[the hubster]

Please note the exe version when posting memory addresses (what patch is installed)

You will need Rick's xlive.dll Wrapper or xliveless to edit protected memory addresses.

http://www.gtamodding.com/index.php?title=...ddresses_(GTA4)

This post has been edited by the hubster on Friday, Nov 6 2009, 18:48

[Nulldata]

QUOTE (the hubster @ Dec 2 2008, 17:50)

Ill start: Size of gtaiv.exe CODE 13411688 bytes (0CCA568h) Start of Securom signature CODE 0CC9028h

Can you post the CRC hash for your GTAIV.exe? Should help with everyone just incase the EXEs are changed in anyway.

This post has been edited by Nulldata on Wednesday, Dec 3 2008, 19:17

[opium_addict]

QUOTE (Nulldata @ Dec 3 2008, 13:07)

Can you post the CRC hash for your GTAIV.exe? Should help with everyone just incase the EXEs are changed in anyway.

i suspect that the file size is good enough. . .if something is changed then its more then likely the file size will change also...

[Dangta]

Hi guys, i'm not so experienced in disassembling but i've had a bit of progress. I think i've found some pretty good offsets in the following code:

In: B51CA0

CODE

.text:00B51CA0 sub_B51CA0      proc near              ; CODE XREF: sub_7E5A80+69p .text:00B51CA0                 push    offset loc_B51B30 .text:00B51CA5                 push    offset aSet_time_one_d; "SET_TIME_ONE_DAY_FORWARD" .text:00B51CAA                 call    sub_583420 .text:00B51CAF                 push    offset loc_B51B40 .text:00B51CB4                 push    offset aSet_time_one_0; "SET_TIME_ONE_DAY_BACK" .text:00B51CB9                 call    sub_583420 .text:00B51CBE                 push    offset loc_B51C60 .text:00B51CC3                 push    offset aGet_time_of_da; "GET_TIME_OF_DAY" .text:00B51CC8                 call    sub_583420 .text:00B51CCD                 push    offset loc_B51B60 .text:00B51CD2                 push    offset aGet_hours_of_d; "GET_HOURS_OF_DAY" .text:00B51CD7                 call    sub_583420 .text:00B51CDC                 push    offset loc_B51B70 .text:00B51CE1                 push    offset aGet_minutes_of; "GET_MINUTES_OF_DAY" .text:00B51CE6                 call    sub_583420 .text:00B51CEB                 push    offset loc_B51B80 .text:00B51CF0                 push    offset aSet_time_of_da; "SET_TIME_OF_DAY" .text:00B51CF5                 call    sub_583420 .text:00B51CFA                 push    offset loc_B51BA0 .text:00B51CFF                 push    offset aForward_to_tim; "FORWARD_TO_TIME_OF_DAY" .text:00B51D04                 call    sub_583420 .text:00B51D09                 push    offset loc_B51BC0 .text:00B51D0E                 push    offset aGet_minutes_to; "GET_MINUTES_TO_TIME_OF_DAY" .text:00B51D13                 call    sub_583420 .text:00B51D18                 add     esp, 40h .text:00B51D1B                 push    offset loc_B51BE0 .text:00B51D20                 push    offset aGet_current_da; "GET_CURRENT_DAY_OF_WEEK" .text:00B51D25                 call    sub_583420 .text:00B51D2A                 push    offset loc_B51C80 .text:00B51D2F                 push    offset aGet_current__0; "GET_CURRENT_DATE" .text:00B51D34                 call    sub_583420 .text:00B51D39                 push    offset loc_B51BF0 .text:00B51D3E                 push    offset aSet_time_of_ne; "SET_TIME_OF_NEXT_APPOINTMENT" .text:00B51D43                 call    sub_583420 .text:00B51D48                 push    offset loc_B51C10 .text:00B51D4D                 push    offset aCompare_two_da; "COMPARE_TWO_DATES" .text:00B51D52                 call    sub_583420 .text:00B51D57                 push    offset loc_B51C40 .text:00B51D5C                 push    offset aForce_time_of_; "FORCE_TIME_OF_DAY" .text:00B51D61                 call    sub_583420 .text:00B51D66                 push    offset loc_B51B50 .text:00B51D6B                 push    offset aRelease_time_o; "RELEASE_TIME_OF_DAY" .text:00B51D70                 call    sub_583420 .text:00B51D75                 add     esp, 30h .text:00B51D78                 retn .text:00B51D78 sub_B51CA0      endp

It looks like it's maybe allocating a function to an opcode? I'm not sure... Rockstar may have organized the code in a way that each subject-specific opcode is contained within it's own method. Which would explain why only time related opcodes are in this?

