Fix SA crash at 0x00897C28 (dump name wrongly identifies it as 0x003F0090), likely 'caused' by VS2026 but a latent stack offsets bug since its introduction (736660b).

Dutchman101 · Dutchman101 · commit 65f5afc81655 · 2025-12-03T13:38:21.000+08:00
Theory: VS2026 changed changed how inline assembly works. Probably something with different stack alignment, optimization choices, register allocation, calling convention optimizations, or code generation. (This can all be relevant to spot similar bugs manifesting now across hooks).

The broken, now patched, assembly code was reading stack values from wrong offsets, and while the old compiler's code generation might have accidentally put "harmless" values at those wrong locations, the new compiler's different stack layout or register usage puts critical values (like 0xC97C28 - the address of _RwD3DDevice) at those locations.

Affected only users with "optimus-alt-startup" setting enabled
diff --git a/Client/multiplayer_sa/CMultiplayerSA_Direct3D.cpp b/Client/multiplayer_sa/CMultiplayerSA_Direct3D.cpp
@@ -90,19 +90,23 @@ void _declspec(naked) HOOK_PreCreateDevice()
         push    ecx                                // pDirect3D
 
         // Now we have 7 parameters on stack (28 bytes)
-        // Stack layout: [pDirect3D][Adapter][DeviceType][hFocusWindow][BehaviorFlags][pPresentationParameters][ppReturnedDeviceInterface]
+        // Stack layout at ESP: [pDirect3D][Adapter][DeviceType][hFocusWindow][BehaviorFlags][pPresentationParameters][ppReturnedDeviceInterface]
 
-        pushad  // Save all registers (32 bytes)
+        pushad  // Save all registers (32 bytes), ESP now at ESP-32
         
-        // Pass parameters to OnPreCreateDevice - stack offset is now 32 (pushad) + 28 (pushes) = 60
-        push    [esp+60+24]                        // ppReturnedDeviceInterface
-        push    [esp+60+20]                        // pPresentationParameters
-        lea     eax,[esp+60+16]                    // BehaviorFlags as pointer
-        push    eax                                
-        push    [esp+60+12]                        // hFocusWindow
-        push    [esp+60+8]                         // DeviceType
-        push    [esp+60+4]                         // Adapter
-        push    [esp+60+0]                         // pDirect3D
+        // Pass parameters to OnPreCreateDevice
+        // After pushad, params start at ESP+32. Each push decreases ESP by 4,
+        // so [esp+32+4*6] effectively walks backward through the params:
+        // 1st access: ESP+56 = ppReturnedDeviceInterface, then ESP -= 4
+        // 2nd access: ESP+56 = pPresentationParameters (was at ESP+52), etc.
+        push    [esp+32+4*6]                       // ppReturnedDeviceInterface
+        push    [esp+32+4*6]                       // pPresentationParameters
+        lea     eax,[esp+32+4*6]                   // BehaviorFlags as pointer
+        push    eax
+        push    [esp+32+4*6]                       // hFocusWindow
+        push    [esp+32+4*6]                       // DeviceType
+        push    [esp+32+4*6]                       // Adapter
+        push    [esp+32+4*6]                       // pDirect3D
         call    OnPreCreateDevice
         add     esp, 4*7
         popad
