[BUG - Release/Experimantal] Indigo Park Crashes on startup

[ontrigger]

Branch or Release UE4SS - v3.0.1 Release and latest experimental (UE4SS_v3.0.1-81-gd8189f3)

Game and Engine Version Indigo Park 1.0 UE 5.1

Describe the bug Game crashes on startup. changing bUseUObjectArrayCache doesn't help

Mods directory Default

To Reproduce Steps to reproduce the behavior:

1. Launch game
2. Get a crash message
3. Game runs normally until you click ok on the message, mods do not load

Expected behavior No crash

Screenshots, UE4SS Log, and .dmp file UE4SS.log crash_2024_05_20_19_42_11.zip

Desktop:

• OS: Win10

Additional context The game is completely free, you can get it on steam here https://store.steampowered.com/app/2504480/Indigo_Park_Chapter_1/

[LimoDerEchte]

My experience was that the AOB for FName::ToString had to be found manually. After doing that and setting up the lua script with the AOB it got one further but now it is getting an access violation on start. Screenshots etc. are on the discord in #troubleshoot

[UE4SS]

Screenshots etc. are on the discord in #troubleshoot

Not every developer here uses discord, me for example. As such, your request for help won't reach everyone if you ask on discord. Same obviously goes for information that you put on discord instead of github.

[LimoDerEchte]

Screenshots etc. are on the discord in #troubleshoot

Not every developer here uses discord, me for example. As such, your request for help won't reach everyone if you ask on discord. Same obviously goes for information that you put on discord instead of github.

Ok, I'm sorry :/ Let me summarize what I got so far:

After experimenting a bit I got the lua script ready with the function header so that it actually finds the function. The lua code is this:

function Register()
    return "48 89 5C 24 10 48 89 74 24 18"
end

function OnMatchFound(MatchAddress)
    return MatchAddress
end

I can't really check if this actually finds the correct function, because I'm in no way experienced with low level, but it definitely does find a function with the same header.

After using this script to start the game it completely crashes now because of an access violation. The entire crash dump with analysis from windbg can be found here: https://hastebin.com/share/yupohewacu.yaml

[UE4SS]

After using this script to start the game it completely crashes now because of an access violation. The entire crash dump with analysis from windbg can be found here: https://hastebin.com/share/yupohewacu.yaml

According to the stack trace in that link, it's crashing when it tries to call FName::ToString so you probably haven't found the real FName::ToString.

[LimoDerEchte]

Ok so I tried a few more things and I've come to the conclusion, that the function may not exist in the same way it does in another packaged game from that UE version. I searched for the header but couldn't find the actual function when searching manually in x64dbg.

Edit: Now tried with only 5 Bytes of header - Didn't find it Edit 2: Actually found it now, but can't create a pattern because it sometimes exists and sometimes doesn't ._.

[LimoDerEchte]

Found an AOB now that works... Problem being that it still crashes with the same exception as before even tho the correct function address is found now... Working AOB: 48 89 5C 24 10 48 89 74 24 18 57 48 83 EC 20 80 3D ?? ?? ?? ?? 00 48 8B F1 8B 19 48 8B FA 48

[LimoDerEchte]

This is the Crashdump: https://hastebin.com/share/acanuvutan.yaml The decompiled assembly: https://hastebin.com/share/pibopipito.vbnet The assembly crashing the game: 00007FF74E9B8329 | 8B19 | mov ebx,dword ptr ds:[rcx]

[LimoDerEchte]

Quick Question:

Symbol=?ToString@FName@@QEBAXAEAVFString@@@Z
Symbol (undecorated)=public: void __cdecl FName::ToString(class FString &) const

This is the right signature for FName::ToString that is required by UE4SS, right?

[UE4SS]

Quick Question:

Symbol=?ToString@FName@@QEBAXAEAVFString@@@Z
Symbol (undecorated)=public: void __cdecl FName::ToString(class FString &) const

This is the right signature for FName::ToString that is required by UE4SS, right?

