Documenting GTA-SA memory addresses

[steve-m 27]

spooky thats wierd... i wonder what they will do when they release a patch, release a different patch for each country?! that would be odd.

Yep, they also did that for VC. I have a whole bunch of different executables for that game...

[Stretchnutter 2]

I guess we should just stick with the USA version because thats what all those trainers out there and this thread are based on so far, future trainers should also base on it. For the people who bought the EU game they will have to figure out what to do on their own I guess.

Edited June 13, 2005 by Stretchnutter

[JernejL 52]

I guess we should just stick with the USA version because thats what all those trainers out there and this thread are based on so far, future trainers should also base on it. For the people who bought the EU game they will have to figure out what to do on their own I guess.

that was rude, so i will stick to the european exe then and americans will have to figure out what to do on their own I GUESS.

 

[Opius 9]

How about we drop the drama and think about this logically?

 

I'd say at least 66% of people who own the game are using the American version. It's logical that you would use the method that will ensure the most amount of people will be able to use it without modification.

 

Delfi, aren't you always complaining about people not using/conforming to standards? Why would you want to deliberately complicate an already difficult area of modding over something so petty? You're making a mountain out of a molehill.

 

So, be sure to make notes on what version of the EXE the addresses you post are from, so they can be adjusted if needed.

 

[EDIT]And a request: I'd love if someone could find a way to remove the EAX/Nvidia splash screens, the intro movie and the intro splash screen. Tedius as sh*t after the first time.

[SubConscious 1]

surely i can use the US exe with my EU install? i've seen it before where they release different versions of the same patch for different regions, but they worked on all of them.

[jacob. 1]

Why is there different executables for different countries anyway? It can't be for language purposes, thats definatly a GXT thing. So why?

 

Anyway, I'm sure the exes have fixed byte differences between them - just as the 8 byte difference between VC 1.0/1.1.

[JernejL 52]

How about we drop the drama and think about this logically?

 

I'd say at least 66% of people who own the game are using the American version. It's logical that you would use the method that will ensure the most amount of people will be able to use it. Factor into this the fact that it would at most four lines of code to both check the version and add the needed value to addresses seems like you're all making mountains out of molehills.

 

So, be sure to make notes on what version of the EXE the addresses you post are from, so they can be adjusted if needed.

you misunderstood the whole thing, he went so fast assuming and screwing others that i got pissed off ofcourse.

 

[DexX 47]

 

ashdexx: The shaders are inside the executable, but they're compiled at runtime it seems. Open the executable in a hex editor and have a search.

oh sh*t, your right!

 

the block of code starting around 4d63fb, hex, looks like its DirectX 9 asm shader code....hoo-wee, now this should be interesting...

 

oh yea, thats an address in the static exe, my bad

American exe

[kyeman 0]

 

[EDIT]And a request: I'd love if someone could find a way to remove the EAX/Nvidia splash screens, the intro movie and the intro splash screen. Tedius as sh*t after the first time.

 

 

#define NOP 0x90DWORD d,ds;*(PBYTE)0xC8D4C0 = 5;VirtualProtect((PVOID)0x747483,6,PAGE_EXECUTE_READWRITE,&d);memset((PVOID)0x747483,NOP,6);VirtualProtect((PVOID)0x747483,6,d,&ds);

 

 

You'd have to use this with something that gets inprocess with gta_sa. I've had to resort to using a loader since we lost the Miles Sound System *sniff* .

 

 

 

[jacob. 1]

Awesome find kyeman, its about time those annoying advertisements are gone.

 

 

You'd have to use this with something that gets inprocess with gta_sa

Why? Aren't both VisualProtect and memset functions that can be called from external processes? It appears to me like all you'd need is a program that loads gta_sa.exe, then immediatly NOP's 0x747483.

[QJimbo 0]

surely i can use the US exe with my EU install? i've seen it before where they release different versions of the same patch for different regions, but they worked on all of them.

I don't know about the UK version, but I know that the German version has been censored in a few ways, e.g. peds don't drop cash when you kill them, you can't mutilate bodies, etc. All headache causing things for the trainer maker -_-

[Squiddy 3]

Why? Aren't both VisualProtect and memset functions that can be called from external processes? It appears to me like all you'd need is a program that loads gta_sa.exe, then immediatly NOP's 0x747483.

Of course, but this is just a temporary solution. What if others want to make changes like these? We have to think about a standard for this, one major dll that loads all others.

[steve-m 27]

Don't we have that already?

[Squiddy 3]

Don't we have that already?

Wasn't sure if hammer's work has been officially announced, but okay, one problem we don't have to think about anymore.

