Author Topic: FAQ: Chocobo races crash under NT/2000/XP (technical)  (Read 120176 times)

jedwin

  • Guest
Hey, so, I've tracked down the problem with Chocobo races under NT/2000/XP.  The problem looks to me like a NULL pointer dereference.  Specifically, they are doing:

Code:

mov ecx,  dword ptr [0e626d8h]
mov dx, word ptr [eax + ecx + 0186b8h]


There are no other accesses to the variable at 0e626d8h, which essentially, since it is in the uninitialized data segment, means that it is a NULL pointer.  Under Windows 95/98, for no apparent reason, the pages corresponding to the addresses from 0x10000-0x20000 are mapped to something which looks to me like 16-bit code.  So, since the offset puts it safely into that region, it doesn't crash.  Now, it looks like maybe this means that it has a bug under Windows 9x, but since I don't know how this value should be set, I couldn't fix it to correctly set this value.  But, under the assumption that the values that are getting pulled in are just garbage (which again, appears to hold under Windows 9x), I did the next best thing.  I changed the 0x186b8 to a value that puts it inside the FF7 executable itself, so that it still has some values there to read.

I'm not sure of the best way to distribute information on this patch, but if anybody cares to make this change on their own and try it out, the following instructions should suffice:

First off, copy ff7.exe to ff7.bak or whatever.
Now, I'm using an unpatched FF7 executable plucked from the Eidos Platinum Collection version of FF7.  The file size is 5820416, crc32 is E79D5195, and md5 sum is e1a6875b37540d616d34f14102d9c2fc.  If you have the same executable that I do, the change you need to make is at offset 3641e6, otherwise, you'll have to search for the right bytes to change.  So, now, open up ff7.exe in your favorite hex editor, and find the bytes
Code:

b8 86 01 00

Again, if you have the same version of the executable that I do, you will find these bytes at 0x3641e6 from the beginning of the file.  Change them to
Code:

00 00 50 00

That is sufficient to get the chocobo races working on my machine.  (Note that there may be other difficulties associated with running FF7 under Windows NT/2K/XP, though many of those are solved by the Application Compatibility Toolkit from Microsoft.)
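A verify-before-write version of the hex edit described in this post, as an added example (it is not jedwin's patchmaker build, nor ficedula's Cetra): it checks the size, CRC32 and MD5 quoted above and the bytes already sitting at the offset before it writes anything, and keeps a .bak copy first. The fingerprint values and offset are the ones from the post; the function names are this example's own, and the test data is constructed.

```python
"""Verify-before-write applier for the chocobo race dword patch."""
import hashlib
import shutil
import struct
import zlib

# Fingerprint of the unpatched Eidos Platinum Collection ff7.exe, as posted
EXPECTED_SIZE = 5820416
EXPECTED_CRC32 = 0xE79D5195
EXPECTED_MD5 = "e1a6875b37540d616d34f14102d9c2fc"
PATCH_OFFSET = 0x3641E6
OLD_BYTES = bytes.fromhex("b8860100")  # disp32 0x000186b8 (little-endian)
NEW_BYTES = bytes.fromhex("00005000")  # disp32 0x00500000, inside the image


def displacement(field: bytes) -> int:
    """Decode the 4-byte little-endian displacement of the mov instruction."""
    return struct.unpack("<I", field)[0]


def check_image(data: bytes) -> list:
    """Return mismatches against the posted fingerprint (empty list = match)."""
    problems = []
    if len(data) != EXPECTED_SIZE:
        problems.append(f"size {len(data)} != {EXPECTED_SIZE}")
    if (zlib.crc32(data) & 0xFFFFFFFF) != EXPECTED_CRC32:
        problems.append("crc32 mismatch")
    if hashlib.md5(data).hexdigest() != EXPECTED_MD5:
        problems.append("md5 mismatch")
    return problems


def apply_patch(data: bytes, verify_fingerprint: bool = True) -> bytes:
    """Return a patched copy; refuse unless the expected bytes are at the offset."""
    if verify_fingerprint:
        problems = check_image(data)
        if problems:
            raise ValueError("not the expected executable: " + "; ".join(problems))
    window = data[PATCH_OFFSET:PATCH_OFFSET + 4]
    if window == NEW_BYTES:
        raise ValueError("already patched")
    if window != OLD_BYTES:
        raise ValueError(f"unexpected bytes at 0x{PATCH_OFFSET:x}: {window.hex()}")
    return data[:PATCH_OFFSET] + NEW_BYTES + data[PATCH_OFFSET + 4:]


def patch_file(path: str) -> None:
    """Back the file up to <path>.bak, then write the patched image in place."""
    with open(path, "rb") as f:
        data = f.read()
    patched = apply_patch(data)  # all checks happen before anything is written
    shutil.copyfile(path, path + ".bak")
    with open(path, "wb") as f:
        f.write(patched)
```

Run `patch_file("ff7.exe")` on a copy of the executable; any fingerprint or byte mismatch raises before the file is touched.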

Darkness

  • Posts: 2181
  • http://www.x0r.net
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #1 on: 2002-04-21 01:10:00 »
nice work.... trying it now :)

works.... very well. thank you :)
[edited] 249 2002-04-21 02:40

Aaron

  • Posts: 2818
  • http://aaron-kelley.net/
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #2 on: 2002-04-21 01:22:00 »
WA HEY!!  I'm about to try this.  If it works... that'd be really cool.

I'm sure someone could develop a patch that does the hex editing automatically for me / everyone else to give to their less computer literate friends who don't know how to dig around in a hex editor?

[Edit] Um heh, does anyone have a save file I can try it on?  If you don't wanna post a URL, you can always e-mail it to me at [email protected] (it's small), but I bet some other people might need one to try this fix.

Oh yeah, if this works, there's no reason for me to keep my '98 installation around anymore (I only had it for CD burning, DOS games, and FF7... CD burning works now in XP with ECDC 5.1, DOS games work in Virtual PC, and FF7 should now work native in XP...).
[edited] 44 2002-04-21 02:34

Darkness

  • Posts: 2181
  • http://www.x0r.net
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #3 on: 2002-04-21 01:40:00 »
gamewinners.com

jedwin

  • Guest
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #4 on: 2002-04-21 02:04:00 »
Quote

I'm sure someone could develop a patch that does the hex editing automatically for me / everyone else to give to their less computer literate friends who don't know how to dig around in a hex editor?


Yeah, I was wondering about some standard way of distributing binary patches.  I'm aware of a few tools that handle diffs for binary files, but none of them are very ... consumer oriented.  Dunno.

phaeron

  • Posts: 30
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #5 on: 2002-04-21 07:57:00 »
Nice work.

The reason why it doesn't crash under Windows 95/98 is the OS's Windows 3.1 heritage -- all processes must have a DOS task block, and the entire DOS memory arena from 10000-FFFFF is mapped for read/write access to everyone for speed.  The data being read under 9x is almost certainly not correct.  If the FF7 programmer hadn't used such an insanely large structure, the access would have fallen into 00000-0FFFFF and would have crashed even under 9x.

ficedula

  • Posts: 2178
  • http://www.ficedula.co.uk
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #6 on: 2002-04-21 10:48:00 »
Hey, impressive.

jedwin: If you need to distribute a patch-type-thingy, you could wrap it up as a Cetra patch (blatant plug!). It'll do the basic things like backing up the main EXE first, and checking that the data in the position is correct before modifying it ... just a thought ;)

jedwin

  • Guest
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #7 on: 2002-04-21 12:33:00 »
Quote

jedwin: If you need to distribute a patch-type-thingy, you could wrap it up as a Cetra patch (blatant plug!). It'll do the basic things like backing up the main EXE first, and checking that the data in the position is correct before modifying it ... just a thought ;)


Sure.  How would one go about doing this?  Quick web search didn't turn up much on how to create a Cetra patch.

ficedula

  • Posts: 2178
  • http://www.ficedula.co.uk
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #8 on: 2002-04-21 15:06:00 »
Erm, it wouldn't, no. After all, it's a program I wrote, so it's not exactly wide spread ;)

The only reason I suggest it is that it has patches to do things like enable 32-bit colour or windowed mode in FF7; so your patch would make a nice addition to the collection :D

I'll email you with details on how to make the file.

Aaron

  • Posts: 2818
  • http://aaron-kelley.net/
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #9 on: 2002-04-21 17:09:00 »
And right after fice said:

Quote

...unless, of course, it's a problem with the main EXE. In which case you'd have to patch the main program file, which would be near-impossible.


...on another thread.

Heh heh.  It definitely works with the 1.02 or whatever version of the .exe with the NVidia patch.


[edited] 44 2002-04-21 18:14

ficedula

  • Posts: 2178
  • http://www.ficedula.co.uk
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #10 on: 2002-04-21 19:00:00 »
Heh, I didn't say it was *totally* impossible ;)

Came in good time too, I upgraded to Win2K myself this morning. Admittedly only because I had a spare Win98 box for games if needs be, but it'll still be good to play FF7 on my main box ;)

Qhimm

  • Founder
  • Posts: 1996
  • Qhimm.com
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #11 on: 2002-04-21 21:59:00 »
Not that I'm trying to bash this feat (I think it's great work), but some conclusions were incorrect. Even though 0xE626D8 is part of the uninitialized data segment, that doesn't necessarily make it a NULL pointer. The fact that no instructions reference this address means nothing either, since data is most likely written in large chunks (most likely the entire large structure at once), so the reference would be found much earlier in the address space. Still, someone messed up bigtime when dealing with this struct, so in effect we have a NULL pointer anyway. Right conclusion, different route.

Still, good job at fixing it.

jedwin

  • Guest
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #12 on: 2002-04-21 22:08:00 »
Quote

On 2002-04-21 17:59, Qhimm wrote:
Not that I'm trying to bash this feat (I think it's great work), but some conclusions were incorrect. Even though 0xE626D8 is part of the uninitialized data segment, that doesn't necessarily make it a NULL pointer. The fact that no instructions reference this address means nothing either, since data is most likely written in large chunks (most likely the entire large structure at once), so the reference would be found much earlier in the address space. Still, someone messed up bigtime when dealing with this struct, so in effect we have a NULL pointer anyway. Right conclusion, different route.


Ahh, except running this under Windows 98, setting a memory breakpoint on that address in Softice indicates that that variable is not set before it is used.  I am fully aware that it is common to do things like:

Code:

mov edx, offset foo
mov [edx+1234h], bar


but Softice doesn't lie.  :)

Goku7

  • Posts: 1301
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #13 on: 2002-04-21 22:32:00 »
Un-freakin-believable!

Here we are, complaining or hearing complaints about this crash, and the thing gets solved in a week after someone finally decides to do something about it.  Congratulations, you get the Nobel Peace Prize for stopping a MicroSoft product (WinXP, in this case) from crashing!  What are ya gonna do next?! :naughty:

As for distributing the answer as a patch.....What about Dag's patchmaker program?  The difference engine it seems to use might work well for this kinda thing.....
[edited] 239 2002-04-21 23:33

jedwin

  • Guest
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #14 on: 2002-04-21 22:46:00 »
Quote

On 2002-04-21 18:32, Goku7 wrote:
As for distributing the answer as a patch.....What about Dag's patchmaker program?  The difference engine it seems to use might work well for this kinda thing.....


Ok.  It sounds like it might be better to integrate it into Cetra, but until I hear back from Ficedula on how to do that, I've put together a patch using Dag's patchmaker.  You can snag it from http://www.ugcs.caltech.edu/~jedwin/ff7/ff7-patch.exe.

Goku7

  • Posts: 1301
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #15 on: 2002-04-22 02:26:00 »
Oh yeah, by the way.....

Quote

On 2002-04-20 21:04, jedwin wrote:
There are no other accesses to the variable at 0e626d8h, which essentially, since it is in the uninitialized data segment, means that it is a NULL pointer. Under Windows 95/98, for no apparent reason, the pages corresponding to the addresses from 0x10000-0x20000 are mapped to something which looks to me like 16-bit code. So, since the offset puts it safely into that region, it doesn't crash.


It sounds to me that it's pure luck that Win9x operated in such a way that it didn't fall into that danger zone and crash.  Judging from your explanation, it seems that the programmer designed it to crash on purpose.....

Aaron

  • Posts: 2818
  • http://aaron-kelley.net/
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #16 on: 2002-04-22 02:39:00 »
Well, it could be just a programming error that no one caught (after all... it didn't cause any problems).

I remember reading about something like this, for a SNES game (Japanese).  I can't remember what the game was called though.  It was about robots or something.  Anyway, when the game entered a battle, it called on some invalid memory thing, which for some reason, just by chance, worked on a Super Famicom but was causing some emulators to crash.

ANYWAY

I really didn't think anyone would ever figure out / solve the FF7 / Win2K problem.  But then this guy, jedwin, shows up and is like "I'm gonna try and fix it" and then like the next day, he's like, "I figured it out!"

Heh.  I'm very impressed.  Thanks a ton.  Maybe you can help us figure out some other stuff :-p

vvalentine

  • Posts: 633
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #17 on: 2002-04-22 03:11:00 »
AMAZING, I could definitely use this for my Win2K.  Thank you so much jedwin.  I think that the remake project is attracting really talented people.   With people like jedwin, Shinra Inc, and phaeron, the remake will definitely progress faster.  :D

-vvalentine
[edited] 213 2002-04-22 04:11

Sukaeto

  • Posts: 570
  • Sukaeto's web server
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #18 on: 2002-04-22 03:12:00 »
Well, I just downloaded and installed the patch.  (came at a good time for me, I'm playing through FF7 again, and I was just up to the part where Barret fights Dyne.)  I would like to say, I've successfully made it through the Chocobo races in Windows XP Professional.

Great work, Jedwin, you're truly amazing.  You've done what Squaresoft and Eidos wouldn't.

Qhimm

  • Founder
  • Posts: 1996
  • Qhimm.com
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #19 on: 2002-04-22 09:05:00 »
Quote

Ahh, except running this under Windows 98, setting a memory breakpoint on that address in Softice indicates that that variable is not set before it is used.  I am fully aware that it is common to do things like:

Code:

mov edx, offset foo
mov [edx+1234h], bar


but Softice doesn't lie.  :)


True, but what I was referring to was this type of reference:

Code:

mov esi, offset src
mov edi, offset dest
mov ecx, somesize
rep stosb


Where src is an offset say 100 bytes before the offset in question. In this case, disassemblers and debuggers (IDA, softice etc.) pick up the operand reference to src, but a breakpoint does not catch the actual writings to the other offsets affected.

I find it interesting that you could fix it simply by changing the offset, though. That would mean the read data can't exactly be critical to the operation of the minigame...

jedwin

  • Guest
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #20 on: 2002-04-22 14:22:00 »
Quote

On 2002-04-22 05:05, Qhimm wrote:
True, but what I was referring to was this type of reference:

Code:

mov esi, offset src
mov edi, offset dest
mov ecx, somesize
rep stosb


Where src is an offset say 100 bytes before the offset in question. In this case, disassemblers and debuggers (IDA, softice etc.) pick up the operand reference to src, but a breakpoint does not catch the actual writings to the other offsets affected.


Actually, a Softice memory breakpoint is set using the Intel hardware -- the "Debug Registers".  Basically, they allow the processor to say "trap when an access is made to memory location X -- regardless of how it is indirected, or what instruction is used."  So, even in the case of 'rep stosb', the breakpoint still would have been tripped, since it is generated by the processor itself.  Memory breakpoints are an extraordinarily powerful feature.

Quote

I find it interesting that you could fix it simply by changing the offset, though. That would mean the read data can't exactly be critical to the operation of the minigame...


I was a bit surprised by this myself, but the data in that range was unmistakably DOS, for reasons that Phaeron described.  I haven't taken the time to find out what the data is used for, but I certainly concur that it must not be all that important.

[edited] 363 2002-04-23 01:14

dgp9999

  • Posts: 247
  • http://molexroots.com
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #21 on: 2002-04-22 15:09:00 »
Sounds like it's a success. Were you saying that it happened in a SNES game on Windows XP? It wouldn't be surprising. All they need is to get one memory address wrong and you're screwed. Too bad I can't get a decent copy of Windows XP to try it out on, I don't suppose any one could help me out?   :wink:

Aaron

  • Posts: 2818
  • http://aaron-kelley.net/
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #22 on: 2002-04-22 23:58:00 »
Quote

On 2002-04-22 11:09, dgp9999 wrote:
Sounds like it's a success. Were you saying that it happened in a SNES game on Windows XP? It wouldn't be surprising. All they need is to get one memory address wrong and you're screwed. Too bad I can't get a decent copy of Windows XP to try it out on, I don't suppose any one could help me out?   :wink:


I was saying that it happened to a SNES game running on emulators, not necessarily in Windows XP.

Sephiroth 3D

  • Posts: 1679
  • ModCitizen 42
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #23 on: 2002-04-23 08:10:00 »
Hey! Great work. Sounds like a lot of success all around the board... I wonder if the game will WORK for me now... I'll use your patch and try playing tomorrow when I get home from school. Let's see if I can crash your patch! (My favorite thing to do for the developers of this board is crash their programs and force them to make them better. I do this for just about everyone, so don't take it personally. I'm not out to get you or anything.)

Sephiroth 3D

"I don't understand..." "You don't have to understand." - Final Fantasy: The Spirits Within

Sephiroth 3D.com
[email protected]
[edited] 135 2002-04-23 09:12

Sir Canealot

  • Posts: 900
FAQ: Chocobo races crash under NT/2000/XP (technical)
« Reply #24 on: 2002-04-23 09:08:00 »
So the races are...working.

Right. To get Dag's patch working we simply point it towards FFVII.exe right? I'll start telling people on Eidos with XP to use this patch!

Although we had better keep it quietish. Eidos might get pissed if we go around solving their problems. What do ya guys think? Maybe we should even mail this to Eidos with the instructions of putting it up on their site (but giving credit to you guys).

Hmm.   :laugh: