Documenting GTAIV memory addresses

[man2104]

for the native command handler posted by Seemann

It is incompatible with 1.0.1 exe

 

new addresses should be used for 1.0.1:

 

f_null = 0x00859B90;

f_reg = 0x00615790;

f_hash = 0x00616E10;

[stefanACM]

Can anybody HACK max ping in LAN NETWORK !!!

Go away pirate.

I am not pirat

I need it for play over LAN with my friend because signal is low and ping is 30-40

[BWARazor]

Deleted

Edited December 31, 2008 by BWARazor

[Sacky]

Objects:

 

0x8D8290 : int __cdecl allocateObject()

 

0x9C4700 : int __cdecl setObjectOnFire(int objectID)

0x9C479B : int __stdcall isValidObject(int objectID) (With objectPool in ECX)

0x9C47B0 : int __cdecl isObjectOnFire(int objectID)

0x9C5410 : int __cdecl hasObjectBeenDamagedByWeapon(int objectID, int weaponID)

0x96A3C0 : int __stdcall extinguishObjectFire(int objectID) (With objectFirePool in ECX)

0x9D2D80 : int __cdecl createObject(int modelID, float x, float y, float z, int* handle, int flags)

 

0x11E73E8 : objectPool

0x12825C0 : objectFirePool (256 elements)

 

+0x1E4 : (byte) Last Weapon Damage

Edited January 1, 2009 by Sacky

[Sacky]

Native Injector:

 

http://pastebin.com/m64adee56

 

For use like this:

 

NATIVE n_ABSF = { "ABSF", 1 };

NATIVE n_CREATE_OBJECT = { "CREATE_OBJECT", 6 };

DWORD objectHandle;

 

scripting->injectNative(&n_CREATE_OBJECT,0x6F0783F5,12.0f,12.0f,12.0f,&objectHandle,1);

scripting->injectNative(&n_ABSF,54.367f);

 

Still very experimental... so it's highly likely the limited testing I've done with it hasn't ironed out all the bugs

[Mechan]

Hi

I'm beginner in game memory editing, and I tried to call createObject from C# code: http://pastebin.com/f44842901 but I'm getting AccessViolationException: "Attempted to read or write protected memory. This is often an indication that other memory is corrupt." at line 77.

It's impossible to edit memory just like that or I'm doing it wrong? Maybe I have to inject dll or something like that?

 

With simple memory reading (Rick posted code couple posts above) it works fine.

I've got Rick's XLive Wrapper.

[Sacky]

Mechan, I think your offset might be wrong. Since 0x9D2D80 is assuming a 0x400000 base, try the offset 0x5D2D80. I'd also like to point out calling createObject will fail unless you do REQUEST_MODEL first.

[man2104]

How can you call the function in your own process, but not in GTA IV process?

[Oleg]

--------- request from ZModeler developer ----------

Hi! I'm digging in *.wft files and need some assist to classify entries. There are VMT pointers stored in files and they seem to be the same in *.wft files. I'm not sure whether GTA dynamically writes proper addresses there when loading file, I suspect these addresses are already properly set and binded to some library or .exe file explicitly. I'll list these VMT pointers below and need someone to specify class-names or something that will make a sence what should I search for in associated class data.

 

Example:

0x006B223C, tMaterial, size 0x60

0x006B48F4, tPolyMesh, size 0x50

0x006B0234, tGeometryObject, size 0x1C

 

Unknown:

0x006A35F4, tUnkBlock14, variable size

0x0069A5BC, tUnkBlock15, size 0xC0

0x006A4678, tUnkStub, size 0x1C

 

********** tUnkBlock16Base, base class;

0x0069BBEC tUnkBlock16V0 : tUnkBlock16Base

0x0069D56C tUnkBlock16V0A : tUnkBlock16Base

0x0069D7F4 tUnkBlock16V0B : tUnkBlock16Base

0x0069BBEC tUnkBlock16V1 : tUnkBlock16V0

0x0069AAF4 tUnkBlock16V2 : tUnkBlock16V0

0x0069B41C tUnkBlock16V3 : tUnkBlock16V2

 

If you find out what these classes stand for, you can send a PM me, or e-mail, or post as guest in this thread of my forum:

 

http://forum.zmodeler2.com/viewtopic.php?t=3553

 

Thank You!

[TripleX87]

Hello guys. I'm not an expierenced Trainer Programmer - but I am willing to be one.

 

But I've got a question. Could you please make a quick tutorial that explains, how you find all these adresses (and Functions) you are all talking about. What Program are you using? What have I got to search for?

