Documenting GTA-SA memory addresses

[UZI-I]

Virtual Protect...

 

[voodoo48]

 

Virtual Protect...

 

It says me nothing... However, I'll search after it on Google, but i'd thank any help. Or you've just corrected my "read-only" word to "virtual-protect"? Well I dunno...

Edited March 19, 2008 by voodoo48

[roby65]

check on msdn the "VirtualProtect" function

[UZI-I]

DWORD d,ds;VirtualProtect( Address, Size, PAGE_EXECUTE_READWRITE, &d );  // Write Memory or whatever you want.VirtualProtect( Address, Size, d, &ds );

 

[voodoo48]

Thank you very much, guys, however, I use VB 2005... And I didn't find any sample/example/whatever to find out how does it work... Neither on Google or MSDN.

[aru]

Hate seeing repeated research done... waste of time. I thought this was already documented somewhere.. but I guess not.. so here goes an update to Sacky's post:

 

CPed

+0x47C CPedIntelligence *pedIntelligence

 

CPedIntelligence

+0x00 CPed *ped

+0x04 CPedTasks tasks (remember this isn't a ptr, its a struct)

+0x34 - 0x294 ???

 

CPedTasks

+0x00 CTask *primaryTasks[5]

+0x14 CTask *secondaryTasks[6]

+0x2C CPed *ped;

 

Primary, Secondary tasks

 

(See MTA's list @ http://development.mtasa.com/index.php?title=Tasks)

 

CTask

+0x00 void *virtualFunctionTable;

+0x04 CTask *previousTask;

 

CTask Virtual Function Table

0: Destructor

1: Clone

2: GetNextTask

3: IsSimpleTask

4: GetID

5: ??

6: Process

 

CTaskSimple

+0x00 Inherits from CTask

 

CTaskSimple Virtual Function Table

7: ??

8: ??

 

CTaskComplex

+0x00 Inherits from CTask

+0x08 CTask *nextTask

+0x0C ??

+0x10 CPed *ped;

+0x14 - 0x24 ??

 

CTaskComplex Virtual Function Table

7: AddTask

8: ??

9: ??

10: ??

 

Tasks are chained... after one task is completed, the next one is executed. Complex tasks can have other tasks chained to them... simple tasks are the end of the chain.

 

If I recall correctly, there is another post about tasks buried somewhere within this topic...

[roby65]

Hate seeing repeated research done... waste of time. I thought this was already documented somewhere.. but I guess not.. so here goes an update to Sacky's post:

 

CPed

+0x47C CPedIntelligence *pedIntelligence

 

CPedIntelligence

+0x00 CPed *ped

+0x04 CPedTasks tasks (remember this isn't a ptr, its a struct)

+0x34 - 0x294 ???

 

CPedTasks

+0x00 CTask *primaryTasks[5]

+0x14 CTask *secondaryTasks[6]

+0x2C CPed *ped;

 

Primary, Secondary tasks

 

(See MTA's list @ http://development.mtasa.com/index.php?title=Tasks)

 

CTask

+0x00 void *virtualFunctionTable;

+0x04 CTask *previousTask;

 

CTask Virtual Function Table

0: Destructor

1: Clone

2: GetNextTask

3: IsSimpleTask

4: GetID

5: ??

6: Process

 

CTaskSimple

+0x00 Inherits from CTask

 

CTaskSimple Virtual Function Table

7: ??

8: ??

 

CTaskComplex

+0x00 Inherits from CTask

+0x08 CTask *nextTask

+0x0C ??

+0x10 CPed *ped;

+0x14 - 0x24 ??

 

CTaskComplex Virtual Function Table

7: AddTask

8: ??

9: ??

10: ??

 

Tasks are chained... after one task is completed, the next one is executed. Complex tasks can have other tasks chained to them... simple tasks are the end of the chain.

 

If I recall correctly, there is another post about tasks buried somewhere within this topic...

how to add a task?

and how to check current task?

 

for example....is there a way to check where an actor is aiming?

[aru]

how to add a task?

and how to check current task?

 

for example....is there a way to check where an actor is aiming?

To programatically create tasks and add them... it's a bit of work (a lot of work, I should say).

