//////////////////////////////////////////////////////////
// Base game executable patch file; this executable
// contains all patches applied directly to the image.

/////////////////////////////
/////////////////////////////
////   Code adjustments  ////
/////////////////////////////
/////////////////////////////
// This patch adds support for loading the 'LUMP_PAKFILE' lump as a discrete file.
// The function originally loaded the BSP, and stored the header in a local variable.
// This means that we need to store the BSP header in the lump too, if we want to load
// the packfile lump separately. To avoid this, we hook this function in SDK code,
// and load the BSP header into the static 's_MapHeader' memory. The patch below makes
// the function read the static fields instead, and uses the descritprs in the header to
// read out the lump path passed in. A separate tool sets the 'fileofs' field to 0, so the
// packfile lump can be loaded without any additional patching.
0x382152: "cmp dword ptr ds:[0x00000001666EC6C0], 0x50534272" // s_MapHeader.ident
0x382162: "mov eax, dword ptr ds:[0x00000001666EC6C4]"        // s_MapHeader.version

0x382174: "cmp dword ptr ds:[0x00000001666EC954], 0x10"       // s_MapHeader.lumps[LUMP_PAKFILE].filelen
0x382181: "movsxd rcx, dword ptr ds:[0x00000001666EC950]"     // s_MapHeader.lumps[LUMP_PAKFILE].fileofs

0x382188: "mov rdx, rcx" // Move the operation done at 0x382181 (stored into RCX) into RDX; no need to index into it again.

// Due to the simplification of the operation above, 2 bytes had to be nopped.
0x38218B: "nop"
0x38218C: "nop"

0x38226E: "movsxd r8, dword ptr ds:[0x00000001666EC950]"      // s_MapHeader.lumps[LUMP_PAKFILE].fileofs
0x382275: "movsxd rdx, dword ptr ds:[0x00000001666EC954]"     // s_MapHeader.lumps[LUMP_PAKFILE].filelen

0x38247B: "cmp dword ptr ds:[0x00000001666EC6C0], 0x50534272" // s_MapHeader.ident
0x38248B: "mov eax, dword ptr ds:[0x00000001666EC6C4]"        // s_MapHeader.version

0x38249D: "cmp dword ptr ds:[0x00000001666EC954], 0x10"       // s_MapHeader.lumps[LUMP_PAKFILE].filelen
0x3824B6: "movsxd r8, dword ptr ds:[0x00000001666EC950]"      // s_MapHeader.lumps[LUMP_PAKFILE].fileofs

0x38257E: "movsxd r8, dword ptr ds:[0x00000001666EC950]"      // s_MapHeader.lumps[LUMP_PAKFILE].fileofs
0x382585: "movsxd rdx, dword ptr ds:[0x00000001666EC954]"     // s_MapHeader.lumps[LUMP_PAKFILE].filelen

// This patch increases the 'CModelRenderSystem::m_BoneToWorldOriented' memory buffer size to 2MiB. Previously,
// this was 1MiB, but would occasionally overflow when there are about 80 players rendering on the client's
// screen. This satisfies the required memory size to render all 120 player models (active players on server).
0xE6530: "mov     r8d, 200000h"

// This patch assigns the model and anim cache pointers to NULL instead of 0xDEADFEEDDEADFEED,
// if the asset failed to load. The 0xDEADFEEDDEADFEED (DC_INVALID_HANDLE) assignment was most
// likely done to catch errors in the asset loading system, since the pointer test won't fail
// while the pointer is invalid, this cause a hard crash. We however don't want this as this
// would cause issues loading BSP's with missing assets (the SDK handles the errors properly
// and also logs what was failed to load).
0x1E3CB6: "xor rax, rax" // NULL RAX instead of mov'ing '0xDEADFEEDDEADFEED' to cache ptr in 'Pak_UpdateModelAsset()'
0x1E3EE2: "xor rax, rax" // NULL RAX instead of mov'ing '0xDEADFEEDDEADFEED' to cache ptr in 'Pak_UpdateAnimRigAsset()'

