Hack Snapmatic

I've been working for a while on a system which would allow people at the Liberty-Tree to take as many picture as they want inside GTA V. The system implemented by Rockstar Games allows only 96 saved pics per player which is a ridiculousely low limit for us. I've heard about people diverting the data-stream between R* servers and their gaming console in order to cheat and make huge amount of money, so I decided to make my own similar set up and to try to do something with for pics.

This is partly a translation from french of something I posted on various forums in order to get help. Unfortunately, this does not work anymore since 1.10 update. I didn't search why yet. I'll update when done.

A little bit of explaination

What is Snapmatic ?

When you take pictures in GTA V, you are allowed to save them "on the cloud", this service is called Snapmatic, a parody name for Instagram.

Pictures are stored inside the console and on the cloud. The console is only able to store 96 pics but the cloud saves everything you send to it whithout any limit. This is the console which enforces the 96 pics limit.

Let's summarize what happens when you take and save a picture on the cloud:

  1. Player starts console and launches the game
  2. The game requests Snapmatic cloud to know how many slots are empty, gets a response and keeps it
  3. Player takes a pic
  4. The game checks if there is any available slots
    -> If there is no available slots, game throws error and this stops here.
  5. Player selects save
  6. Pic is sent to Snapmatic cloud inside a blob containing also 1041 bytes of metadata
  7. Cloud saves the pic and responds with a success message, console decreases the available slot counter and saves the pic locally

Each time you take another picture, this goes through steps 3 to 7, the real number of available slots is never checked again.

If you delete a picture, the number of available slots is increased as the pic is deletes from cloud and console.

So, let's imagine you were allowed to take 500 pics, the number of available slots will be zero when starting the game, then if you delete one picture, you will be able to take another one, even if the real number if far past the limit.

DNS Hack

Around december 2013, many players started cheating by creating huge amounts of money. The method was simple, DNS hijacking allowed to divert connections to Rockstar's server and to manipulate data inside the requested files. Most cheaters didn't even understand what they were doing and simply used DNS IPs relased on various forums.

That's how all these people created all that money, a simple JSON file named "tunables.json" was used by the game, it countained some variables used as coefficient values for amount of money/rp earned by players after each missions. Tweaking these coefficients to high values allowed cheaters to gain billions of GTA$ just by doing simple missions.

What about pictures?

The idea with snapmatic pictures is almost the same, pics are sent to Rockstar as POST data inside an HTTP request to http://prod.ro[…]eateContent

So I just installed a dnsmasq/nginx/php-fpm combo on a Ubuntu testing server I got and started trying to get the picture before it reached Rockstar's server. The ultimate idea was to save the pictures taken directly on my website instead of Rockstar's servers.

The issue

I successfully captured data each time I was taking photo inside the game, but all I got was encrypted data. The data I got was always 1041 byte larger than the PNG picture file published on Snapmatic's website (so I guess the console itself creates the PNG file and sends it encrypted with joined metadata).

I didn't try to go further with this, mainly because I didn't want to spend much time on something Rockstar would patch in a future update, but I found that if Snapmatic answer wasn't relayed to the console, the available pic slot counter wasn't decreased and you were allowed to take as many pics as you wanted. Unfortunately, this is now over since update 1.10 changed this.

To be continued…