1.76 demo videos, 4.05 PS4 Kernel Exploit and PS4 4.05 Game Modding Payload alongside his Full Debug Settings Payload, today PlayStation 4 developer @2much4u made available a PS4 GTA V Native Caller via Twitter while @0x199 released a Nice Fly PS4 4.05 Game Mod and Firebreather PS4 4.05 Mod for GTAV 1.00 on Twitter proceeding his other PS4 game mods.
Download: PS4-GTA-V-Native-Caller-4.05.zip / GIT / nicefly_405.bin (17 KB) / firebreather_405.bin (14 KB)
For the Nice Fly PS4 4.05 Game Mod, he notes to quote: "Hold Square to fly. Once flying, hold R2 to boost. As a small addon, this version also enables North Yankton. Enjoy!"
For the Firebreather mod on PS4 4.05 for GTAV 1.00 he states: "Simply press R1 to breathe fire (don't press too many times). Ported from PC by me, credits to Kokolaty for originally developing this mod."
And from the README.md, to quote: PS4 GTA V Native Caller
A simple example of calling natives on PS4 GTA V using idc's adaptation of CTurt's PS4 ***.
A large part of GTA V is controlled by custom script files Rockstar writes in their own format. A virtual processor is included in each version of the game to interpret these scripts. The main way for them to interact with and control the game is to invoke natives. Natives are functions defined within the game's executable. In the same way that scripts use natives to control the game, arbitrarily calling them will allow the caller to control the game to his/her desire. The purpose of this payload is to provide an easy way of doing just that. It includes a few small examples: making the player invincible, giving the player super jump, and teleporting the player when a button combination is pressed.
Setting Up Execution
First, a kernel payload is executed to escape the sandbox, escalate the web browser's privileges, and make appropriate kernel patches. The kernel payload also disables ASLR for newly created processes, making it much easier to modify them. Afterwards, the browser payload constantly checks the running processes waiting for one called eboot.bin. Once a game process is found, the syscall ptrace is used to read and write to it. With ASLR disabled, the EBOOT always starts at 0x400000 in memory. A few bytes are read from the EBOOT to verify that the game is GTA V and to detect the region.
Functions for making syscalls, invoking natives, and setting up the environment are copied into free executable space within the EBOOT. The native IS_PLAYER_ONLINE is hooked with the function to set up the execution environment. This function allocates more memory within GTA's process since the EBOOT has limited space. Once this setup function is called from GTA, the browser payload copies a standard main function into that newly allocated space and exits.
Executing Inside GTA V
Once executing within GTA V, a structure called gtaVars is declared in some arbitrarily allocated memory to keep track of global variables. The native table has the same structure as on other platforms, making it easy to work with. The native hashes on PS4 GTA V 1.00 are also the same as the 1.00 native hashes on PC, meaning the documentation on NativeDB can be used. The majority of the code in nativeHook is filtered to only execute once a frame (IS_PLAYER_ONLINE is called multiple times a frame), in order to keep things smooth. This will be more important for any drawing.
Functions called from nativeHook must be always inline or GTA will crash. This is because when compiled, nativeHook will expect those functions to be at specific locations relative to itself. Once nativeHook is copied to a different location, those relative addresses will be incorrect. The exceptions to this are functions declared in the payload by their absolute address such as invokeNative.
Since nativeHook is copied to a different location, strings will have the same relative address issue as called functions. A simple way around this is to define them on the stack like:
This is necessary so the compiler does not place the string in the data segment.Code:const char helloWorld = "hello world";
Global variables also have the same relative address issue. In order to mitigate this, keep track of global variables with the gtaVars structure defined in gta.h.
By default 0x10000 bytes will be allocated for nativeHook and 0x4000 bytes for gtaVars. These sizes can be adjusted if need be.
When executed multiple times, the payloads will replace each other rather than executing simultaneously.
Only a few natives are defined in natives.h. However, more can be defined as necessary.
Button ID's for PS4 were different than last gen and PC so a simple mapping of them is included. Button_Tpad_X and Button_Tpad_Y can be used with the natives GET_CONTROL_VALUE and GET_CONTROL_NORMAL for touchpad input. Button_Tpad is just for if the touchpad is pressed.
Since this payload injects functions into EBOOT memory, different versions of the payload can be tested without having to restart GTA.
This is a fairly primitive way to go about modding a game, expect some strange and quirky bugs while using this.
Specter, CTurt, qwertyoruiopz, flatz, idc, SKFU, droogie, Xerpi, bigboss, Hunger, Takezo, and Proxima - PS4 research making all this possible
Alexander Blade and NativeDB Contributors - Native research making GTA V stuff relatively easy to port to PS4
This includes the necessary kernel patches to get ptrace working. I know many devs have been struggling with that. Also, the payload now allocates memory within gta to eliminate the limited space issue that existed on the 1.76 version.
Don't forget to recompile idc's payload *** before using this. He pushed an update today that added support for the kexec syscall which is needed for this payload.
PS4 4.05 Mod - GTA V Nice Fly Mod
GTA V Firebreather MOD Thanks to 0x199, 2much4u, seb5594 (PS4 4.05) by GrimDoe
Thanks to both @B7U3 C50SS and @offLife for the news tips in the PSXHAX Shoutbox tonight!