WIP - PROJECTX

130 replies to this topic
[sheep]
  • [sheep]

    Player Hater

  • Members
  • Joined: 01 Sep 2004

#1

Posted 01 September 2004 - 07:24 AM

hi,

This is the first time posting about projectx on the forums.. but certainly not the last.

This project was born from the curiosity and success of 2 days reverse engineering.

The fruit of our works (there are 2 of us) developed into something beyond our meager expectations.

Our initial findings were related to the scripting engine itself, after looking through the asm disassembly for about 20 minutes we managed to obtain a good understanding of how the parser was handling and dealing with the functions (opcodes).

(for anyone that's interested.. though I'm sure this has probably been documented before..) the parser takes the initial 2 bytes of any of the main.scm opcodes and uses them as a reference, firstly to determine which jump table it uses and secondly to formulate the function the jump table finally arrives at. It sounds complex but is actually pretty straightforward if you have a good knowledge of asm.

what does this mean?

ok, once we had reached this point we realized that a HOOK of the parser was very possible, with this achieved we could run very versatile arbitrary scripts along side any .scm script running at the time.

An hour later and the first version of our asm core hook was in place.. running simple opcodes to test its functionality such as 0315h which simply took 0 params and incremented the amount of passengers dropped off in your stats display.. getting this to run was a clear statement that bigger and better things could easily be achieved with the asm core in place.

next we modified the asm core so that we could run a collection of opcodes instead of just 1, this enables us to do some pretty cool stuff that you will be able to see a little later today when we release a small demo of our 2 day achievements..

so now we had our HOOK in place running selected scripts inside the game alongside the games own script.. we dedicated day 2 to the coding of the directx hooking functions so that people actually have something to enable and utilize the asm core from inside the game..

by the end of day 2 we had a directx console interfaced with the asm core running scripts by console commands..

as you can see the work has progressed very quickly and to be honest more quickly than we both anticipated.. we called it projectx because we really dont know where it will end.. we are both fully versed in network coding and have had success in the network experiments carried out so far with gta:vc.. so i suppose a realistic goal would be to make some kind of online co-op mission creator.. this of course could be a long way away.. but then again.. 2 days ago we had nothing smile.gif )

look out later today for a little demo of our work so far.. ill re post here when its complete..

tnx for reading...

sheep/spookie

Opius
  • Opius

    General

  • Feroci
  • Joined: 27 Jun 2002

#2

Posted 01 September 2004 - 07:26 AM

So you've managed to get an outside program to hook onto Vice's mission script?

SWEET!

Reckon you could find a way to get a debugger into it, so mission coders can know exactly where their scripts crash?

[sheep]
  • [sheep]

    Player Hater

  • Members
  • Joined: 01 Sep 2004

#3

Posted 01 September 2004 - 07:41 AM

a debugger of sorts would be very ambitious and going in a different direction to where we are going now.. unfortunately the functions (opcodes) that cause the game to crash are 99% due to memory access violations and happen while inside the function manipulating whatever aspect of the game the opcode was written for.. so as far as any debugger (at this stage) its only functionality would be to log into a file the LAST opcode and parameters that ran through the gta:vc script parser.. at the very least you would know WHAT crashed the game.. like i say.. im new here so this may already have been done.. if not then let me know and ill add it to the demo release..

Opius
  • Opius

    General

  • Feroci
  • Joined: 27 Jun 2002

#4

Posted 01 September 2004 - 07:49 AM

Nope, little to no work has been put into manipulating the mission script once it's running up until now, so you're a pioneer of it biggrin.gif

I wouldn't mind seeing that version of the debugger in the first release, so if you could add it...

aad
  • aad

    3d artist

  • Feroci
  • Joined: 15 Mar 2004
  • None

#5

Posted 01 September 2004 - 05:30 PM

now im waiting for the demo to be released biggrin.gif biggrin.gif biggrin.gif biggrin.gif

pj-54
  • pj-54

    Player Hater

  • Members
  • Joined: 01 Sep 2004

#6

Posted 01 September 2004 - 07:37 PM

hmm posted a link to this when i saw it on mta forums but it got deleted after 2mins sad.gif

i wanted to know if they were planning coop mode for multiplayer

guess they were worried youd take over as top mp mod!!!

what is the demo going to be?

TwoZero
  • TwoZero

    Ghetto Star

  • The Connection
  • Joined: 15 Apr 2003

#7

Posted 01 September 2004 - 09:07 PM

This sounds awesome, hooking up scripts while the game is running.

I really hope this is going to work out to be a great tool.

DexX
  • DexX

    Black Hat

  • Feroci
  • Joined: 16 May 2002

#8

Posted 02 September 2004 - 06:53 AM

QUOTE
hmm posted a link to this when i saw it on mta forums but it got deleted after 2mins

Y'know, i'm just.....not surprised.

[sheep] - good work, great time. I can't wait to see what else you can accomplish.

[sheep]
  • [sheep]

    Player Hater

  • Members
  • Joined: 01 Sep 2004

#9

Posted 02 September 2004 - 07:25 PM


Sorry for the slight delay.. real life intrudes as usual sad.gif

Progress halted for a while smile.gif

Back on track now.. we WILL have a demo for you guys very soon..

Both myself and spookie noticed the real bad attitude some people have around these forums, the lack of knowledge sharing is almost unbelievable.

Handing over your source code is VERY different to helping a few guys along with memory addresses that in the end could be obtained by anyone with enough time and patience.

Well, we do not intend to keep knowledge from people that would benefit from it.

Saying this brings me onto my final comment, the last thing we did was to reverse the actor building routines. Ill try and explain in simple terms the more important aspects of what happens when you create an actor internally.

CREATE ACTOR REVERSED...

Firstly, all the floats (x,y,z) positions are converted from the script, formulating the REAL 32bit values into the EAX register.

There is a function that does this and is used for all conversions from SCRIPT to FLOAT, oddly enough they dont just read them directly out of the script, they read it byte by byte using a collection of BIT SHIFTS to formulate the final float..

Once formulated the x,y,z floats are saved for later to be inserted into the newly created actor structure..

Next, the function needs to determine where to allocate the new ACTOR structure, this is done by checking an array to find the next available slot of memory.. every loop, a LOOP COUNTER variable is increased and when it finds the first available slot it marks it as USED! so that its not used by the next generated actor, and then jumps out of the loop onto the next step..

Next, the actor ID is taken from the script (this is the last param) and is basically added to the MAIN.SCRIPT.BASE.VARIABLE.MEMORY for example:

base script address = 456789 (hex)
id = 000c (hex)
NEW_CREATED_ACTOR_ID_ADDRESS = 456795 (hex)

So those 2 values are added together which formulates the final address to store away that LOOP COUNTER variable, this is how the ID system works.. it just looks at its MAIN.SCRIPT.BASE.VARIABLE.MEMORY + ID and it gets the
loop counter then multiplies it by the PLAYER_STRUCT_SIZE (6d8 hex) and it has its start address of the ID specified.

The counter variable used for the array check is now multiplied by 6d8(hex), this is the size of the player structure as explained above.. it then takes the base address of all actor structures (the base address is actually our MAIN PLAYER!! structure) and adds the result of the multiplication to this value, this points to a blank actor structure which is then initialized with all the data from the character model you specified along with the x,y,z floats saved earlier..

well.. thats basically how it is.. it sounds a little more complex than it really is.. dont know if it helps anyone, i hope so..

neways.. expect demo soon.. wink.gif
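A model of the actor-creation path described in the post above (free-slot search with a loop counter, the counter written to script variable memory at base + ID, struct address = player struct + slot * 6D8h). This is an added illustration, not code from projectx or from the game: PLAYER_STRUCT_ADDR, POOL_SLOTS and SCRIPT_VAR_SPACE are hypothetical values, SCRIPT_VAR_BASE is the post's own example number, and the bounds check on the ID is something the post does not describe the game doing.

```python
PED_STRUCT_SIZE = 0x6D8          # from the post: size of one actor/player structure
SCRIPT_VAR_BASE = 0x456789       # the post's example "base script address" (hypothetical)
PLAYER_STRUCT_ADDR = 0x00A00000  # hypothetical; the post says the player struct is slot 0
POOL_SLOTS = 8                   # hypothetical small pool so exhaustion can be shown
SCRIPT_VAR_SPACE = 0x10000       # hypothetical size of script variable memory


class ActorPool:
    """Slot array + script-variable ID mapping, as the post lays it out."""

    def __init__(self):
        self.used = [False] * POOL_SLOTS
        self.used[0] = True      # slot 0 is the main player structure itself
        self.script_vars = {}    # script variable address -> stored loop counter
        self.structs = {}        # slot -> initialised actor structure

    def _find_free_slot(self):
        """Walk the array with a loop counter; mark the first free slot USED."""
        counter = 0
        while counter < POOL_SLOTS:
            if not self.used[counter]:
                self.used[counter] = True
                return counter
            counter += 1
        raise MemoryError("actor pool exhausted")

    def create_actor(self, model, x, y, z, var_id):
        """Allocate a slot, store its index at SCRIPT_VAR_BASE + var_id and
        return the address of the new structure."""
        # Added check: the post describes the ID being added to the base
        # with no range check, which would let a script write the counter
        # anywhere relative to script memory.
        if not 0 <= var_id < SCRIPT_VAR_SPACE:
            raise ValueError(f"script variable ID {var_id:#x} out of range")
        slot = self._find_free_slot()
        self.script_vars[SCRIPT_VAR_BASE + var_id] = slot
        addr = PLAYER_STRUCT_ADDR + slot * PED_STRUCT_SIZE
        # The blank structure is then filled from the model and saved floats.
        self.structs[slot] = {"addr": addr, "model": model, "pos": (x, y, z)}
        return addr

    def actor_address(self, var_id):
        """What the game does on later use of the ID: read the counter back
        from script memory and rebuild the structure address."""
        slot = self.script_vars[SCRIPT_VAR_BASE + var_id]
        return PLAYER_STRUCT_ADDR + slot * PED_STRUCT_SIZE

    def destroy_actor(self, var_id):
        """Free the slot so the next creation can reuse it."""
        slot = self.script_vars.pop(SCRIPT_VAR_BASE + var_id)
        self.used[slot] = False
        del self.structs[slot]


if __name__ == "__main__":
    pool = ActorPool()
    addr = pool.create_actor("WMYST", -12.5, 100.0, 10.0, 0x0C)
    print(f"actor via var 0Ch at {addr:#010x}, slot {pool.script_vars[0x456795]}")
```

The ID-to-address step is pure arithmetic on attacker-controlled script data, which is why the post's observation matters to anyone hooking the parser: a hook can hand the game any ID it likes.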

Stretchnutter
  • Stretchnutter

    Also known as Racer_S

  • Members
  • Joined: 15 Jun 2002

#10

Posted 02 September 2004 - 08:40 PM

I was attempting this the other day. I did get the functions to be called but the game crashed soon after cool.gif


This might help... got this from CyQ a while back. Proved very useful.

CODE


ok, first some interesting mission script related addresses (names mostly copied from gta3 ps2 exe, which still had symbols; it might be worth getting because of similarities with the vc exe):
CODE  
functions:
00450EF0 CollectNextParameterWithoutIncreasingPC
00450DD0 CollectParameterAbsoluteAddress
00451010 CollectParameters
0044B400 ProcessCommands0to99
00446390 ProcessCommands100to199
00444BE0 ProcessCommands200to299
00453670 ProcessCommands300to399
00451F90 ProcessCommands400to499
00457580 ProcessCommands500to599
00456E20 ProcessCommands600to699
00455030 ProcessCommands700to799
0045B220 ProcessCommands800to899
00458EC0 ProcessCommands900to999
006084C0 ProcessCommands1000to1099
00606730 ProcessCommands1100to1199
00630650 ProcessCommands1200to1299
0062E940 ProcessCommands1300to1399
00637600 ProcessCommands1400to1499
0044FBE0 ProcessOneCommand
00450E50 StoreParameters
data:
007D7438 ScriptParams dd 20h dup(?)
00821280 ScriptSpace db 260512 dup(?)

to find out the address of opcode 0407h, here's what you do:
convert to decimal: 1031.
find the appropriate function: ProcessCommands1000to1099.
there, you'll find some code like this:
CODE  
lea     eax, [esi-1002]
mov     ebx, ecx
cmp     eax, 61h      ; switch 98 cases
ja      loc_609633    ; default
jmp     off_6D750C[eax*4]; switch jump

so you do: 1031-1002=29.
this means you have to get the 30th address in the list at off_6D750C, which happens to be loc_6089EA.
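A worked model of the two-level dispatch that sheep's first post and CyQ's notes above describe: the 2-byte opcode word picks a ProcessCommandsNNNN bucket, the bucket's switch subtracts its first handled opcode and indexes a jump table, and the parameters are then collected type byte by type byte. This is an added example, not the game's code or projectx's: the bucket addresses and the 1000-1099 switch layout are the ones CyQ posted; the NOT flag in bit 15, the parameter type bytes, the /16 fixed-point float encoding and the per-opcode parameter counts are assumptions about the III/VC script format, and the SAMPLE byte string is constructed for the demo.

```python
import struct

# Handler addresses quoted from CyQ's notes in this thread (GTA:VC exe).
PROCESS_COMMANDS = {
    0: 0x0044B400, 100: 0x00446390, 200: 0x00444BE0, 300: 0x00453670,
    400: 0x00451F90, 500: 0x00457580, 600: 0x00456E20, 700: 0x00455030,
    800: 0x0045B220, 900: 0x00458EC0, 1000: 0x006084C0, 1100: 0x00606730,
    1200: 0x00630650, 1300: 0x0062E940, 1400: 0x00637600,
}
# (first opcode in the switch, case count, jump table) per bucket. Only the
# 1000-1099 bucket is given in the thread: lea eax,[esi-1002] / cmp eax,61h /
# jmp off_6D750C[eax*4]. Others are filled in the same way from disassembly.
SWITCH_INFO = {1000: (1002, 0x62, 0x006D750C)}

NOT_FLAG = 0x8000  # assumption: bit 15 of the opcode word is the NOT flag

# Parameter counts for the opcodes used in SAMPLE (assumption; the real
# parser calls CollectParameters with a per-opcode count).
ARITY = {0x0001: 1, 0x0038: 2, 0x009A: 6, 0x0315: 0}

# Type bytes (assumption): 1 int32, 2 global var, 3 local var, 4 int8,
# 5 int16, 6 = int16 fixed point / 16, the float the post says is rebuilt
# from bytes with shifts rather than read directly.
T_I32, T_GVAR, T_LVAR, T_I8, T_I16, T_F16 = 1, 2, 3, 4, 5, 6


def dispatch(opcode_word):
    """Map an opcode word to its bucket and, where the switch layout is
    known, to the exact jump-table slot (None means the switch default)."""
    opcode = opcode_word & 0x7FFF
    bucket = (opcode // 100) * 100
    if bucket not in PROCESS_COMMANDS:
        raise ValueError(f"opcode {opcode:04X}h has no known handler bucket")
    result = {"opcode": opcode, "negated": bool(opcode_word & NOT_FLAG),
              "function": PROCESS_COMMANDS[bucket], "index": None, "slot": None}
    if bucket in SWITCH_INFO:
        base, cases, table = SWITCH_INFO[bucket]
        index = opcode - base
        if 0 <= index < cases:
            result["index"] = index
            result["slot"] = table + 4 * index
    return result


def collect_parameters(buf, pc, count):
    """Decode `count` type-prefixed parameters starting at buf[pc]."""
    fmt = {T_I32: ("<i", "int"), T_GVAR: ("<H", "gvar"), T_LVAR: ("<H", "lvar"),
           T_I8: ("<b", "int"), T_I16: ("<h", "int"), T_F16: ("<h", "float")}
    params = []
    for _ in range(count):
        kind = buf[pc]
        pc += 1
        if kind not in fmt:
            raise ValueError(f"unknown parameter type {kind:02X}h at {pc - 1}")
        code, label = fmt[kind]
        (value,) = struct.unpack_from(code, buf, pc)
        pc += struct.calcsize(code)
        params.append((label, value / 16.0 if kind == T_F16 else value))
    return params, pc


def process_one_command(buf, pc):
    """Read one opcode word, dispatch it and collect its parameters."""
    (word,) = struct.unpack_from("<H", buf, pc)
    instr = dispatch(word)
    if instr["opcode"] not in ARITY:
        raise ValueError(f"no arity known for opcode {instr['opcode']:04X}h")
    instr["params"], pc = collect_parameters(buf, pc + 2, ARITY[instr["opcode"]])
    return instr, pc


def run_script(buf):
    """Decode a whole opcode stream into a list of commands."""
    pc, out = 0, []
    while pc < len(buf):
        instr, pc = process_one_command(buf, pc)
        out.append(instr)
    return out


# Constructed sample stream (not taken from any real main.scm).
SAMPLE = bytes([
    0x01, 0x00, 0x04, 0x00,                    # 0001: one int8 param (0)
    0x9A, 0x00,                                # 009A: create actor
    0x04, 0x04, 0x04, 0x07,                    #   pedtype 4, model 7
    0x06, 0x38, 0xFF,                          #   x = -200/16 = -12.5
    0x06, 0x40, 0x06,                          #   y = 1600/16 = 100.0
    0x06, 0xA0, 0x00,                          #   z = 160/16 = 10.0
    0x02, 0x0C, 0x00,                          #   result -> global var 0Ch
    0x38, 0x80, 0x02, 0x08, 0x00, 0x04, 0x01,  # 8038: NOT form of 0038
    0x15, 0x03,                                # 0315: no params
])

if __name__ == "__main__":
    d = dispatch(0x0407)
    print(f"0407h -> bucket {d['function']:#010x}, case {d['index']}, slot {d['slot']:#x}")
    for c in run_script(SAMPLE):
        print(f"{c['opcode']:04X}h negated={c['negated']} params={c['params']}")
```

The 0407h walk-through reproduces CyQ's arithmetic (1031 - 1002 = 29, the 30th table entry), and a hook that logs the output of process_one_command before handing control back is exactly the "last opcode and parameters" logger sheep mentions in #3.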


Kryptos
  • Kryptos

    Hacker

  • Members
  • Joined: 05 Nov 2003

#11

Posted 02 September 2004 - 10:29 PM Edited by Kryptos, 02 September 2004 - 10:35 PM.

I realize this post is off topic, but I feel it only appropriate to mention this. Sheep's tutorials, aside from +ORC's few documents on Win32 hacking, are really what shined light on game hacking for me, he's written numerous tutorials on everything from Dynamic Memory Allocation to Direct X Hooking, his DirectX Hooking tutorial being the only one I've ever seen of its kind. Good luck on this project of yours, I am intrigued as to what your final product will accomplish. I've thought about this in the past, although the implementation seemed beyond what I had time for. The major difference between what you've done and what I had in mind was that I merely wanted to overwrite the unused, or relatively unused, opcodes with more powerful ones at runtime, although your project sounds like it will add much more functionality than I could have ever dreamed of achieving.

Cray
  • Cray

    MTA Developer

  • Members
  • Joined: 01 Jul 2002

#12

Posted 03 September 2004 - 02:10 AM

I must say a lot of interesting work has been done here, and I can't wait to see what comes from it.

It is definitely interesting to see others venture in this sort of territory, which is often left unventured in these sorts of games. The amount of power that can come out of hooking directly into this game is immense and you guys are definitely heading in the right direction.

Keep us all posted here, and some of my other team members and I will try to drop some ideas and help where we can.

[sheep]
  • [sheep]

    Player Hater

  • Members
  • Joined: 01 Sep 2004

#13

Posted 03 September 2004 - 03:56 AM


kryptos..

It's always nice to find out your work is appreciated by others.. I hope we all learn a little something from all this.. knowledge is power.. and some people seem to love to horde it.. my intention is only to spread the knowledge so we can all get a little further in our endeavors... tnx again..


Cray..

Now, you may find this reply a little harsh.. but from what ive seen around this place i think its a) long overdue.. and b) most definitely deserved.

Ive noticed in many posts where the posting parties have either revealed something rather interesting or .. they have shown knowledge of a given subject you reply with the EXACT same trash that you just used in this thread.. you make it sound like you have done all this before.. now!! dont get me wrong.. im not one to band around insults without having a little something to back them up..

If I believed for 1 second that you had any knowledge on the reversing or hooking of gta then i wouldnt be typing this reply to you.. but before i started all this with my good friend spookie we decided to just have a looksee at what was already around.. and when we had stopped laughing.. we knew that it was our duty to bring an actual playable MP mod that wasnt coded by complete f*cking idiots.

btw.. i use the term CODED very loosely here..

your team (which seems to have about 10 lead programmers) and if they dont lead programming they lead something else.. bang on about how you cant possibly let out any secrets because it would aid cheaters in their quest.. ive got a little news for you.. your code is so poorly protected its almost like you want people to cheat anyway!!! from your pathetic trainer detection which HOLY sh*t!!! checks every window name for the word TRAINER!! f*cking hell lads.. must have taken you all night to think that one up!! to your laughable 2.. count them!!! 2 crc file checks... i mean!! you put the message box for the CRC ERROR directly under the check.. why dont you just include an inbuilt trainer? it would save anyone with half a brain 10 seconds work..

how about I point YOU!!! in the right direction... why not use the crc check of the files later on in the loading of the program as part of a decryption key?? that way its very difficult to find.. sh*t.. even putting the messagebox further away from the actual check would be a 100% improvement on your current attempts..

if on the other hand im completely wrong.. and mta was written by a bunch of hardcore reversing maniacs.. why on gods earth do u ignore the immense power of what a hook into the scripting engine can do? MTA looks like it was coded by a bunch of visual basic monkey spasms on a f*cking ego trip..

btw.. ive checked the website.. i do apologize to anyone that is actually normal on the MTA team.. im sure there must be at least 1 or 2.. this is not directed at you in any way.. just the idiots that come to these forums holding their extreme lack of knowledge over others..

IN THE LAND OF THE BLIND!! THE ONE EYED MAN IS KING!! that sums up MTA.

its not often I lash back.. but i try and make sure i get the message across when i do..


Spooky
  • Spooky

    Prince of the Yolkfolk

  • Members
  • Joined: 13 Jan 2002

#14

Posted 03 September 2004 - 06:27 AM

user posted image
It's resized, the console doesn't look that tiny in 640x480 wink.gif

user posted image
Reminds me of Thriller.

user posted image
Wheres Wally?

user posted image
Enticing.

user posted image
Satisfying.

Opius
  • Opius

    General

  • Feroci
  • Joined: 27 Jun 2002

#15

Posted 03 September 2004 - 06:40 AM

Now I'm REALLY looking forward to it inlove.gif

ThE_cHeEsE
  • ThE_cHeEsE

    Rat

  • Members
  • Joined: 06 Feb 2004

#16

Posted 03 September 2004 - 06:42 AM

omfg wat opius said!!!

Spooky
  • Spooky

    Prince of the Yolkfolk

  • Members
  • Joined: 13 Jan 2002

#17

Posted 03 September 2004 - 08:56 AM

This isn't the demo we were planning release, we were planning a choreographed scene using some of the actor behaviour protocols, but here you go...

http://sheeps.revers.../spooshdemo.zip

This release doesn't have the opcode logger as we've modified the asm core this morning for the above mentioned actor behaviour protocols.

Simply drop the executable file into your vice root directory and execute it.

It spawns cars and actors, either random or specified -

Press F11 to be able to type into the console, and then the available commands are

/car [id]
This will spawn a vehicle beside you (despite the name, this works on all vehicles). To view a list of valid vehicle ids press F9. If you do not specify an id a random car will be spawned.

/actor [model]
This will spawn an actor beside you. [model] is an optional string specifying the model the actor will have. To view a list of valid model strings press F10. If you do not specify a model it'll be random.

/screenshot
This saves the game's front buffer to file in bitmap format. Files will be named vice00.bmp to vice99.bmp and saved in the game's root directory.

/trans
Toggles the in-game GUI transparency.

/quit
Quits the game without going through the menus wink.gif

This is nothing spectacular yet it does demonstrate the flexibility and power of the approach we've taken in producing this mod.

After playing about with our dynamic scripting engine a bit more (we're making it even more flexible would you believe) it'll be time to move onto the network coding. Once the basics are setup (multiple players interacting in the same world) we'll move onto cooperative missions smile.gif .

Don't expect miracles in the terms of the timescale of this project as we're only a two man team with other commitments, but rest assured we'll have it done in about 1/100th of the time it's taken certain other mp mods.

[EDIT] If you downloaded this right after posting grab it again wink.gif We've been working with v1.1, and forgot to add the v1.0 check. It's been added now and works with both versions.

Stretchnutter
  • Stretchnutter

    Also known as Racer_S

  • Members
  • Joined: 15 Jun 2002

#18

Posted 03 September 2004 - 09:39 AM Edited by Stretchnutter, 03 September 2004 - 09:45 AM.

WOW... thats really neat... i've dived into the asm part of the scripts plenty of times but this is amazing.


Spooky forgot to mention this demo only works with the 1.1 patch .

This is fun, keep it up guys wink.gif

Greetz [sheep]

WOW!
user posted image

Spooky
  • Spooky

    Prince of the Yolkfolk

  • Members
  • Joined: 13 Jan 2002

#19

Posted 03 September 2004 - 09:40 AM

Gah Stretchnutter! You beat me to my edit wink.gif It works with both versions now.

[EDIT]
If only you had a minigun wink.gif
(p.s. you can cycle the models using /actor dbg)

ThE_cHeEsE
  • ThE_cHeEsE

    Rat

  • Members
  • Joined: 06 Feb 2004

#20

Posted 03 September 2004 - 09:55 AM

wow i just tested it, amazing in only a few days have some cookies cookie.gif cookie.gif cookie.gif .

So about project x will it be turned into a mp mod i mean if u can do this in a few days i would love to see what kind of mp mod u guys could make

Stretchnutter
  • Stretchnutter

    Also known as Racer_S

  • Members
  • Joined: 15 Jun 2002

#21

Posted 03 September 2004 - 10:18 AM

Thanks for the advice. colgate.gif

weeeeee

user posted image


So what are your [spooky, sheep] intentions? Maybe an MP mod or a supercharged console?


Just this demo is very useful.... ever try to spawn a PCJ with any other trainer? lol.gif

Cowpat
  • Cowpat

    web schmeb

  • Members
  • Joined: 12 Feb 2004

#22

Posted 03 September 2004 - 10:27 AM


Hail to the kings!!!

wish I knew assembler sad.gif

TwoZero
  • TwoZero

    Ghetto Star

  • The Connection
  • Joined: 15 Apr 2003

#23

Posted 03 September 2004 - 10:54 AM Edited by TwoZero, 03 September 2004 - 10:58 AM.

Downloading now...

This looks awesome wow.gif and that only in a few days work....

btw Sheep, I looked up some tutorials you wrote, about memory editing, DMA and DirectX hooking. I was looking for such tutorials, very well written, thank you very much smile.gif

p.s LMAO @ MTA dedicated post biggrin.gif

EDIT: Holy sh*t, I just tested it... all I can say is awesome inlove.gif

Cray
  • Cray

    MTA Developer

  • Members
  • Joined: 01 Jul 2002

#24

Posted 03 September 2004 - 11:27 AM Edited by Cray, 03 September 2004 - 11:42 AM.

I don't want to clutter up this post with our wars, and I am sure a lot of what was said was deserving. I will take this criticism with a grain of salt and leave it at that. Although I have not tried what you posted, I will later today, but it definitely seems neat.

Btw, I am personally so tired of fighting with other teams which are all heading towards a similar goal. I was sincerely offering our assistance where we can, and the offer will still be held here. We are obviously going in two different directions (your coop, and us dm/etc...), so I don't see why we can't help one another through this process so we can get to an end result faster. Either way, the ball is in your court.

I will leave you with the following image, to show our "inexperience" as well:

user posted image

[sheep]
  • [sheep]

    Player Hater

  • Members
  • Joined: 01 Sep 2004

#25

Posted 03 September 2004 - 12:00 PM

If you had shown this much willing to help others in the past (and ive read a lot of nasty posts you have written) then this episode would never have happened. Ive met many people like you on projects, the little people do NOT!! matter to you.. when you see someone that can aid you in your own cause then the story starts to change and your TRADE SECRET bullsh*t starts to show cracks..

so.. let me tell you how its going to be..

WE!! will give people the help they need.. because you are no longer needed or wanted.. there is very little aspect that i wont or cant help people with.. and if this aids them to get the upper hand on power hungry muppets like you then its a pleasure to see.

Spooky
  • Spooky

    Prince of the Yolkfolk

  • Members
  • Joined: 13 Jan 2002

#26

Posted 03 September 2004 - 12:36 PM

Did you take that screenshot just now Cray? Its just I think i've seen that before...

Also, It doesn't really show much without an explanation.. Enlighten us.

Cray
  • Cray

    MTA Developer

  • Members
  • Joined: 01 Jul 2002

#27

Posted 03 September 2004 - 01:00 PM

It does not seem like I am really welcome here, but I will still respond to your question.

Actors and Vehicles created on command fully in game. In this test mode, you specify the type of Actor / Vehicle (similar to your program I presume), and it creates the object at the Player Position, plus an offset.

You also see our chat, which is done through DirectX, also similar to yours. You will also notice some text in the middle of the screen, which identifies the object which you are currently looking at. So, the object I am pointing to now is an actor, so it says Actor, some related info, and the pointer it holds.

The image is probably similar to what you may have seen in our latest Teaser video, or potentially some screens we have tossed about. The airport is our "test area", and the commands to do this sort of thing have been completed for quite some time now.

But, I don't want to take away from your guys work, but I also don't like being threatened.

This thread is for your mod, and NOT ours. I am more than happy to discuss ANY part of MTA with either of you, but out of respect for everyone here I will not flood this thread unless I can help in specific areas. Contact me at [email protected] if you want, but otherwise I will just be an observant in this thread.

Kryptos
  • Kryptos

    Hacker

  • Members
  • Joined: 05 Nov 2003

#28

Posted 03 September 2004 - 02:18 PM Edited by Kryptos, 03 September 2004 - 02:21 PM.

I know this may sound like an idiotic question but I was just amazed at how much you've accomplished in such a short time period since progress in this community is more then less based on months and not days. Is this release based on C++ with Assembly modules, or vice versa (Assembly with C++ modules)? I'm so bedazzled by all of this, I never thought the day would come when such respected game hackers would appear in this community. I can't believe I've overlooked Spooky for so long, I knew his name sounded familiar but I couldn't quite figure out where I'd heard it before.

I had to edit my original post because I'd completely overlooked the DirectX GUI.

Cowpat
  • Cowpat

    web schmeb

  • Members
  • Joined: 12 Feb 2004

#29

Posted 03 September 2004 - 03:20 PM Edited by Cowpat, 06 September 2004 - 08:03 AM.


This is great. Will you be able to assign paths to spawned peds and vehicles? I'm sure my machine can handle a lot more traffic than is currently spawned by the game.

ggm_SpYder
  • ggm_SpYder

    Player Hater

  • Members
  • Joined: 22 Oct 2003

#30

Posted 03 September 2004 - 05:46 PM

unbelievable...

Although my knowledge I feel like a baby here....

while reading this I get so many questions but I think Kryptos would be the better person than me to speak to you....and may be get some answers...I hope. :-)

keep on going!!!!!



