Share Better Crash Report for General Protection Fault

[eressea]

Hi, I've found a nice way to get better GPF crash reports from the client:

It's simple, there are just few things that must be done to get it working.

1. Create buffer for register and modules dump and function that fills it:

wchar_t MyExceptionBuffer[0x1000];

LONG WINAPI MyUnhandledExceptionFilter(_In_ struct _EXCEPTION_POINTERS *ExceptionInfo)
{
	if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
		wsprintf(
			MyExceptionBuffer,
			L"EAX=0x%08X CS=0x%04X EIP=0x%08X EFLGS=0x%08X\r\n"
			L"EBX=0x%08X SS=0x%04X ESP=0x%08X EBP=0x%08X\r\n"
			L"ECX=0x%08X DS=0x%04X ESI=0x%08X FS=0x%04X\r\n"
			L"EDX=0x%08X ES=0x%04X EDI=0x%08X GS=0x%04X\r\n"
			L"\r\n"
			L"l2.exe:      0x%08X\r\n"
			L"core.dll:    0x%08X\r\n"
			L"engine.dll:  0x%08X\r\n"
			L"nwindow.dll: 0x%08X\r\n",
			ExceptionInfo->ContextRecord->Eax,
			ExceptionInfo->ContextRecord->SegCs,
			ExceptionInfo->ContextRecord->Eip,
			ExceptionInfo->ContextRecord->EFlags,
			ExceptionInfo->ContextRecord->Ebx,
			ExceptionInfo->ContextRecord->SegSs,
			ExceptionInfo->ContextRecord->Esp,
			ExceptionInfo->ContextRecord->Ebp,
			ExceptionInfo->ContextRecord->Ecx,
			ExceptionInfo->ContextRecord->SegDs,
			ExceptionInfo->ContextRecord->Esi,
			ExceptionInfo->ContextRecord->SegFs,
			ExceptionInfo->ContextRecord->Edx,
			ExceptionInfo->ContextRecord->SegEs,
			ExceptionInfo->ContextRecord->Edi,
			ExceptionInfo->ContextRecord->SegGs,
			GetModuleHandleA("l2.exe"),
			GetModuleHandleA("core.dll"),
			GetModuleHandleA("engine.dll"),
			GetModuleHandleA("nwindow.dll"));
	}
	return 0;
}

2. Call AddVectoredExceptionHandler:

AddVectoredExceptionHandler(1, MyUnhandledExceptionFilter);

3. Don't forget to initialize the buffer

MyExceptionBuffer[0] = 0;

4. Now if it crashes, MyExceptionBuffer will be filled with register dump - now we have to hack it so it will be shown. Create function that wraps appStrncat:

wchar_t* appStrncatWrapper(wchar_t *destination, const wchar_t *source, int maxCount)
{
	if (std::wstring(L"MainLoop") != source || !MyExceptionBuffer[0]) {
		return wcsncat(destination, source, maxCount);
	}
	std::wstring data(source);
	data += L"\r\n\r\n";
	data += MyExceptionBuffer;
	return wcsncat(destination, data.c_str(), maxCount);
}

5. Hook our appStrncatWrapper function to the right place - this example is for interlude, for other clients you have to use IDA and find the same code:

WriteInstructionCall(reinterpret_cast<UINT32>(GetModuleHandle(L"core.dll")) + 0x52287, reinterpret_cast<UINT32>(appStrncatWrapper));

Now when the client crashes with GPF error (access violation) and the code is called from MainLoop, you'll see nice crash info with details :)

Enjoy!

[smeli]

this need to be send to ncsoft

[DimensionalGames]

On 10/4/2017 at 6:37 PM, eressea said:

Hi, I've found a nice way to get better GPF crash reports from the client:

It's simple, there are just few things that must be done to get it working.

1. Create buffer for register and modules dump and function that fills it:

wchar_t MyExceptionBuffer[0x1000];

