https://bugs.winehq.org/show_bug.cgi?id=48895
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|Installer                   |
            Summary|Mario Forever 5.0 installer |Multimedia Fusion (MMF)
                   |crashes on exit             |runtime 'stdrt.exe' crashes
                   |                            |on startup (Mario Forever
                   |                            |5.0)

--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
refining summary. It's not the installer but the Multimedia Fusion (MMF) based runtime/engine. I did a quick debug session while re-testing the issue.
One has to keep 'Launch game <foobar>' selected and then exit the installer. This starts the MMF runtime process.
One can reproduce the crash by executing the command line manually from the '%TEMP%' directory:
--- snip ---
$ wine "stdrt.exe" /SF "C:\Program Files (x86)\softendo.com\Mario Forever 5.0\Mario Forever 5.0.exe" /SO94208
...
02f0:trace:heap:RtlAllocateHeap (00110000,70000062,0000004c): returning 0014E2C0
02f0:trace:ole:ITypeInfo_fnReleaseTypeAttr (0017A210)->(0014E2C0)
02f0:trace:heap:RtlFreeHeap (00110000,70000062,0014E2C0): returning TRUE
02f0:trace:ieframe:WebBrowser_QueryInterface (001CF028)->(IID_IOleObject 0031FC7C)
02f0:trace:ieframe:WebBrowser_AddRef (001CF028) ref=4
02f0:trace:ieframe:OleObject_EnumVerbs (001CF028)->(0031FC78)
02f0:trace:heap:RtlAllocateHeap (00110000,70000062,0000000c): returning 0014EB28
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000080): returning 01927478
02f0:trace:ieframe:EnumOLEVERB_Next (0014EB28)->(1 0031FC90 0031FC88)
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000020): returning 01927508
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000010): returning 01927538
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000080): returning 01927558
02f0:trace:ieframe:EnumOLEVERB_Next (0014EB28)->(1 0031FC90 0031FC88)
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000020): returning 019275E8
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000010): returning 01927618
02f0:trace:ieframe:EnumOLEVERB_Next (0014EB28)->(1 0031FC90 0031FC88)
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000020): returning 01927638
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000010): returning 01927668
02f0:trace:ieframe:EnumOLEVERB_Next (0014EB28)->(1 0031FC90 0031FC88)
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000020): returning 01927688
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000010): returning 019276B8
02f0:trace:ieframe:EnumOLEVERB_Next (0014EB28)->(1 0031FC90 0031FC88)
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000020): returning 019276D8
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000010): returning 01927708
02f0:trace:ieframe:EnumOLEVERB_Next (0014EB28)->(1 0031FC90 0031FC88)
02f0:trace:heap:RtlFreeHeap (01910000,70000062,01927478): returning TRUE
02f0:trace:ieframe:EnumOLEVERB_Release (0014EB28) ref=0
02f0:trace:heap:RtlFreeHeap (00110000,70000062,0014EB28): returning TRUE
02f0:trace:ieframe:WebBrowser_Release (001CF028) ref=3
02f0:trace:ieframe:WebBrowser_Release (001CF028) ref=2
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000010): returning 01927728
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000080): returning 01927748
02f0:trace:heap:RtlFreeHeap (01910000,70000062,01927728): returning TRUE
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000010): returning 019277D8
...
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000010): returning 0192E4F8
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000010): returning 0192E518
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000080): returning 0192E538
02f0:trace:heap:RtlAllocateHeap (01910000,70000062,00000090): returning 0192E5C8
02f0:err:heap:HEAP_ValidateInUseArena Heap 01910000: block 0192E5C8 tail overwritten at 0192E658 (byte 0/8 == 0x20)
02f0:trace:heap:HEAP_Dump Heap: 01910000
02f0:trace:heap:HEAP_Dump Next: 01350000  Sub-heaps: 01910048
Free lists:
 Block    Stat   Size    Id
02f0:trace:heap:HEAP_Dump 019100B0 free 00000018 prev=0192E660 next=019100C0
02f0:trace:heap:HEAP_Dump 019100C0 free 00000020 prev=019100B0 next=019100D0
02f0:trace:heap:HEAP_Dump 019100D0 free 00000028 prev=019100C0 next=019100E0
02f0:trace:heap:HEAP_Dump 019100E0 free 00000030 prev=019100D0 next=019100F0
02f0:trace:heap:HEAP_Dump 019100F0 free 00000038 prev=019100E0 next=01910100
--- snip ---
After alloc(80), with data written to the block:
--- snip ---
01925718  00 00 00 00 00 00 00 00 80 00 00 00 55 53 45 00  ............USE.
01925728  50 46 30 10 90 46 30 10 D0 46 30 10 F0 46 30 10  PF0..F0.ÐF0.ðF0.
01925738  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925748  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925758  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925768  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925778  D0 41 30 10 D0 41 30 10 50 45 30 10 50 45 30 10  ÐA0.ÐA0.PE0.PE0.
01925788  50 45 30 10 50 45 30 10 50 45 30 10 00 00 00 00  PE0.PE0.PE0.....
01925798  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
019257A8  49 A8 0F 00 46 52 45 45 B8 00 91 01 C8 02 91 01  I¨..FREE¸...È...
019257B8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
019257C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
019257D8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
--- snip ---
After alloc(90), next free block is used:
--- snip ---
....
01925718  00 00 00 00 00 00 00 00 80 00 00 00 55 53 45 00  ............USE.
01925728  50 46 30 10 90 46 30 10 D0 46 30 10 F0 46 30 10  PF0..F0.ÐF0.ðF0.
01925738  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925748  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925758  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925768  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925778  D0 41 30 10 D0 41 30 10 50 45 30 10 50 45 30 10  ÐA0.ÐA0.PE0.PE0.
01925788  50 45 30 10 50 45 30 10 50 45 30 10 00 00 00 00  PE0.PE0.PE0.....
01925798  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
019257A8  90 00 00 00 55 53 45 00 B8 00 91 01 C8 02 91 01  ....USE.¸...È...
019257B8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
019257C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
019257D8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
019257E8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
019257F8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01925808  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01925818  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01925828  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01925838  00 00 00 00 00 00 00 00 B1 A7 0F 00 46 52 45 45  ........±§..FREE
01925848  B8 00 91 01 C8 02 91 01 00 00 00 00 00 00 00 00  ¸...È...........
01925858  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
--- snip ---
Data written past the block boundary:
(FREE magic overwritten)
--- snip ---
01925718  00 00 00 00 00 00 00 00 80 00 00 00 55 53 45 00  ............USE.
01925728  50 46 30 10 90 46 30 10 D0 46 30 10 F0 46 30 10  PF0..F0.ÐF0.ðF0.
01925738  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925748  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925758  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925768  D0 41 30 10 D0 41 30 10 D0 41 30 10 D0 41 30 10  ÐA0.ÐA0.ÐA0.ÐA0.
01925778  D0 41 30 10 D0 41 30 10 50 45 30 10 50 45 30 10  ÐA0.ÐA0.PE0.PE0.
01925788  50 45 30 10 50 45 30 10 50 45 30 10 00 00 00 00  PE0.PE0.PE0.....
01925798  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
019257A8  90 00 00 00 55 53 45 00 70 4B 30 10 90 4B 30 10  ....USE.pK0..K0.
019257B8  B0 4B 30 10 40 4C 30 10 B0 4D 30 10 90 4E 30 10  °K0.@L0.°M0..N0.
019257C8  C0 4E 30 10 20 4F 30 10 10 4F 30 10 30 4F 30 10  ÀN0. O0..O0.0O0.
019257D8  90 4F 30 10 C0 4F 30 10 20 47 30 10 20 47 30 10  .O0.ÀO0. G0. G0.
019257E8  20 47 30 10 20 47 30 10 20 47 30 10 20 47 30 10   G0. G0. G0. G0.
019257F8  20 47 30 10 20 47 30 10 20 47 30 10 20 47 30 10   G0. G0. G0. G0.
01925808  20 47 30 10 20 47 30 10 20 47 30 10 20 47 30 10   G0. G0. G0. G0.
01925818  20 47 30 10 20 47 30 10 20 47 30 10 20 47 30 10   G0. G0. G0. G0.
01925828  20 47 30 10 20 47 30 10 20 47 30 10 20 47 30 10   G0. G0. G0. G0.
01925838  20 47 30 10 20 47 30 10 20 47 30 10 20 47 30 10   G0. G0. G0. G0.
01925848  20 47 30 10 20 47 30 10 20 47 30 10 20 47 30 10   G0. G0. G0. G0.
01925858  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01925868  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
--- snip ---
Looks like a vtable pointing to functions within one dll (which are not exported). The last repeating entry 0x10304720 seems to be a default function/handler.
--- snip ---
019257A8  00000090  ....
019257AC  00455355  USE.
019257B0  10304B70  pK0.
019257B4  10304B90  .K0.
019257B8  10304BB0  °K0.
019257BC  10304C40  @L0.
019257C0  10304DB0  °M0.
019257C4  10304E90  .N0.
019257C8  10304EC0  ÀN0.
019257CC  10304F20   O0.
019257D0  10304F10  .O0.
019257D4  10304F30  0O0.
019257D8  10304F90  .O0.
019257DC  10304FC0  ÀO0.
019257E0  10304720   G0.
019257E4  10304720   G0.
019257E8  10304720   G0.
019257EC  10304720   G0.
019257F0  10304720   G0.
019257F4  10304720   G0.
019257F8  10304720   G0.
019257FC  10304720   G0.
01925800  10304720   G0.
01925804  10304720   G0.
01925808  10304720   G0.
0192580C  10304720   G0.
01925810  10304720   G0.
01925814  10304720   G0.
01925818  10304720   G0.
0192581C  10304720   G0.
01925820  10304720   G0.
01925824  10304720   G0.
01925828  10304720   G0.
0192582C  10304720   G0.
01925830  10304720   G0.
01925834  10304720   G0.
01925838  10304720   G0.
0192583C  10304720   G0.
01925840  10304720   G0.
01925844  10304720   G0.
01925848  10304720   G0.
0192584C  10304720   G0.
01925850  10304720   G0.
01925854  10304720   G0.
01925858  00000000  ....
--- snip ---

--- snip ---
10304B70 | mov eax,dword ptr ss:[esp+4]  |
10304B74 | or word ptr ds:[eax+7C],8000  |
10304B7A | add eax,4F3                   |
10304B7F | ret 8                         |
--- snip ---
alloc(60) -> ntdll HEAP_FindFreeBlock() takes next block out from free list: 0x01925840

--- snip ---
7BC22EF3 | call <ntdll.HEAP_FindFreeBlock> |
7BC22EF8 | add esp,4                       |
7BC22EFB | test eax,eax                    |
7BC22EFD | je ntdll.7BC22F62               |
7BC22EFF | mov edi,eax                     | 01925840
7BC22F01 | mov edx,eax                     |
7BC22F03 | mov eax,dword ptr ds:[eax+8]    | 10304720
7BC22F06 | mov ecx,dword ptr ds:[edi+C]    | 10304720
7BC22F09 | add edx,8                       |
7BC22F0C | mov dword ptr ss:[esp+8],edx    | 01925848
7BC22F10 | mov dword ptr ds:[eax+4],ecx    | *boom* -> writes into .text (rx)
--- snip ---
I didn't find the reason yet why the "default" function entries (vtable size) are duplicated past the heap block boundary.

--- snip ---
$ ls -la
total 1636
drwxrwxr-x.  2 focht focht   4096 Dec 14 19:10 .
drwxr-xr-x. 16 focht focht   4096 Dec 14 19:10 ..
-rw-rw-r--.  1 focht focht  69632 Apr  7  2020 CCTrans.dll
-rw-rw-r--.  1 focht focht  45056 Apr  7  2020 ctrlx.mfx
-rw-rw-r--.  1 focht focht  36864 Apr  7  2020 joystick.mfx
-rw-rw-r--.  1 focht focht 294912 Apr  7  2020 KcActiveX.mfx
-rw-rw-r--.  1 focht focht  36864 Apr  7  2020 kcclock.mfx
-rw-rw-r--.  1 focht focht   8704 Apr  7  2020 kcdirect.mfx
-rw-rw-r--.  1 focht focht  32768 Apr  7  2020 kcedit.mfx
-rw-rw-r--.  1 focht focht  36864 Apr  7  2020 kcfile.mfx
-rw-rw-r--.  1 focht focht  24576 Apr  7  2020 kcini.mfx
-rw-rw-r--.  1 focht focht  24576 Apr  7  2020 kcplugin.mfx
-rw-rw-r--.  1 focht focht  12288 Apr  7  2020 kcwctrl.mfx
-rw-rw-r--.  1 focht focht 307200 Apr  7  2020 mmfs2.dll
-rw-rw-r--.  1 focht focht 313344 Apr  7  2020 ModFusionEX.mfx
-rwxrwxr-x.  1 focht focht 372736 Apr  7  2020 stdrt.exe
-rw-rw-r--.  1 focht focht  36864 Apr  7  2020 timex.mfx
-rw-rw-r--.  1 focht focht   8192 Apr  7  2020 waveflt.sft
--- snip ---
Among others, 'KcActiveX.mfx' is loaded into 'stdrt' process (MMF engine runtime?). The ActiveX loads the 'WebBrowser' control, acting as control container itself. I didn't look much further yet but I saw IDispatch/typelib queries for browser methods, properties and events. Maybe the ax host gets something wrong with wrapping of interfaces.
ProtectionID scan for documentation:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> Z:\home\focht\Downloads\mrt6e38.tmp\stdrt.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 372736 (05B000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x4C172C3A -> Tue 15th Jun 2010 07:31:06 (GMT)
[TimeStamp] 0x4C172C3A -> Tue 15th Jun 2010 07:31:06 (GMT) | PE Header | - | Offset: 0x000000F8 | VA: 0x004000F8 | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000000000000000000000000 (0x00000000)
[Entrypoint Section Entropy] : 6.38 (section #0) ".text " | Size : 0x4A4C5 (304325) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 4 (0x4) | ImageSize 0x5B000 (372736) byte(s)
[VersionInfo] Company Name : Softendo (c) 2010 www.softendo.com
[VersionInfo] File Description : Softendo (c) 2010 www.softendo.com
[VersionInfo] File Version : 5.0
[VersionInfo] Legal Copyrights : Softendo (c) 2010 www.softendo.com
[ModuleReport] [IAT] Modules -> KERNEL32.dll | USER32.dll | GDI32.dll | comdlg32.dll | ADVAPI32.dll | SHELL32.dll | MMFS2.dll | COMCTL32.dll | WINMM.dll | MSVCRT.dll
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.402 Second(s) [000000192h (402) tick(s)] [506 of 580 scan(s) done]
...
Scanning -> Z:\home\focht\Downloads\mrt6e38.tmp\KcActiveX.mfx
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 294912 (048000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x4C172F3C -> Tue 15th Jun 2010 07:43:56 (GMT)
[TimeStamp] 0x4C172F3C -> Tue 15th Jun 2010 07:43:56 (GMT) | PE Header | - | Offset: 0x000000F8 | VA: 0x103000F8 | -
[TimeStamp] 0x4C172F3C -> Tue 15th Jun 2010 07:43:56 (GMT) | Export | - | Offset: 0x00037664 | VA: 0x10337664 | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000000000000010100000000 (0x00000500)
[Entrypoint Section Entropy] : 6.65 (section #0) ".text " | Size : 0x2BAA2 (178850) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 5 (0x5) | ImageSize 0x4B000 (307200) byte(s)
[Export] 47% of function(s) (47 of 98) are in file | 0 are forwarded | 47 code | 0 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : Clickteam
[VersionInfo] Product Name : ActiveX Object
[VersionInfo] Product Version : 3.0.228.0
[VersionInfo] File Description : ActiveX Object
[VersionInfo] File Version : 3.0.228.0
[VersionInfo] Original FileName : KCActiveX.mfx
[VersionInfo] Internal Name : KCActiveX
[VersionInfo] Version Comments : Code : David Scrève
[VersionInfo] Legal Copyrights : Copyright © 1996-2006 Clickteam
[ModuleReport] [IAT] Modules -> MMFS2.dll | KERNEL32.dll | USER32.dll | GDI32.dll | comdlg32.dll | WINSPOOL.DRV | ADVAPI32.dll | COMCTL32.dll | oledlg.dll | ole32.dll | OLEPRO32.DLL | OLEAUT32.dll | urlmon.dll | WSOCK32.dll
[CompilerDetect] -> Visual C++ 6.0
[CompilerDetect] -> Clickteam
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.503 Second(s) [0000001F7h (503) tick(s)] [246 of 580 scan(s) done]
--- snip ---
Multimedia Fusion (MMF)
https://en.wikipedia.org/wiki/Multimedia_Fusion
Multimedia Fusion is a gaming and animation engine similar to Flash.

$ wine --version
wine-6.0-rc2
Regards
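The corruption shown in the dumps above, modelled in C as an added illustration (this is neither Wine's nor Clickteam's code): it lays out the alloc(90) block and the following free arena as the dump shows them, fills vtable slots past the block the way the runtime does, runs the same tail check HEAP_ValidateInUseArena reports, and works out where list_remove() would then store. The requested size 0x88 (leaving the 8-byte tail), the 0xab filler and the in-memory heap image are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* 32-bit Wine heap arenas: size|flags, magic, then free-list links (next, prev). */
#define ARENA_INUSE_MAGIC 0x455355u   /* "USE\0" in the dumps */
#define ARENA_FREE_MAGIC  0x45455246u /* "FREE" */
#define ARENA_TAIL_FILLER 0xab        /* filler the tail check expects (assumed) */
#define BLOCK_SIZE     0x90u          /* granted size of the alloc(90) block */
#define BLOCK_USED     0x88u          /* assumed requested size: 8-byte tail */
#define VTABLE_DEFAULT 0x10304720u    /* repeating "default" entry from the dump */
static uint8_t heap[8 + BLOCK_SIZE + 32]; /* constructed: header, data, free arena, slack */

static void build_heap(void)
{
    uint32_t hdr[2] = { BLOCK_SIZE, ARENA_INUSE_MAGIC };
    uint32_t nxt[4] = { 0xFA7B1u, ARENA_FREE_MAGIC, 0x019100B8u, 0x019102C8u }; /* size|FREE, magic, next, prev */
    memset(heap, 0, sizeof heap);
    memcpy(heap, hdr, sizeof hdr);
    memset(heap + 8 + BLOCK_USED, ARENA_TAIL_FILLER, BLOCK_SIZE - BLOCK_USED);
    memcpy(heap + 8 + BLOCK_SIZE, nxt, sizeof nxt);
}

/* The runtime's bug, modelled: 'count' slots of the default handler from the block start, regardless of block size. */
static void write_vtable(uint8_t *data, unsigned count)
{
    uint32_t v = VTABLE_DEFAULT;
    for (unsigned i = 0; i < count; i++) memcpy(data + 4 * i, &v, sizeof v);
}

/* HEAP_ValidateInUseArena's tail check: index of the first non-filler tail byte, or -1 if intact. */
static int validate_inuse_tail(const uint8_t *data, uint32_t used, uint32_t size)
{
    for (uint32_t i = used; i < size; i++)
        if (data[i] != ARENA_TAIL_FILLER) return (int)(i - used);
    return -1;
}

/* Fresh heap, the app writes 'count' slots, then the validator runs. */
static int tail_check_after(unsigned count)
{
    build_heap();
    write_vtable(heap + 8, count);
    return validate_inuse_tail(heap + 8, BLOCK_USED, BLOCK_SIZE);
}

static uint32_t wild_write_target(const uint8_t *free_arena)
{   /* where list_remove() stores for this arena: next->prev, i.e. next + 4 */
    uint32_t next; memcpy(&next, free_arena + 8, sizeof next);
    return next + 4;
}
```

With 0x22 slots (exactly 0x88 bytes) the tail survives; with the 0x2A slots seen in the dump the first tail byte becomes 0x20 (the low byte of 0x10304720), matching "byte 0/8 == 0x20", and the free arena's next link now points into KcActiveX.mfx code.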