You don't need to let it crash, you can unhook a hooked function in itself, call itself, save the return value, rehook it and just return the saved value, so for the engine it's like nothing happened.
Example from
PHP Code:
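    #include <cstdio>
    #include <cstring>

    static int size_all = 0;
    static int i = 0;
    cHook *hook_MSG_WriteBigString; // hook installed on the engine's MSG_WriteBigString

    void MSG_WriteBigString(int *MSG, char *s)
    {
        int len;
        len = strlen(s);
        printf("i=%d size_all=%d len=%d MSG=%p %s\n", i, size_all, len, (void *)MSG, s);
        size_all += len;
        i++;

        // Remove the hook so the call below reaches the engine's original code
        hook_MSG_WriteBigString->unhook();
        void (*sig)(int *MSG, char *s);
        *(int *)&sig = 0x0806825E; // address of the original function
        sig(MSG, s);
        // Put the hook back so the next call is intercepted again
        hook_MSG_WriteBigString->hook();
    }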
And instead of writing the hardcoded address (*(int *)&sig = 0x0806825E;), you can take the value of hook_MSG_WriteBigString->from.
For finding stuff you want: e.g. at the start of libcod I wanted to find a script function ("closer" because it was easy to reimplement and I actually never used it) and I had no clue about anything, since cracking was totally new to me. I started with some C knowledge and WinHex, like this:
At first I searched the plain string in WinHex: let's say it was at file offset 0x12345.
Then you go to that file address in IDA (some option in the menu) and then IDA shows you the actual memory address of that file offset, let's say 0xaabbccdd is "closer". But the address wasn't linked anywhere, but it had to be linked somewhere I thought, so I searched the hex numbers of it in WinHex with no success, till I reversed them (0xddccbbaa), since x86 is using little-endianness. That way I found the actual table which holds the string->function address relations and I could slowly decompile all kinds of glued C functions to the script engine e.g.
On the other hand you could just search an error string from anything in WinHex too and enter the file offset in IDA again. Since IDA has analyzed a lot from the beginning, it can show all found functions which point to the error message then.
And don't forget all the GPL engines, RTCW, Quake 3 etc., which all have a lot of code in common.
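The search described in the post (string file offset, then its memory address, then the little-endian bytes of that address), as an added example that is not part of the original post or of libcod. It assumes a 32-bit little-endian ELF, uses the program headers for the offset-to-address step the post does in IDA, and assumes a table of {name pointer, function pointer} pairs; all function names and the sample image are constructed for illustration.

```python
import re
import struct

def load_segments(data):
    """(file_offset, vaddr, file_size) of every PT_LOAD in a 32-bit little-endian ELF."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    (e_phoff,) = struct.unpack_from("<I", data, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
    segs = []
    for i in range(e_phnum):
        t, p_off, p_va, _, p_sz = struct.unpack_from("<5I", data, e_phoff + i * e_phentsize)
        if t == 1:  # PT_LOAD: the part of the file that is mapped into memory
            segs.append((p_off, p_va, p_sz))
    return segs

def offset_to_vaddr(segs, off):
    """File offset -> memory address of the same byte once the binary is loaded."""
    for p_off, p_va, p_sz in segs:
        if p_off <= off < p_off + p_sz:
            return p_va + off - p_off
    return None

def find_all(data, needle):
    return [m.start() for m in re.finditer(re.escape(needle), data)]

def table_entries(data, name):
    """[(string address, file offset of the stored pointer, dword after it)] for name."""
    segs, out = load_segments(data), []
    for off in find_all(data, name + b"\x00"):
        vaddr = offset_to_vaddr(segs, off)
        if vaddr is None or (off and data[off - 1] != 0):
            continue  # not mapped, or only the tail of a longer string
        for ref in find_all(data, struct.pack("<I", vaddr)):  # "<I" = byte-reversed address
            if ref + 8 <= len(data):  # assumed layout: function pointer follows name pointer
                out.append((vaddr, ref, struct.unpack_from("<I", data, ref + 4)[0]))
    return out

def build_sample():
    """Constructed image: ELF header, one PT_LOAD, "closer", one {name, func} entry."""
    base, func = 0x08048000, 0x080A1234  # made-up addresses
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    body = b"\x00closer\x00" + struct.pack("<II", base + 85, func)
    phdr = struct.pack("<8I", 1, 0, base, base, 84 + len(body), 84 + len(body), 5, 0x1000)
    return ehdr + phdr + body

if __name__ == "__main__":
    for vaddr, ref, func in table_entries(build_sample(), b"closer"):
        print(f"string at {vaddr:#x}, referenced at file offset {ref:#x}, next dword {func:#x}")
```

A hit whose following dword points into the code segment is a candidate table entry; hits elsewhere are usually coincidental byte matches and need a look in the disassembler.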