https://bugs.winehq.org/show_bug.cgi?id=34457
Anastasius Focht focht@gmx.net changed:
            What    |Removed                     |Added
----------------------------------------------------------------------------
        Keywords    |                            |obfuscation
          Status    |UNCONFIRMED                 |RESOLVED
       Component    |-unknown                    |kernel32
      Resolution    |---                         |INVALID
         Summary    |Proteus 8 Professional does |Proteus 8 Professional crashes in
                    |not run                     |process PE entry point (non-legit
                    |                            |patch makes assumptions about
                    |                            |entry point register layout)
--- Comment #9 from Anastasius Focht focht@gmx.net --- Hello folks,
OP's backtrace is a crash directly in main executable entry point.
In short: it's a version which was modified in non-legit ways, containing some brain-damaged code.
The original vendor executables from 8.0 and 8.0 SP1 work.
--- snip ---
...
Unhandled exception: page fault on write access to 0x00400201 in 32-bit code (0x00531b62).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:00531b62 ESP:0033fe40 EBP:0033fe78 EFLAGS:00210212(  R- --  I   -A- - )
 EAX:00000000 EBX:00000040 ECX:00000201 EDX:00400000
 ESI:7ffdf000 EDI:00531b27
Stack dump:
0x0033fe40:  00531b27 7ffdf000 0033fe78 0033fe60
0x0033fe50:  7b8b4ff4 00400000 0033fef0 00000000
0x0033fe60:  00200216 7b85f22c 7ffdf000 7bc5076a
0x0033fe70:  7b8b4ff4 7ffdf000 0033feb8 7b8604ab
0x0033fe80:  7ffdf000 00531b27 00000000 00000000
0x0033fe90:  00000000 00000000 00000000 00000000
Backtrace:
=>0 0x00531b62 in pds (+0x131b62) (0x0033fe78)
  1 0x7b8604ab in kernel32 (+0x504aa) (0x0033feb8)
  2 0x7bc791c0 call_thread_func_wrapper+0xb() in ntdll (0x0033fed8)
  3 0x7bc7c1cd call_thread_func+0x7c() in ntdll (0x0033ffa8)
  4 0x7bc7919e RtlRaiseException+0x21() in ntdll (0x0033ffc8)
  5 0x7bc4e45e call_dll_entry_point+0x33d() in ntdll (0x0033ffe8)
  6 0xf758376d wine_call_on_stack+0x1c() in libwine.so.1 (0x00000000)
  7 0xf758382b wine_switch_to_stack+0x2a() in libwine.so.1 (0xffac0d18)
  8 0x7bc542c0 LdrInitializeThunk+0x3af() in ntdll (0xffac0d88)
  9 0x7b866a82 __wine_kernel_init+0xa21() in kernel32 (0xffac1f38)
  10 0x7bc54a7b __wine_process_init+0x25a() in ntdll (0xffac1fc8)
  11 0xf7580ccc wine_init+0x2db() in libwine.so.1 (0xffac2038)
  12 0x7bf00f43 main+0xf2() in <wine-loader> (0xffac2488)
  13 0xf739d935 __libc_start_main+0xf4() in libc.so.6 (0x00000000)
0x00531b62: movb %bl,0x0(%ecx,%edx,1)
Modules:
Module   Address           Debug info   Name (124 modules)
PE         340000-  36d000  Deferred     wincore
PE         370000-  3c4000  Deferred     windialog
PE         3d0000-  3e0000  Deferred     xlib
PE         3e0000-  3fa000  Deferred     zlib
PE         400000-  533d6a  Export       pds
PE         540000-  848000  Deferred     libmmd
PE         850000-  8e9000  Deferred     appframe
PE         8f0000-  945000  Deferred     vgdvc
PE         950000-  966000  Deferred     internet
PE         970000-  990000  Deferred     licence
PE         990000-  9d5000  Deferred     ssleay32
PE         9e0000-  b03000  Deferred     libeay32
PE         b10000-  b44000  Deferred     netlist
PE       10000000-10093000  Deferred     lxlcore
PE       61000000-61053000  Deferred     qtxml4
PE       64000000-640f3000  Deferred     qtnetwork4
PE       65000000-657e3000  Deferred     qtgui4
PE       67000000-6727d000  Deferred     qtcore4
PE       78480000-7850e000  Deferred     msvcp90
PE       78520000-785c3000  Deferred     msvcr90
...
Threads:
process  tid      prio (all id:s are in hex)
...
0000003b (D) C:\Program Files (x86)\Labcenter Electronics\Proteus 8 Professional\BIN\PDS.EXE
	0000003c    0 <==
--- snip ---
The entry point is located in '.reloc' section. The appended imports section '.Silvana' is probably from the guy who did it.
--- snip ---
->Section Header Table
...
5. item:
    Name:                  .reloc
    VirtualSize:           0x00006D6A
    VirtualAddress:        0x0012C000
    SizeOfRawData:         0x00006E00
    PointerToRawData:      0x00125400
    PointerToRelocations:  0x00000000
    PointerToLinenumbers:  0x00000000
    NumberOfRelocations:   0x0000
    NumberOfLinenumbers:   0x0000
    Characteristics:       0xE2000040 (INITIALIZED_DATA, DISCARDABLE, EXECUTE, READ, WRITE)

6. item:
    Name:                  .Silvana
    VirtualSize:           0x00001000
    VirtualAddress:        0x00133000
    SizeOfRawData:         0x000001E2
    PointerToRawData:      0x0012C200
    PointerToRelocations:  0x00000000
    PointerToLinenumbers:  0x00000000
    NumberOfRelocations:   0x0000
    NumberOfLinenumbers:   0x0000
    Characteristics:       0xC0000040 (INITIALIZED_DATA, READ, WRITE)
--- snip ---
Entry point:
--- snip ---
00531B27  9C              PUSHFD
00531B28  60              PUSHAD
00531B29  B9 72030000     MOV ECX,372
00531B2E  90              NOP
00531B2F  66:833C11 53    CMP WORD PTR DS:[EDX+ECX],53
00531B34  90              NOP
00531B35  74 1D           JE SHORT 00531B54
00531B37  83E9 01         SUB ECX,1
00531B3A  83F9 00         CMP ECX,0
00531B3D  74 61           JE SHORT 00531BA0
00531B3F  90              NOP
00531B40  EB ED           JMP SHORT 00531B2F
--- snip ---
From a technical perspective this bug falls into the same category as bug 24374.
Both make assumptions about the way Windows OS loader prepares the entry point stack and register context.
I could certainly explain the problem here but since this code is not part of a *legit* protection scheme no gold for you.
$ wine --version
wine-1.7.26-44-gb10b391
Regards
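The triage above rests on two checks a practitioner would want to repeat on their own binary: which section the PE entry point falls into, and whether the section flags look like something a linker would emit. The script below is an added example, not part of the bug report and not Wine's or Labcenter's code. It builds a minimal PE32 header in memory from the values quoted in the comment (the .reloc and .Silvana headers, image base 0x00400000, entry point 0x00531B27, i.e. RVA 0x131B27) and then audits it. The first four sections (.text, .rdata, .data, .rsrc) and their sizes are assumptions filled in only so the table is complete; the `locate()` helper is also used to show that the faulting write address 0x00400201 from the crash dump resolves to the PE header rather than to any section.

```python
"""Added example: locate the PE entry point's section and flag odd section
characteristics. Sample image is constructed; sections 1-4 are assumed."""
import struct

SCN_FLAGS = {                      # IMAGE_SCN_* bits used by the audit
    0x00000020: "CODE",
    0x00000040: "INITIALIZED_DATA",
    0x02000000: "DISCARDABLE",
    0x20000000: "EXECUTE",
    0x40000000: "READ",
    0x80000000: "WRITE",
}
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".bss", ".tls", ".pdata"}

def build_image(image_base, entry_rva, sections):
    """Build a minimal PE32 header blob: DOS stub, PE signature, COFF header,
    optional header and section table. Only fields the parser reads are set."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x10E)
    opt = bytearray(0xE0)                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base) # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)      # FileAlignment
    table = b""
    for name, vsize, va, rawsize, rawptr, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def parse(blob):
    """Parse the headers back out of a PE32 blob (raw struct parsing, no pefile)."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                     "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": secs}

def flags(chars):
    return {n for bit, n in SCN_FLAGS.items() if chars & bit}

def section_for_rva(pe, rva):
    """Section whose mapped range covers rva, or None (header region / unmapped)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def locate(pe, va):
    """Map a virtual address (e.g. a faulting address) to a section name,
    'header' for the region before the first section, or None if outside the image."""
    rva = va - pe["image_base"]
    if rva < 0:
        return None
    s = section_for_rva(pe, rva)
    if s:
        return s["name"]
    return "header" if rva < min(x["va"] for x in pe["sections"]) else None

def audit(pe):
    """Return (code, detail) findings for the entry point and section flags."""
    out = []
    entry = pe["entry_rva"]
    sec = section_for_rva(pe, entry)
    if sec is None:
        out.append(("ENTRY_OUTSIDE_SECTIONS", "%#x maps to no section" % entry))
    elif "CODE" not in flags(sec["chars"]) or sec["name"] in (".reloc", ".rsrc"):
        out.append(("ENTRY_NOT_IN_CODE", "%#x in %s (%s)" % (
            entry, sec["name"], "|".join(sorted(flags(sec["chars"]))))))
    for s in pe["sections"]:
        f = flags(s["chars"])
        if {"EXECUTE", "WRITE"} <= f:
            out.append(("WRITABLE_EXECUTABLE", s["name"]))
        if {"EXECUTE", "DISCARDABLE"} <= f:   # loader may discard; code here is odd
            out.append(("DISCARDABLE_EXECUTABLE", s["name"]))
        if s["name"] not in STANDARD_NAMES:
            out.append(("NONSTANDARD_NAME", s["name"]))
    return out

# Constructed sample: sections 1-4 assumed, 5-6 and the entry point from the report.
SAMPLE = build_image(0x00400000, 0x00531B27 - 0x00400000, [
    (".text",    0xF0000, 0x001000, 0xF0000, 0x000400, 0x60000020),
    (".rdata",   0x20000, 0x0F1000, 0x20000, 0x0F0400, 0x40000040),
    (".data",    0x10000, 0x111000, 0x10000, 0x110400, 0xC0000040),
    (".rsrc",    0x0B000, 0x121000, 0x0B000, 0x120400, 0x40000040),
    (".reloc",   0x06D6A, 0x12C000, 0x06E00, 0x125400, 0xE2000040),
    (".Silvana", 0x01000, 0x133000, 0x001E2, 0x12C200, 0xC0000040),
])
PE = parse(SAMPLE)

if __name__ == "__main__":
    print("entry point in:", locate(PE, 0x00531B27))
    print("fault address 0x00400201 in:", locate(PE, 0x00400201))
    for code, detail in audit(PE):
        print(code, detail)
```

On the constructed image the audit reports the entry point sitting in .reloc (a data section with no CODE bit), .reloc being both writable and executable and marked DISCARDABLE, and the non-standard .Silvana name; the faulting address from the dump lands in the header, which is the kind of page a loader maps read-only. The same checks can be run on a real file by replacing `SAMPLE` with its bytes, since `parse()` only reads the headers.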