ShellShock Live Ruler (Example Project)

This repository is inactive and does not work with current versions of ShellShock Live. It is a reference implementation for dynamic games where memory pointers are deeply nested, unstable, or not discoverable via classic pointer scans.

Goal & Context

The project started as a reverse-engineering exercise on a simple Unity game. The goal was to identify player objects despite obfuscated names and missing stable pointers, reconstruct the game state, and render a predictive trajectory overlay.

How It Works (Short Version)

1. Pattern Scan
   A runtime-generated function (for example, the player update routine) is located via signature/pattern scan once the game mode is active.
2. Code Injection
   A jump is injected at the function entry. The hook writes live player addresses into a known memory buffer on each call.
3. Extraction & Reconstruction
   The extracted addresses are used to read player, terrain, and weapon data, which then drives collision checks, trajectory calculations, and the overlay render.

The key idea is to anchor on dynamic functions instead of static pointers when the memory layout is volatile.

Pattern Scan & Injection Details

Finding the Hook Location

The player update routine is generated at runtime by the game/Mono JIT, so a classic static pointer scan is unreliable. The typical workflow is:

• Wait until the game mode creates the function.
• Search memory for a stable byte signature near the routine (pattern scan).
• Compute the entry point and hook offset from that signature.

In this repository the resolved address is represented by a pointer chain: MonoDLL + 0x1F795C plus OffsetsPositionUpdateFunction, then + 0x77C. That chain stands in for the pattern scan result that would be re-derived after each game update.

What the Injected Code Does

The injected stub (see app/Game.cpp) does three things:

1. Preserves registers, then writes the current EAX value (the player object pointer at that moment) into a ring buffer.
2. Restores registers and executes the original bytes that were overwritten by the hook.
3. Jumps back to continue normal game execution.

This turns a volatile, short-lived pointer into a stable stream of addresses the tool can read every frame.

Why This Enables More Than Pointer Scans

The player objects are not reachable through a reliable static pointer chain. By intercepting the update function, the tool receives fresh, valid object addresses on each call. That makes it possible to:

• Enumerate all active players.
• Track changing values (position, weapon, wind) in real time.
• Reconstruct trajectory physics and draw a predictive overlay.

Project Structure

• app/ Main C++/Win32/GDI+ project, Visual Studio solution: app/ExShellShockDigitalRuler.sln
• gui test app/ Separate test solution for UI/overlay experiments
• doc/ Notes, diagrams, and assets documenting memory relationships

Build & Run

Visual Studio (recommended):

1. Open app/ExShellShockDigitalRuler.sln
2. Select Debug/Release and x86/x64
3. Build

Historical flow:

1. Launch the game and enter a mode that creates the target function.
2. Start the tool and run the pattern scan.
3. The hook records addresses; the overlay draws the predicted path.

Screenshots & Diagrams

Overlay preview in a live match: predicted trajectory and hit markers. Alternative angle showing the same overlay pipeline in action. Original loading screen captured during early tests.

Hook flow: where the update routine is intercepted and how addresses are written into the buffer. Memory map and relationships between extracted objects, offsets, and custom classes. This is the core reverse-engineering outcome.

Notes & Limits

• This project is not compatible with current game versions.
• Offsets and patterns are brittle and must be updated frequently.
• Intended for learning and reference only.