 

1. Create memory in the task pool

2. Call the task constructor

3. Call one of the CPedTasks_AddPrimaryTask or CPedTasks_AddSecondaryTasks functions

 

Now for each different type of task (there are 300+ of them), you'd have to find their size, the address of their constructor(s), the parameters to pass to the constructor, etc. It's a lot of work to do all that... its often easier to find the SCM opcode which does the same thing.

 

To check the current task for each slot...

1. get the CPedIntelligence of a ped,

2. get the CPedTasks (add 4 to CPedIntel offset)

3. for the slot you want (e.g. UseGun would be in the Attack slot, OnFoot/InCar would be in the Default slot I think), check if it contains anything other than NULL.

4. If its not NULL, call GetID() on them.. and you can determine what task it is by its unique ID. (0 = OnFoot, 1 = InCar, 1017 = UseGun).

5. If the task is complex (i.e. IsSimpleTask() returns 0), you can call GetNextTask() on it and figure out what task is in the chain of tasks, and repeat the process on it.

 

If you want to see where an actor is aiming... you'd have to look at the UseGun task. It probably has some data on where the actor is aiming (not sure if it does). Virtual table for UseGun is at 0x86D724, constructor at 0x61DE60. The other alternative is to look at the CCamera object.. there should be a Aim vector in it (probably documented somewhere here... I don't have it offhand).

[roby65]

seems too difficult to do.....

 

 

SetTransform( D3DTS_VIEW , 0xC9BC80 );this call is to set cameras pos, and it's done here:007F8FC2   68 80BCC900      PUSH gta_sa.00C9BC80	<-matrix007F8FC7   6A 03            PUSH 2  	<-D3DTS_VIEW (first parameter)....007F8FF1   E8 DA130000      CALL gta_sa.007FA3D0

 

 

to hook camera, simply change the first push

[Sacky]

Task Name, ID, whether it is Simple and its Class Address

CTaskSimpleUseGun - 1017 - true - 0x86D724

CTaskSimpleAimPos - 1020 - true - 0x86D76C

 

unsigned int uiID = NULL;

void* CTaskSimpleUseGun = (void*) CTask; // Where CTask is the memory address of the CTask struct

void* CTaskGetID = (void*) CTaskSimpleUseGun + 0x10; // GetID() is at 0x10 offset

__asm call CTaskGetID

__asm mov uiID,eax

// Now uiID contains ID Number

 

CTaskSimpleUseGun: (sizeof(CTaskSimpleUseGun) == 0x40)

+0x0 : void* CTaskSimpleUseGunClass

+0x10 : float

+0x2C : void*

+0x30 : CWeaponInfo* cWeaponInfo

+0x34 : unsigned int[2]

+0x3C : float

 

CWeaponInfo: (sizeof(CWeaponInfo == 0x70)

+0x0 : unsigned int

+0x4 : float[2]

+0xC : unsigned int uiWeaponItemDefinition (eg. I used the silenced pistol this comes up with 347[347, silenced, silenced, silenced, 1, 30, 0])

+0x10 : DWORD NULL (its NULL on every one)

+0x14 : unsigned int[4]

+0x24 : float[3]

+0x38 : float[9]

+0x6C : void* ?

This information is nothing to do with aim, although it may influence it, it only changes based on what weapon your using, not where your aiming.

 

CTaskSimpleAimPos

0x61F3F0 : CTaskSimpleAimPos::Constructor(0,AimPos*,0,0,0x1F4,Timelimit); // where ecx is the address of the task allocation

 

0x618970 : ProcPlyrWeapon

 

I'll do some more in depth research into this later

Edited March 28, 2008 by Sacky

[ModelingMan]

2dEffectStore - 0x00B4C2D8(1.0 HOODLUM), 0x00BC11E0(3.0 Steam)

+00: count

+04: C2dEffect[...]

 

C2dEffect: sizeof = 64 bytes. (Structure of this object varies depending on the type of 2dfx).

