As I said in the past, maybe we need an EIP logger.
On process exit, crash, or whatever unknown close, it would log the current EIP of every thread. That's helpful; it can easily locate the function which crashed the game.
The crash maybe happens when listing maps (? I'm confused about this, maybe not map-related).
It crashes due to ebx == -1, which is not 0 but an invalid ptr.
This function looks like this, maybe:
int sub_0_634A24(struct unknow * , int argc1, int argc2)
//---------- there is something wrong in this understanding, just look at the code; this is intermediate thinking, not helpful tho ;P
struct unknow is at least 0x10 in size, because unknow->0x10 is a ptr, which is used to save a 0x400-size array (maybe int[0x100]).
Then let (argc1 / 0x100) * 0x4, so it can be a subscript into a struct of size 0x40 (0x100 / 0x4)?
It will be used locally with a ptr from int __cdecl _malloc_wapper(int)'s return; this first malloc will init the array with 0x00000000.
By this local, the ptr points to a ptr that points to an int array; it can be this: int (*i_UnknowArray)[0x400]. I named this ptr PTR.
Here is a test of PTR: when it's valid, argc2 is used to set the value in (*PTR)[edx], which maybe you want to set this new malloc'd array's first element to argc2, but edx wasn't initialized before this! It can crash due to edx=12#!@#$
Or, if PTR is NULL in the test before setting (*PTR)[edx], it will call _malloc_wapper(int) again to get a 0x400-size array, and init this array with 0xffffffff.
//---------------
CPU Disasm
Address Hex dump Command Comments
00634A27 ? 57 push edi
00634A28 ? 56 push esi
00634A29 ? 53 push ebx
00634A2A ? 83EC 2C sub esp,2C
00634A2D ? 8B75 08 mov esi,dword ptr ss:[arg.1]
00634A30 ? 8B5E 10 mov ebx,dword ptr ds:[esi+10]
00634A33 ? 85DB test ebx,ebx
00634A35 ? 74 6A je short ta3d.00634AA1
00634A37 ? C74424 04 00010000 mov dword ptr ss:[local.13],100
00634A3F ? 8B45 0C mov eax,dword ptr ss:[arg.2]
00634A42 ? 890424 mov dword ptr ss:[local.14],eax
00634A45 ? E8 AE010100 call <jmp.&msvcrt.div> ; Jump to msvcrt.ldiv
00634A4A ? 8D3C85 00000000 lea edi,[eax*4]
00634A51 ? 01FB add ebx,edi
00634A53 ? 8B0B mov ecx,dword ptr ds:[ebx]
00634A55 ? 85C9 test ecx,ecx
00634A57 ? 74 0F je short ta3d.00634A68
00634A59 ? 8B45 10 mov eax,dword ptr ss:[arg.3]
00634A5C ? 890491 mov dword ptr ds:[edx*4+ecx],eax //--
00634A5F ? 83C4 2C add esp,2C
It can also crash when loading models.
It can be this:
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#define __cdecl
typedef unsigned int DWORD;
#endif

/* malloc wrapper seen in the binary; prototype assumed from its use */
void *_malloc_wapper(int size);

typedef struct tagunknow
{
    DWORD dw_unknow0;
    DWORD dw_unknow1;
    DWORD dw_unknow2;
    DWORD dw_unknow3;
    int **pint_unknowArray; // at +0x10: ptr to 0x100 entries, each an int[0x100] chunk (0x400 bytes)
} unknow;

int __cdecl sub_0_634A24(unknow *pstu_argc0, int i_argc1, int i_argc2)
{
    int i_temp;
    int i_SubScript; // (not init!)
    int i_divRtn;
    if (NULL == pstu_argc0->pint_unknowArray)
    {
        pstu_argc0->pint_unknowArray = _malloc_wapper(0x100 * sizeof(int *));
        i_SubScript = 0; // it just init in here!!!!!!
        memset(pstu_argc0->pint_unknowArray, 0x0, 0x100 * sizeof(int *));
    }
    i_divRtn = div(i_argc1, 0x100).quot; // div returns div_t; the quotient selects the chunk
    if (NULL == pstu_argc0->pint_unknowArray[i_divRtn])
    {
        i_temp = i_SubScript;
        pstu_argc0->pint_unknowArray[i_divRtn] = _malloc_wapper(0x400);
        i_SubScript = i_temp;
        memset(pstu_argc0->pint_unknowArray[i_divRtn], 0xff, 0x400);
    }
    pstu_argc0->pint_unknowArray[i_divRtn][i_SubScript] = i_argc2; // so it crash TA3D in here!!!!!
    return i_argc2; // or maybe not return;
}
This crash makes me mad, I can't play TA3D for 2 weeks /:^\
Another one that maybe crashes, near the string "windib":
CPU Disasm
Address Hex dump Command Comments
0042F352 ? C1E2 10 shl edx,10
0042F355 ? 31C0 xor eax,eax
0042F357 ? 90 nop
0042F358 ? 89D1 mov ecx,edx
0042F35A ? C1F9 10 sar ecx,10
0042F35D ? 8B73 14 mov esi,dword ptr ds:[ebx+14]
0042F360 ? 8A0C0E mov cl,byte ptr ds:[ecx+esi] //-- here ecx can be an invalid value, ffff0000
//
You can locate this by searching all calls to SDL_CreateRGBSurface
in the function which uses the string "make_texture used with empty SDL_Surface";
it's just the next call after the call to SDL_CreateRGBSurface.
I didn't pay much attention to this, because I only caught a crash here once, and maybe it crashed due to the data set.
What crashed the game may be due to this function not checking whether argc1 is valid.
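An added example (not the poster's code and not TA3D's) showing the hardened shape of the reconstructed table-insert function: the key is range-checked against the 0x100-entry first-level table before it becomes an index, chunks are allocated and 0xffffffff-filled on demand as the post describes, and the subscript is always derived from the key instead of coming from an uninitialised local. It assumes the subscript is key % 0x100 (the remainder of the same div call), which the post does not confirm; the struct and function names are made up for the example.

```c
#include <stdlib.h>
#include <string.h>

#define TABLE_SLOTS 0x100   /* first-level table: 0x100 chunk pointers            */
#define CHUNK_INTS  0x100   /* each chunk: 0x100 ints = 0x400 bytes, as in the post */

/* Mirrors the reconstructed layout: 0x10 bytes of header, then the table ptr at +0x10. */
struct unknow {
    unsigned dw_unknow[4];
    int **pint_table;       /* TABLE_SLOTS entries, each NULL or an int[CHUNK_INTS] chunk */
};

/* Hardened insert: returns 0 on success, -1 on invalid key or allocation failure. */
int set_entry_checked(struct unknow *obj, int key, int value)
{
    if (obj == NULL || key < 0) return -1;
    div_t d = div(key, CHUNK_INTS);          /* d.quot = chunk slot, d.rem = subscript (assumption) */
    if (d.quot >= TABLE_SLOTS) return -1;    /* the check the original function appears to lack */

    if (obj->pint_table == NULL) {
        obj->pint_table = calloc(TABLE_SLOTS, sizeof(int *));  /* zero-filled, like the 0x00000000 init */
        if (obj->pint_table == NULL) return -1;
    }
    if (obj->pint_table[d.quot] == NULL) {
        int *chunk = malloc(CHUNK_INTS * sizeof(int));
        if (chunk == NULL) return -1;
        memset(chunk, 0xff, CHUNK_INTS * sizeof(int));        /* 0xffffffff fill, as in the post */
        obj->pint_table[d.quot] = chunk;
    }
    obj->pint_table[d.quot][d.rem] = value;  /* subscript is computed, never an uninitialised local */
    return 0;
}

/* Lookup with the same validation; -1 is also what an untouched (0xffffffff) slot reads as. */
int get_entry(const struct unknow *obj, int key)
{
    if (obj == NULL || key < 0 || obj->pint_table == NULL) return -1;
    div_t d = div(key, CHUNK_INTS);
    if (d.quot >= TABLE_SLOTS || obj->pint_table[d.quot] == NULL) return -1;
    return obj->pint_table[d.quot][d.rem];
}

void free_table(struct unknow *obj)
{
    if (obj == NULL || obj->pint_table == NULL) return;
    for (int i = 0; i < TABLE_SLOTS; i++) free(obj->pint_table[i]);
    free(obj->pint_table);
    obj->pint_table = NULL;
}
```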