http://bugs.winehq.org/show_bug.cgi?id=28254
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |http://www.rmcproject.com/support/PMP/v7/download-demo.aspx
                 CC|                            |focht@gmx.net
            Summary|Problem with activation     |PM FASTrack for the PMP
                   |program pm_fastrack-pmp.exe |Exam Version 7 CrypKey
                   |                            |device driver crashes
                   |                            |during load/relocation
                   |                            |(relocation entry crosses
                   |                            |page boundary)

--- Comment #4 from Anastasius Focht focht@gmx.net 2012-01-31 16:08:07 CST ---

Hello,
there are at least two problems here.
One is the main application and one is the crashing device driver.
I debugged the main application and found "madCodeHook" signatures/code. Basically that code reads Wine core dlls (placeholders) into memory and verifies them against the already loaded in-memory images (PE structures).

--- snip ---
...
0045:Call KERNEL32.CreateFileW(00175b68 L"C:\windows\system32\KERNEL32.dll",80000000,00000001,00000000,00000003,00000000,00000000) ret=003dfa8a
0045:Ret KERNEL32.CreateFileW() retval=000000bc ret=003dfa8a
...
0045:Call KERNEL32.CreateFileMappingW(000000bc,00000000,00000002,00000000,00000000,00000000) ret=003dfae6
0045:Ret KERNEL32.CreateFileMappingW() retval=000000c0 ret=003dfae6
0045:Call KERNEL32.MapViewOfFile(000000c0,00000004,00000000,00000000,00000000) ret=003dfb0e
0045:Ret KERNEL32.MapViewOfFile() retval=03000000 ret=003dfb0e
0045:Call KERNEL32.CloseHandle(000000c0) ret=003dfb16
0045:Ret KERNEL32.CloseHandle() retval=00000001 ret=003dfb16
0045:Call KERNEL32.CloseHandle(000000bc) ret=003dfb1c
0045:Ret KERNEL32.CloseHandle() retval=00000001 ret=003dfb1c
...
0045:trace:seh:raise_exception code=c0000005 flags=0 addr=0x3dfc5a ip=003dfc5a tid=0045
0045:trace:seh:raise_exception info[0]=00000000
0045:trace:seh:raise_exception info[1]=03099994
0045:trace:seh:raise_exception eax=03099978 ebx=7b810000 ecx=00000001 edx=00099978 esi=7b810040 edi=03000000
0045:trace:seh:raise_exception ebp=03099978 esp=0032f520 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0045:trace:seh:call_stack_handlers calling handler at 0x3eb605 code=c0000005 flags=0
0045:trace:seh:call_stack_handlers handler at 0x3eb605 returned 1
0045:trace:seh:call_stack_handlers calling handler at 0x3c3db8 code=c0000005 flags=0
0045:Call KERNEL32.UnhandledExceptionFilter(0032f014) ret=003c3ddc
wine: Unhandled page fault on read access to 0x03099994 at address 0x0000:0x003dfc5a (thread 0045), starting debugger...
...
--- snip ---
This obviously can't work due to the nature of Wine core dlls -> bug 15437
The driver crash can be fixed, so I am making this bug about that. It won't help much in the end, though.
--- snip ---
002d:trace:winedevice:ServiceMain starting service L"NetworkX"
...
002d:trace:winedevice:load_driver loading driver L"C:\windows\System32\ckldrv.sys"
002d:Call KERNEL32.LoadLibraryW(0011aaa0 L"C:\windows\System32\ckldrv.sys") ret=7effc926
...
002d:trace:module:map_image mapped PE file at 0x540000-0x54a000
002d:trace:module:map_image mapping section .text at 0x541000 off 400 size 3200 virt 3004 flags 68000020
002d:trace:module:map_image clearing 0x544200 - 0x545000
002d:trace:module:map_image mapping section .rdata at 0x545000 off 3600 size 200 virt 12d flags 48000040
002d:trace:module:map_image clearing 0x545200 - 0x546000
002d:trace:module:map_image mapping section .data at 0x546000 off 3800 size 200 virt 1150 flags c8000040
002d:trace:module:map_image clearing 0x546200 - 0x547000
002d:trace:module:map_image mapping section INIT at 0x548000 off 3a00 size 800 virt 758 flags e2000020
002d:trace:module:map_image clearing 0x548800 - 0x549000
002d:trace:module:map_image mapping section .reloc at 0x549000 off 4200 size 400 virt 37c flags 42000040
002d:trace:module:map_image clearing 0x549400 - 0x54a000
...
002d:Ret KERNEL32.LoadLibraryW() retval=00540000 ret=7effc926
...
002d:Call ntdll.RtlImageNtHeader(00540000) ret=7effc947
002d:Ret ntdll.RtlImageNtHeader() retval=005400d0 ret=7effc947
002d:Call ntdll.RtlImageDirectoryEntryToData(00540000,00000001,00000005,0053e638) ret=7effc9b1
002d:Ret ntdll.RtlImageDirectoryEntryToData() retval=00549000 ret=7effc9b1
002d:trace:winedevice:load_driver_module L"C:\windows\System32\ckldrv.sys": relocating from 0x10000 to 0x540000
002d:Call KERNEL32.VirtualProtect(00541000,00001000,00000040,0053e634) ret=7effca68
002d:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x541000 00001000 00000040
002d:trace:virtual:VIRTUAL_SetProt 0x541000-0x541fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView View: 0x540000 - 0x549fff 0x44
002d:trace:virtual:VIRTUAL_DumpView 0x540000 - 0x540fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x541000 - 0x541fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView 0x542000 - 0x544fff c-r-x
002d:trace:virtual:VIRTUAL_DumpView 0x545000 - 0x545fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x546000 - 0x547fff c-rW-
002d:trace:virtual:VIRTUAL_DumpView 0x548000 - 0x548fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView 0x549000 - 0x549fff c-r--
002d:Ret KERNEL32.VirtualProtect() retval=00000001 ret=7effca68
002d:Call ntdll.LdrProcessRelocationBlock(00541000,00000096,00549008,00530000) ret=7effca98
002d:Ret ntdll.LdrProcessRelocationBlock() retval=00549134 ret=7effca98
002d:Call KERNEL32.VirtualProtect(00541000,00001000,00000020,00000000) ret=7effcac7
002d:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x541000 00001000 00000020
002d:trace:virtual:VIRTUAL_SetProt 0x541000-0x541fff c-r-x
002d:trace:virtual:VIRTUAL_DumpView View: 0x540000 - 0x549fff 0x44
002d:trace:virtual:VIRTUAL_DumpView 0x540000 - 0x540fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x541000 - 0x544fff c-r-x
002d:trace:virtual:VIRTUAL_DumpView 0x545000 - 0x545fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x546000 - 0x547fff c-rW-
002d:trace:virtual:VIRTUAL_DumpView 0x548000 - 0x548fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView 0x549000 - 0x549fff c-r--
002d:Ret KERNEL32.VirtualProtect() retval=00000001 ret=7effcac7
002d:Call KERNEL32.VirtualProtect(00542000,00001000,00000040,0053e634) ret=7effca68
002d:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x542000 00001000 00000040
002d:trace:virtual:VIRTUAL_SetProt 0x542000-0x542fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView View: 0x540000 - 0x549fff 0x44
002d:trace:virtual:VIRTUAL_DumpView 0x540000 - 0x540fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x541000 - 0x541fff c-r-x
002d:trace:virtual:VIRTUAL_DumpView 0x542000 - 0x542fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView 0x543000 - 0x544fff c-r-x
002d:trace:virtual:VIRTUAL_DumpView 0x545000 - 0x545fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x546000 - 0x547fff c-rW-
002d:trace:virtual:VIRTUAL_DumpView 0x548000 - 0x548fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView 0x549000 - 0x549fff c-r--
002d:Ret KERNEL32.VirtualProtect() retval=00000001 ret=7effca68
002d:Call ntdll.LdrProcessRelocationBlock(00542000,0000009c,0054913c,00530000) ret=7effca98
002d:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc51367 ip=7bc51367 tid=002d
002d:trace:seh:raise_exception info[0]=00000001
002d:trace:seh:raise_exception info[1]=00543000
002d:trace:seh:raise_exception eax=00542ffd ebx=7bcc0204 ecx=00000000 edx=00543158 esi=0053e5e0 edi=0053e560
002d:trace:seh:raise_exception ebp=0053e548 esp=0053e510 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
002d:trace:seh:call_vectored_handlers calling handler at 0x7ed13486 code=c0000005 flags=0
--- snip ---
The problem is the second relocation block of the device driver PE binary:
--- snip ---
...
2. Relocation Block:
VirtualAddress: 0x00002000 (".text")
SizeOfBlock: 0x00000140 (0x009C block entries)

RVA        Type
---------- -----------------
0x0000201A HIGHLOW
0x0000201F HIGHLOW
0x00002031 HIGHLOW
0x0000203D HIGHLOW
...
0x00002FF3 HIGHLOW
0x00002FFD HIGHLOW
--- snip ---

The last entry of block 2 (RVA 0x2ffd) crosses the page boundary, triggering a write fault.
Source: http://source.winehq.org/git/wine.git/blob/6840a9273c92875c551e669b00d48c294...
--- snip ---
/* load the driver module file */
static HMODULE load_driver_module( const WCHAR *name )
{
...
    if ((rel = RtlImageDirectoryEntryToData( module, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &size )))
    {
        WINE_TRACE( "%s: relocating from %p to %p\n",
                    wine_dbgstr_w(name), (char *)module - delta, module );
        end = (IMAGE_BASE_RELOCATION *)((char *)rel + size);
        while (rel < end && rel->SizeOfBlock)
        {
            void *page = (char *)module + rel->VirtualAddress;
            VirtualProtect( page, page_size, PAGE_EXECUTE_READWRITE, &old );
            rel = LdrProcessRelocationBlock( page, (rel->SizeOfBlock - sizeof(*rel)) / sizeof(USHORT),
                                             (USHORT *)(rel + 1), delta );
            if (old != PAGE_EXECUTE_READWRITE) VirtualProtect( page, page_size, old, NULL );
            if (!rel) goto error;
        }
        /* make sure we don't try again */
        size = FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + nt->FileHeader.SizeOfOptionalHeader;
        VirtualProtect( nt, size, PAGE_READWRITE, &old );
        nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = 0;
        VirtualProtect( nt, size, old, NULL );
    }
--- snip ---

$ sha1sum pm_fastrack-pmp_setup.exe
6dcc7720df9ef9b440722373addf7fd7d8de15af pm_fastrack-pmp_setup.exe

$ wine --version
wine-1.4-rc1-57-g6847e88
Regards
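
The page-boundary condition from the comment above, worked through as an added example (not Wine's code and not part of the original comment): it computes how many bytes, counted from the start of a relocation block's page, the fixups actually write, which is what has to be compared with the `page_size` passed to `VirtualProtect` in the quoted loop. The names `fixup_width`, `reloc_write_span` and `block2` are hypothetical; the sample entries are the ones visible in the listing for block 2, and the base address is the one from the trace.

```c
#include <stdint.h>
#include <stdio.h>

/* Base relocation types from the PE format (subset). */
#define REL_ABSOLUTE 0   /* padding entry, nothing is written */
#define REL_HIGH     1
#define REL_LOW      2
#define REL_HIGHLOW  3
#define REL_DIR64    10

/* Bytes patched by one fixup of the given type (0 = none/unknown). */
static unsigned fixup_width(unsigned type)
{
    switch (type) {
    case REL_HIGH: case REL_LOW: return 2;
    case REL_HIGHLOW:            return 4;
    case REL_DIR64:              return 8;
    default:                     return 0;
    }
}

/* Number of bytes, counted from the start of the block's page, that must be
 * writable while the block is processed: max(offset + width) over entries.
 * Each entry is (type << 12) | offset-within-page. */
static uint32_t reloc_write_span(const uint16_t *entries, unsigned count)
{
    uint32_t span = 0;
    for (unsigned i = 0; i < count; i++) {
        unsigned width = fixup_width(entries[i] >> 12);
        uint32_t end = (entries[i] & 0x0fffu) + width;
        if (width && end > span) span = end;
    }
    return span;
}

/* Constructed sample: the entries visible in the listing for block 2
 * (VirtualAddress 0x2000), all HIGHLOW; the elided middle is left out. */
static const uint16_t block2[] = {
    0x301A, 0x301F, 0x3031, 0x303D, 0x3FF3, 0x3FFD
};

int main(void)
{
    const uint32_t page_size = 0x1000, base = 0x540000, va = 0x2000;
    uint32_t span = reloc_write_span(block2, 6);
    printf("write span 0x%x, page size 0x%x\n", (unsigned)span, (unsigned)page_size);
    if (span > page_size)   /* last fixup spills into the next page */
        printf("first byte outside the unprotected page: 0x%08x\n",
               (unsigned)(base + va + page_size));
    return 0;
}
```

For the sample the span is 0x1001, one byte more than the page, and the first byte outside the unprotected page is 0x00543000, the fault address reported in `info[1]` of the trace.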