Edited March 28, 2008 by ModelingMan

[Sacky]

The Aim Vectors from the CCamera Object (all floats)

 

CCamera:

+0x890 : (float[3]) AimPos

+0x8D8 : (float[3]) AimPosCopy

 

0xB76870 : (float[3]) AimPos

0xB76888 : (float[3]) AimPos

 

Curious how they all seem to mirror each other.

 

Useful for getting and setting the players aim, or indeed any players aim because presumably you can just get these and make the actor aim at these points. However not useful for me, because I need to get AI aiming positions.

 

CPlayer:

+0x310 : (float*[3]) floats that influence Aim

 

Enable Multiple SA Windows:

0x7468E0 : (func) CheckForOtherSA(void)

0x74872D : (asm) call CheckForOtherSA (NOP this in the exe)

 

CSearchlight:

0x493000 : (func) CSearchlight::Create

Edited March 29, 2008 by Sacky

[roby65]

where is CCamera object?

[mr.perfect]

Slightly off topic but has anyone figured out why the '$50 Good Citizen Bonus' doesnt work anymore? Theres a call in the EXE for the GXT entry 'GOODBOY' which displays the message (which is mising form the GXT files), just wondering if it can be made to work...?

[Sacky]

Models:

 

0x85BBF0 : Model VMT

+0x0 : Destructor

+0x18 : FillStructure

 

0xA9B0C8 : ModelStructs* modelStructs[20000];

 

ModelStructs:

+0x0 : Model VMT*

+0x18 : float LODDistance

[Seemann]

 

.rdata:0085BBF0     _vmt_CModelObjs dd offset CModelObjs__scalar_destructor.rdata:0085BBF0                                            ; DATA XREF: $CModelObjs__constructor:loc_4C5548o.rdata:0085BBF4                     dd offset $CModelObjs__m04; return this.rdata:0085BBF8                     dd offset $CModelBase__m08; return 0;.rdata:0085BBFC                     dd offset $CModelBase__m0C; return 0;.rdata:0085BC00                     dd offset $CModelObjs__getType; return 1;.rdata:0085BC04                     dd offset $CModelBase__getTimeinfo; return 0;.rdata:0085BC08                     dd offset CModelObjs__init; CModelBase::init ();.rdata:0085BC0C                     dd offset $CModelBase__clear.rdata:0085BC10                     dd offset CModelObjs__clearData.rdata:0085BC14                     dd offset $CModelObjs__m24; return 1;.rdata:0085BC18                     dd offset CModelObjs__cloneDataAndSetMM.rdata:0085BC1C                     dd offset CModelObjs__cloneData.rdata:0085BC20                     dd offset CModelBase__initIfpName.rdata:0085BC24                     dd offset CModelBase__initIfp;;.rdata:0085BC28                     dd offset CModelBase__getIfpIndex; return 0xFFFFFFFF;.rdata:0085BC2C                     dd offset CModelObjs__m3C

 

 

 

00000000 CModelBase      struc; (sizeof=0x20)00000000 __vmt           dd ?00000004 modelNameHash   dd ?00000008 usageCount      dw ?0000000A txdIndex        dw ?                   ; index of entry in the TexDictionaryPool0000000C field_C         db ?0000000D field_D         db ?0000000E field_E         dw ?00000010 field_10        dw ?00000012 flags           dw ?00000014 colModel        dd ?00000018 drawDist        dd ?                   ; float0000001C atomic          dd ?                   ; union { RpAtomic * atomic; RpClump * clump; }00000020 CModelBase      ends

 

[roby65]

what's the atomic and the field_s?

[roby65]

I made some researches on the VMT of the CPed, this is what i discovered:

 

 

0x5347D0 -> Called for every static object (static IPLs) (load?)if disabled, all the static objects are not loaded0x5449B0 -> Collision check, if disabled player falls under the ground...and there are some bugs with models0x60Ea90 -> Onfoot player handle, if disabled player can only drive a car0x54DFB0 -> Actors fall under the ground repeatly, returning to on the ground after 0.5 sec0x54DB10 -> Set Entity Pos0x54DEC0 -> IsPlayerAbleToJump, if disabled player when jumps acts like if he hits a wall0x5E8a20 -> Update Player Matrix0x5E7680 -> Drawp player/actors0x553F00 -> Render textures / Render lights (?) If disabled, player/actors are completely black0x5533B0 -> Something with lights

