[Bug 34407] Multi Theft Auto 1.3 loader fails to initialize core infrastructure in GTA:SA process (msvcrt string collation check fails)

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Dec 14 12:44:22 CST 2013


http://bugs.winehq.org/show_bug.cgi?id=34407

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, obfuscation
             Status|UNCONFIRMED                 |NEW
                URL|                            |https://mtasa-resources.goo
                   |                            |glecode.com/files/mtasa-1.3
                   |                            |.4.exe
                 CC|                            |focht at gmx.net
          Component|-unknown                    |msvcrt
            Summary|Multi Theft Auto: does not  |Multi Theft Auto 1.3 loader
                   |start                       |fails to initialize core
                   |                            |infrastructure in GTA:SA
                   |                            |process (msvcrt string
                   |                            |collation check fails)
     Ever confirmed|0                           |1

--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

Multi Theft Auto loader process starts the original game process and injects
its own infrastructure using 'CreateRemoteThread with LoadLibrary' technique.

--- snip ---
...
000b:Starting process L"C:\\Program Files\\MTA San Andreas 1.3\\Multi Theft
Auto.exe" (entryproc=0x40d007) 
...
000b:Call KERNEL32.CreateProcessA(00ab7b18 "C:\\Program Files\\Rockstar
Games\\GTA San Andreas\\gta_sa.exe",0033fc48
"",00000000,00000000,00000000,00000005,00000000,001d55d0 "C:\\Program
Files\\MTA San Andreas 1.3\\mta",0033fb3c,0033fa28) ret=10013a21
003c:Call KERNEL32.__wine_kernel_init() ret=7bc599ec
000b:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=10013a21
...
000b:Call KERNEL32.GetProcAddress(7b810000,100569dc "LoadLibraryA")
ret=10024a3b
000b:Ret  KERNEL32.GetProcAddress() retval=7b8240bc ret=10024a3b
000b:Call
KERNEL32.CreateRemoteThread(000000c4,00000000,00000000,7b8240bc,003d0000,00000000,00000000)
ret=10024a43
000b:Ret  KERNEL32.CreateRemoteThread() retval=000000e4 ret=10024a43 
...
000b:Call KERNEL32.DebugActiveProcessStop(00000018) ret=006a18f3
003b:Starting thread proc 0x7b8240bc (arg=0x3d0000)
003b:Call KERNEL32.LoadLibraryA(003d0000 "C:\\Program Files\\MTA San Andreas
1.3\\mta\\core.dll") ret=7bc85c68
000b:Ret  KERNEL32.DebugActiveProcessStop() retval=00000001 ret=006a18f3
000b:Call KERNEL32.WaitForSingleObject(000000e4,ffffffff) ret=006a1909 
...
003b:Call PE DLL (proc=0x1a928d9,module=0x1980000
L"core.dll",reason=PROCESS_ATTACH,res=(nil))  
--- snip ---

The loader 'core' library does some initialization in entry point which
includes a string collation check.

Wine gets the collation check wrong, resulting in a code path being executed
within 'core' dll entry point which causes a page fault.
Wine's loader unloads the 'core' library (entry entered again, now with
'detach') which leads to the silent termination of the child process.

--- snip ---
003b:Call msvcrt.setlocale(00000000,01ab6424 "C") ret=019a3a1e
003b:trace:msvcrt:MSVCRT__create_locale (0 C) 
...
003b:Call msvcrt.setlocale(00000002,01aae0f0 "") ret=019a3a27
003b:trace:msvcrt:MSVCRT__create_locale (2 )
003b:Call KERNEL32.GetSystemDefaultLCID() ret=7e597608
003b:Ret  KERNEL32.GetSystemDefaultLCID() retval=00000409 ret=7e597608
003b:Call KERNEL32.GetLocaleInfoA(00000409,80001004,0197e378,00000100)
ret=7e597630
003b:Ret  KERNEL32.GetLocaleInfoA() retval=00000005 ret=7e597630 
...
003b:Ret  msvcrt.setlocale() retval=00129370 ret=019a3a27
003b:Call msvcrt.strcoll(01ab5430 "a",01ab57fc "B") ret=019a3a37
003b:Call KERNEL32.CompareStringA(00000000,00000000,01ab5430
"a",ffffffff,01ab57fc "B",ffffffff) ret=7e5bf74d
003b:Ret  KERNEL32.CompareStringA() retval=00000001 ret=7e5bf74d
003b:Ret  msvcrt.strcoll() retval=ffffffff ret=019a3a37
003b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x19a3a3e ip=019a3a3e
tid=003b
003b:trace:seh:raise_exception  info[0]=00000001
003b:trace:seh:raise_exception  info[1]=00000000
003b:trace:seh:raise_exception  eax=ffffffff ebx=00000000 ecx=0014f098
edx=ffffffec esi=0014ef78 edi=7e577050
003b:trace:seh:raise_exception  ebp=0014e760 esp=0197e584 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010286
003b:trace:seh:call_stack_handlers calling handler at 0x1aa4c9f code=c0000005
flags=0
003b:trace:seh:call_stack_handlers handler at 0x1aa4c9f returned 1
003b:trace:seh:call_stack_handlers calling handler at 0x1aa5132 code=c0000005
flags=0
003b:trace:seh:call_stack_handlers handler at 0x1aa5132 returned 1
003b:trace:seh:call_stack_handlers calling handler at 0x1a92b45 code=c0000005
flags=0
003b:Call
msvcrt._except_handler4_common(01ad9060,01a922e1,0197e52c,0197e6bc,0197e260,0197e0ec)
ret=01a92b65 
...
003b:Call KERNEL32.TerminateProcess(ffffffff,00000000) ret=019e853f
...
--- snip ---

The check basically boils down to the following:

--- snip ---
#include <locale.h>
#include <string.h>

setlocale(LC_ALL,"C");
setlocale(LC_CTYPE,"");   /* only LC_CTYPE changes; LC_COLLATE stays "C" */
if(strcoll("a","B")>0) good_guy();   /* "C" collation: 'a' (0x61) > 'B' (0x42) */
--- snip ---

strcoll()'s behaviour depends on LC_COLLATE in the current locale.
For the "C" locale one would expect a result > 0, but Wine's msvcrt returns the
opposite: < 0.

$ sha1sum mtasa-1.3.4.exe 
80986c6f30cd6bc2de386ef25f85e6a3462b4391  mtasa-1.3.4.exe

$ du -sh mtasa-1.3.4.exe 
20M    mtasa-1.3.4.exe

$ wine --version
wine-1.7.8-220-g0bef543

Regards
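Replaying the check on a native C runtime, as an added example that is not from the bug report or the MTA loader: it shows that after this locale set-up LC_COLLATE is still "C", so strcoll("a","B") must be positive, and contrasts that with a locale-aware collation (en_US.UTF-8 is an assumption and is skipped when that locale is not installed).

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>

/* Replay the loader's locale set-up: everything back to "C", then only
 * LC_CTYPE follows the environment. LC_COLLATE is left at "C". */
static void loader_setlocale(void)
{
    setlocale(LC_ALL, "C");
    setlocale(LC_CTYPE, "");
}

/* Name LC_COLLATE reports after that set-up; expected "C". */
const char *collate_locale_name(void)
{
    loader_setlocale();
    return setlocale(LC_COLLATE, NULL);
}

/* Sign of strcoll(a, b) after that set-up: 1, 0 or -1. "C" collation is
 * byte order, so "a" (0x61) sorts after "B" (0x42) and the check passes. */
int collate_sign(const char *a, const char *b)
{
    int r;
    loader_setlocale();
    r = strcoll(a, b);
    return (r > 0) - (r < 0);
}

/* Contrast: the same compare under a locale-aware collation (assumed
 * en_US.UTF-8; returns 0 if not installed). There "a" sorts before "B",
 * the -1 that Wine's msvcrt wrongly returned with LC_COLLATE still "C". */
int collate_sign_en_us(const char *a, const char *b)
{
    int r;
    setlocale(LC_ALL, "C");
    if (setlocale(LC_COLLATE, "en_US.UTF-8") == NULL)
        return 0;
    r = strcoll(a, b);
    return (r > 0) - (r < 0);
}

int main(void)
{
    int s = collate_sign("a", "B");
    printf("LC_COLLATE=%s sign=%d -> %s\n", collate_locale_name(), s,
           s > 0 ? "good_guy()" : "page-fault path");
    printf("en_US.UTF-8 sign=%d\n", collate_sign_en_us("a", "B"));
    return 0;
}
```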