I'm attempting to have a play around by calling some opcodes myself through C/C++. I'll let you know if i have any luck!

This post has been edited by Dangta on Friday, Dec 5 2008, 17:22

[opium_addict]

Pointer to the D3D9 Device:

CODE

GTAIV.exe + 0x128B570

CODE

IDirect3DDevice9 *pDevice = (IDirect3DDevice9 *)*(DWORD*)((DWORD)g_hGTA + 0x128B570);

edit:

CODE

.text:007E5A80 SetupAllNatives proc near              ; CODE XREF: SetupScripts+94p .text:007E5A80 .text:007E5A80; FUNCTION CHUNK AT .text:00B49D50 SIZE 00000031 BYTES .text:007E5A80 .text:007E5A80                 call    SetupAudioNatives .text:007E5A85                 call    SetupCameraNatives .text:007E5A8A                 call    SetupDebugNatives .text:007E5A8F                 call    SetupHUDNatives .text:007E5A94                 call    SetupEngineNatives .text:007E5A99                 call    SetupInputNatives .text:007E5A9E                 call    SetupCharNatives .text:007E5AA3                 call    SetupPlayerNatives .text:007E5AA8                 call    SetupTaskNatives .text:007E5AAD                 call    SetupCarNatives .text:007E5AB2                 call    SetupObjectNatives .text:007E5AB7                 call    SetupScriptHelperNatives .text:007E5ABC                 call    SetupMissionNatives .text:007E5AC1                 call    SetupWorldNatives .text:007E5AC6                 call    SetupNavigationNatives .text:007E5ACB                 call    SetupWeaponNatives .text:007E5AD0                 call    SetupFireNatives .text:007E5AD5                 call    SetupZoneNatives .text:007E5ADA                 call    SetupRenderNatives .text:007E5ADF                 call    SetupGangNatives .text:007E5AE4                 call    SetupCutsceneNatives .text:007E5AE9                 call    SetupTimeNatives .text:007E5AEE                 call    SetupOnlineNatives .text:007E5AF3                 call    SetupBrainNatives .text:007E5AF8                 call    nullsub_5 .text:007E5AFD                 call    SetupCarbombNatives .text:007E5B02                 jmp     SetupWaterNatives .text:007E5B02 SetupAllNatives endp

CODE

.text:00B7F360; int __cdecl SetPedDensityMultiplier(float)

thanks to Mike and Yoann on IRC

This post has been edited by opium_addict on Sunday, Dec 7 2008, 03:50

[ceedj]

QUOTE (Dangta @ Dec 5 2008, 13:17)

It looks like it's maybe allocating a function to an opcode? I'm not sure... Rockstar may have organized the code in a way that each subject-specific opcode is contained within it's own method. Which would explain why only time related opcodes are in this? I'm attempting to have a play around by calling some opcodes myself through C/C++. I'll let you know if i have any luck!

Pretty sure you're dead on right, the little bit of mission script I've seen suggests just that; as though they've moved from a BASIC approach (II/VC/SA) to a more streamlined object-oriented scripting (C/C++).

Nice work here guys!

