Difference between revisions of "Talk:014C"
Jump to navigation
Jump to search
(Created page with "Is there more information on the bug? The causes, possible fixes? ~~~~") |
|||
| Line 1: | Line 1: | ||
Is there more information on the bug? The causes, possible fixes? [[User:Seemann|Seemann]] ([[User talk:Seemann|talk]]) 10:45, 13 June 2016 (UTC) | Is there more information on the bug? The causes, possible fixes? [[User:Seemann|Seemann]] ([[User talk:Seemann|talk]]) 10:45, 13 June 2016 (UTC) | ||
| + | |||
| + | :The bug is at around 0x5A7617 where it is making a bad comparison. | ||
| + | :<syntaxhighlight lang="nasm"> | ||
| + | ; the switch/counter is at cargen+0x28, size two bytes | ||
| + | ; using a value of 101 or above stores 0xffff, using a value between 0 and 100 stores the number as-is | ||
| + | .text:005A7617 movzx eax, word ptr [ebx+28h] ; grabs a two-byte value, do an unsigned extension | ||
| + | ; this means 0xffff would change to 0x0000ffff | ||
| + | .text:005A761B cmp eax, 0FFFFFFFFh ; compare against 0xffffffff | ||
| + | .text:005A761E jge short loc_5A7624 ; jump if greater than or equal, signed comparison | ||
| + | ; but ALL resulting values are greater than -1 | ||
| + | .text:005A7620 dec word ptr [ebx+28h] ; decrement cargen+0x28 by 1, which is never reached | ||
| + | .text:005A7624 loc_5A7624: | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | :So here's my fix that worked for me. | ||
| + | :<syntaxhighlight lang="nasm"> | ||
| + | .text:005A7617 movsx eax, word ptr [ebx+28h] ; do a signed extension so that 0xffff would change to 0xffffffff | ||
| + | .text:005A761B cmp eax, 0FFFFFFFFh ; | ||
| + | .text:005A761E jz short loc_5A7624 ; jump if equal, signed comparison | ||
| + | .text:005A7620 dec word ptr [ebx+28h] ; | ||
| + | .text:005A7624 loc_5A7624: | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | :Here's the code for CLEO. | ||
| + | :<syntaxhighlight lang="txt"> | ||
| + | 05DF: write_memory 0x5A7618 size 1 value 0xBF virtual_protect 1 | ||
| + | 05DF: write_memory 0x5A761E size 1 value 0x74 virtual_protect 1 | ||
| + | </syntaxhighlight>--[[User:Spaceeinstein|Spaceeinstein]] ([[User talk:Spaceeinstein|talk]]) 16:04, 13 June 2016 (UTC) | ||
Revision as of 16:04, 13 June 2016
Is there more information on the bug? The causes, possible fixes? Seemann (talk) 10:45, 13 June 2016 (UTC)
- The bug is at around 0x5A7617 where it is making a bad comparison.
; the switch/counter is at cargen+0x28, size two bytes ; using a value of 101 or above stores 0xffff, using a value between 0 and 100 stores the number as-is .text:005A7617 movzx eax, word ptr [ebx+28h] ; grabs a two-byte value, do an unsigned extension ; this means 0xffff would change to 0x0000ffff .text:005A761B cmp eax, 0FFFFFFFFh ; compare against 0xffffffff .text:005A761E jge short loc_5A7624 ; jump if greater than or equal, signed comparison ; but ALL resulting values are greater than -1 .text:005A7620 dec word ptr [ebx+28h] ; decrement cargen+0x28 by 1, which is never reached .text:005A7624 loc_5A7624:
- So here's my fix that worked for me.
.text:005A7617 movsx eax, word ptr [ebx+28h] ; do a signed extension so that 0xffff would change to 0xffffffff .text:005A761B cmp eax, 0FFFFFFFFh ; .text:005A761E jz short loc_5A7624 ; jump if equal, signed comparison .text:005A7620 dec word ptr [ebx+28h] ; .text:005A7624 loc_5A7624:
- Here's the code for CLEO.
- --Spaceeinstein (talk) 16:04, 13 June 2016 (UTC)
05DF: write_memory 0x5A7618 size 1 value 0xBF virtual_protect 1 05DF: write_memory 0x5A761E size 1 value 0x74 virtual_protect 1
