
Real Dangers of OpenIV OIV Files



  • So most of you know how OIV installers work, like it can overwrite your own customized files as well, and some of you know the damage it can cause to some extent... But very unfortunately this extent reaches far beyond your imagination.

    Apologies for the bad voice quality, I didn't want to do this on my main PC just in case so I had only headphones, also a bit sick too :slight_smile:

    Anyway, please learn the real dangers these installers can cause to you and do your best to avoid using any OIV installers.

    The OpenIV Team is unfortunately aware of this, since it is their own coding that made it possible for the "delete" command to function. I brought it to their attention before, when QuantV version 2 deleted my ENB and ReShade; their response was to investigate it, but I guess it was left to be ignored...

    I'm hoping this video brings some awareness and they add a warning and a secondary confirmation when there is a delete command present in the assembly.xml, doubtful but hope for the best I guess :slight_smile: Until then do your best to stay safe from this, and please, please don't make me regret that I brought this to people's attention.
    I guess it is better to show this so it can reach as many people as it can, instead of someone figuring this out and silently putting it in the code without the major percentage of people knowing it, like how it happened in the Quant incident... Anyways stay safe <3



  • @MissySnowie

    I had written about this before in this post OIVs suck and why you should never use them.

    And also Installing an OIV - a better, safer way.

    Your video reinforces why these installers, in the wrong hands, are dangerous and more trouble than they're worth.

    Thank you for taking the time to create this video and warn users.

    I hope new users will realize this and avoid OIV automatic installers at all costs.



  • @MissySnowie

    Not to make people paranoid, but this is a good time to remind people that script mods (dlls) and in particular asi plugins (can't be decompiled, well not easily) can be extremely dangerous, even more than OIV installers - as we saw with the QuantV trojan which wiped disks. And ofc, same precautions with executable files.

    Keep in mind that your anti-virus will not catch customized malware. Also, the most devious authors will set a future date to trigger the malware code. This ensures that hundreds or thousands of users install the scripts giving the users the false impression it must be safe because its use is widespread and nobody has reported it - even when the scripts are not recent or even very old.

    I never use OIVs (except the ones I create for personal updates). If a mod has an OIV installer, I unzip it and manually do the install.
    Similarly, I rarely install scripts. If I do, I decompile it first and check the code.

    Most important tip: Backup your files, preferably on external drives that can be removed from a home network.



  • @MissySnowie

    You made a great point which I completely forgot to mention in my own posting - that the path (source) tags allow you to go outside the mods folder.
    Ironically, I use this myself because I have multiple Mod folders, of course only one being active at any given time.

    For example (note in my folder structure all have prefix "Mods", but it could be any folder). I use this approach because each mod folder has a customized dlclist.xml.

    <archive path="ModsLS\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="LS\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    <archive path="ModsCPNorth\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="Cayo\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    <archive path="ModsChi\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="Chicago\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    <archive path="ModsDubai\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="Dubai\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    <archive path="ModsFrance\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="France\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    <archive path="ModsLC\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="Liberty\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    <archive path="ModsNord\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="Nurb\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    <archive path="ModsLVSF\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="LVSF\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    <archive path="ModsVSimp\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="Vice\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    <archive path="ModsRedDead\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="RedDead\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    <archive path="ModsLeMans\update\update.rpf" createIfNotExist="True" type="RPF7">
    <add source="LeMans\dlclist.xml">\common\data\dlclist.xml</add>
    </archive>
    


  • @JohnFromGWN Of course, from one side it is a good thing especially for practical installers and also newbies too but it also brings many dangers if it is used by bad people :(

    If no manual install is present, extracting the files from the OIV and manually installing them one by one is always the safest way. It may take time but at least you will know what you are doing. I would also like to mention that unfortunately doing a search for the "delete" keyword in the assembly cannot always guarantee its safety, as any txt file can be put inside a few folders and given the same name as an original game file, such as being renamed to gta5.exe, which then would overwrite your files with dummy text files... So it is best to avoid OIVs at all cost..

    For scripts, same thing too. In my opinion script mods should only be allowed if they are open source. I think this is how it is in lspdfr (might be wrong too). Or perhaps there should be a message for people when they attempt to download a non-open-source script. It might be easier said than done, but this would allow people a lot more safety, as we saw how scripts can also be misused as well..

    From what I can see however, the modding started to become more and more risky, and the risk isn't just breaking your game with crashes anymore :(



  • @MissySnowie said in Real Dangers of OpenIV OIV Files:

    from one side it is a good thing especially for practical installers and also newbies too

    Honestly, there aren't any features of OIVs that can justify their use given the inherent risk, mostly due to the stupidity of the author rather than to malicious intent.

    Only the ones you create yourself, for yourself, are OK in my book.

    As for Noobs, they would really benefit from learning how to do things themselves. The mods section is inundated with automatic installers and similar mods and tools that claim to facilitate the modding process when all they really do is keep the noobs at the helpless noob level.

    You can imagine how many times noobs have updated their gameconfig.xml before an OIV replaces it, unknowingly to them. Then as expected their system crashes, they ask for help here, and swear all their files are updated even though they no longer are.



  • Thank you OP for the informative video and thank you to the rest of you reinforcing the topic. I'm new to GTA modding but not new to systems, and I got a feeling of dread with the first mod I downloaded as an OIV assembly. It's too simplistic in its design and that is where it is the most dangerous.

    Cheers guys!


  • MODERATOR

    @MissySnowie I didn't read the whole topic but by watching the video I clearly see the failure is in the process you do to install an OIV file, not the OIV itself. You shouldn't install an OIV file with another OpenIV task open in the background. That's going to cause obvious rewriting issues because the game files are being used by the tool and at the same time you're trying to replace them with a different OpenIV task. 2 OpenIV tasks trying to do different things with the same files = problem.



  • @Reyser I'm not exactly sure what you are referring to honestly :thinking: I feel like you are talking about the other topic I made (OpenIV the rpf destroyer) but you said you were saying these by watching my video so I'm actually confused there :/

    But I guess I can explain both of them :slight_smile: The rpf destroyer thingy I was talking about, I didn't open 2 OpenIV programs at the same time. I'm actually aware that if 2 OpenIV instances are open and you make a change, it causes problems within the rpf or with the rpf itself. So I always open 1 OpenIV at a time while doing edits. The only time I open 2 OpenIV is if I want to compare 2 files. Sure, I can open 2 ytd or ydd in the same OpenIV, but when I do that it causes fps problems in the model viewer. But of course when I do that Edit Mode is always turned off. So unfortunately I did it right but it still corrupted my update.rpf :( I was also doing it with manual install, not the OIV install way.

    In this topic though I wanted to show a problem or vulnerability in how OpenIV is designed to handle the delete command. It's like a design flaw, so to say. And by that what I meant is, if someone with malicious intent wants, they can have OpenIV delete your entire game folder by simply adding 1 line of a very small delete command. It can't be detected by antivirus and is very easy to hide in the code blocks inside assembly.xml.

    I know I write a bit too much most of the time so you didn't wish to read all that junk but I think you simply misunderstood or just confused these 2 topics :blush:



  • @MissySnowie The potential issues with OIVs, whether malicious, careless, or just plain stupidity, whether deletions or replaces, far outweigh any convenience for new users. They also do a disservice to new users, keeping them in the dark about how to install mods themselves.

    Invariably at some point in their modding journey, due to this lack of interest in learning, they will hose their setup and post here with "game crashes, please fix for me, urgent." Expecting some forum mind reader to provide the magic solution.

    Thank you for relating your experience and keeping this issue visible for those who care to keep their games running properly.



  • @MissySnowie said in Real Dangers of OpenIV OIV Files:

    The OpenIV Team is unfortunately aware of this, since it is their own coding that made it possible for the "delete" command to function.

    Not going to write a tutorial to encourage a Quant JR, but just so all readers realize this is serious, this is the command referenced above.

    <content>
      <delete>data\ThisArchiveWillBeDeleted.rpf</delete>
    </content>

  • MODERATOR

    @MissySnowie In the video you try to install an OIV which fails. I believe I'm not wrong when affirming that it fails because you had an OpenIV task open in the background. The OpenIV tool is a task and the OIV is another task, so 2 tasks which as you've said in your reply can cause issues. I hope this little explanation clarifies what got you confused when I did mention the video in my first comment of this topic.

    About the "delete" command it has nothing dangerous. It is the user's responsibility to know what they're downloading and that installing a mod can replace/modify some files. Of course, we won't approve mods that wipe users' game folders on purpose. Never happened and I doubt it'll ever happen, but even if someday it happens it'd just be taken down and everyone would move on to other and more relevant things. It's nothing to be afraid of like QuantV malware. Not comparable.



  • @JohnFromGWN Thank you so much :slight_smile:

    @Reyser The reason it fails to install is not because of what you think, it is after the delete command since it wiped out the entire game folder, OpenIV can't find the files to copy inside mods folder, thus fails the installation. If you however write the code at the very end the fail error won't show up since the deletion occurs at the very end of the installation. But I'm not talking about installation failures here, I'm talking about how a single line of little code can delete your entire game folder with no warning.

    About the "delete" command it has nothing dangerous.

    How can something that deletes your entire game folder along with all the mods you have installed, all the custom changes you made so far, the changes you spent perhaps years on, not be dangerous? This is seriously an interesting way to approach this matter.

    The users might have to know of course what they are installing, but not everyone can possess the knowledge of analyzing an OIV file, plus even if they look, it is easy to miss the code among the bulk of code blocks... I don't know whether the moderators are actually downloading and checking all the mods down to their bytes, but even so they are humans after all and can miss small details too, that's perfectly normal for anybody.

    Sure, the level of danger can't be compared to QuantV, since unlike how Quant wipes the hard drives, OpenIV only wipes the game folder instead, but the danger is still a danger, lesser or greater. I'm sure if someone lost even one thing, they wouldn't feel great that they didn't lose their PC entirely :slight_smile: Even if you have backed up your game to an external hard drive moments ago, it would still surely be bothersome to copy and paste over 80 GB of files :) Some people can even cry if they accidentally deleted the wrong photograph themselves, it's human nature to be sad about something we lose :slight_smile:



  • @MissySnowie, @Reyser

    This discussion is not just relevant in light of the QuantV incident. It is of paramount importance because hopefully it reinforces being careful with software in general and most importantly backing up.

    I posted a video an hour ago where I allowed an OIV to delete my GTA5.exe. Anyone watching the entire video will see I undid the damage by restoring my file from a backup. Much quicker than a verify integrity or reinstall and damage undone completely.

    I also agree that the mods on this site are safe and have stated that in my posts a few times. However this is a community and we are helping new users because they will not always download from this site. Many mod sites, less reputable, offer mods that are not available here because of DMCA or for other reasons. Again we can use QuantV as an example.

    We should also remember that deletes and disk wipes are rare and very extreme examples whereas other disruptive issues such as overwriting dlclist.xml and gameconfig.xml are much more common and cause headaches for new users, many who don't regularly backup.

    Finally yes it is the user's responsibility to ensure they download and install from reputable sites and hopefully stay away from pirated games that are possibly infected. I hope people will take the experiences from this thread and the lessons learned to heart.


  • MODERATOR

    @MissySnowie @JohnFromGWN

    By dangerous I mean malicious, if you prefer that word to better understand what I mean. Getting your game files deleted is kind of a dirty trick but nothing major. If the user who installs the mod with the "delete" line saved any backups, they would just need to restore them, and if they didn't, then we hope they would learn from the mistake and make sure to have at least one safe somewhere.

    How someone feels about suffering an accidental modded game data deletion from installing a mod is not something we should care about anyway. It is something that never happened, I highly doubt it is ever going to happen, and even if someday it happens it is not something crucial. Once reported we would just take down the upload (as I've said in a previous comment) and warn the mod uploader about it.

    There's no problem with you guys warning users about the remote possibility of any OIV installable mod that could contain the delete code, but going from that to almost telling people to avoid OIV files... is exaggerated.



  • People are free to use OIVs, they can do whatever they want and of course they will.

    The primary issue with OIVs is definitely not malicious because the probability is extremely low.

    This thread I don't think was meant to create paranoia, but rather to inform the community about potential pitfalls.

    There are many other reasons to avoid OIVs, primarily that the new user (noobs) will have files overwritten without their "informed consent" which is very different than consent. In other words they don't realize their dlclist.xml will only contain one mod, the one installed, and their gameconfig.xml will now be from 2018. Yes, I'm just using this as possible examples - examples I've seen, that do exist.

    Also, how many times have we seen users post here asking how to uninstall an OIV mod?
    Answer: it's impossible to do except manually - or by recreating the OIV yourself with the original files (assuming user has backed up every single file that has been overwritten by the OIV). The modders who include a backup folder do so at the time mod is created - not with the current files.

    So...

    Would readers here install an OIV without checking the assembly.xml? Definitely. Most will.

    Me? No way. Never happened, never will.



  • @Reyser Well, once they have the full knowledge of how OIV files work and what they can cause, they can by all means go ahead with it. I'm sure people with that knowledge wouldn't really avoid installing OIVs anyway; I also from time to time refer to OIV if the number of files is too much. Someone made an OIV installer for one of the mods of Nik The Greek and I was happy to use it :blush:

    Sure, they can learn it the hard way too, but I merely tried to help people learn it the easy way :slight_smile: There are some other GTA 5 mod sites and I doubt their moderators care about these as much as you guys do. Some still actually care, but I have seen many broken mods with no action taken despite countless comments and reports :slight_smile:

    So like @JohnFromGWN , my comments were made for newbies, although I guess I should have stated this at the beginning to clear any misunderstandings too, my bad there :slight_smile:



  • @MissySnowie said in Real Dangers of OpenIV OIV Files:

    I guess I should have stated this at the beginning to clear any misunderstandings too, my bad there

    No, that was obvious from the start. Anyone experienced with computing in general takes precautions.

    You did well, very well.

    Now users, particularly the kids, can do whatever they want, heed the advice, or play the ostrich. Peace out.


  • MODERATOR

    @JohnFromGWN said in Real Dangers of OpenIV OIV Files:

    I hope new users will realize this and avoid OIV automatic installers at all costs.

    There's no reason to create undue FUD. For starters, in general, everything which can install, can uninstall.

    Furthermore, .OIV is pretty harmless. It's essentially just a zip file, and contains, next to a content folder, an assembly.xml file, with commands like:

    <archive path="update\update.rpf" createIfNotExist="True" type="RPF7">
    <delete>common\data\dlclist.xml</delete>
    <delete>common\data\gameconfig.xml</delete>
    <add source="dlclist.xml">common\data\dlclist.xml</add>
    <add source="gameconfig.xml">common\data\gameconfig.xml</add>
    

    So, yes, while it can delete stuff, only so in an opened .rpf; and, more importantly, the whole process is chrooted, as we say in the UNIX world (jailed, so as to not have access to the parent directory it's located in; the GTA V base directory is effectively treated as root). So, .OIV cannot wipe your entire harddisk! Besides, assembly.xml is not obfuscated in any way. Anyone with enough brain cells to rub together can rename the .OIV to .ZIP, and inspect the contents for themselves.

    The primary reason not to use .OIV, is that there's no undo; and, ere long (with a few hundred commands) you lose track of what happened (and thus what you potentially need to undo manually). Other than that, .OIV is entirely safe; subsidiarily, safer to use than your typical .dll or .asi file.

    In the end, it boils down to whether you trust the source (when inspection, like an .asi, is hard). And, as Quant demonstrated, you can abuse said trust exactly only once.



  • @meimeiriver said in Real Dangers of OpenIV OIV Files:

    Furthermore, .OIV is pretty harmless. It's essentially just a zip file, and contains, next to a content folder, an assembly.xml file, with commands like:
    <archive path="update\update.rpf" createIfNotExist="True" type="RPF7">
    <delete>common\data\dlclist.xml</delete>
    <delete>common\data\gameconfig.xml</delete>
    <add source="dlclist.xml">common\data\dlclist.xml</add>
    <add source="gameconfig.xml">common\data\gameconfig.xml</add>

    I wrote a post called OIVs suck and why you should never use them that listed 6 reasons to avoid OIV installers and so as to not create FUD I also created a post called See also safe way to install with OIVs including a video tutorial. If you take a quick look at my post, deletions and malicious code were not even mentioned until point 7 - because they were improbable. In fact, I only added point 7 because of the experience @MissySnowie went through.

    So let's look at this example from the viewpoint of a new user - the typical user who posts for help on these forums with very little supporting information. Of course they didn't think to backup their files - which is very common unfortunately. And of course they don't know that the OIV installer is an archive that can easily be inspected with 7z without even having to extract it - you can just open it and look at the assembly.xml.

    Here is the result of installing with an OIV having the code above.

    1. The user's dlclist.xml has been deleted according to the instructions above.
    2. The user's dlclist.xml has been replaced with one that includes only two items: the GTA5 dlcpacks from whenever the OIV was created (2020? 2021?) and one additional line which is for the author's mod and just the author's mod.

    So every single xml entry for every single addon the user installed has been effectively wiped, or if you prefer replaced.

    1. The updated gameconfig.xml that the user installed recently for the Criminal Enterprises has also been deleted.
    2. The user's gameconfig.xml now, replaced by the OIV, is for the GTA5 version at the time the OIV was created - unlikely to be current unless this is a new mod release.

    Possible outcomes.

    1. The game will possibly crash because, unbeknownst to the user, their recently updated gameconfig.xml has been replaced with an older version. When the user posts for help, forum members will ask if they updated gameconfig.xml and they will answer yes - not realizing it has been replaced.

    However, being desperate, they will reinstall a new gameconfig.xml and omg, the game now starts. But wait, all the addon vehicles, peds, MLOs, etc are missing!
    Not to worry because the addons haven't been deleted, they just no longer spawn because the OIV replaced their dlclist.xml and damn it, if only the user had backed it up.

    As for the uninstall process, hope this post will make you smile.
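
Added example, not part of any post in this thread: a read-only check of the kind the posters describe, opening the OIV as a zip and listing what its assembly.xml would delete or overwrite before anything is installed. It relies only on the element and attribute names quoted in the thread (`archive`, `add`, `delete`, `path`, `source`); the `package` root element, the `mods` folder name, the watchlist and the sample package are assumptions constructed for the illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Files the thread names as commonly clobbered, plus binary types it warns about.
WATCHLIST = {"dlclist.xml", "gameconfig.xml", "gta5.exe"}
BINARY_SUFFIXES = {".exe", ".dll", ".asi"}


def read_assembly(oiv_bytes):
    """Return the parsed assembly.xml from an OIV (zip) without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(oiv_bytes)) as zf:
        names = [n for n in zf.namelist()
                 if PureWindowsPath(n).name.lower() == "assembly.xml"]
        if not names:
            raise ValueError("no assembly.xml in package")
        data = zf.read(names[0])
    # A manifest has no need for a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("assembly.xml declares a DTD or entities")
    return ET.fromstring(data)


def audit(root):
    """List (kind, location, detail) for every command worth reading before install."""
    findings = []

    def walk(node, archives):
        tag = node.tag.lower()
        where = " > ".join(archives) if archives else "game folder"
        target = (node.text or "").strip()
        if tag == "archive":
            path = node.get("path", "")
            parts = PureWindowsPath(path.lstrip("\\/")).parts
            # Assumption: the user's safe area is a top-level folder named "mods".
            if not archives and (not parts or parts[0].lower() != "mods"):
                findings.append(("outside-mods", where, path))
            archives = archives + [path]
        elif tag == "delete":
            findings.append(("delete", where, target))
        elif tag == "add":
            dest = PureWindowsPath(target)
            src = PureWindowsPath(node.get("source", ""))
            if dest.name.lower() in WATCHLIST:
                findings.append(("overwrite", where, target))
            elif dest.suffix.lower() in BINARY_SUFFIXES:
                findings.append(("binary", where, target))
            # A source installed under a different extension deserves a second look.
            if src.suffix.lower() != dest.suffix.lower():
                findings.append(("renamed", where, f"{src} -> {target}"))
        for child in node:
            walk(child, archives)

    walk(root, [])
    return findings


# Constructed sample manifest (not taken from any real mod).
SAMPLE_ASSEMBLY = r"""<package>
  <content>
    <archive path="update\update.rpf" createIfNotExist="True" type="RPF7">
      <delete>common\data\dlclist.xml</delete>
      <add source="dlclist.xml">common\data\dlclist.xml</add>
    </archive>
    <archive path="mods\update\x64\dlcpacks\examplecar\dlc.rpf" createIfNotExist="True" type="RPF7">
      <add source="car.ytd">x64\vehicles.rpf\car.ytd</add>
    </archive>
    <add source="notes.txt">GTA5.exe</add>
    <delete>data\ThisArchiveWillBeDeleted.rpf</delete>
  </content>
</package>"""


def build_sample_oiv():
    """Build the constructed sample package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assembly.xml", SAMPLE_ASSEMBLY)
        zf.writestr("content/notes.txt", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, where, detail in audit(read_assembly(build_sample_oiv())):
        print(f"{kind:13} {where:20} {detail}")
```

For a downloaded file, pass `open(path, "rb").read()` to `read_assembly`; an empty result only means none of these patterns matched, so the manifest still needs a read.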


  • MODERATOR

    @JohnFromGWN The examples above are from my own, custom-rolled .OIV, which I use at every game update. I drop in a new gameconfig + dlclist.xml (when needed), and it further contains timecycles, custom loading screens, etc, for the new update.rpf file. Extremely useful. And for other large packages that need updating ever so often.

    A general .OIV packager should typically avoid including his own dlclist or gameconfig, as people hate that. :) That doesn't make .OIV inherently more dangerous than anything else, though. That's just the general .OIV creator not grasping that he needs to not mess with gamefiles ppl are likely to have customized.

    So, while .OIV serves its purpose, in many cases, it's always best to quickly inspect it. But my point remains, that such an inspection is endlessly easier with .OIV than with an .asi or .dll file. And that an .OIV is far more limited in what it can potentially destroy.



  • @meimeiriver
    I do the same because I have multiple mod folders, and although I can use batch files to load dlc (rename) I unfortunately can't change dlclist.xml from batch or powershell command scripts/batch files or at the command line.

    I'm in 100% agreement with you that the potential for malice for an OIV is minimal. In fact, it will be just an annoyance for those who think backups are optional - because any file deleted or replaced can, well.... be reinstalled.

    However, in my stay here on these forums I've come to the conclusion that there are quite a few users, young and old, who don't take any precautions. This includes the ones who use pirated games and we know GTA5 is one of the best targets for virus creators due to its popularity.

    If anything comes from these threads, I hope some users will come away with the importance of inspecting an OIV before installing. I also hope more adventurous ones will also decompile dlls. As for asi and executables, I honestly don't have any advice other than use at your own risk.

    What's really sad was that Quant was indeed a trusted source.


  • MODERATOR

    @JohnFromGWN said in Real Dangers of OpenIV OIV Files:

    As for the uninstall process, hope this post will make you smile.

    Yes, like I said, the lack of 'undo' is an issue with .OIV. Especially for newbies, who have no clue how to get rid of it all. That remains an issue, with or without .OIV usage. I remember my first weeks as a UNIX administrator. You compile a huge package, and very easily lose track of what got updated/replaced when you install the lot. For more experienced users in GTA V, it gets easier fast, though, as you begin to understand where things generally reside (like in UNIX).

    So, one could say beginners should avoid .OIV files (as inspecting them will still mean little to them). The modding community in Cyberpunk 2077, for instance, has an .OIV type installer too, which I also avoid for the same reasons: ere long something gets messed up, with me not having a real clue how to fix it (yet). I rather install manually. For large, recurring jobs, however, like my custom update.rpf .OIV, I prefer to automate the process, though.



  • @meimeiriver

    When I installed Liberty City, I edited the OIV installer. I removed some of the content (for my own archives) and then deleted the associated lines in assembly.xml. So in essence I used the OIV but with my specs. Similarly, although it would be a huge PITA, you could take your backup files, put them in the content folder, and use this now modified OIV installer as an uninstaller - all it would do is replace its files with your originals - provided you backed up! :)

    I remember a long time ago, you could rename dos commands (from command.com).

    For example, you could rename format to something else. This was a wonderful way to protect your system. Don't know if this is still possible.

    On a lighter note, I often preach about being careful but my OS is imaged and on its own partition. All data is on separate drives, separate partitions and backed up on external drives - networked and detached. Having my entire system wiped would be a major annoyance, but recovery would be fairly quick and it's always a good idea to reinstall your OS every x years.


  • MODERATOR

    @JohnFromGWN said in Real Dangers of OpenIV OIV Files:

    When I installed Liberty City, I edited the OIV installer. I removed some of the content (for my own archives) and then deleted the associated lines in assembly.xml. So in essence I used the OIV but with my specs. Similarly, although it would be a huge PITA, you could take your backup files, put them in the content folder, and use this now modified OIV installer as an uninstaller - all it would do is replace its files with your originals - provided you backed up!

    I thought about this once too. And it can be done, albeit indeed a convoluted way. Then I realized, Why bother? I have a full GTA V backup anyway: I can just restore the entire DLC when things get really borked beyond recognition. :) Or the entire game, for that matter.

    If I were not so lazy, I could create an undo .OIV along with the installer (with as contents, essentially just the old files). But like I said, I have backups, so who cares?!

