Calling Native by hash

1. How to call GTA V Natives easy Using Hash.
2.  
3.  
4. i'm going to explain to you how you going to use it in this tutorial it dosn't not contain any info on how make SPRX and only how GTA calling natives by the native hash
5.  
6. First of all you have to know that the natives called by an Interpreter by their hashes, that means that inside the executable they are gets called by the hash.
7.  
8. To find where the natives are stored, you need to find the function where the hashes are passed as parameters.
9. This is quite easy, you just need to get one of these hashes, and search with IDA where they are used.
10.  
11. this way makes it very easy to find them
12.  
13. example, here is the code where the executable store the hash and the function of GET_PLAYER_PED.
14.  
15. Code:
16. lis %r3, 0x6E31 # 0x6E31E993
17. lis %r4, ((offset_GET_PLAYER_PED+0x10000)@h)
18. ori %r3, %r3, -0x166D # 0x6E31E993
19. addic %r4, %r4, -0x4D28 # offset_GET_PLAYER_PED
20. bl AddNative
21. You can see that the 2 high order bytes of the native's hash are stored into the third register.
22. Then the 2 low order bytes are added to the third register too.
23.  
24. The executable do exactly the same thing for all the natives, this mean that you just need to get the value of 'lis %r3' to get where the natives hash are added.
25.  
26. I'm gonna do the work for you, the value of 'lis %r3' is 0x3C60, this mean that if you want to know where a particular hash is added, you just need the two high order bytes of the hash, you search via your disassembler where 0x3C60XXXX is used.
27.  
28.  
29. So, now you can find where is added a particular hash.
30. If you have completly read the assembly code, you may have see that the hash is stored in r3 and a function is stored in r4.
31. Then a function (that I called AddNative) is called.
32.  
33. Let's look at this function. (look at it on your disassembler, the code is too long to be posted here).
34. It may be hard to read, so I did a C version.
35.  
36.  
37. Code:
38. struct Native
39. {    
40.    struct Native*     pLastNativesTable;            // + 0x00
41.    unsigned int     uiNativeFunctions[7];        // + 0x04
42.    unsigned int     uiNativeCount;                // + 0x20
43.    unsigned int     uiNativeHashes[7];            // + 0x24    
44. };
45.  
46. struct Native* g_Natives[256];
47.  
48.  
49. void AddNative(unsigned int a_uiNativeHash, unsigned int a_uiNativeFunction)
50. {
51.    unsigned int         l_uiTableIndex;
52.    struct Native*        l_pNative;
53.    unsigned int         l_uiIndex;
54.    
55.    l_uiTableIndex = a_uiNativeHash & 0xFF;
56.    l_pNative = g_Natives[l_uiTableIndex];
57.  
58.    
59.    if(l_pNative == 0 || l_pNative->uiNativeCount == 7)
60.    {
61.        l_pNative = (struct Native*)malloc(sizeof(struct Native));
62.        memset(l_pNative, 0x00, sizeof(struct Native));
63.        
64.        l_pNative->pLastNativesTable = g_Natives[l_uiTableIndex];
65.        g_Natives[l_uiTableIndex] = l_pNative;
66.    }
67.    
68.    l_uiIndex = l_pNative->uiNativeCount;    
69.    l_pNative->uiNativeFunctions[l_uiIndex]        = a_uiNativeFunction;
70.    l_pNative->uiNativeHashes[l_uiIndex]        = a_uiNativeHash;
71.    l_pNative->uiNativeCount++;
72. }
73. You can see that the hashes are simply stored in a global array.
74. This mean that we just need to find the address of this global array, if you understand PowerPC it's easy as hell with all the hint I gave you.
75.  
76.  
77. So know, how to get a native's function via hash ?
78.  
79. Just like this,
80.  
81.  
82. Code:
83. unsigned int GetNativeFunction(unsigned int a_uiNativeHash)
84. {
85.    unsigned int     l_uiTableIndex;
86.    struct Native*    l_pNative;
87.    int             l_bQuitLoop;
88.    int             i;
89.    
90.    l_bQuitLoop = 0;
91.    
92.    l_uiTableIndex = a_uiNativeHash & 0xFF;
93.    l_pNative = g_Natives[l_uiTableIndex];
94.    
95.    if(l_pNative)
96.    {
97.        while(l_bQuitLoop == 0)
98.        {
99.            for(i = 0; i < l_pNative->uiNativeCount && l_bQuitLoop == 0; i++)
100.            {
101.                if(l_pNative->uiNativeHashes[i] == a_uiNativeHash)
102.                {
103.                    return l_pNative->uiNativeFunctions[i];
104.                }
105.            }
106.            
107.            if((l_pNative = l_pNative->pLastNativesTable) == 0)
108.            {
109.                l_bQuitLoop = 1;
110.            }    
111.        }
112.    }    
113.    return 0;
114. }
115. So now, we know how these natives are stored, where they are stored, how to find a specific native's function via the hash.
116.  
