Documenting GTA-SA memory addresses
JernejL
#1 Posted 08 June 2005 - 08:06 PM

And here is the same topic as for GTA VC memory exploring. San Andreas is out in the USA and will soon be in Europe and the rest of the world; some addresses were already posted in the VC memory topic, so you can start with a clean topic here. Now get back to work.

random_download
#2 Posted 08 June 2005 - 08:56 PM

0xA49960 = start of scm block

jacob.
#3 Posted 08 June 2005 - 09:22 PM Edited by jacob., 04 November 2005 - 08:41 PM.

00B74490 = Pool of CPed structures
00B74494 = Occupied CVehicle (Player when on foot)
CPed + 0x540 = Health. (float)


[LATE EDIT] Removed inaccurate information.

Hammer83
#4 Posted 08 June 2005 - 11:31 PM

0x464080 - GetOpcodeParameters()
0xA43C78 - Where the routine above stores opcode parameter values. Max 16 parameters for an opcode, it seems.
0x53BC80 - LoadGame(char* fileName), initializes all data structures and loads fileName (which is gta.dat).
0x5B9030 - LoadMapDefinitionFile(char* fileName), parses and loads dat-files, such as default.dat and gta.dat.
0x550F10 - AllocatePools(), allocates stuff which LimitAdjuster modifies, such as Peds and Buildings.
0x82119A - malloc(size_t size)
0x438480 - Looks like cheat processor

jacob.
#5 Posted 09 June 2005 - 12:12 AM Edited by jacob., 25 June 2006 - 12:45 AM.

0xB7CE50 - money
0xBAA420 - wanted level
0xB70153 - current hour
0xB70152 - current minute

CPed + 0x740 - current weapon

Display Settings
Look down a few posts.

ModelingMan
#6 Posted 09 June 2005 - 01:36 AM

CPed + 0x718 = Current weapon slot. (1 byte)
CPed + 0x5A0 = Start of weapon data. Each slot has 28 bytes.

Stretchnutter
#7 Posted 09 June 2005 - 02:25 AM

CPed + 0x14 = pointer to XYZ position structure (and rotation)

0x863984 = gravity

jacob.
#8 Posted 09 June 2005 - 03:28 AM

Stretchnutter, I had a look into XYZ and found these:

Player + 368 = x pos
Player + 372 = y pos
Player + 376 = z pos

Values appear to be read-only.

Stretchnutter
#9 Posted 09 June 2005 - 06:13 AM

Yeah... these are not read-only though.

DWORD(CPed+0x14) + 0x30 = XPos
DWORD(CPed+0x14) + 0x34 = YPos
DWORD(CPed+0x14) + 0x38 = ZPos

DWORD(CPed+0x14) + 0x0 to 0x2C is the rotation matrix


It's much different from Vice City. Looks like there are a bunch of coordinates at this location.. could be the traffic cars.

Maybe I should write a teleporter.

random_download
#10 Posted 09 June 2005 - 06:29 AM

Coords are DWORDs, not floats?

ModelingMan
#11 Posted 09 June 2005 - 08:28 AM Edited by ModelingMan, 09 June 2005 - 09:19 AM.

I have started to label some functions in IDA, here is my current list; it's not much but it's a start.
Linkage.

CPed block size = 0x7C4 bytes.
CVehicle block size = 0x0A18 bytes.

Also the maximum amount of vehicles and peds loaded are the same as VC.

QUOTE (By random Posted on Jun 9 2005 @ 07:29)
Coords are DWORDs, not floats?

No, read his last post, he says that the dword pointer at (CPed + 0x14) leads you to XYZ and rotation.

Edit:
0x00B6F3B8 = Player CVehicle pointer.
0x00B6F5F0 = Player pointer.
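As an added example (not code from any poster in this thread), here is a Python reader that models the CPed layout documented so far: the player pointer at 0xB6F5F0 (#11), the DWORD pointer at CPed+0x14 to the matrix block whose X/Y/Z floats sit at +0x30 (#9), health at +0x540 (#3) and the weapon slot fields (#6). The memory image and the CPed/matrix addresses are constructed, not dumped from the game; the point is that the coordinates are floats reached through a DWORD pointer, which answers the question in #10.

```python
import struct
# Offsets and addresses as documented in this thread (GTA:SA PC, posts #3, #6, #7, #9, #11).
PLAYER_PTR       = 0x00B6F5F0  # address holding a pointer to the player's CPed
CPED_MATRIX_PTR  = 0x14        # CPed + 0x14: pointer to the position/rotation block
CPED_HEALTH      = 0x540       # float
CPED_WEAPON_DATA = 0x5A0       # start of weapon slots, 28 bytes each
CPED_WEAPON_SLOT = 0x718       # current slot, 1 byte
CPED_SIZE        = 0x7C4
MATRIX_POS       = 0x30        # 0x00..0x2C rotation matrix, then X, Y, Z floats

class MemoryImage:  # sparse little-endian memory image keyed by virtual address
    def __init__(self):
        self.chunks = {}
    def write(self, addr, data):
        self.chunks[addr] = bytes(data)
    def read(self, addr, size):
        for base, data in self.chunks.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at 0x{addr:08X}")
    def u8(self, addr):  return self.read(addr, 1)[0]
    def u32(self, addr): return struct.unpack("<I", self.read(addr, 4))[0]
    def f32(self, addr): return struct.unpack("<f", self.read(addr, 4))[0]

def read_player(mem):
    """Follow 0xB6F5F0 -> CPed -> [CPed+0x14] -> matrix + 0x30 (X, Y, Z)."""
    ped = mem.u32(PLAYER_PTR)
    matrix = mem.u32(ped + CPED_MATRIX_PTR)
    slot = mem.u8(ped + CPED_WEAPON_SLOT)
    return {
        "pos": tuple(mem.f32(matrix + MATRIX_POS + 4 * i) for i in range(3)),
        "health": mem.f32(ped + CPED_HEALTH),
        "weapon_slot": slot,
        "weapon_data": ped + CPED_WEAPON_DATA + 28 * slot,  # address of this slot's 28-byte record
    }

def build_sample_image():
    """Constructed sample, not a dump: the CPed and matrix addresses are made up."""
    ped_addr, matrix_addr = 0x01A00000, 0x01B00000
    mem = MemoryImage()
    mem.write(PLAYER_PTR, struct.pack("<I", ped_addr))
    ped = bytearray(CPED_SIZE)
    struct.pack_into("<I", ped, CPED_MATRIX_PTR, matrix_addr)
    struct.pack_into("<f", ped, CPED_HEALTH, 186.0)
    ped[CPED_WEAPON_SLOT] = 2
    mem.write(ped_addr, ped)
    matrix = bytearray(0x40)
    struct.pack_into("<fff", matrix, MATRIX_POS, 2495.5, -1668.25, 13.375)
    mem.write(matrix_addr, matrix)
    return mem
```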

Squiddy
#12 Posted 09 June 2005 - 02:59 PM Edited by Squiddy, 09 June 2005 - 09:05 PM.

Values of all these addresses are saved in gta_sa.set, so most of them should be options-related. I see jacob already found some. I have the problem of not having SA at the moment, so I can't test them. If anyone has some time, could he test them please?

------------------------------------------------------
0xB6EC1C float - mouse sensitivity
0xC1CC02 byte
0xC1CC03 byte

0xBA6748
+ 0x4F BYTE
+ 0x50 BYTE
+ 0x52 BYTE
+ 0x4D BYTE
+ 0x51 BYTE
+ 0x3C 4 byte - brightness
+ 0xC4 BYTE
+ 0xC5 BYTE
+ 0xCC 4 byte (0xC8)
+ 0x40 4 byte - draw distance
+ 0x44 BYTE - subtitles
+ 0x4B BYTE
+ 0x4C BYTE
+ 0xD8 4 byte (0xD4)
+ 0xD0 BYTE
+ 0x21 BYTE - hud switch
+ 0x24 4 byte
+ 0xB0 BYTE
+ 0xE8 BYTE - Store Gallery Photos
+ 0xB1 BYTE
+ 0xB2 BYTE
+ 0xB3 BYTE
+ 0xB4 BYTE
+ 0xB5 BYTE
+ 0xB6 BYTE
+ 0x4A BYTE - legend switch
+ 0xAC 4 byte

Added the addresses jacob found, hope it's okay.

Update
+ 0x84 BYTE

aad
#13 Posted 09 June 2005 - 03:09 PM

Are memory addresses for cheats welcome? If so I'll hunt some addresses down and post them later; it really takes long on my old 1.55 GHz.

Sobeit
#14 Posted 09 June 2005 - 07:11 PM

QUOTE (aad @ Jun 9 2005, 15:09)
Are memory addresses for cheats welcome? If so I'll hunt some addresses down and post them later; it really takes long on my old 1.55 GHz.

No, new addresses are not welcome..... wtf were you thinking?

jacob.
#15 Posted 09 June 2005 - 08:33 PM Edited by !cMc! Jacob, 12 June 2005 - 03:06 AM.

Thanks for that, Squiddy. Figured out what they all did.
All are byte values unless stated otherwise.

Display Settings
0xBA6784 - Brightness [long]
0xBA6792 - Legend
0xBA676C - Radar Mode
0xBA6769 - Hud Mode
0xBA678C - Subtitles
0xBA6830 - Store gallery photos
0xBA6788 - Draw Distance [long]
0xBA6794 - Frame limiter
0xBA6793 - Widescreen
0xA9AE54 - Visual FX Quality
0xBA680C - Mip Mapping
0xBA6814 - Antialiasing [1 = off, 2 = 1, 3 = 2, 4 = 3]
0xBA6820 - Resolution [640x480=11, 800x400 = 12, 800x600=13, 1024x1068=15]

Sound Configuration
0xBA6798 - Radio Volume [0 through 64]
0xBA6797 - SFX Volume [0 through 64]
0xBA6799 - Radio Equalizer
0xBA6795 - Radio Auto-tune
0xBA67F8 - Usertrack/Play mode [0 = radio, 1 = random]
0xBA680D - Usertrack/Automatic Media Scan
0xBA679A - Radio Station [0 through 11, 12 = usertrack player]

Controller Configuration
0xBA6818 - Controller Configuration [0 = mouse+keys, 1 = joypad]
0xB6EC1C - Mouse sensitivity [float]

Interestingly enough, none of the other controller/mouse config is in the structure Squiddy posted. Perhaps it's located somewhere else.

QJimbo
#16 Posted 10 June 2005 - 12:25 AM Edited by QJimbo, 10 June 2005 - 03:41 AM.

Woo Delfi, we are getting in there early.
$B70152 : Minutes
$B70153 : Hours (note $0F = 15:00 rather than 16:00)

EDIT: Ack, in my rush to post these I didn't notice !cMc! Jacob already had... oh well... it's the thought that counts.

jacob.
#17 Posted 10 June 2005 - 07:45 AM Edited by !cMc! Jacob, 12 June 2005 - 03:04 AM.

Player + 45 = Animation

Stretchnutter
#18 Posted 10 June 2005 - 01:24 PM Edited by Stretchnutter, 10 June 2005 - 02:19 PM.

Camera Stuff

0x52B730 = Start of camera 'MOVer' subroutine. set to 0xC3 (retn) to lock camera

0xB6F028 = Camera Block Start
0xB6F028-0xB6F0DB - Unknown stuff - mostly flags, pointers and some floats

0xB6F0DC = [dword]Current View
(0 = Bumper View / 1 = Close External View / 2 = Middle External View / 3 = Furthest External View / 4 = nothing(same as last?) / 5 = Cinematic View / 6 to INF = same as 4?) same as Vice... no top-down

0xB6F0E0 = [float]Car View Distance (arm length) read only
0xB6F0E8 = [float]True View Distance (true arm length) read only (freezing will cause it to be jumpy, as if final copy)


0x8CC3E0 to 0x8CC3F0 = [floats]Hard-Coded View Distances For Closest External View (ecx = 1) (read/write)
528B13 mov eax, ds:dword_0_8CC3E0[edx*4]
edx = vehicle type (0 to 4) ?! normal car = edx = 0 | eax = true distance

0x8CC3F4 to 0x8CC404 = [floats]Hard-Coded View Distances For Middle External View (ecx = 2) (read/write)
528B24 mov eax, ds:dword_0_8CC3F4[edx*4]
edx = vehicle type (0 to 4) ?! normal car = edx = 0 | eax = true distance

0x8CC408 to 0x8CC418 = [floats]Hard-Coded View Distances For Furthest External View (ecx = 3) (read/write)
528B36 mov eax, ds:dword_0_8CC408[edx*4]
edx = vehicle type (0 to 4) ?! normal car = edx = 0 | eax = true distance

0xB6F97C = Pointer to TRUE? camera Matrix (freezing these has effect, as if final copy)
0xB6F99C to 0xB6F9DB = Camera Matrix (0xB6F99C + 0x30 = Xpos, etc...) read only, unless you write retn @ 52B730



EDIT:

Controls Stuff

0xB73458 = Start of controls block
read only unless the subroutine is disabled (not documented yet)
+ 0x20 = [word]Accelerate (255 = on / 0 = off)
+ 0x22 = [word]Brake
more...


EDIT2:

Text Stuff

write normal strings here (not unicode)

0xBAA7A0 = Top Left Text Box [eg; Cheat activated] (disappears after few seconds)
0xBAADC0 = Busted/Wasted Text Box - Center screen... displayed until first byte is null

Squiddy
#19 Posted 10 June 2005 - 06:00 PM

Controller Configuration
0xC1CC02 - BYTE - Steer with mouse
0xC1CC03 - BYTE - Invert mouse vertically

steve-m
#20 Posted 11 June 2005 - 03:15 PM

QUOTE (!cMc! Jacob @ Jun 9 2005, 22:33)
0x?????? - Visual FX Quality

it's at 0xA9AE54 [0 - 3]

Hammer83
#21 Posted 11 June 2005 - 03:16 PM

ModellingMan, are you sure player struct is at address you listed?

I think it might be at 0xB7CD98. IDA doesn't show any refs to 0xB6F5F0, but I must say I still have a lot of code represented as data.

ModelingMan
#22 Posted 11 June 2005 - 11:32 PM

QUOTE (Hammer83 @ Jun 11 2005, 16:16)
ModellingMan, are you sure player struct is at address you listed?

I think it might be at 0xB7CD98. IDA doesn't show any refs to 0xB6F5F0, but I must say I still have a lot of code represented as data.

Both addresses work fine. VC also had 2 player pointer addresses. IDA also didn't show any refs to VC's player pointer...

Stretchnutter
#23 Posted 12 June 2005 - 09:37 AM Edited by Stretchnutter, 12 June 2005 - 11:14 AM.

If I may suggest as an evil game hacking tip: Use Dual Monitors!!!

I had some problems using a debugger to set breakpoints with a single monitor. So I wondered what I could do with 2 monitors. Turns out it works great.

All you need is a Video Card with dual heads, 2 monitors and a program called Ultramon (free, look on google).

Click...

You can do things like watch live changes to the memory.... sure you can do this in windowed mode... but no one has figured out how to yet.

Sorry for going off-topic


More text stuff

These are weird: if you try writing something to these they don't appear because the game constantly sets the first byte to 0, but if you turn that off they operate in the same manner as the busted/wasted text box.

0xBAB040 = BOTTOM TEXT BOX - stunt bonus information is written here
0xBAAEC0 = TOP MIDDLE - I don't know, some orange text
0xBAAFC0 = ?
0xBAAF40 = ?
0xBAAE40 = ?

jacob.
#24 Posted 12 June 2005 - 01:16 PM

Racer, if you don't mind me asking, how do you find those textbox addresses? Do you wait until one is displayed then search for the string in memory? (ASCII values of characters in order, unless they're in Unicode; in that case it's asciichar,0,asciichar,0)
This is just out of curiosity and for possible future reference to help me get better at finding addresses.

I don't have dual monitors so I haven't been able to debug anything at all. I'm just waiting for someone to release a windowed-mode modification.

Handling.cfg is loaded into the memory when you start a game, as are all of its parameters stored in memory offsets.. anyone know if there's a 'handling pointer' or something? I'd look into this myself if I had a debugger that worked in full-screen.

QJimbo
#25 Posted 12 June 2005 - 02:24 PM

Hey guys, I'm having some problems with my TimeSync Tool, which basically makes the weather go mental when you freeze the time, does anyone know why? It's like there's another timer in there, maybe 16th's/256th's of a second if a single/double byte Hex value... anyone seen any values that look like that?

I'm not sure why the weather keeps changing within the minute though, another timer would just make a transition repeat instead of going mental... hmm.

And as for the dual monitor thing, that seems like a nice trick, but some way of getting SA running in a window would be good. 3Danalyze doesn't work, as SA seems to go "oh noes teh window" and quits.

JernejL
#26 Posted 12 June 2005 - 07:48 PM

I use dual monitors with a GeForce FX 5600; it works well, but many games work improperly on dual monitors. The mouse cursor is an important problem here: even GTA VC had problems with grabbing the cursor on two monitors, and ZModeler2 also doesn't work properly on dual-screen monitors - no hardware, only the software renderer is available..

aad
#27 Posted 12 June 2005 - 08:14 PM

I did try to search for some memory addresses that would be cool to use for making a trainer (I'm currently making one), so here is my mem address

CODE
969160 (Flying Car cheat)


It's in hex, so for coding it in VB use &H and then my address. It actually works better than the normal cheat, at least it looks like it works better.

Stretchnutter
#28 Posted 12 June 2005 - 08:16 PM

QUOTE (!cMc! Jacob @ Jun 12 2005, 13:16)
Racer, if you don't mind me asking, how do you find those textbox addresses? Do you wait until one is displayed then search for the string in memory? (ASCII values of characters in order, unless they're in Unicode; in that case it's asciichar,0,asciichar,0)
This is just out of curiosity and for possible future reference to help me get better at finding addresses.

I did exactly that... actually I put in a cheat and searched for "Cheat a", short for Cheat activated..


I found 3 of them... so I tried writing something else in them and see which one had an effect... found one that worked... then jumped to the address in IDA, saw an xref to it... then just scrolled down until I saw another xref.
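Jacob asks (#24) how the text-box addresses were found, and Racer answers above by searching memory for "Cheat a". As an added example, not code from any poster here, this scans a constructed memory image for a marker string in both plain ASCII and the asciichar,0 (UTF-16LE) form jacob mentions, then maps each hit to the 128-byte text boxes named in posts #18 and #23 (the six from 0xBAADC0 upward lie 0x80 apart). The image contents are made up; only the box addresses come from the thread.

```python
IMAGE_BASE = 0xBAA780  # virtual address of the constructed image's first byte
# Text-box buffers named in posts #18 and #23; the six from 0xBAADC0 up lie 0x80 apart.
TEXT_BOXES = [0xBAA7A0, 0xBAADC0, 0xBAAE40, 0xBAAEC0, 0xBAAF40, 0xBAAFC0, 0xBAB040]

def find_string_candidates(image, base, needle):
    """Return sorted (address, encoding) pairs for every ASCII and UTF-16LE copy
    of `needle` in `image`, which is assumed to be mapped at address `base`."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pat = needle.encode(enc)
        start = 0
        while (i := image.find(pat, start)) != -1:
            hits.append((base + i, enc))
            start = i + 1
    return sorted(hits)

def box_for(addr):
    """Map a hit to the 128-byte text box containing it, or None."""
    return next((b for b in TEXT_BOXES if b <= addr < b + 0x80), None)

def build_sample_image():
    """Constructed image covering 0xBAA780..0xBAB0C0; not a real dump."""
    img = bytearray(0xBAB0C0 - IMAGE_BASE)
    def put(addr, data):
        img[addr - IMAGE_BASE:addr - IMAGE_BASE + len(data)] = data
    put(0xBAA7A0, b"Cheat activated\0")                             # the box actually shown
    put(0xBAAEC0, b"Cheat activated\0")                             # stale copy elsewhere
    put(0xBAB040, "Cheat activated".encode("utf-16-le") + b"\0\0")  # wide-char copy
    put(0xBAADC0, b"\0asted\0")                                     # first byte nulled: hidden (#23)
    return bytes(img)
```

Several candidates come back, as Racer reports; which one is live still has to be decided by writing to each and watching the screen, or by following the xrefs in IDA.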

Spooky
#29 Posted 12 June 2005 - 08:18 PM

I don't know if this has been mentioned yet, but the USA and EU versions of the game have different executables. One piece of code I came across was exactly +0x50 bytes misaligned in the EU exe.

Stretchnutter
#30 Posted 12 June 2005 - 09:07 PM

Spooky, that's weird... I wonder what they will do when they release a patch, release a different patch for each country?! That would be odd.

0xB7CB84 = [dword]A global timer in ms
0xB70158 = [dword]Timer related to weather and time in ms
0xB7015C = [dword]Defines how many ms = 1 second... default 1000, set to 1 for a headache
