Documenting GTA-SA memory addresses

[JernejL 61]

and here is same topic as for gta vc memory exploring, san andreas is out in usa and will be soon in europe and rest of the world, some addresses were already posted in

the vc memory topic, so you can start with clean topic here, now get back to work

[random_download 0]

0xA49960 = start of scm block

[jacob. 1]

00B74490 = Pool of CPed structures

00B74494 = Occupied CVehicle (Player when on foot)

CPed + 0x540 = Health. (float)

 

[LATE EDIT] Removed innacurate information.

Edited November 4, 2005 by jacob.

[Hammer83 0]

0x464080 - GetOpcodeParameters()

0xA43C78 - Where the routine above stores opcode parameters values. Max 16 paramters for an opcode it seems.

0x53BC80 - LoadGame(char* fileName), initializes all data structures and loads fileName (which is gta.dat).

0x5B9030 - LoadMapDefinitionFile(char* fileName), parses and loads dat-files, such as default.dat and gta.dat.

0x550F10 - AllocatePools(), allocates stuff which LimitAdjuster modifies, such as Peds and Buildings.

0x82119A - malloc(size_t size)

0x438480 - Looks like cheat processor

[jacob. 1]

0xB7CE50 - money

0xBAA420 - wanted level

0xB70153 - current hour

0xB70152 - current minute

 

CPed + 0x740 - current weapon

 

Display Settings

Look down a few posts.

 

Edited June 25, 2006 by jacob.

[ModelingMan 94]

CPed + 0x718 = Current weapon slot. (1 byte)

CPed + 0x5A0 = Start of weapon data. Each slot has 28 bytes.

[Stretchnutter 2]

CPed + 0x14 = pointer to XYZ position structure (and rotation)

 

0x863984 = gravity

 

[jacob. 1]

Stretchnutter, I had a look into XYZ and found these:

 

Player + 368 = x pos

Player + 372 = y pos

Player + 376 = z pos

 

Values appear to be read-only.

[Stretchnutter 2]

yea... these are not read only though.

 

DWORD(CPed+0x14) + 0x30 = XPos

DWORD(CPed+0x14) + 0x34 = YPos

DWORD(CPed+0x14) + 0x38 = ZPos

 

DWORD(CPed+0x14) + 0x0 to 0x2C is the rotation matrix

 

 

Its much different from vice city. looks like there are a bunch of coordinates at this location.. could be the traffic cars.

 

 

maybe i should write a teleporter

[random_download 0]

 

coords are DWords not floats?

[ModelingMan 94]

I have started to label some functions in IDA, here is my current list, it's not much but it's a start

Linkage.

 

CPed block size = 0x7C4 bytes.

CVehicle block size = 0x0A18 bytes.

 

Also the maximum amount of vehicles and peds loaded are the same as VC.

 

 

coords are DWords not floats?

No, read his last post, he says that the dword pointer at (CPed + 0x14) leads you to XYZ and rotation.

 

Edit:

0x00B6F3B8 = Player CVehicle pointer.

0x00B6F5F0 = Player pointer.

Edited June 9, 2005 by ModelingMan

[Squiddy 3]

Values of all these addresses are saved in gta_sa.set, so most of them should be options related. I see jacob allready found some. I have the problem not having sa at the moment, so I can't test them. If anyone has some time, he could test them please?

 

------------------------------------------------------

0xB6EC1C float - mouse sensitivity

0xC1CC02 byte

0xC1CC03 byte

 

0xBA6748

+ 0x4F BYTE

+ 0x50 BYTE

+ 0x52 BYTE

+ 0x4D BYTE

+ 0x51 BYTE

+ 0x3C 4 byte - brightness

+ 0xC4 BYTE

+ 0xC5 BYTE

+ 0xCC 4 byte (0xC8)

+ 0x40 4 byte - draw distance

+ 0x44 BYTE - subtitles

+ 0x4B BYTE

+ 0x4C BYTE

+ 0xD8 4 byte (0xD4)

+ 0xD0 BYTE

+ 0x21 BYTE - hud switch

+ 0x24 4 byte

+ 0xB0 BYTE

+ 0xE8 BYTE - Store Gallery Photos

+ 0xB1 BYTE

+ 0xB2 BYTE

+ 0xB3 BYTE

+ 0xB4 BYTE

+ 0xB5 BYTE

+ 0xB6 BYTE

+ 0x4A BYTE - legend switch

+ 0xAC 4 byte

 

Added the addresses jacob found, hope it's okay.

 

Update

+ 0x84 BYTE

Edited June 9, 2005 by Squiddy

[aad 1]

Are memory adresses for cheats welcome if so ill hunt some adresses down and ill post them later it really takes long on my old 1,55 GHZ

[Sobeit 0]

Are memory adresses for cheats welcome if so ill hunt some adresses down and ill post them later it really takes long on my old 1,55 GHZ

no, new adresses are not welcome.....wtf were you thinking?

