OrionSR Posted March 11, 2019

6 hours ago, user1592591 said:
> Please define at least the start address of the SCM block for Android, and explain to me how you do it.

I'm working on it. But I decided to cheat and ask a real expert. We might get an answer soon and can jump straight to testing. I also have a couple of plans to figure it out using data dumps and cleo scripts.

On 3/10/2019 at 9:52 AM, user1592591 said:
> 0DD9: write_mem_addr 0x00510D60 value 800000.0 size 4 add_ib 1 protect 1

Please explain the purpose of this address? What is this command supposed to do?

I would like to offer a shared goal that should answer the question of how to use SCM to write to android memory. On PC I've been testing a teleport to marker script designed to run using only SCM commands. The script is running as expected and should be fairly easy to port to Android once we have the 1.08 offset to the start of SCM. Several years ago I worked on a teleport to marker script for Android using cleo, so I should have that available for reference, but I'm pretty sure this was written for 1.06, 1.07 at the most.

My suggestion is that you start working on a teleport to marker script for main.scm. If you can't find a good Cleo version to adapt then I'll post my old script and we can try to tweak it for 1.08. I'll start working on a teleport script that uses a save editing strategy since it also uses only SCM codes. In the end we should have a working example for writing to memory with SCM and can compare strategies to see which might be easier to share with the most users.
MegaFox Posted March 11, 2019 (edited)

19 minutes ago, OrionSR said:
> I'm working on it. But I decided to cheat and ask a real expert. We may get an answer soon and move straight on to testing. I also have a couple of plans to figure it out using data dumps and scripts. Please explain the purpose of this address? What should this command do? I would like to propose a common goal that should answer the question of how to use SCM to write to Android memory. On PC I was testing a teleport-to-marker script designed to run using only SCM commands. The script works as expected and will be fairly easy to port to Android once we have the 1.08 offset to the start of SCM. Several years ago I worked on a teleport-to-marker script for Android using cleo, so I should have that for reference, but I'm almost certain it was written for 1.06, 1.07 at most. I suggest you start working on a teleport-to-marker script for main.scm. If you can't find a good Cleo version to adapt, I'll post my old script and we can try to tune it for 1.08. I'll start working on a teleport script that uses a save strategy, since it also uses only SCM codes. In the end we should have a working example for writing to memory using SCM, and we can compare strategies to see which of them is easier to share with most users.

I have already said this: this opcode and address allow air transport to fly up infinitely (previously there was a limit of 800.0).

Edited March 11, 2019 by user1592591
OrionSR Posted March 11, 2019

Ah, sorry. I was very tired last night.

Quote:
> 71FFB0 is the start of SCM section in 1.08 version.

This is expert advice. I have yet to test this using scripts, but I'm working towards that goal.

Next test: This is a variation on the script that was working before. I've added my best guess for reading global variable $9765 using CleoA opcodes. This script has not been tested. But I'll try to work out a similar strategy with Cleo and apply it to a teleport to marker script.

    :HMLES
    03A4: name_thread 'HMLES'
    0001: wait 0 ms
    $9765 = 0xCCAAFFEE // unique data to compare
    1@ = 9765 // index of array (each element of the array is 4 bytes in length)
    008B: 0@ = &0(1@,1i) // ADMA strategy
    0012: 1@ *= 4 // index * size of element = bytes from start of SCM
    000A: 1@ += 0x71FFB0 // offset to start of Android SCM 1.08
    0DD8: 2@ = read_mem_addr 1@ size 4 add_ib 1 // CleoA strategy
    00D6: if
    003B: 0@ == 2@ // if both strategies find the same value
    004D: jump_if_false @End
    00BB: show_text_lowpriority GXT 'FESZ_LS' time 2000 flag 1 // Load Successful.
    09F1: play_audio_at_actor $PLAYER_ACTOR event 1137 // SOUND_CHECKPOINT_AMBER
    0001: wait 2000 ms
    :End
    02FD: show_text_2numbers_lowpriority GXT 'BJ_OR2' numbers 0@ 2@ time 5000 flag 1 // ~1~ or ~1~
    004E: end_thread
MegaFox Posted March 11, 2019 (edited)

1 hour ago, OrionSR said:
> Ah, sorry. I was very tired last night. This is expert advice. I have yet to test this using scripts, but I'm working towards that goal. Next test: This is a variation on the script that was working before. I've added my best guess for reading global variable $9765 using CleoA opcodes. This script has not been tested. But I'll try to work out a similar strategy with Cleo and apply it to a teleport to marker script.
>
>     :HMLES
>     03A4: name_thread 'HMLES'
>     0001: wait 0 ms
>     $9765 = 0xCCAAFFEE // unique data to compare
>     1@ = 9765 // index of array (each element of the array is 4 bytes in length)
>     008B: 0@ = &0(1@,1i) // ADMA strategy
>     0012: 1@ *= 4 // index * size of element = bytes from start of SCM
>     000A: 1@ += 0x71FFB0 // offset to start of Android SCM 1.08
>     0DD8: 2@ = read_mem_addr 1@ size 4 add_ib 1 // CleoA strategy
>     00D6: if
>     003B: 0@ == 2@ // if both strategies find the same value
>     004D: jump_if_false @End
>     00BB: show_text_lowpriority GXT 'FESZ_LS' time 2000 flag 1 // Load Successful.
>     09F1: play_audio_at_actor $PLAYER_ACTOR event 1137 // SOUND_CHECKPOINT_AMBER
>     0001: wait 2000 ms
>     :End
>     02FD: show_text_2numbers_lowpriority GXT 'BJ_OR2' numbers 0@ 2@ time 5000 flag 1 // ~1~ or ~1~
>     004E: end_thread

Crash. Why is the 0DD opcode here? This is SCM. If the code is not finished, OK, I'll wait.

Edited March 11, 2019 by user1592591
OrionSR Posted March 12, 2019 (edited)

Current Progress: Android 1.08 // image base A16FA000

    Offset from SCM
      Start of SCM      0
      Start of radar    1D0AD0
    add_ib 0
      start of SCM      A1E19FB0
      start of radar    A1FEAA80
    add_ib 1
      offset to SCM     71FFB0

Image base is unused at this time. The add_ib 0 address for the start of radar was obtained from a working teleport script. The offset from SCM to the start of radar was discovered by searching a memory dump for data from the first marker. The common point of reference for the start of radar yielded the Start of SCM using add_ib 0 addressing.

Added:

    0DD8: 0@ = read_mem_addr 0x510D60 size 4 add_ib 1

reads the same address as

    1@ = 0x510D60 // add_ib 1 address
    1@ -= 0x71FFB0 // offset to SCM
    1@ /= 4 // use as ADMA index
    0089: 0@ = &0(1@,1i)

Edited March 14, 2019 by OrionSR
MegaFox Posted March 12, 2019 (edited)

5 hours ago, OrionSR said:
> Current Progress: Android 1.08 // image base CD781000
>
>     Offset from SCM
>       Start of SCM      0
>       Start of radar    1D0AD0
>     add_ib 0
>       start of SCM      A1E19FB0
>       start of radar    A1FEAA80
>     add_ib 1
>       offset to SCM     71FFB0
>
> Image base is unused at this time. The add_ib 0 address for the start of radar was obtained from a working teleport script. The offset from SCM to the start of radar was discovered by searching a memory dump for data from the first marker. The common point of reference for the start of radar yielded the Start of SCM using add_ib 0 addressing.
>
> Added:
>
>     0DD8: 0@ = read_mem_addr 0x510D60 size 4 add_ib 1
>
> reads the same address as
>
>     1@ = 0x510D60 // add_ib 1 address
>     1@ -= 0x71FFB0 // offset to SCM
>     1@ /= 4 // use as ADMA index
>     0089: 0@ = &0(1@,1i)

It really works! Thanks!

    //-------------External script 20 (HOME_BRAINS)---------------
    :HMLES
    03A4: name_thread 'HMLES'
    0001: wait 0 ms
    1@ = 0x510D60 // add_ib 1 address
    1@ -= 0x71FFB0 // offset to SCM
    1@ /= 4 // use as ADMA index
    0089: 0@ = &0(1@,1i)
    00D6: if
    0038: 0@ == 800.0
    004D: jump_if_false @END
    00BB: show_text_lowpriority GXT 'FESZ_LS' time 2000 flag 1
    :END
    004E: end_thread
    //-------------External script 21 (POOL_SCRIPT)---------------

Edited March 12, 2019 by user1592591
MegaFox Posted March 12, 2019 (edited)

Can I create a new topic with the documented addresses of GTA SA Android? I'll post all these addresses there, plus my 4 addresses for increasing the limits. I don't know how to search for addresses other than by number; I can't find variables, only constants. Where can I learn this? How do I search for addresses other than constants? For now I can only do it through IDA Pro.

Edited March 12, 2019 by user1592591
OrionSR Posted March 12, 2019

A topic for documenting SA Android addresses is a good idea. Version 1.08 has been quite stable for a long time so the information is liable to remain valid for much longer than when I was doing research on earlier versions. If I create the new topic there's a better chance that the moderators won't merge it with the catch-all mobile modding topic where it's impossible to use as reference. Would you be willing to collect and organize the addresses in the second post?

Idea for complete reference: Columns for a Description, String, Pointer, Offset, add_ib 0, add_ib 1, and ADMA
  Description: Start of SCM, Start of Radar struct, etc.
  String: Search string used to find address in any version
  Pointer: Fixed address that points directly to a structure or variable; used often for dynamic memory
  Offset: + or - relative to string, pointer, start of struct
  Addresses discovered using one addressing scheme converted for use with add_ib 0, add_ib 1, and ADMA

My experience with IDA Pro is quite limited. But I think I may have learned enough to adapt the String method mentioned above to find any-version addresses with IDA Pro - maybe. These codes early in my teleport script identify the address I need to find the map marker and Radar struct. It is my understanding that IDA Pro is used to find the string and offsets but I have not applied this strategy to something new.

    // Markuza97's any-version address codes - read once
    0DD0: 0@ = get_label_addr @_ZN6CRadar13ms_RadarTraceE
    0DD1: 0@ = get_func_addr_by_cstr_name 0@ // start of marker structure
    0DD0: 1@ = get_label_addr @gMobileMenu
    0DD1: 1@ = get_func_addr_by_cstr_name 1@ // start of... menu data?
    000A: 1@ += 0x48 // offset to marker index

These codes use these "magic" (because I don't understand) hex codes at the end of the script.

    // Markuza97's magic hex codes
    :gMobileMenu
    hex
        "gMobileMenu" 00
    end
    :_ZN6CRadar13ms_RadarTraceE
    hex
        "_ZN6CRadar13ms_RadarTraceE" 00
    end

To get the add_ib 0 address of the radar struct I replaced 0@ with $9765 and read the value from the save file. So, if we find scripts that use this strategy we have a method for recording the 1.08 address. If we had a better understanding of how this method works we could discover new information using IDA.

My methods are much more crude, and rely heavily on hex editors. For reference, my preferred tools are the HxD Editor, a free tool with good memory management, a nice data inspection tool, and a very handy tool for copying offsets. But my primary editor is 010. The binary template feature provides a method to parse and organize data in the save and display and edit data using defined formats or enumerations. This proprietary tool limits what I can share, but 010 does have a decent trial period.

My expertise is in save editing. Almost everything I know about memory is associated with saved data. I've learned to manipulate game saves to seed unique data into the game to make it easier to find with a hex editor. On PC I can access active game memory. For PS2 I was able to use save states from an emulator to map game memory. On Android I was relying on memory dumps created by other players. If I recall correctly they were using a "Cheat" program, a tool that requires root access. My old phone with this tool has long since died, but I remember functions that would search for data that changed as you performed certain actions or executed cleo scripts. Eventually it could whittle down the changing values to isolate the specific data in memory.

However, I recently developed a new strategy to use game saves to capture game memory on Android. The data begins at the Start of SCM so I'm missing the block that includes your limits. Now that I have a better idea of the addressing scheme I think I can copy that data to the global variable space and splice the missing data together in a series of saves. The extra large save dumps are breaking my template, so I'm having problems confirming the integrity of the data. I deleted the beginning of the game save and now have a file that aligns with the start of SCM. I need to craft a save with unique data but I expect I'll be able to make rapid progress on documenting the addresses of familiar (saved) structures and variables.
OrionSR Posted March 13, 2019

21 hours ago, user1592591 said:
> create a new topic with the documented addresses of GTA SA Android

I didn't want to start a topic for addresses when we didn't have much useful information yet. Instead I created a new spreadsheet and made a quick search for familiar structures. My goal is to find key information within each save block in an effort to map out general areas of memory. It looks like I have a major problem with my memory dump strategy. The easy strategy will only copy data after the start of SCM, and SCM has a fairly late address, so a lot of key information is more difficult to access. I have not verified any of the new addresses or the formulas used to convert between the 3 addressing schemes.

GTASA Android 1.08 Memory Addresses on Google Docs
MegaFox Posted March 13, 2019 (edited)

5 hours ago, OrionSR said:
> I didn't want to start a topic for addresses when we didn't have much useful information yet. Instead I created a new spreadsheet and made a quick search for familiar structures. My goal is to find key information within each save block in order to map out general areas of memory. It looks like I have a serious problem with my memory dump strategy. The simple strategy will only copy data after the start of SCM, and SCM has a fairly late address, so access to a lot of key information is difficult. I have not verified any of the new addresses or the formulas used to convert between the 3 addressing schemes. GTASA Android 1.08 Memory Addresses on Google Docs

Add this:

    0x4B865C - unlimited height for jetpack
    0x402584 - unlimited object render distance in IDE (more than 299) without losing collision (default: >=300.0 and object is permeable, even if there is a collision).

Now I am attempting to detect the address that allows climbing fences in interiors. If you can help to find this address, please help; I need this address for my mod.

And I do not understand what the difference is between add_ib 0 and add_ib 1? I'm looking for addresses through IDA Pro, and you called them "add_ib 1" in your table. What is add_ib 0?

Edited March 13, 2019 by user1592591
OrionSR Posted March 13, 2019

2 hours ago, user1592591 said:
> Add this:

Done.

2 hours ago, user1592591 said:
> climbing for fences in Interiors

I don't know where to start. I am unlikely to be much help on data that is not part of the save file. Sorry.

2 hours ago, user1592591 said:
> what is the difference between add_ib 0 and add_ib 1?

add_ib 1 seems to be similar to PC and PS2 addressing. I believe offset 0 marks the start of game memory. add_ib 0 was new in Android. These addresses are very large. I suspect offset 0 marks the start of Android memory. I'm not sure if this is true, but it helps me if I think about the addresses this way. Currently I'm finding ADMA addresses because my limited memory dump trick starts at ADMA 0. If I can find a way to make a complete memory dump starting at the beginning of game memory then the offsets I'll find in my hex editor will be appropriate for add_ib 1. Current examples suggest that the hex string strategy used by other scripts (ric-013 had a gangwar mod) will report add_ib 0 addresses.

Again, I'm not sure if this is exactly or always true (a hypothesis):
  Global variables use ADMA addressing (Sanny does the conversion from global to ADMA).
  Static memory is addressed using add_ib 1.
  Dynamic memory is addressed using add_ib 0.

MaxHeightAircraft, MaxHeightJetpack, RenderDistance

Please look for and use "official" names for variables and constants (not an easy task). Sometimes players have discovered official Rockstar names, or well known coders create names that are widely used. I invented names for your constants, so other references won't provide much confidence about their function. I included a Reference column in the spreadsheet for links to documentation for each address, but haven't started filling in any data.
OrionSR Posted March 13, 2019 (edited)

Link: How to find Addresses with IDA and Magic Hex strings. The post includes useful examples of discovering unknown addresses. Gangwar strings were added to the database but I don't have addresses yet. I'm going to give this strategy another try. I don't think I had the required tools at the time.

Updates

What's been working (1.08): I was quite lost in the IDA view for a while until I brought up the Names window. Sorting alphabetically made it easy to find pointers to the data I was looking for. Using ric-013's example from 1.06:

    String: _ZN9CTheZones13ZoneInfoArrayE
    Found:  _ZN9CTheZones13ZoneInfoArrayE_ptr

Double clicking on the pointer name brought me to this data in IDA view:

    .got:005D0014 _ZN9CTheZones13ZoneInfoArrayE_ptr DCD _ZN9CTheZones13ZoneInfoArrayE
    .got:005D0014                                   ; DATA XREF: CGangWars::AddKillToProvocation(int)+30r
    .got:005D0014                                   ; .text:off_2C5CE8o ...
    .got:005D0014                                   ; CTheZones::ZoneInfoArray

D-clicking on "_ZN9CTheZones13ZoneInfoArrayE" brought up this data:

    .bss:008E8E6C EXPORT _ZN9CTheZones13ZoneInfoArrayE
    .bss:008E8E6C                 ; CTheZones::ZoneInfoArray
    .bss:008E8E6C _ZN9CTheZones13ZoneInfoArrayE % 1 ; DATA XREF: CGangWars::AddKillToProvocation(int)+30o
    .bss:008E8E6C                 ; CGangWars::PickZoneToAttack(void)+64o ...

The address (008E8E6C) matches what I had calculated for add_ib 1 by searching through a data dump.

Working from a known address: I found the Special Plates handler at 0x960DC0. Press G to bring up the Goto window. Paste in that value to jump to that address in IDA view. This takes me directly to data where I can find the search string and proper name for the structure.

    .bss:00960DC0 EXPORT _ZN17CTheCarGenerators21m_SpecialPlateHandlerE
    .bss:00960DC0                 ; CTheCarGenerators::m_SpecialPlateHandler
    .bss:00960DC0 _ZN17CTheCarGenerators21m_SpecialPlateHandlerE % 1
    .bss:00960DC0                 ; DATA XREF: CRunningScript::ProcessCommands2500To2599(int)+1070o
    .bss:00960DC0                 ; CTheCarGenerators::Save(void)+D6o ...

Data like maxHealth isn't as straightforward, as this is just one of many unnamed variables that describe the player. Scrolling up from 0x8E879F eventually brought me to this data, and I was able to calculate an offset to maxHealth from the beginning of the player data. The offset from the start of Players/PlayerInfo was included with the string reference. More information on the contents of this structure can be found in DK22Pac's SDK plug-in. This reference is specific to PC but is bound to be pretty close to the mark.

    .bss:008E8650 EXPORT _ZN6CWorld7PlayersE
    .bss:008E8650                 ; CWorld::Players
    .bss:008E8650 _ZN6CWorld7PlayersE % 1 ; DATA XREF: sub_17D2A8+14o
    .bss:008E8650                 ; CWidgetPlayerInfo::RenderHealthBar(int,float)+2Co ...
    .bss:008E8651                 % 1
    .bss:008E8652                 % 1
    .bss:008E8653                 % 1
    (...)

Data like maxHealth will require special handling using ADMA addressing. Data is only one byte in length, and ADMA always reads 4 bytes. Special handling will be required to manage a single byte within a dword of other data that should be maintained. The address is not evenly divisible by 4. The ADMA format will need to be modified to address the 3rd byte: &3(0@,1i)

The addresses supplied by User appear to be hard coded into the associated script. It wasn't hard to Goto the address and confirm that these values were floats for aircraft, jetpack and rendering, but they don't have proper names and I can't make much sense of the pseudo-code other than this appears to be compared to ground height.

    .text:004B865C flt_4B865C      DCFS 100.0      ; DATA XREF: CTaskSimpleJetPack::ProcessThrust(CPed *)+13Er
    .text:004B865C                                 ; CTaskSimpleJetPack::ProcessThrust(CPed *)+170r

Edited March 14, 2019 by OrionSR
OrionSR Posted March 14, 2019

Image Base: Another part of the puzzle.

    0DD7: $9765 = get_image_base ; android

Your image base: 0xCD781000
My image base: 0xA16FA000

To make sure there was no mistake, I checked the currentIP of one of our running threads. Our IPs are in the appropriate range for our own image base but not the other. That explains why I couldn't work your image base into my formulas. My image base seems to always be the same value on my game though. At this point I don't know how to get my image base without the CleoA opcode. This might be a problem if I need to perform calculations with add_ib 0 offsets.

Tomorrow I'll try testing out some of the addresses I've gleaned from IDA Pro and see if I can figure out what's going on with dynamic memory. On PC and PS2, many structures get loaded to different addresses from session to session. To use these structures their location must be read from pointers. I remember using pointers on earlier versions, but my notes suggest that the structures didn't jump around as much as on PC or PS2. This could be because all my memory dumps came from the same source.
MegaFox Posted March 14, 2019

8 hours ago, OrionSR said:
> Image Base: Another part of the puzzle.
>
>     0DD7: $9765 = get_image_base ; android
>
> Your image base: 0xCD781000
> My image base: 0xA16FA000
>
> To make sure there was no mistake, I checked the currentIP of one of our running threads. Our IPs are in the appropriate range for our own image base but not the other. That explains why I couldn't work your image base into my formulas. My image base seems to always be the same value on my game though. At this point I don't know how to get my image base without the CleoA opcode. This might be a problem if I need to perform calculations with add_ib 0 offsets.
>
> Tomorrow I'll try testing out some of the addresses I've gleaned from IDA Pro and see if I can figure out what's going on with dynamic memory. On PC and PS2, many structures get loaded to different addresses from session to session. To use these structures their location must be read from pointers. I remember using pointers on earlier versions, but my notes suggest that the structures didn't jump around as much as on PC or PS2. This could be because all my memory dumps came from the same source.

I found another address that did not allow increasing the visible render distance of objects added to the game by a mod to more than 299. Even if I write 500, the object is still visible for 299. Please replace the description of the RenderDistance address in the table with CollisionRenderDistanceLimit; you did not name it correctly. After that add this address, and name it:

    0x3B319C - VisibleRenderDistanceLimit

If you use both of these addresses together, for example, you can set drawing to 600 in the Alcatraz mod, and the island will appear much earlier, and the collision will cease to disappear.

The address prohibiting climbing in interiors has not yet been found; it is difficult to find, there are no unique numbers.
OrionSR Posted March 14, 2019 (edited)

58 minutes ago, user1592591 said:
> 0x3B319C - VisibleRenderDistanceLimit

Updated. Please confirm that this is a float. Your examples suggest these are integers (299, 300), but in game I find values like 299.0 and 300.0. I am relying on your reports to properly name these values.

Edited March 14, 2019 by OrionSR
MegaFox Posted March 14, 2019 (edited)

1 hour ago, OrionSR said:
> Updated. Please confirm that this is a float. Your examples suggest these are integers (299, 300), but in game I find values like 299.0 and 300.0. I am relying on your reports to properly name these values.

I did not immediately understand this; in general, we need a third address that corrects the field of view. All these addresses must be used together, otherwise it will not work.

    0x402584 - CollisionRenderDistanceLimit //8000000.0 and more
    0x3B26A8 - VisibleRenderDistanceLimit //1500.0 only
    0x3B319C - FOWRenderDistanceLimit //1500.0 only

This is a float. There is a side effect: all objects using a render distance less than 1500 will be visible 100 meters further. But in my opinion it's even better, there are no empty spaces from afar in the cities now. This has no effect on performance. Instead of 1500, you can write 1400 or 1300 and the render distance will be the same as before.

Edited March 14, 2019 by user1592591
OrionSR Posted March 14, 2019

26 minutes ago, user1592591 said:
> There is a side effect, ...

Updated. Thank you for a comprehensive report. Reference links for these addresses lead to the post above. Update the post as required.
Junior_Djjr Posted March 15, 2019

I started learning CLEO for Android today, and coincidentally I came across this topic with such interesting information. Good to know that there are people on this forum still working on mobile hack stuff.
OrionSR Posted March 15, 2019 (edited)

Welcome to the conversation Junior. Got any fun projects going on?

A primary goal of this particular topic was to find strategies to manage memory without Cleo, but I'm certainly taking full advantage of cleo to run my tests. And now that we're moving on to documenting memory addresses I'm trying to provide information useful to cleo as well.

My memory tests went very well. I was able to confirm that most of the addresses are working properly using CleoA opcodes, including pointers for stunt jumps and enex. I labeled these as p2p - these are (static) pointers to (dynamic?) pointers that lead to the structure. I am pretty sure the ped pool pointer is working properly as it provided the same address as the player ped pointer. But I'm not sure how to use this information or interpret the information. The same thing is true for the vehicle and object pools - pools in general.

But I've got a bigger problem. The addresses returned by pointers use the add_ib 0 format. The 0 and 1 settings seem backwards; add_ib 0 addresses are equal to the add_ib 1 address reported by IDA plus the image base for that device (installation?). I don't have a strategy for my scripts to learn the image base without using the CleoA opcode. So I don't have the information needed to convert the pointers to ADMA.

Edited March 15, 2019 by OrionSR
OrionSR Posted March 15, 2019

14 hours ago, OrionSR said:
> I don't have the information needed to convert the pointers to ADMA.

Get Image Base using Cleo and ADMA

Image Base is the offset from the start of device (?) memory to the start of game memory. The image base is not a constant, even on my own system. It must be read at runtime if the script needs to work with pointers or other add_ib 0 addresses. In the snippet below I included the intermediate step of reading memory with cleo to confirm my calculations and clarify the process.

    0DD7: $9769 = get_image_base // Get Image Base CleoA
    0DD8: $9765 = read_mem_addr 0x5CDD1C size 4 add_ib 1
    $9765 -= 0x71FFB0 // offset to ScriptSpace

    // Get Image Base ADMA
    $9766 = 0x5CDD1C // ScriptSpace pointer
    $9766 -= 0x71FFB0 // offset to ScriptSpace
    $9766 /= 4
    0084: $9767 = &0($9766,1i)
    $9767 -= 0x71FFB0 // offset to ScriptSpace
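The arithmetic behind the three addressing schemes in this thread (add_ib 1, add_ib 0, ADMA), the image-base derivation above, the pointer-to-ADMA problem from the previous post, and the byte-within-dword handling for maxHealth from the IDA post can all be checked offline. The Python below is an added example, not OrionSR's or CleoA's code: the addresses 0x71FFB0, 0x5CDD1C, 0x8E879F, 0x510D60 and 0xA1FEAA80 come from this thread, while the image base value and the simulated memory contents are constructed for the example.

```python
"""Address-scheme arithmetic for GTA SA Android 1.08 as worked out in this thread.

Constants taken from the thread (add_ib 1 addresses):
  SCM_OFFSET      - start of ScriptSpace (SCM), 0x71FFB0
  SCRIPTSPACE_PTR - pointer that holds the absolute address of ScriptSpace, 0x5CDD1C
  MAXHEALTH_ADDR  - the player's one-byte maxHealth, 0x8E879F (not a multiple of 4)
The image base and every memory content below are constructed for this example.
"""
import struct

SCM_OFFSET = 0x71FFB0
SCRIPTSPACE_PTR = 0x5CDD1C
MAXHEALTH_ADDR = 0x8E879F
EXAMPLE_IMAGE_BASE = 0xA16FA000  # constructed; the real value differs per device and session


def add_ib1_to_add_ib0(addr, image_base):
    """add_ib 0 addresses are add_ib 1 addresses shifted by the image base."""
    return addr + image_base


def add_ib0_to_add_ib1(addr, image_base):
    return addr - image_base


def add_ib1_to_adma(addr):
    """Return (index, byte) so that '&byte(index,1i)' starts exactly at addr.

    ADMA counts 4-byte elements from the start of ScriptSpace. Addresses below
    ScriptSpace (the ScriptSpace pointer, the 800.0 height limit at 0x510D60)
    give a negative index, which the game treats as plain pointer arithmetic.
    """
    return divmod(addr - SCM_OFFSET, 4)


def add_ib0_to_adma(addr, image_base):
    """Pointers read at runtime come back as add_ib 0; the image base is needed first."""
    return add_ib1_to_adma(add_ib0_to_add_ib1(addr, image_base))


def adma_to_add_ib1(index, byte=0):
    return SCM_OFFSET + 4 * index + byte


class GameMemory:
    """Flat little-endian byte array indexed by add_ib 1 address (constructed model)."""

    def __init__(self, size, image_base):
        self.mem = bytearray(size)
        # The pointer slot holds the absolute (add_ib 0) address of ScriptSpace.
        self.write_u32(SCRIPTSPACE_PTR, add_ib1_to_add_ib0(SCM_OFFSET, image_base))

    def read_u32(self, addr):
        return struct.unpack_from("<I", self.mem, addr)[0]

    def write_u32(self, addr, value):
        struct.pack_into("<I", self.mem, addr, value & 0xFFFFFFFF)

    def read_u8(self, addr):
        return self.mem[addr]

    # ADMA emulation: '&byte(index,1i)' moves the dword at ScriptSpace + byte + 4*index.
    def adma_read(self, index, byte=0):
        return self.read_u32(adma_to_add_ib1(index, byte))

    def adma_write(self, index, value, byte=0):
        self.write_u32(adma_to_add_ib1(index, byte), value)


def image_base_via_adma(mem):
    """The pure-SCM method from the post: read the ScriptSpace pointer through ADMA
    (negative index) and subtract the known add_ib 1 offset of ScriptSpace."""
    index, byte = add_ib1_to_adma(SCRIPTSPACE_PTR)
    return mem.adma_read(index, byte) - SCM_OFFSET


def set_byte_via_adma(mem, addr, new_byte):
    """Change a single byte (e.g. maxHealth) without clobbering its three neighbours.

    ADMA always moves 4 bytes. Using the remainder as the '&byte' base puts the
    target in the low byte of the dword (ARM is little-endian), so the other three
    bytes are read and written back unchanged. Returns the ADMA index used.
    """
    index, byte = add_ib1_to_adma(addr)
    dword = mem.adma_read(index, byte)
    mem.adma_write(index, (dword & 0xFFFFFF00) | (new_byte & 0xFF), byte)
    return index


if __name__ == "__main__":
    mem = GameMemory(0xA00000, EXAMPLE_IMAGE_BASE)
    print(hex(image_base_via_adma(mem)))                      # 0xa16fa000
    print(add_ib0_to_adma(0xA1FEAA80, EXAMPLE_IMAGE_BASE))    # (475828, 0): radar struct
    mem.write_u32(MAXHEALTH_ADDR - 3, 0x44332211)             # constructed neighbours
    print(add_ib1_to_adma(MAXHEALTH_ADDR))                    # (467451, 3) -> &3(index,1i)
    set_byte_via_adma(mem, MAXHEALTH_ADDR, 176)
    print(mem.read_u8(MAXHEALTH_ADDR), hex(mem.read_u32(MAXHEALTH_ADDR - 3)))  # 176 0xb0332211
```

The radar conversion reproduces the 1D0AD0 offset from the Current Progress table (0xA1FEAA80 minus the image base minus 0x71FFB0), which is a quick consistency check for any new image base value.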
Kucing.Bertelur Posted March 19, 2019

Hi all, how do I activate the functions "fopen" and "fwrite" to write a file?
XMDS Posted March 26, 2019

    0A9F=1,%1d% = current_thread_pointer

How to get the current CLEO thread on Android? As we all know, we can't use the OP of CLEO4. Is there any other way?
OrionSR Posted March 26, 2019

6 hours ago, China·XMDS said:
> How to get the current CLEO thread on Android?

What is the purpose?

An untested idea:

    ScriptsArray 0x52C40
    size of thread, 256
    number of threads, 96
    offset to name string, +8
    offset to local vars, +60

It would be interesting to learn if negative indexing of an array of local 0@ could be used to read the name string.

Idea: Build a routine that can read local var 0@ based on the index of each thread. Set 0@ to a random float. If the value read matches the value of your local var then generate another random float and confirm another match. Use the matching index to calculate your pointer.

Cleo threads on Android: (These are new observations - I'm not quite sure what to make of this new information.) It looks like CleoA is placing its threads in the running threads queue. In this structure, the bottom fills up first, and usually main occupies slot 95, the last slot. In my Android save I just noticed that main is using slot 92. In a memory dump I can see my two .csa scripts and the "menu" for .csi scripts occupying the last 3 slots. The slot number of running threads should always be the same unless it ends and restarts. I suspect the cleo scripts are filling the first available slot. In this case, these three cleo threads were active when the save was created. On other saves the cleo scripts are liable to be mixed in with the other running threads.
goku mods Posted June 8, 2019

On 15/1/2018 at 17:19, Markuza said:
> in English please

Ok
XMDS Posted June 14, 2019

    00D7: create_thread @FPSShow

    :FPSShow
    thread 'FPSShow'
    :FPSShow_0
    wait 8000
    :FPSShow_1
    wait 0
    //0DD8: 0@ = read_mem_addr 0x0096B50C size 4 add_ib 1
    1@ = 0x0096B50C // _ZN6CTimer8game_FPSE
    1@ -= 0x007BD794
    1@ /= 4
    0089: 0@ = &0(1@,1i)
    008C: 0@ = float 0@ to_integer
    045A: draw_text_1number -80.0 435.0 GXT 'NUMBER' number 0@
    03F0: enable_text_draw 0
    jump @FPSShow_1

I created a new thread in main. It is used to display FPS by reading the game's memory address, but there are 2 problems.

1. Wait 8000 ms. If the start does not give a delay of more than 5 seconds, then after starting a new game to read the progress bar, the animation will flash back at the beginning, but the FPS will display successfully.

2. After successfully displaying the FPS in the game, after returning to the game main menu interface and then resuming the game, the game card flashes back.

What is going on here? I am using version 2.0 SA.
RiyanArtz Posted July 22, 2019

Can you make a script that calls the reflection function at water, like water reflection? This would make the GTA SA Android graphics look realistic.
Om Gp Posted September 10, 2019

well, if it's ARM, the address must be calculated before it is in white memory

Example Cleo:

    0AB1: call_scm_func @getLabelOffset 1 label @CPadHook store_to 0@
    0@ -= 0x53BF9C
    0A8C: write_memory 0x53BF98 size 4 value 0@ virtual_protect 1
    end_thread

    :CPadHook
    hex
        B8 D01D5400 // mov eax, 541DD0h
        FFD0        // call eax
        B8 34C25300 // mov eax, 53C234h
        FFE0        // jmp eax
    end

Example B.W Label: 0x3597B2

the results

    59F3D9BB FE F7 BD BF 18 F0 F5 B8 FF F7 BE BB FF F7 A5 B9
KirBar228 Posted January 21, 2020

On 26.03.2019 at 14:52, OrionSR said:

Hello! I was looking for you. After changing main.scm, nothing changes in missions - I tried changing the Colt with a silencer in the "Ice Cold Killa" mission to a Desert Eagle, but nothing changed! If you know what this is related to, please tell me how to fix it!
OrionSR Posted January 21, 2020 (edited)

Your question would appear to be off-topic as it has nothing to do with memory management. Find a topic specific to your issue or create a new one. Be more specific about which version you are playing.

Edited January 22, 2020 by OrionSR
Nesthor Posted January 21, 2020

Hi, I'm not sure what I will say, but hey, I have a question: when I use saaexten the vehicles and peds are drawn further away. This pleases me since I have mods with skins at 2024 x 2024, and without saaexten I only see white and black cubes in the distance, or avaces are not seen. Is there a way to make a cleo to solve this without using saaexten? I use Android 9 and saaexten doesn't work for me.