Documenting GTA-SA memory addresses


As I mentioned a few posts ago, there are 50 garages in the game (at least at the standard scm). The Garage Blocks are 212 bytes, starting at the following memory addresses:

 

0x96C048 Commerce Region, Loading Bay Garage

0x96C120 Unknown Garage

0x96C1F8 Unknown Garage near El Corona

0x96C2D0 Eight Ball Autos near El Corona

0x96C3A8 Unknown Garage near El Corona

0x96C480 Player Garage: El Corona

0x96C558 Unknown Garage near Playa del Seville

0x96C630 LowRider Tuning Garage in Willowfield

0x96C708 Pay'n Spray in Idlewood

0x96C7E0 Player Garage: Johnson House

0x96C8B8 Pay'n Spray in Temple

0x96C990 Transfender in Temple

0x96CA68 Pay'n Spray in Santa Maria Beach

0x96CB40 Player Garage: Santa Maria Beach

0x96CC18 Player Garage: Mulholland

0x96CCF0 Wheel Archangels in Ocean Flats

0x96CDC8 Unknown Garage in Ocean Flats

0x96CEA0 Player Garage: Hashbury

0x96CF78 Transfender near Wang Cars in Doherty

0x96D050 Pay'n Spray near Wang Cars in Doherty

0x96D128 Unknown Garage, Loading Bay near Doherty

0x96D200 Player Garage: Doherty

0x96D2D8 Unknown Garage in Doherty

0x96D3B0 Unknown Garage in Chinatown

0x96D488 Michelle's Pay'n Spray in Downtown

0x96D560 Player Garage: Calton Heights

0x96D638 Police Garage in Downtown

0x96D710 Pay'n Spray in Juniper Hollow

0x96D7E8 Player Garage: Paradiso

0x96D8C0 Unknown Garage near Emerald Isle

0x96D998 Airport Plane Garage in Las Venturas

0x96DA70 Unknown Garage near Camel's Toe

0x96DB48 Pay'n Spray near Royal Casino

0x96DC20 Transfender in Come-A-Lot

0x96DCF8 Player Garage: Rockshore West

0x96DDD0 Welding Wedding Bomb-workshop in Emerald Isle

0x96DEA8 Pay'n Spray in Redsands East

0x96DF80 Player Garage: Redland West

0x96E058 Player Garage: Prickle Pine

0x96E130 Player Garage: Whitewood Estates

0x96E208 Pay'n Spray in El Quebrados

0x96E2E0 Pay'n Spray in Fort Carson

0x96E3B8 Player Garage: Fort Carson

0x96E490 Player Garage: Verdant Meadows

0x96E568 Unknown Garage in Bone County

0x96E640 Airport Garage in Verdant Meadows

0x96E718 Unknown Garage in Angel Pine

0x96E7F0 Pay'n Spray in Dillimore

0x96E8C8 Player Garage: Palomino Creek

0x96E9A0 Player Garage: Dillimore

 

 

At offset 0x4D (byte) the door status is saved (0:closed / 1:open / 2:opening / 3:closing)

 

Which cars are parked in these garages, and their attributes are saved at another memory location. Each player garage can get up to 4 cars (ie. bikes etc.). Starting at 0x96ABD8 (Johnson House Garage Car 1), in 64 bytes blocks.

 

 

Here are some more offsets to the vehicle blocks, relevant to spawning or teleporting cars/bikes etc.:

 

The locations of the detachable objects are different for cars and bikes.

This is merely because bike object is actually smaller than the car object.

The car object is used for all vehicles (including heli) but the bikes.

 

Offsets for Detachables:

 

+ 1828 CarDetachPosAdr(0)

+ 1872 CarDetachPosAdr(1)

+ 1916 CarDetachPosAdr(2)

+ 1960 CarDetachPosAdr(3)

 

+ 1532 BikeDetachPosAdr(0)

+ 1632 BikeDetachPosAdr(1)

+ 1676 BikeDetachPosAdr(2)

+ 1720 BikeDetachPosAdr(3)

+ 1764 BikeDetachPosAdr(4)

 

 

And the hacking begins...

 

I just have some suggestions for the wiki... I would cross-link it to the VC addresses if there is a directory of them. I would also make a section for limits and how to hack them... quite a few people got confused on what the hacks were for VC... and posting them in a 40-page thread just doesn't really help all that much.

 

So as we get to modding SA, let's post limits here so they can be hacked in a timely manner and so that people can mod the game without having to deal with them for long periods of time.

 


Nice idea, that's why it is a wiki, you can edit with us to make a bigger database

 

 

that is no excuse, there is no problem of posting addresses here, and if you were at that you could post them on gtamemory: http://www.gtaconnection.net/gtamemory/ which was mentioned in vc addresses topic.

 

share your things here, on this forum rather than redirect traffic to your site..

 

It's easier to manage a lot of data about gta games.

The wiki is on my server until the gtanet-wiki is finished, and all data will be transferred to this wiki when it's done, so why not use this wiki already?

 

See steve-m's Post about this ..., btw. I hate flaming!

 

See you,

Here is some good news:

 

The trailer of the tanker is handled the same way as the vehicles. Its pointer gets set at offset:

 

+ 0x4C8

 

to the car object start. When warping a vehicle that has a trailer, we need to warp this 'vehicle' as well. The same pointer is also used when you are towing other vehicles.

Some more information on parking cars in garages:

 

Facts:

Parked Car details in garages are saved in 64 byte blocks.

Except for Johnson House, all garages accept up to 4 vehicles.

Trailer itself counts also as a vehicle.

 

Offsets:

+ 0 X Coord (Float)

+ 4 Y Coord (Float)

+ 8 Z Coord (Float)

+14 BPDPEPFP (Word) coding

+16 Car ID (Word)

+47 Body Color ordinal (Byte)

+48 Stripe Color ordinal (Byte)

+60 Car Angle (Float)

 

Static Mem. Locations for garages:

0x96ABD8 Johnson House Car 1

0x96AC18 Johnson House Car 2

0x96AC58 unknown

0x96AC98 unknown

0x96ACD8 Santa Maria Beach Car 1

0x96AD18 Santa Maria Beach Car 2

0x96AD58 Santa Maria Beach Car 3

0x96AD98 Santa Maria Beach Car 4

0x96ADD8 Rockshore West Car 1

0x96AE18 Rockshore West Car 2

0x96AE58 Rockshore West Car 3

0x96AE98 Rockshore West Car 4

0x96AED8 Fort Carson Car 1

0x96AF18 Fort Carson Car 2

0x96AF58 Fort Carson Car 3

0x96AF98 Fort Carson Car 4

0x96AFD8 Verdant Meadows Car 1

0x96B018 Verdant Meadows Car 2

0x96B058 Verdant Meadows Car 3

0x96B098 Verdant Meadows Car 4

0x96B0D8 Dillimore Car 1

0x96B118 Dillimore Car 2

0x96B158 Dillimore Car 3

0x96B198 Dillimore Car 4

0x96B1D8 Prickle Pine Car 1

0x96B218 Prickle Pine Car 2

0x96B258 Prickle Pine Car 3

0x96B298 Prickle Pine Car 3

0x96B2D8 Whitewood Estates Car 1

0x96B318 Whitewood Estates Car 2

0x96B358 Whitewood Estates Car 3

0x96B398 Whitewood Estates Car 4

0x96B3D8 Palomino Creek Car 1

0x96B418 Palomino Creek Car 2

0x96B458 Palomino Creek Car 3

0x96B498 Palomino Creek Car 4

0x96B4D8 Redlands West Car 1

0x96B518 Redlands West Car 2

0x96B558 Redlands West Car 3

0x96B598 Redlands West Car 4

0x96B5D8 El Corona Car 1

0x96B618 El Corona Car 2

0x96B658 El Corona Car 3

0x96B698 El Corona Car 4

0x96B6D8 Mulholland Car 1

0x96B718 Mulholland Car 2

0x96B758 Mulholland Car 3

0x96B798 Mulholland Car 4

0x96B7D8 location around train station in El Corona

0x96B818 location around johnson house

0x96B858 location around train station in El Corona

0x96B898 unknown

0x96B8D8 location near Xoomer Tank Station

0x96B918 location near Girlfriend Michelle

0x96B958 location near misty's bar in garcia

0x96B998 unknown

0x96B9D8 location near the four dragons casino

0x96BA18 location near the four dragons casino

0x96BA58 location near Caligula's Palace

0x96BA98 unknown

0x96BAD8 Calton Heights Car 1

0x96BB18 Calton Heights Car 2

0x96BB58 Calton Heights Car 3

0x96BB98 Calton Heights Car 4

0x96BBD8 Paradiso Car 1

0x96BC18 Paradiso Car 2

0x96BC58 Paradiso Car 3

0x96BC98 Paradiso Car 4

0x96BCD8 Doherty Car 1

0x96BD18 Doherty Car 2

0x96BD58 Doherty Car 3

0x96BD98 Doherty Car 4

0x96BDD8 Hashbury Car 1

0x96BE18 Hashbury Car 2

0x96BE58 Hashbury Car 3

0x96BE98 Hashbury Car 4

0x96BED8 Verdant Meadows Airport Car 1

0x96BF18 Verdant Meadows Airport Car 2

0x96BF58 Verdant Meadows Airport Car 3

0x96BF98 Verdant Meadows Airport Car 4
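
The parked-car layout described in the post above, as an added example that is not code from the thread: it maps a table index to a slot address and decodes the documented fields of a 64-byte block. Function names, the little-endian unsigned reading of the Word fields and all sample values are assumptions made for the example; the group count of 20 is derived from the 80 listed addresses.

```python
import struct

# Values from the post: first slot address, block size, cars per garage.
PARKED_BASE = 0x96ABD8
PARKED_SIZE = 64
SLOTS_PER_GROUP = 4
GROUP_COUNT = 20          # 80 listed addresses / 4 (derived from the list)


def slot_address(group: int, slot: int) -> int:
    """Address of one parked-car block; group 0 is Johnson House."""
    if not (0 <= group < GROUP_COUNT and 0 <= slot < SLOTS_PER_GROUP):
        raise ValueError("group/slot outside the listed table")
    return PARKED_BASE + (group * SLOTS_PER_GROUP + slot) * PARKED_SIZE


def locate(address: int) -> tuple:
    """Inverse of slot_address(); rejects addresses that are not block starts."""
    index, rest = divmod(address - PARKED_BASE, PARKED_SIZE)
    if rest or not 0 <= index < GROUP_COUNT * SLOTS_PER_GROUP:
        raise ValueError(f"{address:#x} is not the start of a parked-car block")
    return divmod(index, SLOTS_PER_GROUP)


def parse_parked_car(block: bytes) -> dict:
    """Decode the documented fields of one 64-byte block (little-endian x86)."""
    if len(block) != PARKED_SIZE:
        raise ValueError(f"expected {PARKED_SIZE} bytes, got {len(block)}")
    x, y, z = struct.unpack_from("<3f", block, 0)
    coding, car_id = struct.unpack_from("<2H", block, 14)
    body, stripe = struct.unpack_from("<2B", block, 47)
    (angle,) = struct.unpack_from("<f", block, 60)
    return {"x": x, "y": y, "z": z, "coding": coding, "car_id": car_id,
            "body_color": body, "stripe_color": stripe, "angle": angle}


def parse_region(region: bytes, base: int = PARKED_BASE) -> list:
    """Split a snapshot of consecutive blocks into (address, record) pairs."""
    if len(region) % PARKED_SIZE:
        raise ValueError("region length is not a multiple of the block size")
    return [(base + off, parse_parked_car(region[off:off + PARKED_SIZE]))
            for off in range(0, len(region), PARKED_SIZE)]


def build_sample(car_id: int, angle: float) -> bytes:
    """Constructed test block; every value here is made up for the example."""
    buf = bytearray(PARKED_SIZE)
    struct.pack_into("<3f", buf, 0, 2505.5, -1690.25, 13.5)
    struct.pack_into("<2H", buf, 14, 0x0005, car_id)
    struct.pack_into("<2B", buf, 47, 3, 1)
    struct.pack_into("<f", buf, 60, angle)
    return bytes(buf)


if __name__ == "__main__":
    snapshot = build_sample(429, 90.0) + build_sample(522, 180.0)
    for address, record in parse_region(snapshot):
        print(f"{address:#x} group/slot={locate(address)} {record}")
```
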

 

 

hi @all,

 

this is my first try to create a trainer.

 

I use Trainer Maker Kit and Game Trainer Studio.

 

I want to edit the wanted level.

 

Add WORD B7CE50 1000 to add 1000$ works fine!

 

What is the Value for Wanted Level???

 

 

 

Please help me!!!

 

And sorry for my very bad english!!!

kara2005, be careful with the 0xB7CE50. The value is a DWord, not a Word.

 

Also the wanted level is not at one static mem. location, but is a pointer to a wanted object on the player object. So you cannot add 1 to increase the wanted level.

Spiralvortex
Some more information on parking cars in garages:

 

Facts:

Except for Johnson House, all garages accept up to 4 vehicles.

 

Static Mem. Locations for garages:

0x96ABD8 Johnson House Car 1

0x96AC18 Johnson House Car 2

0x96AC58 unknown

0x96AC98 unknown

I think those two unknowns are for the Johnson House. The garage itself can store 4 cars (if you do it right)

Here are some screenshots:

4 Cars Fine:

user posted image

4 Cars after blowing them up and then the magic garage repairing them:

user posted image

as you can see bits of the blown up banshee around and the fire still remains from the earlier explosion.

The 4 cars also save with the game fine.

 

[20:16:19] [@spookie] 0xBA18FC = current vehicle ptr when in a vehicle, 0 while on foot

[20:16:32] [@Luke] nICE

[20:16:50] [@spookie] oLD SCHooL LuKe

[20:17:08] [@Luke] l4h, I'm l33t

 

0xBA18FC = current vehicle ptr when in a vehicle, 0 while on foot

 

The car pointer addr posted on the first page didn't always point to the current vehicle, and was probably the CCamera target entity.

Does anyone know how to get the pointer of the first vehicle created? That way I can easily get the pointers of all other cars created afterwards by adding (index * carblocksize).. but first I must find the base vehicle pointer, aka the pointer of the very first car.

 

Anyone know?


gta-vc had an entity list table that contained all cars and peds in a simple array of pointers

try finding one for san andreas.

 

There are 3 values for money - B7CE50 gives the actual money, B7CE54 gives the number that is being displayed as the current money at any given instant, and the amount of money that is used to calculate the criminal rating is at BAA430. All of the above are 4-byte integers.

Here is a detailed explanation on car placement and rotation:

 

1. All read values are Floats, unless otherwise stated.

2. The mem. addresses are not static, but a pre-calculated example showing the offsets.

3. Offsets are decimal

 

Let's say, a given Car Object Starts at C502AA0:

Address Offset Description

0xC502AB4 20 Ptr to Car Position (DWord)

0xC502AE4 68 X (East-West) speed

0xC502AE8 72 Y (North-South) speed

0xC502AEC 76 Z (up-down) speed

0xC502AF0 80 X (NS) Spin

0xC502AF4 84 Y (EW) Spin

0xC502AF8 88 Z (NW) Spin

 

Let's say, the Car Position of this given car starts at C5F5DB4:

0xC5F5DB4 0 X Level to the ground

0xC5F5DB8 4 Y Level to the ground

0xC5F5DBC 8 Z Level to the ground

0xC5F5DC4 16 X Where am I looking

0xC5F5DC8 20 Y Where am I looking

0xC5F5DCC 24 Z Where am I looking

0xC5F5DD4 32 dyn flight data

0xC5F5DD8 36 dyn flight data

0xC5F5DDC 40 dyn flight data

0xC5F5DE4 48 CarPosX

0xC5F5DE8 52 CarPosY

0xC5F5DEC 56 CarPosZ

 

The location, speed and spin matrices are in constant change, due to wind etc. The car does not actually stand still if a ped is in. If you check these values for a parked car, you will see that the changes are much smaller than if a ped/player is in.

 

happy hacking,

Alper

Edited by saracoglu

Posting on behalf of [KFC]Nutz. This was originally posted in GTASA:Gen Chat, but due to it directly referencing a warez release name it was binned.

 

Nutz] Is there a mod or trainer that removes/adjusts the altitude limit?

 

I know you can increase thrust on helo's but that makes them hard to control below the limit.

 

Edit: Yes I found it!

 

The thrust cutoff altitude for helos and planes is 800m and is stored as a floating point constant. It's located at offset 4594DC in the US exe. For other exe's just search for the first occurrence of "00 00 48 44" in your hex editor.

 

I changed it to 00 50 C3 47 (100,000m) and can now fly as high as I want.

 

This does not change the altimeter, which still reads in two scales, 0-200m and 0-1000m

(when above 200m).

 

I haven't yet found the location of the 200m or 1000m altimeter constants or the point at which the annoying clouds appear (about 210m).

 

Note: this does not affect the jetpack!

 

And, yes, I've invited him to this topic.

I have just released the beta version of my GTA SA Admin Console with all the memory locations I have been able to locate myself, and locations that you have located.

 

Please feel free to try and use the console. Here is the link to the GTAForums Thread.

 

happy playing,

 

Alper

 

 

CPed + 0x530 - State (1, not driving, 50 driving)

CPed + 0x534 - Runningstate (0, while driving, 1 standing still, 4 start to run, 6 running, 7 running fast (e.g. pressed run-key))

 

Please don't forget to add your addresses also to the gtadb (this fetched data will be transferred into an official gtanet-wiki, when this is done)

GTADB : gtadb.tk

 

See you,

DracoBlue

perhaps somebody is already aware of this, perhaps not, but I can safely say that there is no constant of height for the jetpack. Having just tried reaching maximum height from sea level, I was able to raise myself to about 150m (according to the meter) and I then proceeded to fly onto the top of a building close to my maximum, when I did so, I was then able to raise myself higher and caused the bar to go into the second "segment" and raised myself to about 300 feet... so the maximum height I am guessing is a result of adding (perhaps multiplying, doubtful) a certain value onto the elevation of the ground below you, thus interiors don't get classified as measurable elevation.

There is a maximum height for aircraft, however. It is located in memory at 0x8594DC and I found that you have to hardmod it. Softmodding causes it to instantly return to 800, the original value.

mattyboy_96

I've been fiddling with some addys to do with the player's rotation (DWORD(plr+14) + 0x0 to 0x2C) and they seem to be read only. All of these are floats. So there are 11 4-bit values and when on foot a lot equal 0, however the 1st, 2nd, 5th and 6th represent the player's direction. The 1st and 6th values represent the X component of the player's direction and the 2nd and 4th values represent the Y component (however one of these values is always positive and one is always negative). The angle between 1 & 2 gives an acceptable z rotation and (kinda obviously) the angle between 5 and 6 gives the same result as that between 1 & 2 but negated.

 

I've searched for other rotation values that aren't read only but to no avail. Anyone know of such values?

 

the direction matrices are a bit tricky. Each XYZ set gives you a vector. The three vectors make up a 3D coordinate system that the player is at the center of. Here are the functions that I use when calculating the position, rotation, and the absolute angle where the player (and also the car) looks at:

 

 

Function GetAbsoluteDegrees(ByVal sngXGrad As Single, ByVal sngYGrad As Single) As Single
On Error Resume Next
   'Zero Points:                   Normalization:
   ' 0  1 180°                     + +  180 - ArcSin(X°)
   ' 1  0  90°                     + -  ArcSin(X°)
   ' 0 -1   0°                     - +  180 - ArcSin(X°)
   '-1  0 270°                     - -  360 + ArcSin(X°)
   '!!Division by Zero happens when sngXGrad=-1 (at this time sngYGrad is somewhere around zero, but not always equal to zero)
   Select Case TrueBool
       Case sngXGrad = -1 ' And sngYGrad = 0 '-0 0 270° OK (Division by Zero happens when sngXGrad=-1 )
           GetAbsoluteDegrees = 270
       Case sngXGrad = 0 And sngYGrad > 0 '0 1 180° OK
           GetAbsoluteDegrees = 180
       Case sngXGrad = 0 And sngYGrad < 0 '0 -1 0° NullPoint OK
           GetAbsoluteDegrees = 0
       Case sngXGrad = 1                  '1 0 90° OK
           GetAbsoluteDegrees = 90
       Case sngXGrad > 0 And sngYGrad > 0 '++ OK
           GetAbsoluteDegrees = 180 - Atn(sngXGrad / Sqr((0 - sngXGrad) * sngXGrad + 1)) * 180 / mathPI
       Case sngXGrad > 0 And sngYGrad < 0 '+- OK
           GetAbsoluteDegrees = Atn(sngXGrad / Sqr((0 - sngXGrad) * sngXGrad + 1)) * 180 / mathPI
       Case sngXGrad < 0 And sngYGrad > 0 '-+ OK
           GetAbsoluteDegrees = 180 - Atn(sngXGrad / Sqr((0 - sngXGrad) * sngXGrad + 1)) * 180 / mathPI
       Case sngXGrad < 0 And sngYGrad < 0 '-- OK
           GetAbsoluteDegrees = 360 + Atn(sngXGrad / Sqr((0 - sngXGrad) * sngXGrad + 1)) * 180 / mathPI
   End Select
   Err.Clear
End Function

Function GetDegrees(ByVal sngGrad As Single) As Single
On Error Resume Next
   'Zero Points:
   ' 0  0°
   ' 1  90°
   Select Case TrueBool
       Case sngGrad = 0
           GetDegrees = 0
       Case sngGrad = 1
           GetDegrees = 90
       Case sngGrad = -1
           GetDegrees = 270
       Case Else
           GetDegrees = Atn(sngGrad / Sqr((0 - sngGrad) * sngGrad + 1)) * 180 / mathPI
   End Select
   Err.Clear
End Function

Function GetGrad(ByVal sngDegrees As Single) As Single
On Error Resume Next
   GetGrad = Sin(sngDegrees * mathPI / 180)
   Err.Clear
End Function

 

 

TrueBool is a boolean constant that has the value 'True'

mathPI is float constant with the value of PI

 

The Y degrees is always X-90 (that is why one of them is positive when the other is negative)

The Z for player is almost always constant (he is standing on feet). It changes accordingly for example when you jump off a plane.

 

Let me also know if there is a better way to calculate the vectors
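
On the closing question of the post above, an added example that is not code from the thread: the four quadrant branches of GetAbsoluteDegrees collapse into a single two-argument arctangent, which has no division by zero and does not need the vector to have length 1. The Python port of the posted branches and all function names are assumptions made for the comparison; inputs are taken to be the X and Y components of one direction vector.

```python
import math


def heading_arcsin(x: float, y: float) -> float:
    """Python port of the GetAbsoluteDegrees branches posted above."""
    if abs(x) > 1:            # Sqr() of a negative: VB error is swallowed, result 0
        return 0.0
    if x == -1:
        return 270.0
    if x == 0 and y > 0:
        return 180.0
    if x == 0 and y < 0:
        return 0.0
    if x == 1:
        return 90.0
    asin_deg = math.degrees(math.asin(x))   # Atn(x / Sqr(1 - x*x)) in the VB code
    if y > 0:
        return 180.0 - asin_deg
    if y < 0:
        return asin_deg if x > 0 else 360.0 + asin_deg
    return 0.0                # no Case matches (y == 0): VB returns the default 0


def heading_atan2(x: float, y: float) -> float:
    """Same convention (0 deg at (0,-1), 90 deg at (1,0)) for any vector length."""
    if x == 0 and y == 0:
        raise ValueError("zero vector has no heading")
    deg = math.degrees(math.atan2(x, -y)) % 360.0
    return 0.0 if deg >= 360.0 else deg


def unit_vector(deg: float) -> tuple:
    """(x, y) that both functions map back to deg; used to build test input."""
    rad = math.radians(deg)
    return math.sin(rad), -math.cos(rad)


def max_disagreement(scale: float = 1.0, step: int = 15) -> float:
    """Largest angular difference between the two functions over a full turn."""
    worst = 0.0
    for deg in range(0, 360, step):
        x, y = unit_vector(deg)
        a = heading_arcsin(x * scale, y * scale)
        b = heading_atan2(x * scale, y * scale)
        diff = abs(a - b) % 360.0
        worst = max(worst, min(diff, 360.0 - diff))
    return worst


if __name__ == "__main__":
    print("unit vectors, max difference:", max_disagreement(1.0))
    print("half-length vectors, max difference:", max_disagreement(0.5))
```

On unit vectors the two functions agree; once the vector is shorter than 1 (constructed here by scaling), only the arctangent form still returns the original angle.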

 

mattyboy_96

how can i find an actor?

my scm simply loads the player and other necessary things. then loads one actor.

how can i find the start of the block of memory for the actor in memory?

i have found it but... it changes every time you restart SA.

 

124712392 (0x76EF5C8)

 

124843464 (0x770F5C8)

 

155645384 (0x946F5C8)

 

These were the three values i found (pointers to the actor structure, not the start of the structure itself)

as you can see they all end in F5C8. maybe this has something to do with anything, maybe it doesn't. Regardless i would really appreciate help with this coz i'm lost...

Each CPed block is 1988 bytes long, simply add 1988 to the player pointer and you've reached the end of the first player and the beginning of the first actor created afterwards.

 

gamegetactor = player + (1988 * actorindex)

Update for PedState and PedRunningstate at GTADB.tk

 

# CPed + 0x530 State (dword)

 

* 0 - Leaving a car, falling down from a bike or something like this.

* 1 - Normal case

* 50 - Driving

* 63 - Busted

* 12 - Targeting (hmm problem, if I get into 12, it doesn't change back?)

 

# CPed + 0x534 - Runningstate

 

* 0 - while driving,

* 1 - standing still

* 4 - start to run

* 6 - running

* 7 - running fast (e.g. pressed run-key)

 

Someone know what's the problem with 12 in CPed.State ?

 

See you, DracoBlue

 

 

Each CPed block is 1988 bytes long, simply add 1988 to the player pointer and you've reached the end of the first player and the beginning of the first actor created afterwards.

Jacob, cheers for that, i got it to work now. i kept moving houses, trees, lightpoles... it was really starting to annoy me.

But remember, if you die once, your playeraddress won't be the first anymore.

 

I recommend to save this var once you got it.

 

See you, DracoBlue

An addition to wheels shot status.

 

The wheels shot information for bikes is at a different offset than for the cars.

 

CarObjectStart + 0x65E (Byte) front wheel: 0 if OK, 1 if shot

CarObjectStart + 0x65F (Byte) rear wheel: 0 if OK, 1 if shot

 

I think you cannot actually shoot the wheels of bmx. but if you set the value 1 at above offsets, it rides as if the wheels were shot.

 

Also, the offset

CarObjectStart + 0x6C8 (Byte) is the bike identifier. Gets set to 1 if this vehicle is a bike (or bmx).

 

There is also a flag for placing a car-bomb:

CarObjectStart + 0x4A8 (Byte)

values:

0 = no bomb

1 = car has bomb, but not armed

you can set the above values to 0 and 1 to give the car a bomb.

 

4 = car has bomb, and is armed. Some other flags get set when you arm the bomb. so if you set this value to 4, or actually arm the bomb thru normal gameplay, it does not help to change this value back.

 

Alper

 

 