[jacob. 1]

Thanks for that, squiddy. Figured out what they all did.

All are byte values unless stated otherwise..

 

Display Settings

0xBA6784 - Brightness [long]

0xBA6792 - Legend

0xBA676C - Radar Mode

0xBA6769 - Hud Mode

0xBA678C - Subtitles

0xBA6830 - Store gallery photos

0xBA6788 - Draw Distance [long]

0xBA6794 - Frame limiter

0xBA6793 - Widescreen

0xA9AE54 - Visual FX Quality

0xBA680C - Mip Mapping

0xBA6814 - Antialiasing [1 = off, 2 = 1, 3 = 2, 4 = 3]

0xBA6820 - Resolution [640x480=11, 800x400 = 12, 800x600=13, 1024x1068=15]

 

Sound Configuration

0xBA6798 - Radio Volume [0 through 64]

0xBA6797 - SFX Volume [0 through 64]

0xBA6799 - Radio Equalizer

0xBA6795 - Radio Auto-tune

0xBA67F8 - Usertrack/Play mode [0 = radio, 1 = random]

0xBA680D - Usertrack/Automatic Media Scan

0xBA679A - Radio Station [0 through 11, 12 = usertrack player]

 

Controller Configuration

0xBA6818 - Controller Configuration [0 = mouse+keys, 1 = joypad]

0xB6EC1C - Mouse sensivity [float]

 

Interesting enough, none of the other controller/mouse config is in the structure squiddy posted. Perhaps its located somewhere else.

 

Edited June 12, 2005 by !cMc! Jacob

[QJimbo 0]

woo Delfi we are getting in there early

$B70152 : Minutes

$B70153 : Hours (note $0F = 15:00 rather than 16:00)

 

EDIT: Ack in my rush to post these I didn't notice !cMc! Jacob already had... oh well... it's the thought that counts

Edited June 10, 2005 by QJimbo

[jacob. 1]

Player + 45 = Animation Edited June 12, 2005 by !cMc! Jacob

[Stretchnutter 2]

Camera Stuff

 

0x52B730 = Start of camera 'MOVer' subroutine. set to 0xC3 (retn) to lock camera

 

0xB6F028 = Camera Block Start

0xB6F028-0xB6F0DB - Uknown stuff - mostly flags, pointers and some floats

 

0xB6F0DC = [dword]Current View

(0 = Bumper View / 1 = Close External View / 2 = Middle External View / 3 = Furthest External View / 4 = nothing(same as last?) / 5 = Cinematic View / 6 to INF = same as 4?) same as Vice... no top-down

 

0xB6F0E0 = [float]Car View Distance (arm length) read only

0xB6F0E8 = [float]True View Distance (true arm length)read only (freezing will cause it to be jumpy, as if final copy )

 

 

0x8CC3E0 to 0x8CC3F0 = [floats]Hard-Coded View Distances For Closest External View (ecx = 1) (read/write)

528B13 mov eax, ds:dword_0_8CC3E0[edx*4]

edx = vehicle type (0 to 4) ?! normal car = edx = 0 | eax = true distance

 

0x8CC3F4 to 0x8CC404 = [floats]Hard-Coded View Distances For Middle External View (ecx = 2) (read/write)

528B24 mov eax, ds:dword_0_8CC3F4[edx*4]

edx = vehicle type (0 to 4) ?! normal car = edx = 0 | eax = true distance

 

0x8CC408 to 0x8CC418 = [floats]Hard-Coded View Distances For Furthest External View (ecx = 3) (read/write)

528B36 mov eax, ds:dword_0_8CC408[edx*4]

edx = vehicle type (0 to 4) ?! normal car = edx = 0 | eax = true distance

 

0xB6F97C = Pointer to TRUE? camera Matrix (freezing these has effect, as if final copy)

0xB6F99C to 0xB6F9DB = Camera Matrix (0xB6F99C + 0x30 = Xpos, etc...) read only, unless you write retn @ 52B730

 

 

 

EDIT:

 

Controls Stuff

 

0xB73458 = Start of controls block

read only unless the subroutine is disabled (not documented yet)

+ 0x20 = [word]Accelerate (255 = on / 0 = off)

+ 0x22 = [word]Brake

more...

 

 

EDIT2:

 

Text Stuff

 

write normal strings here (not unicode)

 

0xBAA7A0 = Top Left Text Box [eg; Cheat activated] (disappears after few seconds)

0XBAADC0 = Busted/Wasted Text Box - Center screen...displayed until first byte is null

Edited June 10, 2005 by Stretchnutter

[Squiddy 3]

Controller Configuration

0xC1CC02 - BYTE - Steer with mouse

0xC1CC03 - BYTE - Invert mouse vertically

 

[steve-m 28]

 

0x?????? - Visual FX Quality

it's at 0xA9AE54 [0 - 3]

[Hammer83 0]

ModellingMan, are you sure player struct is at address you listed?

