[Bug 34623] New: NCsoft's Aion (MMORPG) crashes on startup (WinLicense software protection, avoid forwarding some msvcr80 API to msvcrt)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Sep 29 10:55:24 CDT 2013 

http://bugs.winehq.org/show_bug.cgi?id=34623

             Bug #: 34623
           Summary: NCsoft's Aion (MMORPG) crashes on startup (WinLicense
                    software protection, avoid forwarding some msvcr80 API
                    to msvcrt)
           Product: Wine
           Version: 1.7.3
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: msvcrt
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net
    Classification: Unclassified


Hello folks,

continuation of bug 34470
We're still 'purist' here, no winetricks (VC++ runtimes).

With msvcp80 fordwards fixed, the dll entry points from crysystem.dll and
friends are successfully passed (no more exceptions with loader lock held).

Crashes at this point now invoke the registered crash handler/debugger which is
obviously more helpful ;-)

Besides Winedbg, AION's own crash tool "SendLogClient.exe" gives a bit of
information:

--- snip ---
...
Registers:
EAX=0343e13c CS=0023 EIP=f348e160 EFLGS=00010246
EBX=5653ffd8 SS=002b ESP=0032c63c EBP=0032c6a0
ECX=0349a9c0 DS=002b ESI=564dff90 FS=0063
EDX=032fe560 ES=002b EDI=0349a9c0 GS=006b
Bytes at CS:EIP:
6d 73 76 63 72 74 2e 3f 3f 39 74 79 70 65 5f 69 
Stack dump:
0032C63C: 032FE5AD 0349A9C0 03455245 0343E13D 564DFF90 00000000 00000000
00000000
0032C65C: 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000
0032C67C: 00000000 00000000 00000000 00000000 F73EE680 00000000 00000000
00000000
...
Call Stack Information
F348E160  0032C6A0  0002:00008160 C:\windows\system32\msvcr80.dll
Params: 0343E13C 0349A9C0 5653FFD8 5649FE00
[msvcr80.dll] Bytes at CS:EIP: 6d 73 76 63 72 74 2e 3f 3f 39 74 79 70 65 5f 69 

0338A3F1  0032C710  0001:000B93F1 C:\Program
Files\NCSOFT\Aion\bin32\CrySystem.dll
Params: 0343E13C 0349A9C0 5653FFD8 5653FFC0
[CrySystem.dll] Bytes at CS:EIP: 5f b0 01 5e 88 43 09 5b 8b e5 5d c2 0c 00 5f
5e 
...
--- snip ---

The protection actually detects certain debuggers when being attached at
runtime/crash time and kills them off through watcher threads.

Using tools like Imprec and LordPE one can dissemble/dump from process address
space without attaching to the actual process (non-invasive method).

Using last good return address -> 0x0338A3F1 (CrySystem.dll):

--- snip ---
0338A3DC  8B45 10                   mov eax,[ebp+10]
0338A3DF  8B4D 0C                   mov ecx,[ebp+C]
0338A3E2  8B13                      mov edx,[ebx]
0338A3E4  8B52 04                   mov edx,[edx+4]
0338A3E7  50                        push eax
0338A3E8  8B45 08                   mov eax,[ebp+8]
0338A3EB  51                        push ecx
0338A3EC  50                        push eax
0338A3ED  8BCB                      mov ecx,ebx
0338A3EF  FFD2                      call edx
0338A3F1  5F                        pop edi
0338A3F2  B0 01                     mov al,1
0338A3F4  5E                        pop esi
0338A3F5  8843 09                   mov [ebx+9],al
0338A3F8  5B                        pop ebx
0338A3F9  8BE5                      mov esp,ebp
0338A3FB  5D                        pop ebp
0338A3FC  C2 0C00                   retn C
--- snip ---

"call edx" -> edx from faulting thread context = 0x032fe560 gets the callee
address:

