[Bug 34249] Chromium-based SogouExplorer(搜狗浏览器) browser crashes (native API sandboxing/hooking scheme incompatible with Wine)
wine-bugs at winehq.org
Wed May 27 17:05:43 CDT 2015
https://bugs.winehq.org/show_bug.cgi?id=34249
Anastasius Focht <focht at gmx.net> changed:
What       | Removed                           | Added
-----------|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------
Keywords   |                                   | obfuscation
Status     | UNCONFIRMED                       | RESOLVED
CC         |                                   | focht at gmx.net
Component  | -unknown                          | ntdll
Resolution | ---                               | DUPLICATE
Summary    | SogouExplorer(搜狗浏览器) crashes | Chromium-based SogouExplorer(搜狗浏览器) browser crashes (native API sandboxing/hooking scheme incompatible with Wine)
--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
dupe of bug 21232 (WONTFIX).
I explained it here in detail:
https://bugs.winehq.org/show_bug.cgi?id=21232#c7
For reference, the relevant chunks for SogouExplorer leading up to the crash in the sandbox/child:
NtMapViewOfSection API entry after hook patch:
--- snip ---
7BCA7BF6 B8 4C240483 MOV EAX,8304244C
7BCA7BFB BA 282D3500 MOV EDX,352D28
7BCA7C00 FFE2 JMP EDX
7BCA7C02 E5 57 IN EAX,57
7BCA7C04 56 PUSH ESI
7BCA7C05 53 PUSH EBX
7BCA7C06 51 PUSH ECX
7BCA7C07 81EC E8010000 SUB ESP,1E8
7BCA7C0D 89CB MOV EBX,ECX
7BCA7C0F 8B43 0C MOV EAX,DWORD PTR DS:[EBX+C]
7BCA7C12 890424 MOV DWORD PTR SS:[ESP],EAX
7BCA7C15 E8 889EFFFF CALL ntdll.get_mask
7BCA7C1A 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX
7BCA7C1D C745 84 FFFFFFFF MOV DWORD PTR SS:[EBP-7C],-1
7BCA7C24 837B 14 00 CMP DWORD PTR DS:[EBX+14],0
7BCA7C28 74 0A JE SHORT ntdll.7BCA7C34
7BCA7C2A 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14]
7BCA7C2D 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
7BCA7C30 8B00 MOV EAX,DWORD PTR DS:[EAX]
7BCA7C32 EB 0A JMP SHORT ntdll.7BCA7C3E
...
--- snip ---
Internal thunk (trampoline) to final hooker code:
--- snip ---
00352D28 83EC 08 SUB ESP,8
00352D2B 52 PUSH EDX
00352D2C 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
00352D30 895424 08 MOV DWORD PTR SS:[ESP+8],EDX
00352D34 C74424 0C 102D3500 MOV DWORD PTR SS:[ESP+C],352D10
00352D3C C74424 04 4EA24100 MOV DWORD PTR SS:[ESP+4],41A24E
00352D44 5A POP EDX
00352D45 C3 RETN
--- snip ---
Hooker code:
--- snip ---
0041A24E 55 PUSH EBP
0041A24F 8BEC MOV EBP,ESP
0041A251 56 PUSH ESI
0041A252 FF75 30 PUSH DWORD PTR SS:[EBP+30]
0041A255 8B75 14 MOV ESI,DWORD PTR SS:[EBP+14]
0041A258 FF75 2C PUSH DWORD PTR SS:[EBP+2C]
0041A25B FF75 28 PUSH DWORD PTR SS:[EBP+28]
0041A25E FF75 24 PUSH DWORD PTR SS:[EBP+24]
0041A261 FF75 20 PUSH DWORD PTR SS:[EBP+20]
0041A264 FF75 1C PUSH DWORD PTR SS:[EBP+1C]
0041A267 FF75 18 PUSH DWORD PTR SS:[EBP+18]
0041A26A 56 PUSH ESI
0041A26B FF75 10 PUSH DWORD PTR SS:[EBP+10]
0041A26E FF75 0C PUSH DWORD PTR SS:[EBP+C]
0041A271 FF55 08 CALL DWORD PTR SS:[EBP+8] ; org entry contin.
0041A274 803D 7CEB4500 00 CMP BYTE PTR DS:[45EB7C],0
0041A27B 8945 30 MOV DWORD PTR SS:[EBP+30],EAX
0041A27E 75 26 JNZ SHORT SogouExp.0041A2A6
--- snip ---
Copy of original API entry code in client address space (sandbox):
--- snip ---
00352D10 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
00352D14 83E4 F0 AND ESP,FFFFFFF0
00352D17 FF71 FC PUSH DWORD PTR DS:[ECX-4]
00352D1A 55 PUSH EBP
00352D1B 89E5 MOV EBP,ESP
00352D1D 57 PUSH EDI
00352D1E 56 PUSH ESI
00352D1F 53 PUSH EBX
00352D20 0000 ADD BYTE PTR DS:[EAX],AL ; *boom*
00352D22 73 00 JNB SHORT 00352D24
00352D24 2023 AND BYTE PTR DS:[EBX],AH
00352D26 59 POP ECX
00352D27 0083 EC08528B ADD BYTE PTR DS:[EBX+8B5208EC],AL
00352D2D 54 PUSH ESP
00352D2E 24 0C AND AL,0C
00352D30 895424 08 MOV DWORD PTR SS:[ESP+8],EDX
00352D34 C74424 0C 102D3500 MOV DWORD PTR SS:[ESP+C],352D10
00352D3C C74424 04 4EA24100 MOV DWORD PTR SS:[ESP+4],41A24E
00352D44 5A POP EDX
00352D45 C3 RETN
00352D46 0000 ADD BYTE PTR DS:[EAX],AL
00352D48 0000 ADD BYTE PTR DS:[EAX],AL
--- snip ---
$ wine --version
wine-1.7.43-166-g39d71c5
Regards
*** This bug has been marked as a duplicate of bug 21232 ***
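An added example, not part of the bug report and not Sogou's or Wine's code: a small Python instruction-length walker that checks the two assumptions this hooking scheme makes about an API entry, namely that the 16 bytes copied to the trampoline are a self-contained stub ending in a ret, and that the 12-byte entry patch lands on an instruction boundary. It is run over the Wine prologue taken from the dump at 00352D10 and over a constructed sample of the classic 32-bit Windows ntdll stub shape the hook expects; the decoder covers only the opcodes needed for those two fragments.

```python
def modrm_size(code, i):
    """Bytes taken by the ModRM at code[i] plus any SIB byte and displacement."""
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3:                                    # register operand only
        return 1
    size = 2 if rm == 4 else 1                      # rm=100: a SIB byte follows
    if (mod == 0 and rm == 5) or (mod == 0 and rm == 4 and (code[i + 1] & 7) == 5):
        size += 4                                   # disp32 with no base register
    return size + {0: 0, 1: 1, 2: 4}[mod]           # disp8 / disp32

def decode_length(code, i):
    """(length, ends_flow) for the opcode subset in the dumps and the Windows stub."""
    op = code[i]
    if 0x50 <= op <= 0x5F:                          # push/pop r32
        return 1, False
    if 0xB8 <= op <= 0xBF:                          # mov r32, imm32
        return 5, False
    if op in (0x83, 0x89, 0x8B, 0x8D):              # alu r/m32,imm8 ; mov ; lea
        return 1 + modrm_size(code, i + 1) + (op == 0x83), False
    if op == 0xFF:                                  # group 5: /2 call, /4,/5 jmp, /6 push
        return 1 + modrm_size(code, i + 1), ((code[i + 1] >> 3) & 7) in (4, 5)
    if op in (0xC2, 0xC3):                          # ret imm16 / ret
        return (3 if op == 0xC2 else 1), True
    raise ValueError(f"opcode {op:02X} at +{i} is outside the decoder subset")

def analyze_copied_entry(entry, copied=16, patch_len=12):
    """Walk the first `copied` bytes as the trampoline copy executes them: does a
    ret/jmp end inside the copy, does execution run off its end into whatever
    follows, and does the `patch_len`-byte entry patch split an instruction?"""
    starts, i, self_contained = [], 0, False
    while i < copied:
        length, ends_flow = decode_length(entry, i)
        starts.append(i)
        i += length
        if ends_flow and i <= copied:
            self_contained = True
            break
    return {"instruction_starts": starts, "self_contained": self_contained,
            "runs_off_copy": not self_contained,
            "patch_splits_instruction": patch_len not in starts + [i]}

# Constructed from the dump at 00352D10: the 16 bytes Wine's NtMapViewOfSection
# begins with, followed by the zero padding the copy runs into (*boom*).
WINE_ENTRY = bytes.fromhex("8D4C2404 83E4F0 FF71FC 55 89E5 57 56 53 00000000")
# Constructed sample of the classic 32-bit Windows ntdll stub the hook expects:
# mov eax,imm32; mov edx,7FFE0300; call [edx]; ret 28h; nop
WINDOWS_STUB = bytes.fromhex("B825000000 BA0003FE7F FF12 C22800 90")

if __name__ == "__main__":
    for name, entry in (("wine", WINE_ENTRY), ("windows", WINDOWS_STUB)):
        print(name, analyze_copied_entry(entry))
```

For the Wine bytes the walk reaches offset 16 with no ret in sight and the patch boundary at 12 falls inside `89 E5` (which is why `E5 57` is left over after the patch above); for the Windows-shaped stub the copy ends at `ret 28h` and the patch ends exactly on an instruction boundary.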