R5Reloaded/r5sdk
1
0
Fork 0
mirror of https://github.com/Mauler125/r5sdk.git synced 2025-02-09 19:15:03 +01:00
Code Issues Packages Projects Releases Wiki Activity
r5sdk/r5dev/resource/patch/r5apex.patch
Kawe Mazidjatari 3d207d30a2 DataCache: rework datacache invalid data handling 
This is a more reliable solution as pretty much all code patch in CMDLCache checks the ptr for NULL, but none of them do for 0xDEADFEEDDEADFEED (probably a debug only thing that somehow made it into this build). Patched out so the engine could deal with it properly. Anything interesting already gets logged from the SDK so we won't miss out on anything patching this out.
2024-04-05 17:26:16 +02:00

119 lines
7.2 KiB
Diff
Raw Blame History

//////////////////////////////////////////////////////////
// Base game executable patch file; this executable
// contains all patches applied directly to the image.
/////////////////////////////
/////////////////////////////
//// Code adjustments ////
/////////////////////////////
/////////////////////////////
// This patch adds support for loading the 'LUMP_PAKFILE' lump as a discrete file.
// The function originally loaded the BSP, and stored the header in a local variable.
// This means that we need to store the BSP header in the lump too, if we want to load
// the packfile lump separately. To avoid this, we hook this function in SDK code,
// and load the BSP header into the static 's_MapHeader' memory. The patch below makes
// the function read the static fields instead, and uses the descritprs in the header to
// read out the lump path passed in. A separate tool sets the 'fileofs' field to 0, so the
// packfile lump can be loaded without any additional patching.
0x382152: "cmp dword ptr ds:[0x00000001666EC6C0], 0x50534272" // s_MapHeader.ident
0x382162: "mov eax, dword ptr ds:[0x00000001666EC6C4]" // s_MapHeader.version
0x382174: "cmp dword ptr ds:[0x00000001666EC954], 0x10" // s_MapHeader.lumps[LUMP_PAKFILE].filelen
0x382181: "movsxd rcx, dword ptr ds:[0x00000001666EC950]" // s_MapHeader.lumps[LUMP_PAKFILE].fileofs
0x382188: "mov rdx, rcx" // Move the operation done at 0x382181 (stored into RCX) into RDX; no need to index into it again.
// Due to the simplification of the operation above, 2 bytes had to be nopped.
0x38218B: "nop"
0x38218C: "nop"
0x38226E: "movsxd r8, dword ptr ds:[0x00000001666EC950]" // s_MapHeader.lumps[LUMP_PAKFILE].fileofs
0x382275: "movsxd rdx, dword ptr ds:[0x00000001666EC954]" // s_MapHeader.lumps[LUMP_PAKFILE].filelen
0x38247B: "cmp dword ptr ds:[0x00000001666EC6C0], 0x50534272" // s_MapHeader.ident
0x38248B: "mov eax, dword ptr ds:[0x00000001666EC6C4]" // s_MapHeader.version
0x38249D: "cmp dword ptr ds:[0x00000001666EC954], 0x10" // s_MapHeader.lumps[LUMP_PAKFILE].filelen
0x3824B6: "movsxd r8, dword ptr ds:[0x00000001666EC950]" // s_MapHeader.lumps[LUMP_PAKFILE].fileofs
0x38257E: "movsxd r8, dword ptr ds:[0x00000001666EC950]" // s_MapHeader.lumps[LUMP_PAKFILE].fileofs
0x382585: "movsxd rdx, dword ptr ds:[0x00000001666EC954]" // s_MapHeader.lumps[LUMP_PAKFILE].filelen
// This patch increases the 'CModelRenderSystem::m_BoneToWorldOriented' memory buffer size to 2MiB. Previously,
// this was 1MiB, but would occasionally overflow when there are about 80 players rendering on the client's
// screen. This satisfies the required memory size to render all 120 player models (active players on server).
0xE6530: "mov r8d, 200000h"
// This patch assigns the model and anim cache pointers to NULL instead of 0xDEADFEEDDEADFEED,
// if the asset failed to load. The 0xDEADFEEDDEADFEED (DC_INVALID_HANDLE) assignment was most
// likely done to catch errors in the asset loading system, since the pointer test won't fail
// while the pointer is invalid, this cause a hard crash. We however don't want this as this
// would cause issues loading BSP's with missing assets (the SDK handles the errors properly
// and also logs what was failed to load).
