https://bugs.winehq.org/show_bug.cgi?id=46155
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Hardware|aarch64 |x86-64 Summary|Windows PowerShell Core 6.1 |Multiple applications need |for ARM64 crashes on |KERNEL32.dll.RaiseFailFastE |unimplemented function |xception (RoyalTS v5, |KERNEL32.dll.RaiseFailFastE |Windows PowerShell Core 6.1 |xception |for ARM64) URL|https://web.archive.org//we |https://web.archive.org/web |b/20210219203340/https://gi |/20211209205844/https://dow |thub.com/PowerShell/PowerSh |nload.royalapplications.com |ell/releases/download/v6.1. |/RoyalTS/RoyalTS_5.04.60415 |1/PowerShell-6.1.1-win-arm6 |.0.zip |4.zip |
--- Comment #19 from Anastasius Focht focht@gmx.net --- Hello folks,
adding stable download link for Louis' app and refining summary. Using RoyalTS as primary test case here because it actually requires a stub.
Replacing:
https://web.archive.org/web/20210219203340/https://github.com/PowerShell/Pow...
with:
https://web.archive.org/web/20211209205844/https://download.royalapplication...
$ sha1sum RoyalTS_5.04.60415.0.zip 7786d03517b4423a26859a719bae073867f873c6 RoyalTS_5.04.60415.0.zip
$ du -sh RoyalTS_5.04.60415.0.zip 146M RoyalTS_5.04.60415.0.zip
The culprit seems to be a browser helper process based on Chromium browser by 'Essential Objects'.
There is a custom imports resolver at work. The 'RaiseFailFastException' export is required even though no error condition is present at that time.
--- snip --- $ WINEDEBUG=+pid,+seh,+process,+relay wine ./RoyalTS.exe >>log.txt 2>&1 ... 0198:0298:trace:process:CreateProcessInternalW app L"C:\users\focht\Temp\Royal TS V5\Plugins\f008c2f0-5fb3-4c5e-a8eb-8072c1183088\RoyalTS_Chromium_WP.exe" cmdline L""C:\users\focht\Temp\Royal TS V5\Plugins\f008c2f0-5fb3-4c5e-a8eb-8072c1183088\RoyalTS_Chromium_WP.exe" --enable-speech-input --enable-media-stream --no-sandbox --eo_init_data=eo.ipc.temp.21.0.85.0.408.1.5" ... 0198:0298:trace:process:CreateProcessInternalW started process pid 02b8 tid 02bc ... 0198:0298:Ret KERNEL32.CreateProcessW() retval=00000001 ret=2c727ce7 ... 02b8:02bc:Call ntdll.strlen(004dfc68 "After CodeModule::Init") ret=7b021e30 ... 02b8:02bc:Call ntdll.strlen(004e7978 "CodeModule::LoadLibrary: swiftshader/libEGL.dll succeeded.") ret=7b021e30 ... 02b8:02bc:Call ntdll.strlen(004e7978 "CodeModule::LoadMemoryModule. dllName = C:\users\focht\Temp\libcef.dll") ret=7b021e30 ... 02b8:02bc:Call ntdll.strlen(004e7978 "Try fix import table for KERNEL32.dll") ret=7b021e30 ... 02b8:02bc:Call ntdll.strlen(004e7978 "PEFile::FixupIAT resolves IAT for module KERNEL32.dll") ret=7b021e30 ... 02b8:02bc:Call KERNEL32.GetProcAddress(7b600000,165e4b38 "RaiseException") ret=02a13615 ... 02b8:02bc:Ret KERNEL32.GetProcAddress() retval=7b607ff0 ret=02a13615 ... 02b8:02bc:Call KERNEL32.GetProcAddress(7b600000,165e4b4a "RaiseFailFastException") ret=02a13615 ... 02b8:02bc:Ret KERNEL32.GetProcAddress() retval=00000000 ret=02a13615 ... 02b8:02bc:Call user32.MessageBoxA(00000000,0032e43c "Failed to resolve function RaiseFailFastException in KERNEL32.dll",02a20928 "Error",00000000) ret=02a1716c --- snip ---
ProtectionID scan:
--- snip --- -=[ ProtectionID v0.6.9.0 DECEMBER]=- (c) 2003-2017 CDKiLLER & TippeX Build 24/12/17-21:05:42 Ready... Scanning -> Z:\home\focht\Downloads\rts\RoyalTS.