GTA Cloud Servers Being Sent Encrypted HTTP Headers

Xversial

While watching GTA Online's outbound HTTP connections I noticed that there are 2 things being sent to rockstar when you're gathering the config files.

Scs-ticket = E6huAFselAqPv2EbFdgpUXyHjzJeTHer0aXUMuzxvfUtvYogUTpwFrIJNQSlONhDZEfws3DBXeZAFVjfy6r4wU61QWI/VjVOdY30md8MgBFmQ5l9EYOXRlOv8bSTxJDDH2uoQ2LFXgANcyvq6VxUc2zVPrEEqA==
User-agent = ros 8UEQPZR8IRGFfHdJkHQ8Tcw5clKJciYN3TctDMA=

What I know for sure:
The user-agent string starts with ros which stands for Robot Operating System and could be the library that is being used to instigate HTTP requests.
The user-agent is different for every request.
Both strings seem to be in base64; however, they do not decode to plain text.


I am paranoid about the Scs-ticket being the console serial number, which is why I blanked out 23 characters of the string.
If anyone could share some insight on these that would be great. I would really like to know what rockstar is being sent.

Edit: The SCS Ticket is NOT the console serial number. It changes every time you reload the game. This is probably your session ID or something of the sort.
 

Pork Soda

While watching GTA Online's outbound HTTP connections I noticed that there are 2 things being sent to rockstar when you're gathering the config files.

Scs-ticket = E6huAFselAqPv2EbFdgpUXyHjzJeTHer0aXUMuzxvfUtvYogUTpwFrIJNQSlONhDZEfws3DBXeZAFVjfy6r4wU61QWI/VjVOdY30md8MgBFmQ5l9EYOXRlOv8bSTxJDDH2uoQ2LFXgANcyvq6VxUc2zVPrEEqA==
User-agent = ros 8UEQPZR8IRGFfHdJkHQ8Tcw5clKJciYN3TctDMA=

What I know for sure:
The user-agent string starts with ros which stands for Robot Operating System and could be the library that is being used to instigate HTTP requests.
The user-agent is different for every request.
Both strings seem to be in base64; however, they do not decode to plain text.


I am paranoid about the Scs-ticket being the console serial number, which is why I blanked out 23 characters of the string.
If anyone could share some insight on these that would be great. I would really like to know what rockstar is being sent.

Edit: The SCS Ticket is NOT the console serial number. It changes every time you reload the game. This is probably your session ID or something of the sort.
We need a way to spoof that number
 

xBob

My theory on spoofing this goes this way:
1. We modify the currently used web servers for the tunables so when it gives the console the tunables the web server saves the sesh id
2. We make a program on your pc that when the server gets a session id from your ip the server sends it to your client
3. Your client requests tunables from the legit rockstar servers with the sesh id to spoof the console connecting to the cloud servers
 

Kiint

scs ticket is the session id for session control. This is what is used to create/manage lobbies.
 

xBob

But couldn't rockstar see if they get the sesh id or not and put you on a list for inspection?
 

Kiint

The session ID is a way of tracking and matching the character to the Online sessions, if you mess with it you probably won't be able to join and instead be either on a session all by yourself, or you will get an invalid Online ID. Your console ID is tracked by Sony/Microsoft. Rockstar track your session ID and your PSN account. They can tie it all together by requesting a console ban for consoles using the appropriate PSN account (if Sony/Microsoft honour the request).

There are no Rockstar servers except for the session control servers (and other stuff like saves, news, tunables etc). The actual lobbies and missions are all peer to peer using STUN to mesh the sessions together based on the scs-ticket. Everyone will have a unique scs-ticket, and Rockstar will (in the back end) manage the lobby/mission IDs and use the STUN servers to merge the selected scs-tickets to the appropriate lobby/mission ID.

Basically, messing with the scs-ticket won't achieve anything except make it harder for you to go Online.
 

xBob

Ah. That makes a lot more sense, so I guess spoofing it is useless.
 

Kiint

Theoretically, Rockstar could detect/patch who is "tunable" glitching by looking at and matching the ros for the savegame and the tunable server ... unless they match, the client doesn't receive a scs-ticket.

Though to be perfectly honest, that's a very obtuse way of doing it.
 

Xversial

the ros is the base64 session for clients to obtain their MP save from http://prod.cs.ros.rockstargames.com

you can access your save (an encrypted mpstats.xml file) by spoofing the agentdata on the prod.cs.ros sub-domain

ex. http://prod.cs.ros.rockstargames.com/cloud/11/cloudservices/members/xbl/XUID_HERE/GTA5/saves/mpstats

Your information has made me happier than ever!
Do you happen to know how we could go about decrypting the MPSTATS? I mean there must be a static encryption key stored somewhere within the game files.
 

Rukkia

Your information has made me happier than ever!
Do you happen to know how we could go about decrypting the MPSTATS? I mean there must be a static encryption key stored somewhere within the game files.
Couldn't tell ya, I didn't look into it too much - just spent a few minutes looking at it. Sorry.
 

ECB2

Your information has made me happier than ever!
Do you happen to know how we could go about decrypting the MPSTATS? I mean there must be a static encryption key stored somewhere within the game files.

It's not a static encryption key.
 

Xversial

It's not a static encryption key.
If it's not a static encryption key, what server is left to send it? I have checked it against prod.cs.ros.rockstargames.com, prod.cloud.rockstargames.com, and socialclub.rockstargames.com.
Also, if it's time based it still is static in a sense.
 

twisted0ne

While watching GTA Online's outbound HTTP connections I noticed that there are 2 things being sent to rockstar when you're gathering the config files.

Scs-ticket = E6huAFselAqPv2EbFdgpUXyHjzJeTHer0aXUMuzxvfUtvYogUTpwFrIJNQSlONhDZEfws3DBXeZAFVjfy6r4wU61QWI/VjVOdY30md8MgBFmQ5l9EYOXRlOv8bSTxJDDH2uoQ2LFXgANcyvq6VxUc2zVPrEEqA==
User-agent = ros 8UEQPZR8IRGFfHdJkHQ8Tcw5clKJciYN3TctDMA=

What I know for sure:
The user-agent string starts with ros which stands for Robot Operating System and could be the library that is being used to instigate HTTP requests.
The user-agent is different for every request.
Both strings seem to be in base64; however, they do not decode to plain text.


I am paranoid about the Scs-ticket being the console serial number, which is why I blanked out 23 characters of the string.
If anyone could share some insight on these that would be great. I would really like to know what rockstar is being sent.

Edit: The SCS Ticket is NOT the console serial number. It changes every time you reload the game. This is probably your session ID or something of the sort.
Looks like sha1 encryption to me, not base64.
 

Xversial

Looks like sha1 encryption to me, not base64.
Sha1 is a hashing method and doesn't have a suffix of = signs.
Regardless, it's encoded after being encrypted. It's not just a hash or encoding.

I'm under the impression it is the same algo that GTA uses for mostly everything else, AES-CBC with PKCS5Padding.
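A small triage script, added here and not taken from the thread or from Rockstar, that does the check the base64 vs. SHA-1 vs. AES back-and-forth above calls for: it validates the two quoted header values as base64, decodes them, and reports decoded length, printable ratio and entropy, so you can see whether a value is text, a bare digest, or cipher-block aligned. The digest-size table and the 0.95 "looks like text" threshold are my assumptions.

```python
import base64
import binascii
import math
import string

# The two header values quoted in the thread. The poster says some characters
# of the Scs-ticket were altered before posting, so treat its numbers as indicative.
SCS_TICKET = "E6huAFselAqPv2EbFdgpUXyHjzJeTHer0aXUMuzxvfUtvYogUTpwFrIJNQSlONhDZEfws3DBXeZAFVjfy6r4wU61QWI/VjVOdY30md8MgBFmQ5l9EYOXRlOv8bSTxJDDH2uoQ2LFXgANcyvq6VxUc2zVPrEEqA=="
ROS_UA = "8UEQPZR8IRGFfHdJkHQ8Tcw5clKJciYN3TctDMA="  # the part after "ros "

# Raw digest sizes (bytes) for the hashes people usually guess at (assumed table).
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 28: "SHA-224", 32: "SHA-256", 48: "SHA-384", 64: "SHA-512"}


def strict_b64decode(s):
    """Decode only if s is syntactically valid standard base64; otherwise return None."""
    if len(s) % 4 != 0:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def shannon_entropy(data):
    """Bits per byte: encrypted or random bytes approach 8.0, natural text sits around 4 to 5."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(value):
    """Classify an opaque header value: text, bare digest, cipher-block aligned, or other binary."""
    raw = strict_b64decode(value)
    if raw is None:
        return {"base64": False}
    printable = sum(ch in string.printable.encode() for ch in raw) / len(raw)
    return {
        "base64": True,
        "length": len(raw),
        "printable_ratio": round(printable, 2),
        "entropy": round(shannon_entropy(raw), 2),
        "looks_like_text": printable > 0.95,      # assumed threshold
        "bare_digest": DIGEST_SIZES.get(len(raw)),  # None unless the length matches a raw hash
        "aes_block_aligned": len(raw) % 16 == 0,    # padded CBC output is a multiple of 16
    }


if __name__ == "__main__":
    for name, v in (("Scs-ticket", SCS_TICKET), ("User-agent token", ROS_UA)):
        print(name, triage(v))
```

The quoted Scs-ticket decodes to 118 bytes and the User-agent token to 29, so neither is a bare SHA-1 (20 bytes) and neither, as posted, is a whole number of 16-byte AES blocks.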
 

ECB2

Sha1 is a hashing method and doesn't have a suffix of = signs.
Regardless, it's encoded after being encrypted. It's not just a hash or encoding.

I'm under the impression it is the same algo that GTA uses for mostly everything else, AES-CBC with PKCS5Padding.
Wrong algo.
Next try.
 