 

I think it might be at 0xB7CD98. IDA doesn't show any refs to 0xB6F5F0, but I must say I still have a lot of code represented as data.

[ModelingMan 94]

 

ModellingMan, are you sure player struct is at address you listed?

 

I think it might be at 0xB7CD98. IDA doesn't show any refs to 0xB6F5F0, but I must say I still have a lot of code represented as data.

Both addresses work fine. VC also had 2 player pointer addresses. IDA also didn't show any refs to VC's player pointer...

[Stretchnutter 2]

If I may suggest as an evil game hacking tip: Use Dual Monitors!!!

 

I had some problems using a debugger to set breakpoints with a single monitor. So I wondered what I could do with 2 monitors. Turns out it works great.

 

All you need is a Video Card with dual heads, 2 monitors and a program called Ultramon (free, look on google).

 

Click...

 

You can do things like watch live changes to the memory.... sure you can do this in windowed mode... but noone has figured out how to yet.

 

Sorry for going off-topic

 

 

more text stuff

 

these are wierd if you try writing something to these they dont appear because the game constantly sets the first byte to 0, but if you turn that off they operate in same manner as the busted/wasted text box.

 

0xBAB040 = BOTTOM TEXT BOX - stunt bonus information is written here

0xBAAEC0 = TOP MIDDLE - i dont know, some orange text

0xBAAFC0 = ?

0xBAAF40 = ?

0xBAAE40 = ?

Edited June 12, 2005 by Stretchnutter

[jacob. 1]

Racer, if you don't mind me asking, how do you find those textbox addresses? Do you wait until one is displayed then search for the string in memory? (ascii values of characters in order, unless they're in unicode in that case its asciichar,0,asciichar,0)

This is just out of curiousity and for possible future reference to help me get better at finding addresses.

 

I don't have duel moniters so I haven't been able to debug anything at all. I'm just waiting for someone to release a windowed-mode modification.

 

Handling.cfg is loaded into the memory when you start a game, as are all of its parameters stored in memory offsets.. anyone know if theres a 'handling pointer' or something? I'd look into this myself if i had a debugger that worked in full-screen.

[QJimbo 0]

Hey guys, I'm having some problems with my TimeSync Tool, which basically makes the weather go mental when you freeze the time, does anyone know why? It's like there's another timer in there, maybe 16th's/256th's of a second if a single/double byte Hex value... anyone seen any values that look like that?

 

I'm not sure why the weather keeps changing within the minute though, another timer would just make a transition repeat instead of going mental... hmm.

 

And as for the dual monitor thing, that seems like a nice trick, but someway of getting SA running in a window would be good. 3Danalyze doesn't work, as SA seems to go "oh noes teh window" and quits

[JernejL 61]

i use dual monitors with geforce fx 5600, it works well but many games work improperly on dual monitors, mouse cursor is important problem here, even

gtavc had problems with grabbing cursor on two monitors, zmodeler2 also

doesn't work properly on dualscreen monitors - no hardware, only software

renderer is availible..

 

[aad 1]

I did a try to search for some memory adresses that would be cool to use for making a trainer (im currently making one) so here is my mem adres

 

 

969160 (Flying Car cheat)

 

 

its in hex so for coding it in VB use &H and then my adress. It actualy works better then the normal cheat at least it looks like it works better.

[Stretchnutter 2]

Racer, if you don't mind me asking, how do you find those textbox addresses? Do you wait until one is displayed then search for the string in memory? (ascii values of characters in order, unless they're in unicode in that case its asciichar,0,asciichar,0)

This is just out of curiousity and for possible future reference to help me get better at finding addresses.

i did exactly that... actually i put in a cheat and searched for "Cheat a" short for Cheat activated..

 

 

i found 3 of them... so i tryed writing something else in them and see which one had an effect... found one that worked... then jumped to the address in IDA, seen a xref to it... then just scrolled down until i saw another xref.

[Spooky 1]

I don't know if this has been mentioned yet, but the USA and EU versions of game game have different executables. One piece of code I came across was exactly +0x50 bytes misalignged in the EU exe.

[Stretchnutter 2]

spooky thats wierd... i wonder what they will do when they release a patch, release a different patch for each country?! that would be odd.

 

0xB7CB84 = [dword]A global timer in ms

0xB70158 = [dword]Timer related to weather and time in ms

0xB7015C = [dword]Defines how many ms = 1 second... default 1000, set to 1 for a headache