 

[listener]

atomic - pointer to 3d engine object (RpAtomic - basic 3d object, RpClump - hierarchical collection of atomics)

field_s - unknown yet

 

More complete version:

 

00000000 CModelBase      struc; (sizeof=0x20)00000000 __vmt           dd ?00000004 modelNameHash   dd ?00000008 usageCount      dw ?0000000A txdIndex        dw ?                   ; index of entry in the TexDictionaryPool0000000C field_C         db ?0000000D count2dfx       db ?0000000E index2dFx       dw ?00000010 objectInfoIndex dw ?; index in the array of the structures from object.dat00000012 flags           dw ?00000014 colModel        dd ?00000018 drawDist        dd ?                   ; float0000001C rwObject        dd ?                   ; union { RpAtomic * atomic; RpClump * clump; }00000020 CModelBase      ends

 

 

00000000 CModelHier      struc; (sizeof=0x24)00000000 __parent        CModelBase ?00000020 _ifp            dd ?                   ; union { int ifpIndex; char * ifpName; }00000024 CModelHier      ends

 

 

00000000 CModelPeds      struc; (sizeof=0x44)00000000 __parent        CModelHier ?00000024 animType        dd ?                   ; animation style00000028 pedType         dd ?0000002C statType        dd ?00000030 carMask         dw ?00000032 pedFlags        dw ?00000034 field_34        dd ?                   ; CColModel *00000038 radio1          db ?00000039 radio2          db ?0000003A pedModel        db ?0000003B field_3B        db ?0000003C voiceType       dw ?0000003E voice1          dw ?00000040 voice2          dw ?00000042 voice3          dw ?                   ; same as voice100000044 CModelPeds      ends

 

 

 

.rdata:0085BDC0     __vt__CModelPeds dd offset CModelPeds__scalar_destructor.rdata:0085BDC0                                            ; DATA XREF: $CModelPeds__constructor+8o.rdata:0085BDC0                                            ; CModelPeds__destructor+1Eo.rdata:0085BDC4                     dd offset CModelBase__m04; return 0;.rdata:0085BDC8                     dd offset CModelBase__m08; return 0;.rdata:0085BDCC                     dd offset CModelBase__m0C; return 0;.rdata:0085BDD0                     dd offset CModelPeds__getType; return 7; //u08.rdata:0085BDD4                     dd offset CModelBase__getTimeinfo; return 0;.rdata:0085BDD8                     dd offset CModelHier__init.rdata:0085BDDC                     dd offset CModelHier__clear; CModelBase::clear ().rdata:0085BDE0                     dd offset CModelPeds__deleteRwObject.rdata:0085BDE4                     dd offset CModelHier__getRwObjectType; return 2; // CLUMP.rdata:0085BDE8                     dd offset CModelHier__cloneDataAndSetMM; MM - modelling matrix.rdata:0085BDEC                     dd offset CModelHier__cloneData.rdata:0085BDF0                     dd offset CModelHier__initIfpName.rdata:0085BDF4                     dd offset CModelHier__initIfp.rdata:0085BDF8                     dd offset CModelHier__getIfpIndex .rdata:0085BDFC                     dd offset CModelHier__getColModel .rdata:0085BE00                     dd offset CModelPeds__setRwObject

 

 

 

