Category PS4 Jailbreaking       Thread starter PSXHAX       Start date Nov 22, 2016 at 10:41 PM       11,550       18            
Last week we saw a PS4 API Demo from them, and today PlayStation 4 developers @kurt2467 and @BadChoicesZ are back with some more PS4 GTA V hax with full natives working... meaning any hacks that were possible on PS3 are now possible on Sony's PlayStation 4 console! :thumbup:

Here's the latest Grand Theft Auto V PS4 video demo from kurt2467's YouTube channel with the caption below, to quote: [PS4] Some More GTA V Hax

I finally got all of the natives to work! This means that anything that was possible on PS3, is possible on PS4 :D

PlayStation 4 GTAV Modding C# Code by Kurt2467 (Remote Procedure Calls)
From Pastebin.com: [PS4] GTA V RPC
Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace PS4_GTA
{
    public class RPC
    {
		private uint nativeArgBase = 0;
        private uint hookAddress = 0;
        private uint rpcCodeAddress = 0;
        private List<uint> nativeFuncList = new List<uint>();
        private List<UInt64> nativeHashList = new List<UInt64>();

        public RPC()
        {
            nativeArgBase = 0x2DCD820;
            hookAddress = 0xD8F480;
            rpcCodeAddress = 0x5046D0;
        }

        public void InitRPC()
        {
            WriteU64(nativeArgBase, 0);
            byte[] hook = new byte[] {
                0x55, //push rbp
                0xE8, 	0x4A, 	0x52, 	0x77, 	0xFF, //call 0x5046D0
                0x5D, //pop rbp
                0xC3, //retn
            };
            byte[] asmx86 = new byte[] { 
                0x55, //push rbp
                0x41, 	0x52, //push r10
                0x53, //push rbx
                0x49, 	0xC7, 	0xC2, 	0x20, 	0xD8, 	0xDC, 	0x02, //mov r10, 0x2DCD820
                0x49, 	0x8B, 	0x1A, //mov rbx, [r10]
                0x48, 	0x85, 	0xDB, //test rbx, rbx
                0x74, 	0x1A, //jz 0x5046FB
                0x48, 	0xC7, 	0xC7, 	0x30, 	0xD8, 	0xDC, 	0x02, //mov rdi, 0x2DCD830
                0xFF, 	0xD3, //call rbx
                0x49, 	0xC7, 	0xC2, 	0x20, 	0xD8, 	0xDC, 	0x02, //mov r10, 0x2DCD820
                0x48, 	0xC7, 	0xC3, 	0x00, 	0x00, 	0x00, 	0x00, //mov rbx, 0
                0x49, 	0x89, 	0x1A, //mov [r10], rbx
                0x5B, //pop rbx
                0x41, 	0x5A, //pop r10
                0x5D, //pop rbp
                0xC3, //retn
            };
            SetMemory(rpcCodeAddress, asmx86);
            SetMemory(hookAddress, hook);
            WriteU64(nativeArgBase + 0x10, nativeArgBase + 0x50);
            WriteU64(nativeArgBase + 0x20, nativeArgBase + 0x70);
        }

        public uint GetNativeAddress(UInt64 nativeHash)
        {
            uint nativeTable, index;
            UInt64 nativeAddy;
            nativeTable = 0x3644A28;
            index = (uint)nativeHash & 0xFF;
            nativeAddy = ReadU64(nativeTable + (index * 8));
            while (nativeAddy != 0)
            {
                uint count = ReadU32(nativeAddy + 0x40);
                for (uint i = 0; i < count; i++)
                {
                    UInt64 hash = ReadU64(nativeAddy + 0x48 + (i * 8));
                    if (hash == nativeHash)
                    {
                        return ReadU32(nativeAddy + 0x8 + (i * 8));
                    }
                }
                nativeAddy = ReadU64(nativeAddy);
            }
            return 0;
        }

