Documenting GTAIV memory addresses

96 replies to this topic
man2104
  • man2104

    MC Spy

  • Members
  • Joined: 12 Jun 2002

#61

Posted 29 December 2008 - 12:17 PM

For the native command handler posted by Seemann: it is incompatible with the 1.0.1 exe.

New addresses should be used for 1.0.1:

f_null = 0x00859B90;
f_reg = 0x00615790;
f_hash = 0x00616E10;

stefanACM
  • stefanACM

    Player Hater

  • Members
  • Joined: 29 Nov 2008

#62

Posted 29 December 2008 - 02:58 PM

QUOTE (~Rick @ Dec 29 2008, 01:07)
QUOTE (stefanACM @ Dec 28 2008, 10:59)
Can anybody HACK max ping in LAN NETWORK!!!

Go away, pirate.

I am not a pirate.
I need it to play over LAN with my friend because the signal is low and ping is 30-40.

BWARazor
  • BWARazor

    Peon

  • Members
  • Joined: 26 Dec 2008

#63

Posted 31 December 2008 - 03:28 PM Edited by BWARazor, 31 December 2008 - 03:55 PM.

Deleted

Sacky
  • Sacky

    IV's Limit Adjuster

  • Members
  • Joined: 10 Nov 2006

#64

Posted 01 January 2009 - 12:11 PM Edited by Sacky, 01 January 2009 - 12:49 PM.

Objects:

0x8D8290 : int __cdecl allocateObject()

0x9C4700 : int __cdecl setObjectOnFire(int objectID)
0x9C479B : int __stdcall isValidObject(int objectID) (With objectPool in ECX)
0x9C47B0 : int __cdecl isObjectOnFire(int objectID)
0x9C5410 : int __cdecl hasObjectBeenDamagedByWeapon(int objectID, int weaponID)
0x96A3C0 : int __stdcall extinguishObjectFire(int objectID) (With objectFirePool in ECX)
0x9D2D80 : int __cdecl createObject(int modelID, float x, float y, float z, int* handle, int flags)

0x11E73E8 : objectPool
0x12825C0 : objectFirePool (256 elements)

+0x1E4 : (byte) Last Weapon Damage

Sacky
  • Sacky

    IV's Limit Adjuster

  • Members
  • Joined: 10 Nov 2006

#65

Posted 03 January 2009 - 03:25 AM

Native Injector:

http://pastebin.com/m64adee56

For use like this:

NATIVE n_ABSF = { "ABSF", 1 };
NATIVE n_CREATE_OBJECT = { "CREATE_OBJECT", 6 };
DWORD objectHandle;

scripting->injectNative(&n_CREATE_OBJECT,0x6F0783F5,12.0f,12.0f,12.0f,&objectHandle,1);
scripting->injectNative(&n_ABSF,54.367f);

Still very experimental... so it's highly likely the limited testing I've done with it hasn't ironed out all the bugs.

Mechan
  • Mechan

    Player Hater

  • Members
  • Joined: 28 Dec 2008

#66

Posted 04 January 2009 - 05:44 PM

Hi,
I'm a beginner in game memory editing, and I tried to call createObject from C# code: http://pastebin.com/f44842901 but I'm getting AccessViolationException: "Attempted to read or write protected memory. This is often an indication that other memory is corrupt." at line 77.
Is it impossible to edit memory just like that, or am I doing it wrong? Maybe I have to inject a DLL or something like that?

With simple memory reading (Rick posted code a couple of posts above) it works fine.
I've got Rick's XLive Wrapper.

Sacky
  • Sacky

    IV's Limit Adjuster

  • Members
  • Joined: 10 Nov 2006

#67

Posted 04 January 2009 - 11:05 PM

Mechan, I think your offset might be wrong. Since 0x9D2D80 is assuming a 0x400000 base, try the offset 0x5D2D80. I'd also like to point out that calling createObject will fail unless you do REQUEST_MODEL first.

man2104
  • man2104

    MC Spy

  • Members
  • Joined: 12 Jun 2002

#68

Posted 05 January 2009 - 02:46 AM

How can you call the function in your own process, but not in the GTA IV process?

Oleg
  • Oleg

    Player Hater

  • Members
  • Joined: 12 Jul 2005

#69

Posted 06 January 2009 - 10:32 AM

--------- request from ZModeler developer ----------
Hi! I'm digging into *.wft files and need some assistance classifying entries. There are VMT pointers stored in the files and they seem to be the same across *.wft files. I'm not sure whether GTA dynamically writes the proper addresses there when loading the file; I suspect these addresses are already properly set and bound to some library or .exe file explicitly. I'll list these VMT pointers below and need someone to specify class names or something that will make sense of what I should search for in the associated class data.

Example:
0x006B223C, tMaterial, size 0x60
0x006B48F4, tPolyMesh, size 0x50
0x006B0234, tGeometryObject, size 0x1C

Unknown:
0x006A35F4, tUnkBlock14, variable size
0x0069A5BC, tUnkBlock15, size 0xC0
0x006A4678, tUnkStub, size 0x1C

********** tUnkBlock16Base, base class;
0x0069BBEC tUnkBlock16V0 : tUnkBlock16Base
0x0069D56C tUnkBlock16V0A : tUnkBlock16Base
0x0069D7F4 tUnkBlock16V0B : tUnkBlock16Base
0x0069BBEC tUnkBlock16V1 : tUnkBlock16V0
0x0069AAF4 tUnkBlock16V2 : tUnkBlock16V0
0x0069B41C tUnkBlock16V3 : tUnkBlock16V2

If you find out what these classes stand for, you can send me a PM, or e-mail, or post as a guest in this thread on my forum:

http://forum.zmodele...opic.php?t=3553

Thank You!

TripleX87
  • TripleX87

    Player Hater

  • Members
  • Joined: 27 Dec 2008

#70

Posted 06 January 2009 - 07:31 PM

Hello guys. I'm not an experienced Trainer Programmer, but I am willing to be one.

But I've got a question. Could you please make a quick tutorial that explains how you find all these addresses (and functions) you are all talking about? What program are you using? What have I got to search for?

I hope you can help me because I want to find the first address on my own (and post them here).

(Sorry for the bad English.)

Peace

Sacky
  • Sacky

    IV's Limit Adjuster

  • Members
  • Joined: 10 Nov 2006

#71

Posted 07 January 2009 - 05:20 AM

GXT Hook:

.text:007E5F50 ; char *__stdcall convertGXTToString(char *key)
.data:00FE7568 gxtTable
.text:00458090 ; int __cdecl CRC32Hash(char *text, int textSize)
.text:007E5B00 ; char *__stdcall getGXTTextFromTable(int hash, int)

http://pastebin.com/m724466a0

Seemann
  • Seemann

    Ruhe

  • Members
  • Joined: 03 Sep 2004
  • Russia
  • Best Tool 2013 "Sanny Builder"

#72

Posted 25 January 2009 - 02:59 AM

QUOTE (Seemann @ Dec 8 2008, 01:01)
Those of you who are using IDA may find this useful.
http://public.sannyb...GTA4/native.idc

For 1.0.2.0:

CODE
f_null = 0x00C78DD0;
f_reg = 0x00583420;
f_hash = 0x00585550;

saracoglu
  • saracoglu

    saracoglu

  • Members
  • Joined: 02 Jun 2002

#73

Posted 26 January 2009 - 11:01 PM

Some starting-point memory locations for GTA IV 1.0.2 patched:

(code base is 0x400000)

CODE
0x1009798 (DWord) Pointer to CPlayer
0x0FFCDA0 (Float) XPosition (stats only)
0x0FFCDA4 (Float) YPosition (stats only)
0x0FFCDA8 (Float) ZPosition (stats only)
0x0F70154 (DWord) Current Money (stats only)
0x10514C0 (DWord) Current Hours (read/write)
0x10514BC (DWord) Current Minutes (read/write)
0x10514D4 (DWord) GameDay (read/write)
0x10514B8 (DWord) GameMonth (read/write)
0x10375B0 (DWord) XLive Buffer Pointer for Float Stats starts here. This is the Game Progress Stat
+0x4 (DWord) Next XLive Buffer Pointer, for the next Float Stat and so on. For the float stats enum, see aru's scripthook sdk, scriptenums.h

Sacky
  • Sacky

    IV's Limit Adjuster

  • Members
  • Joined: 10 Nov 2006

#74

Posted 27 January 2009 - 08:04 AM Edited by Sacky, 27 January 2009 - 08:25 AM.

1.0.2.0

SCO Stuff:

#pragma pack(push, 1)
class CSCO
{
public:
virtual void method() {}; // vtable pointer occupies the first 4 bytes

BYTE zPadding1[4];
BYTE* scoBinary;          // raw script (.sco) bytes
};

struct SCO_POOL
{
DWORD scriptName; // hash of name
CSCO* scoInst;
};
#pragma pack(pop)

0xF6D0F4 : SCO_POOL*
0xF6D100 : (DWORD) SCO_POOL_COUNT

GXT Table:

#pragma pack(push, 1)
struct GXT_ENTRY
{
char* entry;       // pointer to the text
DWORD crc32Hash;   // hash of the GXT key
};

class GXTClass
{
public:
virtual void method() {}; // vtable pointer occupies the first 4 bytes

int numGXTItems;
GXT_ENTRY GXTItems[200]; // I guessed the amount, it's probably thousands
};
#pragma pack(pop)

0xFE0F88 : GXTClass (Statically Allocated)
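As an added illustration of the GXT lookup path described in the GXT Hook post (#71: CRC32Hash on the key, then getGXTTextFromTable by hash) and the GXT_ENTRY/GXTClass layout above, not code from this thread or from the game: a table in that shape, a bounds-checked lookup by hash, and a convert-by-key wrapper. Assumptions: the hash is the common IEEE CRC-32 (poly 0xEDB88320), which the game's CRC32Hash may well not be; the vtable slot is modelled as a plain pointer; the keys and texts are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout mirroring the GXT_ENTRY / GXTClass structs from the post (packed to 1).
   The virtual method slot is modelled as an opaque pointer in the first 4 bytes. */
#pragma pack(push, 1)
typedef struct {
    const char *entry;     /* pointer to the text */
    uint32_t    crc32Hash; /* hash of the GXT key */
} GXT_ENTRY;

typedef struct {
    void     *vtable;        /* stands in for the vtable pointer */
    int32_t   numGXTItems;
    GXT_ENTRY GXTItems[8];   /* small capacity for the example; the game has far more */
} GXTClass;
#pragma pack(pop)

/* Standard CRC-32 (reflected, poly 0xEDB88320, init/xorout 0xFFFFFFFF).
   ASSUMPTION: the game's CRC32Hash uses this variant; it may not. */
uint32_t crc32_hash(const char *text, size_t textSize) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < textSize; i++) {
        crc ^= (uint8_t)text[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Lookup by hash, the way getGXTTextFromTable(hash, ...) is described. The scan is
   bounded by numGXTItems AND the array capacity, so a corrupted count cannot run
   past the table. Returns NULL on a miss instead of a dangling pointer. */
const char *gxt_lookup(const GXTClass *table, uint32_t hash) {
    int32_t capacity = (int32_t)(sizeof table->GXTItems / sizeof table->GXTItems[0]);
    int32_t n = table->numGXTItems;
    if (n < 0 || n > capacity)
        return NULL;                 /* refuse an out-of-range count */
    for (int32_t i = 0; i < n; i++)
        if (table->GXTItems[i].crc32Hash == hash)
            return table->GXTItems[i].entry;
    return NULL;
}

/* convertGXTToString(key) equivalent: hash the key, then resolve it. */
const char *gxt_convert(const GXTClass *table, const char *key) {
    return gxt_lookup(table, crc32_hash(key, strlen(key)));
}

/* Build a small constructed table (sample keys/texts, not real game strings). */
void gxt_build_sample(GXTClass *t) {
    static const char *keys[]  = { "EXAMPLE_KEY_A", "EXAMPLE_KEY_B", "EXAMPLE_KEY_C" };
    static const char *texts[] = { "text for A", "text for B", "text for C" };
    t->vtable = NULL;
    t->numGXTItems = 3;
    for (int i = 0; i < 3; i++) {
        t->GXTItems[i].entry = texts[i];
        t->GXTItems[i].crc32Hash = crc32_hash(keys[i], strlen(keys[i]));
    }
}

/* Exercise hit, miss and corrupted-count paths; returns 1 if all behave as intended. */
int gxt_selftest(void) {
    GXTClass t;
    gxt_build_sample(&t);
    const char *hit = gxt_convert(&t, "EXAMPLE_KEY_B");
    if (hit == NULL || strcmp(hit, "text for B") != 0) return 0;
    if (gxt_convert(&t, "NOT_A_KEY") != NULL) return 0;      /* miss must give NULL */
    t.numGXTItems = 999;                                     /* corrupted count */
    if (gxt_lookup(&t, t.GXTItems[0].crc32Hash) != NULL) return 0;
    return 1;
}

int main(void) {
    GXTClass t;
    gxt_build_sample(&t);
    printf("EXAMPLE_KEY_B -> %s\n", gxt_convert(&t, "EXAMPLE_KEY_B"));
    return 0;
}
```

The capacity check in gxt_lookup is the part worth copying: when you read numGXTItems out of a live process you are trusting a value you did not write, so clamp it before using it as a loop bound.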

MrGtaman
  • MrGtaman

    Mark Chump

  • Members
  • Joined: 26 Apr 2007

#75

Posted 02 February 2009 - 06:05 PM

Has anybody found the address for the player's FPS? I need it because I get 8-15 fps (according to Fraps; the game's benchmark says my avg. fps is 11.**) with EVERYTHING on low, and so I can't play MP in the city: the game kicks me saying "you've been disconnected because your computer is running too slowly". The airport is actually the only map I can play without getting kicked, unless there are too many vehicles around, effects, or I get too close to Broker (too many trees and details, I think)... So I thought maybe if we knew that address we could have made some kind of FPS hack for MP.

There are so many trainers for those idiots who can't play fairly and no really useful things like an FPS hack for those who can't afford a better PC.

g4mGunner
  • g4mGunner

    Rat

  • BUSTED!
  • Joined: 27 Sep 2008

#76

Posted 03 February 2009 - 03:09 PM

QUOTE (MrGtaman @ Feb 2 2009, 18:05)
Has anybody found the address for the player's FPS? I need it because I get 8-15 fps (according to Fraps; the game's benchmark says my avg. fps is 11.**) with EVERYTHING on low, and so I can't play MP in the city: the game kicks me saying "you've been disconnected because your computer is running too slowly". The airport is actually the only map I can play without getting kicked, unless there are too many vehicles around, effects, or I get too close to Broker (too many trees and details, I think)... So I thought maybe if we knew that address we could have made some kind of FPS hack for MP.

There are so many trainers for those idiots who can't play fairly and no really useful things like an FPS hack for those who can't afford a better PC.

You don't need the address for FPS; you aren't able to edit it, only read it (unless it is for a frame limiter). You are looking for a NOP so the game doesn't make you leave MP on low fps.

MrGtaman
  • MrGtaman

    Mark Chump

  • Members
  • Joined: 26 Apr 2007

#77

Posted 04 February 2009 - 06:33 PM

QUOTE (g4mGunner @ Feb 3 2009, 15:09)
QUOTE (MrGtaman @ Feb 2 2009, 18:05)
Has anybody found the address for the player's FPS? I need it because I get 8-15 fps (according to Fraps; the game's benchmark says my avg. fps is 11.**) with EVERYTHING on low, and so I can't play MP in the city: the game kicks me saying "you've been disconnected because your computer is running too slowly". The airport is actually the only map I can play without getting kicked, unless there are too many vehicles around, effects, or I get too close to Broker (too many trees and details, I think)... So I thought maybe if we knew that address we could have made some kind of FPS hack for MP.

There are so many trainers for those idiots who can't play fairly and no really useful things like an FPS hack for those who can't afford a better PC.

You don't need the address for FPS; you aren't able to edit it, only read it (unless it is for a frame limiter). You are looking for a NOP so the game doesn't make you leave MP on low fps.

Well, I didn't mean to make my performance better. I just want to avoid the fps auto-kicking. When my fps is 10 or higher it's OK, but when it drops below 10 I still have a couple of seconds to point the camera down so the fps is "fine" again, otherwise the game kicks me... So I'm looking for a way to disable that auto-kicking function.

stym
  • stym

    Hacker

  • Members
  • Joined: 06 Dec 2008

#78

Posted 07 February 2009 - 02:41 AM

Hey, how do I find the d3d9 and d3d9 device address?

Sacky
  • Sacky

    IV's Limit Adjuster

  • Members
  • Joined: 10 Nov 2006

#79

Posted 09 February 2009 - 04:40 AM

0xF56BC4 : BYTE[32] Encryption key used in AES (Note: it's just a pointer, not the actual encryption key)

iGeo
  • iGeo

    HaloMods.com Admin

  • Members
  • Joined: 31 Dec 2005

#80

Posted 17 February 2009 - 12:31 AM

Don't suppose anyone knows where the 'Exposure' value is?

warclaw
  • warclaw

    Prankster

  • BUSTED!
  • Joined: 19 Jan 2008

#81

Posted 21 February 2009 - 07:53 PM Edited by warclaw, 21 February 2009 - 08:05 PM.

Hi, is there anything new on that? What is it, and how do I open the GTA IV .EXE and edit the doc files? And how do I change the traffic light time to green, can it be edited, and how many parked cars??? Please give me some info about this XD, sounds interesting!
And how do I install it?? And how does it work? I have launched the program, which needs Rick's games stuff.

I don't press OK when "SYSTEM copy to win32" comes up; I copy to the GTA IV directory only and launch the game, and after that it pops up.

Need to extract xlive.dll from windows/win32 to the GTA IV directory, how do I do that?? And is this safe?

And how do I start to copy in codes and change them!? Thanks for all the help!

HazardX
  • HazardX

    pedestrian mangler

  • Members
  • Joined: 13 Dec 2008

#82

Posted 21 February 2009 - 08:42 PM

QUOTE (warclaw @ Feb 21 2009, 20:53)
Hi, is there anything new on that? What is it, and how do I open the GTA IV .EXE and edit the doc files? And how do I change the traffic light time to green, can it be edited, and how many parked cars??? Please give me some info about this XD, sounds interesting!
And how do I install it?? And how does it work? I have launched the program, which needs Rick's games stuff.

I don't press OK when "SYSTEM copy to win32" comes up; I copy to the GTA IV directory only and launch the game, and after that it pops up.

Need to extract xlive.dll from windows/win32 to the GTA IV directory, how do I do that?? And is this safe?

And how do I start to copy in codes and change them!? Thanks for all the help!

meh. If you just want to spam requests, do so in the Requests Thread!
If you really want to start looking for memory addresses, open GTAIV.exe in IDA Pro. You'll find your way if you have the basic knowledge to do this. If you don't know what IDA Pro is, what it does or how to use it: let it be and come back when you've learned Assembler and some basics of Reverse Engineering and really understand it! Do not ask before this requirement is met, because no one will be able to help you.

iGeo
  • iGeo

    HaloMods.com Admin

  • Members
  • Joined: 31 Dec 2005

#83

Posted 22 February 2009 - 11:53 PM

I'm very new to finding memory addresses and the likes, but I did manage to find the memory address for the 'Exposure' value I was looking for. I was able to edit it, but then all of a sudden it stopped responding to edits, and I found that the address had changed. How do I overcome this? Someone mentioned something to me about 'Pointers' but I'm not sure how they work, or how I can get a way to always find the right memory value for this value, if it's forever changing.

Sacky
  • Sacky

    IV's Limit Adjuster

  • Members
  • Joined: 10 Nov 2006

#84

Posted 26 February 2009 - 09:12 AM

OK, the 'Exposure' value can be found like this:

0x10CAEB8 : (float) Exposure

Then add +0x1290 to that Memory Address and you get the next Exposure value. You can keep doing this for all the exposure values in timecyc.dat. I'll publish the structures here soon.

Hergonan
  • Hergonan

    Prankster

  • Members
  • Joined: 31 Aug 2005

#85

Posted 26 February 2009 - 09:20 AM

QUOTE (iGeo @ Feb 22 2009, 23:53)
I'm very new to finding memory addresses and the likes, but I did manage to find the memory address for the 'Exposure' value I was looking for. I was able to edit it, but then all of a sudden it stopped responding to edits, and I found that the address had changed. How do I overcome this? Someone mentioned something to me about 'Pointers' but I'm not sure how they work, or how I can get a way to always find the right memory value for this value, if it's forever changing.

Pointers...
They have always been a hard topic for me.
What I understood is, the game has a header, and the header contains different pointers to settings, models it currently displays, functions, etc.
The header never changes. So you can go from header->settings to point to the container of "settings".
That container's location changes, but its shape doesn't. And it's always pointed to from the header.
The place of the location is called the offset.
So, the header has an offset for settings, and settings has an offset for each setting. As the game goes on, the memory constantly changes, therefore the individual settings can move around too. However, since the structure of settings (usually) doesn't change, the pointer header->settings->individual always points to the correct offset.

I might not be correct, but that's how I understand it.
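An added example (not from this thread) tying together Sacky's remark in #67 that the listed addresses assume a 0x400000 image base and Hergonan's header -> container -> field description above: a rebase() helper plus a bounds-checked pointer-chain walk over a constructed, simulated 32-bit address space. Everything in the scenario is made up for the example: the module mapped at 0x01000000, the static pointer at IDA address 0x00401000, the container location and the value 42. It does not touch a real process; the point is that the walk refuses null and out-of-range pointers instead of faulting, which is the behaviour you want from any reader before it is pointed at live memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Image base the thread's IDA addresses assume (Sacky, post #67). */
#define IDA_IMAGE_BASE 0x00400000u

/* Constructed, simulated 32-bit address space standing in for the game process. */
typedef struct {
    uint32_t base;   /* address the simulated module is mapped at */
    uint8_t *mem;    /* backing bytes */
    uint32_t size;
} sim_space;

/* Bounds-checked 32-bit read: 0 on success, -1 if the address is outside the region
   (the simulated equivalent of the AccessViolationException a wrong offset produces). */
int sim_read32(const sim_space *s, uint32_t addr, uint32_t *out) {
    if (addr < s->base || addr - s->base > s->size - 4u) return -1;
    memcpy(out, s->mem + (addr - s->base), 4);
    return 0;
}

int sim_write32(sim_space *s, uint32_t addr, uint32_t val) {
    if (addr < s->base || addr - s->base > s->size - 4u) return -1;
    memcpy(s->mem + (addr - s->base), &val, 4);
    return 0;
}

/* Turn an address from a 0x400000-based listing into the address in a process
   where the module actually landed at actual_base. */
uint32_t rebase(uint32_t ida_addr, uint32_t actual_base) {
    return actual_base + (ida_addr - IDA_IMAGE_BASE);
}

/* Pointer-chain walk: read the pointer stored at the current address, add the next
   offset, repeat. The result is the ADDRESS of the final field so the caller can read
   or write it. Any null or out-of-range intermediate pointer aborts the walk. */
int resolve_chain(const sim_space *s, uint32_t start, const uint32_t *offs, size_t n,
                  uint32_t *out) {
    uint32_t cur = start;
    for (size_t i = 0; i < n; i++) {
        uint32_t ptr;
        if (sim_read32(s, cur, &ptr) != 0) return -1;
        if (ptr == 0) return -1;   /* container not allocated yet: never follow NULL */
        cur = ptr + offs[i];
    }
    *out = cur;
    return 0;
}

/* Constructed scenario: the module is mapped at 0x01000000 rather than 0x400000. A static
   pointer at IDA address 0x00401000 points at a container that "moved"; the container's
   +0x8 field holds the value we want (a stand-in for a setting like 'Exposure'). */
#define SIM_ACTUAL_BASE 0x01000000u
#define SIM_SIZE        0x4000u
#define IDA_STATIC_PTR  0x00401000u   /* constructed, not a real game address */

void sim_build_sample(sim_space *s, uint8_t *backing) {
    memset(backing, 0, SIM_SIZE);
    s->base = SIM_ACTUAL_BASE; s->mem = backing; s->size = SIM_SIZE;
    uint32_t container = SIM_ACTUAL_BASE + 0x2000u;   /* where the container currently lives */
    sim_write32(s, rebase(IDA_STATIC_PTR, SIM_ACTUAL_BASE), container);
    sim_write32(s, container + 0x8u, 42u);
}

/* Value found via static pointer -> container -> +0x8, or -1 on failure. */
long demo_resolve(void) {
    static uint8_t backing[SIM_SIZE];
    sim_space s;
    sim_build_sample(&s, backing);
    uint32_t offs[] = { 0x8u };
    uint32_t field_addr, value;
    if (resolve_chain(&s, rebase(IDA_STATIC_PTR, SIM_ACTUAL_BASE), offs, 1, &field_addr) != 0)
        return -1;
    if (sim_read32(&s, field_addr, &value) != 0) return -1;
    return (long)value;
}

/* Same chain started from the un-rebased listing address: must fail cleanly, not crash. */
int demo_unrebased_fails(void) {
    static uint8_t backing[SIM_SIZE];
    sim_space s;
    sim_build_sample(&s, backing);
    uint32_t offs[] = { 0x8u };
    uint32_t dummy;
    return resolve_chain(&s, IDA_STATIC_PTR, offs, 1, &dummy) != 0;
}

int main(void) {
    printf("resolved value: %ld\n", demo_resolve());
    return 0;
}
```

rebase(0x9D2D80, 0x400000) gives back 0x9D2D80 and the RVA is 0x5D2D80, which is exactly the offset Sacky told Mechan to try; with a different actual base the same RVA lands somewhere else, and that is where Mechan's access violation came from.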

Sacky
  • Sacky

    IV's Limit Adjuster

  • Members
  • Joined: 10 Nov 2006

#86

Posted 27 February 2009 - 06:26 AM Edited by Sacky, 27 February 2009 - 06:29 AM.

typedef DWORD cell; // one script variable slot

0x15AD8B4 : (cell**) Global Variables Pool

HazardX
  • HazardX

    pedestrian mangler

  • Members
  • Joined: 13 Dec 2008

#87

Posted 06 March 2009 - 10:06 PM Edited by HazardX, 06 March 2009 - 11:45 PM.

QUOTE (Sacky @ Feb 27 2009, 07:26)
typedef DWORD cell; // one script variable slot

0x15AD8B4 : (cell**) Global Variables Pool

Amazing! That's exactly what I've been looking for! Do you have an idea where to find it for game version 1.0.1.0? I've been searching for known values in the expected memory range but didn't find it.

[EDIT] Got it. It's at 0x015B5A88. Was easier to find with IDA, actually.

stym
  • stym

    Hacker

  • Members
  • Joined: 06 Dec 2008

#88

Posted 21 March 2009 - 03:13 PM Edited by stym, 22 March 2009 - 10:06 PM.

For version 1.0.2.0:

CODE

0x10AC530 - BYTE - Time Hour
0x10AC52C - BYTE - Time Minute

Andrew
  • Andrew

  • Andolini Mafia Family
  • Joined: 21 Jul 2003
  • None

#89

Posted 23 April 2009 - 10:12 PM

Unpinned topic, topic is included in the forum header.

jenksta
  • jenksta

    Player Hater

  • Members
  • Joined: 22 Dec 2008
  • United-Kingdom

#90

Posted 26 May 2009 - 02:09 PM Edited by JeNkStA, 08 October 2009 - 10:35 PM.

....



