[Bug 38956] New: Creo Elements/Direct Modeling Express 6.0 .NET based licensing tool fails with .NET Framework error (Xenocode registry virtualization fails to intercept Wine's root key handles)
wine-bugs at winehq.org
Mon Jul 20 16:51:02 CDT 2015
https://bugs.winehq.org/show_bug.cgi?id=38956
Bug ID: 38956
Summary: Creo Elements/Direct Modeling Express 6.0 .NET based
licensing tool fails with .NET Framework error
(Xenocode registry virtualization fails to intercept
Wine's root key handles)
Product: Wine
Version: 1.7.47
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: advapi32
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
continuation of bug 38950
(avoid relay thunks, they interfere with Xenocode hooks).
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/PTC/Creo Elements/Direct Modeling Express 6.0/binNT/OLAPE
$ WINEDEBUG=+tid,+seh,+loaddll,+process,+reg,+msgbox wine ./OLAPEP.exe >>log.txt 2>&1
...
002c:trace:loaddll:load_native_dll Loaded L"C:\\windows\\system32\\mscoree.dll" at 0x79000000: native
002c:trace:loaddll:load_native_dll Loaded L"C:\\Program Files\\PTC\\Creo Elements\\Direct Modeling Express 6.0\\binNT\\OLAPE\\OLAPEPP.exe" at 0x400000: native
002c:trace:reg:GetSystemInfo si=0x0x2142f9d8
002c:trace:reg:GetSystemInfo si=0x0x2142f73c
002c:trace:reg:NtOpenKey (0x20,L"System\\CurrentControlSet\\Control\\Video\\{f996be7c-6eca-46cd-96df-3524ac767421}\\0000",2000000,0x2142eff0)
002c:trace:reg:NtOpenKey <- 0x24c
002c:trace:reg:RegQueryValueExW (0x24c,L"GraphicsDriver",(nil),(nil),0x2142f348,0x2142f550=520)
002c:trace:reg:NtQueryValueKey (0x24c,L"GraphicsDriver",2,0x2142f11c,256)
002c:trace:loaddll:load_builtin_dll Loaded L"C:\\windows\\system32\\winex11.drv" at 0x7e280000: builtin
002c:trace:reg:NtOpenKey (0x24,L"Software\\Wine\\X11 Driver",2000000,0x2142e6e0)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x24,L"Software\\Wine\\AppDefaults",2000000,0x2142e6e0)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtCreateKey (0x24,L"Keyboard Layout\\Preload",(null),0,f003f,0x2142e57c)
002c:trace:reg:NtCreateKey <- 0x25c
002c:trace:reg:RegQueryValueExW (0x25c,L"1",(nil),(nil),(nil),(nil)=0)
002c:trace:reg:NtQueryValueKey (0x25c,L"1",2,0x2142e6dc,12)
002c:trace:reg:NtOpenKey (0x2c,L"Software\\Fonts",2000000,0x2142ebe0)
002c:trace:reg:NtOpenKey <- 0x24c
002c:trace:reg:RegQueryValueExW (0x24c,L"LogPixels",(nil),0x2142ee94,0x2142ee8c,0x2142ee90=4)
002c:trace:reg:NtQueryValueKey (0x24c,L"LogPixels",2,0x2142ed0c,16)
002c:trace:reg:NtOpenKey (0x20,L"System\\CurrentControlSet\\Control\\FontAssoc\\Associated Charset",2000000,0x2142eb40)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\\Microsoft\\.NETFramework",20019,0x2142ebc0)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\\Microsoft\\.NETFramework",20019,0x2142d090)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\\Microsoft\\.NETFramework",20019,0x2142d440)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\\Microsoft\\.NETFramework",20019,0x2142cb70)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x24,L"Software\\Microsoft\\.NETFramework\\Policy\\Upgrades",20019,0x2142d440)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\\Microsoft\\.NETFramework\\Policy\\Upgrades",20019,0x2142d440)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\\Microsoft\\.NETFramework",20019,0x2142cb70)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtCreateKey (0x24,L"Control Panel\\Desktop\\WindowMetrics",(null),0,2000000,0x2142d82c)
002c:trace:reg:NtCreateKey <- 0x25c
...
002c:trace:msgbox:MSGBOX_OnInit L"A fatal error occurred. However, mscorees.dll could not be loaded to display the appropriate error message.\n\nPlease reinstall the .NET Framework."
--- snip ---
The call in question from virtualized/sandboxed .NET Framework (unwrapped in
memory):
--- snip ---
4252EDFC 79003ECE CALL to RegOpenKeyExW from mscoree.79003EC8
4252EE00 80000002 hKey = HKEY_LOCAL_MACHINE
4252EE04 79004010 Subkey = "Software\Microsoft\.NETFramework"
4252EE08 00000000 Reserved = 0
4252EE0C 00020019 Access = KEY_READ
4252EE10 4252EE44 pHandle = 4252EE44
4252EE14 00000000
4252EE18 4252EE48
4252EE1C 790063FD RETURN to mscoree.790063FD from mscoree.79003EA4
4252EE20 80000002
4252EE24 79004010 UNICODE "Software\Microsoft\.NETFramework"
4252EE28 00000000
...
--- snip ---
Here: NtOpenKey -> lookup predefined handle for HKEY_LOCAL_MACHINE -> 0x20
(internally cached)
Initial: get_special_root_hkey -> create_special_root_hkey -> create_key ->
NtCreateKey
Xenocode VM uses a handle tracker for objects of interest which includes
registry handles.
It intercepts various native API calls and injects/translates to its own data
as needed.
The problem here is the interception of the special registry root directory
key(s).
Although 'NtOpenKey' API is hooked, Xenocode fails to translate the parent key
(= special root key handle), falling back by calling Wine implementation.
Since .NET Framework is not installed, the .NET registry keys and values are
not present in the "real" registry, leading to failure.
The native API interception logic is set up after the main executable got
unwrapped and mapped with imports resolved by Xenocode loader.
Unfortunately the special root key handles were already created as part of
original startup code by Wine hence the creation of those parent handles (out
parameter) is never seen by the Xenocode handle tracker.
---
For completeness the native registry API that can be potentially hooked:
--- snip ---
423F0B66 68 0C754042 PUSH OLAPEP.4240750C ; "NtCompactKeys"
423F0B7F 68 1C754042 PUSH OLAPEP.4240751C ; "NtCompressKey"
423F0B98 68 2C754042 PUSH OLAPEP.4240752C ; "NtCreateKey"
423F0BB1 68 38754042 PUSH OLAPEP.42407538 ; "NtDeleteKey"
423F0BCA 68 44754042 PUSH OLAPEP.42407544 ; "NtDeleteValueKey"
423F0BE3 68 58754042 PUSH OLAPEP.42407558 ; "NtEnumerateKey"
423F0BFC 68 68754042 PUSH OLAPEP.42407568 ; "NtEnumerateValueKey"
423F0C15 68 7C754042 PUSH OLAPEP.4240757C ; "NtFlushKey"
423F0C31 68 88754042 PUSH OLAPEP.42407588 ; "NtLoadKey"
423F0C4A 68 94754042 PUSH OLAPEP.42407594 ; "NtLoadKey2"
423F0C63 68 A0754042 PUSH OLAPEP.424075A0 ; "NtLoadKeyEx"
423F0C7C 68 AC754042 PUSH OLAPEP.424075AC ; "NtLockRegistryKey"
423F0C95 68 C0754042 PUSH OLAPEP.424075C0 ; "NtNotifyChangeKey"
423F0CAE 68 D4754042 PUSH OLAPEP.424075D4 ; "NtNotifyChangeMultipleKeys"
423F0CC7 68 F0754042 PUSH OLAPEP.424075F0 ; "NtOpenKey"
423F0CE0 68 FC754042 PUSH OLAPEP.424075FC ; "NtQueryKey"
423F0CFC 68 08764042 PUSH OLAPEP.42407608 ; "NtQueryMultipleValueKey"
423F0D15 68 20764042 PUSH OLAPEP.42407620 ; "NtQueryOpenSubKeys"
423F0D2E 68 34764042 PUSH OLAPEP.42407634 ; "NtQueryOpenSubKeysEx"
423F0D47 68 4C764042 PUSH OLAPEP.4240764C ; "NtQueryValueKey"
423F0D60 68 5C764042 PUSH OLAPEP.4240765C ; "NtRenameKey"
423F0D79 68 68764042 PUSH OLAPEP.42407668 ; "NtReplaceKey"
423F0D92 68 78764042 PUSH OLAPEP.42407678 ; "NtRestoreKey"
423F0DAB 68 88764042 PUSH OLAPEP.42407688 ; "NtSaveKey"
423F0DC7 68 94764042 PUSH OLAPEP.42407694 ; "NtSaveKeyEx"
423F0DE0 68 A0764042 PUSH OLAPEP.424076A0 ; "NtSaveMergedKeys"
423F0DF9 68 B4764042 PUSH OLAPEP.424076B4 ; "NtSetInformationKey"
423F0E12 68 C8764042 PUSH OLAPEP.424076C8 ; "NtSetValueKey"
423F0E2B 68 D8764042 PUSH OLAPEP.424076D8 ; "NtUnloadKey"
423F0E44 68 E4764042 PUSH OLAPEP.424076E4 ; "NtUnloadKey2"
423F0E5D 68 F4764042 PUSH OLAPEP.424076F4 ; "NtUnloadKeyEx"
--- snip ---
$ sha1sum ModelingPE__setup_EN.exe
333736c553c2eb985436e63f20bfcbb59932b6fb ModelingPE__setup_EN.exe
$ du -sh ModelingPE__setup_EN.exe
207M ModelingPE__setup_EN.exe
$ wine --version
wine-1.7.47-162-g0f9a0aa
Regards
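
The ordering problem described in the report, reduced to a small model. This is an added illustration, not Wine or Xenocode code: the tracker array, the function names and the handle allocation are assumptions that simplify the behaviour the report describes (a handle tracker that only learns about handles whose creation it observed).

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: handles the (hypothetical) tracker saw being created. */
static unsigned tracked[8];
static int n_tracked, hooks_on;
static unsigned next_handle;

/* Constructed sample: key present only in the sandbox's virtual registry. */
static const char *virtual_keys[] = { "Software\\Microsoft\\.NETFramework" };

/* Host-side creation of a root key handle; recorded only if hooks are live. */
static unsigned create_root_key(void)
{
    unsigned h = next_handle;
    next_handle += 4;
    if (hooks_on && n_tracked < 8) tracked[n_tracked++] = h;
    return h;
}

/* Model of the hooked NtOpenKey: 1 = open succeeds, 0 = open fails. */
static int hooked_open_key(unsigned parent, const char *subkey)
{
    int known = 0;
    for (int i = 0; i < n_tracked; i++) if (tracked[i] == parent) known = 1;
    if (!known) return 0; /* falls back to the host registry, which lacks the key */
    for (size_t i = 0; i < sizeof virtual_keys / sizeof *virtual_keys; i++)
        if (!strcmp(virtual_keys[i], subkey)) return 1;
    return 0;
}

/* root_before_hooks = 1 reproduces the ordering described in the report. */
static int run_scenario(int root_before_hooks)
{
    unsigned hklm = 0;
    n_tracked = 0; hooks_on = 0; next_handle = 0x20;
    if (root_before_hooks) hklm = create_root_key(); /* startup caches the root */
    hooks_on = 1;                                    /* loader installs hooks   */
    if (!root_before_hooks) hklm = create_root_key();
    return hooked_open_key(hklm, "Software\\Microsoft\\.NETFramework");
}

int main(void)
{
    printf("root created before hooks: open %s\n", run_scenario(1) ? "ok" : "FAILED");
    printf("root created after hooks:  open %s\n", run_scenario(0) ? "ok" : "FAILED");
    return 0;
}
```
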