https://bugs.winehq.org/show_bug.cgi?id=39570
Anastasius Focht focht@gmx.net changed:
What                 |Removed                     |Added
----------------------------------------------------------------------------
URL                  |                            |https://web.archive.org/web/20141116142554/http://web.mit.edu/gambit/summer12/speedoflight/A_Slower_Speed_of_Light.zip
Keywords             |                            |download

--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, still present. Lots of time has passed since the initial report and many bugs have been fixed which triggered app crash handlers. There is always some way - by using a fault injection technique.
Taking the game from bug 32237 as an example.
https://web.archive.org/web/20141116142554/http://web.mit.edu/gambit/summer1...
Requirements to fulfil:
* app crash handler is registered
* at least one (builtin) module loaded into > 2GB range

--- snip ---
Base     Module
...
00400000 a slower speed of light.exe
00D50000 rpcrt4.dll
00EA0000 shcore.dll
00ED0000 ole32.dll
01230000 winmm.dll
01350000 msacm32.dll
01390000 oleaut32.dll
015F0000 imm32.dll
01620000 hid.dll
01640000 wsock32.dll
05E20000 mono.dll
06040000 psapi.dll
06050000 mswsock.dll
09130000 d3d9.dll
10000000 setupapi.dll
7A840000 opengl32.dll
7B000000 kernelbase.dll
7B420000 kernel32.dll
7BC30000 ntdll.dll
7DA60000 iphlpapi.dll
7DAB0000 netapi32.dll
7DAF0000 dnsapi.dll
7DB40000 shell32.dll
7E540000 gdi32.dll
7E680000 advapi32.dll
7E720000 ucrtbase.dll
7E830000 user32.dll
7EFD0000 ws2_32.dll
F75A0000 wined3d.dll <--- suitable
F7B20000 winex11.drv <--- suitable
--- snip ---
Find suitable place for fault injection:
--- snip ---
006A4780 | 55            | push ebp                                   |
006A4781 | 8BEC          | mov ebp,esp                                |
006A4783 | 8B45 08       | mov eax,dword ptr ss:[ebp+8]               |
006A4786 | 83EC 10       | sub esp,10                                 |
006A4789 | 56            | push esi                                   |
006A478A | 68 C816B800   | push a slower speed of light.B816C8        |
006A478F | A3 C06DC600   | mov dword ptr ds:[C66DC0],eax              |
006A4794 | FF15 6453B200 | call dword ptr ds:[B25364]                 | load D3D9.dll
006A479A | 33F6          | xor esi,esi                                |
006A479C | A3 186EC600   | mov dword ptr ds:[C66E18],eax              | lets die here
006A47A1 | 3BC6          | cmp eax,esi                                |
006A47A3 | 75 14         | jne a slower speed of light.6A47B9         |
006A47A5 | 68 B016B800   | push a slower speed of light.B816B0        |
006A47AA | E8 E127F6FF   | call a slower speed of light.606F90        |
006A47AF | 83C4 04       | add esp,4                                  |
006A47B2 | 32C0          | xor al,al                                  |
006A47B4 | 5E            | pop esi                                    |
006A47B5 | 8BE5          | mov esp,ebp                                |
006A47B7 | 5D            | pop ebp                                    |
006A47B8 | C3            | ret                                        |
--- snip ---
D3D9.dll -> wined3d = target
Trigger NULL pointer access by patching the game binary:
--- snip ---
006A479C | A3 00000000   | mov dword ptr ds:[0],eax
--- snip ---
--- snip ---
$ pwd
/home/focht/Downloads/A Slower Speed of Light

# backup (copy, not move: the original file must still be there for dd to patch and wine to run)
$ cp 'A Slower Speed of Light.exe' 'A Slower Speed of Light.exe.bak'

$ printf '\x00\x00\x00' | \
  dd of='A Slower Speed of Light.exe' bs=1 seek=2767774 count=3 conv=notrunc
--- snip ---
Run the game:
--- snip ---
$ WINEDEBUG=+seh,+loaddll,+dbghelp wine ./A\ Slower\ Speed\ of\ Light.exe
...
00b0:trace:loaddll:load_so_dll Loaded L"C:\windows\system32\wined3d.dll" at 0xf75a0000: builtin
00b0:trace:loaddll:load_native_dll Loaded L"C:\windows\system32\d3d9.dll" at 0x9130000: PE builtin
00b0:trace:seh:raise_exception code=c0000005 flags=0 addr=0x6a479c ip=006a479c tid=00b0
00b0:trace:seh:raise_exception info[0]=00000001
00b0:trace:seh:raise_exception info[1]=00000018
00b0:trace:seh:raise_exception eax=09130000 ebx=01e073e8 ecx=0911fc90 edx=7bc7f9b9 esi=00000000 edi=00000000
00b0:trace:seh:raise_exception ebp=0911ff0c esp=0911fef8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
00b0:trace:seh:call_stack_handlers calling handler at 0x7bcd7650 code=c0000005 flags=0
00b0:trace:loaddll:load_native_dll Loaded L"C:\windows\system32\dbghelp.dll" at 0x9260000: PE builtin
00b0:trace:dbghelp:SymInitializeW (FFFFFFFF L".;Z:\home\focht\Downloads\A Slower Speed of Light;Z:\home\focht\Downloads\A Slower Speed of Light;C:\windows;C:\windows\system32;SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;" 0)
00b0:trace:dbghelp:check_live_target got debug info address 0x7c000000 from PEB 7FFDF000
00b0:trace:dbghelp:get_wine_loader_name returning L"wine"
00b0:trace:dbghelp:elf_load_file Processing elf file 'L"wine"' at 7c000000
00b0:trace:dbghelp:get_wine_loader_name returning L"wine"
00b0:trace:dbghelp:pcs_callback 01B82C10 8 0911D7F8
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "Z:\home\focht\Downloads\A Slower Speed of Light\A Slower Speed of Light.exe" "A Slower Speed of Light.exe" 400000 00945000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"Z:\home\focht\Downloads\A Slower Speed of Light\A Slower Speed of Light.exe" L"A Slower Speed of Light.exe" 400000 00945000 00000000 00000000)
00b0:warn:dbghelp:module_is_container_loaded Couldn't find container for L"Z:\home\focht\Downloads\A Slower Speed of Light\A Slower Speed of Light.exe"
00b0:trace:dbghelp:module_new => PE 400000-d45000 L"Z:\home\focht\Downloads\A Slower Speed of Light\A Slower Speed of Light.exe"
00b0:trace:dbghelp:pe_load_stabs failed to load the STABS debug info
00b0:trace:dbghelp:pe_load_dwarf failed to load the DWARF debug info
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 1640000 0911D228
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "C:\windows\system32\winex11.drv" "winex11.drv" fffffffff7b30000 00090000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"C:\windows\system32\winex11.drv" L"winex11.drv" fffffffff7b30000 00090000 00000000 00000000)
...
00b0:fixme:dbghelp:validate_addr64 Unsupported address fffffffff7b30000
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF fffffffff7b30000 0911D228
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 6050000 0911D228
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "C:\windows\system32\d3d9.dll" "d3d9.dll" 9130000 0010b000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"C:\windows\system32\d3d9.dll" L"d3d9.dll" 9130000 0010b000 00000000 00000000)
00b0:warn:dbghelp:module_is_container_loaded Couldn't find container for L"C:\windows\system32\d3d9.dll"
00b0:trace:dbghelp:module_new => PE 9130000-923b000 L"C:\windows\system32\d3d9.dll"
00b0:trace:dbghelp:pe_load_stabs failed to load the STABS debug info
00b0:trace:dbghelp:pe_load_dwarf failed to load the DWARF debug info
00b0:trace:dbghelp:path_find_symbol_file (pcs = 01B82C10, full_path = "/home/focht/projects/wine/mainline-build-i686/dlls/d3d9/d3d9.pdb", guid = {9642e7fd-fb42-11c6-4c4c-44205044422e}, dw1 = 0x00000000, dw2 = 0x00000001, buffer = 0911E3C8)
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 9130000 0911D228
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "C:\windows\system32\wined3d.dll" "wined3d.dll" fffffffff75a0000 00160000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"C:\windows\system32\wined3d.dll" L"wined3d.dll" fffffffff75a0000 00160000 00000000 00000000)
...
00b0:fixme:dbghelp:validate_addr64 Unsupported address fffffffff75a0000
...
00b0:trace:dbghelp:SymGetLineFromAddr64 FFFFFFFF 0 0911DD98 0911F808
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 0 0911A598
00b0:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc56ae5 ip=7bc56ae5 tid=00b0
00b0:trace:seh:raise_exception info[0]=00000000
00b0:trace:seh:raise_exception info[1]=00000014
00b0:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=0911c244 edx=00000003 esi=00000000 edi=00000000
00b0:trace:seh:raise_exception ebp=0911c238 esp=0911c220 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
00b0:trace:seh:call_stack_handlers calling handler at 0x7bcb25d0 code=c0000005 flags=0
00b0:trace:seh:call_stack_handlers handler at 0x7bcb25d0 returned 2
00b0:trace:seh:call_stack_handlers calling handler at 0x7bcd7650 code=c0000005 flags=10
00b0:trace:seh:call_stack_handlers handler at 0x7bcd7650 returned 1
00b0:err:seh:raise_exception Unhandled exception code c0000005 flags 0 addr 0x7bc56ae5
--- snip ---
There is actually another fault in Wine code itself during the walk, but that's a different issue.
$ sha1sum A_Slower_Speed_of_Light.zip
f722493dd3afc6475500cc296d36f38d824a0d7d  A_Slower_Speed_of_Light.zip

$ du -sh A_Slower_Speed_of_Light.zip
99M     A_Slower_Speed_of_Light.zip

$ wine --version
wine-5.7-97-g7ccc45f754
Regards
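Added illustration (not part of the bug report, and not Wine's code): the module bases above 2GB in the table (F75A0000 for wined3d.dll, F7B20000 for winex11.drv) reach the 64-bit dbghelp entry points in the log as fffffffff75a0000 / fffffffff7b30000, which is exactly what a 32-bit value with bit 31 set becomes when it is sign-extended rather than zero-extended into a 64-bit argument. The C program below shows the two widenings side by side, together with a validate_addr64()-style check modelled only on the "Unsupported address" fixme message. The function names and the check are my assumptions; the module bases are copied from the table in the comment above.

```c
/* Added example (not Wine's code): how a 32-bit module base above 2GB turns into
 * fffffffff75a0000 once it is widened to a 64-bit dbghelp argument such as the
 * BaseOfDll parameter of SymLoadModuleEx. validate_addr64() here only mimics the
 * check implied by the "Unsupported address" fixme; it is not Wine's implementation. */
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Widening through a signed 32-bit intermediate: any base with bit 31 set
 * (i.e. above 2GB) is sign-extended, so the high dword becomes ffffffff. */
uint64_t widen_signed(uint32_t base)
{
    /* the cast to int32_t wraps to a negative value on two's-complement targets */
    return (uint64_t)(int32_t)base;
}

/* Widening the unsigned value directly: zero-extended, high dword stays 0. */
uint64_t widen_unsigned(uint32_t base)
{
    return (uint64_t)base;
}

/* Assumed check behind "validate_addr64 Unsupported address ...": a 32-bit
 * process addresses only the low 4GB, so a non-zero high dword is rejected. */
int validate_addr64(uint64_t addr)
{
    return (addr >> 32) == 0;
}

/* A module base only matters for this bug when bit 31 is set (>= 0x80000000). */
int module_above_2gb(uint32_t base)
{
    return (base & 0x80000000u) != 0;
}

struct module { const char *name; uint32_t base; };

/* Bases copied from the module table in the comment above. */
static const struct module modules[] = {
    { "ntdll.dll",   0x7BC30000u },   /* below 2GB: both widenings agree */
    { "wined3d.dll", 0xF75A0000u },   /* above 2GB: marked "suitable" in the comment */
    { "winex11.drv", 0xF7B20000u },   /* above 2GB */
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof(modules) / sizeof(modules[0]); i++) {
        uint64_t bad  = widen_signed(modules[i].base);
        uint64_t good = widen_unsigned(modules[i].base);
        printf("%-12s base=%08" PRIx32 " >2GB=%d  signed=%016" PRIx64 " (%s)  unsigned=%016" PRIx64 " (%s)\n",
               modules[i].name, modules[i].base, module_above_2gb(modules[i].base),
               bad,  validate_addr64(bad)  ? "ok" : "rejected",
               good, validate_addr64(good) ? "ok" : "rejected");
    }
    return 0;
}
```

Running it prints one line per module: ntdll.dll passes the check either way, while the two builtin modules above 2GB are rejected only under the signed widening, which matches the log where SymLoadModuleEx receives fffffffff75a0000 and the fixme fires. A quick pre-flight pass over the loaded-module list with module_above_2gb() is enough to tell whether a given process can hit this path at all.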