[Bug 27221] Full Spectrum Warrior crashes on start (SoftWrap DRM scheme, Wine must not send window object creation event/call notify event hook for fake D3D window)

https://bugs.winehq.org/show_bug.cgi?id=27221

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Keywords| |obfuscation URL|http://www.joystiq.com/game |http://www.gamershell.com/d |/full-spectrum-warrior/down |ownload_33784.shtml |load/full-spectrum-warrior- | |full-free-game | CC| |focht@gmx.net Summary|Full Spectrum Warrior |Full Spectrum Warrior |crashes on start |crashes on start (SoftWrap | |DRM scheme, Wine must not | |send window object creation | |event/call notify event | |hook for fake D3D window)

--- Comment #3 from Anastasius Focht focht@gmx.net --- Hello folks,

confirming, still present. Adjusting download link. The game is protected by SoftWrap DRM scheme.

--- snip --- -=[ ProtectionID v0.6.5.5 OCTOBER]=- (c) 2003-2013 CDKiLLER & TippeX Build 31/10/13-21:09:09 Ready... Scanning -> Z:\home\focht.wine\drive_c\Program Files\THQ\Pandemic Studios\Full Spectrum Warrior\Launcher.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 1445888 (0161000h) Byte(s) [File Heuristics] -> Flag : 00000000000000000100000000100011 (0x00004023) [Entrypoint Section Entropy] : 7.63 [!] SoftWrap detected ! [!] Possible License Protection String -> License Activation - Scan Took : 0.323 Second(s) [000000143h tick(s)] [533 scan(s) done] --- snip ---

Some info: http://www.softwrap.com/page.aspx?page_id=109

It seems the company dissolved itself in 2013.

The recursion is basically the result of the way the DRM scheme hooks API and the Wine-specific creation of internal WineD3D fake window. The game hooks a huge amount of API, not limited to DirectX/DirectSound .. many win32 core functionality.

The following graphics API are considered for hooking by the engine (DFRTIEngine.dll):

* OpenGL * DirectDraw * DirectDraw7 * DirectX8 * DirectX9 * DirectX10 * GDI

--- snip --- $ pwd /home/focht/.wine/drive_c/Program Files/THQ/Pandemic Studios/Full Spectrum Warrior

$ WINEDEBUG=+tid,+seh,+relay,+d3d wine ./Launcher.exe >>log.txt 2>&1 ... 0025:Call KERNEL32.CreateProcessA(00000000,0058f618 ""C:\Program Files\THQ\Pandemic Studios\Full Spectrum Warrior\Launcher.locked"",00000000,00000000,00000000,00000004,00000000,00000000,0033d260,0033d820) ret=004284d9 ... 0028:Call KERNEL32.__wine_kernel_init() ret=7bc5a326 0025:Ret KERNEL32.CreateProcessA() retval=00000001 ret=004284d9 ... 0028:Call KERNEL32.LoadLibraryW(10040250 L"C:\Program Files\THQ\Pandemic Studios\Full Spectrum Warrior\DFRTIEngine.dll") ret=10001541 ... 0028:Call PE DLL (proc=0x70cc2d,module=0x630000 L"DFRTIEngine.dll",reason=PROCESS_ATTACH,res=(nil)) ... 0028:Call user32.SetWinEventHook(00000001,7fffffff,00630000,00633310,00000027,00000000,00000004) ret=006333e0 0028:Ret user32.SetWinEventHook() retval=0002006a ret=006333e0 ... 0028:Call KERNEL32.GetModuleHandleA(0074ad90 "ddraw.dll") ret=0067cba8 0028:Ret KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8 0028:Call KERNEL32.GetModuleHandleA(0074ad90 "ddraw.dll") ret=0067cba8 0028:Ret KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8 0028:Call KERNEL32.GetModuleHandleA(0074b104 "d3d8.dll") ret=0067cba8 0028:Ret KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8 0028:Call KERNEL32.GetModuleHandleA(0074b6c0 "d3d9.dll") ret=0067cba8 0028:Ret KERNEL32.GetModuleHandleA() retval=7ed60000 ret=0067cba8 0028:Call KERNEL32.GetProcAddress(7ed60000,0074b7b4 "Direct3DCreate9") ret=0066dc8a 0028:Ret KERNEL32.GetProcAddress() retval=7ed6962c ret=0066dc8a ... 0028:Call d3d9.Direct3DCreate9(00000020) ret=0066dc92 0028:trace:d3d9:Direct3DCreate9 sdk_version 0x20. ... 0028:trace:d3d:wined3d_init Initializing adapters. 0028:trace:d3d:wined3d_adapter_init adapter 0x13dc38, ordinal 0. ... 0028:Call user32.CreateWindowExA(00000000,7ed12203 "WineD3D_OpenGL",7ed121ef "WineD3D fake window",00cf0000,0000000a,0000000a,0000000a,0000000a,00000000,00000000,00000000,00000000) ret=7ec47d1b ... 0028:Call window proc 0x7ebff9e8 (hwnd=0x20064,msg=WM_CREATE,wp=00000000,lp=0033e710) 0028:Call user32.DefWindowProcA(00020064,00000001,00000000,0033e710) ret=7e885f2a 0028:Ret user32.DefWindowProcA() retval=00000000 ret=7e885f2a 0028:Ret window proc 0x7ebff9e8 (hwnd=0x20064,msg=WM_CREATE,wp=00000000,lp=0033e710) retval=00000000 0028:Call winex11.drv.CreateWindow(00020064) ret=7e877875 0028:Ret winex11.drv.CreateWindow() retval=00000001 ret=7e877875 0028:Call winevent hook proc 0x633310 (hhook=0x2006a,event=8000,hwnd=0x20064,object_id=0,child_id=0,tid=0028,time=b2fe56)

