What's new

GTA 5 Packets - Some Directories / Thoughts

A

AnonPerson

Enthusiast
Messages
68
Reaction score
30
Here are a few that I have found. I believe I have seen one person in the forums mention the mpstats one. The others I haven't seen people, myself, talk about:

If any of my work is used to discover any exploits, please let me know as I'd love to see it! Also, be sure to give credit where credit is due. I have looked through 250,000-300,000 packets. I believe asking for a simple mention of my name, AnonPerson, and a link to this thread is simple enough.


Full Request URI:
https://prod.ros.rockstargames.com/gta5/11/gameservices/ProfileStats.asmx/WriteStats

Code:
Protocols in frame: eth:ip:tcp:http:data:data:data:data:data-text-lines
Frame Length: 60 bytes (480 bits)
Header length: 20 bytes
Destination port: http (80)
Flags: 0x018 (PSH, ACK)
POST /gta5/11/gameservices/ProfileStats.asmx/WriteStats HTTP/1.1\r\n
HOST:prod.ros.rockstargames.com\r\n
CONTENT-TYPE: application/x-www-form-urlencoded; charset=utf-8\r\n
TRANSFER-ENCODING: chunked\r\n

Full request URI:
http://prod.ros.rockstargames.com/c...gc/gta5mission/z7GPlhzcw06ammDaqw7d_A/1_0.jpg
Code:
I understand this one above leads to a .jpg file. However, I am posting it because of the directory.
Message: GET /cloud/11/cloudservices/ugc/gta5mission/z7GPlhzcw06ammDaqw7d_A/1_0.jpg HTTP/1.1\r\n
Request Method: GET
If-Modified-Since: Tue, 19 Nov 2013 21:20:02 GMT\r\n **(I ran this 12/16/2013)**

Full request URI: http://prod.ros.rockstargames.com/cloud/11/cloudservices/members/sc/********/GTA5/car
Code:
Protocols in frame: eth:ip:tcp:http:data:data:data:mime_multipart:data
HOST:prod.ros.rockstargames.com\r\n
CONTENT-TYPE: multipart/form-data; boundary=--------------------52af3ba8\r\n
TRANSFER-ENCODING: chunked\r\n
CONNECTION: Keep-alive\r\n
Expert Info (Chat/Sequence): POST /cloud/11/cloudservices/members/sc/********/GTA5/car HTTP/1.1\r\n
Header length: 20 bytes
Frame Length: 218 bytes (1744 bits)
UDP Length: 184
 
******** = How many numbers are after /sc/ but before /GTA5/[/I]
I edited due to not knowing if this is account specific. Haven't analyzed it enough yet.


Full request URI:
http://prod.cs.ros.rockstargames.co...mbers/xbl/****************/GTA5/saves/mpstats

**************** = 16 Numbers. This is account specific, as it has stayed the same per packet.

Code:
Protocols in frame: eth:ip:tcp:http:data:data:data:mime_multipart:data
Number of per-protocol-data: 1
[Hypertext Transfer Protocol, key 0]
Frame Length: 60 bytes (480 bits)
Header length: 20 bytes
Destination port: http (80)
Flags: 0x018 (PSH, ACK)
TRANSFER-ENCODING: chunked\r\n
CONNECTION: Keep-alive\r\n
HOST:prod.cs.ros.rockstargames.com\r\n
Request Method: POST
Expert Info (Chat/Sequence): POST /cloud/11/cloudservices/members/xbl/****************/GTA5/saves/mpstats HTTP/1.1\r\n
MIME Multipart Media Encapsulation, Type: multipart/form-data, Boundary: "--------------------52af3ba8"
 
**************** = 16 Numbers. This is account specific, as it has stayed the same per packet.

I loaded up the Chemical Extraction mission. This packet is in reference to that.
Full request URI:
http://prod.ros.rockstargames.com/c...ta5mission/z7GPlhzcw06ammDaqw7d_A/0_0_en.json
Code:
Expert Info (Chat/Sequence): GET /cloud/11/cloudservices/ugc/gta5mission/z7GPlhzcw06ammDaqw7d_A/0_0_en.json HTTP/1.1\r\n
Request Method: GET
Connection: Keep-alive\r\n
Host:prod.ros.rockstargames.com\r\n
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT\r\n **(Odd date?)**
Flags: 0x018 (PSH, ACK)
Protocols in frame: eth:ip:tcp:http
Number of per-protocol-data: 1
[Hypertext Transfer Protocol, key 0]
Destination port: http (80)
Header length: 20 bytes
Frame Length: 528 bytes (4224 bits)

