Manipulating memory

[james227uk]

I've done basic scripts for a long time (1-2 years?). Cool, now I want to do something more challenging. I noticed memory opcodes, and found an address for weapons set one to see if I get using them right. This is what I made

 

 

{$CLEO .cs}thread 'FUNC':1wait 0if   Player.Defined($PLAYER_CHAR)jf @1if   00E1: 0 11jf @10A8C: write_memory 0x969130 size 4 value 1 virtual_protect 0wait 1000jump @1

 

 

However, nothing happened. Can someone write me a sample script on using a mem address please?

[Horny Quintus]

This is something I have just started getting to grips with as well.

 

According to the GTA modding page, the memory address for that weapon cheat code is one byte. So instead of size 4, you need size 1:

 

 

0A8C: write_memory 0x969130 size 1 value 1 virtual_protect 0

 

 

The size is size in bytes. For future reference, float and dword are 4 bytes.

[james227uk]

Thanks for the help. Size 1 was my original number and that didnt work either

[james227uk]

Well, 24 hours. Thanks for all your help guys, really, your help has meant alot [/sarcasm]

[Horny Quintus]

Unfortunately I am running v1.01 so the memory addresses listed for v1.0 do not work for me and I was unable to run your script and see how it worked out for me. I had a look at finding the v1.01 addresses for cheat codes but was unable to.

 

[james227uk]

Unfortunately I am running v1.01 so the memory addresses listed for v1.0 do not work for me and I was unable to run your script and see how it worked out for me. I had a look at finding the v1.01 addresses for cheat codes but was unable to.

I've got 1.01 but as long as you have a V1 EXE it doesnt matter

[Seemann]

No need for sarcasm. Memory manipulating is not an easy area of modding where everyone could give you advices, so be patient. About your problem, you're doing almost everything right (except wrong size, there actually must be 1 instead of 4, because you were set a cheat flag, which is one byte in length). But sadly you misunderstood the whole thing: not an every cheat could be activated by setting its flag to 1. Yes, some of them could work so if you set a flag to 1, the game begins to think the cheat was typed so it does something new. But for some cheats the game should perform specific actions before. For example, for the weapon cheat the game must load proper models, give weapons to player, set its ammo and so on. Only then the flag is set to 1, indicating that the cheat was there (actually it does not really matter for these kind of cheats is the flag set or not, they are executed once and that's it - like cheat that clear your wanted level, the game clears it and does nothing with the flag).

 

So, for the cheats to work, you should not set the flags, but should call proper functions from the exe file, which makes actual changes in game. Addresses of these functions are located at 0x008A5B58 and further.

[james227uk]

Thanks Seemann,

 

So I need the call_function opcode and a function memory address?

[OrionSR]

Hm... I guess it's just as well that I didn't read Seemann's notes earlier. I was poking around with the write memory codes and found some interesting results. Only some of the flags will work. I found some cheats I didn't know existed, but that's not saying much since I seldom use cheats. I found Recruit Anyone and they get an AK-47. I also found Cars Drive on Water flags, but two flags need to be set to get it to work (oh, it looks like there is a PS2 version of this cheat). Anyway, here's a set of flags that had an apparent effect. Occasionally I went with the flag definition that was triggered in SACC and didn't investigate much further.

 

 

