[Bug 21924] Interstate '76 Arsenal crashes (privileged instructions used in attempt to measure the CPU speed)
wine-bugs at winehq.org
Wed Feb 3 14:26:26 CST 2016
https://bugs.winehq.org/show_bug.cgi?id=21924
--- Comment #7 from Kevin <siegfri3d at gmail.com> ---
(In reply to Anastasius Focht from comment #5)
> Hello folks,
>
> bought the game just for analysis ... confirming.
> In short: the game contains a small code snippet that is incompatible with
> modern Windows NT-based operating systems.
>
> The game calls GetSystemInfo() to retrieve system information:
>
> --- snip ---
> ...
> 0049995A 50 PUSH EAX ; pSysteminfo
> 0049995B FF15 24C14B00 CALL DWORD PTR DS:[<KERNEL32.GetSystemInfo>]
> ...
> --- snip ---
>
> Dump of returned structure:
>
> --- snip ---
> Structure SYSTEM_INFO at 0033F33C
>
> 0033F33C .0000 DW 0 ; Architecture = PROCESSOR_ARCHITECTURE_INTEL
> 0033F33E .0000 DW 0 ; Reserved = 0
> 0033F340 .00100000 DD 00001000 ; PageSize = 4096.
> 0033F344 .00000100 DD 00010000 ; MinimumAppAddress = 10000
> 0033F348 .FFFFFE7F DD 7FFEFFFF ; MaximumAppAddress = 7FFEFFFF
> 0033F34C .0F000000 DD 0000000F ; ActiveProcessorMask = 0F
> 0033F350 .04000000 DD 00000004 ; NumberOfProcessors = 4
> 0033F354 .4A020000 DD 0000024A ; ProcessorType = PROCESSOR_INTEL_PENTIUM
> 0033F358 .00000100 DD 00010000 ; AllocationGranularity = 65536.
> 0033F35C .0600 DW 6 ; ProcessorLevel = 6
> 0033F35E .0525 DW 2505 ; ProcessorRevision = 9477.
> --- snip ---
>
> "ProcessorType" member is evaluated for i386/i486 and pentium class
> processors:
>
> --- snip ---
> 00499961 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10h] ; ProcessorType
> 00499964 2D 82010000 SUB EAX,182 ; switch (cases 182..24A)
> 00499969 74 18 JZ SHORT 00499983
> 0049996B 83E8 64 SUB EAX,64
> 0049996E 74 0C JZ SHORT 0049997C
> 00499970 83E8 64 SUB EAX,64
> 00499973 75 6B JNZ SHORT 004999E0
> 00499975 BE 05000000 MOV ESI,5 ; case 24A of switch 00499964
> 0049997A EB 0C JMP SHORT 00499988
> 0049997C BE 04000000 MOV ESI,4 ; case 1E6 of switch 00499964
> 00499981 EB 05 JMP SHORT 00499988
> 00499983 BE 03000000 MOV ESI,3 ; case 182 of switch 00499964
> 00499988 83FE 03 CMP ESI,3
> 0049998B 73 0A JAE SHORT 00499997
> 0049998D B8 66FDFFFF MOV EAX,-29A ; not i386/i486/i586
> 00499992 5E POP ESI
> 00499993 8BE5 MOV ESP,EBP
> 00499995 5D POP EBP
> 00499996 C3 RETN
> --- snip ---
>
> Upon match the following code ought to be run:
>
> --- snip ---
> 00499997 FA CLI
> 00499998 B0 B8 MOV AL,0B8
> 0049999A E6 43 OUT 43,AL
> 0049999C E4 61 IN AL,61
> 0049999E 0C 01 OR AL,01
> 004999A0 E6 61 OUT 61,AL
> 004999A2 32C0 XOR AL,AL
> 004999A4 E6 42 OUT 42,AL
> 004999A6 E6 42 OUT 42,AL
> 004999A8 B8 00000080 MOV EAX,80000000
> 004999AD 66:BA 5000 MOV DX,50
> 004999B1 0FBCC8 BSF ECX,EAX
> 004999B4 66:4A DEC DX
> 004999B6 66:83FA 01 CMP DX,1
> 004999BA 7D F5 JGE SHORT 004999B1
> 004999BC E4 42 IN AL,42
> 004999BE 8AE0 MOV AH,AL
> 004999C0 E4 42 IN AL,42
> 004999C2 86C4 XCHG AH,AL
> 004999C4 66:F7D8 NEG AX
> 004999C7 66:8945 FC MOV WORD PTR SS:[EBP-4],AX
> 004999CB FB STI
> 004999CC 66:8B0475 40E2 MOV AX,WORD PTR DS:[ESI*2+4FE240]
> 004999D4 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
> 004999D7 66:6BC0 50 IMUL AX,AX,50
> 004999DB 66:85C9 TEST CX,CX
> 004999DE 75 08 JNZ SHORT 004999E8
> 004999E0 83C8 FF OR EAX,FFFFFFFF
> 004999E3 5E POP ESI
> 004999E4 8BE5 MOV ESP,EBP
> 004999E6 5D POP EBP
> 004999E7 C3 RETN
> ...
> --- snip ---
>
> *Eeeekkk*
>
> That's an ancient way to determine CPU speed using PIT (Intel 8253
> programmable interval timer, 16-Bit).
> The whole sequence contains several instructions that can't be executed in
> user mode on modern operating systems.
>
> For example "cli" will always raise a "privileged instruction" exception in
> user mode when executed on Windows NT based systems.
>
> In Windows 95, executing "cli" instruction in user mode generates a general
> protection fault which is transparently handled by the OS, eventually giving
> the same result (IF cleared) as a regular "cli".
>
> Interestingly the comment section for this game on GOG.com shares some
> opinion (most likely related to other issues):
>
> --- quote ---
> However this game is not properly compatible with modern systems! There are
> tons of bugs which the community has had to fix! This wasn't really what I
> hoped from GoG and seriously damages their reputation for games that work on
> modern PC's. I was considering gifting this game to my friends but I can't
> really give them a game in this state. The game is easily 5 stars but minus
> 3 stars for the trouble trying to get the game to work properly! :P
> --- quote ---
>
> The game executable "i76.exe" is from year 2009 so it was likely recompiled.
> I wonder why GOG.com or the contractor who prepared the game did not remove
> this brain damaged ancient code to allow running on NT based systems.
>
> I made a short workaround patch which allows running the game in any WinVer
> mode in Wine:
>
> --- snip ---
> $ printf '\xEB\x22' | dd of=i76.exe bs=1 seek=626025 count=2 conv=notrunc
> --- snip ---
>
> What does it do?
>
> It changes the opcode 0x74,0x18 (jz short 00499983) at file offset 0x98D69 to
> 0xEB,0x22 (jmp short 0049998D), avoiding the incompatible code.
>
> I tested this only on the executable from GOG.com:
>
> --- snip ---
> $ pwd
> /home/focht/.wine/drive_c/Program Files/GOG.com/Interstate 76
> Arsenal/interstate 76
>
> $ du -sh i76.exe
> 1.1M i76.exe
>
> $ sha1sum i76.exe
> 0d21c35d6b4f81f645f14c345dcbe7f33b2cfdc5 i76.exe
> --- snip ---
>
> There is also an "Interstate 76 Nitro" pack included in the download.
> The executable for this pack has the same problem, hence I present another
> patch:
>
> --- snip ---
> $ printf '\xEB\x22' | dd of=nitro.exe bs=1 seek=630921 count=2 conv=notrunc
> --- snip ---
>
> --- snip ---
> $ pwd
> /home/focht/.wine/drive_c/Program Files/GOG.com/Interstate 76
> Arsenal/Interstate 76 Nitro Pack
>
> $ du -sh nitro.exe
> 1.1M nitro.exe
>
> $ sha1sum nitro.exe
> 753a73a205f7f8d973f452e5ec2c90f5f5b2c34b nitro.exe
> --- snip ---
>
> Download from GOG.com:
>
> $ du -sh setup_interstate76_arsenal.exe
> 592M setup_interstate76_arsenal.exe
>
> $ sha1sum setup_interstate76_arsenal.exe
> 21671fbd8dce7d573095fda2612133bb24128bd8 setup_interstate76_arsenal.exe
>
> $ wine --version
> wine-1.7.3-231-g264e27b
>
> If you have a different version exhibiting the same issues, it should be
> fairly easy to find the place where to patch the executable.
>
> ==
>
> In general: That game will most likely only run in Win9X compat mode on
> Windows NT systems.
> I wonder how/if they did a full Intel 8253 emulation to allow this code to
> work or if they just cheat with an application shim, having GetSystemInfo()
> _not_ returning i386/i486/i586 to avoid the critical code path.
>
> Regards
You did awesome work there; the game then runs with Wine.
However the game is still unplayable as cars go slow; they seem to brake,
including our car. Other cars do the same, making the game quite easy.
On the first mission the Taurus car goes very very slowly and often brakes, same
for enemies.
On the second mission our car and the Taurus car go too slow and can't pass the
"jump".
I think it's framerate related or something; there is another piece of code in
the game that seems to log and calculate framerate, and it's probably buggy. Somehow
the sky passes VERY quickly, but cars go too slow.
Same issue on recent Windows with recent hardware; it was working on old
Windows + old hardware only.
Posting this here in case another clever person like you passes by.
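As an added example (not code from the bug report or from Anastasius Focht's comment), the following Python script applies the two-byte JZ-to-JMP patch described in comment #5 only after confirming the executable's SHA1 and the original `74 18` bytes at the stated offset, and, for builds whose hash is unknown, reports where the CLI/OUT 43h/IN 61h sequence of the PIT probe sits so it can be located in a disassembler. The hashes, file offsets, opcode bytes and virtual addresses come from the comment; the 0x2E distance between the JZ and the CLI, the `.patched` output name and the helper names are assumptions.

```python
"""Guarded patcher for the bug 21924 workaround (added example, not project code).

Facts taken from comment #5: SHA1 of the two GOG executables, file offsets
626025 (i76.exe) and 630921 (nitro.exe) of the JZ at VA 00499969, the
replacement bytes EB 22, and the first bytes of the PIT probe at VA 00499997.
Assumption: the 0x2E byte gap between the JZ and the CLI holds only for that
build; for other builds the script just reports where the probe is.
"""
import hashlib
import sys

ORIGINAL_JZ = bytes([0x74, 0x18])   # JZ SHORT +0x18 -> 00499983 (enters the PIT probe)
PATCHED_JMP = bytes([0xEB, 0x22])   # JMP SHORT +0x22 -> 0049998D (returns -29A instead)

# CLI; MOV AL,0B8h; OUT 43h,AL; IN AL,61h -- start of the 8253 probe in the listing
PIT_PROBE_SIG = bytes([0xFA, 0xB0, 0xB8, 0xE6, 0x43, 0xE4, 0x61])

# Builds verified in comment #5: SHA1 -> (file name, file offset of the JZ)
KNOWN_BUILDS = {
    "0d21c35d6b4f81f645f14c345dcbe7f33b2cfdc5": ("i76.exe", 626025),
    "753a73a205f7f8d973f452e5ec2c90f5f5b2c34b": ("nitro.exe", 630921),
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def identify_build(data: bytes):
    """Return (name, jz_offset) for a hashed build, or None for anything else."""
    return KNOWN_BUILDS.get(sha1_hex(data))


def short_jump_target(insn_va: int, rel8: int) -> int:
    """Target of a 2-byte short jump: address after the instruction + sign-extended rel8."""
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8
    return insn_va + 2 + disp


def find_pit_probe(data: bytes) -> list:
    """File offsets of every CLI/OUT 43h/IN 61h sequence in the image."""
    hits, pos = [], data.find(PIT_PROBE_SIG)
    while pos != -1:
        hits.append(pos)
        pos = data.find(PIT_PROBE_SIG, pos + 1)
    return hits


def apply_patch(data: bytes, jz_offset: int) -> bytes:
    """Replace the JZ with the JMP, refusing to write if the bytes are not 74 18."""
    found = data[jz_offset:jz_offset + 2]
    if found != ORIGINAL_JZ:
        raise ValueError(f"expected 74 18 at {jz_offset:#x}, found {found.hex()}")
    return data[:jz_offset] + PATCHED_JMP + data[jz_offset + 2:]


def build_sample() -> bytes:
    """Constructed 64-byte image (not the real executable) laid out like the listing."""
    img = bytearray(b"\x90" * 64)
    img[10:12] = ORIGINAL_JZ                                   # the JZ to be patched
    img[10 + 0x2E:10 + 0x2E + len(PIT_PROBE_SIG)] = PIT_PROBE_SIG  # CLI 0x2E bytes later
    return bytes(img)


def main(path: str) -> int:
    with open(path, "rb") as f:
        data = f.read()
    build = identify_build(data)
    if build is None:
        probes = [hex(p) for p in find_pit_probe(data)]
        print(f"unknown build ({sha1_hex(data)}); PIT probe at file offsets {probes}")
        print("locate the preceding JZ in a disassembler before patching")
        return 1
    name, off = build
    patched = apply_patch(data, off)
    with open(path + ".patched", "wb") as f:
        f.write(patched)
    print(f"{name}: patched JZ at {off:#x}; new SHA1 {sha1_hex(patched)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it as `python patch_i76.py i76.exe`; the original file is left untouched and the result is written next to it. `short_jump_target` reproduces the comment's arithmetic (JZ at 00499969 with rel8 0x18 lands at 00499983; the replacement JMP with rel8 0x22 lands at 0049998D), which is the check to repeat if a different build needs a different displacement.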