 

I hope you can help me because i want to find the first adress on my own (and post them here)

 

(sry for bad englisch)

 

Peace

[Sacky]

GXT Hook:

 

.text:007E5F50 ; char *__stdcall convertGXTToString(char *key)

.data:00FE7568 gxtTable

.text:00458090 ; int __cdecl CRC32Hash(char *text, int textSize)

.text:007E5B00 ; char *__stdcall getGXTTextFromTable(int hash, int)

 

http://pastebin.com/m724466a0

[Seemann]

 

Those of you who are using IDA may find this useful.

http://public.sannybuilder.com/GTA4/native.idc

for 1.0.2.0

 

 

	f_null = 0x00C78DD0;f_reg = 0x00583420;f_hash = 0x00585550;

 

[saracoglu]

some startpoint memory locations for gta iv 1.0.2 patched:

 

(codebase is 0x400000)

 

 

0x1009798 (DWord) Pointer to CPlayer0x0FFCDA0 (Float) XPosition (stats only)0x0FFCDA4 (Float) YPosition (stats only)0x0FFCDA8 (Float) ZPosition (stats only)0x0F70154 (DWord) Current Money (stats only)0x10514C0 (DWord) Current Hours (read/write)0x10514BC (DWord) Current Minutes (read/write)0x10514D4 (DWord) GameDay (read/write)0x10514B8 (DWord) GameMonth (read/write)0x10375B0 (DWord) XLive Buffer Pointer for Float Stats starts here. This is the Game Progress Stat+0x4 (DWord) Next XLive Buffer Pointer, for the next Float Stat and so on. For the float stats enum, see aru's scripthook sdk, scriptenums.h

 

[Sacky]

1.0.2.0

 

SCO Stuff:

 

class CSCO

{

#pragma pack(1)

public:

virtual void method () {};

 

BYTE zPadding1[4];

BYTE* scoBinary;

};

 

struct SCO_POOL

{

#pragma pack(1)

DWORD scriptName; // hash of name

CSCO* scoInst;

};

 

0xF6D0F4 : SCO_POOL*

0xF6D100 : (DWORD) SCO_POOL_COUNT

 

GXT Table:

 

struct GXT_ENTRY

{

#pragma pack(1)

char* entry;

DWORD crc32Hash;

};

 

class GXTClass

{

#pragma pack(1)

public:

virtual void method() {};

 

int numGXTItems;

GXT_ENTRY GXTItems[200]; // I guessed the amount, it's probably thousands

};

 

0xFE0F88 : GXTClass (Statically Allocated)

Edited January 27, 2009 by Sacky

[MrGtaman]

Has anybody found the address for player's FPS? I need it because I get 8-15fps(according to Fraps, the game's benchmark says my avg. fps is 11.**) with EVERYTHING on low and so I can't play MP in the city, the game kicks me saying "you've been disconnected because your computer is running too slowly", airport is actually the only map I can play without getting kicked unless there are too many vehicles around, effects or I get too close to Broker(too many trees and details, I think)... So I thought maybe if we knew that address we could have made some kind of FPS hack for MP

 

There are so many trainers for those idiots who can't play fairly and no really useful things like FPS hack for those who can't afford a better pc

[g4mGunner]

Has anybody found the address for player's FPS? I need it because I get 8-15fps(according to Fraps, the game's benchmark says my avg. fps is 11.**) with EVERYTHING on low and so I can't play MP in the city, the game kicks me saying "you've been disconnected because your computer is running too slowly", airport is actually the only map I can play without getting kicked unless there are too many vehicles around, effects or I get too close to Broker(too many trees and details, I think)... So I thought maybe if we knew that address we could have made some kind of FPS hack for MP

 

There are so many trainers for those idiots who can't play fairly and no really useful things like FPS hack for those who can't afford a better pc

You don't need the address for FPS, you aren't able to edit it, only read it (unless is for a framelimiter). You are looking for a NOP so the game doesn't make you leave MP on low fps.

[MrGtaman]

Has anybody found the address for player's FPS? I need it because I get 8-15fps(according to Fraps, the game's benchmark says my avg. fps is 11.**) with EVERYTHING on low and so I can't play MP in the city, the game kicks me saying "you've been disconnected because your computer is running too slowly", airport is actually the only map I can play without getting kicked unless there are too many vehicles around, effects or I get too close to Broker(too many trees and details, I think)... So I thought maybe if we knew that address we could have made some kind of FPS hack for MP

 

There are so many trainers for those idiots who can't play fairly and no really useful things like FPS hack for those who can't afford a better pc

You don't need the address for FPS, you aren't able to edit it, only read it (unless is for a framelimiter). You are looking for a NOP so the game doesn't make you leave MP on low fps.

