https://bugs.winehq.org/show_bug.cgi?id=48988
Bug ID: 48988
Summary: Riot Vanguard (Riot Games) 'vgk.sys' needs KSHARED_USER_DATA access instruction emulation for 'CMP r/m16/32/64, r16/32/64'
Product: Wine
Version: 5.6
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as it says. Wine's instruction emulation for KSHARED_USER_DATA handles most of the 'MOV' (copy) instruction flavours but no 'CMP r/m16/32/64, r16/32/64' cases.
--- snip ---
...
002f:Call ntdll.NtFlushBuffersFile(00000044,00d4f2e0) ret=7bca1f9f
002f: flush( async={handle=0044,event=0000,iosb=00d4f2e0,user=00728c00,apc=00000000,apc_context=00000000} )
002f: flush() = 0 { event=0048 }
002f: select( flags=2, cookie=00d4e5cc, timeout=infinite, size=8, prev_apc=0000, result={}, data={WAIT_ALL,handles={0048}}, context={} )
002f: select() = 0 { call={APC_NONE}, apc_handle=0000, context={} }
002f:Ret ntdll.NtFlushBuffersFile() retval=00000000 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ZwFlushBuffersFile() retval=00000000 ret=0115f5ac
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0bc0,656e6f4e) ret=0115fd31
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0BC0
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0bc0) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=0115fd31
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0b40,656e6f4e) ret=00e73ad4
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0B40
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0b40) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
002f:Call ntoskrnl.exe.ExFreePoolWithTag(008a0330,656e6f4e) ret=00e73ad4
002f:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0330
002f:Call KERNEL32.HeapFree(008a0000,00000000,008a0330) ret=7bca1f9f
002f:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca1f9f
002f:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x115cbbd ip=115cbbd tid=002f
002f:trace:seh:raise_exception info[0]=0000000000000000
002f:trace:seh:raise_exception info[1]=fffff7800000026c
002f:trace:seh:raise_exception rax=0000000001000001 rbx=0000000000728bb8 rcx=0000000000000000 rdx=0000000000000048
002f:trace:seh:raise_exception rsi=0000000000d4f7bc rdi=0000000000728bb8 rbp=0000000000727788 rsp=0000000000d4f6a0
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000d4ec12 r10=0000000000000000 r11=0000000000000000
002f:trace:seh:raise_exception r12=0000000000728a50 r13=00007fffffea4000 r14=0000000000728bb8 r15=0000000000000000
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9c0 code=c0000005 flags=0
002f:Call KERNEL32.GetTickCount64() ret=18000bccc
002f:Ret KERNEL32.GetTickCount64() retval=01920417 ret=18000bccc
002f:Call msvcrt.memcpy(00d4f108,7ffe026c,00000004) ret=18000bcf8
002f:Ret msvcrt.memcpy() retval=00d4f108 ret=18000bcf8
002f:trace:seh:call_vectored_handlers handler at 0x18000b9c0 returned ffffffff
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x115cbff ip=115cbff tid=002f
002f:trace:seh:raise_exception info[0]=0000000000000000
002f:trace:seh:raise_exception info[1]=fffff78000000270
002f:trace:seh:raise_exception rax=0000000000000001 rbx=0000000000728bb8 rcx=0000000000000006 rdx=fffff78000000270
002f:trace:seh:raise_exception rsi=0000000000d4f7bc rdi=0000000000728bb8 rbp=0000000000727788 rsp=0000000000d4f6a0
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000d4ec12 r10=0000000000000000 r11=0000000000000000
002f:trace:seh:raise_exception r12=0000000000728a50 r13=00007fffffea4000 r14=0000000000728bb8 r15=0000000000000000
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9c0 code=c0000005 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9c0 returned 0
--- snip ---
The driver code is obfuscated but that doesn't prevent analysis/debugging ;-)
Relevant part of driver disassembly:
--- snip ---
...
01402ECBAF | 8D82 5A4A900F          | lea eax,qword ptr ds:[rdx+F904A5A]
01402ECBB5 | C0ED D2                | shr ch,D2
01402ECBB8 | ED                     | in eax,dx
01402ECBB9 | 44:0FABF0              | bts eax,r14d
01402ECBBD | A1 6C02000080F7FFFF    | mov eax,dword ptr ds:[FFFFF7800000026C]
01402ECBC6 | 40:22CF                | and cl,dil
01402ECBC9 | 66:D3F9                | sar cx,cl
01402ECBCC | 8BC8                   | mov ecx,eax
01402ECBCE | 66:C1E0 26             | shl ax,26
01402ECBD2 | 66:0FC1C0              | xadd ax,ax
01402ECBD6 | B8 01000000            | mov eax,1
01402ECBDB | 45:84D2                | test r10b,r10b
01402ECBDE | 66:81FF 905B           | cmp di,5B90
01402ECBE3 | 83F9 06                | cmp ecx,6
01402ECBE6 | E9 00000000            | jmp vgk.1402ECBEB
01402ECBEB | 0F82 1B000000          | jb vgk.1402ECC0C
01402ECBF1 | 48:BA 7002000080F7FFFF | mov rdx,FFFFF78000000270
01402ECBFB | 80FB 2E                | cmp bl,2E
01402ECBFE | F5                     | cmc
01402ECBFF | 3902                   | cmp dword ptr ds:[rdx],eax ; problem
01402ECC01 | E9 00000000            | jmp vgk.1402ECC06
01402ECC06 | 0F83 17000000          | jae vgk.1402ECC23
01402ECC0C | 83F9 0A                | cmp ecx,A
01402ECC0F | E9 00000000            | jmp vgk.1402ECC14
01402ECC14 | 0F83 09000000          | jae vgk.1402ECC23
01402ECC1A | 2AC0                   | sub al,al
01402ECC1C | 45:3AE3                | cmp r12b,r11b
01402ECC1F | 41:80F9 65             | cmp r9b,65
01402ECC23 | 48:83C4 28             | add rsp,28
01402ECC27 | E9 00000000            | jmp vgk.1402ECC2C
01402ECC2C | C3                     | ret
...
--- snip ---
'cmp dword ptr ds:[rdx],eax' -> 0x39,0x02
The driver checks the 'KSHARED_USER_DATA' 'NtMajorVersion' and 'NtMinorVersion' fields to see if the OS is supported.
(http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_share...)
In case it encounters something below 'Windows 7', the driver entry point will return code 0xC000A004 which translates to 'STATUS_INVALID_KERNEL_INFO_VERSION'.
Wine source:
https://source.winehq.org/git/wine.git/blob/f31a29b8d1ea478af28f14cdaf3db151...
$ sha1sum setup.exe
08deca4c0b46a3481e706926c0217d1c944d22a3  setup.exe

$ du -sh setup.exe
15M setup.exe

$ wine --version
wine-5.6-258-gf31a29b8d1
Regards
Anastasius Focht focht@gmx.net changed:
What       |Removed |Added
----------------------------------------------------------------------------
Keywords   |        |download, obfuscation
URL        |        |https://riot-client.secure.dyn.riotcdn.net/channels/public/rccontent/vanguard/0.3.2.2/setup.exe
Anastasius Focht focht@gmx.net changed:
What       |Removed                                                                                           |Added
----------------------------------------------------------------------------
URL        |https://riot-client.secure.dyn.riotcdn.net/channels/public/rccontent/vanguard/0.3.2.2/setup.exe  |https://web.archive.org/web/20200421165713/https://riot-client.secure.dyn.riotcdn.net/channels/public/rccontent/vanguard/0.3.2.2/setup.exe
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, still present. Also encountered with Vanguard v1.0.x.x versions.
https://web.archive.org/web/20211026070447/https://riot-client.secure.dyn.ri...
v1.0.x.x needs bug 51939 to be worked around to come to this place.
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+module,+imports wine net start vgk >>log.txt 2>&1
...
0118:trace:seh:dispatch_exception code=c0000005 flags=0 addr=00000000012F45B8 ip=00000000012F45B8 tid=0118
0118:warn:seh:dispatch_exception EXCEPTION_ACCESS_VIOLATION exception (code=c0000005) raised
0118:trace:seh:dispatch_exception rax=0000000000000001 rbx=0000000000173aa8 rcx=0000000000000006 rdx=fffff78000000270
0118:trace:seh:dispatch_exception rsi=0000000000173810 rdi=0000000000173aa8 rbp=0000000000c6f8b0 rsp=0000000000c6f760
0118:trace:seh:dispatch_exception r8=0000000000000000 r9=0000000000000040 r10=00007f3d604ff6a0 r11=0000000000000000
0118:trace:seh:dispatch_exception r12=0000000000173940 r13=0000000000173aa8 r14=0000000067fd0000 r15=0000000000000000
0118:trace:seh:call_vectored_handlers calling handler at 00000000003ED430 code=c0000005 flags=0
0118:trace:seh:call_vectored_handlers handler at 00000000003ED430 returned 0
0118:trace:seh:call_stack_handlers found wine frame 0000000000C6FE80 rsp 0000000000C6FFE0 handler 000000007BC61270
0118:trace:seh:call_teb_handler calling TEB handler 000000007BC61270 (rec=0000000000C6F560, frame=0000000000C6FE80 context=0000000000C6EB50, dispatch=0000000000C6EA28)
0118:Call ntdll.NtCreateEvent(00c6e6d0,001f0003,00c6e7b0,00000000,00c6e600) ret=7b013093
0118:Ret ntdll.NtCreateEvent() retval=00000000 ret=7b013093
0118:Call ntdll.RtlInitUnicodeString(00c6e6e0,7b070a96 L"\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug") ret=7b01311a
0118:Ret ntdll.RtlInitUnicodeString() retval=0000008e ret=7b01311a
...
--- snip ---

--- snip ---
...
012F4577 | A1 6C02000080F7FFFF    | mov eax,dword ptr ds:[FFFFF7800000026C]
012F4580 | E9 09000000            | jmp vgk.12F458E
012F4585 | 6641:0F43CF            | cmovae cx,r15w
012F458A | 48:0FB7CC              | movzx rcx,sp
012F458E | 8BC8                   | mov ecx,eax
012F4590 | D3D8                   | rcr eax,cl
012F4592 | D3D0                   | rcl eax,cl
012F4594 | D3F0                   | shl eax,cl
012F4596 | B8 01000000            | mov eax,1
012F459B | 83F9 06                | cmp ecx,6
012F459E | E9 00000000            | jmp vgk.12F45A3
012F45A3 | 0F82 1C000000          | jb vgk.12F45C5
012F45A9 | 48:BA 7002000080F7FFFF | mov rdx,FFFFF78000000270
012F45B3 | 66:F7C6 9468           | test si,6894
012F45B8 | 3902                   | cmp dword ptr ds:[rdx],eax ; *boom*
012F45BA | E9 00000000            | jmp vgk.12F45BF
012F45BF | 0F83 13000000          | jae vgk.12F45D8
012F45C5 | 83F9 0A                | cmp ecx,A
012F45C8 | E9 00000000            | jmp vgk.12F45CD
012F45CD | 0F83 05000000          | jae vgk.12F45D8
...
--- snip ---
$ sha1sum setup.exe
b8ff7192073b701557354f75e9232e8e237e5814  setup.exe

$ du -sh setup.exe
17M setup.exe

$ wine --version
wine-6.20-159-g80a30625a70
Regards
Tareque Md Hanif tarequemd.hanif@yahoo.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |tarequemd.hanif@yahoo.com
Ker noa blue-t@web.de changed:
What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |blue-t@web.de
etaash.mathamsetty@gmail.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |etaash.mathamsetty@gmail.com
--- Comment #2 from etaash.mathamsetty@gmail.com ---
I am no expert on assembly, but 'mov rdx,FFFFF78000000270': where does address FFFFF78000000270 point to? I'm stumped on this (and btw it still does not work in wine 7.9)
--- Comment #3 from etaash.mathamsetty@gmail.com ---
oh I get it now, FFFFF78000000270 points to NT version minor right?
--- Comment #4 from etaash.mathamsetty@gmail.com ---
Let me try this on a windows system
--- Comment #5 from etaash.mathamsetty@gmail.com ---
after lots and lots of digging, the real reason it is crashing: vgk.sys is looking for the data at 0xFFFFF78000000000, but the only place that KSHARED_USER_DATA is stored is 0x7ffe0000
--- Comment #6 from Etaash Mathamsetty etaash.mathamsetty@gmail.com ---
ok so after doing a bunch of work, it is an instruction emulation issue lmao, I spent all that time thinking "wine doesn't emulate instructions", but it does lol
Zeb Figura z.figura12@gmail.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |z.figura12@gmail.com
--- Comment #7 from Zeb Figura z.figura12@gmail.com ---
(In reply to Etaash Mathamsetty from comment #6)
> ok so after doing a bunch of work, it is an instruction emulation issue lmao, I spent all that time thinking "wine doesn't emulate instructions", but it does lol
Right, one of the defining features of Wine is that it doesn't emulate *most* instructions, but there are some privileged instructions that we can't allow the host system to handle, and have to deal with ourselves.
--- Comment #8 from Etaash Mathamsetty etaash.mathamsetty@gmail.com ---
I am using the latest version of vanguard (I have no idea which version), but instead of using mov they are using movabs, which wine doesn't support. (or maybe objdump is doing that)
--- Comment #9 from Etaash Mathamsetty etaash.mathamsetty@gmail.com ---
well unfortunately, where I am crashing, I haven't reached that yet lol
--- Comment #10 from Etaash Mathamsetty etaash.mathamsetty@gmail.com ---
I made a probably terrible implementation of this instruction, feedback is appreciated!
    case 0x38: /* cmp Eb,Gb */
    case 0x39: /* cmp Ev,Gv */
    {
        BYTE *data = INSTR_GetOperandAddr( context, instr + 1, prefixlen + 1, long_addr,
                                           rex, segprefix, &len );
        SIZE_T offset = data - user_shared_data;
        unsigned int data_size = (*instr == 0x38) ? 1 : get_op_size( long_op, rex );

        if (offset <= KSHARED_USER_DATA_PAGE_SIZE - data_size)
        {
            /* the second operand is the register encoded in ModRM.reg, extended by REX.R;
             * CONTEXT stores Rax..R15 as consecutive DWORD64s in x86-64 encoding order
             * (the byte forms ah/ch/dh/bh without REX are not special-cased here) */
            int reg = ((instr[1] >> 3) & 7) + ((rex & 4) /* REX.R */ ? 8 : 0);
            ULONG64 mem = 0, val = 0;

            memcpy( &mem, wine_user_shared_data + offset, data_size );
            memcpy( &val, &context->Rax + reg, data_size );
            TRACE( "cmp [%p] (size %u) with reg %d\n", data, data_size, reg );

            /* clear ZF (bit 6) and CF (bit 0), then set them as CMP does: ZF on equal,
             * CF on unsigned below (SF/OF/PF/AF are not computed) */
            context->EFlags &= ~((1UL << 6) | 1UL);
            if (mem == val) context->EFlags |= 1UL << 6;
            else if (mem < val) context->EFlags |= 1UL;

            context->Rip += prefixlen + len + 1;
            return ExceptionContinueExecution;
        }
        break;
    }
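A stand-alone C model, added here and not Wine's code or the patch in this comment: it decodes the faulting '39 02' (cmp dword ptr [rdx],eax), serves the read from a constructed copy of the shared page instead of letting it fault, sets ZF/CF as CMP would, and then runs the driver's version gate from the disassembly in the report over it. The page copy, the register file, the EFlags bits and the mod=00/no-SIB/no-REX limit on the decoder are this example's own assumptions; the 0x26c/0x270 field offsets and the 0xFFFFF78000000000 base are the ones the report names.

```c
#include <stdint.h>
#include <string.h>
/* Constructed values: the kernel-mode alias of the shared page and the two
 * field offsets the report names (NtMajorVersion 0x26c, NtMinorVersion 0x270). */
#define KUSER_KERNEL_BASE 0xFFFFF78000000000ULL
#define KUSER_PAGE_SIZE   0x1000
#define OFF_NT_MAJOR      0x26c
#define OFF_NT_MINOR      0x270
#define EFL_CF (1u << 0)
#define EFL_ZF (1u << 6)
static uint8_t fake_shared_page[KUSER_PAGE_SIZE];  /* stand-in for Wine's copy */
/* minimal CPU state: r[] in x86-64 encoding order (rax,rcx,rdx,rbx,rsp,...) */
typedef struct { uint64_t r[16]; uint32_t eflags; uint64_t rip; } cpu_t;

/* Emulate a faulting 'cmp dword ptr [reg],reg' (opcode 39 /r, mod=00, no SIB,
 * no REX): decode ModRM, read the operand from the page copy, set ZF/CF.
 * Returns 1 if the access was inside the page and got emulated, else 0. */
static int emulate_cmp32(cpu_t *c, const uint8_t *insn)
{
    int mod = insn[1] >> 6, reg = (insn[1] >> 3) & 7, rm = insn[1] & 7;
    uint64_t addr = c->r[rm];
    uint32_t mem, val = (uint32_t)c->r[reg];
    if (insn[0] != 0x39 || mod != 0 || rm == 4 || rm == 5) return 0;
    if (addr < KUSER_KERNEL_BASE || addr > KUSER_KERNEL_BASE + KUSER_PAGE_SIZE - 4)
        return 0;                                   /* not the shared page: real fault */
    memcpy(&mem, fake_shared_page + (addr - KUSER_KERNEL_BASE), 4);
    c->eflags &= ~(EFL_CF | EFL_ZF);
    if (mem == val) c->eflags |= EFL_ZF;
    if (mem < val)  c->eflags |= EFL_CF;            /* CMP: CF = unsigned below */
    c->rip += 2;                                    /* skip the two-byte '39 02' */
    return 1;
}

/* The driver's version gate as the disassembly shows it: 'cmp ecx,6 / jb' on
 * NtMajorVersion, then 'cmp dword [rdx],eax' (eax=1, rdx=...270) / 'jae' on
 * NtMinorVersion, with a final 'cmp ecx,0A / jae' rescue for major >= 10. */
static int driver_accepts(uint32_t major, uint32_t minor)
{
    static const uint8_t cmp_rdx_eax[] = { 0x39, 0x02 };
    cpu_t c = { {0}, 0, 0 };
    memcpy(fake_shared_page + OFF_NT_MAJOR, &major, 4);
    memcpy(fake_shared_page + OFF_NT_MINOR, &minor, 4);
    if (major < 6) return 0;                        /* jb taken, cmp ecx,0A fails too */
    c.r[0] = 1;                                     /* mov eax,1 */
    c.r[2] = KUSER_KERNEL_BASE + OFF_NT_MINOR;      /* mov rdx,FFFFF78000000270 */
    if (!emulate_cmp32(&c, cmp_rdx_eax)) return -1; /* unemulated: the crash in the log */
    return !(c.eflags & EFL_CF) || major >= 10;     /* jae, else cmp ecx,0A / jae */
}
```

Without emulation the same read is the access violation at info[1]=fffff78000000270 in the log; with it, 6.1 and 10.x pass the gate and 6.0 does not.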
--- Comment #11 from Ker noa blue-t@web.de ---
I think gitlab pull requests are more visible than comments on bugs https://gitlab.winehq.org/groups/wine/-/merge_requests
--- Comment #12 from Etaash Mathamsetty etaash.mathamsetty@gmail.com ---
(In reply to Ker noa from comment #11)
> I think gitlab pull requests are more visible than comments on bugs https://gitlab.winehq.org/groups/wine/-/merge_requests
I don't really want to submit a pull request for this since I have no idea if it is a good implementation or not, so I want to have some feedback/testing before submitting it in. This is my literal first time working with the wine source code.
--- Comment #13 from Austin English austinenglish@gmail.com ---
(In reply to Etaash Mathamsetty from comment #12)
> (In reply to Ker noa from comment #11)
> > I think gitlab pull requests are more visible than comments on bugs https://gitlab.winehq.org/groups/wine/-/merge_requests
> I don't really want to submit a pull request for this since I have no idea if it is a good implementation or not, so I want to have some feedback/testing before submitting it in.
FYI you can mark your MR as a draft to note that it's not ready to be merged/that you're requesting feedback.