I'm going to post this here for reference, to continue on when I get back from Barcelona
ShooterGame:
1] public: void __cdecl FTicker::Tick(float) __ptr64
-> break at this function and on FIRST BREAKPOINT (not other breakpoints) start the trace
-> scroll till the 2nd dynamic call
Code:
00007FF671F2EEC5 | 48:8B01 | MOV RAX,QWORD PTR DS:[RCX]
00007FF671F2EEC8 | FF50 20 | CALL QWORD PTR DS:[RAX+20]
00007FF671F2EECB | 84C0 | TEST AL,AL
00007FF671F2EECD | 0F84 8E000000 | JE shootergame-win64-shipping.7FF671F2EF61
00007FF671F2EED3 | 44:397F 40 | CMP DWORD PTR DS:[RDI+40],R15D
00007FF671F2EED7 | 74 06 | JE shootergame-win64-shipping.7FF671F2EEDF
00007FF671F2EED9 | 48:8B4F 38 | MOV RCX,QWORD PTR DS:[RDI+38]
00007FF671F2EEDD | EB 03 | JMP shootergame-win64-shipping.7FF671F2EEE2
00007FF671F2EEDF | 49:8BCF | MOV RCX,R15
00007FF671F2EEE2 | 48:8B01 | MOV RAX,QWORD PTR DS:[RCX]
00007FF671F2EEE5 | 0F28CE | MOVAPS XMM1,XMM6
00007FF671F2EEE8 | FF50 40 | CALL QWORD PTR DS:[RAX+40] // here
00007FF671F2EEEB | 84C0 | TEST AL,AL
2] enter above call and trace it to the JMP RAX
Code:
00007FF671DD4710 | 40:53 | PUSH RBX
00007FF671DD4712 | 48:83EC 30 | SUB RSP,30
00007FF671DD4716 | 48:8BD9 | MOV RBX,RCX
00007FF671DD4719 | 0F297424 20 | MOVAPS XMMWORD PTR SS:[RSP+20],XMM6
00007FF671DD471E | 48:83C1 08 | ADD RCX,8
00007FF671DD4722 | 0F28F1 | MOVAPS XMM6,XMM1
00007FF671DD4725 | E8 867E3E00 | CALL <shootergame-win64-shipping.public: class UObject * __ptr64 __cdecl FWeakObjectPtr::Get
00007FF671DD472A | 0F1053 10 | MOVUPS XMM2,XMMWORD PTR DS:[RBX+10]
00007FF671DD472E | 0F28CE | MOVAPS XMM1,XMM6
00007FF671DD4731 | 66:0F6FC2 | MOVDQA XMM0,XMM2
00007FF671DD4735 | 66:0F73D8 08 | PSRLDQ XMM0,8
00007FF671DD473A | 66:0F7EC1 | MOVD ECX,XMM0
00007FF671DD473E | 48:63C9 | MOVSXD RCX,ECX
00007FF671DD4741 | 48:03C8 | ADD RCX,RAX
00007FF671DD4744 | 6648:0F7ED0 | MOVQ RAX,XMM2
00007FF671DD4749 | 0F287424 20 | MOVAPS XMM6,XMMWORD PTR SS:[RSP+20]
00007FF671DD474E | 48:83C4 30 | ADD RSP,30
00007FF671DD4752 | 5B | POP RBX
00007FF671DD4753 | 48:FFE0 | JMP RAX // here
3] the JMP RAX leads to this function
public: bool __cdecl UShooterGameInstance::Tick(float) __ptr64
4] inside here you'll find FNames to menu widgets (an FName is an ID that gets converted to a string via FName::ToString)
5] the 2nd CALL in this function is a call to here:
Code:
00007FF671F0C941 | 48:8B96 C8000000 | MOV RDX,QWORD PTR DS:[RSI+C8]
00007FF671F0C948 | 4C:8BC3 | MOV R8,RBX
00007FF671F0C94B | 48:8BCE | MOV RCX,RSI
00007FF671F0C94E | E8 5D98F7FF | CALL <shootergame-win64-shipping.private: void __cdecl UShooterGameInstance::BeginNewState | // here
6] that CALL leads to this:
Code:
00007FF671E862F0 | 48:8987 C8000000 | MOV QWORD PTR DS:[RDI+C8],RAX |
00007FF671E862F7 | E9 04010000 | JMP shootergame-win64-shipping.7FF671E86400 |
00007FF671E862FC | 48:3B1D B584A102 | CMP RBX,QWORD PTR DS:[<class FName const ShooterGameInstanceState::WelcomeScreen>] |
00007FF671E86303 | 75 0A | JNE shootergame-win64-shipping.7FF671E8630F |
00007FF671E86305 | E8 C60E0000 | CALL <shootergame-win64-shipping.private: void __cdecl UShooterGameInstance::BeginWelcomeScreenState(void) __ptr64> |
00007FF671E8630A | E9 F1000000 | JMP shootergame-win64-shipping.7FF671E86400 |
00007FF671E8630F | 48:3B1D AA84A102 | CMP RBX,QWORD PTR DS:[<class FName const ShooterGameInstanceState::MainMenu>] |
00007FF671E86316 | 75 0A | JNE shootergame-win64-shipping.7FF671E86322 |
00007FF671E86318 | E8 53F8FFFF | CALL <shootergame-win64-shipping.private: void __cdecl UShooterGameInstance::BeginMainMenuState(void) __ptr64> | // here
00007FF671E8631D | E9 DE000000 | JMP shootergame-win64-shipping.7FF671E86400 |
00007FF671E86322 | 48:3B1D 9F84A102 | CMP RBX,QWORD PTR DS:[<class FName const ShooterGameInstanceState::MessageMenu>] |
00007FF671E86329 | 75 0A | JNE shootergame-win64-shipping.7FF671E86335 |
00007FF671E8632B | E8 00FCFFFF | CALL <shootergame-win64-shipping.private: void __cdecl UShooterGameInstance::BeginMessageMenuState(void) __ptr64> |
00007FF671E86330 | E9 CB000000 | JMP shootergame-win64-shipping.7FF671E86400 |
00007FF671E86335 | 48:3B1D 9484A102 | CMP RBX,QWORD PTR DS:[<class FName const ShooterGameInstanceState::Playing>] |
00007FF671E8633C | 0F85 BE000000 | JNE shootergame-win64-shipping.7FF671E86400 |
7] and that CALL leads to this:
Code:
00007FF671E85E15 | FF50 08 | CALL QWORD PTR DS:[RAX+8] |
00007FF671E85E18 | 49:8BD4 | MOV RDX,R12 |
00007FF671E85E1B | 48:8D4D 30 | LEA RCX,QWORD PTR SS:[RBP+30] |
00007FF671E85E1F | E8 0C633300 | CALL <shootergame-win64-shipping.public: void __cdecl FWeakObjectPtr::operator=(class UObject const * __ptr64) __ptr64> |
00007FF671E85E24 | 48:8BD6 | MOV RDX,RSI |
00007FF671E85E27 | 48:8D4D 38 | LEA RCX,QWORD PTR SS:[RBP+38] |
00007FF671E85E2B | E8 00633300 | CALL <shootergame-win64-shipping.public: void __cdecl FWeakObjectPtr::operator=(class UObject const * __ptr64) __ptr64> |
00007FF671E85E30 | 49:8B0E | MOV RCX,QWORD PTR DS:[R14] |
00007FF671E85E33 | 4C:8D45 30 | LEA R8,QWORD PTR SS:[RBP+30] |
00007FF671E85E37 | 48:8D55 38 | LEA RDX,QWORD PTR SS:[RBP+38] |
00007FF671E85E3B | E8 F0C30000 | CALL <shootergame-win64-shipping.public: void __cdecl FShooterMainMenu::Construct(struct TWeakObjectPtr<class UShooterGa | // here
00007FF671E85E40 | 49:8B0E | MOV RCX,QWORD PTR DS:[R14] |
00007FF671E85E43 | E8 88F0FFFF | CALL <shootergame-win64-shipping.public: void __cdecl FShooterMainMenu::AddMenuToGameViewport(void) __ptr64> |
How all of the above ties back to Star Wars... well, here's the cookie:
000000014A168B90 | 48:89E0 | MOV RAX,RSP | FTicker::Tick
Now trace all the way to the Construct of the menu, following the steps I mentioned.
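The CALL [RAX+20] / CALL [RAX+40] pair in step 1 and the JMP RAX thunk in step 2 are a delegate being checked and then executed through a weak object pointer plus an MSVC-style member-function pointer (code address, signed this adjustment). Added example, not the poster's code and not Unreal's own types: a C model of that dispatch with assumed struct names and layouts, showing where the MOVSXD/ADD this adjustment comes from and why the TEST AL,AL guard runs first.

```c
#include <stddef.h>
#include <stdint.h>
/* Teaching model of the delegate instance seen in steps 1-2 (vtable at +0
 * omitted): a weak object handle at +0x08, which FWeakObjectPtr::Get reads,
 * and the 16-byte MSVC member-function pointer at +0x10 that the listing
 * loads into XMM2: low 8 bytes = code address, next 4 bytes = signed
 * "this" adjustment. Names and layouts are assumptions, not Unreal's types. */
typedef struct { void *object; int alive; } WeakObjectPtr;
typedef int (*TickFn)(void *self, float dt);                 /* bool Tick(float) */
typedef struct { TickFn fn; int32_t this_delta; int32_t pad; } MemberFnPtr;
typedef struct { WeakObjectPtr target; MemberFnPtr method; } Delegate;

/* An object whose Tick lives in its second base, so this_delta is non-zero */
typedef struct { int unrelated; } BaseA;
typedef struct { int ticks; } TickableBase;
typedef struct { BaseA a; TickableBase t; } GameInstance;

static int tickable_tick(void *self, float dt) {
    TickableBase *tb = self;            /* RCX already points at the sub-object */
    tb->ticks += 1;
    return dt > 0.0f;
}

/* FWeakObjectPtr::Get: NULL once the target object is gone */
static void *weak_get(const WeakObjectPtr *w) { return w->alive ? w->object : NULL; }

/* The vtable slot at +0x20 called first in step 1: may this delegate run? */
static int delegate_is_safe(const Delegate *d) { return weak_get(&d->target) != NULL; }

/* The slot at +0x40, i.e. the JMP RAX thunk of step 2: RAX = fn,
 * RCX = Get() + sign-extended delta, then tail-jump with XMM1 = dt. */
static int delegate_execute(const Delegate *d, float dt) {
    char *base = weak_get(&d->target);
    char *adjusted = base + (intptr_t)d->method.this_delta;  /* MOVSXD RCX,ECX ; ADD RCX,RAX */
    return d->method.fn(adjusted, dt);                       /* JMP RAX */
}

/* One FTicker::Tick iteration: the TEST AL,AL / JE guard in front of the call.
 * Returns -1 when the delegate was skipped, otherwise the bool that Tick returned. */
static int ticker_tick(const Delegate *d, float dt) {
    if (!delegate_is_safe(d)) return -1;
    return delegate_execute(d, dt);
}

/* Constructed sample: bind the Tick of a GameInstance's second base */
static Delegate bind_tick(GameInstance *gi) {
    Delegate d = { { gi, 1 }, { tickable_tick, (int32_t)offsetof(GameInstance, t), 0 } };
    return d;
}
```

Once the target's weak handle goes stale, the +0x20 check fails and the +0x40 thunk is never reached, which is the JE at the top of the step 1 listing.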