[Bug 30536] New: Avanquest PDF Experte Ultimate 7.0.x installer crashes with stack overflow because user32.dll AdjustWindowRect, AdjustWindowRectEx, SetWindowLongA are not hotpatchable (DECLSPEC_HOTPATCH)
wine-bugs at winehq.org
wine-bugs at winehq.org
Sat Apr 28 15:39:36 CDT 2012
http://bugs.winehq.org/show_bug.cgi?id=30536
Bug #: 30536
Summary: Avanquest PDF Experte Ultimate 7.0.x installer crashes
with stack overflow because user32.dll
AdjustWindowRect, AdjustWindowRectEx, SetWindowLongA
are not hotpatchable (DECLSPEC_HOTPATCH)
Product: Wine
Version: 1.5.3
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: user32
AssignedTo: wine-bugs at winehq.org
ReportedBy: focht at gmx.net
Classification: Unclassified
Hello,
"Avanquest PDF Experte Ultimate 7.0.x" installer dies quickly with a stack
overflow.
--- snip ---
$ WINEDEBUG=+tid,+seh,+process wine ./PDF\ Experte\ 7\ Ultimate.exe
002d:trace:process:init_current_directory starting in
L"Z:\\home\\focht\\Downloads\\Avanquest PDF Experte Ultimate 7.0.1370.0\\" 0x4
002d:trace:process:__wine_kernel_init starting process
name=L"Z:\\home\\focht\\Downloads\\Avanquest PDF Experte Ultimate
7.0.1370.0\\PDF Experte 7 Ultimate.exe"
argv[0]=L"Z:\\home\\focht\\Downloads\\Avanquest PDF Experte Ultimate
7.0.1370.0\\PDF Experte 7 Ultimate.exe"
...
0030:fixme:exec:SHELL_execute flags ignored: 0x00000100
0030:trace:process:create_process_impl app (null) cmdline
L"C:\\users\\focht\\Temp\\FCW2111.tmp\\ISAdmin.exe /SETUPAQ:196646"
0030:trace:process:find_exe_file looking for
L"C:\\users\\focht\\Temp\\FCW2111.tmp\\ISAdmin.exe"
0030:trace:process:find_exe_file Trying native exe
L"C:\\users\\focht\\Temp\\FCW2111.tmp\\ISAdmin.exe"
0030:trace:process:create_process_impl starting
L"C:\\users\\focht\\Temp\\FCW2111.tmp\\ISAdmin.exe" as Win32 binary
(0x400000-0x4b1000)
0032:trace:process:init_current_directory starting in
L"C:\\users\\focht\\Temp\\FCW2111.tmp\\" 0x1c
0032:trace:process:__wine_kernel_init starting process
name=L"C:\\users\\focht\\Temp\\FCW2111.tmp\\ISAdmin.exe"
argv[0]=L"C:\\users\\focht\\Temp\\FCW2111.tmp\\ISAdmin.exe"
0030:trace:process:create_process_impl started process pid 0031 tid 0032
...
0032:err:rebar:REBAR_NotifyFormat wrong response to WM_NOTIFYFORMAT (0),
assuming ANSI
0032:trace:seh:raise_exception code=c00000fd flags=0 addr=0xa252924 ip=0a252924
tid=0032
0032:trace:seh:raise_exception eax=0a29bc40 ebx=00000000 ecx=00000000
edx=000506f4 esi=0a2a064c edi=00000000
0032:trace:seh:raise_exception ebp=003258b4 esp=00242000 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010246
0032:trace:seh:call_stack_handlers calling handler at 0xa2973ce code=c00000fd
flags=0
0032:trace:seh:call_stack_handlers handler at 0xa2973ce returned 1
0032:trace:seh:call_stack_handlers calling handler at 0xa296ceb code=c00000fd
flags=0
0032:trace:seh:call_stack_handlers handler at 0xa296ceb returned 1
0032:trace:seh:call_stack_handlers calling handler at 0xa296d18 code=c00000fd
flags=0
0032:trace:seh:call_stack_handlers handler at 0xa296d18 returned 1
0032:trace:seh:call_stack_handlers calling handler at 0xb93220 code=c00000fd
flags=0
0032:trace:seh:call_stack_handlers handler at 0xb93220 returned 1
0032:trace:seh:call_stack_handlers calling handler at 0xb931c0 code=c00000fd
flags=0
0032:trace:seh:call_stack_handlers handler at 0xb931c0 returned 1
0032:trace:seh:call_stack_handlers calling handler at 0xb92ffa code=c00000fd
flags=0
0032:trace:seh:call_stack_handlers handler at 0xb92ffa returned 1
0032:trace:seh:call_stack_handlers calling handler at 0x100c503e code=c00000fd
flags=0
0032:err:seh:setup_exception_record stack overflow 1360 bytes in thread 0032
eip f747bac7 esp 00240de0 stack 0x240000-0x241000-0x340000
--- snip ---
"ISAdmin.exe" can be started from temp folder after extraction to
reproduce/debug.
