
Fixing various CabalMain.exe v374 crashes

Newbie Spellweaver, joined Dec 14, 2019
This is a good hint on how to fix CabalMain v374 crashes. The code needs to be adjusted for your hooking/code-patching solution, so it doesn't really belong in the releases section. My CabalMain actually happened to be stable when run normally, but crashed every time on startup when run under a debugger. Apparently Cabal is reading some uninitialized memory allocated with `new`. It somehow (usually?) gets away with this under normal conditions, but running under a debugger makes that memory always initialized to a certain value (a 0xbaadf00d pattern); Cabal eventually tries to dereference it, then crashes. I don't see how you can make certain assumptions about uninitialized heap memory. Very likely, the same crashes sometimes happen in regular usage, without a debugger. So here's a fix:

C:
#include <assert.h>
#include <stdint.h>

/* Cabal doesn't initialize some memory but tries to read it, dereferences an address
 * under some condition, and occasionally crashes. Initialize the data ourselves.
 * PATCH_JMP32 is the hooking framework's macro; adjust it for your own solution. */
void *(__cdecl *org_operator_new)(uint32_t size) = (void *(__cdecl *)(uint32_t))0x9c78e2;

void * __cdecl hooked_operator_new(uint32_t size)
{
    uint8_t *ret = org_operator_new(size);
    /* the block is an array of 0x1c-byte elements (32-bit MSVC std::string) */
    assert(size % 0x1c == 0);

    uint8_t *el = ret;
    while (el < ret + size) {
        *(uint8_t *)(el + 0x4) = '0';        /* inline small-string buffer: "0" */
        *(uint8_t *)(el + 0x4 + 1) = 0;
        *(uint32_t *)(el + 0x18) = 0xf;      /* capacity 15: string stays inline */
        el += 0x1c;
    }

    return ret;
}
PATCH_JMP32(0x45d15e, hooked_operator_new);

(It's an array of C++ strings; we're initializing them to "0".) After patching that, the client starts fine, but crashes after 10-20 seconds. Apparently it's calling some bike-related destructor. It's the same crash that happens on regular game exit. It seems the bike extension DLLs patched the bike usage code, but not the destructor. Simply NOP the relevant call; we won't need the destructor at all:
C:
PATCH_MEM(0x8cea20, 2, "pop eax");

This will also fix the crash on regular game exit, but the game will still auto-close after 10-20 seconds. I tracked it down to this suspicious piece of code at 0x87c79f:
Code:
  if ((DAT_010cdf6c & 1) != 0) {
    iVar1 = _rand();
    _DAT_00b733f0 = _DAT_00b733f0 + (-1 - iVar1 % 3);
    if (_DAT_00b733f0 < 0) {
      PostMessageQuit();
      return;
    }
  }

At 0x10cdf6c it's uninitialized memory again; the code above will read it and make you crash, randomly. This happens at the end of some resource-loading routine which, from what I see, is called multiple times. It almost seems like malicious code, but it's present in every v374 CabalMain.exe out there. Just NOP the relevant JMP:
C:
PATCH_MEM(0x6724cc, 5, "nop"); // disable anti-debugger trick
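An added example (my own C code, not the poster's or the game's) that shows in a stand-alone program why the debugger's heap fill exposes the bug and how the element-wise initialization of the first fix repairs it. It assumes the 0x1c-byte elements are 32-bit MSVC std::string objects (allocator word at +0, 16-byte small-string buffer at +0x4, size at +0x14, capacity at +0x18) and the MSVC rule that a capacity below 16 means the characters live inline while a larger capacity means the buffer's first four bytes hold a heap pointer; org_operator_new here is a constructed stand-in that imitates the Windows debug heap's 0xbaadf00d fill, not the real allocator at 0x9c78e2.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed element layout: 32-bit MSVC std::string, 0x1c bytes.
 * Only the fields the post's fix touches are modelled. */
#define ELEM_SIZE  0x1c
#define OFF_BUF    0x04          /* 16-byte small-string buffer */
#define OFF_CAP    0x18          /* capacity (_Myres) */
#define SSO_LIMIT  0x10          /* capacity below this: chars stored inline */
#define DEBUG_FILL 0xbaadf00du   /* debug-heap fill pattern for fresh allocations */

static void fill_pattern(uint8_t *p, size_t n, uint32_t pat)
{
    size_t i = 0;
    for (; i + 4 <= n; i += 4)
        memcpy(p + i, &pat, 4);   /* whole words in host byte order */
    for (; i < n; i++)
        p[i] = (uint8_t)pat;      /* odd tail bytes, if any */
}

/* Stand-in for the original operator new as seen under a debugger (constructed):
 * every fresh block comes back filled with 0xbaadf00d instead of stale data. */
static void *org_operator_new(uint32_t size)
{
    uint8_t *p = malloc(size);
    if (p)
        fill_pattern(p, size, DEBUG_FILL);
    return p;
}

/* The post's fix as a generic wrapper: allocate, then make every element
 * a valid small string "0" before the game gets to read it. */
static void *hooked_operator_new(uint32_t size)
{
    assert(size % ELEM_SIZE == 0);
    uint8_t *ret = org_operator_new(size);
    if (!ret)
        return NULL;
    for (uint8_t *el = ret; el < ret + size; el += ELEM_SIZE) {
        uint32_t cap = SSO_LIMIT - 1;          /* 0xf: inline capacity */
        el[OFF_BUF] = '0';
        el[OFF_BUF + 1] = '\0';
        memcpy(el + OFF_CAP, &cap, sizeof cap);
    }
    return ret;
}

/* What the string's accessor does with an element: capacity below the SSO
 * limit means inline chars, otherwise the buffer starts with a heap pointer.
 * On a poisoned element this yields 0xbaadf00d, the address the game then
 * dereferences and crashes on. Returned as an integer so it is never read. */
static uintptr_t string_data_addr(const void *el_)
{
    const uint8_t *el = el_;
    uint32_t cap, ptr32;
    memcpy(&cap, el + OFF_CAP, sizeof cap);
    if (cap < SSO_LIMIT)
        return (uintptr_t)(el + OFF_BUF);
    memcpy(&ptr32, el + OFF_BUF, sizeof ptr32);  /* 32-bit pointer in the target */
    return (uintptr_t)ptr32;
}

/* Number of elements whose data pointer would be the debug-heap pattern. */
static size_t count_poisoned(const void *block, uint32_t size)
{
    const uint8_t *p = block;
    size_t bad = 0;
    for (uint32_t off = 0; off + ELEM_SIZE <= size; off += ELEM_SIZE)
        if (string_data_addr(p + off) == DEBUG_FILL)
            bad++;
    return bad;
}

/* Allocate n strings both ways; returns the poisoned count after the fix
 * (expected 0) and reports the count before it through *before. */
static size_t compare_paths(size_t n, size_t *before)
{
    uint32_t size = (uint32_t)(n * ELEM_SIZE);
    void *raw = org_operator_new(size);
    *before = count_poisoned(raw, size);
    free(raw);

    void *fixed = hooked_operator_new(size);
    size_t after = count_poisoned(fixed, size);
    free(fixed);
    return after;
}

int main(void)
{
    size_t before, after = compare_paths(8, &before);
    printf("poisoned elements: %zu before the hook, %zu after\n", before, after);
    return after == 0 ? 0 : 1;
}
```

Without a debugger the same fields hold whatever the heap held last, so the accessor only sometimes returns garbage; the fill pattern just makes the bad read deterministic, which is why the post's wrapper is a real fix and not only a debugging aid.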
 