leakhunt/tools/dump_hot_region.py
acbot 57b5e43d0e Initial commit — leak-hunt project complete
Five bugs identified and patched in retail Asheron's Call client:
- v3b: palette refcount over-increment (3-byte NOP at two sites)
- v5: RenderSurface PurgeResource no-op stub (vtable slot 2 thunk)
- v11: two dangling-pointer crash guards (NULL-check + reorder)
- v14: CEnvCell::Destroy ClipPlaneList leak (18-byte JMP to cleanup thunk)
- v22: unpacker stale-pointer SEH guard (whole-function __try/__except)

All five ship in leakfix.dll (117 KB, SHA d282f23c…) which is loaded
by acclient.exe at process start via PE import table patching by
tools/install_leakfix.py.

Controlled 15-client fleet soak: unpatched control died at 26h with
palette exhaustion; all 14 patched clients survived past that point
and reached ≥5-day uptime.

Residual ~15 MB/h growth traced to d3d9.dll's internal slab allocator
(260KB surface backing buffers retained after Release). See REPORT.md
§10 for the full investigation; conclusion is that it's unfixable from
outside d3d9.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-23 21:07:58 +02:00

74 lines
2.7 KiB
Python

"""dump_hot_region.py <pid> <base_addr> [num_hits=8]
Dump bytes around N occurrences of 0x0079385c in a specific region,
showing 32 bytes before + 64 bytes after each hit. Goal: visualize
the surrounding object structure to identify the class.
"""
import argparse, ctypes, ctypes.wintypes as wt, struct, sys
from collections import Counter
ap = argparse.ArgumentParser()
ap.add_argument("pid", type=int)
ap.add_argument("base", type=lambda s: int(s, 0))
ap.add_argument("--size", type=lambda s: int(s, 0), default=260*1024)
ap.add_argument("--n", type=int, default=10)
args = ap.parse_args()
PROCESS_VM_READ = 0x10
PROCESS_QUERY_INFORMATION = 0x400
k = ctypes.windll.kernel32
k.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]; k.OpenProcess.restype = wt.HANDLE
k.ReadProcessMemory.argtypes = [wt.HANDLE, wt.LPCVOID, wt.LPVOID, ctypes.c_size_t,
ctypes.POINTER(ctypes.c_size_t)]
k.ReadProcessMemory.restype = wt.BOOL
h = k.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, args.pid)
if not h:
print(f"OpenProcess failed err={ctypes.get_last_error()}"); sys.exit(2)
buf = (ctypes.c_ubyte * args.size)()
sz = ctypes.c_size_t(0)
if not k.ReadProcessMemory(h, args.base, buf, args.size, ctypes.byref(sz)):
print(f"read failed err={ctypes.get_last_error()}"); sys.exit(2)
data = bytes(buf[:sz.value])
print(f"Read {sz.value} bytes from 0x{args.base:08x}")
# Find all hits
TARGET = 0x0079385c
target_bytes = struct.pack("<I", TARGET)
hits = []
pos = 0
while True:
idx = data.find(target_bytes, pos)
if idx < 0: break
if idx % 4 == 0:
hits.append(idx)
pos = idx + 1
print(f"Found {len(hits)} hits in region")
# Compute hit-to-hit distances to see if there's a stride
dists = [hits[i+1] - hits[i] for i in range(len(hits)-1)]
dist_hist = Counter(dists)
print("\nTop 15 inter-hit distances (in bytes):")
for d, c in dist_hist.most_common(15):
print(f" {d:>6} count={c}")
# Sample N hits and dump context
step = max(1, len(hits) // args.n)
samples = hits[::step][:args.n]
print(f"\n=== Sampling {len(samples)} hits with 64 bytes before + 80 after ===")
for idx in samples:
addr = args.base + idx
start = max(0, idx - 64)
end = min(len(data), idx + 80)
chunk = data[start:end]
print(f"\n--- hit at 0x{addr:08x} (region offset 0x{idx:x}) ---")
for i in range(0, len(chunk), 16):
row = chunk[i:i+16]
addr_row = args.base + start + i
hex_part = " ".join(f"{b:02x}" for b in row)
ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
marker = " <-- HIT" if (start + i) <= idx < (start + i + 16) else ""
print(f" {addr_row:08x} {hex_part:<47} {ascii_part}{marker}")