//0A8C: write_memory 0x96913B size 1 value 1 virtual_protect 0 // Speed up Clock
//0A8C: write_memory 0x96913E size 1 value 1 virtual_protect 0 // Peds Rioting
//0A8C: write_memory 0x96913F size 1 value 1 virtual_protect 0 // Everyone Attacks CJ
//0A8C: write_memory 0x969140 size 1 value 1 virtual_protect 0 // Peds have Weapons
//0A8C: write_memory 0x96914B size 1 value 1 virtual_protect 0 // Invisible Cars
//0A8C: write_memory 0x96914C size 1 value 1 virtual_protect 0 // Perfect Handling
//0A8C: write_memory 0x96914E size 1 value 1 virtual_protect 0 // All green lights
//0A8C: write_memory 0x96914F size 1 value 1 virtual_protect 0 // Aggressive Drivers
//0A8C: write_memory 0x969150 size 1 value 1 virtual_protect 0 // Pink Traffic
//0A8C: write_memory 0x969151 size 1 value 1 virtual_protect 0 // Black Traffic 
//0A8C: write_memory 0x969152 size 1 value 1 virtual_protect 0 // Cars Drive On Water
//0A8C: write_memory 0x969153 size 1 value 1 virtual_protect 0 // Boats Can Fly
//0A8C: write_memory 0x969154 size 1 value 1 virtual_protect 0 // unknown (was Cars Drive On Water part 2)
//0A8C: write_memory 0x969159 size 1 value 1 virtual_protect 0 // Beach Traffic
//0A8C: write_memory 0x96915B size 1 value 1 virtual_protect 0 // No Traffic 
//0A8C: write_memory 0x96915C size 1 value 1 virtual_protect 0 // Motorcycle Traffic (Ninja?)
//0A8C: write_memory 0x96915E size 1 value 1 virtual_protect 0 // Crappy Car Traffic
//0A8C: write_memory 0x96915F size 1 value 1 virtual_protect 0 // Fast Car Traffic
//0A8C: write_memory 0x969160 size 1 value 1 virtual_protect 0 // Cars Can Fly 
//0A8C: write_memory 0x969161 size 1 value 1 virtual_protect 0 // Huge Bunnyhop 
//0A8C: write_memory 0x969164 size 1 value 1 virtual_protect 0 // Tank Mode
//0A8C: write_memory 0x969165 size 1 value 1 virtual_protect 0 // Cars Have Nitro
//0A8C: write_memory 0x969166 size 1 value 1 virtual_protect 0 // Bubble Cars
//0A8C: write_memory 0x969167 size 1 value 1 virtual_protect 0 // Stop Game Clock
//0A8C: write_memory 0x969168 size 1 value 1 virtual_protect 0 // Stop Game Clock
//0A8C: write_memory 0x96916C size 1 value 1 virtual_protect 0 // Mega Jump
//0A8C: write_memory 0x96916D size 1 value 1 virtual_protect 0 // Infinite Health
//0A8C: write_memory 0x96916E size 1 value 1 virtual_protect 0 // Infinite Oxygen
//0A8C: write_memory 0x969171 size 1 value 1 virtual_protect 0 // Never Wanted
//0A8C: write_memory 0x969173 size 1 value 1 virtual_protect 0 // Mega Punch
//0A8C: write_memory 0x969174 size 1 value 1 virtual_protect 0 // Never Hungry
//0A8C: write_memory 0x969175 size 1 value 1 virtual_protect 0 // Riot Mode
//0A8C: write_memory 0x969176 size 1 value 1 virtual_protect 0 // Funhouse Traffic
//0A8C: write_memory 0x969178 size 1 value 1 virtual_protect 0 // Infinite Ammo
//0A8C: write_memory 0x969179 size 1 value 1 virtual_protect 0 // Full Aim Driving
//0A8C: write_memory 0x96917A size 1 value 1 virtual_protect 0 // Decreased Traffic
//0A8C: write_memory 0x96917B size 1 value 1 virtual_protect 0 // Farm Traffic 
//0A8C: write_memory 0x96917C size 1 value 1 virtual_protect 0 // Recruit Anyone w/Pistol
//0A8C: write_memory 0x96917D size 1 value 1 virtual_protect 0 // Recruit Anyone w/AK-47
//0A8C: write_memory 0x96917E size 1 value 1 virtual_protect 0 // Recruit Anyone w/Rockets
//0A8C: write_memory 0x96917F size 1 value 1 virtual_protect 0 // Max Respect 
//0A8C: write_memory 0x969180 size 1 value 1 virtual_protect 0 // Max Sex Appeal 

 

 

 

I find it very helpful to use Tsearch to make memory dumps so I can examine the data I intend to edit with memory writes. Perhaps that's because I got started with save editing and I'm mostly trying to recreate those types of modifications. I've got some examples but most of them are subroutines and I'm not sure they'll make any sense out of context.

Edited August 3, 2019 by OrionSR
Code Tags

[james227uk]

Thanks Orion. So would value 0 for a cheat turn it off?

 

EDIT: Thanks again Orion. You've proved my theory. Cars drive on water is apparently not in the PC version, yet I tried the mem address and it worked perfect.

Edited October 29, 2009 by james227uk

[Deji]

Yeah, hardly anyone knows much about memory here. Since your getting started there are a few of those basic things you should know (if you don't already know them)...