--- snip ---
032FE560  55                        push ebp
032FE561  8BEC                      mov ebp,esp
032FE563  83EC 50                   sub esp,50
032FE566  833D B00B4C03 00          cmp dword ptr [34C0BB0],0
032FE56D  53                        push ebx
032FE56E  8B5D 10                   mov ebx,[ebp+10]
032FE571  56                        push esi
032FE572  57                        push edi
032FE573  8B7D 0C                   mov edi,[ebp+C]
032FE576  8BF1                      mov esi,ecx
032FE578  74 27                     je short 032FE5A1
032FE57A  68 7CA54903               push 349A57C
032FE57F  B9 C0A94903               mov ecx,349A9C0
032FE584  90                        nop
032FE585  E8 B5FB18F0               call F348E13F
032FE58A  84C0                      test al,al
032FE58C  74 13                     je short 032FE5A1
032FE58E  8D46 10                   lea eax,[esi+10]
032FE591  50                        push eax
032FE592  53                        push ebx
032FE593  57                        push edi
032FE594  FF15 B00B4C03             call [34C0BB0]
...
--- snip ---

The interesting call is at 0x032FE585 -> "call F348E13F"

No need to disassemble the call target as it's obvious from the backtrace that
the fault is caused by executing ascii characters and not opcodes.

" Bytes at CS:EIP: 6d 73 76 63 72 74 2e 3f 3f 39 74 79 70 65 5f 69 "

Dump gives:

--- snip ---
F348E13F   6D 73 76 63 72 74 2E 3F 3F 38 74 79 70 65 5F 69   msvcrt.??8type_i
F348E14F   6E 66 6F 40 40 51 42 45 48 41 42 56 30 40 40 5A   nfo@@QBEHABV0@@Z
F348E15F   00 6D 73 76 63 72 74 2E 3F 3F 39 74 79 70 65 5F   .msvcrt.??9type_
F348E16F   69 6E 66 6F 40 40 51 42 45 48 41 42 56 30 40 40   info@@QBEHABV0@@
F348E17F   5A 00 6D 73 76 63 72 74 2E 3F 3F 5F 37 5F 5F 6E   Z.msvcrt.??_7__n
F348E18F   6F 6E 5F 72 74 74 69 5F 6F 62 6A 65 63 74 40 40   on_rtti_object@@
--- snip ---

It wants msvcr80.dll "??8type_info@@QBE_NABV0@@Z" which is unfortunately
forwarded to msvcrt.dll

Source:
http://source.winehq.org/git/wine.git/blob/dadb2fdfa9f73ef49a71837c3a21483056950d09:/dlls/msvcr80/msvcr80.spec#l49

--- snip ---
 49 @ thiscall -arch=i386 ??8type_info@@QBE_NABV0@@Z(ptr ptr)
msvcrt.??8type_info@@QBEHABV0@@Z
--- snip ---

Source:
http://source.winehq.org/git/wine.git/blob/e931b5d17ee481798a72de2bd3103ed2d7afb131:/dlls/msvcrt/cpp.c#l538

--- quote ---
538 /******************************************************************
539 * ??8type_info@@QBEHABV0@@Z (MSVCRT.@)
540 */
541 DEFINE_THISCALL_WRAPPER(MSVCRT_type_info_opequals_equals,8)
542 int __thiscall MSVCRT_type_info_opequals_equals(type_info * _this, const
type_info * rhs)
543 {
544 int ret = !strcmp(_this->mangled + 1, rhs->mangled + 1);
545 TRACE("(%p %p) returning %d\n", _this, rhs, ret);
546 return ret;
547 }
--- quote ---

Figuring out the list imports that can't be forwarded to msvcrt is usually done
using following approach (assuming no IAT/indirect calls)...

Basically you search the mapped range of unpacked dll code section(s), checking
all call/jmp destinations that match the range of mapped system dll (all
sections), throw away the ones that point to code section and analyse the ones
that point to other (data) section(s). 

The following APIs that should not be forwarded to msvcrt:

--- quote ---
msvcr80.dll.??0exception at std@@QAE at ABQBD@Z
msvcr80.dll.??0exception at std@@QAE at ABQBDH@Z
msvcr80.dll.??0exception at std@@QAE at ABV01@@Z
msvcr80.dll.??0exception at std@@QAE at XZ
msvcr80.dll.??1exception at std@@UAE at XZ
msvcr80.dll.??8type_info@@QBE_NABV0@@Z
msvcr80.dll.??9type_info@@QBE_NABV0@@Z
msvcr80.dll.?_name_internal_method at type_info@@QBEPBDPAU__type_info_node@@@Z
--- quote ---

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list