https://bugs.winehq.org/show_bug.cgi?id=48988
Bug ID: 48988
Summary: Riot Vanguard (Riot Games) 'vgk.sys' needs KSHARED_USER_DATA access instruction emulation for 'CMP r/m16/32/64, r16/32/64'
Product: Wine
Version: 5.6
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as it says. Wine's instruction emulation for KSHARED_USER_DATA handles most of the 'MOV' (copy) instruction flavours but no 'CMP r/m16/32/64, r16/32/64' cases.
--- snip ---
...
002f:Call ntdll.NtFlushBuffersFile(00000044,00d4f2e0) ret=7bca1f9f
002f: flush( async={handle=0044,event=0000,iosb=00d4f2e0,user=00728c00,apc=00000000,apc_context=00000000} )
002f: flush() = 0 { event=0048 }
002f: select( flags=2, cookie=00d4e5cc, timeout=infinite, size=8, prev_apc=0000, result={}, data={WAIT_ALL,handles={0048}}, context={} )
002f: select() = 0 { call={APC_NONE}, apc_handle=0000, context={} }
002f:Ret ntdll.NtFlushBuffersFile() retval=00000000 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ZwFlushBuffersFile() retval=00000000 ret=0115f5ac
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0bc0,656e6f4e) ret=0115fd31
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0BC0
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0bc0) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=0115fd31
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0b40,656e6f4e) ret=00e73ad4
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0B40
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0b40) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0330,656e6f4e) ret=00e73ad4
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0330
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0330) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x115cbbd ip=115cbbd tid=002f
002f:trace:seh:raise_exception info[0]=0000000000000000
002f:trace:seh:raise_exception info[1]=fffff7800000026c
002f:trace:seh:raise_exception rax=0000000001000001 rbx=0000000000728bb8 rcx=0000000000000000 rdx=0000000000000048
002f:trace:seh:raise_exception rsi=0000000000d4f7bc rdi=0000000000728bb8 rbp=0000000000727788 rsp=0000000000d4f6a0
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000d4ec12 r10=0000000000000000 r11=0000000000000000
002f:trace:seh:raise_exception r12=0000000000728a50 r13=00007fffffea4000 r14=0000000000728bb8 r15=0000000000000000
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9c0 code=c0000005 flags=0
002f:Call KERNEL32.GetTickCount64() ret=18000bccc
002f:Ret KERNEL32.GetTickCount64() retval=01920417 ret=18000bccc
002f:Call msvcrt.memcpy(00d4f108,7ffe026c,00000004) ret=18000bcf8
002f:Ret msvcrt.memcpy() retval=00d4f108 ret=18000bcf8
002f:trace:seh:call_vectored_handlers handler at 0x18000b9c0 returned ffffffff
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x115cbff ip=115cbff tid=002f
002f:trace:seh:raise_exception info[0]=0000000000000000
002f:trace:seh:raise_exception info[1]=fffff78000000270
002f:trace:seh:raise_exception rax=0000000000000001 rbx=0000000000728bb8 rcx=0000000000000006 rdx=fffff78000000270
002f:trace:seh:raise_exception rsi=0000000000d4f7bc rdi=0000000000728bb8 rbp=0000000000727788 rsp=0000000000d4f6a0
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000d4ec12 r10=0000000000000000 r11=0000000000000000
002f:trace:seh:raise_exception r12=0000000000728a50 r13=00007fffffea4000 r14=0000000000728bb8 r15=0000000000000000
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9c0 code=c0000005 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9c0 returned 0
--- snip ---
The driver code is obfuscated but that doesn't prevent analysis/debugging ;-)
Relevant part of driver disassembly:
--- snip ---
...
01402ECBAF | 8D82 5A4A900F          | lea eax,qword ptr ds:[rdx+F904A5A]
01402ECBB5 | C0ED D2                | shr ch,D2
01402ECBB8 | ED                     | in eax,dx
01402ECBB9 | 44:0FABF0              | bts eax,r14d
01402ECBBD | A1 6C02000080F7FFFF    | mov eax,dword ptr ds:[FFFFF7800000026C]
01402ECBC6 | 40:22CF                | and cl,dil
01402ECBC9 | 66:D3F9                | sar cx,cl
01402ECBCC | 8BC8                   | mov ecx,eax
01402ECBCE | 66:C1E0 26             | shl ax,26
01402ECBD2 | 66:0FC1C0              | xadd ax,ax
01402ECBD6 | B8 01000000            | mov eax,1
01402ECBDB | 45:84D2                | test r10b,r10b
01402ECBDE | 66:81FF 905B           | cmp di,5B90
01402ECBE3 | 83F9 06                | cmp ecx,6
01402ECBE6 | E9 00000000            | jmp vgk.1402ECBEB
01402ECBEB | 0F82 1B000000          | jb vgk.1402ECC0C
01402ECBF1 | 48:BA 7002000080F7FFFF | mov rdx,FFFFF78000000270
01402ECBFB | 80FB 2E                | cmp bl,2E
01402ECBFE | F5                     | cmc
01402ECBFF | 3902                   | cmp dword ptr ds:[rdx],eax ; problem
01402ECC01 | E9 00000000            | jmp vgk.1402ECC06
01402ECC06 | 0F83 17000000          | jae vgk.1402ECC23
01402ECC0C | 83F9 0A                | cmp ecx,A
01402ECC0F | E9 00000000            | jmp vgk.1402ECC14
01402ECC14 | 0F83 09000000          | jae vgk.1402ECC23
01402ECC1A | 2AC0                   | sub al,al
01402ECC1C | 45:3AE3                | cmp r12b,r11b
01402ECC1F | 41:80F9 65             | cmp r9b,65
01402ECC23 | 48:83C4 28             | add rsp,28
01402ECC27 | E9 00000000            | jmp vgk.1402ECC2C
01402ECC2C | C3                     | ret
...
--- snip ---
'cmp dword ptr ds:[rdx],eax' -> 0x39,0x02
The driver checks the 'KSHARED_USER_DATA' 'NtMajorVersion' and 'NtMinorVersion' fields to see whether the OS is supported.
(http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_share...)
If it encounters something below 'Windows 7', the driver entry point returns code 0xC000A004, which translates to 'STATUS_INVALID_KERNEL_INFO_VERSION'.
Wine source:
https://source.winehq.org/git/wine.git/blob/f31a29b8d1ea478af28f14cdaf3db151...
$ sha1sum setup.exe
08deca4c0b46a3481e706926c0217d1c944d22a3  setup.exe

$ du -sh setup.exe
15M setup.exe

$ wine --version
wine-5.6-258-gf31a29b8d1
Regards
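Added example (editor's code, not code from Wine's ntoskrnl instruction emulation or from vgk.sys): a small C model of the emulation path the report says is missing. It decodes the 0x39 (CMP r/m, r) and 0x3B (CMP r, r/m) forms with an optional 0x66 or REX.W prefix and a [base + disp8/disp32] memory operand (SIB and RIP-relative forms are deliberately left undecoded), checks that the effective address lies inside the kernel KSHARED_USER_DATA page at FFFFF78000000000, reads the operand from a user-mode mirror instead (the trace above shows the earlier MOV being satisfied by a memcpy from 7ffe026c, the user-mode mapping), computes the RFLAGS a real CMP would leave behind, and advances rip past the instruction so the following jae sees the right CF. Only the bytes 39 02, rdx = FFFFF78000000270, rcx/NtMajorVersion = 6 and eax = 1 come from the report; the struct cpu layout, the EMU_* return codes, the run_scenario helper, the 0x1000-byte mirror with a chosen NtMinorVersion, and the three extra encodings are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KSHARED_USER_DATA_KERNEL 0xFFFFF78000000000ULL  /* kernel-mode alias of KUSER_SHARED_DATA */
#define KSHARED_USER_DATA_SIZE   0x1000ULL              /* assumption: one page is emulated */
enum { CF = 1 << 0, PF = 1 << 2, AF = 1 << 4, ZF = 1 << 6, SF = 1 << 7, OF = 1 << 11 }; /* RFLAGS bits CMP writes */

struct cpu { uint64_t rip, rflags, gpr[16]; };  /* gpr order: rax,rcx,rdx,rbx,rsp,rbp,rsi,rdi,r8..r15 */
enum { EMU_UNHANDLED = 0, EMU_DONE = 1 };

static int even_parity(uint8_t v) { int n = 0; for (; v; v >>= 1) n += v & 1; return !(n & 1); }

/* Flags produced by dst - src at an operand width of 2, 4 or 8 bytes. */
static uint64_t sub_flags(uint64_t dst, uint64_t src, unsigned width, uint64_t flags)
{
    uint64_t mask = width == 8 ? ~0ULL : (1ULL << (width * 8)) - 1;
    uint64_t sign = 1ULL << (width * 8 - 1);
    uint64_t res  = (dst - src) & mask;
    dst &= mask; src &= mask;
    flags &= ~(uint64_t)(CF | PF | AF | ZF | SF | OF);
    if (dst < src)                        flags |= CF;  /* unsigned borrow */
    if ((dst ^ src) & (dst ^ res) & sign) flags |= OF;  /* signed overflow */
    if ((dst ^ src ^ res) & 0x10)         flags |= AF;  /* borrow out of bit 3 */
    if (res == 0)                         flags |= ZF;
    if (res & sign)                       flags |= SF;
    if (even_parity((uint8_t)res))        flags |= PF;
    return flags;
}

/* Emulate the instruction bytes at `code` (fetched from ctx->rip). Only CMP (0x39 r/m,r and
 * 0x3B r,r/m) with a [base + disp] operand inside KSHARED_USER_DATA is handled; the read is
 * redirected to `mirror`, the user-mode copy. Everything else is left to the normal fault path. */
static int emulate_kshared_cmp(struct cpu *ctx, const uint8_t *code, const uint8_t *mirror)
{
    const uint8_t *p = code;
    unsigned width = 4; uint8_t rex = 0;
    if (*p == 0x66) { width = 2; p++; }                                  /* operand-size prefix */
    if ((*p & 0xF0) == 0x40) { rex = *p++; if (rex & 0x08) width = 8; }  /* REX; REX.W -> 64-bit */
    uint8_t opcode = *p++;
    if (opcode != 0x39 && opcode != 0x3B) return EMU_UNHANDLED;
    uint8_t modrm = *p++;
    unsigned mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod == 3)            return EMU_UNHANDLED;  /* reg,reg: no memory access at all */
    if (rm == 4)             return EMU_UNHANDLED;  /* SIB form: not decoded in this example */
    if (mod == 0 && rm == 5) return EMU_UNHANDLED;  /* RIP-relative: not decoded here */
    if (rex & 0x04) reg |= 8;                       /* REX.R */
    if (rex & 0x01) rm  |= 8;                       /* REX.B */
    int64_t disp = 0;
    if (mod == 1)      { disp = (int8_t)*p; p += 1; }
    else if (mod == 2) { int32_t d; memcpy(&d, p, 4); disp = d; p += 4; }
    uint64_t off = ctx->gpr[rm] + (uint64_t)disp - KSHARED_USER_DATA_KERNEL;
    if (off >= KSHARED_USER_DATA_SIZE || width > KSHARED_USER_DATA_SIZE - off)
        return EMU_UNHANDLED;                       /* not the shared page: a genuine fault */
    uint64_t mem = 0;
    memcpy(&mem, mirror + off, width);              /* little-endian host assumed */
    if (opcode == 0x39) ctx->rflags = sub_flags(mem, ctx->gpr[reg], width, ctx->rflags); /* r/m - r */
    else                ctx->rflags = sub_flags(ctx->gpr[reg], mem, width, ctx->rflags); /* r - r/m */
    ctx->rip += (uint64_t)(p - code);               /* resume after the emulated instruction */
    return EMU_DONE;
}

/* Encodings used below: the faulting instruction from the report, plus three constructed
 * variants (16-bit with disp8, REX.W, and a register-only form that must not be handled). */
static const uint8_t CMP_RM32_R32[] = { 0x39, 0x02 };             /* cmp dword ptr [rdx],eax */
static const uint8_t CMP_RM16_R16[] = { 0x66, 0x39, 0x42, 0x04 }; /* cmp word ptr [rdx+4],ax */
static const uint8_t CMP_R64_RM64[] = { 0x48, 0x3B, 0x02 };       /* cmp rax,qword ptr [rdx] */
static const uint8_t CMP_R32_R32[]  = { 0x39, 0xC2 };             /* cmp edx,eax */

struct result { int handled; uint64_t flags, length; };

/* One run with registers as in the trace (rdx = &NtMinorVersion plus rdx_offset, rax as given)
 * against a constructed mirror holding NtMajorVersion = 6 and the given NtMinorVersion. */
static struct result run_scenario(const uint8_t *code, uint32_t nt_minor, uint64_t rax, int64_t rdx_offset)
{
    uint8_t mirror[KSHARED_USER_DATA_SIZE] = { 0 };
    uint32_t nt_major = 6;
    memcpy(mirror + 0x26C, &nt_major, 4);           /* NtMajorVersion */
    memcpy(mirror + 0x270, &nt_minor, 4);           /* NtMinorVersion */
    struct cpu ctx = { 0 };
    ctx.rip = 0x1402ECBFFULL;                       /* address of the faulting cmp in the listing */
    ctx.rflags = 0x202;
    ctx.gpr[0] = rax;
    ctx.gpr[2] = KSHARED_USER_DATA_KERNEL + 0x270 + (uint64_t)rdx_offset;
    struct result r;
    r.handled = emulate_kshared_cmp(&ctx, code, mirror) == EMU_DONE;
    r.flags   = ctx.rflags;
    r.length  = ctx.rip - 0x1402ECBFFULL;
    return r;
}

int main(void)
{
    struct result r = run_scenario(CMP_RM32_R32, 1, 1, 0);   /* NT 6.1 reported, eax = 1 */
    printf("handled=%d ZF=%d CF=%d len=%llu -> jae taken\n", r.handled,
           !!(r.flags & ZF), !!(r.flags & CF), (unsigned long long)r.length);
    return 0;
}
```

With NtMinorVersion = 1 (Windows 7) the compare of [rdx] = 1 against eax = 1 sets ZF and clears CF, so the jae that follows in the listing is taken; with NtMinorVersion = 0 the compare borrows, CF is set, and execution falls through to the cmp ecx,A path. The register-only form 39 C2 and any address outside the page return EMU_UNHANDLED and leave rip and rflags untouched, which is what lets the ordinary fault path run for real access violations.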