[V] Script/Native Documentation and Research
PLAYER::GET_PLAYER_PED

 

Hashes: 0x43A66C31C68491C0 0x6E31E993

--------------------------------------------------------------------------------------------------------------------------

Ped GET_PLAYER_PED(Player player) // 0x43A66C31C68491C0 0x6E31E993

--------------------------------------------------------------------------------------------------------------------------

jet fuel can't melt steel beams.

 

 

9/11? Lol...

Edited by Enumerator
Neutrinobeam

I don't know who, if anyone, out there is working on brute-forcing natives, but I've been looking at the Jenkins one-at-a-time hash (supposedly the innards of GET_HASH_KEY). I noticed some things that might make the brute force faster.

 

The hash function parts are reversible; the problem is not knowing the input string, so you don't know what character value to subtract from the hash.

    def joaat(input):                  # Jenkins one-at-a-time, all arithmetic mod 2**32
        hash = 0
        for char in input:             # input is a byte string; one round per character
            hash = (hash + char) & 0xFFFFFFFF
            hash = (hash + (hash << 10)) & 0xFFFFFFFF
            hash ^= hash >> 6
        hash = (hash + (hash << 3)) & 0xFFFFFFFF    # final avalanche, run once
        hash ^= hash >> 11
        hash = (hash + (hash << 15)) & 0xFFFFFFFF
        return hash

The set of uint_32 can be considered an abelian group (Z_2^32) under addition and multiplication mod 2^(32). So the += (<<) lines can be replaced with *= 0x401, 0x9, or 0x8001.

 

Because they are all of the form 2^(n)+1, they are relatively prime to 2^(32) and have multiplicative inverses in Z_2^(32), easily computable with the Extended Euclidean Algorithm.

 

1/1025 = 0x3FFF801, 1/9 = 0x38E38E39, and 1/32739 = 1/0x8001 = 0xC00FFC01

 

So hash = prehash + prehash << 10 (= prehash * 0x401) can be inverted with prehash = hash * 0x3FFF801 (or the appropriate += <<.) And the others similarly.

 

The ^= >> steps leave a window that can be exploited from the top down to undo the operation.

    def undoXor(hash, shift):          # invert hash ^= hash >> shift on a 32-bit value
        if shift < 1 or shift > 31:
            return 0
        prehash = hash                 # the top `shift` bits of hash are already the right bits
        for i in range(32 // shift):   # each pass recovers the next window of `shift` bits below
            prehash = hash ^ (prehash >> shift)
        return prehash

From that, the final three lines of Jenkins can be reversed for every known hash to create an associated hash that acts better. Specifically, to hash "abcd", you only need the associated hash of "abc" and the letter "d". The associated hashes can be reverse-searched for common prefix associated hashes ("get_", "is_", etc.), or an end-first search can be done. Look for 50-character strings using just memory for 49 associated hashes ("a", "ab", "abc", etc.) and not having to recompute information. Do "aba" through "abz" using "ab", then find "ac" and do "aca" through "acz", working towards shorter strings.
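An added Python example, not code from the post or from any of the tools mentioned in the thread, that works through the inversion described above. The inverse constants are computed with pow(c, -1, 2**32) instead of being typed in, so the values it produces can be checked against the ones quoted in the post; undo_xor_shift() inverts h ^= h >> s top window first; unfinalize()/finalize() move between a published hash and its associated hash; extend()/undo_char() add or remove one character; and search_with_prefix() generalises the prefix-first search sketched above to word chains, hashing the prefix once and extending the running state for each candidate. All function names are mine, and the WORDS list and TARGETS set are constructed for the demonstration.

```python
# Added example, not code from the post: inverting Jenkins one-at-a-time (JOAAT)
# step by step. The word list and target hashes at the bottom are constructed.
MASK = 0xFFFFFFFF

def extend(state: int, c: int) -> int:
    """Per-character loop body: mix one more byte into the running state."""
    h = (state + c) & MASK
    h = (h + (h << 10)) & MASK      # same as h *= 0x401 (mod 2**32)
    h ^= h >> 6
    return h

def finalize(state: int) -> int:
    """The three avalanche steps applied once after the last character."""
    h = (state + (state << 3)) & MASK   # h *= 0x9
    h ^= h >> 11
    h = (h + (h << 15)) & MASK          # h *= 0x8001
    return h

def joaat(data: bytes) -> int:
    """JOAAT over raw bytes, 32-bit result."""
    h = 0
    for c in data:
        h = extend(h, c)
    return finalize(h)

def inv_mul(c: int) -> int:
    """Multiplicative inverse of an odd constant modulo 2**32 (extended Euclid inside pow)."""
    return pow(c, -1, 1 << 32)

INV_0x401, INV_0x9, INV_0x8001 = inv_mul(0x401), inv_mul(0x9), inv_mul(0x8001)

def undo_xor_shift(y: int, shift: int) -> int:
    """Invert y = x ^ (x >> shift) for 32-bit x.

    The top `shift` bits of y are untouched bits of x, so starting from x = y and
    re-applying y ^ (x >> shift) fixes one more window of `shift` bits per pass,
    top down; 32 // shift passes reach the bottom of the word.
    """
    if not 1 <= shift <= 31:
        raise ValueError("shift must be between 1 and 31")
    x = y
    for _ in range(32 // shift):
        x = y ^ (x >> shift)
    return x

def unfinalize(h: int) -> int:
    """Undo finalize(): published hash -> associated hash (state after the last byte)."""
    h = (h * INV_0x8001) & MASK
    h = undo_xor_shift(h, 11)
    return (h * INV_0x9) & MASK

def undo_char(state: int, c: int) -> int:
    """Inverse of extend(): strip a known last byte c from an associated hash."""
    h = undo_xor_shift(state, 6)
    h = (h * INV_0x401) & MASK
    return (h - c) & MASK

def search_with_prefix(prefix: bytes, words: list, targets: set, depth: int) -> dict:
    """Prefix-first search: hash `prefix` once, then extend the running state word by
    word ('_'-joined) up to `depth` words, finalizing each candidate for comparison
    against the target set. Returns {hash: name} for every hit."""
    found = {}

    def walk(state: int, name: bytes, remaining: int) -> None:
        h = finalize(state)
        if h in targets:
            found[h] = name.decode()
        if remaining == 0:
            return
        for w in words:
            s = state
            for c in b"_" + w:          # only the new bytes are mixed in
                s = extend(s, c)
            walk(s, name + b"_" + w, remaining - 1)

    state = 0
    for c in prefix:
        state = extend(state, c)
    walk(state, prefix, depth)
    return found

# Constructed demo data: a tiny dictionary and two "unknown" hashes made right here.
WORDS = [b"PLAYER", b"PED", b"ENTITY", b"HEALTH", b"COORDS"]
TARGETS = {joaat(b"GET_PLAYER_PED"), joaat(b"GET_ENTITY_COORDS")}

def demo() -> dict:
    return search_with_prefix(b"GET", WORDS, TARGETS, depth=2)

if __name__ == "__main__":
    print(f"1/0x401 = {INV_0x401:#x}, 1/0x9 = {INV_0x9:#x}, 1/0x8001 = {INV_0x8001:#x}")
    assoc = unfinalize(joaat(b"abc"))
    print("abc -> abcd via associated hash:", finalize(extend(assoc, ord("d"))) == joaat(b"abcd"))
    print({f"{h:#010x}": n for h, n in demo().items()})
```

The search only ever finalizes the candidate it is looking at; the per-character work for the shared prefix is done once and reused down the whole subtree, which is the saving the post is after. Run the block as a script to see the computed inverse constants next to the names the demo recovers.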

Neutrinobeam

It was never about brute-force speed but about hash collisions.

 

I think it would be more useful if we had a program where we can input just one hash and see all the possible collisions so we can pick the most fitting one (basically like Skorpo's but faster like yours), which would probably be found among the shortest hits. I ran it once and the list has more comedic value than anything else. IS_CANCERSTICKS_SYSTEM_SIGNIN_UI? GIVE_SNIFF_PED_AMMO_BY_TYPE? IS_PIMP_ALL_ADRENALINE?? I can't even see a single one in the whole list that makes any sense.

 

By the way concerning the new hashes since we already know the name of the natives we can directly search for those, right? As in have "GET_PLAYER_PED" and search for a hash that matches?

...we need to name their params and types here as well, in order to put more understanding into whatever natives do.

The nativedb page does not appear to allow in-place edits. How can I contribute better descriptions of params and overall information once I discover it?

You click that little pen right there.


Alexander Blade

Does anybody here have Online ysc/rpf with scripts ?

 

Where can I find the online decompiled scripts, or don't they exist?

I need the script of the prison break heist.

Edited by Alexander Blade
sasuke78200

Yes, there's a rpf stored on R* cloud named bg.rpf which contains online scripts (for hot-fixing for example).

 

 

http://prod.cloud.rockstargames.com/titles/gta5/pcros/bgscripts/bg_ng_372_0_rpf-Versions/0d55faa5-6b2d-46b1-bb8c-01f3143bff50.rpf

Edited by sasuke78200

Can you give me those scripts, please?

MrGTAmodsgerman

 

They're included, but I don't know how to open it; it gives an error message in LibertyV and OpenIV.

Edited by MrGTAmodsgerman

 

 

You have to decompile them to get the code.

 

 

So, since http://gta5-mystery-busters.onet.domains/tools/hashlist.php is down, does anyone still have a list of hashes for items?

It's not down anymore. By the way, is there a visualiser for those?

 

CTRL + F > ALL :santa:

 

I mean so you can see what the models look like.

I really want to be able to contribute to nativedb naming, but I'm a business app developer, not a game engine veteran.

I do have a simple working script I wrote that calls natives, so I'm at least that far.

Does optimized.exe have to be run in the same folder as the game .exe?

Run optimized.exe while the game is running or not running?

Some actual command lines that show optimized.exe in use would be very helpful.

Do you have a dev environment set up that lets you set breakpoints and be able to type and execute, like the Immediate Window in Visual Studio?

It seems brutal to have to restart the game every time just to mess with a native.

Is it just by luck that optimized will get a hit?
If you get something, how do you actually test it?

Any guidance would be much appreciated.

Hey man, hope this helps you a little.

 


Here's a way around restarting the game.

 

 

OK, thanks. I am working mostly in .NET, so that is nice, to not have to reload. I'm off to study the decompiled scripts. There is so much to learn, but it will be well worth the effort to be able to harness Rage to the fullest, being the masterpiece it is. I work for the DOT, and the $250k driving sim we have now looks like Mario Kart on Nintendo 64 compared to GTAV. I ultimately want to use Rage for doing traffic flow studies.

 

 

you have to decompile them to get the code

 

How?

 

I don't know how, but you see the decompiled scripts.

Edited by marhex

Not sure if it's just me being plain stupid here, but in the later versions of Native Trainer you added a function to prevent the player from flying through the windscreen. Now here is the code:

    const int PED_FLAG_CAN_FLY_THRU_WINDSCREEN = 32;

    // the seatbelt option was just toggled: when it is switched off, restore the default flag
    if (featureVehSeatbeltUpdated)
    {
        if (bPlayerExists && !featureVehSeatbelt)
            PED::SET_PED_CONFIG_FLAG(playerPed, PED_FLAG_CAN_FLY_THRU_WINDSCREEN, TRUE);
        featureVehSeatbeltUpdated = false;
    }

    // seatbelt on: keep the flag cleared every tick so the ped is never ejected
    if (featureVehSeatbelt)
    {
        if (bPlayerExists)
        {
            if (PED::GET_PED_CONFIG_FLAG(playerPed, PED_FLAG_CAN_FLY_THRU_WINDSCREEN, TRUE))
                PED::SET_PED_CONFIG_FLAG(playerPed, PED_FLAG_CAN_FLY_THRU_WINDSCREEN, FALSE);
        }
    }

I'm just curious how to find the different flag IDs?

Alexander Blade

There is no list; this one was found by assumption, using the natives located around it.

 

Sorry to ask again:

Is it not possible for someone to make a brute-forcing program in CUDA (to use the GPU)? The computing power gained would be much greater.

I personally do not develop in CUDA, but if anyone knows how, it might help?

And what is the name of the new hash algorithm for native functions? (Not JOAAT, but the other one.)

 

Thank ^^

Edited by TransmetTeam

I programmed a little native brute-forcer in C#.

I named it "Large Hash Collider" (LHC) :santa: .

It is based on a dictionary of 500 words; it mixes them and forms a chain (the chain is kept from exceeding 30 characters).
The string is hashed with JOAAT, and the JOAAT hash is then checked against a dump of 1799 JOAAT hashes that are still not found (which I have to retrieve from NativeDB); if one matches, the hash and the native name are displayed.

I find it rather powerful; it gives me at least one native every 15 seconds, even if it is quite random.

I'm sorry for my English.

The link: http://www.mediafire.com/download/4p1616w6cvpwlgo/Large_Hash_Collider_-_V2_-_Transmet.zip

EDIT: Link updated (with the new version of the program). This new version adds 300 words to the dictionary and corrects 2 bugs.

Edited by TransmetTeam
lulzmodder

I was just trying to figure out few unknown things in the entity section, and as a result I got these:

    Vector3 ENTITY::_0xE465D4AB7CA6AE72(Any p0)  // GET_ENTITY_COLLISION_NORMAL? normalized collision point
    Any _0x5C3D0A935F535C4C(Any p0)              // GET_COLLIDED_STATIC_MAP_OBJECT_HASH? they can't be created or spawned though
    void _0x621873ECE1178967(Any p0, float p1, float p2, float p3, BOOL p4, BOOL p5, BOOL p6, BOOL p7)  // works same as SET_ENTITY_COORDS (O.o)
Edited by lulzmodder
InfamousSabre

 

GET_ENTITY_COLLISION_NORMAL seems very useful to me, but I'm confused as to what exactly it returns. What is a collision normal / normalized collision point?

Edited by InfamousSabre
