[Bug 30528] Tibia bot crashes when connecting to tibia process (kernel32 K32EnumProcessModules() 'needed' out parameter needs a check for NULL)

wine-bugs at winehq.org wine-bugs at winehq.org
Mon Apr 30 15:03:19 CDT 2012 

http://bugs.winehq.org/show_bug.cgi?id=30528

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
             Status|UNCONFIRMED                 |NEW
                URL|                            |http://sourceforge.net/proj
                   |                            |ects/tibiaauto/
                 CC|                            |focht at gmx.net
          Component|-unknown                    |kernel32
            Summary|Tibia bot crashes when      |Tibia bot crashes when
                   |connecting to tibia         |connecting to tibia process
                   |process.                    |(kernel32
                   |K32EnumProcessModules+0x31( |K32EnumProcessModules()
                   |) in kernel32               |'needed' out parameter
                   |                            |needs a check for NULL)
     Ever Confirmed|0                           |1

--- Comment #10 from Anastasius Focht <focht at gmx.net> 2012-04-30 15:03:19 CDT ---
Hello,

confirming.
It seems the app deliberately passes NULL pointer as "out" parameter to
K32EnumProcessModules().

--- snip ---
Unhandled exception: page fault on write access to 0x00000000 in 32-bit code
(0x7b857856).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7b857856 ESP:00320aa8 EBP:00320b20 EFLAGS:00010202(  R- --  I   - - - )
 EAX:00000000 EBX:00403ec0 ECX:00000000 EDX:0000009c
 ESI:00000000 EDI:00320cf6
Stack dump:
0x00320aa8:  00320abc 0000009c 00000000 0000009c
0x00320ab8:  00000000 0000009c 7bcda22c 00110750
0x00320ac8:  7bcda22c 00163b88 00111998 00110160
0x00320ad8:  00163b88 00000000 7dc00000 7dc340d4
0x00320ae8:  00110000 00000070 00111af0 00403ec0
0x00320af8:  00320b28 7ed50482 00110000 0000000a
Backtrace:
=>0 0x7b857856 K32EnumProcessModules+0x26(process=0x9c, lphModule=0x163b90,
cb=0x6c, needed=0x0(nil))
[/home/focht/projects/wine/wine-git/dlls/kernel32/module.c:1178] in kernel32
(0x00320b20)
  1 0x006c7f51 in tibiaauto_util (+0x7f50) (0x00320ba8)
  2 0x006c7cc4 in tibiaauto_util (+0x7cc3) (0x00320bc4)
  3 0x006c805a in tibiaauto_util (+0x8059) (0x00320be0)
  4 0x006c3ff4 in tibiaauto_util (+0x3ff3) (0x00320c40)
  5 0x006d42c7 in tibiaauto_util (+0x142c6) (0x00320c4c)
...
0x7b857856 K32EnumProcessModules+0x26
[/home/focht/projects/wine/wine-git/dlls/kernel32/module.c:1178] in kernel32:
movl    $0x0,0x0(%eax)
1178        *needed = 0;
Modules:
Module    Address            Debug info    Name (95 modules)
PE      400000-  49d000    Export          tibiaauto
PE      6c0000-  717000    Export          tibiaauto_util
...
Threads:
process  tid      prio (all id:s are in hex)
00000008 (D) C:\Program Files\Tibia Auto\tibiaauto.exe
    00000009    0 <==
--- snip ---

Injector code (annotated):

--- snip ---
006C7F08  MOV DWORD PTR SS:[LOCAL.5],0
006C7F0F  LEA EDX,[LOCAL.5]
006C7F12  PUSH EDX                       ; arg4 => needed = offset [LOCAL.5]
006C7F13  PUSH 0                         ; arg3 => cb = 0
006C7F15  PUSH 0                         ; arg2 => lphModule = 0
006C7F17  MOV EAX,DWORD PTR SS:[LOCAL.2]
006C7F1A  PUSH EAX                       ; arg1 => process
006C7F1B  CALL <JMP.&PSAPI.EnumProcessModules>
006C7F20  MOV ECX,DWORD PTR SS:[LOCAL.5]
006C7F23  SHR ECX,2
006C7F26  MOV DWORD PTR SS:[LOCAL.5],ECX
006C7F29  PUSH 4                         ; elementsize = 4
006C7F2B  MOV EDX,DWORD PTR SS:[LOCAL.5]
006C7F2E  PUSH EDX
006C7F2F  CALL DWORD PTR DS:[<&MSVCRT.calloc>]
006C7F35  ADD ESP,8
006C7F38  MOV DWORD PTR SS:[LOCAL.6],EAX
006C7F3B  PUSH 0                         ; arg4 => needed = 0 (!)
006C7F3D  MOV EAX,DWORD PTR SS:[LOCAL.5]
006C7F40  SHL EAX,2
006C7F43  PUSH EAX                       ; arg3 => cb
006C7F44  MOV ECX,DWORD PTR SS:[LOCAL.6]
006C7F47  PUSH ECX                       ; arg2 => lphModule
006C7F48  MOV EDX,DWORD PTR SS:[LOCAL.2]
006C7F4B  PUSH EDX                       ; arg1 => process
006C7F4C  CALL <JMP.&PSAPI.EnumProcessModules>
006C7F51  MOV DWORD PTR SS:[LOCAL.4],0
--- snip ---

Source:
http://source.winehq.org/git/wine.git/blob/d08f34cd8ecd883a0f0c6bd9b150d92407f0f7c9:/dlls/kernel32/module.c#l1169

--- snip ---
1169 BOOL WINAPI K32EnumProcessModules(HANDLE process, HMODULE *lphModule,
1170                                   DWORD cb, DWORD *needed)
1171 {
1172     MODULE_ITERATOR iter;
1173     INT ret;
1174 
1175     if (!init_module_iterator(&iter, process))
1176         return FALSE;
1177 
1178     *needed = 0;
1179 
1180     while ((ret = module_iterator_next(&iter)) > 0)
1181     {
1182         if (cb >= sizeof(HMODULE))
1183         {
1184             *lphModule++ = iter.ldr_module.BaseAddress;
1185             cb -= sizeof(HMODULE);
1186         }
1187         *needed += sizeof(HMODULE);
1188     }
1189 
1190     return ret == 0;
1191 }
--- snip ---

$ du -sh python-2.4.4.msi 
9.3M    python-2.4.4.msi

$ sha1sum python-2.4.4.msi 
38fbfd0250a8d72b1557986417f431e482fafdec  python-2.4.4.msi

$ du -sh tibia952.exe 
30M    tibia952.exe

$ sha1sum tibia952.exe 
f291c573c19beba762484d32c4f249b4487d6fe7  tibia952.exe

$ du -sh TibiaAutoSetup_2_19_2.exe 
2.7M    TibiaAutoSetup_2_19_2.exe

$ sha1sum TibiaAutoSetup_2_19_2.exe 
b200340b96adb7a0318653dd9996156d51b634c3  TibiaAutoSetup_2_19_2.exe

$ wine --version
wine-1.5.3-39-gd2581e6

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list