nipkownix / re4_tweaks

Fixes and tweaks for the "UHD" port of Resident Evil 4
zlib License
342 stars 32 forks

game accesses illegal memory if it doesn't pass a certain "check" #197

Open Mister-Curious opened 2 years ago

Mister-Curious commented 2 years ago

While troubleshooting a recent issue whereby the game would crash when trying to reload or exit certain rooms, I was told by a friend that the issue is because the game accesses illegal memory if it doesn't pass a certain "check".

The address is bio4.exe+86393A - The game seems to crash when there is an odd value like the byte was EA or F3

I found this issue while trying out certain enemy combinations in r106 and r107. Things were ok until I started using the ITA to spawn snakes out of ETM objects. I can provide more particulars about those scenarios, but essentially the problem is described below:

bio4.exe+2ADBA7: test byte ptr [esi],02

This is the check in question. If it passes this check, it moves on without crashing; if it doesn't pass (which it isn't supposed to in our case), it accesses a function that tries to check an address somewhere around 0030000, which is illegal memory, and that causes a crash.

My friend has asked if anyone can delve deeper into the value (bio4.exe+86393A) and see why it is written to not pass the check.

My friend is working on fixing this issue for me now. I will post the assembly code for the fixes here when they are done.

Running 1.0.6

Mister-Curious commented 2 years ago

Ok, here is the assembly code for the fix.

---------------------------
F6 06 02 74 09 50 E8 AD 06 D6 FF 83 C4 04 8B 4E

Change To:

EB 67 90 74 09 50 E8 AD 06 D6 FF 83 C4 04 8B 4E
---------------------------
Find: 002AD010

Paste:

50 A1 00 0E 2E 10 05 5A CA 00 00 39 C6 75 03 C6 06 08 58 F6 06 02 EB 82
---------------------------
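The patch above is a classic two-part detour: the three-byte `test byte ptr [esi],02` at bio4.exe+2ADBA7 is replaced by a short `jmp` (`EB 67`) plus a `nop`, a code cave does the extra work, replays the displaced `test`, and jumps back (`EB 82`) onto the original `je` (`74 09`). The script below is an added example, not code from re4_tweaks or from the commenters; it applies both parts to a constructed stand-in for a slice of the executable and checks that the jumps actually link up before accepting the patch. Two points are assumptions of the example rather than facts from the thread: the cave region is expected to be padding (`0x00` or `0xCC`) before anything is written there, and the cave address is derived from the `EB 67` displacement, which decodes to bio4.exe+2ADC10, rather than from the `002AD010` typed in the "Find:" line.

```python
"""Apply and sanity-check a jump-out / code-cave / jump-back byte patch.

Added example for the issue thread; not part of re4_tweaks."""
import struct

# Byte strings copied from the comment above.
FIND_BYTES = bytes.fromhex("F6 06 02 74 09 50 E8 AD 06 D6 FF 83 C4 04 8B 4E")
PATCH_BYTES = bytes.fromhex("EB 67 90 74 09 50 E8 AD 06 D6 FF 83 C4 04 8B 4E")
CAVE_BYTES = bytes.fromhex("50 A1 00 0E 2E 10 05 5A CA 00 00 39 C6 75 03 "
                           "C6 06 08 58 F6 06 02 EB 82")

# bio4.exe+2ADBA7 is the `test byte ptr [esi],02` named in the issue.
CHECK_RVA = 0x2ADBA7

# Assumption (not stated in the thread): a cave may only overwrite padding bytes.
PADDING = {0x00, 0xCC}


def short_jmp_target(code, at, base_rva):
    """Absolute target of an `EB rel8` (short jmp) at code[at], where code[0]
    sits at base_rva.  rel8 is signed and relative to the *next* instruction."""
    if code[at] != 0xEB:
        raise ValueError(f"no short jmp at +{at:X}: {code[at]:02X}")
    rel = struct.unpack_from("<b", code, at + 1)[0]
    return base_rva + at + 2 + rel


def cave_rva_from_patch(patch=PATCH_BYTES, check_rva=CHECK_RVA):
    """Where the patched `EB 67` placed over the check jumps to."""
    return short_jmp_target(patch, 0, check_rva)


def cave_return_rva(cave=CAVE_BYTES, cave_rva=None):
    """Where the cave's trailing `EB 82` jumps back to."""
    if cave_rva is None:
        cave_rva = cave_rva_from_patch()
    return short_jmp_target(cave, len(cave) - 2, cave_rva)


def replace_unique(image, find, replace):
    """In-place find/replace that refuses ambiguous or length-changing patches.
    Returns the offset of the patched bytes."""
    if len(find) != len(replace):
        raise ValueError("replacement must be the same length as the pattern")
    first = image.find(find)
    if first < 0 or image.find(find, first + 1) >= 0:
        raise ValueError("pattern must occur exactly once")
    image[first:first + len(find)] = replace
    return first


def paste_cave(image, image_rva, cave_rva, code):
    """Write cave code at cave_rva, only if the target bytes look like padding."""
    off = cave_rva - image_rva
    if off < 0 or off + len(code) > len(image):
        raise ValueError("cave lies outside the image slice")
    if any(b not in PADDING for b in image[off:off + len(code)]):
        raise ValueError("cave region is not padding; refusing to overwrite code")
    image[off:off + len(code)] = code


def apply_and_verify(image, image_rva):
    """Apply both parts and check the control flow links up.
    Returns (cave_rva, return_rva) on success, raises otherwise."""
    site = replace_unique(image, FIND_BYTES, PATCH_BYTES)
    if image_rva + site != CHECK_RVA:
        raise ValueError("pattern found at an unexpected address")
    cave_rva = cave_rva_from_patch()
    paste_cave(image, image_rva, cave_rva, CAVE_BYTES)
    back = cave_return_rva(CAVE_BYTES, cave_rva)
    # The cave ends by replaying `test byte ptr [esi],02` (F6 06 02) and must
    # land on the original `je` (74 09), which consumes the flags it sets.
    if CAVE_BYTES[-5:-2] != FIND_BYTES[:3]:
        raise ValueError("cave does not replay the displaced test instruction")
    off = back - image_rva
    if image[off:off + 2] != b"\x74\x09":
        raise ValueError("cave does not return to the original je")
    return cave_rva, back


def make_sample_image(image_rva=0x2ADB00, size=0x200):
    """Constructed stand-in for a slice of bio4.exe's code: the 16 original
    bytes at their real RVA, everything else 0xCC.  Not real game bytes."""
    img = bytearray(b"\xCC" * size)
    off = CHECK_RVA - image_rva
    img[off:off + len(FIND_BYTES)] = FIND_BYTES
    return img, image_rva


if __name__ == "__main__":
    img, rva = make_sample_image()
    cave, back = apply_and_verify(img, rva)
    print(f"cave at bio4.exe+{cave:X}, returns to bio4.exe+{back:X}")
```

The check that matters most is the last one: a cave that returns one byte early or late re-enters the original code mid-instruction, which crashes in a way that looks exactly like the bug being fixed. On a real file the same functions apply, but offsets in the file and RVAs in memory differ by the section mapping, so `image_rva` must be the RVA of the first byte of the slice you read.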
emoose commented 2 years ago
bio4.exe+2ADBA7:
test byte ptr [esi],02

Seems this is inside the EmReadInit function, if the value at bio4.exe+86393A+X has a certain bit set, then it'll follow the branch down & end up calling DLL_Unlink

These functions are a little weird; in GC/PS2/Wii they were used to load in the code for each level/weapon/Em actor as separate files (aka overlays), kinda like DLL files on Windows, so that they could save memory by only loading code for things that are actually being used.

In RE4 UHD all that code has been merged into the main EXE though, so I'm not really sure why these functions are still around. The code-in-separate-files also still exists in the UHD version too, inside the Rel folder as the .rel files etc., but that code is PowerPC and seems to be for a debug Wii build, so it would never be able to run on PC.

I noticed that procmon does show it reading from those rel files, but not really sure what it could be reading, maybe it'd be possible to just null out these functions entirely... I was actually trying to look into this a few days ago but didn't go that far with it, maybe I'll take another look over the weekend.