Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Changing Addr passed into __thiscall always contain my value

LongBeardedLion
Expert Cheater
Reputation: 0

Joined: 10 Apr 2020
Posts: 172

Posted: Thu Jun 18, 2020 11:42 pm    Post subject: Changing Addr passed into __thiscall always contain my value

(images below)

I've been beating my head against the wall with this. And I will not quit. :)
So I have my __thiscall function that changes my unit stance. And I'm able to call it.
As you know, __thiscall functions take one object as an argument in the ECX, and the others are pushed onto the stack.
So when I call my function, the ECX is the player object and it's always the same. And it has one more argument pushed onto the stack. So it's 2 parameters only, the ECX and an ESP+4. As you can see in the image below.
This is the function in IDA:

int __thiscall sub_58AAA0(void *this, int a2)

But the problem here is: every time the function is called, the ADDRESS that points to the value where my unit stance is changes every time, but not the value inside it; it remains the same for the corresponding type of unit and stance you commanded. In this case int a2 is 131B74E8 and points to 12 01 01 05.
However, the next time I call the function it will be 11223344 (random), yet containing the same value that defines the stance of my unit.
So I can't call the function because I can't guess the address that seems to be randomly generated? I mean, I called it and it worked, but I simply used the previous address that still had the same value. And it only works a few times and then it either crashes or stops working.
Changing the stance of the unit will change the value in the random address to 12 01 02 05. So that byte in bold is the byte that defines the stance. Yet the 12 01 02 05 seems to define the unit.
I also found the pointer that points to this address that changes. Image below.

So my questions are:

1. How is this random address generated? How can I find how and what generates that address? And how can I generate it myself and call the function, if that is possible?

2. Knowing that probably just writing a random address in the memory with that value 12 01 01 05 will probably still work. Can I call the function somehow by simulating/writing on another address by injection? Or is that not the way to go?



2.jpg
 Description: Breakpoint at the start of the function. ECX is player object (remains the same every time). ESP+4 is the address that points to the value with my 12 01 01 (stance) 05 (unit).

3.jpg
 Description: Pointer that points to the address that contains the values 12 01 01 (stance) 05 (unit) and is passed into the function as the second argument int a2, in the ESP+4.


ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4300

Posted: Fri Jun 19, 2020 10:19 am    Post subject:

LongBeardedLion wrote:
How is this random address generated? How can I find how and what generates that address? And how can I generate it myself and call the function, if that is possible?
Look at what the caller is doing. It could be a few callers up the callstack.

LongBeardedLion wrote:
Knowing that probably just writing a random address in the memory with that value 12 01 01 05 will probably still work. Can I call the function somehow by simulating/writing on another address by injection?
Code:
newmem:
  mov ecx,[thing1]
  push thing2
  call addressOfFunction
  //...

thing1:
  dd something
thing2:
  db 12 01 01 05
Inject this some place where one of the game's threads will run this, or create your own thread. If you do the latter, you may need a bit more code to make it "correct" (no memory leak, safe dealloc). See this post for a couple ways.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
LongBeardedLion
Expert Cheater
Reputation: 0

Joined: 10 Apr 2020
Posts: 172

Posted: Sat Jun 20, 2020 12:03 pm    Post subject:

Thank you. That's what I did. I basically injected assembly that uses another address where I have that same code. The problem is this code changes from unit to unit. And my actual fear is if this code is actually connected to some other task or function, and if it's needed for the code to be in a specific place where its offsets lead to other values that are needed. That's what I worry about. But so far it's working.

Additionally, I figured out a pointer that has two of the main bytes for each unit. So all I will have to do is grab those bytes and associate them with the other 2 bytes and I have the 4 bytes. Still, it intrigues me how the game creates a new address that contains this same value every time I change the stance of the unit.

But if this way works then it's ok. Perhaps I'm just having noob delusions. I can imagine some things must be impossible. Or very hard to do.

For example, the more I go up on this sequence of functions, the more it gets complicated. With loops and calls to obscure places of the code, and getting values from addresses that are probably written into the memory by other functions. That's probably the line where it's just better to make a new game yourself than trying to hack such complex stuff.
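The behaviour the thread describes (the second argument's address changes on every call while its four bytes stay identical, and reusing an old address works a few times and then crashes) is consistent with the caller building a short-lived argument object for each call, which is also why ParkourPenguin's advice is to look at the caller. The C program below is an added example, not code from this thread or from Cheat Engine: the `Player` and `StanceCmd` layouts, the names `make_cmd`, `set_stance` and `issue_stance_command`, and the reading of the third byte as stance and the fourth as unit type are assumptions drawn from the posts. It shows how a per-call allocation yields different addresses for identical contents, and why an address captured from an earlier call is a dangling pointer once that call has returned.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical player object: the thread only says ECX holds "the player
 * object" and that it is the same on every call. */
typedef struct {
    uint8_t current_stance;
    uint8_t current_unit;
} Player;

/* Hypothetical layout of the 4-byte argument (observed as 12 01 01 05 and
 * 12 01 02 05): the posts show the third byte changing with stance and call
 * the fourth the unit type; the first two bytes are kept opaque here. */
typedef struct {
    uint8_t header[2];
    uint8_t stance;
    uint8_t unit;
} StanceCmd;

/* Decode helpers; the field positions are an assumption taken from the thread. */
uint8_t cmd_stance(const uint8_t bytes[4]) { return bytes[2]; }
uint8_t cmd_unit(const uint8_t bytes[4])   { return bytes[3]; }

/* Model of the callee. Under 32-bit __thiscall `self` would travel in ECX
 * and `cmd` would sit at ESP+4; a host C compiler uses its own convention,
 * which does not affect the lifetime point being made. Returns the new
 * stance, or -1 on a null argument. */
int set_stance(Player *self, const StanceCmd *cmd)
{
    if (self == NULL || cmd == NULL)
        return -1;
    self->current_stance = cmd->stance;
    self->current_unit   = cmd->unit;
    return self->current_stance;
}

/* Model of the caller: a fresh command object is allocated for every call.
 * A per-call heap object explains why the pointer value differs between
 * calls while the bytes it points to stay identical. */
StanceCmd *make_cmd(uint8_t stance, uint8_t unit)
{
    StanceCmd *c = malloc(sizeof *c);
    if (c == NULL)
        return NULL;
    c->header[0] = 0x12;   /* constant bytes copied from the observed dump */
    c->header[1] = 0x01;
    c->stance = stance;
    c->unit = unit;
    return c;
}

/* Issues one command the way the modelled caller would: allocate, call,
 * free. After free() the old address is dangling; reading it or passing it
 * to the function again is a use-after-free, which behaves exactly like
 * the "works a few times and then crashes" symptom in the first post. */
int issue_stance_command(Player *p, uint8_t stance, uint8_t unit)
{
    StanceCmd *c = make_cmd(stance, unit);
    if (c == NULL)
        return -1;
    int result = set_stance(p, c);
    free(c);   /* the address handed to set_stance() is no longer valid */
    return result;
}

/* Runs two commands against one player and returns the final stance (2). */
int final_stance_after_two_commands(void)
{
    Player p = {0, 0};
    issue_stance_command(&p, 1, 5);
    return issue_stance_command(&p, 2, 5);
}

/* Two simultaneously live command objects never share an address even when
 * their bytes are identical. Returns 1 when addresses differ and contents
 * match, 0 otherwise. */
int live_commands_differ_by_address(void)
{
    StanceCmd *a = make_cmd(1, 5);
    StanceCmd *b = make_cmd(1, 5);
    int ok = a != NULL && b != NULL && a != b && memcmp(a, b, sizeof *a) == 0;
    free(a);
    free(b);
    return ok;
}

int main(void)
{
    printf("final stance: %d\n", final_stance_after_two_commands());
    printf("live commands differ by address: %d\n", live_commands_differ_by_address());
    return 0;
}
```

The takeaway for reading the real caller is the one the second post gives: whatever constructs the object at ESP+4 (a stack temporary, a heap allocation, or a slot in some unit table) determines how long that address stays valid, and a cheat that captures the address of one call and replays it is relying on memory whose lifetime it does not control.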