http://bugs.winehq.org/show_bug.cgi?id=34407
Anastasius Focht focht@gmx.net changed:
What            |Removed                    |Added
----------------------------------------------------------------------------
Keywords        |                           |download, obfuscation
Status          |UNCONFIRMED                |NEW
URL             |                           |https://mtasa-resources.googlecode.com/files/mtasa-1.3.4.exe
CC              |                           |focht@gmx.net
Component       |-unknown                   |msvcrt
Summary         |Multi Theft Auto: does not |Multi Theft Auto 1.3 loader
                |start                      |fails to initialize core
                |                           |infrastructure in GTA:SA
                |                           |process (msvcrt string
                |                           |collation check fails)
Ever confirmed  |0                          |1
--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
Multi Theft Auto loader process starts the original game process and injects its own infrastructure using the 'CreateRemoteThread with LoadLibrary' technique.
--- snip ---
...
000b:Starting process L"C:\Program Files\MTA San Andreas 1.3\Multi Theft Auto.exe" (entryproc=0x40d007)
...
000b:Call KERNEL32.CreateProcessA(00ab7b18 "C:\Program Files\Rockstar Games\GTA San Andreas\gta_sa.exe",0033fc48 "",00000000,00000000,00000000,00000005,00000000,001d55d0 "C:\Program Files\MTA San Andreas 1.3\mta",0033fb3c,0033fa28) ret=10013a21
003c:Call KERNEL32.__wine_kernel_init() ret=7bc599ec
000b:Ret KERNEL32.CreateProcessA() retval=00000001 ret=10013a21
...
000b:Call KERNEL32.GetProcAddress(7b810000,100569dc "LoadLibraryA") ret=10024a3b
000b:Ret KERNEL32.GetProcAddress() retval=7b8240bc ret=10024a3b
000b:Call KERNEL32.CreateRemoteThread(000000c4,00000000,00000000,7b8240bc,003d0000,00000000,00000000) ret=10024a43
000b:Ret KERNEL32.CreateRemoteThread() retval=000000e4 ret=10024a43
...
000b:Call KERNEL32.DebugActiveProcessStop(00000018) ret=006a18f3
003b:Starting thread proc 0x7b8240bc (arg=0x3d0000)
003b:Call KERNEL32.LoadLibraryA(003d0000 "C:\Program Files\MTA San Andreas 1.3\mta\core.dll") ret=7bc85c68
000b:Ret KERNEL32.DebugActiveProcessStop() retval=00000001 ret=006a18f3
000b:Call KERNEL32.WaitForSingleObject(000000e4,ffffffff) ret=006a1909
...
003b:Call PE DLL (proc=0x1a928d9,module=0x1980000 L"core.dll",reason=PROCESS_ATTACH,res=(nil))
--- snip ---
The loader's 'core' library does some initialization in its entry point, which includes a string collation check.
Wine gets the collation check wrong, resulting in a code path being executed within 'core' dll entry point which causes a page fault. Wine's loader unloads the 'core' library (entry entered again, now with 'detach') which leads to the silent termination of the child process.
--- snip ---
003b:Call msvcrt.setlocale(00000000,01ab6424 "C") ret=019a3a1e
003b:trace:msvcrt:MSVCRT__create_locale (0 C)
...
003b:Call msvcrt.setlocale(00000002,01aae0f0 "") ret=019a3a27
003b:trace:msvcrt:MSVCRT__create_locale (2 )
003b:Call KERNEL32.GetSystemDefaultLCID() ret=7e597608
003b:Ret KERNEL32.GetSystemDefaultLCID() retval=00000409 ret=7e597608
003b:Call KERNEL32.GetLocaleInfoA(00000409,80001004,0197e378,00000100) ret=7e597630
003b:Ret KERNEL32.GetLocaleInfoA() retval=00000005 ret=7e597630
...
003b:Ret msvcrt.setlocale() retval=00129370 ret=019a3a27
003b:Call msvcrt.strcoll(01ab5430 "a",01ab57fc "B") ret=019a3a37
003b:Call KERNEL32.CompareStringA(00000000,00000000,01ab5430 "a",ffffffff,01ab57fc "B",ffffffff) ret=7e5bf74d
003b:Ret KERNEL32.CompareStringA() retval=00000001 ret=7e5bf74d
003b:Ret msvcrt.strcoll() retval=ffffffff ret=019a3a37
003b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x19a3a3e ip=019a3a3e tid=003b
003b:trace:seh:raise_exception info[0]=00000001
003b:trace:seh:raise_exception info[1]=00000000
003b:trace:seh:raise_exception eax=ffffffff ebx=00000000 ecx=0014f098 edx=ffffffec esi=0014ef78 edi=7e577050
003b:trace:seh:raise_exception ebp=0014e760 esp=0197e584 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010286
003b:trace:seh:call_stack_handlers calling handler at 0x1aa4c9f code=c0000005 flags=0
003b:trace:seh:call_stack_handlers handler at 0x1aa4c9f returned 1
003b:trace:seh:call_stack_handlers calling handler at 0x1aa5132 code=c0000005 flags=0
003b:trace:seh:call_stack_handlers handler at 0x1aa5132 returned 1
003b:trace:seh:call_stack_handlers calling handler at 0x1a92b45 code=c0000005 flags=0
003b:Call msvcrt._except_handler4_common(01ad9060,01a922e1,0197e52c,0197e6bc,0197e260,0197e0ec) ret=01a92b65
...
003b:Call KERNEL32.TerminateProcess(ffffffff,00000000) ret=019e853f
...
--- snip ---
The check basically boils down to the following:
--- snip ---
setlocale(LC_ALL, "C");
setlocale(LC_CTYPE, "");
if (strcoll("a", "B") > 0)
    good_guy();
--- snip ---
strcoll()'s behaviour depends on LC_COLLATE in the current locale. For the "C" locale one would expect a result > 0, but Wine's msvcrt returns the opposite: < 0.
$ sha1sum mtasa-1.3.4.exe
80986c6f30cd6bc2de386ef25f85e6a3462b4391  mtasa-1.3.4.exe

$ du -sh mtasa-1.3.4.exe
20M	mtasa-1.3.4.exe

$ wine --version
wine-1.7.8-220-g0bef543
Regards
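The boiled-down check above, written out as a compilable program so the expected "C"-locale result can be verified against any C library. This is an added example, not code from the bug report or from Multi Theft Auto; the function names collation_check() and collate_is_c() are this example's own. It assumes a C library that honours LC_COLLATE separately from LC_CTYPE, as the report expects msvcrt to do: setting only LC_CTYPE from the environment must leave LC_COLLATE at "C", where strcoll() orders by byte value and 'a' (0x61) sorts after 'B' (0x42).

```c
/* Added example (not from the bug report): the collation check the
 * 'core' DLL performs, in a form that compiles against a POSIX libc.
 * collation_check() and collate_is_c() are names chosen here. */
#include <locale.h>
#include <stdio.h>
#include <string.h>

/* Same call sequence as the report: whole locale "C", then only the
 * LC_CTYPE category taken from the environment. LC_COLLATE is not
 * touched by the second call and must remain "C". */
int collation_check(void)
{
    setlocale(LC_ALL, "C");
    setlocale(LC_CTYPE, "");
    /* In the "C" locale strcoll() degenerates to a byte-wise compare,
     * so 'a' > 'B' and the result is positive. The Wine trace in the
     * report shows msvcrt returning -1 here instead. */
    return strcoll("a", "B");
}

/* Reports whether the collation category is still the portable "C"
 * (or its alias "POSIX") locale after collation_check() has run. */
int collate_is_c(void)
{
    const char *name = setlocale(LC_COLLATE, NULL);
    if (name == NULL)
        return 0;
    return strcmp(name, "C") == 0 || strcmp(name, "POSIX") == 0;
}

int main(void)
{
    int r = collation_check();
    printf("LC_COLLATE after setlocale(LC_CTYPE, \"\"): %s\n",
           setlocale(LC_COLLATE, NULL));
    printf("strcoll(\"a\", \"B\") = %d (%s)\n", r,
           r > 0 ? "expected for the \"C\" locale"
                 : "unexpected, collation check would fail");
    return r > 0 ? 0 : 1;
}
```

Run with any LANG/LC_CTYPE setting in the environment: the second setlocale() call may change LC_CTYPE, but LC_COLLATE stays "C" and the comparison stays positive. A libc that returned a negative value here would make the 'core' entry point take the failing path described in the report.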