Documenting GTAIV memory addresses

96 replies to this topic
saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#31

Posted 19 December 2008 - 12:49 PM Edited by saracoglu, 22 December 2008 - 01:11 AM.

Here are some more offsets:
(XLive Protected Buffer Offsets are for Rick's 1.0.1.0 Version of Wrapper XLive.dll)

CPlayer
+ 0x3E0 -> (CPlayerPed *) playerPed (In addition to the 0x578)

CChar
+ 0x1BC -> (CCar *) Currently Driving Car (0 if on foot)
+ 0xB20 -> (CCar *) Currently Driving / Last Driven Car (Pointer remains after getting off)

Weapon Structure Array within CChar
+ 0x0 -> (DWord) Weapon ID (see weapon.xml)
+ 0x4 -> (XLivePBuffer*) -> Buffer + 0x10 (DWord) Amount of Ammo
+ 0xB -> (Byte) is Available (0/1) (i.e. whether the player is carrying this weapon or not)

Weapons:
CChar
+ 0x2DC -> Unarmed Slot (Hands)
+ 0x2E8 -> Melee Slot
+ 0x2F4 -> Pistol Slot
+ 0x300 -> Shotgun Slot
+ 0x30C -> SMG Slot
+ 0x318 -> Rifle Slot
+ 0x324 -> Sniper Slot
+ 0x330 -> Heavy Slot
+ 0x33C -> Thrown Slot
+ 0x348 -> Object1 Slot
+ 0x354 -> Object2 Slot

also confirmed:
CChar
+ 0xE8C -> (XLivePBuffer*) -> Buffer + 0x10 -> (Float) Health
+ 0xB74 -> (XLivePBuffer*) -> Buffer + 0x10 -> (Float) Armor
More on vehicles coming soon.
cheers,

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#32

Posted 19 December 2008 - 09:56 PM Edited by saracoglu, 19 December 2008 - 10:05 PM.

Teleporting player:

Requires Rick's xlive wrapper for editing the xliveprotected buffer values.

CPlayer
+ 0x578 -> (CPlayerPed *) CChar

CChar
+ 0x79C -> (XLiveBuffer*) CLocation
+ 0x020 -> (CVector*) Unprotected Player Location
+ 0x038 -> (CVector*) Unprotected Player Location
+ 0x7A0 -> (CVector*) Unprotected Player Location
The above unprotected location vectors follow the values of the ones in the xlive protected values.

CLocation
+ 0x10 -> (CVector*) Player Location Vector, same as in CChar+0x38 (or CChar+0x7A0)
+ 0x20 -> (0x3C) Bytes CVector Structure
+ 0x60 -> (0x3C) Bytes CVector Structure
+ 0xD0 -> (0x3C) Bytes CVector Structure

Within the CVectors, we have
CVector
1. Vector of the player's body, standing on ground:
(values are radians, so 180 degrees is PI, 360 degrees is 2 PI)
+ 0x00 -> (FLOAT) Vector X
+ 0x04 -> (FLOAT) Vector Y
+ 0x08 -> (FLOAT) Vector Z
2. Player's vision vector (i.e. looking direction)
(values are radians, so 180 degrees is PI, 360 degrees is 2 PI)
+ 0x10 -> (FLOAT) Vector X
+ 0x14 -> (FLOAT) Vector Y
+ 0x18 -> (FLOAT) Vector Z
3. An unknown vector at +0x20 to +0x28
4. Position Data as known:
+ 0x30 -> (FLOAT) Position X
+ 0x34 -> (FLOAT) Position Y
+ 0x38 -> (FLOAT) Position Z

So we need to change 3 x 3 values to teleport player from one location to another.
After teleporting, the camera follows the player as if it warps through hyperspace.
If needed, the camera can also be teleported to prevent the hyperspace effect.

I have managed to teleport the player incl. the car. Will post offsets soon.
cheers,

~Rick
  • ~Rick

    gibbed

  • Members
  • Joined: 25 Sep 2003

#33

Posted 20 December 2008 - 10:45 PM

A new version of my wrapper is now available:

http://blog.gib.me/2...to-iv-part-iii/

Intosia
  • Intosia

    I'm random! ^^

  • Members
  • Joined: 11 Dec 2008

#34

Posted 21 December 2008 - 08:41 PM

QUOTE (saracoglu @ Dec 18 2008, 14:11)
Good news.
At least stat Information can be fixed/edited.

Current Game Time:
CODE

Hours:    0x010AC530
Minutes:  0x010AC52C


Values are Bytes, changing them also changes day/night within the game.
The Missions like 'Pick me up in one hour' or 'deliver by 19:00' can be tricked by editing these values.

cheers,

Thanks

Had a bit of fun making a nice render with some cycles:
http://nl.youtube.co...CDXykWnM&fmt=22

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#35

Posted 21 December 2008 - 10:22 PM

QUOTE (~Rick @ Dec 20 2008, 23:45)
A new version of my wrapper is now available:

http://blog.gib.me/2...to-iv-part-iii/

Apparently, the memory print of CLocation and also the XLive protected value offsets were relevant to version 1.0.0.1 of Rick's wrapper xlive.dll.
As Rick also said in his blog, the protected value buffers have been reorganized.
I will be editing my posts with the offsets according to the new version.
This will also be helpful for the GTA4Center, as the new xlive.dll enforces offline play.

Until then,
cheers,

~Rick
  • ~Rick

    gibbed

  • Members
  • Joined: 25 Sep 2003

#36

Posted 21 December 2008 - 10:37 PM

QUOTE (saracoglu @ Dec 21 2008, 14:22)
Apparently, the memory print of CLocation and also the XLive protected value offsets were relevant to version 1.0.0.1 of Rick's wrapper xlive.dll.
As Rick also said in his blog, the protected value buffers have been reorganized.
I will be editing my posts with the offsets according to the new version.

Yes, I redid it to be a bit more sane, the old way was:

CODE
typedef struct _FakeProtectedBuffer
{
    unsigned int head; // 'RICK'
    unsigned int size; // size of data at pointer
    void *data;
}
FakeProtectedBuffer;


The new way:

CODE
typedef struct _FakeProtectedBuffer
{
    unsigned int head;       // 'R1CK'
    unsigned int structSize; // 0x10
    unsigned int version;    // '1002'
    unsigned int size;       // size of following data
}
FakeProtectedBuffer;
Data follows the structure (+0x10 bytes from struct start).
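As an added example (my code, not Rick's wrapper and not code from this thread): a bounds-checked parser for the new 'R1CK' buffer layout described above. A tool that reads these buffers out of another process should verify the tag, structSize and version before trusting the size field, and refuse a declared size larger than the bytes it actually holds; an old-layout 'RICK' header is rejected rather than mis-parsed. It assumes the four-byte tags compare as the ASCII bytes "R1CK" and "1002" in memory order (if the wrapper stores them as multi-character constants the byte order may be reversed; only the two memcmp lines would change) and that unsigned int is 32 bits; fpb_parse, fpb_read_float, fpb_build_sample and the fpb_demo_* helpers are names of mine, and the sample buffer is constructed, not a dump from the game.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Header of the new-style ('R1CK') wrapper buffer as given in Rick's post;
   uint32_t stands in for the post's 'unsigned int' (32-bit DLL). */
typedef struct _FakeProtectedBuffer {
    uint32_t head;        /* 'R1CK' */
    uint32_t structSize;  /* 0x10 */
    uint32_t version;     /* '1002' */
    uint32_t size;        /* size of the data that follows the header */
} FakeProtectedBuffer;

#define FPB_HEADER_SIZE 0x10u

enum fpb_status {
    FPB_OK = 0,
    FPB_TOO_SHORT,       /* fewer bytes than the header (or payload) needs */
    FPB_BAD_MAGIC,       /* not an 'R1CK' buffer (e.g. the older 'RICK' layout) */
    FPB_BAD_STRUCT_SIZE, /* structSize != 0x10 */
    FPB_BAD_VERSION,     /* version tag is not '1002' */
    FPB_SIZE_OVERFLOW    /* declared payload size exceeds what we actually hold */
};

/* Validate the header at the start of 'buf' (avail bytes long). On FPB_OK,
   *data/*data_len describe the payload that starts at +0x10.
   Assumption: tags compared as ASCII bytes in memory order. */
enum fpb_status fpb_parse(const uint8_t *buf, size_t avail,
                          const uint8_t **data, size_t *data_len)
{
    if (avail < FPB_HEADER_SIZE) return FPB_TOO_SHORT;
    FakeProtectedBuffer hdr;
    memcpy(&hdr, buf, sizeof hdr);                  /* no unaligned/aliasing access */
    if (memcmp(buf + 0x0, "R1CK", 4) != 0) return FPB_BAD_MAGIC;
    if (hdr.structSize != FPB_HEADER_SIZE) return FPB_BAD_STRUCT_SIZE;
    if (memcmp(buf + 0x8, "1002", 4) != 0) return FPB_BAD_VERSION;
    if (hdr.size > avail - FPB_HEADER_SIZE) return FPB_SIZE_OVERFLOW;
    *data = buf + FPB_HEADER_SIZE;
    *data_len = hdr.size;
    return FPB_OK;
}

/* Read the float at Buffer + 0x10, the pattern the thread uses for Health/Armor. */
enum fpb_status fpb_read_float(const uint8_t *buf, size_t avail, float *out)
{
    const uint8_t *data;
    size_t len;
    enum fpb_status st = fpb_parse(buf, avail, &data, &len);
    if (st != FPB_OK) return st;
    if (len < sizeof *out) return FPB_TOO_SHORT;
    memcpy(out, data, sizeof *out);
    return FPB_OK;
}

/* Constructed sample (not a game dump): a v2 buffer carrying one float. */
size_t fpb_build_sample(uint8_t *out, size_t cap, float value)
{
    const uint32_t structSize = FPB_HEADER_SIZE, size = sizeof value;
    if (cap < FPB_HEADER_SIZE + sizeof value) return 0;
    memcpy(out + 0x0, "R1CK", 4);
    memcpy(out + 0x4, &structSize, 4);
    memcpy(out + 0x8, "1002", 4);
    memcpy(out + 0xC, &size, 4);
    memcpy(out + FPB_HEADER_SIZE, &value, sizeof value);
    return FPB_HEADER_SIZE + sizeof value;
}

/* Build a sample holding 'value' and read it back; -1.0f signals a parse failure. */
float fpb_demo_roundtrip(float value)
{
    uint8_t buf[32];
    float got = -1.0f;
    size_t n = fpb_build_sample(buf, sizeof buf, value);
    if (fpb_read_float(buf, n, &got) != FPB_OK) return -1.0f;
    return got;
}

/* Hand the parser one byte less than the header promises. */
int fpb_demo_truncated(void)
{
    uint8_t buf[32];
    float got;
    size_t n = fpb_build_sample(buf, sizeof buf, 100.0f);
    return (int)fpb_read_float(buf, n - 1, &got);
}

/* An old-layout 'RICK' header must be rejected, not mis-parsed. */
int fpb_demo_old_magic(void)
{
    uint8_t buf[32];
    float got;
    size_t n = fpb_build_sample(buf, sizeof buf, 100.0f);
    memcpy(buf, "RICK", 4);
    return (int)fpb_read_float(buf, n, &got);
}

int main(void)
{
    printf("roundtrip: %.1f\n", fpb_demo_roundtrip(100.0f));
    printf("truncated: %d (expect %d)\n", fpb_demo_truncated(), FPB_SIZE_OVERFLOW);
    printf("old magic: %d (expect %d)\n", fpb_demo_old_magic(), FPB_BAD_MAGIC);
    return 0;
}
```

The size check is the one that matters most when the buffer comes from a ReadProcessMemory-style call: the header may be intact while the read itself was short, and copying hdr.size bytes without that check walks off the end of the local buffer.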

voodoo48
  • voodoo48

    The chosen one...

  • Members
  • Joined: 16 Jan 2007

#37

Posted 22 December 2008 - 11:23 AM

QUOTE (saracoglu @ Dec 18 2008, 15:11)
Good news.
At least stat Information can be fixed/edited.

Current Game Time:
CODE

Hours:    0x010AC530
Minutes:  0x010AC52C


Values are Bytes, changing them also changes day/night within the game.
The Missions like 'Pick me up in one hour' or 'deliver by 19:00' can be tricked by editing these values.

cheers,

Doesn't seem to be working. I think there can be a difference between retail and Steam (or just simply downloadable) versions.

So, for me, at first, the time addresses were 0x179C530 and 0x179C52C, but now they are 0x1C2C530 and 0x1C2C52C. I use the retail version of GTA IV.

Intosia
  • Intosia

    I'm random! ^^

  • Members
  • Joined: 11 Dec 2008

#38

Posted 22 December 2008 - 11:52 AM

QUOTE (voodoo48 @ Dec 22 2008, 11:23)
QUOTE (saracoglu @ Dec 18 2008, 15:11)
Good news.
At least stat Information can be fixed/edited.

Current Game Time:
CODE

Hours:    0x010AC530
Minutes:  0x010AC52C


Values are Bytes, changing them also changes day/night within the game.
The Missions like 'Pick me up in one hour' or 'deliver by 19:00' can be tricked by editing these values.

cheers,

Doesn't seem to be working. I think there can be a difference between retail and Steam (or just simply downloadable) versions.

So, for me, at first, the time addresses were 0x179C530 and 0x179C52C, but now they are 0x1C2C530 and 0x1C2C52C. I use the retail version of GTA IV.

I use the DVD version with the patch. Works fine?

ArkangelJosh
  • ArkangelJosh

    Square Civilian

  • Members
  • Joined: 04 Dec 2008

#39

Posted 22 December 2008 - 04:49 PM Edited by ArkangelJosh, 22 December 2008 - 05:18 PM.

I came across this while browsing the .exe earlier.


it may be of some help


the post was too big here so i had to put it all in a .txt file.

http://uploading.com...es/0WZMLNFV/GTA

http://www.turbouplo...Tkz/gta-add.txt


upload to other places if it proves useful.

FunGt
  • FunGt

    GTA-Modding.com

  • Members
  • Joined: 10 Jun 2005
  • Italy

#40

Posted 22 December 2008 - 06:27 PM

QUOTE (ArkangelJosh @ Dec 22 2008, 17:49)
I came across this while browsing the .exe earlier.


it may be of some help


the post was too big here so i had to put it all in a .txt file.

http://uploading.com...es/0WZMLNFV/GTA

http://www.turbouplo...Tkz/gta-add.txt


upload to other places if it proves useful.

This link is better by Suction Testicle Man uploader

wildmotzi
  • wildmotzi

    m00 :o

  • Members
  • Joined: 25 Jun 2003

#41

Posted 22 December 2008 - 06:33 PM

everyone is talking about CPlayer but how can i find CPlayer?

ArkangelJosh
  • ArkangelJosh

    Square Civilian

  • Members
  • Joined: 04 Dec 2008

#42

Posted 22 December 2008 - 06:42 PM

QUOTE (FunGt @ Dec 22 2008, 18:27)
QUOTE (ArkangelJosh @ Dec 22 2008, 17:49)
I came across this while browsing the .exe earlier.


it may be of some help


the post was too big here so i had to put it all in a .txt file.

http://uploading.com...es/0WZMLNFV/GTA

http://www.turbouplo...Tkz/gta-add.txt


upload to other places if it proves useful.

This link is better by Suction Testicle Man uploader

thanks

~Rick
  • ~Rick

    gibbed

  • Members
  • Joined: 25 Sep 2003

#43

Posted 22 December 2008 - 06:44 PM

QUOTE (wildmotzi @ Dec 22 2008, 10:33)
everyone is talking about CPlayer but how can i find CPlayer?

Here is some basic C# code that reads out some information.

aru
  • aru

    *poof*

  • Feroci Racing
  • Joined: 20 Jun 2005
  • None

#44

Posted 22 December 2008 - 07:03 PM Edited by aru, 22 December 2008 - 08:00 PM.

There (probably) isn't a class called CPlayer...

I think what they mean by CPlayer is really CPlayerInfo and what they mean by CChar is really CPed. There's also a CPlayerPed which inherits from CPed, so don't get confused between that and CPlayerInfo.

To make matters worse, yes there is a real "Char" object used by the script, but it's only used for mapping a script character to a real CPed.

CPlayerInfo normally contains stuff like health/armor/money/etc. It also has references to the actual CPlayerPed.

In GTAIV, there are 32 slots for CPlayerInfos. In 1.0.1, these are at:

CODE

Version 1.0.1

0x01064808                        ; CPlayerInfo **g_PlayersRef[32]

~Rick
  • ~Rick

    gibbed

  • Members
  • Joined: 25 Sep 2003

#45

Posted 22 December 2008 - 07:09 PM

Also note that any tools made to work with GTA IV memory should be calculating the addresses based on the GTAIV base address at runtime, in Vista / etc, GTA IV image base is randomized.

So, aru's example for CPlayerInfo ** needs to be runtime base + 0x00C64808 (addresses mentioned in this thread are for a base address of 0x0040000000).

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#46

Posted 23 December 2008 - 02:30 AM Edited by saracoglu, 23 December 2008 - 11:22 AM.

I would also say that there definitely is a class called CPlayerInfo, instanced once per player.
There is one block of memory with pointers to CPed, protected money, etc. stats and so on.
I use WinXP. The 0x0040000000 base address is also valid for the locations/offsets I have told about.

At the following locations, you will see the X Speed (y and z follows by 0x4 offsets):
0x010D1940 -> (Float) nominal? camera? X Speed
0x014513F0 -> (Float) nominal? car? X Speed
0x01555650 -> (Float) absolute car X Speed
absolute: speed is -/+ according to your direction
nominal: speed is always + as in speedometer

Overwriting this information does not have any effect on the vehicle speed.
I have found another block of memory, having almost the same values (i.e. the float can differ a bit).
This block is editable, and has a direct effect on the car speed. Writing for example a 20 (Float) into the Z address makes the car hop into the air with a reasonable +Z speed. This block also makes the movement controls 'increase speed by ...' of a trainer possible.

Here is the problem. I could not find the pointers from CPlayerPed or CPlayerVehicle to this speed block.
Here are example locations (taken from 2 different cars with memory searching):
0x067C0E70 and 0x067B4B70.

I would very much appreciate if anyone can have a look at this issue.
cheers,

Edited to correct typo about CPlayerInfo - Thanks Rick

~Rick
  • ~Rick

    gibbed

  • Members
  • Joined: 25 Sep 2003

#47

Posted 23 December 2008 - 03:08 AM

QUOTE (saracoglu @ Dec 22 2008, 18:30)
I would also say that there is not a class called CPlayerInfo.
There is one block of memory with pointers to CPed, protected money, etc. stats and so on.
I use WinXP. The 0x0040000000 base address is also valid for the locations/offsets I have told about.

Did you mean there is? Because that is what it is likely called -- the block that money, etc, are stored in for save files is called PlayerInfo.

And yes, any addresses in this thread should definitely be stated for a base address of 0x00400000. I was referring to the fact that any tools made should dynamically calculate the correct addresses for usage on both XP and Vista.

the hubster
  • the hubster

    Sup Homies

  • Members
  • Joined: 03 May 2005

#48

Posted 24 December 2008 - 09:45 AM

Anyone know how to stop IDA from pausing so often?

man2104
  • man2104

    MC Spy

  • Members
  • Joined: 12 Jun 2002

#49

Posted 24 December 2008 - 01:41 PM

How can you use IDA to debug in the first place? If I attach IDA to GTA, the game crashes.

listener
  • listener

    Monkey with a disassembler

  • Members
  • Joined: 06 Sep 2007
  • None

#50

Posted 24 December 2008 - 01:49 PM

QUOTE (man2104 @ Dec 24 2008, 13:41)
How can you use IDA to debug in the first place? If I attach IDA to GTA, the game crashes.

Use this dll: http://public.sannyb...ess_no_save.rar
(save/load not implemented yet)

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#51

Posted 24 December 2008 - 04:30 PM Edited by saracoglu, 24 December 2008 - 11:09 PM.

Offset to make CPed Invincible:

CPed
+0x119 -> (Byte) Specials. Flipping the 3rd bit (i.e. OR 0x4) makes the ped invincible.

Edit to correct above offset:
CPed
+0x118 -> (DWord) Specials: A whole bunch of flags (i.e. setting the above mentioned bit makes invincible)

Offset to make CVehicle Invincible:
CVehicle
+0x118 -> (DWord) Specials: I have tried with OR 0xEEEE to see what happens, and got a car with bulletproof tires, bulletproof windows, practically indestructible even with a rocket launcher
I still need to find the flag for Damage-proof, as the chassis itself gets some damage (but overall health remains the same)


This is valid not only for the CPlayerPed or CPlayerVehicle. You can alternatively make other NPCs invincible as well.

cheers,

Edit:
A very welcome side effect of this flag is that Niko does not fall off motorcycles, no matter what happens!!

snoepie
  • snoepie

    Player Hater

  • Members
  • Joined: 24 Dec 2008

#52

Posted 24 December 2008 - 05:21 PM

Hey guys, I am not a very experienced trainer maker but I am making trainers.

I am using Rick's 1.0.0.1 wrapper and have created several options already.

I would like someone to try an option out for me based on Rick's wrapper:

The option is created on the GTAIV update version 1.0.1

Download a program called t-search; it's a tool which allows you to search the memory of a given process. Just a tool like Cheat Engine or ArtMoney.

Here is a download link:
http://wpepro.net/pl...13_versionid=82

1. Once extracted, fire up t-search.exe

2. Start up GTA 4.

3. In t-search when GTA 4 has started click on Open process.

4. Select GTA IV.exe; t-search will be attached to the game's process.

5. Now in t-search click on view and select easywrite.

6. Click on the white paper a new screen will show up, called EASYWRITE INTERPRETER.

add the code below to the very top screen.

offset 00E81083
lea ecx, [esi+0x590]
pushad
mov ebx, [ecx]
mov dword ptr [ebx+0x18],0x186A0
popad
jmp 7fdad8

offset 7fdad2
jmp 00E81083
nop

7. Click OK

8. You will see a label called no name is made.

9. Enable the label and go back into the game. You should get 100.000 cash now.

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#53

Posted 24 December 2008 - 11:16 PM Edited by saracoglu, 25 December 2008 - 01:53 AM.

Some more Offsets about popping wheels:

CVehicle
+0x1680 -> (Float) Left Front Wheel Damage
+0x17F0 -> (Float) Left Rear Wheel Damage
+0x1960 -> (Float) Right Front Wheel Damage
+0x1AD0 -> (Float) Right Rear Wheel Damage
+0x1C40 -> (Float) Left Middle Wheel Damage
+0x1DB0 -> (Float) Right Middle Wheel Damage

Resetting the damage back to 1000 repairs for example popped tires.

The damage system within CVehicle seems to be that detachables (tires, doors, windows etc.) have their own health, and can be repaired by setting the value back to 1000. However, if the model is already changed (i.e. from a normal tire to a shot/flat tire), the detachable works as repaired but the model remains broken.

cheers

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#54

Posted 28 December 2008 - 03:12 AM

Some more interesting locations:
(base address taken as 0x400000)

Three copies of Game Weather:
0x10AC428 (DWord?)
0x10AC450 (DWord?)
0x10AC474 (DWord?)

Weather Values:
0 = Extra Sunny
1 = Sunny
2 = Sunny-Windy
3 = Cloudy
4 = Rain
5 = Drizzle
6 = Foggy
7 = Heavy Rain

Interesting Flags:
CPlayer
+0x0AA (Byte) -> Ignored By Police (Invisibility??) 0/1
+0x536 (Byte) -> Super Stamina 0/1

CVehicle
+0xF98 (DWord) -> Alarm time left in milliseconds
+0xF70 (Byte) -> Special Flags. First Bit is Damage-Proof (i.e. OR &H1)
+0x02E (Word) -> Car Type ID (follows the vehicle.ide, starting with 84 for admiral)
+0x119 (Byte) -> Also Special Flags, OR &H4 makes explosion-proof and bullet-proof


I have not been lucky with teleporting the vehicle, or setting speed. Any help will be appreciated.

cheers,

Mechan
  • Mechan

    Player Hater

  • Members
  • Joined: 28 Dec 2008

#55

Posted 28 December 2008 - 05:23 AM

QUOTE (~Rick @ Dec 22 2008, 18:44)
QUOTE (wildmotzi @ Dec 22 2008, 10:33)
everyone is talking about CPlayer but how can i find CPlayer?

Here is some basic C# code that reads out some information.

Could you also post file with "Gibbed.GTA4.Memory" namespace, please?
This would be very helpful for me

UZI-I
  • UZI-I

    WPL Manager...

  • Members
  • Joined: 23 Aug 2006

#56

Posted 28 December 2008 - 08:55 AM

QUOTE
The damage system within CVehicle seems that detachables (tires, doors, windows etc) have their own health


Yes. There is a Health value in the CEntity Object.
And each object inherits from it.

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#57

Posted 28 December 2008 - 12:25 PM

I have written this as response to Voodo's pm request. I thought I should share with all as well:

There are several location blocks to overwrite in order to properly teleport the player ped. Each piece of an object within GTA IV is an entity with its own health, weight and location. The center of mass vector of CPlayerPed is at:
CPlayer -> (+0x578) CPed* -> (+0x020) CVector*

Here is my class for 64 bytes CVector:
<StructLayout(LayoutKind.Sequential)> Public Class CVectorBlock
    Public XLevel As Single = 0
    Public YLevel As Single = 0
    Public ZLevel As Single = 0
    Public iUnknown1 As Integer = 0
    Public XFacing As Single = 0
    Public YFacing As Single = 0
    Public ZFacing As Single = 0
    Public iUnknown2 As Integer = 0
    Public XUnknown As Single = 0
    Public YUnknown As Single = 0
    Public ZUnknown As Single = 0
    Public iUnknown3 As Integer = 0
    Public XPosition As Single = 0
    Public YPosition As Single = 0
    Public ZPosition As Single = 0
    Public iUnknown4 As Integer = 0
End Class
(I use vb.net, single is a Float, Integer is a DWord)

When you teleport Center of Mass, nothing happens, as it does not have a mass. The detachables start on CPed + 0x79C as XLive protected buffers. Using the xlive.dll wrapper from Rick, we can overwrite these protected buffers as well. You get a protected locations buffer pointer at CPed+0x79C, and read another xlive protected buffer on +0x10 offset. This is the CVector* of body.
Also, within the first xlive protected buffer, at offsets +0x20, +0x60, +0xD0 you have three Vector blocks to overwrite.

As for the player ped, I found that overwriting any of these vector blocks results in some sort of teleportation. The last location is calculated from the positions and mass of these detachables. Properly teleporting requires overwriting all five blocks.

Perhaps there are some more vector blocks, belonging to some other detachables, that also need to be overwritten to make the teleport millimeter accurate. I find these five result in fairly accurate teleportation.

cheers, and happy coding

PS: For teleporting a vehicle, since it is simply another object, the method should be similar. I have however not found the offsets to get to the VectorBlock of the chassis. If I run a memory search giving the whereabouts of the vehicle, I find the chassis vector at a memory location around 6BB6564 (dynamic). If I teleport the chassis as well, I can teleport the vehicle properly. How to get to this location following the pointers has been the challenge of this week for me.
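As an added example (my code, not from the thread or from any of the tools mentioned in it), serving both Rick's point in post #45 about rebasing addresses and the pointer chain in the post above: it rebases aru's static g_PlayersRef address against the image base found at runtime, then follows CPlayerInfo -> (+0x578) CPed -> (+0x20) CVectorBlock to read the position. It runs against a constructed 0x1000-byte memory window instead of the game, so nothing it reads is real game data; RUNTIME_BASE, the window layout, and the names rebase, mem_read, walk_chain, build_sample_image and read_player_position are my own. Every pointer hop is bounds-checked and a NULL pointer stops the walk, and a compile-time check confirms that the C version of the CVectorBlock class above really is 64 bytes with the position block at +0x30.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define THREAD_IMAGE_BASE    0x00400000u  /* base the thread's addresses assume (Rick, #47) */
#define STATIC_G_PLAYERS_REF 0x01064808u  /* CPlayerInfo **g_PlayersRef[32], 1.0.1 (aru, #44) */
#define RUNTIME_BASE         0x00D30000u  /* constructed: a base a randomized load might give */

/* The 64-byte vector block from saracoglu's VB.NET class, as a C struct. */
typedef struct {
    float XLevel, YLevel, ZLevel;          uint32_t iUnknown1;
    float XFacing, YFacing, ZFacing;       uint32_t iUnknown2;
    float XUnknown, YUnknown, ZUnknown;    uint32_t iUnknown3;
    float XPosition, YPosition, ZPosition; uint32_t iUnknown4;
} CVectorBlock;
_Static_assert(sizeof(CVectorBlock) == 0x40, "CVectorBlock must be 64 bytes");
_Static_assert(offsetof(CVectorBlock, XPosition) == 0x30, "position block sits at +0x30");

/* Turn a thread address into an RVA and re-apply it to the base found at runtime. */
uint32_t rebase(uint32_t thread_addr, uint32_t runtime_base)
{
    return runtime_base + (thread_addr - THREAD_IMAGE_BASE);
}

/* Stand-in for process memory: a byte window mapped at 'base'. */
typedef struct { const uint8_t *bytes; size_t len; uint32_t base; } FakeMem;

/* Bounds-checked read; returns 0 instead of faulting when 'addr' is outside the window. */
int mem_read(const FakeMem *m, uint32_t addr, void *out, size_t n)
{
    if (addr < m->base) return 0;
    uint32_t off = addr - m->base;
    if (off > m->len || n > m->len - off) return 0;
    memcpy(out, m->bytes + off, n);
    return 1;
}

/* Follow 'n' pointer hops: at each step read the 32-bit pointer at addr + offsets[i].
   A NULL or unreadable pointer aborts the walk instead of being dereferenced. */
int walk_chain(const FakeMem *m, uint32_t addr, const uint32_t *offsets, size_t n, uint32_t *out)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t next;
        if (!mem_read(m, addr + offsets[i], &next, sizeof next) || next == 0) return 0;
        addr = next;
    }
    *out = addr;
    return 1;
}

static uint8_t g_image[0x1000];           /* constructed window, not a game dump */
static void put_u32(uint8_t *dst, uint32_t v) { memcpy(dst, &v, sizeof v); }

/* Lay out: g_PlayersRef[0] -> CPlayerInfo (+0x578) -> CPed (+0x20) -> CVectorBlock.
   The window starts at the rebased g_PlayersRef table itself. */
FakeMem build_sample_image(void)
{
    uint32_t base = rebase(STATIC_G_PLAYERS_REF, RUNTIME_BASE);
    CVectorBlock v = {0};
    v.XPosition = 100.5f; v.YPosition = -200.25f; v.ZPosition = 14.0f;
    memset(g_image, 0, sizeof g_image);
    put_u32(g_image + 0x000,         base + 0x100);   /* g_PlayersRef[0] -> CPlayerInfo */
    put_u32(g_image + 0x100 + 0x578, base + 0x800);   /* CPlayerInfo + 0x578 -> CPed */
    put_u32(g_image + 0x800 + 0x020, base + 0x900);   /* CPed + 0x20 -> CVectorBlock */
    memcpy(g_image + 0x900, &v, sizeof v);
    FakeMem m = { g_image, sizeof g_image, base };
    return m;
}

/* Resolve player 0's vector block via the chain above and return its position. */
int read_player_position(const FakeMem *m, uint32_t runtime_base, float xyz[3])
{
    const uint32_t chain[] = { 0x000, 0x578, 0x020 };
    uint32_t vec_addr;
    CVectorBlock v;
    if (!walk_chain(m, rebase(STATIC_G_PLAYERS_REF, runtime_base), chain, 3, &vec_addr)) return 0;
    if (!mem_read(m, vec_addr, &v, sizeof v)) return 0;
    xyz[0] = v.XPosition; xyz[1] = v.YPosition; xyz[2] = v.ZPosition;
    return 1;
}

/* 1 if the constructed position is recovered through the chain. */
int demo_position_ok(void)
{
    FakeMem m = build_sample_image();
    float p[3];
    return read_player_position(&m, RUNTIME_BASE, p) &&
           p[0] == 100.5f && p[1] == -200.25f && p[2] == 14.0f;
}

/* Using the thread's base under a relocated image lands outside the window and is refused. */
int demo_wrong_base_rejected(void)
{
    FakeMem m = build_sample_image();
    float p[3];
    return read_player_position(&m, THREAD_IMAGE_BASE, p) == 0;
}

int main(void)
{
    float p[3];
    FakeMem m = build_sample_image();
    if (read_player_position(&m, RUNTIME_BASE, p))
        printf("player 0 at (%.2f, %.2f, %.2f)\n", p[0], p[1], p[2]);
    return 0;
}
```

The second demo shows the failure mode Rick describes: a tool hard-wired to the 0x00400000 addresses reads from the wrong place once the image is relocated, and with a bounds-checked reader that is a clean refusal rather than a crash or a silently wrong value.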

stefanACM
  • stefanACM

    Player Hater

  • Members
  • Joined: 29 Nov 2008

#58

Posted 28 December 2008 - 06:59 PM

Can anybody HACK max ping in LAN NETWORK !!!

~Rick
  • ~Rick

    gibbed

  • Members
  • Joined: 25 Sep 2003

#59

Posted 29 December 2008 - 01:07 AM

QUOTE (stefanACM @ Dec 28 2008, 10:59)
Can anybody HACK max ping in LAN NETWORK !!!

Go away pirate.

voodoo48
  • voodoo48

    The chosen one...

  • Members
  • Joined: 16 Jan 2007

#60

Posted 29 December 2008 - 09:36 AM

QUOTE (saracoglu @ Dec 28 2008, 04:12)
Some more interesting locations:
(base address taken as 0x400000)

Three copies of Game Weather:
0x10AC428 (DWord?)
0x10AC450 (DWord?)
0x10AC474 (DWord?)

Weather Values:
0 = Extra Sunny
1 = Sunny
2 = Sunny-Windy
3 = Cloudy
4 = Rain
5 = Drizzle
6 = Foggy
7 = Heavy Rain

Interesting Flags:
CPlayer
+0x0AA (Byte) -> Ignored By Police (Invisibility??) 0/1
+0x536 (Byte) -> Super Stamina 0/1

CVehicle
+0xF98 (DWord) -> Alarm time left in milliseconds
+0xF70 (Byte) -> Special Flags. First Bit is Damage-Proof (i.e. OR &H1)
+0x02E (Word) -> Car Type ID (follows the vehicle.ide, starting with 84 for admiral)
+0x119 (Byte) -> Also Special Flags, OR &H4 makes explosion-proof and bullet-proof


I have not been lucky with teleporting the vehicle, or setting speed. Any help will be appreciated.

cheers,

Great finds! I thought that the "rain-with-lightning" weather's ID is 7, but I couldn't exactly match the others, so I gave up.
And I couldn't find the vehicles' IDs in any GTA IV file. But now...