In this next packet, I went into crews to view my own crew.
Full request URI:
http://prod.ros.rockstargames.com/cloud/11/cloudservices/crews/sc/*******/metadata.json

******* = 7 Numbers. My Crew Specific, so I removed it.

Code:
Protocols in frame: eth:ip:tcp:http
Expert Info (Chat/Sequence): GET /cloud/11/cloudservices/crews/sc/*******/metadata.json HTTP/1.1\r\n
Host:prod.ros.rockstargames.com\r\n
Connection: Keep-alive\r\n
Request Method: GET
Destination port: http (80)
Header length: 20 bytes
Frame Length: 508 bytes (4064 bits)
Number of per-protocol-data: 1
Hypertext Transfer Protocol, key 0]
Flags: 0x018 (PSH, ACK)
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT\r\n **(Again, non-updated date in code)**

Full request URI:
http://prod.cloud.rockstargames.com...or/131200_Deathmatch_and_Race_Creator_256.dds

I'm posting this now, but I am editing the numbers until I know for sure it is not account specific. It most likely isn't, being in /global/sc/news/ , BUT I like to be safe.

EDIT: It's not account specific. Just the news, as I thought.

Here is the picture:
Code:
Frame Length: 486 bytes (3888 bits)
Protocols in frame: eth:ip:tcp:http
Number of per-protocol-data: 1
[Hypertext Transfer Protocol, key 0]
Header length: 20 bytes
Destination port: http (80)
Flags: 0x018 (PSH, ACK)
Expert Info (Chat/Sequence): GET /global/sc/news/Creator/131200_Deathmatch_and_Race_Creator_256.dds HTTP/1.1\r\n
Connection: Keep-alive\r\n

Full request URI:
http://prod.ros.rockstargames.com/gta5/11/gameservices/socialclub.asmx/CheckText
Code:
Protocols in frame: eth:ip:tcp:http:data:data:data:data-text-lines
Frame Length: 60 bytes (480 bits)
Header length: 20 bytes
Number of per-protocol-data: 1
[Hypertext Transfer Protocol, key 0]
Source port: mysql-proxy (6446)
Destination port: http (80)
Flags: 0x018 (PSH, ACK)
Expert Info (Chat/Sequence): POST /gta5/11/gameservices/socialclub.asmx/CheckText HTTP/1.1\r\n
Request Method: POST
CONTENT-TYPE: application/x-www-form-urlencoded; charset=utf-8\r\n
TRANSFER-ENCODING: chunked\r\n
CONNECTION: Keep-alive\r\n

A prod.realtimevc.ros.rockstargames.com is a directory, packet info didn't matter. It was just a DNS protocol to look up the web address. Standard query. Just thought I'd post it.


Full request URI:
http://prod.ros.rockstargames.com/cloud/11/cloudservices/global/SC/news/TIP_Interaction_Menu/en.json

I don't like tips (on games) and disabling them on this game doesn't work for me. Just decided to post to see if I could do anything. Doubt I will. But why not post it. It may not even be what I think it is, being in /news/ directory.
Code:
Expert Info (Chat/Sequence):
GET /cloud/11/cloudservices/global/SC/news/TIP_Interaction_Menu/en.json HTTP/1.1\r\n
Frame Length: 485 bytes (3880 bits)
Protocols in frame: eth:ip:tcp:http
Number of per-protocol-data: 1
[Hypertext Transfer Protocol, key 0]
Header length: 20 bytes
Destination port: http (80)
Flags: 0x018 (PSH, ACK)
Connection: Keep-alive\r\n

Full request URI:
http://prod.cs.ros.rockstargames.co...*******/GTA5/saves/mpstats/save_char0001.save

This one is probably the most interesting out of a lot of these. I hate to take away numbers, but my XBL R* account number is used in here, just as it was in mpstats (which, this is a file from that directory).

