[Bug 45194] Painkiller (Dreamcatcher original, Multiplayer demo, GOG.com Black Edition 1.64) crashes at start on systems with high uptime (overflow in game engine time calculation)

https://bugs.winehq.org/show_bug.cgi?id=45194

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Summary|Painkiller Multiplayer demo |Painkiller (Dreamcatcher |(Dreamcatcher) 1.0 crashes |original, Multiplayer demo, |at start (overflow in game |GOG.com Black Edition 1.64) |engine time calculation) |crashes at start on systems | |with high uptime (overflow | |in game engine time | |calculation)

--- Comment #28 from Anastasius Focht focht@gmx.net --- Hello Henri,

--- quote --- I can confirm that this bug is also present in the full version (GOG, single player, did not test multiplayer), --- quote ---

The GOG release is mentioned as "Black Edition" here:

https://www.gog.com/game/painkiller

It seems the latest official version of the game is 1.64, according to this comment:

https://www.gog.com/forum/painkiller_series/installing_mega_patch_and_unoffi...

--- quote --- I have not played Painkiller for a long time but I have decided to play it again, with unofficial 1.65 patch, everything was fine until the City on Water level, where it breaked the game for me. I can not proceed to fountain area, as 3 monster do not spawn so the game does not open the door to the next area. I do not know if anyone else experiencied this, just saying, I was forced to return to original 1.64 version of game.

Win10, GOG Black Edition of the game. --- quote ---

WineHQ appdb

https://appdb.winehq.org/objectManager.php?sClass=version&iId=16200

"Painkiller: Black Edition 1.64 (GOG)"

====

The original 'engine.dll' from the multiplayer demo in this bug report:

--- snip --- $ ll Engine.dll -rw-rw-r--. 1 focht focht 4173824 Jul 12 2004 Engine.dll

$ sha1sum Engine.dll 3f3c5d744613cfa684ab2934b9d1ca86f55dc01c Engine.dll --- snip ---

Protection ID scan:

--- snip --- -=[ ProtectionID v0.6.9.0 DECEMBER]=- (c) 2003-2017 CDKiLLER & TippeX Build 24/12/17-21:05:42 Ready... Scanning -> C:\Program Files (x86)\DreamCatcher\PainkillerMultiplayerDemo\Bin\Engine.dll File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 4173824 (03FB000h) Byte(s) | Machine: 0x14C (I386) Compilation TimeStamp : 0x40F2B47A -> Mon 12th Jul 2004 15:55:38 (GMT) [TimeStamp] 0x40F2B47A -> Mon 12th Jul 2004 15:55:38 (GMT) | PE Header | - | Offset: 0x00000120 | VA: 0x10000120 | - [TimeStamp] 0x40F2B479 -> Mon 12th Jul 2004 15:55:37 (GMT) | Export | - | Offset: 0x00388644 | VA: 0x10388644 | - [TimeStamp] 0x40F2B47A -> Mon 12th Jul 2004 15:55:38 (GMT) | DebugDirectory | - | Offset: 0x00278494 | VA: 0x10278494 | - [LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0 [LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848) [LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008) [LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C [LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360 [LoadConfig] UnknownZero1 0x8000011 [File Heuristics] -> Flag #1 : 00000100000000000000000100000000 (0x04000100) [Entrypoint Section Entropy] : 6.59 (section #0) ".text " | Size : 0x276A45 (2583109) byte(s) [DllCharacteristics] -> Flag : (0x0000) -> NONE [SectionCount] 5 (0x5) | ImageSize 0x4C4C000 (80003072) byte(s) [Export] 98% of function(s) (2707 of 2759) are in file | 0 are forwarded | 2613 code | 146 data | 0 uninit data | 0 unknown | [ModuleReport] [IAT] Modules -> DINPUT8.dll | WS2_32.dll | mss32.dll | WINMM.dll | binkw32.dll | KERNEL32.dll | USER32.dll | ADVAPI32.dll | SHELL32.dll | ole32.dll [Debug Info] (record 1 of 1) (file offset 0x278490) Characteristics : 0x0 | TimeDateStamp : 0x40F2B47A (Mon 12th Jul 2004 15:55:38 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 2 (0x2) -> CodeView | Size : 0x50 (80) AddressOfRawData : 0x37085C | PointerToRawData : 0x37085C CvSig : 0x53445352 | SigGuid 889426AE-8628-48B4-BA86829EC7AD5718 Age : 0x1 (1) | Pdb : c:\painkiller\Game\Bin\ObjectsRelease\Engine\Engine.pdb [CdKeySerial] found "CDKey" @ VA: 0x0027C6F0 / Offset: 0x0027C6F0 [CdKeySerial] found "CDKey" @ VA: 0x0027C6FB / Offset: 0x0027C6FB [CdKeySerial] found "CDKey" @ VA: 0x0027D3A8 / Offset: 0x0027D3A8 [CdKeySerial] found "Invalid code" @ VA: 0x002A21BC / Offset: 0x002A21BC [CdKeySerial] found "CDKey" @ VA: 0x003A0605 / Offset: 0x003A0605 [CdKeySerial] found "CDKey" @ VA: 0x003A490C / Offset: 0x003A490C [CdKeySerial] found "CDKey" @ VA: 0x003A49D2 / Offset: 0x003A49D2 [CdKeySerial] found "CDKey" @ VA: 0x003A8F9F / Offset: 0x003A8F9F [CdKeySerial] found "CDKey" @ VA: 0x003A9227 / Offset: 0x003A9227 [CompilerDetect] -> Visual C++ 7.1 (Visual Studio 2003) [!] File appears to have no protection or is using an unknown protection - Scan Took : 1.828 Second(s) [000000494h (1172) tick(s)] [246 of 580 scan(s) done] --- snip ---

