[Bug 34407] Multi Theft Auto 1.3 loader fails to initialize core infrastructure in GTA:SA process (msvcrt string collation check fails)
wine-bugs at winehq.org
Sat Dec 14 12:44:22 CST 2013
http://bugs.winehq.org/show_bug.cgi?id=34407
Anastasius Focht <focht at gmx.net> changed:
What           |Removed                          |Added
----------------------------------------------------------------------------
Keywords       |                                 |download, obfuscation
Status         |UNCONFIRMED                      |NEW
URL            |                                 |https://mtasa-resources.googlecode.com/files/mtasa-1.3.4.exe
CC             |                                 |focht at gmx.net
Component      |-unknown                         |msvcrt
Summary        |Multi Theft Auto: does not start |Multi Theft Auto 1.3 loader fails to initialize core infrastructure in GTA:SA process (msvcrt string collation check fails)
Ever confirmed |0                                |1
--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
Multi Theft Auto loader process starts the original game process and injects its own infrastructure using the 'CreateRemoteThread with LoadLibrary' technique.
--- snip ---
...
000b:Starting process L"C:\\Program Files\\MTA San Andreas 1.3\\Multi Theft Auto.exe" (entryproc=0x40d007)
...
000b:Call KERNEL32.CreateProcessA(00ab7b18 "C:\\Program Files\\Rockstar Games\\GTA San Andreas\\gta_sa.exe",0033fc48 "",00000000,00000000,00000000,00000005,00000000,001d55d0 "C:\\Program Files\\MTA San Andreas 1.3\\mta",0033fb3c,0033fa28) ret=10013a21
003c:Call KERNEL32.__wine_kernel_init() ret=7bc599ec
000b:Ret KERNEL32.CreateProcessA() retval=00000001 ret=10013a21
...
000b:Call KERNEL32.GetProcAddress(7b810000,100569dc "LoadLibraryA") ret=10024a3b
000b:Ret KERNEL32.GetProcAddress() retval=7b8240bc ret=10024a3b
000b:Call KERNEL32.CreateRemoteThread(000000c4,00000000,00000000,7b8240bc,003d0000,00000000,00000000) ret=10024a43
000b:Ret KERNEL32.CreateRemoteThread() retval=000000e4 ret=10024a43
...
000b:Call KERNEL32.DebugActiveProcessStop(00000018) ret=006a18f3
003b:Starting thread proc 0x7b8240bc (arg=0x3d0000)
003b:Call KERNEL32.LoadLibraryA(003d0000 "C:\\Program Files\\MTA San Andreas 1.3\\mta\\core.dll") ret=7bc85c68
000b:Ret KERNEL32.DebugActiveProcessStop() retval=00000001 ret=006a18f3
000b:Call KERNEL32.WaitForSingleObject(000000e4,ffffffff) ret=006a1909
...
003b:Call PE DLL (proc=0x1a928d9,module=0x1980000 L"core.dll",reason=PROCESS_ATTACH,res=(nil))
--- snip ---
The loader's 'core' library does some initialization in its entry point which includes a string collation check.
Wine gets the collation check wrong, resulting in a code path being executed within the 'core' dll entry point which causes a page fault.
Wine's loader then unloads the 'core' library (entry point entered again, now with 'detach'), which leads to the silent termination of the child process.
--- snip ---
003b:Call msvcrt.setlocale(00000000,01ab6424 "C") ret=019a3a1e
003b:trace:msvcrt:MSVCRT__create_locale (0 C)
...
003b:Call msvcrt.setlocale(00000002,01aae0f0 "") ret=019a3a27
003b:trace:msvcrt:MSVCRT__create_locale (2 )
003b:Call KERNEL32.GetSystemDefaultLCID() ret=7e597608
003b:Ret KERNEL32.GetSystemDefaultLCID() retval=00000409 ret=7e597608
003b:Call KERNEL32.GetLocaleInfoA(00000409,80001004,0197e378,00000100) ret=7e597630
003b:Ret KERNEL32.GetLocaleInfoA() retval=00000005 ret=7e597630
...
003b:Ret msvcrt.setlocale() retval=00129370 ret=019a3a27
003b:Call msvcrt.strcoll(01ab5430 "a",01ab57fc "B") ret=019a3a37
003b:Call KERNEL32.CompareStringA(00000000,00000000,01ab5430 "a",ffffffff,01ab57fc "B",ffffffff) ret=7e5bf74d
003b:Ret KERNEL32.CompareStringA() retval=00000001 ret=7e5bf74d
003b:Ret msvcrt.strcoll() retval=ffffffff ret=019a3a37
003b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x19a3a3e ip=019a3a3e tid=003b
003b:trace:seh:raise_exception info[0]=00000001
003b:trace:seh:raise_exception info[1]=00000000
003b:trace:seh:raise_exception eax=ffffffff ebx=00000000 ecx=0014f098 edx=ffffffec esi=0014ef78 edi=7e577050
003b:trace:seh:raise_exception ebp=0014e760 esp=0197e584 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010286
003b:trace:seh:call_stack_handlers calling handler at 0x1aa4c9f code=c0000005 flags=0
003b:trace:seh:call_stack_handlers handler at 0x1aa4c9f returned 1
003b:trace:seh:call_stack_handlers calling handler at 0x1aa5132 code=c0000005 flags=0
003b:trace:seh:call_stack_handlers handler at 0x1aa5132 returned 1
003b:trace:seh:call_stack_handlers calling handler at 0x1a92b45 code=c0000005 flags=0
003b:Call msvcrt._except_handler4_common(01ad9060,01a922e1,0197e52c,0197e6bc,0197e260,0197e0ec) ret=01a92b65
...
003b:Call KERNEL32.TerminateProcess(ffffffff,00000000) ret=019e853f
...
--- snip ---
The check basically boils down to the following:
--- snip ---
setlocale(LC_ALL,"C");
setlocale(LC_CTYPE,"");
if(strcoll("a","B")>0) good_guy();
--- snip ---
strcoll()'s behaviour depends on LC_COLLATE in the current locale.
For the "C" locale one would expect a result > 0, but Wine's msvcrt returns the opposite: < 0.
$ sha1sum mtasa-1.3.4.exe
80986c6f30cd6bc2de386ef25f85e6a3462b4391 mtasa-1.3.4.exe
$ du -sh mtasa-1.3.4.exe
20M mtasa-1.3.4.exe
$ wine --version
wine-1.7.8-220-g0bef543
Regards
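The collation check the comment boils down to, written out as a stand-alone C program. This is an added example, not code from the bug report, from Wine or from the Multi Theft Auto loader; the function names are this example's own. It performs the same three calls (LC_ALL to "C", LC_CTYPE to the user's locale, then strcoll("a", "B")), shows that LC_COLLATE is still "C" afterwards, and checks the rule a conforming C runtime must follow in the "C" locale: strcoll() orders the same way as strcmp(), so 'a' (0x61) sorts after 'B' (0x42) and the result is positive. Run against a native CRT it takes the good_guy() path; the trace above shows Wine's msvcrt of that time returning -1 instead.

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the bug report): the loader's check in runnable form.
 * Reset every category to "C", then switch only LC_CTYPE to the user's locale.
 * LC_COLLATE stays "C", so strcoll() must order by byte value. */
int collation_check(void)
{
    setlocale(LC_ALL, "C");
    /* Returns NULL when the environment's locale is not installed; the
     * category then simply stays "C", which does not affect the check. */
    setlocale(LC_CTYPE, "");
    return strcoll("a", "B");   /* expected > 0: 'a' (0x61) sorts after 'B' (0x42) */
}

/* Returns 1 if LC_COLLATE is still "C" after the LC_CTYPE change above,
 * i.e. the second setlocale() call did not touch the collation category. */
int collate_still_c(void)
{
    collation_check();
    const char *coll = setlocale(LC_COLLATE, NULL);   /* query only */
    return coll != NULL && strcmp(coll, "C") == 0;
}

/* Compares the sign of strcoll() against strcmp() in the "C" locale;
 * returns 1 when they agree, which is what a conforming CRT must do. */
int c_locale_strcoll_agrees_with_strcmp(const char *a, const char *b)
{
    setlocale(LC_ALL, "C");
    int coll = strcoll(a, b);
    int cmp = strcmp(a, b);
    return (coll > 0) == (cmp > 0) && (coll < 0) == (cmp < 0);
}

int main(void)
{
    int r = collation_check();
    printf("strcoll(\"a\", \"B\") = %d -> %s\n", r,
           r > 0 ? "good_guy() path (correct)"
                 : "other path (the behaviour reported for Wine's msvcrt)");
    printf("LC_COLLATE still \"C\": %s\n", collate_still_c() ? "yes" : "no");

    /* Constructed sample pairs covering both orderings and a prefix case. */
    const char *pairs[][2] = { {"a", "B"}, {"B", "a"}, {"abc", "abd"}, {"", "x"} };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("strcoll/strcmp agree on (\"%s\", \"%s\"): %s\n",
               pairs[i][0], pairs[i][1],
               c_locale_strcoll_agrees_with_strcmp(pairs[i][0], pairs[i][1]) ? "yes" : "no");
    return r > 0 ? 0 : 1;
}
```

The exit status mirrors the loader's decision: 0 when the collation result is positive, 1 otherwise, so the program can double as a quick regression probe for a CRT's "C"-locale strcoll() behaviour.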