        public T CallRaw<T>(UInt64 address, params object[] args)
        {
            byte[] argBytes = new byte[0xA0];
            ArrayBuilder ab = new ArrayBuilder(argBytes);
            uint argStart = nativeArgBase + 0x70;
            uint strStart = nativeArgBase + 0x120;
            uint strCount = 0;
            uint nativeArgCount = 0;
            for (int i = 0; i < args.Length; i++)
            {
                if (args[i] is float)
                {
                    ab.Write.SetFloat((int)nativeArgCount * 8, (float)args[i], ArrayBuilder.ArrayWriter.EndianType.LittleEndian);
                    nativeArgCount++;
                }
                else if (args[i] is string)
                {
                    uint strPtr = (uint)strStart + (strCount * 0x20);
                    WriteString(strPtr, (string)args[i]);
                    ab.Write.SetUInt32((int)nativeArgCount * 8, strPtr, ArrayBuilder.ArrayWriter.EndianType.LittleEndian);
                    strCount++;
                    nativeArgCount++;
                }
                else if (args[i] is int)
                {
                    ab.Write.SetInt32((int)nativeArgCount * 8, (int)args[i], ArrayBuilder.ArrayWriter.EndianType.LittleEndian);
                    nativeArgCount++;
                }
                else
                {
                    UInt64 tmp = Convert.ToUInt64(args[i]);
                    ab.Write.SetUInt64((int)nativeArgCount * 8, tmp, ArrayBuilder.ArrayWriter.EndianType.LittleEndian);
                    nativeArgCount++;
                }
            }
            SetMemory(argStart, argBytes);
            System.Threading.Thread.Sleep(10);
            WriteU64(nativeArgBase, (UInt64)address);
            System.Threading.Thread.Sleep(30);
            object ret = 0;
            if (typeof(T).ToString() == "System.Int32")
            {
                ret = ReadI32(nativeArgBase + 0x50);
                ret = (T)Convert.ChangeType(ret, typeof(T));
            }
            if (typeof(T).ToString() == "System.Int64")
            {
                ret = ReadI64(nativeArgBase + 0x50);
                ret = (T)Convert.ChangeType(ret, typeof(T));
            }
            if (typeof(T).ToString() == "System.UInt32")
            {
                ret = ReadU32(nativeArgBase + 0x50);
                ret = (T)Convert.ChangeType(ret, typeof(T));
            }
            if (typeof(T).ToString() == "System.UInt64")
            {
                ret = ReadU64(nativeArgBase + 0x50);
                ret = (T)Convert.ChangeType(ret, typeof(T));
            }
            if (typeof(T).ToString() == "System.Single")
            {
                ret = ReadFloat(nativeArgBase + 0x50);
                ret = (T)Convert.ChangeType(ret, typeof(T));
            }
            if (typeof(T).ToString() == "System.Single[]")
            {
                float[] fRet = new float[3];
                fRet[0] = ReadFloat(nativeArgBase + 0x50);
                fRet[1] = ReadFloat(nativeArgBase + 0x58);
                fRet[2] = ReadFloat(nativeArgBase + 0x60);
                ret = (T)Convert.ChangeType(fRet, typeof(T));
            }
            return (T)ret;
        }

        public T CallFunc<T>(UInt64 nativeAddress, params object[] args)
        {
            return CallRaw<T>(nativeAddress, args);
        }

        public T CallHash<T>(UInt64 nativeHash, params object[] args)
        {
            uint func;
            if (nativeHashList.Contains((UInt64)nativeHash))
                func = nativeFuncList[nativeHashList.IndexOf((UInt64)nativeHash)];
            else
                func = GetNativeAddress((UInt64)nativeHash);
            if (func != 0)
            {
                nativeHashList.Add((UInt64)nativeHash);
                nativeFuncList.Add(func);
                return CallRaw<T>(func, args);
            }
            return (T)Convert.ChangeType(0, typeof(T));
        }
	}
}
From Pastebin.com: ArrayBuilder.cs
Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace PS4_GTA
{
    public class ArrayBuilder
    {
        private byte[] buffer;
        private int size;

        public ArrayWriter Write
        {
            get
            {
                return new ArrayWriter(this.buffer);
            }
        }
        public ArrayBuilder(byte[] bytes)
        {
            this.buffer = bytes;
            this.size = bytes.Length;
        }
        public class ArrayWriter
        {
            private byte[] buffer;
            private int size;

            public enum EndianType
            {
                LittleEndian,
                BigEndian
            };

            public ArrayWriter(byte[] bytes)
            {
                this.buffer = bytes;
                this.size = bytes.Length;
            }

