Question

I'm using a memory editing application known as Cheat Engine. I attach Cheat Engine to a game. In my game, I have a 32-bit integer known as HP. HP is stored at a memory address A. If I restart my game, HP is stored at a new memory address B. It seems that using Cheat Engine, I can do a pointer scan and find a static memory address, C, that points to another memory address, D, and an accompanying offset, so that [D + offset] always stores HP's memory address during that session. So if I dereference [D + offset], I always get the memory address that stores HP.

Here is a diagram:

A or B --> HP

D + offset --> A or B

C --> D

What is the benefit of using offsets? Why can't C just point to A or B directly? I'm aware that using offsets is beneficial when dealing with arrays in the C language. Does that mean that whenever I see an offset to a pointer, the pointer is pointing to the first element in an array and the offset is referring to one of the elements in the array?


Solution

It should be easy to imagine and understand if you know the C programming language. Anything you write in C is very close to the actual machine code that gets generated when compiling the program.

The abstraction of an object in C is often done with a "struct".

In your example imagine a very simple "Player" struct:

struct Player {
    int id;
    float xposition;
    float yposition;
    int health;
    int maxhealth;
};

If you want to create an object like this you could do something like this:

struct Player *myPlayer = malloc(sizeof(struct Player));

What is a nice-looking structured thing in the high-level language is actually just a block of memory in a compiled program.

To access for example "health" you do myPlayer->health; in C. But now how does this look in a compiled program that doesn't know about the beautiful names and just has a block of memory to work with?

It has to work with offsets from the base pointer. In the above example (assuming the Windows operating system and any default-configured sane compiler) an access in some pseudo machine code will look something like this:

move myHealth, read4bytes[myPlayer + 12]

If you reverse-engineer a program, you can't tell from an offset-access whether the block of memory was a struct, an array, or maybe a class (from C++ code) or something entirely different.
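The layout described in the answer, carried through in C as an added example (not code from the original answer): it computes the offset of "health" the way the compiler does, then reads HP through a static pointer plus offset exactly as the pointer-scan chain C -> D -> [D + offset] in the question describes. The `GameState` global standing in for the static address C, and the helper names, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The answer's Player struct: int(4) + float(4) + float(4) puts health at offset 12. */
struct Player {
    int id;
    float xposition;
    float yposition;
    int health;
    int maxhealth;
};

/* Hypothetical static game object (the scan's "C"): its first field holds
 * the heap address of the current Player (the scan's "D"). */
struct GameState {
    struct Player *player;   /* at offset 0 of the static object */
};

static struct GameState g_game;   /* static address, same every run */

/* Offset of "health" inside Player, computed as the compiler lays it out. */
size_t health_offset(void) {
    return offsetof(struct Player, health);   /* 12 on the usual ABIs */
}

/* Raw reads at base + offset: all a memory editor has is a block of bytes,
 * so these helpers deliberately know nothing about struct field names. */
static const void *read_pointer(const void *base, size_t offset) {
    void *p;
    memcpy(&p, (const unsigned char *)base + offset, sizeof p);
    return p;
}
static int32_t read4bytes(const void *base, size_t offset) {
    int32_t v;
    memcpy(&v, (const unsigned char *)base + offset, sizeof v);
    return v;
}

/* Follow the chain the pointer scan reports: [C + 0] gives D, [D + 12] gives HP. */
int32_t hp_via_pointer_chain(void) {
    const void *d = read_pointer(&g_game, 0);
    return read4bytes(d, health_offset());
}

/* Allocate a fresh Player (a different heap address each time, like A vs. B
 * across restarts) and hook it into the static object. */
struct Player *spawn_player(int hp) {
    struct Player *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->id = 1; p->xposition = 0.0f; p->yposition = 0.0f;
    p->health = hp; p->maxhealth = 100;
    g_game.player = p;
    return p;
}
```

Because the chain is resolved at read time, the same static address plus the same offsets keeps finding HP even after the Player object moves.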

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow