https://bugs.winehq.org/show_bug.cgi?id=43567
Paul Gofman gofmanp@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |gofmanp@gmail.com
--- Comment #2 from Paul Gofman gofmanp@gmail.com --- Created attachment 63119 --> https://bugs.winehq.org/attachment.cgi?id=63119 Preserve ecx in GetTickCount
I tested this on demo version. The game goes for some obscure system call trickery at certain moment. Below are two fragments of relevant disassembly from winedbg with my comments starting with ';'.
-------- ; the following trickery in game.dll should effectively result into kernel32.GetTickCount() call
0x0060b8ca in game: xorl %edi,%edi 0x0060b8cc in game: movl $0x60b8e4,%ecx ; return address in ecx 0x0060b8d1 in game: movl $0x4,%eax 0x0060b8d6 in game: addl $12705608,%eax 0x0060b8db in game: movl 0x0(%eax),%eax 0x0060b8dd in game: subl $1480757628,%eax ; eax is 0x0040522c here 0x0060b8e2 in game: jmp *%eax ; ecx holds this address 0x0060b8e4 in game: movl %eax,0xfffffffc(%ebp) 0x0060b8e7 in game: movl 0xfffffffc(%ebp),%eax
....
; Here we get through 'jmp *%eax' above 0x0040522c in vietcong: pushl %edx 0x0040522d in vietcong: call *0x410110 -> 0x7b44b700 GetTickCount in kernel32 ; application expects ecx to stay unchanged 0x00405233 in vietcong: popl %edx 0x00405234 in vietcong: subl $0x17c34111,%edx 0x0040523a in vietcong: jnz 0x0040524e in vietcong 0x0040523c in vietcong: subl $0x7af7327,%esi 0x00405242 in vietcong: jnz 0x0040524e in vietcong 0x00405244 in vietcong: subl $0x3af4623f,%edi 0x0040524a in vietcong: jnz 0x0040524e in vietcong 0x0040524c in vietcong: xorl %eax,%eax 0x0040524e in vietcong: jmp *%ecx ; if ecx changed in GetTickCount, jumps to the garbage address --------------
So this works on Windows versions where GetTickCount does not change ecx, and fails otherwise. I have attached an ugly patch which fixes the crash during radio call (at least the first one in the beginning of the mission in demo which I used).