Warning: Battery Maximizer Resource Leak!!

[AlexanderT]

Hi,

There is a massive resource leak bug in the latest version of IBM's "Battery MaxiMiser and Power Management Features" (1.37a). See here an extended memory dump made after running Windows XP SP2 (with all hotfixes) for approx. 24 hours:

Code: Select all

[Process Pane]
|ProcessID| |Process|                                                                              |% CPU| |CPUGraph| |LT % CPU|       |Time| |Sw/s| |InMem KB| |Private KB| |Total KB|   |Th||Pri|         |Ver||State|   |Handles| |Windows| |USER Obj| |GDI Obj|          |Start Time||Path|
608         + Eine DLL-Datei als Anwendung ausführen                                                                                     0:34      0        872        2.428     36.040    2  Norm            4,032 Gui        4.733         2          5        12   2004-12-28 11:30:38C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
1444        + Eine DLL-Datei als Anwendung ausführen                                                                                     0:03      0        900        2.176     33.628    1  Norm            4,032 Gui        4.655         2          6        11   2004-12-28 11:30:38"C:\WINDOWS\system32\RunDll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
1168        + Generic Host Process for Win32 Services                                                                                    1:40      1     13.880       15.656    146.624   77  Norm            4,032 Gui        1.656         0         12        11   2004-12-28 11:30:15C:\WINDOWS\System32\svchost.exe
4           + System                                                                                                                     7:00     76         36           28      1.904   59  Norm            0,0                592         0          0         0                      System
760         + Client Server Runtime Process                                                                                0,04%         3:40    351      3.332        1.796     28.032   11  High            5,132 Con          550         0         75        81   2004-12-28 11:30:11C:\WINDOWS\system32\csrss.exe
784         + Windows NT-Anmeldung                                                                                                       0:54      2      3.780        7.228     55.340   23  High            4,032 Gui          531         0         11        38   2004-12-28 11:30:13C:\WINDOWS\system32\winlogon.exe
368         + Windows Explorer                                                                                             0,29%        13:37     15     19.260       17.632     97.724   12  Norm           4,1032 Gui          502       123        198       347   2004-12-28 11:30:31C:\WINDOWS\Explorer.EXE
840         + LSA Shell (Export Version)                                                                                                 0:09      1        960        3.652     40.984   18  Norm+1          4,032 Gui          367         0          1         6   2004-12-28 11:30:13C:\WINDOWS\system32\lsass.exe
828         + Anwendung für Dienste und Controller                                                   0,99%                 1,09%        31:37     26      1.944        1.964     35.508   15  Norm+1          4,032 Gui          290         0          0         4   2004-12-28 11:30:13C:\WINDOWS\system32\services.exe
1128        + Generic Host Process for Win32 Services                                                                                    0:03      0      1.572        1.772     37.868   10  Norm            4,032 Gui          286         0          0         4   2004-12-28 11:30:15C:\WINDOWS\system32\svchost.exe
1052        + Generic Host Process for Win32 Services                                                                                              0      1.600        3.004     61.704   18  Norm            4,032 Gui          214         0          0         4   2004-12-28 11:30:15C:\WINDOWS\system32\svchost.exe
3736        + Firefox                                                                                                      3,94%         0:23     93     48.256       39.500    100.676    8  Norm            4,032 Gui          209        41         54       179   2005-01-01 20:56:45C:\Programme\Mozilla Firefox\firefox.exe
3040        + Remotedesktopverbindung                                                                                                    0:20      0      1.356       11.172     56.500   12  Norm            4,032 Gui          189        33         57       123   2005-01-01 14:03:31C:\WINDOWS\system32\mstsc.exe
1480        + Generic Host Process for Win32 Services                                                                                              0      1.392        1.592     37.336   13  Norm            4,032 Gui          185         0          0         4   2004-12-28 11:30:16C:\WINDOWS\system32\svchost.exe
1784        + Spooler SubSystem App                                                                                                      0:02      0      2.000        3.340     44.656   13  Norm            4,032 Gui          163         0          0         4   2004-12-28 11:30:16C:\WINDOWS\system32\spoolsv.exe

The top two lines contain both dlls from the Power Management software. Each dll has more than 4.000 windows32 handles opened! None of the following processes comes even close to that value. For instance, Explorer has 502 open handles, Firefox 209 open handles, etc. You can check it out yourself. Open Windows task-manager (taskmgr.exe), under View->Select Columns select Handle Count.