====

Unofficial Patch v1.65 for Painkiller

http://pkzone.org/unofficial-patch-v1-65/

--- snip --- $ ll Engine.dll -rw-rw-r--. 1 focht focht 4440064 Feb 17 2005 Engine.dll

$ sha1sum Engine.dll e124d3bbd364e060e019201c1154a83c6a9d027f Engine.dll --- snip ---

Although the engine dll seems newer/updated, the code in the function didn't change (potential overflow still present):

--- snip --- 10001450 | sub esp,8 | 10001453 | fld st(0),qword ptr ds:[102AE578] | 10001459 | sub esp,8 | 1000145C | fdiv st(0),qword ptr ds:[ecx+50] | 1000145F | fstp qword ptr ss:[esp],st(0) | 10001462 | call engine.10286760 | floor() 10001467 | fnstcw word ptr ss:[esp+8] | 1000146B | movzx eax,word ptr ss:[esp+8] | 10001470 | add esp,8 | 10001473 | or ah,C | 10001476 | mov dword ptr ss:[esp+4],eax | 1000147A | fldcw word ptr ss:[esp+4] | 1000147E | fistp dword ptr ss:[esp+4],st(0) | 10001482 | mov eax,dword ptr ss:[esp+4] | 10001486 | mov dword ptr ss:[esp+4],eax | 1000148A | fldcw word ptr ss:[esp] | 1000148D | xor eax,eax | 1000148F | xor edx,edx | 10001491 | rdtsc | 10001493 | div dword ptr ss:[esp+4] | 10001497 | mov dword ptr ss:[esp],eax | 1000149A | mov eax,dword ptr ss:[esp] | 1000149D | add esp,8 | 100014A0 | ret | --- snip ---

--- snip --- -=[ ProtectionID v0.6.9.0 DECEMBER]=- (c) 2003-2017 CDKiLLER & TippeX Build 24/12/17-21:05:42

Scanning -> C:\Program Files (x86)\DreamCatcher\PainkillerMultiplayerDemo\Bin\Painkiller.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 1474560 (0168000h) Byte(s) | Machine: 0x14C (I386) Compilation TimeStamp : 0x4214B256 -> Thu 17th Feb 2005 15:03:50 (GMT) [TimeStamp] 0x4214B256 -> Thu 17th Feb 2005 15:03:50 (GMT) | PE Header | - | Offset: 0x00000120 | VA: 0x00400120 | - [TimeStamp] 0x4214B256 -> Thu 17th Feb 2005 15:03:50 (GMT) | DebugDirectory | - | Offset: 0x0006E904 | VA: 0x0046E904 | - [LoadConfig] Struct determined as v2 (Expected size 72 | Actual size 72) [!] Executable uses SEH Tables (/SAFESEH) (388 calculated 388 recorded... 0 invalid addresses) [File Heuristics] -> Flag #1 : 00000100000000000000000000000000 (0x04000000) [Entrypoint Section Entropy] : 6.51 (section #0) ".text " | Size : 0x6C9F6 (444918) byte(s) [DllCharacteristics] -> Flag : (0x0000) -> NONE [SectionCount] 5 (0x5) | ImageSize 0x16D000 (1495040) byte(s) [VersionInfo] Company Name : People Can Fly [VersionInfo] Product Name : Painkiller [VersionInfo] Product Version : 1.0.0.0 [VersionInfo] File Description : Painkiller [VersionInfo] File Version : 0.0.1.5 [VersionInfo] Original FileName : PainGame.exe [VersionInfo] Internal Name : PainGame.exe [VersionInfo] Legal Copyrights : (c) People Can Fly. All rights reserved. [ModuleReport] [IAT] Modules -> Engine.dll | KERNEL32.dll | USER32.dll | GDI32.dll | comdlg32.dll | WINSPOOL.DRV | ADVAPI32.dll | SHELL32.dll | COMCTL32.dll | SHLWAPI.dll | ole32.dll | OLEAUT32.dll | WS2_32.dll | WINMM.dll | oledlg.dll [ModuleReport] [DelayImport] Modules -> OLEACC.dll [Debug Info] (record 1 of 1) (file offset 0x6E900) Characteristics : 0x0 | TimeDateStamp : 0x4214B256 (Thu 17th Feb 2005 15:03:50 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 2 (0x2) -> CodeView | Size : 0x58 (88) AddressOfRawData : 0x81D00 | PointerToRawData : 0x81D00 CvSig : 0x53445352 | SigGuid 87465267-0864-4DB7-AC389EC65DF46F2A Age : 0x3 (3) | Pdb : w:\Painkiller\Game\Bin\ObjectsRelease\PainEditor\PainEditor.pdb [CompilerDetect] -> Visual C++ 7.1 (Visual Studio 2003) [!] File appears to have no protection or is using an unknown protection - Scan Took : 0.925 Second(s) [00000039Dh (925) tick(s)] [506 of 580 scan(s) done]