.rdata:0086C358     __vt__CPed      dd offset CPed__scalar_destructor.rdata:0086C358                                            ; DATA XREF: CPed__constructor+2Fo.rdata:0086C358                                            ; CPed__destructor+22o.rdata:0086C35C                     dd offset CEntity__m04.rdata:0086C360                     dd offset CPhysical__add; void CPhysical::add ();.rdata:0086C364                     dd offset CPhysical__remove; void CPhysical::remove ();.rdata:0086C368                     dd offset CEntity__m10 .rdata:0086C36C                     dd offset CPed__setModelIndex; void CPed::setModelIndex (signed int modelId).rdata:0086C370                     dd offset CEntity__setModelIndexNoCreate; void CEntity::setModelIndexNoCreate (signed int modelId);.rdata:0086C374                     dd offset CEntity__createRwObject; RwObjectHasFrame * CEntity::createRwObject ();.rdata:0086C378                     dd offset CPed__deleteRwObject; void CPed::deleteRwObject () { CEntity::deleteRwObject (); }.rdata:0086C37C                     dd offset CPhysical__getBoundRect; CRect * CPhysical::getBoundRect (CRect * );.rdata:0086C380                     dd offset CPed__processControl; void CPed::processControl ();.rdata:0086C384                     dd offset CPhysical__m2C.rdata:0086C388                     dd offset CPhysical__m30.rdata:0086C38C                     dd offset CPhysical__m34.rdata:0086C390                     dd offset CPed__teleport; void CPed::teleport (float x, float y, float z, float);.rdata:0086C394                     dd offset CPed__m3C.rdata:0086C398                     dd offset CPed__m40.rdata:0086C39C                     dd offset CPed__preRender; void CPed::preRender ();.rdata:0086C3A0                     dd offset CPed__render; void CPed::render ();.rdata:0086C3A4                     dd offset CPed__setupLighting; void CPed::setupLighting ();.rdata:0086C3A8                     dd offset CPed__removeLighting; void CPed::removeLighting (DWORD);.rdata:0086C3AC                     dd offset CPed__flagToDestroyWhenNextProcessed; void CPed::flagToDestroyWhenNextProcessed ();.rdata:0086C3B0                     dd offset CPed__processEntityCollision; int CPed::processEntityCollision (CEntity *, void *);.rdata:0086C3B4                     dd offset CPed__m5C.rdata:0086C3B8                     dd offset CPed__m60.rdata:0086C3BC                     dd offset CPed__m64

 

[roby65]

how did you find all the VMT names?

[listener]

From many sources, mostly from decompiling. Also from string in the executables, comments in config files, sascm.ini, searching the web, etc.

In last 1.5 years, I had named more than 10K functions and 300 structures and classes.

 

More info: 3D objects inheritance diagram

 

CPlaceable (vmt=0x863C40, size=0x18):   CCamera (vmt=0x8630E8, size=unknown)   CEntity (vmt=0x863928, size=0x38):       CBuilding (vmt=0x8585C8, size=0x38)           CTreadable (vmt=0x8639B0, size=0x38)       CDummy (vmt=0x8638C0, size=0x38)           CDummyObject (size=0x38)           CDummy_86C198 (vmt=0x86C198, size=unknown, unused)       CPhysical (vmt=0x863BA0, size=0x138)           CObject (vmt=0x866F60, size=0x17C)               CHand (vmt=0x866EE0, size=0x18C) // actor's hand in cutchenes               CProjectile (vmt=0x867030, size=0x17C)               CCutsceneObject (vmt=0x868A60, size=0x19C)           CPed (vmt=0x86C358)               CCivilianPed (vmt=0x86C0A8, size=0x79C)                CCopPed (vmt=0x86C120, size=0x7C4)                CEmergencyPed (vmt=0x86C200, size=0x79C)                CPlayerPed (vmt=0x86D168, size=0x7A4)            CVehicle (vmt=0x871E80)               CAutomobile (vmt=0x871120, size=0x988)                   CHeli (vmt=0x871680, size=0xA18)                   CMtruck (vmt=0x8717D8, size=0x99C)                   CPlane (vmt=0x871948, size=0xA04)                   CQuad (vmt=0x871AE8, size=0x9BC)                   CTrailer (vmt=0x871C28, size=0x9F4)               CBike (vmt=0x871360, size=0x814)                   CBmx (vmt=0x871528, size=0x838)               CBoat (size=0x8721A0, size=0x7E8)                CTrain (vmt=0x872370, size=0x6AC)

 

Edited April 9, 2008 by listener

[Sacky]

Stats: (ar_stats.dat):

 

0xB78F10 : float fStats[58];

 

If you look in ar_stats.dat you'll see that each stat has an index, thats the index in this array.

