Title
https://xemu.app/titles/4d53004d/#NFL-Fever-2004
NFL Fever 2004 (NTSC, v1.00)
Bug Description
Upon loading the game, it crashes, as has been documented previously.
Expected Behavior
The game should boot to the main menu.
xemu Version
0.8.135
System Information
CPU: AMD Ryzen 5 3600X 6-Core Processor
OS Platform: Windows
OS Version: 25H2
Manufacturer: NVIDIA Corporation
GPU Model: NVIDIA GeForce RTX 4070 Ti/PCIe/SSE2
Driver: 4.0.0 NVIDIA 591.86
Shader: 4.00 NVIDIA via Cg compiler
Additional Context
Detailed Memory Analysis - NFL Fever 2004 Crash
I've done hands-on debugging of this crash using xemu's built-in QEMU monitor and wanted to share the findings in detail, as this goes significantly deeper than previous reports.
Environment
- Xemu Version: 0.8.135
- Game: NFL Fever 2004 (NTSC)
Step 1: Register dump at crash
After the crash at the Xbox logo screen, info registers produced:
EAX=0000001e EBX=d00e0714 ECX=c0000005 EDX=0034f2e4
ESI=00000000 EDI=00000007 EBP=d00e048c ESP=d00e0480
EIP=800151ef EFL=00000046 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=1
CR0=8001003b CR2=00000007 CR3=0000f000 CR4=00000610
Key observations:
- EIP=0x800151ef - crash is inside the Xbox kernel, not game code
- CR2=0x00000007 - the faulting address is 0x7 (effectively a null pointer dereference)
- ECX=0xc0000005 - STATUS_ACCESS_VIOLATION
- EDI=0x00000007 - EDI holds the bad pointer value
- HLT=1 - CPU halted, kernel panic spin loop (eb fc at EIP confirmed)
Step 2: Disassembly of crash site in game code (0x34f380)
Raw bytes at 0x34f380:
0034f380: 57            push edi
0034f381: 8b 7c 24 0c   mov edi, [esp+0x0c]  ; load pointer from stack arg
0034f385: 8b 07         mov eax, [edi]       ; *** FAULT HERE - EDI = 0x7 ***
0034f387: 83 e8 03      sub eax, 3
0034f38a: 74 22         je 0x34f3ae          ; rel8 is relative to the next instruction
0034f38c: 48            dec eax
0034f38d: 74 12         je 0x34f3a1
0034f38f: 83 e8 05      sub eax, 5
0034f392: 75 43         jne 0x34f3d7
0034f394: 8b 47 04      mov eax, [edi+4]     ; read field at offset 4
This is a dispatch/switch function. It loads a pointer from a stack argument, then immediately dereferences it to read a type field. The pointer value is 0x7 which is clearly garbage. The function boundary is confirmed by 0xCC padding bytes at 0x34f370-0x34f37f.
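The following is an added example, not code from the report or from xemu: a minimal x86-32 decoder that covers only the opcodes occurring in this dispatch function. It recomputes the short-branch targets from the raw bytes quoted in the report (a rel8/rel32 displacement is added to the address of the following instruction) and then checks that every in-range branch target coincides with a decoded instruction start, which is the quickest way to confirm a hand-decoded listing is self-consistent. The byte string is constructed from the `x/40xb 0x34f380` output above.

```python
# Added example (not xemu code): decode just enough x86-32 to walk the
# dispatch function at 0x34f380 and verify its branch targets.

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed from the report's "x/40xb 0x34f380" monitor output.
CODE_BASE = 0x0034F380
CODE = bytes.fromhex(
    "57 8b 7c 24 0c 8b 07 83"
    "e8 03 74 22 48 74 12 83"
    "e8 05 75 43 8b 47 04 5f"
    "89 44 24 08 e9 8f ff ff"
    "ff 8b 57 04 5f 89 54 24"
)


def _rel(code, off, width):
    """Signed little-endian displacement of `width` bytes at off (bounds-checked)."""
    chunk = code[off:off + width]
    if len(chunk) != width:
        raise IndexError("truncated instruction")
    return int.from_bytes(chunk, "little", signed=True)


def _modrm_mem(code, off):
    """Decode a memory-operand ModRM (mod 0 or 1) plus a no-index SIB.

    Returns (bytes consumed, operand text). Only the forms present in this
    function are handled; anything else raises ValueError.
    """
    modrm = code[off]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if rm == 4:                       # SIB byte follows
        sib = code[off + 1]
        n += 1
        if (sib >> 3) & 7 != 4:       # a scaled index register is not handled
            raise ValueError("SIB with index not handled")
        base = REG32[sib & 7]
    else:
        base = REG32[rm]
    if mod == 0:
        if rm == 5 or (rm == 4 and sib & 7 == 5):
            raise ValueError("disp32-only form not handled")
        return n, f"[{base}]"
    if mod == 1:
        disp = _rel(code, off + n, 1)
        return n + 1, f"[{base}{disp:+#x}]"
    raise ValueError("ModRM form not handled")


def decode_one(code, off, base):
    """Decode one instruction at offset off; returns (length, text)."""
    addr = base + off
    b = code[off]
    if 0x50 <= b <= 0x57:
        return 1, f"push {REG32[b - 0x50]}"
    if 0x58 <= b <= 0x5F:
        return 1, f"pop {REG32[b - 0x58]}"
    if 0x48 <= b <= 0x4F:
        return 1, f"dec {REG32[b - 0x48]}"
    if b in (0x74, 0x75):             # je/jne rel8, relative to the next instruction
        target = addr + 2 + _rel(code, off + 1, 1)
        return 2, f"{'je' if b == 0x74 else 'jne'} 0x{target:x}"
    if b == 0xE9:                     # jmp rel32
        return 5, f"jmp 0x{addr + 5 + _rel(code, off + 1, 4):x}"
    if b == 0x83:                     # group-1 r/m32, imm8; /5 is sub
        modrm = code[off + 1]
        if modrm >> 6 == 3 and (modrm >> 3) & 7 == 5:
            return 3, f"sub {REG32[modrm & 7]}, {code[off + 2]}"
        raise ValueError(f"0x83 /{(modrm >> 3) & 7} not handled")
    if b in (0x8B, 0x89):             # mov r32, r/m32  /  mov r/m32, r32
        n, mem = _modrm_mem(code, off + 1)
        reg = REG32[(code[off + 1] >> 3) & 7]
        return 1 + n, (f"mov {reg}, {mem}" if b == 0x8B else f"mov {mem}, {reg}")
    raise ValueError(f"opcode {b:#04x} not handled")


def disassemble(code, base):
    """Linear sweep; stops at the first instruction cut off by the end of the dump."""
    out, off = [], 0
    while off < len(code):
        try:
            n, text = decode_one(code, off, base)
        except IndexError:
            break
        out.append((base + off, text))
        off += n
    return out


def branch_targets_on_boundaries(listing):
    """Branch targets inside the decoded range that are NOT instruction starts.

    An empty list means every in-range je/jne/jmp lands on a decoded boundary,
    i.e. the listing is self-consistent.
    """
    starts = {a for a, _ in listing}
    lo, hi = min(starts), max(starts)
    bad = []
    for _, text in listing:
        op, _, arg = text.partition(" ")
        if op in ("je", "jne", "jmp"):
            t = int(arg, 16)
            if lo <= t <= hi and t not in starts:
                bad.append(t)
    return bad


if __name__ == "__main__":
    listing = disassemble(CODE, CODE_BASE)
    for addr, text in listing:
        print(f"{addr:08x}: {text}")
    print("inconsistent targets:", [hex(t) for t in branch_targets_on_boundaries(listing)])
```

Running the block prints the same instruction sequence as the listing above, with targets 0x34f3ae, 0x34f3a1 and 0x34f3d7 for the three short branches; the je to 0x34f3a1 lands on the `mov edx, [edi+4]` that follows the `jmp`, so the decode is self-consistent.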
Step 3: Stack analysis
Stack dump at ESP=0xd00e0480:
d00e0480: b3 6e 56 bc ac b2 c7 bb 00 00 00 00 5c c0 21 bc
d00e0490: 4a aa 9f be 88 38 73 bf 00 00 00 00 cd 8d ea be
d00e04a0: c1 fa 96 3e 42 3b d3 3e
All return addresses fall in the 0xBxxxxxxx range, which is the Xbox tiled memory / framebuffer region, not valid executable address space. The stack was already corrupted before reaching 0x34f380. The crash there is a secondary symptom.
Step 4: Tracing the origin of 0x7
Following the kernel data reference at 0x80035a6c (seen in the kernel code: mov edx, [0x80035a6c]) led to a user-space structure at 0x005a5fcc:
005a5fcc: 6c 5a 03 80 - 0x80035a6c (back-pointer to kernel resource tracker)
005a5fd0: 40 05 07 d0 - 0xd0070540 (tiled memory address — GPU surface)
005a5fd4: 00 00 04 00 - 0x400 = 1024 (pitch or dimension)
005a5fd8: 00 00 00 00 - NULL
005a5fdc: dc 5f 5a 00 - 0x005a5fdc (Flink, self-referencing = empty list)
005a5fe0: dc 5f 5a 00 - 0x005a5fdc (Blink, circular)
005a5fe4: 06 00 07 00 - *** type field = 0x06, index/handle field = 0x07 ***
005a5fe8: 9c 14 51 00 - 0x0051149c (pointer into game code)
005a5fec: 02 00 00 00 - 2
The 0x07 at offset +0x18 of this structure is the source of the bad pointer. Something in the boot path reads this field and dereferences it as a struct pointer instead of treating it as an integer type/index value.
Step 5: Structure identification
This structure is consistent with an Xbox D3D surface or texture resource descriptor:
- 0xd0070540 is a tiled memory address (0xD0000000+ range = GPU tiled memory)
- 0x400 is a plausible surface pitch
- The self-referencing LIST_ENTRY at +0x10/+0x14 indicates an empty linked list (no sub-resources)
- The back-pointer to 0x80035a6c links it into the kernel's resource tracking
- Fields 0x06 / 0x07 at +0x18 look like resource type and handle/index
This structure is being created during D3D initialization, before the Xbox logo animation completes.
Hypothesis
NFL Fever 2003 works; NFL Fever 2004 does not. The 2004 build appears to create a D3D surface or resource type early in boot that exercises a slightly different initialization path. xemu's D3D resource descriptor layout or initialization may be placing a type/index integer (0x07) where the game code expects a valid pointer, either due to a struct field offset mismatch or an unimplemented/stubbed resource type.
Specifically worth investigating: does xemu's NV097 / D3D__pDevice initialization handle the resource type represented by 0x06/0x07 differently from the types used by NFL Fever 2003? A diff of the XBE headers and early D3D calls between the 2003 and 2004 builds would likely pinpoint the divergence.
Here is the monitor output from which I gathered the data:
x/20i 0x800151ef
0xffffffff800151ef: Asm output not supported on this arch
x/20i 0x34f380
0x0034f380: Asm output not supported on this arch
x/40xb 0x800151ef
800151ef: 0xeb 0xfc 0x53 0x56 0x57 0xe8 0x4f 0xf1
800151f7: 0xff 0xff 0x80 0x7c 0x24 0x14 0x00 0x8b
800151ff: 0x15 0x6c 0x5a 0x03 0x80 0x8a 0xc8 0xb8
80015207: 0x6c 0x5a 0x03 0x80 0x74 0x3e 0x3b 0xd0
8001520f: 0x8b 0x7c 0x24 0x10 0x74 0x24 0x8b 0x77
x/40xb 0x34f380
0034f380: 0x57 0x8b 0x7c 0x24 0x0c 0x8b 0x07 0x83
0034f388: 0xe8 0x03 0x74 0x22 0x48 0x74 0x12 0x83
0034f390: 0xe8 0x05 0x75 0x43 0x8b 0x47 0x04 0x5f
0034f398: 0x89 0x44 0x24 0x08 0xe9 0x8f 0xff 0xff
0034f3a0: 0xff 0x8b 0x57 0x04 0x5f 0x89 0x54 0x24
x/40xb 0xd00e0480
d00e0480: 0xb3 0x6e 0x56 0xbc 0xac 0xb2 0xc7 0xbb
d00e0488: 0x00 0x00 0x00 0x00 0x5c 0xc0 0x21 0xbc
d00e0490: 0x4a 0xaa 0x9f 0xbe 0x88 0x38 0x73 0xbf
d00e0498: 0x00 0x00 0x00 0x00 0xcd 0x8d 0xea 0xbe
d00e04a0: 0xc1 0xfa 0x96 0x3e 0x42 0x3b 0xd3 0x3e
x/60xb 0xbc566e90
bc566e90: Cannot access memory
x/40xb 0x80035e60
80035e60: 0x9c 0xb3 0x08 0x00 0x00 0x8e 0x01 0x80
80035e68: 0xc8 0xb3 0x08 0x00 0x00 0x8e 0x01 0x80
80035e70: 0xfc 0xb3 0x30 0x00 0x00 0x85 0x01 0x80
80035e78: 0x50 0xb4 0x08 0x00 0x00 0xee 0x01 0x80
80035e80: 0x94 0xb4 0x08 0x00 0x00 0xee 0x01 0x80
x/40xb 0xd00e0400
d00e0400: 0xb8 0xea 0xd1 0xbd 0xe1 0x3b 0x03 0xbb
d00e0408: 0xe2 0xd5 0x9f 0xbe 0x00 0x00 0x00 0x00
d00e0410: 0xb8 0x9b 0x1e 0xbe 0xf1 0x68 0xeb 0xbe
d00e0418: 0x1e 0xfb 0xf9 0x3e 0x00 0x00 0x80 0x3f
d00e0420: 0x00 0x00 0x00 0x00 0x00 0x00 0x11 0x00
x/80xb 0x80015000
80015000: 0x14 0x8d 0x9c 0x4e 0x01 0x80 0x89 0x14
80015008: 0x8d 0x2c 0x5a 0x03 0x80 0xa1 0x28 0x5a
80015010: 0x03 0x80 0xba 0xd0 0x04 0x00 0x00 0xee
80015018: 0xeb 0x00 0x8a 0xc4 0x42 0xee 0xb8 0x01
80015020: 0x00 0x00 0x00 0xd3 0xe0 0xf7 0xd0 0xfa
80015028: 0x21 0x05 0x24 0x5a 0x03 0x80 0xa1 0x24
80015030: 0x42 0x01 0x80 0x0b 0x05 0x24 0x5a 0x03
80015038: 0x80 0xe6 0x21 0xc1 0xe8 0x08 0xe6 0xa1
80015040: 0xfb 0xc2 0x08 0x00 0x8b 0x44 0x24 0x04
80015048: 0x83 0xc0 0x30 0x83 0xf8 0x30 0x72 0x11
x/40xb 0x80010000
80010000: 0x4d 0x5a 0x90 0x00 0x03 0x00 0x00 0x00
80010008: 0x04 0x00 0x00 0x00 0xff 0xff 0x00 0x00
80010010: 0xb8 0x00 0x00 0x00 0x00 0x00 0x00 0x00
80010018: 0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00
80010020: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
x/4xb 0x8001003c
8001003c: 0x00 0x01 0x00 0x00
x/40xb 0x800100f8
800100f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
80010100: 0x50 0x45 0x00 0x00 0x4c 0x01 0x05 0x00
80010108: 0xb0 0xae 0xfc 0x3c 0x00 0x00 0x00 0x00
80010110: 0x00 0x00 0x00 0x00 0xe0 0x00 0x0f 0x01
80010118: 0x0b 0x01 0x07 0x00 0x20 0x40 0x09 0x00
x/8xb 0x80010178
80010178: 0xc0 0x02 0x00 0x00 0xed 0x05 0x00 0x00
x/8xb 0x8001017c
8001017c: 0xed 0x05 0x00 0x00 0x00 0x00 0x00 0x00
x/40xb 0x800102c0
800102c0: 0x00 0x00 0x00 0x00 0xa4 0xa1 0xfc 0x3c
800102c8: 0x00 0x00 0x00 0x00 0xa0 0x08 0x00 0x00
800102d0: 0x01 0x00 0x00 0x00 0x6e 0x01 0x00 0x00
800102d8: 0x00 0x00 0x00 0x00 0xe8 0x02 0x00 0x00
800102e0: 0xa0 0x08 0x00 0x00 0xa0 0x08 0x00 0x00
x/4xb 0x80010300
80010300: 0x00 0x00 0x00 0x00
x/80xb 0x34f340
0034f340: 0x24 0x08 0x56 0x8b 0x71 0x08 0x48 0x23
0034f348: 0xc6 0x8b 0x72 0x10 0x6b 0xc0 0x1c 0x03
0034f350: 0xc6 0x5e 0x83 0x38 0x09 0x75 0x05 0x39
0034f358: 0x48 0x04 0x74 0x0f 0x8b 0x40 0x18 0x85
0034f360: 0xc0 0x75 0xef 0xb8 0xac 0xd8 0x59 0x00
0034f368: 0xc2 0x08 0x00 0x83 0xc0 0x0c 0xc2 0x08
0034f370: 0x00 0xcc 0xcc 0xcc 0xcc 0xcc 0xcc 0xcc
0034f378: 0xcc 0xcc 0xcc 0xcc 0xcc 0xcc 0xcc 0xcc
0034f380: 0x57 0x8b 0x7c 0x24 0x0c 0x8b 0x07 0x83
0034f388: 0xe8 0x03 0x74 0x22 0x48 0x74 0x12 0x83
x/80xb 0xd00e0440
d00e0440: 0xb3 0x6e 0x56 0xbc 0x4a 0xaa 0x9f 0xbe
d00e0448: 0x00 0x00 0x00 0x00 0xf7 0xb6 0x9f 0xbe
d00e0450: 0xac 0xb2 0xc7 0xbb 0x88 0x38 0x73 0xbf
d00e0458: 0x00 0x00 0x00 0x00 0xe3 0x25 0x16 0xbe
d00e0460: 0xf4 0xca 0xed 0x3e 0x2d 0x74 0xf5 0x3e
d00e0468: 0x00 0x00 0x80 0x3f 0x3a 0x97 0x2c 0x3c
d00e0470: 0xfc 0x35 0x73 0x3f 0xf7 0xb6 0x9f 0xbe
d00e0478: 0x00 0x00 0x00 0x00 0x2b 0xf9 0x7f 0x3f
d00e0480: 0xb3 0x6e 0x56 0xbc 0xac 0xb2 0xc7 0xbb
d00e0488: 0x00 0x00 0x00 0x00 0x5c 0xc0 0x21 0xbc
x/80xb 0x80035a60
80035a60: 0x10 0x4f 0x01 0x80 0x10 0x4f 0x01 0x80
80035a68: 0xe3 0x4e 0x01 0x80 0x8c 0x0d 0x00 0x80
80035a70: 0xcc 0x5f 0x5a 0x00 0x00 0x00 0x00 0x00
80035a78: 0x01 0x00 0x00 0x00 0x01 0x00 0x00 0x00
80035a80: 0x46 0x02 0x00 0x00 0x01 0x00 0x00 0x00
80035a88: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
80035a90: 0x06 0x00 0x44 0x00 0x00 0x00 0x00 0x00
80035a98: 0x98 0x5a 0x03 0x80 0x98 0x5a 0x03 0x80
80035aa0: 0xa0 0x5a 0x03 0x80 0xa0 0x5a 0x03 0x80
80035aa8: 0xd2 0x03 0x00 0x00 0x40 0x98 0x03 0x80
x/40xb 0x80000d8c
80000d8c: 0x14 0x03 0x45 0x00 0x6c 0x5a 0x03 0x80
80000d94: 0x02 0x97 0xea 0xfe 0x00 0x00 0x00 0x00
80000d9c: 0x7c 0x00 0x00 0x00 0x00 0x00 0x00 0x00
80000da4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
80000dac: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
x/40xb 0x005a5fcc
005a5fcc: 0x6c 0x5a 0x03 0x80 0x40 0x05 0x07 0xd0
005a5fd4: 0x00 0x00 0x04 0x00 0x00 0x00 0x00 0x00
005a5fdc: 0xdc 0x5f 0x5a 0x00 0xdc 0x5f 0x5a 0x00
005a5fe4: 0x06 0x00 0x07 0x00 0x9c 0x14 0x51 0x00
005a5fec: 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00