Documenting GTA3/VC memory addresses

1,185 replies to this topic
Vayan
  • Vayan

    Player Hater

  • Members
  • Joined: 05 May 2007

#901

Posted 24 December 2008 - 09:38 AM

Hello. I'm trying to find the address of the code that explodes a car when it is upside down. I've got no results. =(
Sorry for bad English.

Vayan
  • Vayan

    Player Hater

  • Members
  • Joined: 05 May 2007

#902

Posted 24 December 2008 - 03:02 PM Edited by Vayan, 27 December 2008 - 07:37 PM.

I've made it!!!
at 4BE012h fill 6 bytes with 90h
at 59B744h - the same
In gta-vc.exe it is BDC12h and 19B344h.
The first address is the address of the function which explodes the player's car, the second - all other cars.
-----
Added
-----
I've found the way to control car lights.
at 58CD4Eh fill 6 bytes with 90h
[7E49C0h]+1F9h: 50h=on, 10h=off
I've made a scripted car lights trigger using these addresses, it looks very nice.
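The two address forms in this post (4BE012h in memory versus BDC12h in gta-vc.exe) differ by the gap between where a PE section is mapped and where its bytes sit in the file. The following C is an added example, not code from the thread: it walks a section table to translate a runtime address into a file offset and then applies the 6-byte NOP patch to an in-memory copy of the exe. The section table is constructed to reproduce the post's two pairs and is not read from a real gta-vc.exe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* A PE section header reduced to the fields needed for translation:
   where the section is mapped (RVA) and where its bytes live in the file. */
typedef struct {
    const char *name;
    uint32_t rva;          /* VirtualAddress: offset from the image base once mapped */
    uint32_t raw_pointer;  /* PointerToRawData: offset of the section's bytes in the file */
    uint32_t raw_size;     /* SizeOfRawData: how many of those bytes the file holds */
} Section;

/* Default image base of a 32-bit Windows executable. */
#define IMAGE_BASE 0x400000u

/* Constructed section table (assumption): one code section mapped at RVA 0x1000
   whose raw data starts at file offset 0xC00. That 0x400 gap reproduces the pairs
   quoted in the post (4BE012h <-> BDC12h and 59B744h <-> 19B344h). A real exe has
   several sections; read them from its headers instead of hardcoding them. */
static const Section kSections[] = {
    { ".text", 0x1000, 0xC00, 0x200000 },
};
#define NUM_SECTIONS (sizeof(kSections) / sizeof(kSections[0]))

/* Translate a virtual address (what a debugger or memory editor shows) into the
   offset of the same byte in the exe on disk (what a hex editor needs).
   Returns -1 when the address is not backed by bytes in the file; in this
   constructed table that is the case for the data pointer at 7E49C0h. */
long va_to_file_offset(uint32_t va, const Section *secs, size_t n)
{
    if (va < IMAGE_BASE)
        return -1;
    uint32_t rva = va - IMAGE_BASE;
    for (size_t i = 0; i < n; i++) {
        if (rva >= secs[i].rva && rva < secs[i].rva + secs[i].raw_size)
            return (long)(secs[i].raw_pointer + (rva - secs[i].rva));
    }
    return -1;
}

/* Overwrite `len` bytes at `file_off` in an in-memory copy of the exe with
   0x90 (NOP). Returns 0 on success, -1 if the range falls outside the buffer. */
int nop_patch(uint8_t *image, size_t image_len, long file_off, size_t len)
{
    if (file_off < 0 || (size_t)file_off + len > image_len)
        return -1;
    memset(image + file_off, 0x90, len);
    return 0;
}

/* The whole step from the post: take a runtime address, find its file offset,
   NOP `len` bytes there. Returns the patched file offset, or -1 on failure. */
long nop_patch_va(uint8_t *image, size_t image_len, uint32_t va, size_t len)
{
    long off = va_to_file_offset(va, kSections, NUM_SECTIONS);
    if (off < 0 || nop_patch(image, image_len, off, len) != 0)
        return -1;
    return off;
}

int main(void)
{
    /* The two addresses from the post; prints BDC12h and 19B344h. */
    printf("4BE012h -> %lXh\n", (unsigned long)va_to_file_offset(0x4BE012, kSections, NUM_SECTIONS));
    printf("59B744h -> %lXh\n", (unsigned long)va_to_file_offset(0x59B744, kSections, NUM_SECTIONS));
    return 0;
}
```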

stym
  • stym

    Hacker

  • Members
  • Joined: 06 Dec 2008

#903

Posted 12 February 2009 - 11:41 PM

GTA 3 v1.0

CODE

0x94139C - BYTE - Money
0x95CDA6 - BYTE - Time hour
0x95CDC8 - BYTE - Time minutes

SkuggyA
  • SkuggyA

    Player Hater

  • Members
  • Joined: 15 Dec 2007

#904

Posted 21 March 2009 - 11:04 PM

Does anyone know the offset for a vehicle alarm by any chance?

Jezpero!
  • Jezpero!

    Player Hater

  • Members
  • Joined: 07 Feb 2008

#905

Posted 01 April 2009 - 11:32 PM

Does anyone know where to download Disco Light Mod 2 by Jacob and Ashdexx?
Can't find it anywhere on the web.

Thanks in advance.

coin-god
  • coin-god

    High Roller

  • $outh $ide Hoodz
  • Joined: 18 Mar 2007
  • None

#906

Posted 01 April 2009 - 11:43 PM

QUOTE (Jezpero! @ Apr 1 2009, 20:32)
Does anyone know where to download Disco Light Mod 2 by Jacob and Ashdexx?
Can't find it anywhere on the web.

Thanks in advance.

May I ask why you posted it here? I'm not rushing, it's the wrong place, but why did you think it would be OK to post it here?

Jezpero!
  • Jezpero!

    Player Hater

  • Members
  • Joined: 07 Feb 2008

#907

Posted 02 April 2009 - 12:56 AM

Because the only post with this mod had its last post two years ago.
This is the only active post I can find where the mod is discussed. That is in the middle of page 30.
I am only trying to find out where to download it and I am sorry if I have posted the post in the wrong place or something.

Jezpero!
  • Jezpero!

    Player Hater

  • Members
  • Joined: 07 Feb 2008

#908

Posted 02 April 2009 - 03:20 PM

No one who can post a download link or host the file?

Shadow-Link
  • Shadow-Link

    Li'l G Loc

  • Members
  • Joined: 01 Dec 2004
  • Netherlands

#909

Posted 02 April 2009 - 04:40 PM Edited by Prince-Link, 02 April 2009 - 04:44 PM.

Here you go *Link removed*. PM me or something when you've got it.. Then I'll remove the file.

SkuggyA
  • SkuggyA

    Player Hater

  • Members
  • Joined: 15 Dec 2007

#910

Posted 27 July 2009 - 05:57 PM

Hmm, does anyone know the address for the amount of Vehicle Structures in VC? I can't seem to create any more than 45 types of cars before my game freezes, like in SA.

gamerzworld
  • gamerzworld

    Why did I move here? I guess it was to sell Shark Cards.

  • Members
  • Joined: 29 Nov 2005
  • United-States

#911

Posted 14 December 2009 - 12:29 AM Edited by gamerzworld, 14 December 2009 - 12:42 AM.

If you want to translate the decimal address to work with the Steam version, subtract 4088.

GYZIE
  • GYZIE

    Player Hater

  • Members
  • Joined: 21 Apr 2009

#912

Posted 16 December 2009 - 10:01 PM

QUOTE (gamerzworld @ Dec 14 2009, 00:29)
If you want to translate the decimal address to work with the Steam version, subtract 4088.

Is there a possibility of sending me the GTA VC .exe Steam version? Because I need it for some research.

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#913

Posted 19 January 2010 - 11:54 AM Edited by ghost of delete key, 19 January 2010 - 12:00 PM.

QUOTE (DexX @ Dec 6 2003, 11:21)
Now I said I had a surprise and I meant it. If you've ever looked through the exe, or the gxt tables, you'll notice a lot of text that looks like it could at one time have been part of an editor that was built into the game. Well, this has to be the defining proof of that.

<<long-lost screencap is long-lost>>

and it doesn't work. NONE of the keys on my keyboard move the cursor, the mouse doesn't do jack, and neither does my controller. I can activate the menu, but not use it. I suspect the commands are not bound to any keys; that red one looks like it's highlighted.

Code to enable it:
Ingame, set the value to 1
A10B2D
When you enable it, the camera will fly way off into the distance, I don't know why, it just does. Anyway, VERY interesting info up there, I hope I can get some assistance looking into this...


Remember this?

I sure do.
It's been at the back of my mind for years now burning a hole in my medulla. (sheesh, time flies!)

For me, this was what it's all about.
Of course back then, I knew nothing of coding, and didn't know what to do with a disassembler.

That's changed now.
Also, I have a lot of free time on my hands and am barred from the IV experience for now...

So I've taken a break from my web project to drain the JQuery out of my pipes, and have turned my attention once again toward GTAVC.EXE

I've begun a mapping project- basically, I have all 800+ posts in this thread open in my browser, and all the other memory address info I can find, and have begun the arduous task of labeling everything. This is certainly going to take some time, as over the past two days, I've only covered the first page of this thread out of 23; labeling first the variables revealed herein, then chasing them up the calls and graphing them, attaching as much Vice-accurate nomenclature to the functions as I can. I give good descriptions of otherwise undocumented/unexplored code, and as I go along, some VERY interesting things have begun to reveal themselves to me.

When I got to this part that I quoted here, I began chasing a wild chain of calls up to where I had already labeled a bunch of initialization and loading routines.

It is becoming apparent that the "dead menu" is non-functional, but not merely a snippet of abandonware left in the EXE. In fact, it is part of a complete loader and decision tree separate from the functioning production-version loading routines. It is beginning to look as if there are "two" games intertwined within the EXE, the play version, and the developer version.

In several places where they cross their logic, like where the menu should respond to keys, the developer routines dead-end in nullsubs, sort of like "smart NOPs", and in certain places where necessary, some vars are hardcoded to constant "off" values.



I know at this point some of you may see what I'm about to say, and you may think I'm either crazy, or a n00b, and these may be true or not; but at this early stage, it appears that with some creative patching/hooking...

the EXE may be turned into a working dev console frontend!

Seriously. Although I've only connected a few hundred edges out of >6000 nodes, I seem to have gotten trapped for a bit in this massive set of parallel trees, and the depth of what was "left in" is simply staggering.

As I follow this topic like a novel from page one, I'm comparing the copious descriptions against the code and graphs, and it is now boggling my mind how obvious some of this is.
I've gotten quite a bit of the bottom end stuff marked out around the cheat codes and have noticed a few things I've never seen mentioned here...

For example, was anyone aware that all the piles of cheat codes fall into just 7 "cheat classes"?
Sure, running a cheat code fncks up your savegame, but just how it happens and what exactly gets borked depends on which class the cheat belongs to.
I'm sure anyone who's looked at the data addresses of the cheats in the EXE has noticed that the string that represents the cheat is just gibberish, no? It may be a CRC of the typed string; these are checked against values coming from the keyboard listener. I haven't checked this out though, (as if it's important) since I'm too busy cataloging routines and data.
Furthermore, I can see where one could interrupt the cheats to spawn vehicles, etc, and not actually call the bork-code! The Anti-Cheat_Cheat!
So far as I know, we've only monkeyed with setting the car id in its var.

I've also got parts of the file loaders mapped, and now I can "easily" see just how the anim pool allocates the anims against the various pedtypes and car groups. Creative patching here may give complete control over which anims may be given to what without the crashing one gets when trying to call wrongly-named IFPs.
(Better yet, the dev code might be co-opted for this purpose- the routines appear to be there. Same with creating objects, there's code to handle this and report developer-oriented pool allocation errors!)

I've also found a pipeline in the startup routines where the object pools are allocated, and where those pesky hardcoded environmental limits are imposed. This needs much more attention (in due time), but here I feel the chance for easy addition of say, car types or ped types as mentioned.

There's far too much to mention in one post, so I'll let y'all digest this for a bit while I dig back into the goldmine. But a few more things...

I noticed some here are using OllyDBG now.
I never heard of it, but I just nabbed the latest v., and will check it out.

Currently, I'm using the VCDBG.ASI hook with DebugView (pre-Microsoft), Hex Workshop 4.10 and WinGraph32/IDA Pro 4.3.0.740a, although I know there's newer versions at IDA's page, at 15MB I'm not gonna grab it quite yet... (on dialup)

@DexX: I know you used to use IDA Pro, and I remember how you got me pointed in the right direction with it. Like giving a gun to a baby.
Anyway, I found in this thread a (still working!) link you gave to an IDA dump of the EXE's names with addresses. Now the Questions:

1) How exactly did you export that?! I cannot for the life of me find anything in the IDE that does that! Am I some kinda loser, or did you do a magic trick?

2) Are you still using IDA? If your version is compatible, I could periodically upload the .IDB database to share my naming progress with you and any other folks using IDA. I think this could get interesting again after all this time.

3) Does anyone know of a decent disasm/graphing combo worth its salt?
I like IDA, but the bundled WinGraph32 is a bit lame, makes cruddy graphs that can't be exported (only printed!), and is clunky.

4) How on Earth did you get IDA to parse all those RenderWare-specific names? Did you disasm against the header files?
In my disasm, they all turn up as "unexplored", since there's no direct reference to these RW files with which the EXE was compiled.
Somewhere I have the RWSDK 3.2 headers, although VC was made with v3.4


Also, a cursory look at the OllyDBG docs shows me that function calls through the tool will only accept up to 10 arguments- is that so?
If so, I'm not sure how useful it will be, as many of the main game and scene loading routines take many more, as many as 50+ in some cases! Sh!t, mang, that's a lot of parameters.



Anyhoo, I'm off again, make a noise if any of this is of any value, or just ban me and get it over with.


DexX
  • DexX

    Black Hat

  • Feroci
  • Joined: 16 May 2002

#914

Posted 19 January 2010 - 06:30 PM

QUOTE
Anyway, I found in this thread a (still working!) link you gave to an IDA dump of the EXE's names with addresses. Now the Questions:

1) How exactly did you export that?! I cannot for the life of me find anything in the IDE that does that! Am I some kinda loser, or did you do a magic trick?

I copy/pasted them from the "Names" tab.
Edit;
Hold shift to select multiple entries.

QUOTE
2) Are you still using IDA? If your version is compatible, I could periodically upload the .IDB database to share my naming progress with you and any other folks using IDA. I think this could get interesting again after all this time.

I no longer have VC installed, or access to the files I had, but I recommend posting what you find anyway. I had always hoped to see an online database of function addresses and descriptions, not unlike what we had in the opcode database (which is no longer active..)

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#915

Posted 20 January 2010 - 08:32 AM Edited by ghost of delete key, 20 January 2010 - 11:27 AM.

OPCODE DB IS GONE?!?!

...THE F^CK?
SRSLY?!


Those are some of the few resources I DIDN'T save to disk because I figured...
I dunno what I figured.
Barton's SCM package had a fairly complete opcode list, no? I have to see if I still have that stuff.
I've got millions of files saved, it's getting hard to keep organized.

Sadly I had a hard drive die awhile back and lost some other important stuff like my RW files, but whatever.

Yes, maybe the Wiki could serve as a catalogue of general GTA opcode and func defs. Imma go look at it.
<looking>
Hmmm, sorely incomplete and a bit outdated in spots. This needs attention.

QUOTE
I copy/pasted them from the "Names" tab.

Funny, my IDA won't let me select more than a single entry at a time to do that.

No way in hell I'm gonna copy/paste 5745 times to build a list. Just not happening.

Hey, anybody have any good suggestions on decompressing SA's EXE?
There's not much to see in there in the raw state. I'd really rather get on that, but I think VC's guts may be helpful in general.
Some of us still like to mess with it.

<edit>
I was working on a wacky version (SAMP).
The "compact" version used with CLEO disassembles nicely. I'll post further in the SA memory thread.
Now back to VC

grovespaz
  • grovespaz

    Group: Morons

  • Members
  • Joined: 22 Feb 2004

#916

Posted 20 January 2010 - 03:02 PM Edited by grovespaz, 20 January 2010 - 03:11 PM.

You sir, are my hero. Ever since I saw that screenshot I knew there had to be some more left in the game, and I've always wanted to enable it. Sadly, I never knew enough about disassembling to make it happen.
This thread is the only thread I still receive subscription notifications to, just in case anyone decided to give it another poke.
So you did, and I busted out of my absence (my last post here was on Mar 10 2009) to say, thank you.

I seriously hope you succeed in finding more interesting stuff..

Is there any other copy of the opcode db floating around? If not, I might dig out my old computer to see what I might have.

P.S. I'm just getting the hang of IDA, but could I possibly bother you to share the work you've done so far? I've always wanted to be able to explore some inner functions of GTA-VC

NTAuthority
  • NTAuthority

    hell, no, tunnel, no

  • Feroci
  • Joined: 09 Sep 2008
  • European-Union
  • Best Conversion 2014 [ViIV for GTANY]
    Most Knowledgeable [Tech] 2013
    Best Map 2013 [ViceCityStories PC Edition]
    Contribution Award [Mods]

#917

Posted 20 January 2010 - 03:34 PM Edited by NTAuthority, 20 January 2010 - 04:44 PM.

QUOTE (ghost of delete key @ Jan 19 2010, 12:54)
It is becoming apparent that the "dead menu" is non-functional, but not merely a snippet of abandonware left in the EXE. In fact, it is part of a complete loader and decision tree separate from the functioning production-version loading routines. It is beginning to look as if there are "two" games intertwined within the EXE, the play version, and the developer version.

In several places where they cross their logic, like where the menu should respond to keys, the developer routines dead-end in nullsubs, sort of like "smart NOPs", and in certain places where necessary, some vars are hardcoded to constant "off" values.

WHAT THE HUGE f*ck? Finally, someone with a bit more knowledge about disassembly than me has ventured into the deep world of GTA's debugging data, including the holy 'New Actor' menu. If what you say is correct, and there's a complete debug processing loop in the game (like CGame::Process?) it shows exactly what I've always thought about how R* removed debugging stuff from the EXE; #ifdef-ing and partially disabling data, indeed with constants and other strange disable functions.

Who'd like to bet on San Andreas still having the path compiler somewhere in its code? Or on VC having more debugging stuff left in than only that partial menu, but actually, with the right patches, ALMOST THE ENTIRE DEBUG RUNTIME? VC still had tons of debug log calls left as the 'vc_log' plugin shows, so why would it stop there? I love knowing more about the tools of GTA development, I love .sc, and I was planning on remaking this menu for SA... and if someone would get it to work for VC it might be a huge help!

ooooh, I'm so excited! sadly my disassembly attempts have always failed miserably, but I've also been looking (a tiny bit) at such removed code.

EDIT: looked at it some more, it seems to read/write a 'movie.dat', sadly I end up in a function with tons of sub/nullsub calls which I can't relate to any other GTA3 data file from sannybuilder.com's GTA3 IDB. Too bad there's no VC IDB, or this address for III...

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#918

Posted 20 January 2010 - 08:34 PM

I was fartin' around at the sannybuilder site last night and saw the .idb, but didn't get it.

I'm working on my own set now: one for VC, and one for SA.

Now the funny part?

The SA engine still has pieces of VC in it just like VC had bits of III abandoned in it... like the zipper message for Hyman Stadium.

LOTS of production debug labels, but only a fraction of the data strings actually xref anything. But I digress (check the SAmem thread)

QUOTE
Who'd like to bet on San Andreas still having the path compiler somewhere in its code? Or to VC having more debugging stuff left in than only that partial menu, but actually, with the right patches, ALMOST THE ENTIRE DEBUG RUNTIME?

It seems like this is indeed the case! You don't even know what a nut I'm busting at the prospect...

And yes guise, I'll be happy to share some yummy .idb goodness soon, once I have a decent amount of stuff cataloged and named. After all, give back to the community and all that jazz, eh?


btw, I'm glad you're still around, Gspaz! I'm apparently not the only ghost to haunt these boards.

grovespaz
  • grovespaz

    Group: Morons

  • Members
  • Joined: 22 Feb 2004

#919

Posted 21 January 2010 - 09:02 PM

QUOTE (ghost of delete key @ Jan 20 2010, 20:34)
I was fartin' around at the sannybuilder site last night and saw the .idb, but didn't get it.

I'm working on my own set now: one for VC, and one for SA.

Before I continue, may I ask what EXE version you are working on exactly? 1.0 or 1.1, no-cd or original?
QUOTE (ghost of delete key @ Jan 20 2010, 20:34)

Now the funny part?

The SA engine still has pieces of VC in it just like VC had bits of III abandoned in it... like the zipper message for Hyman Stadium.

Very true, also, a lot of other interesting labels. Today I stumbled upon a debug label which just read 'F*CKF*CKF*CK'
QUOTE (ghost of delete key @ Jan 20 2010, 20:34)

LOTS of production debug labels, but only a fraction of the data strings actually xref anything. But I digress (check the SAmem thread)

QUOTE
Who'd like to bet on San Andreas still having the path compiler somewhere in its code? Or to VC having more debugging stuff left in than only that partial menu, but actually, with the right patches, ALMOST THE ENTIRE DEBUG RUNTIME?

It seems like this is indeed the case! You don't even know what a nut I'm busting at the prospect...
Are you talking about the SA part, the VC part or both?

QUOTE (ghost of delete key @ Jan 20 2010, 20:34)

And yes guise, I'll be happy to share some yummy .idb goodness soon, once I have a decent amount of stuff cataloged and named. After all, give back to the community and all that jazz, eh?

Thank you so much! I'm really looking forward to it, I'm also very interested in mapping other parts of VC (like the SCM parser, etc).

QUOTE (ghost of delete key @ Jan 20 2010, 20:34)

btw, I'm glad you're still around, Gspaz!  I'm apparently not the only ghost to haunt these boards.
Why thank you
I am also very glad to see you're still active and kicking serious butt
It's a shame a part of the scene deflated as time progressed, though only natural.

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#920

Posted 21 January 2010 - 09:31 PM Edited by ghost of delete key, 21 January 2010 - 09:38 PM.

QUOTE (grovespaz @ Jan 21 2010, 16:02)
QUOTE (ghost of delete key @ Jan 20 2010, 20:34)
I was fartin' around at the sannybuilder site last night and saw the .idb, but didn't get it.

I'm working on my own set now: one for VC, and one for SA.

Before I continue, may I ask what EXE version you are working on exactly? 1.0 or 1.1, no-cd or original?

You know, I haven't figured that out!
The original game I bought was the post-coffee v2.0, and it says it in the start menu.
I fired this one up, and it doesn't have a version number. It does have an internal compile time and date (I'm not on my machine right now, so I don't have the details), but I haven't even gone through the pages of this thread yet to sort things out.

BTW, I mentioned before, it's the "gta_sa_compact.exe" that Seeman mentions in the SannyBuilder forums.
Somebody should know what v that is... I'm guessing a US v1.0?
It has blood, and for some bizarre reason, it's perfectly compatible with my savegames made through the SAMP-patched exe I've been using.

QUOTE (grovespaz @ Jan 21 2010, 16:02)
QUOTE (ghost of delete key @ Jan 20 2010, 20:34)

Now the funny part?

The SA engine still has pieces of VC in it just like VC had bits of III abandoned in it... like the zipper message for Hyman Stadium.

Very true, also, a lot of other interesting labels. Today I stumbled upon a debug label which just read 'F*CKF*CKF*CK'



Yeah, I've seen that too. Made me rofl. That's part of the initial loading of the game IIRC, I think in the model pool stuff, but again, I don't have that handy atm...
QUOTE (grovespaz @ Jan 21 2010, 16:02)
QUOTE (ghost of delete key @ Jan 20 2010, 20:34)

LOTS of production debug labels, but only a fraction of the data strings actually xref anything. But I digress (check the SAmem thread)

QUOTE
Who'd like to bet on San Andreas still having the path compiler somewhere in its code? Or to VC having more debugging stuff left in than only that partial menu, but actually, with the right patches, ALMOST THE ENTIRE DEBUG RUNTIME?

It seems like this is indeed the case! You don't even know what a nut I'm busting at the prospect...
Are you talking about the SA part, the VC part or both?

QUOTE (ghost of delete key @ Jan 20 2010, 20:34)

And yes guise, I'll be happy to share some yummy .idb goodness soon, once I have a decent amount of stuff cataloged and named. After all, give back to the community and all that jazz, eh?

Thank you so much! I'm really looking forward to it, I'm also very interested in mapping other parts of VC (like the SCM parser, etc).

I don't think I have enough yet to make any sense for anyone just yet, but it's coming along. I'll host'n'post soon enough.

Now check it out:
I was looking at some "bad-stack" code in the SA exe, that is, chunks of code that have no proper entry point, or are not referenced elsewhere (xref'd), and consequently wind up returning the stack pointer to a weird non-zero value when treated as a whole function.

What I've noticed is that these are the same as other "whole routines" which are active game code.

In other words, there are many, many loading and parsing routines that are duplicate, although one of the "twins" will be truncated; snipped in half with a return op, while the tail end of the func becomes orphaned code and shows up in IDA as a section of BADSTACK, since of course the stack and registers aren't cleaned up right.

I'll put together some examples later on so y'all can see what I'm on about, but also note that I've checked a number of these and have seen many of these truncated functions have references to the debug code which never gets seen...
and references to the files that don't exist.
It seems that there's about twice as much as there really needs to be to make the game work, the rest is the dev code that alters stuff ingame, and some stuff it seems that can write to other files, like .cpp sourcecode files and such.

The mystery is beginning to unravel....

QUOTE (grovespaz @ Jan 21 2010, 16:02)
QUOTE (ghost of delete key @ Jan 20 2010, 20:34)

btw, I'm glad you're still around, Gspaz!  I'm apparently not the only ghost to haunt these boards.
Why thank you
I am also very glad to see you're still active and kicking serious butt
It's a shame a part of the scene deflated as time progressed, though only natural.


I don't know, but it just might pick up again...

Or not.

Forgive any spelling errors here, I'm writing 100mph on someone else's box, so...

<ONE MASSIVE FREAKIN EDIT:>
I just realized that this is the VC thread.

DERP!

Well, actually, the same as above goes for VC, regarding the badstack orphans and all.

The SA-specific stuff should get answered (please) in the SA thread if anyone has something to add, cool?

NTAuthority
  • NTAuthority

    hell, no, tunnel, no

  • Feroci
  • Joined: 09 Sep 2008
  • European-Union
  • Best Conversion 2014 [ViIV for GTANY]
    Most Knowledgeable [Tech] 2013
    Best Map 2013 [ViceCityStories PC Edition]
    Contribution Award [Mods]

#921

Posted 22 January 2010 - 02:28 PM

Some more stuff about the debug menu: from the GTA3 .idb, it seems the debug processor function calls CPad::GetPad(1); which means that it would likely be sufficient to enable a second gamepad (like I've done for SA already) to get the menu to work (or patch the calls so it uses GetPad(0), heh).

I'll report back later.

PS: the menu code is not in SA, the strings are however.

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#922

Posted 22 January 2010 - 11:13 PM

QUOTE (NTAuthority @ Jan 22 2010, 09:28)
Some more stuff about the debug menu: from the GTA3 .idb, it seems the debug processor function calls CPad::GetPad(1); which means that it would likely be sufficient to enable a second gamepad (like I've done for SA already) to get the menu to work (or patch the calls so it uses GetPad(0), heh).

I'll report back later.

PS: the menu code is not in SA, the strings are however.

yeah, I noticed that.

The other thing I'm noticing is that the routines in are much more organized than in VC... or should I say 'in smaller bites'.

You'll have to let me know how you patched SA to provide the second gamepad service.

This will help me sort out a few things, I think.

grovespaz
  • grovespaz

    Group: Morons

  • Members
  • Joined: 22 Feb 2004

#923

Posted 23 January 2010 - 07:55 PM

I've been having much fun disassembling GTA:VC and trying to mess with its internals.

At the moment I am trying to redirect certain game engine functions (like the opcode processor) to my own functions, which try to mimic the original VC functions. I'm not having a lot of luck making the redirection work though


Btw, what VC version are you using? I'm working off a 1.0 No-CD crack.

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#924

Posted 24 January 2010 - 12:03 PM

I'm using the original US v1.0 exe.

On another note, I just discovered that my VC won't work anymore. Fresh install, too. Very troubling.
II and SA are working fine, though, very strange. It's pissing me off, I need to test stuff.


I was digging in the back pages, and I found this old thread.

I remember this well, and was surprised to find it.
[sheep] and spooky have already trod this ground, and sadly the topic died in a flamewar with the MTA team (one of the best flamewars around here though).

Also, all the links to the posted resources are dead. If anyone has ANYTHING along these lines, please make a noise.

I'm still fairly new at reversing, and ASM in general, so any memories and links of great resources/topics would be gratefully accepted.

My VC mapping is on hold while I switch back to SA and play around with Olly.

Oh, I'm using VCDBG with DebugView; does anyone recall if a reporter hook was made for SA?
I have the VCDBG source, and I'll be trying my hand at applying it to SA. If the work has already been done, I'd like to use it.

I hate reinventing the wheel, but I'm always up for building a better mousetrap.

grovespaz
  • grovespaz

    Group: Morons

  • Members
  • Joined: 22 Feb 2004

#925

Posted 24 January 2010 - 12:17 PM Edited by grovespaz, 24 January 2010 - 01:07 PM.

Hmm.. Have you tried deleting the gta_vc.set in 'GTA Vice City User Files'?

I remember ProjectX well, I even posted in the topic. It is not what I'm doing at the moment, but very closely related. Actually, I eventually want to combine its function with mine to form one über-project

Ooh ooh! My experimenting with redirecting functions within VC has paid off. I have successfully told the game not to call its internal opcode parser, but mine. At the moment mine saves the current location the SCM is at, calls the internal opcode parser to process the opcode and returns.

So yeah, to get techy, the function at 0x44FD70 calls the Opcode Interpreter at 0x44FBE0. At run-time, when I press a certain key, my proxy dll patches the call to call my function within the dll, which merely contains this:
CODE
#include <windows.h>

// Filled in by the hook so the DLL's C code can read the script state.
static DWORD currentoff;
static DWORD currentof2;
// The game's script opcode processor, assumed here to be the interpreter at 0x44FBE0 quoted above.
static void (*ProcessOneCommandClone)() = (void (*)())0x44FBE0;

__declspec(naked) int NewOpcodeInterpreter()
{
__asm
{
 mov currentoff, ecx    // Save the current SCM instruction pointer (passed in ecx) into my variable, so I can read it. Destination first in MASM syntax: "mov ecx, currentoff" would overwrite ecx instead.
 mov currentof2, ebx    // Same for the value passed in ebx.
 call dword ptr [ProcessOneCommandClone]  // Call the game's script opcode processor; ecx/ebx are passed through untouched.
 ret       // return.
}
}


I'm still having some trouble running more advanced code within my custom function, it seems like there is some sort of memory offset mishap
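The redirection described here works by rewriting the five-byte call instruction inside the 0x44FD70 function so that its rel32 displacement points at the DLL's function instead of 0x44FBE0. As an added example, not grovespaz's code, the C below encodes and decodes that displacement and refuses to patch a site that does not currently call the expected interpreter address, which catches a wrong exe version or a site that was already hooked; the call-site address 0x44FD90 and the DLL target 0x10001000 are placeholders, since the post gives neither.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CALL_OPCODE 0xE8   /* x86 "call rel32": E8 followed by a signed 32-bit displacement */
#define CALL_LEN    5

/* Address from the post: the game's script opcode processor. */
#define OPCODE_INTERPRETER 0x44FBE0u
/* Placeholder (assumption): the post names the calling function (0x44FD70) but not the
   exact address of the call instruction inside it; a real hook reads it from the disassembly. */
#define HYPOTHETICAL_CALL_SITE 0x44FD90u
/* Placeholder (assumption): where the DLL's replacement function ends up in the process. */
#define HYPOTHETICAL_NEW_TARGET 0x10001000u

/* Encode "call target" at `site`. The displacement is relative to the address of the
   instruction that follows the call, i.e. site + 5, so the same target needs a different
   rel32 at every call site. Bytes are emitted little-endian, as x86 stores them. */
void encode_call(uint8_t out[CALL_LEN], uint32_t site, uint32_t target)
{
    uint32_t rel = target - (site + CALL_LEN);   /* unsigned wrap gives the two's-complement value */
    out[0] = CALL_OPCODE;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Read back the target of the call whose first byte is at `code`, located at `site`.
   Returns 0 if the bytes are not an E8 call at all. */
uint32_t decode_call_target(const uint8_t *code, uint32_t site)
{
    if (code[0] != CALL_OPCODE)
        return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)code[1 + i] << (8 * i);
    return site + CALL_LEN + rel;
}

/* Redirect the call at `site` to `new_target`, but only if it currently calls
   `expected_old`. Patching blindly on a different exe version, or twice, would
   overwrite some unrelated instruction. The original five bytes go to `saved`
   so the hook can be removed again. Returns 1 on success, 0 if refused.
   In a live process the page holding `code` must first be made writable
   (VirtualProtect on Windows); here it operates on a plain buffer. */
int redirect_call(uint8_t *code, uint32_t site, uint32_t expected_old,
                  uint32_t new_target, uint8_t saved[CALL_LEN])
{
    if (decode_call_target(code, site) != expected_old)
        return 0;
    memcpy(saved, code, CALL_LEN);
    encode_call(code, site, new_target);
    return 1;
}

/* Undo redirect_call by putting the saved instruction bytes back. */
void restore_call(uint8_t *code, const uint8_t saved[CALL_LEN])
{
    memcpy(code, saved, CALL_LEN);
}

int main(void)
{
    /* Constructed stand-in for the five bytes of the original call instruction. */
    uint8_t code[CALL_LEN], saved[CALL_LEN];
    encode_call(code, HYPOTHETICAL_CALL_SITE, OPCODE_INTERPRETER);
    printf("original: E8 %02X %02X %02X %02X -> %X\n", code[1], code[2], code[3], code[4],
           decode_call_target(code, HYPOTHETICAL_CALL_SITE));
    if (redirect_call(code, HYPOTHETICAL_CALL_SITE, OPCODE_INTERPRETER,
                      HYPOTHETICAL_NEW_TARGET, saved))
        printf("hooked: now calls %X\n", decode_call_target(code, HYPOTHETICAL_CALL_SITE));
    restore_call(code, saved);
    printf("restored: calls %X\n", decode_call_target(code, HYPOTHETICAL_CALL_SITE));
    return 0;
}
```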

spaceeinstein
  • spaceeinstein

    Chocolate

  • GTA Mods Staff
  • Joined: 17 Jul 2003
  • Hong-Kong
  • Major Contribution Award [Mods]
    Helpfulness Awards [Mods]

#926

Posted 03 February 2010 - 04:50 PM Edited by spaceeinstein, 04 February 2010 - 12:32 AM.

I have gotten together a giant list of anything related to cheats for Vice City (v1 only). The latest list will be updated at the modding wiki. An interesting note is that some weapons' ammo is 4 bytes instead of the usual 1 byte. Most are tested but I could have made a mistake somewhere there. There are some that are already discovered. It's huge!

CODE

0x4ABF4C - [1 byte] - YOUWONTTAKEMEALIVE set wanted level
0x4ABFC4 - [1 byte] - LEAVEMEALONE set wanted level
0x4AC009 - [1 byte] - APLEASANTDAY set weather
0x4AC04E - [1 byte] - ALOVELYDAY set weather
0x4AC099 - [1 byte] - ABITDRIEG set weather
0x4AC0DE - [1 byte] - CATSANDDOGS set weather
0x4AC129 - [1 byte] - CANTSEEATHING set weather
0x4AC14B - [4 bytes] - PANZER Rhino model
0x4AC946 - [4 bytes] - TRAVELINSTYLE Bloodring A model
0x4AC976 - [4 bytes] - THELASTRIDE Romero's Hearse model
0x4AC9A6 - [4 bytes] - ROCKANDROLLCAR Love Fist model
0x4AC9D6 - [4 bytes] - RUBBISHCAR Trashmaster model
0x4ACA06 - [4 bytes] - GETTHEREFAST Sabre Turbo model
0x4ACA36 - [4 bytes] - BETTERTHANWALKING Caddy model
0x4ACDD6 - [4 bytes] - GETTHEREQUICKLY Bloodring B model
0x4ACE06 - [4 bytes] - GETTHEREVERYFASTINDEED Hotring A model
0x4ACE36 - [4 bytes] - GETTHEREAMAZINGLYFAST Hotring B model
0x4AEAEF - [4 bytes] - NUTTERTOOLS Chainsaw model
+0xE for each additional weapon (.357, S.P.A.S. Shotgun, MP, M4, .308 Sniper, Minigun, Minigun component)
0x4AEB75 - [1 byte] - NUTTERTOOLS Chainsaw ammo
+0x12 for each additional weapon (.357, S.P.A.S. Shotgun, MP)
0x4AEBCF - [4 bytes] - NUTTERTOOLS M4 ammo
0x4AEBE4 - [1 byte] - NUTTERTOOLS .308 Sniper ammo
0x4AEBF6 - [4 bytes] - NUTTERTOOLS Minigun ammo
0x4AEB77 - [1 byte] - NUTTERTOOLS Chainsaw weapon number (NOTE: Model needs to be loaded first)
+0x12 for each additional weapon (.357, S.P.A.S. Shotgun, MP)
0x4AEBD4 - [1 byte] - NUTTERTOOLS M4 weapon number (NOTE: Model needs to be loaded first)
0x4AEBE6 - [1 byte] - NUTTERTOOLS .308 Sniper weapon number (NOTE: Model needs to be loaded first)
0x4AEBFB - [1 byte] - NUTTERTOOLS Minigun weapon number (NOTE: Model needs to be loaded first)
0x4AEC8F - [4 bytes] - PROFESSIONALTOOLS Katana model
+0xE for each additional weapon (Grenade, Detonator Grenade, .357, Stubby Shotgun, Mac, M4, .308 Sniper, Rocket Launcher)
0x4AED15 - [1 byte] - PROFESSIONALTOOLS Katana ammo
+0x12 for each additional weapon (Detonator Grenade, .357, Stubby Shotgun, Mac)
0x4AED6F - [4 bytes] - PROFESSIONALTOOLS M4 ammo
0x4AED84 - [1 byte] - PROFESSIONALTOOLS .308 Sniper ammo
0x4AED96 - [1 byte] - PROFESSIONALTOOLS Rocket Launcher ammo
0x4AED17 - [1 byte] - PROFESSIONALTOOLS Katana weapon number (NOTE: Model needs to be loaded first)
+0x12 for each additional weapon (Detonator Grenade, .357, Stubby Shotgun, Mac)
0x4AED74 - [1 byte] - PROFESSIONALTOOLS M4 weapon number (NOTE: Model needs to be loaded first)
0x4AED86 - [1 byte] - PROFESSIONALTOOLS .308 Sniper weapon number (NOTE: Model needs to be loaded first)
0x4AED98 - [1 byte] - PROFESSIONALTOOLS Rocket Launcher weapon number (NOTE: Model needs to be loaded first)
0x4AEE1F - [4 bytes] - THUGSTOOLS Brass Knuckles model
+0xE for each additional weapon (Bat, Molotov Cocktail, Pistol, Chrome Shotgun, Tec 9, Kruger, Sniper Rifle, Flame Thrower)
0x4AEEA5 - [1 byte] - THUGSTOOLS Brass Knuckles ammo
+0x12 for each additional weapon (Bat, Molotov Cocktail, Pistol, Chrome Shotgun)
0x4AEEFF - [4 bytes] - THUGSTOOLS Tec 9 ammo
0x4AEF14 - [1 byte] - THUGSTOOLS Kruger ammo
0x4AEF26 - [1 byte] - THUGSTOOLS Sniper Rifle ammo
0x4AEF38 - [4 bytes] - THUGSTOOLS Flame Thrower ammo
0x4AEEA7 - [1 byte] - THUGSTOOLS Brass Knuckles weapon number (NOTE: Model needs to be loaded first)
+0x12 for each additional weapon (Bat, Molotov Cocktail, Pistol, Chrome Shotgun)
0x4AEF04 - [1 byte] - THUGSTOOLS Tec 9 weapon number (NOTE: Model needs to be loaded first)
0x4AEF16 - [1 byte] - THUGSTOOLS Kruger weapon number (NOTE: Model needs to be loaded first)
0x4AEF28 - [1 byte] - THUGSTOOLS Sniper Rifle weapon number (NOTE: Model needs to be loaded first)
0x4AEF38 - [1 byte] - THUGSTOOLS Flame Thrower weapon number (NOTE: Model needs to be loaded first)
0x68E058 - [float] - DEEPFRIEDMARSBARS/PROGRAMMER Tommy's body width
0x68F1F0 - [float] - ONSPEED cheat
0x68F1F4 - [float] - ONSPEED game speed multiplier
0x68F1F8 - [float] - BOOOOOORING cheat
0x68F1FC - [float] - BOOOOOORING game speed multiplier
0x68F204 - [string] - LOOKLIKELANCE Lance model
0x68F20C - [string] - IWANTBIGTITS Candy model
0x68F214 - [string] - MYSONISALAWYER Ken model
0x68F21C - [string] - ILOOKLIKEHILARY Hilary model
0x68F224 - [string] - ROCKANDROLLMAN Jezz model
0x68F22C - [string] - ONEARMEDBANDIT Phil model
0x68F234 - [string] - IDONTHAVETHEMONEYSONNY Sonny model
0x68F240 - [string] - FOXYLITTLETHING Mercedes model
0x68F248 - [string] - WELOVEOURDICK Dick model
0x68F250 - [string] - CHEATSHAVEBEENCRACKED Diaz model
0x97F2C4 - [1 byte] - CHASESTAT cheat
0xA10AB3 - [1 byte] - OURGODGIVENRIGHTTOBEARARMS cheat
0xA10ADC - [1 byte] - GREENLIGHT cheat
0xA10B0F - [1 byte] - GRIPISEVERYTHING cheat
0xA10B11 - [1 byte] - AIRSHIP cheat
0xA10B23 - [1 byte] - CERTAINDEATH cheat
0xA10B26 - [1 byte] - AHAIRDRESSERSCAR cheat
0xA10B28 - [1 byte] - COMEFLYWITHME cheat
0xA10B30 - [1 byte] - WHEELSAREALLINEED cheat
0xA10B47 - [1 byte] - MIAMITRAFFIC cheat
0xA10B5F - [1 byte] - FANNYMAGNET cheat
0xA10B81 - [1 byte] - SEAWAYS cheat
0xA10B82 - [1 byte] - IWANTITPAINTEDBLACK cheat
0xA10B87 - [1 byte] - LIFEISPASSINGMEBY cheat

More to come soon.

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#927

Posted 04 February 2010 - 01:49 PM

Much awesomeness!

Thanks, I've been looking for something like this.

Will certainly help sorting out the layer of code above the cheat addy's. I couldn't see how it's compartmentalized, but now I can see the various groups of cheats.

SWEET. happy.gif

grovespaz
  • grovespaz

    Group: Morons

  • Members
  • Joined: 22 Feb 2004

#928

Posted 04 February 2010 - 10:52 PM

WOOHOOO! biggrin.gif biggrin.gif
I've found a way to make VC step through the SCM instructions one step at a time! I can pause and resume the script interpreter at any time, Vice City temporarily stops executing instructions until I release it lol.gif

Check out this video which shows it in action (with the intro mission):
Link to Youtube video

Please excuse the live music starting at the end of the video. It was a hidden track and I had no idea my music was still playing blush.gif

How did I do it?
Well, if you read my previous post, I hooked the function at 0x44FBE0 (which is the opcode interpreter) by patching the function which calls it (exact address is 0x44FDB5) to call my own function.
When I pause the script, I merely set al to 1 (mov al, 1) and return when the opcode processor is called.


Now, imagine this with an ingame disassembler which shows you the mission script as you step through it inlove.gif
Ambitious? Yes! But too much fun to let go sigh.gif
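The redirect described in the two posts above boils down to rewriting one 5-byte near CALL (E8 rel32) at 0x44FDB5 so that it lands in the dll instead of at 0x44FBE0. The following is an added example, not grovespaz's code; it assumes the call is a direct E8 call, uses a made-up hook address 0x10001000, and works on a byte buffer standing in for the game's code bytes. The check before patching (is the call still pointing at the interpreter?) is what keeps a different exe version or a second mod's hook from being overwritten blindly.

```c
#include <stdint.h>
#include <stdio.h>

/* Addresses from the posts above (VC v1.0). */
#define CALL_SITE   0x44FDB5u   /* the CALL inside the function at 0x44FD70 */
#define INTERPRETER 0x44FBE0u   /* the game's opcode interpreter */
#define HOOK_ADDR   0x10001000u /* placeholder for the dll's NewOpcodeInterpreter */

/* Decode the target of a 5-byte near CALL (E8 rel32) at `site`; returns 0 if the bytes are not one. */
uint32_t decode_call_target(uint32_t site, const uint8_t insn[5])
{
    if (insn[0] != 0xE8) return 0;
    uint32_t rel = (uint32_t)insn[1] | ((uint32_t)insn[2] << 8) |
                   ((uint32_t)insn[3] << 16) | ((uint32_t)insn[4] << 24);
    return site + 5 + rel;               /* target = next instruction + rel32 (mod 2^32) */
}

/* Encode a near CALL from `site` to `target` into `out`. */
void encode_call(uint32_t site, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (site + 5);  /* unsigned wrap-around yields the signed rel32 bit pattern */
    out[0] = 0xE8;
    out[1] = (uint8_t)rel;
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Redirect the call only if it still points at the interpreter: a different exe
 * version or another mod's hook would fail this check. Returns 1 when patched. */
int patch_interpreter_call(uint8_t insn[5], uint32_t hook)
{
    if (decode_call_target(CALL_SITE, insn) != INTERPRETER) return 0;
    encode_call(CALL_SITE, hook, insn);
    return 1;
}

int main(void)
{
    uint8_t code[5];
    encode_call(CALL_SITE, INTERPRETER, code);   /* stand-in for the unpatched bytes */
    printf("original -> %08X\n", decode_call_target(CALL_SITE, code));
    if (patch_interpreter_call(code, HOOK_ADDR))
        printf("patched  -> %08X (%02X %02X %02X %02X %02X)\n", decode_call_target(CALL_SITE, code),
               code[0], code[1], code[2], code[3], code[4]);
    return 0;
}
```

In the running game the buffer is the page containing 0x44FDB5, which has to be made writable (VirtualProtect) before the five bytes are written.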

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#929

Posted 05 February 2010 - 10:49 AM

QUOTE (grovespaz @ Feb 4 2010, 17:52)
<cool news>

...Now, imagine this with an ingame disassembler which shows you the mission script as you step through it inlove.gif
Ambitious? Yes! But too much fun to let go sigh.gif

Weird.

As.

Hell.

I was just thinking this same thing.

I spent the last day mapping and cataloging that very opcode handler, and had the same idea about an onscreen debugger.

I'm thinking a hack of spooky's speedo code would do nicely.

I was thinking about an onscreen menu to configure breakpoints and such as well...


grovespaz
  • grovespaz

    Group: Morons

  • Members
  • Joined: 22 Feb 2004

#930

Posted 05 February 2010 - 11:38 AM Edited by grovespaz, 05 February 2010 - 11:58 AM.

Ahahaha, imagine that lol.gif (I guess great minds think alike, eh? rolleyes.gif)

Well, I've also spent quite some time mapping the opcode handler, and was even thinking of taking over the opcode interpreter entirely but that's too much work with too little to gain at the moment.

The ingame debugger seems like a very nice way to go, so do you feel like working together on this a bit? smile.gif

As you can (probably) see, I've based my mod on Spookie's Speedo as well, and I've got a GUI system running in VC which we could use smile.gif
I'm still having a bit of trouble calculating the correct address of the opcode, so I'll be off again trying to fix it monocle.gif

By the way, is there any document/page which describes the complete actor block as far as it's been documented yet?