I even contacted IBM tech support via e-mail, but the response was more than meager:

Thank you for your message.

IBM troubleshooting guides
http://www-1.ibm.com/support/docview.ws ... IGR-4YRRG6

It might be better for you to call your country's Technical Support to do a
proper problem determination.
For more information on how to contact your country's Technical Support
please see this web page: http://www.ibm.com/pc/support

Kind regards,

[Leon]

I have version 1.37 (without the "a"). It does not exhibit that behavior.

[AlexanderT]

For how long have you been running Windows? The leak occurs while you are running Windows, the longer you run it, the more handles are left open.

[Leon]

several days up and still not.... it's hard to believe that they introduced such a bug in an "a" release.... do others have this issue?.....

P.S. Firefox 1.0 IS a memory leaker.... after a day, mine has 7,058 handles open!!!! (But I STILL love it)!

[DavidNZ]

what exactly does it mean if some 'handles' are 'open'? I'm a bit confused.

[AlexanderT]

Leon, thanks for the information. Perhaps the bug only occurs with certain settings in Battery Maximizer enabled/disabled.

On my Thinkpad T42, I have a pretty clean XP SP2 system with no extra drivers installed.

Interestingly, I don't have such a high open handles count with Firefox running all day long. It uses a lot of memory, yes, but handle count stays relatively low (far lower than those two Battery Maximizer DLLs).

Btw, if I kill the two DLL processes, and restart them in a command line with
C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

and

C:\WINDOWS\system32\RunDll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

Handle for count drops back to 25 and 49, respectively! After several hours, count for each goes back up in the 1000's.

@DavidNZ, by "open handles" or a handle resource leak I refer to Win32 API resource handles that weren't released after they had been used. A resource handle is a variable that stores the resource handle returned by an API function. You can require that such a handle be explicitly destroyed after usage via a corresponding API call. The release call then deletes the handle, frees the underlying memory object (!) and releases any resources. If you don't release the handle, you end up wasting important computer resources. Even worse, since the leak in Battery Maximizer seems to occur in a loop (number of open handles increases), you can run into resource shortage (in paged pool) over time. See here for some more info:
http://www.codeguru.com/Cpp/V-S/debug/m ... php/c4411/

[DavidNZ]

Crikey. I'm digging out my old Commodore 64.

Thanks for that - I'll do some reading on it because it sounds kinda interesting in terms of program structures.

[AlexanderT]

Here is the detailed process to watch the handle counters for the two Battery Maximizer DLLs. This is applicable for Windows 2000 but should be same for Windows NT and Windows XP, as well.

* Open perfmon by clicking Start, Settings, Control Panel, Administrative Tools, Performance.
* Click the Add counters tool box(the tool with the + sign). It will display the Add Counter dialog box.
* Check the 'Use local computer counters' radio button.
* Select Process under the 'Performance Object:' drop-down combo box.
* Select the 'Select counters from list' radio button and select 'Handle Count' and 'Private Bytes' from the combo box. This box is a multiline select combo box.
* Select the 'Select instances from list' radio button and select your the two DLLs (\process\rundll32 and \process\rundll32#1) from the combo box just below it.
* Press the Add button, followed by the Close button.

Watch how the number of open handles increases over time.

[AlexanderT]

Ok I called IBM tech support and some capable person took my report and forwarded it to the IBM software labor. I will keep you in touch!

[Leon]

did it both ways... again, my version does not...

[greghead]

I don't have that problem, but occassionally (rarely) I will notice the whole system slow down. When I eventually get Task Manager up, I see that the rundll32 for Battery Maximizer's DLL has pegged the CPU at 99%.

I have to demote the priority and kill the process, just to be able to restart Windows.

This started happening only after SP2. Although other things have changed so I can't blame SP2 exactly.

[johnson]

I just got my new hdd (7K60) and did a fresh install of Win XP w/ SP2 (slipstreamed) and installed all updated drivers for my T23 on www.tpdrivers.com. I just checked my Battery MaxiMiser version and its the one you listed. Im not sure if it has to do with the batt mm but ive noticed that my system has been slower in loading programs and such than on my old 30gb 4200rpm drive. Start up time and shut down time have decreased but sometimes when im on the desktop and click on my computer, itll lag about 10 seconds before it window opens up.

[AlexanderT]

OK, I was able to pinpoint down the problem by myself. The leak *ONLY* occurs if you have additional settings (under "Improve Battery Health") enabled in Battery Maximizer. I sent my analysis back to IBM Tech, but haven't heard from them since. So I am going to post my findings for you here. As a temporary solution I patched the two dlls in question myself to avoid the resource leak.

Code: Select all

IBM Thinkpad R50 1830-7GG, Windows XP SP2

Bug: Handle leak caused by not properly closing registry key
Software: IBM ThinkPad Battery Maximizer and Power Management Features package V1.37a
File: pwrmonit.dll
MD5: D3F7AF2854976293CAA7568F123F408B
Version: 1.37a

How to reproduce:
Install IBM ThinkPad Battery Maximizer and Power Management Features package V1.37a. Reboot. Then go to "Improve Battery Health" in Battery Maximizer, choose 70% for "Start charging when below", and check both "Automatically determine..." and "Notify me"... options. Click OK and exit the option menu. Now watch # of handles grow every 1000ms for the two processes
"C:\WINDOWS\system32\rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\PwrMonit.dll,StartPwrMonitor and
"C:\WINDOWS\system32\rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor 

Description:
- In the time interval of 1000ms ('PwrMonitorRunDllWin'), ThinkPad Battery MaxiMiser Gauge (pwrmonit.dll, also BatInfEx.dll) is regularly checking whether the user has customized the Battery Charge Threshold levels.
- The check occurs by first reading the registry key HKCU\SOFTWARE\IBM\BMM\Data\BMMLLB, and subsequently, if the key exists, by checking for its values 'StartStatus' and 'StartThreshold'.
- The registry key HKCU\SOFTWARE\IBM\BMM\Data\BMMLLBARE is only present if the user has previously at least once customized the settings in the "Improve Battery Health" tab. It is not present in a clean install.
- The bug only occurs if the registry key HKCU\SOFTWARE\IBM\BMM\Data\BMMLLBARE is present.

A closer look:
- The program first attempts to open HKCU\SOFTWARE\IBM\BMM\Data\BMMLLBARE (1).
- If the key is not present, it gives control back to Windows (2). No handles were used in the subroutine.
- Otherwise, the program uses the handle hKey returned by RegOpenKeyExA to access the key's values 'StartStatus' and 'StartThreshold' (3).
- If one of the two values 'StartStatus' or 'StartThreshold' is not present, the program properly closes the registry ("frees" the handle hKey and gives control back to Windows (4).
- If, however, both keys are present, and StartStatus is equal to 1, the program will exit the routine WITHOUT first freeing the open handle hkey -> LEAK.

How to fix:
- Call RegCloseKey(hKey) before exiting the subroutine (5).


