Documenting GTA3/VC memory addresses

[Kryptos]

I believe it was [sheep] who did most of the SCM reverse engineering, and spookie coded most of it, as well as the DirectX interface. Anyhow, either way, if you'd read any of the discussions that went on in the ProjectX topic you'd know that kyeman wasn't any part of it, and his research was completely seperate.

[jacob.]

Hmm.... in that case, what he did / worked on / accomplished is completely irrelevant. The fact is, spookie released something. He didn't.

 

PS - I was working on Windows 2 years before Bill Gates even started on his. I think I deserve some credit.

[Kryptos]

Do you even know the story behind Q-DOS? Obviously not since you're merely making an idiot of yourself. Credit is given where it is due, and just because you can't comprehend what other's have achieved doesn't mean you have to ignorantly denounce their accomplishments. Not only that, but you completely failed to accredit [sheep], who did much of the work on the RCE of the SCM engine for spookie's DLL as well as quite a bit of the programming behind the original spooshdemo, so make sure you do give credit where it is due.

[Kryptos]

Sorry about the double post, but this post is completely unrelated to the previous one. I realize this topic is for Vice addresses, but I figure I might as well bring a few GTA3 ones into the mix. I've been spending the last hour going through the GTA3 v1.1 executable in IDA and TSearch looking for the appropriate gravity address, and although I have yet to come up with the actual one I've found quite a few interesting things that I believe warrant a post.

 

First, and this is what I found to be most interesting, is the address I originally thought to be the gravity address. The original value is 1.0, decreasing it will increase gravity, and increasing it will decrease gravity... but there's more to it then that. As you set the address higher it seems that the player accelerates in their motions. A simple jump continuously, and exponentially, grows into a flight until the limit is reached and the game crashes.

 

 

 

The address for this is 0x5F66B8, and as was previously mentioned the default value is 1.0. Pedestrians and vehicles are seemingly unaffected by any change until you interact with them. Even setting this to 1.07 will have major repercussions, so be forewarned. And after dying make sure to change it back to 1.0 before respawning or you'll crash (or, at least I have). Here's another little humorous shot after having it fling me into the sky and then downward again:

 

 

 

0x5F66B8 - particle accelerator

 

Another interesting address, which I assume has to do with traction/skidding, is 0x5F7194. Setting this to a lower number allows incredible skidding distances, although it only effects the player's car. Since it's hardcoded I'm hesitant to say it has to do with handling.cfg, but I just skimmed over these addresses, so if you're interesting in vehicle handling in regards to the executable check out that memory region.

 

0x5F9DBC - player vehicle traction

 

I was also playing around with some of the hardcoded player geometry. Namely address 0x5F9DBC which, when set to 1.5 rotates the player's head to the side, and when set to 2.0 removes the player's head:

 

 

 

0x5F9DBC - player head geometry/motion

 

In regards to pedestrians much of their activity is easily found throughout the CPed region. The only address I really played around with was 0x5FA0FC which, when set to a lower number (default 1.0) would cause purple nines to spawn and get into vehicles as passengers (at least, they were the only models I noticed getting into vehicles as passengers).

 

0x5FA0FC - purple nines as passengers

 

I also mapped out much of the HUD, including both the radar and player data (I know this has been done for Vice, but why not post something for GTA3 as well). The radar addresses are easily found under the definitions of the texture files for them, so I'll skip them, but here's a little picture of some distortion:

 

 

 

Here are the addresses with what I assume to be appropriate names for what they do to the HUD:

 

0x5FD4E8 - font horizontal stretch/compression

0x5FD4EC - toggle player data on/off (time, money, health and wanted level)

0x5FD4FC - column

0x5FD500 - row

0x5FD504 - font vertical stretch/compression

0x5FD50C - font width

0x5FD510 - font horizontal lines

0x5FD518 - font vertical lines

0x5FD520 - font thick horizontal lines

0x5FD51C - font thick vertical lines

 

And of course, here's some pictures of the effects that the aforementioned addresses can have:

 

 

 

 

 

 

 

 

 

And what's memory hacking without senseless obscenities and messed up interfaces:

 

 

 

 

[jacob.]

Hahaha, that one with his head dissapearing is f*cking hillarious!

[Kryptos]

Here's a few other addresses for player geometry as well as what may be the ped multiplier.

