[Bug 45936] IW4x 0.5.4 crashes on keyboard input, failure to delay load 'imm32.dll.ImmProcessKey' ('kernel32.dll.LoadLibraryA' made no-op by protection scheme, breaks '__wine_spec_delay_load')
WineHQ Bugzilla
wine-bugs at winehq.org
Wed Apr 22 13:27:33 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=45936
--- Comment #10 from Anastasius Focht <focht at gmx.net> ---
Hello mirh,
--- quote ---
So.. Like, the thing has gone open source just for the records.
Not sure if it couldn't help.
--- quote ---
well, it essentially confirms my analysis for LoadLibrary{Ex}{A,W} hooks.
The issue is obviously still present.
https://github.com/IW4x/iw4x-client/blob/23e9aa7ac0107a3a7a8c7cda2de4287f127a871d/src/Components/Modules/AntiCheat.cpp#L79
--- snip ---
void AntiCheat::InitLoadLibHook()
{
__VMProtectBeginUltra("");
static uint8_t kernel32Str[] = { 0xB4, 0x9A, 0x8D, 0xB1, 0x9A, 0x93, 0xCC,
0xCD, 0xD1, 0x9B, 0x93, 0x93 }; // KerNel32.dll
static uint8_t loadLibAStr[] = { 0xB3, 0x90, 0x9E, 0x9B, 0xB3, 0x96, 0x9D,
0x8D, 0x9E, 0x8D, 0x86, 0xBE }; // LoadLibraryA
static uint8_t loadLibWStr[] = { 0xB3, 0x90, 0x9E, 0x9B, 0xB3, 0x96, 0x9D,
0x8D, 0x9E, 0x8D, 0x86, 0xA8 }; // LoadLibraryW
HMODULE kernel32 =
GetModuleHandleA(Utils::String::XOR(std::string(reinterpret_cast<char*>(kernel32Str),
sizeof kernel32Str), -1).data());
if (kernel32)
{
FARPROC loadLibA = GetProcAddress(kernel32,
Utils::String::XOR(std::string(reinterpret_cast<char*>(loadLibAStr), sizeof
loadLibAStr), -1).data());
FARPROC loadLibW = GetProcAddress(kernel32,
Utils::String::XOR(std::string(reinterpret_cast<char*>(loadLibWStr), sizeof
loadLibWStr), -1).data());
std::string libExA =
Utils::String::XOR(std::string(reinterpret_cast<char*>(loadLibAStr), sizeof
loadLibAStr), -1);
std::string libExW =
Utils::String::XOR(std::string(reinterpret_cast<char*>(loadLibWStr), sizeof
loadLibWStr), -1);
libExA.insert(libExA.end() - 1, 'E');
libExA.insert(libExA.end() - 1, 'x');
libExW.insert(libExW.end() - 1, 'E');
libExW.insert(libExW.end() - 1, 'x');
FARPROC loadLibExA = GetProcAddress(kernel32, libExA.data());
FARPROC loadLibExW = GetProcAddress(kernel32, libExW.data());
if (loadLibA && loadLibW && loadLibExA && loadLibExW)
{
#ifdef DEBUG_LOAD_LIBRARY
AntiCheat::LoadLibHook[0].initialize(loadLibA, LoadLibaryAStub,
HOOK_JUMP);
AntiCheat::LoadLibHook[1].initialize(loadLibW, LoadLibaryWStub,
HOOK_JUMP);
AntiCheat::LoadLibHook[2].initialize(loadLibExA, LoadLibaryExAStub,
HOOK_JUMP);
AntiCheat::LoadLibHook[3].initialize(loadLibExW, LoadLibaryExWStub,
HOOK_JUMP);
#else
static uint8_t loadLibStub[] = { 0x33, 0xC0, 0xC2, 0x04, 0x00 }; //
xor eax, eax; retn 04h
static uint8_t loadLibExStub[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00 };
// xor eax, eax; retn 0Ch
AntiCheat::LoadLibHook[0].initialize(loadLibA, loadLibStub,
HOOK_JUMP);
AntiCheat::LoadLibHook[1].initialize(loadLibW, loadLibStub,
HOOK_JUMP);
AntiCheat::LoadLibHook[2].initialize(loadLibExA, loadLibExStub,
HOOK_JUMP);
AntiCheat::LoadLibHook[3].initialize(loadLibExW, loadLibExStub,
HOOK_JUMP);
#endif
}
}
static uint8_t ldrLoadDllStub[] = { 0x33, 0xC0, 0xC2, 0x10, 0x00 };
static uint8_t ldrLoadDll[] = { 0xB3, 0x9B, 0x8D, 0xB3, 0x90, 0x9E, 0x9B,
0xBB, 0x93, 0x93 }; // LdrLoadDll
HMODULE ntdll = Utils::GetNTDLL();
//AntiCheat::LoadLibHook[4].initialize(GetProcAddress(ntdll,
Utils::String::XOR(std::string(reinterpret_cast<char*>(ldrLoadDll), sizeof
ldrLoadDll), -1).data()), ldrLoadDllStub, HOOK_JUMP);
// Patch LdrpLoadDll
Utils::Hook::Signature::Container container;
container.signature =
"\x8B\xFF\x55\x8B\xEC\x83\xE4\xF8\x81\xEC\x00\x00\x00\x00\xA1\x00\x00\x00\x00\x33\xC4\x89\x84\x24\x00\x00\x00\x00\x53\x8B\x5D\x10\x56\x57";
container.mask = "xxxxxxxxxx????x????xxxxx????xxxxxx";
container.callback = [](char* addr)
{
static uint8_t ldrpLoadDllStub[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00 };
AntiCheat::LoadLibHook[5].initialize(addr, ldrpLoadDllStub, HOOK_JUMP);
};
Utils::Hook::Signature signature(ntdll, Utils::GetModuleSize(ntdll));
signature.add(container);
//signature.process();
__VMProtectEnd;
}
--- snip ---
$ wine --version
wine-5.6-299-gf65cfbfe9b
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list