Documenting GTA-SA memory addresses

[Beep]

 

0xC2310C - Water Height (float)

0xC23110 - Wave Height (float)

Great finds!

 

Edit

Seems not to work.

Edited April 2, 2007 by Beep

[k.o.e.i.g2]

---------

Edited May 27, 2008 by k.o.e.i.g2

[ntlofub]

 

0xC2310C - Water Height (float)

0xC23110 - Wave Height (float)

Great finds!

 

Edit

Seems not to work.

That is because he is incorrect.

 

006E5B83 mov dword ptr ds:[edx],eax;  store water height variable (from water.dat)

 

0xC22910 begins an array of structures (20 bytes a piece) that stores position-related information per unit of water. If you want to realistically change the water level of every unit in the game, you will have to modify 168 offsets from the base unit to the same value (differing values results in clipping issues). Of course, the game could be patched to obtain the level from a single unit, but that's a different story.

 

[EDIT] Information was posted for my ofsetted executable, corrected.

Edited April 18, 2007 by ntlofub

[aru]

 

0xC22914 begins an array of structures (20 bytes a piece) that stores position-related information per unit of water.

Close.. but not entirely.. I guess a bit of compiler optimization happened there

 

Actual start position of the structures is at 0xC22910.

 

If you open water.dat, you may notice the sets split into 7 values each... with 4 (or 3) of those 7 sets in one line followed by a number. Think of each line as a quad or triangle. The trailing number should be some sort of a flag.

 

In water.dat, the 7 data sets should be documented here: http://www.gtaforums.com/index.php?showtopic=211733

 

0xC22910 = WaterBlockInfo Base Offset

 

X = word: WaterBlockInfo+0

Y = word: WaterBlockInfo+2

Z = float: WaterBlockInfo+4

tU = float: WaterBlockInfo+8

tV = float: WaterBlockInfo+12

Unknown1 = byte: WaterBlockInfo+16

Unknown2 = byte: WaterBlockInfo+17

Unknown3 = word: WaterBlockInfo+18 (can't seem to find any xrefs for this)

 

Size of each WaterBlockInfo: 0x14 (20 bytes)

 

 

[Edit: just linking to the water.dat doc]

Edited April 18, 2007 by aru

[ntlofub]

 

0xC22914 begins an array of structures (20 bytes a piece) that stores position-related information per unit of water.

Actual start position of the structures is at 0xC22910.Thanks for that. I was running an injector that offsetted my executable by 4 bytes, I've edited my original post.

I was going to post the specifics of the water information structure, but Steve-M beat me to it.

[k.o.e.i.g2]

-------

Edited May 27, 2008 by k.o.e.i.g2

[Sacky]

Memory Addresses corresponding with weapons.dat:

 

Weapons:

 

0xC8AAB8 : Base Memory Address

+ 0x70 : Block Size (for each weapon defined in weapons.dat)

 

Variables:

 

+ 0x0 - Fire Type (1 Byte) : 0 - Melee, 1 > Normal (AFAIT)

+ 0x4 - Target Range (float) : How far away a ped has to be before he gets that little triangle above his head

+ 0x8 - Weapon Range (float) : How far the bullets are effective

+ 0xC - Weapon Modelid 1 (1 Byte) : Corresponds to the weapon.dat but changing it in the memory doesnt do anything

+ 0x10 - Weapon Modelid 2 (1 Byte) : ^ See Above

+ 0x14 - Slot (1 Byte) : The Slot ID for the weapon

+ 0x18 - Anim Group (1 Byte) : The animation group that plays when you shoot the weapon, for example setting this to about 6 will make it first person

+ 0x1C - ? : Setting this to 10 or below causes the game to crash when targetting

+ 0x20 - Max Ammo Clip (1 Byte) - How much ammo can be held in a individual clip when it is full

 

Some other things to note:

 

-1 = 255

UNARMED = 1

MELEE = 0

PROJECTILE = 1

 

Aiming Addresses:

 

0x969179 - Free Aim Driveby (1 Byte) : Toggle 1 or 0 to enable/disable

0xB6EC2E - Auto Aim (1 Byte) : Toggle 1 or 0 to enable/disable

 

Functions:

 

0x8582EC - int __stdcall ShowCursor ( BOOL bShow )

0x5BE670 - ParseWeaponDat

Edited May 19, 2007 by Sacky

[DrV]

A few addresses, not very complicated to find, but anyway (v1.0 hoodlum EU exe)

 

Code:

 

0x00748760 - int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)

 

0x00747F00 - int __stdcall WndProc(HWND hWnd,int msg,WPARAM wParam,int lParam)

 

0x007486F0 - int __cdecl RegisterSAWindow()

 

0x00745560 - HWND __cdecl CreateSAWindow(HINSTANCE hInstance)

 

0x007476B0 - void __cdecl PlayMPEG(int nShowCmd, char *filename)

-- This is used to play the two intro videos, not sure about the first parameter but it's not used at all in the function and seems to get passed the nShowCmd from WinMain in the three cases it's used

 

Data:

 

0x00C17054 - pointer to main window HWND (from CreateSAWindow)

Edited April 24, 2007 by DrV

[k.o.e.i.g2]

-----

Edited May 27, 2008 by k.o.e.i.g2

[ceedj]

Anyone find anythng with the "screen saver" camera that starts after about a minute of the player being idle? I'd assume it's triggered after a timer hits a certain point, but I haven't been able to nail it down yet...

[TehKiller]

some finds dont know if posted before:

 

0x00BAA410 - current weapon(read only)

0x00955DE0 - inside interior or not(1=inside/0=outside)(read only)

Edited May 6, 2007 by TehKiller

[Seemann]

The engines sounds list (static exe addresses):

 

http://sannybuilder.com/dev/enginesounds.htm

 

Each vehicle model has 2 different engine sounds (one for state when the engine speed grows and one when it is falls).

 

Each sound value is 2 bytes of length (WORD).

 

 

Also, to enable the radio for a vehicle (for ones where its not available) write 0 (byte) to the memory address:

 

v1.0

 

address = 0x85D2CB + (#carmodelID * 36)

 

For example for Landstalker (id = 400) the addy = 0x00860B0B

 

v1.01

 

address = 0x85E2EB + (#carmodelID * 36)

 

For example for BRAVURA (id = 401) the addy = 0x00861B4F

 

There's the mod activating the radio for all vehicles.

Edited May 7, 2007 by Seemann

[DracoBlue]

(since I see this is used for discussion, too - I'll append my topic now)

 

Hello Guys,

 

Currently most of the big multiplayer modifications have this problem, because players who press ESC are not able to be hitten.

 

So did somebody found a way to NOP those functions, which make GTA go to menu on ESC/ALT+TAB, yet?

 

Kind regards,

Jan (DracoBlue)

[Mr Vibrating]

Is there any way to run SA at a custom res.? Such as 300x300 or even as low as 150x150(Palm Low Res)

Don't know if this is what you're looking for, but if you want to run the game at lower than 640x480, here's one way to do it.

 

Static pointer at 0xC97C48 points to block of game resolution and video card details eg.

 

+0x00 desktop width+0x04 desktop height+0x08 desktop resolution+0x14  minimum width allowed(640)+0x18  minimum height allowed(480)..there then follows the list of resolutions supported by your card, starting at 0x284 bytes width4 bytes height4 bytes supported resolution4 bytes unknown4 bytes unknown

 

Before you begin you must have your saved game resolution set to anything except 640x480x16. Start up SA and change the values at +0x14 and +0x18 to the resolution of your choice, say 320x240. How you do this is up to you (in-process dll, TSearch, etc). Then once that's done go to the graphic options menu and change the resolution to 640x480x16. You should now be able to enjoy a heavily pixellated, retro game experience.

