Information on Anti-Money Cheats in GTA Online

Andrew

Commissioner
Commissioner
Jun 3, 2015
18
Original Information:




The following is some information regarding the determination of getting flagged for money-related cheats in GTA Online. As far as I know, this may only apply to the PC version of GTA Online. Of course, the New Team of Weapons and Tactics does not condone nor endorse cheating in any game and as such, this information is for reference only. Credits for this information and research all go to <a class="bigusername" href="http://www.unknowncheats.me/forum/member1136894.html">leveln</a>, from UC.




The following is - in other words - some reversal info on the High Earner flag which marks an account for statistical analysis. It is set when you make too much money over a time period.




Here's the TL;DR version:




- Proof that your account is flagged if you earn over 50k/hour

- The flag is MPPLY_IS_HIGH_EARNER

- It is calculated when the money is sent to R* servers, so you can't change the stat

- It appears to be calculated from MPPLY_TOTAL_EVC

- Lowering MPPLY_TOTAL_EVC should trick the calculation to not flag the account




- Alternatively, you MAY be able to unset MPPLY_IS_HIGH_EARNER every script loop so it never gets sent.




Detailed Previous Research:




If you cleared this flag after the money was earned and prior to the transaction being sent to R* servers, you will not be investigated. (See below why this is not always true)



Things like selling cars, buying ammo, job earnings, etc. will be sent the second the cash is earned, which is why using CE with the car selling exploit caused a lot of people to get banned. Even if they cleared their flags after the car was sold, the transaction already took place and the flag was sent alongside the earnings (maybe, more on this below).


The values used to calculate this flag come from the values of <b>HIGH_EARNER_VALUE</b> (default: $50,000) and <b>HIGH_EARNER_INTERVAL</b> (default: 1 hour). When you earned over 50k within an hour timeframe, you were flagged and your account would be manually reviewed by a support agent.


<b>So when is this actually calculated?</b>

The transaction event exists at <i>.text:00007FF68D6922AC</i>. It uses <b>_?AV?$atSingleton@VGameTransactionSessionMgr@@@@</b> (more info below), which eventually calls the function at <i>.text:00007FF68D8F119C</i> to evaluate whether to set the MPPLY_IS_HIGH_EARNER flag, using the value stored in <b>MPPLY_TOTAL_EVC</b> (From R*: "Banked Cash that the player has EARN, either in game or via other mechanism.").


The tricky part of this, is that the flag is set DURING THE TRANSACTION, not when the money is added. It is only called on certain event types, though. I haven't reversed a list of events which trigger this, but that should be possible by investing enough time.

The question is, when are the flags sent to R* servers? Is it during the transaction, directly afterwards, or when the online session is saved (like finding a new session or switching to SP)? If it is afterwards or when the session is saved, then the flag can be set to FALSE and all is well. Otherwise, you are screwed on most transactions.

<b>SEE EDIT 2!!!</b>


More on <b>_?AV?$atSingleton@VGameTransactionSessionMgr@@@@</b>:

The data sent to R* for each transaction is: character, slot, bank, evc, pvc, pxr, nonce (one-time encrypted transaction key), c, pt, vct, vcp, amt (amount of transaction, I'm assuming), and usde.


<b>Other thoughts</b>:

The other stuff to watch out for is that other data is also collected in your stats, such as <b>PVC_DAILY_ADDITIONS</b> and <b>PVC_DAILY_TRANSFERS</b>. I ran out of time to reverse any of these, but statistical analysis could screw you in a ton of ways if they were so inclined. But do they bother if your high earner flag is not set? Doubtful, but maybe.



[EDIT 2]

Looking into the transaction function a little more, the MetricRecoupVC class (part of MetricTransaction) stores the MPPLY_IS_HIGH_EARNER flag. This struct is sent with the transaction. So if you see the spinning yellow circle, then the high-earner flag is being sent.


If the money bags are collected and the icon does not appear, you can clear your flag directly after (BUT!!!): One stipulation: Like I said before, the high-earner flag is calculated after the transaction has begun. So if you collect too much of these then your flag will be set when the transaction starts because your <b>MPPLY_TOTAL_EVC</b> is being checked.




 





December 30th, 2015 Update:




Checking and cross-referencing the in-game values in IDA yielded a confirmed value: $50,000 / 1 hour -> which is used in setting the high earner flag.




 









Pointers to both tuneables for the 350.2 Steam version have been included, if anyone wishes to toss em in CE or ReClass and see for themselves. They are both DWORDs (4 bytes).




Also a few other notes:




  1. Transaction term here that matters when these check are performed, are transactions to the servers, not in-game bank transactions. (i.e.: when you see the yellow circle, that's sending a transaction to the server).

  2. In older versions of the game, many people were banned who messed with money, and the anti-cheat was not inspecting processes so they couldn't know about things like Cheat Engine running.

  3. Functions/Routines were added in version 350.1 of Grand Theft Auto V which provide Rockstar the ability to scan your processes, see hooked DLLs, and check if your game is running with a debugger.

  4. Rumor has it that there is a function in the game client which submits your account for administrative review if you've made more than $500k/30 minutes.

  5. At the time of writing, money bags don't initiate a cash transaction. If this function is only called on transactions and is not called on every save, then luck for those who cheat is in their favor. Selling cars, good sport rewards, buying ammunition, and jobs, and so on all trigger a cash transaction with Rockstar servers. For example, selling a car at over $50,000 (i.e.: $51,000, $60,000, etc) will trigger the MPPLY_IS_HIGH_EARNER flag. Does that mean they are going to ban someone for selling it? Obviously not, but it is something to keep in mind.

  6. No one (here) knows exactly what Rockstar does on their end once the server receives the flag. They definitely don't manually investigate each case if it is triggered at 50k. However, it does appear to queue the account into a master queue/list of accounts to be analyzed automatically for odd earnings using your earnings stats and transaction history.

  7. You can be detected in Single Player since Social Club is always active. It is best to block all network activity from GTA5.exe via firewall or HOSTS when doing testing.
 

Bydget

New Member
Aug 23, 2015
1
This should be read through and understood as this could save your account. <fileStore.core_Emoticons>/emoticons/wink.gif