[Stretchnutter 2]

 

[EDIT]And a request: I'd love if someone could find a way to remove the EAX/Nvidia splash screens, the intro movie and the intro splash screen. Tedius as sh*t after the first time.

 

 

#define NOP 0x90DWORD d,ds;*(PBYTE)0xC8D4C0 = 5;VirtualProtect((PVOID)0x747483,6,PAGE_EXECUTE_READWRITE,&d);memset((PVOID)0x747483,NOP,6);VirtualProtect((PVOID)0x747483,6,d,&ds);

 

 

You'd have to use this with something that gets inprocess with gta_sa. I've had to resort to using a loader since we lost the Miles Sound System *sniff* .

found an easier way.

 

also give a quick tutorial how to use HIEW.

 

First you will want to make sure you backup gta_sa.exe

 

These instructions are for the USA version 1.0*

 

Download HIEW here: http://www.serje.net/sen/

 

Unzip then run HIEWDEMO.EXE

 

Browse to gta_sa.exe and load it

 

You should see a bunch of wierd text. Press F4 then select 'Decode'.

Now it should look like something familiar to you ASM heads.

 

For the no intro hack do the following:

 

press F5 then type ".00748AA8" without the parenthesis

 

at this address you should see

push ebx

pusi edi...

 

 

at this point press F3 then type the following exactly: C7 05 C0 D4 C8 00 05 00 00 00 EB DF

without the spaces.

 

basically this says

mov dword ptr [0xC8D4C0],5

jmp 748A93

 

 

the region we are writing code to is called when 0xC8D4C0 = 0x0 just to give a little insight

 

when you are done press F9 (save) then press F10 (quit)

 

now when you load the game you are taken directly to the main menu.

 

No loader or trainer...

Edited June 14, 2005 by Stretchnutter

[random_download 0]

B793D4: Float, Fat stat

B793D8: Float, Stamina stat

B793DC: Float, Muscle stat

 

B79496: Float, pistol stat

B79498: Float, silenced pistol stat

B7949C: Float, desert eagle stat

B794A0: Float, shotgun stat

B794A4: Float, sawn-off shotgun stat

B794A8: Float, combat shotgun stat

B794AC: Float, machine pistol stat

B794B0: Float, smg stat

B794B4: Float, AK47 stat

B794B8: Float, M4 stat

[jacob. 1]

Racer.. in that case, all of the static offsets found with that patched executable would be a few bytes off from what others have found, right? The last thing we need is people coming in here and posting offsets that aren't correct for other people. Which is why some sort of "universal" executable should be chosen as we did with VC (1.0/1.1). Might I suggest the unpacked nocd patch?

 

 

Edited June 18, 2005 by !cMc! Jacob

[Stretchnutter 2]

Racer.. in that case, all of the static offsets found with that patched executable would be a few bytes off from what others have found, right? The last thing we need is people coming in here and posting offsets that aren't correct for other people. Which is why some sort of "universal" executable should be chosen as we did with VC (1.0/1.1). Might I suggest the unpacked nocd patch?

No that little tutorial only overwrites some code... HIEW is just a better way to do it compared to a hex editor because it accounts for the 'real' memory location. I would have some trouble finding the correct offset to edit with a hex editor.

[JernejL 52]

Racer.. in that case, all of the static offsets found with that patched executable would be a few bytes off from what others have found, right? The last thing we need is people coming in here and posting offsets that aren't correct for other people. Which is why some sort of "universal" executable should be chosen as we did with VC (1.0/1.1). Might I suggest the unpacked nocd patch?

right, now pm me where to get it.

 

btw, the game is on a dvd - not cd..

 

 

[Cowpat 1]

 

#define NOP 0x90DWORD d,ds;*(PBYTE)0xC8D4C0 = 5;VirtualProtect((PVOID)0x747483,6,PAGE_EXECUTE_READWRITE,&d);memset((PVOID)0x747483,NOP,6);VirtualProtect((PVOID)0x747483,6,d,&ds);

 

 

 

Hooray! I've been trying to get VirtualProtect to work for two nights now - no more .rdata blues

 

Now I can switch gravity off with a button and slide dead peds around like ice pucks

[saracoglu 6]

I have found some time to have a closer look to the vehicle object, and compared to the gta3 and gtavc vehicles.

