Documenting GTA-SA memory addresses

[jburrows 0]

Well found some things by searching for stuff in the stats section when searching for stuff in there. I created a table using artmoney. I uploaded artmoney table I have of the values to http://www.stargatetechworld.com/gta/GTA-%...n%20Andreas.amt .There roughly 50 values in there. There are some that were already posted but not that many I think. Some of values are not important like how much money you spent on haircuts and do to how much time it would take to copy and paste them to the messageboard would take to much so only posting what I thought was the important addresses. Note however you can download the free version of artmoney and get the other addresses.

 

All the numbers except when noted are 4 byte integers.

number of tags 00A9AD74

number of horseshoes 00B791E4

number of oysters. 00B791EC

(for those number above if you change it to maximum amount they appear to pop a message and gives a bonus like weapons in cj house)

 

lowrider hydrailics mission score. 00A4A948 ( change it in that mission to a passing number will let you win the mission even do not even hit 1 button.)

 

life a beach dance score 00A4EC20 (same as above)

 

# photographs taken 00B790B8

 

dating stuff so far.

Please not on the progress ones I have know it appears to change the progress in stats page but have not had the time to verify what if you change it 100 and date her would you on your next date go inside her house and get some.

 

progress with denise 00B79210

progress with michelle 00B79214

progress with katie 00B79220

# of girls dated 00B79108

Current # of girlfriends 00B79100

#of disastrous dates 00B79104

# successfull dates 00B79110

 

 

# unique jumps found 00B79060

# unique jumps done 00B79064

 

[charlieC 0]

Some small findings,

0x008CDEE4 - [dword] Max wanted level

0x00B7CD9C - CWanted structure - 668/0x29C bytes

 

CWanted + 0x2C - [dword] Current wanted level

 

CPed + 0x2F - [byte] Location status (0 = outside, 3 = inside a building)

 

I think the CWanted also contains, current number of cops after you, aggression level etc, not sure.

It looks like it contains some kind of array too. Maybe a list of pointers to every cop after you?

CPed contains a pointer to 0x00B7CD9C also.

[JernejL 47]

Also, the memory address that keeps track of the current car ID does not keep track of when you enter a plane. Anyone know how to do that as well?

that was happening with gtavc skimmer as well..

 

[random_download 0]

 

004640DE    8B90 6099A400   MOV EDX,DWORD PTR DS:[EAX+A49960]

 

this seems to get called every time a new opcode is being executed.. so erm..

0xA43C78 = latest opcode called? (in 4 byte dword, convert to hex for opcode form)

 

could be completely off on this, i was just looking at opcode execution in the dissasembly and noticed this.

 

0xA49960 = start of scm block

Where did 0xA43C78 come from?

[Tyrant Joe 0]

Can anybody find me the address for flight skill please? I need to reset it to zero to do a mission.

[jacob. 1]

Where did 0xA43C78 come from?

0xA43C78 was in the EDX register.. its the address that 'DWORD PTR DS:[EAX+A49960]' was being pushed to.

 

And I just realized how close the address I found is to the actual SCM block.. so it probably is the latest opcode.

[SeBsZ 0]

All memory addresses posted here that have to do with the current wanted level seem to be read-only... any way to change the current wanted level?

[Wohlever 2]

Nutz' date='Jul 1 2005, 00:40'] Found one way to change/disable the annoying solid clouds above 220 meters:

 

0x716642 (float)

0x716655 (float)

 

Both values default to 200 (00 00 48 43). If you change one of them to 100,000 (00 50 c3 47)

you get very few clouds, a much nicer effect. If you change both of them to 100,000

you never get the clouds.

 

It appears that betwen 200m and 500m StrClp (haze) gradually reduces from whatever

is in timecyc.dat (if greater than 800) to 800. I'm still looking for how to disable this.

 

Also, someone pointed out that when the height limit for aircraft is raised to 100,000m

you fall off bikes and motorcycles the instant you touch anything (!) Why the two

would be related is a mystery. Reducing the height limit to 2000m (still more

than double the default) seems to make it normal, though I don't do much biking

so it's hard to tell for sure.

Another way is to make the image cloud1 in particals.txd 100% transparent

 

[jacob. 1]

0x0043A0B0 - some sort of CreateVehicle function

 

In the cheats, it pushes the the vehicle ID and calls this function every time.

[charlieC 0]

 

0x0043A0B0 - some sort of CreateVehicle function

Yes, it spawns a vehicle infront of the player. Only used by the cheat codes.

It checks if the player is outside and not in a cutscene before spawning it.

 

There's some weather related functions to be found within the cheat functions.

Also, there's functions for dressing the player here too. Haven't looked at them closer, but it seem pretty easy to change the clothes of the player using these functions.

Edited July 4, 2005 by charlieC

[AlienX 0]

Whats the offset from the vehicle pointer to get into the rotation matrix?...

 

ive searched preetymuch everywhere

 

Many Thanks

[mattyboy_96 0]

AlienX:

(all the following are floats)

Dword(car + 20) + 0

Dword(car + 20) + 4

Dword(car + 20) + 8

(blank)

Dword(car + 20) + 16

Dword(car + 20) + 20

Dword(car + 20) + 24

(blank)

Dword(car + 20) + 32

Dword(car + 20) + 36

Dword(car + 20) + 40

 

as you can see, if you follow the pattern you then get:

 

(blank)

Dword(car + 20) + 48

Dword(car + 20) + 52

Dword(car + 20) + 56

 

which is the cars position

[AlienX 0]

What about the rotation tho... ive been toled by jacob to go from the rotation matrix, from 0 to 36 with a step of 4...

 

But, it seems i dont have the rotation matrix, Or is the rotation matrix the same as the matrix with the Z Y and Z coords in em?

Edited July 6, 2005 by AlienX

[Marklund 0]

What's Cped?

[jacob. 1]

AlienX, no offence, but you need to go read some coding/memory tutorials yourself for once. You've been doing nothing but posting code and demanding people to fix it recently, and if I'm not mistaken, this is a memory documentation topic; not a "write-my-code" topic. It especially gets annoying when mattyboy_96 and I have both already told you exactly what you need, yet you cease to put it to any use.

 

 

ive been toled by jacob to go from the rotation matrix, from 0 to 36 with a step of 4...

And that's exactly what mattyboy_96 just told you. Now, must be the third time I've told you this across different forums.. I won't give you code but I'll tell you all you need:

 

Rotation matrix = CVehicle + 20

XA XB XC YA YB YC ZA ZB ZC = +0 +4 +8 +12 +16 +20 +24 +28 +36

Values are FLOATS, not dwords!

 

 

What's Cped?

When someone here says cped, its just a different way of saying 'player' or 'actor'.

[AlienX 0]

i only asked on this one :S....

 

im sorry i misunderstood.

 

and my mate toled me a float was a double... ah well lol

 

EDIT

 

All Sorted Now... Cheers Jacob

Edited July 6, 2005 by AlienX

[jburrows 0]

Well found all of the addresses of driving school test. All of them appear to 4 byte integer.I have not experimented to much with them but noticed the following. If I changed all the scores the scores on a savegame which driing school was completed and a hotknife appeared. Also noticed one time on a savegame where no driving school test where taken it did not let me see the 2nd test even though it said I got a 100 on the first test.

 

360 score 00A49B0C

 

180 score 00A49B04

 

whip and terminate 00A49AE8

 

pop and control 00A49AE0

 

lap and burn 00A49AD8

 

90's 00A49ACC

 

wheelie wave 00A49AF4

 

spin and go 00A49AD0

 

pit maneuver 00A49AF8

 

allie oop 00A49AF0

 

city slicking 00A49AE4

 

cone coil 00A49AFC

 

 

[AlienX 0]

nice find, will add to the trainer im making lol cheers

[AlienX 0]

i was wondering is there a pointer, and if so what?... for the x and y coord of the marker you can place on the map (In the menu)

 

thanks

 

Whoops sorry for double post!

[[KFC]Nutz 0]

Ok, this is a weird one. I was looking for what controls the reduction of StrClp (haze distance) above

500 meters. I found in memory:

 

858C4C: (float) which is set to 1000 (00 00 7A 44).

It's located at offset 45744C in the exe.

 

Changing this in the exe does in fact change the StrClp above 500m to the value

you set it to. Unfortunately this constant is also used for a number of game timers!

 

doubling it to 2000 cuts the frame rate with frame limiter on to 14 fps. It also increases

the size of particle animations like the jetpack flames and ejected shell casings. It also

affects other timings like npc vehicles, weapon fire rate and certain random events. Turning

off frame limiter fixes the frame rate and some of the timings but not the particle animations.

 

I will try to use this address to isolate which function actually performs the StrClp modification

so we can hack that and leave this address alone.

 

A similar effort should be done to the aircraft height limiter constant mentioned earlier because

changing that seems to affect other things like how easially you get knocked off of bikes.

 

I'm guessing this multiple use of a constant is a side effect of compiler optimization. I can't

imagine these functions would be related on purpose in the source code.

 

I guess the fact that there are several (float) 1000 constants in the exe results from

it being assembeled from several .o files with each .o file being optimized for at most one instance

of (float) 1000.

[jburrows 0]

Well I found what appears to be the score of flight school test. I have not done any real test besides after editing the score and the test score appears to have been changed.After changing all the scores to 100 and left and check if I saw the army helicopter there on the airport but did not. All of address appear to be 4 byte integer.

 

 

f school takeoff 00A4B7B8

 

f school land plane 00A4B7BC

 

f school circle airstip 00A4B7C0

 

f school circle airstip and land 00A4B7C4

 

f school helicopter takeoff 00A4B7C8

 

f school helicopter land 00A4B7CC

 

f school destroy all targets 00A4B7D0

 

f school loop 00A4B7DB

 

f school barrel roll 00A4B7D8

 

f school parachute onto target 00A4B7DC

 

 

 

[copini 0]

0x0043A0B0 - some sort of CreateVehicle function

Yes, it spawns a vehicle infront of the player. Only used by the cheat codes.

