[[sheep]]

hi,

This is the first time posting about projectx on the forums.. but certainly not the last.

This project was born from the curiosity and success of 2 days reverse engineering.

The fruit of our works (there are 2 of us) developed into something beyond our meager expectations.

Our initial findings were related to the scripting engine itself, after looking through the asm disassembly for about 20 minutes we managed to obtain a good understanding of how the parser was handling and dealing with the functions (opcodes).

(for anyone thats interested.. though I'm sure this has probably been documented before..) the parser takes the initial 2 bytes of any of the main.scm opcodes and uses them as a reference, firstly to determine which jump table it uses and secondly to formulate the function the jump table finally arrives at. It sounds complex but is actually pretty strait forward if you have a good knowledge of asm.

what does this mean?

ok, once we had reached this point we realized that a HOOK of the parser was very possible, with this achieved we could run very versatile arbitrary scripts along side any .scm script running at the time.

An hour later and the first version of our asm core hook was in place.. running simple opcodes to test its functionality such as 0315h which simply took 0 params and incremented the amount of passengers dropped off in ur stats display.. getting this to run was a clear statement that bigger and better things could easily be achieved with the asm core in place.

next we modified the asm core so that we could run a collection of opcodes instead of just 1, this enables us to do some pretty cool stuff that you will be able to see a little later today when we release a small demo of our 2 day achievements..

so now we had our HOOK in place running selected scripts inside the game alongside the games own script.. we dedicated day 2 to the coding of the directx hooking functions so that people actually have something to enable and utilize the asm core from inside the game..

by the end of day 2 we had a directx console interfaced with the asm core running scripts by console commands..

as you can see the work has progressed very quickly and to be honest more quickly than we both anticipated.. we called it projectx because we really dont know where it will end.. we are both fully versed in network coding and have had success in the network experiments carried out so far with gta:vc.. so i suppose a realistic goal would be to make some kind of online co-op mission creator.. this of course could be a long way away.. but then again.. 2 days ago we had nothing )

look out later today for a little demo of our work so far.. ill re post here when its complete..

tnx for reading...

sheep/spookie

[Opius]

So you've managed to get an outside program to hook onto Vice's mission script?

SWEET!

Reckon you could find a way to get a debugger into it, so mission coders can know exactly where their scripts crash?

[[sheep]]

a debugger of sorts would be very ambitious and going in a different direction to where we are going now.. unfortunately the functions (opcodes) that cause the game to crash are 99% due to memory access violations and happen while inside the function manipulating whatever aspect of the game the opcode was written for.. so as far as any debugger (at this stage) its only functionality would be to log into a file the LAST opcode and parameters that ran through the gta:vc script parser.. at the very least you would know WHAT crashed the game.. like i say.. im new here so this may already have been done.. if not then let me know and ill add it to the demo release..

[Opius]

Nope, little to no work has been put into manipulating the mission script once it's running up until now, so you're a pioneer of it

I wouldn't mind seeing that version of the debugger in the first release, so if you could add it...

[aad]

now im waiting for the demo to be released

[pj-54]

hmm posted a link to this when i saw it on mta forums but it got deleted after 2mins

i wanted to know if they were planning coop mode for multiplayer

guess they were worried youd take over as top mp mod!!!

what is the demo going to be?

[TwoZero]

This sounds awesome, hooking up scripts while the game is running.

I really hope this is going to work out to be a great tool.

[DexX]

QUOTE

hmm posted a link to this when i saw it on mta forums but it got deleted after 2mins

Y'know, i'm just.....not suprised.

[sheep] - good work, great time. I can't wait to see what else you cna accomplish.

[[sheep]]

Sorry for the slight delay.. real life intrudes as usual

Progress halted for a while

Back on track now.. we WILL have a demo for you guys very soon..

Both myself and spookie noticed the real bad attitude some people have around these forums, the lack of knowledge sharing is almost unbelievable.

Handing over your source code is VERY different to helping a few guys along with memory addresses that in the end could be obtained by anyone with enough time and patience.

Well, we do not intend to keep knowledge from people that would benefit from it.

Saying this brings me onto my final comment, the last thing we did was to reverse the actor building routines. Ill try and explain in simple terms the more important aspects of what happens when you create an actor internally.

CREATE ACTOR REVERSED...

Firstly, all the floats (x,y,z) positions are converted from the script, forumalting the REAL 32bit values into the EAX register.

There is a function that does this and is used for all conversions from SCRIPT to FLOAT, oddly enough they dont just read them directly out of the script, they read it byte by byte using a collection of BIT SHIFTS to formulate the final float..

Once formulate the x,y,z floats are saved for later to be inserted into the newly created actor structure..

