[Bug 48988] New: Riot Vanguard (Riot Games) 'vgk.sys' needs KSHARED_USER_DATA access instruction emulation for 'CMP r/m16/32/64, r16/32/64'
https://bugs.winehq.org/show_bug.cgi?id=48988

            Bug ID: 48988
           Summary: Riot Vanguard (Riot Games) 'vgk.sys' needs KSHARED_USER_DATA access instruction emulation for 'CMP r/m16/32/64, r16/32/64'
           Product: Wine
           Version: 5.6
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs(a)winehq.org
          Reporter: focht(a)gmx.net
      Distribution: ---

Hello folks,

as it says.

Wine's instruction emulation for KSHARED_USER_DATA handles most of the 'MOV' (copy) instruction flavours but no 'CMP r/m16/32/64, r16/32/64' cases.

--- snip ---
...
002f:Call ntdll.NtFlushBuffersFile(00000044,00d4f2e0) ret=7bca1f9f
002f: flush( async={handle=0044,event=0000,iosb=00d4f2e0,user=00728c00,apc=00000000,apc_context=00000000} )
002f: flush() = 0 { event=0048 }
002f: select( flags=2, cookie=00d4e5cc, timeout=infinite, size=8, prev_apc=0000, result={}, data={WAIT_ALL,handles={0048}}, context={} )
002f: select() = 0 { call={APC_NONE}, apc_handle=0000, context={} }
002f:Ret ntdll.NtFlushBuffersFile() retval=00000000 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ZwFlushBuffersFile() retval=00000000 ret=0115f5ac
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0bc0,656e6f4e) ret=0115fd31
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0BC0
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0bc0) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=0115fd31
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0b40,656e6f4e) ret=00e73ad4
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0B40
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0b40) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0330,656e6f4e) ret=00e73ad4
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0330
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0330) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x115cbbd ip=115cbbd tid=002f
002f:trace:seh:raise_exception info[0]=0000000000000000
002f:trace:seh:raise_exception info[1]=fffff7800000026c
002f:trace:seh:raise_exception rax=0000000001000001 rbx=0000000000728bb8 rcx=0000000000000000 rdx=0000000000000048
002f:trace:seh:raise_exception rsi=0000000000d4f7bc rdi=0000000000728bb8 rbp=0000000000727788 rsp=0000000000d4f6a0
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000d4ec12 r10=0000000000000000 r11=0000000000000000
002f:trace:seh:raise_exception r12=0000000000728a50 r13=00007fffffea4000 r14=0000000000728bb8 r15=0000000000000000
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9c0 code=c0000005 flags=0
002f:Call KERNEL32.GetTickCount64() ret=18000bccc
002f:Ret KERNEL32.GetTickCount64() retval=01920417 ret=18000bccc
002f:Call msvcrt.memcpy(00d4f108,7ffe026c,00000004) ret=18000bcf8
002f:Ret msvcrt.memcpy() retval=00d4f108 ret=18000bcf8
002f:trace:seh:call_vectored_handlers handler at 0x18000b9c0 returned ffffffff
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x115cbff ip=115cbff tid=002f
002f:trace:seh:raise_exception info[0]=0000000000000000
002f:trace:seh:raise_exception info[1]=fffff78000000270
002f:trace:seh:raise_exception rax=0000000000000001 rbx=0000000000728bb8 rcx=0000000000000006 rdx=fffff78000000270
002f:trace:seh:raise_exception rsi=0000000000d4f7bc rdi=0000000000728bb8 rbp=0000000000727788 rsp=0000000000d4f6a0
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000d4ec12 r10=0000000000000000 r11=0000000000000000
002f:trace:seh:raise_exception r12=0000000000728a50 r13=00007fffffea4000 r14=0000000000728bb8 r15=0000000000000000
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9c0 code=c0000005 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9c0 returned 0
--- snip ---

The driver code is obfuscated but that doesn't prevent analysis/debugging ;-)

Relevant part of driver disassembly:

--- snip ---
...
01402ECBAF | 8D82 5A4A900F          | lea eax,qword ptr ds:[rdx+F904A5A]
01402ECBB5 | C0ED D2                | shr ch,D2
01402ECBB8 | ED                     | in eax,dx
01402ECBB9 | 44:0FABF0              | bts eax,r14d
01402ECBBD | A1 6C02000080F7FFFF    | mov eax,dword ptr ds:[FFFFF7800000026C]
01402ECBC6 | 40:22CF                | and cl,dil
01402ECBC9 | 66:D3F9                | sar cx,cl
01402ECBCC | 8BC8                   | mov ecx,eax
01402ECBCE | 66:C1E0 26             | shl ax,26
01402ECBD2 | 66:0FC1C0              | xadd ax,ax
01402ECBD6 | B8 01000000            | mov eax,1
01402ECBDB | 45:84D2                | test r10b,r10b
01402ECBDE | 66:81FF 905B           | cmp di,5B90
01402ECBE3 | 83F9 06                | cmp ecx,6
01402ECBE6 | E9 00000000            | jmp vgk.1402ECBEB
01402ECBEB | 0F82 1B000000          | jb vgk.1402ECC0C
01402ECBF1 | 48:BA 7002000080F7FFFF | mov rdx,FFFFF78000000270
01402ECBFB | 80FB 2E                | cmp bl,2E
01402ECBFE | F5                     | cmc
01402ECBFF | 3902                   | cmp dword ptr ds:[rdx],eax ; problem
01402ECC01 | E9 00000000            | jmp vgk.1402ECC06
01402ECC06 | 0F83 17000000          | jae vgk.1402ECC23
01402ECC0C | 83F9 0A                | cmp ecx,A
01402ECC0F | E9 00000000            | jmp vgk.1402ECC14
01402ECC14 | 0F83 09000000          | jae vgk.1402ECC23
01402ECC1A | 2AC0                   | sub al,al
01402ECC1C | 45:3AE3                | cmp r12b,r11b
01402ECC1F | 41:80F9 65             | cmp r9b,65
01402ECC23 | 48:83C4 28             | add rsp,28
01402ECC27 | E9 00000000            | jmp vgk.1402ECC2C
01402ECC2C | C3                     | ret
...
--- snip ---

'cmp dword ptr ds:[rdx],eax' -> 0x39,0x02

The driver checks the 'KSHARED_USER_DATA' 'NtMajorVersion' and 'NtMinorVersion' fields to see if the OS is supported.
(http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_share...)

In case it encounters something below 'Windows 7', the driver entry point will return code 0xC000A004 which translates to 'STATUS_INVALID_KERNEL_INFO_VERSION'.

Wine source:

https://source.winehq.org/git/wine.git/blob/f31a29b8d1ea478af28f14cdaf3db151...

$ sha1sum setup.exe
08deca4c0b46a3481e706926c0217d1c944d22a3  setup.exe

$ du -sh setup.exe
15M     setup.exe

$ wine --version
wine-5.6-258-gf31a29b8d1

Regards

-- 
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because: You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=48988

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, obfuscation
                URL|                            |https://riot-client.secure.dyn.riotcdn.net/channels/public/rccontent/vanguard/0.3.2.2/setup.exe
https://bugs.winehq.org/show_bug.cgi?id=48988

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|https://riot-client.secure.dyn.riotcdn.net/channels/public/rccontent/vanguard/0.3.2.2/setup.exe|https://web.archive.org/web/20200421165713/https://riot-client.secure.dyn.riotcdn.net/channels/public/rccontent/vanguard/0.3.2.2/setup.exe
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #1 from Anastasius Focht <focht(a)gmx.net> ---
Hello folks,

revisiting, still present.

Also encountered with Vanguard v1.0.x.x versions.

https://web.archive.org/web/20211026070447/https://riot-client.secure.dyn.ri...

v1.0.x.x needs bug 51939 to be worked around to come to this place.

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+module,+imports wine net start vgk >>log.txt 2>&1
...
0118:trace:seh:dispatch_exception code=c0000005 flags=0 addr=00000000012F45B8 ip=00000000012F45B8 tid=0118
0118:warn:seh:dispatch_exception EXCEPTION_ACCESS_VIOLATION exception (code=c0000005) raised
0118:trace:seh:dispatch_exception rax=0000000000000001 rbx=0000000000173aa8 rcx=0000000000000006 rdx=fffff78000000270
0118:trace:seh:dispatch_exception rsi=0000000000173810 rdi=0000000000173aa8 rbp=0000000000c6f8b0 rsp=0000000000c6f760
0118:trace:seh:dispatch_exception r8=0000000000000000 r9=0000000000000040 r10=00007f3d604ff6a0 r11=0000000000000000
0118:trace:seh:dispatch_exception r12=0000000000173940 r13=0000000000173aa8 r14=0000000067fd0000 r15=0000000000000000
0118:trace:seh:call_vectored_handlers calling handler at 00000000003ED430 code=c0000005 flags=0
0118:trace:seh:call_vectored_handlers handler at 00000000003ED430 returned 0
0118:trace:seh:call_stack_handlers found wine frame 0000000000C6FE80 rsp 0000000000C6FFE0 handler 000000007BC61270
0118:trace:seh:call_teb_handler calling TEB handler 000000007BC61270 (rec=0000000000C6F560, frame=0000000000C6FE80 context=0000000000C6EB50, dispatch=0000000000C6EA28)
0118:Call ntdll.NtCreateEvent(00c6e6d0,001f0003,00c6e7b0,00000000,00c6e600) ret=7b013093
0118:Ret ntdll.NtCreateEvent() retval=00000000 ret=7b013093
0118:Call ntdll.RtlInitUnicodeString(00c6e6e0,7b070a96 L"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug") ret=7b01311a
0118:Ret ntdll.RtlInitUnicodeString() retval=0000008e ret=7b01311a
...
--- snip ---

--- snip ---
...
012F4577 | A1 6C02000080F7FFFF    | mov eax,dword ptr ds:[FFFFF7800000026C]
012F4580 | E9 09000000            | jmp vgk.12F458E
012F4585 | 6641:0F43CF            | cmovae cx,r15w
012F458A | 48:0FB7CC              | movzx rcx,sp
012F458E | 8BC8                   | mov ecx,eax
012F4590 | D3D8                   | rcr eax,cl
012F4592 | D3D0                   | rcl eax,cl
012F4594 | D3F0                   | shl eax,cl
012F4596 | B8 01000000            | mov eax,1
012F459B | 83F9 06                | cmp ecx,6
012F459E | E9 00000000            | jmp vgk.12F45A3
012F45A3 | 0F82 1C000000          | jb vgk.12F45C5
012F45A9 | 48:BA 7002000080F7FFFF | mov rdx,FFFFF78000000270
012F45B3 | 66:F7C6 9468           | test si,6894
012F45B8 | 3902                   | cmp dword ptr ds:[rdx],eax ; *boom*
012F45BA | E9 00000000            | jmp vgk.12F45BF
012F45BF | 0F83 13000000          | jae vgk.12F45D8
012F45C5 | 83F9 0A                | cmp ecx,A
012F45C8 | E9 00000000            | jmp vgk.12F45CD
012F45CD | 0F83 05000000          | jae vgk.12F45D8
...
--- snip ---

$ sha1sum setup.exe
b8ff7192073b701557354f75e9232e8e237e5814  setup.exe

$ du -sh setup.exe
17M     setup.exe

$ wine --version
wine-6.20-159-g80a30625a70

Regards
https://bugs.winehq.org/show_bug.cgi?id=48988

Tareque Md Hanif <tarequemd.hanif(a)yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tarequemd.hanif(a)yahoo.com
https://bugs.winehq.org/show_bug.cgi?id=48988

Ker noa <blue-t(a)web.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |blue-t(a)web.de
https://bugs.winehq.org/show_bug.cgi?id=48988

etaash.mathamsetty(a)gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |etaash.mathamsetty(a)gmail.com

--- Comment #2 from etaash.mathamsetty(a)gmail.com ---
I am no expert on assembly, but mov rdx,FFFFF78000000270: where does address FFFFF78000000270 point to? I'm stumped on this (and btw it still does not work in wine 7.9).
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #3 from etaash.mathamsetty(a)gmail.com ---
oh I get it now, FFFFF78000000270 points to NT version minor, right?
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #4 from etaash.mathamsetty(a)gmail.com ---
Let me try this on a windows system
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #5 from etaash.mathamsetty(a)gmail.com ---
after lots and lots of digging, the real reason it is crashing: vgk.sys is looking for the data at 0xFFFFF78000000000, but the only place that KSHARED_USER_DATA is stored is 0x7ffe0000
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #6 from Etaash Mathamsetty <etaash.mathamsetty(a)gmail.com> ---
ok so after doing a bunch of work, it is an instruction emulation issue lmao, I spent all that time thinking "wine doesn't emulate instructions", but it does lol
https://bugs.winehq.org/show_bug.cgi?id=48988

Zeb Figura <z.figura12(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |z.figura12(a)gmail.com

--- Comment #7 from Zeb Figura <z.figura12(a)gmail.com> ---
(In reply to Etaash Mathamsetty from comment #6)
> ok so after doing a bunch of work, it is an instruction emulation issue lmao, I spent all that time thinking "wine doesn't emulate instructions", but it does lol

Right, one of the defining features of Wine is that it doesn't emulate *most* instructions, but there are some privileged instructions that we can't allow the host system to handle, and have to deal with ourselves.
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #8 from Etaash Mathamsetty <etaash.mathamsetty(a)gmail.com> ---
I am using the latest version of vanguard (I have no idea which version), but instead of using mov they are using movabs, which wine doesn't support. (or maybe objdump is doing that)
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #9 from Etaash Mathamsetty <etaash.mathamsetty(a)gmail.com> ---
well unfortunately where I am crashing, I haven't reached that yet lol
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #10 from Etaash Mathamsetty <etaash.mathamsetty(a)gmail.com> ---
I made a probably terrible implementation of this instruction, feedback is appreciated!

    case 0x38: /* cmp Eb, Gb */
    case 0x39: /* cmp Ev, Gv */
    {
        BYTE *data = INSTR_GetOperandAddr( context, instr + 1, prefixlen + 1, long_addr,
                                           rex, segprefix, &len );
        SIZE_T offset = data - user_shared_data;
        /* 0x38 is the byte form; get_op_size() only knows the 16/32/64-bit widths */
        SIZE_T data_size = (*instr == 0x38) ? 1 : get_op_size( long_op, rex );

        if (offset <= KSHARED_USER_DATA_PAGE_SIZE - data_size)
        {
            /* the second operand is the ModRM reg field (REX.R extends it), not a
             * second memory operand; get_context_reg() is assumed to be the register
             * lookup helper that INSTR_GetOperandAddr() already uses in instr.c */
            int reg = ((instr[1] >> 3) & 7) | ((rex & REX_R) ? 8 : 0);
            ULONGLONG mem = 0, regval = 0;

            if (data_size == 1 && !rex && reg >= 4) break;  /* AH/CH/DH/BH: not handled */
            memcpy( &mem, wine_user_shared_data + offset, data_size );
            memcpy( &regval, get_context_reg( context, reg ), data_size );
            TRACE( "USD offset %#x at %p\n", (unsigned int)offset, (void *)context->Rip );

            /* CMP computes mem - reg at the operand width; the driver's jb/jae only
             * look at CF, so ZF and CF are modelled and SF/OF/PF/AF are left untouched */
            context->EFlags &= ~(1UL << 6);   /* clear ZF */
            context->EFlags &= ~(1UL);        /* clear CF */
            if (mem == regval)
                context->EFlags |= (1 << 6);  /* ZF: equal */
            else if (mem < regval)
                context->EFlags |= (1);       /* CF: unsigned below */
            context->Rip += prefixlen + len + 1;
            return ExceptionContinueExecution;
        }
        break;  /* Unable to emulate it */
    }
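An added, stand-alone C model (not Wine's instr.c and not Riot's code) of the emulation this bug asks for, serving both the version check described in the original report and the CMP emulation posted in comment #10: it decodes cmp r/m,reg with the 0x66 and REX prefixes, reads the memory operand from a shadow copy of the page only when the address lies in the FFFFF78000000000 alias, computes the full set of arithmetic flags (the posted snippet sets ZF and CF only, and compares one byte), and replays the driver's "cmp ecx,6 / jb ... cmp dword ptr [rdx],eax / jae ... cmp ecx,0Ah / jae" gate as read from the quoted disassembly. The names shadow_usd, emulate_cmp_usd, run_cmp and vgk_version_gate, the 16-register context layout and my reading of the gate's control flow are this example's own assumptions; the offsets 0x26c/0x270 and the byte sequence 39 02 come from the bug.

```c
/* Added example, not Wine or Riot code: stand-alone model of emulating
 * "CMP r/m16/32/64, r16/32/64" (opcode 0x39, plus byte form 0x38) against a
 * shadow KUSER_SHARED_DATA page, and a replay of the driver's version gate as
 * read from the disassembly quoted in this bug. Assumed: 16 GPRs indexed by
 * their ModRM/REX encoding, a 4 KiB shadow page, little-endian host. */
#include <stdint.h>
#include <string.h>

#define USD_KM_BASE   0xFFFFF78000000000ULL  /* kernel-mode alias the driver reads */
#define USD_PAGE_SIZE 0x1000
#define OFF_NT_MAJOR  0x26c                  /* KUSER_SHARED_DATA.NtMajorVersion */
#define OFF_NT_MINOR  0x270                  /* KUSER_SHARED_DATA.NtMinorVersion */
enum { FL_CF = 1 << 0, FL_PF = 1 << 2, FL_AF = 1 << 4, FL_ZF = 1 << 6, FL_SF = 1 << 7,
       FL_OF = 1 << 11, FL_ARITH = FL_CF | FL_PF | FL_AF | FL_ZF | FL_SF | FL_OF };

struct cpu { uint64_t gpr[16]; uint64_t rip; uint32_t eflags; }; /* gpr[0]=rax .. gpr[15]=r15 */
static uint8_t shadow_usd[USD_PAGE_SIZE];  /* stands in for wine_user_shared_data */

/* Flags CMP produces for dst - src at the given width (1, 2, 4 or 8 bytes). */
static uint32_t cmp_flags(uint64_t dst, uint64_t src, int size)
{
    uint64_t mask = size == 8 ? ~0ULL : (1ULL << (size * 8)) - 1;
    uint64_t sign = 1ULL << (size * 8 - 1), res;
    uint32_t f = 0;
    uint8_t p;

    dst &= mask; src &= mask; res = (dst - src) & mask;
    if (dst < src)                        f |= FL_CF;  /* unsigned borrow: what jb/jae test */
    if (res == 0)                         f |= FL_ZF;
    if (res & sign)                       f |= FL_SF;
    if ((dst ^ src) & (dst ^ res) & sign) f |= FL_OF;  /* signed overflow */
    if ((dst ^ src ^ res) & 0x10)         f |= FL_AF;
    p = (uint8_t)res; p ^= p >> 4; p ^= p >> 2; p ^= p >> 1;
    if (!(p & 1))                         f |= FL_PF;  /* even parity of the low byte */
    return f;
}

/* Decode one CMP r/m,reg from code[] (the bytes at RIP). Returns the instruction
 * length and updates eflags/rip when the memory operand lies in the shared-data
 * alias; returns 0 (let the fault propagate) for any other address and for encodings
 * not modelled here (SIB, RIP-relative, register-register form). */
static int emulate_cmp_usd(struct cpu *cpu, const uint8_t *code, size_t len)
{
    size_t i = 0;
    int opsize = 4, rex = 0, mod, reg, rm;
    int64_t disp = 0;
    uint64_t off, mem = 0, regval;

    if (i < len && code[i] == 0x66) { opsize = 2; i++; }               /* operand-size prefix */
    if (i < len && (code[i] & 0xf0) == 0x40) { rex = code[i++]; if (rex & 8) opsize = 8; }
    if (i >= len || (code[i] != 0x38 && code[i] != 0x39)) return 0;
    if (code[i] == 0x38) opsize = 1;
    if (++i >= len) return 0;
    mod = code[i] >> 6; reg = (code[i] >> 3) & 7; rm = code[i] & 7; i++;
    if (rex & 4) reg += 8;                                              /* REX.R */
    if (rex & 1) rm += 8;                                               /* REX.B */
    if (mod == 3 || (rm & 7) == 4 || (mod == 0 && (rm & 7) == 5)) return 0;
    if (mod == 1) { if (i + 1 > len) return 0; disp = (int8_t)code[i]; i += 1; }
    if (mod == 2) { int32_t d; if (i + 4 > len) return 0; memcpy(&d, code + i, 4); disp = d; i += 4; }

    off = cpu->gpr[rm] + (uint64_t)disp - USD_KM_BASE;                 /* wraps for foreign addresses */
    if (off > (uint64_t)(USD_PAGE_SIZE - opsize)) return 0;            /* not our page: real fault */
    memcpy(&mem, shadow_usd + off, opsize);
    regval = cpu->gpr[reg];
    if (opsize == 1 && !rex && reg >= 4) regval = cpu->gpr[reg - 4] >> 8;  /* AH/CH/DH/BH */
    cpu->eflags = (cpu->eflags & ~FL_ARITH) | cmp_flags(mem, regval, opsize);
    cpu->rip += i;
    return (int)i;
}

/* Harness for the checks: preset rax/rdx and the 8 bytes at NtMinorVersion. */
static uint32_t g_last_flags;
static int run_cmp(const uint8_t *code, size_t len, uint64_t rax, uint64_t rdx, uint64_t mem)
{
    struct cpu cpu = {{0}, 0, 0};
    int n;
    cpu.gpr[0] = rax; cpu.gpr[2] = rdx;
    memcpy(shadow_usd + OFF_NT_MINOR, &mem, 8);
    n = emulate_cmp_usd(&cpu, code, len);
    g_last_flags = cpu.eflags & FL_ARITH;
    return n;
}

/* Replay of the gate as I read the quoted listing: ecx = NtMajorVersion, eax = 1;
 * "cmp ecx,6 / jb", then "cmp dword ptr [rdx],eax / jae" with rdx = FFFFF78000000270,
 * falling back to "cmp ecx,0Ah / jae", else "sub al,al". Returns 1 = accepted,
 * 0 = rejected, -1 = the CMP faulted unemulated (what this bug reports). */
static int vgk_version_gate(uint32_t major, uint32_t minor)
{
    static const uint8_t cmp_minor[] = { 0x39, 0x02 };   /* cmp dword ptr ds:[rdx],eax */
    struct cpu cpu = {{0}, 0, 0};

    memcpy(shadow_usd + OFF_NT_MAJOR, &major, 4);
    memcpy(shadow_usd + OFF_NT_MINOR, &minor, 4);
    cpu.gpr[0] = 1;                                       /* mov eax,1 */
    if (major >= 6) {                                     /* cmp ecx,6 ; jb */
        cpu.gpr[2] = USD_KM_BASE + OFF_NT_MINOR;          /* mov rdx,FFFFF78000000270 */
        if (!emulate_cmp_usd(&cpu, cmp_minor, sizeof cmp_minor)) return -1;
        if (!(cpu.eflags & FL_CF)) return 1;              /* jae: NtMinorVersion >= 1 */
    }
    return major >= 10;                                   /* cmp ecx,0Ah ; jae (else sub al,al) */
}
```

Two things worth noticing when running it: the jb/jae pair after the CMP reads only CF, which is why a minimal emulation that gets CF and ZF right unblocks this driver, but a general one has to produce SF/OF/PF/AF as well because the next obfuscated sequence may branch on those; and the second "cmp ecx,0Ah" path is what lets Windows 10 (10.0, minor version 0) through even though 6.0 is rejected, so reporting a plausible major/minor pair in the shadow page matters as much as emulating the instruction. SIB and RIP-relative memory operands are deliberately refused here so the caller sees a real fault rather than a silently wrong comparison.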
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #11 from Ker noa <blue-t(a)web.de> ---
I think gitlab pull requests are more visible than comments on bugs
https://gitlab.winehq.org/groups/wine/-/merge_requests
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #12 from Etaash Mathamsetty <etaash.mathamsetty(a)gmail.com> ---
(In reply to Ker noa from comment #11)
> I think gitlab pull requests are more visible than comments on bugs
> https://gitlab.winehq.org/groups/wine/-/merge_requests

I don't really want to submit a pull request for this since I have no idea if it is a good implementation or not, so I want to have some feedback/testing before submitting it in. This is my literal first time working with the wine source code.
https://bugs.winehq.org/show_bug.cgi?id=48988

--- Comment #13 from Austin English <austinenglish(a)gmail.com> ---
(In reply to Etaash Mathamsetty from comment #12)
> (In reply to Ker noa from comment #11)
> > I think gitlab pull requests are more visible than comments on bugs
> > https://gitlab.winehq.org/groups/wine/-/merge_requests
> 
> I don't really want to submit a pull request for this since I have no idea if it is a good implementation or not, so I want to have some feedback/testing before submitting it in.

FYI you can mark your MR as a draft to note that it's not ready to be merged/that you're requesting feedback.