This is not a complete fix, it's a workaround so that you can't get negative max weight.

The problem when you get negative max weight is that the variable can at most hold the number 32767 (7FFF in hex) before going negative.

What this patch does is to check if the max weight is above 32767 and if that's the case it will set the variable to the maximum number it can hold.

This is the original code we will patch over:

1. 004A0F0C  CMP DWORD PTR SS:[EBP-10],0
   
2. 004A0F10  MOV WORD PTR DS:[ESI+80DC],AX

复制代码

With this jump to the codecave:

1. 004A0F0C  JMP 004A17F4

复制代码

Codecave:

1. 004A17F4  PUSHAD
   
2. 004A17F5  CMP AX,7FFF
   
3. 004A17F9  JB SHORT 004A17FF
   
4. 004A17FB  MOV AX,7FFF
   
5. 004A17FF  MOV WORD PTR DS:[ESI+80DC],AX
   
6. 004A1806  POPAD
   
7. 004A1807  MOV AX,WORD PTR DS:[ESI+80DC]
   
8. 004A180E  CMP DWORD PTR SS:[EBP-10],0
   
9. 004A1812  JNZ 004A0F8F
   
10. 004A1818  JMP 004A0F19

复制代码

Edit: This patch is for ebenezer.

This is not a complete fix, it's a workaround so that you can't get negative max weight.

The problem when you get negative max weight is that the variable can at most hold the number 32767 (7FFF in hex) before going negative.

What this patch does is to check if the max weight is above 32767 and if that's the case it will set the variable to the maximum number it can hold.

This is the original code we will patch over:

1. 004A0F0C  CMP DWORD PTR SS:[EBP-10],0
   
2. 004A0F10  MOV WORD PTR DS:[ESI+80DC],AX

复制代码

With this jump to the codecave:

1. 004A0F0C  JMP 004A17F4

复制代码

Codecave:

1. 004A17F4  PUSHAD
   
2. 004A17F5  CMP AX,7FFF
   
3. 004A17F9  JB SHORT 004A17FF
   
4. 004A17FB  MOV AX,7FFF
   
5. 004A17FF  MOV WORD PTR DS:[ESI+80DC],AX
   
6. 004A1806  POPAD
   
7. 004A1807  MOV AX,WORD PTR DS:[ESI+80DC]
   
8. 004A180E  CMP DWORD PTR SS:[EBP-10],0
   
9. 004A1812  JNZ 004A0F8F
   
10. 004A1818  JMP 004A0F19

复制代码

Edit: This patch is for ebenezer.