[Bug 23585] AvaFX Trader program stop with error "The ordinal 37 could not be located in the DLL kernel32.dll"

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Jul 10 12:20:04 CDT 2010 

http://bugs.winehq.org/show_bug.cgi?id=23585


Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net




--- Comment #8 from Anastasius Focht <focht at gmx.net>  2010-07-10 12:20:03 ---
Hello,

this problem can't be fixed in Wine -> WONTFIX.

The crashing app, located in "C:\\users\\<username>\\Application
Data\\AvaTrader\\APP#<crc32>\\Fx_Client.exe" is wrapped by PEcompact v2.x-3.x,
a PE compressor.

Most likely due to a bug in the PE compressor, there are some exports
accidentally referenced by ordinal (non-fixed ones across Windows versions).

Relevant PE compressor IAT, dumped from memory - partially restored up to
ordinals:

--- snip ---
...
00C09080  683D1EA0  offset advapi32.GetServiceKeyNameW
00C09084  683CF280  offset advapi32.EnumServicesStatusW
00C09088  683D0D10  offset advapi32.CloseServiceHandle
00C0908C  00000000
00C09090  80000025  -> kernel32 ordinal 0x25
00C09094  80000024  -> kernel32 ordinal 0x24
00C09098  80000023  -> kernel32 ordinal 0x23
00C0909C  00000000
00C090A0  0080D94E  Fx_Clien.0080D94E
00C090A4  0080D95E  Fx_Clien.0080D95E
00C090A8  0080D970  Fx_Clien.0080D970
....
--- snip ---

While restoring the IAT, the PE compressor encounters the ordinals and resolves
the first kernel32.dll ordinal 0x25 to "kernel386.exe16.GetProcAddress16".
The resolved API name is then reverse tokenized by "dot" to get the module
name: "kernel386.exe16.GetProcAddress16" -> "kernel386.exe16" and
"GetProcAddress16".

This serves as input for another consistency check: the PE compressor uses
GetModuleHandle() to fetch the module handle which fails in this case
("kernel386.exe16") because 16 bit modules are not loaded at this point - if
ever - resulting in "ordinal xx error".

In Windows these ordinals don't have that Wine-specific module name by design
and the resolved API are most likely never called by app code.
If the app calls these three ordinal-resolved imports it would crash for sure
because that kind of import-by-ordinal trickery is not applicable across
Windows versions and is only used for very specific API.

If you really want that app running in Wine, contact the vendor of the software
and ask them to repackage the client .exe with a bugfixed PE compressor version
or drop the use of PE compression/obfuscation tools at all.

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list