The plot thickens! (slightly).
I've found the 3 locations where the function I posted about is called. Here they are:
#1:
Code:
___:005204D8 push 4
___:005204DA push 43083DBEh
___:005204DF push offset a56272884ac87c6 ; some random string of numbers
___:005204E4 push 26AFh
___:005204E9 push offset sub_51FF20 ; THIS IS THE ADDRESS OF THE FUNCTION
___:005204EE lea edx, [esp+4D4h]
___:005204F5 push edx
___:005204F6 call sub_729662
#2 (almost exactly the same):
Code:
___:0052051C push 4
___:0052051E push 43083DBEh
___:00520523 push offset a56272884ac87c6
___:00520528 push 26AFh
___:0052052D push offset sub_51FF20 ; Address of function
___:00520532 lea edx, [esp+4D4h]
___:00520539 push edx
___:0052053A call sub_729662
#3 (This is different and is embedded in some hackshield stuff itself):
Code:
___:0052069A loc_52069A:
___:0052069A push offset sub_51FB00
___:0052069F push offset loc_5200C0
___:005206A4 push offset sub_51FF20 ; Our function
___:005206A9 push 3
___:005206AB call sub_729AA1
___:005206B0 add esp, 10h ; I stopped adding NOPs after this
___:005206B3 push offset aHackshieldInit ; "Hackshield initialized succeessfully" (!!)
___:005206B8 mov byte_806B18, 1
___:005206BF call loc_4612B0
___:005206C4 push eax
___:005206C5 call sub_461060
___:005206CA add esp, 8
So, I've filled in those 3 spots with NOPs and the game is crashing. Bleh. Are packed addresses different from unpacked ones? (sorry if the answer to this question is painfully obvious, it's not to me)
Edit: by the way the only reason I care about this HS stuff is to make my D3D hooks work, a lot of stuff seems to be detected now.