 

The address 0x5F9DF8 controls torso rotation. The default value is 180, if set to 0 it doesn't allow the torso to rotate when the player tries to look backwards. If set to 360 it allows the body to freely rotate sideways, 720 allows the body to rotate completely backwards, and so on (if you keep increasing the value it eventually gets to the point where the body will rotate numerous times).

 

 

 

0x5F9DF8 - torso rotation

 

Address 0x5F9DFC controls the direction of the legs. Although altering this number at first has no apparent effect, when the player starts to side strafe the legs will show the change in value. If set to 0 the legs don't rotate during side strafing, or if set to a high number, like 1, they over rotate sideways.

 

 

 

0x5F9DFC - leg rotation during strafe

 

Address 0x5F9DC8 appears to control the tilt of the head.

 

 

 

0x5F9DC8 - tilt of head

 

Address 0x5F9B08 would seem to be the ped multiplier as, when changed, it spawns a lot more pedestrians (which is especially noticeable in the early hours).

 

 

 

0x5F9B08 - ped multiplier

 

Most of these are pretty self-explanatory, except the tilt of the player's head one since it creates some strange effects when altered. As for the ped multiplier, I'm still unsure of whether it's the correct address, but I found it strange that at 4 am when the city is normally quiet there were upwards of 20 pedestrians on screen at most times (the picture only shows the pedestrians in front of me, I was standing in front of a spawning node and GTA3 doesn't use site obscurity, so there were pedestrians behind me).

[DexX]

/* i think my dreams are all in hex now, sorry about the delays. straight to the point though;

Police Weapon Accuracy: 0x4ed7b6

Swat Weapon Accuracy: 0x4ed805

Fbi Weapon Accuracy: 0x4ed8f0

Army Weapon Accuracy: 0x4ed876

 

Tank property vehicle ID's - by default all are 162(d). See default.ide for vehicle id's.

BP Tires - 0x5886b2

Turn winshield into turret (can turn it left/right) - 0x589ae1

Front wheel steering lock (wheels dont steer, when you do) - 0x590522

Super Armor (BP, EP) - 0x59f184

Impact/object collision doesn't lower vehicle health - 0x59ef8a

 

Police Car

Shoot this car ID, to get a star - 0x5b9675 (i know this was posted before, but it goes with the next line)

Number of stars you get - 0x5b9685

Get shotgun when enter Policecar - ID numbers

Weapon.dat ID1 - 0x5b8964

Weapon.dat ID2 - 0x5b8979

Weapon.dat ID3 - 0x5b898a

Default.ide model reference (ALL must be changed to work properly!!) - 5b899f

Ammo for shotgun (5 is default) - 0x5b8977, 0x5b8988

 

Caddy

get golfclub on vehicle enter

Weapon.dat ID1 - 0x5b89b8

Weapon.dat ID2 - 0x5b89cd

Default.ide model reference - 0x5b89d4, same notes as above. Also, you *can* change it @ runtime, but typically the models comes out invisible on your hud, and on tommy. Probably best to include it as part of a launcher instead.

 

Coach

ANY vehicle can carry 8 peds (??!!!)

Vehicle ID's - 0x578ada and 0x4f4b6c - i *just* found this one today, so its not fully tested. but i changed the vehicle ID @ 4f4b6c to 219, to match my rancher, and had 10 scripted actors, scripted to get in it as passengers. 8 of them succeeded

not sure if 578ada has to be changed too, but may as well list it just in case.

Both need to be changed.

 

Emergency Vehicle Flashing Light RGB colors (at long, long last..)

Dunno if the format is RGB, BGR, or what it is exactly, but i did get the colors to change to what i want with enough tinkering. All are Byte 0-ff

PoliceCar

X-Position (float) - 0x69a6f8

Colors***

58bf06

58bf0B

58bf10

58bf15

58bf1a

58bf1f

 

Enforcer

Light Z position (float) - 69a724

Light X position (float) - 69a658

Colors***

58bf90

58bf95

58bf9a

58bf9f

58bfa4

58bfa9

 

Ambulance

(coords not sorted yet (actually they are, i just need to narrow the address down a bit, will edit post))

Colors***

58c01a

58c01f

58c024

58c029

58c02e

58c033

 

