
Access Violation, UE 4.26.2 STAR WARS Jedi: Survivor #144

Open
Omega172 opened this issue Jun 7, 2024 · 12 comments

Comments

@Omega172 (Contributor) commented Jun 7, 2024

The exception

//Exception thrown at 0x00007FF87BFCAD0B (Dumper-7.dll) in JediSurvivor.exe: 0xC0000005: Access violation reading location 0x00000000000000B0.
// Line 21 OffsetFinder.h

// Related code
template<int Alignement = 4, typename T>
inline int32_t FindOffset(std::vector<std::pair<void*, T>>& ObjectValuePair, int MinOffset = 0x28, int MaxOffset = 0x1A0)
{
	int32_t HighestFoundOffset = MinOffset;

	for (int i = 0; i < ObjectValuePair.size(); i++)
	{
		uint8_t* BytePtr = (uint8_t*)(ObjectValuePair[i].first);

		for (int j = HighestFoundOffset; j < MaxOffset; j += Alignement)
		{
			if ((*reinterpret_cast<T*>(BytePtr + j)) == ObjectValuePair[i].second && j >= HighestFoundOffset) // Line 21: faults when ObjectValuePair[i].first is nullptr, since BytePtr + j is then the bare address j (0xB0 in the exception above)
			{
				if (j > HighestFoundOffset)
				{
					HighestFoundOffset = j;
					i = 0;
				}
				j = MaxOffset;
			}
		}
	}

	return HighestFoundOffset != MinOffset ? HighestFoundOffset : OffsetNotFound;
}

// Call Stack
/*
>	Dumper-7.dll!OffsetFinder::FindOffset<4,enum EFunctionFlags>(std::vector<std::pair<void *,enum EFunctionFlags>,std::allocator<std::pair<void *,enum EFunctionFlags>>> & ObjectValuePair, int MinOffset, int MaxOffset) Line 21	C++
 	Dumper-7.dll!OffsetFinder::FindFunctionFlagsOffset() Line 413	C++
 	Dumper-7.dll!Off::Init() Line 249	C++
 	Dumper-7.dll!Generator::InitEngineCore() Line 84	C++
 	Dumper-7.dll!MainThread(HINSTANCE__ * Module) Line 54	C++
 	kernel32.dll!00007ffa0ae3257d()	Unknown
 	ntdll.dll!00007ffa0becaa48()	Unknown

*/

Dumper 7 output

Started Generation [Dumper-7]!

Dumper-7 by me, you & him


Searching for GObjects...

Found FChunkedFixedUObjectArray GObjects at offset 0x6902668

Found 'FNamePool GNames' at offset 0x68E9FC0

Found FName::AppendString at Offset 0x1D4D360

Off::UStruct::Children: 0x48
Off::Field::Next: 0x28
Off::UStruct::SuperStruct: 0x40
Off::UStruct::Size: 0x58
Off::UStruct::MinAlignemnts: 0x5C
Off::UClass::CastFlags: 0xD8
Game uses FProperty system

Off::UStruct::ChildProperties: 0x50
Off::FField::Next: 0x18
Off::FField::Name: 0x28
Off::FField::Flags: 0x30
Off::UClass::ClassDefaultObject: 0x120
Off::UEnum::Names: 0x40
@Fischsalat (Collaborator)

Which function wasn't found in OffsetFinder::FindFunctionFlagsOffset? Aka, which one is nullptr in the Infos vector?

@Omega172 (Contributor, Author) commented Jun 8, 2024

[two screenshots attached]

@Fischsalat (Collaborator)

In that case I propose that you comment out OffsetFinder.h line 411 as a temporary fix.

If this fix works please DON'T close this issue, and send me the GObjects-Dump.txt file generated by the dumper.

@Omega172 (Contributor, Author) commented Jun 9, 2024

New error after attempting the suggested fix:

// Exception thrown at 0x00007FF9FF4D6EC9 (Dumper-7.dll) in JediSurvivor.exe: 0xC0000005: Access violation reading location 0x0000000000000008.
// Line 151 ObjectArray.cpp

void ObjectArray::InitializeChunkSize(uint8_t* ChunksPtr)
{
	int IndexOffset = 0x0;
	uint8* ObjAtIdx374 = (uint8*)ByIndex(ChunksPtr, 0x374, SizeOfFUObjectItem, FUObjectItemInitialOffset, 0x10000);
	uint8* ObjAtIdx106 = (uint8*)ByIndex(ChunksPtr, 0x106, SizeOfFUObjectItem, FUObjectItemInitialOffset, 0x10000);

	for (int i = 0x8; i < 0x20; i++)
	{
		if (*reinterpret_cast<int32*>(ObjAtIdx374 + i) == 0x374 && *reinterpret_cast<int32*>(ObjAtIdx106 + i) == 0x106)
		{
			IndexOffset = i;
			break;
		}
	}

	int IndexToCheck = 0x10400;
	while (ObjectArray::Num() > IndexToCheck)
	{
		if (void* Obj = ByIndex(ChunksPtr, IndexToCheck, SizeOfFUObjectItem, FUObjectItemInitialOffset, 0x10000))
		{
			const bool bIsTrue = *reinterpret_cast<int32*>((uint8*)Obj + IndexOffset) != IndexToCheck;
			NumElementsPerChunk = bIsTrue ? 0x10400 : 0x10000;
			break;
		}
		IndexToCheck += 0x10400;
	}

	Off::InSDK::ObjArray::ChunkSize = NumElementsPerChunk;
}

// Call Stack
/*
>	Dumper-7.dll!ObjectArray::InitializeChunkSize(unsigned char * ChunksPtr) Line 151	C++
 	Dumper-7.dll!ObjectArray::Init(bool bScanAllMemory) Line 271	C++
 	Dumper-7.dll!Generator::InitEngineCore() Line 82	C++
 	Dumper-7.dll!MainThread(HINSTANCE__ * Module) Line 54	C++
 	kernel32.dll!00007ffb4e41257d()	Unknown
 	ntdll.dll!00007ffb4ff2aa48()	Unknown
 */

Dumper 7 Output

Started Generation [Dumper-7]!

Dumper-7 by me, you & him


Searching for GObjects...

Found FChunkedFixedUObjectArray GObjects at offset 0x5e74024

[screenshot attached]

@Fischsalat (Collaborator)

So without the fix you reached the Offset initialization, but with the fix you're now crashing at an earlier point?
That doesn't make any sense, are you sure that crash occurs consistently?

@Omega172 (Contributor, Author) commented Jun 9, 2024

The crash is indeed occurring constantly, and I have made sure to use the same game launch method every time (launching without EA).

@Fischsalat (Collaborator)

Still doesn't make any sense. Why would the dll suddenly crash earlier? Does it work if you revert the fix?

@Omega172 (Contributor, Author) commented Jun 11, 2024

I have no clue how I got that second error.
To be 100% sure I got properly reproducible results, I reverted any changes I made and rebuilt.

With no changes just pulled and compiled, I get the same error as my initial message.

When the fix is applied:

// Commented out OffsetFinder.h Line411
//Infos.push_back({ ObjectArray::FindObjectFast("SwitchLevel").GetAddress(), EFunctionFlags::Exec | EFunctionFlags::Native | EFunctionFlags::Public });

/*
Exception thrown at 0x00007FF9C2906961 (Dumper-7.dll) in JediSurvivor.exe: 0xC0000005: Access violation reading location 0x00000000000000D8.
OffsetFinder.h Line 434
*/

inline int32_t FindFunctionNativeFuncOffset()
{
	std::vector<std::pair<void*, EFunctionFlags>> Infos;

	uintptr_t WasInputKeyJustPressed = reinterpret_cast<uintptr_t>(ObjectArray::FindObjectFast("WasInputKeyJustPressed").GetAddress());
	uintptr_t ToggleSpeaking = reinterpret_cast<uintptr_t>(ObjectArray::FindObjectFast("ToggleSpeaking").GetAddress());
	uintptr_t SwitchLevel = reinterpret_cast<uintptr_t>(ObjectArray::FindObjectFast("SwitchLevel").GetAddress());

	for (int i = 0x40; i < 0x140; i += 8)
	{
		if (IsInProcessRange(*reinterpret_cast<uintptr_t*>(WasInputKeyJustPressed + i)) && IsInProcessRange(*reinterpret_cast<uintptr_t*>(ToggleSpeaking + i)) && IsInProcessRange(*reinterpret_cast<uintptr_t*>(SwitchLevel + i)))
			return i;
	}

	return 0x0;
}

/*
>	Dumper-7.dll!OffsetFinder::FindFunctionNativeFuncOffset() Line 434	C++
 	Dumper-7.dll!Off::Init() Line 252	C++
 	Dumper-7.dll!Generator::InitEngineCore() Line 84	C++
 	Dumper-7.dll!MainThread(HINSTANCE__ * Module) Line 54	C++
 	kernel32.dll!00007ffb4e41257d()	Unknown
 	ntdll.dll!00007ffb4ff2aa48()	Unknown
*/

/*
Started Generation [Dumper-7]!

Dumper-7 by me, you & him


Searching for GObjects...

Found FChunkedFixedUObjectArray GObjects at offset 0x6902668

Found 'FNamePool GNames' at offset 0x68E9FC0

Found FName::AppendString at Offset 0x1D4D360

Off::UStruct::Children: 0x48
Off::Field::Next: 0x28
Off::UStruct::SuperStruct: 0x40
Off::UStruct::Size: 0x58
Off::UStruct::MinAlignemnts: 0x5C
Off::UClass::CastFlags: 0xD8
Game uses FProperty system

Off::UStruct::ChildProperties: 0x50
Off::FField::Next: 0x18
Off::FField::Name: 0x28
Off::FField::Flags: 0x30
Off::UClass::ClassDefaultObject: 0x120
Off::UEnum::Names: 0x40
Off::UFunction::FunctionFlags: 0xB0
*/

What I believe is the issue:

uintptr_t SwitchLevel = reinterpret_cast<uintptr_t>(ObjectArray::FindObjectFast("SwitchLevel").GetAddress());

// According to the debugger these are the values
// SwitchLevel = 0;
// i = 216; Which is 0xD8
// 0 + 0xD8 = 0xD8;
IsInProcessRange(*reinterpret_cast<uintptr_t*>(SwitchLevel + i)); // The crash is caused here, trying to access location 0xD8

I double and triple checked by making sure to launch the game with the same method every time and using the same Debug x64 built DLL, and I got the same error every time.

@Omega172 (Contributor, Author)

So it seems to me like the object SwitchLevel just cannot ever be found.

@Fischsalat (Collaborator)

In that case try also commenting out lines/places using SwitchLevel. Would also be nice if you could send me an object dump of your game. You can call ObjectArray::DumpObjects() on a line before the crash.

@Omega172 (Contributor, Author) commented Jun 12, 2024

Object Dump:
https://mega.nz/file/CIgREJBY#VeqzG4BIuyIyQi5CP_J1jiR4fAGhz8NwM9e8g5E_I7g (I had to upload it there because GitHub only allows files up to 25 MB, but it was 35 MB.)

@xVoidie commented Aug 11, 2024

I had the same issue; what worked for me was manually defining the offsets for UFunction.
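The failure mode Omega172 pins down above (a nullptr entry, so nullptr + 0xD8 is read as the bare address 0xD8) together with the manual-offset workaround in the last comment, as an added example that is not Dumper-7's own code: a copy of the page's FindOffset scan that refuses nullptr entries instead of dereferencing them, run over constructed in-memory objects, with a manually defined offset as the fallback. The EFunctionFlags values, FakeObject layout and function names are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <utility>
#include <vector>

// Stand-in for UE's EFunctionFlags with the three flags named in the thread (values assumed).
enum class EFunctionFlags : uint32_t { Exec = 0x200, Native = 0x400, Public = 0x20000 };
constexpr int32_t OffsetNotFound = -1;

// Same search as OffsetFinder::FindOffset on the page, plus one check: an entry whose FindObjectFast
// lookup failed is nullptr, and nullptr + j is exactly the small faulting address the reports show
// (0xB0, 0xD8). Reads go through memcpy so the scan has no aliasing UB.
template<int Alignment = 4, typename T>
int32_t FindOffsetChecked(std::vector<std::pair<void*, T>>& ObjectValuePair,
                          int MinOffset = 0x28, int MaxOffset = 0x1A0) {
    for (auto& Entry : ObjectValuePair)
        if (Entry.first == nullptr) return OffsetNotFound;   // report, never dereference 0 + j
    int32_t HighestFoundOffset = MinOffset;
    for (size_t i = 0; i < ObjectValuePair.size(); i++) {
        uint8_t* BytePtr = static_cast<uint8_t*>(ObjectValuePair[i].first);
        for (int j = HighestFoundOffset; j < MaxOffset; j += Alignment) {
            T Value;
            std::memcpy(&Value, BytePtr + j, sizeof(T));
            if (Value != ObjectValuePair[i].second) continue;
            if (j > HighestFoundOffset) { HighestFoundOffset = j; i = 0; }  // rescan all at the higher offset
            break;
        }
    }
    return HighestFoundOffset != MinOffset ? HighestFoundOffset : OffsetNotFound;
}

// Constructed sample objects (not real UFunctions): flags stored at 0xB0, the offset Dumper-7 printed
// for Off::UFunction::FunctionFlags in the thread; object A also carries a decoy match at 0x40.
struct FakeObject { uint8_t Bytes[0x1A0] = {}; };
constexpr EFunctionFlags kFlags = static_cast<EFunctionFlags>(0x200 | 0x400 | 0x20000);
static void Place(FakeObject& Obj, int Offset) { std::memcpy(Obj.Bytes + Offset, &kFlags, sizeof(kFlags)); }

int32_t DemoAllFound() {
    FakeObject A, B, C;
    Place(A, 0x40); Place(A, 0xB0); Place(B, 0xB0); Place(C, 0xB0);
    std::vector<std::pair<void*, EFunctionFlags>> Infos = { {&A, kFlags}, {&B, kFlags}, {&C, kFlags} };
    return FindOffsetChecked(Infos);   // 0xB0: the decoy at 0x40 is overridden once B only matches higher
}

// "SwitchLevel" was never found, so its entry is nullptr; fall back to a manually defined offset.
int32_t DemoSwitchLevelMissing(int32_t ManualOffset) {
    FakeObject A, B;
    Place(A, 0xB0); Place(B, 0xB0);
    std::vector<std::pair<void*, EFunctionFlags>> Infos = { {&A, kFlags}, {&B, kFlags}, {nullptr, kFlags} };
    int32_t Found = FindOffsetChecked(Infos);
    return Found != OffsetNotFound ? Found : ManualOffset;
}
```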
