leakhunt/tools/read_vtable.py
acbot 57b5e43d0e Initial commit — leak-hunt project complete
Five bugs identified and patched in retail Asheron's Call client:
- v3b: palette refcount over-increment (3-byte NOP at two sites)
- v5: RenderSurface PurgeResource no-op stub (vtable slot 2 thunk)
- v11: two dangling-pointer crash guards (NULL-check + reorder)
- v14: CEnvCell::Destroy ClipPlaneList leak (18-byte JMP to cleanup thunk)
- v22: unpacker stale-pointer SEH guard (whole-function __try/__except)

All five ship in leakfix.dll (117 KB, SHA d282f23c…) which is loaded
by acclient.exe at process start via PE import table patching by
tools/install_leakfix.py.

Controlled 15-client fleet soak: unpatched control died at 26h with
palette exhaustion; all 14 patched clients survived past that point
and reached ≥5-day uptime.

Residual ~15 MB/h growth traced to d3d9.dll's internal slab allocator
(260KB surface backing buffers retained after Release). See REPORT.md
§10 for the full investigation; conclusion is that it's unfixable from
outside d3d9.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-23 21:07:58 +02:00

31 lines
730 B
Python

"""read_vtable.py <dump.dmp> <vtable_addr> [num_slots=16]
Read vtable slot pointers from a minidump.
"""
import struct, sys
from minidump.minidumpfile import MinidumpFile
def _ei(v):
if v is None: return 0
if hasattr(v, 'value'): return int(v.value)
return int(v)
def main():
md = MinidumpFile.parse(sys.argv[1])
vt = int(sys.argv[2], 0)
n = int(sys.argv[3]) if len(sys.argv) > 3 else 16
reader = md.get_reader().get_buffered_reader()
reader.move(vt)
buf = reader.read(n * 4)
print(f"vtable @ 0x{vt:08x}")
for i in range(n):
slot = struct.unpack_from("<I", buf, i*4)[0]
print(f" +0x{i*4:02x} (slot {i:2d}): 0x{slot:08x}")
if __name__ == "__main__":
main()