[Bug 48988] New: Riot Vanguard (Riot Games) 'vgk.sys' needs KSHARED_USER_DATA access instruction emulation for 'CMP r/m16/32/64, r16/32/64'
WineHQ Bugzilla
wine-bugs at winehq.org
Tue Apr 21 12:47:25 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=48988
            Bug ID: 48988
           Summary: Riot Vanguard (Riot Games) 'vgk.sys' needs KSHARED_USER_DATA access instruction emulation for 'CMP r/m16/32/64, r16/32/64'
           Product: Wine
           Version: 5.6
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---
Hello folks,

as it says. Wine's instruction emulation for KSHARED_USER_DATA handles most of
the 'MOV' (copy) instruction flavours but not the 'CMP r/m16/32/64, r16/32/64'
cases.
--- snip ---
...
002f:Call ntdll.NtFlushBuffersFile(00000044,00d4f2e0) ret=7bca1f9f
002f: flush(
async={handle=0044,event=0000,iosb=00d4f2e0,user=00728c00,apc=00000000,apc_context=00000000}
)
002f: flush() = 0 { event=0048 }
002f: select( flags=2, cookie=00d4e5cc, timeout=infinite, size=8,
prev_apc=0000, result={}, data={WAIT_ALL,handles={0048}}, context={} )
002f: select() = 0 { call={APC_NONE}, apc_handle=0000, context={} }
002f:Ret ntdll.NtFlushBuffersFile() retval=00000000 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ZwFlushBuffersFile() retval=00000000 ret=0115f5ac
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0bc0,656e6f4e) ret=0115fd31
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0BC0
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0bc0) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=0115fd31
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0b40,656e6f4e) ret=00e73ad4
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0B40
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0b40) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0330,656e6f4e) ret=00e73ad4
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0330
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0330) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x115cbbd ip=115cbbd
tid=002f
002f:trace:seh:raise_exception info[0]=0000000000000000
002f:trace:seh:raise_exception info[1]=fffff7800000026c
002f:trace:seh:raise_exception rax=0000000001000001 rbx=0000000000728bb8
rcx=0000000000000000 rdx=0000000000000048
002f:trace:seh:raise_exception rsi=0000000000d4f7bc rdi=0000000000728bb8
rbp=0000000000727788 rsp=0000000000d4f6a0
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000d4ec12
r10=0000000000000000 r11=0000000000000000
002f:trace:seh:raise_exception r12=0000000000728a50 r13=00007fffffea4000
r14=0000000000728bb8 r15=0000000000000000
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9c0
code=c0000005 flags=0
002f:Call KERNEL32.GetTickCount64() ret=18000bccc
002f:Ret KERNEL32.GetTickCount64() retval=01920417 ret=18000bccc
002f:Call msvcrt.memcpy(00d4f108,7ffe026c,00000004) ret=18000bcf8
002f:Ret msvcrt.memcpy() retval=00d4f108 ret=18000bcf8
002f:trace:seh:call_vectored_handlers handler at 0x18000b9c0 returned ffffffff
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x115cbff ip=115cbff
tid=002f
002f:trace:seh:raise_exception info[0]=0000000000000000
002f:trace:seh:raise_exception info[1]=fffff78000000270
002f:trace:seh:raise_exception rax=0000000000000001 rbx=0000000000728bb8
rcx=0000000000000006 rdx=fffff78000000270
002f:trace:seh:raise_exception rsi=0000000000d4f7bc rdi=0000000000728bb8
rbp=0000000000727788 rsp=0000000000d4f6a0
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000d4ec12
r10=0000000000000000 r11=0000000000000000
002f:trace:seh:raise_exception r12=0000000000728a50 r13=00007fffffea4000
r14=0000000000728bb8 r15=0000000000000000
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9c0
code=c0000005 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9c0 returned 0
--- snip ---
The driver code is obfuscated but that doesn't prevent analysis/debugging ;-)
Relevant part of driver disassembly:
--- snip ---
...
01402ECBAF | 8D82 5A4A900F | lea eax,qword ptr ds:[rdx+F904A5A]
01402ECBB5 | C0ED D2 | shr ch,D2
01402ECBB8 | ED | in eax,dx
01402ECBB9 | 44:0FABF0 | bts eax,r14d
01402ECBBD | A1 6C02000080F7FFFF | mov eax,dword ptr ds:[FFFFF7800000026C]
01402ECBC6 | 40:22CF | and cl,dil
01402ECBC9 | 66:D3F9 | sar cx,cl
01402ECBCC | 8BC8 | mov ecx,eax
01402ECBCE | 66:C1E0 26 | shl ax,26
01402ECBD2 | 66:0FC1C0 | xadd ax,ax
01402ECBD6 | B8 01000000 | mov eax,1
01402ECBDB | 45:84D2 | test r10b,r10b
01402ECBDE | 66:81FF 905B | cmp di,5B90
01402ECBE3 | 83F9 06 | cmp ecx,6
01402ECBE6 | E9 00000000 | jmp vgk.1402ECBEB
01402ECBEB | 0F82 1B000000 | jb vgk.1402ECC0C
01402ECBF1 | 48:BA 7002000080F7FFFF | mov rdx,FFFFF78000000270
01402ECBFB | 80FB 2E | cmp bl,2E
01402ECBFE | F5 | cmc
01402ECBFF | 3902 | cmp dword ptr ds:[rdx],eax ; problem
01402ECC01 | E9 00000000 | jmp vgk.1402ECC06
01402ECC06 | 0F83 17000000 | jae vgk.1402ECC23
01402ECC0C | 83F9 0A | cmp ecx,A
01402ECC0F | E9 00000000 | jmp vgk.1402ECC14
01402ECC14 | 0F83 09000000 | jae vgk.1402ECC23
01402ECC1A | 2AC0 | sub al,al
01402ECC1C | 45:3AE3 | cmp r12b,r11b
01402ECC1F | 41:80F9 65 | cmp r9b,65
01402ECC23 | 48:83C4 28 | add rsp,28
01402ECC27 | E9 00000000 | jmp vgk.1402ECC2C
01402ECC2C | C3 | ret
...
--- snip ---
'cmp dword ptr ds:[rdx],eax' -> 0x39,0x02
The driver checks the 'KSHARED_USER_DATA' 'NtMajorVersion' and 'NtMinorVersion'
fields to see whether the OS is supported.
(http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data/index.htm)
In case it encounters something below 'Windows 7', the driver entry point will
return code 0xC000A004 which translates to
'STATUS_INVALID_KERNEL_INFO_VERSION'.
Wine source:
https://source.winehq.org/git/wine.git/blob/f31a29b8d1ea478af28f14cdaf3db1515a932853:/dlls/ntoskrnl.exe/instr.c#l605
$ sha1sum setup.exe
08deca4c0b46a3481e706926c0217d1c944d22a3 setup.exe
$ du -sh setup.exe
15M setup.exe
$ wine --version
wine-5.6-258-gf31a29b8d1
Regards
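The following is an added example, not code from the report or from Wine's instr.c, showing the shape of the missing emulation: decode a faulting 'CMP r/m16/32/64, r16/32/64' (opcode 0x39, with an optional 0x66 or REX.W prefix) whose memory operand lies in the kernel-mode KSHARED_USER_DATA window at 0xFFFFF78000000000, satisfy the read from the user-mode copy of the page, and set the flags the way the real instruction would. The register file, the flag layout and the `shared_data` buffer standing in for the page Wine maps at 0x7FFE0000 are assumptions of the example; the field offsets 0x26C (NtMajorVersion) and 0x270 (NtMinorVersion) are the two fault addresses in the trace above. SIB and RIP-relative forms are reported as not handled rather than decoded.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Kernel-mode view of KUSER_SHARED_DATA (the faulting addresses in the trace)
 * and the offsets of the two version fields the driver compares. */
#define KSHARED_KERNEL_BASE  0xFFFFF78000000000ULL
#define KSHARED_SIZE         0x1000ULL
#define OFF_NT_MAJOR_VERSION 0x26C
#define OFF_NT_MINOR_VERSION 0x270

/* EFLAGS bits that CMP updates (AF and PF omitted for brevity). */
#define FLAG_CF 0x001ULL
#define FLAG_ZF 0x040ULL
#define FLAG_SF 0x080ULL
#define FLAG_OF 0x800ULL

/* Hypothetical register file in x86-64 encoding order (rax..rdi, r8..r15). */
enum { REG_RAX, REG_RCX, REG_RDX, REG_RBX, REG_RSP, REG_RBP, REG_RSI, REG_RDI };
struct cpu_context {
    uint64_t regs[16];
    uint64_t rip;
    uint64_t eflags;
};

/* Constructed stand-in for the user-mode copy of the page (0x7FFE0000 under
 * Wine); a plain buffer here so the example runs on any host. */
static uint8_t shared_data[KSHARED_SIZE];

/* Set CF/ZF/SF/OF exactly as 'CMP dst, src' would for the given operand width. */
static void set_cmp_flags(struct cpu_context *ctx, uint64_t dst, uint64_t src, unsigned bits)
{
    uint64_t mask = (bits == 64) ? ~0ULL : ((1ULL << bits) - 1);
    uint64_t sign = 1ULL << (bits - 1);
    dst &= mask; src &= mask;
    uint64_t res = (dst - src) & mask;
    uint64_t f = ctx->eflags & ~(FLAG_CF | FLAG_ZF | FLAG_SF | FLAG_OF);
    if (dst < src)   f |= FLAG_CF;           /* unsigned borrow */
    if (res == 0)    f |= FLAG_ZF;
    if (res & sign)  f |= FLAG_SF;
    if (((dst ^ src) & (dst ^ res)) & sign) f |= FLAG_OF;  /* signed overflow */
    ctx->eflags = f;
}

/* Emulate one 'CMP r/m16/32/64, r16/32/64' (opcode 0x39) whose memory operand
 * lies inside KUSER_SHARED_DATA. Returns the instruction length and advances
 * rip on success; returns 0 if the bytes are not such an instruction, use an
 * addressing form this decoder does not handle, or touch some other address. */
int emulate_kshared_cmp(struct cpu_context *ctx, const uint8_t *code, size_t len)
{
    size_t pos = 0;
    unsigned bits = 32, rex_r = 0, rex_b = 0;

    /* 0x66 selects a 16-bit operand; REX.W selects 64-bit; REX.R/B extend regs. */
    while (pos < len && code[pos] == 0x66) { bits = 16; pos++; }
    if (pos < len && (code[pos] & 0xF0) == 0x40) {
        uint8_t rex = code[pos++];
        if (rex & 0x08) bits = 64;
        rex_r = (rex >> 2) & 1;
        rex_b = rex & 1;
    }
    if (pos >= len || code[pos++] != 0x39) return 0;
    if (pos >= len) return 0;

    uint8_t modrm = code[pos++];
    unsigned mod = modrm >> 6, reg = ((modrm >> 3) & 7) | (rex_r << 3), rm = modrm & 7;

    /* Register-direct form never faults; SIB and RIP-relative forms are left
     * to a fuller decoder. */
    if (mod == 3 || rm == 4 || (mod == 0 && rm == 5)) return 0;

    int64_t disp = 0;
    if (mod == 1) { if (pos + 1 > len) return 0; disp = (int8_t)code[pos]; pos += 1; }
    else if (mod == 2) { int32_t d; if (pos + 4 > len) return 0; memcpy(&d, code + pos, 4); disp = d; pos += 4; }

    uint64_t addr = ctx->regs[rm | (rex_b << 3)] + (uint64_t)disp;
    if (addr < KSHARED_KERNEL_BASE || addr + bits / 8 > KSHARED_KERNEL_BASE + KSHARED_SIZE)
        return 0;

    /* Redirect the kernel-mode address to the user-mode copy (little-endian host). */
    uint64_t mem = 0;
    memcpy(&mem, shared_data + (addr - KSHARED_KERNEL_BASE), bits / 8);

    set_cmp_flags(ctx, mem, ctx->regs[reg], bits);
    ctx->rip += pos;
    return (int)pos;
}

/* Replays the faulting instruction from the report, 'cmp dword ptr [rdx],eax'
 * (bytes 0x39 0x02) with rdx = &NtMinorVersion and eax = 1, against a
 * constructed page claiming version 6.1. Returns 1 if the compare is equal. */
int replay_report_case(void)
{
    static const uint8_t code[] = { 0x39, 0x02 };
    struct cpu_context ctx = {0};
    uint32_t major = 6, minor = 1;
    memcpy(shared_data + OFF_NT_MAJOR_VERSION, &major, 4);
    memcpy(shared_data + OFF_NT_MINOR_VERSION, &minor, 4);
    ctx.regs[REG_RDX] = KSHARED_KERNEL_BASE + OFF_NT_MINOR_VERSION;
    ctx.regs[REG_RAX] = 1;
    if (emulate_kshared_cmp(&ctx, code, sizeof code) != 2) return 0;
    return (ctx.eflags & FLAG_ZF) ? 1 : 0;
}

int main(void)
{
    printf("NtMinorVersion == eax: %s\n", replay_report_case() ? "yes (ZF set)" : "no");
    return 0;
}
```

With the report's register state (ecx = 6 from NtMajorVersion, eax = 1) the emulated compare sets ZF, so the following 'jae' takes the supported-OS path instead of the driver returning STATUS_INVALID_KERNEL_INFO_VERSION.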