Hack src = Deleted | file.io - censored - I replied to post with link to hack sr
Find main unit iteration function that I focused on a great deal:
-----------------------------------------------------------------
48 83 e0 f0 e8 ?? ?? ?? ?? 48 2b e0 33 d2 4c 8d 7c 24 30 49 8b cf e8
Find UnitType function (aka SC2_Function_Find_Unit_Type):
---------------------------------------------------------
48 83 ec ?? 48 85 c9 75 ?? 33 c0 48 83 c4 ?? c3 f6 41 ?? 01
Find QWORD that may tell us if we are in a game or not:
-------------------------------------------------------
48 8b c7 48 ff c0 80 3c 01 00 75 ?? 48 03 c1
Note: it finds two possibilities... it is obvious which one it is...
40 53 48 83 ec 20 48 8b d9 48 ?? ?? ?? ?? ?? ?? 48 85 c9 74 71 <--- Note: new pattern that should have one match on a function that references the same variable multiple times. The other QWORD for "is in game" can be found with the following signature entry...
Note: the following is a signature pattern that shows part of a function that dereferences both QWORDs that indicate whether or not we are in a game
48 ff c0 80 3c 01 00 75 f7 48 03 c1 80 ?? ?? ?? ?? ?? ?? 48 89 44 24 58 74 28
Find the function that grabs xyz from unit struct:
--------------------------------------------------
48 89 5c 24 20 57 48 83 ec 20 48 8b 01 48 8b da
Finding SC2_Function_That_Actually_Decrypts_XYZ:
------------------------------------------------
Note: you utilize this to write the assembly file to decrypt xyz after calling the function that obtains the argument for the ~"insaneXYZ_Function"
48 89 5C 24 ?? 56 57 41 56 48 83 EC 20 48 8B F1 <--- Note: aka = SC2_Function_That_Actually_Decrypts_XYZ or SC2_Function_Grab_XYZ_No_Decryption (...when instead it appears to hold the code to decrypt...)
Find the function that grabs xyz from unit struct (this is the function that doesn't do the decryption):
--------------------------------------------------------------------------------------------------------
48 89 5c 24 20 56 57 41 56 48 83 ec 20 48 8b f1
Note: this function is named "SC2_Function_That_Actually_Decrypts_XYZ" in SC2_x64_dump_SCY11.exe Ghidra repo
Note: the above note and previous section are very confusing in their wording...
Find function to ideally call raw actions to units:
---------------------------------------------------
48 89 5c 24 08 57 48 83 ec 20 ?? ?? ?? ?? ?? ?? ?? 48 8b d9 48 89 01 8b fa 8b 49 20 85 c9 74 29
---
Misc note: the program base address for ghidra database for SC2_x64_dump1_SCY_latest.exe.1 is -
.text 7ff6dd701000 7ff6e03f53ff 0x2cf4400 true false true false false Default true File: SC2_x64_dump1_SCY_latest.exe: 0x400
.text 7ff6e03f5400 7ff6e03f5fff 0xc00 true false true false false Default false
so... it is 7ff6dd700000...
---
Finding those preamble functions now:
-------------------------------------
IssueRawAction preamble function pointer:
-----------------------------------------
7ff6e08a7268 f0 05 e1 addr SC2_RawAction_VERY_IMPORTANT
df f6 7f
00 00
Note: found this easily by using the search pattern for the function that I am calling SC2_RawAction_VERY_IMPORTANT
Note: update - now calling it fp_SC2_Issue_RawAction_Function, which is a function-pointer QWORD
RawAction preamble function pointer:
------------------------------------
48 89 5c 24 08 57 48 83 ec 20 ?? ?? ?? ?? ?? ?? ?? 8b fa 48 89 01 48 8b d9 8b 41 38
Note: called "SC2_Function_Performs_RawAction" in Ghidra
Note: we are after the address that contains the pointer to this function:
7ff666f4f310 90 8d 4b addr SC2_Function_Performs_RawAction
66 f6 7f
00 00
Note: address for pointer on latest update
7ff6e08a7300 40 07 e1 addr SC2_Function_Performs_RawAction
df f6 7f
00 00
Note: the following is a newer way to find a function that references the function pointer -
40 53 48 83 ec 20 48 ?? ?? ?? ?? ?? ?? 48 8b d9 48 89 01 48 83 c1 08 e8 ?? ?? ?? ?? 33 c9 48 8b c3 48 89 4b 18 48 89 4b 20 48 89 4b 10 89 4b 28
Note: the signature right above this line should lead to a function called SC2_Function_References_offset_for_funcRawAction.
RawAction_Point2D preamble function pointer:
--------------------------------------------
48 89 5c 24 08 57 48 83 ec 20 ?? ?? ?? ?? ?? ?? ?? 48 8b f9 48 89 01 8b da 48 83 c1 08 e8 ?? ?? ?? ?? 48 8b cf e8 ?? ?? ?? ?? f6 c3 01 74 0d ba 20 00 00 00 48 8b cf e8 ?? ?? ?? ?? 48 8b c7 48 8b 5c 24 30 48 83 c4 20 5f c3 c8 99 c0 6e b0 7b
Note: we are after the address that contains the pointer to this function:
7ff666f4e6c8 20 36 4b addr SC2_something_to_do_with_Point2D
66 f6 7f
00 00
Note: on latest patch (since these kinds of functions are so similar) I had to use the opcodes preceding the actual function we are looking for. This brought it down to 3 options, where I was able to pick the right one by looking for the "mov EDX, 0x30" in the assembly above the pattern-search address...
48 8b c7 48 8b 5c 24 30 48 83 c4 20 5f c3 cc 48 89 5c 24 08 57 48 83 ec 20 ?? ?? ?? ?? ?? ?? ?? 48 8b f9 48 89 01 8b da 48 83 c1 08 e8 ?? ?? ?? ?? 48 8b cf e8 ?? ?? ?? ?? f6 c3 01 74 0d ba 20 00 00 00 48 8b cf e8 ?? ?? ?? ?? 48 8b c7 48 8b 5c 24 30 48 83 c4 20 5f c3
Note: we are after the address that contains the pointer to this function:
7ff6e08a66b8 d0 af e0 addr SC2_something_to_do_with_Point2D
df f6 7f
00 00
.rdata:00007FF6D2A0B500 public SC2_something_to_do_with_Point2D
.rdata:00007FF6D2A0B500 90 FE CF E3 F6 7F 00 00 SC2_something_to_do_with_Point2D dq offset byte_7FF6D255AFFF+117A4E91h
.rdata:00007FF6D2A0B500 ; DATA XREF: sub_7FF6D1F6FCD0+6↑o
.rdata:00007FF6D2A0B500 ; SC2_something_to_do_with_Point2D_0_CORRECT_ONE+A↑o
.rdata:00007FF6D2A0B500 ; sub_7FF6D1F71E00+2F↑o
.rdata:00007FF6D2A0B500 ; sub_7FF6D1F72A20+183↑o
Finding DATA_QWORD_PTR_funcIssueRawAction_WTF:
----------------------------------------------
Note: it is also known as fp_SC2_Function_Related_to_RawAction_Message in Ghidra database
48 89 5c 24 08 57 48 83 ec 20 48 ?? ?? ?? ?? ?? ?? 8b da 48 89 01 48 8b f9 e8 ?? ?? ?? ?? 48 8d 4f 08 e8 ?? ?? ?? ?? 48 8b cf e8 ?? ?? ?? ?? f6 c3 01 74 0d ba 48 00 00 00 48 8b cf
fp_SC2_Function_Related_to_RawAction_Message XREF[14]: FUN_7ff6dfe3b5e0:7ff6dfe3b5ea(*),
FUN_7ff6dfe3b5e0:7ff6dfe3b5f4(*),
FUN_7ff6dfe3b640:7ff6dfe3b646(*),
FUN_7ff6dfe3b640:7ff6dfe3b650(*),
SC2_Function_Related_to_RawActio
SC2_Function_Related_to_RawActio
FUN_7ff6dfe4ceb0:7ff6dfe4ced1(*),
FUN_7ff6dfe4ceb0:7ff6dfe4cf90(*),
FUN_7ff6dfe52240:7ff6dfe5226f(*),
FUN_7ff6dfe52240:7ff6dfe5227a(*),
7ff6dfe523cf(*), 7ff6dfe523da(*),
SC2_LoadProtoBuf_Main_Function:7
SC2_LoadProtoBuf_Main_Function:7
7ff6e08ada08 70 ce e3 addr SC2_Function_Related_to_RawAction_Message
df f6 7f
00 00
Finding radar ping enable byte:
-------------------------------
88 4C 24 ?? 48 83 EC 28 B8 03 00 00 00 4C 8D 4C 24 ?? 45 33 C0 66 89 44 24 ?? 48 8D 54 24 ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 83 C4 28 C3 0f
Note: this signature will hopefully take you to two possible functions. You will know the correct function because there is another approximately identical-looking function right above the function that the signature points to. For the other choice, what sits above it doesn't look anything like where this signature has you land.
Also note that the actual value you are looking for is inside the function block that can be found two functions below the function the signature above points to...
Note: SC2_Attempt_To_Control_Other_Accesses is the function that reads it -
**************************************************************
* *
* FUNCTION *
**************************************************************
undefined SC2_Attempt_To_Control_Other_Accesses(void)
assume addrsize = 0x2
assume bit64 = 0x1
assume DF = 0x0
assume longMode = 0x1
assume opsize = 0x1
assume rexprefix = 0x0
undefined AL:1 <RETURN>
SC2_Attempt_To_Control_Other_Accesses XREF[2]: SC2_Calls_Function_That_Handles_
SC2_Handle_Request_GetGameInfo:7
7ff6de40cc20 0f b6 05 MOVZX EAX,byte ptr [SC2_QWORD_for_BYTE_ENABLE_RADAR_
4a a5 6a 03
7ff6de40cc27 c3 RET
Finding DATA_DWORD_ACTIVE_GAME_STATUS:
--------------------------------------
Note: called "SC2_API_Current_Game_State" in Ghidra
Note: first you can search for the string "Activate warmstart failed" and the function that this string is referenced in (which isn't a small function) references DATA_DWORD_ACTIVE_GAME_STATUS/SC2_API_Current_Game_State 3 different times.
Also note that the function it takes you to is called SC2_API_Function_Very_Closely_Tied_to_Handling_The_Progression_of_A_SC2API_Match in the ghidra database.
Refer to the following assembly -
7ff6de242ba3 74 3f JZ LAB_7ff6de242be4
7ff6de242ba5 e8 66 d8 CALL FUN_7ff6de240410 undefined FUN_7ff6de240410(void)
ff ff
7ff6de242baa 40 88 35 MOV byte ptr [DAT_7ff6e1734b68],SIL
b7 1f 4f 03
7ff6de242bb1 84 c0 TEST AL,AL
7ff6de242bb3 75 2f JNZ LAB_7ff6de242be4
7ff6de242bb5 48 8d 05 LEA RAX,[s_Activate_warmstart_failed_7ff6e044ebb8] = "Activate warmstart failed" <--- Note: string we were searching for
fc bf 20 02
7ff6de242bbc 48 89 45 e0 MOV qword ptr [RBP + local_28],RAX=>s_Activate_war = "Activate warmstart failed"
7ff6de242bc0 48 8d 4d e0 LEA RCX=>local_28,[RBP + -0x20]
7ff6de242bc4 48 8d 05 LEA RAX,[s__7ff6e044ebb8+25] = ""
06 c0 20 02
7ff6de242bcb 48 89 45 e8 MOV qword ptr [RBP + local_20],RAX=>s__7ff6e044ebb = ""
7ff6de242bcf e8 ec e8 CALL FUN_7ff6de2414c0 undefined FUN_7ff6de2414c0(void)
ff ff
7ff6de242bd4 48 8b 74 MOV RSI,qword ptr [RSP + local_res20]
24 68
7ff6de242bd9 4c 8b 74 MOV R14,qword ptr [RSP + local_18]
24 30
7ff6de242bde 48 83 c4 40 ADD RSP,0x40
7ff6de242be2 5d POP RBP
7ff6de242be3 c3 RET
LAB_7ff6de242be4 XREF[6]: 7ff6de242ba3(j), 7ff6de242bb3(j),
7ff6e0b9b698(*), 7ff6e0b9b6cc(*),
7ff6e534eea0(*), 7ff6e534eea8(*)
7ff6de242be4 8b 0d 6e MOV ECX,dword ptr [SC2_API_Current_Game_State] <--- Note: !!! this is how to find SC2_API_Current_Game_State !!!
52 50 03
LAB_7ff6de242bea XREF[6]: 7ff6e0b9b69c(*), 7ff6e0b9b6ac(*),
7ff6e0b9b6bc(*), 7ff6e0b9b6d0(*),
7ff6e534eeac(*), 7ff6e534eeb4(*)
7ff6de242bea 48 89 7c MOV qword ptr [RSP + local_10],RDI
24 38
7ff6de242bef 48 8b 3d MOV RDI,qword ptr [null_0000000000000000h_7ff6e173
22 1c 4f 03
Finding DATA_QWORD_VALUE_PTR_TO_REQUEST_MESSAGE_FUNCTION:
---------------------------------------------------------
48 89 5C 24 ?? 57 48 83 EC 20 48 8D 05 ?? ?? ?? ?? 48 8B D9 48 89 01 83 79 ?? 00
Note: the QWORD that references a function pointer is dereferenced early on in this function that the signature directly above this sentence locates. We are looking for the address of the variable named SC2_QWORD_VALUE_PTR_TO_REQUEST_MESSAGE_FUNCTION.
.rdata:00007FF6D2A10840 30 2B D3 E3 F6 7F 00 00 SC2_QWORD_VALUE_PTR_TO_REQUEST_MESSAGE_FUNCTION dq offset byte_7FF6D255AFFF+117D7B31h
.rdata:00007FF6D2A10840 ; DATA XREF: sub_7FF6D1FA0980+6↑o
.rdata:00007FF6D2A10840 ; SC2_Function_that_References_QWORD_VALUE_PTR_TO_REQUEST_MESSAGE_FUNCTION+A↑o
.rdata:00007FF6D2A10840 ; sub_7FF6D1FB85E0+2F↑o
.rdata:00007FF6D2A10840
Finding DATA_QWORD_VALUE_PTR_TO_REQUEST_GET_GAME_INFO_MESSAGE_FUNCTION:
-----------------------------------------------------------------------
40 57 48 83 EC 20 83 79 ?? 09
Assembly for reference -
**************************************************************
* *
* FUNCTION *
**************************************************************
undefined SC2_Function_References_DATA_QWORD_VALUE_PTR_T
assume addrsize = 0x2
assume bit64 = 0x1
assume DF = 0x0
assume longMode = 0x1
assume opsize = 0x1
assume rexprefix = 0x0
undefined AL:1 <RETURN>
undefined8 Stack[0x8]:8 local_res8 XREF[3]: 7ff6dfe5cb1f(W),
7ff6dfe5cb7c(R),
7ff6dfe5cb8e(R)
SC2_Function_References_DATA_QWORD_VALUE_PTR_T XREF[5]: 7ff6dfe4f0ba(c), 7ff6e0edfb94(*),
7ff6e0edfba8(*), 7ff6e0edfbb8(*),
7ff6e552a54c(*)
7ff6dfe5cb10 40 57 PUSH RDI
7ff6dfe5cb12 48 83 ec 20 SUB RSP,0x20
7ff6dfe5cb16 83 79 40 09 CMP dword ptr [RCX + 0x40],0x9
7ff6dfe5cb1a 48 8b f9 MOV RDI,RCX
7ff6dfe5cb1d 74 7a JZ LAB_7ff6dfe5cb99
LAB_7ff6dfe5cb1f XREF[5]: 7ff6e0edfb98(*), 7ff6e0edfbac(*),
7ff6e0edfbbc(*), 7ff6e552a550(*),
7ff6e552a558(*)
7ff6dfe5cb1f 48 89 5c MOV qword ptr [RSP + local_res8],RBX
24 30
7ff6dfe5cb24 e8 87 ea CALL FUN_7ff6dfe5b5b0 undefined FUN_7ff6dfe5b5b0(void)
ff ff
7ff6dfe5cb29 b9 68 00 MOV ECX,0x68
00 00
7ff6dfe5cb2e c7 47 40 MOV dword ptr [RDI + 0x40],0x9
09 00 00 00
7ff6dfe5cb35 e8 86 79 CALL SC2_Maybe_Related_To_Grabbing_Structure_Memory undefined SC2_Maybe_Related_To_G
e4 fe
7ff6dfe5cb3a 48 8b d8 MOV RBX,RAX
7ff6dfe5cb3d 48 85 c0 TEST RAX,RAX
7ff6dfe5cb40 74 45 JZ LAB_7ff6dfe5cb87
7ff6dfe5cb42 48 8d 05 LEA RAX,[SC2_QWORD_VALUE_PTR_TO_REQUEST_GET_GAME_I = 7FF6DFE3DD50h <--- Note: this is the value you are looking for
57 fc a4 00
7ff6dfe5cb49 48 8d 4b 08 LEA RCX,[RBX + 0x8]
7ff6dfe5cb4d 48 89 03 MOV qword ptr [RBX],RAX=>SC2_QWORD_VALUE_PTR_TO_RE = 7FF6DFE3DD50h
7ff6dfe5cb50 e8 4b ae CALL FUN_7ff6df3679a0 undefined FUN_7ff6df3679a0(void)
50 ff
7ff6dfe5cb55 33 c0 XOR EAX,EAX
7ff6dfe5cb57 48 8b cb MOV RCX,RBX
7ff6dfe5cb5a 48 89 43 20 MOV qword ptr [RBX + 0x20],RAX
7ff6dfe5cb5e 48 89 43 28 MOV qword ptr [RBX + 0x28],RAX
7ff6dfe5cb62 89 43 30 MOV dword ptr [RBX + 0x30],EAX
7ff6dfe5cb65 48 89 43 40 MOV qword ptr [RBX + 0x40],RAX
7ff6dfe5cb69 48 89 43 48 MOV qword ptr [RBX + 0x48],RAX
7ff6dfe5cb6d 89 43 50 MOV dword ptr [RBX + 0x50],EAX
7ff6dfe5cb70 e8 1b dc CALL FUN_7ff6dfe5a790 undefined FUN_7ff6dfe5a790(void)
ff ff
7ff6dfe5cb75 48 8b c3 MOV RAX,RBX
7ff6dfe5cb78 48 89 5f 38 MOV qword ptr [RDI + 0x38],RBX
7ff6dfe5cb7c 48 8b 5c MOV RBX,qword ptr [RSP + local_res8]
24 30
7ff6dfe5cb81 48 83 c4 20 ADD RSP,0x20
7ff6dfe5cb85 5f POP RDI
7ff6dfe5cb86 c3 RET
LAB_7ff6dfe5cb87 XREF[3]: 7ff6dfe5cb40(j), 7ff6e552a55c(*),
7ff6e552a564(*)
7ff6dfe5cb87 48 8b d8 MOV RBX,RAX
7ff6dfe5cb8a 48 89 47 38 MOV qword ptr [RDI + 0x38],RAX
7ff6dfe5cb8e 48 8b 5c MOV RBX,qword ptr [RSP + local_res8]
24 30
7ff6dfe5cb93 48 83 c4 20 ADD RSP,0x20
7ff6dfe5cb97 5f POP RDI
7ff6dfe5cb98 c3 RET
LAB_7ff6dfe5cb99 XREF[3]: 7ff6dfe5cb1d(j), 7ff6e552a568(*),
7ff6e552a570(*)
7ff6dfe5cb99 48 8b 41 38 MOV RAX,qword ptr [RCX + 0x38]
7ff6dfe5cb9d 48 83 c4 20 ADD RSP,0x20
7ff6dfe5cba1 5f POP RDI
7ff6dfe5cba2 c3 RET
Finding FUNCTION_ISSUE_GET_GAME_INFO:
-------------------------------------
Note: this function is also called SC2_Handle_Request_GetGameInfo in Ghidra database
48 89 4C 24 ?? 55 53 56 57 41 54 41 56 48 8B EC
Note: the signature directly above points to the start of this function; just grab the function's offset.
Finding FUNCTION_SERIALIZE_GET_GAME_INFO:
-----------------------------------------
Note: this function is referred to as SC2_Function_Serialize_ResponseGameInfo in Ghidra database.
Procedure - first locate SC2_Function_ProtoBuf_Response_Handler (as per signature below) and then you are looking for the 9th (start counting from 1 not 0) comparison to find SC2_Function_Serialize_ResponseGameInfo
Finding DATA_BYTE_SC2API_RAWMODE:
---------------------------------
48 89 5C 24 ?? 55 56 57 41 54 41 55 41 56 41 57 48 8D AC 24 ?? ?? ?? ?? 48 81 EC 30 08 00 00
Note: the string "PowerSource" is also referenced in the function we seek (i.e., SC2_Function_that_References_BYTE_SC2API_RAWMODE), which references SC2_BYTE_ProtoBuf_SC2API_RawMode_Specifically_I_Think_or_A_Way_to_Bypass_Autodecode_Function.
Assembly to help -
**************************************************************
* *
* FUNCTION *
**************************************************************
undefined SC2_Function_Returns_Whether_SC2API_is_Active_
assume addrsize = 0x2
assume bit64 = 0x1
assume DF = 0x0
assume longMode = 0x1
assume opsize = 0x1
assume rexprefix = 0x0
undefined AL:1 <RETURN>
SC2_Function_Returns_Whether_SC2API_is_Active_ XREF[15]: FUN_7ff6de235920:7ff6de23598e(c),
FUN_7ff6de237350:7ff6de237365(c),
FUN_7ff6de237350:7ff6de237486(c),
FUN_7ff6de237620:7ff6de23762c(c),
SC2_Function_that_References_BYT <--- Note: trying to locate this function which is called SC2_Function_that_References_BYTE_SC2API_RAWMODE in Ghidra database
SC2_Function_that_References_BYT
SC2_Function_that_References_BYT
SC2_Calls_Function_That_Handles_
SC2_Calls_Function_That_Handles_
SC2_Calls_Function_That_Handles_
DEAD_7ff6de22ffa0:7ff6de23e265(c
DEAD_7ff6de22ffa0:7ff6de23e332(c
SC2_Handle_Request_GetGameInfo:7
FUN_7ff6de242410:7ff6de2425b2(c),
FUN_7ff6de35faa0:7ff6de35fc3b(c)
7ff6de40c9b0 0f b6 05 MOVZX EAX,byte ptr [SC2_BYTE_ProtoBuf_SC2API_RawMode
5a aa 6a 03
7ff6de40c9b7 c3 RET
More assembly to help -
**************************************************************
* *
* FUNCTION *
**************************************************************
undefined SC2_Function_that_References_BYTE_SC2API_RAWMO PowerSource
PowerSource
PowerSource
assume addrsize = 0x2
assume bit64 = 0x1
assume DF = 0x0
assume longMode = 0x1
assume opsize = 0x1
assume rexprefix = 0x0
undefined AL:1 <RETURN>
undefined8 Stack[0x20]:8 local_res20 XREF[21]: 7ff6de2383d8(*),
7ff6de2384c9(W),
7ff6de2384e5(*),
7ff6de2384f6(*),
7ff6de238507(*),
7ff6de238518(*),
7ff6de238529(*),
7ff6de23853a(*),
7ff6de23854b(*),
7ff6de238559(*),
7ff6de238567(*),
7ff6de238575(*),
7ff6de238583(*),
7ff6de238591(*),
7ff6de23859f(*),
7ff6de2385ad(*),
7ff6de2385bb(*),
7ff6de2385c9(*),
7ff6de2385f7(*),
7ff6de238666(*)
undefined4 Stack[0x18]:4 local_res18 XREF[2]: 7ff6de238262(*),
7ff6de238272(R)
undefined8 Stack[0x10]:8 local_res10 XREF[42]: 7ff6de23811a(*),
7ff6de23813e(*),
7ff6de2382c5(W),
7ff6de2382e1(*),
7ff6de2382f2(*),
7ff6de238303(*),
7ff6de238314(*),
7ff6de238325(*),
7ff6de238336(*),
7ff6de238347(*),
7ff6de238355(*),
7ff6de238363(*),
7ff6de238371(*),
7ff6de23837f(*),
7ff6de23838d(*),
7ff6de23839b(*),
7ff6de2383a9(*),
7ff6de2383b7(*),
7ff6de2383c5(*),
7ff6de2383d1(*)
undefined8 Stack[0x8]:8 local_res8 XREF[2]: 7ff6de238090(W),
7ff6de238955(R)
undefined1[16] Stack[-0x48] local_48 XREF[2]: 7ff6de2380af(W),
7ff6de23895d(R)
undefined1 Stack[-0x768 local_768 XREF[1]: 7ff6de2380a0(*)
undefined8 Stack[-0x7d0 local_7d0 XREF[1]: 7ff6de2381dc(W)
undefined8 Stack[-0x7d8 local_7d8 XREF[2]: 7ff6de2381bb(*),
7ff6de2381d9(*)
undefined8 Stack[-0x7e0 local_7e0 XREF[1]: 7ff6de2381cf(W)
undefined8 Stack[-0x7e8 local_7e8 XREF[1]: 7ff6de2381cb(W)
undefined8 Stack[-0x7f0 local_7f0 XREF[1]: 7ff6de2381c7(W)
undefined8 Stack[-0x7f8 local_7f8 XREF[1]: 7ff6de2381c3(W)
undefined8 Stack[-0x800 local_800 XREF[1]: 7ff6de2381bf(W)
undefined8 Stack[-0x808 local_808 XREF[1]: 7ff6de2381b7(W)
undefined8 Stack[-0x810 local_810 XREF[1]: 7ff6de2381b3(W)
undefined8 Stack[-0x818 local_818 XREF[3]: 7ff6de238191(*),
7ff6de2381b0(*),
7ff6de2381e8(*)
undefined1 Stack[-0x820 local_820 XREF[1]: 7ff6de238601(*)
undefined8 Stack[-0x828 local_828 XREF[4]: 7ff6de23846f(W),
7ff6de238484(*),
7ff6de23848e(*),
7ff6de2384a2(R)
undefined1 Stack[-0x830 local_830 XREF[1]: 7ff6de2381fb(*)
undefined8 Stack[-0x838 local_838 XREF[3]: 7ff6de238223(W),
7ff6de23872d(W),
7ff6de23890d(R)
undefined8 Stack[-0x840 local_840 XREF[4,2]: 7ff6de238217(W),
7ff6de238464(W),
7ff6de238728(W),
7ff6de238909(R),
7ff6de238206(R),
7ff6de238228(W)
undefined8 Stack[-0x848 local_848 XREF[8,1]: 7ff6de23820f(W),
7ff6de238234(*),
7ff6de23823e(R),
7ff6de238242(*),
7ff6de23845c(W),
7ff6de23847f(*),
7ff6de238717(W),
7ff6de238734(*),
7ff6de238723(W)
SC2_Function_that_References_BYTE_SC2API_RAWMODE XREF[2]: FUN_7ff6de236a10:7ff6de236a84(c),
7ff6e534e5e4(*)
7ff6de238090 48 89 5c MOV qword ptr [RSP + local_res8],RBX PowerSource
24 08 PowerSource
PowerSource
7ff6de238095 55 PUSH RBP
7ff6de238096 56 PUSH RSI
7ff6de238097 57 PUSH RDI
7ff6de238098 41 54 PUSH R12
7ff6de23809a 41 55 PUSH R13
7ff6de23809c 41 56 PUSH R14
7ff6de23809e 41 57 PUSH R15
7ff6de2380a0 48 8d ac LEA RBP=>local_768,[RSP + -0x730]
24 d0 f8
ff ff
7ff6de2380a8 48 81 ec SUB RSP,0x830
30 08 00 00
7ff6de2380af 0f 29 b4 MOVAPS xmmword ptr [RSP + local_48[0]],XMM6
24 20 08
00 00
7ff6de2380b7 4c 8b f1 MOV R14,RCX
7ff6de2380ba e8 61 48 CALL FUN_7ff6de40c920 undefined FUN_7ff6de40c920(void)
1d 00
7ff6de2380bf 45 33 ed XOR R13D,R13D
7ff6de2380c2 44 0f b6 f8 MOVZX R15D,AL
7ff6de2380c6 44 38 2d CMP byte ptr [null_01h_7ff6e157905a],R13B = 01h
8d 0f 34 03
7ff6de2380cd 75 05 JNZ LAB_7ff6de2380d4
7ff6de2380cf 41 8b fd MOV EDI,R13D
7ff6de2380d2 eb 0e JMP LAB_7ff6de2380e2
LAB_7ff6de2380d4 XREF[1]: 7ff6de2380cd(j)
7ff6de2380d4 33 d2 XOR EDX,EDX
7ff6de2380d6 41 0f b6 cf MOVZX ECX,R15B
7ff6de2380da e8 71 19 CALL FUN_7ff6dde49a50 undefined FUN_7ff6dde49a50(void)
c1 ff
7ff6de2380df 48 8b f8 MOV RDI,RAX
LAB_7ff6de2380e2 XREF[1]: 7ff6de2380d2(j)
7ff6de2380e2 49 8b ce MOV RCX,R14
7ff6de2380e5 e8 66 0b CALL FUN_7ff6de248c50 undefined FUN_7ff6de248c50(void)
01 00
7ff6de2380ea 41 0f b6 cf MOVZX ECX,R15B
7ff6de2380ee 33 d2 XOR EDX,EDX
7ff6de2380f0 48 8b d8 MOV RBX,RAX
7ff6de2380f3 83 48 10 01 OR dword ptr [RAX + 0x10],0x1
7ff6de2380f7 89 48 18 MOV dword ptr [RAX + 0x18],ECX
7ff6de2380fa 48 8b cf MOV RCX,RDI
7ff6de2380fd e8 de ad CALL FUN_7ff6ddd82ee0 undefined FUN_7ff6ddd82ee0(void)
b4 ff
7ff6de238102 83 4b 10 02 OR dword ptr [RBX + 0x10],0x2
7ff6de238106 ba 01 00 MOV EDX,0x1
00 00
7ff6de23810b 48 8b cf MOV RCX,RDI
7ff6de23810e 89 43 1c MOV dword ptr [RBX + 0x1c],EAX
7ff6de238111 e8 ca ad CALL FUN_7ff6ddd82ee0 undefined FUN_7ff6ddd82ee0(void)
b4 ff
7ff6de238116 83 4b 10 04 OR dword ptr [RBX + 0x10],0x4
7ff6de23811a 48 8d 95 LEA RDX=>local_res10,[RBP + 0x778]
78 07 00 00
7ff6de238121 48 8b cf MOV RCX,RDI
7ff6de238124 89 43 20 MOV dword ptr [RBX + 0x20],EAX
7ff6de238127 e8 b4 6f CALL FUN_7ff6ddd9f0e0 undefined FUN_7ff6ddd9f0e0(void)
b6 ff
7ff6de23812c 48 8d 97 LEA RDX,[RDI + 0xa74]
74 0a 00 00
7ff6de238133 8b 08 MOV ECX,dword ptr [RAX]
7ff6de238135 39 0a CMP dword ptr [RDX]=>DAT_00000a74,ECX
7ff6de238137 48 8b cf MOV RCX,RDI
7ff6de23813a 48 0f 4c c2 CMOVL RAX,RDX
7ff6de23813e 48 8d 95 LEA RDX=>local_res10,[RBP + 0x778]
78 07 00 00
7ff6de238145 8b 00 MOV EAX,dword ptr [RAX]
7ff6de238147 83 4b 10 08 OR dword ptr [RBX + 0x10],0x8
7ff6de23814b c1 f8 0c SAR EAX,0xc
7ff6de23814e 89 43 24 MOV dword ptr [RBX + 0x24],EAX
7ff6de238151 e8 6a 70 CALL FUN_7ff6ddd9f1c0 undefined FUN_7ff6ddd9f1c0(void)
b6 ff
7ff6de238156 ba 63 00 MOV EDX,0x63
00 00
7ff6de23815b 8b 08 MOV ECX,dword ptr [RAX]
7ff6de23815d 83 4b 10 10 OR dword ptr [RBX + 0x10],0x10
7ff6de238161 c1 f9 0c SAR ECX,0xc
7ff6de238164 89 4b 28 MOV dword ptr [RBX + 0x28],ECX
7ff6de238167 48 8b cf MOV RCX,RDI
7ff6de23816a e8 81 5e CALL FUN_7ff6dde5dff0 undefined FUN_7ff6dde5dff0(void)
c2 ff
7ff6de23816f 83 4b 10 20 OR dword ptr [RBX + 0x10],0x20
7ff6de238173 ba 44 00 MOV EDX,0x44
00 00
7ff6de238178 48 8b cf MOV RCX,RDI
7ff6de23817b 89 43 2c MOV dword ptr [RBX + 0x2c],EAX
7ff6de23817e e8 6d 5e CALL FUN_7ff6dde5dff0 undefined FUN_7ff6dde5dff0(void)
c2 ff
7ff6de238183 83 4b 10 40 OR dword ptr [RBX + 0x10],0x40
7ff6de238187 89 43 30 MOV dword ptr [RBX + 0x30],EAX
7ff6de23818a e8 21 b0 CALL FUN_7ff6de3631b0 undefined FUN_7ff6de3631b0(void)
12 00
7ff6de23818f 8b 08 MOV ECX,dword ptr [RAX]
7ff6de238191 48 8d 44 LEA RAX=>local_818,[RSP + 0x50]
24 50
7ff6de238196 81 4b 10 OR dword ptr [RBX + 0x10],0x80
80 00 00 00
7ff6de23819d 89 4b 34 MOV dword ptr [RBX + 0x34],ECX
7ff6de2381a0 b9 1f 00 MOV ECX,0x1f
00 00
7ff6de2381a5 66 66 66 NOP word ptr [RAX + RAX*0x1]
0f 1f 84
00 00 00
LAB_7ff6de2381b0 XREF[1]: 7ff6de2381d7(j)
7ff6de2381b0 4c 89 28 MOV qword ptr [RAX]=>local_818,R13
7ff6de2381b3 4c 89 68 08 MOV qword ptr [RAX + local_810],R13
7ff6de2381b7 4c 89 68 10 MOV qword ptr [RAX + local_808],R13
7ff6de2381bb 48 8d 40 40 LEA RAX=>local_7d8,[RAX + 0x40]
7ff6de2381bf 4c 89 68 d8 MOV qword ptr [RAX + local_800],R13
7ff6de2381c3 4c 89 68 e0 MOV qword ptr [RAX + local_7f8],R13
7ff6de2381c7 4c 89 68 e8 MOV qword ptr [RAX + local_7f0],R13
7ff6de2381cb 4c 89 68 f0 MOV qword ptr [RAX + local_7e8],R13
7ff6de2381cf 4c 89 68 f8 MOV qword ptr [RAX + local_7e0],R13
7ff6de2381d3 48 83 e9 01 SUB RCX,0x1
7ff6de2381d7 75 d7 JNZ LAB_7ff6de2381b0
7ff6de2381d9 4c 89 28 MOV qword ptr [RAX]=>local_7d8,R13
7ff6de2381dc 4c 89 68 08 MOV qword ptr [RAX + local_7d0],R13
7ff6de2381e0 e8 3b 47 CALL FUN_7ff6de40c920 undefined FUN_7ff6de40c920(void)
1d 00
7ff6de2381e5 0f b6 c8 MOVZX ECX,AL
7ff6de2381e8 4c 8d 44 LEA R8=>local_818,[RSP + 0x50]
24 50
7ff6de2381ed 33 d2 XOR EDX,EDX
7ff6de2381ef e8 6c c0 CALL FUN_7ff6de414260 undefined FUN_7ff6de414260(void)
1d 00
7ff6de2381f4 81 4b 10 OR dword ptr [RBX + 0x10],0x100
00 01 00 00
7ff6de2381fb 48 8d 4c LEA RCX=>local_830,[RSP + 0x38]
24 38
7ff6de238200 0f b7 c0 MOVZX EAX,AX
7ff6de238203 89 43 38 MOV dword ptr [RBX + 0x38],EAX
7ff6de238206 8b 44 24 2c MOV EAX,dword ptr [RSP + local_840+0x4]
7ff6de23820a 25 40 00 AND EAX,0x80000040
00 80
7ff6de23820f 44 89 6c MOV dword ptr [RSP + local_848],R13D
24 20
7ff6de238214 83 c8 40 OR EAX,0x40
7ff6de238217 c7 44 24 MOV dword ptr [RSP + local_840],0x1
28 01 00
00 00
7ff6de23821f 0f ba f0 1f BTR EAX,0x1f
7ff6de238223 48 89 4c MOV qword ptr [RSP + local_838],RCX
24 30
7ff6de238228 89 44 24 2c MOV dword ptr [RSP + local_840+0x4],EAX
7ff6de23822c e8 ef 46 CALL FUN_7ff6de40c920 undefined FUN_7ff6de40c920(void)
1d 00
7ff6de238231 0f b6 c8 MOVZX ECX,AL
7ff6de238234 48 8d 54 LEA RDX=>local_848,[RSP + 0x20]
24 20
7ff6de238239 e8 42 d1 CALL FUN_7ff6de415380 undefined FUN_7ff6de415380(void)
1d 00
7ff6de23823e 8b 44 24 20 MOV EAX,dword ptr [RSP + local_848]
7ff6de238242 48 8d 4c LEA RCX=>local_848,[RSP + 0x20]
24 20
7ff6de238247 81 4b 10 OR dword ptr [RBX + 0x10],0x200
00 02 00 00
7ff6de23824e 89 43 3c MOV dword ptr [RBX + 0x3c],EAX
7ff6de238251 e8 1a 90 CALL FUN_7ff6dddc1270 undefined FUN_7ff6dddc1270(void)
b8 ff
7ff6de238256 41 0f b6 cf MOVZX ECX,R15B
7ff6de23825a e8 11 42 CALL FUN_7ff6ddedc470 undefined FUN_7ff6ddedc470(void)
ca ff
7ff6de23825f 48 8b c8 MOV RCX,RAX
7ff6de238262 48 8d 95 LEA RDX=>local_res18,[RBP + 0x780]
80 07 00 00
7ff6de238269 e8 82 85 CALL FUN_7ff6de3007f0 undefined FUN_7ff6de3007f0(void)
0c 00
7ff6de23826e 84 c0 TEST AL,AL
7ff6de238270 74 10 JZ LAB_7ff6de238282
7ff6de238272 8b 85 80 MOV EAX,dword ptr [RBP + local_res18]
07 00 00
7ff6de238278 81 4b 10 OR dword ptr [RBX + 0x10],0x400
00 04 00 00
7ff6de23827f 89 43 40 MOV dword ptr [RBX + 0x40],EAX
LAB_7ff6de238282 XREF[1]: 7ff6de238270(j)
7ff6de238282 49 8b ce MOV RCX,R14
7ff6de238285 e8 66 0c CALL FUN_7ff6de248ef0 undefined FUN_7ff6de248ef0(void)
01 00
7ff6de23828a 48 8b c8 MOV RCX,RAX
7ff6de23828d 48 8b f0 MOV RSI,RAX
7ff6de238290 e8 3b 09 CALL FUN_7ff6de248bd0 undefined FUN_7ff6de248bd0(void)
01 00
7ff6de238295 41 0f b6 d7 MOVZX EDX,R15B
7ff6de238299 48 8b c8 MOV RCX,RAX
7ff6de23829c 4c 8b e0 MOV R12,RAX
7ff6de23829f e8 9c 07 CALL FUN_7ff6de238a40 undefined FUN_7ff6de238a40(void)
00 00
7ff6de2382a4 e8 07 47 CALL SC2_Function_Returns_Whether_SC2API_is_Active_ undefined SC2_Function_Returns_W <--- Note: this is the function call you are looking for
1d 00
7ff6de2382a9 48 8d 1d LEA RBX,[IMAGE_DOS_HEADER__7ff6dd700000]
50 7d 4c ff
...
Note: there are 3 different references in the function's assembly above. Look for the first reference: it will be an if check based on the return value of a function (the one we actually seek), which is located after 3 function calls, before the first switch/case block.
Signature for SC2_Function_I_Believe_is_Closely_Related_to_that_SC2API_RawMode_Function_That_Returns_a_Single_Byte:
-------------------------------------------------------------------------------------------------------------------
Note: appears not to be working on the macosx decompiled image (I can see why that would make sense... but then again... maybe that functionality was not there on the current older release I used of the macosx binary).
48 83 EC 28 80 3D ?? ?? ?? ?? 00 74 ?? 48 8B 0D ?? ?? ?? ?? 48 85 C9 74 ?? E8 ?? ?? ?? ?? 84 C0 74 ?? 48 8B 0D ?? ?? ?? ?? 48 85 C9 74 ?? E8 ?? ?? ?? ?? 84 C0 74 ??
\x48\x83\xEC\x28\x80\x3D\x2A\x2A\x2A\x2A\x00\x74\x2A\x48\x8B\x0D\x2A\x2A\x2A\x2A\x48\x85\xC9\x74\x2A\xE8\x2A\x2A\x2A\x2A\x84\xC0\x74\x2A\x48\x8B\x0D\x2A\x2A\x2A\x2A\x48\x85\xC9\x74\x2A\xE8\x2A\x2A\x2A\x2A\x84\xC0\x74\x2A
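The two lines above are the same pattern written in the two notations these notes use (the "??" form and the "\x2A" form), and several notes on this page hinge on whether a signature lands on exactly one place in a dump or on two or more candidates. The following is an added example, not part of the original notes: a small scanner that parses either notation, reports every match offset in a byte buffer and decodes a little-endian pointer slot like the ones in the listings; the sample dump, its offsets and the doubled-dump case are constructed for the demo. This is the same check a memory-forensics or YARA-style workflow applies to decide whether a byte signature is specific enough to be trusted.

```python
import re
from typing import List, Optional

# Constructed sample "dump" (not a real SC2 image): CC padding, one copy of a
# prologue shaped like the notes' Find UnitType signature, more padding, then
# an 8-byte little-endian pointer slot written the way the listings show it.
SAMPLE_DUMP = (
    b"\xcc" * 16
    + bytes.fromhex("4883ec284885c9750a33c04883c428c3f6411001")
    + b"\xcc" * 16
    + bytes.fromhex("f005e1dff67f0000")
)
POINTER_SLOT_OFFSET = 52  # 16 + 20 + 16, where the constructed pointer slot starts
UNIT_TYPE_SIG = "48 83 ec ?? 48 85 c9 75 ?? 33 c0 48 83 c4 ?? c3 f6 41 ?? 01"

# The same signature in the two notations used in the notes (wrap spaces included).
SIG_QQ = ("48 83 EC 28 80 3D ?? ?? ?? ?? 00 74 ?? 48 8B 0D ?? ?? ?? ?? 48 85 C9 74 ?? "
          "E8 ?? ?? ?? ?? 84 C0 74 ?? 48 8B 0D ?? ?? ?? ?? 48 85 C9 74 ?? E8 ?? ?? ?? ?? 84 C0 74 ??")
SIG_BACKSLASH = (r"\x48\x83\xEC\x28\x80\x3D\x2A\x2A\x2A\x2A\x00\x74\x2A\x48\x8B\x0D\x2A\x2A\x2A\x2A "
                 r"\x48\x85\xC9\x74\x2A\xE8\x2A\x2A\x2A\x2A\x84\xC0\x74\x2A\x48\x8B\x0D\x2A\x2A\x2A "
                 r"\x2A\x48\x85\xC9\x74\x2A\xE8\x2A\x2A\x2A\x2A\x84\xC0\x74\x2A")


def parse_signature(text: str) -> List[Optional[int]]:
    r"""Turn either notation into a list of byte values, None for a wildcard.

    In the backslash notation \x2A doubles as the wildcard, so a literal 0x2A
    byte cannot be expressed there; the "??" notation has no such ambiguity.
    """
    if "\\x" in text:
        # findall skips the stray spaces that line wrapping leaves in the escaped form
        tokens = re.findall(r"\\x([0-9A-Fa-f]{2})", text)
        return [None if t.upper() == "2A" else int(t, 16) for t in tokens]
    return [None if tok in ("??", "?") else int(tok, 16) for tok in text.split()]


def to_regex(pattern: List[Optional[int]]) -> "re.Pattern[bytes]":
    """Compile a parsed pattern into a bytes regex; the lookahead makes overlapping matches visible."""
    body = b"".join(b"." if b is None else b"\\x%02x" % b for b in pattern)
    return re.compile(b"(?=" + body + b")", re.DOTALL)  # DOTALL: "." must match 0x0a too


def scan(buf: bytes, signature: str) -> List[int]:
    """All offsets in buf where the signature matches."""
    return [m.start() for m in to_regex(parse_signature(signature)).finditer(buf)]


def is_unique(buf: bytes, signature: str) -> bool:
    """True only when the signature lands on exactly one place in the dump."""
    return len(scan(buf, signature)) == 1


def read_le_qword(buf: bytes, offset: int) -> int:
    """Decode the 8 little-endian bytes of a pointer slot, e.g. f0 05 e1 df f6 7f 00 00."""
    return int.from_bytes(buf[offset:offset + 8], "little")


if __name__ == "__main__":
    hits = scan(SAMPLE_DUMP, UNIT_TYPE_SIG)
    print("hits:", [hex(h) for h in hits], "unique:", is_unique(SAMPLE_DUMP, UNIT_TYPE_SIG))
    print("pointer slot:", hex(read_le_qword(SAMPLE_DUMP, POINTER_SLOT_OFFSET)))
    # Two copies of the same prologue is the "two possibilities, which one is it?" case from the notes.
    print("doubled dump unique:", is_unique(SAMPLE_DUMP + SAMPLE_DUMP, UNIT_TYPE_SIG))
```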
Finding SC2_API_Another_Checker_Function:
-----------------------------------------
48 83 EC 28 80 3D ?? ?? ?? ?? 00 74 ?? 48 8B 0D ?? ?? ?? ?? 48 85 C9 74 ?? E8 ?? ?? ?? ?? 84 C0 74 ?? 48 8B 0D ?? ?? ?? ?? 48 85 C9 74 ?? E8 ?? ?? ?? ?? 84 C0 75 ??
Note: this function will have the first 3 'check' variables as well as the 4th one near the end of the function.
Finding SC2_API_BYTE_CHECKER4:
------------------------------
48 89 5C 24 ?? 57 48 83 EC 30 80 3D ?? ?? ?? ?? 00 48 8B FA 48 8B D9 75 ?? 48 8B 02 48 89 01 48 8B C1 48 8B 5C 24 ?? 48 83 C4 30 5F C3 E8 ?? ?? ?? ?? 84 C0
Note: two matches with the above signature. Both functions appear similar, and I believe they both check the same byte value in their outermost if statement.
Finding DATA_DWORD_SC2API_IsObserver:
-------------------------------------
8B 15 ?? ?? ?? ?? 33 15 ?? ?? ?? ?? 44 8B 05 ?? ?? ?? ?? 81 F2 EE 6A 69 C1 44 33 05 ?? ?? ?? ?? 44 8B 0D ?? ?? ?? ?? 89 54 24 ?? 44 89 44 24 ?? 48 8B 44 24 ?? 8B 08
Note: this will return ~6-7 hits
Note: arggg... I gave up trying to find this in the latest IDA database...
Finding FUNCTION_ACTIVATE_REPLAY_WATCHING_STATE:
------------------------------------------------
48 83 EC 28 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 45 33 C9
Note: this signature should take you directly to the start of the function of interest
Finding FUNCTION_ISSUE_TARGET_ORDER:
------------------------------------
40 55 41 56 48 8d 6c 24 d8 48 81 ec 28 01 00 00
Note: this signature should take you directly to the start of the function of interest
Find CRC32s (Note: currently see 24 different instances of this opcode):
------------------------------------------------------------------------
Note: oddly the following string often shows up around said found functions "Af%X!Sdy"
F2 ?? 0F 38
Find SC2_API_MapHack_Related_DATA_BYTE_Patch_Function:
------------------------------------------------------
CC 80 ?? ?? ?? ?? ?? 10 0F 95 C0 C3
41 88 B4 ?? ?? ?? ?? ?? 40 88 B7 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8D 4C 24 ??