[Bug 44860] New: 4k/ 8k demos crash due to Crinkler executable file compressor expecting PEB address in %EBX on process entry

Fri Mar 30 09:12:04 CDT 2018

https://bugs.winehq.org/show_bug.cgi?id=44860

            Bug ID: 44860
           Summary: 4k/8k demos crash due to Crinkler executable file
                    compressor expecting PEB address in %EBX on process
                    entry
           Product: Wine
           Version: 3.4
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: kernel32
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

split out from bug 42125 which is about OS loader compatibility/PE image header
fields/mappings.

Most of the PE tools struggle or even crash when trying to get something useful
out of this due to the "optimized" usage (truncation) of DOS, PE headers
(basically providing the bare minimum info to not have the OS loader crash).

Example: http://www.pouet.net/prod.php?which=66502 ("Psyltcipher by Loonies")

ProtectionID scan:

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> Z:\home\focht\Downloads\lns-lpt-psyltcipher_720.exe
[!] Warning : File has NO sections (suspicious)
[!] Warning : File has NO imports (suspicious)
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 7242 (01C4Ah) Byte(s)
| Machine: 0x14C (I386)
[!] Warning - Entrypoint is INVALID (file may be damaged)
Compilation TimeStamp : 0x7F61DB01 -> Mon 21st Sep 2037 04:18:09 (GMT)
[TimeStamp] 0x7F61DB01 -> Mon 21st Sep 2037 04:18:09 (GMT) | PE Header | - |
Offset: 0x0000000C | VA: 0x0040000C | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset
0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558
(4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00010001000001111110000011001000 (0x1107E0C8)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 0 (0x0) | ImageSize 0x2263B6EB (576960235) byte(s)
[!} Warning - image has NO Data Directories... 
[!] Warning : Import Table is bad !!!
-> Suspicious MZ Header.. 
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.211 Second(s) [0000000D3h (211) tick(s)] [506 of 580 scan(s)
done]
--- snip ---

LordPE dump (helper tool crashes during analysis but main app still shows
info):

--- snip ---
->DOS Header
   e_magic:     0x5A4D
   e_cblp:      0x3032
   e_cp:        0x4550
   e_crlc:      0x0000
   e_cparhdr:   0x014C
   e_minalloc:  0x0000
   e_maxalloc:  0xDB01
   e_ss:        0x7F61
   e_sp:        0xD010
   e_csum:      0x7317
   e_ip:        0x4775
   e_cs:        0xF9EB
   e_lfarlc:    0x0008
   e_ovno:      0x0002
   e_res:       0x010BC911854579C0
   e_oemid:     0x011F
   e_oeminfo:   0x50D3
   e_res2:      0xE2F73D90005C0000F3F7C139DB1948EB00000040
   e_lfanew:    0x00000004

->File Header
   Machine:               0x014C  (I386)
   NumberOfSections:      0x0000
   TimeDateStamp:         0x7F61DB01  (GMT: Mon Sep 21 04:18:09 2037)
   PointerToSymbolTable:  0x7317D010
   NumberOfSymbols:       0xF9EB4775
   SizeOfOptionalHeader:  0x0008
   Characteristics:       0x0002
                          (EXECUTABLE_IMAGE)

->Optional Header
   Magic:                        0x010B  (HDR32_MAGIC)
   MajorLinkerVersion:           0x11
   MinorLinkerVersion:           0xC9  -> 17.201
   SizeOfCode:                   0x79C08545
   SizeOfInitializedData:        0x50D3011F
   SizeOfUninitializedData:      0x3D90E2F7
   AddressOfEntryPoint:          0x0000005C
   BaseOfCode:                   0xC139F3F7
   BaseOfData:                   0x48EBDB19
   ImageBase:                    0x00400000
   SectionAlignment:             0x00000004
   FileAlignment:                0x00000004
   MajorOperatingSystemVersion:  0xA30F
   MinorOperatingSystemVersion:  0x7D2D  -> 41743.32045
   MajorImageVersion:            0x4001
   MinorImageVersion:            0x8D00  -> 16385.36096
   MajorSubsystemVersion:        0x0004
   MinorSubsystemVersion:        0xCEEB  -> 4.52971
   Win32VersionValue:            0x00000000
   SizeOfImage:                  0x2263B6EB      ; <------- important!
   SizeOfHeaders:                0x00000040
   CheckSum:                     0xBBED3153
   Subsystem:                    0x0002  (WINDOWS_GUI)
   DllCharacteristics:           0x0000
   SizeOfStackReserve:           0x0154BE90
   SizeOfStackCommit:            0x016A0040
   SizeOfHeapReserve:            0x0000BF58
   SizeOfHeapCommit:             0x00B10042
   LoaderFlags:                  0x12EB5757
   NumberOfRvaAndSizes:          0x00000000
--- snip ---

The PE compressor used for most of these 4K/8K demos is named 'Crinkler':

http://www.crinkler.net/

--- quote ---
Crinkler is an executable file compressor (or rather, a compressing linker) for
Windows specifically targeted towards executables with a size of just a few
kilobytes. As of 2018, it is the most widely used tool for compressing 4k
intros.

Crinkler is being developed by Rune L. H. Stubbe (Mentor/TBC) and Aske Simon
Christensen (Blueberry/Loonies). 
--- quote ---

The compression itself and some parts of imports resolver are nicely covered
here:

http://code4k.blogspot.de/2010/12/crinkler-secrets-4k-intro-executable.html

The decompression area for code, data etc. starts usually at fixed 0x420000
address range.
One can easily bypass all the decompression stuff from entry and set a hardware
breakpoint on execution to 0x420000.

