cfemen wrote: ↑Mon Mar 02, 2020 7:15 pm
hey,
(First of all: I don't have the game, this is about UE4 and MemCopy in general.)
The call at +75B9AB is used many times; you can see that with "Find out what addresses this instruction accesses".
The call will lead to several functions, and eventually to a call to the MemCopy.
Your money address is in RDX (in the MemCopy).
Before the call (at +75B9AB) the registers get parameters.
Look at +795B995 -> add r8,r15
Usually r8 contains the address that will be used in RDX in the MemCopy.
You can use a conditional breakpoint (Ctrl+B) -> R8 == 0xRDX_From_MemCopy
Now the breakpoint will only break if R8 is holding the address of your money.
So now you can look for a compare:
maybe the stack,
maybe some register,
or you can backtrace R8.
In your case:
movsxd r8,[RCX+44] -> backtrace this
add r8,15
RCX+44 moves to R8, and something into RCX, and so on.
Do you know the x64 calling convention?
The registers RCX, RDX, R8, R9 and then the stack are used to pass bool, short, int, long, string and pointer parameters to functions/methods.
One of these registers at the prologue will hold an address that contains the [RCX+44] address.
Copy the value of this register,
because something is calling this function with parameters,
and these parameters are most likely used for more than only this function.
Use the stack to find out what is calling, go to this address, and use a conditional breakpoint (before the call) on the register that was used to hold the address at the prologue of the function.
Most likely this call will also be an RAX+xx call.
With the conditional breakpoint you can trace every function related to money that is called, and eventually you will find a unique function.
Inject at this spot and alloc 8 bytes to copy the address from the register that is used for the conditional breakpoint.
This address can now be used in a CMP at the +75B9AB spot (the address from the prologue parameter register is now usually in R14 or similar).
That's just one of the ways; maybe the call at +75B9AB leads to a function that is already unique if you set a breakpoint on R8 with the RDX MemCopy address.
I hope this helps you to trace things / find related functions / use conditional breakpoints.
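The last two steps of the post (inject at the unique function, alloc 8 bytes to store the object pointer, then CMP against it at +75B9AB) written out as a Cheat Engine Auto Assembler script. This is an added example and is not cfemen's script or anything from the game. Everything concrete in it is assumed and labelled: the module is called "Game.exe"; the "unique" money function is at the made-up address Game.exe+1234560 and starts with a 5-byte `mov [rsp+08],rbx`, with the object pointer arriving in rcx; the call at Game.exe+75B9AB is assumed to be the 6-byte `call [rax+128]` (the post only says it is an "RAX+xx call"), and at that point the same object pointer sits in r14. Replace the three assumed instructions and the address with what the disassembler shows in the real target before enabling it.

```asm
// Added example, not part of the original post. Assumptions (all made up for
// illustration, fix them for the real target):
//   "Game.exe"+1234560 : mov [rsp+08],rbx   (5 bytes) prologue of the unique
//                        money function, object pointer is in rcx here
//   "Game.exe"+75B9AB  : call [rax+128]     (6 bytes) the MemCopy call site,
//                        same object pointer is in r14 here
[ENABLE]
alloc(hookUnique,1024,"Game.exe"+1234560)   // near the hook so a 5-byte jmp reaches it
alloc(hookCall,1024,"Game.exe"+75B9AB)
label(moneyObj)
label(hitCount)
label(notMoney)
label(retUnique)
label(retCall)
registersymbol(moneyObj)     // shows up in the address list / disassembler as a symbol
registersymbol(hitCount)

// hook 1: prologue of the unique function, copy the parameter register
hookUnique:
  mov [moneyObj],rcx         // the 8 bytes that hold the pointer to the money object
  mov [rsp+08],rbx           // assumed original instruction overwritten by the jmp
  jmp retUnique

// hook 2: the +75B9AB call site, compare r14 with the stored pointer
hookCall:
  pushfq                     // keep the flags the original code had before the call
  cmp r14,[moneyObj]         // same object the unique function saved?
  jne notMoney
  inc dword ptr [hitCount]   // put a breakpoint on this line: it now fires only for
                             // the copy that belongs to your money object
notMoney:
  popfq
  call [rax+128]             // assumed original "RAX+xx" call overwritten by the jmp
  jmp retCall

moneyObj:                    // the allocated 8 bytes from the post
  dq 0
hitCount:                    // how often the money object went through the call
  dd 0

"Game.exe"+1234560:
  jmp hookUnique             // exactly 5 bytes, replaces mov [rsp+08],rbx
retUnique:

"Game.exe"+75B9AB:
  jmp hookCall               // 5 bytes + 1 nop replace the 6-byte call
  nop
retCall:

[DISABLE]
"Game.exe"+1234560:
  mov [rsp+08],rbx           // restore the assumed original bytes
"Game.exe"+75B9AB:
  call [rax+128]
unregistersymbol(moneyObj)
unregistersymbol(hitCount)
dealloc(hookUnique)
dealloc(hookCall)
```

Both hooks write `moneyObj` RIP-relative, which works because both alloc regions are placed near the module; if Cheat Engine complains about an unreachable symbol, load it with `mov rax,moneyObj` into a pushed register instead. Once the script is active, the conditional breakpoint from the post is no longer needed at +75B9AB: a plain breakpoint on the `inc` line only breaks for the money object, and the stack at that moment tells you which caller belongs to it.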