Yes, that's correct, as described here: https://docs.ue4ss.com/guides/fixing-compatibility-problems.html#what-onmatchfound-must-return-for-each-aob

[UE4SS]

This is the Crashdump: https://hastebin.com/share/acanuvutan.yaml The decompiled assembly: https://hastebin.com/share/pibopipito.vbnet The assembly crashing the game: 00007FF74E9B8329 | 8B19 | mov ebx,dword ptr ds:[rcx]

That's still crashing when it tries to call FName::ToString, suggesting it's not the correct function. What's your method for locating the function ? Ideally you have a test game (that has a PDB) using the same engine version as your game, and then find the function in your test game, look for references to it, and scan for those in your game instead of the function directly. That way you can be a lot more sure that you've got the correct function.

If FName::ToString is unable to be found, it might mean that this game uses unusually aggressive inlining (optimization) of functions, meaning that the code of the function is placed directly in the code path instead of calling the function. This should be fairly evident because a lot of code should be different than expected in an unchanged engine, and I would expect a lot of other AOBs to fail to be found which doesn't appear to be the case here so I'm not sure that this is the case for this game, you might've just found the wrong function.

Aggressive inlining is a fairly rare occurrence, I'm only aware of a handful of such occurrences. When I've run into it myself I've always been able to find the function still, it's just harder because there are no references to it anywhere, however, other people have told me that they have found games where the function literally doesn't exist and then the only option is to inject the function back into the game or otherwise custom implement it in UE4SS.

[LimoDerEchte]

I used a test game with pdb to find the header etc. Then I made my AOB. Then I ran the game. Then I compared the address that was found with the code of the test game and except for a few addresses the code was 1:1 the same. If you wait a bit I can send two screenshots :)

[LimoDerEchte]

This is the code that the pdb said was FName::ToString

This is the code at the address my AOB found

[UE4SS]

Then I compared the address that was found with the code of the test game and except for a few addresses the code was 1:1 the same.

Try find references to the function. Some times the direct AOB just isn't unique enough and gives you the wrong function, but if you find references to the function, you have a lot more different possible AOBs that you can scan for, and it'll make it more obvious if it's the correct function if the AOB for the reference exists in your game and it leads to the same function that your direct AOB does.

[UE4SS]

@LimoDerEchte If you enable FullMemoryDump in UE4SS-settings.ini, and let it crash again, and send me the generated .dmp file, I can take a look at it. Please give it a good amount of time to generate the .dmp file, it might appear to be doing nothing but it can take some time for a full memory dump to generate, and it should let you know when the .dmp file is done generating.

[LimoDerEchte]

I can't access my pc until Wednesday sadly :/ I can try getting it to run on my steamdeck this evening tho

[LimoDerEchte]

Then I compared the address that was found with the code of the test game and except for a few addresses the code was 1:1 the same.

Try find references to the function. Some times the direct AOB just isn't unique enough and gives you the wrong function, but if you find references to the function, you have a lot more different possible AOBs that you can scan for, and it'll make it more obvious if it's the correct function if the AOB for the reference exists in your game and it leads to the same function that your direct AOB does.

But as I said and as you see in the two images: It does find the function. That's what's at the address that was written in the AE4SS log as the output of the lua script :/ (I looked at it using x64dbg)

[LimoDerEchte]

@ontrigger did you get it working yet?

[ontrigger]

@ontrigger did you get it working yet?

Nope

[narknon]

Case preserving?

[LimoDerEchte]

Case preserving?

Wdym by "preserving"? Yes the problem isn't solved yet

[UE4SS]

Case preserving?

Wdym by "preserving"? Yes the problem isn't solved yet

It's a UE setting that some games use that changes how a core struct in the engine works. Any game with that change needs UE4SS to replicate that change, which we can do, but we don't do releases with that setting enabled, instead people have to build UE4SS themselves with that setting enabled. The setting can be enabled by building the CasePreserving target instead of the Game target, for example: CasePreserving__Shipping__Win64 instead of Game__Shipping__Win64.

EDIT: For anyone that knows UE, the actual UE setting is controlled by the WITH_CASE_PRESERVING_NAME define.

[LimoDerEchte]

@UE4SS How would I check for that?

