https://bugs.winehq.org/show_bug.cgi?id=57819
--- Comment #9 from Mike Lothian mike@fireburn.co.uk --- From: LIU Hao 2025-02-10 15:02:28 UTC
```
00007FFA9AF3C81C <ntdll.sub_7FFA | 48:8BC4     | mov rax, rsp                       |
00007FFA9AF3C81F                 | 48:8958 08  | mov qword ptr ds:[rax + 0x8], rbx  |
00007FFA9AF3C823                 | 48:8968 10  | mov qword ptr ds:[rax + 0x10], rbp |
... ...
00007FFA9AF3C93A                 | 48:893E     | mov qword ptr ds:[rsi], rdi        | rdi:InitCommonControls
00007FFA9AF3C93D                 | EB D8       | jmp ntdll.7FFA9AF3C917             |
00007FFA9AF3C93F                 | 45:33C0     | xor r8d, r8d                       |
00007FFA9AF3C942                 | E9 59FFFFFF | jmp ntdll.7FFA9AF3C8A0             |
```
It faults at 00007FFA9AF3C93A, writing to `[rsi]`, which is in `.idata`:
```
00007FF7757F0000 0000000000001000 regedit.exe IMG -R--- ERWC-
00007FF7757F1000 0000000000010000 ".text"     IMG ER--- ERWC-
00007FF775801000 0000000000001000 ".data"     IMG -RW-- ERWC-
00007FF775802000 0000000000001000 ".rodata"   IMG -RWC- ERWC-
00007FF775803000 0000000000002000 ".rdata"    IMG -R--- ERWC-
00007FF775805000 0000000000001000 ".pdata"    IMG -R--- ERWC-
00007FF775806000 0000000000001000 ".xdata"    IMG -R--- ERWC-
00007FF775807000 0000000000001000 ".bss"      IMG -RWC- ERWC-
00007FF775808000 0000000000002000 ".idata"    IMG -R--- ERWC-
00007FF77580A000 0000000000094000 ".rsrc"     IMG -R--- ERWC-
00007FF77589E000 0000000000001000 ".reloc"    IMG -R--- ERWC-
```
Also please be advised this happens in the main function, so it's Wine regedit that bugs. It must unprotect the `.idata` section before overwriting that pointer.
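
The triage step described in the comment above, as an added example that is not part of the original comment or of Wine: parse the posted memory map and check whether a store to a given address is permitted by the section's current protection. The column order (base, size, name, type, current protection, initial protection), the helper names, and the sample address inside `.idata` are assumptions; the comment does not give the value of `rsi`.

```python
import re
from typing import NamedTuple, Optional

# Rows copied from the memory map in the comment above. Assumed column order:
# base, size, name, type, current protection, initial protection.
MEMORY_MAP = """\
00007FF7757F0000 0000000000001000 regedit.exe IMG -R--- ERWC-
00007FF7757F1000 0000000000010000 ".text" IMG ER--- ERWC-
00007FF775801000 0000000000001000 ".data" IMG -RW-- ERWC-
00007FF775802000 0000000000001000 ".rodata" IMG -RWC- ERWC-
00007FF775803000 0000000000002000 ".rdata" IMG -R--- ERWC-
00007FF775805000 0000000000001000 ".pdata" IMG -R--- ERWC-
00007FF775806000 0000000000001000 ".xdata" IMG -R--- ERWC-
00007FF775807000 0000000000001000 ".bss" IMG -RWC- ERWC-
00007FF775808000 0000000000002000 ".idata" IMG -R--- ERWC-
00007FF77580A000 0000000000094000 ".rsrc" IMG -R--- ERWC-
00007FF77589E000 0000000000001000 ".reloc" IMG -R--- ERWC-
"""
ROW = re.compile(r'^([0-9A-Fa-f]{16})\s+([0-9A-Fa-f]{16})\s+("[^"]*"|\S+)'
                 r'\s+(\S+)\s+([-A-Z]{5})\s+([-A-Z]{5})$')

class Region(NamedTuple):
    base: int
    size: int
    name: str
    prot: str      # current protection, e.g. "-R---"
    initial: str   # protection recorded when the region was mapped

def parse_map(text: str) -> list:
    regions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # skip blank or unrecognised lines instead of failing
            base, size, name, _type, prot, initial = m.groups()
            regions.append(Region(int(base, 16), int(size, 16), name.strip('"'), prot, initial))
    return sorted(regions)

def find_region(regions, addr: int) -> Optional[Region]:
    return next((r for r in regions if r.base <= addr < r.base + r.size), None)

def write_verdict(regions, addr: int) -> str:
    r = find_region(regions, addr)
    if r is None:
        return "unmapped"
    # A store needs W in the current protection; the initial column does not matter.
    return f"{r.name}: {'writable' if 'W' in r.prot else 'write faults'} ({r.prot})"

if __name__ == "__main__":
    # Constructed address inside .idata; the comment does not give the value of rsi.
    print(write_verdict(parse_map(MEMORY_MAP), 0x00007FF775808010))
```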