[Bug 13915] Oblivion Script Extender (OBSE) fails to start ("privileged instruction")

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Aug 22 05:05:00 CDT 2010


http://bugs.winehq.org/show_bug.cgi?id=13915

--- Comment #46 from Anastasius Focht <focht at gmx.net>  2010-08-22 05:04:58 ---
Hello,

I extracted the relevant parts from your log:

--- snip ---
0009:trace:loaddll:load_builtin_dll Loaded L"KERNEL32.dll" at 0x7ed60000: builtin
...
0009:Call KERNEL32.CreateFileA(00422430 "C:\\oblivion\\obse_1_2_416.dll",80000000,00000001,00000000,00000003,00000080,00000000) ret=00403788
0009:Ret  KERNEL32.CreateFileA() retval=00000040 ret=00403788
...
0009:Call KERNEL32.CreateProcessA(00415834 "Oblivion.exe",00000000,00000000,00000000,00000001,00000004,00000000,00000000,0032fdb8,0032fcf4) ret=00402fa2
0009:trace:process:CreateProcessW app L"Oblivion.exe" cmdline (null)
0009:trace:process:open_exe_file looking for L"Oblivion.exe"
0009:trace:process:CreateProcessW starting L"Oblivion.exe" as Win32 binary (0x400000-0xbaf000)
001b:trace:module:load_builtin_callback loaded ntdll.dll 0x110158 0x7ef60000
...
001b:trace:module:load_dll Found L"ntdll.dll" for L"ntdll.dll" at 0x7ef60000, count=2
001b:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed90000
001b:trace:loaddll:load_builtin_dll Loaded L"KERNEL32.dll" at 0x7ed90000: builtin
001b:Call KERNEL32.__wine_kernel_init() ret=7ef97f83
...
001b:trace:loaddll:load_native_dll Loaded L"C:\\oblivion\\Oblivion.exe" at 0x400000: native
001b:trace:module:load_dll Loaded module L"C:\\oblivion\\Oblivion.exe" (native) at 0x400000
...
0009:trace:process:CreateProcessW started process pid 001a tid 001b
0009:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=00402fa2
0009:Call KERNEL32.OpenProcess(0000043a,00000000,0000001a) ret=004024d0
0009:Ret  KERNEL32.OpenProcess() retval=00000040 ret=004024d0
0009:Call KERNEL32.VirtualAllocEx(00000040,00000000,00002000,00001000,00000040) ret=004024f0
...
0009:Call KERNEL32.WriteProcessMemory(00000040,00340005,00422430,0000001d,0032fc84) ret=00402556
0009:Ret  KERNEL32.WriteProcessMemory() retval=00000001 ret=00402556
0009:Call KERNEL32.WriteProcessMemory(00000040,00340000,0032fc88,00000005,0032fc84) ret=00402578
0009:Ret  KERNEL32.WriteProcessMemory() retval=00000001 ret=00402578
0009:Call KERNEL32.CreateRemoteThread(00000040,00000000,00000000,00340000,00340005,00000000,00000000) ret=00402589
0009:Ret  KERNEL32.CreateRemoteThread() retval=00000050 ret=00402589
0009:Call KERNEL32.WaitForSingleObject(00000050,00007530) ret=004025a4
001c:trace:module:alloc_thread_tls thread 001c idx 0: 440/0 bytes from 0xbac000 to 0x126538
001c:Starting thread proc 0x340000 (arg=0x340005)
001c:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7ed6cf50 ip=7ed6cf50 tid=001c
001c:trace:seh:raise_exception  info[0]=00000000
001c:trace:seh:raise_exception  info[1]=7ed6cf50
001c:trace:seh:raise_exception  eax=00340000 ebx=7efe3ff4 ecx=8ccebec1 edx=ffffffff esi=7ffd4f10 edi=00340000
001c:trace:seh:raise_exception  ebp=00efea78 esp=00efea6c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
001c:trace:seh:call_stack_handlers calling handler at 0x7efce930 code=c0000005 flags=0
001c:Call KERNEL32.UnhandledExceptionFilter(00efe5b8) ret=7efce982
wine: Unhandled page fault on read access to 0x7ed6cf50 at address 0x7ed6cf50 (thread 001c), starting debugger...
001c:trace:seh:start_debugger Starting debugger "winedbg --auto 26 24"
--- snip ---

It seems the kernel32 image load base is still different:

kernel32 base loader: 0x7ed60000
kernel32 base target: 0x7ed90000

The injected thread crashes at 0x7ed6cf50, which is below the target kernel32 image
load base. The high word matches the loader (parent) kernel32 image base, so the
patched jump trampoline 0x7ed6xxxx matches LoadLibraryA() in the loader's address
space!

To cancel out the address space randomization problem, we compare the load
addresses of kernel32.dll in all Wine processes:

0009 = initial process = loader

--- snip ---
0009:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed60000
...
000b:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed90000
000b:trace:module:load_dll Loaded module L"C:\\windows\\system32\\wineboot.exe" (builtin) at 0x7ef30000
...
000d:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed90000
000d:trace:module:load_dll Loaded module L"C:\\windows\\system32\\winemenubuilder.exe" (builtin) at 0x7ef30000
...
000f:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed90000
000f:trace:module:load_dll Loaded module L"C:\\windows\\system32\\services.exe" (builtin) at 0x7ef30000
...
0012:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed90000
0012:trace:module:load_dll Loaded module L"C:\\windows\\system32\\winedevice.exe" (builtin) at 0x7ef40000
...
0019:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed90000
0019:trace:module:load_dll Loaded module L"C:\\windows\\system32\\explorer.exe" (builtin) at 0x7ef30000
...
001b:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed90000
001b:trace:module:load_dll Loaded module L"C:\\oblivion\\Oblivion.exe" (native) at 0x400000
--- snip ---

Interestingly, only the _first_ process has a different kernel32.dll load base.
All others match.

Can you try the following: start a "helper" process (cmd.exe, notepad.exe,
whatever) in the background which keeps wineserver alive, and then start the
loader from a different terminal.

If it still crashes, please give another +relay log exactly as previously
described.
Make sure winedbg can do a backtrace run (in your relay log it starts but never
reaches that point because you press CTRL+C too early).

Regards
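The per-process base comparison and the crash-address check done by hand in the comment above can be scripted over a +relay log; this is an added example, not code from the comment, OBSE or Wine. The sample lines are constructed to match the quoted trace formats, and the regexes assume exactly those formats (pid:trace:module:load_builtin_callback and pid:trace:seh:raise_exception).

```python
import re
from collections import Counter

# Constructed sample in the shape of the +relay lines quoted in the comment.
SAMPLE_LOG = """\
0009:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed60000
000b:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed90000
001b:trace:module:load_builtin_callback loaded KERNEL32.dll 0x112628 0x7ed90000
001c:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7ed6cf50 ip=7ed6cf50 tid=001c
"""

# "<pid>:trace:module:load_builtin_callback loaded <dll> <ptr> <base>"; only <base> is used.
LOAD_RE = re.compile(
    r"^([0-9a-f]{4}):trace:module:load_builtin_callback loaded (\S+) 0x[0-9a-f]+ 0x([0-9a-f]+)")
FAULT_RE = re.compile(
    r"^([0-9a-f]{4}):trace:seh:raise_exception code=([0-9a-f]+) .*\baddr=0x([0-9a-f]+)")

def parse_bases(log, dll="KERNEL32.dll"):
    """Map pid -> load base of `dll` as each process' loader reported it."""
    bases = {}
    for line in log.splitlines():
        m = LOAD_RE.match(line)
        if m and m.group(2) == dll:
            bases[m.group(1)] = int(m.group(3), 16)
    return bases

def parse_faults(log):
    """List (tid, exception code, faulting address) for each raise_exception trace."""
    return [(m.group(1), int(m.group(2), 16), int(m.group(3), 16))
            for m in map(FAULT_RE.match, log.splitlines()) if m]

def odd_bases(bases):
    """pids whose base differs from the most common one (the first process, in the comment)."""
    common, _ = Counter(bases.values()).most_common(1)[0]
    return {pid: base for pid, base in bases.items() if base != common}

def fault_offsets(addr, bases):
    """Offset of `addr` from each pid's base; negative means below that process' image base."""
    return {pid: addr - base for pid, base in bases.items()}

if __name__ == "__main__":
    bases = parse_bases(SAMPLE_LOG)
    print("odd bases:", {p: hex(b) for p, b in odd_bases(bases).items()})
    for tid, code, addr in parse_faults(SAMPLE_LOG):
        offs = fault_offsets(addr, bases)
        print(f"tid {tid} code {code:08x} at {addr:#x}: "
              + ", ".join(f"{p}:{o:+#x}" for p, o in offs.items()))
```

A positive offset into exactly one process (here 0009, the loader) and a negative one for the target is the signature the comment describes: the trampoline carries a kernel32 address from the injector's own address space.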
