https://bugs.winehq.org/show_bug.cgi?id=45922
Bug ID: 45922
Summary: Black Desert Online 1.0.4.x crashes on startup (custom imports resolver can't cope with some ucrtbase functions being forwarded to ntdll)
Product: Wine
Version: 3.17
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: msvcrt
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
As it says. Encountered with the 32-bit build of the game.
NOTE: The command line is not proper (needs a security token), but it's enough to crash in the initial stage.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/Black Desert Online/bin

$ WINEDEBUG=+seh,+relay wine ./BlackDesert32.exe >>log.txt 2>&1
...
0009:Call KERNEL32.GetPrivateProfileStringW(02a75d90 L"SERVICE",02a75e04 L"nationType",02a12b34 L"",0032c77c,00000100,0720a608 L"c:/program files (x86)/black desert online/service.ini") ret=00cc9dfb
0009:Ret  KERNEL32.GetPrivateProfileStringW() retval=00000001 ret=00cc9dfb
0009:Call ucrtbase._errno() ret=00c8b48e
0009:Ret  ucrtbase._errno() retval=0015d1a0 ret=00c8b48e
0009:Call ucrtbase.memset(0032c3e4,00000000,00000080) ret=00c8b4a5
0009:Ret  ucrtbase.memset() retval=0032c3e4 ret=00c8b4a5
0009:Call ucrtbase.iswspace(00000030) ret=00c8b4bf
0009:Ret  ucrtbase.iswspace() retval=00000000 ret=00c8b4bf
0009:trace:seh:raise_exception code=c0000096 flags=0 addr=0xf6ac01a8 ip=f6ac01a8 tid=0009
0009:trace:seh:raise_exception  eax=0032c3e4 ebx=038e2a01 ecx=00000000 edx=00000100 esi=0032c77e edi=0032c3e6
0009:trace:seh:raise_exception  ebp=0032c3e6 esp=0032c3c0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0009:trace:seh:call_stack_handlers calling handler at 0x18bdbb0 code=c0000096 flags=0
0009:trace:seh:call_stack_handlers handler at 0x18bdbb0 returned 1
0009:trace:seh:call_stack_handlers calling handler at 0x18bdb4d code=c0000096 flags=0
0009:trace:seh:call_stack_handlers handler at 0x18bdb4d returned 1
0009:trace:seh:call_stack_handlers calling handler at 0x18bda6c code=c0000096 flags=0
0009:trace:seh:call_stack_handlers handler at 0x18bda6c returned 1
0009:trace:seh:call_stack_handlers calling handler at 0x13ae04b code=c0000096 flags=0
0009:Call ucrtbase._except_handler4_common(02cf8024,013adaab,0032c368,0032caec,0032c09c,0032bf5c) ret=013ae069
0009:trace:seh:_except_handler4_common exception c0000096 flags=0 at 0xf6ac01a8 handler=0x13ae04b 0x32c09c 0x32bf5c cookie=ac0b0dd7 scope table=0x2ce77c8 cookies=-2/0,-52/0
0009:trace:seh:_except_handler4_common level 0 prev -2 filter 0x13ada5e
0009:Call ucrtbase._seh_filter_exe(c0000096,0032be0c) ret=013ada6f
0009:trace:seh:_XcptFilter (c0000096,0x32be0c)
0009:Ret  ucrtbase._seh_filter_exe() retval=00000000 ret=013ada6f
0009:trace:seh:_except_handler4_common filter returned CONTINUE_SEARCH
0009:trace:seh:_except_handler4_common reached -2, returning ExceptionContinueSearch
0009:Ret  ucrtbase._except_handler4_common() retval=00000001 ret=013ae069
0009:trace:seh:call_stack_handlers handler at 0x13ae04b returned 1
0009:trace:seh:call_stack_handlers calling handler at 0x7b4904f9 code=c0000096 flags=0
wine: Unhandled privileged instruction at address 0xf6ac01a8 (thread 0009), starting debugger...
...
--- snip ---
Disassembly at crash site:
--- snip ---
00C8B470  81EC 84000000     SUB ESP,84
00C8B476  53                PUSH EBX
00C8B477  56                PUSH ESI
00C8B478  8BF1              MOV ESI,ECX
00C8B47A  B3 01             MOV BL,1
00C8B47C  57                PUSH EDI
00C8B47D  8BFA              MOV EDI,EDX
00C8B47F  85F6              TEST ESI,ESI
00C8B481  0F84 BF000000     JE 00C8B546
00C8B487  55                PUSH EBP
00C8B488  FF15 20AB9601     CALL DWORD PTR DS:[196AB20]    ; ucrtbase._errno
00C8B48E  68 80000000       PUSH 80
00C8B493  6A 00             PUSH 0
00C8B495  C700 00000000     MOV DWORD PTR DS:[EAX],0
00C8B49B  8D4424 1C         LEA EAX,[ESP+1C]
00C8B49F  50                PUSH EAX
00C8B4A0  E8 5BFCB900       CALL <JMP.memset>              ; ucrtbase.memset
00C8B4A5  0FB706            MOVZX EAX,WORD PTR DS:[ESI]
00C8B4A8  8D7C24 20         LEA EDI,[ESP+20]
00C8B4AC  33C9              XOR ECX,ECX
00C8B4AE  83C4 0C           ADD ESP,0C
00C8B4B1  8BEF              MOV EBP,EDI
00C8B4B3  66:3BC8           CMP CX,AX
00C8B4B6  74 43             JE SHORT 00C8B4FB
00C8B4B8  50                PUSH EAX
00C8B4B9  FF15 68AC9601     CALL DWORD PTR DS:[196AC68]    ; ucrtbase.iswspace
00C8B4BF  83C4 04           ADD ESP,4
00C8B4C2  85C0              TEST EAX,EAX
00C8B4C4  74 0D             JE SHORT 00C8B4D3
00C8B4C6  8D4424 14         LEA EAX,[ESP+14]
00C8B4CA  3BF8              CMP EDI,EAX
00C8B4CC  75 08             JNE SHORT 00C8B4D6
00C8B4CE  83C6 02           ADD ESI,2
00C8B4D1  EB 1A             JMP SHORT 00C8B4ED
00C8B4D3  8D6F 02           LEA EBP,[EDI+2]
00C8B4D6  66:8B06           MOV AX,WORD PTR DS:[ESI]
00C8B4D9  83C6 02           ADD ESI,2
00C8B4DC  66:8907           MOV WORD PTR DS:[EDI],AX
00C8B4DF  83C7 02           ADD EDI,2
00C8B4E2  8D8424 94000000   LEA EAX,[ESP+94]
00C8B4E9  3BF8              CMP EDI,EAX
00C8B4EB  73 0C             JAE SHORT 00C8B4F9
00C8B4ED  0FB706            MOVZX EAX,WORD PTR DS:[ESI]
00C8B4F0  33C9              XOR ECX,ECX
00C8B4F2  66:3BC8           CMP CX,AX
00C8B4F5 ^75 C1             JNE SHORT 00C8B4B8
00C8B4F7  EB 02             JMP SHORT 00C8B4FB
00C8B4F9  32DB              XOR BL,BL
00C8B4FB  33C0              XOR EAX,EAX
00C8B4FD  66:8945 00        MOV WORD PTR SS:[EBP],AX
00C8B501  8D4424 10         LEA EAX,[ESP+10]
00C8B505  6A 0A             PUSH 0A
00C8B507  50                PUSH EAX
00C8B508  8D4424 1C         LEA EAX,[ESP+1C]
00C8B50C  50                PUSH EAX
00C8B50D  FF15 A4A99601     CALL DWORD PTR DS:[196A9A4]    ; ASCII "ntdll.wcstol"
00C8B513  83C4 0C           ADD ESP,0C
00C8B516  8D4C24 14         LEA ECX,[ESP+14]
00C8B51A  8BF8              MOV EDI,EAX
00C8B51C  8B4424 10         MOV EAX,DWORD PTR SS:[ESP+10]
00C8B520  5D                POP EBP
00C8B521  3BC1              CMP EAX,ECX
00C8B523  74 21             JE SHORT 00C8B546
00C8B525  66:8338 00        CMP WORD PTR DS:[EAX],0
00C8B529  75 1B             JNE SHORT 00C8B546
00C8B52B  81FF FFFFFF7F     CMP EDI,7FFFFFFF
00C8B531  74 08             JE SHORT 00C8B53B
00C8B533  81FF 00000080     CMP EDI,80000000
00C8B539  75 0D             JNE SHORT 00C8B548
00C8B53B  FF15 20AB9601     CALL DWORD PTR DS:[196AB20]    ; ucrtbase._errno
00C8B541  8338 22           CMP DWORD PTR DS:[EAX],22
00C8B544  75 02             JNE SHORT 00C8B548
00C8B546  32DB              XOR BL,BL
00C8B548  8B8424 94000000   MOV EAX,DWORD PTR SS:[ESP+94]
00C8B54F  85C0              TEST EAX,EAX
00C8B551  74 02             JE SHORT 00C8B555
00C8B553  8818              MOV BYTE PTR DS:[EAX],BL
00C8B555  8BC7              MOV EAX,EDI
00C8B557  5F                POP EDI
00C8B558  5E                POP ESI
00C8B559  5B                POP EBX
00C8B55A  81C4 84000000     ADD ESP,84
00C8B560  C3                RETN
--- snip ---
Custom imports resolver table:
--- snip ---
...
0196A7E0  F69B2BA8  ; ucrtbase.wcsstr
0196A7E4  F69ADB50  ; ucrtbase._except_handler3
0196A7E8  F69B2548  ; ucrtbase.set_unexpected
0196A7EC  F69C2F64  ; ucrtbase._setjmp3
0196A7F0  F69B1F18  ; ucrtbase.longjmp
0196A7F4  F69ADB68  ; ucrtbase._except_handler4_common
0196A7F8  F69ACB30  ; ucrtbase._CxxThrowException
0196A7FC  F6071CB4  ; vcruntime140.__vcrt_InitializeCriticalSectionEx
0196A800  F69AF860  ; ucrtbase._purecall
0196A804  F69B2128  ; ucrtbase.memset
0196A808  F69B20C8  ; ucrtbase.memcpy
0196A80C  F69AFC50  ; ucrtbase._set_purecall_handler
0196A810  F69B27A0  ; ucrtbase.strrchr
0196A814  F6A6018D  ; ASCII "ntdll.wcsrchr"
0196A818  F69B27B8  ; ucrtbase.strstr
0196A81C  F69B2638  ; ucrtbase.strchr
0196A820  F69B2098  ; ucrtbase.memchr
0196A824  F69AD100  ; ucrtbase.__std_exception_destroy
0196A828  F69AD0E8  ; ucrtbase.__std_exception_copy
0196A82C  F69B2A70  ; ucrtbase.wcschr
0196A830  F69C210C  ; ucrtbase.__CxxFrameHandler
0196A834  F69B28F0  ; ucrtbase.terminate
0196A838  F69B20F8  ; ucrtbase.memmove
...
0196A970  00000000
0196A974  F69B27D0  ; ucrtbase.strtod
0196A978  F6A6001F  ; ASCII "ntdll._atoi64"
0196A97C  F69B1300  ; ucrtbase.atoi
0196A980  F69B12E8  ; ucrtbase.atof
0196A984  F69B0190  ; ucrtbase._strtoui64_l
0196A988  F69B0130  ; ucrtbase._strtoi64_l
0196A98C  F69B0FD0  ; ucrtbase._wtof
0196A990  F69B2860  ; ucrtbase.strtoul
0196A994  F69B0910  ; ucrtbase._wcstoui64
0196A998  F6A600DC  ; ASCII "ntdll.atol"
0196A99C  F69B00E8  ; ucrtbase._strtod_l
0196A9A0  F69B2830  ; ucrtbase.strtol
0196A9A4  F6A601A8  ; ASCII "ntdll.wcstol"
0196A9A8  F69B2C68  ; ucrtbase.wcstoul
0196A9AC  F69B2848  ; ucrtbase.strtoll
0196A9B0  F69B2C20  ; ucrtbase.wcstoll
0196A9B4  F69B2878  ; ucrtbase.strtoull
0196A9B8  F69B2C80  ; ucrtbase.wcstoull
0196A9BC  F69B27E8  ; ucrtbase.strtof
0196A9C0  F69B2BD8  ; ucrtbase.wcstof
0196A9C4  F69B1000  ; ucrtbase._wtoi
0196A9C8  00000000
...
0196AC2C  00000000
0196AC30  F69B2980  ; ucrtbase.toupper
0196AC34  F69B2650  ; ucrtbase.strcmp
0196AC38  F69B2968  ; ucrtbase.tolower
0196AC3C  F69B0700  ; ucrtbase._wcslwr
0196AC40  F6A600CE  ; ASCII "ntdll._wcsupr"
0196AC44  F69B2C08  ; ucrtbase.wcstok_s
0196AC48  F69B1C18  ; ucrtbase.iswdigit
0196AC4C  F69B2770  ; ucrtbase.strncpy_s
0196AC50  F69AFF08  ; ucrtbase._stricmp
0196AC54  F69B1A98  ; ucrtbase.isalnum
0196AC58  F69B2998  ; ucrtbase.towlower
0196AC5C  F69B1CD8  ; ucrtbase.isxdigit
0196AC60  F6A6012F  ; ASCII "ntdll.strpbrk"
0196AC64  F69B2A58  ; ucrtbase.wcscat_s
0196AC68  F69B1C90  ; ucrtbase.iswspace
0196AC6C  F69B1B88  ; ucrtbase.isspace
0196AC70  F69B2BF0  ; ucrtbase.wcstok
0196AC74  F69B2AD0  ; ucrtbase.wcslen
0196AC78  F69B1BA0  ; ucrtbase.isupper
0196AC7C  F69B1B58  ; ucrtbase.isprint
0196AC80  F69B1B10  ; ucrtbase.isgraph
0196AC84  F69B0790  ; ucrtbase._wcsnicmp
0196AC88  F6A60157  ; ASCII "ntdll.wcscmp"
0196AC8C  F69B1AF8  ; ucrtbase.isdigit
0196AC90  F69B2AE8  ; ucrtbase.wcsncat_s
0196AC94  F69B2800  ; ucrtbase.strtok
0196AC98  F69B1AE0  ; ucrtbase.iscntrl
0196AC9C  F69B06A0  ; ucrtbase._wcsicmp
0196ACA0  F69B2668  ; ucrtbase.strcoll
0196ACA4  F69B2710  ; ucrtbase.strncat
0196ACA8  F6A60121  ; ASCII "ntdll.strcspn"
0196ACAC  F69B1B40  ; ucrtbase.islower
0196ACB0  F69B1AB0  ; ucrtbase.isalpha
0196ACB4  F69B2620  ; ucrtbase.strcat_s
0196ACB8  F69B1B70  ; ucrtbase.ispunct
0196ACBC  F69AFEC0  ; ucrtbase._strdup
0196ACC0  F69B2740  ; ucrtbase.strncmp
0196ACC4  F69B2B00  ; ucrtbase.wcsncmp
0196ACC8  F69B2698  ; ucrtbase.strcpy_s
0196ACCC  F69B2758  ; ucrtbase.strncpy
0196ACD0  F69B2818  ; ucrtbase.strtok_s
0196ACD4  F69B2B30  ; ucrtbase.wcsncpy_s
0196ACD8  F69B2AA0  ; ucrtbase.wcscpy_s
0196ACDC  F69B2B18  ; ucrtbase.wcsncpy
0196ACE0  00000000
...
--- snip ---
I've copied the following implementations from 'ntdll' into 'msvcrt' (MSVCRT_xxx) to be used as 'ucrtbase' exports and it fixes the problem:
* ntdll._atoi64
* ntdll._wcsupr
* ntdll.atol
* ntdll.wcscmp
* ntdll.wcsrchr
* ntdll.wcstol
* ntdll.strcspn
* ntdll.strpbrk
Wine source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ucrtbase/ucrtbase.spe...
etc.
There are more offenders in general when looking at the .spec file, but it seems the above list contains the only ones that need to be fixed for the game (based on the dumped in-memory IAT).
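To make the failure mode concrete, here is an added example (mine, not part of the bug report or of Wine's code): a small Python model of the PE export directory. The IMAGE_EXPORT_DIRECTORY layout and the forwarder rule (an export RVA that lands inside the export directory's own range points at a "Dll.Function" string rather than at code) are the real PE rules; the two module images, their RVAs and the code stubs are constructed for the example, and ordinal forwarders ("ntdll.#42") are deliberately left out. It shows why a resolver that copies the raw AddressOfFunctions entry ends up with a pointer to the text "ntdll.wcstol" (exactly the `; ASCII "ntdll.wcstol"` entry in the dumped table above), and what a forwarder-aware resolver does instead. `looks_like_text` is the triage heuristic implied by that disassembler annotation.

```python
import struct

# IMAGE_EXPORT_DIRECTORY (40 bytes, little-endian): Characteristics, TimeDateStamp,
# MajorVersion, MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames,
# AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
EXPORT_DIR_FMT = "<IIHHIIIIIII"


def build_image(dll_name, exports, export_rva=0x100, code_base=0x3000):
    """Constructed stand-in for a loaded module (not a real PE file): a byte buffer
    where RVA == offset. `exports` lists (name, forwarder); forwarder is None for a
    code export or a 'dll.func' string for a forwarded one, as a .spec forward emits."""
    n = len(exports)
    func_off, name_off, ord_off, dll_off = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    blob = bytearray(dll_off) + dll_name.encode() + b"\0"
    func_rvas, name_rvas = [], []
    for i, (name, forwarder) in enumerate(exports):
        name_rvas.append(export_rva + len(blob))
        blob += name.encode() + b"\0"
        if forwarder is None:
            func_rvas.append(code_base + 0x10 * i)      # real code, outside the directory
        else:
            func_rvas.append(export_rva + len(blob))    # forwarder text, inside the directory
            blob += forwarder.encode() + b"\0"
    struct.pack_into("<%dI" % n, blob, func_off, *func_rvas)
    struct.pack_into("<%dI" % n, blob, name_off, *name_rvas)
    struct.pack_into("<%dH" % n, blob, ord_off, *range(n))
    struct.pack_into(EXPORT_DIR_FMT, blob, 0, 0, 0, 0, 0, export_rva + dll_off, 1, n, n,
                     export_rva + func_off, export_rva + name_off, export_rva + ord_off)
    image = bytearray(code_base + 0x10 * n)
    image[export_rva:export_rva + len(blob)] = blob
    for i in range(n):
        image[code_base + 0x10 * i] = 0xC3              # a 'ret' stub stands in for code
    return bytes(image), export_rva, len(blob)


def read_cstr(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def lookup_export(image, export_rva, export_size, name):
    """Return (rva, forwarder) for a named export; forwarder is the 'Dll.Function'
    text when the RVA falls inside the export directory, else None."""
    fields = struct.unpack_from(EXPORT_DIR_FMT, image, export_rva)
    n_funcs, n_names, aof, aon, aono = fields[6:11]
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, aon + 4 * i)[0]
        if read_cstr(image, name_rva) != name:
            continue
        index = struct.unpack_from("<H", image, aono + 2 * i)[0]
        if index >= n_funcs:
            raise ValueError("ordinal table entry out of range")
        rva = struct.unpack_from("<I", image, aof + 4 * index)[0]
        if export_rva <= rva < export_rva + export_size:
            return rva, read_cstr(image, rva)
        return rva, None
    raise KeyError(name)


def naive_resolve(modules, dll, func):
    """Resolver that ignores forwarders: it stores whatever RVA the function table
    holds, so a forwarded export yields the address of the 'ntdll.wcstol' text."""
    image, export_rva, export_size = modules[dll]
    rva, _ = lookup_export(image, export_rva, export_size, func)
    return dll, rva


def resolve_import(modules, dll, func, depth=0):
    """Forwarder-aware resolver: follows 'dll.func' chains into the target module."""
    dll = dll.lower()
    image, export_rva, export_size = modules[dll]
    rva, forwarder = lookup_export(image, export_rva, export_size, func)
    if forwarder is None:
        return dll, rva
    if depth >= 8:
        raise RuntimeError("forwarder chain too long at %s.%s" % (dll, func))
    target_dll, target_func = forwarder.rsplit(".", 1)  # module names may contain dots
    return resolve_import(modules, target_dll, target_func, depth + 1)


def looks_like_text(image, rva, min_len=6):
    """Triage check: a 'code' pointer whose bytes are printable ASCII up to a NUL
    is almost certainly an unresolved forwarder string."""
    end = image.find(b"\0", rva)
    chunk = image[rva:end] if end >= 0 else b""
    return len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk)


def build_modules():
    # Constructed module set: ucrtbase forwards wcstol to ntdll, iswspace is plain code.
    return {
        "ucrtbase": build_image("ucrtbase.dll", [("iswspace", None), ("wcstol", "ntdll.wcstol")]),
        "ntdll": build_image("ntdll.dll", [("wcstol", None)]),
    }


if __name__ == "__main__":
    mods = build_modules()
    for func in ("iswspace", "wcstol"):
        dll, rva = naive_resolve(mods, "ucrtbase", func)
        flag = "TEXT, not code!" if looks_like_text(mods[dll][0], rva) else "ok"
        print("naive   %-8s -> %s+%#x  %s" % (func, dll, rva, flag))
        dll, rva = resolve_import(mods, "ucrtbase", func)
        print("forward %-8s -> %s+%#x" % (func, dll, rva))
```

Run stand-alone it prints both resolutions for each import; the naive one for `wcstol` lands on the forwarder string, which is what the game then calls and why Wine reports a privileged instruction at that address. The real loader (and a correct custom resolver) performs the `resolve_import` walk, so the fix described above of giving ucrtbase its own implementations instead of `ntdll.*` forwards removes the case the game's resolver cannot handle.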
ProtectionID scan:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\Program Files (x86)\Black Desert Online\Black Desert Online Launcher.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 10524824 (0A09898h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5B56DCAD -> Tue 24th Jul 2018 08:00:45 (GMT)
[TimeStamp] 0x5B56DCAD -> Tue 24th Jul 2018 08:00:45 (GMT) | PE Header | - | Offset: 0x00000140 | VA: 0x00400140 | -
[TimeStamp] 0x5B56DCAD -> Tue 24th Jul 2018 08:00:45 (GMT) | DebugDirectory | - | Offset: 0x00230E94 | VA: 0x00632094 | -
[TimeStamp] 0x5B56DCAD -> Tue 24th Jul 2018 08:00:45 (GMT) | DebugDirectory | - | Offset: 0x00230EB0 | VA: 0x006320B0 | -
-> File Appears to be Digitally Signed @ Offset 0A08000h, size : 01898h / 06296 byte(s)
[LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64)
[LoadConfig] CodeIntegrity -> Flags 0xC | Catalog 0x0 (0) | Catalog Offset 0x575C3A44 | Reserved 0x736B726F
[LoadConfig] GuardAddressTakenIatEntryTable 0x65636170 | Count 0x61724F5C (1634881372)
[LoadConfig] GuardLongJumpTargetTable 0x5465676E | Count 0x6C5C5446 (1817990214)
[LoadConfig] HybridMetadataPointer 0x636E7561 | DynamicValueRelocTable 0x70615F68
[LoadConfig] FailFastIndirectProc 0x425C7370 | FailFastPointer 0x614C4F44
[LoadConfig] UnknownZero1 0x68636E75
[File Heuristics] -> Flag #1 : 00000100000001001101000000000100 (0x0404D004)
[Entrypoint Section Entropy] : 6.55 (section #0) ".text " | Size : 0x22F895 (2291861) byte(s)
[DllCharacteristics] -> Flag : (0x8140) -> ASLR | DEP | TSA
[SectionCount] 5 (0x5) | ImageSize 0xA5A000 (10854400) byte(s)
[VersionInfo] Company Name : Daum Games
[VersionInfo] Product Name : Black Desert Online Launcher
[VersionInfo] Product Version : 1.0.4.1
[VersionInfo] File Description : Black Desert Online Launcher
[VersionInfo] File Version : 1.0.4.1
[VersionInfo] Original FileName : DGGlobalLauncher.exe
[VersionInfo] Internal Name : DGGlobalLauncher.exe
[VersionInfo] Legal Copyrights : ? Daum Games. All Rights Reserved.
[ModuleReport] [IAT] Modules -> MPR.dll | libcef.dll | KERNEL32.dll | USER32.dll | GDI32.dll | MSIMG32.dll | WINSPOOL.DRV | ADVAPI32.dll | SHELL32.dll | COMCTL32.dll | SHLWAPI.dll | UxTheme.dll | ole32.dll | OLEAUT32.dll | oledlg.dll | gdiplus.dll | VERSION.dll | RPCRT4.dll | d3d9.dll | WINHTTP.dll | WS2_32.dll | IPHLPAPI.DLL | NETAPI32.dll | OLEACC.dll | IMM32.dll | WINMM.dll | WININET.dll
[Debug Info] (record 1 of 2) (file offset 0x230E90)
Characteristics : 0x0 | TimeDateStamp : 0x5B56DCAD (Tue 24th Jul 2018 08:00:45 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x6B (107)
AddressOfRawData : 0x292780 | PointerToRawData : 0x291580
CvSig : 0x53445352 | SigGuid 648B2239-A4D0-4B66-A999FCF36EF83622
Age : 0xC (12) | Pdb : D:\Workspace\OrangeTFT\launch_apps\BDOLauncher\Release\DGGlobalLauncherForCBT2.pdb
[Debug Info] (record 2 of 2) (file offset 0x230EAC)
Characteristics : 0x0 | TimeDateStamp : 0x5B56DCAD (Tue 24th Jul 2018 08:00:45 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 12 (0xC) -> Undocumented | Size : 0x14 (20)
AddressOfRawData : 0x2927EC | PointerToRawData : 0x2915EC
[CompilerDetect] -> Visual C++ 12.0 (Visual Studio 2012)
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 2.952 Second(s) [000000800h (2048) tick(s)] [506 of 580 scan(s) done]

Scanning -> C:\Program Files (x86)\Black Desert Online\bin\BlackDesert32.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 13239704 (0CA0598h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5BA32040 -> Thu 20th Sep 2018 04:21:20 (GMT)
[TimeStamp] 0x5BA32040 -> Thu 20th Sep 2018 04:21:20 (GMT) | PE Header | - | Offset: 0x000001A8 | VA: 0x004001A8 | -
[TimeStamp] 0x5BA31B8A -> Thu 20th Sep 2018 04:01:14 (GMT) | Export | - | Offset: 0x00C6B3C8 | VA: 0x03F681C8 | -
[TimeStamp] 0x5BA32040 -> Thu 20th Sep 2018 04:21:20 (GMT) | DebugDirectory | - | Offset: 0x00C9EA13 | VA: 0x03F9B813 | -
-> File Appears to be Digitally Signed @ Offset 0C9EE00h, size : 01798h / 06040 byte(s)
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000100000001001100000100110111 (0x0404C137)
[Entrypoint Section Entropy] : 7.27 (section #5) "rpowsxgy" | Size : 0x200 (512) byte(s)
[DllCharacteristics] -> Flag : (0x8000) -> TSA
[SectionCount] 6 (0x6) | ImageSize 0x3B9D000 (62509056) byte(s)
[Export] 4% of function(s) (15 of 356) are in file | 0 are forwarded | 356 code | 0 data | 0 uninit data | 0 unknown |
[ModuleReport] [IAT] Modules -> kernel32.dll | comctl32.dll
[Debug Info] (record 1 of 1) (file offset 0xC9EA0F)
Characteristics : 0x0 | TimeDateStamp : 0x5BA32040 (Thu 20th Sep 2018 04:21:20 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x51 (81)
AddressOfRawData : 0x3B9B7BE | PointerToRawData : 0xC9E9BE
CvSig : 0x53445352 | SigGuid 6C870D7A-4F98-4A0B-9F7B23B5B1E85AE6
Age : 0x1 (1) | Pdb : F:\Global_Alpha\code\CrimsonDesert\bin\BlackDesert32.pdb
[!] Themida/Winlicense detected !
- Scan Took : 2.807 Second(s) [000000891h (2193) tick(s)] [506 of 580 scan(s) done]
--- snip ---
$ sha1sum BlackDesertOnlineSetup_20180524_10010.exe
e729c18f0ee555e913fe4c2524d2a0091d1231e5  BlackDesertOnlineSetup_20180524_10010.exe

$ du -sh BlackDesertOnlineSetup_20180524_10010.exe
50M	BlackDesertOnlineSetup_20180524_10010.exe

$ wine --version
wine-3.17-32-gd8249c638c
Regards