I have found another crashing bug in the game.
By setting a break point in assembly code, I managed to pin down that the assembly code that causes the crash is called whenever patch_location() is called (of course most of the time it does not crash); however, I have no further knowledge beyond this. (patch_location() is the function used by the AI to find out where each Timonium Patch is located.)
By investigating, I am pretty sure now that patch_location() is not the direct cause but some internal Location handling routine that patch_location() uses is the cause. Specifically, sometimes the x,y coordinate of something becomes (-1,-1) and when that happens the routine crashes as it does not handle negative coordinates.
Although I am not able to find out the exact reason, I managed to come up with a fixed binary that does not crash by adding a simple check. However, I am afraid there might be a deeper issue and this simple check might cause strange behavior in the game.
If anyone is able to help to see if this binary causes any strange behavior (especially whether the locations of objects become weird), it will be helpful.
The download link is below. Place it in the same place as legends.exe and run this legendsfix5.exe instead.
https://gofile.io/d/YaLhuX
Additional notes (updated as new things are found):
The assembly code is as follows:
===============================
00B50050 8B 4C 24 04 mov ecx,dword ptr[esp+4]
00B50054 8B 81 C0 00 00 00 mov eax,dword ptr[ecx+0C0h]
00B5005A 8B 89 C4 00 00 00 mov ecx,dword ptr[ecx+0C4h]
00B50060 69 C0 31 64 00 00 imul eax,eax,6431h
00B50066 53 push ebx
00B50067 8D 98 C5 63 2D 01 lea ebx,[eax+12D63C5h]
00B5006D 8D 04 CD 00 00 00 00 lea eax,[ecx*8]
00B50074 2B C1 sub eax,ecx
00B50076 56 push esi
00B50077 8B 74 24 10 mov esi,dword ptr[esp+10h]
00B5007B 8B 56 30 mov edx,dword ptr[esi+30h]
00B5007E 8B 76 2C mov esi,dword ptr[esi+2Ch]
00B50081 57 push edi
00B50082 8D 3C C1 lea edi,[ecx+eax*8]
00B50085 8B 0B mov ecx,dword ptr[ebx]
00B50087 C1 FA 02 sar edx,2
00B5008A 03 FF add edi,edi
00B5008C 03 FF add edi,edi
00B5008E 03 CF add ecx,edi
00B50090 C1 FE 02 sar esi,2
00B50093 89 B1 D4 00 00 00 mov dword ptr[ecx+0D4h],esi
00B50099 89 91 D8 00 00 00 mov dword ptr[ecx+0D8h],edx
00B5009F A1 F0 DA 2C 01 mov eax,dword ptr ds:[012CDAF0h]
00B500A4 0F AF C2 imul eax,edx
00B500A7 03 C6 add eax,esi
00B500A9 8B D0 mov edx,eax
00B500AB C1 E2 05 shl edx,5
00B500AE 03 15 04 DB 2C 01 add edx,dword ptr ds:[12CDB04h]
00B500B4 0F BF 44 10 0A movsx eax,word ptr[eax+edx+0Ah]
00B500B9 89 81 D0 00 00 00 mov dword ptr[ecx+0D0h],eax
00B500BF 8B 0B mov ecx,dword ptr[ebx]
00B500C1 03 CF add ecx,edi
00B500C3 E8 78 E8 A6 FF call 005BE940
=============================================
and when crashing at the following line,
---------------------------
00B500B4 0F BF 44 10 0A movsx eax,word ptr[eax+edx+0Ah]
---------------------------
the value of eax is always a negative number (like FFFFFF8F).
Memory address 012CDAF0h stores the map's "x" dimension. (125 for Northland Flurry)
[This message has been edited by modder00 (edited 09-25-2020 @ 06:39 AM).]
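Added example in C, not the author's binary or the game's code: it models the address arithmetic in the disassembly above (x = [esi+2Ch]>>2, y = [esi+30h]>>2, idx = y*width + x, then a signed word read at idx*33 + 0x0A) next to one possible bounds check. The 33-byte stride and the 0x0A offset follow from the lea/shl/movsx sequence; the map_t layout, the height field, the sample map and the check itself are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Geometry from the disassembly: edx = idx<<5 + base, then [eax+edx+0Ah]
 * reads a signed word at base + idx*33 + 0x0A, i.e. a 33-byte tile stride. */
#define TILE_STRIDE    33
#define TILE_FIELD_OFF 0x0A
#define DEMO_W 4                /* constructed map size for this example */
#define DEMO_H 3

typedef struct {
    const uint8_t *tiles;  /* tile array base ([012CDB04h] in the game) */
    int32_t width;         /* map x dimension ([012CDAF0h]; 125 on Northland Flurry) */
    int32_t height;        /* assumed field; the disassembled routine never reads it */
} map_t;

/* World coordinate -> tile index, exactly as the routine computes it. */
static int32_t tile_index(int32_t world_x, int32_t world_y, int32_t width) {
    int32_t x = world_x >> 2;    /* sar esi,2 */
    int32_t y = world_y >> 2;    /* sar edx,2 */
    return y * width + x;        /* imul eax,edx ; add eax,esi */
}

/* The read as compiled: nothing rejects a negative index, so an object at
 * (-1,-1) addresses memory before the tile array and the movsx faults. */
static int16_t tile_field_unchecked(const map_t *m, int32_t idx) {
    int16_t v;
    memcpy(&v, m->tiles + (ptrdiff_t)idx * TILE_STRIDE + TILE_FIELD_OFF, sizeof v);
    return v;
}

/* Guarded lookup (one assumed shape of a fix): validate the tile coordinate
 * before forming any address. Returns 0 on success, -1 when out of range. */
static int tile_field_checked(const map_t *m, int32_t wx, int32_t wy, int16_t *out) {
    int32_t x = wx >> 2, y = wy >> 2;
    if (x < 0 || y < 0 || x >= m->width || y >= m->height)
        return -1;
    *out = tile_field_unchecked(m, y * m->width + x);
    return 0;
}

/* Constructed sample map: the word at offset 0x0A of tile i is 100*(i/W) + i%W.
 * Returns that word for an in-range coordinate, -1 for a rejected one. */
static int demo_lookup(int32_t wx, int32_t wy) {
    static uint8_t tiles[DEMO_W * DEMO_H * TILE_STRIDE];
    for (int32_t i = 0; i < DEMO_W * DEMO_H; i++) {
        int16_t f = (int16_t)(100 * (i / DEMO_W) + i % DEMO_W);
        memcpy(tiles + i * TILE_STRIDE + TILE_FIELD_OFF, &f, sizeof f);
    }
    map_t m = { tiles, DEMO_W, DEMO_H };
    int16_t v = 0;
    return tile_field_checked(&m, wx, wy, &v) < 0 ? -1 : v;
}
```

With width 125, a (-1,-1) object gives idx = -126, which matches the negative eax seen at the crashing movsx.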