So Loop EUPs (link) have given us light memory editing ability, though restrictions such as execution time and map size still prevent us from...

A) Venturing far from the death/unit tables
B) Editing all addresses around the death/unit tables (due to restrictions on the give trigger)
C) Editing an address by more than a few thousand

https://code.google.com/p/bwapi/source/browse/trunk/bwapi/BWAPI/Source/BW/CUnit.h#40

In the carrier struct, there is a pointer, BW::CUnit *pInHanger, this can potentially be changed with loop EUPs, the carrier can then be operated on changing values where starcraft believes an interceptor is located (i'll refer to this as "interceptor"), then changed back with loop EUPs, I have thought of a number of ways this could be harassed...

- Move carrier, with every value for x and every value for y potentially reachable on the map, moving the carrier may set the coordinates of the "interceptor" giving us a full 4-byte set operation (does not work, interceptors do not change coordinates immediately)
- Move carrier to change target coordinates of "interceptor" (doesn't work in same cycle, iffy usage)
- Give carrier
    - Variation 0: gives the unit inside carrier regardless of its unitID/player (confirmed)
    - Variation 1: set interceptor pointer to death table, modify player and unitID freely (confirmed)
    - Variation 2: set interceptor pointer to a byte you want to clear, by giving the carrier the player value in the "interceptor" changes changing the targeted byte to a value 0-11
    - Variation 3: increment the number of interceptors contained in the carrier and make the interceptor list circularly linked, allowing fast changes (does not work, verifies player change for each individual give)

Combining these operations we can do interesting things.

Getting the value of the string table pointer: determine the value of the highest byte (256 triggers), set it to 0 using variation 2, determine the next highest byte... and so on
Putting the value of the string table pointer in an input function pointer: move the carrier to a position representative of the value determined in the previous sentence, using location sliding from original EUP thread if necessary
Executing code from string section (executes after user clicks or key presses or something)


For quick ref, with 1-based players:

All Unit Counts Table:
48*UnitID + 4*Player + 5776160 (Placed/Given Unit)

Completed Unit Counts Table:
48*UnitID + 4*Player + 5787104 (Placed/Given Unit)

Killed Unit Counts Table:
48*UnitID + 4*KillingPlayer + 5798052 (Adds After Kill)

Death Counts Table:
48*UnitID + 4*Player + 5808992 (Adds After Death)

Other avenues to explore (in order of promise): held powerups, subunits, scarabs, addons

Post has been edited 11 time(s), last time on May 7 2014, 7:57 am by jjf28.