Spent some time looking into the Elite Dangerous binaries lately and saw your post on picking apart the FSD charge logic. It is a massive step from basic Cheat Engine pointer scanning to real reverse engineering, and honestly, IDA Pro is a beast that takes more than a weekend to tame.
When you are staring at a massive game binary without a starting point for addresses like fuel consumption or FSD drop-off, don't just hunt for values in memory. You need to leverage strings and cross-references (XREFs) to find your way into the subroutines.
- String References: Start by opening the binary in IDA and looking for strings related to your target logic (e.g., "FSD_Charging", "Hyperspace", or generic UI messages). The game engine often logs these to debug consoles or uses them for UI state triggers. Find where these strings are referenced in code, and you are immediately inside the game's state machine.
- Function Signatures: If you have a known function from a previous dump or a public sig, look for similar patterns of opcodes. Elite uses a complex object-oriented architecture; most game logic is nested deep in manager classes.
- Static Analysis vs. Dynamic: Use Cheat Engine to attach as a debugger to find the instruction accessing a value, then note the address offset. Jump to that exact address in IDA. If it is obfuscated or virtualized, your job gets a lot harder, but you are at least looking at the right module.
- Tracing Logic: Once you have a potential function in IDA, use the graph view to map out the branches. If you see a lot of JNE/JE instructions checking a flag, that is almost certainly your logic gate for state transitions.
Stop trying to find every single address manually. Look for the 'PlayerComponent' or 'ShipState' structures. Once you find the base structure in memory, you can dump the entire class definition, which makes finding the FSD logic a matter of reading through the struct members rather than guessing assembly offsets.
It is definitely a grind, but learning to read the disassembly beats relying on copy-pasted scripts any day. While others are searching for outdated tables that break every update, you'll have the knowledge to re-base your logic as soon as the binary shifts.
How far along are you in mapping out the ShipState structure? Has anyone else here successfully hooked the FSD state machine without triggering a server-side flag?