[aru]

There's no notion of opcode per each function anymore... The basic opcodes of the IV scripting engine (or should I say RAGE scripting engine ) are just some very low level VM opcodes like add/sub/jmp/call/etc. One of those opcodes calls a native function, and its invoked by the hash of the name of the function... which is why you see all the names there. The hashing algorithm is use is the One-at-a-Time Hash:

CODE

ub4 one_at_a_time(char *key, ub4 len) {  ub4   hash, i;  for (hash=0, i=0; i<len; ++i)  {    hash += key[i];    hash += (hash << 10);    hash ^= (hash >> 6);  }  hash += (hash << 3);  hash ^= (hash >> 11);  hash += (hash << 15);  return (hash & mask); }

(from: http://burtleburtle.net/bob/hash/doobs.html)

I have the full specs of the scripting VM and the opcodes written up on paper from the 360 version (and its pretty much identical on PC)... I just haven't had time to type it all up nicely.

[Alexander Blade]

.data:00E4AF70 models hash nodes array pointer

model_hash_node struct 0x8 b
-- model_hash 0x4 b
-- model_ingame_id 0x4 b
end

.data:00E58CF8 Cheat functions pointers array (17)

.text: 008654E0 ; int __cdecl SpawnVehicle(int IngameID);
car spawning function

This post has been edited by Alexander Blade on Sunday, Dec 7 2008, 11:42

[Andrew]

Excellent work so far Pinned.

[Peter]

To avoid spamming the first page, I'll only list the most interesting ones in this post. A full list of vTable names can be found on this page

Interesting vTables
CEntity (0xCF7FF4)
-- CBuilding (0xD1E7B4)
-- CPhysical (0xD0A014)
-- -- CVehicle (0xCFA804)
-- --- -- CAutomobile (0xD49754)
-- --- -- CBike (0xD4BA24)
-- --- -- CPlane (0xCFB31C)
-- --- -- CTrain (0xCF31AC)
-- --- -- CHeli (0xCE712C)
-- -- CPed (0xCF4864)
-- --- -- CPlayerPed (0xD005B4)
-- --- -- CDummyPed (0xD267F4)
-- -- CObject (0xCF41BC)
-- --- -- CCutsceneObject (0xD493EC)
-- --- -- CDummyObject (0xD20C9C)

CTask (0xCFABDC)
CTaskSimple (0xCFAC24)
CTaskComplex (0xCFAC7C)

CPedIntelligence (0xCFDB9C)

[UZI-I]

Address from IDA

Pool Documentation :
http://public.yoa2n.fr/gtaiv/Pools.txt

Class Documentation :
http://public.yoa2n.fr/gtaiv/Documentation.txt

And not sure About that :

CODE

// - Returned value is in the EAX Registar mov ecx, PoolStart GetEntityFromID ( int iIndex )       -> 0x40A1F0

EDIT :

CODE

// - Affect All Car (Parked And Circulation) SetCarDensityMultiplier ( int iMultiplier )          -> 0x00B63830 // - Affect Only Circulation SetRandomCarDensityMultiplier ( int iMultiplier )    -> 0x00B63850 // - Affect Only Parked Car SetParkedCarDensityMultiplier ( int iMultiplier )    -> 0x00B63860 0x00E5F75C -> g_dwCarDensityMultiplier 0x00E5F764 -> g_dwParkedCarDensityMultiplier

Thanks to Opium

This post has been edited by UZI-I on Sunday, Dec 7 2008, 14:39

[Seemann]

Those of you who are using IDA may find this useful.
http://public.sannybuilder.com/GTA4/native.idc

It is an IDA script that gives a name for every native command handler (there are about 2800 of them). So, for example, this code

CODE

.text:00B5A19E                 push    offset sub_B5A120                  ; handler .text:00B5A1A3                 push    offset aHas_script_loa             ; "HAS_SCRIPT_LOADED" .text:00B5A1A8                 call    registerNativeScriptCommand        ; Call Procedure

becomes

CODE

.text:00B5A19E                 push    offset n_HAS_SCRIPT_LOADED         ; handler .text:00B5A1A3                 push    offset aHas_script_loa             ; "HAS_SCRIPT_LOADED" .text:00B5A1A8                 call    registerNativeScriptCommand        ; Call Procedure

and 00B5A120 accordingly is changed to the procedure n_HAS_SCRIPT_LOADED.

Run the script via File > IDC file... menu

[Rafioso]

Hi,

which tool did you use to find the opcodes?

