[Beep]

QUOTE (Sacky @ Apr 1 2007, 11:44)

0xC2310C - Water Height (float) 0xC23110 - Wave Height (float)

Great finds!

Edit
Seems not to work.

This post has been edited by Beep on Monday, Apr 2 2007, 18:41

[k.o.e.i.g2]

---------

This post has been edited by k.o.e.i.g2 on Tuesday, May 27 2008, 18:36

[ntlofub]

QUOTE (Beep @ Apr 2 2007, 15:54)

QUOTE (Sacky @ Apr 1 2007, 11:44) 0xC2310C - Water Height (float) 0xC23110 - Wave Height (float) Great finds! Edit Seems not to work.

That is because he is incorrect.

CODE

006E5B83 mov dword ptr ds:[edx],eax;  store water height variable (from water.dat)

0xC22910 begins an array of structures (20 bytes a piece) that stores position-related information per unit of water. If you want to realistically change the water level of every unit in the game, you will have to modify 168 offsets from the base unit to the same value (differing values results in clipping issues). Of course, the game could be patched to obtain the level from a single unit, but that's a different story.

[EDIT] Information was posted for my ofsetted executable, corrected.

This post has been edited by ntlofub on Wednesday, Apr 18 2007, 13:14

[aru]

QUOTE (ntlofub @ Apr 17 2007, 20:42)

0xC22914 begins an array of structures (20 bytes a piece) that stores position-related information per unit of water.

Close.. but not entirely.. I guess a bit of compiler optimization happened there

Actual start position of the structures is at 0xC22910.

If you open water.dat, you may notice the sets split into 7 values each... with 4 (or 3) of those 7 sets in one line followed by a number. Think of each line as a quad or triangle. The trailing number should be some sort of a flag.

In water.dat, the 7 data sets should be documented here: http://www.gtaforums.com/index.php?showtopic=211733

0xC22910 = WaterBlockInfo Base Offset

X = word: WaterBlockInfo+0
Y = word: WaterBlockInfo+2
Z = float: WaterBlockInfo+4
tU = float: WaterBlockInfo+8
tV = float: WaterBlockInfo+12
Unknown1 = byte: WaterBlockInfo+16
Unknown2 = byte: WaterBlockInfo+17
Unknown3 = word: WaterBlockInfo+18 (can't seem to find any xrefs for this)

Size of each WaterBlockInfo: 0x14 (20 bytes)


[Edit: just linking to the water.dat doc]

This post has been edited by aru on Wednesday, Apr 18 2007, 16:00

[ntlofub]

QUOTE (aru @ Apr 18 2007, 06:53)

QUOTE (ntlofub @ Apr 17 2007, 20:42) 0xC22914 begins an array of structures (20 bytes a piece) that stores position-related information per unit of water. Actual start position of the structures is at 0xC22910.

Thanks for that. I was running an injector that offsetted my executable by 4 bytes, I've edited my original post.
I was going to post the specifics of the water information structure, but Steve-M beat me to it.

[k.o.e.i.g2]

-------

This post has been edited by k.o.e.i.g2 on Tuesday, May 27 2008, 18:37

[Sacky]

Memory Addresses corresponding with weapons.dat:

Weapons:

0xC8AAB8 : Base Memory Address
+ 0x70 : Block Size (for each weapon defined in weapons.dat)

Variables:

+ 0x0 - Fire Type (1 Byte) : 0 - Melee, 1 > Normal (AFAIT)
+ 0x4 - Target Range (float) : How far away a ped has to be before he gets that little triangle above his head
+ 0x8 - Weapon Range (float) : How far the bullets are effective
+ 0xC - Weapon Modelid 1 (1 Byte) : Corresponds to the weapon.dat but changing it in the memory doesnt do anything
+ 0x10 - Weapon Modelid 2 (1 Byte) : ^ See Above
+ 0x14 - Slot (1 Byte) : The Slot ID for the weapon
+ 0x18 - Anim Group (1 Byte) : The animation group that plays when you shoot the weapon, for example setting this to about 6 will make it first person
+ 0x1C - ? : Setting this to 10 or below causes the game to crash when targetting
+ 0x20 - Max Ammo Clip (1 Byte) - How much ammo can be held in a individual clip when it is full

Some other things to note:

-1 = 255
UNARMED = 1
MELEE = 0
PROJECTILE = 1

Aiming Addresses:

0x969179 - Free Aim Driveby (1 Byte) : Toggle 1 or 0 to enable/disable
0xB6EC2E - Auto Aim (1 Byte) : Toggle 1 or 0 to enable/disable

Functions:

0x8582EC - int __stdcall ShowCursor ( BOOL bShow )
0x5BE670 - ParseWeaponDat

This post has been edited by Sacky on Saturday, May 19 2007, 04:33

[DrV]

