
Documenting GTA-SA memory addresses

1,379 replies to this topic
AlexTMjugador
  • AlexTMjugador

    Hi!

  • Members
  • Joined: 12 Aug 2011
  • Spain

#1351

Posted 24 January 2015 - 06:57 PM

Thank you very much Seemann, but that isn't what I was looking for. Forgive me if I explained myself wrong :)

 

What I want to know is the memory address of a CVehicle class method for toggling the engine broken state of a vehicle, if it exists. For example, I know that there's a method in that class to set the vehicle engine state (whether it's on or off) at address 0x41BDD0: CVehicle::SetEngineOn(bool). I only mentioned that opcode because it's kinda related to the method I said, functionality-wise (although I know they're different things code-wise, of course).

 

Thanks in advance :D


Seemann
  • Seemann

    Ruhe

  • GTA Mods Staff
  • Joined: 03 Sep 2004
  • Russia
  • Best Tool 2013 "Sanny Builder"
    Contribution Award [Mods]
    Helpfulness Awards [Mods]

#1352

Posted 24 January 2015 - 07:16 PM Edited by Seemann, 24 January 2015 - 07:16 PM.

Well, you know, it's just a flag, one bit in the particular field in a CVehicle struct. You don't need a method to switch one bit. That's why the method you're looking for does not exist. Use the code above.
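An added example (not Seemann's code, and not the real CVehicle layout) of what "switching one bit in a field" looks like when done from C against a copy of the object: the buffer, `FLAGS_OFFSET` and `ENGINE_BROKEN_BIT` are constructed placeholders, and the point is that only the selected bit changes while the other flags packed into the same byte survive, with the offset checked against the object size before any access.

```c
/* Added example: toggling one bit in a byte field at a fixed offset from an
 * object base. VEHICLE_SNAPSHOT_SIZE, FLAGS_OFFSET and ENGINE_BROKEN_BIT are
 * constructed placeholders, NOT the CVehicle layout from the thread. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define VEHICLE_SNAPSHOT_SIZE 0x100u   /* constructed size of the stand-in object */
#define FLAGS_OFFSET          0x42u    /* placeholder offset of the flag byte */
#define ENGINE_BROKEN_BIT     3u       /* placeholder bit index inside that byte */

/* Byte field at `offset` from `base`, or NULL when the offset is outside the
 * object: the bounds check is what an in-process poke usually skips. */
static uint8_t *field_u8(uint8_t *base, size_t size, size_t offset)
{
    if (offset >= size) return NULL;
    return base + offset;
}

/* Read one bit: 0 or 1, or -1 on a bad offset/bit. */
int flag_get(const uint8_t *base, size_t size, size_t offset, unsigned bit)
{
    const uint8_t *p = field_u8((uint8_t *)base, size, offset);
    if (!p || bit > 7) return -1;
    return (*p >> bit) & 1u;
}

/* Set (on != 0) or clear one bit, leaving the other bits of the byte alone.
 * Returns the new bit value, or -1 on a bad offset/bit. */
int flag_set(uint8_t *base, size_t size, size_t offset, unsigned bit, int on)
{
    uint8_t *p = field_u8(base, size, offset);
    if (!p || bit > 7) return -1;
    uint8_t mask = (uint8_t)(1u << bit);
    *p = on ? (uint8_t)(*p | mask) : (uint8_t)(*p & (uint8_t)~mask);
    return (*p >> bit) & 1u;
}

/* Flip one bit; returns the new bit value, or -1 on a bad offset/bit. */
int flag_toggle(uint8_t *base, size_t size, size_t offset, unsigned bit)
{
    uint8_t *p = field_u8(base, size, offset);
    if (!p || bit > 7) return -1;
    *p ^= (uint8_t)(1u << bit);
    return (*p >> bit) & 1u;
}

/* Demo on a constructed snapshot: two unrelated flags (0x81) are already set
 * in the byte and must survive set/toggle/toggle. Returns the final byte. */
uint8_t demo_engine_broken_flag(void)
{
    uint8_t vehicle[VEHICLE_SNAPSHOT_SIZE];
    memset(vehicle, 0, sizeof vehicle);
    vehicle[FLAGS_OFFSET] = 0x81;   /* constructed starting value */

    flag_set(vehicle, sizeof vehicle, FLAGS_OFFSET, ENGINE_BROKEN_BIT, 1);  /* 0x89 */
    flag_toggle(vehicle, sizeof vehicle, FLAGS_OFFSET, ENGINE_BROKEN_BIT);  /* 0x81 */
    flag_toggle(vehicle, sizeof vehicle, FLAGS_OFFSET, ENGINE_BROKEN_BIT);  /* 0x89 */
    return vehicle[FLAGS_OFFSET];
}

int main(void)
{
    printf("flag byte after demo: 0x%02X\n", demo_engine_broken_flag());
    return 0;
}
```

Against a live process the same three functions would take the real object pointer and field offset; reading the byte back after the write (as `flag_set` does) is the cheap check that the write actually landed where intended.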

AlexTMjugador
  • AlexTMjugador

    Hi!

  • Members
  • Joined: 12 Aug 2011
  • Spain

#1353

Posted 24 January 2015 - 07:25 PM

Ok, thanks for explaining :)


iFarbod
  • iFarbod

    King of San Andreas (3D/HD Universe)

  • Members
  • Joined: 17 Dec 2013
  • None

#1354

Posted 15 February 2015 - 04:22 PM

I disabled the loading of the SCM. Can someone tell me how to create a player AFTER THE GAME HAS BEEN LOADED WITHOUT USING ANY SDK/THIRD-PARTY LIBRARIES?


iFarbod
  • iFarbod

    King of San Andreas (3D/HD Universe)

  • Members
  • Joined: 17 Dec 2013
  • None

#1355

Posted 17 February 2015 - 03:58 PM

I disabled the loading of the SCM. Can someone tell me how to create a player AFTER THE GAME HAS BEEN LOADED WITHOUT USING ANY SDK/THIRD-PARTY LIBRARIES?

Nobody got any ideas?


nyolc8
  • nyolc8

    -

  • Members
  • Joined: 12 Oct 2009
  • Hungary

#1356

Posted 21 February 2015 - 04:49 PM Edited by nyolc8, 21 February 2015 - 06:18 PM.

New reverse engineering technique by IDA and Hex-Rays to produce decompiled pseudocode from binaries: http://video.reverse...?album=17&pos=0

Now for some memory addresses:

0x6ACCD0 : Begins an array holding some vehicle siren attributes (via model); each index in the array is a byte, meaning:
0 -> 2 Sirens
1 -> 1st type of single siren
2 -> 2nd type of single siren (doesn't seem as good as the first (fewer floats))
4 -> Nothing
0x6ACDAC : If the first array says 2 sirens it comes to this array and chooses which siren offset to use (via model again); each index in the array is still a byte:
0 -> 1st type of double siren
1 -> 2nd type of double siren
2 -> 3rd type of double siren
3 -> 4th type of double siren
4 -> 5th type of double siren
5 -> No Siren
0x6AB36D : switch(SingleSiren[vehiclemodel])
0x6AB39F : switch(DoubleSiren[vehiclemodel])
0x6ACA37 : Hardcoded Model Switches
0x6FC580 : DrawSirenParticle
0x6ABA60 : call DrawSirenParticle (NOP to disable sirens appearing)
0x4F62A0 : GetSirenSound
0x4F62BB : mov dl,[ecx+0x42D] (Get the siren true/false value, NOP to disable siren sounds)
0x501BA8 : Siren Sound array, each entry in the array is still a byte:
0 -> 1st type of siren sound
1 -> 2nd type of siren sound
2 -> 3rd type of siren sound
3 -> 4th type of siren sound
5 -> 5th type of siren sound
6 -> No siren sound
0x501AB0 : ProcSirenSound
0x501AD6 : switch(SirenSnds[vehiclemodel])
0x6D8470 : DoesModelContainSiren
0x6D84AC : SirenModelArray, only contains models below first police model, each index is a byte where the index is modelid:
0 -> Yes
1 -> No
2 -> Goto IsModelPolice
0x6D2370 : IsModelPolice
0x6D239C : PoliceModelArray, seems to start off where the other models left off (from DoesModelContainSiren), each index is a byte where the index is modelid:
0 -> Yes
1 -> No
To make the game 'think' every model contains a siren, write mov al,1 + retn (0xB0 0x01 0xC3) to the start of the func; the same can be done with the Police check.

Contrary to popular belief the values in these switches aren't colours, they are floats defining where the sirens appear on the vehicle; colours are not accounted for as of yet (despite what misinformed people may tell you). However, this information does give us the ability to decide which vehicles can use which type of siren and where they're rendered on the vehicle (SALA already gives you this in a limited way).

EDIT:

I managed to get sirens on heaps of other vehicles (by hacking the arrays) including working sounds; here's a screen of the Blista:

(screenshot: sirenlq5.th.png)

Washington:

(screenshot: washingtonsirenya1.th.png)

Some other random car:

(screenshot: siren2el7.th.png)

It's interesting to note that although one colour was red the other was nothing (just light), which means I must have clipped the colour somewhere in my memory editing.

Yay I just found where the colours are actually located:

0x6AB5B5 : loc Blue (move the Blue colour in)
0x6AB5BE : loc Red (move the Red colour in)

Can someone tell me how to use this? I just can't figure out how to set a siren (or a different siren type) for a car. :/ (What does "via model" mean?)
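An added example, not code from the thread, of what "via model" means for the tables listed above: every table holds one byte per vehicle model id, and the lookup chain is single-siren table first, then the double-siren table only when the first one says 0, then the sound table. The table contents below are constructed for the demo (not dumped from the game) and model ids are numbered from 0; the decoding of each byte value follows the post's legend.

```c
/* Added example: the siren lookup chain described in the thread, modelled
 * on constructed per-model byte tables. Values follow the post's legend;
 * the table CONTENTS are made up for the demo. */
#include <stdint.h>
#include <stdio.h>

enum { NUM_MODELS = 6 };   /* constructed: fake model ids 0..5 */

/* Stand-in for the array at 0x6ACCD0, indexed by model:
 * 0 = two sirens (consult the double table), 1 / 2 = single-siren type, 4 = nothing */
static const uint8_t single_siren[NUM_MODELS] = { 1, 0, 2, 4, 0, 0 };
/* Stand-in for the array at 0x6ACDAC, used only when the first table says 0:
 * 0..4 = double-siren offset type, 5 = no siren */
static const uint8_t double_siren[NUM_MODELS] = { 0, 3, 0, 0, 5, 1 };
/* Stand-in for the sound array at 0x501BA8:
 * 0..5 = siren sound type (the post's legend skips 4), 6 = no siren sound */
static const uint8_t siren_sound[NUM_MODELS]  = { 0, 2, 1, 6, 6, 4 };

typedef struct {
    int has_siren;    /* 1 if the model ends up with a siren at all */
    int is_double;    /* 1 if the offset type came from the double table */
    int offset_type;  /* chosen entry of the single or double table, -1 if none */
    int sound_type;   /* chosen entry of the sound table, -1 if none */
} siren_info;

/* Walk the tables in the order the switches at 0x6AB36D / 0x6AB39F do. */
siren_info lookup_siren(int model)
{
    siren_info r = { 0, 0, -1, -1 };
    if (model < 0 || model >= NUM_MODELS)    /* never index past the table */
        return r;

    uint8_t s = single_siren[model];
    if (s == 0) {                            /* "2 sirens": second table decides */
        uint8_t d = double_siren[model];
        if (d <= 4) { r.has_siren = 1; r.is_double = 1; r.offset_type = d; }
        /* d == 5: no siren */
    } else if (s == 1 || s == 2) {           /* single siren of type 1 or 2 */
        r.has_siren = 1;
        r.offset_type = s;
    }                                        /* s == 4: nothing */

    if (r.has_siren && siren_sound[model] <= 5)
        r.sound_type = siren_sound[model];
    return r;
}

int main(void)
{
    for (int m = 0; m <= NUM_MODELS; m++) {  /* last iteration shows the out-of-range case */
        siren_info i = lookup_siren(m);
        printf("model %d: siren=%d double=%d offset_type=%d sound=%d\n",
               m, i.has_siren, i.is_double, i.offset_type, i.sound_type);
    }
    return 0;
}
```

Giving a car a siren therefore means changing its model's byte in the first table (and, for value 0, the second one) plus its byte in the sound table; a patch that edits one table without the others is what produces the "light but no sound" or "sound but no light" half-results.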

iFarbod
  • iFarbod

    King of San Andreas (3D/HD Universe)

  • Members
  • Joined: 17 Dec 2013
  • None

#1357

Posted 12 March 2015 - 09:15 PM

What's this function's address? (US 1.0 - If you know the EU 1.0 and 1.1 post them too!)

 

CGangs::SetGangWeapons(short,int,int,int)  


nick7
  • nick7

    グランドセフトオ

  • Members
  • Joined: 04 Aug 2011
  • None

#1358

Posted 13 March 2015 - 03:51 AM Edited by nick7, 13 March 2015 - 05:36 AM.

What's this function's address? (US 1.0 - If you know the EU 1.0 and 1.1 post them too!)

CGangs::SetGangWeapons(short,int,int,int)

Check this out - EU-1.00 @ 0x5DE550


* * *

Actually I wanna post a pair of cheat collisions I've found (I'm posting here because the cheat topic was closed lol)
// spaces are just for readability
LXGIWYL -> THUGS ARMOURY // CCheat::WeaponCheat1 (Weapon set 1)
UZUMYMW -> NUTTERS TOYS  // CCheat::WeaponCheat3 (Weapon set 3)
It's really similar to Vice City's and looks like 'PROFESSIONALS KIT' so I think I'm right.

Not sure, but seems to be right:
AJLOJYQY -> ROUGH NEIGHBOURHOOD // CCheat::MayhemCheat (Peds attack each other with a golf club)
  • ThirteenAG, LINK/2012 and iFarbod like this

iFarbod
  • iFarbod

    King of San Andreas (3D/HD Universe)

  • Members
  • Joined: 17 Dec 2013
  • None

#1359

Posted 13 March 2015 - 07:59 AM Edited by iFarbod, 13 March 2015 - 09:36 AM.

 

What's this function's address? (US 1.0 - If you know the EU 1.0 and 1.1 post them too!)

CGangs::SetGangWeapons(short,int,int,int)

Check this out - EU-1.00 @ 0x5DE550


* * *

Actually I wanna post a pair of cheat collisions I've found (I'm posting here because the cheat topic was closed lol)
// spaces are just for readability
LXGIWYL -> THUGS ARMOURY // CCheat::WeaponCheat1 (Weapon set 1)
UZUMYMW -> NUTTERS TOYS  // CCheat::WeaponCheat3 (Weapon set 3)
It's really similar to Vice City's and looks like 'PROFESSIONALS KIT' so I think I'm right.

Not sure, but seems to be right:
AJLOJYQY -> ROUGH NEIGHBOURHOOD // CCheat::MayhemCheat (Peds attack each other with a golf club)

Is the address the same for US 1.0 and 1.1? If not, how can I find that address?

 

Anyway, there is also a CCheat::WeaponCheat4 I found in the Android version of the game.

 

EDIT: Worked like a charm for both EU and US, not sure about 1.1


iFarbod
  • iFarbod

    King of San Andreas (3D/HD Universe)

  • Members
  • Joined: 17 Dec 2013
  • None

#1360

Posted 13 March 2015 - 11:16 AM Edited by iFarbod, 13 March 2015 - 11:17 AM.

// Need the addresses for the following functions:
CPed::DettachPedFromEntity(void)
CPed::AttachPedToEntity(CEntity *,CVector,ushort,float,eWeaponType)
CPed::AttachPedToBike(CEntity *,CVector,ushort,float,float,eWeaponType) 

juarez
  • juarez

    Thx you

  • Members
  • Joined: 11 Jun 2011
  • Australia

#1361

Posted 13 March 2015 - 01:54 PM

https://github.com/D...ame_sa/CPed.cpp

  • iFarbod likes this

iFarbod
  • iFarbod

    King of San Andreas (3D/HD Universe)

  • Members
  • Joined: 17 Dec 2013
  • None

#1362

Posted 30 March 2015 - 08:33 AM Edited by iFarbod, 30 March 2015 - 08:37 AM.

My random finds :)

0056E230 int __cdecl FindPlayerWanted(int) // I think it should return a CWanted
0056E160 int __cdecl FindPlayerTrain(int a1)
0056E610 char __thiscall CPlayerInfo::WorkOutEnergyFromHunger(void *this)
00588BE0 char __cdecl CHud::SetHelpMessage(char const *msg, unsigned short *, bool, bool, bool, unsigned int) // parameters stolen from libGTASA
0056EA30 int __thiscall CPlayerInfo::BlowUpRCBuggy(bool) // not sure what this does

Deji
  • Deji

    Coding like a Rockstar!

  • Feroci
  • Joined: 24 Dec 2007
  • None
  • Contribution Award [Mods]

#1363

Posted 30 March 2015 - 11:42 AM

Actually I wanna post a pair of cheat collisions I've found (I'm posting here because the cheat topic was closed lol)

// spaces are just for readability
LXGIWYL -> THUGS ARMOURY // CCheat::WeaponCheat1 (Weapon set 1)
UZUMYMW -> NUTTERS TOYS  // CCheat::WeaponCheat3 (Weapon set 3)
It's really similar to Vice City's and looks like 'PROFESSIONALS KIT' so I think I'm right.

Not sure, but seems to be right:
AJLOJYQY -> ROUGH NEIGHBOURHOOD // CCheat::MayhemCheat (Peds attack each other with a golf club)

Bunch more here: http://gtag.gtagamin...andreas/cheats/
  • Silent likes this

Alexander Blade
  • Alexander Blade

    Come As You Are

  • Members
  • Joined: 05 Nov 2006
  • None
  • Major Contribution Award [Mods]

#1364

Posted 31 March 2015 - 11:35 AM

You can look into the Android version, there are actual cheat strings there.

 

 

Actually I wanna post a pair of cheat collisions I've found (I'm posting here because the cheat topic was closed lol)

// spaces are just for readability
LXGIWYL -> THUGS ARMOURY // CCheat::WeaponCheat1 (Weapon set 1)
UZUMYMW -> NUTTERS TOYS  // CCheat::WeaponCheat3 (Weapon set 3)
It's really similar to Vice City's and looks like 'PROFESSIONALS KIT' so I think I'm right.

Not sure, but seems to be right:
AJLOJYQY -> ROUGH NEIGHBOURHOOD // CCheat::MayhemCheat (Peds attack each other with a golf club)
Bunch more here: http://gtag.gtagamin...andreas/cheats/

 


iFarbod
  • iFarbod

    King of San Andreas (3D/HD Universe)

  • Members
  • Joined: 17 Dec 2013
  • None

#1365

Posted 31 March 2015 - 08:12 PM Edited by iFarbod, 31 March 2015 - 08:12 PM.

// Android Cheat names, under CCheat class
	* AddToCheatString(char)
	* AdrenalineCheat()
	* AllCarsAreGreatCheat()
	* AllCarsAresh*tCheat()
	* ApacheCheat()
	* BeachPartyCheat()
	* BlackCarsCheat()
	* BlowUpCarsCheat()
	* ClearGameCheatsList()
	* ClearMissionSkip()
	* CloudyWeatherCheat()
	* CountrysideInvasionCheat()
	* DoCheats()
	* DozerCheat()
	* DrivebyCheat()
	* DuskCheat()
	* ElvisLivesCheat()
	* EverybodyAttacksPlayerCheat()
	* ExtraSunnyWeatherCheat()
	* FastTimeCheat()
	* FatCheat()
	* FindCheatIndex(char const*)
	* FlyboyCheat()
	* FoggyWeatherCheat()
	* FunhouseCheat()
	* GangLandCheat()
	* GangsCheat()
	* GolfcartCheat()
	* HandleAllCheats()
	* HandleCarCheat()
	* HandleCheatMenu(bool)
	* HandleGameCheats()
	* HandleMissionJump(bool, int)
	* HealthCheat()
	* HearseCheat()
	* JetpackCheat()
	* LoveConquersAllCheat()
	* LovefistCheat()
	* MayhemCheat()
	* MidnightCheat()
	* MoneyArmourHealthCheat()
	* MonsterTruckCheat()
	* MuscleCheat()
	* NinjaCheat()
	* NotWantedCheat()
	* ParachuteCheat()
	* PinkCarsCheat()
	* PredatorCheat()
	* ProcessAllCheats()
	* ProcessCheatMenu()
	* ProcessCheats()
	* ProcessDebugCarCheats()
	* ProcessDebugMissionSkip()
	* ProcessWeaponSlotCheats()
	* QuadCheat()
	* RainyWeatherCheat()
	* ResetCheats()
	* RiotCheat()
	* SandstormCheat()
	* ScriptBypassCheat()
	* ShowMappingsCheat()
	* SkinnyCheat()
	* SlowTimeCheat()
	* StaminaCheat()
	* StockCar2Cheat()
	* StockCar3Cheat()
	* StockCar4Cheat()
	* StockCarCheat()
	* StormCheat()
	* StuntPlaneCheat()
	* SuicideCheat()
	* SunnyWeatherCheat()
	* TankCheat()
	* TankerCheat()
	* TheGamblerCheat()
	* TimeTravelCheat()
	* TogglePlayerInvincibility()
	* ToggleShowTapToTarget()
	* ToggleShowTargeting()
	* TrashmasterCheat()
	* VehicleCheat(int)
	* VehicleSkillsCheat()
	* VillagePeopleCheat()
	* VortexCheat()
	* WantedCheat()
	* WantedLevelDownCheat()
	* WantedLevelUpCheat()
	* WeaponCheat1()
	* WeaponCheat2()
	* WeaponCheat3()
	* WeaponCheat4()
	* WeaponSkillsCheat()
	* WeaponSlotCheat()

LINK/2012
  • LINK/2012

    LIVIN' IN CODE

  • Feroci
  • Joined: 30 Jan 2011
  • Brazil
  • Best Tool 2014 [Mod Loader]
    Contribution Award [Mods]

#1366

Posted 31 March 2015 - 09:09 PM

He's talking about _ZN6CCheat10CheatLabelE tho.

In any case none of the cheat strings on the Android binary relate to the PC hashes.


Alexander Blade
  • Alexander Blade

    Come As You Are

  • Members
  • Joined: 05 Nov 2006
  • None
  • Major Contribution Award [Mods]

#1367

Posted 01 April 2015 - 08:43 AM

Not the best joke, though. Now go and get these strings from _ZN6CCheat15m_aCheatStringsE!

 

He's talking about _ZN6CCheat10CheatLabelE tho.

In any case none of the cheat strings on the Android binary relate to the PC hashes.


nyolc8
  • nyolc8

    -

  • Members
  • Joined: 12 Oct 2009
  • Hungary

#1368

Posted 03 April 2015 - 11:35 AM

Does anyone know anything about where the vehicle component ids are defined? So where the game defines these:
16 = bonnet, 1 = chassis, 2 = rf_wheel, etc...

fastman92
  • fastman92

    фастман92 | ف

  • Members
  • Joined: 28 Jul 2009
  • None
  • Contribution Award [Mods]

#1369

Posted 03 April 2015 - 05:24 PM Edited by fastman92, 03 April 2015 - 05:25 PM.

Does anyone know anything about where the vehicle component ids are defined? So where the game defines these:
16 = bonnet, 1 = chassis, 2 = rf_wheel, etc...



.data:008A7740     ; void *CVehicleModelInfo::ms_vehicleDescs
.data:008A7740     _ZN17CVehicleModelInfo15ms_vehicleDescsE dd offset _componentListCar
.data:008A7740                                             ; DATA XREF: CVehicleModelInfo::PreprocessHierarchy(void)+23o
.data:008A7740                                             ; CVehicleModelInfo::SetClump(RpClump *)+60r
.data:008A7744                     dd offset _componenListMtruck
.data:008A7748                     dd offset _componenListQuad
.data:008A774C                     dd offset _componenListHeli
.data:008A7750                     dd offset _componentListPlane
.data:008A7754                     dd offset _componentListBoat
.data:008A7758                     dd offset _componentListTrain
.data:008A775C                     dd offset off_8A71B8
.data:008A7760                     dd offset _componentListFPlane
.data:008A7764                     dd offset _componentListBike
.data:008A7768                     dd offset _componentListBmx
.data:008A776C                     dd offset _componentListTrailer
There are different components for different types of vehicles.

nyolc8
  • nyolc8

    -

  • Members
  • Joined: 12 Oct 2009
  • Hungary

#1370

Posted 03 April 2015 - 05:33 PM

But the numbers (for example: 16 = bonnet) are the same for every vehicle. Where do those number ids (in this case, 16) get defined? Or are the component lists the lists with the numbers defined?

fastman92
  • fastman92

    фастман92 | ف

  • Members
  • Joined: 28 Jul 2009
  • None
  • Contribution Award [Mods]

#1371

Posted 03 April 2015 - 05:46 PM Edited by fastman92, 03 April 2015 - 05:46 PM.

Every component is described with this structure:
 
#pragma pack(push, 1)
struct RwObjectNameIdAssocation
{
  const char *name;
  int hierarchyID;
  void *flags;
};
#pragma pack(pop)
Notice hierarchyID.
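An added example (not fastman92's code) putting the two replies together: a per-vehicle-class table of `RwObjectNameIdAssocation` lists in the shape of `CVehicleModelInfo::ms_vehicleDescs`, with `hierarchyID` carrying the numeric component id, which is the reading fastman92's "Notice hierarchyID" implies. Only `chassis = 1`, `rf_wheel = 2` and `bonnet = 16` come from the thread; the bike entry and the NULL-name list terminator are this example's constructed conventions, not necessarily the game's.

```c
/* Added example: component-name <-> hierarchyID lookup over per-class lists.
 * Struct layout is the one posted in the thread; list contents are
 * constructed (only chassis=1, rf_wheel=2, bonnet=16 come from the thread). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#pragma pack(push, 1)
struct RwObjectNameIdAssocation
{
  const char *name;    /* component frame name, e.g. "bonnet" */
  int hierarchyID;     /* numeric component id, the "16" in "16 = bonnet" */
  void *flags;
};
#pragma pack(pop)

/* Two classes are enough for the demo; the real array has one pointer per
 * class (car, mtruck, quad, heli, plane, boat, train, ...). */
enum vehicle_type { VT_CAR = 0, VT_BIKE = 1, VT_TYPE_COUNT };

/* A NULL name terminates a list (this example's convention). */
static const struct RwObjectNameIdAssocation componentListCar[] = {
    { "chassis",  1,  NULL },
    { "rf_wheel", 2,  NULL },
    { "bonnet",   16, NULL },
    { NULL,       0,  NULL }
};
static const struct RwObjectNameIdAssocation componentListBike[] = {
    { "chassis",        1, NULL },
    { "placeholder_fw", 2, NULL },   /* constructed placeholder entry */
    { NULL,             0, NULL }
};

/* Stand-in for CVehicleModelInfo::ms_vehicleDescs: one list per class. */
static const struct RwObjectNameIdAssocation *const ms_vehicleDescs[VT_TYPE_COUNT] = {
    componentListCar,
    componentListBike
};

static const struct RwObjectNameIdAssocation *list_for(int type)
{
    if (type < 0 || type >= VT_TYPE_COUNT) return NULL;   /* reject a bad class index */
    return ms_vehicleDescs[type];
}

/* Name of the component with this id in the given class, or NULL. */
const char *component_name(int type, int hierarchy_id)
{
    const struct RwObjectNameIdAssocation *e = list_for(type);
    for (; e && e->name; e++)
        if (e->hierarchyID == hierarchy_id) return e->name;
    return NULL;
}

/* Reverse lookup: id for a frame name in the given class, or -1. */
int component_id(int type, const char *name)
{
    const struct RwObjectNameIdAssocation *e = list_for(type);
    for (; e && e->name; e++)
        if (strcmp(e->name, name) == 0) return e->hierarchyID;
    return -1;
}

int main(void)
{
    printf("car id 16 -> %s\n", component_name(VT_CAR, 16));
    printf("car rf_wheel -> %d\n", component_id(VT_CAR, "rf_wheel"));
    printf("bike id 16 -> %s\n", component_name(VT_BIKE, 16) ? "found" : "absent");
    return 0;
}
```

The same id can mean different frames in different classes (the lists are per class, as the `dd offset _componentList...` entries show), so any tool that maps ids to names has to pick the list by vehicle class first rather than assume one global table.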

Deji
  • Deji

    Coding like a Rockstar!

  • Feroci
  • Joined: 24 Dec 2007
  • None
  • Contribution Award [Mods]

#1372

Posted 06 April 2015 - 09:57 AM

Another cracked cheat...
TimeToKickAss = Spawn Rhino

Alexander Blade
  • Alexander Blade

    Come As You Are

  • Members
  • Joined: 05 Nov 2006
  • None
  • Major Contribution Award [Mods]

#1373

Posted 06 April 2015 - 11:31 AM Edited by Alexander Blade, 06 April 2015 - 11:32 AM.

All cheats, guess what each of 'em means :D

thugsarmoury
professionalskit
nutterstoys
ineedsomehelp
turnuptheheat
turndowntheheat
pleasantlywarm
toodamnhot
dulldullday
stayinandwatchtv
cantseewhereimgoing
timejustfliesby
speeditup
slowitdown
roughneighbourhood
stoppickingonme
surroundedbynutters
timetokickass
oldspeeddemon
notforpublicroads
justtryandstopme
wheresthefuneral
celebritystatus
truegrime
18holes
allcarsgoboom
wheelsonlyplease
sticklikeglue
goodbyecruelworld
donttryandstopme
alldriversarecriminals
pinkisthenewcool
solongasitsblack
flyingfish
whoateallthepies
buffmeup
thegambler
leanandmean
bluesuedeshoes
attackofthevillagepeople
lifesabeach
onlyhomiesallowed
betterstayindoors
ninjatown
loveconquersall
everyoneispoor
everyoneisrich
chittychittybangbang
cjphonehome
jumpjet
iwanttohover
touchmycaryoudie
speedfreak
bubblecars
nightprowler
dontbringonthenight
scottishsummer
sandinmyears
kangaroo
noonecanhurtme
manfromatlantis
letsgobasejumping
rocketman
idoasiplease
bringiton
stinglikeabee
iamneverhungry
stateofemergency
crazytown
takeachillpill
fullclip
iwannadriveby
ghosttown
hicksville
wannabeinmygang
noonecanstopus
rocketmayhem
worshipme
helloladies
icangoallnight
professionalkiller
naturaltalent
ohdude
fourwheelfun
hittheroadjack
itsallbull
flyingtostunt
monstermash

  • DK22Pac, Silent and Junior_Djjr like this

fastman92
  • fastman92

    фастман92 | ف

  • Members
  • Joined: 28 Jul 2009
  • None
  • Contribution Award [Mods]

#1374

Posted 06 April 2015 - 11:34 AM Edited by fastman92, 06 April 2015 - 11:35 AM.

All cheats, guess what each of 'em means :D

How did you get this list?
Did you have to use a dictionary and write an application for testing out lots of permutations?

LINK/2012
  • LINK/2012

    LIVIN' IN CODE

  • Feroci
  • Joined: 30 Jan 2011
  • Brazil
  • Best Tool 2014 [Mod Loader]
    Contribution Award [Mods]

#1375

Posted 06 April 2015 - 05:08 PM Edited by LINK/2012, 06 April 2015 - 07:42 PM.

 

All cheats, guess what each of 'em means :D

How did you get this list?
Did you have to use a dictionary and write an application for testing out lots of permutations?

 

It's clearly legit cheats, the ones R* intended to be used, and since there are too many collisions that seem legit I kind of doubt he used some algorithm....

 

Yeah, we are all curious to know how you got them!

I tried to go to the _ZN6CCheat15m_aCheatStringsE symbol @libGTASA when you mentioned it, but it's not there, maybe it's from a specific version of the binary?


Deji
  • Deji

    Coding like a Rockstar!

  • Feroci
  • Joined: 24 Dec 2007
  • None
  • Contribution Award [Mods]

#1376

Posted 06 April 2015 - 05:34 PM

All cheats, guess what each of 'em means :D

How did you get this list?
Did you have to use a dictionary and write an application for testing out lots of permutations?

That's how I spent the last few weeks getting the ones I got, lol... but I used an N-gram list I found on the internet which provided figures for word frequencies, and used a weighted random generator to generate strings which probably contain more common words, and numbers, since apparently they counted too.
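An added example, not Deji's tool, of the approach he describes: a word list weighted by frequency, a seeded generator that concatenates two or three weighted picks, and a loop that hashes each candidate and compares it with a set of target hashes. The word list and its weights are constructed; the four target strings are taken from Alexander Blade's list above; and because the thread does not say which hash gta_sa.exe applies to the typed string, standard CRC-32 is used here purely as a stand-in so the loop runs.

```c
/* Added example: weighted-dictionary candidate generation checked against a
 * set of hashes. Word list, weights and the stand-in hash are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in hash: standard CRC-32 (reflected, polynomial 0xEDB88320).
 * Replace with the game's actual string hash once that is known. */
uint32_t crc32_std(const char *s)
{
    uint32_t c = 0xFFFFFFFFu;
    for (; *s; s++) {
        c ^= (uint8_t)*s;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Constructed word list; the weights stand in for N-gram frequency counts. */
typedef struct { const char *word; unsigned weight; } weighted_word;
static const weighted_word WORDS[] = {
    { "thugs", 3 }, { "armoury", 2 }, { "ninja", 3 }, { "town", 6 }, { "speed", 4 },
    { "demon", 1 }, { "old", 5 },     { "18", 2 },    { "holes", 1 },
};
enum { NUM_WORDS = sizeof WORDS / sizeof WORDS[0] };

/* Small deterministic generator (LCG) so a run is reproducible from its seed. */
static uint32_t lcg_next(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state >> 8;
}

/* Map a random value onto the list in proportion to the weights: walk the
 * cumulative weights until the value falls inside a word's slot. */
int pick_weighted(uint32_t r)
{
    unsigned total = 0;
    for (int i = 0; i < NUM_WORDS; i++) total += WORDS[i].weight;
    unsigned slot = (unsigned)(r % total), acc = 0;
    for (int i = 0; i < NUM_WORDS; i++) {
        acc += WORDS[i].weight;
        if (slot < acc) return i;
    }
    return NUM_WORDS - 1;   /* not reachable; keeps the compiler quiet */
}

/* One candidate: 2 or 3 weighted picks concatenated, bounded by cap. */
static void build_candidate(char *out, size_t cap, uint32_t *state)
{
    unsigned nwords = 2 + (lcg_next(state) % 2);
    out[0] = '\0';
    for (unsigned i = 0; i < nwords; i++) {
        const char *w = WORDS[pick_weighted(lcg_next(state))].word;
        if (strlen(out) + strlen(w) + 1 > cap) break;
        strcat(out, w);
    }
}

/* Generate up to max_tries candidates and hash each one. Returns the index
 * of the first target hash matched (copying the string into found) or -1. */
int search_cheats(const uint32_t *targets, int ntargets, uint32_t seed,
                  unsigned max_tries, char *found, size_t cap)
{
    uint32_t state = seed;
    char cand[64];
    for (unsigned t = 0; t < max_tries; t++) {
        build_candidate(cand, sizeof cand, &state);
        uint32_t h = crc32_std(cand);
        for (int i = 0; i < ntargets; i++)
            if (h == targets[i]) {
                strncpy(found, cand, cap - 1);
                found[cap - 1] = '\0';
                return i;
            }
    }
    return -1;
}

/* Demo: four strings from the list posted in the thread, hashed with the
 * stand-in hash, then searched for. Returns the index of the one hit first. */
int demo_search(void)
{
    const char *known[] = { "thugsarmoury", "ninjatown", "oldspeeddemon", "18holes" };
    uint32_t targets[4];
    for (int i = 0; i < 4; i++) targets[i] = crc32_std(known[i]);
    char found[64];
    int idx = search_cheats(targets, 4, 12345u, 50000u, found, sizeof found);
    if (idx >= 0) printf("matched target %d: %s\n", idx, found);
    return idx;
}

int main(void) { return demo_search() >= 0 ? 0 : 1; }
```

The reason a few weeks of this recovers strings at all is the one LINK/2012 and nick7 touch on: a short unsalted hash of a low-entropy phrase is cheap to guess, and with only 32 bits of output unrelated phrases collide with it too, which is exactly what the "cheat collisions" earlier in the thread are.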

nick7
  • nick7

    グランドセフトオ

  • Members
  • Joined: 04 Aug 2011
  • None

#1377

Posted 06 April 2015 - 07:38 PM Edited by nick7, 06 April 2015 - 09:11 PM.

thegambler

wait a second... there's no gambler cheat on PC, and no corresponding hash for CCheat::TheGambler on mobile.
UPD: lol, latest mobile version really contains this code


I tried to go to the _ZN6CCheat15m_aCheatStringsE symbol @libGTASA when you mentioned it, but it's not there, maybe it's from a specific version of the binary?

android lib v1.08 contains this array


So, finally, here's the cheat definition I've used (updated corresponding to the new cheat strings)
  • Deji likes this

gta.bullet
  • gta.bullet

    Crackhead

  • Members
  • Joined: 19 Jun 2010

#1378

Posted 17 April 2015 - 07:18 PM

 

All cheats, guess what each of 'em means :D

 

 

Wow... What's the point of all the old meaningless words we used for cheating for ages? :blink:


Logofero
  • Logofero

    fERO

  • Members
  • Joined: 25 Nov 2014
  • None

#1379

Posted 29 April 2015 - 06:47 AM

Sorry, maybe a strange question, but can someone tell me the formula for
getting TransmissionData.fMaxVelocity (Multiplied by 5.5555599e-3)?

I Tried:

0@ = 0xC2B9DC
0@ += 0x84
0A8D: 1@ = read_memory 0@ size 4 virtual_protect 0 // Landstalker TransmissionData.fMaxVelocity

The speed does not match..

Can someone tell me how?

miclin
  • miclin

    old stager

  • Members
  • Joined: 22 Mar 2009

#1380

Posted 21 June 2015 - 05:03 PM

Does somebody know the memory addresses of the color/contrast functions + values?




