Documenting GTA3/VC memory addresses

1,169 replies to this topic
JernejL
  • JernejL

    Big Homie

  • Feroci
  • Joined: 11 Mar 2002

#31

Posted 23 December 2003 - 02:20 PM

the player data is at the same active block pointer as for the car - if you are not in a car.

JernejL
  • JernejL

    Big Homie

  • Feroci
  • Joined: 11 Mar 2002

#32

Posted 25 December 2003 - 11:50 PM

more:

note: all decimal.

ashdexx posted only the hours for game time, here are the minutes:
10554258 > longword (4 byte unsigned integer)

carpointer + 581
1 byte switch > alternate siren
works on any car, specials like ambulance will have the siren and lights,
but on ordinary cars the car will have a double horn

Stretchnutter
  • Stretchnutter

    Also known as Racer_S

  • Members
  • Joined: 15 Jun 2002

#33

Posted 26 February 2004 - 08:15 PM

68f5f0 - Gravity (Float)

DexX
  • DexX

    Black Hat

  • Feroci
  • Joined: 16 May 2002

#34

Posted 27 February 2004 - 08:41 PM Edited by ashdexx, 27 February 2004 - 09:27 PM.

lmfao, you can set it to whatever you want, set it to zero and make tommy jump. he doesn't come down, ever

here's a pic (brightness raised for clarity)

Side effects -
peds are stuck in the sidewalk, and can't walk, even when they get out of the car
if you accelerate too fast, you do wheelies, even in that idaho, which is exactly how that happened
also, if you exit the car midair, the player stays in that spot, he doesn't fall down

Edit: i clicked start new game by accident, with no grav on, and decided to let it play out. this is a BAD thing to do, when ken drives you to the office, he can't stop! the car flies into, and through the camera, and the cutscene doesn't end, i needed to close vice via the task manager to get out of the game. just a warning...

Edit 2: as odd as it may sound, you can make tommy swim with this! seriously. i failed at a jump on the docks with my pcj, and tommy plummeted to the water, except he didn't drown, he just keeps doing the falling animation and never goes into the water, and while he's falling i can control which direction he falls, so i steered him back to the shore. damn.

@stretchnutter - damn good find here with that address! thank you!

More stuff to do with it...
-hit bikes, the people fly much farther
-get into more fights with cops, and use weapons that make bodies fly, like grenades or rockets, the bodies get mad air
-stay by bridges and piss cars off by shooting at them
-do pretty much anything that involves an object leaving the area and travelling vertically...

here's my gravity settings
orig -
6f 12 01 3c
change 3c, to 3b, to keep the game playable, but much more interesting.

steve-m
  • steve-m

  • Feroci
  • Joined: 26 Jul 2002

#35

Posted 28 February 2004 - 01:20 AM

Congrats Stretchnutter, an awesome discovery!

What happens, when you set the gravity to a very high value like 1? This:

With this value it is impossible to jump, you will land the same moment you jumped off. Running and then jumping results in immediate death. And the best of all: If peds are spawned higher than ground level (e.g. when paths aren't set exactly), they don't survive the few centimeters falling distance!
The same happens to .scm-placed cars, they fly through the air burning and exploding.

Another nice effect is setting the gravity to a negative value, jumping results in infinite rising, and not only for the player. If you let some people take off and then set the gravity back positive again, they fall down and crash into the ground, another way to kill peds...

Some common values:
Hex Bytes      Float     Description
6F 12 03 3C    0.008     default gravity
6F 12 83 3B    0.004     half gravity
6F 12 03 3B    0.002     quarter gravity
6F 12 83 3C    0.016     double gravity
6F 12 03 3D    0.032     fourfold gravity
6F 12 03 BC    -0.008    negative gravity
00 00 80 3F    1.0       very high gravity
17 B7 D1 38    0.0001    very low gravity

Low gravity (1/2 or 1/4) makes you jump wider, higher and longer and makes doing wheelies damn easy.

I've no idea what a gravity value of 0.008 could stand for. Normally it is defined as m/s with values like 9.8 (Earth) or 1.62 (Moon). Either the hundredth of the slightly changed original gravity or an undefined invention by R*.
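As an added example (not code from steve-m or anyone else in this thread), a Python helper that decodes the byte patterns in the table above as little-endian IEEE-754 single-precision floats, produces the bytes to write for a scaled gravity, and shows what a one-step change to the highest byte alone does. The table values are transcribed from the post; the address 0x68F5F0 is the one Stretchnutter gave.

```python
import struct

# Little-endian bytes steve-m's table gives for the default gravity float at 0x68F5F0
DEFAULT_GRAVITY_BYTES = "6F 12 03 3C"

# The table from the post, transcribed here so the encoding can be checked against it
GRAVITY_TABLE = {
    "6F 12 03 3C": 0.008,
    "6F 12 83 3B": 0.004,
    "6F 12 03 3B": 0.002,
    "6F 12 83 3C": 0.016,
    "6F 12 03 3D": 0.032,
    "6F 12 03 BC": -0.008,
    "00 00 80 3F": 1.0,
    "17 B7 D1 38": 0.0001,
}


def bytes_to_gravity(hex_bytes: str) -> float:
    """Decode the 4 bytes at the gravity address as a little-endian IEEE-754 single."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) != 4:
        raise ValueError("the gravity value is exactly 4 bytes")
    return struct.unpack("<f", raw)[0]


def gravity_to_bytes(value: float) -> str:
    """Encode a gravity value as the 'XX XX XX XX' pattern the table uses
    (lowest address first), i.e. the bytes you would write back."""
    return " ".join(f"{b:02X}" for b in struct.pack("<f", value))


def scaled_gravity_bytes(factor: float) -> str:
    """Bytes for default gravity times `factor` (0.5 = half, -1.0 = negative)."""
    return gravity_to_bytes(bytes_to_gravity(DEFAULT_GRAVITY_BYTES) * factor)


def top_byte_step(hex_bytes: str, step: int) -> float:
    """Value after adding `step` to the highest-address byte only (a 3C -> 3B style
    edit). That byte holds the sign bit and the top 7 exponent bits, so one step
    there moves the exponent by 2: the value is multiplied or divided by 4."""
    raw = bytearray(bytes.fromhex(hex_bytes.replace(" ", "")))
    raw[3] = (raw[3] + step) & 0xFF
    return struct.unpack("<f", bytes(raw))[0]


def table_is_consistent(tolerance: float = 1e-7) -> bool:
    """True if every row of the transcribed table decodes to its listed float."""
    return all(abs(bytes_to_gravity(h) - v) <= tolerance for h, v in GRAVITY_TABLE.items())


if __name__ == "__main__":
    for hex_bytes, value in GRAVITY_TABLE.items():
        print(f"{hex_bytes} -> {bytes_to_gravity(hex_bytes):.6f} (table says {value})")
    print("half gravity bytes:", scaled_gravity_bytes(0.5))
    print("top byte 3C -> 3B gives:", top_byte_step(DEFAULT_GRAVITY_BYTES, -1))
```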

DexX
  • DexX

    Black Hat

  • Feroci
  • Joined: 16 May 2002

#36

Posted 28 February 2004 - 01:40 PM

man oh man....i do the oddest things. i'm not even sure of *exactly* what it was this time, but i'll give my instructions nonetheless, vague though they are. from 69b1c0 to 69b21f, fill it with zeros. this will have 2 effects ingame, one, all the parked cars will be facing one direction, the other is every time you press a key on the keyboard, it will spawn a bloodring, i sh*t you not.

i'm unable to narrow down the address(es?) any more, because i'm about to pass out. if anyone wants to, have at it. btw, DO NOT hold down a key, it WILL start raining bloodrings, and drop your fps to less than 1. and i literally mean "rain", there will be that many if you press a key for too long. i made the mistake of holding a key down for a solid 5 seconds. 2 minutes later, when my game resumed, i had about 1/4 of a frame per second, before vice crashed. oops

time for sleep

AJH
  • AJH

    Player Hater

  • Members
  • Joined: 07 Dec 2003

#37

Posted 28 February 2004 - 05:45 PM

That is cool

Here's the address: 69B1D8

Stretchnutter
  • Stretchnutter

    Also known as Racer_S

  • Members
  • Joined: 15 Jun 2002

#38

Posted 04 March 2004 - 04:16 PM Edited by Stretchnutter, 05 March 2004 - 09:34 AM.

7838D1 - Current Gear (Byte)

apparently you can force it to change gears, but the sound type relies on switches... the offsets around that one contain nothing but 1's and 0's interesting.


changing the gear doesn't have an effect on the vehicle speed, but the sound definitely changes (you have to do some ASM hacking to disable the instructions that are updating the gear offset, or you can just FREEZE the value)

This works perfectly next to a speedometer

I'll have to play around with this a bit more later

EDIT: Ok, more is now known.

7838E0 (dword) - Timer for when sound starts playing, gear changed?
Compare to global timer @ 974B2C

7838D8 (dword) - frequency of sound when in 'overdrive' (just increases with time if above certain speed until it reaches 800(dec) then it starts decreasing if over)

7838DD (byte?) - some kinda 'overdrive' switch


CODE
_text:005F1625 080 mov ds:dword_0_7838D8, 0
_text:005F162F 080 jmp loc_0_5F1D9A ; Jump
_text:005F1634 ; ---------------------------------------------------------------------------


if you NOP out the Jump @ 005F162F by setting it to hex 9090909090 (size?) you can have overdrive on all the time and control the frequency.

I used the speed to control the frequency and it sounded like it had one gear

DexX
  • DexX

    Black Hat

  • Feroci
  • Joined: 16 May 2002

#39

Posted 08 March 2004 - 01:21 PM

more info, these change the text that's entered to activate a cheat, kinda. like some kind of cheat identifier keypad-thingy
Example, if you type in TRAVELINSTYLE, you spawn a bloodring, soo..

[carname] [address] [cheat text]
Bloodring - 69B1D8, thats the offset for TRAVELINSTYLE
Romero's Hearse - 69b1e8 - THELASTRIDE
Love Fist Limo - 69b1f4 - ROCKANDROLLCAR
Trashmaster - 69b204 - RUBBISHCAR
Sabre Turbo - 69b210 - GETTHEREFAST

Now, if you swap around the values of say romero's hearse, and the bloodring, then typing in TRAVELINSTYLE will spawn a hearse, instead of a bloodring, i've tested this.
If you fill the value with zero, as mentioned before, it will spawn that car when you press ANY a-z key

thanks to AJH for narrowing it down mate

This is one i'm still exploring, but if you mess with it, there is no door animation, the door (driver side, front door) is EITHER open or closed, but when tommy gets in / out of a vehicle, it skips the animation and all the frames, and just becomes open / closed.
69b34a

JernejL
  • JernejL

    Big Homie

  • Feroci
  • Joined: 11 Mar 2002

#40

Posted 09 March 2004 - 01:01 PM

in the ped control block:

start +
#256 = your speed force

JernejL
  • JernejL

    Big Homie

  • Feroci
  • Joined: 11 Mar 2002

#41

Posted 15 March 2004 - 11:26 AM

QUOTE (grovespaz @ Mar 10 2004, 16:18)
O, please someone help me with memory address in Visual basic

OMG! HE IS AN INTERPRETED VB FREAK!!!

sorry.. i just had to do it..

if you can't figure out how to memory hack in vb, then
ask stretchnutter, he uses vb.

..or get a better programming tool.

edit:

skimmer uses tire inflation status for propeller animation - if you
zero-fill all 4 tire status bytes the propeller halts and re-runs.

an interesting thing here is that this isn't true for helicopters, and hunter actually uses the front 2 tires..
i also believe that one of the files in the xbox \NEO\ folder claims that skimmer is technically a BOAT.

btw, don't edit tire status on a BIKE, it WILL crash.

for car tire status see my post on one of previous pages.

take a look at:

-713.967529296875
-1643.58801269531
42.3484268188477

seems there is face orientation bug on that crane..

-797.999328613281
-1593.70751953125
31.3741073608398
but the very same crane here doesn't have that bug ??

JasonB
  • JasonB

    GTA-SA/GTA-VC/GTA3 Modder Extraordinaire

  • Members
  • Joined: 24 Aug 2002
  • None

#42

Posted 26 March 2004 - 09:42 AM

although this topic seems to have died i will post here anyway. as you probably don't know I am coding an EXE for GTA: LC, while it is not very complicated and i have almost finished there are a few things i'm stumped on. The first and most important is this:
In my program i can read and write data to vice's memory, no problem. But this documentation of sorts is only for new stuff for vice, so i downloaded the source for the admin console so that i could get the missing memory addresses i needed. I opened it up, and began to look for basic addresses, when i thought i had found them i tried to use the memory addresses in my program, it didn't work, i tried many times using different addresses found in the admin console and all returned null results. What the hell am i doing wrong.

There are some other problems but they aren't that bad, i'll figure it out myself. I'm pretty new at this, so i may be wrong

JernejL
  • JernejL

    Big Homie

  • Feroci
  • Joined: 11 Mar 2002

#43

Posted 26 March 2004 - 11:08 AM

did you change any of gta3 window title / class names?
maybe gta3 admin console can't find the gta3 window..

JasonB
  • JasonB

    GTA-SA/GTA-VC/GTA3 Modder Extraordinaire

  • Members
  • Joined: 24 Aug 2002
  • None

#44

Posted 27 March 2004 - 01:20 AM

QUOTE (Delfi @ Mar 26 2004, 21:08)
did you change any of gta3 window title / class names?
maybe gta3 admin console can't find the gta3 window..

nothing changed, just downloaded the source code and wham, didn't work. compiled it, ran it and set it to use GTA3 1.1, tried it and WHAM nothing. after isolating base addresses (or what i think are) and trying to use my code with the addresses it still yielded Null results.

DexX
  • DexX

    Black Hat

  • Feroci
  • Joined: 16 May 2002

#45

Posted 27 March 2004 - 01:40 AM

hold up a second, isn't GTA:LC, a port of gta3, running on the Vice exe?
setting it to run on gta3 1.1 doesn't mean anything if you have the wrong exe altogether, all the addresses between the games are different.

JasonB
  • JasonB

    GTA-SA/GTA-VC/GTA3 Modder Extraordinaire

  • Members
  • Joined: 24 Aug 2002
  • None

#46

Posted 27 March 2004 - 01:42 AM

QUOTE (ashdexx @ Mar 27 2004, 11:40)
hold up a second, isn't GTA:LC, a port of gta3, running on the Vice exe?
setting it to run on gta3 1.1 doesn't mean anything if you have the wrong exe altogether, all the addresses between the games are different.

when i said i compiled it and was testing, i meant that i was testing using GTA3, not VC

DexX
  • DexX

    Black Hat

  • Feroci
  • Joined: 16 May 2002

#47

Posted 27 March 2004 - 01:44 AM

ooohhh, my bad, sorry. carry on biggrin.gif

JasonB
  • JasonB

    GTA-SA/GTA-VC/GTA3 Modder Extraordinaire

  • Members
  • Joined: 24 Aug 2002
  • None

#48

Posted 27 March 2004 - 02:07 AM

no need to apologize, i should have said that in the first place. Quick Question before i disappear for a while in my many projects i have to finish (myriad lots, LC EXE, my scm mod, my UT2k4 mod, blablabla): How exactly do you get the memory addresses? i don't know because personally i have never tried, but i would like to, i think i need to give something back to the community and i'm interested in this so any help/advice would be swell

DexX
  • DexX

    Black Hat

  • Feroci
  • Joined: 16 May 2002

#49

Posted 27 March 2004 - 02:19 AM

I do it the old-fashioned, slow, painful way. do something, do a search, do something else, do another search, view the results. be warned, this method can cause insanity to some people, you were warned. Tsearch is the program i do it with...
http://membres.lycos.fr/tsearch/
Free, simple, and gets the job done. certainly there are other programs and methods out there, but this is good enough for me, considering my knowledge of the subject.

ashdexx ponders his gameshark/pro action replay pro days on his psx and n64

ahhh, good times, good times...

JasonB
  • JasonB

    GTA-SA/GTA-VC/GTA3 Modder Extraordinaire

  • Members
  • Joined: 24 Aug 2002
  • None

#50

Posted 27 March 2004 - 02:25 AM

thanks ashdexx, you're the man. I had an action replay for my N64, never used it much, good fun when i did though

Cray
  • Cray

    MTA Developer

  • Members
  • Joined: 01 Jul 2002

#51

Posted 27 March 2004 - 04:43 AM

ArtMoney is another great tool for finding addresses (detecting change). So if you can't get used to TSearch, give it a shot.

[mta]kyeman
  • [mta]kyeman

    Player Hater

  • Members
  • Joined: 22 Jan 2004

#52

Posted 28 March 2004 - 08:52 AM

0x7DBCB0 - Base pointer to player controls structures (276 bytes in length).
1 word (2 bytes) represents 1 keystate.

At first I thought maybe each (scm)create_player might have their own
structure for keystates, but no such luck. PlayerControls[0] seems to be
the player ingame controls and PlayerControls[1] (0x7DBCB0+276) seems to be
the menu controls (I think). I also do not know why these structures are 276
bytes long when there's only about 17 known keystates.

Anyway, here is a list I did up from Barton's list. (Since it's the same
from the scm calls)

CODE

0x7DBCB0 + (Key * 2) = keystate.

Keys:

KEY_ONFOOT_TURNLR         2
KEY_ONFOOT_LOOKLR         3
KEY_ONFOOT_ACTION         4
KEY_ONFOOT_PREVWEAPON     5
KEY_ONFOOT_AIMTARGET      6
KEY_ONFOOT_NEXTWEAPON     7
KEY_ONFOOT_FORWARD        8
KEY_ONFOOT_BACKWARD       9
KEY_ONFOOT_STRAFEL        10
KEY_ONFOOT_STRAFER        11
KEY_ONFOOT_EXITMODE       12
KEY_ONFOOT_CAMERA         13
KEY_ONFOOT_JUMP           14
KEY_ONFOOT_ENTERVEHICLE   15
KEY_ONFOOT_SPRINT         16
KEY_ONFOOT_ATTACK         17
KEY_ONFOOT_CROUCH         18
KEY_ONFOOT_LOOKBEHIND     19

KEY_INCAR_TURRETLR        2
KEY_INCAR_TURRETUD        3
KEY_INCAR_RADIO           4
KEY_INCAR_LOOKLBEHIND     5
KEY_INCAR_HANDBRAKE       6
KEY_INCAR_LOOKRBEHIND     7
KEY_INCAR_TURNL           10
KEY_INCAR_TURNR           11
KEY_INCAR_CAMERA          13
KEY_INCAR_BRAKE           14
KEY_INCAR_EXITVEHICLE     15
KEY_INCAR_ACCELERATOR     16
KEY_INCAR_ATTACK          17
KEY_INCAR_HORN            18
KEY_INCAR_SUBMISSION      19

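An added example, not code from [mta]kyeman's post: a Python decoder for the PlayerControls layout described above (base 0x7DBCB0, 276-byte structures, one 2-byte word per key), run over a constructed two-structure dump in which two keys are held. It assumes the words are unsigned and that PlayerControls[1] directly follows PlayerControls[0]; the key table is transcribed from the post.

```python
import struct

# Layout from the post: base pointer, 276-byte structures, one 2-byte word per keystate
PLAYERCONTROLS_BASE = 0x7DBCB0
PLAYERCONTROLS_SIZE = 276
KEY_SIZE = 2

ONFOOT_KEYS = {
    "KEY_ONFOOT_TURNLR": 2, "KEY_ONFOOT_LOOKLR": 3, "KEY_ONFOOT_ACTION": 4,
    "KEY_ONFOOT_PREVWEAPON": 5, "KEY_ONFOOT_AIMTARGET": 6, "KEY_ONFOOT_NEXTWEAPON": 7,
    "KEY_ONFOOT_FORWARD": 8, "KEY_ONFOOT_BACKWARD": 9, "KEY_ONFOOT_STRAFEL": 10,
    "KEY_ONFOOT_STRAFER": 11, "KEY_ONFOOT_EXITMODE": 12, "KEY_ONFOOT_CAMERA": 13,
    "KEY_ONFOOT_JUMP": 14, "KEY_ONFOOT_ENTERVEHICLE": 15, "KEY_ONFOOT_SPRINT": 16,
    "KEY_ONFOOT_ATTACK": 17, "KEY_ONFOOT_CROUCH": 18, "KEY_ONFOOT_LOOKBEHIND": 19,
}
INCAR_KEYS = {
    "KEY_INCAR_TURRETLR": 2, "KEY_INCAR_TURRETUD": 3, "KEY_INCAR_RADIO": 4,
    "KEY_INCAR_LOOKLBEHIND": 5, "KEY_INCAR_HANDBRAKE": 6, "KEY_INCAR_LOOKRBEHIND": 7,
    "KEY_INCAR_TURNL": 10, "KEY_INCAR_TURNR": 11, "KEY_INCAR_CAMERA": 13,
    "KEY_INCAR_BRAKE": 14, "KEY_INCAR_EXITVEHICLE": 15, "KEY_INCAR_ACCELERATOR": 16,
    "KEY_INCAR_ATTACK": 17, "KEY_INCAR_HORN": 18, "KEY_INCAR_SUBMISSION": 19,
}


def keystate_address(key_index: int, structure: int = 0) -> int:
    """Address of one keystate word: base + structure * 276 + key * 2."""
    return PLAYERCONTROLS_BASE + structure * PLAYERCONTROLS_SIZE + key_index * KEY_SIZE


def read_keystates(dump: bytes, dump_base: int, keys: dict, structure: int = 0) -> dict:
    """Decode each named key's word from a memory dump that starts at dump_base.
    Assumption: unsigned little-endian words (the 255 / 0 switches seen in the thread)."""
    states = {}
    for name, index in keys.items():
        offset = keystate_address(index, structure) - dump_base
        if offset < 0 or offset + KEY_SIZE > len(dump):
            raise ValueError(f"{name} lies outside the dump")
        states[name] = struct.unpack_from("<H", dump, offset)[0]
    return states


def pressed(dump: bytes, dump_base: int, keys: dict, structure: int = 0) -> list:
    """Names of keys whose state word is non-zero, in key-index order."""
    return [name for name, value in read_keystates(dump, dump_base, keys, structure).items() if value]


def constructed_dump() -> bytes:
    """Constructed dump (not a real capture) of both structures with FORWARD and SPRINT held."""
    buf = bytearray(2 * PLAYERCONTROLS_SIZE)
    for name in ("KEY_ONFOOT_FORWARD", "KEY_ONFOOT_SPRINT"):
        offset = keystate_address(ONFOOT_KEYS[name]) - PLAYERCONTROLS_BASE
        struct.pack_into("<H", buf, offset, 255)
    return bytes(buf)


if __name__ == "__main__":
    dump = constructed_dump()
    print("on foot:", pressed(dump, PLAYERCONTROLS_BASE, ONFOOT_KEYS))
    # the same slot (index 16) reads as the accelerator when the in-car table is used
    print("in car: ", pressed(dump, PLAYERCONTROLS_BASE, INCAR_KEYS))
```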

Stretchnutter
  • Stretchnutter

    Also known as Racer_S

  • Members
  • Joined: 15 Jun 2002

#53

Posted 28 March 2004 - 07:39 PM

some of these have direction switches that become 255 in one direction, and 0 in the other direction. a number next to the switch would represent direction speed/amount.

Death_Adder
  • Death_Adder

    Player Hater

  • Members
  • Joined: 26 Mar 2004

#54

Posted 30 March 2004 - 04:54 AM

QUOTE (Stretchnutter @ Mar 28 2004, 19:39)
some of these have direction switches that become 255 in one direction, and 0 in the other direction.  a number next to the switch would represent direction speed/amount.

Care to elaborate?

I made a thread (here) about a computer vision application that I am developing. I need the capability for a separate application to control Vice City (eg. simulate pressing up, down, left, and right). A suggestion was made to use a trainer to modify memory, which sounds like a really great idea. Using the offsets posted by [mta]kyeman, I can observe key presses. When I press the up key, I see 0x7DBCC0 (KEY_ONFOOT_FORWARD) go to 255 and it goes back to 0 when released, as expected. But here's the problem, when I write 255 to 0x7DBCC0, nothing happens. I even tried continually writing to the address in a loop, yet Tommy won't even budge. Am I missing something? Is there some other address that I need to be writing to in addition to this one?

kipo
  • kipo

    Square Civilian

  • Members
  • Joined: 21 Dec 2003

#55

Posted 30 March 2004 - 06:22 AM Edited by kipo, 30 March 2004 - 06:31 AM.

nop this address 0x4AB1C8 (909090) and it should work, you can try nopping this one too 0x4AB282 to correct some jerky movements, not sure yet

JasonB
  • JasonB

    GTA-SA/GTA-VC/GTA3 Modder Extraordinaire

  • Members
  • Joined: 24 Aug 2002
  • None

#56

Posted 30 March 2004 - 11:07 AM

*sigh* a quick search on google with GTA3 Admin Console would have yielded instant results but here it is: CLICK

Barton Waterduck
  • Barton Waterduck

    retired modder

  • Members
  • Joined: 12 Feb 2002

#57

Posted 30 March 2004 - 11:49 AM

Just wondering if anybody has put all the addresses in a file yet and where I can get it. If not, I guess I could just read through all these pages.

Is anybody using my code creators for mission coding ? They work like memory hacking tools. The VC version could use some more stuff in it, like the car model the player is driving, car angle and other stuff that would be useful in an automated mission scripting tool. It should work for giddy / gtama too.

Stretchnutter
  • Stretchnutter

    Also known as Racer_S

  • Members
  • Joined: 15 Jun 2002

#58

Posted 30 March 2004 - 02:20 PM Edited by Stretchnutter, 30 March 2004 - 02:23 PM.

QUOTE (Death_Adder @ Mar 30 2004, 04:54)
QUOTE (Stretchnutter @ Mar 28 2004, 19:39)
some of these have direction switches that become 255 in one direction, and 0 in the other direction.  a number next to the switch would represent direction speed/amount.

Care to elaborate?

I made a thread (here) about a computer vision application that I am developing. I need the capability for a separate application to control Vice City (eg. simulate pressing up, down, left, and right). A suggestion was made to use a trainer to modify memory, which sounds like a really great idea. Using the offsets posted by [mta]kyeman, I can observe key presses. When I press the up key, I see 0x7DBCC0 (KEY_ONFOOT_FORWARD) go to 255 and it goes back to 0 when released, as expected. But here's the problem, when I write 255 to 0x7DBCC0, nothing happens. I even tried continually writing to the address in a loop, yet Tommy won't even budge. Am I missing something? Is there some other address that I need to be writing to in addition to this one?

You have to disable the ASM instructions that continually update those addresses. With TSearch you can use the Autohack feature to find the exact instruction you need to get rid of.

Then with TSearch you can make an EasyScript and generate a hex list to copy/paste into your app.

I've done this in the past, but i would do it much differently now.

It allows you to set the value to anything you want without it reverting to its desired state and will still have its effects on the player.

The instructions differ somewhat from v1.0/v1.1 i think.

You have to be careful when writing to asm instruction zones, one bad byte -crash n burn.


Edit: what programming language do you plan on using to make the trainer? it can be done easily with visual basic if you are a newbie to programming.

Death_Adder
  • Death_Adder

    Player Hater

  • Members
  • Joined: 26 Mar 2004

#59

Posted 30 March 2004 - 07:49 PM

Thanks for the suggestions, guys. The programming language is C++.

Death_Adder
  • Death_Adder

    Player Hater

  • Members
  • Joined: 26 Mar 2004

#60

Posted 31 March 2004 - 01:46 AM

It's working flawlessly now. Thanks again, guys. In case anyone is interested, here's the addresses that I had to nop:

KEY_ONFOOT_FORWARD
0x4AB1C8
0x4AB1C9
0x4AB1CA

KEY_ONFOOT_BACKWARD
0x4AB1D0
0x4AB1D1
0x4AB1D2

KEY_ONFOOT_STRAFEL / KEY_INCAR_TURNL
0x4AB1D8
0x4AB1D9
0x4AB1DA

KEY_ONFOOT_STRAFER / KEY_INCAR_TURNR
0x4AB1E0
0x4AB1E1
0x4AB1E2

KEY_INCAR_BRAKE
0x4AB1F8
0x4AB1F9
0x4AB1FA

KEY_INCAR_ACCELERATOR
0x4AB208
0x4AB209
0x4AB20A
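An added example (not Death_Adder's or Stretchnutter's code) covering the NOP list above together with the "one bad byte - crash n burn" caveat from Stretchnutter's earlier reply: it groups the listed addresses into contiguous runs and writes NOPs into a code image only after checking that every byte it is about to overwrite is what was expected. The original instruction bytes at those sites are not on this page, so the image and the expected bytes here are constructed placeholders.

```python
NOP = 0x90

# The six 3-byte sites Death_Adder listed (one per keystate store); 0x4AB1C8 is also
# the address kipo named earlier in the thread
NOPPED_ADDRESSES = {
    "KEY_ONFOOT_FORWARD": [0x4AB1C8, 0x4AB1C9, 0x4AB1CA],
    "KEY_ONFOOT_BACKWARD": [0x4AB1D0, 0x4AB1D1, 0x4AB1D2],
    "KEY_ONFOOT_STRAFEL / KEY_INCAR_TURNL": [0x4AB1D8, 0x4AB1D9, 0x4AB1DA],
    "KEY_ONFOOT_STRAFER / KEY_INCAR_TURNR": [0x4AB1E0, 0x4AB1E1, 0x4AB1E2],
    "KEY_INCAR_BRAKE": [0x4AB1F8, 0x4AB1F9, 0x4AB1FA],
    "KEY_INCAR_ACCELERATOR": [0x4AB208, 0x4AB209, 0x4AB20A],
}


def coalesce(addresses) -> list:
    """Group byte addresses into sorted (start, length) runs of consecutive bytes."""
    runs = []
    for addr in sorted(set(addresses)):
        if runs and runs[-1][0] + runs[-1][1] == addr:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((addr, 1))
    return runs


def all_runs() -> list:
    return coalesce(a for addrs in NOPPED_ADDRESSES.values() for a in addrs)


def patch_nops(image: bytes, image_base: int, runs, expected: dict) -> bytes:
    """Return a copy of `image` (code bytes loaded at image_base) with each run
    overwritten by NOPs. Every run must lie inside the image and its current bytes
    must equal expected[start]; if any check fails nothing is written at all, since
    a NOP landing on the wrong instruction bytes is exactly the crash the thread warns about."""
    out = bytearray(image)
    for start, length in runs:
        off = start - image_base
        if off < 0 or off + length > len(out):
            raise ValueError(f"run at {start:#x} is outside the image")
        if bytes(out[off:off + length]) != expected.get(start):
            raise ValueError(f"bytes at {start:#x} are not the expected ones; refusing to patch")
    for start, length in runs:  # only reached once every run has been verified
        off = start - image_base
        out[off:off + length] = bytes([NOP]) * length
    return bytes(out)


# Constructed placeholders standing in for the real instruction bytes (not the game's code)
IMAGE_BASE = 0x4AB1C0
EXPECTED = {start: bytes([0xA0 + i, 0xB0 + i, 0xC0 + i]) for i, (start, _) in enumerate(all_runs())}


def constructed_image() -> bytes:
    """0x50 bytes of filler with the placeholder instruction bytes placed at each run."""
    buf = bytearray(b"\xCC" * 0x50)
    for start, raw in EXPECTED.items():
        buf[start - IMAGE_BASE:start - IMAGE_BASE + len(raw)] = raw
    return bytes(buf)


if __name__ == "__main__":
    patched = patch_nops(constructed_image(), IMAGE_BASE, all_runs(), EXPECTED)
    print([f"{s:#x}+{n}" for s, n in all_runs()])
    print(patched[:0x10].hex(" "))
```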