117. How to call the function ? How the parameters are passed ? How the return value are fetched ?
118.  
119. Well, to call the natives you need to be in the game's main thread.
120. This is the difficult part, many guys on the internet fail at this part.
121. But with my method it's quite easy !
122. If you read the decompiled script you can see that many natives are called at every frame.
123. And one that is called very very often is PLAYER_ID (0x8AEA886C).
124.  
125. So, why don't we hook this native ? It is called from the main thread, and even more ! By the scripting interpreter itself !
126.  
127. To do this, you need to write a function, I just modified my GetNativeFunction to do so.
128.  
129.  
130. Code:
131. unsigned int HookNative(unsigned int a_uiNativeHash, unsigned int a_uiNewFunction)
132. {
133.    unsigned int     l_uiTableIndex;
134.    struct Native*    l_pNative;
135.    int             l_bQuitLoop;
136.    int             i;
137.    
138.    l_bQuitLoop = 0;
139.    
140.    l_uiTableIndex = a_uiNativeHash & 0xFF;
141.    l_pNative = g_Natives[l_uiTableIndex];
142.    
143.    if(l_pNative)
144.    {
145.        while(l_bQuitLoop == 0)
146.        {
147.            for(i = 0; i < l_pNative->uiNativeCount && l_bQuitLoop == 0; i++)
148.            {
149.                if(l_pNative->uiNativeHashes[i] == a_uiNativeHash)
150.                {
151.                    l_pNative->uiNativeFunctions[i] = a_uiNewFunction;
152.                    return 1;
153.                }
154.            }
155.            
156.            if((l_pNative = l_pNative->pLastNativesTable) == 0)
157.            {
158.                l_bQuitLoop = 1;
159.            }    
160.        }
161.    }    
162.    return 0;
163. }
164. So now, you are on the main thread, but you need to call the original function.
165. With the good parameters.
166.  
167. Let's see how are passed the parameters on the call of the natives functions.
168. For this I'm gonna analyze GET_ENTITY_COORDS native, now that you know where to find them let's see what it looks like.
169.  
170. Code:
171. mflr    %r0
172. bl      sub_1776544                // <-- store LR
173. stdu    %sp, var_90(%sp)
174. std     %r0, arg_A0(%sp)
175. mr      %r31, %r3                // <-- R3 is the first parameter passed to the native function, and it's now stored to R31
176. addic   %r3, %sp, arg_70
177. lwz     %r4, 8(%r31)            // Here you can see that it loads something from R31 + 8 and store it to R4
178. lwz     %r5, 4(%r4)                // Here you can see that it loads something from R4 + 4 and store it to R5
179. lwz     %r4, 0(%r4)                // Here you can see that it loads something from R4 + 0 and store it to R4
180. cntlzw  %r5, %r5
181. extsw   %r4, %r4
182. extrwi  %r5, %r5, 1,26
183. xori    %r5, %r5, 1                
184. bl      sub_398EF0                // Here it calls the GET_ENTITY_COORDS function
185. lwz     %r3, 0(%r31)            // Here you can see that it loads something from R31 + 0 and store it to R3
186. lfs     %fp1, arg_70(%sp)
187. lfs     %fp2, arg_74(%sp)
188. lfs     %fp3, arg_78(%sp)
189. stfs    %fp1, 0(%r3)            // Here you can see that it store a float from fp1 and store it to R3 + 0
190. stfs    %fp2, 4(%r3)            // Here you can see that it store a float from fp2 and store it to R3 + 4
191. stfs    %fp3, 8(%r3)            // Here you can see that it store a float from fp3 and store it to R3 + 8
192. addi    %sp, %sp, 0x90
193. b       loc_17765A8
194.  
195. By analyzing others native, you can assume that a structure is passed to the native.
196. And this structure looks likes this.
197.  
198.  
199. Code:
200. struct NativeArg
201. {
202.     unsigned int*    p_uiReturnValues;
203.     unsigned int    ui_Unknown;
204.     unsigned int*    p_uiArgValues;
205. };
206. So, know we know exactly how to hook properly a native.
207.  
208.  
209. Code:
210. void (*Original_Player_ID)(struct NativeArg*);
211.  
212.  
213. void Hook_Player_ID(struct NativeArg* a_pArg)
214. {
215.     // Here you make your calls to the natives.
216.  
217.    
218.     // Here you must call the original PLAYER_ID() function
219.     Original_Player_ID(a_pArg);
220. }
221.  
222.  
223. // in your main function
224.  
225.  
226. Original_Player_ID = (void (*)(struct NativeArg*))GetNativeFunction(0x8AEA886C);
227.  
228. if(HookNative(0x8AEA886C, Hook_Player_ID))
229. {
230.     // successfully hook
231. }
232. else
233. {
234.     // hook failed
235. }
236. Finally, you just need to make the calls to the natives you want to.
237.  
238. For this you need get the native's function address, you need to allocate properly the structure that pass your parameters and fetch the return values.
239. Then call the native with the structure as a parameters, to fetch returned values, you just need to look at the structure