[LimoDerEchte]

@UE4SS Ok so ig I got my steamdeck to generate a crashdump. I couldn't check if the AOB was right with it's address this time tho :/ Took an awfully high amount of time to get this into a zip and actually uploaded xD

Here's the crash dump: https://drive.google.com/file/d/1Z52mBn8VXdIPF0lGMB4MTyYYVrnYv2yZ/view?usp=sharing This is the UE4SS log: UE4SS.log The UE4SS settings: UE4SS-settings.zip The updated lua script: FName_ToString.zip

Hope you can find anything with this ^^

[LimoDerEchte]

The setting can be enabled by building the CasePreserving target instead of the Game target, for example: CasePreserving__Shipping__Win64 instead of Game__Shipping__Win64.

EDIT: For anyone that knows UE, the actual UE setting is controlled by the WITH_CASE_PRESERVING_NAME define.

Is there any tutorial on how to build UE4SS with this enabled?

[UE4SS]

It appears that this game uses a customized FUObjectItem struct.

This is how FUObjectItem in GUObjectArray looks like in 5.1:

m_guobjectarray_internal->obj_objects.objects[0][0]:
0x00 00000220aca78780 <- Object
0x08 0000000000000000 <- Flags & ClusterRootIndex
0x10 0000000000000000 <- SerialNumber & Padding

m_guobjectarray_internal->obj_objects.objects[0][1]:
0x18 00000220aa430e00 <- Object
0x20 0000000042000000 <- Flags & ClusterRootIndex
0x28 00000000000003f0 <- SerialNumber & Padding

This is what it looks like in this game:

m_guobjectarray_internal->obj_objects.objects[0][0]:
0x00 0000000012aeae40 <- Object
0x08 0000000040000000 <- Flags & ClusterRootIndex
0x10 cdcdcdcd00000000 <- SerialNumber & Padding
0x18 000000014fb79b90 <- Unknown pointer

m_guobjectarray_internal->obj_objects.objects[0][1]:
0x20 0000000005378680 <- Object
0x28 0000000042000000 <- Flags & ClusterRootIndex
0x30 cdcdcdcd000003eb <- SerialNumber & Padding
0x38 000000014fb79b90 <- Unknown pointer

Notice the unknown pointer at the end of FUObjectItem ? That's the problem. It appears to be the same value for both objects in the example above, whatever that means. When the global array of objects is iterated by UE4SS, it assumes that FUObjectItem is unchanged by the game developers. In this case, it's not unchanged, our perception of FUObjectItem is misaligned with the game. This is the worst case scenario for a user of UE4SS because we don't provide a way to fix this. The only way to fix this is to make a custom build of UE4SS with an extra pointer at the end of FUObjectItem in deps/first/Unreal/include/Unreal/VersionedContainer/Base.hpp, or make a new container for this game specifically to make maintenance easier (otherwise you break compat with several non-custom engine versions), but either way it's a custom build.

This is what's inside that pointer, for the curious:

0x000000014FB79B90  0000000000000000 0000000000000000  ................
0x000000014FB79BA0  0000000000000000 0001b5fa07050005  ............úµ..
0x000000014FB79BB0  0000000000000000 000000014cbd4ab8  ........¸J.L....
0x000000014FB79BC0  0000000004e00400 0000000004e004b8  ..à.....¸.à.....
0x000000014FB79BD0  0000000000000001 0000000044d04270  ........pBÐD....
0x000000014FB79BE0  0000000044d04410 0000000044d03f30  .DÐD....0?ÐD....
0x000000014FB79BF0  0000000044d040d0 0000000000000000  Ð@ÐD............

[LimoDerEchte]

@UE4SS Can you maybe help me with acomplishing this task of building a custom UE4SS version? Do you maybe have some way of more direct contact than through Github issues?

Edit: I'll try solo first

[LimoDerEchte]

@UE4SS Would I be able to make a pr to UE4SS where it uses this structure when it detects Indigo Park, so it works in future versions?

[UE4SS]

@UE4SS Would I be able to make a pr to UE4SS where it uses this structure when it detects Indigo Park, so it works in future versions?

Yes, but how much experience do you have with programming ? I'm happy to help if you do have some experience, because then you'll have a foot in the door for UE4SS development, even if you don't contribute anything else in the future, it'll still be worth it just in case you do, because you never know. If not, I'd rather make the changes myself because it will be quicker and less painful.

[LimoDerEchte]

Yes, but how much experience do you have with programming ?

Well I don't have much experience with cpp but I sure do have a good bit of experience in Java/C# etc.