NOTE: Not all 8K demos from http://www.pouet.net can be fixed in Wine nor run
in modern Windows (bug 42125). Crinkler uses the PE optional header
'SizeOfImage' field to have the loader allocate a huge chunk of memory used for
decompression.

Memory map:

--- snip ---
Address   Size      Owner     Section         Contains
00110000  00010000
00220000  00001000                            Process Parameters
00230000  00003000                            Environment
00400000  2263C000  lns-lpt-psyltcipher_720   PE header (+SizeOfImage)
22A40000  00001000
22A41000  00001000
22A42000  016AE000                            Stack of main thread
7B420000  00001000  KERNEL32                  PE header
7B421000  00221000  KERNEL32  .text           Code
7B642000  001B1000  KERNEL32  .data           Data,imports,exports, ..
7BC30000  00001000  ntdll                     PE header
7BC31000  000BF000  ntdll     .text           Code
7BCF0000  0001D000  ntdll     .data           Data,exports,resources
7FFD8000  00004000                            Data block of main thread
7FFDF000  00001000                            Process Environment Block
7FFE0000  00010000
...
--- snip ---

https://github.com/wine-staging/wine-staging/blob/master/patches/kernel32-PE_Loader_Fixes/0003-kernel32-On-process-entry-store-PEB-address-in-ebx.patch

Relevant part of Crinkler code:

--- snip ---
; PE entry
0040005C  53           PUSH EBX                 ; PEB, see later
0040005D  31ED         XOR EBP,EBP
0040005F  BB 02000000  MOV EBX,2
00400064  90           NOP
00400065  BE 54014000  MOV ESI,OFFSET 00400154
0040006A  6A 01        PUSH 1
0040006C  58           POP EAX
0040006D  BF 00004200  MOV EDI,OFFSET 00420000
00400072  B1 00        MOV CL,0
00400074  57           PUSH EDI
00400075  57           PUSH EDI
00400076  EB 12        JMP SHORT 0040008A
...

; OEP after decompression
00420000  5F           POP EDI
00420001  B9 1D000000  MOV ECX,1D
00420006  B0 E8        MOV AL,0E8
00420008  AE           SCAS BYTE PTR ES:[EDI]
00420009  75 FB        JNE SHORT 00420006
0042000B  8B07         MOV EAX,DWORD PTR DS:[EDI]
0042000D  98           CWDE
0042000E  3B07         CMP EAX,DWORD PTR DS:[EDI]
00420010  75 F4        JNE SHORT 00420006
00420012  29F8         SUB EAX,EDI
00420014  98           CWDE
00420015  AB           STOS DWORD PTR ES:[EDI]
00420016  E2 EE        LOOP SHORT 00420006
00420018  BB 08014000  MOV EBX,OFFSET 00400108
0042001D  BE D3124200  MOV ESI,OFFSET 004212D3
00420022  BF 00004300  MOV EDI,OFFSET 00430000
00420027  58           POP EAX                       ; was EBX -> PEB
00420028  8B40 0C      MOV EAX,DWORD PTR DS:[EAX+0C] ; PEB_LDR_DATA
; InLoadOrderModuleList->LDR_DATA_TABLE_ENTRY
0042002B  8B40 0C      MOV EAX,DWORD PTR DS:[EAX+0C]
; LDR_DATA_TABLE_ENTRY->InLoadOrderLinks
0042002E  8B00         MOV EAX,DWORD PTR DS:[EAX]
00420030  8B00         MOV EAX,DWORD PTR DS:[EAX]    ; Flink
; _LDR_DATA_TABLE_ENTRY.DllBase (kernel32)
00420032  8B68 18      MOV EBP,DWORD PTR DS:[EAX+18] 
00420035  31C0         XOR EAX,EAX
00420037  AC           LODS BYTE PTR DS:[ESI]        ; "user32"
00420038  85ED         TEST EBP,EBP
0042003A  75 12        JNE SHORT 0042004E
0042003C  85C0         TEST EAX,EAX
0042003E  74 5B        JE SHORT 0042009B
00420040  6A 00        PUSH 0
00420042  6A 00        PUSH 0
00420044  52           PUSH EDX                      ; "d3d11"
00420045  6A 00        PUSH 0
00420047  FF15 180043. CALL DWORD PTR DS:[430018]    ; user32.MessageBoxA
0042004D  C3           RETN
...
--- snip ---

$ sha1sum lns-*
482e8d0fe4b5e6f7ffa6f2125143da5aadab34ad  lns-lpt-psyltcipher_1080.exe
1da4738309c2738f5f89c4713c689a93b94cd898  lns-lpt-psyltcipher_1080_vsync.exe
7bab7cb1c8f528878b1547147d2c97dfa1032eab  lns-lpt-psyltcipher_720.exe
85d1624523110af6c00cc53027e3b504ef3d5362  lns-lpt-psyltcipher.zip

$ du -sh lns-*
8.0K    lns-lpt-psyltcipher_1080.exe
8.0K    lns-lpt-psyltcipher_1080_vsync.exe
8.0K    lns-lpt-psyltcipher_720.exe
24K    lns-lpt-psyltcipher.zip

$ wine --version
wine-3.4-256-g725ad420e1

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.