Encryqed / Dumper-7

Unreal Engine SDK Generator

Access Violation in ObjectArray with Soulmask game #185

Closed CrystalFerrai closed 2 months ago

CrystalFerrai commented 2 months ago

I have been using Dumper-7 with the game Soulmask, and it has been working wonderfully. However, as of today when the game updated, Dumper-7 now causes a crash.

Unhandled Exception: EXCEPTION_ACCESS_VIOLATION reading address 0x0000000000000000

Dumper_7!ObjectArray::Init() [H:\Projects\_External_\Dumper-7\Dumper\ObjectArray.cpp:204]
Dumper_7!MainThread() [H:\Projects\_External_\Dumper-7\Dumper\Main.cpp:36]
kernel32
ntdll

I just synced and built the latest commit in case the issue might have been fixed, but it still exists. Line 204 in ObjectArray.cpp looks like this.

if (FixedArray->IsValid())

So I guess FixedArray is null? I don't know anything about this code, so I am hopeful you might know what could cause this.

P.S. Soulmask uses Unreal Engine 4.27.2

CrystalFerrai commented 2 months ago

I just built a debug build and tried with that. It gives a bit more detailed call stack.

Unhandled Exception: EXCEPTION_ACCESS_VIOLATION reading address 0x0000000000000004

Dumper_7!FFixedUObjectArray::IsValid() [H:\Projects\_External_\Dumper-7\Dumper\ObjectArray.cpp:79]
Dumper_7!ObjectArray::Init() [H:\Projects\_External_\Dumper-7\Dumper\ObjectArray.cpp:204]
Dumper_7!Generator::InitEngineCore() [H:\Projects\_External_\Dumper-7\Dumper\Generator.cpp:81]
Dumper_7!MainThread() [H:\Projects\_External_\Dumper-7\Dumper\Main.cpp:36]
kernel32
ntdll

Line 79 looks like this.

FUObjectItem* ObjectsButDecrypted = (FUObjectItem*)ObjectArray::DecryptPtr(Objects);

Fischsalat commented 2 months ago

Try finding and entering the GObjects offset manually. See if that works. Else it would be nice if you could dump the game and analyze it in ida, so I can see what's up with GObjects on that game.

CrystalFerrai commented 2 months ago

So the issue is that there is no .data section in the exe. Therefore, GetSectionByName returns 0. Maybe this is a side effect of the Themida protection the game uses. However, it has always had that protection and this issue only appeared after a recent game update. So I am not sure.

I changed Generator::InitEngineCore() so that it passes true when calling ObjectArray::Init(true). This seems to have worked and everything was found and dumped properly as far as I can tell. Perhaps the code could be modified to handle the case of no .data section and fallback to a full scan?

Anyway, this is no longer an issue for me at this point given the workaround.

Fischsalat commented 2 months ago

This is already done. But obviously it won't reach that point if it crashes first. What are the values of SearchBase, SearchRange and i on the iteration where it crashes?

CrystalFerrai commented 2 months ago

SearchBase is 0, i is 0 and SearchRange is -80 (wrapped to a positive value due to being unsigned). GetSectionName returns 0 when it cannot find a section. The code is not checking for that at all, assuming the function succeeded. It then subtracts 80 from SearchRange and loops forward from 0 to uint max - 80.

It crashes on the first iteration when it tries to dereference 0.
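
The failure mode described in the two comments above, as an added example that is not Dumper-7's code: a hypothetical section lookup that reports a missing section as a null base with size 0, the unguarded subtraction that wraps the unsigned search range, and a guarded variant that checks the lookup result, falls back to scanning the whole image, and bounds the loop by the pattern width. The image buffer, section layout and byte pattern are constructed for the example; the names FindSection, UnguardedSearchRange, GuardedScan, MakeImage and kProbeSize are invented and do not correspond to functions in the project.

```cpp
// Added example (not Dumper-7 code). Models a section lookup that signals
// "not found" with a zero-sized result and shows why an unchecked subtraction
// on that result produces a huge unsigned range and a null dereference.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

// A constructed in-memory "image": named sections laid over one byte buffer.
struct Section {
    std::string name;
    std::size_t offset;   // start of the section inside the image buffer
    std::size_t size;
};

struct Image {
    std::vector<std::uint8_t> bytes;
    std::vector<Section> sections;
};

struct SectionRange {
    const std::uint8_t* base;
    std::size_t size;
};

// Hypothetical lookup: a missing section comes back as { nullptr, 0 }, which is
// the convention the thread describes (the lookup "returns 0").
static SectionRange FindSection(const Image& img, const char* name) {
    for (const auto& s : img.sections)
        if (s.name == name) return { img.bytes.data() + s.offset, s.size };
    return { nullptr, 0 };
}

// Constructed 4-byte pattern placed at image offset 200 by MakeImage().
const std::vector<std::uint8_t> kPattern{ 0xDE, 0xAD, 0xBE, 0xEF };

// Constructed 256-byte image: ".text" covers [0,128), ".data" covers [128,256)
// only when requested, so the "no .data section" case can be reproduced.
static Image MakeImage(bool withDataSection) {
    Image img;
    img.bytes.assign(256, 0x00);
    std::memcpy(img.bytes.data() + 200, kPattern.data(), kPattern.size());
    img.sections.push_back({ ".text", 0, 128 });
    if (withDataSection) img.sections.push_back({ ".data", 128, 128 });
    return img;
}

// Width the unguarded scanner subtracts from the section size (80, as in the thread).
constexpr std::size_t kProbeSize = 80;

// The bug: no check of the lookup result. With size == 0 the subtraction wraps
// to SIZE_MAX - 79, and a loop from 0 over that range would dereference a null
// base on its first iteration. Only the wrapped range is returned here.
static std::size_t UnguardedSearchRange(const Image& img, const char* section) {
    SectionRange r = FindSection(img, section);
    return r.size - kProbeSize;   // underflows when the section is missing
}

// The fix: validate the lookup, fall back to the whole image when the section
// is absent, and refuse ranges narrower than the pattern before subtracting.
// Returns the image offset of the first match, or std::nullopt.
static std::optional<std::size_t> GuardedScan(const Image& img, const char* section,
                                              const std::vector<std::uint8_t>& pattern) {
    SectionRange r = FindSection(img, section);
    if (r.base == nullptr || r.size == 0)
        r = { img.bytes.data(), img.bytes.size() };   // fallback: full scan
    if (r.size < pattern.size()) return std::nullopt;
    const std::size_t searchRange = r.size - pattern.size();
    for (std::size_t i = 0; i <= searchRange; ++i) {
        if (std::memcmp(r.base + i, pattern.data(), pattern.size()) == 0)
            return static_cast<std::size_t>((r.base + i) - img.bytes.data());
    }
    return std::nullopt;
}

int main() {
    std::printf("unguarded range, no .data: %zu\n", UnguardedSearchRange(MakeImage(false), ".data"));
    auto hit = GuardedScan(MakeImage(false), ".data", kPattern);
    std::printf("guarded scan, no .data: %s at %zu\n", hit ? "found" : "missing", hit.value_or(0));
    return 0;
}
```

The guarded loop bounds the range by the pattern width rather than a fixed probe size, so the last iteration still reads entirely inside the section; the fallback to a full-image scan is the same behaviour the thread reaches by calling ObjectArray::Init(true) by hand.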

Fischsalat commented 2 months ago

Damn that's smart code. I should probably fix that. Thanks for checking.

Fischsalat commented 2 months ago

Test main real quick please. (I pushed a fix)

CrystalFerrai commented 2 months ago

It is working great now. Thank you!