
Documenting GTA-SA memory addresses



Here is an offset for CPed to turn the ped to a given direction (setting the rotation matrix is not enough).

 

CPed+0x558 (DWord)

 

The value is actually 4 bytes, each byte representing a vector. I do not know how the values should be set if you want to turn the player, say, 30 degrees to the right.

 

I use constants that represent the value of this offset when the player is looking North, North-East, East, ... and write them back to memory when the player should turn (look) to a given direction.

 

 

Stretchnutter

 

Quote: "CPed+0x558 (DWord)"

It's a float! It's called a Single in VB.

NOT a DWORD (Long), because it has a decimal point!

 

 

It's in radians; I found it yesterday but didn't bother to post.

(180 / PI) = 57.2957795130823

rotz * (180 / PI) + 180 = degrees (0-360)

(PI / 180) = 0.017453292519943295769236907684886

(inDeg - 180) * (PI / 180) = outRad

 

 

There is also a read-only copy at 0x55C.

 

+0x504 [word] = muzzle flash intensity 0 to 10000, 65536 = OFF

I should use this for my force feedback mod.

 

+0x598 [byte] = Player lock - set to 1 to lock player controls (can't move)
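Added example, not Stretchnutter's code: reading CPed+0x558 as the float it is, converting with the formulas in the post, and computing a turned heading to write back. It assumes only what the post states (a 4-byte IEEE-754 float holding radians, and degrees = rotz * (180 / PI) + 180); the raw values fed in are constructed test inputs, not bytes captured from the game, and which way a positive delta turns the ped is left open because the thread does not say.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not Stretchnutter's code. It assumes only what the post
 * states: CPed+0x558 is a 4-byte IEEE-754 float holding the heading in
 * radians, and degrees = rotz * (180 / PI) + 180. Every raw value fed in
 * below is a constructed test input, not bytes captured from the game. */

static const double PI = 3.14159265358979323846;

static double absd(double x) { return x < 0.0 ? -x : x; }

/* The dword a memory scanner shows at +0x558 is the float's bit pattern.
 * memcpy is the portable way to reinterpret it (no pointer punning). */
static float heading_raw_to_float(uint32_t raw)
{
    float f;
    memcpy(&f, &raw, sizeof f);
    return f;
}

static uint32_t heading_float_to_raw(float f)
{
    uint32_t raw;
    memcpy(&raw, &f, sizeof raw);
    return raw;
}

/* Stored radians -> compass degrees in [0, 360): the post's formula, then a
 * wrap so that -PI/2 gives 90 and +PI gives 0 rather than 360. */
static double heading_deg_from_rad(float rotz)
{
    double deg = rotz * (180.0 / PI) + 180.0;
    while (deg >= 360.0) deg -= 360.0;
    while (deg < 0.0) deg += 360.0;
    return deg;
}

/* Inverse: degrees -> the radians value to write back. */
static float heading_rad_from_deg(double deg)
{
    return (float)((deg - 180.0) * (PI / 180.0));
}

/* Turn by delta_deg from the current raw dword and return the raw dword to
 * write back. Which way a positive delta turns the ped is the game's
 * convention, which the thread does not pin down. */
static uint32_t heading_turn(uint32_t raw, double delta_deg)
{
    double deg = heading_deg_from_rad(heading_raw_to_float(raw));
    return heading_float_to_raw(heading_rad_from_deg(deg + delta_deg));
}
```

A trainer reads the dword at CPed+0x558, passes it through heading_turn(), and writes the result back; treating the same bytes as an integer (as a scanner does by default) gives numbers like 0x40490FDB that look like four separate byte fields but are just the bit pattern of 3.14159.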

 

 

 

There is a maximum height for aircraft, however. It is located in memory at 0x8594DC and I found that you have to hardmod it. Softmodding causes it to instantly return to 800, the original value.

 

That's impossible. The memory is probably protected; if you are using TSearch, type 0x00s over the address in the hex editor window, then you can change the number in the cheat list.

 

If you are writing a trainer, consider looking at the VirtualProtect() API.

Edited by Stretchnutter
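Added example, not Stretchnutter's code: the VirtualProtect() pattern the reply points at, done in-process. On Windows it uses VirtualAlloc/VirtualProtect, elsewhere mmap/mprotect, so it runs on either. Nothing here touches the game or the address 0x8594DC from the thread; the "protected constant" is a read-only page the program allocates itself (constructed test data). This only helps when the write itself is what fails; a value that game code rewrites every frame needs that code patched instead.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#endif

/* Added example, not Stretchnutter's code. Lift the page protection, write
 * the float, put the protection back. The target page is allocated by this
 * program (constructed); the game's 0x8594DC is never touched. */

static size_t page_size(void)
{
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    return si.dwPageSize;
#else
    return (size_t)sysconf(_SC_PAGESIZE);
#endif
}

/* Temporarily make the page holding addr writable and store value there.
 * Returns 0 on success, -1 if the protection change fails. From an external
 * trainer the equivalent is VirtualProtectEx + WriteProcessMemory on the
 * game's process handle. */
static int patch_float(void *addr, float value)
{
    size_t page = page_size();
    void *base = (void *)((uintptr_t)addr & ~(uintptr_t)(page - 1));
#ifdef _WIN32
    DWORD old, unused;
    if (!VirtualProtect(base, page, PAGE_READWRITE, &old))
        return -1;
    memcpy(addr, &value, sizeof value);
    VirtualProtect(base, page, old, &unused);        /* restore */
#else
    if (mprotect(base, page, PROT_READ | PROT_WRITE) != 0)
        return -1;
    memcpy(addr, &value, sizeof value);
    mprotect(base, page, PROT_READ);                 /* restore read-only */
#endif
    return 0;
}

/* One read-only page holding a float: a stand-in for the game's constant.
 * Returns NULL if allocation fails. */
static float *alloc_readonly_float(float initial)
{
    size_t page = page_size();
#ifdef _WIN32
    float *p = (float *)VirtualAlloc(NULL, page, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!p)
        return NULL;
    *p = initial;
    DWORD old;
    VirtualProtect(p, page, PAGE_READONLY, &old);
#else
    float *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    *p = initial;
    mprotect(p, page, PROT_READ);
#endif
    return p;
}

/* Run the whole sequence and return the value read back afterwards, or -1 on
 * failure. The page is still readable after the restore, so the read is safe;
 * a plain "*target = 3000.0f" without patch_float() would fault. */
static float demo_patch(void)
{
    float *target = alloc_readonly_float(800.0f);   /* constructed stand-in */
    if (!target)
        return -1.0f;
    if (patch_float(target, 3000.0f) != 0)
        return -1.0f;
    return *target;
}
```

The protection is restored after the write on purpose: leaving game pages writable longer than needed widens what any later bug in the trainer (or the game) can corrupt.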

 

CarObjectStart + 0x65E (Byte) front wheel: 0 if OK, 1 if shot

CarObjectStart + 0x65F (Byte) rear wheel: 0 if OK, 1 if shot

CarObjectStart + 0x6C8 (Byte) is the bike identifier. Gets set to 1 if this vehicle is a bike (or bmx).

 

These addresses don't seem to work in my version (with no-DVD patch)...

 

I did discover CarObjectStart + 0x6AF (Byte?) seems to be the current terrain type. 1 is road, and there are quite a few grass-types etc. There's also a copy of this value in +0x6DB.

 

 

By the way, I'm new to this board, hi.

 

 

EDIT:

Wheel offsets are 2 bytes below your offsets in my version.

This doesn't work for the bike identifier, still searching...

 

EDIT 2:

Bike identifier seems to be in +0x5C8, but I've seen it changing to zero for a second sometimes during driving.

Edited by copini

Well, I found the following using ArtMoney.

 

 

A timer that counts up when doing a mission, for example in flight school, timing how long the flight test takes.

 

00A49D54 [integer, 4 bytes] The number stored is the time in milliseconds (1 second = 1000 milliseconds).

 

Please note that this address is from a no-DVD exe.

 

 

 

 

 

I don't know if the following is read-only or not; haven't tested.

 

CPed

+1247 - current animation play-state (61 starting/stopping, 62 looping, 0 nothing)

+1135 - crouch state (132 crouching, 128 not crouching)

+1133 - jump state (34 in air, 36 landing, 32 landed/idle)

+348 - some anim states (205 run, 154 sprint, 102 stopped, 0 landing from jump, 61 punching)

In OllyDbg (game not running):

 

Text strings referenced in gta_sa:.text, item 16945

Address=008D59B8

Disassembly=ASCII "MAIN EVENT TONIG"

 

(beginning of bloodring sign)

 

008D59B8  . 4D 41 49 4E 20>ASCII "MAIN EVENT TONIG"

008D59C8  . 48 54 3A 20 43>ASCII "HT: CAR RACING ."

008D59D8  . 20 2E 20 2E 20>ASCII " . .  ",0

008D59E0  . 46 4F 52 20 54>ASCII "FOR TICKETS TO T"

008D59F0  . 48 45 20 48 4F>ASCII "HE HOT RING EVEN"

008D5A00  . 54 20 43 41 4C>ASCII "T CALL 555-3764 "

008D5A10  . 2E 20 2E 20 2E>ASCII ". . .  ",0

008D5A19    00            DB 00

008D5A1A    00            DB 00

008D5A1B    00            DB 00

008D5A1C  . 4D 41 49 4E 20>ASCII "MAIN EVENT TONIG"

008D5A2C  . 48 54 3A 20 44>ASCII "HT: DESTRUCTION "

008D5A3C  . 44 45 52 42 59>ASCII "DERBY . . .  ",0

008D5A4B    00            DB 00

008D5A4C  . 46 4F 52 20 54>ASCII "FOR TICKETS TO T"

008D5A5C  . 48 45 20 42 4C>ASCII "HE BLOOD RING EV"

008D5A6C  . 45 4E 54 20 43>ASCII "ENT CALL 555-376"

008D5A7C  . 35 20 2E 20 2E>ASCII "5 . . .  ",0

008D5A87    00            DB 00

008D5A88  . 4D 41 49 4E 20>ASCII "MAIN EVENT TONIG"

008D5A98  . 48 54 3A 20 42>ASCII "HT: BIKE RACING "

008D5AA8  . 2E 20 2E 20 2E>ASCII ". . .  ",0

008D5AB1    00            DB 00

008D5AB2    00            DB 00

008D5AB3    00            DB 00

008D5AB4  . 46 4F 52 20 54>ASCII "FOR TICKETS TO T"

008D5AC4  . 48 45 20 44 49>ASCII "HE DIRT RING EVE"

008D5AD4  . 4E 54 20 43 41>ASCII "NT CALL 555-3766"

008D5AE4  . 20 2E 20 2E 20>ASCII " . . .  ",0

008D5AEE    00            DB 00

008D5AEF    00            DB 00

008D5AF0  . 48 59 4D 41 4E>ASCII "HYMAN MEMORIAL S"

008D5B00  . 54 41 44 49 55>ASCII "TADIUM. HOME TO "

008D5B10  . 53 4F 4D 45 20>ASCII "SOME OF THE BIGG"

008D5B20  . 45 53 54 20 45>ASCII "EST EVENTS OF TH"

008D5B30  . 45 20 57 45 53>ASCII "E WESTERN HEMISP"

008D5B40  . 48 45 52 45 2E>ASCII "HERE. ALSO AVAIL"

008D5B50  . 41 42 4C 45 20>ASCII "ABLE FOR CHILDRE"

008D5B60  . 4E 20 50 41 52>ASCII "N PARTIES. . . ",0

008D5B70  . 54 48 45 20 54>ASCII "THE TIME IS 12:3"

008D5B80  . 34 20 20 20 20>ASCII "4    ",0

 

Some findings by me:

 

CPed + 0x544 = [float] Max health

CPed + 0x548 = [float] Armor

 

CPed + 0x5D8 = [dword] Pistol weapon type (9mm, silenced 9mm, desert eagle = 24)

CPed + 0x5DC = [dword] Pistol state

CPed + 0x5E0 = [dword] Pistol ammo in clip

CPed + 0x5E4 = [dword] Pistol total ammo (including clip)

CPed + 0x5E8 = [float] Unknown, increases each time you fire your weapon

CPed + 0x5EC = Unknown, is 0 for me

CPed + 0x5F0 = Unknown, is 0 for me, the game freezes when you change it to 1

 

CPed + 0x5F4 = [dword] Shotgun weapon type (26 = sawn-off)

CPed + 0x5F8 = [dword] Shotgun state (1 = firing? 2 = reloading)

CPed + 0x5FC = [dword] Shotgun ammo in clip

CPed + 0x600 = [dword] Shotgun total ammo (including clip)

CPed + 0x604 = [float] Unknown, increases each time you fire your weapon, 0 when weapon not active?

CPed + 0x608 = Unknown, is 0 for me

CPed + 0x60C = Unknown, is 0 for me

 

The list could just go on for each weapon type. Assault, SMG, Rocket launcher(s) etc etc.

My first post in a long time.

Quote: [the CPed + 0x5D8 .. CPed + 0x60C pistol and shotgun list above]

Yeah, it's easy to find out all the data for each weapon.

 

CPed + 0x5A0 = Start of weapon data. Each slot has 28 bytes.

 

So based on your findings:

 

Weapon

+00 - type

+04 - state

+08 - ammo in clip

+12 - total ammo remaining

+16 - unknown, adds on bullet fire

Quote: [the Weapon +00 .. +16 layout above]

It's probably easier to sum it all up the way you just did.

 

But from what I can tell each weapon slot is reserved for a special weapon type.

For example, you can't change weapon type from an SMG to a shotgun type.

Not when I tried at least.

mattyboy_96

Here's some stuff I found out about the weapon structure in memory.

 

Overview of weapon structure (all offsets are decimal):

Weapon structure starts at CPed + 1440.

Each weapon slot contains data about its corresponding weapon and is 28 bytes long.

Slot Start = CPed + 1440 + (28 * Slot)

 

 

e.g. Slot 3 (Shotguns) = CPed + 1440 + (28 * 3) = CPed + 1524

 

 

The Weapon Slot Structure:

+00 - [long] type (see below)

+04 - [long] state (0 - idle, 1 - firing, 2 - reloading)

+08 - [long] ammo in clip

+12 - [long] total ammo remaining (all ammo, including that in clip)

+16 - [long] unknown, adds on bullet fire, also adds on reload

+20 - [long] goggle mode (0 - off, 256 - on)

+24 - [long] not sure, to do with slot 9 weapons, filled with a non-zero value while firing

 

(Sorry, for those that don't use VB: a Long is a DWORD.)

 

Weapon types:

 

Slot0: No Weapon

0 - Fist

1 - Brass Knuckles

 

Slot1: Melee

2 - Golf Club --not tested

3 - Nightstick

4 - Knife

5 - Baseball Bat

6 - Shovel --not tested

7 - Pool Cue --not tested

8 - Katana

9 - Chainsaw

 

Slot2: Handguns

22 - Pistol

23 - Silenced Pistol

24 - Desert Eagle

 

Slot3: Shotguns

25 - Shotgun

26 - Sawn-Off Shotgun

27 - SPAZ12

 

Slot4: Sub-Machineguns

28 - Micro UZI

29 - MP5

32 - Tech9

 

Slot5: Machineguns

30 - AK47

31 - M4

 

Slot6: Rifles

33 - Country Rifle

34 - Sniper Rifle

 

Slot7: Heavy Weapons

35 - Rocket Launcher

36 - Heat Seeking RPG

37 - Flame Thrower

38 - Minigun

 

Slot8: Projectiles

16 - Grenade

18 - Molotov Cocktail

39 - Remote Explosives

 

Slot9: Special1

41 - Spray Can

42 - Fire Extinguisher

43 - Camera

 

Slot10: Gifts

14 - Flowers

 

Slot11: Special2

44 - NV Goggles

45 - IR Goggles

46 - Parachute

 

Slot12: Detonators?

40 - Detonator(for remote explosives)
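Added example, not mattyboy_96's code: a parser for the weapon array as his post lays it out, reading it from a byte buffer such as a trainer gets back from ReadProcessMemory, with bounds checks and a sanity check that the type in each slot is one the post lists for that slot (a cheap way to notice a wrong base pointer or a different exe version, the problem copini ran into earlier in the thread). The CPed bytes are constructed inside make_sample_cped(), not a real dump. One assumption beyond the post: an unused slot reads as type 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not mattyboy_96's code. It encodes the layout his post
 * describes (weapon array at CPed + 1440 = 0x5A0, thirteen 28-byte slots,
 * dword fields at +0/+4/+8/+12/+16/+20/+24) and parses it from a byte buffer
 * such as a trainer gets back from ReadProcessMemory. The CPed bytes are
 * constructed in make_sample_cped(), not a real dump. One assumption beyond
 * the post: an unused slot reads as type 0. */

#define CPED_WEAPON_BASE 1440u
#define WEAPON_SLOT_SIZE 28u
#define WEAPON_SLOT_COUNT 13u

struct weapon_slot {
    uint32_t type, state, clip, total, unknown16, goggles, unknown24;
};

/* Little-endian dword access, independent of host byte order. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Slot the post lists each weapon type under, or -1 for an unlisted type. */
static int slot_for_type(uint32_t t)
{
    if (t <= 1) return 0;                               /* fist, brass knuckles */
    if (t <= 9) return 1;                               /* melee */
    if (t == 14) return 10;                             /* flowers */
    if (t == 16 || t == 18 || t == 39) return 8;        /* projectiles */
    if (t >= 22 && t <= 24) return 2;                   /* handguns */
    if (t >= 25 && t <= 27) return 3;                   /* shotguns */
    if (t == 28 || t == 29 || t == 32) return 4;        /* SMGs */
    if (t == 30 || t == 31) return 5;                   /* machine guns */
    if (t == 33 || t == 34) return 6;                   /* rifles */
    if (t >= 35 && t <= 38) return 7;                   /* heavy */
    if (t == 40) return 12;                             /* detonator */
    if (t >= 41 && t <= 43) return 9;                   /* special 1 */
    if (t >= 44 && t <= 46) return 11;                  /* special 2 */
    return -1;
}

/* Parse one slot from a CPed buffer of len bytes. 0 = ok, -1 = bad slot
 * index or buffer too short, -2 = type is not one the post lists for this
 * slot (a cheap sign that the base pointer or the exe version is wrong). */
static int read_weapon_slot(const uint8_t *cped, size_t len, unsigned slot, struct weapon_slot *w)
{
    if (slot >= WEAPON_SLOT_COUNT) return -1;
    size_t off = CPED_WEAPON_BASE + (size_t)slot * WEAPON_SLOT_SIZE;
    if (off + WEAPON_SLOT_SIZE > len) return -1;
    const uint8_t *p = cped + off;
    w->type = rd32(p);       w->state = rd32(p + 4);      w->clip = rd32(p + 8);
    w->total = rd32(p + 12); w->unknown16 = rd32(p + 16); w->goggles = rd32(p + 20);
    w->unknown24 = rd32(p + 24);
    if (w->type != 0 && slot_for_type(w->type) != (int)slot) return -2;
    return 0;
}

/* Write clip/total back. Total includes the clip per the post, so clip > total
 * is refused (-1) instead of written. */
static int set_weapon_ammo(uint8_t *cped, size_t len, unsigned slot, uint32_t clip, uint32_t total)
{
    struct weapon_slot w;
    if (clip > total || read_weapon_slot(cped, len, slot, &w) != 0) return -1;
    uint8_t *p = cped + CPED_WEAPON_BASE + (size_t)slot * WEAPON_SLOT_SIZE;
    wr32(p + 8, clip);
    wr32(p + 12, total);
    return 0;
}

/* Constructed sample: Desert Eagle (24) in slot 2, 7 rounds of 63; sawn-off
 * (26) in slot 3, reloading (state 2), 2 of 20. Everything else zero. */
static void make_sample_cped(uint8_t *buf, size_t len)
{
    memset(buf, 0, len);
    uint8_t *s2 = buf + CPED_WEAPON_BASE + 2 * WEAPON_SLOT_SIZE;
    wr32(s2, 24); wr32(s2 + 4, 0); wr32(s2 + 8, 7); wr32(s2 + 12, 63);
    uint8_t *s3 = buf + CPED_WEAPON_BASE + 3 * WEAPON_SLOT_SIZE;
    wr32(s3, 26); wr32(s3 + 4, 2); wr32(s3 + 8, 2); wr32(s3 + 12, 20);
}

/* Run the parser over the sample; returns the number of failed checks. */
static int self_check(void)
{
    uint8_t cped[2048];
    struct weapon_slot w;
    int bad = 0;
    make_sample_cped(cped, sizeof cped);
    bad += !(read_weapon_slot(cped, sizeof cped, 2, &w) == 0 && w.type == 24 && w.clip == 7 && w.total == 63);
    bad += !(read_weapon_slot(cped, sizeof cped, 3, &w) == 0 && w.type == 26 && w.state == 2);
    bad += !(read_weapon_slot(cped, 1500, 3, &w) == -1);            /* slot 3 ends at byte 1552 */
    bad += !(set_weapon_ammo(cped, sizeof cped, 2, 10, 5) == -1);  /* clip larger than total */
    bad += !(set_weapon_ammo(cped, sizeof cped, 2, 7, 100) == 0 &&
             read_weapon_slot(cped, sizeof cped, 2, &w) == 0 && w.total == 100);
    wr32(cped + CPED_WEAPON_BASE + 4 * WEAPON_SLOT_SIZE, 25);       /* shotgun type in SMG slot */
    bad += !(read_weapon_slot(cped, sizeof cped, 4, &w) == -2);
    return bad;
}
```

The -2 path is the check worth keeping in a real trainer: when the exe version differs (as copini found with the no-DVD build) the offsets shift, and a type value that does not belong to its slot is a far better early warning than silently writing ammo into whatever happens to live there.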

 

 

Good work, mattyboy_96!

 

0x008A5B58 - Contains an array of pointers to all the functions used to activate the cheats.

I haven't checked them all out. The first 3 pointers activate the different weapon cheats (they give the player different kinds of weapons).

 

I know the cheats do interesting stuff to the game and they may be worthwhile to check out.

Just choose a pointer and breakpoint it in your favorite debugger, then start entering cheat codes.

 

EDIT: Judging by the first 4 cheats, the cheat function pointers seem to follow the order found at this address

Edited by charlieC
Stretchnutter

0xB7CDBC [dword] current weapon slot

0xB7CB49 [byte] set this to 1 while playing and everything stops .. related to menus

0xBA677B [byte] set this to 1 to bring up the menu (automatically changes to 0 after menu is brought up)

 

 

CarPoint + 0x7E4 [float] Front-Left suspension height (CAR)

CarPoint + 0x7E8 [float] Rear-Left suspension height (CAR)

CarPoint + 0x7EC [float] Front-Rear suspension height (CAR)

CarPoint + 0x7F0 [float] Rear-Rear suspension height (CAR)

 

Bikes seem to have 4 suspension values too.

CarPoint + 0x720 [float] Front-Left suspension height (BIKE)

CarPoint + 0x724 [float] Rear-Left suspension height (BIKE)

CarPoint + 0x728 [float] Front-Rear suspension height (BIKE)

CarPoint + 0x72C [float] Rear-Rear suspension height (BIKE)

 

There is also a copy of the suspension values at -0x10, but these are 'smoother'.

 

They range from 0 to 1: 1 = fully extended/airborne, 0 = fully compressed.

 

CarPoint + 0xD8 [float] increases when collision occurs

Edited by Stretchnutter
mattyboy_96

Found some addresses while looking at Car Pointers

 

969084 and 969088

 

Pointer to the last two cars you have been in.

 

Basically, it goes:

 

Start game:

969084 = 0

969088 = 0

 

get in car A:

969084 = pointer to Car A

969088 = 0

 

get out of Car A and into car B:

969084 = pointer to Car A

969088 = pointer to Car B

 

get out of Car B and into car C:

969084 = pointer to Car C

969088 = pointer to Car B

 

get out of Car C and into car A:

969084 = pointer to Car C

969088 = pointer to Car A

 

And so on...

 

I have no idea what this could be used for... but thought someone will probably find a use for it sooner or later.

 

0x008A5B58 - Contains an array of pointers to all the functions used to activate the cheats.

What executable do you have? Mine doesn't even go that far.

 

 

 

Well, I assume you are using IDA. For some reason, IDA doesn't decompile the whole executable. I have forced some sections to be disassembled because IDA didn't get it. Modelingman did solve it though; he changed some disassembly settings. Try talking to him about it.

 

If you find out anything more, maybe you could post it here? I've tried to reach Modelingman too about it, yet no answer.

 

Some other stuff I found:

CVehicle + 0x460 - [pointer] Front-left seat CPed pointer

CVehicle + 0x464 - [pointer] Front-right seat CPed pointer

CVehicle + 0x468 - [pointer] Back-left seat CPed pointer

CVehicle + 0x46C - [pointer] Back-right seat CPed pointer

CVehicle + 0x470 - [pointer] Other passenger 1 CPed pointer

CVehicle + 0x474 - [pointer] Other passenger 2 CPed pointer

CVehicle + 0x478 - [pointer] Other passenger 3 CPed pointer

CVehicle + 0x47C - [pointer] Other passenger 4 CPed pointer

 

CVehicle + 0x514 - [dword] Alternate siren on/off (1 = on, 0 = off)

 

there is also a copy of the suspension values at -0x10, but these are 'smoother'

because the engine needs older values to derive new ones from old ones.

 

Anyway, I just saw interesting stuff posted that I also discovered today (like the last car ptr).

Meh, whatever; there are still some things not posted:

 

00B6B98C - player actor pointer, if zero the player is on foot

82317200 - same as before but when you are wasted still stays on your last actor until you respawn

 

82186128 - player actor pointer

00B6F3B8 - whatever is in players control

 

00969A40, 00B79530 - last controlled car

 

04FBD4F8 & 04FBD538 - closest car to player, may be zero if there are no cars in the world or you are inside a shop or other interior or no car that hasn't been wrecked is near you (max searching distance is around 50 meters I think). These are not fixed addresses; I once found them at this offset but they vary, the memory was probably in the player actor's memory block.

 

82317664 = jetpack equipment 1 byte boolean

82317668 = pointer to jetpack equipment (?)

82317672 82317676 82317680 - more jetpack stuff

 

in player block (all decimal)

185 = player is on ground, byte

654 = byte, ped state, $C8 = vehicle, $E8 = on foot (unreliable data)

1332 = byte, power usage (?) increases when running

1328 = byte, 1 when on foot, $32 when in car, 0 when exiting car

1268 = uint32, if non-zero then the parachute weapon is selected; this could be parachute backpack data

 

The addresses are a mix of hex and decimal; that is because I use a combination of two memory hacking tools (ArtMoney and ped32).

 

Any info on how to decompile the exe with IDA would be really helpful; it drives me nuts, it gets caught in an infinite analysis loop.

 

By the way, I found this in the wiki:

 

Filemanagement
* 004AB260 : CFileMgr::CloseFile((int))
* 005389D0 : CFileMgr::CloseFile((int))
* 004AB240 : CFileMgr::OpenFile((char const *))
* 00538900 : CFileMgr::OpenFile((char const *))
* 00538950 : CFileMgr::Read((int,char *,int))
* 005387D0 : CFileMgr::SetDir((char const *))

 

Are these disk file management functions or IMG functions? And which interface do they use?

 

Also, I am working on a stable ASI loader by replacing oggvorbis.dll with my custom version; it should be done in a few days. I tried those d3d9 variants and none of them worked properly (graphical glitches).

 

Edit: does anyone know if the Rhino's tires can still be popped? It seems every wheel is standalone with its own suspension, unlike GTA3 and VC, which faked the middle wheel by using the rear wheel's suspension data, so there has to be a lot of new stuff with the new tank.

 

any info on how to decompile the exe with ida would be really helpful, it makes me nuts, it gets caught in infinite analysis loop :S

Try using OllyDbg, seems to work for me. But I do get frequent access violations and it doesn't seem to disassemble the entire exe (some people have posted offsets beyond the capacity displayed in OllyDbg).

 

any info on how to decompile the exe with ida would be really helpful, it makes me nuts, it gets caught in infinite analysis loop :S

 

It doesn't get caught in an infinite loop - it just seems that way.

Wait for about 15 minutes and it will eventually break free.

 

I did my first disassembly with a memory image dumped by LordPE, but I couldn't find what I was looking for. So then I downloaded the Hoodlum thing, thinking it would be better. I needn't have bothered - it gives an almost identical disassembly to the image version.

 

Does anyone have any idea where "ProcessOneCommand" is located? I've searched every address I can think of for the function but can't find any likely code.

Does anyone have any idea where "ProcessOneCommand" is located? I've searched every address I can think of for the function but can't find any likely code.

Here ya go:

 

00469F00 - CRunningScript_ProcessOneCommand

Found by kyeman.

 

Quote: "00469F00 - CRunningScript_ProcessOneCommand. Found by kyeman."

That's one of the addresses I've already tried and failed to get working! The other serious contender was 0x469390. I have a nasty feeling that the Game_Script_Thread struct may have changed for SA.

 

Anyway, it's good to have the address narrowed down. Now I can concentrate on working out why I couldn't get that function to work.

 

Thanks again

Stretchnutter

0xBAB22C [4 bytes] = health bar color (RGBA) in bytes

0xBAB230 [4 bytes] = money font color (RGBA) in bytes

0xBAB220 [float] height value for BUSTED/WASTED text... write a value here after text has been displayed

 

 

There is more around this area; I don't have the patience to investigate. Discovered by accident.

 

mattyboy_96

Found some addresses to do with text on the screen and such.

 

From 0xBAACD0 To 0xBAB0BF is text that gets drawn to the screen

 

Each one is 128 bytes and they all have a different 'style', as you'll see below.

 

Here they are:

 

How I will state these:

Address - Vertical pos, Horizontal pos, Text Colour, Text Style, e.g. of what it's used for

 

NOP 0x588FA9 (6 bytes) to make the below address work

 

0xBAB040 - Bottom, Middle, White, Plain, Stunt Bonus Info

 

 

NOP 0x58905E (6 bytes) to make the below addresses work (note: some already work without NOPing this address)

 

0xBAAEC0 - Top, Middle, Orange, Black Outline, ?

 

0xBAAFC0 - Top, Middle, Blue, Bold+Black Outline, ?

 

0xBAAF40 - Center, Center, White, Black Outline+Small+Fades Out, ?

 

0xBAAE40 - Center, Center, Orange, Black Outline+Small, ?

 

0xBAADC0 - Center, Center, White, Black Outline+That cool like 16th century font, ?

 

0xBAAD40 - Bottom, Right, Orange, Black Outline+Medium+Fades Out, Mission Title

 

0xBAACC0 - Center, Center, Orange, Black Outline+Medium+Fade Out+Cool FadeIn/Out Effect, "Mission Complete"

 

 

For the address below, you can put whatever data you want into it; then, to make it appear, set 0xBAA475 to 88 (58 hex).

To make it disappear again set it back to zero (if the game continuously resets this, try NOPing 0x58B91E (6 bytes)).

NOP 0x69DBB8 (3 bytes) to prevent the game from using this textbox.

 

0xBAA480 - top, left, white, in a transparent box, used at start of game to tell you how to use the bike.

 

Haven't tested for all, but using the tag ~b~ will make text from that point on blue, just as ~g~ will make it green and ~r~ red, etc. (Edit: it does work with all of them.)

 

Enjoy.

~Matt

stretchnutter:

0xB7CB49 [byte] set this to 1 while playing and everything stops .. related to menus

 

Changing this byte doesn't work, at least not for me.

 

edit:

Just as a side note, about all those d3d9 ASI loaders that cause graphical glitches for me: I made my own ASI loader that replaces vorbisfile.dll:

 

http://www.gtatools.com/pafiledb/pafiledb....tion=file&id=31

 

Works 100%, but is there a working ASI debug hook that won't cause CJ's body to be displaced?

 

So now go and make some cool ASI code hooks!

 

edit:

Playing with IDA Pro, this function seems to be the one responsible for getting text out of the GXT data:

.text:006A0050 GET_GXT_ENTRY proc near

 

Maybe we can hook it and use a plain text file instead of GXT?

 

Also, someone who knows, please answer my previous question:

"are these disk file management functions or IMG functions? and which interface do they use?"

 

 

0xBAAEC0 - Top, Middle, Orange, Black Outline, ?

is used during dancing minigames ("synchronised", "too late", etc.)

 

 

0xBAAFC0 - Top, Middle, Blue, Bold+Black Outline, ?

is used during dancing minigames for overall state (eg. "BAD")

 

 

0xBAADC0 - Center, Center, White, Black Outline+That cool like 16th century font, ?

is used for "wasted" message

 

There are more addresses that seem to be for text, but they don't appear on screen (maybe only in menus? not tested): 0xBAA9C0, 0xBAAAC0 and 0xBAABC0. If you put any text in there, the game automatically changes the first byte to 0. Even if you NOP out the code responsible for erasing the text (0x589064, 6 bytes), no text appears in the game.

 

 

Quote: "using the tag ~b~ will make text from that point on blue, just as ~g~ will make it green and ~r~ red etc."

You can also use ~N~ to go to a new line, and I've seen in-game texts using ~s~, ~h~ and ~z~, but didn't test what they do.

Also, ~1~ is replaced by a variable for in-game texts (for example the values in a stunt-bonus message).

You can use ~k~~COMMAND_NAME~ to display the key corresponding to the command. You can find a list of valid command names from address 0x86329C in the executable.

Edited by copini
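Added example, not code from mattyboy_96's or copini's posts: a renderer for the ~x~ tags the two posts describe, producing the plain text a reader would see and refusing anything that would not fit one of the 128-byte text slots at 0xBAACD0..0xBAB0BF. ~N~ becomes a newline, ~1~ is replaced by a caller-supplied variable, ~k~~COMMAND_NAME~ becomes a key placeholder, and any other tag (~r~, ~g~, ~b~, ~s~, ~h~, ~z~, ...) is treated as a style tag that leaves nothing in the plain text. Two things go beyond the posts and are assumptions: ~1~ is generalised to ~1~..~9~, and the placeholder is "[COMMAND_NAME]" because the real binding table at 0x86329C is not reproduced here. The strings in the test are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the thread. Renders ~x~ tags to plain text with a
 * hard cap of TEXT_SLOT_SIZE bytes (the size of the game's text slots), so
 * a trainer never writes past the 128-byte slot it is filling. Assumptions
 * beyond the posts: ~1~..~9~ all index the variable list, unknown tags are
 * style tags and render as nothing, and ~k~~NAME~ renders as "[NAME]". */

#define TEXT_SLOT_SIZE 128u

/* Append n bytes of src to out at *pos, never overrunning outsz - 1
 * (one byte is reserved for the NUL). Returns -1 instead of overflowing. */
static int emit(char *out, size_t outsz, size_t *pos, const char *src, size_t n)
{
    if (*pos + n >= outsz)
        return -1;
    memcpy(out + *pos, src, n);
    *pos += n;
    return 0;
}

/* Render in into out (at most outsz bytes, NUL-terminated). vars[i] replaces
 * ~(i+1)~; a missing variable renders as nothing. Returns bytes written
 * (excluding the NUL), -1 if the text would not fit the slot, -2 on a
 * malformed tag (unterminated ~, or ~k~ not followed by ~NAME~). */
static int gxt_render(const char *in, char *out, size_t outsz,
                      const char *const *vars, size_t nvars)
{
    size_t pos = 0;
    if (outsz == 0 || outsz > TEXT_SLOT_SIZE)
        return -1;
    while (*in) {
        if (*in != '~') {
            if (emit(out, outsz, &pos, in, 1)) return -1;
            in++;
            continue;
        }
        const char *end = strchr(in + 1, '~');
        if (!end)
            return -2;
        const char *tag = in + 1;
        size_t taglen = (size_t)(end - tag);
        in = end + 1;
        if (taglen == 1 && tag[0] == 'N') {                        /* new line */
            if (emit(out, outsz, &pos, "\n", 1)) return -1;
        } else if (taglen == 1 && tag[0] >= '1' && tag[0] <= '9') { /* variable */
            size_t i = (size_t)(tag[0] - '1');
            if (i < nvars && emit(out, outsz, &pos, vars[i], strlen(vars[i]))) return -1;
        } else if (taglen == 1 && tag[0] == 'k') {                 /* key binding */
            if (*in != '~') return -2;
            const char *nend = strchr(in + 1, '~');
            if (!nend || nend == in + 1) return -2;
            if (emit(out, outsz, &pos, "[", 1) ||
                emit(out, outsz, &pos, in + 1, (size_t)(nend - in - 1)) ||
                emit(out, outsz, &pos, "]", 1))
                return -1;
            in = nend + 1;
        }
        /* any other tag is a style/colour tag: nothing in the plain text */
    }
    out[pos] = '\0';
    return (int)pos;
}
```

The -1 path matters more than it looks: the game's slots are fixed 128-byte arrays laid out back to back, so a string that overruns one slot lands in the next slot's bytes (or in 0xBAB220 and the colour values Stretchnutter listed right after them).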
