Documenting GTA-SA memory addresses

1,335 replies to this topic
steve-m
  • steve-m

  • Feroci Racing
  • Joined: 26 Jul 2002

#31

Posted 12 June 2005 - 10:44 PM

QUOTE (Stretchnutter @ Jun 12 2005, 23:07)
Spooky, that's weird... I wonder what they will do when they release a patch, release a different patch for each country?! That would be odd.

Yep, they also did that for VC. I have a whole bunch of different executables for that game...

Stretchnutter
  • Stretchnutter

    Also known as Racer_S

  • Members
  • Joined: 15 Jun 2002

#32

Posted 13 June 2005 - 11:19 AM Edited by Stretchnutter, 13 June 2005 - 01:38 PM.

I guess we should just stick with the USA version because that's what all those trainers out there and this thread are based on so far; future trainers should also be based on it. The people who bought the EU game will have to figure out what to do on their own, I guess.

JernejL
  • JernejL

    Big Homie

  • Feroci Racing
  • Joined: 11 Mar 2002

#33

Posted 13 June 2005 - 02:25 PM

QUOTE (Stretchnutter @ Jun 13 2005, 12:19)
I guess we should just stick with the USA version because that's what all those trainers out there and this thread are based on so far; future trainers should also be based on it. The people who bought the EU game will have to figure out what to do on their own, I guess.

That was rude, so I will stick to the European exe then, and Americans will have to figure out what to do on their own, I GUESS.

Opius
  • Opius

    General

  • Feroci Racing
  • Joined: 27 Jun 2002

#34

Posted 13 June 2005 - 03:25 PM

How about we drop the drama and think about this logically?

I'd say at least 66% of people who own the game are using the American version. It's logical that you would use the method that will ensure the most amount of people will be able to use it without modification.

Delfi, aren't you always complaining about people not using/conforming to standards? Why would you want to deliberately complicate an already difficult area of modding over something so petty? You're making a mountain out of a molehill.

So, be sure to make notes on what version of the EXE the addresses you post are from, so they can be adjusted if needed.

[EDIT]And a request: I'd love it if someone could find a way to remove the EAX/Nvidia splash screens, the intro movie and the intro splash screen. Tedious as sh*t after the first time.

SubConscious
  • SubConscious

    Player Hater

  • Members
  • Joined: 12 Jun 2005

#35

Posted 13 June 2005 - 03:27 PM

Surely I can use the US exe with my EU install? I've seen it before where they release different versions of the same patch for different regions, but they worked on all of them.

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#36

Posted 13 June 2005 - 08:22 PM

Why are there different executables for different countries anyway? It can't be for language purposes; that's definitely a GXT thing. So why?

Anyway, I'm sure the exes have fixed byte differences between them - just as the 8 byte difference between VC 1.0/1.1.

JernejL
  • JernejL

    Big Homie

  • Feroci Racing
  • Joined: 11 Mar 2002

#37

Posted 13 June 2005 - 08:24 PM

QUOTE (Opius @ Jun 13 2005, 16:25)
How about we drop the drama and think about this logically?

I'd say at least 66% of people who own the game are using the American version. It's logical that you would use the method that will ensure the most amount of people will be able to use it. Factor in the fact that it would take at most four lines of code to both check the version and add the needed value to addresses, and it seems like you're all making mountains out of molehills.

So, be sure to make notes on what version of the EXE the addresses you post are from, so they can be adjusted if needed.

You misunderstood the whole thing; he went so fast assuming and screwing others that I got pissed off, of course.

DexX
  • DexX

    Black Hat

  • Feroci Racing
  • Joined: 16 May 2002

#38

Posted 14 June 2005 - 01:18 AM

QUOTE (Spooky @ Jun 13 2005, 17:58)
ashdexx: The shaders are inside the executable, but they're compiled at runtime it seems. Open the executable in a hex editor and have a search.

Oh sh*t, you're right!

The block of code starting around 4d63fb, hex, looks like it's DirectX 9 asm shader code... hoo-wee, now this should be interesting...

Oh yeah, that's an address in the static exe, my bad.
American exe

kyeman
  • kyeman

    Snitch

  • Members
  • Joined: 13 Sep 2004

#39

Posted 14 June 2005 - 04:00 AM

QUOTE (Opius)

[EDIT]And a request: I'd love it if someone could find a way to remove the EAX/Nvidia splash screens, the intro movie and the intro splash screen. Tedious as sh*t after the first time.


CODE

#include <windows.h>  /* VirtualProtect, PAGE_EXECUTE_READWRITE, DWORD, PBYTE, PVOID */
#include <string.h>   /* memset */
#define NOP 0x90

/* Must run inside the gta_sa.exe process; the addresses are exe-specific
   (this thread works from the US 1.0 exe). */
void SkipIntro(void)
{
    DWORD d, ds;
    *(PBYTE)0xC8D4C0 = 5;                                            /* 5 here sends the game straight to the main menu */
    VirtualProtect((PVOID)0x747483, 6, PAGE_EXECUTE_READWRITE, &d); /* make the code page writable */
    memset((PVOID)0x747483, NOP, 6);                                 /* overwrite 6 bytes of code with NOPs */
    VirtualProtect((PVOID)0x747483, 6, d, &ds);                      /* restore the previous protection */
}


You'd have to use this with something that gets in-process with gta_sa. I've had to resort to using a loader since we lost the Miles Sound System *sniff*.



jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#40

Posted 14 June 2005 - 04:17 AM

Awesome find kyeman, it's about time those annoying advertisements are gone.

QUOTE
You'd have to use this with something that gets inprocess with gta_sa

Why? Aren't both VirtualProtect and memset functions that can be called from external processes? It appears to me like all you'd need is a program that loads gta_sa.exe, then immediately NOPs 0x747483.

QJimbo
  • QJimbo

    With DMA/R* from the beginning :)

  • Members
  • Joined: 01 Feb 2004

#41

Posted 14 June 2005 - 11:51 AM

QUOTE (SubConscious @ Jun 13 2005, 15:27)
Surely I can use the US exe with my EU install? I've seen it before where they release different versions of the same patch for different regions, but they worked on all of them.

I don't know about the UK version, but I know that the German version has been censored in a few ways, e.g. peds don't drop cash when you kill them, you can't mutilate bodies, etc. All headache causing things for the trainer maker -_-

Squiddy
  • Squiddy

    Back!

  • The Connection
  • Joined: 06 Oct 2004

#42

Posted 14 June 2005 - 11:53 AM

QUOTE (!cMc! Jacob @ Jun 14 2005, 05:17)
Why? Aren't both VirtualProtect and memset functions that can be called from external processes? It appears to me like all you'd need is a program that loads gta_sa.exe, then immediately NOPs 0x747483.

Of course, but this is just a temporary solution. What if others want to make changes like these? We have to think about a standard for this, one major dll that loads all others.

steve-m
  • steve-m

  • Feroci Racing
  • Joined: 26 Jul 2002

#43

Posted 14 June 2005 - 12:00 PM

Don't we have that already?

Squiddy
  • Squiddy

    Back!

  • The Connection
  • Joined: 06 Oct 2004

#44

Posted 14 June 2005 - 12:39 PM

QUOTE (steve-m @ Jun 14 2005, 13:00)
Don't we have that already?

Wasn't sure if hammer's work had been officially announced, but okay, one problem we don't have to think about anymore.

Stretchnutter
  • Stretchnutter

    Also known as Racer_S

  • Members
  • Joined: 15 Jun 2002

#45

Posted 14 June 2005 - 01:22 PM Edited by Stretchnutter, 14 June 2005 - 01:29 PM.

QUOTE (kyeman @ Jun 14 2005, 04:00)
QUOTE (Opius)

[EDIT]And a request: I'd love it if someone could find a way to remove the EAX/Nvidia splash screens, the intro movie and the intro splash screen. Tedious as sh*t after the first time.


CODE

#define NOP 0x90
DWORD d,ds;

*(PBYTE)0xC8D4C0 = 5;
VirtualProtect((PVOID)0x747483,6,PAGE_EXECUTE_READWRITE,&d);
memset((PVOID)0x747483,NOP,6);
VirtualProtect((PVOID)0x747483,6,d,&ds);


You'd have to use this with something that gets in-process with gta_sa. I've had to resort to using a loader since we lost the Miles Sound System *sniff*.

Found an easier way.

Also, a quick tutorial on how to use HIEW.

First you will want to make sure you backup gta_sa.exe

These instructions are for the USA version 1.0*

Download HIEW here: http://www.serje.net/sen/

Unzip then run HIEWDEMO.EXE

Browse to gta_sa.exe and load it

You should see a bunch of weird text. Press F4, then select 'Decode'.
Now it should look like something familiar to you ASM heads.

For the no intro hack do the following:

Press F5, then type ".00748AA8" without the parenthesis.

At this address you should see
push ebx
push edi...


At this point press F3, then type the following exactly: C7 05 C0 D4 C8 00 05 00 00 00 EB DF
without the spaces.

Basically this says
mov dword ptr [0xC8D4C0],5
jmp 748A93


The region we are writing code to is called when 0xC8D4C0 = 0x0, just to give a little insight.

When you are done, press F9 (save), then press F10 (quit).

Now when you load the game you are taken directly to the main menu.

No loader or trainer...
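To show where the 12 patch bytes come from (and why the short-jump byte is DF), here is an added C example that is not from the thread: it encodes the two instructions from the patch address 0x748AA8, the flag address 0xC8D4C0, the value 5 and the jump target 0x748A93, computes the rel8 displacement relative to the end of the jump, and checks the result against the posted byte string.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Encode "mov dword ptr [abs32], imm32": opcode C7, ModRM 05 (/0 with a disp32 only),
   then the address and the immediate, both little-endian. Writes 10 bytes. */
static size_t enc_mov_mem32_imm32(uint8_t *out, uint32_t addr, uint32_t imm)
{
    out[0] = 0xC7;
    out[1] = 0x05;
    for (int i = 0; i < 4; i++) {
        out[2 + i] = (uint8_t)(addr >> (8 * i));
        out[6 + i] = (uint8_t)(imm >> (8 * i));
    }
    return 10;
}

/* Encode a short jump "EB rel8". The displacement is relative to the end of the
   2-byte instruction. Returns 2, or 0 if the target is outside rel8 range. */
static size_t enc_jmp_rel8(uint8_t *out, uint32_t at, uint32_t target)
{
    int32_t rel = (int32_t)(target - (at + 2));
    if (rel < -128 || rel > 127) return 0;
    out[0] = 0xEB;
    out[1] = (uint8_t)(int8_t)rel;
    return 2;
}

/* Decode the target of an "EB rel8" located at address 'at'. */
static uint32_t jmp_rel8_target(const uint8_t *code, uint32_t at)
{
    return at + 2 + (uint32_t)(int32_t)(int8_t)code[1];
}

/* The whole patch as typed into HIEW at 'at': mov [flag], value ; jmp target.
   Returns the byte count (12) or 0 if the jump does not fit in the short form. */
static size_t build_patch(uint8_t *out, uint32_t at, uint32_t flag, uint32_t value, uint32_t target)
{
    size_t n = enc_mov_mem32_imm32(out, flag, value);
    size_t j = enc_jmp_rel8(out + n, at + (uint32_t)n, target);
    return j ? n + j : 0;
}

/* Compare 'len' bytes against an uppercase hex string without spaces. */
static int bytes_match_hex(const uint8_t *b, size_t len, const char *hex)
{
    static const char digits[] = "0123456789ABCDEF";
    if (strlen(hex) != 2 * len) return 0;
    for (size_t i = 0; i < len; i++)
        if (hex[2 * i] != digits[b[i] >> 4] || hex[2 * i + 1] != digits[b[i] & 0xF]) return 0;
    return 1;
}

int main(void)
{
    uint8_t buf[16];
    size_t n = build_patch(buf, 0x748AA8u, 0xC8D4C0u, 5u, 0x748A93u);
    for (size_t i = 0; i < n; i++) printf("%02X ", buf[i]);
    printf("\njmp decodes to %06X\n", jmp_rel8_target(buf + 10, 0x748AA8u + 10));
    return 0;
}
```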

random_download
  • random_download

    :o

  • Members
  • Joined: 07 Mar 2004

#46

Posted 14 June 2005 - 06:11 PM

B793D4: Float, Fat stat
B793D8: Float, Stamina stat
B793DC: Float, Muscle stat

B79496: Float, pistol stat
B79498: Float, silenced pistol stat
B7949C: Float, desert eagle stat
B794A0: Float, shotgun stat
B794A4: Float, sawn-off shotgun stat
B794A8: Float, combat shotgun stat
B794AC: Float, machine pistol stat
B794B0: Float, smg stat
B794B4: Float, AK47 stat
B794B8: Float, M4 stat

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#47

Posted 14 June 2005 - 06:17 PM Edited by !cMc! Jacob, 18 June 2005 - 11:18 PM.

Racer.. in that case, all of the static offsets found with that patched executable would be a few bytes off from what others have found, right? The last thing we need is people coming in here and posting offsets that aren't correct for other people. Which is why some sort of "universal" executable should be chosen, as we did with VC (1.0/1.1). Might I suggest the unpacked nocd patch?


Stretchnutter
  • Stretchnutter

    Also known as Racer_S

  • Members
  • Joined: 15 Jun 2002

#48

Posted 14 June 2005 - 08:17 PM

QUOTE (!cMc! Jacob @ Jun 14 2005, 14:17)
Racer.. in that case, all of the static offsets found with that patched executable would be a few bytes off from what others have found, right? The last thing we need is people coming in here and posting offsets that aren't correct for other people. Which is why some sort of "universal" executable should be chosen, as we did with VC (1.0/1.1). Might I suggest the unpacked nocd patch?

No that little tutorial only overwrites some code... HIEW is just a better way to do it compared to a hex editor because it accounts for the 'real' memory location. I would have some trouble finding the correct offset to edit with a hex editor.

JernejL
  • JernejL

    Big Homie

  • Feroci Racing
  • Joined: 11 Mar 2002

#49

Posted 14 June 2005 - 08:33 PM

QUOTE (!cMc! Jacob @ Jun 14 2005, 19:17)
Racer.. in that case, all of the static offsets found with that patched executable would be a few bytes off from what others have found, right? The last thing we need is people coming in here and posting offsets that aren't correct for other people. Which is why some sort of "universal" executable should be chosen, as we did with VC (1.0/1.1). Might I suggest the unpacked nocd patch?

Right, now PM me where to get it.

BTW, the game is on a DVD, not a CD..


Cowpat
  • Cowpat

    web schmeb

  • Members
  • Joined: 12 Feb 2004

#50

Posted 14 June 2005 - 11:56 PM

QUOTE (kyeman @ Jun 14 2005, 04:00)
CODE

#define NOP 0x90
DWORD d,ds;

*(PBYTE)0xC8D4C0 = 5;
VirtualProtect((PVOID)0x747483,6,PAGE_EXECUTE_READWRITE,&d);
memset((PVOID)0x747483,NOP,6);
VirtualProtect((PVOID)0x747483,6,d,&ds);



Hooray! I've been trying to get VirtualProtect to work for two nights now. No more .rdata blues.

Now I can switch gravity off with a button and slide dead peds around like ice pucks

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#51

Posted 15 June 2005 - 10:37 AM Edited by saracoglu, 18 June 2005 - 01:48 AM.

I have found some time to have a closer look at the vehicle object, and compared it to the GTA3 and GTA:VC vehicles.
There is still a lot to check, but here are some memory offsets (as offsets from the player car address), and what they do:
(offsets are decimal)

66 Byte, Specials: 1..111.. EP/NA/NA/DP/FP/BP/NA/NA
68 Float, X (East-West) speed
72 Float, Y (North-South) speed
76 Float, Z (up-down) speed
80 Float, X (NS) Spin
84 Float, Y (EW) Spin
88 Float, Z (NW) Spin
140 Float, Mass (kg) from handling.cfg
144 Float, Turn Mass from handling.cfg
148 Float, Grip Divider (0.1=10xgGrip / 1=1xgGrip / 100=g/100Grip)
152 Float, Mass-to-Grip Multiplier. Ie. G Force when flying/during suspension/driving (acceleration towards ground)
160 Float, Normalized Grip Level
164 Float, CoM X
168 Float, CoM Y
172 Float, CoM Z
1076 Byte, Body Color (as in carcolors.dat, black being the 0)
1077 Byte, Stripe Color (as in carcolors.dat, black being the 0)
1080 DWord, modding data as in garage info
1084 DWord, modding data as in garage info
1088 DWord, modding data as in garage info
1092 DWord, modding data as in garage info
1096 DWord, modding data as in garage info
1100 DWord, modding data as in garage info
1104 DWord, modding data as in garage info
1108 DWord, modding data as in garage info
1112 Float, Car Wheel Size from vehicle.ide
1116 DWord, Siren Time Left ms
1216 Float, Car Damage Left (1000: undamaged)
1272 Dword, Car Door Locked State (1:open 2:locked)
1444 Byte, Car Wheels Shot: (.1.1.1..=NA/RF/NA/LB/NA/LF/NA/NA) RF:RightFrontWheel 1:shot, 0:OK
[EDIT]
The following offsets are Floats, the positions of doors and other car parts that get detached by damage.
We need to recalculate and set their locations if we warp a car from one location to another. Otherwise
the car spins uncontrollably:
1828 Detachables1 Pos X
1832 Detachables1 Pos Y
1836 Detachables1 Pos Z
1872 Detachables2 Pos X
1876 Detachables2 Pos Y
1880 Detachables2 Pos Z
1916 Detachables3 Pos X
1920 Detachables3 Pos Y
1924 Detachables3 Pos Z
1960 Detachables4 Pos X
1964 Detachables4 Pos Y
1968 Detachables4 Pos Z
[/EDIT]
[EDIT]
Here are the detachable locations for bikes. At each offset there are 12 bytes, i.e. 3 Floats holding the X, Y and Z coords.:
+ 1532 BikeDetachPosAdr(0)
+ 1632 BikeDetachPosAdr(1)
+ 1676 BikeDetachPosAdr(2)
+ 1720 BikeDetachPosAdr(3)
+ 1764 BikeDetachPosAdr(4)
[/EDIT]
have a nice time hacking,
Alper

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#52

Posted 15 June 2005 - 10:54 PM

QUOTE
The following offsets are Floats, the positions of doors and other car parts that get detached by damage.
We need to recalculate and set their locations if we warp a car from one location to another. Otherwise
the car spins uncontrollably:
1828 Detachables1 Pos X
1832 Detachables1 Pos Y
1836 Detachables1 Pos Z
1872 Detachables2 Pos X
1876 Detachables2 Pos Y
1880 Detachables2 Pos Z
1916 Detachables3 Pos X
1920 Detachables3 Pos Y
1924 Detachables3 Pos Z
1960 Detachables4 Pos X
1964 Detachables4 Pos Y
1968 Detachables4 Pos Z

That would explain why my velocity gets totally screwed when spawning in a vehicle.. do you know how these Detachable offsets are calculated? I'd imagine they'd be different for each vehicle, but it sure would be a pain to have to do a preset calculation for every single bloody car...

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#53

Posted 16 June 2005 - 05:16 PM

I guess you would just need to recalculate some values at runtime and assign them to the detachables.
You can even assign the car location directly to them. It is better than letting them have 0-0-0 as location values.


By the way, how do you 'spawn' a car?

JernejL
  • JernejL

    Big Homie

  • Feroci Racing
  • Joined: 11 Mar 2002

#54

Posted 16 June 2005 - 06:58 PM

Just subtract the detachables' positions from the current location, warp the car and sum
them with the new location, I assume..
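An added C example, not code from either poster, that treats the vehicle object as a raw byte buffer using saracoglu's decimal offsets above and implements the warp fix JernejL describes: each detachable is moved by the same delta as the car, and a part still at 0,0,0 is placed at the car's new position instead (saracoglu's suggestion). The bit positions for the wheel-shot byte at 1444 are an assumption (the posted ".1.1.1.." mask read left to right as bit 7 down to bit 0), and the sample object is constructed, not a memory dump.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Decimal offsets into the vehicle object, as listed in the thread. */
enum {
    V_SPEED_X = 68, V_SPEED_Y = 72, V_SPEED_Z = 76,
    V_MASS = 140, V_DAMAGE = 1216, V_DOOR_LOCK = 1272, V_WHEELS_SHOT = 1444,
    V_SIZE = 1972                       /* covers the last listed offset (1968 + 4) */
};
static const int DETACH_X[4] = { 1828, 1872, 1916, 1960 };   /* Y and Z follow at +4 and +8 */

/* Unaligned little-endian accessors over the raw object bytes. */
static float    rd_f32(const uint8_t *p, int off) { float v; memcpy(&v, p + off, 4); return v; }
static void     wr_f32(uint8_t *p, int off, float v) { memcpy(p + off, &v, 4); }
static uint32_t rd_u32(const uint8_t *p, int off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static void     wr_u32(uint8_t *p, int off, uint32_t v) { memcpy(p + off, &v, 4); }

/* Squared magnitude of the velocity vector at 68/72/76 (no libm needed). */
static float vehicle_speed_sq(const uint8_t *car)
{
    float x = rd_f32(car, V_SPEED_X), y = rd_f32(car, V_SPEED_Y), z = rd_f32(car, V_SPEED_Z);
    return x * x + y * y + z * z;
}

/* Door lock DWord at 1272: 1 = open, 2 = locked. */
static int door_locked(const uint8_t *car) { return rd_u32(car, V_DOOR_LOCK) == 2; }

/* ASSUMPTION: mask ".1.1.1.." = NA/RF/NA/LB/NA/LF/NA/NA is bit 7 .. bit 0 left to right. */
enum { WHEEL_RF = 6, WHEEL_LB = 4, WHEEL_LF = 2 };
static int wheel_shot(const uint8_t *car, int bit) { return (car[V_WHEELS_SHOT] >> bit) & 1; }

/* Warp helper: carry each detachable along by (to - from); parts still at 0,0,0 are
   placed at the new car position. Returns how many parts were carried by delta. */
static int warp_detachables(uint8_t *car, const float from[3], const float to[3])
{
    int moved = 0;
    for (int i = 0; i < 4; i++) {
        float p[3];
        for (int k = 0; k < 3; k++) p[k] = rd_f32(car, DETACH_X[i] + 4 * k);
        int unset = (p[0] == 0.0f && p[1] == 0.0f && p[2] == 0.0f);
        for (int k = 0; k < 3; k++)
            wr_f32(car, DETACH_X[i] + 4 * k, unset ? to[k] : p[k] - from[k] + to[k]);
        moved += !unset;
    }
    return moved;
}

/* Constructed sample object: velocity (3,4,0), locked doors, RF wheel shot, one detached part. */
static void make_sample_vehicle(uint8_t *car)
{
    memset(car, 0, V_SIZE);
    wr_f32(car, V_SPEED_X, 3.0f); wr_f32(car, V_SPEED_Y, 4.0f);
    wr_f32(car, V_MASS, 1500.0f); wr_f32(car, V_DAMAGE, 1000.0f);
    wr_u32(car, V_DOOR_LOCK, 2);
    car[V_WHEELS_SHOT] = 0x40;                 /* bit 6 = RF under the assumption above */
    wr_f32(car, DETACH_X[0], 101.0f); wr_f32(car, DETACH_X[0] + 4, 201.0f); wr_f32(car, DETACH_X[0] + 8, 6.0f);
}

int main(void)
{
    uint8_t car[V_SIZE];
    const float from[3] = { 100.0f, 200.0f, 5.0f }, to[3] = { 400.0f, 600.0f, 15.0f };
    make_sample_vehicle(car);
    int moved = warp_detachables(car, from, to);
    printf("speed^2 %.1f, locked %d, RF shot %d, parts carried %d, part1 now x=%.1f\n",
           vehicle_speed_sq(car), door_locked(car), wheel_shot(car, WHEEL_RF), moved,
           rd_f32(car, DETACH_X[0]));
    return 0;
}
```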

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#55

Posted 16 June 2005 - 07:03 PM Edited by saracoglu, 16 June 2005 - 07:49 PM.

For the garage editor coders:

There are 50 garages in the game. Each garage's position, details, usage information, location in game,
location of the door, width, depth and height, direction it looks, coordinates of the lower left corner and
upper right corner, whether it is usable by the player, which property (safe house) it belongs to, number of
cars that can be parked in it, and the door state (closed, opening, open and closing) are found in the
garage object of 212 bytes. The memory location where the garages start in the exe I use is:
0x96C048 (I am using the non-patched original v1.0 German exe with the English language option selected, and
the original scm file.) The next garage is at 0xD4 offset, so at 0x96C120.

Here are the offsets that I was able to figure out by now:
0 Float, X Coord of the Garage Lower Left corner
4 Float, Y Coord of the Garage Lower Left corner
8 Float, Z Coord of the Garage Lower Left corner
12 Float, X Value of direction vector 1
16 Float, Y Value of direction vector 1
20 Float, X Value of direction vector 2
24 Float, Y Value of direction vector 2
28 Float, Top Z Coord of the garage (TopZCoord - ZCoord = Garage Height)
32 Float, Normalized Width of the garage
36 Float, Normalized Depth of the garage
40 Float, Left Border (X) coordinate
44 Float, Right Border (X) coordinate
48 Float, Front Border (Y) coordinate
52 Float, Back Border (Y) coordinate
77 Byte, Garage Door State: 0:closed 1:open 2:opening 3:closing

The direction vector 3 is completely left out, I think because the garages are always even to the ground.
I think that is also why the Z values of the direction vectors are also left-out.

I have not yet checked all garages. But some of the known addresses are:
0x96C480 El Corona
0x96C7E0 Johnson House
0x96CB40 Santa Maria Beach
0x96CC18 Mulholland

The contents of the garages are also in memory in almost the same manner. For example, 0x96ABD8 is the start of the 60-byte info
block of the first car parked in the Johnson House garage. The first 12 bytes are the (Float) location matrix (XYZ),
offset 14 (Word) is the BPDPEPFP coding, offset 16 (Word) is the CarID, offsets 20 to 44 are DWords with tuning info.
I am now working on the details. I will soon finish and post the complete car parking information.
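An added C example (not the poster's code) that walks the garage array with the offsets above. One check worth making before relying on the stride: 0x96C048 + 0xD4 is 0x96C11C, not the 0x96C120 given as the second garage, whereas 0xD8 reaches it exactly, and all four named garage addresses fall on 0xD8 boundaries from the base (El Corona is record 5, Johnson House 9, Santa Maria Beach 13, Mulholland 14). The example therefore derives the stride from the two posted addresses rather than hard-coding 0xD4. The sample record is constructed, not a memory dump.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Garage array in the exe the poster uses (non-patched v1.0 German exe). */
#define GARAGE_BASE   0x96C048u
#define GARAGE_NEXT   0x96C120u                    /* second garage, as posted */
#define GARAGE_STRIDE (GARAGE_NEXT - GARAGE_BASE)  /* = 0xD8, derived from the two addresses */
#define GARAGE_COUNT  50u

/* Field offsets within one garage record, from the posted list. */
enum { G_X = 0, G_Y = 4, G_Z = 8, G_DIR1_X = 12, G_DIR1_Y = 16, G_DIR2_X = 20, G_DIR2_Y = 24,
       G_TOP_Z = 28, G_WIDTH = 32, G_DEPTH = 36, G_LEFT = 40, G_RIGHT = 44, G_FRONT = 48,
       G_BACK = 52, G_DOOR_STATE = 77 };

static float rd_f32(const uint8_t *p, int off) { float v; memcpy(&v, p + off, 4); return v; }
static void  wr_f32(uint8_t *p, int off, float v) { memcpy(p + off, &v, 4); }

/* Index of the record starting at 'addr', or -1 if the address is not a record
   boundary inside the 50-entry array. */
static int garage_index(uint32_t addr)
{
    if (addr < GARAGE_BASE) return -1;
    uint32_t d = addr - GARAGE_BASE;
    if (d % GARAGE_STRIDE != 0 || d / GARAGE_STRIDE >= GARAGE_COUNT) return -1;
    return (int)(d / GARAGE_STRIDE);
}

static uint32_t garage_addr(unsigned idx) { return GARAGE_BASE + idx * GARAGE_STRIDE; }

/* Height as the poster defines it: TopZCoord - ZCoord. */
static float garage_height(const uint8_t *rec) { return rd_f32(rec, G_TOP_Z) - rd_f32(rec, G_Z); }

/* Floor area from the four border coordinates at 40..52. */
static float garage_footprint(const uint8_t *rec)
{
    return (rd_f32(rec, G_RIGHT) - rd_f32(rec, G_LEFT)) * (rd_f32(rec, G_BACK) - rd_f32(rec, G_FRONT));
}

/* Door state byte at 77: 0 closed, 1 open, 2 opening, 3 closing. */
static const char *door_state_name(const uint8_t *rec)
{
    static const char *names[] = { "closed", "open", "opening", "closing" };
    return rec[G_DOOR_STATE] < 4 ? names[rec[G_DOOR_STATE]] : "unknown";
}

/* Constructed sample record: an 8 x 6 footprint, 4.5 units high, door opening. */
static void make_sample_garage(uint8_t *rec)
{
    memset(rec, 0, GARAGE_STRIDE);
    wr_f32(rec, G_X, 2500.0f); wr_f32(rec, G_Y, -1650.0f); wr_f32(rec, G_Z, 13.0f);
    wr_f32(rec, G_TOP_Z, 17.5f);
    wr_f32(rec, G_LEFT, 2500.0f);   wr_f32(rec, G_RIGHT, 2508.0f);
    wr_f32(rec, G_FRONT, -1650.0f); wr_f32(rec, G_BACK, -1644.0f);
    rec[G_DOOR_STATE] = 2;
}

int main(void)
{
    uint8_t rec[GARAGE_STRIDE];
    make_sample_garage(rec);
    printf("stride 0x%X; El Corona is record %d, Mulholland is record %d\n",
           GARAGE_STRIDE, garage_index(0x96C480u), garage_index(0x96CC18u));
    printf("sample: height %.1f, footprint %.1f, door %s\n",
           garage_height(rec), garage_footprint(rec), door_state_name(rec));
    return 0;
}
```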

jacob.
  • jacob.

    Homie

  • Members
  • Joined: 27 Jun 2004

#56

Posted 17 June 2005 - 02:55 AM

QUOTE
By the way, how do you 'spawn' a car?

I was talking about teleporting a car the player is already in, in which case you can use the same method as for teleporting players on foot.

But for a vehicle you're not in, I'd imagine it'd go something like this..
It must first be created somewhere in the game, then it's just a matter of finding its pointer. You should be able to do this similar to GameGetVehicle: just start from the base car pointer and add (index * carblocksize).
Then it's (vehicle+20)+0x30=x, +0x34=y, +0x38=z.. unless the xyz structure is different for vehicles.

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#57

Posted 17 June 2005 - 10:18 AM Edited by saracoglu, 17 June 2005 - 10:20 AM.

An idea to spawn a car would be to copy current and known car pointers around player, trigger the car spawn cheat, and compare them with the pointers after car spawn cheat to find the actual pointer. This would however spawn only one type of car. Grabbing the nearest available car and bringing it to user will also result in spawning a random car. We should check the car spawn cheat trigger and see if it is internally so coded that it accepts a CarID to spawn. Because then, we can just trigger the cheat with the desired ID, and not bother about bringing it to the user (with the cheat, the car gets spawned on nearest valid road location).

I am using several methods for controlling the car the user is in (or was in), from flight assistance to changing or fixing speed, spin, flipping car, locking doors, repairing wheel and other damage, changing car colors, etc.
If you have ever used my old GTA3 Admin Console you would remember how it works in game. I am currently working on upgrading the trainer to GTA SA. The User and Car Controls are already OK. After I finish the garage coding (you will be able to not only park cars/bikes/etc in garages and set DPBPEPFP, but also tune them, and give them NOS etc. as well), I will happily announce the beta version and ask for testers. The console does not change anything on the game files or functionality of gta_sa.exe, but overrides memory locations with the wanted values. So it is safe to use it without crashes etc.

Alper

DracoBlue
  • DracoBlue

    GTA:T-Coder/Leader

  • Members
  • Joined: 22 Sep 2003

#58

Posted 17 June 2005 - 11:00 AM

I searched for some also, because it was a bit difficult to read and edit things (in this board) so I put all the collected data in the Wiki @ http://GTADB.tk/Memo...ses_San_Andreas

Please adjust when you find a failure or something is missing.

See you,

JernejL
  • JernejL

    Big Homie

  • Feroci Racing
  • Joined: 11 Mar 2002

#59

Posted 17 June 2005 - 08:05 PM

QUOTE (DracoBlue @ Jun 17 2005, 12:00)
so I put all the collected data in the Wiki

That is no excuse; there is no problem with posting addresses here, and if you
were at it you could post them on gtamemory: http://www.gtaconnec....net/gtamemory/
which was mentioned in the VC addresses topic.

share your things here, on this forum rather than redirect traffic to your site..

Squiddy
  • Squiddy

    Back!

  • The Connection
  • Joined: 06 Oct 2004

#60

Posted 17 June 2005 - 08:57 PM

0xBA6748

+ 0x15D - BYTE Current Menu ID
+ 0x78D - BYTE Show menu item hover
+ 0x54 - DWORD Selected menu item

+ 0xE9 - BYTE Main menu switch (startup menu/menu when playing)
+ 0x84 - DWORD language
+ 0x15F - BYTE selected savegame
+ 0x24 - DWORD radar mode

+ 0x64 - FLOAT map zoom
+ 0x68 - FLOAT map x position
+ 0x6C - FLOAT map y position

+ 0x5C - BYTE Player in menu?

Menu IDs: http://squiddy.marwa...as/prv/menu.txt



