Cheat Engine

[grasmanek94]

I have a table with pointers, for all vehicles:

VehiclePointer_Index1
VehiclePointer_Index2
VehiclePointer_Index3
VehiclePointer_Index4

All those are multi level pointers with the same base address and end offsets, except the first offset which is the pointer to the car information at that index.

Now, I can imagine that the game code would do something like this:

VehiclePointer* CreateCar(input)
{
return new Car(input);
}

VehiclePointer_Index1 = CreateCar(some params);

How can I get the address of the "CreateCar" function with Cheat Engine (Or Car)?
I can force the game to re-create the cars from invalid addresses to valid cars (just select "race" from menu and cars will be created)

Is there any way to accomplish this?

[Dark Byte]

Find what writes to the pointer and then check the stacktrace to see the calls that preceded it. (Or look above it)
If they are register calls and the registervalue is gone manually find the fuctionstart (push ebp, or look for int3 or mov [eax],al)

[grasmanek94]

Hm I don't see any push ebp, int3 or mov [eax],al :$

I also saw the comments and now started wondering if it's possible to determine why the pointer for the first car position X is
[[["speed2.exe"+0046B2E0]+0x38]+0x0C]+0x20]

and for the next car

[[["speed2.exe"+0046B2E0]+0x248]+0x0C]+0x20]

Where the first offset is exactly +0x210 away from the last one, is that the RigidBody pointer? So where does that 0x0C come from? ;o

The next car positions are also each +0x210 first offset away

[Dark Byte]

function calls usually set EAX as a result

EAX most likely got it's value from the call at speed2.exe+198e8 (probably some kind of lookup in the RigidBodySlotPool )

As for the rest no idea, I don't have this game and might just be coincidense