[Bug 38714] 64-bit ARM Windows applications from Windows SDK for Windows 10 crash in entry (loader needs to set/randomize security cookie for PE modules)
wine-bugs at winehq.org
Tue Jun 16 19:12:59 CDT 2015
https://bugs.winehq.org/show_bug.cgi?id=38714
--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello André,
I've seen your patch on the mailing list.
https://source.winehq.org/patches/data/112108
Although the bug is about 64-bit ARM, apps targeting Windows 8.x x64 and
Windows 10 x64 will require the same mechanism.
You are not free to choose any "magic" cookie value when you do the security
cookie initialization in the loader.
Example application, targeting newer 64-bit Windows x64:
http://files.emeditor.com/emed64_15.1.4_portable.zip
The app crashes with your patch.
Unfortunately, it exits through some fast exit path, without winedbg/debugger being able
to attach (bug 24038).
"init cookie" function at entry point:
--- snip ---
...
0000000140103CA0 mov [rsp+20h], rbx
0000000140103CA5 push rbp
0000000140103CA6 mov rbp, rsp
0000000140103CA9 sub rsp, 20h
0000000140103CAD mov rax, cs:qword_140135540 ; security cookie
0000000140103CB4 and qword ptr [rbp+18h], 0
0000000140103CB9 mov rbx, 2B992DDFA232h ; default init value for x64?
0000000140103CC3 cmp rax, rbx
0000000140103CC6 jnz short 140103D37 ; no? init already done by loader
0000000140103CC8 lea rcx, [rbp+18h]
0000000140103CCC call cs:GetSystemTimeAsFileTime
0000000140103CD2 mov rax, qword ptr [rbp+18h]
0000000140103CD6 mov [rbp+10h], rax
0000000140103CDA call cs:GetCurrentThreadId
0000000140103CE0 mov eax, eax
0000000140103CE2 xor [rbp+10h], rax
0000000140103CE6 call cs:GetCurrentProcessId
0000000140103CEC lea rcx, [rbp+20h]
0000000140103CF0 mov eax, eax
0000000140103CF2 xor [rbp+10h], rax
0000000140103CF6 call cs:QueryPerformanceCounter
0000000140103CFC mov eax, dword ptr [rbp+20h]
0000000140103CFF shl rax, 20h
0000000140103D03 lea rcx, [rbp+10h]
0000000140103D07 xor rax, qword ptr [rbp+20h]
0000000140103D0B xor rax, [rbp+10h]
0000000140103D0F xor rax, rcx
0000000140103D12 mov rcx, 0FFFFFFFFFFFFh ; highest word = zero!
0000000140103D1C and rax, rcx
0000000140103D1F mov rcx, 2B992DDFA233h
0000000140103D29 cmp rax, rbx
0000000140103D2C cmovz rax, rcx
0000000140103D30 mov cs:qword_140135540, rax ; newly randomized cookie
0000000140103D37 mov rbx, [rsp+48h]
0000000140103D3C not rax
0000000140103D3F mov cs:qword_140135548, rax
0000000140103D46 add rsp, 20h
0000000140103D4A pop rbp
0000000140103D4B retn
...
--- snip ---
Runtime check for proper security cookie value:
--- snip ---
00000001400FB080 cmp rcx, cs:qword_140135540 ; security cookie
00000001400FB087 jnz short 1400FB09A
00000001400FB089 rol rcx, 10h ; get highest word
00000001400FB08D test cx, 0FFFFh ; highest word == zero?
00000001400FB092 jnz short 1400FB096
00000001400FB094 rep retn ; yes, oki
00000001400FB096 ror rcx, 10h ; restore highest word
00000001400FB09A jmp 1400FAE5C ; problem -> bail!
--- snip ---
--- snip ---
.data
...
0000000140135540 qword_140135540 dq 2B992DDFA232h ; default cookie magic x64
--- snip ---
Debugger:
ECX = 0x5ec0617fc0041eb9 = your "magic" value set in loader
--- snip ---
Wine-dbg>info reg
Register dump:
rip:00000001400fb087 rsp:000000000023f2e8 rbp:000000000023f530 eflags:00000346
( - -- IT Z- -P- )
rax:0000000000000001 rbx:000000000023f330 rcx:5ec0617fc0041eb9
rdx:00000000ffffffff
rsi:0000000000000100 rdi:0000000000000001 r8:0000000000000100
r9:000000000023f950 r10:0000000000000001
r11:000000000023f330 r12:000000000023f650 r13:0000000000000001
r14:00000000000004e4 r15:0000000000000100
Wine-dbg>si
0x00000001400fb089: rolq $0x10,%rcx
Wine-dbg>si
0x00000001400fb08d: testw $0xffff,%cx
Wine-dbg>info reg
Register dump:
rip:00000001400fb08d rsp:000000000023f2e8 rbp:000000000023f530 eflags:00000346
( - -- IT Z- -P- )
rax:0000000000000001 rbx:000000000023f330 rcx:617fc0041eb95ec0
rdx:00000000ffffffff
rsi:0000000000000100 rdi:0000000000000001 r8:0000000000000100
r9:000000000023f950 r10:0000000000000001
r11:000000000023f330 r12:000000000023f650 r13:0000000000000001
r14:00000000000004e4 r15:0000000000000100
Wine-dbg>si
0x00000001400fb092: jnz 0x00000001400fb096
Wine-dbg>si
0x00000001400fb096: rorq $0x10,%rcx
<process termination>
--- snip ---
Regards
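As an added illustration (not code from Wine, from the patch, or from the bug report), here is a small C model of the constraints the disassembly above implies for a loader-supplied x64 cookie: the runtime check at 1400FB080 rejects any cookie whose highest 16 bits are non-zero, and the CRT's own init routine masks the mixed entropy to 48 bits and never leaves the uninitialized default value in place. The function names and the entropy input are assumptions.

```c
/* Added example, hypothetical helpers modelling the x64 CRT cookie rules
 * seen in the bug report's disassembly. Not Wine code. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define DEFAULT_COOKIE_X64 0x2B992DDFA232ULL      /* .data value before init */
#define COOKIE_MASK_X64    0x0000FFFFFFFFFFFFULL  /* highest word must be zero */

/* Mirrors the runtime check at 1400FB080: the value must equal the stored
 * cookie AND its top 16 bits must be zero, otherwise the app bails out. */
bool cookie_check_passes(uint64_t stored_cookie, uint64_t value)
{
    if (value != stored_cookie)
        return false;
    uint64_t rolled = (value << 16) | (value >> 48); /* rol rcx, 10h      */
    return (rolled & 0xFFFF) == 0;                   /* test cx, 0FFFFh   */
}

/* Derives a loader-side cookie the way the CRT init routine does: take the
 * mixed entropy, clear the highest word, and avoid the "not initialized"
 * default (the CRT substitutes 2B992DDFA233h in that case). The entropy
 * source itself (e.g. a CSPRNG in the loader) is the caller's choice. */
uint64_t make_security_cookie_x64(uint64_t entropy)
{
    uint64_t cookie = entropy & COOKIE_MASK_X64;
    if (cookie == DEFAULT_COOKIE_X64)
        cookie = DEFAULT_COOKIE_X64 + 1;
    return cookie;
}

int main(void)
{
    /* The value the patched loader wrote, taken from the register dump. */
    uint64_t bad = 0x5ec0617fc0041eb9ULL;
    uint64_t good = make_security_cookie_x64(bad);
    printf("loader cookie %016llx passes: %d\n", (unsigned long long)bad,
           cookie_check_passes(bad, bad));     /* 0: highest word non-zero */
    printf("masked cookie %016llx passes: %d\n", (unsigned long long)good,
           cookie_check_passes(good, good));   /* 1 */
    return 0;
}
```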