Documenting GTA-SA memory addresses

[Futago-za Ryuu 0]

thx, doing it right now.

does any1 know how i can make my own programs(exe's) or dll's, i have basically nil knowledge about programing, so simple as it can be plz

[random_download 0]

You need to get a compiler. Delphi or Visual C++ are good ones, and you could use Visual Basic as well if you wanted. Search on google.

[Yegorchic 0]

 

random_download, but he can use some "trainer creators"...

[Jarno 0]

My first findings:

They are for the minigame: 'Bee Bee Gone'

0xA48A2C (DWord 4 bytes) [ Lifes left ]

0xA48A38 (DWord 4 bytes) [ Score ]

0xA4FA80 (DWord 4 bytes) [ Flowers left ]

 

And found one of the 'Kickstar' arena.

0xA51A78 (DWord 4 bytes) [ Score ]

 

(Tested and it works for me, sorry if not works)

 

And I have a request.

The address of the Divebar? (Float?)

 

Thanks in advance.

[random_download 0]

random_download, but he can use some "trainer creators"...

 

does any1 know how i can make my own programs(exe's) or dll's

To make exe or dll files properly you need a compiler not a trainer creator

[Yegorchic 0]

Why nobody written some new adresses?

[Jarno 0]

I posted 4 adresses

Some posts above.

 

And Yegorchic find adresses by yourself?!

[Yegorchic 0]

I posted 4 adresses

Some posts above.

 

And Yegorchic find adresses by yourself?!

Some pages later I posted some adresses. M... it were "how many bullets fired" etc...

[Jarno 0]

I posted 4 adresses 

Some posts above.

 

And Yegorchic find adresses by yourself?!

Some pages later I posted some adresses. M... it were "how many bullets fired" etc...

Sorry don't saw them.

[Yegorchic 0]

Does somebody knowm how can I put textbox in SA (top-left)?

[Jarno 0]

Somebody posted it on one of the first pages.

[Yegorchic 0]

Ow... I don't saw... but I searched...

[[KFC]Nutz 0]

I have found the functions that modify fog distance above 200 meters

altitude. Previously I found the address of the constant (float 1000.0)

these functions use, but that address (0x00858C4C) is shared by

hundreds of calls by unrelated functions and changing

that really screws things up! By modding the functions that

use that constant we isolate the changes to fog distance only:

 

0x0056139D pointer to const float - fog distance at 200m-500m altitude if timecyc.dat StrClp > 1000.0

0x0056136B pointer to const float - fog distance above 500m altitude if timecyc.dat StrClp > 1000.0

 

0x0056139D = 0x16079D in exe

0x0056136B = 0x16076B in exe

 

by default these two pointers point to 0x00858C4C which has

a constant float 1000.0 stored.

 

if StrClp in timecyc.dat is greater than 1000.0 then the first pointer

is used to adjust the fog distance between 200m-500m altitude.

It gradually changes from 200m=StrClp value to 500m = 1000.0.

If StrClp is less than 1000.0 this function is not used.

 

If StrClp in timecyc.dat is greater than 1000.0 then the second

pointer is used to set the fog distance above 500m. If StrClp is less

than 1000.0 this function is not used.

 

Some useful addresses to put in these pointers:

 

0x008631F0 const float 2000.0

0x008707FC const float 3500.0

0x0086CD78 const float 5000.0

0x00871260 const float 20000.0

 

When I set both pointers to the const float 3500.0 address and

set StrClp to 3500.0 for all modes in timecyc.dat I have 3500m

fog distance at all altitudes. This makes for dramatically improved

flying conditions especially when the annoying opaque clouds above 200m are

turned off by setting both:

 

0x00716642 float - cloud generation factor above 200m altitude

0x00716655 float - cload generation factor above 200m altitude

 

to 0x47C35000 (100000.0)

 

Of course 3500.0 is to far to use reliably at max "draw distance"

in the options menu. When I set draw distance to four bars

it doesn't flash or crash but some detail in the distance takes

awhile to load. 3500.0 and four bars seemed to be the

best looking compromise to me for flying.

 

[ThaKilla 0]

Hey I was wondering what is NOP (I'm sure it means No-Operation) but is there a special value you send to it?

 

Also I have added a trainer to GTASA-UE that allows you to dynamicaly link structures to memory values (pointers.) Also all the values are setup threw a GUI that allows for dynmic addressing/Looping using VBScript. Hopefully it will be ready sometime this week, but here is a Screen Shot if you want to check it out.