0x1E3CB6: "xor rax, rax" // NULL RAX instead of mov'ing '0xDEADFEEDDEADFEED' to cache ptr in 'Pak_UpdateModelAsset()'
0x1E3EE2: "xor rax, rax" // NULL RAX instead of mov'ing '0xDEADFEEDDEADFEED' to cache ptr in 'Pak_UpdateAnimRigAsset()'
/////////////////////////////
/////////////////////////////
//// Code defects ////
/////////////////////////////
/////////////////////////////
// This fixes an engine bug where '-forceborder' did not force the border over the application window.
0x249DEE: "or byte ptr [rdi+14h], 3" --> "and byte ptr [rdi+14h], 0FDh";
// Concat happened due to bug in engine; Valve forgot a comma separator in the array.
0x1477876: 'FIELD_INTERVALFIELD_MODELINDEX\x00\x00' --> 'FIELD_INTERVAL\x00FIELD_MODELINDEX\x00';
0x1318C00: 0x0000000000 --> 0x7792474101; // Add new entry in 'g_FieldTypes', this entry points to the 'FIELD_MODELINDEX' string we separated from 'FIELD_INTERVAL'.
// This fixes a bug where the help string of a ConVar is set as the conVar name, which prevents you from
// setting it in the console due to the precense of space characters.
0x115EAE: "lea rax, ds:[0x141516578]" // Change ConVar name assignment from helpstring to "player_vehicle"
0x115EBC: "lea rax, ds:[0x141459F20]" // Change ConVar help string assignment from null string to the helpstring.
// This operation has been inserted within the function, all instructions past this one
// have been shifted.
0x115ECA: "lea rax, ds:[0x141324120]" // Load NULL_STRING back into rax to assign to usage string.
// Path below is exactly the same as above, but at a different address as this particular convar has
// 2 dynamic initializers.
0x15B8AE: "lea rax, ds:[0x141516578]"
0x15B8BC: "lea rax, ds:[0x141459F20]"
0x15B8CA: "lea rax, ds:[0x141324120]"
// In 'CInput::JoyStickApplyMovement' an extraneous 'fmin' clamp is performed on the frame time. BinDiff revealed that this was no longer performed on
// the 'Season 9.1 Genesis' executable. Further testing revealed that patching out just this clamp fixes the controller view stick problems when usercmd's
// get dropped in CL_Move.
0x6FD0E1: "movaps xmm0, xmm6" // Move frame time directly into the register that originally contained the clamped frame time.
0x6FD0EE: "nop (x4)" // Nop 'minss xmm0, xmm6' (extraneous clamp).
0x6FD114: "nop (x3)" // Nop 'movaps xmm6, xmm0' (extraneous move operation).
/////////////////////////////
/////////////////////////////
//// Exploitable defects ////
/////////////////////////////
/////////////////////////////
// This fixes a stack smash in 'CNetChan::ProcessSubChannelData' caused by the last fragment
// of a split packet, which could exceed the stack allocated buffer size of 560 bytes.
0x117F484: "jmp 0x1412950AE" // Jump to code cave (alignment padding at end of executable segment).
0x12944AE: "cmp rbp, 0x230" // Check if fragment size of 'last' split packet doesn't exceed stack buffer size.
0x12944B5: "jg 0x140261CE6" // Jump to gadget (xor al, al; pop..; ret;).
// Below the reconstruction of overwritten bytes caused by the long jump to code cave...
0x12944BB: "lea r8d, ds:[rbp*8]" // fragSize << 3
0x12944C3: "mov rcx, rbx"
0x12944C6: "jmp 0x140261A6B" // Jump back to original code; final split packet fragment is sane.
// This fixes a vulnerability in which the index field in the NET_SetConVar message
// could be used to read outside the static userinfo cvar string array.
0x030DD2B: "jmp 0x1412950E3" // Jump to code cave (alignment padding at end of executable segment).
// The instruction prior to the jump above performs a 'test' on the eax register.
// If the zero flag is set, it jumps to the rebuild of overwritten instructions
// caused by the long jmp to code cave.
0x12944E3: "je 0x1412950EE"
// This check was missing causing OOB reads! String array size is 0x27,
// so only index into it if its within bounds..
0x12944E5: "cmp eax, 0x28"
0x12944E8: "jb 0x14030E951"
// The following is rebuild as the long jump overwrote it,
// basically perform what was overwritten and jump back to
// original code...
0x12944EE: "mov r8d, 0x104"
0x12944F4: "jmp 0x14030E933"
Reference in New Issue View Git Blame Copy Permalink