http://bugs.winehq.org/show_bug.cgi?id=15437
Anastasius Focht focht@gmx.net changed:
What            |Removed |Added
----------------------------------------------------------------------------
              CC|        |focht@gmx.net

--- Comment #26 from Anastasius Focht focht@gmx.net 2009-06-07 04:49:38 ---
Hello,
the demo - a whopping 1.9 GiB download (http://www.4players.de/4players.php/download_info/PC-CDROM/Download/46636.ht...) - exhibits the same problem.
It seems a hook dll is most likely the culprit.
This hook dll is dynamically extracted from the installer PE resources and loaded into memory:
--- snip ---
...
0009:Call KERNEL32.FindResourceA(00400000,006658e8 "hookdll",0000000a) ret=0042414c
0009:Ret KERNEL32.FindResourceA() retval=00a0bbf0 ret=0042414c
0009:Call KERNEL32.LoadResource(00400000,00a0bbf0) ret=00424166
0009:Ret KERNEL32.LoadResource() retval=009a7a7c ret=00424166
0009:Call KERNEL32.SizeofResource(00400000,00a0bbf0) ret=00424180
0009:Ret KERNEL32.SizeofResource() retval=00032a00 ret=00424180
0009:Call KERNEL32.LockResource(009a7a7c) ret=0042418a
0009:Ret KERNEL32.LockResource() retval=009a7a7c ret=0042418a
0009:Call KERNEL32.CreateFileA(00c54cf0 "C:\windows\temp\~gs1367.tmp",c0000000,00000000,00000000,00000002,00000080,00000000) ret=0040afb6
0009:Ret KERNEL32.CreateFileA() retval=00000088 ret=0040afb6
0009:Call KERNEL32.WriteFile(00000088,009a7a7c,00032a00,0032f9e8,00000000) ret=0040b005
0009:Ret KERNEL32.WriteFile() retval=00000001 ret=0040b005
0009:Call KERNEL32.CloseHandle(00000088) ret=0040b056
0009:Ret KERNEL32.CloseHandle() retval=00000001 ret=0040b056
0009:Call KERNEL32.FreeResource(009a7a7c) ret=004241b8
0009:Ret KERNEL32.FreeResource() retval=00000000 ret=004241b8
0009:Call KERNEL32.LoadLibraryA(00c54cf0 "C:\windows\temp\~gs1367.tmp") ret=00663c5a
0009:Call PE DLL (proc=0x3bc914,module=0x390000 L"~gs1367.tmp",reason=PROCESS_ATTACH,res=(nil))
--- snip ---
The origin of the hook dll can be traced by looking at the strings in the PE image. It's a Delphi library called "madCodeHook", available from: http://www.madshi.net/madCodeHookDescription.htm
The vendor of the game purchased and used it for whatever reason...
This hook dll uses several strategies to ensure proper hooking. The hooker walks the PE structure, specifically exports table and IAT of mapped PE images. The bad thing: it also maps the on-disk images (Wine: placeholders!) of several system dlls into memory. Example: Wine's placeholder "kernel32.dll":
--- snip ---
...
0009:Call KERNEL32.GetModuleHandleW(03030b20 L"kernel32.dll") ret=003b2a72
0009:Ret KERNEL32.GetModuleHandleW() retval=7edc0000 ret=003b2a72
...
0009:Call KERNEL32.CreateFileW(00179ac8 L"C:\windows\system32\KERNEL32.dll",80000000,00000001,00000000,00000003,00000000,00000000) ret=003afa8a
0009:Ret KERNEL32.CreateFileW() retval=000000b4 ret=003afa8a
0009:Call KERNEL32.LocalFree(00179ac8) ret=003afac5
0009:Ret KERNEL32.LocalFree() retval=00000000 ret=003afac5
0009:Call KERNEL32.GetVersion() ret=003afacf
0009:Ret KERNEL32.GetVersion() retval=0a280105 ret=003afacf
0009:Call KERNEL32.CreateFileMappingW(000000b4,00000000,00000002,00000000,00000000,00000000) ret=003afae6
0009:Ret KERNEL32.CreateFileMappingW() retval=000000b8 ret=003afae6
0009:Call KERNEL32.MapViewOfFile(000000b8,00000004,00000000,00000000,00000000) ret=003afb0e
0009:Ret KERNEL32.MapViewOfFile() retval=03130000 ret=003afb0e
0009:Call KERNEL32.CloseHandle(000000b8) ret=003afb16
0009:Ret KERNEL32.CloseHandle() retval=00000001 ret=003afb16
0009:Call KERNEL32.CloseHandle(000000b4) ret=003afb1c
0009:Ret KERNEL32.CloseHandle() retval=00000001 ret=003afb1c
...
--- snip ---
The hooker verifies/correlates the in-memory PE images of system dlls that the Wine loader mapped (with IAT already patched) with the raw image from disk - Wine's placeholder - mapped into memory as a BLOB.
This obviously won't work by design, hence the crash.
An interesting tidbit "madCodeHook on Wine": http://forum.madshi.net/viewtopic.php?t=4744
Maybe the developer of the hooker needs some education about some Wine No-No's ;-)
Regarding the game installer: if you find a version not bundled with this hooker you're fine - otherwise this is WONTFIX. Though you might use the "copy-over-from-Windows" approach, this isn't supported.
And last: bug 9361 is about the exact same issue. Mark that bug as a dupe of this one because I gave the analysis here.
Regards
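An added illustration of the mechanism described in the comment above (example code, not part of the bug report and not madCodeHook's or Wine's own code): a small PE32 reader walks the export table of an on-disk image the way a hooker correlating disk and memory would, and first checks whether the file is a Wine placeholder so it can stop instead of comparing against an image that carries no real code. The sample DLL images are constructed inline with struct so the script runs offline; the "Wine placeholder DLL" string is what Wine's ntdll loader checks for right after the DOS header in its fake DLLs, and the assumption that the placeholder carries no export table, the export names used, and the correlation rule (compare export-name sets) are simplifications chosen for this example.

```python
"""Minimal PE32 export-table walk plus a Wine placeholder check (added example)."""
import struct

# Signature Wine's loader looks for directly after the 64-byte DOS header of a fake DLL.
PLACEHOLDER_SIG = b"Wine placeholder DLL\0"


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def parse_pe(data):
    """Return (export_dir_rva, export_dir_size, sections) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = _u32(data, 0x3C)                      # e_lfanew -> IMAGE_NT_HEADERS
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec = _u16(data, pe + 6)                  # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = _u16(data, pe + 20)             # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = pe + 24                              # IMAGE_OPTIONAL_HEADER32
    if _u16(data, opt) != 0x10B:
        raise ValueError("only PE32 handled here")
    exp_rva, exp_size = _u32(data, opt + 96), _u32(data, opt + 100)  # DataDirectory[0]
    sections = []
    for i in range(nsec):                      # IMAGE_SECTION_HEADER array follows the optional header
        s = opt + opt_size + 40 * i
        sections.append((data[s:s + 8].rstrip(b"\0"), _u32(data, s + 8), _u32(data, s + 12),
                         _u32(data, s + 16), _u32(data, s + 20)))
    return exp_rva, exp_size, sections


def rva_to_offset(rva, sections):
    """Translate an RVA to a file offset via the section table (raw image, not mapped)."""
    for _name, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} lies in no section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def export_names(data):
    """Names from IMAGE_EXPORT_DIRECTORY.AddressOfNames, in table order."""
    exp_rva, exp_size, secs = parse_pe(data)
    if exp_rva == 0 or exp_size == 0:
        return []
    d = rva_to_offset(exp_rva, secs)
    nnames, names_rva = _u32(data, d + 24), _u32(data, d + 32)
    names_off = rva_to_offset(names_rva, secs)
    return [_cstr(data, rva_to_offset(_u32(data, names_off + 4 * i), secs)) for i in range(nnames)]


def is_wine_placeholder(data):
    """True if the image carries Wine's fake-DLL marker between the DOS and NT headers."""
    return _u32(data, 0x3C) >= 64 + len(PLACEHOLDER_SIG) and data[64:64 + len(PLACEHOLDER_SIG)] == PLACEHOLDER_SIG


def correlate(memory_image, disk_image):
    """Simplified stand-in for the hooker's disk/memory correlation: compare export-name sets,
    but refuse up front when the disk image is a placeholder (assumed behaviour, not madCodeHook's)."""
    if is_wine_placeholder(disk_image):
        return False, "disk image is a Wine placeholder; skip correlation"
    mem, disk = set(export_names(memory_image)), set(export_names(disk_image))
    if mem != disk:
        return False, f"export mismatch: {sorted(mem ^ disk)}"
    return True, "images correlate"


def build_sample_image(exports, placeholder):
    """Construct a one-section PE32 DLL image for the demo (sample data, not a real DLL)."""
    SEC_RVA, SEC_OFF, SEC_SIZE = 0x1000, 0x200, 0x200
    sec = bytearray(SEC_SIZE)
    exp_rva = exp_size = 0
    if exports:
        n = len(exports)
        func_tbl, name_tbl, ord_tbl = 40, 40 + 4 * n, 40 + 8 * n
        strings = ord_tbl + 2 * n
        blob = b"sample.dll\0" + b"".join(s.encode() + b"\0" for s in exports)
        sec[strings:strings + len(blob)] = blob
        name_off = strings + len(b"sample.dll\0")
        for i, s in enumerate(exports):
            sec[0x100 + 16 * i] = 0xC3           # 'ret' stub standing in for the export body
            struct.pack_into("<I", sec, func_tbl + 4 * i, SEC_RVA + 0x100 + 16 * i)
            struct.pack_into("<I", sec, name_tbl + 4 * i, SEC_RVA + name_off)
            struct.pack_into("<H", sec, ord_tbl + 2 * i, i)
            name_off += len(s) + 1
        struct.pack_into("<IIHHIIIIIII", sec, 0, 0, 0, 0, 0, SEC_RVA + strings, 1, n, n,
                         SEC_RVA + func_tbl, SEC_RVA + name_tbl, SEC_RVA + ord_tbl)
        exp_rva, exp_size = SEC_RVA, strings + len(blob)
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)    # e_lfanew
    if placeholder:
        dos[64:64 + len(PLACEHOLDER_SIG)] = PLACEHOLDER_SIG
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, exp_rva, exp_size)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".text", SEC_SIZE, SEC_RVA, SEC_SIZE, SEC_OFF, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    return bytes(hdr.ljust(SEC_OFF, b"\0") + sec)


if __name__ == "__main__":
    real = build_sample_image(["CreateFileA", "LoadLibraryA"], placeholder=False)
    fake = build_sample_image([], placeholder=True)
    print(export_names(real), correlate(real, real), correlate(real, fake))
```

The point the demo makes is the one in the comment: the in-memory module (here the constructed "real" image) exports names that simply are not present in the on-disk placeholder, so any code that insists on matching the two will fail, and the only sane move is to recognise the placeholder and skip the correlation.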