[Bug 37272] New: CheatEngine 6.4 fails after remote process 'breakin', reporting 'Debugger Crash:Access violation (Last location:41)'

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Sep 14 17:37:06 CDT 2014 

https://bugs.winehq.org/show_bug.cgi?id=37272

            Bug ID: 37272
           Summary: CheatEngine 6.4 fails after remote process 'breakin',
                    reporting 'Debugger Crash:Access violation (Last
                    location:41)'
           Product: Wine
           Version: 1.7.26
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dbghelp
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net

Hello folks,

as the summary says.

The app works well in general - except when breaking into remote process for
debugging (to single step).

The app is pretty verbose about its doings, using 'OutputDebugString' API.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Cheat Engine 6.4
...
$ WINEDEBUG=+tid,+seh,+loaddll,+process,+debugstr wine ./Cheat\ Engine.exe
>>log.txt 2>&1
...
0023:warn:debugstr:OutputDebugStringA "setThreadContext(28, 110, 07E9710C).
dr0=0 dr1=0 dr2=0 dr3=0 dr7=400"
...
002b:warn:debugstr:OutputDebugStringA "HandleExceptionDebugEvent:80000004"
...
002b:warn:debugstr:OutputDebugStringA "EXCEPTION_SINGLE_STEP. Dr6=00004000"
...
002b:warn:debugstr:OutputDebugStringA "Handling as a single step event"
...
002b:warn:debugstr:OutputDebugStringA "HandleBreak()"
...
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x410464 ip=00410464
tid=0023
0023:trace:seh:raise_exception  info[0]=00000001
0023:trace:seh:raise_exception  info[1]=d000db06
0023:trace:seh:raise_exception  eax=0000000b ebx=044bbc78 ecx=d000dafe
edx=001c9071 esi=044bbc74 edi=001c9071
0023:trace:seh:raise_exception  ebp=01b8ea5c esp=01b8e9f0 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210282
0023:trace:seh:call_stack_handlers calling handler at 0x7bc9de17 code=c0000005
flags=0
0023:trace:seh:call_stack_handlers handler at 0x7bc9de17 returned 0
...
--- snip ---

The CheatEngine debugger was attached to 'notepad' process.

--- snip ---
Wine-dbg>info process

 pid      threads  executable (all id:s are in hex)
 00000027 1        'notepad.exe'
 00000022 3        'cheatengine-i386.exe'
 00000020 1        'explorer.exe'
 0000000e 5        'services.exe'
 00000019 3        \_ 'plugplay.exe'
 00000012 4        \_ 'winedevice.exe'

Wine-dbg>info thread

process  tid      prio (all id:s are in hex)
...
00000022 cheatengine-i386.exe
    0000002b    0
    00000024    0
    00000023    0
00000027 notepad.exe
    00000028    0 
--- snip ---

Running the debugger under a debugger yields the following:

--- snip ---
Unhandled exception: page fault on write access to 0xd000db06 in 32-bit code
(0x00410464).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:00410464 ESP:01b8e9f0 EBP:01b8ea5c EFLAGS:00210282(  R- --  I S - - - )
 EAX:0000000b EBX:040341a8 ECX:d000dafe EDX:001c9071
 ESI:040341a4 EDI:001c9071
Stack dump:
0x01b8e9f0:  000000b0 0000000b 040341a4 000000b0
0x01b8ea00:  0423c2e8 0423c2ec 004105ee 0000004c
0x01b8ea10:  0423c2e8 00410bdd 0000001c 0423c2e8
0x01b8ea20:  00000414 0040fa88 006426a9 0423c2e8
0x01b8ea30:  0410a7f8 00000414 006429b7 0423c2e8
0x01b8ea40:  0410a7f8 006427ad 001b2ba8 00000000
000c: sel=0067 base=00000000 limit=00000000 16-bit --x
Backtrace:
=>0 0x00410464 in cheatengine-i386 (+0x10464) (0x01b8ea5c)
  1 0x007011b4 in cheatengine-i386 (+0x3011b3) (0x01b8ea70)
  2 0x0050bc97 in cheatengine-i386 (+0x10bc96) (0x01b8f368)
  3 0x0050c155 in cheatengine-i386 (+0x10c154) (0x01b8f6a0)
  4 0x0044b868 in cheatengine-i386 (+0x4b867) (0x01b8f6b8)
  5 0x00452019 in cheatengine-i386 (+0x52018) (0x01b8f728)
  6 0x004fd312 in cheatengine-i386 (+0xfd311) (0x01b8f7ac)
  7 0x005013c1 in cheatengine-i386 (+0x1013c0) (0x01b8f824)
  8 0x0058ef28 in cheatengine-i386 (+0x18ef27) (0x01b8f898)
  9 0x006e7668 in cheatengine-i386 (+0x2e7667) (0x01b8faa8)
  10 0x7eb8fb5e WINPROC_wrapper+0x19() in user32 (0x01b8fad8)
...
0x00410464: movl    $0x0,0x8(%ecx)
--- snip ---

The app is open source: https://code.google.com/p/cheat-engine

--- snip ---
$ svn checkout http://cheat-engine.googlecode.com/svn/trunk/
cheat-engine-read-only
--- snip ---

'Last location:41' part of error message gives a hint:

htps://code.google.com/p/cheat-engine/source/browse/trunk/Cheat%20Engine/debugeventhandler.pas#180

--- snip ---
procedure TDebugThreadHandler.VisualizeBreak;
begin
  TDebuggerthread(debuggerthread).execlocation:=41;
  if processhandler.SystemArchitecture=archx86 then
    MemoryBrowser.lastdebugcontext:=context^
  else
    MemoryBrowser.lastdebugcontextarm:=armcontext;

  WaitingToContinue:=not lua_onBreakpoint(context);

  if WaitingToContinue then //no lua script or it returned 0
    MemoryBrowser.UpdateDebugContext(self.Handle, self.ThreadId);

end;
--- snip ---

The crashes happens during update of stacktrace listview, after a couple of
'dbghelp.StackWalk64' calls.

