https://bugs.winehq.org/show_bug.cgi?id=38714
--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello André,
I've seen your patch on the mailing list.
https://source.winehq.org/patches/data/112108
Although the bug is about 64-bit ARM, apps targeting Windows 8.x x64 and Windows 10 x64 will require the same mechanism.
You are not free to choose any "magic" cookie value when you do the security cookie initialization in the loader.
Example application, targeting newer 64-bit Windows x64:
http://files.emeditor.com/emed64_15.1.4_portable.zip
The app crashes with your patch. Unfortunately it exits through some fast exit path, without winedbg/debugger being able to attach (bug 24038).
"init cookie" function at entry point:
--- snip ---
...
0000000140103CA0 mov [rsp+20h], rbx
0000000140103CA5 push rbp
0000000140103CA6 mov rbp, rsp
0000000140103CA9 sub rsp, 20h
0000000140103CAD mov rax, cs:qword_140135540 ; security cookie
0000000140103CB4 and qword ptr [rbp+18h], 0
0000000140103CB9 mov rbx, 2B992DDFA232h ; default init value for x64?
0000000140103CC3 cmp rax, rbx
0000000140103CC6 jnz short 140103D37 ; no? init already done by loader
0000000140103CC8 lea rcx, [rbp+18h]
0000000140103CCC call cs:GetSystemTimeAsFileTime
0000000140103CD2 mov rax, qword ptr [rbp+18h]
0000000140103CD6 mov [rbp+10h], rax
0000000140103CDA call cs:GetCurrentThreadId
0000000140103CE0 mov eax, eax
0000000140103CE2 xor [rbp+10h], rax
0000000140103CE6 call cs:GetCurrentProcessId
0000000140103CEC lea rcx, [rbp+20h]
0000000140103CF0 mov eax, eax
0000000140103CF2 xor [rbp+10h], rax
0000000140103CF6 call cs:QueryPerformanceCounter
0000000140103CFC mov eax, dword ptr [rbp+20h]
0000000140103CFF shl rax, 20h
0000000140103D03 lea rcx, [rbp+10h]
0000000140103D07 xor rax, qword ptr [rbp+20h]
0000000140103D0B xor rax, [rbp+10h]
0000000140103D0F xor rax, rcx
0000000140103D12 mov rcx, 0FFFFFFFFFFFFh ; highest word = zero!
0000000140103D1C and rax, rcx
0000000140103D1F mov rcx, 2B992DDFA233h
0000000140103D29 cmp rax, rbx
0000000140103D2C cmovz rax, rcx
0000000140103D30 mov cs:qword_140135540, rax ; newly randomized cookie
0000000140103D37 mov rbx, [rsp+48h]
0000000140103D3C not rax
0000000140103D3F mov cs:qword_140135548, rax
0000000140103D46 add rsp, 20h
0000000140103D4A pop rbp
0000000140103D4B retn
...
--- snip ---
Runtime check for proper security cookie value:
--- snip ---
00000001400FB080 cmp rcx, cs:qword_140135540 ; security cookie
00000001400FB087 jnz short 1400FB09A
00000001400FB089 rol rcx, 10h ; get highest word
00000001400FB08D test cx, 0FFFFh ; highest word == zero?
00000001400FB092 jnz short 1400FB096
00000001400FB094 rep retn ; yes, oki
00000001400FB096 ror rcx, 10h ; restore highest word
00000001400FB09A jmp 1400FAE5C ; problem -> bail!
--- snip ---
--- snip ---
.data
...
0000000140135540 qword_140135540 dq 2B992DDFA232h ; default cookie magic x64
--- snip ---
Debugger:
ECX = 0x5ec0617fc0041eb9 = your "magic" value set in loader
--- snip ---
Wine-dbg>info reg
Register dump:
 rip:00000001400fb087 rsp:000000000023f2e8 rbp:000000000023f530 eflags:00000346 ( - -- IT Z- -P- )
 rax:0000000000000001 rbx:000000000023f330 rcx:5ec0617fc0041eb9 rdx:00000000ffffffff
 rsi:0000000000000100 rdi:0000000000000001 r8:0000000000000100 r9:000000000023f950
 r10:0000000000000001 r11:000000000023f330 r12:000000000023f650 r13:0000000000000001
 r14:00000000000004e4 r15:0000000000000100
Wine-dbg>si
0x00000001400fb089: rolq $0x10,%rcx
Wine-dbg>si
0x00000001400fb08d: testw $0xffff,%cx
Wine-dbg>info reg
Register dump:
 rip:00000001400fb08d rsp:000000000023f2e8 rbp:000000000023f530 eflags:00000346 ( - -- IT Z- -P- )
 rax:0000000000000001 rbx:000000000023f330 rcx:617fc0041eb95ec0 rdx:00000000ffffffff
 rsi:0000000000000100 rdi:0000000000000001 r8:0000000000000100 r9:000000000023f950
 r10:0000000000000001 r11:000000000023f330 r12:000000000023f650 r13:0000000000000001
 r14:00000000000004e4 r15:0000000000000100
Wine-dbg>si
0x00000001400fb092: jnz 0x00000001400fb096
Wine-dbg>si
0x00000001400fb096: rorq $0x10,%rcx
<process termination>
--- snip ---
Regards
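As an added illustration (not code from the bug report, the patch or the application), the C model below reproduces the two routines shown in the listings: the entry-point cookie initialization and the runtime check that rejects any cookie whose highest 16 bits are non-zero. The function and argument names are assumptions, and the entropy inputs that the real routine obtains from GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId and QueryPerformanceCounter are passed in as plain parameters so the model runs offline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the listings above; the two globals model the
   .data slots qword_140135540 (cookie) and qword_140135548 (complement). */
#define DEFAULT_SECURITY_COOKIE UINT64_C(0x2B992DDFA232)
#define COOKIE_48BIT_MASK       UINT64_C(0x0000FFFFFFFFFFFF)

static uint64_t security_cookie = DEFAULT_SECURITY_COOKIE;
static uint64_t security_cookie_complement = ~DEFAULT_SECURITY_COOKIE;

/* Mirrors the "init cookie" routine at the entry point. loader_value is what
   the PE loader left in the cookie slot; the other arguments stand in for
   GetSystemTimeAsFileTime, thread/process id, QueryPerformanceCounter and
   the stack address (lea rcx, [rbp+10h]) that the listing mixes in. */
uint64_t init_security_cookie(uint64_t loader_value, uint64_t filetime,
                              uint32_t tid, uint32_t pid,
                              uint64_t perf_counter, uint64_t stack_addr)
{
    security_cookie = loader_value;
    if (security_cookie == DEFAULT_SECURITY_COOKIE) { /* loader did nothing */
        uint64_t c = filetime ^ tid ^ pid;
        c ^= ((uint64_t)(uint32_t)perf_counter << 32) ^ perf_counter;
        c ^= stack_addr;
        c &= COOKIE_48BIT_MASK;                /* and rax, 0FFFFFFFFFFFFh */
        if (c == DEFAULT_SECURITY_COOKIE)      /* cmp rax, rbx / cmovz */
            c = DEFAULT_SECURITY_COOKIE + 1;   /* 2B992DDFA233h */
        security_cookie = c;
    }
    security_cookie_complement = ~security_cookie;
    return security_cookie;
}

/* Mirrors the runtime check: the value must equal the global AND have a zero
   highest word (rol rcx, 10h / test cx, 0FFFFh). A loader-seeded cookie
   with non-zero top 16 bits fails here every time the check runs. */
bool security_check_cookie(uint64_t cookie)
{
    return cookie == security_cookie && (cookie >> 48) == 0;
}

int main(void)
{
    uint64_t wine_value = UINT64_C(0x5ec0617fc0041eb9); /* from the dump */
    init_security_cookie(wine_value, 0, 0, 0, 0, 0);
    printf("%#llx passes the check: %s\n", (unsigned long long)wine_value,
           security_check_cookie(wine_value) ? "yes" : "no");
    return 0;
}
```

Feeding the value from the register dump through the model reproduces the failure path; masking the loader-supplied value to 48 bits (as the CRT does for its own value) makes the check pass.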