Scanning -> C:\Program Files (x86)\DreamCatcher\PainkillerMultiplayerDemo\Bin\Engine.dll File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 4440064 (043C000h) Byte(s) | Machine: 0x14C (I386) Compilation TimeStamp : 0x4214B251 -> Thu 17th Feb 2005 15:03:45 (GMT) [TimeStamp] 0x4214B251 -> Thu 17th Feb 2005 15:03:45 (GMT) | PE Header | - | Offset: 0x00000118 | VA: 0x10000118 | - [TimeStamp] 0x4214B250 -> Thu 17th Feb 2005 15:03:44 (GMT) | Export | - | Offset: 0x003C2504 | VA: 0x103C2504 | - [TimeStamp] 0x4214B251 -> Thu 17th Feb 2005 15:03:45 (GMT) | DebugDirectory | - | Offset: 0x002AE4D4 | VA: 0x102AE4D4 | - [LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0 [LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848) [LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008) [LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C [LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360 [LoadConfig] UnknownZero1 0x8000011 [File Heuristics] -> Flag #1 : 00000100000000000000000100000000 (0x04000100) [Entrypoint Section Entropy] : 6.58 (section #0) ".text " | Size : 0x2ACD75 (2805109) byte(s) [DllCharacteristics] -> Flag : (0x0000) -> NONE [SectionCount] 5 (0x5) | ImageSize 0x5045000 (84168704) byte(s) [Export] 98% of function(s) (2813 of 2867) are in file | 0 are forwarded | 2718 code | 149 data | 0 uninit data | 0 unknown | [ModuleReport] [IAT] Modules -> DINPUT8.dll | WS2_32.dll | mss32.dll | WINMM.dll | binkw32.dll | KERNEL32.dll | USER32.dll | ADVAPI32.dll | SHELL32.dll | ole32.dll [Debug Info] (record 1 of 1) (file offset 0x2AE4D0) Characteristics : 0x0 | TimeDateStamp : 0x4214B251 (Thu 17th Feb 2005 15:03:45 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 2 (0x2) -> CodeView | Size : 0x50 (80) AddressOfRawData : 0x3A8D7C | PointerToRawData : 0x3A8D7C CvSig : 0x53445352 | SigGuid BEC5D164-2B0A-4A0E-A6B5DAE9643DCDA6 Age : 0x3 (3) | Pdb : w:\Painkiller\Game\Bin\ObjectsRelease\Engine\Engine.pdb [CdKeySerial] found "CDKey" @ VA: 0x002B2D14 / Offset: 0x002B2D14 [CdKeySerial] found "CDKey" @ VA: 0x002B2D1F / Offset: 0x002B2D1F [CdKeySerial] found "CDKey" @ VA: 0x002B39D0 / Offset: 0x002B39D0 [CdKeySerial] found "Invalid code" @ VA: 0x002DA6DC / Offset: 0x002DA6DC [CdKeySerial] found "CDKey" @ VA: 0x003D9784 / Offset: 0x003D9784 [CdKeySerial] found "CDKey" @ VA: 0x003DB9CF / Offset: 0x003DB9CF [CdKeySerial] found "CDKey" @ VA: 0x003DFB7C / Offset: 0x003DFB7C [CdKeySerial] found "CDKey" @ VA: 0x003E4398 / Offset: 0x003E4398 [CdKeySerial] found "CDKey" @ VA: 0x003E4623 / Offset: 0x003E4623 [CompilerDetect] -> Visual C++ 7.1 (Visual Studio 2003) [!] File appears to have no protection or is using an unknown protection - Scan Took : 1.757 Second(s) [0000004DBh (1243) tick(s)] [246 of 580 scan(s) done] --- snip ---

Unofficial Patch v1.66 for Painkiller

https://www.moddb.com/mods/painkiller-black-edition-unofficial-patch-166/dow...

I've checked the v1.66 patch 'engine.dll' and it's identical to v1.65 patch.

GOG.com and/or the original publisher Dreamcatcher were apparently never made aware of the problem. They probably wouldn't do anything as the effort to fix the problem and provide an updated version is not worth the cost. Only a negligible number of users encountered this problem and an easy workaround exists.

I've updated the summary again. Thanks for the information on the GOG version.

Regards