【Game Reversing】Analysis of player traversal in Crossout ("Creation Chariot")

In this kind of FPS game the player's HP is not very important in itself, but if you want to analyze the other information in the player object, HP is still the entry point you have to start from.

However, the test drive area rarely produces any combat (tank attacks and the like), so HP can only be scanned in normal matchmaking battles, and in matchmaking the enemy units are not going to sit still and let us scan their HP. We therefore have to use the character's own object as the entry point.

The previous article contains an analysis of the character object, which we use directly here. Set an access breakpoint on the character's HP; when the HP goes up or down the game breaks almost immediately (as shown in the figure). Because many pieces of code access this address, the break location may differ from run to run. After returning from the break, keep analyzing upwards until you reach an array (as shown in the figure). At 012FDE46, the edi in dword ptr [ecx+edx*4] is always -1, so only the array that follows needs to be analyzed. Tracing ecx upwards directly gives the base address [1FC76AC].

Continuing to trace the source of edi, we reach lea edx, [eax+eax*2] at 012FDE31 (eax*3 dwords, i.e. 0C bytes per entry), preceded by add eax, 2AAD and, before that, and eax, 0FFF, which together give the source of the array index.

Sorting this out gives the following formulas (all values are hexadecimal; following the and/add order above, the index is (ID & 0FFF) + 2AAD and each entry is 0C bytes wide):

[[Crossout.exe+0F876AC]+((ID&0FFF)+2AAD)*C]+0BC    HP
[[Crossout.exe+0F876AC]+((ID&0FFF)+2AAD)*C]+0C0    Max HP
[[Crossout.exe+0F876AC]+((ID&0FFF)+2AAD)*C]+02B0   X
[[Crossout.exe+0F876AC]+((ID&0FFF)+2AAD)*C]+02B4   Z
[[Crossout.exe+0F876AC]+((ID&0FFF)+2AAD)*C]+02B8   Y

When the access breakpoint is hit, the location where each different accessing instruction breaks is also different, but the traversal code they all lead back to is the same.


Source: blog.csdn.net/douluo998/article/details/130649747