Relevant assembly:
$ > 94D3A705 PUSH hw.05A7D394 ; ASCII "glBegin"
$+5 > E8 99C80500 CALL <JMP.&SDL2.SDL_GL_GetProcAddress>
$+A > 83C4 04 ADD ESP,4
$+D > A3 04E03B06 MOV DWORD PTR DS:[63BE004],EAX
$+12 > 8B0D 04E03B06 MOV ECX,DWORD PTR DS:[63BE004] ; OPENGL32.glBegin
$+18 > 890D 38E83B06 MOV DWORD PTR DS:[63BE838],ECX
The first line pushes a string address onto the stack as a function argument, and the last line copies the value from ECX into this DWORD data object. This address is my target. I want to replace the DWORD value it contains.
In my C++ code I first obtain the address of the first line's push instruction and then add an offset. By adding the offset 0x1A the code works, but when I try adding 0x18 it doesn't.
I don't fancy testing this for every function, what is the underlying idea that I'm missing?
$+18 > 890D 38E83B06 MOV DWORD PTR DS:[63BE838],ECX
The instruction MOV DWORD PTR DS:[63BE838],ECX
starts at +18h from your start point, but the address itself that is hardcoded in the instruction starts 2 bytes later:
890D 38E83B06
38E83B06
in reverse byte order: 063be838. Ollydbg separates this visually nicely for you.
When trying to get the offset of a constant in an instruction you have to look at the bytecode (second row in ollydbg). You will find your constant embedded there and have to take the offset from the beginning of the instruction.
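The point above, as an added example that is not part of the question or the answer: the bytes of the six instructions in the listing are constructed here from the page's own hex dump, and the two helpers (`abs32_operand_offset` and `find_le32`, both names chosen for this example) show why the 32-bit address operand sits at instruction start + 1 for the `A3` (MOV moffs32,EAX) and `68` (PUSH imm32) forms but at instruction start + 2 for the `89 0D` / `8B 0D` forms, where a ModRM byte (mod=00, rm=101, i.e. a disp32 with no base register) precedes the displacement. That is why +0x18 (the instruction start) gives the wrong value and +0x1A (the operand) gives the right one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed from the listing on the page: the six instructions, in order.
   Offsets in the comments are relative to the PUSH at $. */
static const uint8_t code[] = {
    0x68, 0x94, 0xD3, 0xA7, 0x05,       /* $    PUSH 05A7D394        */
    0xE8, 0x99, 0xC8, 0x05, 0x00,       /* $+5  CALL rel32           */
    0x83, 0xC4, 0x04,                   /* $+A  ADD ESP,4            */
    0xA3, 0x04, 0xE0, 0x3B, 0x06,       /* $+D  MOV [063BE004],EAX   */
    0x8B, 0x0D, 0x04, 0xE0, 0x3B, 0x06, /* $+12 MOV ECX,[063BE004]   */
    0x89, 0x0D, 0x38, 0xE8, 0x3B, 0x06  /* $+18 MOV [063BE838],ECX   */
};

/* Read a 32-bit little-endian value, i.e. undo the "reverse byte order"
   the answer describes. */
uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* For the opcode forms that appear on the page, return the byte offset
   (within the instruction) of the 32-bit absolute address operand, or -1
   if the form is not one handled here. */
int abs32_operand_offset(const uint8_t *insn)
{
    switch (insn[0]) {
    case 0x68:             /* PUSH imm32: immediate directly after opcode */
    case 0xA1: case 0xA3:  /* MOV EAX,moffs32 / MOV moffs32,EAX: no ModRM */
        return 1;
    case 0x89: case 0x8B: { /* MOV r/m32,r32 / MOV r32,r/m32: ModRM byte */
        uint8_t modrm = insn[1];
        /* mod=00 with rm=101 means "disp32 only" in 32-bit mode, so the
           address starts right after the ModRM byte. */
        if ((modrm >> 6) == 0 && (modrm & 7) == 5)
            return 2;
        return -1;
    }
    default:
        return -1;
    }
}

/* Brute-force cross-check: scan a byte buffer for the little-endian
   encoding of value and return its offset, or -1 if absent. */
long find_le32(const uint8_t *buf, size_t len, uint32_t value)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (read_le32(buf + i) == value)
            return (long)i;
    return -1;
}

int main(void)
{
    size_t insn_start = 0x18;                    /* the MOV [063BE838],ECX */
    int inner = abs32_operand_offset(code + insn_start);
    printf("operand offset within instruction: %d\n", inner);
    printf("offset from $ to the embedded address: 0x%zX\n",
           insn_start + (size_t)inner);
    printf("value at +0x18 (instruction start): %08X\n", read_le32(code + 0x18));
    printf("value at +0x1A (operand):           %08X\n", read_le32(code + 0x1A));
    printf("scan finds 063BE838 at: 0x%lX\n",
           find_le32(code, sizeof code, 0x063BE838u));
    return 0;
}
```

`abs32_operand_offset` deliberately covers only the encodings visible in the listing; for arbitrary instructions a full decoder (or the bytecode column in the debugger, as the answer says) is needed, but the rule is the same: the operand offset is the instruction start plus the length of the opcode and any ModRM/SIB bytes in front of the immediate.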