Adding WINEDEBUG=+relay works around.
By adding more debugging channels (without +relay) and comparing the trace
logs, one can converge on certain code/addresses to start debugging.
--- snip ---
0025:Call user32.GetActiveWindow() ret=0a2718ad
0025:Ret user32.GetActiveWindow() retval=00000000 ret=0a2718ad
0025:Call user32.IsZoomed(00020092) ret=0a2718c7
0025:Ret user32.IsZoomed() retval=00000000 ret=0a2718c7
0025:Call KERNEL32.LoadLibraryA(0a28bc40 "UxTheme.dll") ret=0a285cb0
0025:Ret KERNEL32.LoadLibraryA() retval=7dd60000 ret=0a285cb0
0025:Call KERNEL32.InterlockedExchange(0a2981f8,7dd60000) ret=0a285d01
0025:Ret KERNEL32.InterlockedExchange() retval=00000000 ret=0a285d01
0025:Call KERNEL32.GetProcAddress(7dd60000,0a2906f6 "IsThemeActive")
ret=0a285d87
0025:Ret KERNEL32.GetProcAddress() retval=7dd6af64 ret=0a285d87
0025:Call uxtheme.IsThemeActive() ret=0a271908
0025:Ret uxtheme.IsThemeActive() retval=00000000 ret=0a271908
--- snip ---
After user32.IsZoomed() it always goes berserk.
The offending code is located in a dll "NewUI.dll":
--- snip ---
0025:trace:loaddll:load_native_dll Loaded
L"C:\\users\\focht\\Temp\\{0105E420-3327-496D-95E0-756E345AEF72}\\{FC279721-37A6-4777-AFD8-7A56681EBA14}\\Tools.dll"
at 0x9fb0000: native
0025:trace:loaddll:load_native_dll Loaded
L"C:\\users\\focht\\Temp\\{0105E420-3327-496D-95E0-756E345AEF72}\\{FC279721-37A6-4777-AFD8-7A56681EBA14}\\SerialNumberWrapper.dll"
at 0xa120000: native
0025:trace:loaddll:load_builtin_dll Loaded
L"C:\\windows\\system32\\msvfw32.dll" at 0x7d3a0000: builtin
0025:trace:loaddll:load_builtin_dll Loaded
L"C:\\windows\\system32\\gdiplus.dll" at 0x7d320000: builtin
0025:trace:loaddll:load_builtin_dll Loaded
L"C:\\windows\\system32\\imagehlp.dll" at 0x7d300000: builtin
0025:trace:loaddll:load_builtin_dll Loaded
L"C:\\windows\\system32\\dbghelp.dll" at 0x7d290000: builtin
0025:trace:loaddll:load_native_dll Loaded
L"C:\\users\\focht\\Temp\\{0105E420-3327-496D-95E0-756E345AEF72}\\{FC279721-37A6-4777-AFD8-7A56681EBA14}\\NewUI.dll"
at 0xa250000: native
0025:trace:loaddll:load_builtin_dll Loaded
L"C:\\windows\\system32\\windowscodecs.dll" at 0x7d1f0000: builtin
--- snip ---
It seems the installer code hooks various user32 API to "skin" dialogs.
Part of the hooker code (annotated):
--- snip ---
...
0A251C3B 66:813F 8BFF CMP WORD PTR DS:[EDI],0FF8B ; check for "MOV EDI, EDI"
0A251C40 75 39 JNE SHORT 0A251C7B
0A251C42 8A03 MOV AL,BYTE PTR DS:[EBX] ; EBX = [EDI-5]
0A251C44 3C 90 CMP AL,90 ; NOP padding?
0A251C46 75 09 JNE SHORT 0A251C51
0A251C48 817F FC 90909 CMP DWORD PTR DS:[EDI-4],90909090 ; NOP padding?
0A251C4F 74 0D JE SHORT 0A251C5E
0A251C51 3C CC CMP AL,0CC ; INT3 padding?
0A251C53 75 26 JNE SHORT 0A251C7B
0A251C55 817F FC CCCCC CMP DWORD PTR DS:[EDI-4],CCCCCCCC ; INT3 padding?
