I have source code for a project that inspects a game’s memory values. The thing I don’t understand is this: How did the author so precisely determined the type and location of these values? For example, here’s a struct he defined:
typedef struct {
UInt16 times_used; // 0x0
UInt16 token; // 0x2
SInt16 previous_id; // 0x4
SInt16 next_id; // 0x6
SInt32 model; // 0x8
char unknown00[0x1B]; // 0xC
UInt8 player_owner; // 0x27
char unknown01[0x18]; // 0x28
UInt32 position_x; // 0x40
UInt32 position_y; // 0x44
char unknown02[0x1F]; // 0x48
UInt32 death_type; // 0x69
char unknown03[0x7]; // 0x6D
UInt32 destination_x; // 0x74
UInt32 destination_y; // 0x78
char unknown04[0x84]; // 0x7C
UInt32 health_damage; // 0x100
UInt32 shield_damage; // 0x104
UInt32 energy_damage; // 0x108
char unknown05[0x74]; // 0x10C
} Unit;
He looks for it at this address 0x3BC2060 and it’s size is 0x8B8. I ran the program and watch the memory at this location, and sure, I could identify some things like the name property, but how did he find this out so precisely?
Thanks.
I hope I get this straight:
You look at 0x3bc2060 and the next 0x8b8 bytes/octets.
To reverse engineer a struct like this it is crucial to observe the program using this struct by filling it with values for the different fields in it.
Then you can deduce from many dumps starting at 0x3bc2060 and the following 0x8b8 bytes
what is happening.
But it is not so precise as you might expect, because some fields are apparently not assignable. These are the char unknown[].
Doing a struct reverse is a very tedious task and you need much patience with your debugger 😉
Hope this helps to understand how it works in principle