Well, I didn't mean to make my performance better Just want to avoid the fps auto-kicking. When my fps is 10 or higher, it's ok but when it drops below 10 I still have a couple of seconds to point the camera down so fps is "fine" again, otherwise the game kicks me... So I'm looking for a way to disable that auto-kicking function.

[stym]

hey, how i find d3d9 and d3d9 device address?

[Sacky]

 

0xF56BC4 : BYTE[32] Encrytion key used in AES (Note it's just a pointer not the actual encryption key)

[iGeo]

Don't suppose anyone knows where the 'Exposure' value is?

[warclaw]

hi there is new on that! what is it and how i open GTA IV .EXE and edit the doc?files? and how i change the traffic light time? to green can it be edit and how many parked cars ??? please give me some info about this XD sounds intresting!

and how i install it ?? and how it work i have lunch the program that i need Ricks games stuff.

 

I dont press OK when i come up SYSTEM copy to win 32 i copy to the GTA IV directory only and lunch the game and afther that it pop up .

 

Need to exract xlive.dll froom windwos/win32 to GTA IV Directory how do there?? and are this safe ?

 

and how i start to copy in codes and change!? thanks for all help!

Edited February 21, 2009 by warclaw

[HazardX]

hi there is new on that! what is it and how i open GTA IV .EXE and edit the doc?files? and how i change the traffic light time? to green can it be edit and how many parked cars ??? please give me some info about this XD sounds intresting!

and how i install it ?? and how it work i have lunch the program that i need Ricks games stuff.

 

I dont press OK when i come up SYSTEM copy to win 32 i copy to the GTA IV directory only and lunch the game and afther that it pop up .

 

Need to exract xlive.dll froom windwos/win32 to GTA IV Directory how do there?? and are this safe ?

 

and how i start to copy in codes and change!? thanks for all help!

meh. If you just want to spam requests do so in the Requests Thread!

If you really want to start looking for memory addresses open GTAIV.exe in IDA Pro. You'll find your way if you have got the basic knowledge to do this. If you don't know what IDA Pro is, what it does or how to use it: Let it be and come back when you've learned Assembler and some basics on Reverse Engineering and really understand it! Do not ask before this requirement is met, because noone will be able to help you.

[iGeo]

I'm very new to finding memory addresses and the likes, but I did manage to find the memory address for the 'Exposure' value I was looking for. I was able to edit it, but then all of a sudden it stopped responding to edits, and I found that the address had changed. How do I overcome this? Someone mentioned something to me about 'Pointers' but I'm not sure how they work, or how I can get a way to always find the right memory value for this value, if it's forever changing.

[Sacky]

OK the 'Exposure' value can be found like this:

 

0x10CAEB8 : (float) Exposure

 

Then add +0x1290 to that Memory Address and you get the next Exposure value. You can keep doing this for all the exposure values in timecyc.dat. I'll publish the structures here soon.

[Hergonan]

I'm very new to finding memory addresses and the likes, but I did manage to find the memory address for the 'Exposure' value I was looking for. I was able to edit it, but then all of a sudden it stopped responding to edits, and I found that the address had changed. How do I overcome this? Someone mentioned something to me about 'Pointers' but I'm not sure how they work, or how I can get a way to always find the right memory value for this value, if it's forever changing.

Pointers...

They have always been a hard topic to me

What I understood is, the game has a header, and the header contains different pointers of settings, models it currently displays, functions, etc.

The header never changes. So you can go from header->settings to point to the container of "settings".

That container's location changes, but its shape doesn't. And it's always pointed from the header.

The place of the location is called the offset.

So, header has an offset for settings, settings has an offset for each setting. As the game goes on, the memory constantly changes, therefore the individual settings can move around too. However, since the structure of settings (usually)don't change, the pointer header->settings->individual always points to the correct offset.

 

I might not be correct, but that's how I understand it.

[Sacky]

typedef cell DWORD;

 

0x15AD8B4 : (cell**) Global Variables Pool

Edited February 27, 2009 by Sacky

[HazardX]

 

typedef cell DWORD;

 

0x15AD8B4 : (cell**) Global Variables Pool

Amazing! That's exactly what i've been looking for! Do you have an idea where to find it for game version 1.0.1.0? I've been searching for known values in the expected memory range but didn't find it.

 

[EDIT] Got it. It's at 0x015B5A88. Was easier to find with IDA, actually.

Edited March 6, 2009 by HazardX

[stym]

for version 1.0.2.0

 

 

0x10AC530 - BYTE - Time Hour0x10AC52C - BYTE - Time Minute

 

Edited March 22, 2009 by stym

[Andrew]

Unpinned topic, topic is included in the forum header.

[jenksta]

....

Edited October 8, 2009 by JeNkStA