[UE4SS]

Yes, but how much experience do you have with programming ?

Well I don't have much experience with cpp but I sure do have a good bit of experience in Java/C# etc.

I don't use Discord, but if you give your Steam name, I can add you and we can continue from there. I can guide you through the process, with however much detail is required, I just don't want to teach the basics of programming while doing so.

[LimoDerEchte]

@UE4SS How would I go about making such a change? Cause the actual file that would have to be changed is in UEPseudo. But can UEPseudo even find out if it's playing Indigo Park rn?

[UE4SS]

@UE4SS How would I go about making such a change? Cause the actual file that would have to be changed is in UEPseudo. But can UEPseudo even find out if it's playing Indigo Park rn?

Yeah it can, let's move this away from github though. You'll need to link your github account to your Epic account, and of course you'll need to make an Epic account if you don't have one, otherwise you won't be able to access the UEPseudo repo.

[LimoDerEchte]

Yeah it can, let's move this away from github though.

Wdym? To a different platform or to the UEPseudo repo?

You'll need to link your github account to your Epic account, and of course you'll need to make an Epic account if you don't have one, otherwise you won't be able to access the UEPseudo repo.

I already did that a while back ^^

[UE4SS]

Yeah it can, let's move this away from github though.

Wdym? To a different platform or to the UEPseudo repo?

As I said here, on Steam.

[LimoDerEchte]

@UE4SS Oh sry didn't see that ._. My Steam friend code is 867183480 and my quick invite is https://s.team/p/ffqb-dqkm/vthkwwgq ^^

[UE4SS]

Can you try this version of UE4SS: https://www.dropbox.com/scl/fi/echxv65kc8barynwz015c/UE4SS_IndigoPark.zip?rlkey=52dypallcblftv9fi10mcb65j&dl=1 It's just UE4SS.dll, replace the old one with the one from the link. This is based on the main branch, not on 3.0.1.

I don't know if you need the custom FName_ToString.zip but if it doesn't work without it, try it.

[LimoDerEchte]

@UE4SS Will try later ^^

[LimoDerEchte]

It's still crashing with and without the AOB Didn't have enough time to generate a full memory dump but will do later

[LimoDerEchte]

Oh wait I'm stupid I forgot to switch to the main branch first ._. Will try again later ig

[UE4SS]

Oh wait I'm stupid I forgot to switch to the main branch first ._. Will try again later ig

That shouldn't matter as long as you replace the dll file.

[LimoDerEchte]

That shouldn't matter as long as you replace the dll file.

Then it's not a me-thing I'll get to the dump in the next hour

[Buckminsterfullerene02]

I'm on phone so can't open the zip file but did you also include the dwmapi dll? It's different to the 3.0.1 one.

[UE4SS]

I'm on phone so can't open the zip file but did you also include the dwmapi dll? It's different to the 3.0.1 one.

I did not. I don't think dwmapi should have any affect on UE4SS as long as it's successfully able to load the dll, and it seems to me it got injected since it crashed.

[Buckminsterfullerene02]

If they are using the proxy dll from experimental it's fine but if they are using it from 3.0.1 it will crash

[UE4SS]

If they are using the proxy dll from experimental it's fine but if they are using it from 3.0.1 it will crash

I'm fairly sure they're using the 3.0.1 dwmapi with UE4SS.dll from main/experimental.

[UE4SS]

I believe I've fixed the problem. Please try this version: https://www.dropbox.com/scl/fi/echxv65kc8barynwz015c/UE4SS_IndigoPark.zip?rlkey=52dypallcblftv9fi10mcb65j&dl=1

The PR (UEPseudo#92) has been updated.

[LimoDerEchte]

Will do rn

[LimoDerEchte]

It works! So the issue is solved I think ^^

[LimoDerEchte]

https://www.dropbox.com/scl/fi/echxv65kc8barynwz015c/UE4SS_IndigoPark.zip?rlkey=52dypallcblftv9fi10mcb65j&dl=1

To summarize for any1 who wants to mod the game: You have to replace the UE4SS.dll file of your installation with this one until the change is pushed to the main releases (if that ever happens) The AOB is apparently not needed, so ignore those messages.

I believe this issue can be closed now ^^

[UE4SS]

I'm gonna keep this open until the fix gets merged.