Supported Tools
The project supports three major reverse engineering platforms:
- IDA Pro - Industry-standard disassembler (Python 2 or 3)
- Ghidra - Free and open-source reverse engineering suite (Jython)
- Binary Ninja - Modern binary analysis platform
Core Components
data.yml Database
The central data.yml file contains all reverse-engineered knowledge:
- globals - Global variables and constants
- functions - Standalone function addresses and names
- classes - Class definitions including:
- Virtual tables (vtbls)
- Virtual functions (vfuncs)
- Regular member functions (funcs)
- Global instances
ffxiv_idarename.py
The main renaming script that works across IDA Pro, Ghidra, and Binary Ninja:
- Ingests data.yml and applies names to the disassembly
- Renames functions, vtables, globals, and instances
- Handles class inheritance hierarchies
- Supports rebased executables
- Can be re-run safely to update names
classinformer.csv
Historical RTTI (Run-Time Type Information) database extracted from an old FFXIV build that shipped with debug symbols:
- Contains class names and virtual table hierarchies
- Useful baseline for understanding inheritance relationships
- Several years old but still valuable for core structures
- Extracted using the ClassInformer IDA Pro plugin
Workflow Overview
Initial Setup
- Install your chosen reverse engineering tool (IDA Pro, Ghidra, or Binary Ninja)
- Install Python dependencies for ffxiv_idarename.py
- Import ffxiv_dx11.exe into your tool
- Run initial analysis
- Execute ffxiv_idarename.py to apply existing knowledge
Research Cycle
- Explore - Navigate through the disassembly to find structures of interest
- Document - Add findings to data.yml using the proper schema
- Verify - Re-run scripts to ensure proper naming and hierarchy
- Signature - Generate signatures for important functions
- Contribute - Submit findings via pull request
After Game Patches
Each patch requires:
- Re-importing the updated ffxiv_dx11.exe
- Re-running analysis
- Re-running ffxiv_idarename.py
- Updating addresses in data.yml that have changed
- Regenerating signatures for relocated functions
Address Format
All addresses in FFXIVClientStructs use the standard Windows 64-bit image base:
- Base Address: 0x140000000
- Format: 14 followed by 7 hex digits (14#######)
- Example: Function at offset 0x901D0 = 0x1400901D0
For an address shown as 7FF6DDEAD480 ffxiv_dx11.exe+1A0D480 in Dalamud:
- The offset is +1A0D480
- In your disassembler, navigate to 141A0D480
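The conversion above as an added example; it is not part of FFXIVClientStructs or ffxiv_idarename.py. The function names are illustrative, and the 64 KiB alignment check is an assumption based on how Windows maps images, not something this page states.

```python
import re

IMAGE_BASE = 0x140000000  # static image base stated on this page

# Dalamud-style text: "<runtime address> <module>+<offset>", all hex
_DALAMUD = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\S+?)\+([0-9A-Fa-f]+)\s*$")
# The page's address format: "14" followed by 7 hex digits
_STATIC = re.compile(r"^14[0-9A-Fa-f]{7}$")


def parse_dalamud(text):
    """Return (runtime_address, module_name, offset) from a Dalamud-style string."""
    m = _DALAMUD.match(text)
    if not m:
        raise ValueError(f"unrecognised address text: {text!r}")
    return int(m.group(1), 16), m.group(2), int(m.group(3), 16)


def runtime_base(runtime, offset):
    """Base the module was loaded at in the live process (changes with ASLR)."""
    base = runtime - offset
    # Assumption: images are mapped on 64 KiB boundaries, so any other
    # result means the address and the offset do not belong together.
    if base <= 0 or base & 0xFFFF:
        raise ValueError(f"inconsistent pair: derived base {base:#x}")
    return base


def to_static(offset):
    """Module offset -> address to navigate to in the disassembler."""
    addr = IMAGE_BASE + offset
    if not _STATIC.match(f"{addr:X}"):
        raise ValueError(f"{addr:#x} is outside the 14####### range")
    return addr


def rebase(static_addr, new_base):
    """Static address -> the same location in an image loaded at new_base."""
    return static_addr - IMAGE_BASE + new_base


if __name__ == "__main__":
    # Sample string is the one quoted on this page.
    rt, module, off = parse_dalamud("7FF6DDEAD480 ffxiv_dx11.exe+1A0D480")
    print(module, f"{to_static(off):X}", f"{runtime_base(rt, off):X}")
```

`rebase` covers the opposite direction: given an address from data.yml and the base a live process or rebased database uses, it returns where that item sits there.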
Best Practices
Naming Conventions
- Use full namespace paths: Client::System::Framework::Framework
- Virtual functions: Use descriptive names when known, vfX when unknown
- Member functions: Common names include ctor, dtor, Initialize, Finalize
- Instances: Prefixed with g_ for globals
- Parameters: Use descriptive names based on type/purpose
Documentation Standards
- Add comments to explain non-obvious structures
- Document function signatures when possible
- Note related game features or behaviors
- Reference related classes in the hierarchy
- Mark uncertain findings with TODO or comments
Version Control
- Always update the version field in data.yml
- Test scripts after making changes
- Document breaking changes
- Keep related changes together in commits
Additional Resources
External Tools
Signature Generation
Most contributors use caraxi’s sigmaker-x64 for IDA Pro signature generation. The included ffxiv_sigmaker.py is no longer actively maintained.
Related Projects
- Dalamud - Plugin framework that consumes FFXIVClientStructs data
- Lumina - Excel sheet parser for game data files
- SaintCoinach - Alternative game data extraction tool