A few addresses, not very complicated to find, but anyway (v1.0 hoodlum EU exe)

Code:

0x00748760 - int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)

0x00747F00 - int __stdcall WndProc(HWND hWnd,int msg,WPARAM wParam,int lParam)

0x007486F0 - int __cdecl RegisterSAWindow()

0x00745560 - HWND __cdecl CreateSAWindow(HINSTANCE hInstance)

0x007476B0 - void __cdecl PlayMPEG(int nShowCmd, char *filename)
-- This is used to play the two intro videos, not sure about the first parameter but it's not used at all in the function and seems to get passed the nShowCmd from WinMain in the three cases it's used

Data:

0x00C17054 - pointer to main window HWND (from CreateSAWindow)

This post has been edited by DrV on Tuesday, Apr 24 2007, 20:08

[k.o.e.i.g2]

-----

This post has been edited by k.o.e.i.g2 on Tuesday, May 27 2008, 18:38

[ceedj]

Anyone find anythng with the "screen saver" camera that starts after about a minute of the player being idle? I'd assume it's triggered after a timer hits a certain point, but I haven't been able to nail it down yet...

[TehKiller]

some finds dont know if posted before:

0x00BAA410 - current weapon(read only)
0x00955DE0 - inside interior or not(1=inside/0=outside)(read only)

This post has been edited by TehKiller on Sunday, May 6 2007, 10:12

[Seemann]

The engines sounds list (static exe addresses):

http://sannybuilder.com/dev/enginesounds.htm

Each vehicle model has 2 different engine sounds (one for state when the engine speed grows and one when it is falls).

Each sound value is 2 bytes of length (WORD).


Also, to enable the radio for a vehicle (for ones where its not available) write 0 (byte) to the memory address:

v1.0

CODE

address = 0x85D2CB + (#carmodelID * 36)

For example for Landstalker (id = 400) the addy = 0x00860B0B

v1.01

CODE

address = 0x85E2EB + (#carmodelID * 36)

For example for BRAVURA (id = 401) the addy = 0x00861B4F

There's the mod activating the radio for all vehicles.

This post has been edited by Seemann on Monday, May 7 2007, 10:38

[DracoBlue]

(since I see this is used for discussion, too - I'll append my topic now)

Hello Guys,

Currently most of the big multiplayer modifications have this problem, because players who press ESC are not able to be hitten.

So did somebody found a way to NOP those functions, which make GTA go to menu on ESC/ALT+TAB, yet?

Kind regards,
Jan (DracoBlue)

[Mr Vibrating]

QUOTE (Cowpat @ Nov 25 2006, 00:07)

QUOTE (dustcrazy @ Oct 3 2006, 17:15) Is there any way to run SA at a custom res.? Such as 300x300 or even as low as 150x150(Palm Low Res) Don't know if this is what you're looking for, but if you want to run the game at lower than 640x480, here's one way to do it. Static pointer at 0xC97C48 points to block of game resolution and video card details eg. CODE +0x00 desktop width +0x04 desktop height +0x08 desktop resolution +0x14  minimum width allowed(640) +0x18  minimum height allowed(480) . . there then follows the list of resolutions supported by your card, starting at 0x28 4 bytes width 4 bytes height 4 bytes supported resolution 4 bytes unknown 4 bytes unknown Before you begin you must have your saved game resolution set to anything except 640x480x16. Start up SA and change the values at +0x14 and +0x18 to the resolution of your choice, say 320x240. How you do this is up to you (in-process dll, TSearch, etc). Then once that's done go to the graphic options menu and change the resolution to 640x480x16. You should now be able to enjoy a heavily pixellated, retro game experience. Full screen 320x240 A little trickier to achieve, windowed at 320x200

can anyone explain how to implement this to a lamer like me? I want to run SA at proper screen modes like 3840x2048...

I've downloaded TSearch, but don't understand what i'm supposed to do with it - i can't find a string called "0xC97C48" in the hex ed so now i'm outa ideas...

any help much appreciated

[Cowpat]

Mr Vibrating (bet you get all the girls ), may I suggest you download a copy of SA_Mem from my sig. This should allow you to make the changes you seek, providing your video card supports the desired resolution.

Any probs, PM me.

[space_einstein]

This post has been edited by space_einstein on Saturday, May 12 2007, 05:33

[Mr Vibrating]

QUOTE (Cowpat @ May 11 2007, 11:00)

Mr Vibrating (bet you get all the girls ), may I suggest you download a copy of SA_Mem from my sig.  This should allow you to make the changes you seek, providing your video card supports the desired resolution. Any probs, PM me.

Massive thanks to Cowpat, problem solved. FWIW, a couple of bytes after each 'height' parameter is the refresh rate, (ie. 60/85) and a couple more after that is the depth; 22=32-bit, 23=16-bit.