 

It also allows you to build "Cheat Scripts" using a type of .Net idea (Will support VBScript/ JavaScript)

 

This will change the players health/armor to max every 1ms

 

 

IF [Player.Ped Info.Health] < [Player.Ped Info.Max Health] THEN     [Player.Ped Info.Health] = [Player.Ped Info.Max Health]END IFIF [Player.Ped Info.Armor] < 100 THEN     [Player.Ped Info.Armor] = 100END IF

 

[jacob. 1]

Hey I was wondering what is NOP (I'm sure it means No-Operation) but is there a special value you send to it?

The no-op identifier is 0x90, to NOP a set of instructions you just construct a byte array of 0x90[sizeof(instructions)] and write it to the addy of instructions you're wanting to NOP.

[Skiller 0]

u know the Ps2 section and the PC section are identacal . meaning .. Say u find your Stats ..

 

Health

Stamina

Muscle

 

they all be in the Exact same offset that they are in the PS2 ver if u have the same section found that is ..

 

Here is an Example of the Garage settings..

 

Exact Same as PC ver

+

00 = X Coord (Float)

04 = Y Coord (Float)

08 = Z Coord (Float)

10 = Proof

12 = Car ID

14 = Car Parts Slot 1 --???--

16 = Car Parts Slot 2

18 = Car Parts Slot 3

1A = Car Parts Slot 4

1C = Car Parts Slot 5

1E = Car Parts Slot 6

20 = Car Parts Slot 7

22 = Car Parts Slot 8

24 = Car Parts Slot 9

26 = Car Parts Slot 10

28 = Car Parts Slot 11

2A = Car Parts Slot 12

2C = Car Parts Slot 13

2E = Car Parts Slot 14

30 = Car Parts Slot 15

32 = Body Color (Byte)

33 = Second Color (Byte)

34 = ?? (Looks to be in Byte Format)

35 = ?? (Looks to be in Byte Format)

36 = ?? (Looks to be in Byte Format)

37 = ?? (Looks to be in Byte Format)

38 = ?? (Looks to be in Byte Format)

39 = Bomb Equip (Byte) --BB--

3A = Custom Pain Job (byte) --PP--

3B = Nitros Enabler(Byte) --NN--

3C = ?? (Looks to be in Byte Format)

3D = ?? (Looks to be in Byte Format)

3E = ?? (Looks to be in Byte Format)

3F = ?? (Looks to be in Byte Format)

 

 

For the BB/PP/NN/Car parts (???) digits u can look here

http://www.codemasters-project.net/members...llerModShop.htm

 

For the Car ID digits u can look here

http://www.codemasters-project.net/members...s/CarDigits.htm

 

For the Proof Digits u can look here

http://www.codemasters-project.net/members...gits/Proofs.htm

 

if u want to maybe use the Database for your offsets .. here is the main Address

http://www.codemasters-project.net/members.../GtaSacodes.htm

 

hope this help .. i might Get into hacking the PC ver alittle more .. it kinda helps with hacking the PS2 ver since i can edit live (damn my way of hacking GTA SA is out ) have fun ppl

Edited September 25, 2005 by Skiller

[Yegorchic 0]

Game Speed: 00B7FCB64 - 4 bytes, float...

[Skiller 0]

(address is from the AO PC ver Not updated)

well From looking Between the ps2 ver and PC ver .. iv got this

 

 

PC009725c4 = Start of "create_forbidden_for_cars_cube" 'this address also tells how many Forbidden cubes there are left"009725c8 = X009725cc = Y009725d0 = Z009725e0 = (can pass or can not pass)101 (Cars Cant Pass) 100 (Cars can pass) +07 to the next

 

 

this only affects the cars for the Peds .. and not the acutal Roadblock it self .. im still trying to find this .. i have a Fealing its in the SCM section .. with the rest of the info ..

 

using the above section lines and the unlock island stats all thats left is the actual Roadblock .. (take it no one has found this in the main exe yet .. ?)

Edited September 27, 2005 by Skiller

[Jarno 0]

Anybody nows the Breath/Dive bar address?

 

Can't find it.

[jacob. 1]

0xA9A888 - Pointer to a pointer to a pool of CUniqueJump structures (68 bytes each)

0xA9A88C - Currently triggered CUniqueJump entity

 

 

struct _CUniqueJump {VECTOR vec1;  	// +00VECTOR vec2;  	// +12VECTOR vec3;  	// +24VECTOR vec4;  	// +36VECTOR vec5;  	// +48DWORD dwCASH_REWARD;	// +60BYTE bHAS_BEEN_JUMPED;	// +65};

 

 

Why there are 5 sets of coordinates in the memory structure as opposed to 3 sets in the unique jump opcode definition is mostly unknown to me right now, but they seem to 'interpolate' the definition. Comparing and contrasting the memory values with the definitions will show you what I mean.

