Documenting GTAIV memory addresses

96 replies to this topic
the hubster
  • the hubster

    Sup Homies

  • Members
  • Joined: 03 May 2005

#1

Posted 02 December 2008 - 05:50 PM Edited by the hubster, 06 November 2009 - 06:48 PM.



Please note the exe version when posting memory addresses (what patch is installed)

You will need Rick's xlive.dll Wrapper or xliveless to edit protected memory addresses.

http://www.gtamoddin...ddresses_(GTA4)

Nulldata
  • Nulldata

    Player Hater

  • Members
  • Joined: 28 Apr 2008

#2

Posted 03 December 2008 - 07:07 PM Edited by Nulldata, 03 December 2008 - 07:17 PM.

QUOTE (the hubster @ Dec 2 2008, 17:50)
I'll start:
Size of gtaiv.exe
CODE
13411688 bytes (0CCA568h)

Start of Securom signature
CODE

0CC9028h

Can you post the CRC hash for your GTAIV.exe? Should help with everyone just in case the EXEs are changed in any way.

opium_addict
  • opium_addict

    CODE WRECKER

  • Members
  • Joined: 02 Aug 2008

#3

Posted 03 December 2008 - 10:44 PM

QUOTE (Nulldata @ Dec 3 2008, 13:07)
Can you post the CRC hash for your GTAIV.exe? Should help with everyone just in case the EXEs are changed in any way.

I suspect that the file size is good enough... if something is changed then it's more than likely the file size will change also...

Dangta
  • Dangta

    Multi-Talented Person

  • Members
  • Joined: 08 Jul 2004

#4

Posted 05 December 2008 - 05:17 PM Edited by Dangta, 05 December 2008 - 05:22 PM.

Hi guys, I'm not so experienced in disassembling but I've had a bit of progress. I think I've found some pretty good offsets in the following code:

In: B51CA0
CODE

.text:00B51CA0 sub_B51CA0      proc near              ; CODE XREF: sub_7E5A80+69p
.text:00B51CA0                 push    offset loc_B51B30
.text:00B51CA5                 push    offset aSet_time_one_d; "SET_TIME_ONE_DAY_FORWARD"
.text:00B51CAA                 call    sub_583420
.text:00B51CAF                 push    offset loc_B51B40
.text:00B51CB4                 push    offset aSet_time_one_0; "SET_TIME_ONE_DAY_BACK"
.text:00B51CB9                 call    sub_583420
.text:00B51CBE                 push    offset loc_B51C60
.text:00B51CC3                 push    offset aGet_time_of_da; "GET_TIME_OF_DAY"
.text:00B51CC8                 call    sub_583420
.text:00B51CCD                 push    offset loc_B51B60
.text:00B51CD2                 push    offset aGet_hours_of_d; "GET_HOURS_OF_DAY"
.text:00B51CD7                 call    sub_583420
.text:00B51CDC                 push    offset loc_B51B70
.text:00B51CE1                 push    offset aGet_minutes_of; "GET_MINUTES_OF_DAY"
.text:00B51CE6                 call    sub_583420
.text:00B51CEB                 push    offset loc_B51B80
.text:00B51CF0                 push    offset aSet_time_of_da; "SET_TIME_OF_DAY"
.text:00B51CF5                 call    sub_583420
.text:00B51CFA                 push    offset loc_B51BA0
.text:00B51CFF                 push    offset aForward_to_tim; "FORWARD_TO_TIME_OF_DAY"
.text:00B51D04                 call    sub_583420
.text:00B51D09                 push    offset loc_B51BC0
.text:00B51D0E                 push    offset aGet_minutes_to; "GET_MINUTES_TO_TIME_OF_DAY"
.text:00B51D13                 call    sub_583420
.text:00B51D18                 add     esp, 40h
.text:00B51D1B                 push    offset loc_B51BE0
.text:00B51D20                 push    offset aGet_current_da; "GET_CURRENT_DAY_OF_WEEK"
.text:00B51D25                 call    sub_583420
.text:00B51D2A                 push    offset loc_B51C80
.text:00B51D2F                 push    offset aGet_current__0; "GET_CURRENT_DATE"
.text:00B51D34                 call    sub_583420
.text:00B51D39                 push    offset loc_B51BF0
.text:00B51D3E                 push    offset aSet_time_of_ne; "SET_TIME_OF_NEXT_APPOINTMENT"
.text:00B51D43                 call    sub_583420
.text:00B51D48                 push    offset loc_B51C10
.text:00B51D4D                 push    offset aCompare_two_da; "COMPARE_TWO_DATES"
.text:00B51D52                 call    sub_583420
.text:00B51D57                 push    offset loc_B51C40
.text:00B51D5C                 push    offset aForce_time_of_; "FORCE_TIME_OF_DAY"
.text:00B51D61                 call    sub_583420
.text:00B51D66                 push    offset loc_B51B50
.text:00B51D6B                 push    offset aRelease_time_o; "RELEASE_TIME_OF_DAY"
.text:00B51D70                 call    sub_583420
.text:00B51D75                 add     esp, 30h
.text:00B51D78                 retn
.text:00B51D78 sub_B51CA0      endp


It looks like it's maybe allocating a function to an opcode? I'm not sure... Rockstar may have organized the code in a way that each subject-specific opcode is contained within its own method. Which would explain why only time-related opcodes are in this?

I'm attempting to have a play around by calling some opcodes myself through C/C++. I'll let you know if I have any luck!

opium_addict
  • opium_addict

    CODE WRECKER

  • Members
  • Joined: 02 Aug 2008

#5

Posted 06 December 2008 - 09:45 PM Edited by opium_addict, 07 December 2008 - 03:50 AM.

Pointer to the D3D9 Device:
CODE
GTAIV.exe + 0x128B570


CODE
// g_hGTA is the HMODULE (load address) of GTAIV.exe; the device pointer lives at base + 0x128B570
IDirect3DDevice9 *pDevice = (IDirect3DDevice9 *)*(DWORD*)((DWORD)g_hGTA + 0x128B570);


edit:
CODE
.text:007E5A80 SetupAllNatives proc near              ; CODE XREF: SetupScripts+94p
.text:007E5A80
.text:007E5A80; FUNCTION CHUNK AT .text:00B49D50 SIZE 00000031 BYTES
.text:007E5A80
.text:007E5A80                 call    SetupAudioNatives
.text:007E5A85                 call    SetupCameraNatives
.text:007E5A8A                 call    SetupDebugNatives
.text:007E5A8F                 call    SetupHUDNatives
.text:007E5A94                 call    SetupEngineNatives
.text:007E5A99                 call    SetupInputNatives
.text:007E5A9E                 call    SetupCharNatives
.text:007E5AA3                 call    SetupPlayerNatives
.text:007E5AA8                 call    SetupTaskNatives
.text:007E5AAD                 call    SetupCarNatives
.text:007E5AB2                 call    SetupObjectNatives
.text:007E5AB7                 call    SetupScriptHelperNatives
.text:007E5ABC                 call    SetupMissionNatives
.text:007E5AC1                 call    SetupWorldNatives
.text:007E5AC6                 call    SetupNavigationNatives
.text:007E5ACB                 call    SetupWeaponNatives
.text:007E5AD0                 call    SetupFireNatives
.text:007E5AD5                 call    SetupZoneNatives
.text:007E5ADA                 call    SetupRenderNatives
.text:007E5ADF                 call    SetupGangNatives
.text:007E5AE4                 call    SetupCutsceneNatives
.text:007E5AE9                 call    SetupTimeNatives
.text:007E5AEE                 call    SetupOnlineNatives
.text:007E5AF3                 call    SetupBrainNatives
.text:007E5AF8                 call    nullsub_5
.text:007E5AFD                 call    SetupCarbombNatives
.text:007E5B02                 jmp     SetupWaterNatives
.text:007E5B02 SetupAllNatives endp


CODE
.text:00B7F360; int __cdecl SetPedDensityMultiplier(float)


thanks to Mike and Yoann on IRC

ceedj
  • ceedj

    PEDS Creator

  • Feroci
  • Joined: 21 May 2005
  • United-States

#6

Posted 07 December 2008 - 07:35 AM

QUOTE (Dangta @ Dec 5 2008, 13:17)
It looks like it's maybe allocating a function to an opcode? I'm not sure... Rockstar may have organized the code in a way that each subject-specific opcode is contained within its own method. Which would explain why only time-related opcodes are in this?

I'm attempting to have a play around by calling some opcodes myself through C/C++. I'll let you know if I have any luck!

Pretty sure you're dead on right, the little bit of mission script I've seen suggests just that; as though they've moved from a BASIC approach (II/VC/SA) to a more streamlined object-oriented scripting (C/C++).

Nice work here guys!

aru
  • aru

    *poof*

  • Feroci
  • Joined: 20 Jun 2005
  • None

#7

Posted 07 December 2008 - 08:43 AM

There's no notion of opcode per each function anymore... The basic opcodes of the IV scripting engine (or should I say RAGE scripting engine) are just some very low level VM opcodes like add/sub/jmp/call/etc. One of those opcodes calls a native function, and it's invoked by the hash of the name of the function... which is why you see all the names there. The hashing algorithm in use is the One-at-a-Time Hash:

CODE
typedef unsigned int ub4;      /* 32-bit unsigned, as on Jenkins' page */

/* Jenkins' page uses mask to fold the result into a table of size mask+1;
   an all-ones mask keeps the full 32-bit hash */
#define mask 0xFFFFFFFFu

ub4 one_at_a_time(char *key, ub4 len)
{
 ub4   hash, i;
 for (hash=0, i=0; i<len; ++i)
 {
   hash += key[i];
   hash += (hash << 10);
   hash ^= (hash >> 6);
 }
 hash += (hash << 3);
 hash ^= (hash >> 11);
 hash += (hash << 15);
 return (hash & mask);
}

(from: http://burtleburtle....ash/doobs.html)

I have the full specs of the scripting VM and the opcodes written up on paper from the 360 version (and it's pretty much identical on PC)... I just haven't had time to type it all up nicely.

Alexander Blade
  • Alexander Blade

    Come As You Are

  • Members
  • Joined: 05 Nov 2006
  • None
  • Major Contribution Award [Mods]

#8

Posted 07 December 2008 - 11:35 AM Edited by Alexander Blade, 07 December 2008 - 11:42 AM.

.data:00E4AF70 models hash nodes array pointer

model_hash_node struct 0x8 b
-- model_hash 0x4 b
-- model_ingame_id 0x4 b
end

.data:00E58CF8 Cheat functions pointers array (17)

.text: 008654E0 ; int __cdecl SpawnVehicle(int IngameID);
car spawning function

Andrew
  • Andrew

  • Andolini Mafia Family
  • Joined: 21 Jul 2003
  • None

#9

Posted 07 December 2008 - 12:16 PM

Excellent work so far. Pinned.

Peter
  • Peter

    Secretly Heroic

  • Members
  • Joined: 21 Sep 2006
  • United-Kingdom

#10

Posted 07 December 2008 - 01:21 PM

To avoid spamming the first page, I'll only list the most interesting ones in this post. A full list of vTable names can be found on this page.

Interesting vTables
CEntity (0xCF7FF4)
-- CBuilding (0xD1E7B4)
-- CPhysical (0xD0A014)
-- -- CVehicle (0xCFA804)
-- --- -- CAutomobile (0xD49754)
-- --- -- CBike (0xD4BA24)
-- --- -- CPlane (0xCFB31C)
-- --- -- CTrain (0xCF31AC)
-- --- -- CHeli (0xCE712C)
-- -- CPed (0xCF4864)
-- --- -- CPlayerPed (0xD005B4)
-- --- -- CDummyPed (0xD267F4)
-- -- CObject (0xCF41BC)
-- --- -- CCutsceneObject (0xD493EC)
-- --- -- CDummyObject (0xD20C9C)

CTask (0xCFABDC)
CTaskSimple (0xCFAC24)
CTaskComplex (0xCFAC7C)

CPedIntelligence (0xCFDB9C)

UZI-I
  • UZI-I

    WPL Manager...

  • Members
  • Joined: 23 Aug 2006

#11

Posted 07 December 2008 - 02:23 PM Edited by UZI-I, 07 December 2008 - 02:39 PM.

Address from IDA

Pool Documentation :
http://public.yoa2n.fr/gtaiv/Pools.txt

Class Documentation :
http://public.yoa2n....cumentation.txt

And not sure About that :
CODE
// - Returned value is in the EAX register
mov ecx, PoolStart
GetEntityFromID ( int iIndex )       -> 0x40A1F0


EDIT :
CODE
// - Affects all cars (parked and traffic)
SetCarDensityMultiplier ( int iMultiplier )          -> 0x00B63830

// - Affects only traffic
SetRandomCarDensityMultiplier ( int iMultiplier )    -> 0x00B63850

// - Affects only parked cars
SetParkedCarDensityMultiplier ( int iMultiplier )    -> 0x00B63860

0x00E5F75C -> g_dwCarDensityMultiplier
0x00E5F764 -> g_dwParkedCarDensityMultiplier


Thanks to Opium

Seemann
  • Seemann

    Ruhe

  • GTA Mods Staff
  • Joined: 03 Sep 2004
  • Russia
  • Best Tool 2013 "Sanny Builder"
    Contribution Award [Mods]
    Helpfulness Awards [Mods]

#12

Posted 07 December 2008 - 05:01 PM

Those of you who are using IDA may find this useful.
http://public.sannyb...GTA4/native.idc

It is an IDA script that gives a name for every native command handler (there are about 2800 of them). So, for example, this code

CODE
.text:00B5A19E                 push    offset sub_B5A120                  ; handler
.text:00B5A1A3                 push    offset aHas_script_loa             ; "HAS_SCRIPT_LOADED"
.text:00B5A1A8                 call    registerNativeScriptCommand        ; Call Procedure

becomes
CODE
.text:00B5A19E                 push    offset n_HAS_SCRIPT_LOADED         ; handler
.text:00B5A1A3                 push    offset aHas_script_loa             ; "HAS_SCRIPT_LOADED"
.text:00B5A1A8                 call    registerNativeScriptCommand        ; Call Procedure

and 00B5A120 accordingly is changed to the procedure n_HAS_SCRIPT_LOADED.

Run the script via File > IDC file... menu
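The two mechanisms described in posts #7 and #12, as an added example that is not code from the thread, from Seemann's native.idc or from Jenkins' page: a parser for the IDA listing format quoted above that pairs each `push offset handler` / `push offset aName ; "NAME"` with the following registration call, computes the one-at-a-time hash of the name (the hash aru says the VM dispatches on), and emits the kind of `MakeName` rename lines an IDC script would. The listing below is constructed from the handler/name pairs shown in the thread plus one deliberately incomplete registration (a single push, no name) to show it being skipped; `REGISTER_CALLEES` holds the two names the registration routine has in the quoted listings.

```python
import re

# Constructed sample in the IDA listing format quoted in this thread: two pairs
# from the SetupTimeNatives dump (post #4), the HAS_SCRIPT_LOADED pair (post #12),
# and one incomplete registration (a lone push before the call) that must be skipped.
SAMPLE_LISTING = """\
.text:00B51CA0                 push    offset loc_B51B30
.text:00B51CA5                 push    offset aSet_time_one_d; "SET_TIME_ONE_DAY_FORWARD"
.text:00B51CAA                 call    sub_583420
.text:00B51CAF                 push    offset loc_B51B40
.text:00B51CB4                 push    offset aSet_time_one_0; "SET_TIME_ONE_DAY_BACK"
.text:00B51CB9                 call    sub_583420
.text:00B51D18                 add     esp, 40h
.text:00B5A19E                 push    offset sub_B5A120                  ; handler
.text:00B5A1A3                 push    offset aHas_script_loa             ; "HAS_SCRIPT_LOADED"
.text:00B5A1A8                 call    registerNativeScriptCommand        ; Call Procedure
.text:00B5A1AD                 push    offset loc_B5A130
.text:00B5A1B2                 call    sub_583420
"""

# The registration routine as it appears unnamed (post #4) and renamed (post #12).
REGISTER_CALLEES = {"sub_583420", "registerNativeScriptCommand"}

PUSH_RE = re.compile(r'^\.text:[0-9A-F]{8}\s+push\s+offset\s+(\w+)(?:\s*;\s*"([^"]*)")?')
CALL_RE = re.compile(r'^\.text:[0-9A-F]{8}\s+call\s+(\w+)')
LABEL_RE = re.compile(r'^(?:loc|sub)_([0-9A-Fa-f]+)$')


def one_at_a_time(key: bytes) -> int:
    """Jenkins' one-at-a-time hash with 32-bit wraparound at every step."""
    h = 0
    for b in key:
        h = (h + b) & 0xFFFFFFFF
        h = (h + (h << 10)) & 0xFFFFFFFF
        h ^= h >> 6
    h = (h + (h << 3)) & 0xFFFFFFFF
    h ^= h >> 11
    h = (h + (h << 15)) & 0xFFFFFFFF
    return h


def label_address(label: str):
    """loc_B51B30 / sub_B5A120 -> 0xB51B30 / 0xB5A120; None for any other label."""
    m = LABEL_RE.match(label)
    return int(m.group(1), 16) if m else None


def parse_native_registrations(listing: str):
    """Return [(name, handler_address, name_hash)] for every
    push handler / push "NAME" / call register triple in the listing."""
    natives = []
    pushes = []  # (label, quoted string or None) seen since the previous call
    for line in listing.splitlines():
        m = PUSH_RE.match(line)
        if m:
            pushes.append((m.group(1), m.group(2)))
            continue
        m = CALL_RE.match(line)
        if not m:
            continue  # proc/endp lines, add esp, etc. are ignored
        if m.group(1) in REGISTER_CALLEES and len(pushes) >= 2:
            handler_label, _ = pushes[-2]  # pushed first: the handler
            _, name = pushes[-1]           # pushed second: the name string
            handler = label_address(handler_label)
            if name is not None and handler is not None:
                natives.append((name, handler, one_at_a_time(name.encode("ascii"))))
        pushes = []  # every call consumes the pushes that precede it
    return natives


def ida_rename_script(natives):
    """IDC MakeName lines giving each handler the n_<NAME> form used by native.idc."""
    return "\n".join(f'MakeName(0x{addr:X}, "n_{name}");' for name, addr, _ in natives)


if __name__ == "__main__":
    found = parse_native_registrations(SAMPLE_LISTING)
    for name, addr, h in found:
        print(f"{addr:08X}  {h:08X}  {name}")
    print(ida_rename_script(found))
```

The lone `push offset loc_B5A130` before the last call is dropped because a registration needs both a handler and a quoted name; on a real listing that guard is what keeps stray pushes from being mislabelled as natives.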


Rafioso
  • Rafioso

    Player Hater

  • Members
  • Joined: 19 Mar 2006

#13

Posted 07 December 2008 - 06:12 PM

Hi,

which tool did you use to find the opcodes?

listener
  • listener

    Monkey with a disassembler

  • Members
  • Joined: 06 Sep 2007
  • None
  • Contribution Award [Mods]

#14

Posted 07 December 2008 - 06:13 PM Edited by listener, 07 December 2008 - 06:47 PM.

Unfinished class hierarchy: http://public.sannyb..._pc_classes.txt

parsed .ide/.ipl contents:
CODE
template<class T> class CDataStore {
public:
 int nSize; // +0, total size of store, in objects
 int nAllocated; // +4, number of allocated objects in store
 T * pData; // +8, pointer to the object array
};

0xE4AE4C - CDataStore<CBaseModelInfo> g_baseModelStore;
0xE4AE58 - CDataStore<CInstanceModelInfo> g_instanceModelStore;
0xE4AE64 - CDataStore<CTimeModelInfo> g_timeModelStore;
0xE4AE70 - CDataStore<CWeaponModelInfo> g_weaponModelStore;
0xE4AE7C - CDataStore<CVehicleModelInfo> g_vehicleModelStore;
0xE4AE88 - CDataStore<CPedModelInfo> g_pedModelStore;
0xE4AE94 - CDataStore<CMloModelInfo> g_mloModelStore;
0xE4AEA0 - unknown store
0xE4AEAC - unknown store
0xE4AEB8 - unknown store
0xE4AEC4 - unknown store
0xE4AED0 - unknown store
0xE4AEDC - CDataStore<CParticleAttr> g_particleAttrStore;
0xE4AEE8 - CDataStore<CExplosionAttr> g_explosionAttrStore;
0xE4AEF4 - CDataStore<CProcObjAttr> g_procObjAttrStore;
0xE4AF00 - CDataStore<CLadderInfo> g_ladderInfoStore;
0xE4AF0C - CDataStore<CSpawnPoint> g_spawnPointStore;
0xE4AF18 - CDataStore<CLightShaftAttr> g_lightShaftAttrStore;
0xE4AF24 - CDataStore<CScrollBar> g_scrollBarStore;
0xE4AF30 - CDataStore<CSwayableAttr> g_swayableAttrStore;
0xE4AF3C - CDataStore<CBouyancyAttr> g_bouyancyAttrStore;
0xE4AF48 - CDataStore<CAudioAttr> g_audioAttrStore;
0xE4AF54 - CDataStore<CWorldPointAttr> g_worldPointAttrStore;
0xE4AF60 - CDataStore<CWalkDontWalkAttr> g_walkDontWalkAttrStore;
0xFAA7F8 - CDataStore<CEscalatorAttr> g_escalatorAttrStore;
0xFAA804 - CDataStore<CLightAttrStore> g_lightAttrStore;


UZI-I
first field (4 bytes) of all classes with virtual methods - pointer to virtual methods table

UZI-I
  • UZI-I

    WPL Manager...

  • Members
  • Joined: 23 Aug 2006

#15

Posted 07 December 2008 - 06:48 PM

Hum.

So I edited my doc.
It should be as that : http://public.yoa2n....cumentation.txt ?

listener
  • listener

    Monkey with a disassembler

  • Members
  • Joined: 06 Sep 2007
  • None
  • Contribution Award [Mods]

#16

Posted 07 December 2008 - 07:18 PM

UZI-I
Uhhh... No.

If you define inherited class/struct/union, all fields from the parent class will be added automatically (no need to define them again).
First field of the inherited class follows last field of the parent class.

Also, if you define at least one virtual method, the VMT pointer will be added by the compiler.

And look at the inheritance diagram (search for CVirtualBase):

class CVirtualBase;
class CEntity : public CVirtualBase;
class CDynamicEntity : public CEntity;
class CPhysical : public CDynamicEntity;
class CVehicle : public CPhysical;
class CAutomobile : public CVehicle;
.. and so on

UZI-I
  • UZI-I

    WPL Manager...

  • Members
  • Joined: 23 Aug 2006

#17

Posted 07 December 2008 - 07:29 PM

I know classes are inherited from others in GTA. But I don't understand what this pointer to the vTable is...

listener
  • listener

    Monkey with a disassembler

  • Members
  • Joined: 06 Sep 2007
  • None
  • Contribution Award [Mods]

#18

Posted 07 December 2008 - 09:49 PM

Good description of class internals (structure, inheritance, multiple inheritance, RTTI, etc):
http://www.openrce.o...es/full_view/23

Alexander Blade
  • Alexander Blade

    Come As You Are

  • Members
  • Joined: 05 Nov 2006
  • None
  • Major Contribution Award [Mods]

#19

Posted 11 December 2008 - 10:15 AM Edited by Alexander Blade, 11 December 2008 - 10:55 AM.

0x7FBF30 _cdecl SetMaxWantedLevel(int WantedLevel); // Wanted level [0..6]

dword 0xE57700 - max wanted level
dword 0xE57704 - (?) police activity

wildmotzi
  • wildmotzi

    m00 :o

  • Members
  • Joined: 25 Jun 2003

#20

Posted 15 December 2008 - 02:59 PM Edited by wildmotzi, 15 December 2008 - 03:54 PM.

10948FC - current wanted level
F77BDC - money

changing these doesn't do anything ingame

health address in start post isn't working anymore with patch

FB4D00 - Health float
4B3F944 - Health float
59004EC - Health float ??

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#21

Posted 15 December 2008 - 10:12 PM Edited by saracoglu, 19 December 2008 - 07:54 PM.

Blued-out pieces of this post, as they are no longer relevant


anyone successful with fixing/editing any of the memory values?

FB4D00 - float: health is most probably stats related. Before the patch, this stat was on 12777C0.
The memory footprint around the address is not populated enough for a ped object.

There are two more dynamic locations holding the same value as the FB4D00:
5DF33C4 and 6BB9AEC (dynamic, still need to resolve offsets to object start)
Values around both the locations are fairly similar. Also similar to those of GTA SA.
One of them seems to be the shadow copy of the other (of the player ped).

There should also be a mirror ped for the values, or at least a mirrored copy of values that would
probably be edited by trainers. Changing the health value in all three locations at once does change
the health. However, I think the mirror copy also has to be found and changed to the appropriate value.

Example: with a health of 180, changing all three to 200 back results in a red bar (mirror?) of
20 so that the health changes to full, but pending deduction of 20 remains. Next time player
gets injured, this pending 20 also gets executed. Bad news is, the several copies got out of
sync, so the deduction gets executed in a loop until player dies.

CPlayer is a CPed class. The health should also apply to the other peds within the game. The ped object
should be fairly the same as our player. We might corner one of the peds (not lose them from sight, to prevent
them from being respawned/recycled), aim at them, and use the player targeting entity -> targeting ped -> ped object to check if the same shadow copy exists for them as well, or if we can edit their health / armor
without the game interfering and setting them back.

The memory around 5DF33C4 and 6BB9AEC consists of several location values, changing as the
player moves around. There are several of these blocks, also including vector information for
the direction each piece of the ped is looking at.


The CPed of GTASA was very similar to its CVehicle
object. I hope that this is also the case for GTA4, so we can decode car offsets looking at the ped memory.

until then, I try further to document the offsets around the CPed object.
cheers

Edit:
The 5DF33C4 (still dynamic) seems to be the Health of the CPlayer, stays stable, and the same as the player gets injured. The shadow copy in 6Bnnnnn is a block of 1280 bytes, repeating itself. By each injury not only the
health, but the whole object gets re-copied/cloned prior to entering the changed value, and the newly created
clone becomes the new shadow making it harder to fix memory values on the fly.
Here are some locations of health (probably the whole ped object), that got filled by each punch as player
got beaten by another ped:
06BBA9EC, 06BBD6EC, 06BBDBEC, 06BBE0EC, 06BBEAEC, 06BC1CEC, 06BC2BEC e
As you see, the smallest offset is 1280 bytes, and all the above locations are offset by a multiple of 1280.

Also, this time, the ped object also has detachable parts similar to the vehicle object (example: a door to a car is detachable as a handbag is to a ped)

Edit2:
Grayed out all irrelevant comments. With Rick's xlive.dll, it is now possible to edit xlive-buffered values.
I have been able to beam the player around map, on foot or in car. Will post offsets soon

cheers,

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#22

Posted 18 December 2008 - 02:11 PM

Good news.
At least stat Information can be fixed/edited.

Current Game Time:
CODE

Hours:    0x010AC530
Minutes:  0x010AC52C


Values are Bytes, changing them also changes day/night within the game.
The Missions like 'Pick me up in one hour' or 'deliver by 19:00' can be tricked by editing these values.

cheers,

~Rick
  • ~Rick

    gibbed

  • Members
  • Joined: 25 Sep 2003

#23

Posted 18 December 2008 - 05:09 PM

Can a new stickied thread be made for GTA IV 1.0.1.0 (patch #1)?

UZI-I
  • UZI-I

    WPL Manager...

  • Members
  • Joined: 23 Aug 2006

#24

Posted 18 December 2008 - 06:25 PM Edited by UZI-I, 18 December 2008 - 09:05 PM.

Based on the Version 1.01 (First Patch)

Functions :
0x00615790 -> void __cdecl RegisterNative ( char* szNativeName, void* pNativeFunction );
0x007F5920 -> void __cdecl RegisterAllNative ( void );
0x00A03CA0 -> void __cdecl RegisterPadsNative ( void );
0x00A00DF0 -> void __cdecl RegisterCharsNative ( void );
0x009F0190 -> void __cdecl RegisterPlayersNative ( void );
0x009EBC70 -> void __cdecl RegisterTasksNative ( void );
0x009DEA90 -> void __cdecl RegisterCarsNative ( void );
0x009D43E0 -> void __cdecl RegisterObjectsNative ( void );


0x009D5010 -> void __cdecl SetCarDensityMultiplier ( int iMultiplier ); // - Affect All Cars
0x009D5030 -> void __cdecl SetRandomCarDensityMultiplier ( int iMultiplier ); // - Affect Only The Circulation
0x009D5040 -> void __cdecl SetParkedCarDensityMultiplier ( int iMultiplier ); // - Affect Only the Parked Car
0x00943090 -> void __cdecl SetPedDensityMultiplier ( int iMultiplier );

0x0082CE30 -> DWORD* __cdecl GetPlayerFromID ( int iPlayerID );
0x00496EE0 -> DWORD* __cdecl GetEntityFromIndex ( int iPlayerID );

0x009EDFE0 -> int __cdecl GetPlayerIndex ( void )
0x009EE3B0 -> int __cdecl GivePlayerHelmet ( int iPlayerID )

0x00494AF0 -> int __cdecl AllocateCharPool ( void );

Variables :

0x00E989F0 -> (DWORD) g_dwCarDensityMultiplier
0x00E989F8 -> (DWORD) g_dwParkedCarDensityMultiplier
0x00E95ECC -> (DWORD) g_dwPedDensityMultiplier

0x011E1540 -> (DWORD) g_dwVehiclePoolStart
0x016EB9A0 -> (DWORD) g_dwCharPoolStart

0x01064808 -> (DWORD) Pointer to the first Player. The pointer to the second Player is at 0x01064808 + 0x4

CVector
+ 0x30 -> (FLOAT) Position X
+ 0x34 -> (FLOAT) Position Y
+ 0x38 -> (FLOAT) Position Z

CEntity
+ 0x2E -> (WORD) Model ID
+ 0x20 -> (CVector*) Position
+ 0x24 -> (DWORD) IsVisible
+ 0xFC -> (FLOAT) Health

CVehicle : CEntity
+ 0xE1C -> (DWORD) HasHydraulics
+ 0xFA0 -> (CChar*) Driver
+ 0xFE4 -> (BYTE) Color 1
+ 0xFE5 -> (BYTE) Color 2
+ 0x1118 -> (DWORD) Dirt Level
+ 0x14C4 -> (BYTE) CanBeResprayed


CPlayer
+ 0x538 -> (BYTE) Fire Proof
+ 0x53F -> (BYTE) Free Health Care
+ 0x578 -> (CChar*) Char
+ 0x564 -> (DWORD) Team

CChar : CEntity
+ 0x380 -> (CEntity*) Targetted Entity

From my doc @ http://public.yoa2n.fr/gtaiv/

CODE
#include <windows.h>

// 1.01: (DWORD) pointer to the first player (see the variables list above)
#define ADDR_PLAYERPOINTER 0x01064808

DWORD dwPlayerPointer = * ( DWORD* )ADDR_PLAYERPOINTER;
if ( dwPlayerPointer )
{
   DWORD dwPlayerCharPointer = * ( DWORD* )( dwPlayerPointer + 0x578 );   // CPlayer + 0x578 -> (CChar*) Char
   if ( dwPlayerCharPointer )
   {
       DWORD dwCoordPointer = * ( DWORD* )( dwPlayerCharPointer + 0x20 ); // CEntity + 0x20 -> (CVector*) Position
       if ( dwCoordPointer )
       {
           float fX = * ( float* )( dwCoordPointer + 0x30 );
           float fY = * ( float* )( dwCoordPointer + 0x34 );
           float fZ = * ( float* )( dwCoordPointer + 0x38 );

           // - g_pLogFile->Write ( "Position : %f, %f, %f\n", fX, fY, fZ );
       }
   }
}


Haven't tested everything, but using the function, GivePlayerHelmet() is funny
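The pointer walk from the C snippet above, as an added example that is not from UZI-I's doc: the same static pointer and offsets (0x01064808, +0x578, +0x20, +0x30/0x34/0x38) are followed over a constructed, sparsely mapped memory image rather than a live process, so the two failure modes a reader of this list runs into can be shown offline: a NULL link in the chain (returns None, as the C does) and a dangling pointer into unmapped memory (raises, where the C would fault). The heap addresses, the `SparseMemory` class and the sample position values are constructed for the example; whether +0x578 is called CChar* or CPlayerPed* (see the correction later in the thread) does not change the walk.

```python
import struct

# Static pointer and offsets from the 1.01 list in this post.
ADDR_PLAYERPOINTER = 0x01064808          # (DWORD) pointer to the first player
OFF_PLAYER_CHAR    = 0x578               # CPlayer + 0x578 -> (CChar*) Char
OFF_ENTITY_POS     = 0x20                # CEntity + 0x20  -> (CVector*) Position
OFF_VEC_XYZ        = (0x30, 0x34, 0x38)  # CVector + 0x30/0x34/0x38 -> (FLOAT) X, Y, Z


class SparseMemory:
    """Constructed stand-in for a process address space: a few mapped regions;
    any other address is unmapped and raises, as a bad pointer would fault."""

    def __init__(self):
        self._regions = {}  # base address -> bytearray

    def map(self, base, size):
        self._regions[base] = bytearray(size)

    def _locate(self, addr, size):
        for base, buf in self._regions.items():
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped access at 0x{addr:08X}")

    def read(self, addr, size):
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_f32(self, addr):
        return struct.unpack("<f", self.read(addr, 4))[0]

    def write_u32(self, addr, value):
        self.write(addr, struct.pack("<I", value))

    def write_f32(self, addr, value):
        self.write(addr, struct.pack("<f", value))


def read_player_position(mem):
    """Same walk as the posted C: static pointer -> CPlayer -> CChar -> CVector,
    giving up with None as soon as any link is NULL."""
    player = mem.read_u32(ADDR_PLAYERPOINTER)
    if not player:
        return None
    char = mem.read_u32(player + OFF_PLAYER_CHAR)
    if not char:
        return None
    vec = mem.read_u32(char + OFF_ENTITY_POS)
    if not vec:
        return None
    return tuple(mem.read_f32(vec + off) for off in OFF_VEC_XYZ)


def build_sample_memory(with_char=True):
    """Constructed image: the heap addresses are made up, the offsets are the post's."""
    PLAYER, CHAR, VEC = 0x0C000000, 0x0C100000, 0x0C200000
    mem = SparseMemory()
    mem.map(ADDR_PLAYERPOINTER, 8)  # player 1 pointer, and player 2 at +0x4
    mem.map(PLAYER, 0x600)
    mem.map(CHAR, 0x400)
    mem.map(VEC, 0x40)
    mem.write_u32(ADDR_PLAYERPOINTER, PLAYER)
    mem.write_u32(PLAYER + OFF_PLAYER_CHAR, CHAR if with_char else 0)
    mem.write_u32(CHAR + OFF_ENTITY_POS, VEC)
    for off, value in zip(OFF_VEC_XYZ, (1.5, -2.25, 10.0)):
        mem.write_f32(VEC + off, value)
    return mem


if __name__ == "__main__":
    print(read_player_position(build_sample_memory()))                  # (1.5, -2.25, 10.0)
    print(read_player_position(build_sample_memory(with_char=False)))   # None
```

Against a live process the three NULL checks are the only thing standing between a tool and a crash during loading screens, when the player pointer exists but its char has not been created yet; the unmapped-read error is what a stale pointer (for example one cached across a respawn) turns into.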

~Rick
  • ~Rick

    gibbed

  • Members
  • Joined: 25 Sep 2003

#25

Posted 18 December 2008 - 06:45 PM Edited by ~Rick, 18 December 2008 - 07:07 PM.

QUOTE (UZI-I @ Dec 18 2008, 10:25)
Based on the Version 1.01 (First Patch)

CPlayer
+ 0x538  -> (BYTE) Fire Proof
+ 0x53F  -> (BYTE) Free Health Care
+ 0x578  -> (CChar*) Char
+ 0x564  -> (DWORD) Team

For CPlayer,

CPlayer
+ 0x590 -> (XLiveProtectedBuffer *) Current Money (4 byte sized protected buffer)
+ 0x594 -> (XLiveProtectedBuffer *) Current Money (4 byte sized protected buffer, again for some reason)

Unconfirmed, but it appears that player health is available at CPlayer->Char->+0xE8C (a XLiveProtectedBuffer *).

gamerzworld
  • gamerzworld

    Why did I move here? I guess it was to sell Shark Cards.

  • Members
  • Joined: 29 Nov 2005
  • United-States

#26

Posted 18 December 2008 - 07:29 PM

QUOTE (~Rick @ Dec 18 2008, 13:45)
QUOTE (UZI-I @ Dec 18 2008, 10:25)
Based on the Version 1.01 (First Patch)

CPlayer
+ 0x538  -> (BYTE) Fire Proof
+ 0x53F  -> (BYTE) Free Health Care
+ 0x578  -> (CChar*) Char
+ 0x564  -> (DWORD) Team

For CPlayer,

CPlayer
+ 0x590 -> (XLiveProtectedBuffer *) Current Money (4 byte sized protected buffer)
+ 0x594 -> (XLiveProtectedBuffer *) Current Money (4 byte sized protected buffer, again for some reason)

Unconfirmed, but it appears that player health is available at CPlayer->Char->+0xE8C (a XLiveProtectedBuffer *).

The money protection might be due to Social Club tracking those stats.

~Rick
  • ~Rick

    gibbed

  • Members
  • Joined: 25 Sep 2003

#27

Posted 18 December 2008 - 07:32 PM

QUOTE (gamerzworld @ Dec 18 2008, 11:29)
The money protection might be due to Social Club tracking those stats.

No, XLiveProtectedBuffer are buffers allocated by GTAIV with the XLive protected buffers API,

see http://blog.gib.me/2...uto-iv-part-ii/ for more details.

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#28

Posted 18 December 2008 - 09:57 PM

QUOTE (~Rick @ Dec 18 2008, 20:32)
QUOTE (gamerzworld @ Dec 18 2008, 11:29)
The money protection might be due to Social Club tracking those stats.

No, XLiveProtectedBuffer are buffers allocated by GTAIV with the XLive protected buffers API,

see http://blog.gib.me/2...uto-iv-part-ii/ for more details.

Thank you very much Rick.
Now that it is possible to edit some protected bits & bytes and see the changes in the game, I can go memory fishing. I will try to document as many vehicle and player offsets as possible before I start coding the GTA4Center

cheers

~Rick
  • ~Rick

    gibbed

  • Members
  • Joined: 25 Sep 2003

#29

Posted 18 December 2008 - 10:19 PM

QUOTE (UZI-I @ Dec 18 2008, 10:25)
Based on the Version 1.01 (First Patch)

From discussion in #iv-modding, some information posted about CPlayer/CChar is incorrect.

CPlayer
+ 0x578 -> (CPlayerPed *) playerPed

CPhysical : CDynamicEntity
+ 0x1F0 -> (FLOAT) Health
+ 0x210 -> (FLOAT) related to health changes?
+ 0x214 -> (FLOAT) related to health changes? old health?

CPed : CPhysical

CPlayerPed : CPed
+ 0x1F0 -> (FLOAT) (inherited, just mentioning as it is unused, always 200.0 in CPlayerPed)
+ 0xE8C -> (XLiveProtectedBuffer *) Health, float

Sacky
  • Sacky

    IV's Limit Adjuster

  • Members
  • Joined: 10 Nov 2006

#30

Posted 19 December 2008 - 12:42 AM Edited by Sacky, 19 December 2008 - 09:51 AM.

Disable xlive memory hashing

xlive.dll + 0xCB8DA NOP 6 bytes

This allows the game to run, but no xlive functions will work, and some may cause the game to stop working. Whether or not it loads your profile is pot luck.

0xFA6D70 : (int) language

0: English
1: French
2: German
3: Italian
4: Spanish



