http://bugs.winehq.org/show_bug.cgi?id=30220
Bug #: 30220
Summary: Unhandled Priveleged instruction when starting Minitab 16
Product: Wine
Version: 1.4
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: prabhjotsbhatia@gmail.com
Classification: Unclassified
The following error is printed to the terminal when I startup Minitab 16. However, there is no effect on the GUI and the application continues to work as normal. Bug 30219 could be related.
$ env WINEPREFIX=/home/prabhjot/.myWineBottles/Minitab16/ wine "C:\Program Files\Minitab\Minitab 16\Mtb.exe"
fixme:ntoskrnl:KeInitializeMutex stub: 0x5b4a80, 0
fixme:ntoskrnl:KeWaitForSingleObject stub: 0x5b4a80, 0, 0, 0, (nil)
wine: Unhandled privileged instruction at address 0x5adf59 (thread 0019), starting debugger...
err:ole:CoRegisterClassObject object already registered for class {03e42d3f-a029-4137-b411-244c669f3fbd}
fixme:richedit:IRichEditOle_fnSetHostNames stub 0x2894338 Minitab Mtb
fixme:richedit:IRichEditOle_fnSetHostNames stub 0x2894338 Minitab Project Manager
fixme:richedit:ME_HandleMessage EM_SETTARGETDEVICE doesn't use non-NULL target devices
fixme:process:GetProcessWorkingSetSize (0xffffffff,0x32f9d8,0x32f9dc): stub
fixme:shell:SHGetFileInfoW set icon to shell size, stub
fixme:shell:SHGetFileInfoW set icon to shell size, stub
fixme:ole:CoResumeClassObjects stub
Prabhjot Bhatia prabhjotsbhatia@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |prabhjotsbhatia@gmail.com
Vitaliy Margolen vitaliy-bugzilla@kievinfo.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|major |minor
--- Comment #1 from Vitaliy Margolen vitaliy-bugzilla@kievinfo.com 2012-03-19 00:18:19 CDT ---
Was it a clean wineprefix? Does this program use any sort of copy protection?
Minor - does not affect running the program.
Prabhjot Bhatia prabhjotsbhatia@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|1.4 |1.5.0
--- Comment #2 from Prabhjot Bhatia prabhjotsbhatia@gmail.com 2012-03-20 14:19:03 CDT ---
Yes, it is a clean prefix. I found that the program does use a Sentinel HASP copy protection.
However, after installing the program, even winecfg generates the same error.
Persists in wine 1.5.0 too.
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |hardware, obfuscation
Status|UNCONFIRMED |NEW
CC| |focht@gmx.net
Component|-unknown |ntoskrnl
Summary|Unhandled Priveleged instruction when starting Minitab 16 |Unhandled privileged instruction when starting Minitab 16 (Sentinel HASP hardlock.sys kernel driver tries to write to CR4/not handled in ntoskrnl emulate_instruction)
Ever Confirmed|0 |1
--- Comment #3 from Anastasius Focht focht@gmx.net 2012-03-20 15:21:04 CDT ---
Hello,
confirming.
The kernel driver tries to write to CR4 which is a privileged instruction and not (yet) emulated by Wine.
--- snip ---
000f:Call KERNEL32.CreateProcessW(00000000,00118968 L"C:\windows\system32\winedevice.exe hardlock",00000000,00000000,00000000,00000400,00540000,00000000,0033fc58,0033fc9c) ret=7eda060b
...
000f:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7eda060b
...
0019:Call KERNEL32.LoadLibraryW(0011ab48 L"C:\windows\system32\drivers\hardlock.sys") ret=7effc932
...
0019:Ret KERNEL32.LoadLibraryW() retval=00540000 ret=7effc932
...
0019:Call driver init 0x5cac20 (obj=0x7efff9a0,str=L"\Registry\Machine\System\CurrentControlSet\Services\hardlock")
...
0019:Ret ntoskrnl.exe.KeInitializeMutex() retval=00000038 ret=00556cff
0019:Call ntoskrnl.exe.KeWaitForSingleObject(005b4a80,00000000,00000000,00000000,00000000) ret=005c1707
0019:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x5b4a80, 0, 0, 0, (nil)
0019:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=005c1707
0019:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5adf51 ip=005adf51 tid=0019
0019:trace:seh:raise_exception eax=00000001 ebx=00000000 ecx=00000000 edx=0053ef48 esi=00000019 edi=0053e5e4
0019:trace:seh:raise_exception ebp=0053e608 esp=0053e530 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0019:trace:seh:call_vectored_handlers calling handler at 0x7ed1e496 code=c0000096 flags=0
0019:trace:seh:call_vectored_handlers handler at 0x7ed1e496 returned ffffffff
0019:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5adf59 ip=005adf59 tid=0019
0019:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=00000000 edx=0053ef48 esi=00000019 edi=0053e5e4
0019:trace:seh:raise_exception ebp=0053e608 esp=0053e530 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0019:trace:seh:call_vectored_handlers calling handler at 0x7ed1e496 code=c0000096 flags=0
0019:trace:seh:call_vectored_handlers handler at 0x7ed1e496 returned 0
0019:trace:seh:call_stack_handlers calling handler at 0x7bc92029 code=c0000096 flags=0
0019:Call KERNEL32.UnhandledExceptionFilter(0053e008) ret=7bc92063
wine: Unhandled privileged instruction at address 0x5adf59 (thread 0019), starting debugger...
--- snip ---
The driver contains mostly obfuscated code, debugging reveals:
--- snip ---
005ADF50 50              PUSH EAX
005ADF51 0F20E0          MOV EAX,CR4        ; privileged instruction (emulated)
005ADF54 25 F7FFFFFF     AND EAX,FFFFFFF7
005ADF59 0F22E0          MOV CR4,EAX        ; privileged instruction (not handled)
005ADF5C 58              POP EAX
005ADF5D C3              RETN
--- snip ---
The read of CR4 is trapped/emulated by Wine - CR4 write not, causing unhandled exception.
It seems the kernel driver tries to cancel out CR4.DE (bit 3) which is "Debugging Extensions".
--- quote --- I/O breakpoints, including the CR4.DE bit for enabling debug extensions and optional trapping of access to the DR4 and DR5 registers. --- quote ---
Code: http://source.winehq.org/git/wine.git/blob/57e4e608dcd73b36f1084e0cfcb7cf092...
--- snip ---
static DWORD emulate_instruction( EXCEPTION_RECORD *rec, CONTEXT *context )
{
...
    switch(*instr)
    {
    case 0x0f: /* extended instruction */
        switch(instr[1])
        {
        case 0x22: /* mov eax, crX */
            switch (instr[2])
            {
            case 0xc0:
                TRACE("mov eax,cr0 at 0x%08x, EAX=0x%08x\n", context->Eip,context->Eax );
                context->Eip += prefixlen+3;
                return ExceptionContinueExecution;
            default:
                break; /*fallthrough to bad instruction handling */
            }
            break; /*fallthrough to bad instruction handling */
...
    }
    return ExceptionContinueSearch; /* Unable to emulate it */
}
--- snip ---
$ du -sh mtben1610su.exe
93M mtben1610su.exe

$ sha1sum mtben1610su.exe
3d4d2ead508e6f930583701a335e5db8f9d40b17 mtben1610su.exe

$ wine --version
wine-1.5.0
Regards
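As an added illustration of the emulation path discussed in the comment above (this is not Wine's code and not from the bug thread): a small decoder that handles both the read and the write form of MOV to/from a control register by decoding the ModRM byte, so any CRn/GPR pair is covered rather than only the `0xc0` (cr0/EAX) case the quoted switch handles, and that keeps a per-process virtual CR4 so the driver's attempt to clear CR4.DE is absorbed without touching the real CPU. The `vm_ctx` struct is a hypothetical stand-in for the CONTEXT Wine's handler receives; the byte sequences are copied from the disassembly in the report.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical stand-in for the CONTEXT Wine's handler gets (not Wine's struct).
 * regs[] is in ModRM order: 0=EAX 1=ECX 2=EDX 3=EBX 4=ESP 5=EBP 6=ESI 7=EDI. */
typedef struct {
    uint32_t regs[8];
    uint32_t cr[8];    /* virtual CRn values kept by the emulation, never the real CPU's */
    uint32_t eip;
} vm_ctx;

#define CR4_DE (1u << 3)   /* CR4.DE, Debugging Extensions: the bit the driver clears */

/* Emulate "0F 20 /r" (MOV r32,CRn) or "0F 22 /r" (MOV CRn,r32) at code[].
 * Returns 1 and steps EIP past the 3-byte instruction when handled, else 0 so
 * the caller falls through to its usual unhandled-instruction path. */
int emulate_cr_mov(vm_ctx *ctx, const uint8_t *code, size_t len)
{
    if (len < 3 || code[0] != 0x0f || (code[1] != 0x20 && code[1] != 0x22))
        return 0;
    uint8_t modrm = code[2];
    if ((modrm >> 6) != 3) return 0;      /* CR moves are register-direct only */
    unsigned crn = (modrm >> 3) & 7;      /* reg field selects CRn */
    unsigned gpr = modrm & 7;             /* rm field selects the GPR */
    if (code[1] == 0x20) ctx->regs[gpr] = ctx->cr[crn];   /* read:  CRn -> r32 */
    else                 ctx->cr[crn]  = ctx->regs[gpr];  /* write: r32 -> CRn */
    ctx->eip += 3;
    return 1;
}

/* Replay the routine quoted from the driver: both CR4 accesses trap and are
 * emulated; the AND between them is plain user-mode code. Returns the CR4 the
 * driver sees afterwards, or the unchanged input if emulation refused. */
uint32_t run_driver_stub(uint32_t initial_cr4)
{
    static const uint8_t rd_cr4[] = { 0x0f, 0x20, 0xe0 };  /* 005ADF51 MOV EAX,CR4 */
    static const uint8_t wr_cr4[] = { 0x0f, 0x22, 0xe0 };  /* 005ADF59 MOV CR4,EAX */
    vm_ctx ctx = { {0}, {0}, 0x5adf51 };
    ctx.cr[4] = initial_cr4;
    if (!emulate_cr_mov(&ctx, rd_cr4, sizeof rd_cr4)) return initial_cr4;
    ctx.eip += 5;                 /* 005ADF54 AND EAX,FFFFFFF7 is 5 bytes, not privileged */
    ctx.regs[0] &= 0xfffffff7u;
    if (!emulate_cr_mov(&ctx, wr_cr4, sizeof wr_cr4)) return initial_cr4;
    return ctx.cr[4];
}
```

With a constructed starting value such as 0x6f8 (DE set), `run_driver_stub` returns 0x6f0: the driver believes it has disabled debug extensions while the host CPU's CR4 is untouched.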
Vitaliy Margolen vitaliy-bugzilla@kievinfo.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|1.5.0 |1.4
Saulius K. saulius2@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |saulius2@gmail.com
--- Comment #4 from Stefan Leichter Stefan.Leichter@camLine.com 2012-06-17 03:49:25 CDT ---
Created attachment 40574 --> http://bugs.winehq.org/attachment.cgi?id=40574
emulate write to CR4
Does the patch help?
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mimotitolindo@gmail.com
--- Comment #5 from Anastasius Focht focht@gmx.net 2013-02-05 15:03:58 CST ---
*** Bug 32902 has been marked as a duplicate of this bug. ***
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fsandoval@hotmail.com
--- Comment #6 from Anastasius Focht focht@gmx.net 2013-05-25 16:44:44 CDT ---
*** Bug 33659 has been marked as a duplicate of this bug. ***
Sebastian Lackner sebastian@fds-team.de changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sebastian@fds-team.de
--- Comment #7 from Sebastian Lackner sebastian@fds-team.de ---
@Stefan: The attached patch helps (no crash on this instruction anymore), but afterwards the driver immediately hits the next issue (fixmes added to simplify debugging):
```
trace:seh:call_vectored_handlers handler at 0x7ed2fcce returned ffffffff
trace:seh:raise_exception code=c0000096 flags=0 addr=0x7ed55181 ip=7ed55181 tid=0018
trace:seh:raise_exception eax=0053e654 ebx=00000000 ecx=0053e594 edx=0053ef4c esi=00000000 edi=0053e654
trace:seh:raise_exception ebp=0053e678 esp=0053e59c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
trace:seh:call_vectored_handlers calling handler at 0x7ed2fcce code=c0000096 flags=0
fixme:int:emulate_instruction emulate_instruction
fixme:int:emulate_instruction instr[0] = 6e
fixme:int:emulate_instruction instr[1] = 74
fixme:int:emulate_instruction instr[2] = 64
fixme:int:emulate_instruction instr[3] = 6c
fixme:int:emulate_instruction instr[4] = 6c
fixme:int:emulate_instruction instr[5] = 2e
```
This privileged instruction code corresponds to:
```
.data:0x00000000 6e      outs dx,BYTE PTR ds:[esi]
.data:0x00000001 7464    je 0x00000067
.data:0x00000003 6c      ins BYTE PTR es:[edi],dx
.data:0x00000004 6c      ins BYTE PTR es:[edi],dx
```
These instructions will also need to be emulated as it seems like the driver tries to directly access IO ports via assembler instructions. Code to emulate outsb/insb already exists in krnl386.exe/instr.c, so a simple stub is pretty easy, but doesn't bring us further:
outsb is supposed to read data from ds:esi, but in this case esi = 0x0 ? Most likely some more things are going wrong here. ;)
$ du -sh mtben1610su.exe
93M mtben1610su.exe

$ sha1sum mtben1610su.exe
f457d13475a783a0d2fff5566c0279640ba26bc6

$ git describe origin/master
wine-1.7.29-133-g433df0d
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |download
Fixed by SHA1| |e729dba55d33adbb7403a03042f7637dfcddb980
Status|NEW |RESOLVED
URL| |http://www.mesacg.com/Downloads/MTBen1610su.exe
Resolution|--- |FIXED
--- Comment #8 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit http://source.winehq.org/git/wine.git/commitdiff/e729dba55d33adbb7403a03042f...
Thanks Stefan
--- snip ---
...
0018:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5adf51 ip=005adf51 tid=0018
0018:trace:seh:raise_exception eax=00000001 ebx=00000000 ecx=00000000 edx=0053ef8c esi=0053fb40 edi=0053e644
0018:trace:seh:raise_exception ebp=0053e668 esp=0053e590 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0018:trace:seh:call_vectored_handlers calling handler at 0x7ecea8d8 code=c0000096 flags=0
0018:trace:int:emulate_instruction mov cr4,eax at 0x005adf51
0018:trace:seh:call_vectored_handlers handler at 0x7ecea8d8 returned ffffffff
...
0018:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5adf59 ip=005adf59 tid=0018
0018:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=00000000 edx=0053ef8c esi=0053fb40 edi=0053e644
0018:trace:seh:raise_exception ebp=0053e668 esp=0053e590 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0018:trace:seh:call_vectored_handlers calling handler at 0x7ecea8d8 code=c0000096 flags=0
0018:trace:int:emulate_instruction mov eax,cr4 at 0x005adf59, EAX=0x00000000
0018:trace:seh:call_vectored_handlers handler at 0x7ecea8d8 returned ffffffff
...
--- snip ---
Regards
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #9 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.34.
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
URL|http://www.mesacg.com/Downloads/MTBen1610su.exe |https://web.archive.org/web/20210318190949/http://www.mesacg.com/Downloads/MTBen1610su.exe
--- Comment #10 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding stable download link via Internet Archive for documentation.
https://web.archive.org/web/20210318190949/http://www.mesacg.com/Downloads/M...
https://www.virustotal.com/gui/file/746d1df6609d0db8b9521861225baf3dfa8ea11e...
$ sha1sum MTBen1610su.exe
f457d13475a783a0d2fff5566c0279640ba26bc6 MTBen1610su.exe

$ du -sh MTBen1610su.exe
93M MTBen1610su.exe
Regards