0A251C5C 75 1D JNE SHORT 0A251C7B
0A251C5E C603 E9 MOV BYTE PTR DS:[EBX],0E9 ; long jump opcode
0A251C61 8B4E 18 MOV ECX,DWORD PTR DS:[ESI+18]
0A251C64 2B4E 14 SUB ECX,DWORD PTR DS:[ESI+14]
0A251C67 894F FC MOV DWORD PTR DS:[EDI-4],ECX ; set address to API hook
0A251C6A 66:C707 EBF9 MOV WORD PTR DS:[EDI],0F9EB ; short jump to long jump
0A251C6F 8B56 14 MOV EDX,DWORD PTR DS:[ESI+14]
0A251C72 83C2 02 ADD EDX,2
0A251C75 8916 MOV DWORD PTR DS:[ESI],EDX ; save real entry addr
0A251C77 C646 20 01 MOV BYTE PTR DS:[ESI+20],1 ; set flag "hooked"
0A251C7B 8B4C24 10 MOV ECX,DWORD PTR SS:[LOCAL.0]
0A251C7F 8D4424 10 LEA EAX,[LOCAL.0]
0A251C83 50 PUSH EAX ; old protect
0A251C84 51 PUSH ECX ; new protect
0A251C85 6A 14 PUSH 14 ; size = 20
0A251C87 53 PUSH EBX ; address
0A251C88 FFD5 CALL EBP ; KERNEL32.VirtualProtect
--- snip ---
The entry is patched if "hotpatch" prolog is detected: 2 byte relative short
jump back to Windows-style long-jump area (which is located before the API
using NOPs or INT3s).
Due to missing HOTPATCH area, setting hooks for following API fails as above
code will not patch these API entries:
user32.dll "AdjustWindowRectEx"
user32.dll "AdjustWindowRect"
user32.dll "SetWindowLongA"
After failure a different code path is taken and several other API get patched:
kernel32.dll "LoadLibraryA"
kernel32.dll "LoadLibraryW"
all "Ex" variants.
I think that code path is actually bugged which has severe consequences.
Later delayed imports are resolved using the stubs:
--- snip ---
...
0A281902 FF15 407A2A0A CALL DWORD PTR DS:[0A2A7A40] ; delayed import
IsThemeActive
...
0A289678 B8 407A2A0A MOV EAX,OFFSET 0A2A7A40
0A28967D E9 00000000 JMP 0A289682
0A289682 51 PUSH ECX
0A289683 52 PUSH EDX
0A289684 50 PUSH EAX
0A289685 68 4C062A0A PUSH OFFSET 0A2A064C
0A28968A E8 25C50000 CALL 0A295BB4 ; "resolver" code
0A28968F 5A POP EDX
0A289690 59 POP ECX
0A289691 FFE0 JMP EAX
--- snip ---
The "resolver" code uses kernel32.LoadLibraryA API which got hooked.
--- snip ---
0A295CA7 FF75 C8 PUSH DWORD PTR SS:[LOCAL.14] ; filename
0A295CAA FF15 B092290A CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]
0A295CB0 8BF8 MOV EDI,EAX
0A295CB2 85FF TEST EDI,EDI
--- snip ---
--- snip ---
...
7B8564AA CC INT3
7B8564AB CC INT3
7B8564AC E9 6FC49F8E JMP 0A252920
kernel32.LoadLibraryA:
7B8564B1 EB F9 JMP SHORT 7B8564AC ; LoadLibraryA hook
7B8564B3 55 PUSH EBP
7B8564B4 8BEC MOV EBP,ESP
7B8564B6 53 PUSH EBX
...
--- snip ---
Out of insanity the wrapper calls kernel32.LoadLibraryA (straight IAT entry!)
--- snip ---
0A252920 8B4424 04 MOV EAX,DWORD PTR SS:[ARG.1] ; filename
0A252924 56 PUSH ESI
0A252925 50 PUSH EAX ; filename
0A252926 FF15 B092290A CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>]
0A25292C 8BF0 MOV ESI,EAX
0A25292E 6A 00 PUSH 0
0A252930 56 PUSH ESI
0A252931 E8 FAFEFFFF CALL 0A252830
0A252936 8BC6 MOV EAX,ESI
0A252938 5E POP ESI
0A252939 C2 0400 RETN 4
--- snip ---
The original IAT entry contains the destination API address which points to
first byte of entry (only makes sense *if* the API is *not* hooked).
For whatever reason the wrapper doesn't make use of the hook-data (see function
that patches the API entries: the +2 address is also saved away to continue on
real API).
This makes the recursion and subsequent stack overflow complete.
---
If you add DECLSPEC_HOTPATCH to all three mentioned user32 API those
LoadLibraryX API which cause the recursion don't get hooked, no stack overflow
occurs and the installer proceeds to show a dialog.
Unfortunately the dialog (that ought to be skinned) isn't redrawn possibly due
to other Wine bugs in user32.
You can drag it around and if you're lucky you can hit/click "next" button in
the dark.
$ du -sh PDF\ Experte\ 7\ Ultimate.exe
35M PDF Experte 7 Ultimate.exe
$ sha1sum PDF\ Experte\ 7\ Ultimate.exe
a06cf16dc98941e333d94111372358ad07286aca PDF Experte 7 Ultimate.exe
$ wine --version
wine-1.5.3
Regards
--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
More information about the wine-bugs
mailing list