[Bug 15437] Multiple programs using madCodeHook crash (in-memory PE image of Wine builtins vs. ELF image on disk)

wine-bugs at winehq.org
Thu Apr 17 17:16:49 CDT 2014


http://bugs.winehq.org/show_bug.cgi?id=15437

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|Other                       |x86

--- Comment #48 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

Another victim: 'Epic Battle Fantasy 4' from Steam (some indie game).

A user reported a crash in the WineHQ user forums:
https://forum.winehq.org/viewtopic.php?f=8&t=22303 so I bought it for 10 bucks
to check it out for the poor guy :)

http://store.steampowered.com/app/265610/

Well, in the end it was 10 bucks for 10 minutes of analysis fun.

You can decide for yourself whether to support the spirit of 'indie' game
development while not having a functional game with Wine ...

No prerequisites required in Steam prefix.

Winedbg backtrace:

--- snip ---
...
Unhandled exception: page fault on read access to 0x0a4103c3 in 32-bit code (0x009718d6).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:009718d6 ESP:0033fb1c EBP:09e8b2d8 EFLAGS:00010206(  R- --  I   - -P- )
 EAX:0a41006f EBX:7b810000 ECX:00000001 EDX:000000d5
 ESI:7b810040 EDI:09de0000
...
Backtrace:
=>0 0x009718d6 in ebf4 (+0x5718d6) (0x09e8b2d8)
  1 0x00640020 in ebf4 (+0x24001f) (0x00650072)
  2 0x0f685e39 (0xffe4a1ba)
0x009718d6: movl    0x0(%eax,%edx,4),%ebp
Modules:
Module    Address            Debug info    Name (100 modules)
PE      400000- 20cc000    Export          ebf4
ELF    7b800000-7ba60000    Deferred        kernel32<elf>
  \-PE    7b810000-7ba60000    \               kernel32
ELF    7bc00000-7bcee000    Deferred        ntdll<elf>
  \-PE    7bc10000-7bcee000    \               ntdll 
...
Threads:
process  tid      prio (all id:s are in hex) 
...
00000053 (D) C:\Program Files\Steam\SteamApps\common\Epic Battle Fantasy 4\EBF4.exe
    00000054    0 <== 
--- snip ---

Relevant part of trace log:

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Steam

$ WINEDEBUG=+tid,+seh,+relay  wine ./steam.exe -no-dwrite -applaunch 265610
...
0054:Call KERNEL32.GetModuleHandleW(09ce0028 L"kernel32.dll") ret=0097dd28
0054:Ret  KERNEL32.GetModuleHandleW() retval=7b810000 ret=0097dd28
...
0054:Call KERNEL32.lstrcmpA(7b8be89a "CreateFileW",09ce0050 "CreateFileW") ret=00971821
0054:Ret  KERNEL32.lstrcmpA() retval=00000000 ret=00971821
...
0054:Call KERNEL32.GetModuleFileNameW(7b810000,0014c330,00000104) ret=009716e0
0054:Ret  KERNEL32.GetModuleFileNameW() retval=00000020 ret=009716e0
0054:Call KERNEL32.CreateFileW(0014c330 L"C:\\windows\\system32\\KERNEL32.dll",80000000,00000001,00000000,00000003,00000000,00000000) ret=009716f5
0054:Ret  KERNEL32.CreateFileW() retval=00000094 ret=009716f5
0054:Call KERNEL32.LocalFree(0014c330) ret=00971730
0054:Ret  KERNEL32.LocalFree() retval=00000000 ret=00971730
0054:Call KERNEL32.GetVersion() ret=0097173a
0054:Ret  KERNEL32.GetVersion() retval=0a280105 ret=0097173a
0054:Call KERNEL32.CreateFileMappingW(00000094,00000000,00000002,00000000,00000000,00000000) ret=00971751
0054:Ret  KERNEL32.CreateFileMappingW() retval=00000098 ret=00971751
0054:Call KERNEL32.MapViewOfFile(00000098,00000004,00000000,00000000,00000000) ret=00971779
0054:Ret  KERNEL32.MapViewOfFile() retval=09de0000 ret=00971779
0054:Call KERNEL32.CloseHandle(00000098) ret=00971781
0054:Ret  KERNEL32.CloseHandle() retval=00000001 ret=00971781
0054:Call KERNEL32.CloseHandle(00000094) ret=00971787
0054:Ret  KERNEL32.CloseHandle() retval=00000001 ret=00971787
0054:trace:seh:raise_exception code=c0000005 flags=0 addr=0x9718d6 ip=009718d6 tid=0054
0054:trace:seh:raise_exception  info[0]=00000000
0054:trace:seh:raise_exception  info[1]=0a4103c3
0054:trace:seh:raise_exception  eax=0a41006f ebx=7b810000 ecx=00000001 edx=000000d5 esi=7b810040 edi=09de0000
0054:trace:seh:raise_exception  ebp=09e8b2d8 esp=0033fb1c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
--- snip ---

You have to debug the thing to see what's going on.

The resolver tries to locate some exports from a location that ought to be the
export table in the explicitly mapped placeholder 'kernel32.dll', using
information gathered from the in-memory kernel32 PE image header.

This of course won't work: you can't simply add the export table RVA value to
the virtual load base of the placeholder (Wine-loader-created PE mappings vs.
an explicit mapping of the physical placeholder).

Regards

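Added example, not part of the bug report and not madCodeHook's or Wine's code: a small Python script that resolves an export from a PE image the two ways the comment above contrasts. In a loader-created mapping an export RVA is a plain offset from the load base; in a MapViewOfFile-style mapping of the file on disk the same RVA has to go through the section table. Applying the first rule to the second kind of mapping is the pattern in this bug; the script bounds-checks every read so that mix-up becomes an error message instead of the page fault seen in the trace. The sample DLL (one .edata section exporting two constructed names) and all function names are the example's own.

```python
"""Resolve a PE export from a loader-mapped image vs. a raw file mapping.
The sample DLL built here is constructed for the example (no real code)."""
import struct


def build_sample_pe(names=("CloseHandle", "CreateFileW")):
    """Constructed minimal PE32 DLL: headers in the first 0x200 bytes, one
    .edata section at RVA 0x1000 / file offset 0x200. Names stay sorted as the
    export name table requires."""
    sec_rva, sec_raw, align = 0x1000, 0x200, 0x200
    n = len(names)
    funcs_rva = sec_rva + 40                       # IMAGE_EXPORT_DIRECTORY is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings, name_rvas, cur = bytearray(), [], ords_rva + 2 * n
    for nm in names:
        name_rvas.append(cur)
        strings += nm.encode() + b"\0"
        cur += len(nm) + 1
    dll_name_rva = cur
    strings += b"sample.dll\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1,
                             n, n, funcs_rva, names_rva, ords_rva)
    # Function RVAs are placeholders (0x2000, 0x2010, ...); no code is needed.
    funcs = b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))
    name_tbl = b"".join(struct.pack("<I", r) for r in name_rvas)
    ord_tbl = b"".join(struct.pack("<H", i) for i in range(n))
    section = export_dir + funcs + name_tbl + ord_tbl + bytes(strings)
    raw_size = (len(section) + align - 1) // align * align

    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<II", opt, 32, 0x1000, align)       # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, sec_raw)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_rva, len(section))  # export data directory
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), sec_rva,
                          raw_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return headers.ljust(sec_raw, b"\0") + section.ljust(raw_size, b"\0")


def parse_headers(buf):
    """Fields needed below; headers sit at offset 0 in both kinds of mapping."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_size, headers_size = struct.unpack_from("<II", buf, opt + 56)
    export_rva = struct.unpack_from("<I", buf, opt + 96)[0]
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    sections = [struct.unpack_from("<IIII", buf, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]
    return {"image_size": image_size, "headers_size": headers_size,
            "export_rva": export_rva, "sections": sections}


def rva_to_offset(rva, hdr, loaded):
    """Loader mapping: the RVA is the offset. Raw file mapping: translate it
    through the section table, which is the step the bug's resolver skips."""
    if loaded or rva < hdr["headers_size"]:
        return rva
    for vsize, va, rawsize, rawptr in hdr["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def resolve_export(buf, name, loaded):
    """RVA of the named export, or None. `loaded` says whether `buf` is a
    loader-mapped image (True) or a raw file mapping of the DLL (False)."""
    hdr = parse_headers(buf)
    if hdr["export_rva"] == 0:
        return None

    def at(rva, fmt):
        off = rva_to_offset(rva, hdr, loaded)
        if off + struct.calcsize(fmt) > len(buf):
            raise ValueError("offset 0x%x past end of mapping (0x%x bytes)" % (off, len(buf)))
        return struct.unpack_from(fmt, buf, off)

    n_names, funcs, names, ords = at(hdr["export_rva"] + 24, "<IIII")
    want = name.encode()
    for i in range(n_names):
        off = rva_to_offset(at(names + 4 * i, "<I")[0], hdr, loaded)
        end = buf.find(b"\0", off)
        if end < 0:
            raise ValueError("export name runs past end of mapping")
        if buf[off:end] == want:
            ordinal = at(ords + 2 * i, "<H")[0]
            return at(funcs + 4 * ordinal, "<I")[0]
    return None


def map_image(file_buf):
    """Lay the file out as a loader would: headers at 0, sections at their
    VirtualAddress, so RVAs become plain offsets from the base."""
    hdr = parse_headers(file_buf)
    image = bytearray(hdr["image_size"])
    image[:hdr["headers_size"]] = file_buf[:hdr["headers_size"]]
    for vsize, va, rawsize, rawptr in hdr["sections"]:
        image[va:va + rawsize] = file_buf[rawptr:rawptr + rawsize]
    return bytes(image)


def mixed_lookup(file_buf, name):
    """The bug's pattern: header RVAs added straight to the base of a raw file
    mapping. Returns the error text the bounds check produces."""
    try:
        resolve_export(file_buf, name, loaded=True)
    except ValueError as e:
        return str(e)
    return "no error detected"


if __name__ == "__main__":
    dll = build_sample_pe()
    image = map_image(dll)
    print("loaded image:", hex(resolve_export(image, "CreateFileW", loaded=True)))
    print("raw file    :", hex(resolve_export(dll, "CreateFileW", loaded=False)))
    print("mixed (bug) :", mixed_lookup(dll, "CreateFileW"))
```

In the real crash the file mapping at 0x09de0000 was large enough that the bad address was still readable for a while, so the garbage was dereferenced a few steps later (EDI held the mapping base, EAX the bogus pointer); the script's `at()` check is what turns that into a diagnosable error.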