[Bug 19743] Acrobat Reader 5 page fault on load (docbox.api plugin uses custom imports resolver verifying/using on-disk image of Windows core dlls)

wine-bugs at winehq.org
Mon Jan 16 15:55:02 CST 2012


http://bugs.winehq.org/show_bug.cgi?id=19743

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|NEW                         |RESOLVED
                 CC|                            |focht at gmx.net
         Resolution|                            |WONTFIX
            Summary|Acrobat Reader 5 page fault |Acrobat Reader 5 page fault
                   |on load                     |on load (docbox.api plugin
                   |                            |uses custom imports
                   |                            |resolver verifying/using
                   |                            |on-disk image of Windows
                   |                            |core dlls)

--- Comment #4 from Anastasius Focht <focht at gmx.net> 2012-01-16 15:55:02 CST ---
Hello,

This is a WONTFIX.
The docbox.api plugin guys from "InterTrust" tried to be very "clever".
The plugin has its own internal imports resolver that verifies/uses on-disk PE
images of Windows core dlls (kernel32.dll, ...) in conjunction with the in-memory
mapped PE image.

--- snip ---
...
0024:Call KERNEL32.CreateFileA(01301e20 "C:\\windows\\system32\\kernel32.dll",80000000,00000001,00000000,00000003,00000080,00000000) ret=37043b3e
0024:Ret  KERNEL32.CreateFileA() retval=0000000c ret=37043b3e
0024:Call KERNEL32.GetFileSize(0000000c,0032e14c) ret=3703f725
0024:Ret  KERNEL32.GetFileSize() retval=00053094 ret=3703f725
0024:Call ntdll.RtlAllocateHeap(011e1000,00000000,000530a0) ret=37033ebe
0024:Ret  ntdll.RtlAllocateHeap() retval=011e6de8 ret=37033ebe
0024:Call KERNEL32.GetCurrentThreadId() ret=37032aa5
0024:Ret  KERNEL32.GetCurrentThreadId() retval=00000024 ret=37032aa5
0024:Call KERNEL32.SetFilePointer(0000000c,00000000,0032e134,00000000) ret=37026d43
0024:Ret  KERNEL32.SetFilePointer() retval=00000000 ret=37026d43
0024:Call KERNEL32.ReadFile(0000000c,011e6de8,00053094,0032e128,00000000) ret=37026d9d
0024:Ret  KERNEL32.ReadFile() retval=00000001 ret=37026d9d
...
<build custom import verification structures from PE disk image>
...
0024:Call KERNEL32.LoadLibraryA(0032ec14 "C:\\windows\\system32\\kernel32.dll") ret=3702e5b5
0024:Ret  KERNEL32.LoadLibraryA() retval=7b810000 ret=3702e5b5
...
<resolve imports using own loader, cross check>
...
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x3702e6cb ip=3702e6cb tid=0024
0024:trace:seh:raise_exception  info[0]=00000000
0024:trace:seh:raise_exception  info[1]=00000008
0024:trace:seh:raise_exception  eax=00000000 ebx=0000000b ecx=01301c40 edx=00000000 esi=00dcfe58 edi=00000000
0024:trace:seh:raise_exception  ebp=0032f064 esp=0032e2c8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0024:trace:seh:call_stack_handlers calling handler at 0x37022d08 code=c0000005 flags=0
0024:trace:seh:call_stack_handlers handler at 0x37022d08 returned 1
0024:trace:seh:call_stack_handlers calling handler at 0x6172f0 code=c0000005 flags=0
...
--- snip ---

They also try to hide stuff while resolving imports, destroying the original lookup
data.
Additionally, anti-debugging trickery is pulled at a later stage.

There is little to no value in this plugin, and still they managed to make the whole
product incompatible with certain Windows versions.
Good job. Only a brain-damaged soul could have done this.

Acrobat 5.0 is officially reported incompatible with newer Windows versions by
Microsoft/Adobe due to this plugin (not even application shims can fix this).

Just get rid of this plugin or don't use this version at all.

--- snip ---
rm "$HOME/.wine/drive_c/Program Files/Adobe/Acrobat 5.0/Reader/plug_ins/InterTrust/DocBox.api"
--- snip ---

Regards

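The resolver scheme the comment describes (read the DLL file from disk, build export lookup tables from the file image, LoadLibrary the real module, resolve through both views and cross-check) as an added example; this is not code from the bug report, from Wine or from the DocBox plugin, and it does not touch a real kernel32.dll. It constructs a minimal PE32 file in memory, models "loading" as laying the file out by section RVA instead of calling LoadLibraryA, and uses the module base 0x7B810000 only as a sample constant borrowed from the trace's LoadLibraryA return value. Names such as `build_sample_pe` and `resolve_and_cross_check` are this example's own. The point it makes: on-disk file offsets and in-memory RVAs differ and must be translated through the section table, and the cross-check can only succeed when the file on disk really is the module the loader mapped.

```python
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
SECTION_RVA, SECTION_FILE_OFF = 0x1000, 0x200   # RVA != file offset on purpose
MODULE_BASE = 0x7B810000   # sample constant (the trace's LoadLibraryA retval), assumed here


def build_sample_pe(dll_name, exports):
    """Construct a minimal PE32 file with one section holding an export directory.
    Constructed test data, not a real DLL.  `exports` maps name -> stub bytes."""
    names = sorted(exports)                       # AddressOfNames must be sorted
    n = len(names)
    eat_off, npt_off = 40, 40 + 4 * n
    ord_off, str_off = npt_off + 4 * n, npt_off + 6 * n
    strings = bytearray(dll_name.encode() + b"\0")
    name_rvas = []
    for nm in names:
        name_rvas.append(SECTION_RVA + str_off + len(strings))
        strings += nm.encode() + b"\0"
    code_off = (str_off + len(strings) + 15) & ~15
    code, func_rvas = bytearray(), []
    for nm in names:
        func_rvas.append(SECTION_RVA + code_off + len(code))
        code += exports[nm]
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, SECTION_RVA + str_off, 1, n, n,
                                 SECTION_RVA + eat_off, SECTION_RVA + npt_off, SECTION_RVA + ord_off))
    body += struct.pack("<%dI" % n, *func_rvas)   # export address table
    body += struct.pack("<%dI" % n, *name_rvas)   # name pointer table
    body += struct.pack("<%dH" % n, *range(n))    # name -> EAT index
    body += strings + b"\0" * (code_off - str_off - len(strings)) + code
    body_size = len(body)
    raw_size = (body_size + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    body += b"\0" * (raw_size - body_size)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<III", opt, 28, MODULE_BASE, SECT_ALIGN, FILE_ALIGN)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, SECTION_RVA + SECT_ALIGN, SECTION_FILE_OFF)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, SECTION_RVA, 40)                      # DataDirectory[EXPORT]
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102) + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".edata", body_size, SECTION_RVA, raw_size,
                       SECTION_FILE_OFF, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr + b"\0" * (SECTION_FILE_OFF - len(hdr)) + body)


def _sections(image):
    """Section table as (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    plus the export directory RVA."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_off = e_lfanew + 24
    sect_off = opt_off + struct.unpack_from("<H", image, e_lfanew + 20)[0]
    secs = [struct.unpack_from("<IIII", image, sect_off + 40 * i + 8) for i in range(nsect)]
    return secs, struct.unpack_from("<I", image, opt_off + 96)[0]


def rva_to_offset(secs, rva, mapped):
    """In the mapped module an RVA is the offset; in the file on disk it has to be
    translated through the section table.  A hand-rolled resolver must do both."""
    if mapped:
        return rva
    for vsize, va, rawsize, rawptr in secs:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)


def parse_exports(image, mapped=False):
    """Walk the export directory and return {name: rva}."""
    secs, export_rva = _sections(image)
    d = rva_to_offset(secs, export_rva, mapped)
    _, _, nfuncs, nnames, eat_rva, npt_rva, ord_rva = struct.unpack_from("<IIIIIII", image, d + 12)
    eat = struct.unpack_from("<%dI" % nfuncs, image, rva_to_offset(secs, eat_rva, mapped))
    npt = struct.unpack_from("<%dI" % nnames, image, rva_to_offset(secs, npt_rva, mapped))
    ords = struct.unpack_from("<%dH" % nnames, image, rva_to_offset(secs, ord_rva, mapped))
    out = {}
    for name_rva, idx in zip(npt, ords):
        off = rva_to_offset(secs, name_rva, mapped)
        out[image[off:image.index(b"\0", off)].decode()] = eat[idx]
    return out


def map_image(image):
    """Lay the file out the way a loader would (headers at RVA 0, each section at
    its VirtualAddress).  Stands in for LoadLibraryA in this example."""
    secs, _ = _sections(image)
    mem = bytearray(max(va + max(vs, rs) for vs, va, rs, _ in secs))
    first_raw = min(rp for _, _, _, rp in secs)
    mem[:first_raw] = image[:first_raw]
    for _, va, rawsize, rawptr in secs:
        mem[va:va + rawsize] = image[rawptr:rawptr + rawsize]
    return bytes(mem)


def resolve_and_cross_check(disk_file, module, module_base):
    """Resolve every export from the on-disk file and from the loaded module and
    report the names on which the two views disagree (missing or different RVA).
    Returns (resolved absolute addresses from the module, sorted disagreements)."""
    disk, mem = parse_exports(disk_file), parse_exports(module, mapped=True)
    bad = sorted((set(disk) ^ set(mem)) | {n for n in disk if n in mem and disk[n] != mem[n]})
    return {n: module_base + rva for n, rva in mem.items()}, bad


if __name__ == "__main__":
    def stub(v):                       # mov eax, imm32 ; ret  (placeholder function body)
        return b"\xb8" + struct.pack("<I", v) + b"\xc3"
    on_disk = build_sample_pe("kernel32.dll", {"CreateFileA": stub(0xC), "ReadFile": stub(1),
                                               "GetCurrentThreadId": stub(0x24)})
    addrs, bad = resolve_and_cross_check(on_disk, map_image(on_disk), MODULE_BASE)
    print("matching build: disagreements=%s, CreateFileA at %#x" % (bad, addrs["CreateFileA"]))
    # The situation in the bug report: the file on disk is not the module the loader mapped.
    other = build_sample_pe("kernel32.dll", {"CreateFileA": stub(0xC), "ReadFile": stub(1),
                                             "GetCurrentThreadId": stub(0x24), "ReadFileEx": stub(0)})
    _, bad = resolve_and_cross_check(on_disk, map_image(other), MODULE_BASE)
    print("different build on disk: disagreements=%s" % bad)
```

The second scenario is the one the trace shows: the plugin reads `C:\windows\system32\kernel32.dll` from disk, then calls LoadLibraryA and gets a module whose layout has no reason to match that file byte for byte, so every address its disk-derived tables predict is wrong. A resolver that insists on that agreement has nothing sensible to do afterwards, which is why the trace ends in an access violation right after the cross-check step and why no loader-side fix is on offer.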