Next, the function needs to determine where to allocate the new ACTOR structure, this is done by checking an array to find the next available slot of memory.. every loop, a LOOP COUNTER variable is increased and when it finds the first available slot it marks it as USED! so that its not used by the next generated actor, and then jumps out of the loop onto the next step..

Next, the actor ID is taken from the script (this is the last param) and is basically added to the MAIN.SCRIPT.BASE.VARIABLE.MEMORY for example:

base script address = 456789 (hex)
id = 000c (hex)
NEW_CREATED_ACTOR_ID_ADDRESS = 456795 (hex)

So those 2 values are added together which formulates the final address to store away that LOOP COUNTER variable, this is how the ID system works.. it just looks at its MAIN.SCRIPT.BASE.VARIABLE.MEMORY + ID and it gets the
loop counter then multiplies it by the PLAYER_STRUCT_SIZE (6d8 hex) and it has its start address of the the ID specified.

The counter variable used for the array check is now multiplied by 6d8(hex), this is the size of the player structure as explained above.. it then takes the base address of all actor structures (the base address is actually our MAIN PLAYER!! structure) and adds the result of the multiplication to this value, this points to a blank actor structure which is then initialized with all the data from the character model you specified along with the x,y,z floats saved earlier..

well.. thats basically how it is.. it sounds a little more complex than it really is.. dont know if it helps anyone, i hope so..

neways.. expect demo soon..

[Stretchnutter]

I was attempting this the other day. I did get the functions to be called but the game crashed soon after


This might help... got this from CyQ a while back. Proved very useful.

CODE

ok, first some interesting mission script related addresses (names mostly copied from gta3 ps2 exe, which still had symbols; it might be worth getting because of similarities with the vc exe): CODE   functions: 00450EF0 CollectNextParameterWithoutIncreasingPC 00450DD0 CollectParameterAbsoluteAddress 00451010 CollectParameters 0044B400 ProcessCommands0to99 00446390 ProcessCommands100to199 00444BE0 ProcessCommands200to299 00453670 ProcessCommands300to399 00451F90 ProcessCommands400to499 00457580 ProcessCommands500to599 00456E20 ProcessCommands600to699 00455030 ProcessCommands700to799 0045B220 ProcessCommands800to899 00458EC0 ProcessCommands900to999 006084C0 ProcessCommands1000to1099 00606730 ProcessCommands1100to1199 00630650 ProcessCommands1200to1299 0062E940 ProcessCommands1300to1399 00637600 ProcessCommands1400to1499 0044FBE0 ProcessOneCommand 00450E50 StoreParameters data: 007D7438 ScriptParams dd 20h dup(?) 00821280 ScriptSpace db 260512 dup(?) to find out the address of opcode 0407h, here's what you do: convert to decimal: 1031. find the appropriate function: ProcessCommands1000to1099. there, you'll find some code like this: CODE   lea     eax, [esi-1002] mov     ebx, ecx cmp     eax, 61h      ; switch 98 cases ja      loc_609633    ; default jmp     off_6D750C[eax*4]; switch jump so you do: 1031-1002=29. this means you have to get the 30th address in the list at off_6D750C, which happens to be loc_6089EA.

[Kryptos]

I realize this post is off topic, but I feel it only appropriate to mention this. Sheep's tutorials, aside from +ORC's few documents on Win32 hacking, are really what shined light on game hacking for me, he's written numerous tutorials on everything from Dynamic Memory Allocation to Direct X Hooking, his DirectX Hooking tutorial being the only one I've ever seen of its kind. Good luck on this project of yours, I am intrigued as to what your final product will accomplish. I've thought about this in the past, although the implementation seemed beyond what I had time for. The major difference between what you've done and what I had in mind was that I merely wanted to overwrite the unused, or relatively unused, opcodes with more powerful ones at runtime, although your project sounds like it will add much more functionality then I could have ever dreamed of achieving.

This post has been edited by Kryptos on Thursday, Sep 2 2004, 22:35

[Cray]

I must say a lot of interesting work has been done here, and I can't wait to see what comes from it.

It is definitely interesting to see others venture in this sort of territory, which is often left unventured in these sorts of games. The amount of power that can come out of hooking directly into this game is immense and you guys are definitely heading in the right direction.

Keep us all posted here, and some of my other team members and I will try to drop some ideas and help where we can.

[[sheep]]

kryptos..

It's always nice to find out your work is appreciated by others.. I hope we all learn a little something from all this.. knowledge is power.. and some people seem to love to horde it.. my intention is only to spread the knowledge so we can all get a little further in our endeavors... tnx again..


Cray..

Now, you may find this reply a little harsh.. but from what ive seen around this place i think its a) long overdue.. and b) most definitely deserved.