 

Full screen 320x240

 

A little trickier to achieve, windowed at 320x200

can anyone explain how to implement this to a lamer like me? I want to run SA at proper screen modes like 3840x2048...

 

I've downloaded TSearch, but don't understand what i'm supposed to do with it - i can't find a string called "0xC97C48" in the hex ed so now i'm outa ideas...

 

any help much appreciated

 

 

[Cowpat]

 

Mr Vibrating (bet you get all the girls ), may I suggest you download a copy of SA_Mem from my sig. This should allow you to make the changes you seek, providing your video card supports the desired resolution.

 

Any probs, PM me.

[space_einstein]

Edited May 12, 2007 by space_einstein

[Mr Vibrating]

 

Mr Vibrating (bet you get all the girls ), may I suggest you download a copy of SA_Mem from my sig.  This should allow you to make the changes you seek, providing your video card supports the desired resolution.

 

Any probs, PM me.

Massive thanks to Cowpat, problem solved. FWIW, a couple of bytes after each 'height' parameter is the refresh rate, (ie. 60/85) and a couple more after that is the depth; 22=32-bit, 23=16-bit.

 

I can now run SA double triplehead (6 LCD panels), 3840x2048x32, which is nice.

 

Screenie here.

 

ps. It'd be great if this fix was available in lamer format, ie. a loader or summik ...

 

Best wishes all

 

Edit: ...and a shot in standard triplehead mode - 3840x1024x32 (w/ Matrox TH2G)....

Edited May 13, 2007 by Mr Vibrating

[Cowpat]

 

FWIW, a couple of bytes after each 'height' parameter is the refresh rate, (ie. 60/85) and a couple more after that is the depth; 22=32-bit, 23=16-bit.

 

...and the last value in each data set is a 1 for full-screen. Setting to 0 indicates windowed mode. The catch is I couldn't get it to operate reliably. Perhaps some greater mind than mine can.

[Sacky]

Memory Address's corresponding to carcols.dat:

 

0xB4E480 : Base Carcols Address

0x4 : Block Size of each colour

+ 0x0 : Red

+ 0x1 : Green

+ 0x2 : Blue

+ 0x3 : Alpha

 

You can read that as a DWORD for RGBA or individual bytes for R,G,B,A

 

Changing these addresses works on the fly

 

File Addresses:

 

0x859D60 : 'main.scm'

0x866CCC : 'loadsc%d'

0x866CF0 : 'LOADSCS.TXD'

0x86AA28 : 'DATA\WEAPON.DAT'

0x86A964 : 'DATA\HANDLING.CFG'

0x86A778 : 'TIMECYC.DAT'

0x869724 : 'DATA\CARCOLS.DAT'

0x86A8CC : 'stream.ini'

0x85A6D4 : 'models\effects.fxp'

 

Overwriting these at runtime will change what file the game picks (tested for all of these)

 

Function Addresses:

 

0x49EA90 : void LoadEffectsFXP ( void )

0x552C00 : void SetupStaticRendering ( void )

0x552AF0 : int __stdcall AllocateRenderTrees(int QuadTreeNodes)

 

Memory Addresses corresponding to effects.fxp:

 

0xA9AE80 : Pointer to the effectsfxp information block

0x258 : Block Size for each effect (Instead of adding it to the block, subtract it)

+ 0x0 : EffectID (byte) ?

+ 0x4 : Effect Length (float)

+ 0x8 : Loop Interval Min (float)

+ 0xC : Length 2 (float) ?

+ 0x10 : ? (I'd like to say playmode, that's what it should be but doesn't correspond to the fxp)

 

I am very confused with this file load, the culling distance doesnt even appear in it , neither does red,green,blue or alpha

 

Texture Addresses:

 

0xC039A0 : Pointer to txgrass0_1

0xC039A4 : Pointer to txgrass0_2

0xC039A8 : Pointer to txgrass0_3

0xC039AC : Pointer to txgrass1_0

0xC039B0 : Pointer to txgrass1_1

0xC039B4 : Pointer to txgrass1_2

0xC039B8 : Pointer to txgrass1_3

0xC039BC : Pointer to gras07Si

 

All i could find , the rest are stored in a Texture Dictionary, i'll have a poke around there and see what i can find

 

Limit Hacking:

 

So in IDA i stumbled on this in SetupRenderTrees

 

 

.text:00552C39                push    offset aQuadtreenodes ; "QuadTreeNodes"

.text:00552C3E                push    400            ; Extending SA's boundaries?