**************** = 16 Numbers. XBL R* account specific. Have to delete.

Code:
Protocols in frame: eth:ip:tcp:http
Number of per-protocol-data: 1
[Hypertext Transfer Protocol, key 0]
Destination port: http (80)
Header length: 20 bytes
Frame Length: 547 bytes (4376 bits)
Flags: 0x018 (PSH, ACK)
Request Method: GET
Connection: Keep-alive\r\n
Message: GET /cloud/11/cloudservices/members/xbl/****************/GTA5/saves/mpstats/save_char0001.save HTTP/1.1\r\n

That will retrieve a data through TCP that with this length:
Reassembled TCP length: 38815
It is encoded using:
Line-based text data: application/x-www-form-urlencoded
But you can also get the data in hex form, which is what I plan on working with.


EDIT: I made this thread to spark some creativity or ideas. Never hurts to see what people see, as I only have two eyes and they tend to see things once and can't stop seeing any different pattern.

EDIT2: Added a few more. Just found one for content creator, but I believe it is a .dds image file. Will share that in a few after I analyze it for a few more minutes.

EDIT3: The content creator packet I found was just the news one. I exported it into a readable format, and then uploaded it to imgur. You can find it above in that specified packet.

EDIT4: Found packet that was saving my char001 game save. Uploaded.

EDIT5: Done for now. Collecting more packets. If you have any thoughts, please post below. There are several that I am interested in comparing similar packets of and try to alter values.

Thanks.

AnonPerson.
 
Last edited:
A

AnonPerson

Enthusiast
Messages
68
Reaction score
30
Saving This Post In Case I Need It
 
X

XMr JohnsonX

RAPID FiRE BUZZARD
Messages
432
Reaction score
112
Has anyone figured out how to access these files?
 
C

CR4ZYC00KIE

Enthusiast
Messages
75
Reaction score
7
Yes, in fact proven. I have clicked on the first link you provided in the thread and it asks me for login credentials such as, Username and Password?
 
S

shaunr

Propane and propane accessories
Messages
1,669
Reaction score
493
I bet we'll be able to find the file that controls the vehicles in our garage and if it's insured or not, and then we could put in whatever we want and insure it. thatd be awesome
 
A

AnonPerson

Enthusiast
Messages
68
Reaction score
30
I bet we'll be able to find the file that controls the vehicles in our garage and if it's insured or not, and then we could put in whatever we want and insure it. thatd be awesome

Pretty sure it is the car file that I posted above.

It could also be in the gamesave001.save file, not sure if I posted that one up there, but I have it.
 
P

PostRequest

Newbie
Messages
5
Reaction score
0
So can we spoof the packets received when downloading the gamesave and mod them so when our xbox gets it, it is modded?
 
S

s7orm

Enthusiast
Messages
98
Reaction score
2
is this for retail or flash/jtaged systems?
 
S

Shatech

Enthusiast
Messages
262
Reaction score
90
so if you find the request source how do you bypass it? by simply adding it to the right location in the usbwebserver? or by adding that specific url in the host file of the pc?
 
T

tomsaundo

Newbie
Messages
13
Reaction score
3
Any way to rip the save_char0001.save file due to I would like to look into it and im running it through winhttracker and its coming up with an error
 
S

Shatech

Enthusiast
Messages
262
Reaction score
90
Any way to rip the save_char0001.save file due to I would like to look into it and im running it through winhttracker and its coming up with an error
ive seen this script too but not sure how to trace it
 
T

tomsaundo

Newbie
Messages
13
Reaction score
3
Id love to find out whats inside as we may find the source to getting rid of the cheaters pool once and for good !
 
S

Shatech

Enthusiast
Messages
262
Reaction score
90
can someone here please inform us how to back track or map the file location after we discover the these https and dns addresses?
 
T

tomsaundo

Newbie
Messages
13
Reaction score
3
So where in usbwebserver do you put this and how did you determine the path?

You would place it in your root folder and add /ugc/gta5mission/0121/fs1qaEg-i0CmbimKNRuGfA/ (This changes depending on the mission) folders and add the file in. This is how people get the missions working for their servers
 
Top Bottom