            public void SetByte(int pos, byte value)
            {
                this.buffer[pos] = value;
            }
            public void SetInt32(int pos, int value, EndianType Type = EndianType.BigEndian)
            {
                byte[] bytes = BitConverter.GetBytes(value);
                if (Type == EndianType.BigEndian)
                    Array.Reverse(bytes, 0, 4);
                for (int i = 0; i < 4; i++)
                    this.buffer[i + pos] = bytes[i];
            }
            public void SetInt64(int pos, Int64 value, EndianType Type = EndianType.BigEndian)
            {
                byte[] bytes = BitConverter.GetBytes(value);
                if (Type == EndianType.BigEndian)
                    Array.Reverse(bytes, 0, 8);
                for (int i = 0; i < 8; i++)
                    this.buffer[i + pos] = bytes[i];
            }
            public void SetUInt32(int pos, uint value, EndianType Type = EndianType.BigEndian)
            {
                byte[] bytes = BitConverter.GetBytes(value);
                if (Type == EndianType.BigEndian)
                    Array.Reverse(bytes, 0, 4);
                for (int i = 0; i < 4; i++)
                    this.buffer[i + pos] = bytes[i];
            }
            public void SetUInt64(int pos, UInt64 value, EndianType Type = EndianType.BigEndian)
            {
                byte[] bytes = BitConverter.GetBytes(value);
                if (Type == EndianType.BigEndian)
                    Array.Reverse(bytes, 0, 8);
                for (int i = 0; i < 8; i++)
                    this.buffer[i + pos] = bytes[i];
            }
            public void SetBytes(int pos, byte[] value)
            {
                for (int i = 0; i < value.Length; i++)
                    this.buffer[i + pos] = value[i];
            }
            public void SetString(int pos, string str)
            {
                byte[] bytes = Encoding.UTF8.GetBytes(str + '\0');
                for (int i = 0; i < bytes.Length; i++)
                    this.buffer[i + pos] = bytes[i];
            }
            public void SetFloat(int pos, float value, EndianType Type = EndianType.BigEndian)
            {
                byte[] bytes = BitConverter.GetBytes(value);
                if (Type == EndianType.BigEndian)
                    Array.Reverse(bytes, 0, 4);
                for (int i = 0; i < 4; i++)
                    this.buffer[i + pos] = bytes[i];
            }
        }
    }
}
Thanks @raedoob and @GrimDoe for sharing the news in the PSXHAX Shoutbox! <3
PS4 GTA V Hax Demo Anything on PS3 Now Possible on PlayStation 4.jpg
 

Comments

R0rke

Super Power
Senior Member
Contributor
good , this tool will be available on any firmware ? i mean latest. and also can we use for GTA ONLINE Too ?
 

HydrogenNGU

Element
Senior Member
Contributor
Want more top-notch news for today? Well some of my buddies on NextGenUpdate; best coders that create insane mod menus have already got there hands on a 1.76 PS4 Console ready to create things. Not stating any names, but many stated they have no point of interest unless they find a way to go online, then that's when it's officially over for Rockstar. #YaDoneFukdUpSony
 

Thisismrnameles

Developer
Senior Member
Contributor
That's awesome! What firmware does this work on? Is it only for offline games or GTA online?
Fw 1.76
And it would work for online, but they would need a way to spoof to 4.06 for it to work
good , this tool will be available on any firmware ? i mean latest. and also can we use for GTA ONLINE Too ?
I believe it is only for 1.76
And for it to work only they would need to spoof to the lastest fw (4.06) :)
 
Recent Articles
PS Store Spring Sale Offers Savings Up to Half Off Select PSN Titles
The latest PlayStation Store sale is here featuring savings of up to 50% off select PS4 games and movies including Death Stranding, NBA 2K20, Dragon Ball Z: Kakarot and more! 🤩 PlayStation...
Rebug 4.86.1 LITE PS3 CFW with Cobra 8.2 and Toolbox 2.03.04
A few days back Sony released PS3 Firmware 4.86, and following their previous release today the Rebug Team made available Rebug 4.86.1 LITE (CEX) PS3 CFW with Cobra 8.2 and Toolbox 2.03.04 for...
Sony Unveils PlayStation Plus Free Games for April 2020
It's officially 4/20 all month, and today Sony officially unveiled the free PlayStation Plus games for April 2020 alongside a PS Plus preview trailer video below! 🌺🌼🌸 Headlining the free...
OrbisGl2 LibOrbis Graphic Backend Based on Raylib for PS4 Homebrew
Following the LibOrbisNfs PS4 Port earlier this year, PlayStation 4 scene developer BigBoss announced today that an OrbisGl2 LibOrbis Graphic Backend Library based on Raylib is now available...
Top