
Documenting GTA3/VC memory addresses

1,150 replies to this topic
jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#661

Posted 26 April 2005 - 10:23 PM

Messing around in a debugger, I found out how to change the name of the SCM that GTA loads.
In fact, I found out the filename of every single file loaded.. and they aren't too hard to change. With this knowledge, another possible city loader from LC-Myriad-VC is possible. Simply change the filenames and paths it loads, then force the game to reload.

user posted image

Here I have written my custom SCM's filename - GTAS.SCM - in a code cave located in memory. As you can see, each address holds the numeric ASCII value of one letter.
Then add 1 to the address and there is the location of the next letter.. you get it.

0x4506E1 - SCM file that GTAVC will load..
CODE
004506E1: PUSH gta-vc.xxxxxx // analysis = ASCII "main.scm",0

Scroll to 004506E1 in your debugger and you'll see something similar to this. Change xxxxx to the address containing the binary ASCII of your new file, in my case, 0x67dd50. Reload the game and it loads gtas.scm. This information may have been known for a while now, but if so, why hasn't this method been attempted in the making of a city loader? I don't see where it could fail.
So couldn't all GTA:LC files be installed as, say, "mainLC.scm" and "gta3LC.img", etc., and then just reload these files to change cities?
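Added example (not code from the thread or from any of its posters): a Python model of the patch jacob describes, run against a constructed mini-image. It assumes a flat mapping (file offset = VA - 0x400000, which a real PE does per section, so treat that as a simplification), a made-up location 0x5C0000 for the original "main.scm" string, and the VAs 0x4506E1 and 0x67DD50 quoted above. It checks that the PUSH imm32 really points at the expected string before retargeting it, and that the cave is empty before writing into it.

```python
import struct

IMAGE_BASE = 0x400000     # usual Win32 exe base; the toy image below maps flat from here
PUSH_IMM32 = 0x68         # opcode byte of PUSH imm32 (operand is a little-endian VA)

def va_to_off(va):
    # Assumption for this constructed image: offset == VA - base (real PEs map per section)
    return va - IMAGE_BASE

def build_image():
    # Constructed mini-image: the PUSH at the VA quoted in the thread, the original
    # "main.scm" string at a made-up VA, and zero-filled space that acts as the code cave
    img = bytearray(0x280000)
    orig_str_va = 0x5C0000
    s = va_to_off(orig_str_va)
    img[s:s + 9] = b"main.scm\0"
    off = va_to_off(0x4506E1)
    img[off] = PUSH_IMM32
    img[off + 1:off + 5] = struct.pack("<I", orig_str_va)
    return img

def read_cstring(img, va, limit=64):
    off = va_to_off(va)
    end = img.find(b"\0", off, off + limit)
    if end < 0:
        raise ValueError(f"no NUL terminator within {limit} bytes of {va:#x}")
    return img[off:end].decode("ascii")

def push_operand(img, insn_va):
    """Return the imm32 operand of the PUSH at insn_va, refusing any other opcode."""
    off = va_to_off(insn_va)
    if img[off] != PUSH_IMM32:
        raise ValueError(f"no PUSH imm32 at {insn_va:#x}")
    return struct.unpack_from("<I", img, off + 1)[0]

def is_cave_free(img, va, size):
    off = va_to_off(va)
    return all(b == 0 for b in img[off:off + size])

def retarget_scm(img, insn_va, cave_va, new_name, expect="main.scm"):
    """Write new_name into the cave and point the PUSH at it; returns the old target VA."""
    old = push_operand(img, insn_va)
    if read_cstring(img, old) != expect:       # guard: wrong build or wrong instruction
        raise ValueError("operand does not point at the expected string")
    data = new_name.encode("ascii") + b"\0"
    if not is_cave_free(img, cave_va, len(data)):
        raise ValueError("cave is not empty; pick another location")
    off = va_to_off(cave_va)
    img[off:off + len(data)] = data
    struct.pack_into("<I", img, va_to_off(insn_va) + 1, cave_va)
    return old
```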

DexX
  • DexX

    Black Hat

  • Feroci Racing
  • Joined: 16 May 2002

#662

Posted 27 April 2005 - 06:54 AM

/* Here's a challenge for all you chaps who seem to be good at finding pointers (I'm not one of them): find the pointers to the currently active map objects. Here's a hint - 2379C4C - the x position for the beachball on Starfish Island (house by the bridge, swimming pool). Yes, that address is pretty much meaningless as it changes all the time, but it's a starting point. I'm finding the objects by searching for their coords in memory.

You can move them dynamically, any map object. Thanks to jacob for the idea to move the beachball around (it's also an object that moves dynamically because it's supposed to, when you shoot it).

/me wonders about the applications of syncing map objects in multiplayer mods */

aad
  • aad

    3d artist

  • Feroci Racing
  • Joined: 15 Mar 2004
  • None

#663

Posted 27 April 2005 - 10:54 AM

This can be done with hex editing too; at least I found those things in a hex editor too, and it works.

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#664

Posted 27 April 2005 - 01:54 PM

QUOTE (ashdexx @ Apr 27 2005, 06:54)
/* Here's a challenge for all you chaps who seem to be good at finding pointers (I'm not one of them): find the pointers to the currently active map objects. Here's a hint - 2379C4C - the x position for the beachball on Starfish Island (house by the bridge, swimming pool). Yes, that address is pretty much meaningless as it changes all the time, but it's a starting point. I'm finding the objects by searching for their coords in memory.

You can move them dynamically, any map object. Thanks to jacob for the idea to move the beachball around (it's also an object that moves dynamically because it's supposed to, when you shoot it).

/me wonders about the applications of syncing map objects in multiplayer mods */

What? You got the beachball to move!?

I've been wanting to sync something like that for so long just for the hell of it. I'm assuming the address you gave me + 4 = Y coordinates and +8 = Z coordinates?
/me tests.

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#665

Posted 29 April 2005 - 01:49 AM

The address you found, ashdexx

A) isn't static
and B) does not change and cannot be used to move the beachball.


anyway....

player+324 = is player on the ground (useful for a possible parachute mod?)
0 = no, 1 = yes (duh)

player+588 = walk state or something
5 when sprinting, 4 when running normally

DexX
  • DexX

    Black Hat

  • Feroci Racing
  • Joined: 16 May 2002

#666

Posted 29 April 2005 - 02:37 AM

/*
QUOTE (!cMc! Jacob @ Apr 28 2005, 19:49)
The address you found, ashdexx

A) isn't static
and B) does not change and cannot be used to move the beachball.

Really..
QUOTE (me)
find the pointers to the currently active map objects.

QUOTE (me again)
Yes, that address is pretty much meaningless as it changes all the time, but its a starting point.

It's resolved with a pointer (what I mean by "changing"), just like the entity data for cars and peds is; it's even in a similar format. */

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#667

Posted 29 April 2005 - 04:43 AM

Ah well, when you say the address changes I get confused and think you mean the value changes.

Andy80586
  • Andy80586

    Mark Chump

  • Members
  • Joined: 23 Jul 2003

#668

Posted 04 May 2005 - 02:45 AM

I made a patch that makes permanent changes to the boundaries, and it requires an unmodified copy of VC 1.0. I tested it and it was very stable, and the only problem with it is that in-game stats fail to display but can still be saved to stats.html properly. It should be a legal way to get past the limits, and if it isn't legal I have no idea what is. Be sure to back up the original somewhere since I will be releasing these patches quite often as I test more and more hacks for the game and move them into the patch.

Boundaries Patch

Andy80586
  • Andy80586

    Mark Chump

  • Members
  • Joined: 23 Jul 2003

#669

Posted 05 May 2005 - 04:44 AM

The patch I posted here yesterday has been updated to increase the IDE limit. The maximum number of IDE objects can be increased to 15420 (from 3885) by downloading this file. It should still be stable, but I have some more limits to add to it before I start testing it fully.

ModelingMan
  • ModelingMan

    Crackalacking!

  • Feroci Racing
  • Joined: 23 Jan 2004

#670

Posted 05 May 2005 - 08:05 PM

QUOTE (ashdexx @ Apr 27 2005, 07:54)
/* here's a challenege for all you chaps who seem to be good at finding pointers (im not one of them); find the pointers to the currently active map objects.

There is a pointer in the CPed and CVehicle blocks which leads you to the current part of the map you are on, the values are changeable, unfortunately I didn't document nor do I remember the exact offset. I'll have a look out for it...

Andy80586
  • Andy80586

    Mark Chump

  • Members
  • Joined: 23 Jul 2003

#671

Posted 05 May 2005 - 08:47 PM

I find CodeFusion to be a nice program... it has the ability to tell you exactly what it is changing and to compare the .exe you modify with the original. It should be possible to take apart the patch file to see what it changes.

I am going on a trip in less than 2 weeks, and when I get back San Andreas will be out. That is why I am trying to get as much of these mods out there as possible in patch format.

DexX
  • DexX

    Black Hat

  • Feroci Racing
  • Joined: 16 May 2002

#672

Posted 06 May 2005 - 06:02 PM

QUOTE (Andy80586 @ Apr 24 2005, 18:29)
Ashdexx, if you get the chance, can you go through this thread, collect all the memory addresses I posted here, and make a post with all of them in one? It will make things easier when I try and reproduce all of my file modifications and run extensive stability testing on each one (since one or more of them is causing the game to randomly freeze and/or crash, possibly the one having to do with paths). Right now I am working on getting the GTA3 map placed west of Vice City, and if it's ever going to be released in some way I want it to be as bug-free as possible. Thanks

/* I finished "cleaning up" this topic, for the most part.

@ andy, I have a bunch of your posts copy/pasted; I'll sort out the addresses and post them if you still want. I'm only posting the addresses though, I assume you have the functions documented already. */

ocram88
  • ocram88

    Mapper & Mission Scripter

  • Members
  • Joined: 16 May 2004

#673

Posted 06 May 2005 - 06:13 PM

When I use the patch from Andy80586, I get an error:
"gta-vc.exe - CRC32 Error. Version missmatch, or File is allready patched!"
I use the original German gta-vc.exe (V1.0).
Please help.

Andy80586
  • Andy80586

    Mark Chump

  • Members
  • Joined: 23 Jul 2003

#674

Posted 06 May 2005 - 10:34 PM

QUOTE (ocram88 @ May 6 2005, 11:13)
When I use the patch from Andy80586, I get an error:
"gta-vc.exe - CRC32 Error. Version missmatch, or File is allready patched!"
I use the original German gta-vc.exe (V1.0).
Please help.

You have to have the American version or it won't work.

ocram88
  • ocram88

    Mapper & Mission Scripter

  • Members
  • Joined: 16 May 2004

#675

Posted 08 May 2005 - 01:05 PM

Can you make a patch for the German version?

Squiddy
  • Squiddy

    Back!

  • The Connection
  • Joined: 06 Oct 2004

#676

Posted 09 May 2005 - 06:43 PM Edited by Squiddy, 09 May 2005 - 07:14 PM.

Thinking about what else could be changed in VC, I thought about making the internal mp3 player (radio station) controllable. I have some ideas how to achieve this, but there seem to be many problems on the way to a good solution. However, here are some addresses I found while working; they might be useless, but this is a topic for memory addresses, isn't it?

0xA108B0 DWORD - Number of valid mp3 files found in mp3 directory and loaded
0xA10B50 Byte - Is mp3 station playing (Audio Menu too)
0x97881C DWORD - Index of currently playing track
0x978DB0 DWORD - Track position (only updated sometimes, like when switching to menu and back)

0x9753E0 DWORD - Pointer to first mp3 file
Resulting address:
+0x104 = Track length in milliseconds
+0x10C = Next track

Edit:
Thanks to the great help from kyeman and spookie I have something more to show:
http://squiddy.marwa...ns/vcmp3_02.jpg
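Added example (not code from the thread or from Squiddy): a Python walker for the mp3 record list described above, using the addresses given in this post and the total-length address 0x94C104 from a later post by the same poster. It runs over a constructed flat memory snapshot (record VAs and track lengths are made up), follows the +0x10C next pointers from the head at 0x9753E0, and stops on a NULL pointer, on the count at 0xA108B0, on a pointer outside the snapshot, or on a cycle, then cross-checks the summed +0x104 lengths against 0x94C104.

```python
import struct

MP3_FIRST_PTR = 0x9753E0   # DWORD: pointer to the first mp3 record (from the thread)
MP3_COUNT     = 0xA108B0   # DWORD: number of valid mp3 files loaded
MP3_TOTAL_MS  = 0x94C104   # DWORD: total length of all tracks in milliseconds
OFF_LENGTH_MS = 0x104      # record + 0x104: track length in milliseconds
OFF_NEXT      = 0x10C      # record + 0x10C: pointer to the next record

class Dump:
    """Constructed flat memory snapshot: one byte range starting at a base VA."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)
    def contains(self, va, n=4):
        return self.base <= va and va + n <= self.base + len(self.buf)
    def u32(self, va):
        if not self.contains(va):
            raise ValueError(f"read outside snapshot: {va:#x}")
        return struct.unpack_from("<I", self.buf, va - self.base)[0]
    def put_u32(self, va, v):
        struct.pack_into("<I", self.buf, va - self.base, v)

def walk_mp3_list(d, max_nodes=None):
    """Follow next pointers from the head; returns [(record_va, length_ms), ...]."""
    limit = d.u32(MP3_COUNT) if max_nodes is None else max_nodes
    node, seen, out = d.u32(MP3_FIRST_PTR), set(), []
    while node and len(out) < limit:
        if node in seen:
            raise ValueError(f"cycle at {node:#x}")
        if not d.contains(node, OFF_NEXT + 4):       # whole record must be readable
            raise ValueError(f"bad record pointer {node:#x}")
        seen.add(node)
        out.append((node, d.u32(node + OFF_LENGTH_MS)))
        node = d.u32(node + OFF_NEXT)
    return out

def totals_consistent(d):
    """True if the list length and summed track lengths match the game's own counters."""
    tracks = walk_mp3_list(d)
    return (len(tracks) == d.u32(MP3_COUNT)
            and sum(ms for _, ms in tracks) == d.u32(MP3_TOTAL_MS))

def has_cycle(d, max_nodes=64):
    try:
        walk_mp3_list(d, max_nodes)
        return False
    except ValueError as e:
        return "cycle" in str(e)

def build_dump(lengths, corrupt=False):
    """Constructed snapshot with one record per track; record VAs are made up."""
    d = Dump(0x940000, 0xE0000)
    recs = [0x9A0000 + i * 0x200 for i in range(len(lengths))]
    for i, (va, ms) in enumerate(zip(recs, lengths)):
        nxt = recs[i + 1] if i + 1 < len(recs) else 0
        d.put_u32(va + OFF_LENGTH_MS, ms)
        d.put_u32(va + OFF_NEXT, recs[0] if (corrupt and nxt == 0) else nxt)  # corrupt: loop back
    d.put_u32(MP3_FIRST_PTR, recs[0] if recs else 0)
    d.put_u32(MP3_COUNT, len(lengths))
    d.put_u32(MP3_TOTAL_MS, sum(lengths))
    return d
```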

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#677

Posted 10 May 2005 - 02:56 PM

Does anyone know how the vehicle entity list works exactly? I have the address delfi posted a while back, 7927340.. he said there's 40 blocks of 250 bytes, summing to a 10,000 byte entity table, but which block contains car entity data?

Luke
  • Luke

    suckmyrocket

  • Inactive Staff
  • Joined: 01 Dec 2003
  • None

#678

Posted 10 May 2005 - 04:19 PM

QUOTE (!cMc! Jacob @ May 10 2005, 14:56)
Does anyone know how the vehicle entity list works exactly? I have the address delfi posted a while back, 7927340.. he said there's 40 blocks of 250 bytes, summing to a 10,000 byte entity table, but which block contains car entity data?

The one Delfi posted is an entity table with peds, cars, cops, players, and even a few odd things like fire hydrant spurts in it. There's another one with just cars in, can't remember where it is though.

Andy80586
  • Andy80586

    Mark Chump

  • Members
  • Joined: 23 Jul 2003

#679

Posted 10 May 2005 - 11:46 PM

It looks like the only way around the in-game stats display and the savegame loading bugs is to use either a no-CD or a backup-CD cracked .exe. Safedisc seems to be the cause of these issues, and I don't know of any way to take it off and put it back on again. The game does have a second level of CD detection, so I will leave that one intact. Any other suggestions?

JernejL
  • JernejL

    Big Homie

  • Feroci Racing
  • Joined: 11 Mar 2002

#680

Posted 11 May 2005 - 05:35 AM

QUOTE (!cMc! Jacob @ May 10 2005, 15:56)
Does anyone know how the vehicle entity list works exactly? I have the address delfi posted a while back, 7927340.. he said there's 40 blocks of 250 bytes, summing to a 10,000 byte entity table, but which block contains car entity data?

The first number is the pointer type and the second number is the pointer to the memory block, I think; the other 240 bytes in these records are trash.

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#681

Posted 11 May 2005 - 08:34 AM

A couple of hours of research and I've figured out how to get the pointers/object types/vehicle names/etc. of everything in the entity list. There were, however, a few values that I didn't recognize, and when teleporting to their +52,56,60 it took me to random areas. Could be ghosts, or Tommy's ghost mom.

JernejL
  • JernejL

    Big Homie

  • Feroci Racing
  • Joined: 11 Mar 2002

#682

Posted 11 May 2005 - 10:28 AM

QUOTE (!cMc! Jacob @ May 11 2005, 09:34)
A couple of hours of research and I've figured out how to get the pointers/object types/vehicle names/etc. of everything in the entity list. There were, however, a few values that I didn't recognize, and when teleporting to their +52,56,60 it took me to random areas. Could be ghosts, or Tommy's ghost mom.

No, it took you to places where there were previously normal peds or cars that were later deleted.

Squiddy
  • Squiddy

    Back!

  • The Connection
  • Joined: 06 Oct 2004

#683

Posted 12 May 2005 - 07:07 PM Edited by Squiddy, 12 May 2005 - 08:23 PM.

0x94C104 DWORD
Total length of all mp3 tracks (in milliseconds)

Not sure if this has been posted before, the search gave me no result.
0x978810 DWORD

Set to 0x0 and everything is fine.
Set to 0x1 and only water, cars, peds etc. will be rendered; the radio stops playing.
Set to 0x11 and the water disappears too.

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#684

Posted 13 May 2005 - 12:39 AM

Here's a formula for getting a car pointer from its handle I've found useful recently..

car pointer = (((handle - 769) / 256) * 1500) + 0x7E49C0

JernejL
  • JernejL

    Big Homie

  • Feroci Racing
  • Joined: 11 Mar 2002

#685

Posted 13 May 2005 - 10:11 AM

QUOTE (!cMc! Jacob @ May 13 2005, 01:39)
Here's a formula for getting a car pointer from its handle I've found useful recently..

car pointer = (((handle - 769) / 256) * 1500) + 0x7E49C0

what??

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#686

Posted 13 May 2005 - 03:42 PM Edited by !cMc! Jacob, 13 May 2005 - 03:44 PM.

All cars have a handle. The first car has a handle of 769, the second 1025, and they continue to increment in 256 bytes. Each car block is 1500 bytes long. The car blocks start directly after each other, starting from the base car pointer, 0x7E49C0.

It's basically a spiffed-up recreation of GameGetVehicle - but it gets car pointers from handles instead of car IDs. Handles and car IDs aren't that much different from one another. To convert a car's handle to its ID (the order it was created in), you subtract 769 and divide by 256. Then we have the car ID, and from there we use a process similar to VC's own GameGetVehicle function to retrieve the car's pointer. Get it now?

Luke
  • Luke

    suckmyrocket

  • Inactive Staff
  • Joined: 01 Dec 2003
  • None

#687

Posted 13 May 2005 - 04:41 PM

QUOTE (Delfi @ May 13 2005, 10:11)
QUOTE (!cMc! Jacob @ May 13 2005, 01:39)
Here's a formula for getting a car pointer from its handle I've found useful recently..

car pointer = (((handle - 769) / 256) * 1500) + 0x7E49C0

what??

The thing he forgot to mention is that these 'handles' he speaks of are just the contents of an SCM variable from CreateCar opcode.

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#688

Posted 13 May 2005 - 06:36 PM

These contents are required as one of the parameters for every single opcode that deals with specific cars. Barton's editor deals with them like this:

CODE
$car = create_car #rhino etc etc etc

where $car holds the car handle. To use further opcodes with this car you must specify $car, the car handle. They aren't as useless as you might think.

JernejL
  • JernejL

    Big Homie

  • Feroci Racing
  • Joined: 11 Mar 2002

#689

Posted 14 May 2005 - 08:42 PM

QUOTE (!cMc! Jacob @ May 13 2005, 16:42)
All cars have a handle. The first car has a handle of 769, the second 1025, and they continue to increment in 256 bytes. Each car block is 1500 bytes long. The car blocks start directly after each other, starting from the base car pointer, 0x7E49C0.

It's basically a spiffed-up recreation of GameGetVehicle - but it gets car pointers from handles instead of car IDs. Handles and car IDs aren't that much different from one another. To convert a car's handle to its ID (the order it was created in), you subtract 769 and divide by 256. Then we have the car ID, and from there we use a process similar to VC's own GameGetVehicle function to retrieve the car's pointer. Get it now?

To get the memory offset for a car index (i), use this:

7927340 + (i * 40)

Read the pointer and you have the location of the ped / car / object data at that entity table index.

Squiddy
  • Squiddy

    Back!

  • The Connection
  • Joined: 06 Oct 2004

#690

Posted 15 May 2005 - 06:03 PM Edited by Squiddy, 15 May 2005 - 06:05 PM.

user posted image

Progress bar | All addresses for VC 1.0
0x68E704 (float) Distance from the left
0x68E708 (float) Distance from the bottom
0x68E70C (float) Width
0x68E7010 (float) Height

0xA0CE94 (float) Position of the bar (progress of loading), maximum 94 for me on an original installation
0x68E6FC (float) Progress step (set it to 0.5 and the position will reach its maximum at 47 -> the bar will only load to the half)

(Colors were changed by altering the exe)

Misc
0xA10B63 (byte) Set to 1 and the menu will be disabled; wasted & busted will not be shown (camera fades endlessly)
0xA0D9AC (byte) Set to 2 and a loading screen will appear (will be reset to 1)
0xA10B36 (byte) Set to 1 and the game pauses, except the radio
0xA10B76 (byte) Same as above, but this time sound will continue
0x7E46F5 (byte) Cinema border switch: On/Off (1/0)
0x7839C0 (dword) Pointer to the Unicode string for the current radio station