Firetruck

coords posted in a previous post, same page as this

Colors***

58c0a4

58c0a9

58c0ae

58c0b3

58c0b8

58c0bd

 

Colors***

Vehicle EM light color format; based on work i did after this post, mainly on the the firetruck, this appears to be the format for the light colors. each vehicle has 6 addresses, which should correspond to this layout:

 

blue1 //address 1

red2 //address 2

green1 //address 3

green2 //address 4

red1 //address 5

blue2 //address 6

 

Vicechee, chopper, and fbi values not listed, because i dont know them. R* did them differently than the vehicles above

 

@ ALL emergency cars

Speed that lights flash at (float) - 69a6b0

 

thats all for the moment. im not done though.. */

Edited March 20, 2005 by ashdexx

[jacob.]

(1 byte for all)

 

 

Light 1 colors - 0x58bf06, 58bf0B, 58bf10

58bf06 = 255

58bf0B = 255

58bf10 = 0

 

In RGB form, this is yellow. [#FFFF00]

 

 

Light 2 colors - 0x58bf15, 58bf1b, 58bf1f

58bf15 = 0

58bf1b = 198

58bf1f = 0

 

In RGB form, this is a greenish tint. [#00C600]

 

 

I havent studied the colors of the police car, but if it were RGB, the transition should be similiar to this:

 

 

But - you said it may be in BGR format (wich ive never heard of btw lol). In that case, the transition would appear:

like that.

 

But doesnt the police car fade from red to blue?

[DexX]

/* your right. im sorry for the misunderstanding; "light1" and "light2" were just labels i used for posting to make my life simpler. Looking at them in memory gave me a headache, which is why it isn't clearer.

 

firetruck blue1 - 58c0a4

firetruck green1 - 58c0ae

firetruck red1 - 58c0b8

 

firetruck lights 2

red2 - 58c0a9

green2 - 58c0b3

blue2 - 58c0bd

 

or, in the order they appear in memory..

firetruck blue1 - 58c0a4

red2 - 58c0a9

firetruck green1 - 58c0ae

green2 - 58c0b3

firetruck red1 - 58c0b8

blue2 - 58c0bd

 

*all these i confirmed*

 

just to prove im not full of sh*t;

*/

Edited March 20, 2005 by ashdexx

[jacob.]

Perhaps you've accidentally discovered an opacity level address on the lights?

I can see some disco-styled emergency vehicles out of this.

 

I don't see where this might be possible though, unless "red2 - 58c0bd" (255) may have been mistaken for opacity instead of red value.

 

edit: Wait a tic. I've messed up somewhere. Let me retrace..

 

firetruck blue1 - 58c0a4

firetruck green1 - 58c0ae

firetruck red1 - 58c0b8

green-255, blue-0, red-255

That = yellow.

 

 

blue2 - 58c0a9

green2 - 58c0b3

red2 - 58c0bd

blue-255, red-0, green-0

That = blue.

 

Yellow - Blue transition:

Aye, that looks about right for the firetruck, doesnt it?

Atleast it looks better then before. For some reason though I keep thinking a red should be somewhere in the light transitions..

 

 

Edited March 20, 2005 by !cMc! Jacob

[DexX]

/* nah, its not opacity. its rgb. have you tried editing the addresses yourself?

The firetruck lights for example, wouldn't go from red/yellow to turquoise to by adjusting the opacity. at any rate, for the 2nd set, i had them swapped, which was causing teh problem, revision:

 

firetruck lights 2

red2 - 58c0a9

green2 - 58c0b3

blue2 - 58c0bd */

 

Edit: got the format sorted now; see my last post for details.

Edited March 20, 2005 by ashdexx

[jacob.]

 

/* nah, its not opacity. its rgb. have you tried editing the addresses yourself?

The firetruck lights for example, wouldn't go from red/yellow to turquoise to by adjusting the opacity. at any rate, for the 2nd set, i had them swapped, which was causing teh problem, revision:

 

firetruck lights 2

red2 - 58c0a9

green2 - 58c0b3

blue2 - 58c0bd */

 

Edit: got the format sorted now; see my last post for details.

The new addresses appear to be accurate. Gimme a second and I'll increase one by a hotkey ingame for a disco test..

edit: that is, if i can find a f*cking firetruck, ffs.. isnt there a weapon cheat for a molotov? professionaltools, nuttertools... forgot the other..

ill eventaully find one.

