
Documenting GTA3/VC memory addresses

1,186 replies to this topic
ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#931

Posted 05 February 2010 - 01:31 PM

QUOTE (grovespaz @ Feb 5 2010, 06:38)
Well, I've also spent quite some time mapping the opcode handler, and was even thinking of taking over the opcode interpreter entirely but that's too much work with too little to gain at the moment.


Well, every bit of this stuff coming out helps me link routines...

This "opcode handler" routine is a large jump table resolver called by one "mission manager" routine, which first calls the wasted-busted check, does some thinking, then calls the opcode handler.
This routine is called by three different routines involved in loading the game frontend.

Use the graph tool in IDA to see how it links together.


QUOTE
The in-game debugger seems like a very nice way to go, so do you feel like working together on this a bit?


PM sent.

QUOTE
As you can (probably) see, I've based my mod on Spookie's Speedo as well, and I've got a GUI system running in VC which we could use.
I'm still having a bit of trouble calculating the correct address of the opcode, so I'll be off again trying to fix it. By the way, is there any document/page which describes the complete actor block as far as it's been documented yet?

Been having trouble with this as well. Info is scattered and incomplete.

grovespaz
  • grovespaz

    Group: Morons

  • Members
  • Joined: 22 Feb 2004

#932

Posted 05 February 2010 - 04:57 PM Edited by grovespaz, 05 February 2010 - 05:01 PM.

QUOTE (ghost of delete key @ Feb 5 2010, 13:31)
Well, every bit of this stuff coming out helps me link routines...

This "opcode handler" routine is a large jump table resolver called by one "mission manager" routine, which first calls the wasted-busted check, does some thinking, then calls the opcode handler.
This routine is called by three different routines involved in loading the game frontend.

Can you clarify which routine is called by three different other routines? Because, from what I can see in IDA, the opcode interpreter only gets called from 44FBE0.
The opcode interpreter itself, in its turn, does something like this:

CODE
if ( FinalOpcode < 0 || FinalOpcode >= 100 )
 {
   if ( FinalOpcode >= 200 )
   {
     if ( FinalOpcode >= 300 )
     {
       if ( FinalOpcode >= 400 )
       {
                       <SNIP>
                           if ( FinalOpcode >= 1400 )
                           {
                             if ( FinalOpcode < 1500 )
                               result = OpcodeHandler1400_1499(FinalOpcode);
                           }
                       <SNIP>
       }
       else
       {
         result = OpcodeHandler300_399(Offset, FinalOpcode);
       }
     }
     else
     {
       result = OpcodeHandler200_299(Offset, FinalOpcode);
     }
   }
   else
   {
     result = OpcodeHandler100_199(Offset, FinalOpcode);
   }
 }
 else
 {
   result = OpcodeHandler0_99(Offset, FinalOpcode);
 }

Well, it's a bit more complicated, but that's the gist of it.


QUOTE

Use the graph tool in IDA to see how it links together.

Actually, as you can see above, I find the PseudoCode tool one of the best inventions ever. I have not made much use of the graph; I guess I'm just more used to reading code.

QUOTE

Been having trouble with this as well. Info is scattered and incomplete.

Hmm.. I'm thinking about compiling this information if it's not done already. However, I don't want to reinvent the wheel when there could be a perfectly good wheel available.

I've noticed I was searching this thread a lot, and searching a thread can take some time here, so I clicked 'Print this topic', and saved the resulting HTML page which contained the whole thread, in a clean layout on my computer. I can just search in my browser, and it's a lot faster ^.^
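As an added illustration (not code from grovespaz's post or from the game), the nested range tests in the pseudocode above reduce to a bank lookup: the decompiled ladder compares the decimal opcode value against 100, 200, ... 1500, while the rest of this thread writes opcodes in hex (02DE, 0109, 058E), so a hex opcode has to be converted before you can tell which handler bank it lands in. The handler names below are placeholders modelled on the OpcodeHandlerN_M names in the pseudocode; the use of bit 15 of the opcode word as the SCM "NOT" flag is a known format detail that is assumed here, not something taken from the post.

```python
# Added example, not from the thread: table-driven equivalent of the decompiled
# if/else ladder, plus the hex-to-bank conversion. Handler names are placeholders.
import struct

BANK_SIZE = 100
BANK_COUNT = 15                 # OpcodeHandler0_99 .. OpcodeHandler1400_1499
SCM_OPCODE_MASK = 0x7FFF        # bit 15 of the opcode word is the SCM "NOT" flag (assumed format detail)
SCM_NOT_FLAG = 0x8000


def bank_for(final_opcode):
    """Bank index the ladder selects, or None when no branch matches.

    Same edge behaviour as the pseudocode: negative values are rejected up
    front, and there is no branch at all for opcodes >= 1500."""
    if final_opcode < 0 or final_opcode >= BANK_SIZE * BANK_COUNT:
        return None
    return final_opcode // BANK_SIZE


def bank_name(bank):
    lo = bank * BANK_SIZE
    return "OpcodeHandler%d_%d" % (lo, lo + BANK_SIZE - 1)


def bank_for_hex(opcode_hex):
    """Opcode as written in SCM docs ('02DE') -> name of its handler bank."""
    bank = bank_for(int(opcode_hex, 16) & SCM_OPCODE_MASK)
    return None if bank is None else bank_name(bank)


def read_opcode_word(script, offset):
    """(final_opcode, negated) for the little-endian 16-bit word at `offset`."""
    word, = struct.unpack_from("<H", script, offset)
    return word & SCM_OPCODE_MASK, bool(word & SCM_NOT_FLAG)


def make_handler(bank):
    def handler(offset, final_opcode):          # placeholder handler body
        return (bank_name(bank), offset, final_opcode)
    return handler


HANDLERS = [make_handler(b) for b in range(BANK_COUNT)]


def dispatch(script, offset):
    """What the interpreter's ladder does with one opcode word: pick the bank
    and call it with (offset, opcode), or leave the result unset (None)."""
    final_opcode, _negated = read_opcode_word(script, offset)
    bank = bank_for(final_opcode)
    return None if bank is None else HANDLERS[bank](offset, final_opcode)


if __name__ == "__main__":
    for op in ("02DE", "0109", "058E"):
        print(op, "->", bank_for_hex(op))
```

The point worth keeping in mind when cross-referencing the handler functions with SCM documentation is that opcode 02DE (734 decimal) lands in the 700-799 bank and 058E (1422) in the 1400-1499 bank; reading the hex digits as a bank number gives the wrong function.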

spaceeinstein
  • spaceeinstein

    Chocolate

  • GTA Mods Staff
  • Joined: 17 Jul 2003
  • Hong-Kong
  • Major Contribution Award [Mods]
    Helpfulness Awards [Mods]

#933

Posted 05 February 2010 - 06:43 PM Edited by spaceeinstein, 05 February 2010 - 07:17 PM.

List of mission restart taxi stuff and some other taxi stuff
CODE
0x456046 - [4 bytes] - Opcode 02DE check if player is in a Taxi
+0x8 for each additional taxi (Cabbie, Zebra Cab, Kaufman Cabs)
0xA10B7F - [1 byte] - Kaufman Cabs' radio flag
Restart mission taxi:
0x42AEAC - [4 bytes] - Kaufman Cabs spawn (NOTE: Model needs to be loaded through 0x42AFB3 and set to spawn through 0x94EEB8)
0x42AFB3 - [4 bytes] - Kaufman Cabs model load
0x42AFD6 - [6 bytes] - NOP to have Tommy be able to carjack the taxi instead of entering it as passenger
0x42B219 - [1 byte] - Blue fade in color
+0x2 - [1 byte] - Green fade in color
+0x2 - [1 byte] - Red fade in color
0x42B24E - [4 bytes] - TAXI text duration
0x687574 - [string] - TAXI gxt text
0x78BCD8 - [float] - Angle taxi start
+0x4 for each additional taxi start, up to 0x78BCF4 total by default
0x812138 - [float] - X-coord taxi start
+0xC for each additional taxi start, up to 0x81218C
0x81213C - [float] - Y-coord taxi start
+0xC for each additional taxi start, up to 0x812190
0x812140 - [float] - Z-coord taxi start
+0xC for each additional taxi start, up to 0x812194
0x94DD94 - [float] - X-coord taxi destination (updated by opcode 058E)
+0x4 - [float] - Y-coord taxi destination
+0x4 - [float] - Z-coord taxi destination
0x94EEB8 - [1 byte] - Set taxi to spawn
0xA0D378 - [float] - Angle taxi destination
0xA10B6D - [1 byte] - Activate mission restart taxi

0x42AEAC - restart-mission taxi as a Sabre Turbo (see above to prevent crash)

0x456046 - taxi driver mission with Sabre Turbo as valid taxi

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#934

Posted 06 February 2010 - 08:27 AM

QUOTE (grovespaz @ Feb 5 2010, 11:57)
QUOTE (ghost of delete key @ Feb 5 2010, 13:31)
Well, every bit of this stuff coming out helps me link routines...

This "opcode handler" routine is a large jump table resolver called by one "mission manager" routine, which first calls the wasted-busted check, does some thinking, then calls the opcode handler.
This routine is called by three different routines involved in loading the game frontend.

Can you clarify which routine is called by three different other routines? Because, from what I can see in IDA, the opcode interpreter only gets called from 44FBE0.

I should have said:
"the /Mission Mgr/ is called by three different routines involved in loading the game frontend."
Not enough coffee in the world...

QUOTE
The opcode interpreter itself, in its turn, does something like this:

<pseudocode>

Well, it's a bit more complicated, but that's the gist of it.

QUOTE
I find the PseudoCode tool one of the best inventions ever


PseudoCode tool? In IDA??? I have no such goodies in my v4.3.0. Been looking for a plugin or something...

Here you can see your if/then tree. There seems little rhyme or reason for the many banks of opcode handlers, but there you have it.


This is the routine that calls the main handler; it thinks about the busted/wasted check before deciding to dive into opcode hell...


and this is called by one routine which checks to see if it should even bother, or go on with loading duties. That one is called by three different loading routines.

Here you can see the call chart between routines, as you can see there are tentative names for the front-end loaders.


What's the point?

Matching the SCM opcodes with their subroutines is helping me group and classify piles of memory addresses that I haven't seen documented anywhere.

I might be tripping, but it seems that there are multiple copies of certain structures like the player/actor characters, depending on what routine wants to do what in memory. I don't mean copies of the structure made during creation of models, I mean separate bases.
Needs more study.
And I think opcodes are going slightly off-topic.


QUOTE
I've noticed I was searching this thread a lot, and searching a thread can take some time here, so I clicked 'Print this topic', and saved the resulting HTML page which contained the whole thread, in a clean layout on my computer. I can just search in my browser, and it's a lot faster ^.^


Me too. Now I have more pages of GTAF on my drive than game files. Easy peasy...

NTAuthority
  • NTAuthority

    hell, no, tunnel, no

  • Feroci
  • Joined: 09 Sep 2008
  • European-Union
  • Best Conversion 2014 [ViIV for GTANY]
    Most Knowledgeable [Tech] 2013
    Best Map 2013 [ViceCityStories PC Edition]
    Contribution Award [Mods]

#935

Posted 06 February 2010 - 08:37 AM

QUOTE (ghost of delete key @ Feb 6 2010, 09:27)
QUOTE
I find the PseudoCode tool one of the best inventions ever


PseudoCode tool? In IDA??? I have no such goodies in my v4.3.0. Been looking for a plugin or something...

It's the $2299 Hex-Rays Decompiler plugin, I think. I got it somewhere *illegally*, and yes, it can be a huge help.

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#936

Posted 06 February 2010 - 12:39 PM

QUOTE (NTAuthority @ Feb 6 2010, 03:37)
QUOTE (ghost of delete key @ Feb 6 2010, 09:27)
QUOTE
I find the PseudoCode tool one of the best inventions ever


PseudoCode tool? In IDA??? I have no such goodies in my v4.3.0. Been looking for a plugin or something...

It's the $2299 Hex-Rays Decompiler plugin, I think. I got it somewhere *illegally*, and yes, it can be a huge help.

...
you Officially Suck.

Gimme.

NAO.

Yeah, I was looking at the new Hex-Rays tools the other day and dreaming.

Hours of wasted time looking for an attainable alternative. Oh well.
I also gotta cut the time to d/l a newer version of IDA, now that the oldies are free.

spaceeinstein
  • spaceeinstein

    Chocolate

  • GTA Mods Staff
  • Joined: 17 Jul 2003
  • Hong-Kong
  • Major Contribution Award [Mods]
    Helpfulness Awards [Mods]

#937

Posted 12 February 2010 - 05:38 PM Edited by spaceeinstein, 12 February 2010 - 05:54 PM.

Here are most of the stats in Vice City. I have included opcodes that directly affect the stats. Some are known already.
CODE
0xA1023C - [4 bytes] - Mission attempts (incremented by 0317)
0x97F1F4 - [4 bytes] - Days passed in game
0xA0D228 - [4 bytes] - Safehouse visits
0x974C0C - [4 bytes] - Rampages passed (total number set by 0408)
0x974C08 - [4 bytes] - Rampages passed (number of)
0x978794 - [4 bytes] - People you've wasted
0x9753AC - [4 bytes] - People wasted by others
0xA0D388 - [4 bytes] - Road Vehicles destroyed
0x974B04 - [4 bytes] - Boats destroyed
0x9751F0 - [4 bytes] - Planes & Helicopters destroyed
0x94DB58 - [4 bytes] - Tires popped with gunfire
0x9B5EB8 - [4 bytes] - Total number of wanted stars attained
0x9B5F30 - [4 bytes] - Total number of wanted stars evaded
0x975330 - [4 bytes] - Times busted
0x975320 - [4 bytes] - Hospital visits
0x9B6E38 - [4 bytes] - Number of headshots
0x94DB80 - [4 bytes] - Gang members wasted (Cubans)
   +0x4 for additional gangs (Haitians, etc., they all add up in the end)
0x94DBAC - [4 bytes] - Criminals wasted
0x9787A8 - [4 bytes] - Kgs of explosives used
0x97532C - [4 bytes] - Bullets fired
0x9B6CD4 - [4 bytes] - Bullets that hit
0xA0D9B4 - [float] - Dist. traveled on foot (miles)
0xA0FCFC - [float] - Dist. traveled by car (miles)
0xA0D2D8 - [float] - Dist. traveled by bike (miles)
0xA0D384 - [float] - Dist. traveled by boat (miles)
0x974C04 - [float] - Dist. traveled by golf cart (miles)
0x4BE18A - [4 bytes] - the Caddy used to measure that
0x9B6A48 - [float] - Dist. traveled by helicopter (miles)
0x97F210 - [float] - Max. INSANE Jump dist. (m) (set by 030E)
0xA0CFD8 - [float] - Max. INSANE Jump height (m) (set by 030F)
0x9787DC - [4 bytes] - Max. INSANE Jump flips (set by 0310)
0x978530 - [4 bytes] - Unique Jumps completed (total number set by 0314)
0x974B48 - [4 bytes] - Unique Jumps completed (number incremented by 0313)
0x978D14 - [4 bytes] - Max. INSANE Jump rotation (set by 0311)
0x974B30 - [4 bytes] - Best INSANE stunt so far (set by 0312)
   0 = No INSANE stunts completed
   1 = Insane stunt
   2 = Perfect insane stunt
   3 = Double insane stunt
   4 = Perfect double insane stunt
   5 = Triple insane stunt
   6 = Perfect triple insane stunt
   7 = Quadruple insane stunt (unused)
   8 = Perfect quadruple insane stunt (unused)
0x97530C - [4 bytes] - Longest Wheelie time (secs)
0x9786C0 - [float] - Longest Wheelie distance (m)
0x974B3C - [4 bytes] - Longest Stoppie time (secs)
0x9B5F44 - [float] - Longest Stoppie distance (m)
0xA0FCF8 - [4 bytes] - Longest 2 wheels time (secs)
0x9B48D0 - [float] - Longest 2 wheels distance (m)
0x974C28 - [float] - Visits From Loan Sharks (unused)
0x9787B4 - [4 bytes] - Criminals killed on Vigilante Mission (incremented by 0402)
0x94DD60 - [4 bytes] - Highest Vigilante Mission level (set by 0578)
0xA0D1DC - [4 bytes] - Passengers dropped off (incremented by 0315)
0xA0D9C8 - [4 bytes] - Cash made in taxi (added by 0316)
0x9B5EA8 - [4 bytes] - People saved in an Ambulance (incremented by 0401)
0x978DB8 - [4 bytes] - Highest Paramedic Mission level (set by 0403)
0x9B6A84 - [4 bytes] - Total fires extinguished (incremented by 0404)
0x975310 - [4 bytes] - Fire Truck Mission level (set by 0599)
0x97F898 - [float] - Stores Knocked Off (added by 0531)
0x4CC102 - [4 bytes] - Stores Knocked Off (total number, set to 15 by default)
0xA0FC8C - [float] - Movie Stunts (unused)
0xA10918 - [4 bytes] - Assassination Contracts Completed (incremented by 0533)
0x4CC1CD - [4 bytes] - Assassination Contracts Completed (total number, set to 5 by default)
0x97F21C - [4 bytes] - Photographs Taken
0x978780 - [float] - Pizza's Delivered (added by 0534)
0x974C00 - [float] - Garbage Pickups Made (unused)
0x975390 - [float] - 'Ice Cream' Sold (added by 0536)
0x974B80 - [4 bytes] - Fastest time on 'Alloy Wheels Of Steel' (set by 042E)
   +0x4 for each additional stat related to 042E up to 0x974BD8
0x9B6E20 - [4 bytes] - Highest score for Shooter (set by 042F)
   +0x4 for each additional stat related to 042F, except the last one, up to 0x9B6E2C
0xA0FD80 - [4 bytes] - Hotring Best Result (set by 0582)
0x974B08 - [float] - Shooting Range Rank
0x97854C - [4 bytes] - Flight hours (ms, converted to min in menu)
0x9B6E54 - [4 bytes] - Number of bloodring kills (added by 0543)
0xA0D2E0 - [4 bytes] - Longest time in bloodring (secs) (set by 0544)
0x9B48B4 - [4 bytes] - Fishes Fed
0x97869C - [4 bytes] - Seagulls Sniped
0xA0FC94 - [4 bytes] - Sprayings
0xA0FDCC - [float] - Weapon Budget (added by 0528)
0xA0D068 - [float] - Fashion Budget (added by 04CF)
0x9B48B0 - [float] - Property Budget (added by 0529)
0xA10298 - [float] - Auto Repair and Painting Budget
0x975404 - [4 bytes] - Property Destroyed
0x978E08 - [4 bytes] - Property Owned
0xA10AFD - [1 byte] - The Malibu owned (set by 0542, Property Owned needs a value for this to show)
   +0x1 for each additional property related to 0542 up to 0xA10B0B
0x978E0C - [float] - Highest media attention

And some miscellaneous stuff. I don't know if these are known already.
CODE
0x489DFE - [1 byte] - wanted level when shooting in the air, hitting peds and cars, etc. It's very specific on some actions that cause you to gain a wanted level
0x812668 - [1 byte] - garage 1 type (+A8? for additional garages, not tested yet) (can be changed by 02FA)
0x812669 - [1 byte] - garage door state
   0=closed
   1=opened
   2=close
   3=open
   4=stuck opened (set by 0360)
   5=stuck closed (set by 0361)
0x81266A - max cars in save garage, 4 definite max (set by 057A)
0x812682 - set camera follow player while in garage (set by 03DA)
0x94B930 - [float] - Restart point X when wasted, +C for additional points (set by 016C)
0x94B934 - [float] - Y
0x94B938 - [float] - Z
0x7DD740 - [float] - angle
0xA10972 - [1 byte] - Number of wasted restart points
0x933B00 - [float] - Restart point X when busted, +C for additional points (set by 016D)
0x933B04 - [float] - Y
0x933B08 - [float] - Z
0x7DD720 - [float] - angle
0xA10970 - [1 byte] - Number of busted restart points

Between 4907BF and 492CB8 all contain colors for the "redefine controls" menu. I had thought the colors in the menu would share the same colors everywhere else, but in this section of the menu a LOT of the text has its own colors. Same thing with the player skin setup, starting 4932B2.

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#938

Posted 13 February 2010 - 02:08 PM Edited by ghost of delete key, 13 February 2010 - 02:10 PM.

QUOTE (spaceeinstein @ Feb 12 2010, 12:38)
Between 4907BF and 492CB8 all contains colors for the "redefine controls" menu. I had thought the colors in the menu would share the same colors everywhere else but in this section of the menu, a LOT of the text have their own colors. Same thing with the player skin setup, starting 4932B2.

What you have found are some instances of the arguments passed to a function (I labeled it MAKE_RGBA_TEXT) which takes a string and the RGBA values.
The ones you mentioned aren't global vars, they're local to those functions.

from the player skin setup:
CODE

.text:004932A9                 lea     ecx, [esp+3D4h+var_158] // Load Effective Address
.text:004932B0                 push    eax
.text:004932B1                 push    94h
.text:004932B6                 push    65h
.text:004932B8                 push    31h
.text:004932BA                 call    MAKE_RGBA_TEXT // Call Procedure


the routine enumerates the skin files and grabs their names, and passes the text to the "MAKE_RGBA_TEXT" function. It appears everywhere text is to be drawn onscreen.

In many places the values are passed as constants instead of local vars, like above, and if I recall, I've seen it use some global vars as args.

One day I'll have the IDB filled out enough to post, but not today.
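As an added example (not code from this post or from the game), the listing above is exactly the kind of sequence you can decode mechanically to find where each constant argument lives: `push 94h` at 4932B1 occupies 5 bytes (the 68 imm32 form, because 0x94 does not fit a sign-extended 8-bit immediate), so its byte sits at 4932B2, which is the address spaceeinstein found; `push 65h` and `push 31h` use the 2-byte 6A imm8 form. The byte sequence below is constructed from the instruction lengths in the listing, and the call target bytes are placeholders; the decoder handles only `push reg`, `push imm8`, `push imm32` and `call rel32`.

```python
# Added example, not from the thread: decode the push instructions feeding a
# call, recover the argument constants and the address of each immediate, and
# patch one in place without corrupting the encoding.
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed bytes for 0x4932B0..0x4932BE, matching the listing's lengths.
SNIPPET_VA = 0x4932B0
SNIPPET = bytes([
    0x50,                           # 4932B0  push eax
    0x68, 0x94, 0x00, 0x00, 0x00,   # 4932B1  push 94h   (imm32 at 4932B2)
    0x6A, 0x65,                     # 4932B6  push 65h   (imm8  at 4932B7)
    0x6A, 0x31,                     # 4932B8  push 31h   (imm8  at 4932B9)
    0xE8, 0x00, 0x00, 0x00, 0x00,   # 4932BA  call rel32 (placeholder target)
])


def decode_pushes(code, base_va):
    """Decode push reg / push imm8 / push imm32 up to the first call.

    Returns a list of dicts with va, kind ('reg', 'imm', 'call') and value;
    immediates also carry the va and width of the immediate field."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if 0x50 <= op <= 0x57:                                    # push r32
            out.append(dict(va=base_va + pc, kind="reg", value=REG32[op - 0x50]))
            pc += 1
        elif op == 0x6A:                                          # push imm8, sign-extended to 32 bits
            val, = struct.unpack_from("<b", code, pc + 1)
            out.append(dict(va=base_va + pc, kind="imm", value=val & 0xFFFFFFFF,
                            imm_va=base_va + pc + 1, width=1))
            pc += 2
        elif op == 0x68:                                          # push imm32
            val, = struct.unpack_from("<I", code, pc + 1)
            out.append(dict(va=base_va + pc, kind="imm", value=val,
                            imm_va=base_va + pc + 1, width=4))
            pc += 5
        elif op == 0xE8:                                          # call rel32: end of the argument setup
            rel, = struct.unpack_from("<i", code, pc + 1)
            out.append(dict(va=base_va + pc, kind="call",
                            value=(base_va + pc + 5 + rel) & 0xFFFFFFFF))
            break
        else:
            raise ValueError("unhandled opcode 0x%02X at 0x%X" % (op, base_va + pc))
    return out


def stack_arguments(decoded):
    """Stack arguments in declaration order: x86 pushes right to left, so the
    last push before the call is the first stack argument."""
    pushes = [d["value"] for d in decoded if d["kind"] in ("reg", "imm")]
    return list(reversed(pushes))


def patch_immediate(code, base_va, imm_va, new_value):
    """Overwrite one pushed constant. A 1-byte (6A) slot only holds 0..0x7F
    without sign extension; a larger value needs the 5-byte 68 form, which
    changes the instruction length, so refuse rather than corrupt the code."""
    patched = bytearray(code)
    for d in decode_pushes(code, base_va):
        if d["kind"] == "imm" and d["imm_va"] == imm_va:
            off = imm_va - base_va
            if d["width"] == 1:
                if not 0 <= new_value <= 0x7F:
                    raise ValueError("0x%X does not fit push imm8; re-encode as 68 imm32" % new_value)
                patched[off] = new_value
            else:
                struct.pack_into("<I", patched, off, new_value & 0xFFFFFFFF)
            return bytes(patched)
    raise KeyError("no push immediate at 0x%X" % imm_va)


if __name__ == "__main__":
    for d in decode_pushes(SNIPPET, SNIPPET_VA):
        print("%08X %s %s" % (d["va"], d["kind"], d["value"]))
```

The practical consequence for anyone editing these colours by hand: writing 0x94 over the 0x65 at 4932B7 gives the function 0xFFFFFF94, not 0x94, because that slot is an imm8; only values up to 0x7F can be dropped into a 2-byte push.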

ModelingMan
  • ModelingMan

    Crackalacking!

  • Feroci
  • Joined: 23 Jan 2004
  • Scotland

#939

Posted 16 February 2010 - 11:01 AM

VC reverse engineering is still alive! I just read a few posts from last month, don't have time just now to read the rest.

My VC IDA database has quite a lot of labelled functions and variables. It's mostly the labels from the GTA3 PS2 SLUS, and another handful found by myself and Dexx. I'm sure I can "legally" create an IDC file for use with IDA (IDC file is essentially a script, it contains no binary code), it should be useful to you all.

I saw something about copying the functions from the Names tab in IDA; you simply right-click any function and hit copy, and it'll copy the entire list along with the addresses.

NTAuthority
  • NTAuthority

    hell, no, tunnel, no

  • Feroci
  • Joined: 09 Sep 2008
  • European-Union
  • Best Conversion 2014 [ViIV for GTANY]
    Most Knowledgeable [Tech] 2013
    Best Map 2013 [ViceCityStories PC Edition]
    Contribution Award [Mods]

#940

Posted 16 February 2010 - 11:04 AM

QUOTE (ModelingMan @ Feb 16 2010, 12:01)
It's mostly the labels from the GTA3 PS2 SLUS

Hm, nice! I've been trying a bit to map the GTA3/PS2 names in the gta3.idb from listener to VC, but having them already available can be a nice help.

spaceeinstein
  • spaceeinstein

    Chocolate

  • GTA Mods Staff
  • Joined: 17 Jul 2003
  • Hong-Kong
  • Major Contribution Award [Mods]
    Helpfulness Awards [Mods]

#941

Posted 16 February 2010 - 05:12 PM Edited by spaceeinstein, 08 March 2010 - 06:02 PM.

Ooo, I think this is cool
CODE
0x5B8A47 - 4 bytes - Ambulance model, entering it will give you health. The second car with perks is offset from this car, and the third one is offset from the second, etc. So changing one affects all below it.
0x5B8A4F - 1 byte - +4 from Ambulance model for Taxi model to give you money
0x5B8A54 - 1 byte - +6 from Taxi for Police
0x5B8A59 - +1 for Enforcer
0x5B8A60 - +B for Cabbie
0x5B8A67 - +13h for Caddy to give you golf club
0x5B8A70 - +1 for Zebra
0x5B8A75 - +1C for Kaufman Cabs


Menu, all colors in BGR order
CODE
0x49E014 and 0x49E01B - save menu transparent background alpha
0x49E028,2D,2F - save menu transparent background color
0x49E1D9 - menu title text font
0x49E25A and 0x49E261 - menu title shadow alpha
0x49E26E, 70, 72 - menu title shadow color
0x49E330, 35, 3A - menu title color
0x49E425 - menu message text font
0x49E4AB and 0x49E4B2 - menu message shadow alpha
0x49E4BF, C1, C3 - menu message shadow color
0x49E4F2, F7, FC - menu message color
0x49E77F, 81, 83 - save menu text color
0x49E817 - menu options font
0x49E898 and 0x49E89F - menu options shadow alpha
0x49E8AC, AE, B0 - menu options shadow color
0x49E8DF, E4, E9 - menu options color
0x49ED7D, 82, 84 - unselect mouse option color
0x49EDDC, E1, E3 - unselect resolution option color
0x49F313, 18, 1A, 1F - green bar "left behind" color
0x49F7D2, D7, D9, DE - green bar "static" color
0x49F9BB, C0, C2, C7 - green bar "moving" color
0x4A21A2, A7, A9, AB - pausing game fade color
0x4A26E2, E7, EC - onscreen menu overlay color
0x4A2743, 48, 4A, 4C - dynamic bar color left side
0x4A283D, 42, 44, 46 - dynamic bar color top side
0x4A2937, 3C, 3E, 40 - dynamic bar color bottom side
0x4A2A40, 45, 47, 49 - dynamic bar color right side
0x4A2CCB, D0, D2, D4 - dynamic bar transition color left side
0x4A2DC5, CA, CC, CE - dynamic bar transition color top side
0x4A2EC2, C7, C9, CB - dynamic bar transition color bottom side
0x4A2FD1, D6, D8, DA - dynamic bar transition color right side
0x4A341D, 22, 27, 2C - Vice City logo color
0x4A36C2, C2, C7, CC - mouse color

Holy crap, there are so many unique colors for many things, and this is only the front main menu. There are unique colors for controls, audio, stats, brief, and map. One could make a completely psychedelic look by changing these settings to random numbers.

Miscellaneous
CODE
0x42BD33 - 4 bytes - wasted time progression in minutes
0x430CF3 - 2 bytes - set to 432 to be able to spray any car you want
0x430D31 - 1 byte - set to 0 to be not frozen while respraying your car
0x53B6D4+0x7 - byte - weapons given to peds when using ped weapons cheat
0x5591B7 - 1 byte - number of wanted stars to draw
0x573F9E - 1 byte - green scanline (from 04C7) number blue color, +0x2 for green and red (BGR)
0x5AD189 - 1 byte - police heli final explosion type
0x5AD3EA - 1 byte - police heli mid-air explosion type
0x5AD23E - 4 bytes - cash added when shot down police helicopter
0x5B8AB6 - 1 byte - money when entering a taxi
0x5C6F38 - 1 byte - rocket launcher explosion type
0x5C7068 - 1 byte - molotov explosion type
0x5C720A - 1 byte - remote grenade explosion type
0x69C69C - float - health when entering an ambulance
0x783944+0x4 - float - arcade music, up to 0x783958
0x817D2C+0x34 - float - phone x coord
0x817D30+0x34 - y coord
0x817D34+0x34 - z coord
0x817D24+0x34 - phone activity, 3 = normal nonringing, 9 = ringing, rest was used in GTA III but can still be used in VC, specifically 4,5, and 6
0x978810 - 1 byte - select interior
0x980038 - 1 byte - disable radio station, including the one in the pause menu
0xA10B32 - 1 byte - set free bomb garage


And some opcode-related ones, I think some are already discovered
CODE
0x86966B - 1 byte - show save screen (03D8)
0x94AE60 - 1 byte - chaos level (04BF)
0x94AE68 - 1 byte - infinite run (0330)
0x94AE69 - 1 byte - fast reload (0331)
0x94AE6A - 1 byte - fireproof (055D)
0x94AE6B - 1 byte - max health (055E)
0x94AE6C - 1 byte - max armor (055F)
0x94AE6F - 1 byte - enable  driveby (0501)
0x978554 - 1 byte - stadium event message (054D)
0x9B6DE9 - 1 byte - pause onscreen timer (0396)
0xA10B15 - 1 byte - set radar gray (057E)
0xA10B3A - 1 byte - taxi boost jump (0572)
  0x5930EC - 4 bytes - models to use for taxi boost, +0x7 for additional model (doesn't work on bikes but fortunately it doesn't crash the game)
0xA10B3E - 1 byte - set riot noise (0552)
  0x7839A8 - float - riot noise location


And something very cool. Negative money!
NOP 0x44575C to 0x445772 and use opcode 0109 to subtract your money.
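Most of the addresses in this post and the earlier lists are virtual addresses as IDA shows them, and they fall into two groups: code and constants in the 0x4xxxxx/0x5xxxxx range, which exist in the executable on disk and can be patched there, and the 0x94xxxx/0xA1xxxx stats, flags and coordinates, which live in uninitialised data and only exist once the game is running. The script below is an added example (not code from the thread) that turns a VA into a file offset through the PE section table and applies a patch list to a copy of the executable; the PE image is constructed in memory so it runs offline, and the patches reuse three entries from this post (the 6-byte NOP at 0x42AFD6, the 432 at 0x430CF3, the zero at 0x430D31) plus the run-time-only flag at 0x94EEB8 to show the distinction.

```python
# Added example, not from the thread: VA -> file offset through the PE section
# table, with run-time-only addresses reported instead of silently mis-patched.
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B


def build_sample_pe():
    """Constructed PE32 shaped like a 32-bit game executable: ImageBase 0x400000,
    a .text section backed by file data, and a .data section whose SizeOfRawData
    is 0 (uninitialised data that exists only at run time)."""
    text_raw, text_size = 0x400, 0x45000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", PE32_MAGIC, 6, 0, text_size, 0, 0x200000,
                      0x1000, 0x1000, 0x500000, 0x400000, 0x1000, 0x200)
    opt += b"\0" * (0xE0 - len(opt))                                  # remainder of the optional header
    sections = struct.pack("<8sIIIIIIHHI", b".text", text_size, 0x1000, text_size, text_raw,
                           0, 0, 0, 0, 0x60000020)
    sections += struct.pack("<8sIIIIIIHHI", b".data", 0x200000, 0x500000, 0, 0,
                            0, 0, 0, 0, 0xC0000080)
    headers = dos + b"PE\0\0" + coff + opt + sections
    return headers + b"\0" * (text_raw - len(headers)) + b"\xCC" * text_size


def parse_sections(image):
    """Return (image_base, [(name, rva, virtual_size, raw_ptr, raw_size), ...])."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", image, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base, = struct.unpack_from("<I", image, opt + 28)
    sections = []
    for i in range(nsections):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(image_base, sections, va):
    """File offset backing `va`; None if the address is run-time only (no raw
    data behind it); ValueError if it lies outside every section."""
    rva = va - image_base
    for _, sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            return raw_ptr + delta if delta < raw_size else None
    raise ValueError("0x%X is not inside any section" % va)


def apply_patches(image, patches):
    """Apply (va, bytes) patches to a copy of `image`; returns (patched, skipped)."""
    image_base, sections = parse_sections(image)
    out, skipped = bytearray(image), []
    for va, data in patches:
        off = va_to_file_offset(image_base, sections, va)
        if off is None:
            skipped.append((va, "no file data behind this address; patch it in memory at run time"))
            continue
        out[off:off + len(data)] = data
    return bytes(out), skipped


# Entries taken from the post: NOP the 6 bytes at 0x42AFD6, write 432 as a
# 2-byte value at 0x430CF3, zero the byte at 0x430D31; 0x94EEB8 is the
# run-time "set taxi to spawn" flag and cannot be patched on disk.
PATCHES = [
    (0x42AFD6, b"\x90" * 6),
    (0x430CF3, struct.pack("<H", 432)),
    (0x430D31, b"\x00"),
    (0x94EEB8, b"\x01"),
]

if __name__ == "__main__":
    patched, skipped = apply_patches(build_sample_pe(), PATCHES)
    for va, why in skipped:
        print("skipped 0x%X: %s" % (va, why))
```

Against a real executable you would read the file into `image` instead of calling build_sample_pe(); the section layout and therefore the offsets depend on which build of the executable you have, which is why addresses from this thread should always be checked against the bytes you expect before writing.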

ModelingMan
  • ModelingMan

    Crackalacking!

  • Feroci
  • Joined: 23 Jan 2004
  • Scotland

#942

Posted 17 February 2010 - 06:05 PM Edited by ModelingMan, 05 June 2010 - 08:13 PM.

OK, here is a link to an IDC script for IDA generated from my current IDB. It was created with IDA 5, but should work with earlier versions. Do NOT execute this script on your current IDBs as it undefines everything currently in the IDB, create a new disassembly. You may get some errors mentioning a name is already in use, just ignore the messages and continue; you may want to select "Do not display this message again".

My current IDB is a little bit messy as I created a signature file based on my original IDB and used that signature in a new disassembly (wish I hadn't now). My original IDB is lost somewhere on countless backup DVDs.

There are several functions labelled with different parameters (the functions differed slightly on GTA3 PS2). There may also be others which are incorrectly named (because of the signature file I mentioned above).

There should be a lot of stuff here which you can all have fun with.

Edit: Here is a slightly modified version of the script. This one may not undefine the labels you have currently in your IDB (unless I have labelled it), and will not label functions with a "FAKE_" prefix (this was my signature which caused this). Make a backup of your current IDB before trying this script.

Edit: Also, you may want to change the compiler type to GNU C++ (Options -> Compiler...) so that IDA demangles the function labels. And another useful thing is to set IDA to show demangled names as actual names instead of comments (Options -> Demangled names...).

I see there's some activity in the SCM section. I did a little bit of this for GTA:LC and also made a little opcode hook for VC. Once I find the source code to my little hook I'll post it here, it might help you at some point (it demonstrates how to call class functions without having to set the ecx register manually).

ghost of delete key
  • ghost of delete key

    chrome vanadium

  • The Connection
  • Joined: 27 Dec 2003
  • United-States

#943

Posted 18 February 2010 - 08:44 AM

QUOTE (ModelingMan @ Feb 16 2010, 06:01)
VC reverse engineering is still alive!

I like to call it "reVice engineering".

Sorry, nothing to add just yet, though that IDC may be quite handy, thanks!

grovespaz
  • grovespaz

    Group: Morons

  • Members
  • Joined: 22 Feb 2004

#944

Posted 18 February 2010 - 03:54 PM

QUOTE (ModelingMan @ Feb 17 2010, 18:05)
OK, here is a link to an IDC script for IDA generated from my current IDB. It was created with IDA 5, but should work with earlier versions. Do NOT execute this script on your current IDBs as it undefines everything currently in the IDB, create a new disassembly. You may get some errors mentioning a name is already in use, just ignore the messages and continue; you may want to select "Do not display this message again".

My current IDB is a little bit messy as I created a signature file based on my original IDB and used that signature in a new disassembly (wish I hadn't now). My original IDB is lost somewhere on countless backup DVDs.

There are several functions labelled with different parameters (the functions differed slightly on GTA3 PS2). There may also be others which are incorrectly named (because of the signature file I mentioned above).

There should be a lot of stuff here which you can all have fun with.

Edit: Here is a slightly modified version of the script. This one may not undefine the labels you have currently in your IDB (unless I have labelled it), and will not label functions with a "FAKE_" prefix (this was my signature which caused this). Make a backup of your current IDB before trying this script.

Edit: Also, you may want to change the compiler type to GNU C++ (Options -> Compiler...) so that IDA demangles the function labels. And another useful thing is to set IDA to show demangled names as actual names instead of comments (Options -> Demangled names...).

I see there's some activity in the SCM section. I did a little bit of this for GTA:LC and also made a little opcode hook for VC. Once I find the source code to my little hook I'll post it here, it might help you at some point (it demonstrates how to call class functions without having to set the ecx register manually).

Wow! Thank you so much! This makes reading some of the code so much easier.

It's good to see some of the old timers are still active.

Same goes to you, spaceeinstein, it's very cool to see you're still hacking your way around VC. The control HUD colours are something I'm going to play with when I get the chance.

spaceeinstein
  • spaceeinstein

    Chocolate

  • GTA Mods Staff
  • Joined: 17 Jul 2003
  • Hong-Kong
  • Major Contribution Award [Mods]
    Helpfulness Awards [Mods]

#945

Posted 18 February 2010 - 07:26 PM

Actually this is my first time in hacking Vice City in this way. I had always thought hacking requires a lot of work so I hadn't bothered to try before but lately I want to try. The coolest thing is to understand how opcodes behave.

ModelingMan
  • ModelingMan

    Crackalacking!

  • Feroci
  • Joined: 23 Jan 2004
  • Scotland

#946

Posted 19 February 2010 - 01:51 AM Edited by ModelingMan, 05 June 2010 - 08:13 PM.

I started up a little something I was working on a couple years ago. At first it started off wrapping D3D8 calls to D3D9. After that failed, I turned to redirecting all the referenced Renderware functions of VC to the Renderware 3.6 libs I have, which seems to be working so far.


If you've ever used the RW libs you'll recognize the logo in the bottom left corner.

My plan was to use the RW functions from the SA executable and redirect the functions in VC (and probably III) to them. This could allow more advanced graphics hacks for VC and III (HLSL shaders, etc.).

NTAuthority
  • NTAuthority

    hell, no, tunnel, no

  • Feroci
  • Joined: 09 Sep 2008
  • European-Union
  • Best Conversion 2014 [ViIV for GTANY]
    Most Knowledgeable [Tech] 2013
    Best Map 2013 [ViceCityStories PC Edition]
    Contribution Award [Mods]

#947

Posted 19 February 2010 - 09:55 AM

QUOTE (ModelingMan @ Feb 19 2010, 02:51)
If you've ever used the RW libs you'll recognize the logo in the bottom left corner.

During scanning over this topic, I thought 'but that odd RW logo, would that be a trial version of RW or so?', which sparked my interest in reading the full post. Nice idea!

QUOTE

My plan was to use the RW functions from the SA executable and redirect the functions in VC (and probably III) to them. This could allow more advanced graphics hacks for VC and III (HLSL shaders, etc.).


... and analysis via PIX, which I've wanted to try on VC to compare with SA but couldn't do since VC is D3D8. Also, 'redirecting to SA', wouldn't that be semi-impossible?

ModelingMan
  • ModelingMan

    Crackalacking!

  • Feroci
  • Joined: 23 Jan 2004
  • Scotland

#948

Posted 19 February 2010 - 02:17 PM

QUOTE (NTAuthority @ Feb 19 2010, 10:55)
Also, 'redirecting to SA', wouldn't that be semi-impossible?

I'd like to think of it as semi-possible.

Patching the SA executable to make it seem like a DLL and loading that into VC's memory (through LoadLibrary) may work. Using the handle returned by LoadLibrary, it is then possible to redirect the RW functions to SA. Of course, the main problem with this dirty hack is relocation; LoadLibrary may try to load SA's executable where VC's already is causing it to fail, so I'll need to somehow workaround that.

In addition, all DFFs and TXDs would need to be converted to at least RW 3.4; this can easily be an automated process.
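The relocation worry in the post above comes down to a handful of PE header fields: the image's preferred ImageBase and SizeOfImage, whether it still carries a base-relocation table, and whether IMAGE_FILE_RELOCS_STRIPPED is set. As an added example (my own code, not from the thread or from any poster's tool), the C below parses those fields from a PE32 header and decides whether a second image could be mapped into a process whose host already occupies the same preferred range. The sample headers are constructed in make_sample_pe and carry no real executable's values; the 0x00400000 base is only the common linker default, not a figure from either game. The same check is what tells you whether an image can be rebased at all, which is also the precondition for it to honour ASLR.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PE/COFF constants from the specification. */
#define IMAGE_FILE_RELOCS_STRIPPED            0x0001
#define IMAGE_FILE_EXECUTABLE_IMAGE           0x0002
#define IMAGE_FILE_DLL                        0x2000
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define PE32_MAGIC                            0x010B
#define DIR_BASERELOC                         5

struct pe_info {
    uint32_t image_base;    /* preferred load address */
    uint32_t size_of_image; /* bytes the mapped image occupies */
    int is_dll;
    int relocatable;        /* has a .reloc directory and RELOCS_STRIPPED is clear */
    int dynamic_base;       /* linked ASLR-aware (/DYNAMICBASE) */
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xFF; }

/* Parse the headers of a PE32 image held in memory. Returns 0 on success,
   -1 if the buffer is too short or is not a PE32 file. */
int pe_parse(const unsigned char *buf, size_t len, struct pe_info *out)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;                 /* "MZ" */
    uint32_t pe_off = rd32(buf + 0x3C);                                  /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20 + 96 + 16 * 8) return -1;
    const unsigned char *pe = buf + pe_off;
    if (memcmp(pe, "PE\0\0", 4) != 0) return -1;
    const unsigned char *coff = pe + 4, *opt = coff + 20;
    if (rd16(coff + 16) < 96 + 16 * 8 || rd16(opt) != PE32_MAGIC) return -1;
    uint16_t characteristics = rd16(coff + 18);
    uint32_t reloc_dir_size = rd32(opt + 96 + DIR_BASERELOC * 8 + 4);
    out->image_base    = rd32(opt + 28);
    out->size_of_image = rd32(opt + 56);
    out->is_dll        = (characteristics & IMAGE_FILE_DLL) != 0;
    out->relocatable   = !(characteristics & IMAGE_FILE_RELOCS_STRIPPED) && reloc_dir_size != 0;
    out->dynamic_base  = (rd16(opt + 70) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    return 0;
}

/* 1 if the preferred address ranges of the two images overlap. */
int pe_ranges_overlap(const struct pe_info *a, const struct pe_info *b)
{
    uint64_t a_end = (uint64_t)a->image_base + a->size_of_image;
    uint64_t b_end = (uint64_t)b->image_base + b->size_of_image;
    return a->image_base < b_end && b->image_base < a_end;
}

/* 1 if `guest` could be mapped into a process that already holds `host` at its preferred
   base: either the ranges do not collide, or the loader is able to rebase `guest`. */
int pe_can_load_alongside(const struct pe_info *host, const struct pe_info *guest)
{
    return !pe_ranges_overlap(host, guest) || guest->relocatable;
}

/* Build a constructed, minimal PE32 header (no sections) for demonstration only. */
size_t make_sample_pe(unsigned char *buf, size_t cap, uint32_t image_base,
                      uint32_t size_of_image, int with_relocs)
{
    const size_t total = 0x40 + 4 + 20 + 224;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);
    unsigned char *pe = buf + 0x40, *coff = pe + 4, *opt = coff + 20;
    memcpy(pe, "PE\0\0", 4);
    wr16(coff + 0, 0x014C);                              /* IMAGE_FILE_MACHINE_I386 */
    wr16(coff + 16, 224);                                /* SizeOfOptionalHeader, PE32 */
    wr16(coff + 18, IMAGE_FILE_EXECUTABLE_IMAGE | (with_relocs ? 0 : IMAGE_FILE_RELOCS_STRIPPED));
    wr16(opt, PE32_MAGIC);
    wr32(opt + 28, image_base);
    wr32(opt + 56, size_of_image);
    wr32(opt + 92, 16);                                  /* NumberOfRvaAndSizes */
    if (with_relocs) {                                   /* point the reloc directory somewhere */
        wr32(opt + 96 + DIR_BASERELOC * 8, 0x1000);
        wr32(opt + 96 + DIR_BASERELOC * 8 + 4, 0x200);
    }
    return total;
}

/* Demo: host exe and a second exe that both prefer 0x00400000. Returns 1 when the second
   can still be mapped, 0 when the collision is fatal, -1 on parse error. */
int demo_exe_as_dll(int guest_has_relocs)
{
    unsigned char host[320], guest[320];
    struct pe_info h, g;
    size_t hn = make_sample_pe(host, sizeof host, 0x00400000, 0x00300000, 0);
    size_t gn = make_sample_pe(guest, sizeof guest, 0x00400000, 0x00500000, guest_has_relocs);
    if (pe_parse(host, hn, &h) || pe_parse(guest, gn, &g)) return -1;
    return pe_can_load_alongside(&h, &g);
}

/* Round trip: parse a constructed relocatable image and return its ImageBase (0 on failure). */
uint32_t demo_parse_roundtrip(void)
{
    unsigned char buf[320]; struct pe_info info;
    size_t n = make_sample_pe(buf, sizeof buf, 0x10000000, 0x1000, 1);
    if (pe_parse(buf, n, &info) != 0 || !info.relocatable || info.is_dll) return 0;
    if (pe_parse(buf, 16, &info) != -1) return 0;        /* truncated input must be rejected */
    return info.image_base;
}

int main(void)
{
    printf("guest without .reloc: %d\nguest with .reloc: %d\n", demo_exe_as_dll(0), demo_exe_as_dll(1));
    return 0;
}
```

Run against a real file, read the whole image into a buffer and call pe_parse on it; if `relocatable` comes back 0 for the module you intend to load second, no amount of LoadLibrary trickery will get it mapped over a host that already sits at its preferred base.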

NTAuthority
  • NTAuthority

    hell, no, tunnel, no

  • Feroci
  • Joined: 09 Sep 2008
  • European-Union
  • Best Conversion 2014 [ViIV for GTANY]
    Most Knowledgeable [Tech] 2013
    Best Map 2013 [ViceCityStories PC Edition]
    Contribution Award [Mods]

#949

Posted 21 February 2010 - 08:03 AM

QUOTE (ModelingMan @ Feb 19 2010, 15:17)
In addition, all DFFs and TXDs would need to be converted to at least RW 3.4; this can easily be an automated process.

SA's RenderWare instance is fully capable of loading all VC DFF files, it's only the TXDs that would need to be changed.

ModelingMan
  • ModelingMan

    Crackalacking!

  • Feroci
  • Joined: 23 Jan 2004
  • Scotland

#950

Posted 21 February 2010 - 03:48 PM

QUOTE (NTAuthority @ Feb 21 2010, 09:03)
SA's RenderWare instance is fully capable of loading all VC DFF files, it's only the TXDs that would need to be changed.

Hmmm, I haven't tested VC DFFs in SA, but somehow I don't think this is true. In order for me to load VC's player.dff with the RW3.6 libs (essentially the same as SA) I had to convert it from 3.3.0.2 to 3.4.0.0.

CODE
.text:0074B475 054                 cmp     eax, 34000h
.text:0074B47A 054                 jb      loc_74BC92


The code above (from RpClumpStreamRead in SA) shows a comparison of the decoded version info. If the condition is true the function exits with an error, and since VC's player.dff would be decoded to 0x33002 the function will fail.

Even though VC uses RW3.4, it seems most of, if not all, the DFFs are versioned with 3.3.0.2.

VRocker2k5
  • VRocker2k5

    GTA Addict

  • Members
  • Joined: 17 Aug 2005

#951

Posted 23 February 2010 - 04:52 PM Edited by VRocker2k5, 23 February 2010 - 04:54 PM.

Here's something awesome I found in GTA3 while messing with the CMenuManager class.

There's been loads of talk about the in-game debug menu, but there are a couple of debug menus left in the game. Don't know if these have been found before.

Here's a screenshot of one of the debug menus (some of the options actually work!). Be warned with debugging the lights stuff: when I tested with other stuff enabled, it kept flashing black and white every frame.

user posted image

There are 53 menus in GTA3 and 34 in VC, although VC has no secret ones. Here are some enums I've made for both games:

GTA3:
CODE

enum eMenuOptions
{
E_MENU_NOMENU = 0,
E_MENU_STATS = 1,
E_MENU_STARTGAME = 2,
E_MENU_BREIFS = 3,
E_MENU_PS2CONTROL_SETUP = 4,
E_MENU_AUDIO = 5,
E_MENU_DISPLAY = 6,
E_MENU_LANGUAGE = 7,
E_MENU_LOADGAME = 8,
E_MENU_DELETE = 9,
E_MENU_NEWGAME_CONFIRM = 10,
E_MENU_LOAD_CONTINUE = 11,
E_MENU_DELETE_CONFIRM = 12,
E_MENU_LOADFAILED_CORRUPTED = 13,
E_MENU_LOADFAILED_CORRUPTED1 = 14,
E_MENU_DELETINGSAVE = 15,
E_MENU_MP_MAP1 = 16,
E_MENU_DELETEFAILED = 17,
E_MENU_DEBUG = 18,
E_MENU_MEMCARD_DEBUG = 19,
E_MENU_TESTSAVE = 20,
E_MENU_MP = 21,
E_MENU_NOSPACE500KB = 22,
E_MENU_NOSPACE200KB = 23,
E_MENU_SAVECONFIRM = 24,
E_MENU_NOMEMCARD = 25,
E_MENU_SAVEGAME = 26,
E_MENU_OVERWRITESAVE = 27,
E_MENU_MP_MAP2 = 28,
E_MENU_MP_CONNECTION = 29,
E_MENU_MP_FINDGAME = 30,
E_MENU_MP_HOST_GAMETYPE = 31,
E_MENU_MP_HOSTGAME = 32,
E_MENU_UNKNOWN = 33,
E_MENU_MP_PLAYERSETTINGS = 34,
E_MENU_CONTROLOPTIONS = 35,
E_MENU_OLDKEYOPTIONS = 36,
E_MENU_OLDKEYOPTIONS2 = 37,
E_MENU_OLDKEYOPTIONS3 = 38,
E_MENU_OLDKEYOPTIONS4 = 39,
E_MENU_DEBUGOPTIONS = 40,
E_MENU_OPTIONS = 41,
E_MENU_SUREQUIT = 42,
E_MENU_SAVING = 43,
E_MENU_GAMESAVED = 44,
E_MENU_FILEDELETED = 45,
E_MENU_FILEDELETED2 = 46,
E_MENU_SAVEFAILED = 47,
E_MENU_SAVEFAILED2 = 48,
E_MENU_LOADFAILED_CORRUPTED2 = 49,
E_MENU_MP_SERVERINFO = 50,
E_MENU_DEFAULT = 51,
E_MENU_SPMP = 52,
};


GTAVC:
CODE

enum eMenuOptions
{
E_MENU_STATS = 0,
E_MENU_DEFAULT = 1,
E_MENU_BREIF = 2,
E_MENU_AUDIOOPTIONS = 3,
E_MENU_DISPLAYOPTIONS = 4,
E_MENU_LANGUAGE = 5,
E_MENU_MAP = 6,
E_MENU_STARTCONFIRM = 7,
E_MENU_LOAD = 8,
E_MENU_DELETE = 9,
E_MENU_LOADCONFIRM = 10,
E_MENU_DELETECONFIRM = 11,
E_MENU_STARTGAME = 12,
E_MENU_DELETING = 13,
E_MENU_DELETESUCCESS = 14,
E_MENU_SAVE = 15,
E_MENU_OVERWRITE = 16,
E_MENU_SAVING = 17,
E_MENU_SAVESUCCESS = 18,
E_MENU_UNKNOWN = 19,
E_MENU_CHEATSWARNING = 20,
E_MENU_CRASHY = 21,
E_MENU_UNKNOWNSAVE = 22,
E_MENU_SAVEUNSUCCESSFUL = 23,
E_MENU_SAVEUNSUCCESSFUL2 = 24,
E_MENU_LOADFAIL_CORRUPT = 25,
E_MENU_CONTROLOPTIONS = 26,
E_MENU_OPTIONS = 27,
E_MENU_SUREQUIT = 28,
E_MENU_MAIN = 29,
E_MENU_CONTROLSETTINGS = 30,
E_MENU_MOUSESETTINGS = 31,
E_MENU_PAUSE = 32,
E_MENU_QUITSPLASH = 34,
};


To check these menus out yourselves, navigate to the CMenuManager class (GTA3 1.1 = 0x8F5A8C, GTAVC 1.0 = 0x869630), then add the offset for the current menu (GTA3 1.1 = 0x548, GTAVC 1.0 = 0xF8).

Enjoy!

DexX
  • DexX

    Black Hat

  • Feroci
  • Joined: 16 May 2002

#952

Posted 25 February 2010 - 02:36 AM Edited by DexX, 25 February 2010 - 09:20 PM.

Ffs, I stop reading this topic for 3 days...

Modelingman; SA should load assets with a version number greater than or equal to the rwLIBRARYBASEVERSION, as defined in (include\d3d9\)rwversion.h.
For rwg 3.7 the base is 3.5. For rw 3.6 it should be the same, or 3.4.

Edit; The above is true for Rwg 3.7. For 3.6, rwLIBRARYBASEVERSION is defined in rwplcore.h (and it is 3.4, rw will spit a warning, 3.5 to load without a warning, 3.6 is current)

Btw if you attempt dff batch conversion using the RpClumpStreamWrite function in the SA exe - and you get it to work - lemme know. It's the only Rw function that consistently crashes for me.
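ModelingMan's disassembly (#950) and DexX's note on rwLIBRARYBASEVERSION above describe the same gate: the version unpacked from a chunk's libraryID stamp is compared against the loader's base version, and anything below is refused. As an added example (my own code, not from the thread and not the RW SDK's), the C below reads a 12-byte RW chunk header, unpacks the stamp the way I recall the SDK's RWLIBRARYIDPACK / RWLIBRARYIDUNPACKVERSION macros in rwplcore.h doing (treat the exact macro names as an assumption), and applies the `cmp eax, 34000h / jb` check with the base version as a parameter, so DexX's 3.4-with-warning versus 3.5 thresholds are just different arguments. The sample stamps are constructed by packing the version numbers the posts name with a build field of 0xFFFF; no stamp here is copied from a game file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RenderWare binary stream chunk header: three little-endian 32-bit words. */
struct rw_chunk_header {
    uint32_t type;        /* chunk id, e.g. 0x10 for a clump */
    uint32_t size;        /* payload size in bytes */
    uint32_t library_id;  /* packed version + build stamp */
};

/* RW version words are written 0x3MmBB: 0x33002 is 3.3.0.2, 0x34000 is 3.4.0.0. */
#define RW_VERSION_3_3_0_2 0x33002u
#define RW_VERSION_3_4_0_0 0x34000u   /* the 34000h immediate in the disassembly above */

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unpack the version from a libraryID stamp. New-style stamps (upper 16 bits non-zero)
   spread the version over bits 14..29 and 16..21; old stamps hold it directly, shifted by 8. */
uint32_t rw_unpack_version(uint32_t library_id)
{
    if (library_id & 0xFFFF0000u)
        return ((((library_id >> 14) & 0x3FF00u) + 0x30000u) | ((library_id >> 16) & 0x3Fu));
    return library_id << 8;
}

/* Build number of a new-style stamp (old-style stamps carry none). */
uint32_t rw_unpack_build(uint32_t library_id)
{
    return (library_id & 0xFFFF0000u) ? (library_id & 0xFFFFu) : 0;
}

/* Inverse of rw_unpack_version for new-style stamps. */
uint32_t rw_pack_library_id(uint32_t version, uint32_t build)
{
    return ((version & 0xFF00u) << 14) | ((version & 0x3Fu) << 16) | (build & 0xFFFFu);
}

/* Render a version word as "major.minor.rev.bin". */
void rw_version_string(uint32_t version, char *out, size_t n)
{
    snprintf(out, n, "%u.%u.%u.%u", (unsigned)((version >> 16) & 0xF), (unsigned)((version >> 12) & 0xF),
             (unsigned)((version >> 8) & 0xF), (unsigned)(version & 0xFF));
}

/* Read a 12-byte chunk header. Returns 0 on success, -1 if the buffer is too short. */
int rw_read_chunk_header(const unsigned char *buf, size_t len, struct rw_chunk_header *out)
{
    if (len < 12) return -1;
    out->type = rd32(buf); out->size = rd32(buf + 4); out->library_id = rd32(buf + 8);
    return 0;
}

/* The gate from the disassembly: accept only if unpacked version >= base (cmp / jb fail). */
int rw_version_accepted(uint32_t library_id, uint32_t base_version)
{
    return rw_unpack_version(library_id) >= base_version;
}

/* Demo on a constructed clump header stamped with `stamped_version`. Returns 1 if a loader
   built with `base_version` would read it, 0 if it would bail out, -1 on a short header. */
int demo_clump_accepted(uint32_t stamped_version, uint32_t base_version)
{
    uint32_t libid = rw_pack_library_id(stamped_version, 0xFFFF);   /* constructed stamp */
    unsigned char hdr[12] = { 0x10, 0, 0, 0,  0x00, 0x01, 0, 0,  0, 0, 0, 0 };
    for (int i = 0; i < 4; i++) hdr[8 + i] = (libid >> (8 * i)) & 0xFF;
    struct rw_chunk_header h;
    if (rw_read_chunk_header(hdr, sizeof hdr, &h) != 0) return -1;
    return rw_version_accepted(h.library_id, base_version);
}

int main(void)
{
    char v[16];
    rw_version_string(RW_VERSION_3_3_0_2, v, sizeof v);
    printf("%s stamp against base 3.4.0.0: %d\n", v, demo_clump_accepted(RW_VERSION_3_3_0_2, RW_VERSION_3_4_0_0));
    printf("3.4.0.0 stamp against base 3.4.0.0: %d\n", demo_clump_accepted(RW_VERSION_3_4_0_0, RW_VERSION_3_4_0_0));
    return 0;
}
```

rw_pack_library_id gives you the stamp a converter would write back, but the stamp is not the whole story: RW readers also use the version to choose how later chunk bodies are laid out, so a batch tool that only rewrites the header word needs to verify the chunk contents it leaves behind still match what a 3.4+ reader expects.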

spaceeinstein
  • spaceeinstein

    Chocolate

  • GTA Mods Staff
  • Joined: 17 Jul 2003
  • Hong-Kong
  • Major Contribution Award [Mods]
    Helpfulness Awards [Mods]

#953

Posted 26 February 2010 - 04:08 PM Edited by spaceeinstein, 30 July 2010 - 11:20 PM.

Ooo, this is cool. It took days to get this right. From 0x69B1F4 and onward, change a series of hex values into
51 4E 4C 55 60 69 4C 4C 46 4E 4E 58 5A 00
then type my name "spaceeinstein" in the game to spawn a Love Fist limo.

Does anyone have a mirror for this cheat-generating tool (http://www.gtaforums...dpost&p=4146055) and Y-Less' cheat processor (http://www.gtaforums...howtopic=228083)?

One more random thing. NOP 0x42BC73 to 0x42BC7F to keep weapons after wasted.

EDIT: I think opcode 0522 has something to do with the dynamic character shadows during cutscenes in Vice City. This opcode is used right before the cutscene is loaded and it seems to disable the shadows. Without the opcode, shadows are enabled by default. If someone can delve deeper into this opcode, maybe we could have dynamic shadows everywhere!

I'm going to pool stuff I found here.
4C5D26 - float - radar zoom while on foot
406D3D - 1 byte - set to 0, can pause during cutscenes (but only after widescreen is turned off)! Although it messes up the cutscene audio.
427AAC - 4 bytes - car model ID, will always spawn in traffic with jingle/siren/horn on, that's how the Mr. Whoopee gets its jingle always on in traffic

HM128
  • HM128

    alovelyday

  • Feroci
  • Joined: 09 Jul 2006
  • None
  • Best Map 2013 "ViceCityStories PC Edition"

#954

Posted 06 March 2010 - 10:29 PM Edited by HackMan128, 14 May 2010 - 06:37 PM.

Can someone tell me how to load a weapon in-game in G.T.A. Vice City?
I mean some memory addresses...
I know how to set ammo, but I don't know how to add a weapon.
When I was experimenting, I loaded a Python instead of a pistol:

007E4B8C + 1032 + 3*24

PlayerPointer (Player Memory Address)
WeaponIndex (Pistol)

That gave me the max number of bullets in a Colt45 (pistol). I just changed the value to 18 and it loaded a Python.

By the way, I found a funny trick: PlayerPointer+580, integer 4 bytes, value 12. He always shoots while you hold Ctrl; for example, try this with the fist, stubby shotgun or grenade.

I found the addresses that change when the minigun model is loaded. If I load a minigun with a cheat, they get some strange values. I don't know what gives these values, but once it's loaded you can manipulate things (remove the weapon logo, the model's texture), but it will crash if you change too much...
This is the minigun address space: 00752837 is the beginning and 0075283F is the end.
00752839 - when you change the value to 0, the weapon icon is hidden.
00752840 - as above...
0075283F - minigun weapon slot (7), don't touch...
Previous weapon: -77 in address...

Now I need to know why these addresses get these strange values...

PS: When I write it by hand, it crashes. I think these values are pointers, because they are always different after running the game... Can someone help me? I need to know how to load a model into memory... it's the only way to load a weapon.

By the way, I found this:
Drunk visuals: PPointer + 1592
Player Weight: PPointer + 184
MouseX: $007E4F00
MouseY: $007E4F10

kikiboy95
  • kikiboy95

    Ol' sql, brah.

  • Members
  • Joined: 23 Mar 2010
  • None

#955

Posted 15 May 2010 - 06:21 PM

How do you guys know what numbers do what? And is it possible to create some sort of external config like ASI+CFG so that polygon limits, weapons that cops carry, spawn limits and stuff could be editable? That's exe hacking from outside, right? Or am I wrong?

GYZIE
  • GYZIE

    Player Hater

  • Members
  • Joined: 21 Apr 2009

#956

Posted 16 May 2010 - 06:48 AM

Well, I'm kind of a noob in memory editing, but to know what an address is used for, just change it or try to find what the address changes. And yes, it's possible to make an external config. But you can also do that with a memory editor.

kikiboy95
  • kikiboy95

    Ol' sql, brah.

  • Members
  • Joined: 23 Mar 2010
  • None

#957

Posted 17 May 2010 - 03:24 PM

QUOTE (GYZIE @ May 16 2010, 09:48)
Well, I'm kind of a noob in memory editing, but to know what an address is used for, just change it or try to find what the address changes. And yes, it's possible to make an external config. But you can also do that with a memory editor.

So can you show me an example?

Do I need some blabla.cfg in the main Vice City folder with something like this inside:

0xA6584FF = 1

Or what? I am not a noob; I am a complete zero at this, so I'd like to know:

How to find those addresses, how to determine what they do, and how to create an external config?
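The config format kikiboy95 sketches above (one `0xADDRESS = VALUE` per line) is simple, but anything an ASI plugin reads from disk and then writes into the game's memory deserves strict parsing: a mistyped address or an oversized value should be refused before it is ever applied. As an added example (my own code, not from any ASI loader or from the thread), the C below parses that format into a table of (address, value, width) entries and rejects malformed lines. The optional `:width` suffix is my extension to the format; the sample text is constructed, reusing kikiboy95's `0xA6584FF = 1` line and two addresses from spaceeinstein's post with constructed values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* One "address = value" entry from the config file. */
struct patch_entry {
    uint32_t address;   /* virtual address inside a 32-bit game process */
    uint32_t value;     /* value to write there */
    unsigned width;     /* bytes to write: 1, 2 or 4 */
};

/* Parse a hex (0x...) or decimal number. Returns 0 on success, -1 if nothing valid
   was read or the number does not fit in 32 bits. */
static int parse_u32(const char *s, char **end, uint32_t *out)
{
    errno = 0;
    unsigned long v = strtoul(s, end, 0);
    if (*end == s || errno != 0 || v > 0xFFFFFFFFul) return -1;
    *out = (uint32_t)v;
    return 0;
}

static const char *skip_ws(const char *s) { while (*s == ' ' || *s == '\t') s++; return s; }

/* Parse one line "0xADDRESS[:width] = VALUE". Comments start with ';' or '#'.
   Returns 1 if an entry was filled, 0 for blank/comment lines, -1 on a malformed line. */
int parse_patch_line(const char *line, struct patch_entry *out)
{
    const char *p = skip_ws(line);
    if (*p == '\0' || *p == '\n' || *p == '\r' || *p == ';' || *p == '#') return 0;
    char *end;
    uint32_t addr, val, width = 4;
    if (parse_u32(p, &end, &addr) != 0) return -1;
    p = skip_ws(end);
    if (*p == ':') {                                   /* optional width suffix, e.g. 0x406D3D:1 */
        if (parse_u32(p + 1, &end, &width) != 0) return -1;
        if (width != 1 && width != 2 && width != 4) return -1;
        p = skip_ws(end);
    }
    if (*p != '=') return -1;
    if (parse_u32(skip_ws(p + 1), &end, &val) != 0) return -1;
    p = skip_ws(end);
    if (*p != '\0' && *p != '\n' && *p != '\r' && *p != ';' && *p != '#') return -1;
    if (width < 4 && (val >> (8 * width)) != 0) return -1;   /* value does not fit the width */
    out->address = addr; out->value = val; out->width = width;
    return 1;
}

/* Parse a whole config text into `entries` (at most `cap`). Returns the number of entries,
   or minus the line number of the first malformed line. */
int parse_patch_config(const char *text, struct patch_entry *entries, size_t cap)
{
    size_t count = 0; int lineno = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        lineno++;
        if (len >= sizeof line) return -lineno;
        memcpy(line, p, len); line[len] = '\0';
        struct patch_entry e;
        int r = parse_patch_line(line, &e);
        if (r < 0) return -lineno;
        if (r > 0) { if (count == cap) return -lineno; entries[count++] = e; }
        p = nl ? nl + 1 : p + len;
    }
    return (int)count;
}

/* Constructed sample config: the values are illustrative, not tested patches. */
static const char SAMPLE_CFG[] =
    "; constructed example config\n"
    "0x00406D3D:1 = 0\n"
    "0x004C5D26 = 0x3F800000   # raw bits of float 1.0\n"
    "0xA6584FF = 1\n";

/* Parse the sample; returns the entry count (3) or a negative line number. */
int demo_parse_sample_count(void)
{
    struct patch_entry e[8];
    return parse_patch_config(SAMPLE_CFG, e, 8);
}

/* Address of sample entry i, or 0 when out of range. */
uint32_t demo_sample_address(size_t i)
{
    struct patch_entry e[8];
    int n = parse_patch_config(SAMPLE_CFG, e, 8);
    return (n > 0 && i < (size_t)n) ? e[i].address : 0;
}

/* 1 if lines that must never reach the game's memory are refused. */
int demo_rejects_malformed(void)
{
    struct patch_entry e;
    return parse_patch_line("0x1 == 2", &e) == -1
        && parse_patch_line("0x1FFFFFFFF = 1", &e) == -1     /* address too wide for 32-bit */
        && parse_patch_line("0x406D3D:1 = 256", &e) == -1;   /* value does not fit one byte */
}
```

The parser deliberately stops at the table: applying the entries (WriteProcessMemory from outside, or a plain write after VirtualProtect from inside an ASI) is the easy part, and keeping it separate lets you log or dry-run a config before touching the process.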

GYZIE
  • GYZIE

    Player Hater

  • Members
  • Joined: 21 Apr 2009

#958

Posted 21 May 2010 - 08:14 PM

QUOTE (kikiboy95 @ May 17 2010, 15:24)
QUOTE (GYZIE @ May 16 2010, 09:48)
Well, I'm kind of a noob in memory editing, but to know what an address is used for, just change it or try to find what the address changes. And yes, it's possible to make an external config. But you can also do that with a memory editor.

So can you show me an example?

Do I need some blabla.cfg in the main Vice City folder with something like this inside:

0xA6584FF = 1

Or what? I am not a noob; I am a complete zero at this, so I'd like to know:

How to find those addresses, how to determine what they do, and how to create an external config?

Sorry, can't help you with that. I'm a really bad C++ programmer.

http://community.rev...ngineering.net/ I think that forum could help you.

OmeXr
  • OmeXr

    Soldier

  • BUSTED!
  • Joined: 15 Apr 2009

#959

Posted 27 May 2010 - 02:31 PM

Hey, I got a question for you guys, please answer it.

Is there any way to edit HUD colors in III? Or move HUD parts (like the weapon icon or money)?


PCJeff600
  • PCJeff600

    Player Hater

  • Members
  • Joined: 15 May 2010

#960

Posted 27 June 2010 - 01:22 AM

QUOTE (OmeXr @ May 27 2010, 14:31)
Hey, I got a question for you guys, please answer it.

Is there any way to edit HUD colors in III? Or move HUD parts (like the weapon icon or money)?

Yeah, there is. It was posted by Kryptos on page 29.
Let me know if it helped you out.