.text:1000CA90 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:1000CA90
.text:1000CA90
.text:1000CA90 _my_subroute    proc near               ; CODE XREF: sub_1000AD60+26p
.text:1000CA90                                         ; sub_1000AD60+51p
.text:1000CA90                                         ; sub_1000AD60+8Ap
.text:1000CA90                                         ; sub_1000AD60+BCp
.text:1000CA90                                         ; sub_1000C370+13Ep
.text:1000CA90                                         ; sub_1000C370+189p
.text:1000CA90
.text:1000CA90 hKey            = dword ptr -10h
.text:1000CA90 Data            = byte ptr -0Ch
.text:1000CA90 cbData          = dword ptr -8
.text:1000CA90 Type            = dword ptr -4
.text:1000CA90 arg_0           = dword ptr  4
.text:1000CA90 arg_4           = dword ptr  8
.text:1000CA90
.text:1000CA90                 sub     esp, 10h
.text:1000CA93                 mov     ecx, off_10012634
.text:1000CA99                 mov     eax, 4
.text:1000CA9E                 push    ebx
.text:1000CA9F                 push    ebp
.text:1000CAA0                 mov     [esp+18h+Type], eax
.text:1000CAA4                 mov     [esp+18h+cbData], eax
.text:1000CAA8                 push    esi
.text:1000CAA9                 lea     eax, [esp+1Ch+hKey]
.text:1000CAAD                 push    edi
.text:1000CAAE                 push    eax             ; phkResult
.text:1000CAAF                 push    20019h          ; Access = KEY_READ
.text:1000CAB4                 push    0               ; ulOptions
.text:1000CAB6                 push    ecx             ; lpSubKey = "SOFTWARE\IBM\BMM\Data\BMMLLB"
.text:1000CAB7                 push    80000001h       ; hKey = HKEY_CURRENT_USER
.text:1000CABC                 mov     dword ptr [esp+34h+Data], 0
.text:1000CAC4                 call    ds:RegOpenKeyExA ; ** 1 **
.text:1000CACA                 test    eax, eax
.text:1000CACC                 jz      short key_exists
.text:1000CACE                 pop     edi             ; ** 2 **
.text:1000CACF                 pop     esi
.text:1000CAD0                 pop     ebp
.text:1000CAD1                 xor     eax, eax
.text:1000CAD3                 pop     ebx
.text:1000CAD4                 add     esp, 10h
.text:1000CAD7                 retn    8
.text:1000CADA ; ---------------------------------------------------------------------------
.text:1000CADA
.text:1000CADA key_exists:                             ; CODE XREF: _my_subroute+3Cj
.text:1000CADA                 mov     ebx, [esp+24h]
.text:1000CADE                 mov     ebp, ds:RegQueryValueExA
.text:1000CAE4                 lea     edx, [esp+20h+cbData]
.text:1000CAE8                 lea     eax, [esp+20h+Data]
.text:1000CAEC                 push    edx             ; lpcbData
.text:1000CAED                 mov     edx, off_10012638[ebx*4]
.text:1000CAF4                 lea     ecx, [esp+24h+Type]
.text:1000CAF8                 push    eax             ; lpData
.text:1000CAF9                 mov     eax, [esp+28h+hKey]
.text:1000CAFD                 push    ecx             ; lpType
.text:1000CAFE                 push    0               ; lpReserved
.text:1000CB00                 push    edx             ; lpValueName = StartStatus
.text:1000CB01                 push    eax             ; hKey
.text:1000CB02                 call    ebp ; RegQueryValueExA ; ** 3 **
.text:1000CB04                 test    eax, eax
.text:1000CB06                 jz      short found_StartStatus
.text:1000CB08                 mov     ecx, [esp+20h+hKey] ; go here if StartStatus not found, then close registry key.
.text:1000CB0C                 push    ecx             ; hKey
.text:1000CB0D                 call    ds:RegCloseKey  ; ** 4 **
.text:1000CB13                 pop     edi
.text:1000CB14                 pop     esi
.text:1000CB15                 pop     ebp
.text:1000CB16                 xor     eax, eax
.text:1000CB18                 pop     ebx
.text:1000CB19                 add     esp, 10h
.text:1000CB1C                 retn    8
.text:1000CB1F ; ---------------------------------------------------------------------------
.text:1000CB1F
.text:1000CB1F found_StartStatus:                      ; CODE XREF: _my_subroute+76j
.text:1000CB1F                 mov     eax, [esp+20h+arg_4] ; see if StartStatus equals 1, if not, close registry key and return to Windows
.text:1000CB23                 mov     edi, 0FFFFh
.text:1000CB28                 mov     ecx, eax
.text:1000CB2A                 shl     ecx, 4
.text:1000CB2D                 sub     ecx, 10h
.text:1000CB30                 lea     esi, [eax+0FFFFFFFh]
.text:1000CB36                 shl     edi, cl
.text:1000CB38                 mov     ecx, dword ptr [esp+20h+Data]
.text:1000CB3C                 shl     esi, 4
.text:1000CB3F                 mov     eax, edi
.text:1000CB41                 and     eax, ecx
.text:1000CB43                 mov     ecx, esi
.text:1000CB45                 shr     eax, cl
.text:1000CB47                 test    eax, eax
.text:1000CB49                 mov     dword ptr [esp+20h+Data], eax
.text:1000CB4D                 jnz     short StartStatusEQ1
.text:1000CB4F                 mov     edx, [esp+20h+hKey]
.text:1000CB53                 push    edx             ; hKey
.text:1000CB54                 call    ds:RegCloseKey  ; ** 4 **
.text:1000CB5A                 pop     edi
.text:1000CB5B                 pop     esi
.text:1000CB5C                 pop     ebp
.text:1000CB5D                 xor     eax, eax
.text:1000CB5F                 pop     ebx
.text:1000CB60                 add     esp, 10h
.text:1000CB63                 retn    8
.text:1000CB66 ; ---------------------------------------------------------------------------
.text:1000CB66
.text:1000CB66 StartStatusEQ1:                         ; CODE XREF: _my_subroute+BDj
.text:1000CB66                 lea     eax, [esp+20h+cbData]
.text:1000CB6A                 lea     ecx, [esp+20h+Data]
.text:1000CB6E                 push    eax             ; lpcbData
.text:1000CB6F                 mov     eax, off_10012640[ebx*4]
.text:1000CB76                 lea     edx, [esp+24h+Type]
.text:1000CB7A                 push    ecx             ; lpData
.text:1000CB7B                 mov     ecx, [esp+28h+hKey]
.text:1000CB7F                 push    edx             ; lpType
.text:1000CB80                 push    0               ; lpReserved
.text:1000CB82                 push    eax             ; lpValueName = StartTreshold
.text:1000CB83                 push    ecx             ; hKey
.text:1000CB84                 call    ebp ; RegQueryValueExA ; ** 3 **
.text:1000CB86                 test    eax, eax
.text:1000CB88                 jz      short actual_leak
.text:1000CB8A                 mov     edx, [esp+20h+hKey] ; go here if StartTreshold not found, then close registry key.
.text:1000CB8E                 push    edx             ; hKey
.text:1000CB8F                 call    ds:RegCloseKey  ; ** 4 **
.text:1000CB95                 pop     edi
.text:1000CB96                 pop     esi
.text:1000CB97                 pop     ebp
.text:1000CB98                 xor     eax, eax
.text:1000CB9A                 pop     ebx
.text:1000CB9B                 add     esp, 10h
.text:1000CB9E                 retn    8
.text:1000CBA1 ; ---------------------------------------------------------------------------
.text:1000CBA1
.text:1000CBA1 actual_leak:                            ; CODE XREF: _my_subroute+F8j
.text:1000CBA1                 mov     eax, dword ptr [esp+20h+Data] ; LEAK LEAK LEAK!
.text:1000CBA5                 mov     ecx, esi        ; RegCloseKey is not called
.text:1000CBA7                 and     eax, edi        ; Registry handle is not freed ** 5 **
.text:1000CBA9                 pop     edi
.text:1000CBAA                 pop     esi
.text:1000CBAB                 pop     ebp
.text:1000CBAC                 shr     eax, cl
.text:1000CBAE                 pop     ebx
.text:1000CBAF                 add     esp, 10h
.text:1000CBB2                 retn    8
.text:1000CBB2 _my_subroute    endp