'TMemoryBrowser.UpdateDebugContext' -> 'TfrmStacktrace.stacktrace'

https://code.google.com/p/cheat-engine/source/browse/trunk/Cheat%20Engine/frmstacktraceunit.pas#120

The crash address is an indirect reference from ECX = 0xd000dafe (+8) .. a
value which corresponds to Wine's 'frame->KdHelp.KiCallUserMode' magic value.

The stack frame data structure passed to 'StackWalk64' is allocated from
internal Delphi heap and initialized.

--- snip ---
procedure TfrmStacktrace.stacktrace(threadhandle:thandle;context:_context);
var
stackframe: PStackframe64;
cxt:_context;
wow64ctx: CONTEXT32;
a,b,c,d: dword;
sa,sb,sc,sd:string;
machinetype: dword;

cp: pointer;

found: boolean;
begin

...
getmem(stackframe,sizeof(tstackframe));
zeromemory(stackframe,sizeof(tstackframe));
stackframe^.AddrPC.Offset:=context.{$ifdef cpu64}rip{$else}eip{$endif};
stackframe^.AddrPC.mode:=AddrModeFlat;

stackframe^.AddrStack.Offset:=context.{$ifdef cpu64}rsp{$else}esp{$endif};
stackframe^.AddrStack.Mode:=addrmodeflat;

stackframe^.AddrFrame.Offset:=context.{$ifdef cpu64}rbp{$else}ebp{$endif};
stackframe^.AddrFrame.Mode:=addrmodeflat;
...
--- snip ---

The corresponding disassembly, annotated:

--- snip ---
0050BBD1     8D45 F8          LEA EAX,DWORD PTR SS:[EBP-8]
0050BBD4     BA A4000000      MOV EDX,0A4            ; sizeof(tstackframe)
0050BBD9     E8 323EF0FF      CALL cheateng.0040FA10 ; getmem()
0050BBDE     68 A4000000      PUSH 0A4               ; sizeof(tstackframe)
0050BBE3     FF75 F8          PUSH DWORD PTR SS:[EBP-8]
0050BBE6     E8 C5121600      CALL cheateng.0066CEB0 ; zeromemory()
0050BBEB     8B4D F8          MOV ECX,DWORD PTR SS:[EBP-8]
0050BBEE     8B95 38F8FFFF    MOV EDX,DWORD PTR SS:[EBP-7C8]
0050BBF4     B8 00000000      MOV EAX,0
0050BBF9     8911             MOV DWORD PTR DS:[ECX],EDX ; stackframe^.AddrPC..
0050BBFB     8941 04          MOV DWORD PTR DS:[ECX+4],EAX
--- snip ---

0xA4 is a bit too small for 'STACKFRAME64' structure.

MSDN:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680646%28v=vs.85%29.aspx

My guess is that Delphi/Pascal's definition of 'tstackframe' doesn't include
the 'KDHELP64' part which is reserved for kernel debuggers.

The problem is that Wine writes magic values into an area that should be left
untouched since we're dealing with usermode debugging.
That corrupts the internal heap.

Source:
http://source.winehq.org/git/wine.git/blob/61a9eef9a1c0a72e6571742dbb830f7b22c05230:/dlls/dbghelp/stack.c#l210

--- snip ---
...
242     /* we don't handle KdHelp */
243     frame->KdHelp.Thread = 0xC000FADE;
244     frame->KdHelp.ThCallbackStack = 0x10;
245     frame->KdHelp.ThCallbackBStore = 0;
246     frame->KdHelp.NextCallback = 0;
247     frame->KdHelp.FramePointer = 0;
248     frame->KdHelp.KiCallUserMode = 0xD000DAFE;
249     frame->KdHelp.KeUserCallbackDispatcher = 0xE000F000;
250     frame->KdHelp.SystemRangeStart = 0xC0000000;
251     frame->KdHelp.Reserved[0] /* KiUserExceptionDispatcher */ = 0xE0005000;
...
--- snip ---

The code that writes the magic values was added 8 years ago:

http://source.winehq.org/git/wine.git/commitdiff/558130a696a1e6c11a84f3d1f12515c74b9ef17f

Not sure what the intention was since usermode debuggers can't deal with these
things anyway.

With that part fixed, CheatEngine can debug remote processes after attaching.

$ sha1sum CheatEngine64.exe 
8cb06bca312ed2bfa02c7f9344f2717d02ecd931  CheatEngine64.exe

$ du -sh CheatEngine64.exe 
8.7M    CheatEngine64.exe

$ wine --version
wine-1.7.26-44-gb10b391

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list