[Bug 48988] New: Riot Vanguard (Riot Games) 'vgk.sys' needs KSHARED_USER_DATA access instruction emulation for 'CMP r/m16/32/64, r16/32/64'

WineHQ Bugzilla wine-bugs at winehq.org
Tue Apr 21 12:47:25 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=48988

            Bug ID: 48988
           Summary: Riot Vanguard (Riot Games) 'vgk.sys' needs
                    KSHARED_USER_DATA access instruction emulation for
                    'CMP r/m16/32/64, r16/32/64'
           Product: Wine
           Version: 5.6
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

As the summary says: Wine's instruction emulation for KSHARED_USER_DATA handles most of
the 'MOV' (copy) instruction flavours but none of the 'CMP r/m16/32/64, r16/32/64'
cases.

--- snip ---
...
002f:Call ntdll.NtFlushBuffersFile(00000044,00d4f2e0) ret=7bca1f9f
002f: flush( async={handle=0044,event=0000,iosb=00d4f2e0,user=00728c00,apc=00000000,apc_context=00000000} )
002f: flush() = 0 { event=0048 }
002f: select( flags=2, cookie=00d4e5cc, timeout=infinite, size=8, prev_apc=0000, result={}, data={WAIT_ALL,handles={0048}}, context={} )
002f: select() = 0 { call={APC_NONE}, apc_handle=0000, context={} }
002f:Ret  ntdll.NtFlushBuffersFile() retval=00000000 ret=7bca1f9f
002f:Ret  ntoskrnl.exe.ZwFlushBuffersFile() retval=00000000 ret=0115f5ac
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0bc0,656e6f4e) ret=0115fd31
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0BC0
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0bc0) ret=7bca1f9f
002f:Ret  KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret  ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=0115fd31
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0b40,656e6f4e) ret=00e73ad4
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0B40
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0b40) ret=7bca1f9f
002f:Ret  KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret  ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0330,656e6f4e) ret=00e73ad4
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0330
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0330) ret=7bca1f9f
002f:Ret  KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret  ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x115cbbd ip=115cbbd tid=002f
002f:trace:seh:raise_exception  info[0]=0000000000000000
002f:trace:seh:raise_exception  info[1]=fffff7800000026c
002f:trace:seh:raise_exception  rax=0000000001000001 rbx=0000000000728bb8 rcx=0000000000000000 rdx=0000000000000048
002f:trace:seh:raise_exception  rsi=0000000000d4f7bc rdi=0000000000728bb8 rbp=0000000000727788 rsp=0000000000d4f6a0
002f:trace:seh:raise_exception   r8=0000000000000000  r9=0000000000d4ec12 r10=0000000000000000 r11=0000000000000000
002f:trace:seh:raise_exception  r12=0000000000728a50 r13=00007fffffea4000 r14=0000000000728bb8 r15=0000000000000000
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9c0 code=c0000005 flags=0
002f:Call KERNEL32.GetTickCount64() ret=18000bccc
002f:Ret  KERNEL32.GetTickCount64() retval=01920417 ret=18000bccc
002f:Call msvcrt.memcpy(00d4f108,7ffe026c,00000004) ret=18000bcf8
002f:Ret  msvcrt.memcpy() retval=00d4f108 ret=18000bcf8
002f:trace:seh:call_vectored_handlers handler at 0x18000b9c0 returned ffffffff
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x115cbff ip=115cbff tid=002f
002f:trace:seh:raise_exception  info[0]=0000000000000000
002f:trace:seh:raise_exception  info[1]=fffff78000000270
002f:trace:seh:raise_exception  rax=0000000000000001 rbx=0000000000728bb8 rcx=0000000000000006 rdx=fffff78000000270
002f:trace:seh:raise_exception  rsi=0000000000d4f7bc rdi=0000000000728bb8 rbp=0000000000727788 rsp=0000000000d4f6a0
002f:trace:seh:raise_exception   r8=0000000000000000  r9=0000000000d4ec12 r10=0000000000000000 r11=0000000000000000
002f:trace:seh:raise_exception  r12=0000000000728a50 r13=00007fffffea4000 r14=0000000000728bb8 r15=0000000000000000
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9c0 code=c0000005 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9c0 returned 0
--- snip ---

The driver code is obfuscated but that doesn't prevent analysis/debugging ;-)

Relevant part of driver disassembly:

--- snip ---
...
01402ECBAF | 8D82 5A4A900F          | lea eax,qword ptr ds:[rdx+F904A5A]     
01402ECBB5 | C0ED D2                | shr ch,D2                              
01402ECBB8 | ED                     | in eax,dx                              
01402ECBB9 | 44:0FABF0              | bts eax,r14d                           
01402ECBBD | A1 6C02000080F7FFFF    | mov eax,dword ptr ds:[FFFFF7800000026C]
01402ECBC6 | 40:22CF                | and cl,dil                             
01402ECBC9 | 66:D3F9                | sar cx,cl                              
01402ECBCC | 8BC8                   | mov ecx,eax                            
01402ECBCE | 66:C1E0 26             | shl ax,26                              
01402ECBD2 | 66:0FC1C0              | xadd ax,ax                             
01402ECBD6 | B8 01000000            | mov eax,1                              
01402ECBDB | 45:84D2                | test r10b,r10b                         
01402ECBDE | 66:81FF 905B           | cmp di,5B90                            
01402ECBE3 | 83F9 06                | cmp ecx,6                              
01402ECBE6 | E9 00000000            | jmp vgk.1402ECBEB                      
01402ECBEB | 0F82 1B000000          | jb vgk.1402ECC0C                       
01402ECBF1 | 48:BA 7002000080F7FFFF | mov rdx,FFFFF78000000270               
01402ECBFB | 80FB 2E                | cmp bl,2E                              
01402ECBFE | F5                     | cmc                                    
01402ECBFF | 3902                   | cmp dword ptr ds:[rdx],eax ; problem      
01402ECC01 | E9 00000000            | jmp vgk.1402ECC06                      
01402ECC06 | 0F83 17000000          | jae vgk.1402ECC23                      
01402ECC0C | 83F9 0A                | cmp ecx,A                              
01402ECC0F | E9 00000000            | jmp vgk.1402ECC14                      
01402ECC14 | 0F83 09000000          | jae vgk.1402ECC23                      
01402ECC1A | 2AC0                   | sub al,al                              
01402ECC1C | 45:3AE3                | cmp r12b,r11b                          
01402ECC1F | 41:80F9 65             | cmp r9b,65                             
01402ECC23 | 48:83C4 28             | add rsp,28                             
01402ECC27 | E9 00000000            | jmp vgk.1402ECC2C                      
01402ECC2C | C3                     | ret                                    
...
--- snip ---

'cmp dword ptr ds:[rdx],eax' -> 0x39,0x02

The driver checks the 'KSHARED_USER_DATA' 'NtMajorVersion' and 'NtMinorVersion'
fields to determine whether the OS is supported.

(http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data/index.htm)

If it encounters something below 'Windows 7', the driver entry point returns
code 0xC000A004, which translates to 'STATUS_INVALID_KERNEL_INFO_VERSION'.

Wine source:

https://source.winehq.org/git/wine.git/blob/f31a29b8d1ea478af28f14cdaf3db1515a932853:/dlls/ntoskrnl.exe/instr.c#l605

$ sha1sum setup.exe 
08deca4c0b46a3481e706926c0217d1c944d22a3  setup.exe

$ du -sh setup.exe 
15M    setup.exe

$ wine --version
wine-5.6-258-gf31a29b8d1

Regards