[northyen.dk]

Apparently, Lenovo doesn't give a poo about this issue at all. It's 2007 now, version of battery optimizer is 1.38 and the leak is STILL present. Even when EVERY SINGLE DETAIL of the of problem have been handed over to the tech, as per. AlexanderT's post.

This is a snapshot of the current state of two programs on my T42:
http://xs313.xs.to/xs313/07113/nutty.png

15k handles, what the *beep*.

[Stargate199]

I don't think I have ever run into this problem, then again my T21 is only on a couple of hours at a time. Interesting bug.

[AlexanderT]

Wow this has already been two years ago? I remember when I was in contact with IBM tech at that time, but there were unable to reproduce the problem. What's interesting is much later I reinstalled my computer and the problem was gone. The leak must be triggered by some parameter and is not present in the default settings.

[northyen.dk]

Well to quote yourself two years back:

The leak *ONLY* occurs if you have additional settings (under "Improve Battery Health") enabled in Battery Maximizer.

The issue is that the battery is already hammered, currently it sits at 28 Wh at full charge. One of the things that ages a Li-Ion battery is small but lots of charges (from what I know).

Setting the charge point to 55% removes that problem of small charges (though I figured that out too late). So how do one patch out the error (the code is the same in 1.38), or what kind of program could do the same?

[AlexanderT]

So how do one patch out the error (the code is the same in 1.38), or what kind of program could do the same?

Well, since we only have the dll binaries, the thing one can do is use a HEX editor and put in some inline assembler around $1000CBA9 to close the handle w/ RegCloseKey before the function returns. I did that back then, but I don't have the patched file anymore.