Edited March 20, 2005 by !cMc! Jacob

[DexX]

/* PANZER cheat vehicle ID - byte - 4AC14B

Change it to 137(decimal), and type in "panzer", now you'll spawn a firetruck, instead of a Rhino */

[jacob.]

Hey ashdexx its done

Works like a charm, very visually appealing. However I need somewhere to host it

 

.

http://shadows.clan-source.com/gta/files/discotrainer.zip

Edited March 20, 2005 by !cMc! Jacob

[Andrew]

Wow, not bad. If you wish I can host it for you.

 

[jacob.]

 

Wow, not bad. If you wish I can host it for you.

Thanks gangsta

 

executable - here

source code (vb) - here

 

Working on a second version that allows you to specify both in RGB or HEX what color you want each light to be.

lol sorry for giant pic. i'll make it smaller later. but basically i just gotta finish up the ambulance/firetruck, then it should be finished.

When in disco mode it updates those colors realtime (all values) to show you what colors the lights are randomly changing to.

And when not in disco mode, you can manually edit the values, and they will change ingame.

 

The way ashdexx gave us the format of those light addresses was a bit mixed so I put them in order -

 

PoliceRed1 = 0x58BF1A

PoliceGreen1 = 0x58BF10

PoliceBlue1 = 0x58BF06

PoliceRed2 = 0x58BF0B

PoliceGreen2 = 0x58BF15

PoliceBlue2 = 0x58BF1F

 

EnforcerRed1 = 0x58BFA4

EnforcerGreen1 = 0x58BF9A

EnforcerBlue1 = 0x58BF90

EnforcerRed2 = 0x58BF95

EnforcerGreen2 = 0x58BF9F

EnforcerBlue2 = 0x58BFA9

 

AmbulanceRed1 = 0x58C02E

AmbulanceGreen1 = 0x58C024

AmbulanceBlue1 = 0x58C01A

AmbulanceRed2 = 0x58C01F

AmbulanceGreen2 = 0x58C029

AmbulanceBlue2 = 0x58C033

 

FiretruckRed1 = 0x58C0B8

FiretruckGreen1 = 0x58C0AE

FiretruckBlue1 = 0x58C0A4

FiretruckRed2 = 0x58C0A9

FiretruckGreen2 = 0x58C0B3

FiretruckBlue2 = 0x58C0BD

 

Edited March 21, 2005 by !cMc! Jacob

[-GRAVITY2-]

Does anybody have any idea as to what the codes are for the COL limit? I really need to get passed this annoying problem. Any help would be greatly appreciated.

[jacob.]

 

Does anybody have any idea as to what the codes are for the COL limit? I really need to get passed this annoying problem. Any help would be greatly appreciated.

Althouh it probably is possible to bypass the COL limit, you have to remember that Rockstar put the limit on there for a reason. The renderware engine can only handle so much. And if you're going to tell me "oh, renderware can definatly handle it", then answer me - why Rockstar didn't realize this theirselves and instead chose to put such a small limit on it?

[-GRAVITY2-]

Hey i wouldnt argue with you im not a n00b i know your smarter than you. But im not asking for somthing like 10000 limit mabey 3000 but san andreas has a bigger one so i should be good then but i want to get this thing ingame without the hassel of breaking it up.

[Kryptos]

Here's a few camera hacks. If anyone wants the address just ask, but since people apparently no longer have any interest in GTA3 I don't see a point in going through the hassle.

 

 

Will work on another GTA3 Mod now.

 

why you want to bother with that?

ppl don't like gta3 and it's dead and old...

 

Gta VC PC > MOD GTA LC > fun

 

 

To hell with VC, nothing compares to the evolution GTA3 brought with it.

[DexX]

/*

Hey i wouldnt argue with you im not a n00b i know your smarter than you. But im not asking for somthing like 10000 limit mabey 3000 but san andreas has a bigger one so i should be good then but i want to get this thing ingame without the hassel of breaking it up.

addresses concering those limits aren't known yet, and probably won't be anytime soon. you'll probably chop up your model, and get all the bugs out of it, before we know how to expand the .col limit. LAthough considering the .col limit is around 2000 faces, perhaps you should consider optimizing it?