 

 

Hex Numbers

 

GTA stores memory as hex. In fact, the whole .scm file is originally written in hex. Notice how opcodes are often typed: 03F9.

 

Now memory is read and written in hex, although Sanny does indeed support converting to decimal, it's handy to know the basic hex numbering system. Basically, it's just like the normal numbers except with 6 extra 1-digit numbers which are defined as letters...

 

Hex

0 1 2 3 4 5 6 7 8 9 A B C D E F

 

(Remember that in Sanny, hex numbers are usually identified by having 0x in front of them. Example: 0x2A)

 

Decimal

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

 

F is the hex number for 15, but just imagine it as the new limit for your count to 2-digit numbers. Usually it ends at 9, but now we go to a whole new number, F.

 

F is 15, so what is 16?

 

10!

 

Hex numbers go up to F before adding or changing a digit to the start of a number and resetting the last number back to 0. Just like counting to 10 in decimal.

 

10 = 16

11 = 17

12 = 18

13 = 19

14 = 20

15 = 21

16 = 22

17 = 23

18 = 24

19 = 25

1A = 26

1B = 27

1C = 28

1D = 29

1E = 30

1F = 31

20 = 32

[...]

AA = 170

FF = 255

100 = 256

 

Just some examples of hex numbers and what they equal in decimal.

 

 

But note that you can also spell letters in hex, which only works for some techniques for San Andreas (ones that use this lettering system)... Let's play a game!

 

A = 41

Z = 5A

 

Remembering that these hex numbers are just going up by 1 hex number per letter (so B is 42 and Y is 59) try and figure out the rest of the alphabet... Then decode the message below:

 

4D 59 20 53 45 43 52 45 54 20 4D 45 53 53 41 47 45

 

Answer:

MY SECRET MESSAGE

 

 

Ever notice how the keycodes for 0AB0 are simply the same as the letters? So keypress "A" is simply letter "A".

 

 

Lowercase letters are different:

 

61 = a

7a = z

 

 

Although often aren't used in San Andreas. Keypresses are always uppercase.

 

 

By the way, you can also spell words in decimal. Simply the same operation of converting letters to numbers.

 

 

Memory/Function

 

Memory addresses and function addresses are different things... Although commonly classed under the same thing.

 

 

Memory addresses are usually for settings and generally stuff to remember. Variables are also stored in these addresses.

 

 

0A8D: $result = read_memory [email protected] size 4 virtual_protect 00A8C: write_memory 0xC0BC15 size 1 value 1 virtual_protect 0

 

 

Addresses are different sizes and some are "read only". If you ever find an address that cant be written or read, try changing the size or switching the virtual protect flag on.

 

I'm not too sure about this, but I believe these are the sizes of different things:

 

Boolean (1 or 0 / true or false): 1

Number (Float/Integer): 4

Short string: 8

Long string: 16

 

I believe I missed out 2 as I'm not too sure whether there is a specific type assigned with it. I just remember using 2 for making cheat codes.

 

 

 

That's all I can be bothered to type at the moment, but if you have a question... Feel free to ask.

 

Hopefully someone can help me with some sort of address to completely freeze the game... Like when you press Esc...

Edited October 29, 2009 by Deji

[OrionSR]

 

Thanks Orion. So would value 0 for a cheat turn it off?

I didn't test setting a value of 0 very often, but in the few cases where I did try it worked to disable the effects of setting a value of 1. I suspect that due to the nature of these flags this should always be the case, but didn't test the idea so I can't know for sure.

 

I suspect that more experimentation with the addresses in the range 0x969130 to 0x969189 not included in my previous post might result in additional cheat type effects. 0x96915A or 0x96915D seems to alter the ped group information enough to have reduced peds and traffic, but I couldn't isolate the effects. It was similar to setting gangs in a zone where they don't below without altering the mysterious ped group (0874:) information or 0767: popcycle. (Hm... didn't 076A: ped wealth ever get updated to dealer density?) Anyway, frequently the effects are a bit subtle so I would not be surprised if more interesting information could be discovered.

 

james227uk, do you have enough examples of memory writes to get started, or do you need more sample code?

Edited October 29, 2009 by OrionSR

[james227uk]

Enough to get started, thanks.

 

EDIT: Saw Deji's post. WOW. Still having a good read through. Thanks

Edited October 29, 2009 by james227uk

[spaceeinstein]

[james227uk]

lol, when I tried it I used the same car