I can now run SA double triplehead (6 LCD panels), 3840x2048x32, which is nice.

Screenie here.

ps. It'd be great if this fix was available in lamer format, ie. a loader or summik ...

Best wishes all

Edit: ...and a shot in standard triplehead mode - 3840x1024x32 (w/ Matrox TH2G)....

This post has been edited by Mr Vibrating on Sunday, May 13 2007, 06:41

[Cowpat]

QUOTE (Mr Vibrating @ May 12 2007, 23:17)

FWIW, a couple of bytes after each 'height' parameter is the refresh rate, (ie. 60/85) and a couple more after that is the depth; 22=32-bit, 23=16-bit.

...and the last value in each data set is a 1 for full-screen. Setting to 0 indicates windowed mode. The catch is I couldn't get it to operate reliably. Perhaps some greater mind than mine can.

[Sacky]

Memory Address's corresponding to carcols.dat:

0xB4E480 : Base Carcols Address
0x4 : Block Size of each colour
+ 0x0 : Red
+ 0x1 : Green
+ 0x2 : Blue
+ 0x3 : Alpha

You can read that as a DWORD for RGBA or individual bytes for R,G,B,A

Changing these addresses works on the fly

File Addresses:

0x859D60 : 'main.scm'
0x866CCC : 'loadsc%d'
0x866CF0 : 'LOADSCS.TXD'
0x86AA28 : 'DATA\WEAPON.DAT'
0x86A964 : 'DATA\HANDLING.CFG'
0x86A778 : 'TIMECYC.DAT'
0x869724 : 'DATA\CARCOLS.DAT'
0x86A8CC : 'stream.ini'
0x85A6D4 : 'models\effects.fxp'

Overwriting these at runtime will change what file the game picks (tested for all of these)

Function Addresses:

0x49EA90 : void LoadEffectsFXP ( void )
0x552C00 : void SetupStaticRendering ( void )
0x552AF0 : int __stdcall AllocateRenderTrees(int QuadTreeNodes)

Memory Addresses corresponding to effects.fxp:

0xA9AE80 : Pointer to the effectsfxp information block
0x258 : Block Size for each effect (Instead of adding it to the block, subtract it)
+ 0x0 : EffectID (byte) ?
+ 0x4 : Effect Length (float)
+ 0x8 : Loop Interval Min (float)
+ 0xC : Length 2 (float) ?
+ 0x10 : ? (I'd like to say playmode, that's what it should be but doesn't correspond to the fxp)

I am very confused with this file load, the culling distance doesnt even appear in it , neither does red,green,blue or alpha

Texture Addresses:

0xC039A0 : Pointer to txgrass0_1
0xC039A4 : Pointer to txgrass0_2
0xC039A8 : Pointer to txgrass0_3
0xC039AC : Pointer to txgrass1_0
0xC039B0 : Pointer to txgrass1_1
0xC039B4 : Pointer to txgrass1_2
0xC039B8 : Pointer to txgrass1_3
0xC039BC : Pointer to gras07Si

All i could find , the rest are stored in a Texture Dictionary, i'll have a poke around there and see what i can find

Limit Hacking:

So in IDA i stumbled on this in SetupRenderTrees

QUOTE

.text:00552C39                push    offset aQuadtreenodes ; "QuadTreeNodes" .text:00552C3E                push    400            ; Extending SA's boundaries? .text:00552C43                mov    ecx, eax .text:00552C45                call    AllocateRenderTrees

Perhaps changing the push 400 to maybe 500 will extend SA's boundaries (Late Edit: No go, still the same bounds whether i increase it or decrease it

Misc Addresses:

0x484B820 : I don't know but when changed to 5000.0 all static objects become un solid in the area around the airfield and Las Venturas (float)

IPL Addresses:

0x38 : Block Size for each IPL entry

This post has been edited by Sacky on Friday, May 25 2007, 07:28

[TehKiller]

QUOTE (DracoBlue @ May 10 2007, 13:11)

(since I see this is used for discussion, too - I'll append my topic now) Hello Guys, Currently most of the big multiplayer modifications have this problem, because players who press ESC are not able to be hitten. So did somebody found a way to NOP those functions, which make GTA go to menu on ESC/ALT+TAB, yet? Kind regards,   Jan (DracoBlue)

SA singelplayer features a ''skill'' which shows bullets fired and bullets hit and stuff
So to see if the bullets hitted a person they would do some sort of checking(did it hit world or did it hit a entity/player) so if we would be able to find this adress we could add damage on being hit by bullets

this would also be nice for a anticheat for godmode coz if u get hit by bullets and ur health does not drop it means ur hacking ->


i like this emote >