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 23106208 (016092A0h) Byte(s) | Machine: 0x14C (I386) Compilation TimeStamp : 0x6077D831 -> Thu 15th Apr 2021 06:07:45 (GMT) [TimeStamp] 0x6077D831 -> Thu 15th Apr 2021 06:07:45 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x00400088 | - [TimeStamp] 0x6077D831 -> Thu 15th Apr 2021 06:07:45 (GMT) | DebugDirectory | - | Offset: 0x01139A5C | VA: 0x0153B85C | - -> File Appears to be Digitally Signed @ Offset 01604400h, size : 04EA0h / 020128 byte(s) [LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0 [LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848) [LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008) [LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C [LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360 [LoadConfig] UnknownZero1 0x8000011 [File Heuristics] -> Flag #1 : 00000100000001001101000000110100 (0x0404D034) [Entrypoint Section Entropy] : 6.25 (section #0) ".text " | Size : 0x15383A0 (22250400) byte(s) [DllCharacteristics] -> Flag : (0x8560) -> HEVA | ASLR | DEP | NOSEH | TSA [SectionCount] 3 (0x3) | ImageSize 0x160A000 (23109632) byte(s) [VersionInfo] Company Name : Royal Apps GmbH [VersionInfo] Product Name : Royal TS V5 [VersionInfo] Product Version : 5.4.60415 [VersionInfo] File Description : Royal TS V5 [VersionInfo] File Version : 5.4.60415.0 [VersionInfo] Original FileName : RoyalTS.exe [VersionInfo] Internal Name : RoyalTS.exe [VersionInfo] Legal Copyrights : Copyright © 2021. Royal Apps GmbH. Austria [ModuleReport] [IAT] Modules -> mscoree.dll [Debug Info] (record 1 of 1) (file offset 0x1139A58) Characteristics : 0x0 | TimeDateStamp : 0x6077D831 (Thu 15th Apr 2021 06:07:45 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 2 (0x2) -> CodeView | Size : 0x67 (103) AddressOfRawData : 0x113B874 | PointerToRawData : 0x1139A74 CvSig : 0x53445352 | SigGuid A10F330B-642E-402B-9DF8993FA514F060 Age : 0x1 (1) | Pdb : C:\agent_work\r1\a_Royal TS V5\drop\Working\ObfuscatedAssemblies\RoyalTS.pdb [Raw/Hidden Debug Record] (File Offset 0x5A78F4) CvSig : 0x53445352 | SigGuid 95BA2397-0344-47BD-92D4B96DF61C1496 Age : 0x1 (1) | Pdb : C:\projects\easyhook\Build\netfx4-Release\x86\EasyHook32.pdb [.] .net @ FileOffset 0x1139ADC | MetaData->Version 1.1 (struct version) -> v4.0.30319 (net version required) [.] Flags : 0x0 | Streams : 0x5 (5) -> #~ | #Strings | #GUID | #Blob | #US [COR20] MajorRuntimeVersion 0x2 (2) | MinorRuntimeVersion 0x2 (2) -> 0x2.2 (2.2) [COR20] Flags 0x1 [COR20 Flags] [x] IL_ONLY [ ] 32BITREQUIRED [ ] IL_LIBRARY [COR20 Flags] [ ] STRONGNAME [ ] NATIVE_EP [ ] TRACKDEBUGDATA [COR20 Flags] [ ] 32BITPREFERRED | 0x0 UNKNOWN [COR20 Flags] Assembly is NOT strong name signed [!] Crypto Obfuscator for .NET v5.x detected ! [CdKeySerial] found "License key" @ VA: 0x0057E2CC / Offset: 0x0057C4CC [CdKeySerial] found "License key" @ VA: 0x0057E45B / Offset: 0x0057C65B [CdKeySerial] found "Evaluation period" @ VA: 0x0057E6BA / Offset: 0x0057C8BA [CdKeySerial] found "License key" @ VA: 0x0057E71A / Offset: 0x0057C91A [CdKeySerial] found "License key" @ VA: 0x0057E741 / Offset: 0x0057C941 [CdKeySerial] found "License key" @ VA: 0x0057E83D / Offset: 0x0057CA3D [CdKeySerial] found "License key" @ VA: 0x0057E8BC / Offset: 0x0057CABC [CdKeySerial] found "License key" @ VA: 0x0057E8E3 / Offset: 0x0057CAE3 [CdKeySerial] found "License key" @ VA: 0x0057E9FB / Offset: 0x0057CBFB [CdKeySerial] found "SerialNumber" @ VA: 0x015269A5 / Offset: 0x01524BA5 - Scan Took : 4.584 Second(s) [000001140h (4416) tick(s)] [506 of 580 scan(s) done] --- snip ---
