http://bugs.winehq.org/show_bug.cgi?id=21917
Summary: LazyLaunch raises unable to dispatch exception
Product: Wine
Version: 1.1.39
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ntdll
AssignedTo: wine-bugs@winehq.org
ReportedBy: lubosz@gmail.com

Created an attachment (id=26590) --> (http://bugs.winehq.org/attachment.cgi?id=26590)
Lazylaunch execution in winedbg

Lazylaunch only outputs one line:
err:seh:raise_exception Exception frame is not in stack limits => unable to dispatch exception.

When I run it in winedbg it raises an exception before running:
0x7bc4b130 call_tls_callbacks+0x130(module=<is not available>, reason=<is not available>) [/home/bmonkey/Apps/System/wine-git/dlls/ntdll/loader.c:927] in ntdll (0x0033fcc0)
You can find lazylaunch here: http://teknogods.com/phpbb/viewtopic.php?f=13&t=2036
Lazylaunch is used to bypass the login screen and run unofficial AI single player games in SC2.exe.
--- Comment #1 from lubosz lubosz@gmail.com 2010-03-04 03:47:29 ---
Created an attachment (id=26591) --> (http://bugs.winehq.org/attachment.cgi?id=26591)
Running with WINEDEBUG=all
Vitaliy Margolen vitaliy@kievinfo.com changed:
  Component: ntdll -> -unknown
pat2man@gmail.com changed:
  CC: added pat2man@gmail.com

--- Comment #2 from pat2man@gmail.com 2010-03-04 17:15:33 ---
Experiencing the same issue using latest git on Mac OS X.
Wylda wylda@volny.cz changed:
  CC: added wylda@volny.cz
--- Comment #3 from Wylda wylda@volny.cz 2010-03-06 04:08:45 ---
Confirming. All of the following versions fail the same way:
* 1.0.1, 1.1.5, 1.1.10, 1.1.15, 1.1.20, 1.1.25, 1.1.30, 1.1.35, 1.1.40
Austin English austinenglish@gmail.com changed:
  Status: UNCONFIRMED -> NEW
  Ever Confirmed: 0 -> 1

--- Comment #4 from Austin English austinenglish@gmail.com 2010-03-06 04:26:33 ---
Confirming per comment #3.
Austin English austinenglish@gmail.com changed:
  Keywords: added download
qwerty8034@hotmail.com changed:
  CC: added qwerty8034@hotmail.com

--- Comment #5 from qwerty8034@hotmail.com 2010-05-05 17:06:53 ---
Still active on 1.1.43! Would be good to know what that "stack limit" is...
nE0sIghT update.microsoft@mail.ru changed:
  CC: added update.microsoft@mail.ru

--- Comment #6 from nE0sIghT update.microsoft@mail.ru 2010-05-15 05:28:15 ---
Same with 1.1.44
--- Comment #7 from Wylda wylda@volny.cz 2012-05-12 16:00:09 CDT ---
Still present in wine-1.5.4.
Anastasius Focht focht@gmx.net changed:
  URL: (none) -> http://www.sc2win.com/starcraft-2-downloads/lazy-launcher-v2-0-download/
  CC: added focht@gmx.net
  Component: -unknown -> ntdll
  Summary: "LazyLaunch raises unable to dispatch exception" -> "LazyLaunch raises unable to dispatch exception (TLS callbacks can taint EBP, needs assembly wrapper)"

--- Comment #8 from Anastasius Focht focht@gmx.net 2012-05-12 17:59:42 CDT ---
Hello,
confirming.
--- quote ---
...
Unhandled exception: page fault on read access to 0x00000004, invalid program stack in 32-bit code (0x7bc4de3d).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc4de3d ESP:0033fcd0 EBP:0033fcb0 EFLAGS:00010202(  R- --  I   - - - )
 EAX:00000004 EBX:7bcbf544 ECX:cc56933b EDX:00504152
 ESI:ffd46df4 EDI:00000000
Stack dump:
0x0033fcd0:  0033fbd8 00400000 7bc4dcf3 0033fda0
0x0033fce0:  ffffffff 7bcbf544 0033fe58 7e9d56aa
0x0033fcf0:  ffffffff 7bc91c4a 00000003 7bcbf544
0x0033fd00:  ffd46df4 00000000 0033fdc8 2215b5cc
0x0033fd10:  cc56933b 00000000 00000001 7bc91c4a
0x0033fd20:  00000000 7bcbf544 ffd46df4 00000001
000c: sel=0067 base=00000000 limit=00000000 32-bit --x
Backtrace:
=>0 0x7bc4de3d call_tls_callbacks+0x240(module=0x5d3d25, reason=0x7bc4dcf3) [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:964] in ntdll (0x0033fcb0)
  1 0x00000246 (0x5184a24a)
0x7bc4de3d call_tls_callbacks+0x240 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:964] in ntdll: movl 0x0(%eax),%eax
964     for (callback = (const PIMAGE_TLS_CALLBACK *)dir->AddressOfCallBacks; *callback; callback++)
...
--- quote ---

Unfortunately it's currently not possible without patching Wine to set a breakpoint on a TLS callback, which makes this inconvenient to analyse.
Side note: Some debuggers advertise a feature to break on TLS callbacks (before app entry). I have to figure out what mechanism is used so Wine can support this too.
Using a patched version we can actually see what happens...
Immediately before calling the first TLS callback:
--- snip ---
Wine-dbg>
0x7bc4e123 call_tls_callbacks+0x102 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:974] in ntdll: call *%edx
974         (*callback)( module, reason, NULL );

Wine-dbg>info reg
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc4e123 ESP:0032fcd0 EBP:0032fdc8 EFLAGS:00000246(  - --  I  Z- -P- )
 EAX:00400000 EBX:7bcc09a4 ECX:2f8b8eaf EDX:00504152
 ESI:fffd2a94 EDI:00000000
--- snip ---
After TLS callback:
--- snip ---
Wine-dbg>info reg
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc4e125 ESP:0032fcdc EBP:0032fcb0 EFLAGS:00000246(  - --  I  Z- -P- )
 EAX:00400000 EBX:7bcc09a4 ECX:2f8b8eaf EDX:00504152
 ESI:fffd2a94 EDI:00000000

Wine-dbg>si
0x7bc4e128 call_tls_callbacks+0x107 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:976] in ntdll: leal 0xffffff28(%ebp),%eax
976     __EXCEPT_ALL
...
0x7bc4e12e call_tls_callbacks+0x10d [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:976] in ntdll: movl %eax,0x0(%esp)
0x7bc4e131 call_tls_callbacks+0x110 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:976] in ntdll: call 0x7bc4becd __wine_pop_frame [/home/focht/projects/wine/wine-git/include/wine/exception.h:222] in ntdll
--- snip ---
EBP has been tainted within the callback and Wine actually *relies* on EBP being preserved. For testing I added a small assembly wrapper to call the TLS callback and it helped.
Source: http://source.winehq.org/git/wine.git/blob/33236819c839f6ac053d724e0930c95bb...
--- snip ---
955 static void call_tls_callbacks( HMODULE module, UINT reason )
956 {
957     const IMAGE_TLS_DIRECTORY *dir;
958     const PIMAGE_TLS_CALLBACK *callback;
959     ULONG dirsize;
960
961     dir = RtlImageDirectoryEntryToData( module, TRUE, IMAGE_DIRECTORY_ENTRY_TLS, &dirsize );
962     if (!dir || !dir->AddressOfCallBacks) return;
963
964     for (callback = (const PIMAGE_TLS_CALLBACK *)dir->AddressOfCallBacks; *callback; callback++)
965     {
...
969         __TRY
970         {
971             (*callback)( module, reason, NULL );
972         }
973         __EXCEPT_ALL
974         {
...
978             return;
979         }
980         __ENDTRY
...
984     }
985 }
--- snip ---

$ du -sh lazylaunch2.exe
900K    lazylaunch2.exe

$ sha1sum lazylaunch2.exe
9ecd89dece306f5e227081295e0b7c73c6bd5057  lazylaunch2.exe
Regards
Anastasius Focht focht@gmx.net changed:
  Keywords: added obfuscation
  URL: http://www.sc2win.com/starcraft-2-downloads/lazy-launcher-v2-0-download/ -> http://www.deejayfool.com/files/games/starcraft2/lazylaunch2.zip
  Summary: "LazyLaunch raises unable to dispatch exception (TLS callbacks can taint EBP, needs assembly wrapper)" -> "SC2 'LazyLaunch' v2.0 fails with 'Exception frame is not in stack limits => unable to dispatch exception.' (TLS callbacks can taint EBP, needs assembly wrapper)"

--- Comment #9 from Anastasius Focht focht@gmx.net ---
Hello folks,
still present, adjusting download link.
--- snip ---
-=[ ProtectionID v0.6.5.5 OCTOBER]=-
(c) 2003-2013 CDKiLLER & TippeX
Build 31/10/13-21:09:09
Ready...
Scanning -> Z:\home\focht\Downloads\lazylaunch2.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 919552 (0E0800h) Byte(s)
[File Heuristics] -> Flag : 00000000000001001101001100000011 (0x0004D303)
[Entrypoint Section Entropy] : 7.86
[!] VM Protect v1.60 - v2.05 detected !
- Scan Took : 0.310 Second(s) [000000136h tick(s)] [533 scan(s) done]
--- snip ---

$ sha1sum lazylaunch2.zip
38e934f03446990bbe287eb25bc523a24a713815  lazylaunch2.zip

$ du -sh lazylaunch2.zip
876K    lazylaunch2.zip

$ wine --version
wine-1.7.24-35-g622191f
Regards
Sebastian Lackner sebastian@fds-team.de changed:
  CC: added sebastian@fds-team.de

--- Comment #10 from Sebastian Lackner sebastian@fds-team.de ---
I'm wondering why no one worked on this, although the solution has been well known for two years? Anyway, here are some patches which seem to fix the issue for me:
https://github.com/compholio/wine-compholio/blob/master/patches/ntdll-Save_R...
https://github.com/compholio/wine-compholio/blob/master/patches/ntdll-Save_R...
Will try to get them upstream during the next week(s). I'm still not completely happy about the fact that this code cannot handle when esi is modified, but it's probably better than having to rely on the stack pointer. The alternative solution would be to enforce some alignment before the function call (gcc should already do that, but it's probably better to enforce it), and then round esp afterwards to get appropriate pointers to the saved registers... but there is no guarantee that the Windows code will always use "ret {0,4,8,12}", it could also use a jump or other weird methods ... :/
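Comments #8 and #10 describe the mechanism in two halves: the protected TLS callback returns with EBP trashed, and the loader's C code around `(*callback)( module, reason, NULL )`, which addresses its `__TRY` exception frame through EBP (`leal 0xffffff28(%ebp),%eax` before `__wine_pop_frame`), then reads garbage; a wrapper that saves the callee-saved registers and restores them through stack-pointer-relative pops does not care what the callee did with EBP. The following is an added example written for this page, not Wine's code and not the patch series linked above. It reproduces the situation on x86-64 Linux (SysV ABI, GCC or Clang) with rbp/rbx standing in for EBP: `rude_callback` is a constructed callback that clobbers them, `call_direct` calls it the way the original loop does, `call_wrapped` is a save/restore wrapper in the spirit of the fix, and `regs_survive` is a probe that plants a sentinel in rbp and rbx and reports whether it is still there afterwards. All names, the sentinel values and the fake module address 0x400000 are assumptions of the example.

```c
/* Added example, not Wine code: a callee that does not preserve callee-saved
 * registers (as LazyLaunch's TLS callback does with EBP), seen from the caller,
 * and a save/restore wrapper in the spirit of the fix. Mirrors the 32-bit bug
 * on x86-64 using rbp/rbx. Assumes Linux, SysV ABI, GCC or Clang. */
#include <stdint.h>
#include <stdio.h>
#ifndef __x86_64__
#error "written for x86-64 only"
#endif

typedef void (*tls_callback_t)(void *module, unsigned reason, void *reserved);
typedef void (*invoker_t)(tls_callback_t cb, void *module, unsigned reason);

volatile void *g_last_module;     /* recorded by the well-behaved callback */
volatile unsigned g_last_reason;

static void polite_callback(void *module, unsigned reason, void *reserved)
{   /* plain C: the compiler preserves rbp and rbx for us */
    (void)reserved;
    g_last_module = module;
    g_last_reason = reason;
}

__asm__(".text\n"
    /* Constructed misbehaving callback: returns with rbp and rbx trashed. */
    ".globl rude_callback\n"
    "rude_callback:\n"
    "    movabsq $0x4141414141414141, %rbp\n"
    "    movabsq $0x4242424242424242, %rbx\n"
    "    ret\n"
    /* Direct call, like the original (*callback)(module, reason, NULL):
       shuffle the arguments and tail-jump, so the callee returns to our caller. */
    ".globl call_direct\n"
    "call_direct:\n"
    "    movq %rdi, %rax\n"
    "    movq %rsi, %rdi\n"
    "    movl %edx, %esi\n"
    "    xorl %edx, %edx\n"
    "    jmp *%rax\n"
    /* Wrapper: push every callee-saved register, call, and restore them with
       rsp-relative pops, so nothing depends on the callee having kept rbp. */
    ".globl call_wrapped\n"
    "call_wrapped:\n"
    "    pushq %rbp\n    pushq %rbx\n    pushq %r12\n"
    "    pushq %r13\n    pushq %r14\n    pushq %r15\n"
    "    subq $8, %rsp\n"                     /* keep the call 16-byte aligned */
    "    movq %rdi, %rax\n"
    "    movq %rsi, %rdi\n"
    "    movl %edx, %esi\n"
    "    xorl %edx, %edx\n"
    "    call *%rax\n"
    "    addq $8, %rsp\n"
    "    popq %r15\n    popq %r14\n    popq %r13\n"
    "    popq %r12\n    popq %rbx\n    popq %rbp\n"
    "    ret\n");
extern void rude_callback(void *, unsigned, void *);
extern void call_direct(tls_callback_t, void *, unsigned);
extern void call_wrapped(tls_callback_t, void *, unsigned);

/* Plant a sentinel in rbp and rbx, run `cb` through `inv`, and report whether
 * both still hold it afterwards (1) or were tainted (0). The call is issued
 * from asm so this frame is never addressed through a possibly-trashed rbp. */
static int regs_survive(invoker_t inv, tls_callback_t cb, unsigned reason)
{
    void *module = (void *)0x400000;    /* fake HMODULE, like 0x00400000 in the dumps */
    uint64_t ok;
    __asm__ volatile(
        "subq $128, %%rsp\n\t"            /* step over this frame's red zone */
        "pushq %%rbp\n\tpushq %%rbx\n\t"  /* our real values, restored below */
        "movq %%rsp, %%rcx\n\t"           /* remember rsp, then align for the call */
        "andq $-16, %%rsp\n\t"
        "pushq %%rcx\n\tsubq $8, %%rsp\n\t"
        "movabsq $0x5AFE5AFE5AFE5AFE, %%rbp\n\t"
        "movabsq $0x5AFE5AFE5AFE5AFE, %%rbx\n\t"
        "call *%[inv]\n\t"
        "movq 8(%%rsp), %%rsp\n\t"        /* back to the remembered rsp */
        "movabsq $0x5AFE5AFE5AFE5AFE, %%rdx\n\t"
        "xorl %%ecx, %%ecx\n\t"
        "cmpq %%rdx, %%rbp\n\tjne 1f\n\t"
        "cmpq %%rdx, %%rbx\n\tjne 1f\n\t"
        "movl $1, %%ecx\n\t"
        "1:\n\t"
        "popq %%rbx\n\tpopq %%rbp\n\t"
        "addq $128, %%rsp\n\t"
        : "=c"(ok), [inv] "+a"(inv), "+D"(cb), "+S"(module), "+d"(reason)
        :
        : "r8", "r9", "r10", "r11", "memory", "cc");
    return (int)ok;
}

int main(void)
{
    printf("direct  + polite: rbp/rbx preserved = %d\n", regs_survive(call_direct, polite_callback, 1));
    printf("direct  + rude  : rbp/rbx preserved = %d\n", regs_survive(call_direct, rude_callback, 1));
    printf("wrapped + rude  : rbp/rbx preserved = %d\n", regs_survive(call_wrapped, rude_callback, 1));
    return 0;
}
```

The direct call with the misbehaving callback reports the registers as tainted, which is the state the loader's `__EXCEPT_ALL` epilogue found itself in; the same callback through the wrapper reports them intact, because the restore path addresses the saved copies through rsp only. Sebastian's caveat in the comment above applies here as well: the wrapper assumes the callee returns with a balanced stack pointer, and nothing in it can help if the callee does not.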
Anastasius Focht focht@gmx.net changed:
  Fixed by SHA1: 636dc013cd45993c35ba00c7ec45c087aa183b0b
  Status: NEW -> RESOLVED
  Resolution: --- -> FIXED

--- Comment #11 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit series:
http://source.winehq.org/git/wine.git/commitdiff/b7f77bb1fd75fd065cf0a34abae... ("ntdll: Save more registers in call_dll_entry_point on i386.")
http://source.winehq.org/git/wine.git/commitdiff/636dc013cd45993c35ba00c7ec4... ("ntdll: Use call_dll_entry_point to execute TLS callbacks.")
Thanks Sebastian
Regards
Alexandre Julliard julliard@winehq.org changed:
  Status: RESOLVED -> CLOSED

--- Comment #12 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.27.