Widescreen Gaming Forum

[-noun] Web community dedicated to ensuring PC games run properly on your tablet, netbook, personal computer, HDTV and multi-monitor gaming rig.
It is currently 12 Dec 2024, 18:40

All times are UTC [ DST ]




Post new topic Reply to topic  [ 767 posts ]  Go to page Previous  1 ... 54, 55, 56, 57, 58, 59, 60 ... 77  Next
Author Message
PostPosted: 23 Dec 2015, 01:46 
Offline
User avatar

Joined: 27 Nov 2015, 03:49
Posts: 23
HaYDeN wrote:
That's an interesting problem - it suggests the code is different in some way (ie fallout4.exe)

Have you tried launching without Nexus Mod Manager? (I'm not entirely sure how it interacts with the executable)


Yeah, sorry, I meant to say that yes, it does the same thing without NMM.

I'm assuming the problem is that it's finding addresses that are above 32-bit space and trying to compile jumps to them with 32-bit asm. Note that 0x140636298 is nine hex digits, not eight. I have no idea why this would be happening in a 32-bit app, unless it's talking about the physical address. I do have a boatload of ram in this box, so stuff easily gets loaded above 4GB in physical address terms.


Top
 Profile  
 


PostPosted: 23 Dec 2015, 01:49 
Offline
User avatar

Joined: 27 Nov 2015, 03:49
Posts: 23
Aiken Drum wrote:
I have no idea why this would be happening in a 32-bit app, unless it's talking about the physical address. I do have a boatload of ram in this box, so stuff easily gets loaded above 4GB in physical address terms.

Could also be that your codecave and the patched executable section are more than ±2GB from each other, so even a 32-bit relative jump won't do.


Top
 Profile  
 
PostPosted: 23 Dec 2015, 01:57 
Offline
User avatar

Joined: 27 Nov 2015, 03:49
Posts: 23
Aiken Drum wrote:
Could also be that your codecave and the patched executable section are more than ±2GB from each other, so even a 32-bit relative jump won't do.

Yup, there it is. The original code is circa 0x140000000 and your codecave is at 0x1c7750000. Delta is 0x87750000, which is outside the ±0x80000000 range for relative jmp.

There's no absolute jmp in x86, but you could use the trick where you stick the absolute address in the four bytes after an indirected jump. I don't know how to encode that in your lua file, especially considering I'd need to use the virtual address and not the physical in order to drop the correct value after the jmp.

Edit: DIdn't realize FO4 was 64-bit. My bad. I think you can just do this in place of the plain jmp:

Code:
jmp [rip+0]
dq %returnaddress%


But I'm out of my element with x64, so I'm not sure.

Edit 2: That change in the lua compiles for me, but hacktool is injecting the plain jmp, which doesn't, and I don't know how to change that, so that's as far as I got.


Last edited by Aiken Drum on 23 Dec 2015, 03:14, edited 2 times in total.

Top
 Profile  
 
PostPosted: 23 Dec 2015, 02:14 
Offline

Joined: 12 Nov 2015, 18:54
Posts: 10
Just a quick FIY that with the recent nvidia 361.43 driver they seem to have fixed the SLI issues.
Finally getting 60fps all over with 5760x1080 and no more drops :D


Top
 Profile  
 
PostPosted: 23 Dec 2015, 03:33 
Offline
Insiders
Insiders
User avatar

Joined: 14 Feb 2010, 13:39
Posts: 761
Aiken Drum wrote:
Aiken Drum wrote:
Could also be that your codecave and the patched executable section are more than ±2GB from each other, so even a 32-bit relative jump won't do.

Yup, there it is. The original code is circa 0x140000000 and your codecave is at 0x1c7750000. Delta is 0x87750000, which is outside the ±0x80000000 range for relative jmp.

There's no absolute jmp in x86, but you could use the trick where you stick the absolute address in the four bytes after an indirected jump. I don't know how to encode that in your lua file, especially considering I'd need to use the virtual address and not the physical in order to drop the correct value after the jmp.


64bit mode is Lulz at best - it's such a hack :P - Indeed correct - in theory with a typical fixed jmp you would be restricted to that of an 32bit (hah!) integer (i.e. + or - 2GiB / 0x80000000h) from the jmp position.

If you use a register or other mechanism that can reference or represent a true 64bit value then you can jmp across the entire address space, the problem with this is one is trying not to dirty any registers.

Interesting anyway, it could be because of large amounts of ram but that shouldn't matter, I only have 12GB - I have not seen this problem arise - by design it should try to allocate the memory as close as possible to origin process, only thing I can think of is that your memory is _horribly_ fragmented due to long uptime and/or thrashing micro allocations.

Looking at my prototype:
The prototype for the function call causing the allocation is CompileAssembly(const wchar_t * Assembly,const wchar_t * AllocationName,size_t NearTo) with NearTo being optional, if NearTo is specified at the time of allocation it will dump all memory regions and scan incrementally for a free block(s) large enough, then tries to allocate (more than once if required) until it succeeds.

