Cowpat 1 Posted June 14, 2004 (edited)

Ok, what I did was assume that 'Actor pointer' was the same as 'Player pointer' as posted by Stretchnutter and added 940 to that. So that would be 8276876 (0x007E4B8C) plus 940 = 8277816. The value I found wasn't a one or a zero (like you might find for a boolean value), so I just set it to zero.

Back in the game the whole top half of the screen was tearing. The bottom half was OK. I got the feeling that it was anything above the 'horizon' or drawn in the background that was affected by the tearing. Zero either of the first two bytes to get the effect. Zero the third byte and the game crashes.

If you are interested, and can't replicate what I found, I could do a listing of a block of values to help find it.

Edit: Ooops, I've just realised that the 940 may have been hex, rather than decimal. My bad.

Edited June 15, 2004 by Cowpat

Cray 0 Posted June 14, 2004

It's decimal, not hex, and does work. As stated in here though, this is a read-only value and is not something that can be set (as it wouldn't know what vehicle to put the player into, etc... etc...). It is a boolean value (I think defined as a BYTE or UINT8 in R*'s code). My guess is, the tearing is being caused by the pointer not pointing to the proper place, or somehow the math / settings of + 940 is not being performed properly.

As for Win98, it has always caused problems for the MTA Team with the old technology (currently released). What we found is that sometimes the player pointers are not correctly pointing to the correct place, therefore the sync is being broken (things can't be written / read properly). It's a pain, but does work.

Racer_S: there is definitely no downside to you comparing the pointers rather than using the + 940 BYTE, other than a few calculations here and there (really nothing major). You might as well use whatever works best most of the time.

Cray 0 Posted June 14, 2004

> Ok, what I did was assume that 'Actor pointer' was the same as 'Player pointer' as posted by Stretchnutter and added 940 to that.

You are correct. The easiest calculation is PLAYER_POINTER + (ACTOR_NUM * 1752), with ACTOR_NUM 0 (or the base PLAYER_POINTER), being the pointer to the actual player of the game. 1752 would be the size of the actor struct (internally many classes which come together to create the ACTOR, aka CPed). So, fill in the appropriate pointers and you should be good to go, and then anything you want to read off of that can be added, in decimal or hex, from the base pointer value above.

Cowpat 1 Posted June 14, 2004 (edited)

> The easiest calculation is PLAYER_POINTER + (ACTOR_NUM * 1752), with ACTOR_NUM 0 (or the base PLAYER_POINTER), being the pointer to the actual player of the game. 1752 would be the size of the actor struct (internally many classes which come together to create the ACTOR, aka CPed).

Thanks for all that. Although I program in C, and have got together a very simple loader for Vice City, I'm still very much feeling my way with the Player Pointer stuff and have been doing all my hacking by hand (nice tool, Delfi).

Edited June 18, 2004 by Cowpat

JernejL 47 Posted June 14, 2004 (edited)

> I think defined as a BYTE or UINT8 in R*'s code

or RwUInt8

edit: just to make this post useful, here is what i found yesterday:

812, 813 = byte tire status for bike (same values as car: 0 = normal, 1 = pooped, 2 = no-tire.. you should really try no-tire setting on a bike (lmao) )

Edited June 14, 2004 by Delfi

JernejL 47 Posted June 15, 2004

> pooped

erm.. this was a mistake, i made bike memory dumps, one normal and second one with empty tires, i temporarily named the ok bike as pcj and the second as pcj_pooped, because i couldn't make up a better name.. cars usually don't lose their tires on normal scenario, but you can use the status bytes that seem to specify active tires too.. although you can setup car to have no tires, the wheel model is still there..

Augh 0 Posted June 16, 2004

Hi. Delfi; I've recently gained a vested interest in discovering where the colour for the effect used to create siren and taxicab sign's light is assigned. If there's anything that I can do to either assist those searching the code or to try and discover it myself, could you outline briefly what that might involve? I haven't much if any experience with this stuff, possibly some relevant really really basic C++ based things. Alls I really know is I'm looking for a light object which can appear red, blue and yellow, and carries a rotating value in the first two cases. I don't know if this much is promising or not, and have no idea how many times more in-depth this kind of recoding is than my understanding of it... But yeah, I'm keen to discover or assist and I'd like to know more about how. Cheers.

DexX 43 Posted June 17, 2004 (edited)

Augh, if you want one person in particular to respond to something, it's better to send them a pm. as you posted this publicly, i will answer it...

> I've recently gained a vested interest in discovering where the colour for the effect used to create siren and taxicab sign's light is assigned. If there's anything that I can do to either assist those searching the code or to try and discover it myself, could you outline briefly what that might involve?

Grab either a hex editor, or a disassembler, and start looking at the "code". If you have no idea what I'm talking about, then you might just want to leave this to other people, as there isn't really a simple way to explain it. Some google searches would send you on your merry way though. The idea is modify the game memory while it's running and alter it to suit our needs. changing the color obviously has to be possible, but it's difficult to approach, as the color values aren't a variable while playing the game, the color is constant. Also, the lights don't "rotate", they flash, one color fading into the other.

i won't discourage you from helping, i'm just saying don't expect to be able to jump right into it. these are what i use, do google searches on them, and you can find official sites, work from there to find tutorials and whatnot.

Memory hacker / editor - Tsearch
Exe Disassembler - IDA
Hex editor - Winhex, Hex Workshop

I've also heard these are good, but haven't used them myself..

Memory hacker / editor - ArtMoney
Exe Disassembler - Win32 Disasm
Hex editor - Hex Workshop

good luck

Edited June 17, 2004 by ashdexx

Augh 0 Posted June 17, 2004

Thanks man, I largely just directed my request at the apparently most prevalent poster in a 'running stuff' position.

Ok. Hex editing and so on I'm familiar with in the sense that I have some idea what it looks like, how it quacks etc etc, but I'm no guru or even fully paid up. I'll have a poke around and see if it wouldn't be worth learning the basics of, most things like that are, eventually...

As to the specifics, mostly thinking out loud. For example, I couldn't determine if it would be easier (if one were R*) to turn the light effect off and on, or 'reface' it 2 or 4 times per 'spin'. That sorta thing, and like I noticed the Taxi and other sirens all use that graphic... Anyway, this is getting off the topic of mem edit, so I'll leave it there.

Thanks for the pointers and cautions both, appreciated.

JernejL 47 Posted June 20, 2004

i was bored and cracked pizzadox gta-vc trainer to see how the inf. run works, here is what i came up with, if the author would leave some email address in the trainer i would ask him..

inf. run: patch code at #5467949 with (90 90 90 90 90 90) (original= D8 25 24 54 97 00) (i think $90 means NOP)

this actually gave me a good point about that we could hook this little piece of code responsible for running, as EBP contains pointer to player block!!

the code shows two player-control-block variables: playblock + $600 and playblock + $608, both are also connected with running and getting tired

Sobeit 0 Posted June 21, 2004 (edited)

they were actually listed by jax..... but i've found some thing i need you to explain guy... and of course i didn't find them with dasm.....but with my own "private" proggie

0068322C 4B4F5F73686F745F6672+ db 'KO_shot_front',0
0068323C 4B4F5F73686F745F6661+ db 'KO_shot_face',0
0068324C 4B4F5F73686F745F7374+ db 'KO_shot_stom',0

those are actions, i am to believe the very first set of numbers are memory addresses, but i am not certain......

Edited June 21, 2004 by Sobeit

JernejL 47 Posted June 21, 2004 (edited)

> and of course i didn't find them with dasm.....but with my own proggie
>
> 0068322C 4B4F5F73686F745F6672+ db 'KO_shot_front',0

what did you use then? the whole thing looks really like disassembler program code dump.. especially the number in front, which is probably RVA address in-memory.. so if you made the program that made the output then you probably know what the number means..

search for gta3.dir file for that text, you may find the corresponding file about that text..

Edited June 21, 2004 by Delfi

Sobeit 0 Posted June 21, 2004 (edited)

i'd actually like to keep that program private, if anyone wants it, and actually knows what to do with it, other than pass it around, that'd be great, and i'll PM it to them, also, i'll do just that, thanx delphi

EDIT: didn't mean "my" proggie, my other post has been edited.....private

Edited June 21, 2004 by Sobeit

Cowpat 1 Posted June 21, 2004 (edited)

Found this tonight, see if you get same thing as me.

#6879074 (0x68F762), set 2 bytes to zero. No peds, cars, bikes, anything, except buses + passengers. Minimum value with any traffic is ~003F.

Seems to prevent object creation, though existing objects remain until destroyed. Appears to leave missions intact, except from them being dead easy on account of the lack of traffic and no cop cars. Shop staff exist.

Maybe some chavvie would like to stick it in a trainer.

btw. is anyone else out there finding that this address works, someone?

Edited June 23, 2004 by Cowpat

Sobeit 0 Posted June 22, 2004

> I'm sure your "private program" isn't any match for the super IDA.

pffffft kicks IDA's ass anyways........this is a n00b Q, but.....what must u obtain (program) to open DIR files......

ghost_master2000 0 Posted June 22, 2004

LOL!!! yes that is an UBER-noob question. the .dir file is just a list of file entries for the img files. It's just an index of all the files in the .img files. here is the structure:

    struct DirEntry
    {
        unsigned long StartBlock;
        unsigned long BlockCount;
        char name[23];
    };

each block is exactly 2048 bytes.

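The record layout from the post above, read with the checks a parser for an untrusted index file needs; this is an added example, not code from the thread or from the game. It assumes 32-byte little-endian records on disk, with the name filling the 24 bytes after the two counters; `dir_parse_entry`, `make_record` and the sample names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIR_RECORD_SIZE 32u   /* assumption: 4 + 4 + 24-byte name field on disk */
#define DIR_NAME_FIELD  24u   /* assumption, see lead-in */
#define IMG_BLOCK_SIZE  2048u /* from the post: each block is exactly 2048 bytes */
typedef struct {
    uint64_t byte_offset;              /* StartBlock * 2048 */
    uint64_t byte_length;              /* BlockCount * 2048 */
    char     name[DIR_NAME_FIELD + 1]; /* always NUL-terminated here */
} dir_entry;

/* Read a 32-bit little-endian value byte by byte (no struct cast, no padding issues). */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse record `index`. Returns 0 on success, -1 for a truncated buffer or bad index,
 * -2 if the entry points outside an .img of img_size bytes (name is still filled in). */
int dir_parse_entry(const uint8_t *dir, size_t dir_len, size_t index,
                    uint64_t img_size, dir_entry *out)
{
    if (dir_len % DIR_RECORD_SIZE != 0 || index >= dir_len / DIR_RECORD_SIZE)
        return -1;
    const uint8_t *rec = dir + index * DIR_RECORD_SIZE;
    /* Widen before multiplying: StartBlock * 2048 can overflow 32 bits. */
    out->byte_offset = (uint64_t)read_le32(rec) * IMG_BLOCK_SIZE;
    out->byte_length = (uint64_t)read_le32(rec + 4) * IMG_BLOCK_SIZE;
    /* The name may fill the whole field with no terminator. */
    size_t n = 0;
    while (n < DIR_NAME_FIELD && rec[8 + n] != '\0') n++;
    memcpy(out->name, rec + 8, n);
    out->name[n] = '\0';
    if (out->byte_offset > img_size || out->byte_length > img_size - out->byte_offset)
        return -2;
    return 0;
}

/* Builds one constructed sample record (not real game data). */
void make_record(uint8_t *rec, uint32_t start, uint32_t count, const char *name)
{
    size_t n = strlen(name);
    memset(rec, 0, DIR_RECORD_SIZE);
    for (int i = 0; i < 4; i++) {
        rec[i]     = (uint8_t)(start >> (8 * i));
        rec[4 + i] = (uint8_t)(count >> (8 * i));
    }
    memcpy(rec + 8, name, n < DIR_NAME_FIELD ? n : DIR_NAME_FIELD);
}

int main(void)
{
    uint8_t dir[2 * DIR_RECORD_SIZE];
    dir_entry e;
    make_record(dir, 3, 2, "sample.dff");                              /* well formed */
    make_record(dir + 32, 0xFFFFFFFFu, 1, "ABCDEFGHIJKLMNOPQRSTUVWX"); /* malformed */
    for (size_t i = 0; i < 2; i++) {
        int rc = dir_parse_entry(dir, sizeof dir, i, 10 * IMG_BLOCK_SIZE, &e);
        printf("rc=%d name=%s offset=%llu\n", rc, e.name, (unsigned long long)e.byte_offset);
    }
    return 0;
}
```
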
JernejL 47 Posted June 23, 2004

> i'd actually like to keep that program private, if anyone wants it, and actually knows what to do with it, other than pass it around, that'd be great, and i'll PM it to them, also, i'll do just that, thanx delphi
>
> EDIT: didn't mean "my" proggie, my other post has been edited.....private

i seriously doubt about that you made the program to view that data and don't know what the numbers that your program prints mean..

Cowpat: i'll try to stick them into new dev-console (with full credit of course)

ST.MU, if you can read this, i finally managed to redirect debug output text (vcdbg) to any other program (dev-console) avoiding debugmonitor, it uses a simple wm_copydata data transfer

Cowpat 1 Posted June 23, 2004 (edited)

Thanks Delfi. If you feel you can use it then please do.

Of course, when I'm running around the empty City, I'm running at 4x speed, using my Speedz program (plug, plug), so it's quite easy to get from A to B without being able to hijack the nearest car/bike.

Edited June 23, 2004 by Cowpat

steve-m 23 Posted June 23, 2004

> ST.MU, if you can read this, i finally managed to redirect debug output text (vcdbg) to any other program (dev-console) avoiding debugmonitor, it uses a simple wm_copydata data transfer

Nice. But it still needs the .asi, right? Very good work on the dev-console, seems it can do absolutely everything...

JernejL 47 Posted June 23, 2004

> > ST.MU, if you can read this, i finally managed to redirect debug output text (vcdbg) to any other program (dev-console) avoiding debugmonitor, it uses a simple wm_copydata data transfer
>
> Nice. But it still needs the .asi, right? Very good work on the dev-console, seems it can do absolutely everything...

yeah, it still needs .asi, but i found out that gta-vc will also auto-grab these file extensions on initialization, listed in order: .asi .mix .m3d .flt

i named the new vcdbg as .flt, so it overrides any hooks setup by existing older vc-dbg so the logging is 100% to be working

here is how it looks run-time (using 3d analyse d3d8.dll hack to run it in window) :

i'll put a update to the devconsole topic.

cowpat: i gotta try this speedz program, sounds cool..

Cowpat 1 Posted June 23, 2004 (edited)

Delfi: it's coolish. Download it from my sig. It's not a trainer, but instead modifies ped.ifp. You can speed up the peds to ridiculous levels, but that works best in GTA3 - set peds to 1000 + "do time" and enjoy the mayhem. Otherwise it's best used as a "set it and forget it" way to make your player faster. But be warned though, once you get faster on foot you won't want to go back!

Edit to remove link and to update recommended ped setting.

Edited July 15, 2004 by Cowpat

Opius 9 Posted June 24, 2004

Well, since I suck at this, I've got nothing concrete, but if the EXE uses materials in the same format as the DFF file, the colours DO NOT go RGB, it's in the format BGRA. Might help anyone looking for colours in the EXE. That is all.

Jack_Knife 1 Posted June 24, 2004

@Opius: I seem to remember that that's the standard order of the colours in directX, from when I was playing around with it a while ago. But yeah, might be helpful.

@Everyone who has contributed to this topic: I'd like to express my appreciation for your efforts. Not only have I had fun messing around with the addresses myself, there have been a few trainer-type programs that have sprung up, mainly due to the help provided by this topic. So, yeah, thanks.

JernejL 47 Posted June 24, 2004

> Delfi: it's coolish. Download it from my sig. It's not a trainer, but instead modifies ped.ifp. You can speed up the peds to ridiculous levels, but that works best in GTA3 - set peds to 10,000 or more and enjoy the mayhem. Otherwise it's best used as a "set it and forget it" way to make your player faster. But be warned, once you get faster on foot you won't want to go back! Or download here: Speedz

i tried it now, chose unmodded ped.ifp file and set a file where to write new one, but when trying to generate new ped.ifp the program starts to allocate enormous amounts of memory and eventually crashes itself because it runs out of memory, the crash is produced in msvcrt.dll..

can you make a optimal fun ped.ifp and upload it?

Cowpat 1 Posted June 24, 2004 (edited)

> i tried it now, chose unmodded ped.ifp file and set a file where to write new one, but when trying to generate new ped.ifp the program starts to allocate enormous amounts of memory and eventually crashes itself because it runs out of memory, the crash is produced in msvcrt.dll.. can you make a optimal fun ped.ifp and upload it?

Jeez, this the first feedback I've had so I never realised there might be a problem with it. The program does a lot of allocation/deallocation of memory but I've never had any problem running it with 512MB. Stupid question but, you're not trying to write a GTA3 .ifp to a VC .ifp or something, or trying to read and write to the same copy of ped.ifp?

If anyone else out there is having problems, please tell me. I can't put a copy up on my site because I've got a 2meg limit and besides, I'd like to sort this out. It was developed on XP using VC++ 6.0, could users of Win9x have problems? Surely not, cause it's all ANSI C.

Delfi: thanks for the .dll info. I'm not good enough a programmer to make proper use of it, but if it's some kind of memory leak I have an idea where it might be.

Edited July 2, 2004 by Cowpat

DexX 43 Posted June 24, 2004

> Well, since I suck at this, I've got nothing concrete, but if the EXE uses materials in the same format as the DFF file, the colours DO NOT go RGB, it's in the format BGRA. Might help anyone looking for colours in the EXE. That is all.

um....are you sure? I've looked at material settings in RW Analyze, and in a hex editor, and i've always successfully modded them in the RGBA format. in fact, that's how i got the carcols prim and sec colors..

JernejL 47 Posted June 26, 2004

> > i tried it now, chose unmodded ped.ifp file and set a file where to write new one, but when trying to generate new ped.ifp the program starts to allocate enormous amounts of memory and eventually crashes itself because it runs out of memory, the crash is produced in msvcrt.dll.. can you make a optimal fun ped.ifp and upload it?
>
> Jeez, this the first feedback I've had so I never realised there might be a problem with it. The program does a lot of allocation/deallocation of memory but I've never had any problem running it with 512MB. Stupid question but, you're not trying to write a GTA3 .ifp to a VC .ifp or something? Or trying to read and write to the same copy of ped.ifp? I know, I know, you're not that stupid, but I have to ask.
>
> If anyone else out there is having problems, please tell me (assuming anyone else has tried it). I can't put a copy up on my site because I've got a 2meg limit and besides, I'd like to sort this out. It was developed on XP using VC++ 6.0, could users of Win9x have problems? Surely not, cause it's all ANSI C.
>
> Delfi: thanks for the .dll info. I'm not good enough a programmer to make proper use of it, but if it's some kind of memory leak I have an idea where it might be. But strange that it's never affected me.

i did this:

1. run speedz
2. file > open ifp read
3. picked gtavc unmodified ped.ifp
4. file > open ifp write and named file inside anim folder named 'Kopija od ped.ifp' which is a copy of original file (dialog doesn't allow to choose nonexistent files)
5. setup player and pedestrians to 4.0 and checked do_time
6. clicked ok

   wtf?? now something different happens - dialog box saying 'Ok Ok A'
7. *runs gtavc* erm.. no changes? *tries again* nothing different happens in gta-vc

Cowpat 1 Posted June 28, 2004 (edited)

Actually, I forgot, I did have it tested by a guy from my work and he reported that it worked ok - but then, maybe he was just telling me what I wanted to hear.

Try writing to ped.ifp instead of "copy of ped.ifp". It shouldn't make any difference, but you never know. Also, can you see evidence of the file being written to in Explorer? Otherwise, you seem to be operating it as instructed. I wouldn't bother doing time - it's not worth it! Hope you can get it working ok.

If anyone else out there is getting it to work ok it would be much appreciated if you could give me a sign - either here or by PM.

More addresses tonight, never expected the forums to be up and running so soon.

Edited June 28, 2004 by Cowpat

JernejL 47 Posted June 28, 2004

> Actually, I forgot, I did have it tested by a guy from my work and he reported that it worked ok - but then, maybe he was just telling me what I wanted to hear.
>
> Try writing to ped.ifp instead of "copy of ped.ifp". It shouldn't make any difference, but you never know. Also, can you see evidence of the file being written to in Explorer? Otherwise, you seem to be operating it as instructed. I wouldn't bother doing time - it's not worth it! Hope you can get it working ok.
>
> If anyone else out there is getting it to work ok it would be much appreciated if you could give me a sign - either here or by PM.
>
> More addresses tonight, never expected the forums to be up and running so soon.

actually the ending copy of ped.ifp is bigger by 1 Kb..

jax 0 Posted June 28, 2004

I too have tried the program and it doesn't work... i get the same problem as delphi, and sometimes it likes to lock up my whole computer, i think it hogs all the ram, and my comp has 1GB of ram... so there's something fishy goin on there....

-Jax