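"""find_parent_null_writes.py

Scan the .text section for instructions that null the field at offset +0x40
of any register-pointed structure (CPhysicsObj's parent field).

Patterns:
  c7 4? 40 00 00 00 00            mov dword ptr [reg+0x40], 0
  89 4? 40                        mov [reg+0x40], reg
                                  (a null write only if the source register
                                  was zeroed first, e.g. by xor; that check
                                  would still be needed)
  c7 8? 40 00 00 00 00 00 00 00   mov dword ptr [reg+0x40], 0 with disp32

Reports each match's VA + 16 bytes of surrounding context.

Note: these are raw byte patterns, not a disassembly, so a match can start
in the middle of another instruction or its operands. A ModRM byte whose r/m
field is 100 (e.g. 44, 84) is followed by a SIB byte, so the 40 after it is
then not the displacement. Confirm each reported VA in a disassembler before
treating it as a write to the parent field.
""" import struct, sys def parse_pe(path): with open(path, 'rb') as f: data = f.read() pe_off = struct.unpack_from('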