/////////////////////////////
/////////////////////////////
////    Code defects     ////
/////////////////////////////
/////////////////////////////
// This fixes an engine bug where '-forceborder' did not force the border over the application window.
0x249DEE: "or      byte ptr [rdi+14h], 3" --> "and     byte ptr [rdi+14h], 0FDh";

// Concat happened due to bug in engine; Valve forgot a comma separator in the array.
0x1477876:  'FIELD_INTERVALFIELD_MODELINDEX\x00\x00' --> 'FIELD_INTERVAL\x00FIELD_MODELINDEX\x00';
0x1318C00: 0x0000000000 --> 0x7792474101; // Add new entry in 'g_FieldTypes', this entry points to the 'FIELD_MODELINDEX' string we separated from 'FIELD_INTERVAL'.

// This fixes a bug where the help string of a ConVar is set as the conVar name, which prevents you from
// setting it in the console due to the precense of space characters.
0x115EAE: "lea rax, ds:[0x141516578]" // Change ConVar name assignment from helpstring to "player_vehicle"
0x115EBC: "lea rax, ds:[0x141459F20]" // Change ConVar help string assignment from null string to the helpstring.
// This operation has been inserted within the function, all instructions past this one
// have been shifted.
0x115ECA: "lea rax, ds:[0x141324120]" // Load NULL_STRING back into rax to assign to usage string.
// Path below is exactly the same as above, but at a different address as this particular convar has
// 2 dynamic initializers.
0x15B8AE: "lea rax, ds:[0x141516578]"
0x15B8BC: "lea rax, ds:[0x141459F20]"
0x15B8CA: "lea rax, ds:[0x141324120]"

// In 'CInput::JoyStickApplyMovement' an extraneous 'fmin' clamp is performed on the frame time. BinDiff revealed that this was no longer performed on
// the 'Season 9.1 Genesis' executable. Further testing revealed that patching out just this clamp fixes the controller view stick problems when usercmd's
// get dropped in CL_Move.
0x6FD0E1: "movaps  xmm0, xmm6" // Move frame time directly into the register that originally contained the clamped frame time.
0x6FD0EE: "nop (x4)" // Nop 'minss   xmm0, xmm6' (extraneous clamp).
0x6FD114: "nop (x3)" // Nop 'movaps  xmm6, xmm0' (extraneous move operation).

/////////////////////////////
/////////////////////////////
//// Exploitable defects ////
/////////////////////////////
/////////////////////////////
// This fixes a stack smash in 'CNetChan::ProcessSubChannelData' caused by the last fragment
// of a split packet, which could exceed the stack allocated buffer size of 560 bytes.
0x117F484: "jmp 0x1412950AE" // Jump to code cave (alignment padding at end of executable segment).
0x12944AE: "cmp rbp, 0x230"  // Check if fragment size of 'last' split packet doesn't exceed stack buffer size.
0x12944B5: "jg 0x140261CE6"  // Jump to gadget (xor al, al; pop..; ret;).
// Below the reconstruction of overwritten bytes caused by the long jump to code cave...
0x12944BB: "lea r8d, ds:[rbp*8]" // fragSize << 3
0x12944C3: "mov rcx, rbx"
0x12944C6: "jmp 0x140261A6B" // Jump back to original code; final split packet fragment is sane.

// This fixes a vulnerability in which the index field in the NET_SetConVar message
// could be used to read outside the static userinfo cvar string array.
0x030DD2B: "jmp 0x1412950E3" // Jump to code cave (alignment padding at end of executable segment).
// The instruction prior to the jump above performs a 'test' on the eax register.
// If the zero flag is set, it jumps to the rebuild of overwritten instructions
// caused by the long jmp to code cave.
0x12944E3: "je 0x1412950EE"
// This check was missing causing OOB reads! String array size is 0x27,
// so only index into it if its within bounds..
0x12944E5: "cmp eax, 0x28" 
0x12944E8: "jb 0x14030E951"
// The following is rebuild as the long jump overwrote it,
// basically perform what was overwritten and jump back to
// original code...
0x12944EE: "mov r8d, 0x104"
0x12944F4: "jmp 0x14030E933"