https://bugs.winehq.org/show_bug.cgi?id=37356
Bug ID: 37356
Summary: Multiple software protection/DRM schemes need ntoskrnl 'IoGetDeviceObjectPointer' implementation (Tages v5.x, ProtectDISC 6.x)
Product: Wine
Version: 1.7.27
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Hello folks,
split off from bug 9484 and also mentioned here: https://github.com/compholio/wine-compholio/issues/80
Can be reproduced with Tagès drivers version 5.x alone (two stacked/layered drivers). Also needed for other DRM schemes, such as ProtectDISC 6.x.
--- snip ---
...
0016:Call KERNEL32.CreateProcessW(00000000,00119fa8 L"C:\windows\system32\winedevice.exe lirsgt",00000000,00000000,00000000,00000400,00540000,00000000,0084e4c8,0084e50c) ret=7edb5d3f
...
0038:Call KERNEL32.__wine_kernel_init() ret=7bc5a00d
0016:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7edb5d3f
...
003c:Starting thread proc 0x7ed9b77b (arg=0x119670)
...
003c:Call advapi32.RegisterServiceCtrlHandlerExW(001152aa L"lirsgt",7edfc61f,00000000) ret=7edfc86c
003c:Ret advapi32.RegisterServiceCtrlHandlerExW() retval=0011a968 ret=7edfc86c
...
0009:Call KERNEL32.CreateFileW(0033c4d0 L"\\.\lirsgt",c0000000,00000000,00000000,00000003,40000000,00000000) ret=0040108f
...
0009:Ret KERNEL32.CreateFileW() retval=00000064 ret=0040108f
...
0009:Call KERNEL32.DeviceIoControl(00000064,0022e013,0033c6fc,00000000,0033c6fc,00000000,0033c6f8,00000000) ret=00401ac3
...
003c:Call driver dispatch 0x542140 (device=0x11aeb0,irp=0x53e780)
003c:Call ntoskrnl.exe.IoAllocateMdl(0011b4c0,00000005,00000000,00000000,00000000) ret=005416bd
003c:Call ntdll.RtlAllocateHeap(00110000,00000008,00000020) ret=7ed2eb34
003c:Ret ntdll.RtlAllocateHeap() retval=0011b0e0 ret=7ed2eb34
003c:fixme:ntoskrnl:IoGetCurrentProcess () stub
003c:Ret ntoskrnl.exe.IoAllocateMdl() retval=0011b0e0 ret=005416bd
003c:Call ntoskrnl.exe.MmProbeAndLockPages(0011b0e0,00000001,00000001) ret=005416d9
003c:fixme:ntoskrnl:MmProbeAndLockPages (0x11b0e0, 1, 1): stub
003c:Ret ntoskrnl.exe.MmProbeAndLockPages() retval=0000003f ret=005416d9
003c:Call ntoskrnl.exe.MmMapLockedPagesSpecifyCache(0011b0e0,00000000,00000001,00000000,00000000,00000020) ret=005429c4
003c:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (0x11b0e0, 0, 1, (nil), 0, 32): stub
003c:Ret ntoskrnl.exe.MmMapLockedPagesSpecifyCache() retval=00000000 ret=005429c4
003c:Call ntdll.RtlInitUnicodeString(0053e640,0053e648 L"\Device\atksgt") ret=00540387
003c:Ret ntdll.RtlInitUnicodeString() retval=0053e640 ret=00540387
003c:Call ntoskrnl.exe.IoGetDeviceObjectPointer(0053e640,00020000,0053e63c,0053e638) ret=005403a1
003c:fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"\Device\atksgt" 20000 0x53e63c 0x53e638
003c:Ret ntoskrnl.exe.IoGetDeviceObjectPointer() retval=c0000002 ret=005403a1
003c:trace:seh:raise_exception code=c0000005 flags=0 addr=0x5403c1 ip=005403c1 tid=003c
003c:trace:seh:raise_exception info[0]=00000001
003c:trace:seh:raise_exception info[1]=00000000
003c:trace:seh:raise_exception eax=00000000 ebx=7ed47000 ecx=0053e640 edx=0053ef8c esi=0011af68 edi=0053e944
003c:trace:seh:raise_exception ebp=00000000 esp=0053e638 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010282
003c:trace:seh:call_vectored_handlers calling handler at 0x7ed2d73c code=c0000005 flags=0
003c:trace:seh:call_vectored_handlers handler at 0x7ed2d73c returned 0
003c:trace:seh:call_stack_handlers calling handler at 0x7bc9de37 code=c0000005 flags=0
003c:Call KERNEL32.UnhandledExceptionFilter(0053e104) ret=7bc9de71
wine: Unhandled page fault on write access to 0x00000000 at address 0x5403c1 (thread 003c), starting debugger...
...
--- snip ---
$ sha1sum TagesSetup.exe
b360bfc82b0c807c1caa7e423dfa4bc6515830a9  TagesSetup.exe

$ du -sh TagesSetup.exe
204K    TagesSetup.exe

$ wine --version
wine-1.7.27-113-g5afbb6b
Regards
Anastasius Focht focht@gmx.net changed:
What            |Removed |Added
----------------------------------------------------------------------------
Keywords        |        |download, obfuscation
URL             |        |http://www.tagesprotection.com/5.5/TagesSetup.exe
Marc Bessières marc.bessieres@gmail.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |marc.bessieres@gmail.com

--- Comment #1 from Marc Bessières marc.bessieres@gmail.com ---
Hello,

For reference, the French retail version of Helldorado also suffers from this.
--- snip ---
pwd
/home/guest/wine32/Helldorado/drive_c/Program Files/Spellbound/Helldorado
WINEDEBUG=+relay,+tid,+seh wine Helldorado.exe >> log 2>&1
001e:Call ntoskrnl.exe.MmMapLockedPagesSpecifyCache(0011b150,00000000,00000001,00000000,00000000,00000020) ret=0054292c
001e:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (0x11b150, 0, 1, (nil), 0, 32): stub
001e:Ret ntoskrnl.exe.MmMapLockedPagesSpecifyCache() retval=00000000 ret=0054292c
001e:Call ntdll.RtlInitUnicodeString(0053e69c,0053e6a4 L"\Device\atksgt") ret=00540388
001e:Ret ntdll.RtlInitUnicodeString() retval=0000001e ret=00540388
001e:Call ntoskrnl.exe.IoGetDeviceObjectPointer(0053e69c,00020000,0053e698,0053e694) ret=005403a2
001e:fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"\Device\atksgt" 20000 0x53e698 0x53e694
001e:Ret ntoskrnl.exe.IoGetDeviceObjectPointer() retval=00000000 ret=005403a2
001e:trace:seh:raise_exception code=c0000005 flags=0 addr=0x5403aa ip=005403aa tid=001e
001e:trace:seh:raise_exception info[0]=00000000
001e:trace:seh:raise_exception info[1]=00000028
001e:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=0053e69c edx=00000000 esi=0011afd8 edi=00000003
001e:trace:seh:raise_exception ebp=00000000 esp=0053e690 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
001e:trace:seh:call_vectored_handlers calling handler at 0x7ed61d80 code=c0000005 flags=0
001e:trace:seh:call_vectored_handlers handler at 0x7ed61d80 returned 0
001e:trace:seh:call_stack_handlers calling handler at 0x7bc98960 code=c0000005 flags=0
001e:Call KERNEL32.UnhandledExceptionFilter(0053e1e8) ret=7bc989a5
wine: Unhandled page fault on read access to 0x00000028 at address 0x5403aa (thread 001e), starting debugger...
--- snip ---
sha1sum Helldorado.exe
dce25747637a85e33dbe1ceb02ca29617f0bae17 Helldorado.exe
du -hs Helldorado.exe
5,7M Helldorado.exe
wine --version
wine-1.7.35
Cheers, Marc
Gijs Vermeulen acescopezz@gmail.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |acescopezz@gmail.com

--- Comment #2 from Gijs Vermeulen acescopezz@gmail.com ---
Is this still an issue in Wine2.4? Maybe this commit helped: https://source.winehq.org/git/wine.git/commitdiff/68f23a1138ed697257c348011d...
(last comment on this bug was 02/2015 and that commit was in 06/2015)
mirh mirh@protonmail.ch changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |mirh@protonmail.ch
Adam Bolte abolte@systemsaviour.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |abolte@systemsaviour.com
Zebediah Figura z.figura12@gmail.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |z.figura12@gmail.com

--- Comment #3 from Zebediah Figura z.figura12@gmail.com ---
(In reply to Gijs Vermeulen from comment #2)
> Is this still an issue in Wine2.4? Maybe this commit helped:
> https://source.winehq.org/git/wine.git/commitdiff/68f23a1138ed697257c348011d77ec8519b44294
> 
> (last comment on this bug was 02/2015 and that commit was in 06/2015)

Still present in Wine 3.5.
Zebediah Figura z.figura12@gmail.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Summary         |Multiple software           |Multiple software
                |protection/DRM schemes need |protection/DRM schemes need
                |ntoskrnl                    |ntoskrnl
                |'IoGetDeviceObjectPointer'  |'MmMapLockedPagesSpecifyCache'
                |implementation (Tages v5.x, |implementation (Tages v5.x,
                |ProtectDISC 6.x)            |ProtectDISC 6.x)

--- Comment #4 from Zebediah Figura z.figura12@gmail.com ---
The bug isn't actually with IoGetDeviceObjectPointer (at least for Tages), but rather with MmMapLockedPagesSpecifyCache() returning a NULL pointer:

29be: ff 15 38 1f 01 00    call [00011F38h] ; <MmMapLockedPagesSpecifyCache>
29c4: 50                   push eax
29c5: 56                   push esi
29c6: e8 35 d9 ff ff       call 0300

300:  83 ec 30             sub esp, 30h
...
3bd:  8b 44 24 38          mov eax, [esp+38h]
3c1:  66 c7 00 05 00       mov word [eax], 0005h
Anastasius Focht focht@gmx.net changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |NEW                         |RESOLVED
Resolution      |---                         |DUPLICATE
Fixed by SHA1   |                            |68f23a1138ed697257c348011d77ec8519b44294
Summary         |Multiple software           |Multiple software
                |protection/DRM schemes need |protection/DRM schemes
                |ntoskrnl                    |crash due to
                |'MmMapLockedPagesSpecifyCache' |'ntoskrnl.MmMapLockedPagesSpecifyCache'
                |implementation (Tages       |returning NULL
                |v5.x, ProtectDISC 6.x)      |(Tages v5.x, ProtectDISC 6.x)

--- Comment #5 from Anastasius Focht focht@gmx.net ---
Hello folks,
yes, I've noticed it now too.
It's a dupe of bug 37355 ("Multiple software protection schemes need ntoskrnl 'MmMapLockedPagesSpecifyCache' implementation (Tages Protection v5.x, BattleEye's 'bedaisy.sys')")
--- snip ---
...
0034:Call ntdll.RtlInitUnicodeString(0054fb50,0054fb58 L"\Device\atksgt") ret=7bc7f49b
0034:Ret ntdll.RtlInitUnicodeString() retval=0054fb50 ret=7bc7f49b
0034:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0054fb50 ret=00780387
0034:Call ntoskrnl.exe.IoGetDeviceObjectPointer(0054fb50,00020000,0054fb4c,0054fb48) ret=007803a1
0034:fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"\Device\atksgt" 20000 0x54fb4c 0x54fb48
0034:Ret ntoskrnl.exe.IoGetDeviceObjectPointer() retval=00000000 ret=007803a1
0034:trace:ntoskrnl:ObDereferenceObject ((nil)): stub
0034:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7803c1 ip=007803c1 tid=0034
0034:trace:seh:raise_exception info[0]=00000001
0034:trace:seh:raise_exception info[1]=00000000
0034:trace:seh:raise_exception eax=00000000 ebx=0054fc70 ecx=0054fb44 edx=00552f44 esi=0011cd18 edi=0054fe14
0034:trace:seh:raise_exception ebp=00000000 esp=0054fb48 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010216
0034:trace:seh:call_vectored_handlers calling handler at 0x7ec112b1 code=c0000005 flags=0
0034:trace:seh:call_vectored_handlers handler at 0x7ec112b1 returned 0
0034:trace:seh:call_stack_handlers calling handler at 0x7bcb1a8e code=c0000005 flags=0
0034:Call KERNEL32.UnhandledExceptionFilter(0054f644) ret=7bcb1ac9
wine: Unhandled page fault on write access to 0x00000000 at address 0x7803c1 (thread 0034), starting debugger...
--- snip ---
The current stub:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl...
--- snip ---
NTSTATUS WINAPI IoGetDeviceObjectPointer( UNICODE_STRING *name, ACCESS_MASK access, PFILE_OBJECT *file, PDEVICE_OBJECT *device )
{
    static DEVICE_OBJECT stub_device;
    static DRIVER_OBJECT stub_driver;

    FIXME( "stub: %s %x %p %p\n", debugstr_us(name), access, file, device );

    stub_device.StackSize = 0x80; /* minimum value to appease SecuROM 5.x */
    stub_device.DriverObject = &stub_driver;

    *file = NULL;
    *device = &stub_device;

    return STATUS_SUCCESS;
}
--- snip ---

'ObDereferenceObject(NULL)' in the trace log is the result of 'IoGetDeviceObjectPointer()' returning a NULL file object. This is expected; the driver doesn't need the file object.
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/attaching-the-... ("Attaching the Filter Device Object to the Target Device Object")
Driver disassembly:
--- snip ---
00780300  SUB ESP,30
00780303  XOR EAX,EAX
00780305  MOV ECX,65
0078030A  MOV WORD PTR SS:[ESP+14],CX
0078030F  MOV WORD PTR SS:[ESP+1C],CX
...
00780381  CALL DWORD PTR DS:[<&ntoskrnl.RtlInitUnicodeString>]
00780387  LEA EDX,DWORD PTR SS:[ESP]
0078038B  PUSH EDX
0078038C  LEA EAX,DWORD PTR SS:[ESP+8]
00780390  PUSH EAX
00780391  PUSH 20000
00780396  LEA ECX,DWORD PTR SS:[ESP+14]
0078039A  PUSH ECX
0078039B  CALL DWORD PTR DS:[<&ntoskrnl.IoGetDeviceObjectPointer>]
007803A1  TEST EAX,EAX
007803A3  JL SHORT lirsgt.007803BD
007803A5  MOV EDX,DWORD PTR SS:[ESP]        ; stub_device
007803A9  MOV EAX,DWORD PTR DS:[EDX+28]     ; _DEVICE_OBJECT.Timer
007803AC  MOV ECX,DWORD PTR SS:[ESP+34]     ; arg1
007803B0  MOV DWORD PTR DS:[ECX+30],EAX
007803B3  MOV ECX,DWORD PTR SS:[ESP+4]
007803B7  CALL DWORD PTR DS:[<&ntoskrnl.ObfDereferenceObject>]
007803BD  MOV EAX,DWORD PTR SS:[ESP+38]
007803C1  MOV WORD PTR DS:[EAX],5           ; arg2 == NULL *boom*
007803C6  MOV WORD PTR DS:[EAX+2],5
007803CC  MOV BYTE PTR DS:[EAX+4],2
007803D0  ADD ESP,30
007803D3  RETN 8
--- snip ---
The problem here is the caller supplying NULL arg2 (ptr) to this function. Looking at the caller:
--- snip ---
...
007829B3  PUSH 20                           ; Priority
007829B5  PUSH 0                            ; BugCheckOnFailure
007829B7  PUSH 0                            ; BaseAddress
007829B9  PUSH 1                            ; CacheType
007829BB  PUSH 0                            ; AccessMode
007829BD  PUSH EAX                          ; MemoryDescriptorList
007829BE  CALL DWORD PTR DS:[<&ntoskrnl.MmMapLockedPagesSpecifyCache>]
007829C4  PUSH EAX                          ; arg2 -> address of mapped pages
007829C5  PUSH ESI                          ; arg1
007829C6  CALL lirsgt.00780300              ; see above snippet
007829CB  JMP lirsgt.00783F5E
...
--- snip ---
arg2 == NULL -> bug 37355 ("Multiple software protection schemes need ntoskrnl 'MmMapLockedPagesSpecifyCache' implementation (Tages Protection v5.x, BattleEye's 'bedaisy.sys')")
$ wine --version
wine-3.5-91-g3263d51a1f
Regards
*** This bug has been marked as a duplicate of bug 37355 ***
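The failure mode diagnosed in comment #5 (the driver pushes the result of MmMapLockedPagesSpecifyCache straight into a routine that writes through it, so a NULL mapping becomes the write fault at 007803C1) can be modelled in plain C. The following is an added example, not Wine's code and not the Tagès driver's: the kernel types, the record layout and the mapping routine are simplified stand-ins, and fake_map_locked_pages, fill_checked and run_caller are hypothetical names. It places the unchecked pattern from the disassembly next to a caller that validates the mapping before any write, which is the check a driver author would want here regardless of why the mapping failed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel types; not the real ntoskrnl headers. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define NT_SUCCESS(s)                 ((NTSTATUS)(s) >= 0)

/* Layout of the record that lirsgt.00780300 fills in through its second
 * argument: a WORD at +0, a WORD at +2 and a BYTE at +4 (from the listing). */
#pragma pack(push, 1)
typedef struct {
    uint16_t word0;
    uint16_t word2;
    uint8_t  byte4;
} mapped_record;
#pragma pack(pop)

/* Hypothetical stand-in for MmMapLockedPagesSpecifyCache: a failed mapping
 * returns NULL, which is also what Wine's stub returned in the traces above. */
static mapped_record *fake_map_locked_pages(int mapping_fails)
{
    static mapped_record backing;   /* stands in for the mapped pages */
    return mapping_fails ? NULL : &backing;
}

/* The driver's pattern: the mapping result is dereferenced unconditionally
 * (MOV WORD PTR [EAX],5 at 007803C1), so a NULL mapping is a page fault. */
static void fill_unchecked(mapped_record *rec)
{
    rec->word0 = 5;
    rec->word2 = 5;
    rec->byte4 = 2;
}

/* Hardened version: reject a NULL mapping before anything writes through it
 * and report the failure as a status the caller can act on. */
NTSTATUS fill_checked(mapped_record *rec)
{
    if (rec == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    fill_unchecked(rec);
    return STATUS_SUCCESS;
}

/* Models the call sequence at 007829BE..007829C6 with the mapping either
 * succeeding or failing; on success the filled record is copied to *out. */
NTSTATUS run_caller(int mapping_fails, mapped_record *out)
{
    mapped_record *mapped = fake_map_locked_pages(mapping_fails);
    NTSTATUS st = fill_checked(mapped);
    if (NT_SUCCESS(st) && out != NULL)
        *out = *mapped;
    return st;
}

int main(void)
{
    mapped_record rec;
    NTSTATUS st = run_caller(0, &rec);
    printf("mapping ok:     status=0x%08x word0=%u word2=%u byte4=%u\n",
           (unsigned)st, rec.word0, rec.word2, rec.byte4);
    st = run_caller(1, NULL);
    printf("mapping failed: status=0x%08x (NT_SUCCESS=%d)\n",
           (unsigned)st, NT_SUCCESS(st));
    return 0;
}
```

With the mapping failing, the checked path returns a failure status and never touches address 0, whereas the unchecked pattern is exactly the write fault seen in the relay logs; the same NULL check is what an implementation of MmMapLockedPagesSpecifyCache that can fail expects of its callers when BugCheckOnFailure is FALSE.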
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Status          |RESOLVED|CLOSED

--- Comment #6 from Alistair Leslie-Hughes leslie_alistair@hotmail.com ---
Closing duplicate.