[Bug 34249] Chromium-based SogouExplorer(搜狗浏览器) browser crashes (native API sandboxing/hooking scheme incompatible with Wine)

wine-bugs at winehq.org
Wed May 27 17:05:43 CDT 2015


https://bugs.winehq.org/show_bug.cgi?id=34249

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |focht at gmx.net
          Component|-unknown                    |ntdll
         Resolution|---                         |DUPLICATE
            Summary|SogouExplorer(搜狗浏览器)        |Chromium-based
                   |crashes                     |SogouExplorer(搜狗浏览器)
                   |                            |browser crashes (native API
                   |                            |sandboxing/hooking scheme
                   |                            |incompatible with Wine)

--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

dupe of bug 21232 (WONTFIX).

I explained it here in detail:

https://bugs.winehq.org/show_bug.cgi?id=21232#c7

For reference the relevant chunks for SogouExplorer leading up to the crash in
the sandbox/child:

NtMapViewOfSection API entry after hook patch:

--- snip ---
7BCA7BF6    B8 4C240483           MOV EAX,8304244C
7BCA7BFB    BA 282D3500           MOV EDX,352D28
7BCA7C00    FFE2                  JMP EDX
7BCA7C02    E5 57                 IN EAX,57
7BCA7C04    56                    PUSH ESI
7BCA7C05    53                    PUSH EBX
7BCA7C06    51                    PUSH ECX
7BCA7C07    81EC E8010000         SUB ESP,1E8
7BCA7C0D    89CB                  MOV EBX,ECX
7BCA7C0F    8B43 0C               MOV EAX,DWORD PTR DS:[EBX+C]
7BCA7C12    890424                MOV DWORD PTR SS:[ESP],EAX
7BCA7C15    E8 889EFFFF           CALL ntdll.get_mask
7BCA7C1A    8945 D0               MOV DWORD PTR SS:[EBP-30],EAX
7BCA7C1D    C745 84 FFFFFFFF      MOV DWORD PTR SS:[EBP-7C],-1
7BCA7C24    837B 14 00            CMP DWORD PTR DS:[EBX+14],0
7BCA7C28    74 0A                 JE SHORT ntdll.7BCA7C34
7BCA7C2A    8B43 14               MOV EAX,DWORD PTR DS:[EBX+14]
7BCA7C2D    8B50 04               MOV EDX,DWORD PTR DS:[EAX+4]
7BCA7C30    8B00                  MOV EAX,DWORD PTR DS:[EAX]
7BCA7C32    EB 0A                 JMP SHORT ntdll.7BCA7C3E
...
--- snip ---

Internal thunk (trampoline) to final hooker code:

--- snip ---
00352D28    83EC 08               SUB ESP,8
00352D2B    52                    PUSH EDX
00352D2C    8B5424 0C             MOV EDX,DWORD PTR SS:[ESP+C]
00352D30    895424 08             MOV DWORD PTR SS:[ESP+8],EDX
00352D34    C74424 0C 102D3500    MOV DWORD PTR SS:[ESP+C],352D10
00352D3C    C74424 04 4EA24100    MOV DWORD PTR SS:[ESP+4],41A24E
00352D44    5A                    POP EDX
00352D45    C3                    RETN
--- snip ---

Hooker code:

--- snip ---
0041A24E    55                    PUSH EBP
0041A24F    8BEC                  MOV EBP,ESP
0041A251    56                    PUSH ESI
0041A252    FF75 30               PUSH DWORD PTR SS:[EBP+30]
0041A255    8B75 14               MOV ESI,DWORD PTR SS:[EBP+14]
0041A258    FF75 2C               PUSH DWORD PTR SS:[EBP+2C]
0041A25B    FF75 28               PUSH DWORD PTR SS:[EBP+28]
0041A25E    FF75 24               PUSH DWORD PTR SS:[EBP+24]
0041A261    FF75 20               PUSH DWORD PTR SS:[EBP+20]
0041A264    FF75 1C               PUSH DWORD PTR SS:[EBP+1C]
0041A267    FF75 18               PUSH DWORD PTR SS:[EBP+18]
0041A26A    56                    PUSH ESI
0041A26B    FF75 10               PUSH DWORD PTR SS:[EBP+10]
0041A26E    FF75 0C               PUSH DWORD PTR SS:[EBP+C]
0041A271    FF55 08               CALL DWORD PTR SS:[EBP+8] ; org entry contin.
0041A274    803D 7CEB4500 00      CMP BYTE PTR DS:[45EB7C],0
0041A27B    8945 30               MOV DWORD PTR SS:[EBP+30],EAX
0041A27E    75 26                 JNZ SHORT SogouExp.0041A2A6
--- snip ---

Copy of original API entry code in client address space (sandbox)

--- snip ---
00352D10    8D4C24 04             LEA ECX,DWORD PTR SS:[ESP+4]
00352D14    83E4 F0               AND ESP,FFFFFFF0
00352D17    FF71 FC               PUSH DWORD PTR DS:[ECX-4]
00352D1A    55                    PUSH EBP
00352D1B    89E5                  MOV EBP,ESP
00352D1D    57                    PUSH EDI
00352D1E    56                    PUSH ESI
00352D1F    53                    PUSH EBX
00352D20    0000                  ADD BYTE PTR DS:[EAX],AL  ; *boom*
00352D22    73 00                 JNB SHORT 00352D24
00352D24    2023                  AND BYTE PTR DS:[EBX],AH
00352D26    59                    POP ECX
00352D27    0083 EC08528B         ADD BYTE PTR DS:[EBX+8B5208EC],AL
00352D2D    54                    PUSH ESP
00352D2E    24 0C                 AND AL,0C
00352D30    895424 08             MOV DWORD PTR SS:[ESP+8],EDX
00352D34    C74424 0C 102D3500    MOV DWORD PTR SS:[ESP+C],352D10
00352D3C    C74424 04 4EA24100    MOV DWORD PTR SS:[ESP+4],41A24E
00352D44    5A                    POP EDX
00352D45    C3                    RETN
00352D46    0000                  ADD BYTE PTR DS:[EAX],AL
00352D48    0000                  ADD BYTE PTR DS:[EAX],AL
--- snip ---

$ wine --version
wine-1.7.43-166-g39d71c5

Regards

*** This bug has been marked as a duplicate of bug 21232 ***
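The following Python is an added example, not part of this bug report, of Wine, or of SogouExplorer's code. It models the two mechanisms visible in the listings above on a small stack simulator: the 12-byte entry patch (MOV EAX,imm32 / MOV EDX,imm32 / JMP EDX) versus the instruction boundaries of the original prologue that was copied to 00352D10, and the thunk at 00352D28 that rewrites the stack so the hooker at 0041A24E is entered as hooker(original_continuation, arg1..arg10) with the caller's return address still on top. Byte sequences and addresses are taken from the listings; the caller return address and the ten argument values fed to the simulation are constructed.

```python
"""Model of the inline-hook layout shown in the Wine bug 34249 listings.

Added example; not code from Wine, SogouExplorer or the Chromium sandbox.
Bytes/addresses come from the disassembly in the report; the caller
return address and argument values used below are constructed inputs.
"""

# Original NtMapViewOfSection prologue, as preserved in the copy at 00352D10.
# Instruction lengths are read off the listing, so no decoder is needed.
ORIGINAL_PROLOGUE = [
    (bytes.fromhex("8d4c2404"), "lea ecx,[esp+4]"),
    (bytes.fromhex("83e4f0"),   "and esp,-16"),
    (bytes.fromhex("ff71fc"),   "push [ecx-4]"),
    (bytes.fromhex("55"),       "push ebp"),
    (bytes.fromhex("89e5"),     "mov ebp,esp"),
    (bytes.fromhex("57"),       "push edi"),
    (bytes.fromhex("56"),       "push esi"),
    (bytes.fromhex("53"),       "push ebx"),
]

# Patch written over the API entry at 7BCA7BF6:
#   mov eax,8304244C ; mov edx,00352D28 ; jmp edx
HOOK_PATCH = bytes.fromhex("b84c240483" "ba282d3500" "ffe2")

COPY   = 0x00352D10   # copy of the original prologue in the sandboxed child
THUNK  = 0x00352D28   # trampoline reached via JMP EDX
HOOKER = 0x0041A24E   # SogouExp hook function

# Order in which the hooker pushes its frame slots before CALL [EBP+8]
# (ESI holds [EBP+14]); the last push becomes the callee's first parameter.
HOOKER_PUSH_ORDER = [0x30, 0x2C, 0x28, 0x24, 0x20, 0x1C, 0x18, 0x14, 0x10, 0x0C]


def instruction_boundaries(prologue):
    """Offsets from the entry at which an original instruction starts, plus the end."""
    offs, off = [], 0
    for code, _ in prologue:
        offs.append(off)
        off += len(code)
    offs.append(off)
    return offs


def min_copy_length(prologue, patch_len):
    """Smallest whole-instruction span covering the patch.

    A jump back into the function must land here, not at entry+patch_len:
    the listing shows entry+12 decoding as IN EAX,57 (the E5 of MOV EBP,ESP).
    """
    return next(o for o in instruction_boundaries(prologue) if o >= patch_len)


def run_thunk(caller_ret, args, edx_in=THUNK):
    """Execute the thunk at 00352D28 on a list model of the 32-bit stack.

    stack[0] is [ESP]. Returns (eip after RETN, edx, stack).
    """
    stack = [caller_ret] + list(args)   # CALL already pushed the return address
    edx = edx_in
    stack = [0, 0] + stack              # SUB ESP,8   (two uninitialised slots)
    stack = [edx] + stack               # PUSH EDX
    edx = stack[3]                      # MOV EDX,[ESP+0C]  (caller's return address)
    stack[2] = edx                      # MOV [ESP+08],EDX
    stack[3] = COPY                     # MOV [ESP+0C],00352D10
    stack[1] = HOOKER                   # MOV [ESP+04],0041A24E
    edx, stack = stack[0], stack[1:]    # POP EDX  (restores the caller's EDX)
    eip, stack = stack[0], stack[1:]    # RETN     (transfers to the hooker)
    return eip, edx, stack


def hooker_frame(stack, saved_ebp=0):
    """The stack as the hooker sees it after PUSH EBP / MOV EBP,ESP: {ebp_off: value}."""
    frame = [saved_ebp] + list(stack)
    return {4 * i: v for i, v in enumerate(frame)}


def forwarded_args(frame):
    """Arguments the copied entry receives from the hooker's ten pushes, in order."""
    return [frame[o] for o in reversed(HOOKER_PUSH_ORDER)]


if __name__ == "__main__":
    bounds = instruction_boundaries(ORIGINAL_PROLOGUE)
    print("patch bytes:", len(HOOK_PATCH), "boundaries:", bounds)
    print("minimum copy:", min_copy_length(ORIGINAL_PROLOGUE, len(HOOK_PATCH)),
          "copied on the page:", len(b"".join(c for c, _ in ORIGINAL_PROLOGUE)))
    # Constructed inputs: a fake caller and ten distinguishable argument values.
    eip, edx, stack = run_thunk(0x00401234, [0x10 + i for i in range(10)])
    frame = hooker_frame(stack)
    print(hex(eip), hex(frame[0x8]), [hex(a) for a in forwarded_args(frame)])
```

Two things the model makes explicit. The patch covers 12 bytes but cuts MOV EBP,ESP in half, so the copied prologue has to stop on a boundary at or past byte 13; the 16 bytes actually present at 00352D10 satisfy that, but what follows them on the page is 00 00 (ADD BYTE PTR [EAX],AL, the *boom* line) rather than a jump back to entry+16. The thunk, for its part, leaves [ESP]=caller return address and [ESP+4]=00352D10 on entry to the hooker, which is why the hooker calls through [EBP+8] and finds the ten NtMapViewOfSection parameters at [EBP+0C]..[EBP+30].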
