[Bug 27680] 64 bit Aion client crashes on load

wine-bugs at winehq.org
Sun Apr 1 15:09:21 CDT 2012


http://bugs.winehq.org/show_bug.cgi?id=27680

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
             Status|UNCONFIRMED                 |NEW
                URL|                            |http://dl.dropbox.com/u/461
                   |                            |37118/Aion-2.7-GameForge-20
                   |                            |-01-2012.zip
                 CC|                            |focht at gmx.net
          Component|-unknown                    |ntdll
     Ever Confirmed|0                           |1

--- Comment #2 from Anastasius Focht <focht at gmx.net> 2012-04-01 15:09:21 CDT ---
Hello,

Confirming, it's still happening within NtQueryInformationProcess().

Old backtrace from bug reporter, wine-1.3.23:

--- snip ---
=>0 0x00007f22cfe66379
NtQueryInformationProcess+0x59(ProcessHandle=0xffffffffffffffff, 
ProcessInformationClass=ProcessDebugObjectHandle, ProcessInformation=0x23fcf0,
ProcessInformationLength=0x8, 
ReturnLength=0x0(nil))
[/home/****/wine64/dlls/ntdll/../../../wine-git/dlls/ntdll/process.c:112] in
ntdll (0x000000000023f4c0)
  1 0x000000000058e09e in aion.bin (+0x18e09d) (0x000000000023f4c0)
  2 0x000000000058e09e in aion.bin (+0x18e09d) (0x000000000023f4c0)
  3 0x00007f22cfe10000 _init+0x5e7() in ntdll<elf> (0x000000000023f4c0)
0x00007f22cfe66379 NtQueryInformationProcess+0x59
[/home/*****/wine64/dlls/ntdll/../../../wine-git/dlls/ntdll/process.c:112] in
ntdll: movq      %mm4,%mm6
--- snip ---

It got worse now ... the unwinding goes into recursion, no backtrace.

--- snip ---
0026:Starting process L"Z:\\home\\focht\\Downloads\\bin64\\aion.bin"
(entryproc=0x54cd41)
0026:Call KERNEL32.LoadLibraryA(0022fc20 "kernel32.dll") ret=00590e14
0026:Ret  KERNEL32.LoadLibraryA() retval=7b820000 ret=00590e14
0026:Call KERNEL32.LoadLibraryA(0022fc24 "ntdll.dll") ret=00590e14
0026:Ret  KERNEL32.LoadLibraryA() retval=7fbe1aa50000 ret=00590e14
0026:Call KERNEL32.IsDebuggerPresent() ret=00590e14
0026:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=00590e14
0026:Call KERNEL32.CheckRemoteDebuggerPresent(ffffffffffffffff,0022fc30)
ret=00590e14
0026:Ret  KERNEL32.CheckRemoteDebuggerPresent() retval=00000001 ret=00590e14
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7fbe1aaa7e39
ip=7fbe1aaa7e39 tid=0026
0026:trace:seh:raise_exception  rax=00007fbe1aa5ab30 rbx=000000001a065f83
rcx=00007fbe1ad20d20 rdx=0000000000050347
0026:trace:seh:raise_exception  rsi=00000000005116d8 rdi=000000000022f290
rbp=000000000022f228 rsp=000000000022f0f8
0026:trace:seh:raise_exception   r8=000000000022f260  r9=0000000000000008
r10=0000000000000008 r11=000000399ab7c680
0026:trace:seh:raise_exception  r12=000000000058ffe7 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
0026:trace:seh:dwarf_virtual_unwind function 7fbe1aaa7e39 base 0x7fbe1aaa7e27
cie 0x7fbe1aafeaa8 len 14 id 0 version 1 aug 'zR' code_align 1 data_align -8
retaddr %rip
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e27: DW_CFA_def_cfa %rsp, 8
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e27: DW_CFA_offset %rip, -8
0026:trace:seh:dwarf_virtual_unwind fde 0x7fbe1ab0d618 len 54 personality (nil)
lsda (nil) code 7fbe1aaa7e27-7fbe1aaa823a
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e27: DW_CFA_advance_loc 1
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e28: DW_CFA_def_cfa_offset 16
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e28: DW_CFA_offset %rbp, -16
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e28: DW_CFA_advance_loc 3
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e2b: DW_CFA_def_cfa_register
%rbp
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e2b: DW_CFA_advance_loc 19 
...
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7fbe1aabffd1
ip=7fbe1aabffd1 tid=0026
0026:trace:seh:raise_exception  rax=e9e1c4e0e8fffef4 rbx=000000007b878618
rcx=0000000000000006 rdx=fffffffffffcafd1
0026:trace:seh:raise_exception  rsi=0000000000000006 rdi=0000000000134140
rbp=0000000000134120 rsp=0000000000134120
0026:trace:seh:raise_exception   r8=00007fbe1ad34cb7  r9=0000000000000018
r10=00000000ffff8000 r11=000000399ab7c680
0026:trace:seh:raise_exception  r12=000000007b8b6b19 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
0026:err:seh:setup_exception stack overflow 2992 bytes in thread 0026 eip
00007fbe1aac1263 esp 0000000000130a50 stack 0x130000-0x132000-0x230000 
--- snip ---

The app code is heavily obfuscated and has some anti-debugging checks after
entry.

After bypassing two anti-debugging checks, a third one is done:
NtQueryInformationProcess for ProcessDebugObjectHandle.

--- snip ---
Wine-dbg>info regs
Register dump:
 rip:0000000000590e12 rsp:000000000023f268 rbp:000000000023f400 eflags:00000202
(   - --  I   - - - )
 rax:00007f6cea80ac00 rbx:000000001a065f83 rcx:ffffffffffffffff
rdx:000000000000001e
 rsi:00000000005116d8 rdi:000000000023f290  r8:000000000023fc30 
r9:0000000000000008 r10:0000000000000008
 r11:0000000000000246 r12:000000000058ffe7 r13:0000000000000000
r14:0000000000000000 r15:0000000000000000

Wine-dbg>x/10x 0x00007f6cea80ac00
0x00007f6cea80ac00 NtQueryInformationProcess:  e5894855 48535657 07c8ec81
290f0000
0x00007f6cea80ac10 NtQueryInformationProcess+0x10:  ffff40b5 bd290fff ffffff50
85290f44
0x00007f6cea80ac20 NtQueryInformationProcess+0x20:  ffffff60 8d290f44
--- snip ---

The registers RCX, RDX, R8, R9 are used for integer and pointer arguments (in
that order, left to right):

0xffffffffffffffff, 000000000000001e, 000000000023fc30, 0000000000000008

Additional arguments are pushed onto the stack (right to left).

Stepping through the code is blind flying in some locations, as winedbg can't
disassemble some instructions (after "sub $0x7c8,%rsp" for example).
You need the objdump disassembly side-by-side.

--- snip ---
Wine-dbg>si
NtQueryInformationProcess () at
/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112
0x00007fc857e66c00 NtQueryInformationProcess
[/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: pushq  
 %rbp
112    {
Wine-dbg>si
0x00007fc857e66c01 NtQueryInformationProcess+0x1
[/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: movq   
%rsp,%rbp
112    {
Wine-dbg>
0x00007fc857e66c04 NtQueryInformationProcess+0x4
[/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: pushq  
 %rdi
112    {
Wine-dbg>
0x00007fc857e66c05 NtQueryInformationProcess+0x5
[/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: pushq  
 %rsi
112    {
Wine-dbg>
0x00007fc857e66c06 NtQueryInformationProcess+0x6
[/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: pushq  
 %rbx
112    {
Wine-dbg>
0x00007fc857e66c07 NtQueryInformationProcess+0x7
[/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: subq   
$0x7c8,%rsp
112    {
Wine-dbg>si
0x00007fc857e66c0e NtQueryInformationProcess+0xe
[/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll:     
112    {
Wine-dbg>info reg
Register dump:
 rip:00007fc857e66c0e rsp:000000000023ea78 rbp:000000000023f258 eflags:00000316
(   - --  IT  -A-P- )
 rax:00007fc857e66c00 rbx:000000001a065f83 rcx:ffffffffffffffff
rdx:000000000000001e
 rsi:00000000005116d8 rdi:000000000023f290  r8:000000000023fc30 
r9:0000000000000008 r10:0000000000000008
 r11:0000000000000246 r12:000000000058ffe7 r13:0000000000000000
r14:0000000000000000 r15:0000000000000000
Wine-dbg>si
err:seh:setup_exception stack overflow 4656 bytes in thread 002c eip
00007fc857e87263 esp 00000000001403d0 stack 0x140000-0x142000-0x240000
Process of pid=002b has terminated
--- snip ---

Running objdump gives:

--- snip ---
000000007bc73c00 <NtQueryInformationProcess>:
    7bc73c00:    55                       push   %rbp
    7bc73c01:    48 89 e5                 mov    %rsp,%rbp
    7bc73c04:    57                       push   %rdi
    7bc73c05:    56                       push   %rsi
    7bc73c06:    53                       push   %rbx
    7bc73c07:    48 81 ec c8 07 00 00     sub    $0x7c8,%rsp
    7bc73c0e:    0f 29 b5 40 ff ff ff     movaps %xmm6,-0xc0(%rbp)
    7bc73c15:    0f 29 bd 50 ff ff ff     movaps %xmm7,-0xb0(%rbp)
    7bc73c1c:    44 0f 29 85 60 ff ff     movaps %xmm8,-0xa0(%rbp)
    7bc73c23:    ff 
    7bc73c24:    44 0f 29 8d 70 ff ff     movaps %xmm9,-0x90(%rbp)
    7bc73c2b:    ff 
    7bc73c2c:    44 0f 29 55 80           movaps %xmm10,-0x80(%rbp)
    7bc73c31:    44 0f 29 5d 90           movaps %xmm11,-0x70(%rbp)
    7bc73c36:    44 0f 29 65 a0           movaps %xmm12,-0x60(%rbp)
    7bc73c3b:    44 0f 29 6d b0           movaps %xmm13,-0x50(%rbp)
    7bc73c40:    44 0f 29 75 c0           movaps %xmm14,-0x40(%rbp)
    7bc73c45:    44 0f 29 7d d0           movaps %xmm15,-0x30(%rbp)
    7bc73c4a:    48 89 4d 10              mov    %rcx,0x10(%rbp)
    7bc73c4e:    89 55 18                 mov    %edx,0x18(%rbp)
    7bc73c51:    4c 89 45 20              mov    %r8,0x20(%rbp)
    7bc73c55:    44 89 4d 28              mov    %r9d,0x28(%rbp)
    7bc73c59:    c7 85 3c ff ff ff 00     movl   $0x0,-0xc4(%rbp)
    7bc73c60:    00 00 00 
    7bc73c63:    c7 85 38 ff ff ff 00     movl   $0x0,-0xc8(%rbp) 
--- snip ---

Looking at the history of "signal_x86_64.c" there were some changes to
unwinding code on 64 bits.

http://source.winehq.org/git/wine.git/history/HEAD:/dlls/ntdll/signal_x86_64.c

I found a download with the 64-bit part only (not the full client) that is
sufficient to reproduce the bug
(http://www.aionsource.com/topic/129292-instructions-for-the-64bit-client/)

Debugging notes:

b LoadLibraryA (hit two times)
...
b 0x0000000000590e12 (obfuscator API callout -> si+c until win64 API entries
are seen)
Cheat IsDebuggerPresent() and CheckRemoteDebuggerPresent().
The next win64 API call will be NtQueryInformationProcess( ...
ProcessDebugObjectHandle).

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
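The calling-convention remark in the comment above (RCX, RDX, R8, R9 carry the first four integer/pointer arguments) can be checked mechanically against the first "Register dump" winedbg printed at rip=0x590e12, just before the call into NtQueryInformationProcess. The Python below is an added example, not code from the bug report or from Wine: it parses that dump, names the four register parameters, and, using the objdump prologue from the comment (`push %rbp; mov %rsp,%rbp; ... movaps %xmm6,-0xc0(%rbp)`), computes the address the first `movaps` will write and whether it has the 16-byte alignment that instruction requires. The PROCESSINFOCLASS names are the values from the Windows headers; the rbp it derives for the callee (0x23f258) agrees with the second dump in the comment, taken at NtQueryInformationProcess+0xe.

```python
"""Decode the NtQueryInformationProcess() call from a winedbg 'Register dump'.

Added example, not code from the bug report or from Wine. It applies the Win64
argument-register rule quoted in the comment (RCX, RDX, R8, R9) to the dump
taken just before the call, and checks the alignment of the stack slot that the
objdump prologue writes with 'movaps %xmm6,-0xc0(%rbp)'.
"""
import re

# Win64 convention: the first four integer/pointer parameters travel in these
# registers, left to right; any further parameters go on the stack.
WIN64_ARG_REGS = ("rcx", "rdx", "r8", "r9")

# PROCESSINFOCLASS values from the Windows headers (winternl.h / ntddk.h).
PROCESSINFOCLASS = {
    7: "ProcessDebugPort",
    30: "ProcessDebugObjectHandle",
    31: "ProcessDebugFlags",
}

# winedbg 'Register dump' copied from the comment above (rip=0x590e12, the
# obfuscated caller, at the instruction that enters NtQueryInformationProcess).
REGISTER_DUMP = """\
 rip:0000000000590e12 rsp:000000000023f268 rbp:000000000023f400 eflags:00000202
 rax:00007f6cea80ac00 rbx:000000001a065f83 rcx:ffffffffffffffff
rdx:000000000000001e
 rsi:00000000005116d8 rdi:000000000023f290  r8:000000000023fc30
r9:0000000000000008 r10:0000000000000008
 r11:0000000000000246 r12:000000000058ffe7 r13:0000000000000000
r14:0000000000000000 r15:0000000000000000
"""

# 'name:hex' pairs; winedbg wraps lines, so do not rely on line structure.
_REG_RE = re.compile(r"\b(r[a-z0-9]+|eflags):([0-9a-fA-F]{8,16})\b")


def parse_register_dump(text):
    """Return {register name: value} for every pair in a winedbg dump."""
    return {name: int(value, 16) for name, value in _REG_RE.findall(text)}


def win64_args(regs, count):
    """Values of the first min(count, 4) parameters, in parameter order."""
    return [regs[r] for r in WIN64_ARG_REGS[:count]]


def decode_nt_query_information_process(regs):
    """Name the four register parameters of NtQueryInformationProcess."""
    handle, info_class, info_ptr, info_len = win64_args(regs, 4)
    return {
        "ProcessHandle": handle,
        # (HANDLE)-1 is the NtCurrentProcess() pseudo handle.
        "ProcessHandleIsCurrentProcess": handle == 0xFFFFFFFFFFFFFFFF,
        "ProcessInformationClass": info_class,
        "ProcessInformationClassName": PROCESSINFOCLASS.get(info_class, "unknown"),
        "ProcessInformation": info_ptr,
        "ProcessInformationLength": info_len,
    }


def callee_rbp(regs):
    """rbp inside the callee after 'push %rbp; mov %rsp,%rbp': the call pushed
    the return address (8 bytes) and the prologue pushed the old rbp (8 bytes)."""
    return regs["rsp"] - 16


def movaps_target(regs, disp):
    """Address written by 'movaps %xmmN,disp(%rbp)' in the prologue."""
    return callee_rbp(regs) + disp


def is_16_byte_aligned(addr):
    """movaps requires a 16-byte aligned memory operand."""
    return addr % 16 == 0


def caller_rsp_aligned_for_call(regs):
    """Win64 requires rsp to be 16-byte aligned at the 'call' instruction."""
    return regs["rsp"] % 16 == 0


if __name__ == "__main__":
    regs = parse_register_dump(REGISTER_DUMP)
    for name, value in decode_nt_query_information_process(regs).items():
        shown = f"{value:#x}" if type(value) is int else str(value)
        print(f"{name:32} {shown}")
    target = movaps_target(regs, -0xC0)
    print(f"callee rbp       {callee_rbp(regs):#x}")
    print(f"movaps target    {target:#x} aligned={is_16_byte_aligned(target)}")
    print(f"rsp at call      {regs['rsp']:#x} aligned={caller_rsp_aligned_for_call(regs)}")
```

Run as a script it prints the decoded parameters (ProcessHandle = (HANDLE)-1, class 0x1e = ProcessDebugObjectHandle, buffer 0x23fc30, length 8) together with the callee rbp and the movaps target address; the same parsing works on any other winedbg "Register dump" pasted into REGISTER_DUMP.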
