Five bugs identified and patched in retail Asheron's Call client: - v3b: palette refcount over-increment (3-byte NOP at two sites) - v5: RenderSurface PurgeResource no-op stub (vtable slot 2 thunk) - v11: two dangling-pointer crash guards (NULL-check + reorder) - v14: CEnvCell::Destroy ClipPlaneList leak (18-byte JMP to cleanup thunk) - v22: unpacker stale-pointer SEH guard (whole-function __try/__except) All five ship in leakfix.dll (117 KB, SHA d282f23c…) which is loaded by acclient.exe at process start via PE import table patching by tools/install_leakfix.py. Controlled 15-client fleet soak: unpatched control died at 26h with palette exhaustion; all 14 patched clients survived past that point and reached ≥5-day uptime. Residual ~15 MB/h growth traced to d3d9.dll's internal slab allocator (260KB surface backing buffers retained after Release). See REPORT.md §10 for the full investigation; conclusion is that it's unfixable from outside d3d9. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
63 lines
2.4 KiB
Python
63 lines
2.4 KiB
Python
"""find_holder.py <pid> <target_va>
|
|
Scan all committed private RW memory in process for pointers equal to target_va.
|
|
Reports addresses where the pointer was found + small context."""
|
|
import ctypes, ctypes.wintypes as wt, sys, struct
|
|
|
|
PROCESS_VM_READ = 0x10
|
|
PROCESS_QUERY_INFORMATION = 0x400
|
|
k = ctypes.windll.kernel32
|
|
k.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]; k.OpenProcess.restype = wt.HANDLE
|
|
k.ReadProcessMemory.argtypes = [wt.HANDLE, wt.LPCVOID, wt.LPVOID, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
|
|
k.ReadProcessMemory.restype = wt.BOOL
|
|
k.VirtualQueryEx.argtypes = [wt.HANDLE, wt.LPCVOID, ctypes.c_void_p, ctypes.c_size_t]
|
|
k.VirtualQueryEx.restype = ctypes.c_size_t
|
|
|
|
class MBI(ctypes.Structure):
|
|
_fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
|
|
("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t),
|
|
("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]
|
|
|
|
def rd(h, va, n):
|
|
buf = (ctypes.c_ubyte * n)(); sz = ctypes.c_size_t(0)
|
|
if not k.ReadProcessMemory(h, va, buf, n, ctypes.byref(sz)): return None
|
|
return bytes(buf[:sz.value])
|
|
|
|
pid = int(sys.argv[1])
|
|
target = int(sys.argv[2], 0)
|
|
target_bytes = struct.pack('<I', target)
|
|
|
|
h = k.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
|
|
if not h: print("OpenProcess fail"); sys.exit(2)
|
|
|
|
found = []
|
|
mbi = MBI()
|
|
addr = 0
|
|
while k.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
|
|
base = mbi.BaseAddress or 0
|
|
sz = mbi.RegionSize
|
|
if (mbi.State == 0x1000 and mbi.Type == 0x20000 and (mbi.Protect & 0xFF) in (0x04, 0x40)
|
|
and sz < 64*1024*1024):
|
|
data = rd(h, base, sz)
|
|
if data:
|
|
off = 0
|
|
while True:
|
|
off = data.find(target_bytes, off)
|
|
if off < 0: break
|
|
if (off & 3) == 0:
|
|
holder_va = base + off
|
|
# Read 32 bytes around to see what context
|
|
ctx = data[max(0, off-16): off+16].hex(' ')
|
|
found.append((holder_va, ctx))
|
|
if len(found) >= 20: break
|
|
off += 4
|
|
if len(found) >= 20: break
|
|
next_addr = base + sz
|
|
if next_addr <= addr: break
|
|
addr = next_addr
|
|
if addr >= 0x80000000: break
|
|
|
|
k.CloseHandle(h)
|
|
|
|
print(f"Pointers to 0x{target:08x} (top {len(found)}):")
|
|
for holder_va, ctx in found:
|
|
print(f" @0x{holder_va:08x}: ...{ctx}...")
|