 

Car Groups (cargrp.dat):

 

0xC0ED38 : unsigned short PopcycleModels[33][21]

 

 

Edited April 10, 2008 by Sacky

[xmen]

im new to memory address, i wanna know the mean of CPed and NOP(link), i know it might be answered before but im unable to read every post of this topic...

[Sacky]

IMG's

 

0x8E4010 : FILE* fIMGs[32];

 

Yes the pool for IMGs is 32, however the reason it can only load 8-9 is because of this sh*t code here:

0x1564A94

 

To surpass this limit I reckon a small recode is in order (apart from reallocating the array)

 

Loop:

[0x1564A94] mov eax,ds:ImgPool[esi*4]

[0x1564A9B] inc esi 0x46

[0x1564A9C] test eax,eax 0x85 0xC0

[0x1564A9E] jnz Loop 0x75 0xF4

[0x1564A95] jmp Found 0xE9 0x97 0x00 0x00 0x00

Found:

[jacob.]

 

im new to memory address, i wanna know the mean of CPed and NOP(link), i know it might be answered before but im unable to read every post of this topic...

CPed is Rockstar's internal class name definition for a playerped/actor. There are numerous examples in this topic as to how to obtain a specific CPed object's location in memory.

 

NOP is an instruction in assembly meaning 'no-operation', i.e. do nothing. It is represented by the 0x90 identifier. When someone says to NOP a specific address with X number of bytes, they are saying to write a binary array of 0x90's with X elements to the address, telling the game to execute nothing as opposed to whatever instructions were previously at that address.

[xmen]

 

telling the game to execute nothing

something like putting '#' in the starting of line in IPL or IDE etc, but what if my value is 144, eg. i want to teleport CJ to 144, 144, 144 then i think game will crash or it wont teleport, or any other ??

 

and thanks for explaination

[jacob.]

 

telling the game to execute nothing

something like putting '#' in the starting of line in IPL or IDE etc, but what if my value is 144, eg. i want to teleport CJ to 144, 144, 144 then i think game will crash or it wont teleport, or any other ??

 

and thanks for explaination

I don't think you quite understand. Putting a '#' in the starting line of Rockstar's text-editable files simply tells the internal parsing routine to skip passed the line, you aren't modifying the actual course of code execution.

 

Also, I don't know what you mean by 'what if my value is 144' because you aren't specifying what the value applies to. NOP is a term used by reverse engineers and people that write programs in low-level assembly, if you want to further familiarize yourself with this concept then go download a disassembler or debugger and start messing around with executables.

[xmen]

 

I don't know what you mean by 'what if my value is 144'

you said "When someone says to NOP a specific address with X number of bytes, they are saying to write a binary array of 0x90's with X elements to the address"

i wanna know what if my value is 144 (ie. 0x90), then it will be NOP instead of my value, its making me confuse but i hope it wont confuse any more

 

 

 

if you want to further familiarize yourself with this concept then go download a disassembler or debugger and start messing around with executables

yeah i downloaded, but it quite bounced over the mind xD i just use Tsearch...

[jacob.]

 

I don't know what you mean by 'what if my value is 144'

you said "When someone says to NOP a specific address with X number of bytes, they are saying to write a binary array of 0x90's with X elements to the address"

i wanna know what if my value is 144 (ie. 0x90), then it will be NOP instead of my value, its making me confuse but i hope it wont confuse any more

Ah, I see what you're asking now. Just because you have a value of 144 somewhere doesn't mean the game will stop executing things You have to write 0x90 into very specific locations in the game's memory, where instructions are executed. There are plenty of areas in memory where no instructions lie, i.e. variables and structs etc.

Edited April 14, 2008 by jacob.

[xmen]

I don't know what you mean by 'what if my value is 144'

you said "When someone says to NOP a specific address with X number of bytes, they are saying to write a binary array of 0x90's with X elements to the address"

i wanna know what if my value is 144 (ie. 0x90), then it will be NOP instead of my value, its making me confuse but i hope it wont confuse any more

Ah, I see what you're asking now. Just because you have a value of 144 somewhere doesn't mean the game will stop executing things You have to write 0x90 into very specific locations in the game's memory, where instructions are executed. There are plenty of areas in memory where no instructions lie, i.e. variables and structs etc.

thats good now