JernejL

Documenting GTA-SA memory addresses


jacob.

No way to NOP from VB? You kidding? Instructions can be overwritten via WriteProcessMemory, just not executed directly from VB, if you know what I mean (unless you want to get all theoretical, you could probably download a VB IDE plugin that poorly supports inline assembly, from there you'd need to change a few compiler settings and get a sub/function from VB executed in GTA's process, I saw an example on this on PSCode - search something along the lines of "process injection")

 

Anyway, veered a bit too far from the subject. I hope this helps:

 

 

' Overwrites bytesize bytes at address in GTA's process with 0x90 (NOP)
Public Function NOP(address As Long, bytesize As Long)
    Dim A As Long, bteNOP() As Byte
    ReDim bteNOP(bytesize - 1) As Byte
    For A = 0 To bytesize - 1: bteNOP(A) = &H90: Next A
    WriteProcessMemory GTA.ProcessHandle, ByVal address, bteNOP(0), ByVal bytesize, 0
End Function

 

 

RedFox.com

ok thx for all

J-Fox.GEMM

Uhm yeah... but when I did it at some locations in the memory it NOPed with C++ - but not with VB! That happened a few times, so it's not certain whether the address is NOP-ped then; maybe I just NOP-ped too late...

Luke
In my eyes there is no way to NOP 100%ly - so u will need a C++ dll as sample

Jacob proved you wrong there, it's perfectly possible to do so. If you're going to NOP instructions then do it asap, but dependent on what exactly it is you're trying to NOP and the code you're NOPing out, doing it as soon as the process loads isn't essential. My guess is that you've been doing something wrong.

 

 

Also i hope that u r using the correct way to draw text to the screen.

There's a correct way?

 

 

Another way would be to use scm injection - which can be done in VB too.

It can? Using the term "scm injection" is a bit ambiguous; in theory you could rewrite the whole SCM during runtime using nothing but writeprocessmemory - the complication there is: what would be the point? Also, you'd have to stop it executing whilst you did the replacing, and then, dependent on where the code was, it'd crash anyway.

 

If you mean doing it like spookie did, then you would need to be inprocess, so no, that can't be done from VB in any easy (ok, easy isn't the right word really, sensible is more appropriate) way.

 

 

And y not just using other text positions? That would make it much easier...

Giving up is for losers.

J-Fox.GEMM

k u won

 

But it's true, I did the NOP really correctly. I tested with the anti-cheat address. Sometimes it works, sometimes not. Don't say I typed the cheats incorrectly: I used the SA Trainer by saracoglu

 

And maybe he uses a wrong way. Maybe he's using a wrong function.

 

//Edit: i mean that he uses just writeprocessmemory <handle>, Textstring, address, ...

Edited by J-Fox.GEMM

jacob.
Anyone know where CPlayerPed::ProcessControl(void) is located?

DexX

the cracked american exe seems to be the standard for this topic, according to the first few pages anyway, so this post and all others I make will use that, unless specified otherwise. Likewise, all addresses will be in hex!

 

How to trace images in memory. This uses plant image txgrass0_2 @ 5DD9A4 (cracked Exe, disassembled), as an example. see below:

 

.text:005DD99F push offset aTxgrass0_2 ; "txgrass0_2"

.text:005DD9A4 mov ds:dword_C039A4, eax ; pointers to textures in memory?

.text:005DD9A9 call _RwTextureRead

 

C039A4 - dword, contains pointer to texture name. value should be 47AFF80h. The pointer may vary, but it should always be located @ C039A4

 

47AFF80 - dword, pointer to DXT header (This pointer is usually +42h, starting on the first null byte after the texture name, but ive seen +44h, +45h and +46h as well). The value at this address should be 47A9480h.

 

47A9480 - dword, DXT header for image. This address will contain a pointer to itself. Add 48h to this address to get the address of the pointer to the actual image data. 47A9480h + 48h = 47A94C8h, and the value at 47A94C8h is 350B0C0h, the pointer to the image data.

 

350B0C0 - image data for traced texture.

 

dxt header info

pointer (47A9480) - 0Ch = DXT format

pointer (47A9480) - 1Ch = dword, mipmap count?

pointer (47A9480) - 2Ch = dword, image height

pointer (47A9480) - 30h = dword, image width

 

possible uses include advanced debugging, or maybe writing a more complex directx hook, that can interact with already loaded textures (!), who knows...

 

btw, is there any sort of consistent standard offset between the american 1.0 and 1.01 exes? there's little mention of version offsets in this topic, which is a minor inconvenience, but still..

AdTec_224

My First Memory Address

 

0xBAB23C [4 bytes] = All White Text And Bar colors (RGBA) in bytes

 

I'm crap at describing things, so if any of you don't know what I'm on about then look at the screenshots below

 

Screenshot 1

 

Screenshot 2

 

EDIT Found Some More:

 

0xBAB238 [4 bytes] = Title Menu Text (RGBA) in bytes

 

Screenshot

 

0xBAB240 [4 bytes] = Title Menu Text Border (RGBA) in bytes

 

Screenshot

 

0xBAB244 [4 bytes] = Wanted Level Star Color (RGBA) in bytes

 

Screenshot

 

0xBAB24C [4 bytes] = Radio Station Color (When Selecting Station Only) (RGBA) in bytes

 

Screenshot

 

Enjoy!!!

 

-AdTec_224

Edited by AdTec_224

4cebbe2

Hi, here are some addresses I found. Some of them are probably already known even though I haven't seen them before:

 

car_base

+0x22 car_id

+0x130 something with lighting (active when you turn on taxilight, or drop a flare for example)

+0x37C nitro on/off

+0x42D siren

+0x48A nitro: 2/5/10

+0x514 horn on/off (read-only)

+0x5B0 carlights

+0x868 taxilight on/off 48/49

+0x86c angle of truck-bed/small hydra-cones (float)

+0x9CC plane landing gears (float)

+0xA00 stunt plane smoke discharger on/off

 

actor_base

+0x130 something with lighting, same as for cars

+0x47C pointer to some kind of animation structure

+0x55C z angle (read/write, unlike 0x558 which is read-only;actor will move to set angle only when he's on ground)

+0x79C address of targeted actor

+0x7A0 timer; has something to do with targeted actor

 

animation_base (actor_base+0x47C points here)

+0x0 pointer to actor_base

+0x4

+0x8 pointer to falling/enter car/etc. animations

+0xC pointer to swim/wasted/etc. animations

+0x10 pointer to jump/jetpack animations

+0x14 pointer to various onfoot/in car animations

+0x18 pointer to fighting animations

+0x1C pointer to crouching animations

... <- haven't found out what these are for, probably other less often used animations

+0x2C pointer to aim animations (only active when using weapons that you can point elsewhere than the running direction (sawn-off shotgun for example))

 

Most of the animation addresses are initially 0; they only get set when you start some kind of animation. For example, if you crouch, a pointer to the crouching animations is created. If you stand up the address is reset to 0, and if you crouch again a NEW pointer is created, which is most likely different from the one used before.

Also, one adress can point to different stuff. For example animation_base+0xC points to swimming-animations while swimming and to wasted-animations when wasted. The swimming and wasted structures are built up differently. So "swim/wasted" doesn't mean it's the same kind of data, it just means the pointer for both of these is at animation_base+0xC.

 

 

Some animation related stuff I found by using the animation pointer (actor_base+0x47C):

I'm quite sure there is a lot more to find here, but it's pretty annoying to search with the addresses always changing...

Most are read-only I think, but some are read/write(needs testing).

 

swim/wasted animations

+0x8 pointer to swim_data

+0x10 pointer to loaded_anim

 

swim_data

+0xA swim_state1 (byte: 0: not moving, 1: swimming slow, 2: swimming fast, 3:starting to dive, 4:diving, 5 :jumping)

+0xC swim_state2 (byte: like swim_state1 with different numbers?)

 

loaded_anim (an animation that an actor is doing in a loop, started with a scm-script; only tested with some animations)

+0x10 String: name of animation used in scm-script

+0x28 String: name of animation group used in scm-script

 

 

jump/jetpack animations

+0x8 pointer to jump_vector

 

jump_vector

+0x8 some x-coordinate

+0xC some y-coordinate

+0x10 some x-coordinate

 

 

car/onfoot animations

+0xC some timer (stops while in air)

+0x10 boxing-stance-timer (actor goes back to normal stance when counter reaches 2000)

 

 

fight-animations

+0x10 shooting_state (1=targeting;2=shooting;4=reloading)

+0x18 for/backward-movement while targeting (float: 1.0: moving backward -1.0: moving forward)

 

 

crouch-animations (both are read/write, so you can force a step for/backwards or a roll)

+0x1F rolling sideways (byte: 191=left; 63=right)

+0x20 for/backward-movement (float: 1.0: moving backward -1.0: moving forward)

 

 

aim-animations

+0x8 pointer to aim_vector

 

aim_vector (aim_direction?)

+0x30 x

+0x34 y

+0x38 z

 

 

 

Other Stuff:

B74494 = CarDataPointer (someone else found this, i just added some information)

CarDataPointer + 0 = FirstCarPointer

CarDataPointer + 4 = pointer to a bytelist (110 long;is somehow used when spawning cars)

CarDataPointer + 8 = Number of car structures (110)

CarDataPointer + C = last or next used car slot(multiply with 0xA18 and add to FirstCarPointer to get address) (max: 110, restarts at 1 if 110 reached)

 

B744A8 = LoadedAnimsPointer ??? (not sure)

LoadedAnimsPointer + 0 = pointer to First loaded anim

LoadedAnimsPointer + 4 = ? (maybe list like above)

LoadedAnimsPointer + 8 = Number of anim structures (500)

LoadedAnimsPointer + C = last or next used anim slot

 

Sorry for the somewhat unstructured post. Also, I'm too lazy to look up the sizes now, all pointers are 4 bytes, most of the rest is 1 byte long. Otherwise you'll have to try and see. ;)

Agret

4cebbe2 that information is damn useful, thanks!

J-Fox.GEMM

OMG - give him cookies - that's just awesome

 

THX so much

 


 

But can some1 plz explain here - or pm me - how to hook the game functions? (the filemngr as sample)

 

//Edit

 

won't work for me

 

 

DWORD *PlayerOffset = (DWORD*)(11990512);
DWORD *ActorOffset = PlayerOffset;
DWORD *ActorAnimOffset = (DWORD*)(ActorOffset+0x47C);
DWORD *ActorAimOffset = (DWORD*)(ActorAnimOffset+0x2C);
float *ActorAimX = (FLOAT*)(ActorAimOffset+48);
sprintf(NewText,"AnimX is %f Player at %u Anim at %u Aim at %u",*ActorAimX,*ActorOffset,*ActorAnimOffset,*ActorAimOffset);

 

Edited by J-Fox.GEMM

4cebbe2

You forgot one pointer. Maybe I didn't write it clear enough above.

aim-animations +0x8 is a pointer to "aim_vector"

aimvector +0x30 is the x-coordinate

 

This should work:

 

// Each link in the chain is a pointer stored inside the previous structure, so it
// must be dereferenced, and the offsets are byte offsets (cast to BYTE* before adding).
DWORD ActorOffset = *(DWORD*)0xB6F5F0;                                  // 11990512: player ped pointer
DWORD ActorAnimOffset = *(DWORD*)((BYTE*)ActorOffset + 0x47C);          // actor_base + 0x47C -> animation_base
DWORD ActorAimOffset = *(DWORD*)((BYTE*)ActorAnimOffset + 0x2C);        // animation_base + 0x2C -> aim-animations
DWORD ActorAimVectorOffset = *(DWORD*)((BYTE*)ActorAimOffset + 0x8);    // aim-animations + 0x8 -> aim_vector
float ActorAimX = *(float*)((BYTE*)ActorAimVectorOffset + 0x30);        // aim_vector + 0x30 (48 decimal) -> x
sprintf(NewText, "AnimX is %f Player at %u Anim at %u Aim at %u",
        ActorAimX, ActorOffset, ActorAnimOffset, ActorAimOffset);

 

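Walking the chain 4cebbe2 describes (actor_base +0x47C, animation_base +0x2C, aim-animations +0x8, aim_vector +0x30) as an added C example that is not code from the thread: it dereferences each link and stops on a NULL pointer, since, as 4cebbe2 noted earlier, the animation pointers are 0 until the corresponding animation starts. The offsets come from the thread; the in-memory buffer standing in for the game's address space, the addresses inside it and the sample x value are constructed so the walk can run offline.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a slice of the game's 32-bit address space:
 * "addresses" are offsets into this buffer. In the real process the same
 * reads would go through ReadProcessMemory / a pointer in-process. */
#define MEM_SIZE 0x4000
static uint8_t mem[MEM_SIZE];

/* Offsets documented in the thread (assumed unchanged here). */
#define OFF_ANIM      0x47C  /* actor_base     + 0x47C -> animation_base  */
#define OFF_AIM       0x2C   /* animation_base + 0x2C  -> aim-animations  */
#define OFF_AIMVEC    0x8    /* aim-animations + 0x8   -> aim_vector      */
#define OFF_AIMVEC_X  0x30   /* aim_vector     + 0x30  -> float x         */

/* Bounds-checked 32-bit read; returns 0 on failure instead of faulting. */
static int read32(uint32_t addr, uint32_t *out) {
    if (addr > MEM_SIZE - 4) return 0;
    memcpy(out, mem + addr, 4);
    return 1;
}

static int write32(uint32_t addr, uint32_t val) {
    if (addr > MEM_SIZE - 4) return 0;
    memcpy(mem + addr, &val, 4);
    return 1;
}

/* Follow one link: read the pointer stored at base+off and reject NULL. */
static int follow(uint32_t base, uint32_t off, uint32_t *next) {
    if (base == 0) return 0;
    if (!read32(base + off, next)) return 0;
    return *next != 0;
}

/* actor -> anim -> aim -> aim_vector -> x. Returns 1 and sets *x on
 * success, 0 if any link is NULL or unreadable (e.g. actor not aiming). */
int read_aim_x(uint32_t actor, float *x) {
    uint32_t anim, aim, vec, raw;
    if (!follow(actor, OFF_ANIM, &anim))   return 0;
    if (!follow(anim,  OFF_AIM, &aim))     return 0;
    if (!follow(aim,   OFF_AIMVEC, &vec))  return 0;
    if (!read32(vec + OFF_AIMVEC_X, &raw)) return 0;
    memcpy(x, &raw, 4);
    return 1;
}

/* Build the constructed layout; 'aiming' decides whether the aim pointer
 * exists (it is 0 until the aim animation starts). Addresses are made up. */
void setup_memory(int aiming) {
    const uint32_t actor = 0x100, anim = 0x1000, aim = 0x2000, vec = 0x3000;
    const float x = 1.5f;
    uint32_t raw;
    memset(mem, 0, sizeof mem);
    write32(actor + OFF_ANIM, anim);
    write32(anim + OFF_AIM, aiming ? aim : 0);
    write32(aim + OFF_AIMVEC, vec);
    memcpy(&raw, &x, 4);
    write32(vec + OFF_AIMVEC_X, raw);
}

int main(void) {
    float x = 0.0f;
    setup_memory(1);
    printf("aiming:     %s x=%f\n", read_aim_x(0x100, &x) ? "ok" : "fail", x);
    setup_memory(0);
    printf("not aiming: %s\n", read_aim_x(0x100, &x) ? "ok" : "fail (NULL link)");
    return 0;
}
```

The same shape applies to any other chain in the thread (car_base, CarDataPointer, LoadedAnimsPointer): read, check for 0, then add the next offset, never add an offset to the address of the pointer field itself.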
FalconGT

Any ideas how to make an actor get into the aiming animation??

 

 

 

J-Fox.GEMM

If u use C++ I would say u use a scm injection

 

If I remember correctly it calls tons of game functions

 

//Edit:

 

Still won't work

I think my read process memory is wrong

 

how do I get the process handle of the exe where my dll is injected?

 

//Edit2:

 

Actor_Base +0x7A0 timer; has something to do with targeted actor - maybe time until cone disappears? - not tested yet

Edited by J-Fox.GEMM

4cebbe2

 

If u use C++ i would say u use a scm injection

 

Yes, but which opcode do you use? I've tried to get an actor into aiming-state before with scm but i didn't get it to work properly.

If i could get him into aiming-state with scm it would probably be possible to control him with the aim/fight-animation-adresses in memory.

 

 

Still wont work

 

I don't know why your code doesn't work, but the program i sent you works definitely. If you look into that you should get yours running too.

 

 

Actor_Base +0x7A0 timer; has somethig to do with targetet actor - Maybe time untile cone dissapears ?

 

No, I don't think that's it. It just keeps counting up whenever you target someone; it's never reset. I don't know what it's good for. Maybe there's some kind of statistic on how long you have aimed at ppl.

J-Fox.GEMM

 

Yes, but which opcode do you use? I've tried to get an actor into aiming-state before with scm but i didn't get it to work properly.

 

I would say u create an invisible actor - and put him away, then let the actor shoot - just an idea

 

I will have a look into that soon if I get my damn code working

 

//Edit:

 

0667: actor_task_aim_at_point [ found by spaceeinstein ]

Edited by J-Fox.GEMM

FalconGT

 

Yes, but which opcode do you use? I've tried to get an actor into aiming-state before with scm but i didn't get it to work properly.

 

I would say u create an invisible actor - and put him away, then let the actor shoot - just an idea

 

I will have a look into that soon if I get my damn code working

Works too, tested already, however it's a bit unstable.

MrJax

I'm crashing trying to read these. Anyone else managed to use them?

FalconGT
I'm crashing trying to read these. Anyone else managed to use them?

Which ones ??

MrJax

All the ones from the anim pointer (from 4cebbe2)

FalconGT
All the ones from the anim pointer (from 4cebbe2)

They work for me, except fight anim you must get actor into aiming anim before the pointer is created.

Yegorchic

Hello people!

How can I create a car using memory addresses?

JernejL

you can't, it takes too much manual work; use mission scripting instead.

 

MrJax

Managed to use those animation pointers the other day; didn't realise at first that to use the crouch pointer, the actor has to be crouched etc.

 

 

fight-animations

+0x10 shooting_state (1=targeting;2=shooting;4=reloading)

+0x18 for/backward-movement while targeting (float: 1.0: moving backward -1.0: moving forward)

 

+0x14 left/right-movement while targeting (float: 1.0: moving right -1.0: moving left)

[FP]Gunner

yeah, I need to NOP the replay sys but I can't find them,

also I can't write the cam x y z??? wtf

J-Fox.GEMM

I was wondering if some1 already found out how to set the currently controlled player.

 

When I create 2 players I have control of the last one. But I still want control of the first one.

 

Or maybe that can be done using the structure Jacob asked for

FalconGT

 

I was wondering if some1 already found out how to set the currently controlled player.

 

When I create 2 players I have control of the last one. But I still want control of the first one.

 

Or maybe that can be done using the structure Jacob asked for

 

DWORD* Player_Base = (DWORD*)0xB6F5F0;
DWORD Actor_base = *Player_Base + (1988 * ActorID);   // 1988 = 0x7C4, the ped structure size

 

 

That's how I get Actor base.

 

 

jacob.

 

I was wondering if some1 allready found out how to set the current controlled player.

I have not looked into this area as much as I'd wanted to, but I believe the ecx register of cplayerped::processcontrol() is what you're asking for? Detour hook this function and you'll see this register contains the player entity next in line to be processed, so experiment around there - you could try modifying the keystate structure (posted earlier by Stretchnutter) immediately after you've hijacked the ecx register and seeing whether or not the modified controls would be processed to the applied actor with visible results.. it's worth a shot.

 

-Edit:

 

yeah, I need to NOP the replay sys but I can't find them

 

0053C090: CALL gta_sa.00460500;; Call to replay processing [4 bytes]

 

NOP'ing this address will render the keys F1, F2, and F3 dysfunctional.

Edited by jacob.

J-Fox.GEMM

Would be nice to know where cplayerped::processcontrol() is located

 

//Edit:

 

Tested this:

 

 

0053C090: CALL gta_sa.00460500;; Call to replay processing [4 bytes]

 

 

Which exe do u use? - It crashes for me and says error at address 0x53C090, can't call 0x000001

 

 

DWORD dwVP3, dwVP4;   // old-protection values; declarations were not shown in the post
VirtualProtect((PVOID)0x53C090, 4, PAGE_EXECUTE_READWRITE, &dwVP3);
memset((PVOID)0x53C090, 0x90, 4);
VirtualProtect((PVOID)0x53C090, 4, dwVP3, &dwVP4);

 

 

//Edit:

 

Size must be 5 NOT 4

Edited by J-Fox.GEMM

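An x86 CALL rel32 is five bytes (opcode E8 plus a 4-byte displacement), which is why patching only 4 bytes leaves the last displacement byte in place to be decoded as the start of some other instruction, and why the post above settles on 5. As an added C example, not code from the thread, this decodes the call target from the bytes and only overwrites the instruction once the opcode and the target match what is expected, so a wrong exe version or a wrong address is caught before anything is written. The bytes are constructed to encode CALL 00460500 at 0053C090, the instruction jacob named; the trailing filler bytes are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x86 CALL rel32: one opcode byte (E8) followed by a little-endian
 * 32-bit displacement relative to the end of the instruction. */
#define OP_CALL_REL32  0xE8
#define CALL_REL32_LEN 5

/* Decode the absolute target of a CALL rel32 located at 'addr'.
 * Returns 1 and sets *target, or 0 if the bytes are not a CALL rel32. */
int call_rel32_target(uint32_t addr, const uint8_t *code, uint32_t *target) {
    int32_t rel;
    if (code[0] != OP_CALL_REL32) return 0;
    memcpy(&rel, code + 1, 4);
    /* target = address of next instruction + displacement (wraps mod 2^32) */
    *target = addr + CALL_REL32_LEN + (uint32_t)rel;
    return 1;
}

/* Replace the CALL with NOPs only if the bytes really are a CALL to the
 * expected target. Returns the number of bytes patched (5) or 0 if the
 * check fails. All five bytes are overwritten: patching fewer would leave
 * a stray displacement byte that the CPU decodes as a new instruction. */
int nop_call(uint32_t addr, uint8_t *code, size_t len, uint32_t expected_target) {
    uint32_t target;
    if (len < CALL_REL32_LEN) return 0;
    if (!call_rel32_target(addr, code, &target)) return 0;
    if (target != expected_target) return 0;
    memset(code, 0x90, CALL_REL32_LEN);
    return CALL_REL32_LEN;
}

int main(void) {
    /* Constructed bytes: 0053C090: E8 6B 44 F2 FF = CALL 00460500,
     * followed by made-up filler standing in for the next instruction. */
    uint8_t code[8] = { 0xE8, 0x6B, 0x44, 0xF2, 0xFF, 0x8B, 0xC8, 0x90 };
    uint32_t target = 0;
    if (call_rel32_target(0x0053C090, code, &target))
        printf("call target: %08X\n", target);
    printf("patched %d bytes\n", nop_call(0x0053C090, code, sizeof code, 0x00460500));
    /* A second attempt finds 90 instead of E8 and refuses to patch again. */
    printf("second attempt: %d bytes\n", nop_call(0x0053C090, code, sizeof code, 0x00460500));
    return 0;
}
```

In the live process the memset would sit between the two VirtualProtect calls exactly as in the post, with the size set to CALL_REL32_LEN; the decode-and-compare step is what keeps a mismatched exe from being patched at the wrong place.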
QJimbo

Does anyone have the address for weather in GTA 1.01, I know the V1.00 one is $C8131C. Surprisingly the one in the sourcecode for GTA:SA Control Centre is wrong (it has $C8131C + $2680) which if you try it with the console does not work.

 

So yeah, anyone?