Ive noticed in many posts where the posting parties have either revealed something rather interesting or .. they have shown knowledge of a given subject you reply with the EXACT same trash that you just used in this thread.. you make it sound like you have done all this before.. now!! dont get me wrong.. im not one to band around insults without having a little something to back them up..

If I believed for 1 second that you had any knowledge on the reversing or hooking of gta then i wouldnt be typing this reply to you.. but before i started all this with my good friend spookie we decided to just have a looksee at what was already around.. and when we had stopped laughing.. we knew that it was our duty to bring an actual playable MP mod that wasnt coded by complete f*cking idiots.

btw.. i use the term CODED very loosely here..

your team (which seems to have about 10 lead programmers) and if they dont lead programming they lead something else.. bang on about how you cant possibly let out any secrets because it would aid cheaters in their quest.. ive got a little news for you.. your code is so poorly protected its almost like you want people to cheat anyway!!! from your pathetic trainer detection which HOLY sh*t!!! checks every window name for the word TRAINER!! f*cking hell lads.. must have taken you all night to think that one up!! to your laughable 2.. count them!!! 2 crc file checks... i mean!! you put the message box for the CRC ERROR directly under the check.. why dont you just include an inbuilt trainer? it would save anyone with half a brain 10 seconds work..

how about I point YOU!!! in the right direction... why not use the crc check of the files later on in the loading of the program as part of a decryption key?? that way its very difficult to find.. sh*t.. even putting the messagebox further away from the actual check would be a 100% improvement on your current attempts..

if on the other hand im completely wrong.. and mta was written by a bunch of hardcore reversing maniacs.. why on gods earth do u ignore the immense power of what a hook into the scripting engine can do? MTA looks like it was coded by a bunch of visual basic monkey spasms on a f*cking ego trip..

btw.. ive checked the website.. i do apologize to anyone that is actually normal on the MTA team.. im sure there must be at least 1 or 2.. this is not directed at you in any way.. just the idiots that come to these forums holding their extreme lack of knowledge over others..

IN THE LAND OF THE BLIND!! THE ONE EYED MAN IS KING!! that sums up MTA.

its not often I lash back.. but i try and make sure i get the message across when i do..

[Spooky]

It's resized, the console doesn't look that tiny in 640x480


Reminds me of Thriller.


Wheres Wally?


Enticing.


Satisfying.

[Opius]

Now I'm REALLY looking forward to it

[ThE_cHeEsE]

omfg wat opius said!!!

[Spooky]

This isn't the demo we were planning release, we were planning a choreographed scene using some of the actor behaviour protocols, but here you go...

http://sheeps.reversing.info/spooshdemo.zip

This release doesn't have the opcode logger as we've modified the asm core this morning for the above mentioned actor behaviour protocols.

Simply drop the executable file into your vice root directory and execute it.

It spawns cars and actors, either random or specified -

Press F11 to be able to type into the console, and then the available commands are

/car [id]
This will spawn a vehicle beside you (despite the name, this works on all vehicles). To view a list of valid vehicle ids press F9. If you do not specify an id a random car will be spawned.

/actor [model]
This will spawn an actor beside you. [model] is an optional string specifying the model the actor will have. To view a list of valid model strings press F10. If you do not specify a model it'll be random.

/screenshot
This saves the game's front buffer to file in bitmap format. Files will be named vice00.bmp to vice99.bmp and saved in the game's root directory.

/trans
Toggles the in-game GUI transparency.

/quit
Quits the game without going through the menus

This is nothing spectacular yet it does demonstrait the flexibility and power of the approach we've taken in producing this mod.

After playing about with our dynamic scripting engine a bit more (we're making it even more flexible would you believe) it'll be time to move onto the network coding. Once the basics are setup (multiple players interacting in the same world) we'll move onto cooperative missions .

Don't expect miracles in the terms of the timescale of this project as we're only a two man team with other commitments, but rest assured we'll have it done in about 1/100th of the time it's taken certain other mp mods.

[EDIT] If you downloaded this right after posting grab it again We've been working with v1.1, and forgot to add the v1.0 check. It's been added now and works with both versions.

[Stretchnutter]

WOW... thats really neat... i've dived into the asm part of the scripts plenty of times but this is amazing.


Spooky forgot to mention this demo only works with the 1.1 patch .

This is fun, keep it up guys

Greetz [sheep]

WOW!


This post has been edited by Stretchnutter on Friday, Sep 3 2004, 09:45

[Spooky]

Gah Stretchnutter! You beat me to my edit It works with both versions now.

[EDIT]
If only you had a minigun
(p.s. you can cycle the models using /actor dbg)

[ThE_cHeEsE]

wow i just tested it, amazing in only a few days have some cookies .

So about project x will it be turned into a mp mod i mean if u can do this in a few days i would love to see what kind of mp mod u guys could make