[listener]

Unfinished class hierarchy: http://public.sannybuilder.com/GTA4/gta4_pc_classes.txt

parsed .ide/.ipl contents:

CODE

template<class T> class CDataStore { public:  int nSize; // +0, total size of store, in objects  int nAllocated; // +4, numer of allocated objects in store  T * pData; }; 0xE4AE4C - CDataStore<CBaseModelInfo> g_baseModelStore; 0xE4AE58 - CDataStore<CInstanceModelInfo> g_instanceModelStore; 0xE4AE64 - CDataStore<CTimeModelInfo> g_timeModelStore; 0xE4AE70 - CDataStore<CWeaponModelInfo> g_weaponModelStore; 0xE4AE7C - CDataStore<CVehicleModelInfo> g_vehicleModelStore; 0xE4AE88 - CDataStore<CPedModelInfo> g_pedModelStore; 0xE4AE94 - CDataStore<CMloModelInfo> g_mloModelStore; 0xE4AEA0 - unknown store 0xE4AEAC - unknown store 0xE4AEB8 - unknown store 0xE4AEC4 - unknown store 0xE4AED0 - unknown store 0xE4AEDC - CDataStore<CParticleAttr> g_particleAttrStore; 0xE4AEE8 - CDataStore<CExplosionAttr> g_explosionAttrStore; 0xE4AEF4 - CDataStore<CProcObjAttr> g_procObjAttrStore; 0xE4AF00 - CDataStore<CLadderInfo> g_ladderInfoStore; 0xE4AF0C - CDataStore<CSpawnPoint> g_spawnPointStore; 0xE4AF18 - CDataStore<CLightShaftAttr> g_lightShaftAttrStore; 0xE4AF24 - CDataStore<CScrollBar> g_scrollBarStore; 0xE4AF30 - CDataStore<CSwayableAttr> g_swayableAttrStore; 0xE4AF3C - CDataStore<CBouyancyAttr> g_bouyancyAttrStore; 0xE4AF48 - CDataStore<CAudioAttr> g_audioAttrStore; 0xE4AF54 - CDataStore<CWorldPointAttr> g_worldPointAttrStore; 0xE4AF60 - CDAtaStore<CWalkDontWalkAttr> g_walkDontWalkAttrStore; 0xFAA7F8 - CDataStore<CEscalatorAttr> g_escalatorAttrStore; 0xFAA804 - CDataStore<CLightAttrStore> g_lightAttrStore;

UZI-I
first field (4 bytes) of all classes with virtual methods - pointer to virtual methods table

This post has been edited by listener on Sunday, Dec 7 2008, 18:47

[UZI-I]

Hum.

So I edited my doc.
It should be as that : http://public.yoa2n.fr/gtaiv/Documentation.txt ?

[listener]

UZI-I
Uhhh... No.

If you define inherited class/struct/union, all fields from the parent class will be added automatically (no need to define them again).
First field of the inherited class follows last field of the parent class.

Also, if you define at least one virtual method, VMT pointer wil be added by compiler.

And look at the inheritance diagram (search for CVirtualBase):

class CVirtualBase;
class CEntity : public CVirtualBase;
class CDynamicEntity : public CEntity;
class CPhysical : public CDynamicEntity;
class CVehicle : public CPhysical;
class CAutomobile : public CVehicle;
.. and so on

[UZI-I]

I know class are inherited from other in GTA. But I don't understand what is this pointer to the vTable...

[listener]

Good description of class internals (structure, inheritance, multiple inheritance, RTTI, etc):
http://www.openrce.org/articles/full_view/23

[Alexander Blade]

0x7FBF30 _cdecl SetMaxWantedLevel(int WantedLevel); // Wanted level [0..6]

dword 0xE57700 - max wanted level
dword 0xE57704 - (?) police activity

This post has been edited by Alexander Blade on Thursday, Dec 11 2008, 10:55

[wildmotzi]

10948FC - current wanted level
F77BDC - money

changing these doesnt do anything ingame

health adress in startpost isnt working anymore with patch

FB4D00 - Health float
4B3F944 - Health float
59004EC - Health float ??

This post has been edited by wildmotzi on Monday, Dec 15 2008, 15:54