LONG WINAPI MyUnhandledExceptionFilter(_In_ struct _EXCEPTION_POINTERS *ExceptionInfo)
{
	if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
		wsprintf(
			MyExceptionBuffer,
			L"EAX=0x%08X CS=0x%04X EIP=0x%08X EFLGS=0x%08X\r\n"
			L"EBX=0x%08X SS=0x%04X ESP=0x%08X EBP=0x%08X\r\n"
			L"ECX=0x%08X DS=0x%04X ESI=0x%08X FS=0x%04X\r\n"
			L"EDX=0x%08X ES=0x%04X EDI=0x%08X GS=0x%04X\r\n"
			L"\r\n"
			L"l2.exe:      0x%08X\r\n"
			L"core.dll:    0x%08X\r\n"
			L"engine.dll:  0x%08X\r\n"
			L"nwindow.dll: 0x%08X\r\n",
			ExceptionInfo->ContextRecord->Eax,
			ExceptionInfo->ContextRecord->SegCs,
			ExceptionInfo->ContextRecord->Eip,
			ExceptionInfo->ContextRecord->EFlags,
			ExceptionInfo->ContextRecord->Ebx,
			ExceptionInfo->ContextRecord->SegSs,
			ExceptionInfo->ContextRecord->Esp,
			ExceptionInfo->ContextRecord->Ebp,
			ExceptionInfo->ContextRecord->Ecx,
			ExceptionInfo->ContextRecord->SegDs,
			ExceptionInfo->ContextRecord->Esi,
			ExceptionInfo->ContextRecord->SegFs,
			ExceptionInfo->ContextRecord->Edx,
			ExceptionInfo->ContextRecord->SegEs,
			ExceptionInfo->ContextRecord->Edi,
			ExceptionInfo->ContextRecord->SegGs,
			GetModuleHandleA("l2.exe"),
			GetModuleHandleA("core.dll"),
			GetModuleHandleA("engine.dll"),
			GetModuleHandleA("nwindow.dll"));
	}
	return 0;
}

2. Call AddVectoredExceptionHandler:

AddVectoredExceptionHandler(1, MyUnhandledExceptionFilter);

3. Don't forget to initialize the buffer

MyExceptionBuffer[0] = 0;

4. Now if it crashes, MyExceptionBuffer will be filled with register dump - now we have to hack it so it will be shown. Create function that wraps appStrncat:

wchar_t* appStrncatWrapper(wchar_t *destination, const wchar_t *source, int maxCount)
{
	if (std::wstring(L"MainLoop") != source || !MyExceptionBuffer[0]) {
		return wcsncat(destination, source, maxCount);
	}
	std::wstring data(source);
	data += L"\r\n\r\n";
	data += MyExceptionBuffer;
	return wcsncat(destination, data.c_str(), maxCount);
}

5. Hook our appStrncatWrapper function to the right place - this example is for interlude, for other clients you have to use IDA and find the same code:

WriteInstructionCall(reinterpret_cast<UINT32>(GetModuleHandle(L"core.dll")) + 0x52287, reinterpret_cast<UINT32>(appStrncatWrapper));

Now when the client crashes with GPF error (access violation) and the code is called from MainLoop, you'll see nice crash info with details :)

Enjoy!

sorry for the dumb question, but in which file am i adding this and how?

[sepultribe]

3 hours ago, DimensionalGames said:

sorry for the dumb question, but in which file am i adding this and how?

 

should be the l2.exe you would inject with this code.

 

great stuff OP, hadn't seen this one.

[DimensionalGames]

yeah but how is it possible to do this?? ive never worked with client :/

[eressea]

6 hours ago, DimensionalGames said:

yeah but how is it possible to do this?? ive never worked with client :/

 

Get Visual Studio (with support for Windows XP if you want to support players with this obsolete system), create new C++ Win32 project -> choose DLL. Implement those bits I've posted and build DLL. Then edit l2.exe to load this DLL.

[DimensionalGames]

On 6/21/2018 at 8:21 AM, eressea said:

 

Get Visual Studio (with support for Windows XP if you want to support players with this obsolete system), create new C++ Win32 project -> choose DLL. Implement those bits I've posted and build DLL. Then edit l2.exe to load this DLL.

i know about the first, but how do i edit the l2.exe? btw thx for answering. This way i can add more too? also are there any dependencies for the dll (other dlls?)

[eressea]

6 hours ago, DimensionalGames said:

i know about the first, but how do i edit the l2.exe? btw thx for answering. This way i can add more too? also are there any dependencies for the dll (other dlls?)

 

There are tools like CFF Explorer etc, you just open l2.exe there and add an import to import table.

If you write your DLL, it's up to you what it will depend on. If it depends on other DLLs, it will automatically load them so you still need just to add your DLL to import table of l2.exe and system will do the rest for you.

[DimensionalGames]

thx a lot

[DimensionalGames]

On 6/23/2018 at 10:36 AM, eressea said:

 

There are tools like CFF Explorer etc, you just open l2.exe there and add an import to import table.

If you write your DLL, it's up to you what it will depend on. If it depends on other DLLs, it will automatically load them so you still need just to add your DLL to import table of l2.exe and system will do the rest for you.

one last question :D is it possible to write the dll in C#?

[eressea]

8 hours ago, DimensionalGames said:

one last question :D is it possible to write the dll in C#?

 

Short answer: No.

Long answer: There's some chance it could be done (somehow) but it would be very very hard (and maybe you would still have to write some parts in assembly).

[DimensionalGames]

On 6/25/2018 at 12:22 PM, eressea said:

 

Short answer: No.

Long answer: There's some chance it could be done (somehow) but it would be very very hard (and maybe you would still have to write some parts in assembly).

ah ok thx