the hubster, posted December 2, 2008:

Please note the exe version when posting memory addresses (what patch is installed). You will need Rick's xlive.dll wrapper or xliveless to edit protected memory addresses.

http://www.gtamodding.com/index.php?title=...ddresses_(GTA4)

Edited November 6, 2009 by the hubster
Nulldata, posted December 3, 2008:

I'll start:

    Size of gtaiv.exe: 13411688 bytes (0CCA568h)
    Start of SecuROM signature: 0CC9028h

Can you post the CRC hash for your GTAIV.exe? It should help everyone, just in case the EXEs are changed in any way.

Edited December 3, 2008 by Nulldata
opium_addict, posted December 3, 2008:

> Can you post the CRC hash for your GTAIV.exe? It should help everyone, just in case the EXEs are changed in any way.

I suspect that the file size is good enough... if something is changed, then it's more than likely the file size will change also...
Dangta, posted December 5, 2008:

Hi guys, I'm not so experienced in disassembling but I've had a bit of progress. I think I've found some pretty good offsets in the following code, in B51CA0:

    .text:00B51CA0 sub_B51CA0 proc near ; CODE XREF: sub_7E5A80+69p
    .text:00B51CA0 push offset loc_B51B30
    .text:00B51CA5 push offset aSet_time_one_d ; "SET_TIME_ONE_DAY_FORWARD"
    .text:00B51CAA call sub_583420
    .text:00B51CAF push offset loc_B51B40
    .text:00B51CB4 push offset aSet_time_one_0 ; "SET_TIME_ONE_DAY_BACK"
    .text:00B51CB9 call sub_583420
    .text:00B51CBE push offset loc_B51C60
    .text:00B51CC3 push offset aGet_time_of_da ; "GET_TIME_OF_DAY"
    .text:00B51CC8 call sub_583420
    .text:00B51CCD push offset loc_B51B60
    .text:00B51CD2 push offset aGet_hours_of_d ; "GET_HOURS_OF_DAY"
    .text:00B51CD7 call sub_583420
    .text:00B51CDC push offset loc_B51B70
    .text:00B51CE1 push offset aGet_minutes_of ; "GET_MINUTES_OF_DAY"
    .text:00B51CE6 call sub_583420
    .text:00B51CEB push offset loc_B51B80
    .text:00B51CF0 push offset aSet_time_of_da ; "SET_TIME_OF_DAY"
    .text:00B51CF5 call sub_583420
    .text:00B51CFA push offset loc_B51BA0
    .text:00B51CFF push offset aForward_to_tim ; "FORWARD_TO_TIME_OF_DAY"
    .text:00B51D04 call sub_583420
    .text:00B51D09 push offset loc_B51BC0
    .text:00B51D0E push offset aGet_minutes_to ; "GET_MINUTES_TO_TIME_OF_DAY"
    .text:00B51D13 call sub_583420
    .text:00B51D18 add esp, 40h
    .text:00B51D1B push offset loc_B51BE0
    .text:00B51D20 push offset aGet_current_da ; "GET_CURRENT_DAY_OF_WEEK"
    .text:00B51D25 call sub_583420
    .text:00B51D2A push offset loc_B51C80
    .text:00B51D2F push offset aGet_current__0 ; "GET_CURRENT_DATE"
    .text:00B51D34 call sub_583420
    .text:00B51D39 push offset loc_B51BF0
    .text:00B51D3E push offset aSet_time_of_ne ; "SET_TIME_OF_NEXT_APPOINTMENT"
    .text:00B51D43 call sub_583420
    .text:00B51D48 push offset loc_B51C10
    .text:00B51D4D push offset aCompare_two_da ; "COMPARE_TWO_DATES"
    .text:00B51D52 call sub_583420
    .text:00B51D57 push offset loc_B51C40
    .text:00B51D5C push offset aForce_time_of_ ; "FORCE_TIME_OF_DAY"
    .text:00B51D61 call sub_583420
    .text:00B51D66 push offset loc_B51B50
    .text:00B51D6B push offset aRelease_time_o ; "RELEASE_TIME_OF_DAY"
    .text:00B51D70 call sub_583420
    .text:00B51D75 add esp, 30h
    .text:00B51D78 retn
    .text:00B51D78 sub_B51CA0 endp

It looks like it's maybe allocating a function to an opcode? I'm not sure... Rockstar may have organized the code in a way that each subject-specific opcode is contained within its own method. Which would explain why only time-related opcodes are in this? I'm attempting to have a play around by calling some opcodes myself through C/C++. I'll let you know if I have any luck!

Edited December 5, 2008 by Dangta
opium_addict, posted December 6, 2008:

Pointer to the D3D9 device: GTAIV.exe + 0x128B570

    IDirect3DDevice9 *pDevice = (IDirect3DDevice9 *)*(DWORD*)((DWORD)g_hGTA + 0x128B570);

edit:

    .text:007E5A80 SetupAllNatives proc near ; CODE XREF: SetupScripts+94p
    .text:007E5A80
    .text:007E5A80 ; FUNCTION CHUNK AT .text:00B49D50 SIZE 00000031 BYTES
    .text:007E5A80
    .text:007E5A80 call SetupAudioNatives
    .text:007E5A85 call SetupCameraNatives
    .text:007E5A8A call SetupDebugNatives
    .text:007E5A8F call SetupHUDNatives
    .text:007E5A94 call SetupEngineNatives
    .text:007E5A99 call SetupInputNatives
    .text:007E5A9E call SetupCharNatives
    .text:007E5AA3 call SetupPlayerNatives
    .text:007E5AA8 call SetupTaskNatives
    .text:007E5AAD call SetupCarNatives
    .text:007E5AB2 call SetupObjectNatives
    .text:007E5AB7 call SetupScriptHelperNatives
    .text:007E5ABC call SetupMissionNatives
    .text:007E5AC1 call SetupWorldNatives
    .text:007E5AC6 call SetupNavigationNatives
    .text:007E5ACB call SetupWeaponNatives
    .text:007E5AD0 call SetupFireNatives
    .text:007E5AD5 call SetupZoneNatives
    .text:007E5ADA call SetupRenderNatives
    .text:007E5ADF call SetupGangNatives
    .text:007E5AE4 call SetupCutsceneNatives
    .text:007E5AE9 call SetupTimeNatives
    .text:007E5AEE call SetupOnlineNatives
    .text:007E5AF3 call SetupBrainNatives
    .text:007E5AF8 call nullsub_5
    .text:007E5AFD call SetupCarbombNatives
    .text:007E5B02 jmp SetupWaterNatives
    .text:007E5B02 SetupAllNatives endp

    .text:00B7F360 ; int __cdecl SetPedDensityMultiplier(float)

Thanks to Mike and Yoann on IRC.

Edited December 7, 2008 by opium_addict
ceedj, posted December 7, 2008:

> It looks like it's maybe allocating a function to an opcode? I'm not sure... Rockstar may have organized the code in a way that each subject-specific opcode is contained within its own method. Which would explain why only time-related opcodes are in this? I'm attempting to have a play around by calling some opcodes myself through C/C++. I'll let you know if I have any luck!

Pretty sure you're dead-on right; the little bit of mission script I've seen suggests just that, as though they've moved from a BASIC approach (II/VC/SA) to a more streamlined object-oriented scripting (C/C++). Nice work here guys!
aru, posted December 7, 2008:

There's no notion of an opcode per function anymore... The basic opcodes of the IV scripting engine (or should I say RAGE scripting engine) are just some very low-level VM opcodes like add/sub/jmp/call/etc. One of those opcodes calls a native function, and it's invoked by the hash of the name of the function... which is why you see all the names there. The hashing algorithm in use is the One-at-a-Time Hash:

    typedef unsigned int ub4;   /* 32-bit unsigned, as in Burtle's code */

    /* mask: Burtle's table mask; pass 0xffffffff to keep the full 32-bit hash */
    ub4 one_at_a_time(char *key, ub4 len, ub4 mask)
    {
        ub4 hash, i;
        for (hash = 0, i = 0; i < len; ++i)
        {
            hash += key[i];
            hash += (hash << 10);
            hash ^= (hash >> 6);
        }
        hash += (hash << 3);
        hash ^= (hash >> 11);
        hash += (hash << 15);
        return (hash & mask);
    }

(from: http://burtleburtle.net/bob/hash/doobs.html)

I have the full specs of the scripting VM and the opcodes written up on paper from the 360 version (and it's pretty much identical on PC)... I just haven't had time to type it all up nicely.
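The scheme aru describes, a native called through the hash of its name, is easy to get wrong if two names ever hash to the same value. The block below is an added example (not aru's code and not anything from the game): Bob Jenkins' one-at-a-time hash returning the full 32-bit value, plus a small registry that stores handlers under the hash of their name and dispatches by hash, refusing to register a second, different name that collides with an existing entry. The two native names are taken from the listing earlier in this thread; the handler bodies and the `NativeRegistry` class are constructed for the example.

```cpp
// Added example, not from the thread: one-at-a-time hash plus a registry
// that resolves native calls by the hash of the native's name.
#include <cstddef>
#include <cstdint>
#include <map>
#include <stdexcept>
#include <string>

// Jenkins one-at-a-time hash over `len` bytes of `key`. Returns the full
// 32-bit value; Burtle's page masks it to a table index afterwards.
uint32_t one_at_a_time(const char *key, size_t len) {
    uint32_t hash = 0;
    for (size_t i = 0; i < len; ++i) {
        hash += static_cast<unsigned char>(key[i]);  // treat bytes as unsigned
        hash += hash << 10;
        hash ^= hash >> 6;
    }
    hash += hash << 3;
    hash ^= hash >> 11;
    hash += hash << 15;
    return hash;
}

uint32_t hash_name(const std::string &name) {
    return one_at_a_time(name.c_str(), name.size());
}

using NativeFn = int (*)(int);

// Registry keyed by name hash (constructed for this example). Registering a
// different name that hashes to an occupied slot is refused, so a collision
// cannot silently redirect a call to the wrong handler.
class NativeRegistry {
public:
    bool register_native(const std::string &name, NativeFn fn) {
        const uint32_t h = hash_name(name);
        auto it = table_.find(h);
        if (it != table_.end()) {
            return it->second.name == name;  // same name again: accepted, unchanged
        }
        table_[h] = Entry{name, fn};
        return true;
    }

    // Dispatch by hash, as the VM's "call native" opcode would.
    int invoke(uint32_t h, int arg) const {
        auto it = table_.find(h);
        if (it == table_.end()) throw std::out_of_range("unknown native hash");
        return it->second.fn(arg);
    }

    size_t size() const { return table_.size(); }

private:
    struct Entry { std::string name; NativeFn fn; };
    std::map<uint32_t, Entry> table_;
};

// Constructed handler bodies for two native names seen in the thread.
static int get_hours_of_day(int) { return 12; }
static int set_time_of_day(int hours) { return hours % 24; }

NativeRegistry build_registry() {
    NativeRegistry r;
    r.register_native("GET_HOURS_OF_DAY", get_hours_of_day);
    r.register_native("SET_TIME_OF_DAY", set_time_of_day);
    return r;
}
```

`one_at_a_time("a", 1)` gives 0xCA2E9442 and the empty string hashes to 0, which are the usual reference values for this function; a lookup with an unregistered hash throws rather than returning a stale pointer.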
Alexander Blade, posted December 7, 2008:

    .data:00E4AF70 models hash nodes array pointer

    model_hash_node struct (0x8 b)
        model_hash       0x4 b
        model_ingame_id  0x4 b
    end

    .data:00E58CF8 Cheat functions pointers array (17)

    .text:008654E0 ; int __cdecl SpawnVehicle(int IngameID); car spawning function

Edited December 7, 2008 by Alexander Blade
Andrew, posted December 7, 2008:

Excellent work so far. Pinned.
Peter, posted December 7, 2008:

To avoid spamming the first page, I'll only list the most interesting ones in this post. A full list of vTable names can be found on this page.

Interesting vTables:

    CEntity (0xCF7FF4)
        CBuilding (0xD1E7B4)
        CPhysical (0xD0A014)
            CVehicle (0xCFA804)
                CAutomobile (0xD49754)
                CBike (0xD4BA24)
                CPlane (0xCFB31C)
                CTrain (0xCF31AC)
                CHeli (0xCE712C)
            CPed (0xCF4864)
                CPlayerPed (0xD005B4)
                CDummyPed (0xD267F4)
            CObject (0xCF41BC)
                CCutsceneObject (0xD493EC)
                CDummyObject (0xD20C9C)
    CTask (0xCFABDC)
    CTaskSimple (0xCFAC24)
    CTaskComplex (0xCFAC7C)
    CPedIntelligence (0xCFDB9C)
UZI-I, posted December 7, 2008:

Addresses from IDA.

Pool documentation: http://public.yoa2n.fr/gtaiv/Pools.txt
Class documentation: http://public.yoa2n.fr/gtaiv/Documentation.txt

And not sure about that:

    // - Returned value is in the EAX register
    mov ecx, PoolStart
    GetEntityFromID ( int iIndex ) -> 0x40A1F0

EDIT:

    // - Affects all cars (parked and in circulation)
    SetCarDensityMultiplier ( int iMultiplier ) -> 0x00B63830
    // - Affects only circulation
    SetRandomCarDensityMultiplier ( int iMultiplier ) -> 0x00B63850
    // - Affects only parked cars
    SetParkedCarDensityMultiplier ( int iMultiplier ) -> 0x00B63860

    0x00E5F75C -> g_dwCarDensityMultiplier
    0x00E5F764 -> g_dwParkedCarDensityMultiplier

Thanks to Opium.

Edited December 7, 2008 by UZI-I
Seemann, posted December 7, 2008:

Those of you who are using IDA may find this useful: http://public.sannybuilder.com/GTA4/native.idc

It is an IDA script that gives a name to every native command handler (there are about 2800 of them). So, for example, this code

    .text:00B5A19E push offset sub_B5A120 ; handler
    .text:00B5A1A3 push offset aHas_script_loa ; "HAS_SCRIPT_LOADED"
    .text:00B5A1A8 call registerNativeScriptCommand ; Call Procedure

becomes

    .text:00B5A19E push offset n_HAS_SCRIPT_LOADED ; handler
    .text:00B5A1A3 push offset aHas_script_loa ; "HAS_SCRIPT_LOADED"
    .text:00B5A1A8 call registerNativeScriptCommand ; Call Procedure

and 00B5A120 accordingly is changed to the procedure n_HAS_SCRIPT_LOADED. Run the script via the File > IDC file... menu.
Rafioso, posted December 7, 2008:

Hi, which tool did you use to find the opcodes?
listener, posted December 7, 2008:

Unfinished class hierarchy: http://public.sannybuilder.com/GTA4/gta4_pc_classes.txt

Parsed .ide/.ipl contents:

    template<class T> class CDataStore {
    public:
        int nSize;       // +0, total size of store, in objects
        int nAllocated;  // +4, number of allocated objects in store
        T * pData;       // +8, the objects themselves
    };

    0xE4AE4C - CDataStore<CBaseModelInfo> g_baseModelStore;
    0xE4AE58 - CDataStore<CInstanceModelInfo> g_instanceModelStore;
    0xE4AE64 - CDataStore<CTimeModelInfo> g_timeModelStore;
    0xE4AE70 - CDataStore<CWeaponModelInfo> g_weaponModelStore;
    0xE4AE7C - CDataStore<CVehicleModelInfo> g_vehicleModelStore;
    0xE4AE88 - CDataStore<CPedModelInfo> g_pedModelStore;
    0xE4AE94 - CDataStore<CMloModelInfo> g_mloModelStore;
    0xE4AEA0 - unknown store
    0xE4AEAC - unknown store
    0xE4AEB8 - unknown store
    0xE4AEC4 - unknown store
    0xE4AED0 - unknown store
    0xE4AEDC - CDataStore<CParticleAttr> g_particleAttrStore;
    0xE4AEE8 - CDataStore<CExplosionAttr> g_explosionAttrStore;
    0xE4AEF4 - CDataStore<CProcObjAttr> g_procObjAttrStore;
    0xE4AF00 - CDataStore<CLadderInfo> g_ladderInfoStore;
    0xE4AF0C - CDataStore<CSpawnPoint> g_spawnPointStore;
    0xE4AF18 - CDataStore<CLightShaftAttr> g_lightShaftAttrStore;
    0xE4AF24 - CDataStore<CScrollBar> g_scrollBarStore;
    0xE4AF30 - CDataStore<CSwayableAttr> g_swayableAttrStore;
    0xE4AF3C - CDataStore<CBouyancyAttr> g_bouyancyAttrStore;
    0xE4AF48 - CDataStore<CAudioAttr> g_audioAttrStore;
    0xE4AF54 - CDataStore<CWorldPointAttr> g_worldPointAttrStore;
    0xE4AF60 - CDataStore<CWalkDontWalkAttr> g_walkDontWalkAttrStore;
    0xFAA7F8 - CDataStore<CEscalatorAttr> g_escalatorAttrStore;
    0xFAA804 - CDataStore<CLightAttrStore> g_lightAttrStore;

UZI-I: the first field (4 bytes) of all classes with virtual methods is a pointer to the virtual method table.

Edited December 7, 2008 by listener
UZI-I, posted December 7, 2008:

Hum. So I edited my doc. Is it supposed to be like that: http://public.yoa2n.fr/gtaiv/Documentation.txt ?
listener, posted December 7, 2008:

UZI-I: Uhhh... No. If you define an inherited class/struct/union, all fields from the parent class will be added automatically (no need to define them again). The first field of the inherited class follows the last field of the parent class. Also, if you define at least one virtual method, a VMT pointer will be added by the compiler. And look at the inheritance diagram (search for CVirtualBase):

    class CVirtualBase;
    class CEntity : public CVirtualBase;
    class CDynamicEntity : public CEntity;
    class CPhysical : public CDynamicEntity;
    class CVehicle : public CPhysical;
    class CAutomobile : public CVehicle;
    ... and so on
UZI-I, posted December 7, 2008:

I know classes inherit from others in GTA. But I don't understand what this pointer to the vTable is...
listener, posted December 7, 2008:

Good description of class internals (structure, inheritance, multiple inheritance, RTTI, etc.): http://www.openrce.org/articles/full_view/23
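The layout rules listener states above (hidden vtable pointer as the first field, derived fields laid out after the parent's fields, and every object of one class sharing the same vtable, which is why Peter's list can identify a class by its vtable address) can be checked on any C++ compiler. The block below is an added example, not code from the thread or the game; it borrows the class names CVirtualBase, CEntity and CPhysical from listener's diagram, and the fields, `field_offset` and `read_vptr` helpers are constructed for the example. It reads the object representation directly, which is compiler-specific rather than portable C++, and that is the point: the layout the disassembly shows is whatever the compiler emitted.

```cpp
// Added example, not from the thread: confirms vptr-first layout and
// field ordering under inheritance, then uses the vptr as a class tag.
#include <cstddef>
#include <cstdint>
#include <cstring>

class CVirtualBase {
public:
    virtual ~CVirtualBase() {}
    virtual const char *name() const { return "CVirtualBase"; }
};

class CEntity : public CVirtualBase {
public:
    float x = 0, y = 0, z = 0;           // constructed fields
    const char *name() const override { return "CEntity"; }
};

class CPhysical : public CEntity {
public:
    float health = 200.0f;               // constructed field, must follow CEntity's
    const char *name() const override { return "CPhysical"; }
};

// Byte offset of a field from the start of its object, computed from
// addresses (offsetof() is not guaranteed for classes with virtual functions).
template <class Obj, class Field>
size_t field_offset(const Obj &obj, const Field &field) {
    return static_cast<size_t>(reinterpret_cast<const char *>(&field) -
                               reinterpret_cast<const char *>(&obj));
}

// Read the hidden first pointer-sized field: the vtable pointer on the
// Itanium and MSVC ABIs. memcpy avoids aliasing the object as a pointer.
uintptr_t read_vptr(const CVirtualBase &obj) {
    uintptr_t v;
    std::memcpy(&v, &obj, sizeof v);
    return v;
}

// First data member of CEntity sits right after the vptr.
size_t entity_x_offset() {
    CEntity e;
    return field_offset(e, e.x);
}

// CPhysical's own field is placed after all of CEntity's fields.
size_t physical_health_offset() {
    CPhysical p;
    return field_offset(p, p.health);
}

// Two objects of the same class carry the same vtable pointer ...
bool same_class_shares_vtable() {
    CPhysical a, b;
    return read_vptr(a) == read_vptr(b);
}

// ... and objects of different classes do not, so the value tags the class.
bool different_class_differs() {
    CEntity e;
    CPhysical p;
    return read_vptr(e) != read_vptr(p);
}
```

On a 32-bit build the vptr is 4 bytes, matching the "first field (4 bytes)" listener mentions; on a 64-bit build it is 8. `physical_health_offset()` is at least `entity_x_offset() + 3 * sizeof(float)`, and exactly that on the Itanium ABI (GCC/Clang), which may place a derived field in the base's tail padding; MSVC rounds the base up first.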
Alexander Blade, posted December 11, 2008:

    0x7FBF30 _cdecl SetMaxWantedLevel(int WantedLevel); // Wanted level [0..6]

    dword 0xE57700 - max wanted level
    dword 0xE57704 - (?) police activity

Edited December 11, 2008 by Alexander Blade
wildmotzi, posted December 15, 2008:

    10948FC - current wanted level
    F77BDC - money

Changing these doesn't do anything ingame. The health address in the start post isn't working anymore with the patch.

    FB4D00 - Health float
    4B3F944 - Health float
    59004EC - Health float ??

Edited December 15, 2008 by wildmotzi
saracoglu, posted December 15, 2008:

Blued out pieces of this post, as they are no longer relevant.

Anyone successful with fixing/editing any of the memory values?

FB4D00 - float: health is most probably stats related. Before the patch, this stat was at 12777C0. The memory footprint around the address is not populated enough for a ped object.

There are two more dynamic locations holding the same value as FB4D00: 5DF33C4 and 6BB9AEC (dynamic, still need to resolve offsets to object start). Values around both locations are fairly similar. Also similar to those of GTA SA. One of them seems to be the shadow copy of the other (of the player ped). There should also be a mirror ped for the values, or at least a mirrored copy of values that would probably be edited by trainers.

Changing the health value in all three locations at once does change the health. However, I think the mirror copy also has to be found and changed to the appropriate value. Example: with a health of 180, changing all three to 200 results in a red bar (mirror?) of 20, so that the health changes to full, but a pending deduction of 20 remains. The next time the player gets injured, this pending 20 also gets executed. The bad news is, the several copies got out of sync, so the deduction gets executed in a loop until the player dies.

CPlayer is a CPed class. The health should also apply to the other peds within the game. The ped object should be fairly the same as our player. We might corner one of the peds (not lose them from sight, to prevent them being respawned/recycled), aim at them, and use the player targeting entity -> targeting ped -> ped object to check if the same shadow copy exists for them as well, or if we can edit their health / armor without the game interfering and setting them back.

The memory around 5DF33C4 and 6BB9AEC consists of several location values, changing as the player moves around. There are several of these blocks, also including vector information for the direction each piece of the ped is looking at. The CPed of GTA SA was very similar to its CVehicle object. I hope that this is also the case for GTA4, so we can decode car offsets by looking at the ped memory. Until then, I'll try further to document the offsets around the CPed object.

cheers

Edit: 5DF33C4 (still dynamic) seems to be the health of the CPlayer; it stays stable, and the same as the player gets injured. The shadow copy in 6Bnnnnn is a block of 1280 bytes, repeating itself. On each injury not only the health but the whole object gets re-copied/cloned prior to entering the changed value, and the newly created clone becomes the new shadow, making it harder to fix memory values on the fly. Here are some locations of health (probably the whole ped object) that got filled by each punch as the player got beaten by another ped:

    06BBA9EC, 06BBD6EC, 06BBDBEC, 06BBE0EC, 06BBEAEC, 06BC1CEC, 06BC2BEC

As you see, the smallest offset is 1280 bytes, and all the above locations are offset by a multiple of 1280. Also, this time, the ped object also has detachable parts similar to the vehicle object (example: the door of a car is detachable, as the handbag is to a ped).

Edit2: Grayed out all irrelevant comments. With Rick's xlive.dll, it is now possible to edit xlive-buffered values. I have been able to beam the player around the map, on foot or in a car. Will post offsets soon.

cheers,

Edited December 19, 2008 by saracoglu
saracoglu, posted December 18, 2008:

Good news. At least stat information can be fixed/edited.

Current game time:

    Hours:   0x010AC530
    Minutes: 0x010AC52C

Values are bytes; changing them also changes day/night within the game. Missions like 'Pick me up in one hour' or 'deliver by 19:00' can be tricked by editing these values.

cheers,
~Rick, posted December 18, 2008:

Can a new stickied thread be made for GTA IV 1.0.1.0 (patch #1)?
UZI-I, posted December 18, 2008:

Based on version 1.01 (first patch).

Functions:

    0x00615790 -> void __cdecl RegisterNative ( char* szNativeName, void* pNativeFunction );
    0x007F5920 -> void __cdecl RegisterAllNative ( void );
    0x00A03CA0 -> void __cdecl RegisterPadsNative ( void );
    0x00A00DF0 -> void __cdecl RegisterCharsNative ( void );
    0x009F0190 -> void __cdecl RegisterPlayersNative ( void );
    0x009EBC70 -> void __cdecl RegisterTasksNative ( void );
    0x009DEA90 -> void __cdecl RegisterCarsNative ( void );
    0x009D43E0 -> void __cdecl RegisterObjectsNative ( void );
    0x009D5010 -> void __cdecl SetCarDensityMultiplier ( int iMultiplier ); // - Affects all cars
    0x009D5030 -> void __cdecl SetRandomCarDensityMultiplier ( int iMultiplier ); // - Affects only the circulation
    0x009D5040 -> void __cdecl SetParkedCarDensityMultiplier ( int iMultiplier ); // - Affects only the parked cars
    0x00943090 -> void __cdecl SetPedDensityMultiplier ( int iMultiplier );
    0x0082CE30 -> DWORD* __cdecl GetPlayerFromID ( int iPlayerID );
    0x00496EE0 -> DWORD* __cdecl GetEntityFromIndex ( int iPlayerID );
    0x009EDFE0 -> int __cdecl GetPlayerIndex ( void );
    0x009EE3B0 -> int __cdecl GivePlayerHelmet ( int iPlayerID );
    0x00494AF0 -> int __cdecl AllocateCharPool ( void );

Variables:

    0x00E989F0 -> (DWORD) g_dwCarDensityMultiplier
    0x00E989F8 -> (DWORD) g_dwParkedCarDensityMultiplier
    0x00E95ECC -> (DWORD) g_dwPedDensityMultiplier
    0x011E1540 -> (DWORD) g_dwVehiclePoolStart
    0x016EB9A0 -> (DWORD) g_dwCharPoolStart
    0x01064808 -> (DWORD) Pointer to the first player. The pointer to the second player is at 0x01064808 + 0x4

Structures:

    CVector
    + 0x30 -> (FLOAT) Position X
    + 0x34 -> (FLOAT) Position Y
    + 0x38 -> (FLOAT) Position Z

    CEntity
    + 0x2E -> (WORD) Model ID
    + 0x20 -> (CVector*) Position
    + 0x24 -> (DWORD) IsVisible
    + 0xFC -> (FLOAT) Health

    CVehicle : CEntity
    + 0xE1C -> (DWORD) HasHydraulics
    + 0xFA0 -> (CChar*) Driver
    + 0xFE4 -> (BYTE) Color 1
    + 0xFE5 -> (BYTE) Color 2
    + 0x1118 -> (DWORD) Dirt Level
    + 0x14C4 -> (BYTE) CanBeResprayed

    CPlayer
    + 0x538 -> (BYTE) Fire Proof
    + 0x53F -> (BYTE) Free Health Care
    + 0x578 -> (CChar*) Char
    + 0x564 -> (DWORD) Team

    CChar : CEntity
    + 0x380 -> (CEntity*) Targeted Entity

From my doc @ http://public.yoa2n.fr/gtaiv/

    // ADDR_PLAYERPOINTER is the "pointer to the first player" address listed above (0x01064808)
    DWORD dwPlayerPointer = * ( DWORD* )ADDR_PLAYERPOINTER;
    if ( dwPlayerPointer )
    {
        // CPlayer + 0x578 -> CChar*
        DWORD dwPlayerCharPointer = * ( DWORD* )( dwPlayerPointer + 0x578 );
        if ( dwPlayerCharPointer )
        {
            // CEntity + 0x20 -> CVector*
            DWORD dwCoordPointer = * ( DWORD* )( dwPlayerCharPointer + 0x20 );
            if ( dwCoordPointer )
            {
                float fX = * ( float* )( dwCoordPointer + 0x30 );
                float fY = * ( float* )( dwCoordPointer + 0x34 );
                float fZ = * ( float* )( dwCoordPointer + 0x38 );
                // - g_pLogFile->Write ( "Position : %f, %f, %f\n", fX, fY, fZ );
            }
        }
    }

Haven't tested everything, but using the function GivePlayerHelmet() is funny.

Edited December 18, 2008 by UZI-I
~Rick, posted December 18, 2008:

> Based on version 1.01 (first patch).
>
>     CPlayer
>     + 0x538 -> (BYTE) Fire Proof
>     + 0x53F -> (BYTE) Free Health Care
>     + 0x578 -> (CChar*) Char
>     + 0x564 -> (DWORD) Team

For CPlayer:

    CPlayer
    + 0x590 -> (XLiveProtectedBuffer *) Current Money (4 byte sized protected buffer)
    + 0x594 -> (XLiveProtectedBuffer *) Current Money (4 byte sized protected buffer, again for some reason)

Unconfirmed, but it appears that player health is available at CPlayer->Char->+0xE8C (a XLiveProtectedBuffer *).

Edited December 18, 2008 by ~Rick
gamerzworld, posted December 18, 2008:

> Based on version 1.01 (first patch).
>
>     CPlayer
>     + 0x538 -> (BYTE) Fire Proof
>     + 0x53F -> (BYTE) Free Health Care
>     + 0x578 -> (CChar*) Char
>     + 0x564 -> (DWORD) Team
>
> For CPlayer:
>
>     CPlayer
>     + 0x590 -> (XLiveProtectedBuffer *) Current Money (4 byte sized protected buffer)
>     + 0x594 -> (XLiveProtectedBuffer *) Current Money (4 byte sized protected buffer, again for some reason)
>
> Unconfirmed, but it appears that player health is available at CPlayer->Char->+0xE8C (a XLiveProtectedBuffer *).

The money protection might be due to Social Club tracking those stats.
~Rick, posted December 18, 2008:

> The money protection might be due to Social Club tracking those stats.

No, XLiveProtectedBuffer are buffers allocated by GTAIV with the XLive protected buffers API; see http://blog.gib.me/2008/12/16/hacking-gran...uto-iv-part-ii/ for more details.
saracoglu, posted December 18, 2008:

> > The money protection might be due to Social Club tracking those stats.
>
> No, XLiveProtectedBuffer are buffers allocated by GTAIV with the XLive protected buffers API; see http://blog.gib.me/2008/12/16/hacking-gran...uto-iv-part-ii/ for more details.

Thank you very much Rick. Now that it is possible to edit some protected bits & bytes and see the changes in the game, I can go memory fishing. I will try to document as many vehicle and player offsets as possible before starting to code the GTA4Center.

cheers
~Rick, posted December 18, 2008:

Based on version 1.01 (first patch).

From discussion in #iv-modding, some information posted about CPlayer/CChar is incorrect.

    CPlayer
    + 0x578 -> (CPlayerPed *) playerPed

    CPhysical : CDynamicEntity
    + 0x1F0 -> (FLOAT) Health
    + 0x210 -> (FLOAT) related to health changes?
    + 0x214 -> (FLOAT) related to health changes? old health?

    CPed : CPhysical

    CPlayerPed : CPed
    + 0x1F0 -> (FLOAT) (inherited, just mentioning as it is unused, always 200.0 in CPlayerPed)
    + 0xE8C -> (XLiveProtectedBuffer *) Health, float
Sacky, posted December 19, 2008:

Disable xlive memory hashing:

    xlive.dll + 0xCB8DA  NOP 6 bytes

This allows the game to run, but no xlive functions will work, and some may cause the game to stop working. Whether or not it loads your profile is pot luck.

    0xFA6D70 : (int) language
        0: English
        1: French
        2: German
        3: Italian
        4: Spanish

Edited December 19, 2008 by Sacky