It checks if the player is outside and not in a cutscene before spawning it.

 

There's some weather related functions to be found within the cheat functions.

Also, there's functions for dressing the player here too. Haven't looked at them closer, but it seem pretty easy to change the clothes of the player using these functions.

So it's possible to call such a function from a different application?!? Can you please explain how to do this?

[jacob. 1]

0x0043A0B0 - some sort of CreateVehicle function

Yes, it spawns a vehicle infront of the player. Only used by the cheat codes.

It checks if the player is outside and not in a cutscene before spawning it.

 

There's some weather related functions to be found within the cheat functions.

Also, there's functions for dressing the player here too. Haven't looked at them closer, but it seem pretty easy to change the clothes of the player using these functions.

So it's possible to call such a function from a different application?!? Can you please explain how to do this?

The game's functions are only callable through assembly, but any language capable of using the API declaration WriteProcessMemory is capable of doing so.

 

You could put a conditional jump in the cheat processor that checks if $someaddress is a 1, and if so, continue on to call the function and reset $someaddress to 0. You have to be creative if you aren't in process.

[JernejL 47]

So it's possible to call such a function from a different application?!? Can you please explain how to do this?

yeah, with something powerful as madshi's utilities (www.madshi.com) you can do that as well, its even got a small disassembler in it as well.. ofcourse you can call the function by manually editing it to be executed as you want it and restore the edited pieces in the new edited function itself back to original..

 

[caytchen 0]

 

B79496: Float, pistol stat

Seems to be wrong, real stat can be found at 0xB79494 (floats are 4byte)

Edited July 9, 2005 by caytchen

[copini 0]

You could put a conditional jump in the cheat processor that checks if $someaddress is a 1, and if so, continue on to call the function and reset $someaddress to 0. You have to be creative if you aren't in process.

Thank's alot! Why didn't I think of that...

 

So I'll have to find a piece of code that can be changed without influencing the game too much. And I could put the original code back once $someaddress is 0 again...

Great stuff, I'll try it tomorrow.

[copini 0]

 

madshi's utilities (www.madshi.com)

 

Do you mean the Delphi packages on www.madshi.net?

Edited July 9, 2005 by copini

[copini 0]

 

Some small findings,

0x008CDEE4 - [dword] Max wanted level

0x00B7CD9C - CWanted structure - 668/0x29C bytes

 

CWanted + 0x2C - [dword] Current wanted level

 

CPed + 0x2F - [byte] Location status (0 = outside, 3 = inside a building)

 

I think the CWanted also contains, current number of cops after you, aggression level etc, not sure.

It looks like it contains some kind of array too. Maybe a list of pointers to every cop after you?

CPed contains a pointer to 0x00B7CD9C also.

The function for setting the wanted level is @ 00561C90

If you walk through the function, you'll see 4 values in the CWanted structure are set when the wanted level changes:

CWanted + 0x2C [dword] (current wanted level)

CWanted + 0x1A [byte]

CWanted + 0x19 [byte] (number of cops chasing you)

CWanted + 0x1C [dword]

 

I haven't tested what the other values are, but they increase along with the wanted level. So probably something like the number of cops/helis/etc. chasing you.

 

Trying to clear the wanted level by setting all values to 0 doesn't work...

 

 

EDIT:

CWanted + 0x19 is the number of cops simultaniously shooting at you. Helicopters will still shoot if you change this to 0.

 

You can clear the wanted level by setting max wanted level and the four values in CWanted to 0. But then you'll never get a wanted level again. If you change the max wanted level back after clearing it, you'll get your old wanted level as soon as you do something.

There's probably some value for how pissed the cops are that you'll have to set to 0. Still searching...

 

EDIT 2:

Okay, I've been blind

The first dword at CWanted (CWanted + 0), is the counter for how pissed the cops are. Changing this will change the wanted level as soon as you do something in the game.

The wanted level is calculated from this value:

above 4600 - 6 stars

above 2400 - 5 stars

above 1200 - 4 stars

above 550 - 3 stars

above 180 - 2 stars

above 50 - 1 star

Edited July 9, 2005 by copini

[JernejL 47]

madshi's utilities (www.madshi.com)

 

Do you mean the Delphi packages on www.madshi.net?

yeah, it is madshi.NET, my mistake..

 

[jburrows 0]

I found a few addresses not sure useful but mostly for people that want pass certain missions without doing certian sections. All are integer 4 bytes.

 

number of crates you put in robbing uncle sam mission (change to 6 in the part of mission where you puts crates in the van you it acts like you all six in there and passes that section of mission and starts next sequence. ) 00A48B5C

 

ambulance missions (not sure exactly what is stands but something like number of paitents you need to deliver to pass that level). Changing it to 0 will pass that level and give you the reward for that level. Note however freezing it does seem to crash gta sa but if change it as new level starts it will work fine.

00A489F4

 

firefighter mission (not sure exactly but believe something number of fires still need to put out.) If you change it to 0 you complete that level on firefiring missions and get full reward like you would if you completed.

00A48AC0