Jun 4 2012, 05:42 PM Post #1
Trained Member Posts: 76 From: Nederland, NL Joined: 1-May 12 |
Can anyone tell me how to use memory functions? I want to create a marker somewhere specific.

Useful radar functions..
CODE
0x583820 = CMarker::Create
0x5839A0 = CMarker::SetAboveEntity
0x583AB0 = CMarker::SetColour
0x583CC0 = CMarker::SetIconSize
0x583D70 = CMarker::SetIcon
0x583D20 = CMarker::SetType
0x583EB0 = CMarker::SetFriendOrThreat
0x583F00 = CMarker::SetEnterExit

Just posting something in the snippets topic to disable or control motion blur in San Andreas.

How to use it? How to insert the handle and location into 0x5839A9?
Jun 4 2012, 06:20 PM Post #2
Coding like a Rockstar! Posts: 1,468 From: ??? Joined: 28-May 09 |
0AA5 for calling functions with no return.
0AA6 for calling methods with no return.
0AA7 for functions with a return.
0AA8 for methods with a return.
--------------------
| CLEO 4.3.22 | A?i?a?o?3D | UI SDK | Black Market Mod 1.0.1 | GInput 0.3 | Cheat Keyboard | Tactile Cheat Activation | Stream Ini Extender 0.7 | SuperVars | ScrDebug | Vigilante Justice: San Andreas |
Jun 4 2012, 06:48 PM Post #3
Trained Member Posts: 76 From: Nederland, NL Joined: 1-May 12 |
I am using 00A6: but nothing shows up. Which isn't surprising, because I probably used incorrect parameters.
CODE
{$CLEO .cs}
hex
00 00 01 00 05 40 1F
end
00A0: store_actor $PLAYER_ACTOR position_to 1@ 2@ 3@
0AA7: call_function 0x583820 num_params 2 pop 2 1@ 2@ 3@
00BA: show_text_styled GXT 'BEEFY' time 1000 style 2 // Something should have happened
0A93:

How to know num_params?
QUOTE
2 = pointer to the class structure (can be obtained by the opcodes 0A96 - 0A98).
Nothing is created yet, what struct do I have to use? And pop is 0?
QUOTE
4 = number of parameters to be removed from the stack after the method execution. Commonly, the methods clean the stack themselves, so the pop parameter must equal 0.
Jun 4 2012, 07:39 PM Post #4
Coding like a Rockstar! Posts: 1,468 From: ??? Joined: 28-May 09 |
Pointer to class/struct only applies to 0AA6 and 0AA8. You're using 0AA7.

num_params is simply the number of parameters that you want to PUSH to the stack, which is an array of params the function reads from. pop is the number of params to free from the stack, so it's usually the same as the number of params you pushed. In some cases, the function pops the params itself, in which case you leave this at 0.

I can't say exactly what params there are for each function as they have not yet perfected IDA for Android... Check the IDB.
Jun 4 2012, 08:48 PM Post #5
Trained Member Posts: 76 From: Nederland, NL Joined: 1-May 12 |
I've tried 5, for both num and pop. But it didn't work. I see 5 params in this:

This post has been edited by badboy: Jun 7 2012, 09:22 PM
Jun 4 2012, 09:41 PM Post #6
Coding like a Rockstar! Posts: 1,468 From: ??? Joined: 28-May 09 |
Well you just gotta make sure you pass the correct params. From what I can tell from the ASM, the params are: type, x coord, y coord, z coord, boolean flags

Also I believe you have to enter the params in reverse when using the opcode.
Jun 4 2012, 09:59 PM Post #7
Member Posts: 197 From: Liberty City, Shoreside Joined: 15-July 10 |
Just look how it is called.
CODE
blip = CRadar::createBlip(4, x, y, 0, 0, 2);
Jun 5 2012, 03:31 PM Post #8
Trained Member Posts: 76 From: Nederland, NL Joined: 1-May 12 |
I've tried this:
CODE
0AA7: call_function 0x583820 num_params 5 pop 5 4 1@ 2@ 3@ 0 2 result_to 0@

But I get a game crash. I've also tested other ways and removing "result_to 0@".

About the flags, they are 2 params (0, 2); do I have to merge them together somehow?
Jun 5 2012, 05:07 PM Post #9
The Assistant Posts: 84 From: Matera, IT Joined: 16-June 11 |
Learn more info here. The fifth argument is missing in the function but they're still 6. Change the parameters and popping arguments counter to 6.
Jun 5 2012, 06:32 PM Post #10
Trained Member Posts: 76 From: Nederland, NL Joined: 1-May 12 |
QUOTE
Learn more info here. The fifth argument is missing in the function but they're still 6. Change the parameters and popping arguments counter to 6.

I don't get it. But I guess that it would be strange to understand everything by reading a short vague tutorial. Anyway, I still don't get the code to work:
CODE
0AA7: call_function 0x583820 num_params 6 pop 6 4 2495.3301 -1680.5298 13.3389 0 2 result_to 0@

I'll try to use another function and see if I can get that to work.

Can anyone tell me what 8, 0Ch and 10h mean? Is ptr == pointer?
CODE
.text:00583820 arg_0 = byte ptr 4
.text:00583820 arg_4 = dword ptr 8
.text:00583820 arg_8 = dword ptr 0Ch
.text:00583820 arg_C = dword ptr 10h
.text:00583820 arg_14 = byte ptr 18h

EDIT: New function doesn't work either (CPed_teleport)
CODE
0AA5: call 0x005E4110 num_params 4 pop 4 $3 2459.5889 -1683.6176 13.5467
---------------------------------------
.text:005E4110
.text:005E4110 ; =============== S U B R O U T I N E =======================================
.text:005E4110
.text:005E4110
.text:005E4110 sub_5E4110 proc near ; DATA XREF: .rdata:0086C0E0o
.text:005E4110 ; .rdata:0086C158o ...
.text:005E4110
.text:005E4110 arg_0 = dword ptr 4
.text:005E4110 arg_4 = dword ptr 8
.text:005E4110 arg_8 = dword ptr 0Ch
.text:005E4110
.text:005E4110 push esi

This post has been edited by badboy: Jun 5 2012, 07:22 PM
Jun 5 2012, 07:38 PM Post #11
The Assistant Posts: 84 From: Matera, IT Joined: 16-June 11 |
QUOTE
I don't get it. But I guess that it would be strange to understand everything by reading a short vague tutorial.
Neither from nothing as you're doing.

QUOTE
Can anyone tell me what 8, 0Ch and 10h mean? Is ptr == pointer?
Those are the offsets which are added to the stack pointer (esp) to get the argument pointer. Note that local variable offsets are subtracted.

QUOTE
New function doesn't work either (CPed__teleport).
__thiscall methods need the this pointer to be passed, and so the class pointer. Read the tutorial I linked.

I cannot answer the rest since I don't have the game installed at the moment.

This post has been edited by Wesser: Jun 5 2012, 07:45 PM
Jun 6 2012, 03:32 PM Post #12
Coding like a Rockstar! Posts: 1,468 From: ??? Joined: 28-May 09 |
CODE
0AA7: call_function 0x583820 num_params 5 pop 5 4 1@ 2@ 3@ 0 2 result_to 0@

Well you've got 6 params there. The function only wants 5... So this would be the code:
CODE
0AA7: call_function 0x583820 num_params 5 pop 5 4 1@ 2@ 3@ 2 result_to 0@

For CPed::Teleport, it works off a CPed pointer ('ped struct'), so we need to use 0AA6. Also, usually thiscalls clean their own stack. At the bottom of that function you may see the asm "retn 0Ch", which means it's returning from the function and popping 12 (0xC) bytes off the stack, so you can leave the pop value at 0. Also, as I said before, these opcodes have a tendency of wanting params passed backwards.
CODE
0A96: 0@ = actor $PLAYER_ACTOR struct
0AA6: call_method 0x5E4110 struct 0@ num_params 3 pop 0 13.5467 -1683.6176 2459.5889

It should call correctly like that with no crashes. It's just whether that function will work for teleporting the ped alone and it is happy with the coordinates not being radian values that I'm really unsure of.

If you get a crash, you can use the error address to tell where the problem was caused by going to that address in IDA (hit G and enter the address without the 0x prefix). This is always a major help when trying to figure out what's causing a crash when one occurs in gta_sa.exe. If Windows says the module is "cleo.asi" or something, then the crash is most likely directly due to a CLEO opcode (e.g. 0AA7 crashed before CLEO could call the function).
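The two questions that run through posts #10 to #12 (what the IDA `arg_N = dword ptr 0Ch` offsets mean, and how to get from them to the `num_params`, `pop` and argument order of 0AA5-0AA8) can be mechanised. The script below is an added example for this thread; it is not code from CLEO, Sanny Builder or any of the posters. It assumes IDA's usual frame annotation, where the offset is the distance from `esp` at function entry (return address at `[esp]`, first dword argument at `[esp+4]`), that a trailing `retn imm` means the callee pops `imm` bytes itself, and, as post #12 says, that the opcodes take the arguments in reverse declaration order. The `arg_` lines are the ones quoted in post #10; the `retn 0Ch` line in `TELEPORT` is constructed from post #12's description, and the `0AA8` mnemonic is assumed from the CLEO 4 docs.

```python
"""Infer an x86 function's stack-argument layout from an IDA listing and turn it
into the num_params / pop values and argument order for CLEO's 0AA5-0AA8.

Added example, not CLEO's or the thread's own code.  Assumptions: IDA frame
annotation `arg_N = <size> ptr <esp offset>` with the return address at [esp+0];
`retn imm` == callee cleans `imm` bytes; opcode arguments are written reversed.
"""
import re

ARG_RE = re.compile(r"\barg_([0-9A-Fa-f]+)\s*=\s*(byte|word|dword|qword)\s+ptr\s+([0-9A-Fa-f]+h?)\b")
RETN_RE = re.compile(r"\bretn\b(?:\s+([0-9A-Fa-f]+h?))?", re.IGNORECASE)


def ida_num(tok):
    """IDA prints hex with a trailing 'h' (0Ch, 18h); a bare number is decimal."""
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok)


def parse_frame(listing):
    """Return [(slot, size, name)] sorted by slot; slot k lives at [esp+4+4k] on entry."""
    slots = []
    for line in listing.splitlines():
        m = ARG_RE.search(line)
        if not m:
            continue
        off = ida_num(m.group(3))
        if off < 4 or off % 4:
            raise ValueError(f"unexpected argument offset {off:#x}: {line.strip()}")
        slots.append(((off - 4) // 4, m.group(2), "arg_" + m.group(1)))
    return sorted(slots)


def stack_layout(listing):
    """Return (num_slots, unreferenced_slots, callee_pop_bytes).

    num_slots counts every dword up to the highest one the function touches: the
    caller must push the untouched ones too (post #9's "missing fifth argument").
    Caveat: IDA only annotates slots the code reads, so an unused *last* argument
    is invisible here.  callee_pop_bytes is None if no retn was seen, 0 for a plain retn.
    """
    slots = parse_frame(listing)
    num = slots[-1][0] + 1 if slots else 0
    seen = {s[0] for s in slots}
    gaps = [i for i in range(num) if i not in seen]
    pops = None
    for line in listing.splitlines():
        m = RETN_RE.search(line.split(";")[0])  # ignore IDA comments
        if m:
            pops = ida_num(m.group(1)) if m.group(1) else 0
    return num, gaps, pops


OPCODES = {  # (has this pointer, has return value) -> Sanny Builder mnemonic
    (False, False): "0AA5: call",
    (False, True): "0AA7: call_function",
    (True, False): "0AA6: call_method",
    (True, True): "0AA8: call_function_method",  # name assumed from the CLEO 4 docs
}


def cleo_call(address, args, listing, this=None, result_to=None):
    """Emit the opcode line for `address`; `args` are in C declaration order."""
    num, gaps, pops = stack_layout(listing)
    if len(args) != num:
        raise ValueError(f"function expects {num} stack dwords (unused slots {gaps}), got {len(args)}")
    if pops not in (None, 0, 4 * num):
        raise ValueError(f"retn pops {pops} bytes, which does not match {num} dword arguments")
    pop = 0 if pops else num  # callee cleans up -> pop 0; cdecl -> pop everything we pushed
    line = [OPCODES[(this is not None, result_to is not None)], f"0x{address:X}"]
    if this is not None:
        line += ["struct", str(this)]
    line += ["num_params", str(num), "pop", str(pop)]
    line += [str(a) for a in reversed(args)]  # last declared argument is written first
    if result_to is not None:
        line += ["result_to", str(result_to)]
    return " ".join(line)


# Frame annotations quoted in post #10 for 0x583820.
MARKER = """\
.text:00583820 arg_0 = byte ptr 4
.text:00583820 arg_4 = dword ptr 8
.text:00583820 arg_8 = dword ptr 0Ch
.text:00583820 arg_C = dword ptr 10h
.text:00583820 arg_14 = byte ptr 18h
"""

# Frame annotations quoted in post #10 for 0x5E4110; the retn line is constructed
# from post #12's description, it is not copied from IDA.
TELEPORT = """\
.text:005E4110 sub_5E4110 proc near ; DATA XREF: .rdata:0086C0E0o
.text:005E4110 arg_0 = dword ptr 4
.text:005E4110 arg_4 = dword ptr 8
.text:005E4110 arg_8 = dword ptr 0Ch
.text:005E4110 push esi
               retn 0Ch ; constructed: the callee-cleanup epilogue post #12 describes
"""

if __name__ == "__main__":
    print(stack_layout(MARKER))    # (6, [4], None): six dwords, slot 4 never read
    print(cleo_call(0x583820, [4, "1@", "2@", "3@", 0, 2], MARKER, result_to="0@"))
    print(cleo_call(0x5E4110, [2459.5889, -1683.6176, 13.5467], TELEPORT, this="0@"))
```

Run on the listings from the thread it reproduces the two conclusions the posters reach by hand: 0x583820 needs six dwords (slot 4, `arg_10`, is never read but still has to be pushed, so `num_params 6 pop 6`), and 0x5E4110 reads three dwords and ends in `retn 0Ch`, so it cleans its own stack and gets `pop 0`. Passing five values to the first function raises instead of silently producing the line from post #8.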
Jun 6 2012, 04:59 PM Post #13
Trained Member Posts: 76 From: Nederland, NL Joined: 1-May 12 |
The first function still doesn't work (maybe no pop?), but I'll leave that one. The second one doesn't work either.

EDIT: I can't find those addresses in IDA

Crash:
CODE
Version: US 1.0
Last File Loaded: AUDIO\STREAMS\AMBIENCE
Last Library Loaded:
Error: Unknown
Assembly Info:
Exception At Address: 0x00394F4E
Exception Code: 0xc0000005 (EXCEPTION_ACCESS_VIOLATION)
Registers:
EAX: 0x00000011 EBX: 0x00000000 ECX: 0x03594F40 EDX: 0x00000000
ESI: 0x00000001 EDI: 0x03594F40 EBP: 0x0028FD44 ESP: 0x0028FBEC

I've read some more about asm and I understand fastman92's tutorial now. These are very good tutorials for the basics:
An Introduction to Assembly Language Part II
An Introduction to Assembly Language Part III

And does anyone know how to debug in IDA? If an exception takes place the game freezes, and I can't open up IDA to look at the exception. I had to terminate both processes. Windowed mode will probably fix this, but I can't debug with IDA when I use a windowed mode mod.

This post has been edited by badboy: Jun 6 2012, 05:02 PM
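Post #12 describes the triage step (take the faulting address to IDA, and if the module is a plugin rather than gta_sa.exe, suspect the opcode call itself), and post #13 pastes the crash dump to apply it to. The script below is an added example for this thread, not code from the thread or from any GTA tool. It assumes gta_sa.exe is loaded at its preferred base 0x400000 (the game binary carries no relocations, so run-time and IDA addresses coincide); `MODULES` is a constructed map whose sizes are approximate and whose base and preferred base (0x10000000, the MSVC DLL default) for scmlog.cleo are made up. One observation it encodes: the three addresses reported in this thread (0x00394F4E in the dump, scmlog.cleo!003a4f4e and 01D24F4E in post #17) all end in 4F4E, which is what one module relocated to a different base on each run looks like, so the module-relative offset is the thing to search for, not the raw address. The register check is a heuristic, nothing more.

```python
"""Crash-address triage for the reports in this thread: parse the dump, decide
which module owns the faulting address, and compute the address to enter in
that module's IDB.

Added example, not from the thread or from any GTA tool.  Assumptions: gta_sa.exe
at its preferred base 0x400000; MODULES is constructed (approximate sizes, made-up
scmlog.cleo bases); the register heuristic is only a hint.
"""
import re

FIELD_RE = re.compile(
    r"(Exception At Address|Exception Code|E[A-D]X|E[SD]I|E[BS]P):\s*(0x[0-9A-Fa-f]+)")

# Crash dump pasted in post #13 (verbatim, only reflowed).
CRASH_LOG = """\
Version: US 1.0
Exception At Address: 0x00394F4E
Exception Code: 0xc0000005 (EXCEPTION_ACCESS_VIOLATION)
Registers:
EAX: 0x00000011 EBX: 0x00000000 ECX: 0x03594F40 EDX: 0x00000000
ESI: 0x00000001 EDI: 0x03594F40 EBP: 0x0028FD44 ESP: 0x0028FBEC
"""

# (name, run-time base, size, preferred/IDA base).  gta_sa.exe: real preferred base,
# approximate image size.  scmlog.cleo: constructed so that post #17's
# scmlog.cleo!003a4f4e falls inside it; its preferred base is an assumption.
MODULES = [
    ("gta_sa.exe", 0x00400000, 0x004A0000, 0x00400000),
    ("scmlog.cleo", 0x003A0000, 0x00008000, 0x10000000),
]


def parse_crash_log(text):
    """Return {'Exception At Address': int, 'Exception Code': int, 'EAX': int, ...}."""
    return {k: int(v, 16) for k, v in FIELD_RE.findall(text)}


def locate(addr, modules=MODULES):
    """(module name, RVA, address to use in that module's IDB), or None if unmapped."""
    for name, base, size, preferred in modules:
        if base <= addr < base + size:
            rva = addr - base
            return name, rva, preferred + rva
    return None


def non_pointer_registers(regs, limit=0x10000):
    """Registers holding values too small to be user-mode pointers.  With an access
    violation that often means an integer (or a missing `this`) was dereferenced,
    i.e. the wrong value or the wrong calling convention reached the function."""
    return sorted(r for r in ("EAX", "EBX", "ECX", "EDX", "ESI", "EDI")
                  if r in regs and regs[r] < limit)


def triage(text, modules=MODULES):
    """One-line verdict for a crash dump, in the spirit of post #12's advice."""
    info = parse_crash_log(text)
    addr = info["Exception At Address"]
    hit = locate(addr, modules)
    if hit is None:
        where = (f"{addr:#010x} is not inside any listed module (gta_sa.exe starts at "
                 f"0x400000), so the fault is not in game code; find which plugin is mapped there")
    else:
        name, rva, ida = hit
        where = f"{addr:#010x} is {name}+{rva:#x}; open that module's IDB, press G and enter {ida:X}"
    small = non_pointer_registers(info)
    if info.get("Exception Code") == 0xC0000005 and small:
        where += f"; access violation with small {', '.join(small)} points at a bad pointer argument"
    return where


if __name__ == "__main__":
    print(triage(CRASH_LOG))
    print(triage(CRASH_LOG.replace("0x00394F4E", "0x003A4F4E")))  # post #17's address
```

The first run reports that 0x00394F4E lies below the game image and flags EAX (0x11), EBX, EDX and ESI as non-pointer values, which matches post #17's later finding that the fault was in a CLEO plugin rather than in gta_sa.exe. Substituting post #17's address maps it to scmlog.cleo+0x4f4e, the number to look up in that plugin's own disassembly.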
Jun 6 2012, 05:24 PM Post #14
Coding like a Rockstar! Posts: 1,468 From: ??? Joined: 28-May 09 |
MS Visual Studio makes a better debugger... Where are you getting that exception address from?
Jun 6 2012, 05:40 PM Post #15
The Assistant Posts: 84 From: Matera, IT Joined: 16-June 11 |
Jun 6 2012, 05:49 PM Post #16
Coding like a Rockstar! Posts: 1,468 From: ??? Joined: 28-May 09 |
Oh yeah, the unused colour param from GTA3... You're right.
Jun 6 2012, 06:46 PM Post #17
Trained Member Posts: 76 From: Nederland, NL Joined: 1-May 12 |
Visual Studio has the same problem, I can't do anything in VS when SA crashes. But I made a note from what VS showed:
Something with "Stack" was scmlog.cleo!003a4f4e() and some other addresses: 0x003a4f4e (the same), 0xc0000005 and 0x00000011

EDIT: I've managed to debug properly in Visual Studio. The exact crash is at 01D24F4E, eax has a value of 17

This post has been edited by badboy: Jun 6 2012, 07:02 PM
Jun 6 2012, 11:05 PM Post #18
Coding like a Rockstar! Posts: 1,468 From: ??? Joined: 28-May 09 |
And you're definitely sure those lines of code are the problem? Kinda hard for me to be sure of anything without doing it hands on.
Jun 7 2012, 06:14 AM Post #19
Trained Member Posts: 76 From: Nederland, NL Joined: 1-May 12 |
Nothing crashed in the function, but then the code jumped to god knows where and I got the error message.
Jun 8 2012, 01:30 PM Post #20
Trained Member Posts: 76 From: Nederland, NL Joined: 1-May 12 |
Can anyone tell me how to see which values are added in the function? I can add breakpoints, but the values are added before the function is executed and I don't know where they are added (when I use the normal opcode).

And how do I know what all the types are? For example, if I load a model using function 0x4087E0 I need to add 0 and #ADMIRAL. But why 0?

And I sort of know why the first function didn't work, because something is wrong and the opcode doesn't work either. Don't know how to describe that in a proper sentence

This post has been edited by badboy: Jun 8 2012, 01:31 PM