Initial commit — leak-hunt project complete

Five bugs identified and patched in retail Asheron's Call client:
- v3b: palette refcount over-increment (3-byte NOP at two sites)
- v5: RenderSurface PurgeResource no-op stub (vtable slot 2 thunk)
- v11: two dangling-pointer crash guards (NULL-check + reorder)
- v14: CEnvCell::Destroy ClipPlaneList leak (18-byte JMP to cleanup thunk)
- v22: unpacker stale-pointer SEH guard (whole-function __try/__except)

All five ship in leakfix.dll (117 KB, SHA d282f23c…) which is loaded
by acclient.exe at process start via PE import table patching by
tools/install_leakfix.py.

Controlled 15-client fleet soak: unpatched control died at 26h with
palette exhaustion; all 14 patched clients survived past that point
and reached ≥5-day uptime.

Residual ~15 MB/h growth traced to d3d9.dll's internal slab allocator
(260KB surface backing buffers retained after Release). See REPORT.md
§10 for the full investigation; conclusion is that it's unfixable from
outside d3d9.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
acbot 2026-05-23 21:05:17 +02:00
commit 57b5e43d0e
199 changed files with 1648333 additions and 0 deletions

66
tools/read_vtable_live.py Normal file
View file

@ -0,0 +1,66 @@
"""read_vtable_live.py <pid> <vtable_va> [num_slots=16]
Read vtable slot pointers from a live process via ReadProcessMemory.
"""
import argparse, ctypes, ctypes.wintypes as wt, struct, sys
PROCESS_VM_READ = 0x10
PROCESS_QUERY_INFORMATION = 0x400
k = ctypes.windll.kernel32
k.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]
k.OpenProcess.restype = wt.HANDLE
k.CloseHandle.argtypes = [wt.HANDLE]
k.CloseHandle.restype = wt.BOOL
k.ReadProcessMemory.argtypes = [wt.HANDLE, wt.LPCVOID, wt.LPVOID,
ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
k.ReadProcessMemory.restype = wt.BOOL
def read_bytes(h, addr, n):
buf = (ctypes.c_ubyte * n)()
sz = ctypes.c_size_t(0)
if not k.ReadProcessMemory(h, addr, buf, n, ctypes.byref(sz)):
return None
return bytes(buf[:sz.value])
def main():
ap = argparse.ArgumentParser()
ap.add_argument("pid", type=int)
ap.add_argument("vtable", type=lambda x: int(x, 0))
ap.add_argument("slots", type=int, nargs="?", default=16)
ap.add_argument("--peek", type=int, default=8,
help="bytes to peek at each slot's target")
args = ap.parse_args()
h = k.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, args.pid)
if not h:
print(f"OpenProcess({args.pid}) err={ctypes.get_last_error()}")
sys.exit(2)
buf = read_bytes(h, args.vtable, args.slots * 4)
if not buf:
print(f"read vtable @ 0x{args.vtable:08x} failed")
sys.exit(3)
print(f"vtable @ 0x{args.vtable:08x}")
for i in range(args.slots):
slot = struct.unpack_from("<I", buf, i*4)[0]
peek = read_bytes(h, slot, args.peek)
peek_hex = peek.hex() if peek else "??"
note = ""
if peek_hex.startswith("b001c3"):
note = " <- NOOP STUB (mov al,1; ret)"
elif peek_hex.startswith("b000c3"):
note = " <- mov al,0; ret"
elif peek_hex.startswith("c3"):
note = " <- bare ret"
elif peek_hex.startswith("c20400"):
note = " <- ret 4"
print(f" +0x{i*4:02x} (slot {i:2d}): 0x{slot:08x} peek={peek_hex}{note}")
k.CloseHandle(h)
if __name__ == "__main__":
main()