I think it's pretty cool.
Just one question though (since I have like zero knowledge of "hacking" into games like this): if the game engine code was changed enough, wouldn't that change the executable and you'd need to find all the addresses all over again?
Sooort of. We don't statically link our addresses, at least not after we finish debugging and stuff. We do what's called signature scanning, where it searches through the executable to find machine code we ask it to, then returns the address it's at. So we find the 'signature' for the assembly at the start of a specific function, then when the DLL gets injected it searches through the executable and finds that function. The only way this would break is if the machine code of the signature changed, meaning Badspot directly modified the beginning of the function we're looking for.
For example, this is the code I use to find the address of the function inside Blockland to register a Torque function that returns an integer:
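typedef void (WINAPI *aFunc)(const char* className, const char* funcName, void *func, const char* usage, DWORD minArgs, DWORD maxArgs);
aFunc addIntFunction; // address inside Blockland.exe for Con::addCommand (int)
// 'x' in the mask means the byte must match; '?' skips the 4-byte address operand
DWORD setup = findPattern("\x83\xEC\x0C\x56\x8B\x35\x00\x00\x00\x00\x85\xF6", "xxxxxx????xx");
// read the 32-bit relative offset stored at setup+0xA0 and add it to the address right after it (setup+0xA4)
addIntFunction = (aFunc)(setup+0xA4+*(int *)(setup+0xA0));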
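An added example, not the poster's code or anything from Blockland: a minimal masked byte-pattern scan in C, run over three constructed buffers to show why the signature still matches when a rebuild moves the function or changes the wildcarded address, and why it stops matching once a masked-in byte changes. The names `find_pattern` and `count_matches` and the sample buffers are assumptions; only the signature bytes and mask come from the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offset of the first match of sig/mask in buf, or -1 if none.
   mask[i] == 'x': sig[i] must match; '?': any byte is accepted. */
long find_pattern(const unsigned char *buf, size_t len,
                  const unsigned char *sig, const char *mask)
{
    size_t n = strlen(mask);
    if (n == 0 || len < n) return -1;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (mask[j] == '?' || buf[i + j] == sig[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* A usable signature matches exactly once; count hits to check that. */
size_t count_matches(const unsigned char *buf, size_t len,
                     const unsigned char *sig, const char *mask)
{
    size_t count = 0, pos = 0;
    long hit;
    while (pos < len && (hit = find_pattern(buf + pos, len - pos, sig, mask)) >= 0) {
        count++;
        pos += (size_t)hit + 1;
    }
    return count;
}

/* Signature and mask from the post: sub esp,0Ch / push esi / mov esi,[addr] / test esi,esi */
static const unsigned char SIG[] = {0x83,0xEC,0x0C,0x56,0x8B,0x35,0,0,0,0,0x85,0xF6};
static const char MASK[] = "xxxxxx????xx";

/* Constructed sample buffers, not bytes taken from any real executable. */
static const unsigned char build_a[] = {0x90,0x90,0xC3,                 /* original layout */
    0x83,0xEC,0x0C,0x56,0x8B,0x35,0x10,0x20,0x40,0x00,0x85,0xF6,0xC3};
static const unsigned char build_b[] = {0x90,0x90,0x90,0x90,0x90,0xC3,  /* moved, new address */
    0x83,0xEC,0x0C,0x56,0x8B,0x35,0x78,0x56,0x34,0x12,0x85,0xF6,0xC3};
static const unsigned char build_c[] = {0x90,0x90,0xC3,                 /* prologue edited */
    0x83,0xEC,0x10,0x56,0x8B,0x35,0x10,0x20,0x40,0x00,0x85,0xF6,0xC3};

int main(void)
{
    printf("build A: %ld\n", find_pattern(build_a, sizeof build_a, SIG, MASK));
    printf("build B: %ld\n", find_pattern(build_b, sizeof build_b, SIG, MASK));
    printf("build C: %ld\n", find_pattern(build_c, sizeof build_c, SIG, MASK));
    return 0;
}
```

The same matching logic is what makes short or generic signatures unreliable: a pattern that hits more than once gives no guarantee the first hit is the intended function, which is why `count_matches` is worth running when a signature is chosen.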