https://bugs.winehq.org/show_bug.cgi?id=47027
Anastasius Focht focht@gmx.net changed:
           What    |Removed                                  |Added
----------------------------------------------------------------------------
        Summary    |EA Origin client crashes on startup      |Wine built with GCC 8.x+ and -O2 causes
                   |(Origin IGO using madCodeHook 3.x engine |apps and games using madCodeHook
                   |can't cope with GOT/PIC register load    |3.x/4.x to crash (hook engine can't
                   |code within 15-byte range at API entry)  |cope with GOT/PIC code emitted within
                   |                                         |15-byte range at Win32 API
                   |                                         |entries)(EA Origin, HeidiSQL 10.x)
--- Comment #15 from Anastasius Focht focht@gmx.net ---

Hello folks,
refining summary again to capture not only (EA) games but many other commercial and FOSS apps that make use of madCodeHook 3.x and 4.x engine.
Additionally, the description is more suitable for news sites that make their own summaries out of Wine 4.8 release bug lists.
Found another victim here:
https://forum.winehq.org/viewtopic.php?f=8&t=32337 ("Wine 4.6 + HeidiSQL 10.1")
HeidiSQL Github project/bug tracker:
https://github.com/HeidiSQL/HeidiSQL/issues/630
Download:
https://www.heidisql.com/builds/heidisql32.r5547.exe
Internet Archive snapshot for reproduce:
https://web.archive.org/web/20190503072629/https://www.heidisql.com/builds/h...
There are multiple offenders with GOT/PIC loads that madCodeHook chokes on. One example:
user32.DrawEdge
--- snip ---
7E6C1250   E9 D54AC482         JMP 01305D2A                              ; to trampoline
7E6C1255   05 ABAD0600         ADD EAX,6ADAB                             ; continuation
7E6C125A   8D4C24 04           LEA ECX,DWORD PTR SS:[ESP+4]
7E6C125E   83E4 F0             AND ESP,FFFFFFF0
7E6C1261   FF71 FC             PUSH DWORD PTR DS:[ECX-4]
...
7E6C12D0   8B45 B0             MOV EAX,DWORD PTR SS:[EBP-50]
7E6C12D3   83E3 0F             AND EBX,0F
7E6C12D6   0FB68C18 6879FCF>   MOVZX ECX,BYTE PTR DS:[EAX+EBX+FFFC7968]  ; *boom*
7E6C12DE   0FB68418 7879FCF>   MOVZX EAX,BYTE PTR DS:[EAX+EBX+FFFC7978]
...
--- snip ---
Trampoline:
--- snip ---
01305D2A   90                  NOP
01305D2B   FF25 0A5D3001       JMP DWORD PTR DS:[1305D0A]                ; heidisql.00A060E8
...
01346F4D   FF25 536F3401       JMP DWORD PTR DS:[1346F53]                ; 01346F4D
...
01305D31   FF25 0E5D3001       JMP DWORD PTR DS:[1305D0E]                ; 02750000
...
02750000   E8 1C2AEF7B         CALL user32.__x86.get_pc_thunk.ax
02750005   FF25 0B007502       JMP DWORD PTR DS:[275000B]                ; cont user32.7E6C1255
...
--- snip ---
App hook:
--- snip ---
...
00A060E8   55                  PUSH EBP
00A060E9   8BEC                MOV EBP,ESP
00A060EB   51                  PUSH ECX
00A060EC   53                  PUSH EBX
00A060ED   56                  PUSH ESI
00A060EE   57                  PUSH EDI
00A060EF   8B5D 10             MOV EBX,DWORD PTR SS:[EBP+10]
00A060F2   8B75 0C             MOV ESI,DWORD PTR SS:[EBP+C]
00A060F5   E8 7E30C6FF         CALL heidisql.00669178
...
00A06176   8B45 08             MOV EAX,DWORD PTR SS:[EBP+8]
00A06179   50                  PUSH EAX
00A0617A   E8 2D28A1FF         CALL heidisql.004189AC                    ; OFFSET gdi32.RestoreDC
00A0617F   C3                  RETN
...
00A06192   8B45 08             MOV EAX,DWORD PTR SS:[EBP+8]
00A06195   50                  PUSH EAX
00A06196   FF15 5814AE00       CALL DWORD PTR DS:[AE1458]                ; 01346F4D org prologue
00A0619C   5F                  POP EDI
00A0619D   5E                  POP ESI
00A0619E   5B                  POP EBX
00A0619F   59                  POP ECX
00A061A0   5D                  POP EBP
00A061A1   C2 1000             RETN 10
--- snip ---
$ sha1sum heidisql32.r5547.exe
c4b0b0e803c38fa58b6bf7d99e40cf57c9e1ede4  heidisql32.r5547.exe

$ du -sh heidisql32.r5547.exe
7.9M    heidisql32.r5547.exe
Regards
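To make the failure mode in the comment above concrete, the following is an added Python model of the displaced prologue; it is not code from the bug report, from madCodeHook or from Wine. It uses the addresses from the DrawEdge and trampoline disassembly, assumes that `__x86.get_pc_thunk.ax` is the usual `mov eax,[esp]; ret` (so its only effect is EAX = return address), derives the thunk address from the `E8 1C2AEF7B` bytes at 02750000, and models only the 5-byte CALL being moved into the trampoline while the `ADD EAX,6ADAB` continuation still runs in place at 7E6C1255. It computes the GOT base three ways: unhooked, with the displacement-only relocation the hook engine performs, and with a PIC-aware relocation that materializes the original return address instead of re-issuing the CALL.

```python
import struct

# Added illustration, not madCodeHook's or Wine's code. Addresses are taken
# from the DrawEdge/trampoline disassembly in the bug comment.
ORIG_ENTRY = 0x7E6C1250   # user32.DrawEdge; its first 5 bytes receive the hook JMP
TRAMP      = 0x02750000   # trampoline that receives the displaced CALL
PC_THUNK   = 0x7E642A21   # user32.__x86.get_pc_thunk.ax (assumed: 02750005 + 7BEF2A1C)
GOT_OFFSET = 0x6ADAB      # imm32 of "ADD EAX,6ADAB" at 7E6C1255
MASK32     = 0xFFFFFFFF


def encode_call(src, dst):
    """E8 rel32; the displacement is relative to the end of the 5-byte instruction."""
    return b'\xe8' + struct.pack('<i', dst - (src + 5))


def encode_mov_eax(imm):
    """B8 imm32 (MOV EAX,imm32): same length as the CALL it replaces."""
    return b'\xb8' + struct.pack('<I', imm)


def encode_add_eax(imm):
    """05 imm32 (ADD EAX,imm32)."""
    return b'\x05' + struct.pack('<I', imm)


# Constructed copy of how GCC 8 -O2 starts DrawEdge:
#   CALL __x86.get_pc_thunk.ax ; ADD EAX,GOT_OFFSET
PROLOGUE = encode_call(ORIG_ENTRY, PC_THUNK) + encode_add_eax(GOT_OFFSET)


def relocate(code, src, dst, pic_aware):
    """Move the 5-byte instructions in `code` from src to dst.
    Only the three instruction forms used here are understood."""
    out = b''
    for off in range(0, len(code), 5):
        op, imm = code[off], code[off + 1:off + 5]
        if op == 0xE8:
            target = (src + off + 5 + struct.unpack('<i', imm)[0]) & MASK32
            if pic_aware and target == PC_THUNK:
                # The thunk only returns its return address in EAX, so emit the
                # value the ORIGINAL call site would have produced.
                out += encode_mov_eax(src + off + 5)
            else:
                # Displacement-only fix-up: the CALL still reaches the thunk,
                # but the thunk now hands back a trampoline address.
                out += encode_call(dst + off, target)
        else:
            out += code[off:off + 5]
    return out


def run(chunks):
    """Minimal emulator for CALL get_pc_thunk.ax, MOV EAX,imm32 and ADD EAX,imm32.
    `chunks` is a list of (address, bytes) executed in order, which models the
    hook flow: displaced bytes in the trampoline, then the continuation in user32."""
    eax = None
    for addr, code in chunks:
        for off in range(0, len(code), 5):
            pc, op, imm = addr + off, code[off], code[off + 1:off + 5]
            if op == 0xE8:                                   # CALL rel32
                target = (pc + 5 + struct.unpack('<i', imm)[0]) & MASK32
                if target != PC_THUNK:
                    raise ValueError('only calls to __x86.get_pc_thunk.ax are modelled')
                eax = pc + 5                                 # MOV EAX,[ESP]; RET
            elif op == 0xB8:                                 # MOV EAX,imm32
                eax = struct.unpack('<I', imm)[0]
            elif op == 0x05:                                 # ADD EAX,imm32
                eax = (eax + struct.unpack('<I', imm)[0]) & MASK32
            else:
                raise ValueError('unexpected opcode %#x' % op)
    return eax


def got_base_unhooked():
    """No hook: the whole prologue runs at its original address."""
    return run([(ORIG_ENTRY, PROLOGUE)])


def got_base_naive_reloc():
    """Hooked, CALL displaced with rel32 fix-up only (what the bug describes)."""
    moved = relocate(PROLOGUE[:5], ORIG_ENTRY, TRAMP, pic_aware=False)
    return run([(TRAMP, moved), (ORIG_ENTRY + 5, PROLOGUE[5:])])


def got_base_fixed_reloc():
    """Hooked, CALL replaced by MOV EAX,<original return address>."""
    moved = relocate(PROLOGUE[:5], ORIG_ENTRY, TRAMP, pic_aware=True)
    return run([(TRAMP, moved), (ORIG_ENTRY + 5, PROLOGUE[5:])])


if __name__ == '__main__':
    for name, fn in (('unhooked', got_base_unhooked),
                     ('naive relocation', got_base_naive_reloc),
                     ('PIC-aware relocation', got_base_fixed_reloc)):
        print('%-22s GOT base = %#010x' % (name, fn()))
```

The naive path yields 0x02750005 + 0x6ADAB = 0x027BADB0 instead of 0x7E72C000, which is why the later `MOVZX ECX,BYTE PTR DS:[EAX+EBX+FFFC7968]` dereferences garbage. The `MOV EAX,imm32` substitution works here because the thunk's only side effect is the return address in a known register; a production hook engine would additionally have to recognise the other `get_pc_thunk.*` registers and any other PC-relative forms in the copied window, which this model does not attempt.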