.text:00552C43                mov    ecx, eax

.text:00552C45                call    AllocateRenderTrees

 

Perhaps changing the push 400 to maybe 500 will extend SA's boundaries (Late Edit: No go, still the same bounds whether i increase it or decrease it

 

Misc Addresses:

 

0x484B820 : I don't know but when changed to 5000.0 all static objects become un solid in the area around the airfield and Las Venturas (float)

 

IPL Addresses:

 

0x38 : Block Size for each IPL entry

Edited May 25, 2007 by Sacky

[TehKiller]

 

(since I see this is used for discussion, too - I'll append my topic now)

 

Hello Guys,

 

Currently most of the big multiplayer modifications have this problem, because players who press ESC are not able to be hitten.

 

So did somebody found a way to NOP those functions, which make GTA go to menu on ESC/ALT+TAB, yet?

 

Kind regards,

  Jan (DracoBlue)

 

SA singelplayer features a ''skill'' which shows bullets fired and bullets hit and stuff

So to see if the bullets hitted a person they would do some sort of checking(did it hit world or did it hit a entity/player) so if we would be able to find this adress we could add damage on being hit by bullets

 

this would also be nice for a anticheat for godmode coz if u get hit by bullets and ur health does not drop it means ur hacking ->

 

 

i like this emote >

[JeanChenYu]

In MTA:SA,when I press G,I can enter a vehicle as a guest,

but never can I achieve this in GTA:SA for PC.

I think there are inside commands,when I press a key,a function

read the key in and change it into a command that the inside function

can recognize,and then do what the command says.

I want to know,how can I enter inside commands?Is it possible?

 

[Sacky]

You need to use a keyhook (say SetWindowsHookEx) and injected opcodes to achieve that, same with passenger driveby's and absailing

[JeanChenYu]

Do you know exactly how to achive that?

It's not easy for a beginner like me to make this.

[JeanChenYu]

Really I don't quite understand Cped and Cvehicle,please

explane them.

Are they always changing position?

how can I get the position of Cped or Cvehicle?

 

I also want to know how to get the information of the vehicle

selected by the rocket,when I point to a vehicle using the

rocket and launch the missile,the missile would fly after the vehicle,

that is to say,it has got the X,Y,Z posistion and X,Y,Z velocity of

the vehicle,where are these parameters stored?How could I get

the offsets of them in memory?

[Sacky]

Sorry but what you need to do is look at some source, and posts in this topic

 

Control of a Visible Cursor:

 

0x7481CD : Nop 2 Bytes

0x7481CF : Nop 6 Bytes

 

Now with ShowCursor in a C++ environment you can control if the cursor shows on the screen, it still sticks in the middle with a SetCursorPos and i'm currently working on fixing that (EDIT: done)

 

Free Cursor Pos:

 

0x74542B : Nop 1 Byte

0x74542C : Nop 1 Byte

0x74542D : Nop 6 Bytes

 

Prevents the game from setting the cursor pos to the middle of the screen, however it still reacts to the mouse movements by positioning the camera, i'm currently working on a fix for that

Edited June 9, 2007 by Sacky

[Cowpat]

 

Does anyone know the address of a function which does something to the effect of "Render me all graphical objects"? I don't need to Update(), just do a render.

[Sacky]

Well there was this function from Dexx's function dump:

 

0x74F570 : _RpWorldRender

 

or you could try the Camera Mover Routine

 

On a side note, has anyone tried replacing textures on the fly with the AddEntry and RemoveEntry RW functions?

