http://bugs.winehq.org/show_bug.cgi?id=27680
Anastasius Focht focht@gmx.net changed:
What                |Removed      |Added
----------------------------------------------------------------------------
Keywords            |             |download
Status              |UNCONFIRMED  |NEW
URL                 |             |http://dl.dropbox.com/u/46137118/Aion-2.7-GameForge-20-01-2012.zip
CC                  |             |focht@gmx.net
Component           |-unknown     |ntdll
Ever Confirmed      |0            |1

--- Comment #2 from Anastasius Focht focht@gmx.net 2012-04-01 15:09:21 CDT ---

Hello,
confirming, it's still happening within NtQueryInformationProcess().
Old backtrace from bug reporter, wine-1.3.23:
--- snip ---
=>0 0x00007f22cfe66379 NtQueryInformationProcess+0x59(ProcessHandle=0xffffffffffffffff, ProcessInformationClass=ProcessDebugObjectHandle, ProcessInformation=0x23fcf0, ProcessInformationLength=0x8, ReturnLength=0x0(nil)) [/home/****/wine64/dlls/ntdll/../../../wine-git/dlls/ntdll/process.c:112] in ntdll (0x000000000023f4c0)
  1 0x000000000058e09e in aion.bin (+0x18e09d) (0x000000000023f4c0)
  2 0x000000000058e09e in aion.bin (+0x18e09d) (0x000000000023f4c0)
  3 0x00007f22cfe10000 _init+0x5e7() in ntdll<elf> (0x000000000023f4c0)
0x00007f22cfe66379 NtQueryInformationProcess+0x59 [/home/*****/wine64/dlls/ntdll/../../../wine-git/dlls/ntdll/process.c:112] in ntdll: movq %mm4,%mm6
--- snip ---
It got worse now ... the unwinding goes into recursion, no backtrace.
--- snip ---
0026:Starting process L"Z:\home\focht\Downloads\bin64\aion.bin" (entryproc=0x54cd41)
0026:Call KERNEL32.LoadLibraryA(0022fc20 "kernel32.dll") ret=00590e14
0026:Ret  KERNEL32.LoadLibraryA() retval=7b820000 ret=00590e14
0026:Call KERNEL32.LoadLibraryA(0022fc24 "ntdll.dll") ret=00590e14
0026:Ret  KERNEL32.LoadLibraryA() retval=7fbe1aa50000 ret=00590e14
0026:Call KERNEL32.IsDebuggerPresent() ret=00590e14
0026:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=00590e14
0026:Call KERNEL32.CheckRemoteDebuggerPresent(ffffffffffffffff,0022fc30) ret=00590e14
0026:Ret  KERNEL32.CheckRemoteDebuggerPresent() retval=00000001 ret=00590e14
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7fbe1aaa7e39 ip=7fbe1aaa7e39 tid=0026
0026:trace:seh:raise_exception  rax=00007fbe1aa5ab30 rbx=000000001a065f83 rcx=00007fbe1ad20d20 rdx=0000000000050347
0026:trace:seh:raise_exception  rsi=00000000005116d8 rdi=000000000022f290 rbp=000000000022f228 rsp=000000000022f0f8
0026:trace:seh:raise_exception   r8=000000000022f260  r9=0000000000000008 r10=0000000000000008 r11=000000399ab7c680
0026:trace:seh:raise_exception  r12=000000000058ffe7 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000
0026:trace:seh:dwarf_virtual_unwind function 7fbe1aaa7e39 base 0x7fbe1aaa7e27 cie 0x7fbe1aafeaa8 len 14 id 0 version 1 aug 'zR' code_align 1 data_align -8 retaddr %rip
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e27: DW_CFA_def_cfa %rsp, 8
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e27: DW_CFA_offset %rip, -8
0026:trace:seh:dwarf_virtual_unwind fde 0x7fbe1ab0d618 len 54 personality (nil) lsda (nil) code 7fbe1aaa7e27-7fbe1aaa823a
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e27: DW_CFA_advance_loc 1
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e28: DW_CFA_def_cfa_offset 16
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e28: DW_CFA_offset %rbp, -16
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e28: DW_CFA_advance_loc 3
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e2b: DW_CFA_def_cfa_register %rbp
0026:trace:seh:execute_cfa_instructions 7fbe1aaa7e2b: DW_CFA_advance_loc 19
...
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7fbe1aabffd1 ip=7fbe1aabffd1 tid=0026
0026:trace:seh:raise_exception  rax=e9e1c4e0e8fffef4 rbx=000000007b878618 rcx=0000000000000006 rdx=fffffffffffcafd1
0026:trace:seh:raise_exception  rsi=0000000000000006 rdi=0000000000134140 rbp=0000000000134120 rsp=0000000000134120
0026:trace:seh:raise_exception   r8=00007fbe1ad34cb7  r9=0000000000000018 r10=00000000ffff8000 r11=000000399ab7c680
0026:trace:seh:raise_exception  r12=000000007b8b6b19 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000
0026:err:seh:setup_exception stack overflow 2992 bytes in thread 0026 eip 00007fbe1aac1263 esp 0000000000130a50 stack 0x130000-0x132000-0x230000
--- snip ---
The app code is heavily obfuscated and has some anti-debugging checks after entry.
After bypassing two anti-debugging checks a third one is done: NtQueryInformationProcess for ProcessDebugObjectHandle.
--- snip ---
Wine-dbg>info regs
Register dump:
 rip:0000000000590e12 rsp:000000000023f268 rbp:000000000023f400 eflags:00000202 (  - --  I   - - - )
 rax:00007f6cea80ac00 rbx:000000001a065f83 rcx:ffffffffffffffff rdx:000000000000001e
 rsi:00000000005116d8 rdi:000000000023f290  r8:000000000023fc30  r9:0000000000000008 r10:0000000000000008
 r11:0000000000000246 r12:000000000058ffe7 r13:0000000000000000 r14:0000000000000000 r15:0000000000000000

Wine-dbg>x/10x 0x00007f6cea80ac00
0x00007f6cea80ac00 NtQueryInformationProcess:      e5894855 48535657 07c8ec81 290f0000
0x00007f6cea80ac10 NtQueryInformationProcess+0x10: ffff40b5 bd290fff ffffff50 85290f44
0x00007f6cea80ac20 NtQueryInformationProcess+0x20: ffffff60 8d290f44
--- snip ---
The registers RCX, RDX, R8, R9 are used for integer and pointer arguments (in that order, left to right):

0xffffffffffffffff, 0x000000000000001e, 0x000000000023fc30, 0x0000000000000008

Additional arguments are pushed onto the stack (right to left).

Stepping through the code is flying blind in some locations, as winedbg can't disassemble some instructions (after "sub $0x7c8,%rsp", for example). You need an objdump disassembly side-by-side.
--- snip ---
Wine-dbg>si
NtQueryInformationProcess () at /home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112
0x00007fc857e66c00 NtQueryInformationProcess [/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: pushq %rbp
112 {
Wine-dbg>si
0x00007fc857e66c01 NtQueryInformationProcess+0x1 [/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: movq %rsp,%rbp
112 {
Wine-dbg>
0x00007fc857e66c04 NtQueryInformationProcess+0x4 [/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: pushq %rdi
112 {
Wine-dbg>
0x00007fc857e66c05 NtQueryInformationProcess+0x5 [/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: pushq %rsi
112 {
Wine-dbg>
0x00007fc857e66c06 NtQueryInformationProcess+0x6 [/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: pushq %rbx
112 {
Wine-dbg>
0x00007fc857e66c07 NtQueryInformationProcess+0x7 [/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll: subq $0x7c8,%rsp
112 {
Wine-dbg>si
0x00007fc857e66c0e NtQueryInformationProcess+0xe [/home/focht/projects/wine/wine-git/dlls/ntdll/process.c:112] in ntdll:
112 {
Wine-dbg>info reg
Register dump:
 rip:00007fc857e66c0e rsp:000000000023ea78 rbp:000000000023f258 eflags:00000316 (  - --  IT -A-P- )
 rax:00007fc857e66c00 rbx:000000001a065f83 rcx:ffffffffffffffff rdx:000000000000001e
 rsi:00000000005116d8 rdi:000000000023f290  r8:000000000023fc30  r9:0000000000000008 r10:0000000000000008
 r11:0000000000000246 r12:000000000058ffe7 r13:0000000000000000 r14:0000000000000000 r15:0000000000000000
Wine-dbg>si
err:seh:setup_exception stack overflow 4656 bytes in thread 002c eip 00007fc857e87263 esp 00000000001403d0 stack 0x140000-0x142000-0x240000
Process of pid=002b has terminated
--- snip ---
Running objdump gives:
--- snip ---
000000007bc73c00 <NtQueryInformationProcess>:
7bc73c00: 55                      push   %rbp
7bc73c01: 48 89 e5                mov    %rsp,%rbp
7bc73c04: 57                      push   %rdi
7bc73c05: 56                      push   %rsi
7bc73c06: 53                      push   %rbx
7bc73c07: 48 81 ec c8 07 00 00    sub    $0x7c8,%rsp
7bc73c0e: 0f 29 b5 40 ff ff ff    movaps %xmm6,-0xc0(%rbp)
7bc73c15: 0f 29 bd 50 ff ff ff    movaps %xmm7,-0xb0(%rbp)
7bc73c1c: 44 0f 29 85 60 ff ff    movaps %xmm8,-0xa0(%rbp)
7bc73c23: ff
7bc73c24: 44 0f 29 8d 70 ff ff    movaps %xmm9,-0x90(%rbp)
7bc73c2b: ff
7bc73c2c: 44 0f 29 55 80          movaps %xmm10,-0x80(%rbp)
7bc73c31: 44 0f 29 5d 90          movaps %xmm11,-0x70(%rbp)
7bc73c36: 44 0f 29 65 a0          movaps %xmm12,-0x60(%rbp)
7bc73c3b: 44 0f 29 6d b0          movaps %xmm13,-0x50(%rbp)
7bc73c40: 44 0f 29 75 c0          movaps %xmm14,-0x40(%rbp)
7bc73c45: 44 0f 29 7d d0          movaps %xmm15,-0x30(%rbp)
7bc73c4a: 48 89 4d 10             mov    %rcx,0x10(%rbp)
7bc73c4e: 89 55 18                mov    %edx,0x18(%rbp)
7bc73c51: 4c 89 45 20             mov    %r8,0x20(%rbp)
7bc73c55: 44 89 4d 28             mov    %r9d,0x28(%rbp)
7bc73c59: c7 85 3c ff ff ff 00    movl   $0x0,-0xc4(%rbp)
7bc73c60: 00 00 00
7bc73c63: c7 85 38 ff ff ff 00    movl   $0x0,-0xc8(%rbp)
--- snip ---

Looking at the history of "signal_x86_64.c", there were some changes to the unwinding code on 64-bit.
http://source.winehq.org/git/wine.git/history/HEAD:/dlls/ntdll/signal_x86_64...
I found a download with the 64-bit part only - not the full client - which is sufficient to reproduce the bug (http://www.aionsource.com/topic/129292-instructions-for-the-64bit-client/)
Debugging notes:
b LoadLibraryA (hit two times)
...
b 0x0000000000590e12 (obfuscator API callout -> si+c until win64 API entries are seen)
Cheat IsDebuggerPresent() and CheckRemoteDebuggerPresent().
The next win64 API call will be NtQueryInformationProcess( ... ProcessDebugObjectHandle).
Regards
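As an added example (not part of the bug report and not Wine code): the comment reads the NtQueryInformationProcess() arguments off the winedbg "info regs" dump by hand, using the Win64 convention that the first four integer/pointer arguments travel in RCX, RDX, R8, R9 and the rest go on the stack. The Python below does that mapping mechanically and names the PROCESSINFOCLASS requested, so the same trick can be applied to any win64 API callout hit under winedbg. The sample dump is copied from the "info regs" output quoted above; the class constants are the documented winternl.h values (ProcessDebugObjectHandle = 0x1e, ProcessDebugPort = 7, ProcessDebugFlags = 0x1f); the helper names are my own.

```python
"""Decode a winedbg 'info regs' dump into Win64 API arguments.

Added example, not code from the bug report or from Wine.  It applies the
Microsoft x64 calling convention (RCX, RDX, R8, R9, then the stack) to the
register dump winedbg prints at the obfuscator's callout into
NtQueryInformationProcess() and names the PROCESSINFOCLASS requested.
Helper names are my own; the class constants are the winternl.h values.
"""
import re

# PROCESSINFOCLASS values commonly probed by anti-debugging code (winternl.h).
PROCESSINFOCLASS = {
    0x00: "ProcessBasicInformation",
    0x07: "ProcessDebugPort",
    0x1e: "ProcessDebugObjectHandle",
    0x1f: "ProcessDebugFlags",
}
ANTI_DEBUG_CLASSES = {0x07, 0x1e, 0x1f}

# NtQueryInformationProcess parameters in declaration order.  The first four
# travel in RCX, RDX, R8, R9; the fifth is on the stack (at callee entry it
# sits at [rsp+0x28], past the return address and the 32-byte shadow space),
# so it cannot be recovered from a register dump alone.
NTQIP_PARAMS = ("ProcessHandle", "ProcessInformationClass",
                "ProcessInformation", "ProcessInformationLength",
                "ReturnLength")
ARG_REGS = ("rcx", "rdx", "r8", "r9")

CURRENT_PROCESS = 0xFFFFFFFFFFFFFFFF   # GetCurrentProcess() pseudo-handle, (HANDLE)-1

# Copied from the 'info regs' output quoted in the bug comment.
SAMPLE_DUMP = """Register dump:
 rip:0000000000590e12 rsp:000000000023f268 rbp:000000000023f400 eflags:00000202 (  - --  I   - - - )
 rax:00007f6cea80ac00 rbx:000000001a065f83 rcx:ffffffffffffffff rdx:000000000000001e
 rsi:00000000005116d8 rdi:000000000023f290  r8:000000000023fc30  r9:0000000000000008 r10:0000000000000008
 r11:0000000000000246 r12:000000000058ffe7 r13:0000000000000000 r14:0000000000000000 r15:0000000000000000
"""

# 'name:16 hex digits' pairs; eflags is 8 digits and is deliberately skipped.
_REG_RE = re.compile(r"\b(r[a-z0-9]+):([0-9a-fA-F]{16})\b")


def parse_regs(dump):
    """Return {register: int} for every 'name:hex' pair in a winedbg dump."""
    return {name: int(val, 16) for name, val in _REG_RE.findall(dump)}


def decode_win64_args(regs, params=NTQIP_PARAMS):
    """Map the register-passed arguments onto parameter names; stack args -> None."""
    args = {name: regs[reg] for name, reg in zip(params, ARG_REGS)}
    for name in params[len(ARG_REGS):]:
        args[name] = None
    return args


def describe_ntqip_call(regs):
    """Interpret the arguments of an NtQueryInformationProcess() call."""
    args = decode_win64_args(regs)
    # Class and length are 32-bit parameters; the callee only spills edx/r9d
    # (see 'mov %edx,0x18(%rbp)' / 'mov %r9d,0x28(%rbp)' in the objdump above),
    # so mask off whatever the caller left in the upper halves.
    cls = args["ProcessInformationClass"] & 0xFFFFFFFF
    length = args["ProcessInformationLength"] & 0xFFFFFFFF
    handle = args["ProcessHandle"]
    return {
        "ProcessHandle": "current process (-1)" if handle == CURRENT_PROCESS else hex(handle),
        "ProcessInformationClass": PROCESSINFOCLASS.get(cls, "unknown (0x%x)" % cls),
        "ProcessInformation": hex(args["ProcessInformation"]),
        "ProcessInformationLength": length,
        "ReturnLength": args["ReturnLength"],
        "anti_debug_check": cls in ANTI_DEBUG_CLASSES,
    }


if __name__ == "__main__":
    for key, value in describe_ntqip_call(parse_regs(SAMPLE_DUMP)).items():
        print("%-25s %s" % (key, value))
```

Run on the quoted dump it reports the call as NtQueryInformationProcess(current process, ProcessDebugObjectHandle, 0x23fc30, 8, ?): the length 8 is sizeof(HANDLE) on win64 and matches the ProcessInformationLength=0x8 in the backtrace at the top of the comment, and rax in the same dump (0x00007f6cea80ac00) is the resolved address of NtQueryInformationProcess, i.e. the target of the obfuscator's indirect callout. Paste any other "info regs" dump taken at a win64 API entry into parse_regs() and swap NTQIP_PARAMS for that API's parameter list to decode it the same way.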