The second vector will always take you within inches of the 'trigger' of the unique jump, usually a ramp of some sort.

 

Edited September 30, 2005 by jacob.

[RedFox.com 0]

What's the code for read memory (of coords for example) in VB ?

[deNULL 0]

Somebody knows how to correctly select active interior (like by code 04BB: select_interior 0)? I have tried to change bytes at CPed + 2F and 00B72914, but it's does not works completely right (there are some bugs with sky and map...).

 

Yegorchic:

It's a small world...

[J-Fox.GEMM 0]

use ur winapi - Microsoft visual studio/common/tools/API or maybe WinAPI

 

 

To set the interitours u need to set their colors too - i m pretty sure they are + 1 to 3 byte - rgb

[deNULL 0]

To set the interitours u need to set their colors too - i m pretty sure they are + 1 to 3 byte - rgb

Colors? What are you driving at? Anyway, atmospheric effects uses more than just one color.

And I also have some problems with map - i think, coordinate system needs to be changed too.

[Jarno 0]

Please anyone dive bar offset...

Edited October 10, 2005 by Jarno

[J-Fox.GEMM 0]

if i remember: the map is invisble inside a house - theres a 1 byte value somewhere!

 

Also there is a rgb channel for each interitour.

 

it fixes the background and the lightening then.

 

maybe by mem hackin? - http://www.gtaforums.com/index.php?showtopic=219186

[Stinger357 0]

I was very impressed with delfi's dev console for VC. I would like to be able to change in memory the timer function for the peds bodies and/or cars disapearing, so basically instead of 30 seconds I can set the byte to 0 (hopefully it is a global variable) so they would stay persistent. Can this be done? I dont know where to begin looking in memory for the location of this timer. Can you help me? I think the memory changing of sa just fascinates me. What should I search for with Tsearch? If someone can point me in the right direction on how to change this value. I did notice 1 thing when you spawn a ped or car apart from the dynamic ones...and you kill the person they STAY! Also cars that are spawned also STAY! So I know this can be done, but don't know where to look.

 

Stinger

 

[random_download 0]

Use a custom scm to create/destroy cars on a keypress, then search for a value between 0 and 30 for the timer. Keep repeating by destroying/creating cars with the keypresses. Then you will probably find something like:

 

cmp something1, something2

where one of the somethings is the memory address you just found. So the other something is then probably the address you will want to change, being the max value for the timer.

[op9080 2]

 

0xA9A888 - Pointer to a pointer to a pool of CUniqueJump structures (68 bytes each)

0xA9A88C - Currently triggered CUniqueJump entity

 

 

struct _CUniqueJump {VECTOR vec1;  	// +00VECTOR vec2;  	// +12VECTOR vec3;  	// +24VECTOR vec4;  	// +36VECTOR vec5;  	// +48DWORD dwCASH_REWARD;	// +60BYTE bHAS_BEEN_JUMPED;	// +65};

 

 

Why there are 5 sets of coordinates in the memory structure as opposed to 3 sets in the unique jump opcode definition is mostly unknown to me right now, but they seem to 'interpolate' the definition. Comparing and contrasting the memory values with the definitions will show you what I mean.

The second vector will always take you within inches of the 'trigger' of the unique jump, usually a ramp of some sort.

 

I've got a couple of minor corrections to this. The first is that there is an additional field

 

struct _CUniqueJump {VECTOR vec1;  	// +00VECTOR vec2;  	// +12VECTOR vec3;  	// +24VECTOR vec4;  	// +36VECTOR vec5;  	// +48DWORD dwCASH_REWARD;	// +60BYTE bHAS_BEEN_JUMPED;	// +65BYTE bHAS_BEEN_FOUND;	// +66BYTE padding[2];};

 

 

The other is what the vectors are. In the mission script there are five vectors

 

startstart_radiuslandland_radiuscamera

 

 

The connection is

 

vec1 = start - start_radiusvec2 = start + start_radiusvec3 = land - land_radiusvec4 = land + land_radiusvec5 = camera

 

[J-Fox.GEMM 0]

I m confused a little bit:

 

Somebody checked this opcodes?

 

 

0124=2,write_mem_address %1d% value %2d% 0125=2,read_mem_address %1d% into %2d%

 

 

Madhacker2k4 gave me - he says it writes to the own process (GTA) so u can hack the own memory...

 

Really true???

 

Cuz how the opcode should know how big the actual address is - 1 byte, 2, 3 or maybe 4 bytes? :S