 

EDIT: Maybe like this (Pseudocode in a sense)?

 

 

void ReplaceTexture(char* TextName,IDirect3DTexture9 Texture){_asm{ push TextName call 0x7F39C0 push TextName push Texture call 0x7F3980}}

 

 

To freeze the camera at a certain positon:

 

0x53C104 : Nop 5 Bytes

 

Objects:

 

0x19C : Object Block Size

0xB74498 : Pointer to the Object Block

 

IPL's:

 

0xB74494 : Pointer to the IPL Pool

 

COL's:

 

0xB744A0 : Pointer to the COL Pool

 

RenderTree's:

 

0xB745BC : Pointer to the RenderTree Pool

 

Vehicle Limits:

 

To make the vehicle limit bigger than the push value to the AllocateVehicles function, change the block multiplier:

 

 

.text:005504C8                imul    eax, 0A18h      ; BlockSize

 

For instance 0xA18 x 2 will give you twice as many vehicles etc

Edited June 10, 2007 by Sacky

[Beep]

Great work Sacky. I hope you post more .

 

For what vehicle limit is that memory offset? I can't remember a 2584 (0xA18) vehicle limit.

[Sacky]

Well firstly i recomend changing the initial push value into the AllocateVehicles function to 125, which would look like this:

 

Change 0x55102A To 125 by simply writing the value in, although i'm rather partial to doing full patches when changing instructions so atm my code looks like this:

 

 

void InitMod ( void ){BYTE Vehicles[] = { 0x6A, 0x7D };Patch ( 0x551029, sizeof(Vehicles), Vehicles );}

 

 

That changes push 110 to push 125, going over that causes the game to crash (due to the small push instruction), so this allows 125 vehicles to be in SA

 

Now we get to the interesting part, changing the multiplier in the AllocateVehicles function, each vehicle block is 0xA18, so the function handles it by going malloc(limit * 0xA18), so if we double that multiplier we get double the number of vehicles, giving us 250, now if we triple that we get triple, so 375 and so on, this is the block size multiplied by 6, which gives us 750 vehicles

 

 

void InitMod ( void ){BYTE Vehicles[] = { 0x6A, 0x7D };BYTE Vehicles2[]= { 0x69, 0xC0, 0x90, 0x3C, 0x0, 0x0 }; // where 3C90 is the multiplication valuePatch ( 0x551029, sizeof(Vehicles), Vehicles );Patch ( 0x5504C8, sizeof(Vehicles2), Vehicles2 );}

 

 

What I still need to work out is how to increase the number of vehicle models that can be loaded during a game

[ModelingMan]

 

so if we double that multiplier we get double the number of vehicles, giving us 250, now if we triple that we get triple, so 375 and so on, this is the block size multiplied by 6, which gives us 750 vehicles

That's an interesting approach. The pools work the same way in VC, not once did I think that increasing the block multiplier would help since you would still be bounded by the limit set. But by looking at this code which gets the next free CPed slot, you can see that it doesn't matter what the limit is set to since there is no reference to it:

 

loc_50F0A0:                inc     dword ptr [ecx+0Ch]loc_50F0A3:                mov     edx, [ecx+4]                mov     eax, [ecx+0Ch]                movzx   eax, byte ptr [edx+eax]                and     eax, 80h                jz      short loc_50F0A0

 

For those who don't know this code goes round in a loop until it finds a free slot for a CPed in the ped pools. This code in no way refers to the CPed limit, it will just keep reading memory until it finds a free slot, therefore explaining the reason why the game crashes when spawning too many peds in the game (reading beyond the allocated memory).

 

 

What I still need to work out is how to increase the number of vehicle models that can be loaded during a game

This is quite a tedious process since the memory used for storing the vehicle model info and handling is static, and has alot of cross-references making it a very long task to complete. I got extra vehicle slots partially working in VC, but had no sound or collision. But as we all know anything is possible if we are willing to put the time into it...