper will prompt you if it is OK to copy the original xlive.dll/xlive.dll.CAT unmodified to another location with a new name)

If you encounter any issues with the wrapper aside from the UI issue, please let me know!

The only side effect that I’ve seen so far is that the in-game UI for Games For Windows no longer appears, although the game continues to function normally (including multiplayer).

Part III will talk about save validation and include version 1.1.0.0 of the wrapper with this disabled :).

Tags: ,
Posted in Grand Theft Auto IV | 109 Comments »

Hacking Grand Theft Auto IV

Tuesday, December 9th, 2008

A week ago Grand Theft Auto IV came out for the PC, since then I’ve been trying to poke about at things, the first thing I saw that I wanted to try was to edit the save files.

I found the save files nestled in C:\Users\Rick\AppData\Local\Rockstar Games\GTAIV\savegames. You’ll likely find several subdirectories there, following the format of user_<16 byte Live user ID>. Under one of these directories you find files following the scheme of SGTA4<index>.

Taking a look at these saves, the data is unencrypted and in a very obvious format. Unfortunately you cannot directly edit them, GTAIV makes use of some hashing features built into xlive.dll (Games for Windows – Live).

There is a 360 (coincidence?) byte footer to each GTAIV save file — this makes up two blocks. A 296 byte block, and a 64 byte block. I’m not sure about the 296 byte block, but the 64 bit block is likely a hash of the save data.

I set an obvious way to try and edit the save data: change the amount of money you have.

Looking at the structure of the save data, the amount of cash you have is in the second block of data in the save (PlayerInfo), there appear to be two values for money — one is probably total cash while the other is current cash. They are 0x1EA and 0x1F2 bytes from the start of the save file (due to the structure of the file, these offsets are unlikely to change).

Out of all the attempts I made in trying to edit a save file — the one I ended up with was pretty much a massive hack. xlive.dll has some protections enabled that make tampering with a running game a bad idea (crashing, not functioning properly, among other things). I dug deep enough to discover that I could essentially break a part of xlive.dll to make it possible to modify GTAIV code. When GTAIV calls xlive.dll to do something (in this instance, hash a save file), xlive.dll does a check on the calling process to make sure it hasn’t been modified. The offending function is called XLivepVerifyAddress (xlive.dll+0xA6354, according to xlive.pdb ;-).

I broke this function (by making it always return 0), hooked the function that hashes save data (GTAIV.exe+0x18C180), a pointer to the save data being the first argument.

Starting the game with my changes (done at runtime, no modification to files of course, via loader + injected DLL), I load my game, something crashes (another thread, perhaps), the game continues to run fine. I save.

The end result?

A save file with its cash altered to $10,000,000, with a valid hash.

(shortly after purchasing a fancy hat with my new money in a relatively new game)

Tags: ,
Posted in Grand Theft Auto IV | 35 Comments »