JernejL

Documenting GTA3/VC memory addresses

Cowpat

Some addresses. Stop me if you've heard them.

 

ov = original value

 

6878762 flying crash cars

2byte ovb33f

to zero

 

6878822 constantly fall/no collision?

2byte ov4042

to zero

 

6878982 crazy bike

2byte ov803f

set to 0100h, don't zero

 

6885422 tick rate for player, peds, player vehicle

1byte ova9

set to 9f slow, d9 fast

 

6885990 no vehicle traffic

1byte ov80

to zero

 

6885992 no peds, vehicles, parked vehicles. only buses

1byte ov3f

to zero

 

Strange one this,

6886734 mini cars + people, big cars + people

1byte ov80

set to 00 mini, FF big

Blehbeb

great prog Cowpat it works great. I was having the same problem as the other guys at first but here's what I did to get it to work. Placed original copy of ped.ifp in same dir as speedz.exe. Deleted Spdz.ini so it used the default settings. Changed the player speed to 4.0 clicked ok. It wrote the new file to C:\Program Files\Rockstar Games\Grand Theft Auto Vice City\anim and worked perfect. I have it set to 10 right now and holy crap does he run fast. I'm finding if I wanna actually go slow I gotta hold down the run key haha.

Cowpat

Thanks Blehbeb. I had the noose around my neck and was just about to kick the chair away. Good to know the prog works for some at least. Have suspicion that problem might be my crappo readme instructions.

 

At 4x speed you may find problems getting on to choppers, and also, if you run through one of those pill-shaped pick ups that make the game world go into slow-mo you may find you die rather easily.

 

Meanwhile, some more addresses. Stop me if you've heard them.

 

ov = original value

 

6886734 small/big bike fronts

1byte ov80

set to 00 small, FF big

 

6889110 all peds spawned facing North/zombie nation

2byte ovb63b

to zero

 

6889182 punching, kicking or melee weapons have no effect

1byte ov a3

change value

 

6901186, 6901192 no peds, only vehicles

2byte, 1byte

to zero

 

6901223 all peds spawned as cops

1byte ov38

to zero

 

6901246 only women + cops in some areas, only men + cops in other areas

2byte ov8041

to zero

 

6901370 peds spawned only behind camera

1byte ov80

to zero

 

6901372 no peds

1byte

to zero

 

6901382 only cops, skaters and shufflers spawned

2byte ov733f

to zero

Edited by Cowpat

Stretchnutter

YAY... a new discovery.. nothing too special.

 

ok it's a dword (4 bytes)

 

You get the actor pointer, add 0x244

 

if you change this to 0 while in a car you can shoot your weapons forward while driving (and switch weapons)... but it disables the accelerator so you have to change back to dec 50 (0x32) to be able to resume normal driving.

 

it's weird, but it's a start... i was having fun shooting the big machine gun from the driver's seat

hehehe

 

EDIT: Watch the video - DivX 5, 450kb, sorry for bad quality

Edited by Stretchnutter

Kryptos

I've been doing a lot of work on the GTA3 executable, namely going through the SCM portion of it following all the jump routines and calls and such. Last night I was going through opcode 015d, set_gamespeed, and I followed everything through into the address that controls the speed of the game. So I decided to have some fun with it and modified it to crap with some interesting results. The address is 8F2CD4. Most of the time the modified value has an effect of super-slow-motion, it seems as though the game has frozen although if you watch vehicles and pedestrians closely you can see their characters running through the animation routines and the vehicle's tires spinning. I also managed to modify it so only the vehicles were travelling at normal speed and the pedestrians were in super-slow-motion. Possibly the most humorous part was when I modified the value again and two pedestrians began floating away. Anyhow, it's fun to play with. I realize that this is the GTA:Vice City topic, however the same can be done with the Vice engine, although I don't have the executable on hand so I can't give you the address. I'm not sure if anyone else has already documented this address, so excuse this post if it's an old find.

 

Ciao,

Kryptos

Cowpat

Stretchnutter: went to player pointer + 0x244 but found this value 0100 0000.

this changes to 3200 0000 when player in vehicle. perhaps we have different VC versions. Glad I went there anyway because I found this,

 

Player pointer + 0x46 (70 decimal)

1 byte to FF

 

Camera leaves player body. You are still as normal but invisible. Still cast shadow. Can fire weapons but they have no effect as it is the 'body' which actually does the firing. Don't switch this on when in a vehicle as it will crash game. You can get in/on a vehicle once it is switched on though. Has to be reset if you are wasted. Switching effect on and off eventually crashes game anyway.

 

****** Stop Press ******

 

For users of Speedz + SpeedzGTA3. Please note that the programs cannot be run from within the game exe directory. Also, that the programs take an unmodified copy of ped.ifp (usually placed in the same dir as Speedz) and then output a modified copy of ped.ifp (usually to the anim dir in the game directory). I shall re-write the readme instructions to clarify these matters. Apologies to those who have been having trouble.

 

thanks

**********************

Edited by Cowpat

JernejL
> Stretchnutter: went to player pointer + 0x244 but found this value 0100 0000.
>
> this changes to 3200 0000 when player in vehicle. perhaps we have different VC versions. Glad I went there anyway because I found this,
>
> Player pointer + 0x46 (70 decimal)
>
> 1 byte to FF
>
> Camera leaves player body. You are still as normal but invisible. Still cast shadow. Can fire weapons but they have no effect as it is the 'body' which actually does the firing. Don't switch this on when in a vehicle as it will crash game. Switching effect on and off eventually crashes game anyway.
>
> Cheap n' cheerful alternative to camera hack for admiring skins, etc.

my method - game world freeze - value is around page 3 i think is safer

it freezes world and allows you to move camera around actor when on-foot

the key is bound to F in developer console in default hotkey config file.

the world freeze option is also used in dev-console when you use the console key to operate with console..

 

Stretchnutter
> Stretchnutter: went to player pointer + 0x244 but found this value 0100 0000.
>
> this changes to 3200 0000 when player in vehicle. perhaps we have different VC versions.

that's right.. if you set it to 0 while in a car you can shoot your weapons forward .. also you can aim left or right (notice the animation changes)

Cowpat
>> Stretchnutter: went to player pointer + 0x244 but found this value 0100 0000.
>>
>> this changes to 3200 0000 when player in vehicle. perhaps we have different VC versions.
>
> thats right.. if you set it to 0 while in a car you can shoot your weapons forward .. also you can aim left or right (notice the animation changes)

Yup, got it now. musta been too tired last night.

great for smashing thru roadblocks and the ultimate in driveby's

JernejL
>>> Stretchnutter: went to player pointer + 0x244 but found this value 0100 0000.
>>>
>>> this changes to 3200 0000 when player in vehicle. perhaps we have different VC versions.
>>
>> thats right.. if you set it to 0 while in a car you can shoot your weapons forward .. also you can aim left or right (notice the animation changes)
>
> Yup, got it now. musta been too tired last night.
>
> great for smashing thru roadblocks and the ultimate in driveby's

the car machinegun shooting works fine, but shoots into own car because player is too much inside

and on bikes the minigun shoots sideways instead front..

 

Cowpat

 

> the car machinegun shooting works fine, but shoots into own car because player is too much inside
>
> and on bikes the minigun shoots sideways instead front..

talk about shooting sideways...

if you do that thing I posted the other night

 

Player pointer + 0x46 (70 decimal)

1 byte to FF

 

first park your player in spot with good firing arc, switch the effect on, go a little away from your body, get yourself a couple of stars. when the cops arrive they don't seem to know where to shoot and you can target and kill them easily, your 'body' doing the actual shooting, you the aiming. even with FBI you don't sustain many hits cause everybody seems to be shooting sideways. but you can't move very far from your body ( or the bullets are out of range) and of course you gotta deal with the helicopters as usual. mindless, but fun for a while.

Edited by Cowpat

Stretchnutter

yea i said it was weird. It seems to work best with the bikes and the Yankee(box truck...) .

 

I noticed if you steer left or right you can change the shooting angle..

random_download

Sorry if this is a N00B question, but how do I poke strings or floats to an address? I am using Delphi 7 and this is the code I use to poke hex integers:

    var
      WindowName: integer;
      ProcessId: integer;
      ThreadId: integer;
      buf: PChar;
      HandleWindow: Integer;
      write: cardinal;
      return: string;

    const
      WindowTitle = 'GTA: Vice City';

    ...

    procedure TForm1.Button1Click(Sender: TObject);
    const
      Address1 = $4ed772;
      PokeValue1 = $0122;
      NumberOfBytes1 = 2;
    var
      value: Word;
    begin
      WindowName := FindWindow(nil, WindowTitle);
      if WindowName = 0 then
      begin
        MessageDlg('The game must be running. Run it now, and then try again.', mtWarning, [mbOK], 0);
        Exit; // no window found, so there is no process to open
      end;
      ThreadId := GetWindowThreadProcessId(WindowName, @ProcessId);
      HandleWindow := OpenProcess(PROCESS_ALL_ACCESS, False, ProcessId);
      // the buffer has to hold every byte that gets written, and carry the value to poke
      GetMem(buf, NumberOfBytes1);
      value := PokeValue1;
      Move(value, buf^, NumberOfBytes1);
      WriteProcessMemory(HandleWindow, ptr(Address1), buf, NumberOfBytes1, write);
      FreeMem(buf);
      CloseHandle(HandleWindow);
    end;

I managed to get most of the addresses which are integers to work with this.

Address1 = memory address

PokeValue1 = hex value to poke

NumberOfBytes1 = the number of hex bytes to be poked

JernejL

use this:

    function TTrainer.readProcess(offset: longword; var Buffer; size: integer): integer;
    var
      detach: boolean;
    begin
      windows.ReadProcessmemory(apphandle, pointer(offset), @buffer, size, cardinal(result));
    end;

you can see how i typecasted the longword type which is 4 byte integer and allows performing arithmetic into a pointer

now you can specify any integer value for the offset and it will be accepted.

to convert string to integer use inttostr('$123') function, it converts from decimal and hex format (if first char is dollar sign)

 

random_download

Could you give me an example on how to use that please, because I really don't understand how to use it.

I get as much as 'offset' is the address, '@buffer' is the string to poke and 'size' is the number of bytes. I think it is used something like:

 

    WindowName := FindWindow(nil,WindowTitle);
    If WindowName = 0 then
    begin
      MessageDlg('The game must be running. Run it now, and then try again.', mtwarning,[mbOK],0);
    end;
    ThreadId := GetWindowThreadProcessId(WindowName,@ProcessId);
    apphandle := OpenProcess(PROCESS_ALL_ACCESS,False,ProcessId);
    GetMem(buffer,1);
    buffer^ := inttostr('$1');
    offset:= $4ed772
    size:= $1
    windows.ReadProcessmemory(apphandle, pointer(offset), @buffer, size, cardinal(result));
    end;
    FreeMem(buffer);
    closehandle(apphandle);

 

I can't test this at the moment because I am on the PC without Delphi.

Spooky

 

    var
      Buffer: BYTE;
      hWin: HWND;
      hProc: THandle;
      iProcID, nbr: Cardinal;
    begin
      hWin:= FindWindow(nil, WINDOW_CAPTION);
      if hWin = 0 then
        MessageDlg('The game must be running. Run it now, and then try again.', mtWarning, [mbOK], 0)
      else
      begin
        GetWindowThreadProcessId(hWin, @iProcID);
        hProc:= OpenProcess(PROCESS_ALL_ACCESS, false, iProcID);
        ReadProcessMemory(hProc, Ptr($4ed772), @Buffer, SizeOf(Buffer), nbr);
        CloseHandle(hProc);
      end;
    end;

 

 

This would read one byte from $4ed772 into Buffer. If you wanted to read a float or whatever, simply change Buffer's type on the second line.

random_download

Sorry for the double-post.

Found the wanted level mem. address.

 

978D98 > integer

BFF7C88 > integer

 

both in hex. They both change with the wanted level, change them both and it works.

 

Ammo for M60=

 

2541DD0 > Integer. Ammo loaded for M60.

2541DD4 > Integer. Total ammo for M60.

 

Both in hex.

Edited by random_download

Stretchnutter

@random_download

 

some of your offsets are too high of a number to be static.. this means the next time you restart your game the offset will be different.

 

so these offsets need the player pointer + something to make sense... like the wanted level and ammo i know for sure are in the player block.

random_download

I just find that if you change the values with Tsearch or a trainer they change the wanted level or ammo for M60.

ModelingMan

I was also searching for the wanted level address today, I came across one that random_download found($978D98), but that one only pokes the value, but it doesn't lock it.

 

This is the correct memory address for the wanted level:

 

$3A942D8 > 1 byte (values 0-6)

 

$3A942B8 > 2 byte (values 0 = 0, 1 = 74, 2 = 220, 3 = 393, 4 = 1220, 5 & 6 = game crashed when I was gonna get these)

 

Values for the second address vary.

 

(All my addresses are for VC 1.0)

 

EDIT:

 

 

> so these offsets need the player pointer + something to make sense... like the wanted level and ammo i know for sure are in the player block.

Yep you are correct, I just went back ingame, and the memory addresses I found have changed.

Edited by ModelingMan

JernejL
> Sorry for the double-post.
>
> Found the wanted level mem. address.
>
> 978D98 > integer
>
> BFF7C88 > integer
>
> both in hex. They both change with the wanted level, change them both and it works.
>
> Ammo for M60=
>
> 2541DD0 > Integer. Ammo loaded for M60.
>
> 2541DD4 > Integer. Total ammo for M60.
>
> Both in hex.

the static - fixed data addresses are:

from #4194304 ($400000) to 4194304 + gta-vc exe file size.

anything above is dynamic and those addresses shouldn't be posted because they won't work - you should find a pointer to them to make them work.

for instance - to recharge weapons properly use the player actor pointer and the weapon index and you'll find the right data always, stretchnutter posted his method for finding out if weapon is being fired that on page 2-4 - weapon ammo is close, and i have posted mine for exact weapon ammo few pages back.

my new addresses:

 

CAR PTR +

 

683 - driver door status

684 - front passenger side door status

685 - left-rear door status

686 - right-rear door status

 

status numbers:

open = 2 (the door will dangle when you drive like when damaged)

closed= 0 (the door won't move, like it is closed)

 

and i believe that ashdexx sent me fixed and useful addresses for wanted level.. but i can't find them atm

 

ghost of delete key

If this were a hardware problem, I would use a logic analyzer on the data busses and set up a statistical analysis to detect what states change versus what inputs change. This naturally will return groups of states associated with keypress input and related system-states. From there a state-map is no big deal.

 

It seems to reason you could do exactly the same thing here; you already have the logic analyzer front-end.

All that's needed is a bit of code that generates a table of running-game addresses, a logger (output to .txt file?) and a few lines to create highlights, histograms, or whatever statistical output makes sense in order to paint a picture of what addresses are involved in any given gamestate or input.

(maybe a box where you could annotate event names)

 

The whole of the mem could probably be grokked and documented within a week.

 

And no more "I found half of what makes it work, but..."

 

Too bad I have more ideas than coding skill ATM...

 

 

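The snapshot-and-correlate idea from the post above, as an added example in C that is not part of the original thread: it scores each watched address by how well its changes line up with an annotated event. The snapshots, the event log and `BASE_ADDR` are constructed sample data, and the scoring rule (hits minus false alarms minus misses) is one simple choice, not something the poster specified.

```c
#include <stdint.h>
#include <stdio.h>

#define N_ADDR 6
#define N_SNAP 7
#define BASE_ADDR 0x500000u /* constructed address of the first watched byte */

/* Constructed snapshots of six watched bytes, taken one after another. */
static const uint8_t snaps[N_SNAP][N_ADDR] = {
    {0, 5, 9, 0, 7, 1},
    {1, 5, 9, 1, 7, 1},
    {2, 5, 9, 1, 7, 1},
    {3, 5, 8, 1, 7, 1},
    {4, 5, 8, 2, 7, 1},
    {5, 5, 8, 3, 7, 0},
    {6, 5, 8, 3, 7, 0},
};
/* event[i] is 1 when the annotated event happened between snapshot i-1 and i. */
static const int event[N_SNAP] = {0, 1, 0, 0, 1, 1, 0};

/* Score one address: +1 when it changes together with the event,
   -1 when it changes without the event (noise such as a tick counter),
   -1 when the event happens and the address stays the same. */
static int score(int a)
{
    int hits = 0, false_alarms = 0, misses = 0;
    for (int i = 1; i < N_SNAP; i++) {
        int changed = snaps[i][a] != snaps[i - 1][a];
        if (changed && event[i]) hits++;
        else if (changed && !event[i]) false_alarms++;
        else if (!changed && event[i]) misses++;
    }
    return hits - false_alarms - misses;
}

/* Index of the address whose changes track the event best. */
static int best_candidate(void)
{
    int best = 0;
    for (int a = 1; a < N_ADDR; a++)
        if (score(a) > score(best)) best = a;
    return best;
}

static uint32_t candidate_address(void)
{
    return BASE_ADDR + (uint32_t)best_candidate();
}

int main(void)
{
    for (int a = 0; a < N_ADDR; a++)
        printf("0x%06X score %d\n", (unsigned)(BASE_ADDR + (uint32_t)a), score(a));
    printf("best candidate: 0x%06X\n", (unsigned)candidate_address());
    return 0;
}
```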
Spooky
> Spooky, have you ever considered making a trainer-like app for Vice? or will delfi run the show?

Delfi is the master, it'd be no competition

random_download

Here are the addresses for all the garages:

 

 

7D7878 - sunshine   slot 1
7D78A0 - sunshine   slot 2
7D7918 - sunshine   slot 3
7D7940 - sunshine   slot 4
7D79B8 - sunshine   slot 5
7D79E0 - sunshine   slot 6
7D7A58 - sunshine   slot 7
7D7A80 - sunshine   slot 8
7D7558 - hyman      slot 1
7D7580 - hyman      slot 2
7D75A8 - hyman      slot 3
7D75D0 - hyman      slot 4
7D75F8 - hyman      slot 5
7D7620 - hyman      slot 6
7D7698 - hyman      slot 7
7D76C0 - hyman      slot 8
7D7AF8 - diaz       slot 1
7D7B20 - diaz       slot 2
7D7738 - Ocean      slot 1
7D77D8 - links      slot 1
7D74B8 - el swanko  slot 1

 

 

3 or 4 of these were already posted by ModelingMan and ULTRA. Obviously, all in hex. For v1.0.

 

Edit: I can't get the player pointer to work. I read it, and it changes when I start up Vice City again, but it is always very low such as 24 or 240.

When it was 24, the address for the Magnum was 2541D70. When the player pointer was 240, it was 253DB2C. I can't find any sort of patterns between them. Somewhere in this thread is a post on seeing if the player is driving, which was to add 940 to the player pointer. This gives a very low address, for which no value exists. Do I have to do something else to get the right values?

Edited by random_download

JernejL

my pointers i post are decimal, if you used mine then this is the problem.

 

random_download

No, I used the hex pointer posted by Stretchnutter on page 11.

> 0x7E4B8C - Player (character) Pointer VC 1.0

I put that into TSearch and got the values I posted above. Are these the sort of numbers which should appear there and I missed something out? Or did I do something wrong elsewhere? When I put the value into TSearch, it just deleted the 0x bit, is that correct?

Edited by random_download

JernejL
> No, I used the hex pointer posted by Stretchnutter on page 11.
>
>> 0x7E4B8C - Player (character) Pointer VC 1.0
>
> I put that into TSearch and got the values I posted above. Are these the sort of numbers which should appear there and I missed something out? Or did I do something wrong elsewhere? When I put the value into TSearch, it just deleted the 0x bit, is that correct?

no idea, i don't use Tsearch..

on the player address read a 4 byte integer (dword, uint32 whatever) then go directly to that address.

 

random_download
OK, I used this:

    var
      Buffer: BYTE;
      hProc: THandle;
      iProcID, nbr: Cardinal;
    const
      Size = 4;
    begin
      WindowName := FindWindow(nil,WindowTitle);
      If WindowName = 0 then
      begin
        MessageDlg('The game must be running. Run it now, and then try again.', mtwarning,[mbOK],0);
      end;
      GetWindowThreadProcessId(WindowName, @iProcID);
      hProc:= OpenProcess(PROCESS_ALL_ACCESS, false, iProcID);
      ReadProcessMemory(hProc, Ptr($7E4B8C), @Buffer, Size, nbr);
      CloseHandle(hProc);
      Label25.Caption:= inttostr(Buffer);

To read the address, but the program crashed. when I changed:

    ReadProcessMemory(hProc, Ptr($7E4B8C), @Buffer, Size, nbr);

to

    ReadProcessMemory(hProc, Ptr($7E4B8C), @Buffer, SizeOf(Buffer), nbr);

by changing Size to SizeOf(Buffer), it worked fine, displaying 16 as the value. I opened TSearch, and that said that the value was 16 too.

JernejL
> OK, I used this:
>
>     var
>       Buffer: BYTE;
>       hProc: THandle;
>       iProcID, nbr: Cardinal;
>     const
>       Size = 4;
>     begin
>       WindowName := FindWindow(nil,WindowTitle);
>       If WindowName = 0 then
>       begin
>         MessageDlg('The game must be running. Run it now, and then try again.', mtwarning,[mbOK],0);
>       end;
>       GetWindowThreadProcessId(WindowName, @iProcID);
>       hProc:= OpenProcess(PROCESS_ALL_ACCESS, false, iProcID);
>       ReadProcessMemory(hProc, Ptr($7E4B8C), @Buffer, Size, nbr);
>       CloseHandle(hProc);
>       Label25.Caption:= inttostr(Buffer);
>
> To read the address, but the program crashed. when I changed:
>
>     ReadProcessMemory(hProc, Ptr($7E4B8C), @Buffer, Size, nbr);
>
> to
>
>     ReadProcessMemory(hProc, Ptr($7E4B8C), @Buffer, SizeOf(Buffer), nbr);
>
> by changing Size to SizeOf(Buffer), it worked fine, displaying 16 as the value. I opened TSearch, and that said that the value was 16 too.

WTF?? POINTERS ARE 4 BYTE INTEGERS, NOT ONE BYTE THEY ARE NOT BYTE TYPE, USE LONGWORD (4 BYTES) AND DON'T USE POINTER TYPE EITHER BECAUSE YOU CAN'T PERFORM ARITHMETIC ON THEM WITHOUT TYPECASTING, AND I AM TELLING YOU THIS FOR THE LAST 3 PAGES!!

 

jax

Well, Someone's cranky...

 

w00t go delfi open up a can of whoopass on someone who just wants help... way to go. This kind of stuff isn't exactly easy for everyone to grasp the concept of you know...

 

-Jax
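The pointer lookup argued over in the posts above (read the 4-byte value stored at the player pointer address, then add a field offset), as an added example in C rather than the thread's Delphi; it is not code from any poster. `read_mem` is a stand-in for ReadProcessMemory over constructed sample memory, and `IMAGE_SIZE`, the pointer value 0x02540D10 and the stored bytes are assumptions chosen so that a 1-byte read of the pointer yields 16.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x400000u /* start of the static range, as stated in the thread */
#define IMAGE_SIZE 0x400000u /* assumed image size (placeholder, not from the thread) */
#define PLAYER_PTR 0x7E4B8Cu /* player pointer address for VC 1.0, from the thread */

/* Constructed sample memory: the pointer slot holds 0x02540D10 (little-endian)
   and the dword at player block + 0x244 holds 0x32. */
static const uint8_t image_slice[0x100] = {  /* maps 0x7E4B00..0x7E4BFF */
    [0x8C] = 0x10, [0x8D] = 0x0D, [0x8E] = 0x54, [0x8F] = 0x02 };
static const uint8_t heap_slice[0x1000] = {  /* maps 0x2540000..0x2540FFF */
    [0xF54] = 0x32 };

struct region { uint32_t base, size; const uint8_t *bytes; };
static const struct region regions[] = {
    { 0x7E4B00u,  sizeof image_slice, image_slice },
    { 0x2540000u, sizeof heap_slice,  heap_slice  },
};

/* Stand-in for ReadProcessMemory: copies size bytes into out, or returns 0
   when the requested range is not fully mapped. */
static int read_mem(uint32_t addr, void *out, uint32_t size)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const struct region *r = &regions[i];
        if (addr >= r->base && size <= r->size && addr - r->base <= r->size - size) {
            memcpy(out, r->bytes + (addr - r->base), size);
            return 1;
        }
    }
    return 0;
}

/* Read a little-endian dword; the buffer is as wide as the read. */
static int read_u32(uint32_t addr, uint32_t *value)
{
    uint8_t b[4];
    if (!read_mem(addr, b, sizeof b)) return 0;
    *value = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 1;
}

/* Follow a static pointer and add a field offset: *ptr_addr + offset. */
static int resolve(uint32_t ptr_addr, uint32_t offset, uint32_t *field_addr)
{
    uint32_t block;
    if (!read_u32(ptr_addr, &block) || block == 0) return 0;
    *field_addr = block + offset;
    return 1;
}

/* Static means inside the loaded exe image; anything else needs a pointer. */
static int is_static(uint32_t addr)
{
    return addr >= IMAGE_BASE && addr - IMAGE_BASE < IMAGE_SIZE;
}

int main(void)
{
    uint8_t low = 0;
    uint32_t ptr = 0, field = 0, value = 0;
    read_mem(PLAYER_PTR, &low, 1);  /* one byte of a four-byte pointer */
    read_u32(PLAYER_PTR, &ptr);
    printf("1-byte read: %u, 4-byte read: 0x%08X\n", (unsigned)low, (unsigned)ptr);
    if (resolve(PLAYER_PTR, 0x244, &field) && read_u32(field, &value))
        printf("player+0x244 at 0x%08X = %u, static: %d\n",
               (unsigned)field, (unsigned)value, is_static(field));
    printf("via truncated pointer: %s\n",
           read_u32((uint32_t)low + 0x244u, &value) ? "mapped" : "unmapped");
    return 0;
}
```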
