Return zero's Blog

mInstance<NpPhyscis>

→ mSceneArray<TArray<NpScene>*>

→ mSQManager<Sq::SceneQueryManager>

→ mPrunerExt<PrunerExt[2]>

→ mPruner<AABBPruner*>

其一

→ mPool<PruningPool>

→ mWorldBoxes<PxBounds3*> AND mObjects<PrunerPayload*>

获取mInstance地址(PhysxSDK)

在IDA中搜索字符串

<aside> 💡

Wrong version: PhysX version is

</aside>

return 返回的地址就是全局地址

获取mRigidActors的偏移

在IDA中搜索字符串

<aside> 💡

PxScene:removeActors(): Actor

</aside>

F5，函数头

v4 = a2;
v6 = a4;
sub_xxxxx(a1 + 16, *(unsigned int *)(a1 + 9760));
// 这里的9760就是TArray的size，(9760 - 8)就是数组指针，具体参见TArray的结构

获取mSQManager以及mPrunerExt的偏移

在IDA中搜索字符串

<aside> 💡

PxScene::fetchSceneQueries was not called!

</aside>

对应PhysX源码

void NpScene::sceneQueriesUpdate(physx::PxBaseTask* completionTask, bool controlSimulation)
{
	PX_SIMD_GUARD;

	bool runUpdateTasks[PruningIndex::eCOUNT] = {true, true};
	{
		// write guard must end before scene queries tasks kicks off worker threads
		NP_WRITE_CHECK(this);

		PX_PROFILE_START_CROSSTHREAD("Basic.sceneQueriesUpdate", getContextId());

		if(mSceneQueriesUpdateRunning)
		{
			//fetchSceneQueries doesn't get called
			Ps::getFoundation().error(PxErrorCode::eINVALID_OPERATION, __FILE__, __LINE__, "PxScene::fetchSceneQueries was not called!");
			return;
		}
	
		// flush scene queries updates
		mSQManager.flushUpdates();

		// prepare scene queries for build - copy bounds
		runUpdateTasks[PruningIndex::eSTATIC] = mSQManager.prepareSceneQueriesUpdate(PruningIndex::eSTATIC);
		runUpdateTasks[PruningIndex::eDYNAMIC] = mSQManager.prepareSceneQueriesUpdate(PruningIndex::eDYNAMIC);

		mSceneQueriesUpdateRunning = true;
	}

	{
		PX_PROFILE_ZONE("Sim.sceneQueriesTaskSetup", getContextId());

		if (controlSimulation)
		{
			{
				PX_PROFILE_ZONE("Sim.resetDependencies", getContextId());
				// Only reset dependencies, etc if we own the TaskManager. Will be false
				// when an NpScene is controlled by an APEX scene.
				mTaskManager->resetDependencies();
			}
			mTaskManager->startSimulation();
		}

		mSceneQueriesCompletion.setContinuation(*mTaskManager, completionTask);
		if(runUpdateTasks[PruningIndex::eSTATIC])
			mSceneQueriesStaticPrunerUpdate.setContinuation(&mSceneQueriesCompletion);
		if(runUpdateTasks[PruningIndex::eDYNAMIC])
			mSceneQueriesDynamicPrunerUpdate.setContinuation(&mSceneQueriesCompletion);

		mSceneQueriesCompletion.removeReference();
		if(runUpdateTasks[PruningIndex::eSTATIC])
			mSceneQueriesStaticPrunerUpdate.removeReference();
		if(runUpdateTasks[PruningIndex::eDYNAMIC])
			mSceneQueriesDynamicPrunerUpdate.removeReference();
	}
}

在IDA中大概伪代码

__int64 __fastcall sub_180042B90(__int64 a1, __int64 a2, char a3)
{
  int v4; // ebx
  __int64 Instance; // rax
  __int64 result; // rax
  char v9; // r15
  char v10; // bp
  __int64 v11; // rax
  __int64 v12; // rdi

  v4 = _mm_getcsr();
  _mm_setcsr(0x9FC0u);
  if ( *(_BYTE *)(a1 + 10520) )
  {
    Instance = physx::shdfnd::Foundation::getInstance();
    result = physx::shdfnd::Foundation::error(
               Instance,
               8LL,
               "D:\\\\Build\\\\++Fortnite\\\\Sync\\\\Engine\\\\Source\\\\ThirdParty\\\\PhysX3\\\\PhysX_3.4\\\\Source\\\\PhysX\\\\src\\\\NpScene.cpp",
               3211LL,
               "PxScene::fetchSceneQueries was not called!");
  }
  else
  {
    sub_1800CF0B0(a1 + 9296); // 此处就是通过mSQManager指针调用flushUpdates
    v9 = sub_1800CF220(a1 + 9296, 0LL); // 访问mPrunerExt[PruningIndex::eSTATIC]
    v10 = sub_1800CF220(a1 + 9296, 1LL); // 访问mPrunerExt[PruningIndex::eDYNAMIC]
    *(_BYTE *)(a1 + 10520) = 1;
    if ( a3 )
    {
      (*(void (__fastcall **)(_QWORD))(**(_QWORD **)(a1 + 10160) + 32LL))(*(_QWORD *)(a1 + 10160));
      (*(void (__fastcall **)(_QWORD))(**(_QWORD **)(a1 + 10160) + 40LL))(*(_QWORD *)(a1 + 10160));
    }
    v11 = *(_QWORD *)(a1 + 10160);
    v12 = a1 + 10264;
    *(_DWORD *)(a1 + 10296) = 1;
    *(_QWORD *)(a1 + 10288) = a2;
    *(_QWORD *)(a1 + 10280) = v11;
    if ( a2 )
      (*(void (__fastcall **)(__int64))(*(_QWORD *)a2 + 24LL))(a2);
    if ( v9 )
    {
      *(_DWORD *)(a1 + 9504) = 1;
      *(_QWORD *)(a1 + 9496) = v12;
      if ( a1 != -10264 )
      {
        (*(void (__fastcall **)(__int64))(*(_QWORD *)v12 + 24LL))(a1 + 10264);
        *(_QWORD *)(a1 + 9488) = *(_QWORD *)(*(_QWORD *)(a1 + 9496) + 16LL);
      }
    }
    if ( v10 )
    {
      *(_DWORD *)(a1 + 9560) = 1;
      *(_QWORD *)(a1 + 9552) = v12;
      if ( a1 != -10264 )
      {
        (*(void (__fastcall **)(__int64))(*(_QWORD *)v12 + 24LL))(a1 + 10264);
        *(_QWORD *)(a1 + 9544) = *(_QWORD *)(*(_QWORD *)(a1 + 9552) + 16LL);
      }
    }
    result = (*(__int64 (__fastcall **)(__int64))(*(_QWORD *)v12 + 32LL))(a1 + 10264);
    if ( v9 )
      result = (*(__int64 (__fastcall **)(__int64))(*(_QWORD *)(a1 + 9472) + 32LL))(a1 + 9472);
    if ( v10 )
      result = (*(__int64 (__fastcall **)(__int64))(*(_QWORD *)(a1 + 9528) + 32LL))(a1 + 9528);
  }
  _mm_setcsr(v4 & 0xFFFFFFC0);
  return result;
}

这样就拿到了mSQManager在NpScene中的偏移，即9296，在不同版本中是不一样的。

跟进函数sub_1800CF220