http://bugs.winehq.org/show_bug.cgi?id=30528
Anastasius Focht focht@gmx.net changed:
What           |Removed                      |Added
----------------------------------------------------------------------------
Keywords       |                             |download
Status         |UNCONFIRMED                  |NEW
URL            |                             |http://sourceforge.net/projects/tibiaauto/
CC             |                             |focht@gmx.net
Component      |-unknown                     |kernel32
Summary        |Tibia bot crashes when       |Tibia bot crashes when connecting to
               |connecting to tibia process. |tibia process (kernel32
               |K32EnumProcessModules+0x31() |K32EnumProcessModules() 'needed' out
               |in kernel32                  |parameter needs a check for NULL)
Ever Confirmed |0                            |1
--- Comment #10 from Anastasius Focht focht@gmx.net 2012-04-30 15:03:19 CDT ---
Hello,
confirming. It seems the app deliberately passes a NULL pointer as the "out" parameter to K32EnumProcessModules().
--- snip ---
Unhandled exception: page fault on write access to 0x00000000 in 32-bit code (0x7b857856).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7b857856 ESP:00320aa8 EBP:00320b20 EFLAGS:00010202(  R- --  I   - - - )
 EAX:00000000 EBX:00403ec0 ECX:00000000 EDX:0000009c
 ESI:00000000 EDI:00320cf6
Stack dump:
0x00320aa8:  00320abc 0000009c 00000000 0000009c
0x00320ab8:  00000000 0000009c 7bcda22c 00110750
0x00320ac8:  7bcda22c 00163b88 00111998 00110160
0x00320ad8:  00163b88 00000000 7dc00000 7dc340d4
0x00320ae8:  00110000 00000070 00111af0 00403ec0
0x00320af8:  00320b28 7ed50482 00110000 0000000a
Backtrace:
=>0 0x7b857856 K32EnumProcessModules+0x26(process=0x9c, lphModule=0x163b90, cb=0x6c, needed=0x0(nil)) [/home/focht/projects/wine/wine-git/dlls/kernel32/module.c:1178] in kernel32 (0x00320b20)
  1 0x006c7f51 in tibiaauto_util (+0x7f50) (0x00320ba8)
  2 0x006c7cc4 in tibiaauto_util (+0x7cc3) (0x00320bc4)
  3 0x006c805a in tibiaauto_util (+0x8059) (0x00320be0)
  4 0x006c3ff4 in tibiaauto_util (+0x3ff3) (0x00320c40)
  5 0x006d42c7 in tibiaauto_util (+0x142c6) (0x00320c4c)
...
0x7b857856 K32EnumProcessModules+0x26 [/home/focht/projects/wine/wine-git/dlls/kernel32/module.c:1178] in kernel32: movl $0x0,0x0(%eax)
1178        *needed = 0;
Modules:
Module   Address          Debug info  Name (95 modules)
PE         400000-  49d000  Export          tibiaauto
PE         6c0000-  717000  Export          tibiaauto_util
...
Threads:
process  tid      prio (all id:s are in hex)
00000008 (D) C:\Program Files\Tibia Auto\tibiaauto.exe
    00000009    0 <==
--- snip ---
Injector code (annotated):
--- snip ---
006C7F08  MOV DWORD PTR SS:[LOCAL.5],0
006C7F0F  LEA EDX,[LOCAL.5]
006C7F12  PUSH EDX                               ; arg4 => needed = offset [LOCAL.5]
006C7F13  PUSH 0                                 ; arg3 => cb = 0
006C7F15  PUSH 0                                 ; arg2 => lphModule = 0
006C7F17  MOV EAX,DWORD PTR SS:[LOCAL.2]
006C7F1A  PUSH EAX                               ; arg1 => process
006C7F1B  CALL <JMP.&PSAPI.EnumProcessModules>
006C7F20  MOV ECX,DWORD PTR SS:[LOCAL.5]
006C7F23  SHR ECX,2
006C7F26  MOV DWORD PTR SS:[LOCAL.5],ECX
006C7F29  PUSH 4                                 ; elementsize = 4
006C7F2B  MOV EDX,DWORD PTR SS:[LOCAL.5]
006C7F2E  PUSH EDX
006C7F2F  CALL DWORD PTR DS:[<&MSVCRT.calloc>]
006C7F35  ADD ESP,8
006C7F38  MOV DWORD PTR SS:[LOCAL.6],EAX
006C7F3B  PUSH 0                                 ; arg4 => needed = 0 (!)
006C7F3D  MOV EAX,DWORD PTR SS:[LOCAL.5]
006C7F40  SHL EAX,2
006C7F43  PUSH EAX                               ; arg3 => cb
006C7F44  MOV ECX,DWORD PTR SS:[LOCAL.6]
006C7F47  PUSH ECX                               ; arg2 => lphModule
006C7F48  MOV EDX,DWORD PTR SS:[LOCAL.2]
006C7F4B  PUSH EDX                               ; arg1 => process
006C7F4C  CALL <JMP.&PSAPI.EnumProcessModules>
006C7F51  MOV DWORD PTR SS:[LOCAL.4],0
--- snip ---
Source: http://source.winehq.org/git/wine.git/blob/d08f34cd8ecd883a0f0c6bd9b150d9240...
--- snip ---
1169 BOOL WINAPI K32EnumProcessModules(HANDLE process, HMODULE *lphModule,
1170                                   DWORD cb, DWORD *needed)
1171 {
1172     MODULE_ITERATOR iter;
1173     INT ret;
1174
1175     if (!init_module_iterator(&iter, process))
1176         return FALSE;
1177
1178     *needed = 0;
1179
1180     while ((ret = module_iterator_next(&iter)) > 0)
1181     {
1182         if (cb >= sizeof(HMODULE))
1183         {
1184             *lphModule++ = iter.ldr_module.BaseAddress;
1185             cb -= sizeof(HMODULE);
1186         }
1187         *needed += sizeof(HMODULE);
1188     }
1189
1190     return ret == 0;
1191 }
--- snip ---
$ du -sh python-2.4.4.msi
9.3M    python-2.4.4.msi

$ sha1sum python-2.4.4.msi
38fbfd0250a8d72b1557986417f431e482fafdec  python-2.4.4.msi

$ du -sh tibia952.exe
30M     tibia952.exe

$ sha1sum tibia952.exe
f291c573c19beba762484d32c4f249b4487d6fe7  tibia952.exe

$ du -sh TibiaAutoSetup_2_19_2.exe
2.7M    TibiaAutoSetup_2_19_2.exe

$ sha1sum TibiaAutoSetup_2_19_2.exe
b200340b96adb7a0318653dd9996156d51b634c3  TibiaAutoSetup_2_19_2.exe

$ wine --version
wine-1.5.3-39-gd2581e6
Regards
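Added example, not code from the bug report or from Wine: a small C model of the loop in module.c with the NULL check for 'needed' that the summary asks for, exercised by the size-query-then-fill calling pattern the annotated injector code shows (first call cb = 0 with 'needed' set, second call with 'needed' = NULL). The fake module list, the typedefs and the helper names are constructed for this example.

```c
#include <stddef.h>

/* Minimal stand-ins for the Win32 types used by K32EnumProcessModules. */
typedef void *HMODULE;
typedef unsigned int DWORD;
typedef int BOOL;
#define TRUE 1
#define FALSE 0

/* Constructed module list standing in for Wine's MODULE_ITERATOR walk. */
static void *const fake_modules[] = {
    (void *)0x00400000, (void *)0x006c0000, (void *)0x7b800000, (void *)0x7bc00000,
};
#define FAKE_MODULE_COUNT (sizeof(fake_modules) / sizeof(fake_modules[0]))

/* Same loop shape as module.c, but 'needed' is treated as optional: the
 * required byte count is accumulated locally and only stored if the caller
 * supplied a pointer. lphModule is likewise only written when cb leaves room
 * (as in the original) and when it is non-NULL (extra defensive check). */
BOOL enum_modules_checked(HMODULE *lphModule, DWORD cb, DWORD *needed)
{
    DWORD total = 0;
    size_t i;

    for (i = 0; i < FAKE_MODULE_COUNT; i++)
    {
        if (lphModule && cb >= sizeof(HMODULE))
        {
            *lphModule++ = fake_modules[i];
            cb -= sizeof(HMODULE);
        }
        total += sizeof(HMODULE);   /* always count, even when truncating */
    }
    if (needed)                     /* the check the bug report asks for */
        *needed = total;
    return TRUE;
}

/* The injector's two-step pattern: query the size, allocate, then fill with
 * needed = NULL. Returns the number of handles stored, 0 if buf is too small. */
size_t enum_modules_two_step(HMODULE *buf, size_t buf_count)
{
    DWORD bytes = 0;
    if (!enum_modules_checked(NULL, 0, &bytes))     /* cb = 0, lphModule = NULL */
        return 0;
    if (bytes / sizeof(HMODULE) > buf_count)
        return 0;
    if (!enum_modules_checked(buf, bytes, NULL))    /* needed = NULL, as the app does */
        return 0;
    return bytes / sizeof(HMODULE);
}
```

With the unpatched loop the second call in enum_modules_two_step would fault on `*needed = 0` exactly as the backtrace shows; with the check it completes and the buffer holds all four handles.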