[northyen.dk]

Indeed, that's the usual way to go about the problem. The problem here is though, to do that, you need to find something that can be replaced.

Unless you recalculate the jumps and memory references, it breaks the program if you try to append code in the middle of the file.

So, what did you replace of code, to make room for the

Code: Select all

mov     ecx, [esp+20h+hKey]
push    ecx
call    ds:RegCloseKey

I'm thinking of adding space at the bottom of the file, jump there, close the key and then finally jump back.

[AlexanderT]

Good news, I found the patched dll somewhere in my archives. It's from 1.37a, so if you like, e-mail me pwrmonit.dll from the latest version and I'll have a look at it (see http://tools.4dots.com/thinkpad/ for my address).

[northyen.dk]

Thanks for taking the time to find them! However, I managed to patch it myself, after figuring out how do actually write the changes to the file (took me a good deal of time heh).

Okay, so here's the specific changes (if somebody drops by a few years from now ;), to be sure not wrecking something up, the md5sum of the originial files which I patched are:

Code: Select all

BATINFEX.DLL v1.0.0.0: ed64501d280d09ec9eda82c470b55dae
PWRMONIT.DLL v1.0.0.0: 808ce84102acc5f382ae5a6d80b36859

Now when that's established here's what to patch in
For BATINFEX.DLL:

Code: Select all

File offset 2299: E9DF8A03009090909090909090909090909090909090909090
File offset 3AD7D: 8B4E08B8FFFF0000FEC9C0E104D3E0214424108B442410D3E88BD88B44241450FF15942605108BC3E90875FCFF9075FCFF

For PWRMONIT.DLL:

Code: Select all

File offset CBC0: E9801F000090
File offset EB46: 8B54241052FF152CF000108B4424148BCEE96BE0FFFF

If one want to see what's actually going on, I can recommend OllyDbg, jump to the correct offset, and take a look.

Yes, I know, the BATINFEX.DLL patch isn't exactly elegant, but at the time I wasn't sure on much (the EAX usage gave me some troubles among other things).

Oh well, it was fun trying that out :).

[tyanlion]

Can any ibm laptop use this fix?

[northyen.dk]

Can any ibm laptop use this fix?

Yes, as long as the versions of the files are the same. Do remember that the patch is only required, if you use the battery charge threshold option.

[Moroner]

Thanks for the solution, which is still not fixed in the current 1.38 version (from 2005) of the software, not too surprising given that it is no longer used for current products.

For those who want to fix the dlls themselves, here are the diffs. This is for 1.38.

Code: Select all

Comparing files BatInfEx Patched.dll and BATINFEX-ORIG.DLL
00002280: 8B 74
00002281: 44 17
00002282: 24 8B
00002283: 14 44
00002284: 74 24
00002285: 0B 14
0000228F: EB 5D
00002290: 21 5F
00002291: 50 5E
00002292: FF 5B
00002293: 15 83
00002294: 94 C4
00002295: 26 10
00002296: 05 C2
00002297: 10 08
00002298: 90 00

Code: Select all

Comparing files PwrMonit Patched.dll and PWRMONIT-orig.DLL
0000CBA8: 8B 74
0000CBA9: 54 17
0000CBAA: 24 8B
0000CBAB: 10 54
0000CBAC: 74 24
0000CBAD: 13 10
0000CBC1: 52 8B
0000CBC2: FF 44
0000CBC3: 15 24
0000CBC4: 2C 14
0000CBC5: F0 8B
0000CBC6: 00 CE
0000CBC7: 10 23
0000CBC8: 8B C7
0000CBC9: 44 5F
0000CBCA: 24 5E
0000CBCB: 14 5D
0000CBCC: 8B D3
0000CBCD: CE E8
0000CBCE: 21 5B
0000CBCF: F8 83
0000CBD0: 5F C4
0000CBD1: 5E 10
0000CBD2: 5D C2
0000CBD3: D3 08
0000CBD4: E8 00
0000CBD5: 5B 90
0000CBD6: 83 90
0000CBD7: C4 90
0000CBD8: 10 90
0000CBD9: C2 90
0000CBDA: 08 90
0000CBDB: 00 90

In both cases the patched content is to the left, and the original one to the right.