praydog / REFramework

Scripting platform, modding framework and VR support for all RE Engine games
https://cursey.github.io/reframework-book/
MIT License
2.74k stars 340 forks

RE8 1GB Update today (October 14th) no longer allows VR #544

Closed AndiLimits closed 1 year ago

AndiLimits commented 1 year ago

Today a 1GB update came out, and since then VR doesn't work anymore! Was running like clockwork yesterday. Getting a crash report saying the game "crashed unexpectedly".

[Screenshot 2022-10-14 100531: crash report dialog]

FransBouma commented 1 year ago

My camera tools also crash the game after a short while. ReShade crashes the game at startup... I have the feeling (but that's just a hunch) their anti-tamper crap is tripping up again. I can't find an error in my tools, e.g. I hook the right AOBs...

Reports of gamers on Steam with crashes also suggest something isn't entirely right with this patch. Wouldn't be surprised if they release a new patch soon (but knowing Crapcom, that might still take a while :D )

praydog commented 1 year ago

> My camera tools also crash the game after a short while. ReShade crashes the game at startup... I have the feeling (but that's just a hunch) their anti-tamper crap is tripping up again. I can't find an error in my tools, e.g. I hook the right AOBs...
>
> Reports of gamers on Steam with crashes also suggest something isn't entirely right with this patch. Wouldn't be surprised if they release a new patch soon (but knowing Crapcom, that might still take a while :D )

There is anti-modding/anti-piracy code in the game now (it was there before, but now it is stronger). Seen similar code causing crashes in MHRise; even the class names are the same. I have a preliminary version working internally that patches out the checks, I just need to fix the actual mods now because the game code itself is actually different (third-person code and whatnot).

FransBouma commented 1 year ago

jfc... why would they add that... mods are what keep this game alive... Is it similar to RE2's anti-tamper crap? A thread that scans for block modifications at times?

praydog commented 1 year ago

REFramework should at least function now with the latest commit.

@FransBouma I've committed my initial fix for this, so if you want to take a look at the code to use in your own project, the main meat of it is here: https://github.com/praydog/REFramework/blob/master/src/mods/IntegrityCheckBypass.cpp#L304 This NEEDS to be patched immediately after the executable unpacks itself. I've also included the PEB module stuff which was required in MHRise for ReShade and REFramework, however I'm not sure it's needed. Stuff like ReShade seems to work now though.

@AndiLimits VR is not completely fixed yet so don't use it just yet. The base REFramework for flatscreen works right now, VR just needs some more tweaks to get going again.

praydog commented 1 year ago

VR seems to work fully now, however I'm seeing crashing after playing for some time (~10-15 minutes). I don't know if this has anything to do with the new protection added to the executable, will need more investigation.

FransBouma commented 1 year ago

@praydog Patching at startup is sadly something I can't do, as my stuff is injected after the game has been unpacked... damn. But I think I found an easy fix, see below :)

(I assume you know most of this already, but in case you don't, here are more details on what we're dealing with :) ) I've had a look at the second function you patch. I scanned where it was called from, and the exe builds a table with 4 addresses of the functions you need to patch, it seems. The first is the first sussy-constant-using function, the last function is the one you patch as second sussy_constant. No idea what functions 2 and 3 do, but as the first and the last are related to this anti-tamper, I guess functions 3 and 4 are too.

```
0000000146FEE660 | 48:895C24 08           | mov     qword ptr ss:[rsp+8],rbx       |
0000000146FEE665 | 57                     | push    rdi                            |
0000000146FEE666 | 48:83EC 30             | sub     rsp,30                         |
0000000146FEE66A | 48:8D05 AF0E0000       | lea     rax,qword ptr ds:[146FEF520]   |  << Address of first sussy_constant function
0000000146FEE671 | 33FF                   | xor     edi,edi                        |
0000000146FEE673 | 48:894424 20           | mov     qword ptr ss:[rsp+20],rax      |
0000000146FEE678 | 4C:8D4424 20           | lea     r8,qword ptr ss:[rsp+20]       |
0000000146FEE67D | 897C24 28              | mov     dword ptr ss:[rsp+28],edi      |
0000000146FEE681 | BA 0E010000            | mov     edx,10E                        |
0000000146FEE686 | 0F284424 20            | movaps  xmm0,xmmword ptr ss:[rsp+20]   |
0000000146FEE68B | 48:8BD9                | mov     rbx,rcx                        |
0000000146FEE68E | 66:0F7F4424 20         | movdqa  xmmword ptr ss:[rsp+20],xmm0   |
0000000146FEE694 | E8 B7811800            | call    re8_dump_20221014.147176850    |
0000000146FEE699 | 897C24 28              | mov     dword ptr ss:[rsp+28],edi      |
0000000146FEE69D | 48:8D05 DC010000       | lea     rax,qword ptr ds:[146FEE880]   |  << Address of scan function
0000000146FEE6A4 | 48:894424 20           | mov     qword ptr ss:[rsp+20],rax      |
0000000146FEE6A9 | 4C:8D4424 20           | lea     r8,qword ptr ss:[rsp+20]       |
0000000146FEE6AE | 0F284424 20            | movaps  xmm0,xmmword ptr ss:[rsp+20]   |
0000000146FEE6B3 | 8D57 46                | lea     edx,qword ptr ds:[rdi+46]      |
0000000146FEE6B6 | 48:8BCB                | mov     rcx,rbx                        |
0000000146FEE6B9 | 66:0F7F4424 20         | movdqa  xmmword ptr ss:[rsp+20],xmm0   |
0000000146FEE6BF | E8 8C811800            | call    re8_dump_20221014.147176850    |
0000000146FEE6C4 | 897C24 28              | mov     dword ptr ss:[rsp+28],edi      |
0000000146FEE6C8 | 48:8D05 61000000       | lea     rax,qword ptr ds:[146FEE730]   |  << Address of scan function
0000000146FEE6CF | 48:894424 20           | mov     qword ptr ss:[rsp+20],rax      |
0000000146FEE6D4 | 4C:8D4424 20           | lea     r8,qword ptr ss:[rsp+20]       |
0000000146FEE6D9 | 0F284424 20            | movaps  xmm0,xmmword ptr ss:[rsp+20]   |
0000000146FEE6DE | BA 3C010000            | mov     edx,13C                        |
0000000146FEE6E3 | 48:8BCB                | mov     rcx,rbx                        |
0000000146FEE6E6 | 66:0F7F4424 20         | movdqa  xmmword ptr ss:[rsp+20],xmm0   |
0000000146FEE6EC | E8 5F811800            | call    re8_dump_20221014.147176850    |
0000000146FEE6F1 | 897C24 28              | mov     dword ptr ss:[rsp+28],edi      |
0000000146FEE6F5 | 48:8D05 54100000       | lea     rax,qword ptr ds:[146FEF750]   |  << Address of second sussy constant function
0000000146FEE6FC | 48:894424 20           | mov     qword ptr ss:[rsp+20],rax      |
0000000146FEE701 | 4C:8D4424 20           | lea     r8,qword ptr ss:[rsp+20]       |
0000000146FEE706 | 0F284424 20            | movaps  xmm0,xmmword ptr ss:[rsp+20]   |
0000000146FEE70B | BA AD000000            | mov     edx,AD                         |
0000000146FEE710 | 48:8BCB                | mov     rcx,rbx                        |
0000000146FEE713 | 66:0F7F4424 20         | movdqa  xmmword ptr ss:[rsp+20],xmm0   |
0000000146FEE719 | E8 32811800            | call    re8_dump_20221014.147176850    |
0000000146FEE71E | 48:8B5C24 40           | mov     rbx,qword ptr ss:[rsp+40]      |
0000000146FEE723 | B0 01                  | mov     al,1                           |
0000000146FEE725 | 48:83C4 30             | add     rsp,30                         |
0000000146FEE729 | 5F                     | pop     rdi                            |
0000000146FEE72A | C3                     | ret                                    |
```

This code barely makes any sense tho :D I mean, load the address in rsp+20, then load that in xmm0 and write it back again...

I think you can AOB that function above, grab the 4 addresses and insert the RET at those addresses in the code. That should cover it and make your code a lot easier :) The constants seem to be hardcoded in the exe (Hex Workshop shows them in the exe, so they're not generated by Denuvo). This function doesn't have a hard reference, so I couldn't track down where it's called from. The addresses are used in code like this:

```
re8.exe+6FEF736 - 8B CA                 - mov ecx,edx
re8.exe+6FEF738 - C1 E1 08              - shl ecx,08 { 8 }
re8.exe+6FEF73B - 48 0B CA              - or rcx,rdx
re8.exe+6FEF73E - E8 5D6923FD           - call re8.exe+42260A0
re8.exe+6FEF743 - E8 287223FD           - call re8.exe+4226970
re8.exe+6FEF748 - 48 83 C4 20           - add rsp,20 { 32 }
re8.exe+6FEF74C - 5F                    - pop rdi
re8.exe+6FEF74D - 5E                    - pop rsi
re8.exe+6FEF74E - 5B                    - pop rbx
re8.exe+6FEF74F - C3                    - ret                  << Reads address of our beloved sussy constant 2 using function
```

So resetting these to 0 won't work as that would crash the game too.

So I thought, what would happen if I just patch the 4 functions from the function above? In a simple cheat table:

```
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

//first sussy_constant function
146FEF520:
  ret

//scan function
146FEE880:
  ret

//scan function
146FEE730:
  ret

//second sussy_constant function
146FEF750:
  ret

[DISABLE]
//code from here till the end of the script will be used to disable the cheat
```

And this fixes it 100% :) Also after the game has been unpacked: I've applied these 4 rets, then injected my tools, and it keeps working.

Hope this helps and makes your life a bit easier. Keep up the good work, your framework is awesome :)
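The procedure FransBouma lays out above (AOB-scan the table-building function, read the four RIP-relative `lea rax` operands, write a `ret` at each target, and keep the replaced bytes so the patch can be undone) as an added, runnable C++ example. This is neither REFramework's `IntegrityCheckBypass.cpp` nor FransBouma's script; it runs against a fake in-memory image rather than a live process so it compiles and executes anywhere. Assumptions that are this example's own: the function bytes are transcribed from the x64dbg listing in the post and treated as constructed sample input, the image base `0x146FEE000`, the `0x100` walk window, the pattern string, and every function and constant name; `VirtualProtect` is only mentioned in a comment, not called.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Bytes of the table-building function at 0x146FEE660, transcribed from the
// x64dbg listing in the post above. Constructed sample input for this example,
// not an authoritative dump of re8.exe.
static const std::vector<uint8_t> kTableFunc = {
    0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x30,
    0x48,0x8D,0x05,0xAF,0x0E,0x00,0x00, 0x33,0xFF, 0x48,0x89,0x44,0x24,0x20,
    0x4C,0x8D,0x44,0x24,0x20, 0x89,0x7C,0x24,0x28, 0xBA,0x0E,0x01,0x00,0x00,
    0x0F,0x28,0x44,0x24,0x20, 0x48,0x8B,0xD9, 0x66,0x0F,0x7F,0x44,0x24,0x20,
    0xE8,0xB7,0x81,0x18,0x00, 0x89,0x7C,0x24,0x28,
    0x48,0x8D,0x05,0xDC,0x01,0x00,0x00, 0x48,0x89,0x44,0x24,0x20,
    0x4C,0x8D,0x44,0x24,0x20, 0x0F,0x28,0x44,0x24,0x20, 0x8D,0x57,0x46,
    0x48,0x8B,0xCB, 0x66,0x0F,0x7F,0x44,0x24,0x20, 0xE8,0x8C,0x81,0x18,0x00,
    0x89,0x7C,0x24,0x28, 0x48,0x8D,0x05,0x61,0x00,0x00,0x00,
    0x48,0x89,0x44,0x24,0x20, 0x4C,0x8D,0x44,0x24,0x20, 0x0F,0x28,0x44,0x24,0x20,
    0xBA,0x3C,0x01,0x00,0x00, 0x48,0x8B,0xCB, 0x66,0x0F,0x7F,0x44,0x24,0x20,
    0xE8,0x5F,0x81,0x18,0x00, 0x89,0x7C,0x24,0x28,
    0x48,0x8D,0x05,0x54,0x10,0x00,0x00, 0x48,0x89,0x44,0x24,0x20,
    0x4C,0x8D,0x44,0x24,0x20, 0x0F,0x28,0x44,0x24,0x20, 0xBA,0xAD,0x00,0x00,0x00,
    0x48,0x8B,0xCB, 0x66,0x0F,0x7F,0x44,0x24,0x20, 0xE8,0x32,0x81,0x18,0x00,
    0x48,0x8B,0x5C,0x24,0x40, 0xB0,0x01, 0x48,0x83,0xC4,0x30, 0x5F, 0xC3,
};
static constexpr uint64_t kTableFuncVA = 0x146FEE660ULL;
static constexpr uint64_t kImageBase   = 0x146FEE000ULL;  // assumed base of the fake image
static constexpr size_t   kWindow      = 0x100;           // max bytes walked from the AOB hit

struct Pattern { std::vector<uint8_t> bytes; std::vector<bool> wildcard; };

// Parse an x64dbg/IDA style AOB string such as "48 8D 05 ?? ?? ?? ?? 33 FF".
Pattern parse_pattern(const std::string& text) {
    Pattern p; std::istringstream in(text); std::string tok;
    while (in >> tok) {
        bool wild = (tok == "??" || tok == "?");
        p.bytes.push_back(wild ? 0 : static_cast<uint8_t>(std::stoul(tok, nullptr, 16)));
        p.wildcard.push_back(wild);
    }
    return p;
}

// Offset of the first match of p in [data, data+len), if any.
std::optional<size_t> aob_scan(const uint8_t* data, size_t len, const Pattern& p) {
    const size_t n = p.bytes.size();
    if (n == 0 || len < n) return std::nullopt;
    for (size_t i = 0; i + n <= len; ++i) {
        size_t j = 0;
        while (j < n && (p.wildcard[j] || data[i + j] == p.bytes[j])) ++j;
        if (j == n) return i;
    }
    return std::nullopt;
}

// Resolve every `lea rax,[rip+disp32]` (48 8D 05 disp32) in the window to its
// absolute target; va is the address of code[0]. This is a byte walk, not a
// disassembly, so keep the window tight (a length disassembler is the robust way).
std::vector<uint64_t> resolve_lea_rax_rip(const uint8_t* code, size_t len, uint64_t va) {
    std::vector<uint64_t> targets;
    for (size_t i = 0; i + 7 <= len;) {
        if (code[i] == 0x48 && code[i + 1] == 0x8D && code[i + 2] == 0x05) {
            int32_t disp; std::memcpy(&disp, code + i + 3, sizeof disp);  // little-endian disp32
            targets.push_back(va + i + 7 + static_cast<int64_t>(disp));   // next RIP + disp
            i += 7;
        } else { ++i; }
    }
    return targets;
}

struct RetPatch { uint64_t va; uint8_t original; };

// Write `ret` (0xC3) at each in-image target, remembering the replaced byte so the
// patch can be reverted (the [DISABLE] half of a cheat table). Against a live
// process this write has to sit inside VirtualProtect(PAGE_EXECUTE_READWRITE).
std::vector<RetPatch> patch_ret(std::vector<uint8_t>& image, uint64_t base,
                                const std::vector<uint64_t>& targets) {
    std::vector<RetPatch> applied;
    for (uint64_t t : targets) {
        if (t < base || t - base >= image.size()) continue;
        applied.push_back({t, image[t - base]});
        image[t - base] = 0xC3;
    }
    return applied;
}

void unpatch(std::vector<uint8_t>& image, uint64_t base, const std::vector<RetPatch>& applied) {
    for (const RetPatch& p : applied) image[p.va - base] = p.original;
}

// Fake 8 KiB image filled with int3, with the table function mapped at its real VA.
std::vector<uint8_t> make_fake_image() {
    std::vector<uint8_t> image(0x2000, 0xCC);
    std::copy(kTableFunc.begin(), kTableFunc.end(), image.begin() + (kTableFuncVA - kImageBase));
    return image;
}

// The procedure from the post: AOB the table builder, pull the four lea targets.
// The pattern anchors on the prologue plus the distinctive `mov edx,10E`; the
// displacement bytes are wildcarded because they move when the exe is relinked.
std::vector<uint64_t> find_integrity_targets(const std::vector<uint8_t>& image) {
    static const Pattern p = parse_pattern(
        "48 89 5C 24 08 57 48 83 EC 30 48 8D 05 ?? ?? ?? ?? 33 FF "
        "48 89 44 24 20 4C 8D 44 24 20 89 7C 24 28 BA 0E 01 00 00");
    auto off = aob_scan(image.data(), image.size(), p);
    if (!off) return {};
    size_t len = std::min(kWindow, image.size() - *off);
    return resolve_lea_rax_rip(image.data() + *off, len, kImageBase + *off);
}
```

On the real target you would scan the game's `.text` section instead of `make_fake_image()`, and `find_integrity_targets` then yields exactly the four addresses in the cheat table above (146FEF520, 146FEE880, 146FEE730, 146FEF750). The walk in `resolve_lea_rax_rip` is deliberately bounded to the matched function: run it over a large range and any stray `48 8D 05` inside an immediate produces a bogus target, which is the reason to use a length disassembler in production tooling. `patch_ret` returns the replaced bytes so that a restore is possible without needing a second copy of the original executable.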

praydog commented 1 year ago

It seems that cutting the whole solution down like this is causing DLCs not to load. It might not be an issue on your end because you can delay the injection until after everything is loaded. There are other scans that are littered throughout the executable which I'm looking into. A good chunk of them seem to run at startup, and instead of crashing the game they stop certain code from running, loading the DLCs for example.

praydog commented 1 year ago

Seemingly fully fixed in a5fa94e0ae75ff909a97bdeb6065e4e79dac1a99. Re-open this issue or make a new one if more crashes or unexpected behavior occurs.

https://github.com/praydog/REFramework-nightly/releases/

FransBouma commented 1 year ago

Tbh I don't have DLCs for RE8, so I didn't run into this issue for testing, hence I missed it. If I didn't patch the other 2 functions, it would crash after a minute or earlier. Glad you found a solution tho :) 👍

Mercer07 commented 1 year ago

As requested, I extracted only the dinput8.dll file to the game folder. The error is gone, but the game starts and immediately crashes.