[Bug 30499] Multiple Avira AVG product installers crash due to access of undocumented PEB field "UnicodeCaseTableData" (AVG Free Edition 2012, TuneUp Utilities 2014)

wine-bugs at winehq.org
Thu Apr 3 13:56:24 CDT 2014


http://bugs.winehq.org/show_bug.cgi?id=30499

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Avira AVG Free Edition 2012 |Multiple Avira AVG product
                   |(32/64-bit) installer       |installers crash due to
                   |crashes due to access of    |access of undocumented PEB
                   |undocumented PEB field      |field
                   |"UnicodeCaseTableData"      |"UnicodeCaseTableData" (AVG
                   |                            |Free Edition 2012, TuneUp
                   |                            |Utilities 2014)

--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

found another victim: AVG 'TuneUp Utilities 2014' installer

Download: http://www.tune-up.com/download/

The installer extracts a temp dll which peeks into the native API.
Its real name is 'avgreplibx.dll' - according to the version resource.

It retrieves function addresses using the low-level loader API:

--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./TuneUpUtilities2014_en-US.exe >>log.txt 2>&1
...
0023:Call KERNEL32.CreateFileW(00143698 L"C:\\users\\focht\\Temp\\TUM67ce.tmp",40000000,00000000,00000000,00000002,00000080,00000000) ret=004171a9
0023:Ret  KERNEL32.CreateFileW() retval=00000068 ret=004171a9
0023:Call KERNEL32.WriteFile(00000068,01d80720,0008ab38,0033f8ac,00000000) ret=004171c3
0023:Ret  KERNEL32.WriteFile() retval=00000001 ret=004171c3
0023:Call KERNEL32.CloseHandle(00000068) ret=004171f3
0023:Ret  KERNEL32.CloseHandle() retval=00000001 ret=004171f3
0023:Call KERNEL32.CreateFileW(00143698 L"C:\\users\\focht\\Temp\\TUM67ce.tmp",80000000,00000005,00000000,00000003,04000000,00000000) ret=0041f2b7
0023:Ret  KERNEL32.CreateFileW() retval=00000068 ret=0041f2b7
...
0023:Call KERNEL32.LoadLibraryW(00143d40 L"C:\\users\\focht\\Temp\\TUM67ce.tmp") ret=0040150a
0023:Call PE DLL (proc=0x1005939c,module=0x10000000 L"TUM67ce.tmp",reason=PROCESS_ATTACH,res=(nil))
...
0023:Call ntdll.LdrLoadDll(00000000,00000000,0033eba4,0033ebac) ret=10018d0c
0023:Ret  ntdll.LdrLoadDll() retval=00000000 ret=10018d0c
0023:Call ntdll.LdrGetProcedureAddress(7bc10000,0033ebb0,00000000,100840f4) ret=10018d73
0023:Ret  ntdll.LdrGetProcedureAddress() retval=00000000 ret=10018d73
0023:Call ntdll.LdrGetProcedureAddress(7bc10000,0033ebb0,00000000,10084154) ret=10018d9f
0023:Ret  ntdll.LdrGetProcedureAddress() retval=00000000 ret=10018d9f
0023:Call ntdll.LdrGetProcedureAddress(7bc10000,0033ebb0,00000000,100840f8) ret=10018dcb
...
0023:Call ntdll.RtlInitUnicodeString(0033ebbc,10074458 L"kernel32.dll") ret=1001c3b5
0023:Ret  ntdll.RtlInitUnicodeString() retval=0033ebbc ret=1001c3b5
0023:Call ntdll.LdrGetDllHandle(00000000,00000000,0033ebbc,0033ebcc) ret=1001c3c7
0023:Ret  ntdll.LdrGetDllHandle() retval=00000000 ret=1001c3c7
0023:Call ntdll.LdrGetProcedureAddress(7b810000,0033ebc4,00000000,10084180) ret=1001c402
0023:Ret  ntdll.LdrGetProcedureAddress() retval=00000000 ret=1001c402
0023:Call ntdll.LdrGetProcedureAddress(7b810000,0033ebc4,00000000,1008417c) ret=1001c42e
0023:Ret  ntdll.LdrGetProcedureAddress() retval=00000000 ret=1001c42e
0023:Call ntdll.LdrGetProcedureAddress(7b810000,0033ebc4,00000000,10084184) ret=1001c45a
0023:Ret  ntdll.LdrGetProcedureAddress() retval=00000000 ret=1001c45a
...
--- snip ---

Unfortunately Wine's LdrGetProcedureAddress() doesn't have a TRACE, so I did some
'log' breakpoint magic to get the lists.
Failure to look up an API is not critical at that point (unless called later).

--- snip ---
ntdll.dll:

 ASCII "RtlGetVersion"
 ASCII "RtlGetProductInfo"
 ASCII "ZwCreateMutant"
 ASCII "RtlAddMandatoryAce"
 ASCII "ZwQueryDirectoryObject"
 ASCII "ZwOpenProcessToken"
 ASCII "RtlExitUserThread"
 ASCII "CsrGetProcessId"
 ASCII "RtlGetNativeSystemInformation"
 ASCII "RtlGetUnloadEventTrace"
 ASCII "NtGetTickCount"
 ASCII "RtlDowncaseUnicodeChar"
 ASCII "RtlGetUnloadEventTraceEx"
 ASCII "ZwCreateTransaction"
 ASCII "RtlGetCurrentTransaction"
 ASCII "RtlSetCurrentTransaction"
 ASCII "ZwCommitTransaction"
 ASCII "ZwRollbackTransaction"
 ASCII "RtlWow64EnableFsRedirectionEx"
 ASCII "ZwOpenKeyTransacted"
 ASCII "ZwCreateKeyTransacted"
 ASCII "EtwEventRegister"
 ASCII "EtwEventUnregister"
 ASCII "EtwEventWrite"
 ASCII "EtwEventWriteEx"
 ASCII "ZwCancelIoFileEx"
 ASCII "RtlEncodePointer"
 ASCII "RtlDecodePointer"
--- snip ---

--- snip ---
kernel32.dll:

 ASCII "CopyFileW"
 ASCII "CopyFileA"
 ASCII "ReadFile"
 ASCII "WriteFile"
 ASCII "UnhandledExceptionFilter"
 ASCII "SetUnhandledExceptionFilter"
 ASCII "GlobalMemoryStatusEx"
 ASCII "GetEnvironmentStringsA"
 ASCII "GetEnvironmentStringsW"
 ASCII "FreeEnvironmentStringsA"
 ASCII "FreeEnvironmentStringsW"
 ASCII "CreateProcessW"
 ASCII "CreateProcessA"
 ASCII "DefineDosDeviceW"
 ASCII "DefineDosDeviceA"
 ASCII "GetACP"
 ASCII "FindResourceExA"
 ASCII "FindResourceExW"
--- snip ---

It crashes here:

--- snip ---
...
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x10013817 ip=10013817 tid=0023
0023:trace:seh:raise_exception  info[0]=00000000
0023:trace:seh:raise_exception  info[1]=00000002
0023:trace:seh:raise_exception  eax=10072fd8 ebx=1007302a ecx=7ffdf000 edx=00000000 esi=00000001 edi=00000029
0023:trace:seh:raise_exception  ebp=0033eb54 esp=0033eb3c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0023:trace:seh:call_stack_handlers calling handler at 0x10066aed code=c0000005 flags=0
0023:Call KERNEL32.GetLastError() ret=1005aaed
0023:Ret  KERNEL32.GetLastError() retval=00000000 ret=1005aaed
0023:trace:seh:call_stack_handlers handler at 0x10066aed returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x10065f58 code=c0000005 flags=0
0023:Call KERNEL32.GetLastError() ret=1005aaed
0023:Ret  KERNEL32.GetLastError() retval=00000000 ret=1005aaed
0023:trace:seh:call_stack_handlers handler at 0x10065f58 returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x10059ea0 code=c0000005 flags=0
...
0023:Call user32.MessageBoxW(00000000,10080b30 L"Runtime Error!\n\nProgram: Z:\\home\\focht\\Downloads\\TuneUpUtilities2014_en-US.exe\n\nR6016\r\n- not enough space for thread data\r\n",1006c130 L"Microsoft Visual C++ Runtime Library",00012010) ret=1005e8a8
--- snip ---

The actual code:

--- snip ---
...
1001380A  MOV ECX,DWORD PTR FS:[18]
10013811  MOV ECX,DWORD PTR DS:[ECX+30]
10013814  MOV EDX,DWORD PTR DS:[ECX+60]
10013817  MOVZX ECX,WORD PTR DS:[EDX+2]
1001381B  ADD ECX,2
1001381E  LEA ECX,[ECX*2+EDX]
10013821  MOV DWORD PTR SS:[EBP+18],ECX
10013824  CMP EAX,EBX
10013826  JAE 10013923
--- snip ---

That's 'PEB->UnicodeCaseTableData'

$ sha1sum TuneUpUtilities2014_en-US.exe
77f9bf5c3c154ee33cec9e146443db5b98b3b80b  TuneUpUtilities2014_en-US.exe

$ du -sh TuneUpUtilities2014_en-US.exe
27M    TuneUpUtilities2014_en-US.exe

$ wine --version
wine-1.7.15-173-ge851999

Regards
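Added illustration, not code from the bug report, from Wine or from the installer: the quoted instruction sequence rendered in C, together with the NULL guard that would have turned the c0000005 fault (EDX=0, faulting read at address 2) into a graceful failure. The table layout (16-bit header words, the word at byte offset 2 used as a word count) is assumed only from the disassembly, and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Mirrors the crashing sequence from comment #4:
 *   MOVZX ECX, WORD PTR [EDX+2]   ; ecx = table[1]
 *   ADD   ECX, 2                  ; ecx += 2
 *   LEA   ECX, [ECX*2+EDX]        ; ecx = (uint16_t *)table + ecx
 * EDX is PEB->UnicodeCaseTableData. In the trace it is 0, so the first
 * MOVZX reads address 0+2 = 2 (info[0]=0 read, info[1]=2) and faults.
 * The guard below is the check the installer code lacks. */
const uint16_t *locate_subtable(const uint16_t *table)
{
    if (table == NULL)            /* the missing guard: never read [0+2] */
        return NULL;
    uint16_t count = table[1];    /* MOVZX ECX, WORD PTR [EDX+2] */
    return table + count + 2;     /* ADD ECX,2 ; LEA ECX,[ECX*2+EDX] */
}

/* Constructed header (assumed layout): word[1] = 3, so the sub-table the
 * code wants starts at word index 3 + 2 = 5. */
static const uint16_t sample_table[8] = {
    0x0010, 0x0003, 0x0000, 0x0000, 0x0000, 0xAAAA, 0xBBBB, 0xCCCC
};

/* Word index of the located sub-table within the sample header. */
size_t sample_subtable_index(void)
{
    const uint16_t *p = locate_subtable(sample_table);
    return (size_t)(p - sample_table);
}

/* First word of the located sub-table. */
uint16_t sample_subtable_first_word(void)
{
    return *locate_subtable(sample_table);
}

/* 1 when a NULL table pointer is rejected instead of dereferenced. */
int null_table_is_rejected(void)
{
    return locate_subtable(NULL) == NULL;
}
```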