There are still a lot to check, but here are some memory offsets (as offset to player car adr.), and what they do:

(offsets are decimal)

 

66 Byte, Specials: 1..111.. EP/NA/NA/DP/FP/BP/NA/NA

68 Float, X (East-West) speed

72 Float, Y (North-South) speed

76 Float, Z (up-down) speed

80 Float, X (NS) Spin

84 Float, Y (EW) Spin

88 Float, Z (NW) Spin

140 Float, Mass (kg) from handling.cfg

144 Float, Turn Mass from handling.cfg

148 Float, Grip Divider (0.1=10xgGrip / 1=1xgGrip / 100=g/100Grip)

152 Float, Mass-to-Grip Multiplier. Ie. G Force when flying/during suspension/driving (acceleration towards ground)

160 Float, Normalized Grip Level

164 Float, CoM X

168 Float, CoM Y

172 Float, CoM Z

1076 Byte, Body Color (as in carcolors.dat, black being the 0)

1077 Byte, Stripe Color (as in carcolors.dat, black being the 0)

1080 DWord, modding data as in garage info

1084 DWord, modding data as in garage info

1088 DWord, modding data as in garage info

1092 DWord, modding data as in garage info

1096 DWord, modding data as in garage info

1100 DWord, modding data as in garage info

1104 DWord, modding data as in garage info

1108 DWord, modding data as in garage info

1112 Float, Car Wheel Size from vehicle.ide

1116 DWord, Siren Time Left ms

1216 Float, Car Damage Left (1000: undamaged)

1272 Dword, Car Door Locked State (1:open 2:locked)

1444 Byte, Car Wheels Shot: (.1.1.1..=NA/RF/NA/LB/NA/LF/NA/NA) RF:RightFrontWheel 1:shot, 0:OK

[EDIT]

Following offsets are Floats, as positions of doors and other car parts that gets detached by damage

We need to recalculate and set their locations if we warp a car from one location to another. Otherwise

the car spins uncontrollable:

1828 Detachables1 Pos X

1832 Detachables1 Pos Y

1836 Detachables1 Pos Z

1872 Detachables2 Pos X

1876 Detachables2 Pos Y

1880 Detachables2 Pos Z

1916 Detachables3 Pos X

1920 Detachables3 Pos Y

1924 Detachables3 Pos Z

1960 Detachables4 Pos X

1964 Detachables4 Pos Y

1968 Detachables4 Pos Z

[/EDIT]

[EDIT]

Here is the detachable locations for bikes. At each offset, there are 12 bytes, ie. 3 Floats having the X,Y and Z coords.:

+ 1532 BikeDetachPosAdr(0)

+ 1632 BikeDetachPosAdr(1)

+ 1676 BikeDetachPosAdr(2)

+ 1720 BikeDetachPosAdr(3)

+ 1764 BikeDetachPosAdr(4)

[/EDIT]

have a nice time hacking,

Alper

Edited June 18, 2005 by saracoglu

[jacob. 1]

Following offsets are Floats, as positions of doors and other car parts that gets detached by damage

We need to recalculate and set their locations if we warp a car from one location to another. Otherwise

the car spins uncontrollable:

1828 Detachables1 Pos X

1832 Detachables1 Pos Y

1836 Detachables1 Pos Z

1872 Detachables2 Pos X

1876 Detachables2 Pos Y

1880 Detachables2 Pos Z

1916 Detachables3 Pos X

1920 Detachables3 Pos Y

1924 Detachables3 Pos Z

1960 Detachables4 Pos X

1964 Detachables4 Pos Y

1968 Detachables4 Pos Z

That would explain why my velocity gets totally screwed when spawning in a vehicle.. do you know how these Detachable offsets are calculated? I'd imagine they'd be different for each vehicle, but it sure would be a pain to have to do a preset calculation for every single bloody car...

[saracoglu 6]

I guess you would just need to recalculate some values on runtime and assign them to the detachables.

You can even assign the car location directly to them. It is better than letting them have 0-0-0 as location values.

 

 

By the way, how do you 'spawn' a car?

[JernejL 52]

just subtract the detachables positions from current location, warp the car and sum

them with new location i assume..

 

[saracoglu 6]

For the garage editor coders:

 

There are 50 Garages in the game. Each garage position, details, usage information, location in game,

location of door, width, depth and height, direction it looks, coordinates of lower left corner, and

upper right corner, if it is usable by the player, which property (safe house) it belongs, number of

cars that can be parked into, the door state (closed, opening, open and closing) is found in the

garage object of 212 bytes. The memory location where the garages start in the exe I use is:

0x96C048 (I am using non-patched original v1.0 german exe with english language option selected, and

original scm file.) The next garage is at 0xD4 offset, so on 0x96C120

 

Here is the offsets that I was able to figure out by now:

0 Float, X Coord of the Garage Lower Left corner

4 Float, Y Coord of the Garage Lower Left corner

8 Float, Z Coord of the Garage Lower Left corner

12 Float, X Value of direction vector 1

16 Float, Y Value of direction vector 1

20 Float, X Value of direction vector 2

24 Float, Y Value of direction vector 2

28 Float, Top Z Coord of the garage (TopZCoord - ZCoord = Garage Height)

32 Float, Normalized Width of the garage

36 Float, Normalized Depth of the garage

40 Float, Left Border (X) corrdinate

44 Float, Right Border (X) corrdinate

48 Float, Front Border (Y) corrdinate

52 Float, Back Border (Y) corrdinate

77 Byte, Garage Door State: 0:closed 1:open 2:opening 3:closing

 

The direction vector 3 is completely left out, I think because the garages are always even to the ground.

I think that is also why the Z values of the direction vectors are also left-out.

 

I have not yet checked all garages. But some of the known adresses are:

0x96C480 El Corona

0x96C7E0 Johnson House

0x96CB40 Santa Maria Beach

0x96CC18 Mulholland

 

The contents of the garages are also in the memory in almost the same manner. Like 0x96ABD8 is the 60 Bytes info

block start of the first car parked in Johnson House garage. First 12 bytes are (Float) location matrix (XYZ),

Offset 14 (Word) is BPDPEPFP coding, Offset 16 (Word) is CarID, Offset 20 to 44 is DWords, with tuning info.

I am now working on the details. I will soon finish and post the complete car parking information.

Edited June 16, 2005 by saracoglu

[jacob. 1]

By the way, how do you 'spawn' a car?

I was talking about teleporting a car the player is already in, which in that case you can use the same method of teleporting players on foot.

 

But for a vehicle your not in, I'd imagine it'd go something like this..

It must first be created somewhere in the game, then its just a matter of finding its pointer. You should be able to do this similiar to GameGetVehicle, just start from the base car pointer and add (index * carblocksize).

Then it's (vehicle+20)+0x30=x, +0x34=y, +0x38=z.. unless the xyz structure is different for vehicles.

[saracoglu 6]

An idea to spawn a car would be to copy current and known car pointers around player, trigger the car spawn cheat, and compare them with the pointers after car spawn cheat to find the actual pointer. This would however spawn only one type of car. Grabbing the nearest available car and bringing it to user will also result in spawning a random car. We should check the car spawn cheat trigger and see if it is internally so coded that it accepts a CarID to spawn. Because then, we can just trigger the cheat with the desired ID, and not bother about bringing it to the user (with the cheat, the car gets spawned on nearest valid road location).

 

I am using several methods for controlling the car the user is in (or was in), from flight assistance to changing or fixing speed, spin, flipping car, locking doors, repairing wheel and other damage, changing car colors, etc.

If you have ever used my old GTA3 Admin Console you would remember how it works in game. I am currently working on upgrading the trainer to GTA SA. The User and Car Controls are already OK. After I finish the garage coding (you will be able to not only park cars/bikes/etc in garages and set DPBPEPFP, but also tune them, and give them NOS etc. as well), I will happily announce the beta version and ask for testers. The console does not change anything on the game files or functionality of gta_sa.exe, but overrides memory locations with the wanted values. So it is safe to use it without crashes etc.

 

Alper

Edited June 17, 2005 by saracoglu

[DracoBlue 0]

I searched for some also, because it was a bit difficult to read and edit things (in this board) so I put all the collected data in the Wiki @ http://GTADB.tk/Memory_adresses_San_Andreas

 

Please adjust when you find a failure or something is missing.

 

See you,

[JernejL 52]

so I put all the collected data in the Wiki

that is no excuse, there is no problem of posting addresses here, and if you

were at that you could post them on gtamemory: http://www.gtaconnection.net/gtamemory/

which was mentioned in vc adresses topic.

 

share your things here, on this forum rather than redirect traffic to your site..

 

[Squiddy 3]

0xBA6748

 

+ 0x15D - BYTE Current Menu ID

+ 0x78D - BYTE Show menu item hover

+ 0x54 - DWORD Selected menu item

 

+ 0xE9 - BYTE Main menu switch (startup menu/menu when playing)

+ 0x84 - DWORD language

+ 0x15F - BYTE selected savegame

+ 0x24 - DWORD radar mode

 

+ 0x64 - FLOAT map zoom

+ 0x68 - FLOAT map x position

+ 0x6C - FLOAT map y position

 

+ 0x5C - BYTE Player in menu?

 

Menu IDs: http://squiddy.marway.org/gta/sanandreas/prv/menu.txt