 

@ kryptos, whats wrong with your traffic light corona? it looks like a green blood splotch did you alter something besides the camera addresses, or is that just from the bad picture quality?

GTA3 may have brought a bigger revolutiion with it, but more people play and support VC (currently). depends on what your trying to accomplish i guess. i've gotten rid of alot of the hardcoded features for VC, just in time for it to be replaced by SA, effectively rendering much of the work useless once people switch. fortunatley i do it more for fun than notoriety. */

[Kryptos]

The traffic light corona is just blurred because I opted out of encoding it as JPEG and went with GIF instead. Sorry for the low quality images. I did alter a few other addresses, namely in regards to the time cycle [timecyc.dat], one of which caused the engine overload that creates a disco-like sky but also began displaying lights (which I assume to be traffic lights since they were only in red, yellow and green) across the screen. Here's an image of the effects:

 

 

 

I'd imagine, since these values are based around the time cycle, they have to do with the intervals at which the lights change as well as magnitude of the coronas... or something to that extent. I'm not sure, I wasn't too interested in them, I was just quickly scowering the executable's variable region looking for the camera data.

 

I can understand why people prefer working with the newer engines, but even with the upcoming release of GTA:SA I won't be moving to the new engine, aside from perhaps a few glimpses of its innards for enjoyment. I just dislike VC overall, the storyline was okay, but truly nothing compared to GTA3, and the atmosphere is too flamboyant for my liking. It's more just a clash of tastes, mine obviously greatly differing from the mass'.

 

I just went back and did a few checks on that address that effects the traffic lights. Here's a few other images by modifying the values, these were encoded using JPEG for better quality:

 

 

 

 

And of course the addresses:

 

0x5F73DC - atmospheric lighting

 

0x5F52AC - camera distortion and distance from player

Edited March 31, 2005 by Kryptos

[Trust]

GTA3 is still the game I enjoyed the most.

 

The atmosphere is much darker, and it's the loads of sarcasm that can't be found in VC that make me enjoy it.

 

Good job, Kryptos.

[DexX]

/* does anyone know how i could completely disable cheat codes (VC 1.0)? There's text in the american.gxt that says "cheat mode enabled", so i assume there's some kind of switch or something, and MTA has them turned off as well, so clearly there is *a* way.

 

Its for a small mod im working on, that i would like to actually publicly release, and entering weapon and health cheats would defeat a major part of it. */

[Kryptos]

I'd imagine MTA just clears the cheat buffers so there aren't any strings available to activate the cheats, aside from directly calling the functions. They may also just null the call to the routine, either way.

[Quadropheniac90]

Hello, I'm new to this, but is there a way to get a textbox, and you can type in a model and when you press Enter you will become that model. And how do you change the memory adresses, with a hex editor or is there a special program? Tnx.

[Trust]

MTA prevented key input to type cheats, and also nops the cheat-addresses.

 

But there might be a way to switch if on/off I guess.

[random_download]

Hello, I'm new to this, but is there a way to get a textbox, and you can type in a model and when you press Enter you will become that model. And how do you change the memory adresses, with a hex editor or is there a special program? Tnx.

You can call a windows API to read/write memory addresses. Some tools you can use for memory editing are TSearch and ArtMoney. They basically do the same thing.

 

There is an opcode to set the players skin, so I suppose if you looked through the dissassembled exe and found the function it calls you could do that. Or if you made a keyboard hook and detected when the model was typed in, then passed it to the scm, you could just execute the opcode from there. I think that the latter way would work best.

[Hammer83]

/* does anyone know how i could completely disable cheat codes (VC 1.0)? There's text in the american.gxt that says "cheat mode enabled", so i assume there's some kind of switch or something, and MTA has them turned off as well, so clearly there is *a* way.

 

Its for a small mod im working on, that i would like to actually publicly release, and entering weapon and health cheats would defeat a major part of it. */

The call to process cheats routine is at this address: 0x602BE7. Nop that and I think it should disable all cheats (note: not tested).

[Quadropheniac90]

Well, I've downloaded TSearch and started Vice, but when I search for the Voodoo Hydraulics adress or whatever, it gives me 2 things but when I was in a Voodoo it gave 0 and when I got out it gave 0 finds. I don't know how to use it to change things (permanently) so is there a tut somewhere or can someone explain how to change all the stuff.