Later when the memory is allocated, the following code is executed - ie If its a 64bit process and you don't tell it your preference with respect to where it should allocate it, it will try to allocate it as close as possible after the Process Image it's attached to; to help combat this exact issue.

I've only needed to use the NearTo functionality when modifying DLL's loaded by the process - so I guess it's possible there's a bug.

Code:
   if (HackTool->GetArchitecture() == 64) {
      size_t TempNearTo = HackTool->GetBaseAddress() + HackTool->GetBaseSize();
      if ((NearTo == 0) && (TempNearTo > 0)) {
         NearTo = TempNearTo;
      }
   }

   if (NearTo != 0) {
      .... scan for block NearTo
   }


Can you paste the relevant base address ( which is shown in the main window ) and the allocation address along with the error - did you identify which function or codecave block this is in the Lua file?

_________________
Resident Jester - Flawless Widescreen - Widescreen gaming the way it should be.
[Steam Profile]

Want to keep Flawless Widescreen alive? Donate Here


Top
 Profile  
 
PostPosted: 23 Dec 2015, 04:23 
Offline
User avatar

Joined: 27 Nov 2015, 03:49
Posts: 23
HaYDeN wrote:
If you use a register or other mechanism that can reference or represent a true 64bit value then you can jmp across the entire address space, the problem with this is one is trying not to dirty any registers.


Not sure if you saw this, as I edited it in around the time you were probably writing your response:

Aiken Drum wrote:
... I think you can just do this in place of the plain jmp:

Code:
jmp [rip+0]
dq %returnaddress%


But I'm out of my element with x64, so I'm not sure.

Edit 2: That change in the lua compiles for me, but hacktool is injecting the plain jmp, which doesn't, and I don't know how to change that, so that's as far as I got.


If you can afford the extra bytes at the source location, you should be able to do full 64-bit jumps in all cases. I don't know how much code you're replacing in each case, though. If something is just diverting a single source jmp, then obviously that's not feasible.

But back to your post:

HaYDeN wrote:
Interesting anyway, it could be because of large amounts of ram but that shouldn't matter, I only have 12GB - I have not seen this problem arise - by design it should try to allocate the memory as close as possible to origin process, only thing I can think of is that your memory is _horribly_ fragmented due to long uptime and/or thrashing micro allocations.


Nope. Even off a fresh boot, I get the same results.

Quote:
Code:
   if (HackTool->GetArchitecture() == 64) {
      size_t TempNearTo = HackTool->GetBaseAddress() + HackTool->GetBaseSize();
      if ((NearTo == 0) && (TempNearTo > 0)) {
         NearTo = TempNearTo;
      }
   }


I don't know what compiler you're using, but size_t is unreliable as a type to hold pointers as integers, which is what you appear to be doing here. Not so much size-wise, unless you're compiling in some kind of 32-bit compatibility mode for source tha was written for x86, but more because it's not guaranteed signed or unsigned. You should really be using intptr_t or uintptr_t, if your STL/compiler supports a recent enough C++ standard to have them.

My concern is that you might have an overflow or underflow or wrap in your ints-as-pointers math. Not here, since this code looks innocuous, but maybe somewhere else. Or maybe one or both values are getting truncated to 32 bits somewhere, in which case 0x1c7000000 -> 0x0C7000000 could appear to be within 2GB of 0x140000000.

Dunno, just throwing out ideas. Can you seed/hardcode a dummy run with the addresses from my quoted debug spew and see if you spot it going awry at some point?


Top
 Profile  
 
PostPosted: 23 Dec 2015, 04:25 
Offline
User avatar

Joined: 27 Nov 2015, 03:49
Posts: 23
Oops, missed this:

HaYDeN wrote:
Can you paste the relevant base address ( which is shown in the main window ) and the allocation address along with the error - did you identify which function or codecave block this is in the Lua file?


Yeah. Here's the debug console spew from a run I just did:

