random_download, posted October 15, 2005:

Those are injected opcodes using a complicated technique found by CyQ.
J-Fox.GEMM, posted October 15, 2005:

Hi, I want to set the player limit atm. In my SCM code is this code:

    0053: $PLAYER_CHAR1 = create_player 0 at 2480.67 -1671.37 $ZPos
    01F5: $PLAYER_ACTOR1 = create_emulated_actor_from_player $PLAYER_CHAR1
    09C7: change_player_skin $PLAYER_CHAR1 to $Actor
    01B4: set player $PLAYER_CHAR1 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR2 = create_player 0 at 2485.67 -1672.37 $ZPos
    01F5: $PLAYER_ACTOR2 = create_emulated_actor_from_player $PLAYER_CHAR2
    09C7: change_player_skin $PLAYER_CHAR2 to $Actor
    01B4: set player $PLAYER_CHAR2 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR3 = create_player 0 at 2480.67 -1673.37 $ZPos
    01F5: $PLAYER_ACTOR3 = create_emulated_actor_from_player $PLAYER_CHAR3
    09C7: change_player_skin $PLAYER_CHAR3 to $Actor
    01B4: set player $PLAYER_CHAR3 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR4 = create_player 0 at 2485.67 -1674.37 $ZPos
    01F5: $PLAYER_ACTOR4 = create_emulated_actor_from_player $PLAYER_CHAR4
    09C7: change_player_skin $PLAYER_CHAR4 to $Actor
    01B4: set player $PLAYER_CHAR4 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR5 = create_player 0 at 2480.67 -1675.37 $ZPos
    01F5: $PLAYER_ACTOR5 = create_emulated_actor_from_player $PLAYER_CHAR5
    09C7: change_player_skin $PLAYER_CHAR5 to $Actor
    01B4: set player $PLAYER_CHAR5 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR6 = create_player 0 at 2485.67 -1676.37 $ZPos
    01F5: $PLAYER_ACTOR6 = create_emulated_actor_from_player $PLAYER_CHAR6
    09C7: change_player_skin $PLAYER_CHAR6 to $Actor
    01B4: set player $PLAYER_CHAR6 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR7 = create_player 0 at 2480.67 -1677.37 $ZPos
    01F5: $PLAYER_ACTOR7 = create_emulated_actor_from_player $PLAYER_CHAR7
    09C7: change_player_skin $PLAYER_CHAR7 to $Actor
    01B4: set player $PLAYER_CHAR7 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR8 = create_player 0 at 2485.67 -1678.37 $ZPos
    01F5: $PLAYER_ACTOR8 = create_emulated_actor_from_player $PLAYER_CHAR8
    09C7: change_player_skin $PLAYER_CHAR8 to $Actor
    01B4: set player $PLAYER_CHAR8 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR9 = create_player 0 at 2480.67 -1679.37 $ZPos
    01F5: $PLAYER_ACTOR9 = create_emulated_actor_from_player $PLAYER_CHAR9
    09C7: change_player_skin $PLAYER_CHAR9 to $Actor
    01B4: set player $PLAYER_CHAR9 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR10 = create_player 0 at 2485.67 -1680.37 $ZPos
    01F5: $PLAYER_ACTOR10 = create_emulated_actor_from_player $PLAYER_CHAR10
    09C7: change_player_skin $PLAYER_CHAR10 to $Actor
    01B4: set player $PLAYER_CHAR10 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR11 = create_player 0 at 2480.67 -1681.37 $ZPos
    01F5: $PLAYER_ACTOR11 = create_emulated_actor_from_player $PLAYER_CHAR11
    09C7: change_player_skin $PLAYER_CHAR11 to $Actor
    01B4: set player $PLAYER_CHAR11 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR12 = create_player 0 at 2485.67 -1682.37 $ZPos
    01F5: $PLAYER_ACTOR12 = create_emulated_actor_from_player $PLAYER_CHAR12
    09C7: change_player_skin $PLAYER_CHAR12 to $Actor
    01B4: set player $PLAYER_CHAR12 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR13 = create_player 0 at 2480.67 -1683.37 $ZPos
    01F5: $PLAYER_ACTOR13 = create_emulated_actor_from_player $PLAYER_CHAR13
    09C7: change_player_skin $PLAYER_CHAR13 to $Actor
    01B4: set player $PLAYER_CHAR13 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR14 = create_player 0 at 2485.67 -1684.37 $ZPos
    01F5: $PLAYER_ACTOR14 = create_emulated_actor_from_player $PLAYER_CHAR14
    09C7: change_player_skin $PLAYER_CHAR14 to $Actor
    01B4: set player $PLAYER_CHAR14 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR15 = create_player 0 at 2480.67 -1685.37 $ZPos
    01F5: $PLAYER_ACTOR15 = create_emulated_actor_from_player $PLAYER_CHAR15
    09C7: change_player_skin $PLAYER_CHAR15 to $Actor
    01B4: set player $PLAYER_CHAR15 frozen state 1 (unfrozen)
    0053: $PLAYER_CHAR16 = create_player 0 at 2485.67 -1686.37 $ZPos
    01F5: $PLAYER_ACTOR16 = create_emulated_actor_from_player $PLAYER_CHAR16
    09C7: change_player_skin $PLAYER_CHAR16 to $Actor
    01B4: set player $PLAYER_CHAR16 frozen state 1 (unfrozen)

But after creating $Player7 it crashes :S So I checked the VC-MP source:

    // Patch to increase vehicle pool limit from 110 to 200
    DWORD dwVP, dwVP2;   // old protection values returned by VirtualProtect
    VirtualProtect((PVOID)0x4C02E4, 128, PAGE_EXECUTE_READWRITE, &dwVP);
    *(BYTE *)0x4C02E4 = 0x6A;
    *(BYTE *)0x4C02E5 = 0x00;   // push 0 (unused param)
    *(BYTE *)0x4C02E6 = 0x68;
    *(BYTE *)0x4C02E7 = 0xC8;
    *(BYTE *)0x4C02E8 = 0x00;
    *(BYTE *)0x4C02E9 = 0x00;
    *(BYTE *)0x4C02EA = 0x00;   // push 200
    VirtualProtect((PVOID)0x4C02E4, 128, dwVP, &dwVP2);

That's what I found. Maybe in SA there is a value to increase the player limit.

Edit: Problem fixed, I just use 6 players now... But where are the pointers? With actors it was easy to hack, but players have other pointers.

(Edited October 16, 2005 by J-Fox.GEMM)
op9080, posted October 17, 2005:

0x8A6168 - a table of pointers to opcode handlers. The pointer at address 0x8A6168 + 4 * n handles opcodes in the range 100 * n to 100 * n + 99. Each handler begins with a compiled C switch statement that checks that the opcode is in the correct range and uses a secondary pointer table with 100 entries to jump to the precise routine handling the given opcode.

0x9788C0 - beginning of the pickup object pool, 32 bytes per entry, 620 entries total. Each entry is a struct CPickupItem. I have some partial information on this struct:

    at CPickupItem + 0x18 - 2-byte object ID (from the *.ide files)
    at CPickupItem + 0x1A - 2-byte reference count
    at CPickupItem + 0x1C - 1-byte pickup type. Some values are:
        0          - this slot is free
        4, 5, 8    - this item has been picked up and is not coming back, so its slot can be garbage collected
        3          - used by horseshoes & oysters, probably means a one-shot item that's picked up by direct contact with the player
        0x14       - used by photo ops, probably means a one-shot item that's picked up by taking a picture
    at CPickupItem + 0x4  - an optional pointer to a destructor for garbage collecting the object

Some object IDs: horseshoe 954, oyster 953 (from propext.ide), photo op 1253 (from dynamic.ide).

When creating a pickup item with an opcode, you get an object handle. The handle is a 32-bit int. The lower 16 bits are an index into the pickup item pool. The upper 16 bits are a copy of the reference count.

0xA9AD70 - DWORD, total number of gang tags (100).
0xA9AD74 - DWORD, number of tags completely painted (stat).
0xA9A8C0 - array of 100 entries, each entry a CGangTagState of 8 bytes:

    struct CGangTagState {
        struct CGangTag* p;
        BYTE amountPainted;
        BYTE padding[3];
    };

amountPainted is in the range 0-255 with 0 indicating an unpainted tag. Any value >= 228 indicates a completely painted tag.

I have some information on the struct CGangTag that describes the tag:

    at CGangTag + 0x4  - X position (float)
    at CGangTag + 0x8  - Y position (float)
    at CGangTag + 0xC  - Z position (float)
    at CGangTag + 0x14 - an optional pointer p. If p is non-null then the tag's position vector is actually at p + 0x30 instead of the above. This feature is never used, since this pointer is NULL on all actual tags.

0xB79380 - array of 82 floats, stats 0 - 81.
0xB79000 - array of 223 ints, stats 120 - 342.

While the stats at 120-342 are 32-bit ints, the opcodes that change these stats actually truncate their parameter to 16 bits and sign-extend it to 32 bits before applying it. The following stats are limited to a value of 1000 by the opcodes that change the stats: 65-67, 21-25, 69-80, 160, 164-165, 223, 225, 229-230, 233, 241-244.

(Edited October 23, 2005 by op9080)
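Added example (editor's insertion, not code from op9080 or anyone else in this thread): it works through two of the facts in the post above in C, against a constructed in-memory copy of the pool rather than the game's memory. The pickup handle is split into its pool index and reference-count halves and resolved against the pool, with the check a tool should do before touching an entry: the index must be below 620, the slot must not be free, and the stored reference count must still equal the one baked into the handle, which is what catches a stale handle after a slot has been garbage collected and reused. The second function reproduces the 16-bit truncate-and-sign-extend that the stat opcodes apply, plus the 1000 cap; whether the cap is applied before or after the truncation is not stated on the page, so that order is an assumption here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Layout from the post: 620 entries of 32 bytes, refcount at +0x1A, type at +0x1C. */
#define PICKUP_POOL_ENTRIES 620
#define PICKUP_ENTRY_SIZE   32
#define PICKUP_OFF_REFCOUNT 0x1A
#define PICKUP_OFF_TYPE     0x1C

typedef struct {
    uint8_t raw[PICKUP_POOL_ENTRIES * PICKUP_ENTRY_SIZE];   /* constructed copy, not game memory */
} PickupPool;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Handle = (refcount << 16) | pool index, as described in the post. */
uint32_t pickup_handle_make(uint16_t index, uint16_t refcount) { return ((uint32_t)refcount << 16) | index; }
uint16_t pickup_handle_index(uint32_t handle)    { return (uint16_t)(handle & 0xFFFF); }
uint16_t pickup_handle_refcount(uint32_t handle) { return (uint16_t)(handle >> 16); }

/* Resolve a handle; NULL if out of range, free, or the refcount no longer matches (stale handle). */
uint8_t *pickup_lookup(PickupPool *pool, uint32_t handle) {
    uint16_t idx = pickup_handle_index(handle);
    if (idx >= PICKUP_POOL_ENTRIES) return NULL;
    uint8_t *entry = pool->raw + (size_t)idx * PICKUP_ENTRY_SIZE;
    if (entry[PICKUP_OFF_TYPE] == 0) return NULL;                 /* type 0: slot is free */
    if (rd16(entry + PICKUP_OFF_REFCOUNT) != pickup_handle_refcount(handle)) return NULL;
    return entry;
}

/* Simulated allocation: bump the slot's refcount, set its type, hand back the handle. */
uint32_t pickup_alloc(PickupPool *pool, uint16_t idx, uint8_t type) {
    uint8_t *entry = pool->raw + (size_t)idx * PICKUP_ENTRY_SIZE;
    uint16_t rc = (uint16_t)(rd16(entry + PICKUP_OFF_REFCOUNT) + 1);
    wr16(entry + PICKUP_OFF_REFCOUNT, rc);
    entry[PICKUP_OFF_TYPE] = type;
    return pickup_handle_make(idx, rc);
}

/* Simulated garbage collection: mark the slot free. */
void pickup_free(PickupPool *pool, uint16_t idx) {
    pool->raw[(size_t)idx * PICKUP_ENTRY_SIZE + PICKUP_OFF_TYPE] = 0;
}

/* Scenario: allocate slot 5, free it, reuse it; the first handle must then be rejected. */
bool pickup_selftest(void) {
    PickupPool pool = {{0}};
    uint32_t h = pickup_alloc(&pool, 5, 3);                        /* type 3: horseshoe/oyster style */
    if (pickup_handle_index(h) != 5 || pickup_handle_refcount(h) != 1) return false;
    if (pickup_lookup(&pool, h) == NULL) return false;
    pickup_free(&pool, 5);
    if (pickup_lookup(&pool, h) != NULL) return false;             /* freed slot */
    uint32_t h2 = pickup_alloc(&pool, 5, 3);                       /* slot reused, refcount now 2 */
    if (pickup_lookup(&pool, h) != NULL) return false;             /* old handle is stale */
    if (pickup_lookup(&pool, h2) == NULL) return false;
    if (pickup_lookup(&pool, pickup_handle_make(PICKUP_POOL_ENTRIES, 1)) != NULL) return false;
    return true;
}

/* Value a stat opcode ends up applying: truncate to 16 bits, sign-extend, then (assumption: afterwards) cap at 1000 for the capped stats. */
int32_t stat_param_as_applied(int32_t requested, bool capped_at_1000) {
    uint16_t low = (uint16_t)requested;                                  /* truncate to 16 bits */
    int32_t v = (low & 0x8000) ? (int32_t)low - 0x10000 : (int32_t)low;  /* sign-extend */
    if (capped_at_1000 && v > 1000) v = 1000;
    return v;
}
```

The practical consequence of the second function: asking a stat opcode for 40000 stores -25536, so a tool that wants to set a large stat value has to go through the arrays at 0xB79000 / 0xB79380 directly rather than through the opcode.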
J-Fox.GEMM, posted October 24, 2005:

Any ideas on the keystrokes in SA? In VC I got it from the VC-MP code, but in SA I can't find it. Also the actual car animation would be nice, like steer left or right. PS: I mean NOT the wheel rotation, which is in the car pointer.
Squiddy, posted October 24, 2005:

Quoting J-Fox.GEMM: "Any ideas on the keystrokes in SA? In VC I got it from the VC-MP code, but in SA I can't find it."

What is it that you can't find? To subclass the window using VC-MP's method you just need the window's handle. You can find it with FindWindow.
RedFox.com, posted October 24, 2005:

How can I get the XYZ coords of an actor, please?

(Edited October 24, 2005 by RedFox.com)
J-Fox.GEMM, posted October 25, 2005:

Sorry for the double post, read the post below. My browser loaded the page twice because the first one got an error.

(Edited October 25, 2005 by J-Fox.GEMM)
J-Fox.GEMM, posted October 25, 2005:

Quoting Squiddy: "What is it that you can't find? To subclass the window using VC-MP's method you just need the window's handle. You can find it with FindWindow."

Then I'm a bit confused, because I found some addresses in the PED block which point me to the key block; in that block I was able to set the currently pressed keys for each actor. Also the 2P modes (the co-op) for the PC: I'm sure they use the same way (by writing to the key block). I'll try to get the address for VC again, then I will show you.

@RedFox.com: Just add me on your MSN, I will send you a sample (I made it for gunner once).

(Edited October 25, 2005 by J-Fox.GEMM)
jacob., posted October 25, 2005:

@J-Fox.GEMM:

    0xB73458 = Start of controls block; read only unless the subroutine is disabled (not documented yet)
    + 0x20 = [word] Accelerate (255 = on / 0 = off)
    + 0x22 = [word] Brake

A little searching doesn't help. Note that this only works on players, not actors, and that it's a bit more difficult to use this method in SA.
Squiddy, posted October 25, 2005:

J-Fox.GEMM, you should be more specific then. You were talking about keystrokes in general, so I assumed you were talking about getting those sent to the window.
op9080, posted October 25, 2005:

Has anyone tried to inject opcodes into the SA script engine? I haven't seen anyone mention this, but the "ProcessOneCommand" function in San Andreas actually processes commands in a loop until it encounters a "wait" operation, and only then yields. So if you feed it a script buffer, you need to terminate it with a "wait 0" opcode, or it will go on processing garbage memory locations beyond the script buffer.
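Added example (editor's insertion, not code from op9080's loader or any other post): a small model in C of the behaviour described above, so the failure mode can be seen without a game attached. A buffer of commands is built, then walked the way the post describes the engine's loop working: command after command until a wait is reached. A buffer without a trailing "wait 0" makes the walker run off the end (here reported as -1; in the game it would keep interpreting whatever memory follows). The byte format is a simplified, constructed stand-in: 2-byte little-endian opcode, then parameters each prefixed by a type tag (0x04 int8, 0x05 int16, 0x01 int32) and closed by a 0x00 tag. The real SCM format uses that 0x00 terminator only for variadic opcodes, so treat the encoding as a model; opcode 0x0001 for wait is the GTA III-engine value, and the placeholder opcode 0x0ABC is made up for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define OP_WAIT 0x0001          /* "wait", opcode 0001 in GTA III-engine scripts */

typedef struct {
    uint8_t data[256];
    size_t  len;
    bool    overflow;           /* set if an append did not fit */
} ScriptBuf;

static void put8(ScriptBuf *b, uint8_t v) {
    if (b->len < sizeof b->data) b->data[b->len++] = v;
    else b->overflow = true;
}

/* Start a command: opcode as little-endian u16. */
void script_op(ScriptBuf *b, uint16_t opcode) { put8(b, (uint8_t)opcode); put8(b, (uint8_t)(opcode >> 8)); }
/* Typed parameters: tag byte, then the value little-endian. */
void script_int8(ScriptBuf *b, int8_t v)   { put8(b, 0x04); put8(b, (uint8_t)v); }
void script_int32(ScriptBuf *b, int32_t v) {
    put8(b, 0x01);
    for (int i = 0; i < 4; i++) put8(b, (uint8_t)((uint32_t)v >> (8 * i)));
}
/* Close the argument list (0x00 tag; a simplification of the real format, see lead-in). */
void script_end(ScriptBuf *b) { put8(b, 0x00); }
/* The terminator the processor needs in order to yield: "wait 0". */
void script_wait0(ScriptBuf *b) { script_op(b, OP_WAIT); script_int8(b, 0); script_end(b); }

/* Decode one command at *pc; false if it would read past len or has an unknown tag. */
static bool script_next(const uint8_t *buf, size_t len, size_t *pc, uint16_t *op) {
    size_t p = *pc;
    if (p + 2 > len) return false;
    *op = (uint16_t)(buf[p] | (buf[p + 1] << 8));
    p += 2;
    for (;;) {
        if (p >= len) return false;
        uint8_t tag = buf[p++];
        size_t sz = 0;
        if (tag == 0x00) break;
        else if (tag == 0x04) sz = 1;
        else if (tag == 0x05) sz = 2;
        else if (tag == 0x01) sz = 4;
        else return false;                 /* unknown tag: refuse rather than guess */
        if (p + sz > len) return false;
        p += sz;
    }
    *pc = p;
    return true;
}

/* The engine's loop as described: run command after command until a wait.
   Returns commands consumed, or -1 if the cursor left the buffer without meeting one. */
int script_run_until_wait(const uint8_t *buf, size_t len) {
    size_t pc = 0; int executed = 0; uint16_t op;
    while (script_next(buf, len, &pc, &op)) {
        executed++;
        if (op == OP_WAIT) return executed;
    }
    return -1;
}

/* Check a loader should make before handing the buffer over: well-formed, and the last command is a wait. */
bool script_ends_with_wait(const ScriptBuf *b) {
    size_t pc = 0; uint16_t op = 0; bool any = false;
    if (b->overflow) return false;
    while (pc < b->len) {
        if (!script_next(b->data, b->len, &pc, &op)) return false;
        any = true;
    }
    return any && op == OP_WAIT;
}

/* Demo buffer: one placeholder command (0x0ABC, made up) with an int32 argument, optionally followed by wait 0. */
static ScriptBuf demo_buffer(bool terminate) {
    ScriptBuf b; memset(&b, 0, sizeof b);
    script_op(&b, 0x0ABC); script_int32(&b, 1234); script_end(&b);
    if (terminate) script_wait0(&b);
    return b;
}
int  demo_run(bool terminate)            { ScriptBuf b = demo_buffer(terminate); return script_run_until_wait(b.data, b.len); }
bool demo_ends_with_wait(bool terminate) { ScriptBuf b = demo_buffer(terminate); return script_ends_with_wait(&b); }
```

The point of script_ends_with_wait is that it is cheap to run on the host side before any bytes go into the game process, which is where you want to catch a missing terminator; once the engine has run past the buffer there is nothing left to diagnose but a crash.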
J-Fox.GEMM, posted October 27, 2005:

Thanks for the reply Jacob, or better, Racer_S. But now I have another problem: where to NOP. Yesterday I searched for 2 hours in this forum and for 2 hours I used IDA (better: I read a tutorial, I'm a n00b in that area of hacking). No result. But I remember that someone posted the addresses for Vice or San Andreas here in this forum. Where? I just want to know where to NOP so that the key states are not reset by the game.
Supdario, posted October 27, 2005:

I'm a noob at hacking, but I want to change these values... I've not found tutorials... What programs do I need and what must I do?
Jarno, posted October 27, 2005:

www.gamehacking.com. Start first with hacking a simple Windows game like Minesweeper.
Supdario, posted October 27, 2005:

No, I want to change SA values.
jacob., posted October 27, 2005:

Quoting Supdario: "No, I want to change SA values."

It's the same concept. Everyone has to start somewhere.

Quoting J-Fox.GEMM: "I just want to know where to NOP so that the key states are not reset by the game."

0x541C74 [2 bytes] appears to be the subroutine you'll need to NOP.
op9080, posted October 27, 2005:

I've uploaded source code that demonstrates how to inject a script into the GTA:SA scripting engine. [Note: link deleted, see below for newer versions.]

Run with: gta_sa_loader [options]

The options are:

    -window      - run game in window
    -fullscreen  - run game fs
    -script      - inject the script
    -noscript    - don't inject the script
    -splash      - enable the splash screens
    -nosplash    - disable the splash screens

The default options are -window -script -nosplash.

The script it injects is very simple: it displays a message every 20 seconds and changes the weather to rainy. It's just a demo.

Note, Oct 28: uploaded a new version.
- Made a better test to check if a game is in progress. The previous one did not work; the script got executed when the game was suspended and would sometimes crash the game.
- Eliminated the need to explicitly order the functions in the injected section.

(Edited October 30, 2005 by op9080)
Supdario, posted October 27, 2005:

Quoting jacob.: "It's the same concept. Everyone has to start somewhere. [...] 0x541C74 [2 bytes] appears to be the subroutine you'll need to NOP."

Ok.... I have ArtMoney.... But how do I change a value without searching?
J-Fox.GEMM, posted October 29, 2005:

Why not just have a look in the readme 8-) Anyway: right click on the empty table, copy, and a box pops up. You put the hex offset in the offset/address box, choose the damn value type, and set the status (address/pointer); if it is a pointer you add the relative address in the 2nd box.

Rofl, I have had much fun with the NOP, lol. I made my actor shoot all day, all other keys are locked. But it doesn't matter anymore, we use a better way now.

Uhm, @op9080: My download manager says the file was not found on the server. My Firefox kills itself if I click the link.

//Edit1: Works with IE :s
//Edit2: Would be nice if you could send me psapi.h. I googled for it, but no results, just one broken archive.
//Edit3: Compiling works!
//Edit4: How do I start the game with the loader?

(Edited October 29, 2005 by J-Fox.GEMM)
op9080, posted October 29, 2005:

Quoting J-Fox.GEMM: "//Edit2: Would be nice if you could send me psapi.h"

Just #ifdef out the function findGTASAFromProcess(). It's not even used. I'll do it myself when posting the next version. Also comment out the #include <psapi.h> and #pragma comment(lib, "psapi.lib").

Quoting J-Fox.GEMM: "//Edit4: How do I start the game with the loader?"

What do you mean? Run gta_sa_loader.exe. There's a binary in the zip file. [Note: link deleted, see below for a newer version.]

Changelog:
- Removed reference to PSAPI.
- Displays error messages in case of failure.
- Completely revamped the injection mechanism. It now contains a makeshift loader that transplants the entire executable image into the gta_sa process and uses linker data to rebase it. In effect, it loads itself as a DLL into the remote process. This allows for use of static variables, static DLL linkage and the C runtime library in the remote process and makes the implanted code much simpler.

(Edited October 30, 2005 by op9080)
angeles, posted October 30, 2005:

Quoting an earlier post: "basically this says

    mov dword ptr [0xC8D4C0],5
    jmp 748A93

the region we are writing code to is called when 0xC8D4C0 = 0x0, just to give a little insight"

I'm trying to see the insight, but am having trouble. What do you mean by 'region we are writing code to'? A section of the program's memory? FYI: I'm a C programmer by nature, and I'm trying to get a feel for this ASM stuff seeing as it is popular on the GTA scene. *cough* newb *cough*
J-Fox.GEMM, posted October 30, 2005:

The new binary from the new version can't start GTA either. It just says "unable to start GTA", and the source I can't compile because it jumps to docopy before it does anything else.
op9080, posted October 30, 2005:

[Note: this discussion has been moved here. There's a link to the download there.]

Nov 5 Changelog:
- removed dependency on symbols not available in MSVC 6.0.
- define symbol EU_VERSION to use addresses from the EU version.
- packed EU version executable gta_sa_loader_eu.exe.

J-Fox.GEMM: I think you couldn't run it because it wasn't able to locate your copy of gta_sa.exe. I improved the search algorithm somewhat, and I hope it'll work now.

It's been brought to my attention that people compiling with MSVC 6.0 are getting a compilation error. My version is MSVC 7.1 and it's not giving any errors. However, for the sake of MSVC 6.0 users, I made a change in the source code that should do away with the error.

Now, if you're not using the project file I supplied (due to an older compiler), you should know that you need to link the program with the /FIXED:NO linker switch. So add that to your project/make file.

(Edited November 9, 2005 by op9080)
J-Fox.GEMM, posted October 31, 2005:

Still won't work for me:

    -------------------- Configuration: Inject - Win32 Release --------------------
    Compiling...
    FindGTASA.cpp
    C:\Dokumente und Einstellungen\J-Fox\Desktop\gta_sa_loader\Common.h(13) : error C2146: syntax error : missing ';' before identifier 'IDirect3D9'
    C:\Dokumente und Einstellungen\J-Fox\Desktop\gta_sa_loader\Common.h(13) : fatal error C1004: unexpected end of file found
    Inject.cpp
    C:\Dokumente und Einstellungen\J-Fox\Desktop\gta_sa_loader\Common.h(13) : error C2146: syntax error : missing ';' before identifier 'IDirect3D9'
    C:\Dokumente und Einstellungen\J-Fox\Desktop\gta_sa_loader\Common.h(13) : fatal error C1004: unexpected end of file found
    InjectedSection.cpp
    C:\Dokumente und Einstellungen\J-Fox\Desktop\gta_sa_loader\Common.h(13) : error C2146: syntax error : missing ';' before identifier 'IDirect3D9'
    C:\Dokumente und Einstellungen\J-Fox\Desktop\gta_sa_loader\Common.h(13) : fatal error C1004: unexpected end of file found
    Loader.cpp
    C:\Dokumente und Einstellungen\J-Fox\Desktop\gta_sa_loader\Common.h(13) : error C2146: syntax error : missing ';' before identifier 'IDirect3D9'
    C:\Dokumente und Einstellungen\J-Fox\Desktop\gta_sa_loader\Common.h(13) : fatal error C1004: unexpected end of file found
    Scripting.cpp
    C:\Dokumente und Einstellungen\J-Fox\Desktop\gta_sa_loader\Common.h(13) : error C2146: syntax error : missing ';' before identifier 'IDirect3D9'
    C:\Dokumente und Einstellungen\J-Fox\Desktop\gta_sa_loader\Common.h(13) : fatal error C1004: unexpected end of file found
    Generating Code...
    Error executing cl.exe.
    gta_sa_loader.exe - 10 error(s), 0 warning(s)

(Compiler output translated from German.)

And if I try the exe it still says unable to start GTA. But why not start gta_sa.exe in the gta_sa_loader.exe dir? I'm sure it would work fine then. The problem is I can't fix it because I can't compile.

Fox

Maybe someone could send me his dsw/dsp files used by C++ 6.0. I used a converter, maybe that is the cause, because I already added the /FIXED:NO.
op9080, posted October 31, 2005:

J-Fox.GEMM: I uploaded a change that fixes this compilation problem you have with __interface. Use the link in my previous post, I updated it.

As for why the binary doesn't run, I'm stumped. If you can compile, you'll be able to single step it in a debugger and see why it's failing. Like I said before, check the values of gta_saFullPath & gta_saFolder.

Quoting J-Fox.GEMM: "But why not start gta_sa.exe in the gta_sa_loader.exe dir?"

I hadn't thought of that. I'll add that to the next version...

[PS: sorry for littering the thread with all these C++ compilation quirks. J-Fox.GEMM, please PM me if you have problems instead of posting.]

(Edited October 31, 2005 by op9080)
BBumper, posted November 2, 2005:

Is there an address that controls the brightness, size or flash rate of lights on vehicles, specifically on police/fire vehicles? The lights appear to operate very simply.
RedFox.com, posted November 2, 2005:

Quoting an earlier post: "These are weird: if you try writing something to these they don't appear, because the game constantly sets the first byte to 0, but if you turn that off they operate in the same manner as the busted/wasted text box.

    0xBAB040 = BOTTOM TEXT BOX - stunt bonus information is written here
    0xBAAEC0 = TOP MIDDLE - I don't know, some orange text
    0xBAAFC0 = ?
    0xBAAF40 = ?
    0xBAAE40 = ?"

How can I turn it off?
jacob., posted November 2, 2005:

Quoting RedFox.com: "These are weird: if you try writing something to these they don't appear, because the game constantly sets the first byte to 0, but if you turn that off they operate in the same manner as the busted/wasted text box. [...] How can I turn it off?"

To enable full manual control of:

    0xBAB040, NOP 0x588FA9 [6 bytes]
    0xBAAEC0, NOP 0x58905E [6 bytes]
RedFox.com, posted November 2, 2005:

What do I have to do exactly?

    WriteProcessMemory ln_Handle, &H588FA9, 0, 4, 0

? (VB)

(Edited November 2, 2005 by RedFox.com)
J-Fox.GEMM, posted November 3, 2005:

In my eyes there is no way to NOP 100%, so you will need a C++ DLL as a sample. Also, I hope that you are using the correct way to draw text to the screen. Another way would be to use SCM injection, which can be done in VB too. And why not just use other text positions? That would make it much easier...

(Edited November 3, 2005 by J-Fox.GEMM)
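Added example (editor's insertion, not VC-MP's code and not from any poster): the two kinds of code patch that come up in this thread, done in C against a constructed in-memory image rather than a live process. The first rebuilds the bytes VC-MP writes at 0x4C02E4 (push 0; push 200) from an x86 push encoder, the second is the NOP-a-range patch suggested for 0x541C74 (2 bytes) and 0x588FA9 / 0x58905E (6 bytes). Both go through one routine that adds the check the posts skip: the address range is bounds-checked, and the bytes currently at the address must equal the expected originals before anything is written, so a patch for one executable version is refused on another version or on a second application instead of silently corrupting code. The "original" bytes and the image base are made up for the demo. Against a real process the final write is what RedFox.com was asking about: VirtualProtect plus a memcpy when running inside the process (as in the VC-MP snippet), or WriteProcessMemory with a pointer to the replacement bytes from outside it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

typedef struct {
    uintptr_t base;      /* virtual address of image[0] */
    uint8_t  *image;
    size_t    size;
} Image;

/* Map [addr, addr+n) into the buffer; NULL if any of it lies outside the image. */
static uint8_t *image_ptr(Image *im, uintptr_t addr, size_t n) {
    if (addr < im->base) return NULL;
    size_t off = (size_t)(addr - im->base);
    if (off > im->size || n > im->size - off) return NULL;
    return im->image + off;
}

/* Write n bytes at addr only if the bytes currently there equal `expected` (NULL skips the check). */
bool patch_bytes(Image *im, uintptr_t addr, const uint8_t *expected,
                 const uint8_t *replacement, size_t n) {
    uint8_t *p = image_ptr(im, addr, n);
    if (!p) return false;
    if (expected && memcmp(p, expected, n) != 0) return false;   /* other version, or already patched */
    memcpy(p, replacement, n);
    return true;
}

/* Overwrite n bytes with 0x90 (one-byte NOP) after the same check. */
bool patch_nop(Image *im, uintptr_t addr, const uint8_t *expected, size_t n) {
    uint8_t nops[16];
    if (n > sizeof nops) return false;
    memset(nops, 0x90, n);
    return patch_bytes(im, addr, expected, nops, n);
}

/* x86 "push imm8" (6A ib) when the value fits a sign-extended byte, else "push imm32" (68 id). Returns bytes produced. */
size_t encode_push(uint8_t *out, int32_t value) {
    if (value >= -128 && value <= 127) { out[0] = 0x6A; out[1] = (uint8_t)value; return 2; }
    out[0] = 0x68;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)((uint32_t)value >> (8 * i));
    return 5;
}

/* Demo on a constructed image: the "original" bytes (push 0 / push 110 / 3 nops, and a 2-byte
   mov al,0 at the NOP target) are invented here, not taken from gta_sa.exe or gta-vc.exe. */
bool demo_patch_image(void) {
    uint8_t mem[64] = {0};
    Image im = { 0x4C02E0u, mem, sizeof mem };
    const uint8_t orig_push[7] = {0x6A,0x00, 0x6A,0x6E, 0x90,0x90,0x90};
    const uint8_t orig_mov[2]  = {0xB0,0x00};
    memcpy(mem + 0x04, orig_push, sizeof orig_push);   /* lands at 0x4C02E4 */
    memcpy(mem + 0x10, orig_mov,  sizeof orig_mov);    /* lands at 0x4C02F0 */

    /* 1. rebuild VC-MP's "push 0; push 200" from the encoder and apply it with verification */
    uint8_t repl[7];
    size_t n = encode_push(repl, 0);
    n += encode_push(repl + n, 200);
    if (n != 7) return false;
    if (!patch_bytes(&im, 0x4C02E4u, orig_push, repl, n)) return false;
    const uint8_t want[7] = {0x6A,0x00,0x68,0xC8,0x00,0x00,0x00};   /* the bytes VC-MP writes */
    if (memcmp(mem + 0x04, want, 7) != 0) return false;

    /* 2. applying the same patch again must be refused: the originals are gone */
    if (patch_bytes(&im, 0x4C02E4u, orig_push, repl, n)) return false;

    /* 3. a verified 2-byte NOP, like the 0x541C74 suggestion */
    if (!patch_nop(&im, 0x4C02F0u, orig_mov, 2)) return false;
    if (mem[0x10] != 0x90 || mem[0x11] != 0x90) return false;

    /* 4. out-of-image addresses and mismatching expected bytes are refused */
    if (patch_nop(&im, 0x4C0400u, NULL, 2)) return false;
    if (patch_nop(&im, 0x4C02F0u, orig_mov, 2)) return false;
    return true;
}
```

The expected-bytes check is also what separates the US and EU executables op9080 handles with EU_VERSION: the same routine with a per-version table of address plus original bytes fails closed on the wrong binary instead of patching whatever happens to live at that offset.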