--- snip --- -=[ ProtectionID v0.6.9.0 DECEMBER]=- (c) 2003-2017 CDKiLLER & TippeX Build 24/12/17-21:05:42 Ready... Scanning -> C:\users\focht\Temp\Royal TS V5\Plugins\f008c2f0-5fb3-4c5e-a8eb-8072c1183088\RoyalTS_Chromium_WP.exe File Type : 32-Bit Exe (Subsystem : Win CUI / 3), Size : 610240 (094FC0h) Byte(s) | Machine: 0x14C (I386) Compilation TimeStamp : 0x6071FED3 -> Sat 10th Apr 2021 19:38:59 (GMT) [TimeStamp] 0x6071FED3 -> Sat 10th Apr 2021 19:38:59 (GMT) | PE Header | - | Offset: 0x00000118 | VA: 0x00400118 | - [TimeStamp] 0x6071FED3 -> Sat 10th Apr 2021 19:38:59 (GMT) | DebugDirectory | - | Offset: 0x00035450 | VA: 0x00436E50 | - [TimeStamp] 0x6071FED3 -> Sat 10th Apr 2021 19:38:59 (GMT) | DebugDirectory | - | Offset: 0x0003546C | VA: 0x00436E6C | - [TimeStamp] 0x6071FED3 -> Sat 10th Apr 2021 19:38:59 (GMT) | DebugDirectory | - | Offset: 0x00035488 | VA: 0x00436E88 | - [TimeStamp] 0x6071FED3 -> Sat 10th Apr 2021 19:38:59 (GMT) | DebugDirectory | - | Offset: 0x000354A4 | VA: 0x00436EA4 | - -> File Appears to be Digitally Signed @ Offset 093400h, size : 01BC0h / 07104 byte(s) [LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64) [!] Executable uses SEH Tables (/SAFESEH) (23 calculated 4 recorded... 18 invalid addresses) [!] * table may be compressed / encrypted * [LoadConfig] CodeIntegrity -> Flags 0x0 | Catalog 0x0 (0) | Catalog Offset 0x0 | Reserved 0x0 [LoadConfig] GuardAddressTakenIatEntryTable 0x0 | Count 0x0 (0) [LoadConfig] GuardLongJumpTargetTable 0x0 | Count 0x0 (0) [LoadConfig] HybridMetadataPointer 0x0 | DynamicValueRelocTable 0x0 [LoadConfig] FailFastIndirectProc 0x0 | FailFastPointer 0x0 [LoadConfig] UnknownZero1 0x0 [File Heuristics] -> Flag #1 : 00000100000001001100000000000100 (0x0404C004) [Entrypoint Section Entropy] : 6.31 (section #0) ".text " | Size : 0x2C1F3 (180723) byte(s) [DllCharacteristics] -> Flag : (0x8000) -> TSA [SectionCount] 4 (0x4) | ImageSize 0x97000 (618496) byte(s) [VersionInfo] Company Name : Essential Objects. Inc. [VersionInfo] Product Name : EO.Total [VersionInfo] Product Version : 21.0.85.0 [VersionInfo] File Description : Essential Objects Worker Process [VersionInfo] File Version : 21.0.85.0 [VersionInfo] Original FileName : eowp.exe [VersionInfo] Internal Name : eowp.exe [VersionInfo] Legal Copyrights : Copyright (C) 2016 [ModuleReport] [IAT] Modules -> PSAPI.DLL | KERNEL32.dll | USER32.dll [Debug Info] (record 1 of 4) (file offset 0x3544C) Characteristics : 0x0 | TimeDateStamp : 0x6071FED3 (Sat 10th Apr 2021 19:38:59 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 2 (0x2) -> CodeView | Size : 0x4C (76) AddressOfRawData : 0x36F90 | PointerToRawData : 0x35590 CvSig : 0x53445352 | SigGuid 62848200-1F7D-4E91-87BF2FFC415F7374 Age : 0x1 (1) | Pdb : C:\Development\EO\Products\All\out\Release\eowp.pdb [Debug Info] (record 2 of 4) (file offset 0x35468) Characteristics : 0x0 | TimeDateStamp : 0x6071FED3 (Sat 10th Apr 2021 19:38:59 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 12 (0xC) -> Undocumented | Size : 0x14 (20) AddressOfRawData : 0x36FDC | PointerToRawData : 0x355DC [Debug Info] (record 3 of 4) (file offset 0x35484) Characteristics : 0x0 | TimeDateStamp : 0x6071FED3 (Sat 10th Apr 2021 19:38:59 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 13 (0xD) -> Undocumented | Size : 0x290 (656) AddressOfRawData : 0x36FF0 | PointerToRawData : 0x355F0 [Debug Info] (record 4 of 4) (file offset 0x354A0) Characteristics : 0x0 | TimeDateStamp : 0x6071FED3 (Sat 10th Apr 2021 19:38:59 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 14 (0xE) -> Undocumented | Size : 0x0 (0) AddressOfRawData : 0x0 | PointerToRawData : 0x0 [Raw/Hidden Debug Record] (File Offset 0x8D704) CvSig : 0x53445352 | SigGuid D6016D2F-4805-4F61-A0EE7B755B507544 Age : 0x1 (1) | Pdb : C:\Development\EO\OpenSource\zlib-1.2.11\contrib\vstudio\vc14\x86\ZlibDllReleaseWithoutAsm\zlibwapi.pdb [CdKeySerial] found "Invalid code" @ VA: 0x0008ECC8 / Offset: 0x0008D0C8 [CdKeySerial] found "Invalid code" @ VA: 0x0008ED00 / Offset: 0x0008D100 [!] File appears to have no protection or is using an unknown protection - Scan Took : 0.530 Second(s) [000000212h (530) tick(s)] [506 of 580 scan(s) done] --- snip ---
$ wine --version wine-6.23-79-g316a358b0f7
Regards