Code:
DisplayDetection -> Scanning process for signs of SoftTH injection
c_HackTool -> Successfully opened process, ID=11656
Suspending Thread
HUDSafeZoneWide - Addr=Fallout4Launcher.exe+45B0770
HUDSafeZoneWide->X - Addr=Fallout4Launcher.exe+45B0770 (float=64.00)
HUDSafeZoneWide->Y - Addr=Fallout4Launcher.exe+45B0788 (float=36.00)
HUDSafeZone - Addr=Fallout4Launcher.exe+45B07A0
HUDSafeZone->X - Addr=Fallout4Launcher.exe+45B07A0 (float=64.00)
HUDSafeZone->Y - Addr=Fallout4Launcher.exe+45B07B8 (float=36.00)
HUDSafeZoneWide16x10 - Addr=Fallout4Launcher.exe+45B0740
HUDSafeZoneWide16x10->X - Addr=Fallout4Launcher.exe+45B0740 (float=15.00)
HUDSafeZoneWide16x10->Y - Addr=Fallout4Launcher.exe+45B0758 (float=15.00)
VATSZoomFix - Addr=Fallout4Launcher.exe+A8D47F
HUDFix - Addr=Fallout4Launcher.exe+2565F72
HUDFix_Cursor - Addr=Fallout4Launcher.exe+16843F8
HUDFix_Scoped - Addr=Fallout4Launcher.exe+E514A1
MouseFix_Regs - Addr=Fallout4Launcher.exe+255D8F0
MouseFix - Addr=Fallout4Launcher.exe+256B485
ObjectAspectFix - Addr=Fallout4Launcher.exe+DA6298
CenterMouse - Addr=Fallout4Launcher.exe+1019D49
CenterMouse1 - Addr=Fallout4Launcher.exe+1019D5F
CenterMouse2 - Addr=Fallout4Launcher.exe+1019D67
CenterMouse3 - Addr=Fallout4Launcher.exe+1019D84
CenterMouse4 - Addr=Fallout4Launcher.exe+1019D8C
FPFOV - Addr=Fallout4Launcher.exe+4598A30 (float=80.00)
TPFOV - Addr=Fallout4Launcher.exe+4598A18 (float=70.00)
WEPFOV - Addr=Fallout4Launcher.exe+1660F10
Un-Suspending Thread
Configure Success = true
Inject delay: 250ms, Configure() took: 900ms, Adjusted Inject delay: -650ms
Actual delay: 1ms
Suspending Thread
X: 137.73
c_HackTool -> JMP candidate for ObjectAspectFix_cc, NOPS=1, Address=0x1401a6298
c_HackTool -> JMP candidate for MouseFix_Regs_cc, NOPS=1, Address=0x14195d8f0
c_HackTool -> JMP candidate for MouseFix_cc, NOPS=0, Address=0x14196b485
c_HackTool -> JMP candidate for HUDFix_cc, NOPS=2, Address=0x141965f72
c_HackTool -> JMP candidate for WEPFOV_cc, NOPS=2, Address=0x140a60f10
c_HackTool -> Successfully allocated 4096 bytes at 0x1c7280000 for ASM block "Fixes"
c_HackTool -> Failed to compile assembly... Error during compile, check your assembly is accurate and valid.
c_HackTool -> Error occured near: jmp 0x14072629e (Relative Jump Out Of Range)
Un-Suspending Thread


The issue is with any jmp into or out of the codecave. If I fix the ones in the lua that jump back to the return address, then the jmps made for the source location that jump into the cave become the problem.


Top
 Profile  
 
PostPosted: 23 Dec 2015, 04:36 
Offline
User avatar

Joined: 27 Nov 2015, 03:49
Posts: 23
BTW, this could possibly be due to having the machine set up for development as well. It could be something like windows debug symbols getting loaded up with the executable or something like that, though I'm pretty sure that only happens when a debugger is attached. Still, could be something like that which is pushing the available heap further away from the executable.


Top
 Profile  
 
PostPosted: 23 Dec 2015, 04:39 
Offline
Insiders
Insiders
User avatar

Joined: 14 Feb 2010, 13:39
Posts: 761
Aiken Drum wrote:
BTW, this could possibly be due to having the machine set up for development as well. It could be something like windows debug symbols getting loaded up with the executable or something like that, though I'm pretty sure that only happens when a debugger is attached. Still, could be something like that which is pushing the available heap further away from the executable.


What's the base address of the executable as per the main window (not debug window, it's not provided) - screenshot it probably is easiest.

And what is the MD5 hash of your executable, I note it's named Fallout4Launcher.exe rather than Fallout4.exe?

ie

Code:
PS C:\Program Files (x86)\Steam\steamapps\common\Fallout 4> get-filehash .\Fallout4.exe -algorithm md5

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             C80BDB3FB9EF4D34BC751CDB31996843                                       C:\Program Files (x86)\Steam\...

_________________
Resident Jester - Flawless Widescreen - Widescreen gaming the way it should be.
[Steam Profile]

Want to keep Flawless Widescreen alive? Donate Here


Top
 Profile  
 
PostPosted: 23 Dec 2015, 04:49 
Offline
User avatar

Joined: 27 Nov 2015, 03:49
Posts: 23
HaYDeN wrote:
What's the base address of the executable as per the main window (not debug window, it's not provided) - screenshot it probably is easiest.


Ah, I didn't notice that, sorry. Here you go:

http://i.imgur.com/LdAiIH1.png
Image

Quote:
And what is the MD5 hash of your executable, I note it's named Fallout4Launcher.exe rather than Fallout4.exe?


It's just named that because you can circumvent the unnecessary launcher by swapping their names around. And no, doing it the right way around doesn't make any difference. :)

Code:
C:\Program Files (x86)\Steam\steamapps\common\Fallout 4>CertUtil -hashfile Fallout4Launcher.exe MD5
MD5 hash of file Fallout4Launcher.exe:
c8 0b db 3f b9 ef 4d 34 bc 75 1c db 31 99 68 43
CertUtil: -hashfile command completed successfully.


Appears to match.


Last edited by Aiken Drum on 23 Dec 2015, 05:05, edited 1 time in total.

Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 767 posts ]  Go to page Previous  1 ... 54, 55, 56, 57, 58, 59, 60 ... 77  Next

All times are UTC [ DST ]


Who is online

Users browsing this forum: No registered users and 79 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  




Powered by phpBB® Forum Software © phpBB Group