<recursion here>

0028:Call KERNEL32.GetModuleHandleA(0074ad90 "ddraw.dll") ret=0067cba8 0028:Ret KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8 0028:Call KERNEL32.GetModuleHandleA(0074ad90 "ddraw.dll") ret=0067cba8 0028:Ret KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8 0028:Call KERNEL32.GetModuleHandleA(0074b104 "d3d8.dll") ret=0067cba8 0028:Ret KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8 0028:Call KERNEL32.GetModuleHandleA(0074b6c0 "d3d9.dll") ret=0067cba8 0028:Ret KERNEL32.GetModuleHandleA() retval=7ed60000 ret=0067cba8 0028:Call KERNEL32.GetProcAddress(7ed60000,0074b7b4 "Direct3DCreate9") ret=0066dc8a 0028:Ret KERNEL32.GetProcAddress() retval=7ed6962c ret=0066dc8a 0028:Call d3d9.Direct3DCreate9(00000020) ret=0066dc92 ... --- snip ---

The game installs an event handler via SetWinEventHook() before doing any serious stuff. The handler is used to create further API hooks (via patching of API entries).

Wine creates a window object (fake D3D window, Wine-specific) during creation of IDirect3D9 object which triggers the event hook.

Source: http://source.winehq.org/git/wine.git/blob/6bf64f0ac278b826b526504d69f384dfc...

--- snip --- 1304 HWND WIN_CreateWindowEx( CREATESTRUCTW *cs, LPCWSTR className, HINSTANCE module, BOOL unicode ) 1305 { ... 1620 /* call the driver */ 1621 1622 if (!USER_Driver->pCreateWindow( hwnd )) goto failed; 1623 1624 NotifyWinEvent(EVENT_OBJECT_CREATE, hwnd, OBJID_WINDOW, 0); 1625 1626 /* send the size messages */ ... --- snip ---

This is something the hook code doesn't anticipate/handle well.

I disabled the propagation of window object creation during fake D3D window creation and it allowed the game successfully hook D3D9.

Trace log with fix applied:

--- snip --- ... 0028:Call KERNEL32.GetProcAddress(7ed60000,0074b7b4 "Direct3DCreate9") ret=0066dc8a 0028:Ret KERNEL32.GetProcAddress() retval=7ed6962c ret=0066dc8a 0028:Call d3d9.Direct3DCreate9(00000020) ret=0066dc92 ... 0028:Call wined3d.wined3d_create(00000009,00000004) ret=7ed7a717 ... 0028:trace:d3d:wined3d_init Initializing adapters. 0028:trace:d3d:wined3d_adapter_init adapter 0x13dc48, ordinal 0. ... 0028:trace:d3d:wined3d_adapter_init Allocated LUID 00000000:000003f4 for adapter 0x13dc48. 0028:trace:d3d:wined3d_caps_gl_ctx_create getting context... ... 0028:Call user32.CreateWindowExA(00000000,7ed12203 "WineD3D_OpenGL",7ed121ef "WineD3D fake window",00cf0000,0000000a,0000000a,0000000a,0000000a,00000000,00000000,00000000,00000000) ret=7ec47d1b .. 0028:Ret window proc 0x7ebff9e8 (hwnd=0x20064,msg=WM_CREATE,wp=00000000,lp=0033e600) retval=00000000 0028:Call winex11.drv.CreateWindow(00020064) ret=7e87787b 0028:Ret winex11.drv.CreateWindow() retval=00000001 ret=7e87787b 0028:Ret user32.CreateWindowExA() retval=00020064 ret=7ec47d1b ... 0028:Call gdi32.ChoosePixelFormat(000f002b,0033e6fc) ret=7ec47e41 0028:Call opengl32.wglChoosePixelFormat(000f002b,0033e6fc) ret=7ea35d4a ... 0028:Ret opengl32.wglChoosePixelFormat() retval=00000001 ret=7ea35d4a ... 0028:Call opengl32.wglCreateContext(000f002b) ret=7ec47ef1 ... 0028:Ret opengl32.wglCreateContext() retval=00010000 ret=7ec47ef1 0028:Call opengl32.wglMakeCurrent(000f002b,00010000) ret=00655da2 0028:Ret opengl32.wglMakeCurrent() retval=00000001 ret=00655da2 0028:Call KERNEL32.VirtualProtect(7eaf11cc,00000008,00000040,0033e678) ret=0069e4f7 0028:Ret KERNEL32.VirtualProtect() retval=00000001 ret=0069e4f7 0028:Call KERNEL32.IsBadWritePtr(7eaf11cc,00000005) ret=0069e507 0028:Ret KERNEL32.IsBadWritePtr() retval=00000000 ret=0069e507 0028:Call KERNEL32.VirtualProtect(7eaf11cc,00000008,00000020,0033e67c) ret=0069e52b 0028:Ret KERNEL32.VirtualProtect() retval=00000001 ret=0069e52b 0028:Call KERNEL32.FlushInstructionCache(ffffffff,7eaf11cc,00000005) ret=0069e541 0028:Ret KERNEL32.FlushInstructionCache() retval=00000001 ret=0069e541 ... --- snip ---

The game runs fine, albeit slow on my machine.

$ sha1sum thq_fsw_free.zip 780c485bb5097434c38d3d632d775ecd9b5d599a thq_fsw_free.zip

$ du -sh thq_fsw_free.zip 1.7G thq_fsw_free.zip

$ wine --version wine-1.7.11-115-gdb8dc30

Regards