http://bugs.winehq.org/show_bug.cgi?id=30528
Bug #: 30528
Summary: Tibia bot crashes when connecting to tibia process. K32EnumProcessModules+0x31() in kernel32
Product: Wine
Version: 1.5.2
Platform: x86-64
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: kernel32
AssignedTo: wine-bugs@winehq.org
ReportedBy: treaw@o2.pl
Classification: Unclassified
On clean wineprefix:

winetricks vcrun6
wine start Downloads/python-2.4.4.msi
wine Downloads/tibia952.exe
wine Downloads/TibiaAutoSetup_2_19_2.exe
wine ./drive_c/Program\ Files/Tibia\ Auto/tibiaauto.exe
wine ./drive_c/Program\ Files/Tibia/Tibia.exe
After that tibiaauto.exe crashes, with error attached.
http://www.python.org/download/releases/2.4.4/ - installed using .msi file
http://sourceforge.net/projects/tibiaauto/
https://secure.tibia.com/account/?subtopic=downloadclient
--- Comment #1 from treaw@o2.pl 2012-04-27 10:59:18 CDT --- Created attachment 39935 --> http://bugs.winehq.org/attachment.cgi?id=39935 Backtrace.txt
Vitaliy Margolen vitaliy-bugzilla@kievinfo.com changed:
What       |Removed    |Added
-----------+-----------+----------
Component  |kernel32   |-unknown
--- Comment #2 from Vitaliy Margolen vitaliy-bugzilla@kievinfo.com 2012-04-27 20:03:53 CDT --- Please install Wine debug symbols (wine*-dbg package from your distro) and attach complete terminal output as described here: http://wiki.winehq.org/FAQ#get_log
> wine ./drive_c/Program\ Files/Tibia\ Auto/tibiaauto.exe
> wine ./drive_c/Program\ Files/Tibia/Tibia.exe
This is a wrong way to run programs. See this for a correct way: http://wiki.winehq.org/FAQ#run_from_terminal
--- Comment #3 from treaw@o2.pl 2012-04-30 03:44:20 CDT --- Created attachment 39967 --> http://bugs.winehq.org/attachment.cgi?id=39967 Same log with debug symbols.
Had to install Ubuntu on the second hard drive. Did not manage to do that under Gentoo.
--- Comment #4 from treaw@o2.pl 2012-04-30 03:52:22 CDT --- Because of that, the platform where the error occurs changes a bit. Now it is x86. Also, the wine version is now different: 1.3.28-0ubuntu2~oneiric1 (from package wine1.3-dbg). Anyway, same error.
--- Comment #5 from Vitaliy Margolen vitaliy-bugzilla@kievinfo.com 2012-04-30 08:02:32 CDT --- Please use recent Wine version. You can do it on gentoo - just run Wine from source directory without installing it.
--- Comment #6 from treaw@o2.pl 2012-04-30 14:25:42 CDT --- Created attachment 39973 --> http://bugs.winehq.org/attachment.cgi?id=39973 Wine 1.5.2 x86_64 with debug symbols+
--- Comment #7 from treaw@o2.pl 2012-04-30 14:25:46 CDT --- Created attachment 39975 --> http://bugs.winehq.org/attachment.cgi?id=39975 Wine 1.5.2 x86_64 with debug symbols+
--- Comment #8 from treaw@o2.pl 2012-04-30 14:25:46 CDT --- Created attachment 39980 --> http://bugs.winehq.org/attachment.cgi?id=39980 Wine 1.5.2 x86_64 with debug symbols+
--- Comment #9 from treaw@o2.pl 2012-04-30 14:44:30 CDT --- Nah, 1.5.3 - Leaned on keyboard and posted 3-times with mistake... sorry
Anastasius Focht focht@gmx.net changed:
What            |Removed                                  |Added
----------------+-----------------------------------------+-----------------------------------------
Keywords        |                                         |download
Status          |UNCONFIRMED                              |NEW
URL             |                                         |http://sourceforge.net/projects/tibiaauto/
CC              |                                         |focht@gmx.net
Component       |-unknown                                 |kernel32
Summary         |Tibia bot crashes when connecting to     |Tibia bot crashes when connecting to
                |tibia process. K32EnumProcessModules+    |tibia process (kernel32
                |0x31() in kernel32                       |K32EnumProcessModules() 'needed' out
                |                                         |parameter needs a check for NULL)
Ever Confirmed  |0                                        |1
--- Comment #10 from Anastasius Focht focht@gmx.net 2012-04-30 15:03:19 CDT --- Hello,
confirming. It seems the app deliberately passes NULL pointer as "out" parameter to K32EnumProcessModules().
--- snip ---
Unhandled exception: page fault on write access to 0x00000000 in 32-bit code (0x7b857856).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7b857856 ESP:00320aa8 EBP:00320b20 EFLAGS:00010202(  R- --  I   - - - )
 EAX:00000000 EBX:00403ec0 ECX:00000000 EDX:0000009c
 ESI:00000000 EDI:00320cf6
Stack dump:
0x00320aa8:  00320abc 0000009c 00000000 0000009c
0x00320ab8:  00000000 0000009c 7bcda22c 00110750
0x00320ac8:  7bcda22c 00163b88 00111998 00110160
0x00320ad8:  00163b88 00000000 7dc00000 7dc340d4
0x00320ae8:  00110000 00000070 00111af0 00403ec0
0x00320af8:  00320b28 7ed50482 00110000 0000000a
Backtrace:
=>0 0x7b857856 K32EnumProcessModules+0x26(process=0x9c, lphModule=0x163b90, cb=0x6c, needed=0x0(nil)) [/home/focht/projects/wine/wine-git/dlls/kernel32/module.c:1178] in kernel32 (0x00320b20)
  1 0x006c7f51 in tibiaauto_util (+0x7f50) (0x00320ba8)
  2 0x006c7cc4 in tibiaauto_util (+0x7cc3) (0x00320bc4)
  3 0x006c805a in tibiaauto_util (+0x8059) (0x00320be0)
  4 0x006c3ff4 in tibiaauto_util (+0x3ff3) (0x00320c40)
  5 0x006d42c7 in tibiaauto_util (+0x142c6) (0x00320c4c)
  ...
0x7b857856 K32EnumProcessModules+0x26 [/home/focht/projects/wine/wine-git/dlls/kernel32/module.c:1178] in kernel32: movl $0x0,0x0(%eax)
1178    *needed = 0;
Modules:
Module  Address            Debug info  Name (95 modules)
PE        400000-  49d000  Export      tibiaauto
PE        6c0000-  717000  Export      tibiaauto_util
...
Threads:
process  tid      prio (all id:s are in hex)
00000008 (D) C:\Program Files\Tibia Auto\tibiaauto.exe
        00000009    0 <==
--- snip ---
Injector code (annotated):
--- snip ---
006C7F08  MOV DWORD PTR SS:[LOCAL.5],0
006C7F0F  LEA EDX,[LOCAL.5]
006C7F12  PUSH EDX                                  ; arg4 => needed = offset [LOCAL.5]
006C7F13  PUSH 0                                    ; arg3 => cb = 0
006C7F15  PUSH 0                                    ; arg2 => lphModule = 0
006C7F17  MOV EAX,DWORD PTR SS:[LOCAL.2]
006C7F1A  PUSH EAX                                  ; arg1 => process
006C7F1B  CALL <JMP.&PSAPI.EnumProcessModules>
006C7F20  MOV ECX,DWORD PTR SS:[LOCAL.5]
006C7F23  SHR ECX,2
006C7F26  MOV DWORD PTR SS:[LOCAL.5],ECX
006C7F29  PUSH 4                                    ; elementsize = 4
006C7F2B  MOV EDX,DWORD PTR SS:[LOCAL.5]
006C7F2E  PUSH EDX
006C7F2F  CALL DWORD PTR DS:[<&MSVCRT.calloc>]
006C7F35  ADD ESP,8
006C7F38  MOV DWORD PTR SS:[LOCAL.6],EAX
006C7F3B  PUSH 0                                    ; arg4 => needed = 0 (!)
006C7F3D  MOV EAX,DWORD PTR SS:[LOCAL.5]
006C7F40  SHL EAX,2
006C7F43  PUSH EAX                                  ; arg3 => cb
006C7F44  MOV ECX,DWORD PTR SS:[LOCAL.6]
006C7F47  PUSH ECX                                  ; arg2 => lphModule
006C7F48  MOV EDX,DWORD PTR SS:[LOCAL.2]
006C7F4B  PUSH EDX                                  ; arg1 => process
006C7F4C  CALL <JMP.&PSAPI.EnumProcessModules>
006C7F51  MOV DWORD PTR SS:[LOCAL.4],0
--- snip ---
Source: http://source.winehq.org/git/wine.git/blob/d08f34cd8ecd883a0f0c6bd9b150d9240...
--- snip ---
1169 BOOL WINAPI K32EnumProcessModules(HANDLE process, HMODULE *lphModule,
1170                                   DWORD cb, DWORD *needed)
1171 {
1172     MODULE_ITERATOR iter;
1173     INT ret;
1174
1175     if (!init_module_iterator(&iter, process))
1176         return FALSE;
1177
1178     *needed = 0;
1179
1180     while ((ret = module_iterator_next(&iter)) > 0)
1181     {
1182         if (cb >= sizeof(HMODULE))
1183         {
1184             *lphModule++ = iter.ldr_module.BaseAddress;
1185             cb -= sizeof(HMODULE);
1186         }
1187         *needed += sizeof(HMODULE);
1188     }
1189
1190     return ret == 0;
1191 }
--- snip ---
$ du -sh python-2.4.4.msi
9.3M    python-2.4.4.msi

$ sha1sum python-2.4.4.msi
38fbfd0250a8d72b1557986417f431e482fafdec  python-2.4.4.msi

$ du -sh tibia952.exe
30M     tibia952.exe

$ sha1sum tibia952.exe
f291c573c19beba762484d32c4f249b4487d6fe7  tibia952.exe

$ du -sh TibiaAutoSetup_2_19_2.exe
2.7M    TibiaAutoSetup_2_19_2.exe

$ sha1sum TibiaAutoSetup_2_19_2.exe
b200340b96adb7a0318653dd9996156d51b634c3  TibiaAutoSetup_2_19_2.exe

$ wine --version
wine-1.5.3-39-gd2581e6
Regards
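The defect described in comment #10, as an added C example that is not part of the bug report and not Wine's own code: the injector calls EnumProcessModules twice, first with lphModule = NULL and cb = 0 to size the array, then with a calloc'd buffer and needed = NULL, and Wine's implementation at the time wrote *needed = 0 unconditionally. The example reimplements the function with the NULL check the summary asks for, against a constructed module list standing in for the loader list that init_module_iterator/module_iterator_next walk in Wine; the Win32 typedefs, the fake_modules array and the helper names are assumptions for this host-native build and do not come from Wine or Tibia Auto.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Host-native stand-ins for the Win32 types (assumption: on this 64-bit
   build HMODULE is 8 bytes, whereas the 32-bit injector above uses 4). */
typedef int BOOL;
typedef unsigned long DWORD;
typedef void *HMODULE;
typedef void *HANDLE;
#define TRUE 1
#define FALSE 0

/* Constructed module base addresses standing in for the PEB loader list. */
static const uintptr_t fake_modules[] = { 0x00400000, 0x006c0000, 0x7b810000, 0x7bc10000 };
#define FAKE_MODULE_COUNT (sizeof(fake_modules) / sizeof(fake_modules[0]))

typedef struct {
    HANDLE process;
    size_t index;
} MODULE_ITERATOR;

/* Mirrors the FALSE return path of Wine's init_module_iterator for a bad handle. */
static BOOL init_module_iterator(MODULE_ITERATOR *iter, HANDLE process)
{
    if (!process) return FALSE;
    iter->process = process;
    iter->index = 0;
    return TRUE;
}

/* Returns 1 and sets *base while modules remain, 0 at end of list. */
static int module_iterator_next(MODULE_ITERATOR *iter, HMODULE *base)
{
    if (iter->index >= FAKE_MODULE_COUNT) return 0;
    *base = (HMODULE)fake_modules[iter->index++];
    return 1;
}

/* Hardened variant of K32EnumProcessModules: 'needed' may be NULL, as the
   Tibia Auto injector passes it on its second call.  The byte count is kept
   in a local and only written out at the end when a pointer was supplied. */
BOOL K32EnumProcessModules_fixed(HANDLE process, HMODULE *lphModule, DWORD cb, DWORD *needed)
{
    MODULE_ITERATOR iter;
    HMODULE base;
    int ret;
    DWORD count = 0;

    if (!init_module_iterator(&iter, process))
        return FALSE;

    while ((ret = module_iterator_next(&iter, &base)) > 0)
    {
        if (cb >= sizeof(HMODULE))      /* only store while the caller's buffer has room */
        {
            *lphModule++ = base;
            cb -= sizeof(HMODULE);
        }
        count += sizeof(HMODULE);       /* total size required, whether or not it fit */
    }

    if (needed) *needed = count;
    return ret == 0;
}

/* The two-call pattern from the annotated injector disassembly: size the
   array with (NULL, 0, &needed), calloc it, then fill it with needed = NULL.
   Returns the module count and hands back the array, or -1 on failure. */
int enumerate_like_injector(HANDLE process, HMODULE **out)
{
    DWORD needed = 0;
    HMODULE *mods;
    DWORD n;

    if (!K32EnumProcessModules_fixed(process, NULL, 0, &needed))
        return -1;
    n = needed / sizeof(HMODULE);       /* the SHR ECX,2 step, sized for this host */
    mods = calloc(n, sizeof(HMODULE));
    if (!mods) return -1;
    if (!K32EnumProcessModules_fixed(process, mods, n * sizeof(HMODULE), NULL))
    {
        free(mods);
        return -1;
    }
    *out = mods;
    return (int)n;
}

int main(void)
{
    HMODULE *mods = NULL;
    int n = enumerate_like_injector((HANDLE)1, &mods);   /* assumed dummy handle */
    for (int i = 0; i < n; i++)
        printf("module %d at %p\n", i, mods[i]);
    free(mods);
    return n < 0;
}
```

With the unpatched code in the snippet above, the second call would fault exactly as the register dump shows (EAX = 0, write to 0x00000000 at module.c:1178); with the local accumulator the second call succeeds and the first call still reports the size it always did.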
--- Comment #11 from Stefan Leichter Stefan.Leichter@camLine.com 2012-05-17 03:56:25 CDT --- http://source.winehq.org/patches/data/86358
--- Comment #12 from Stefan Leichter Stefan.Leichter@camLine.com 2012-06-22 11:08:48 CDT --- Should be fixed by http://source.winehq.org/git/wine.git/commit/c0e72bb3626a7ba8090ee07cc0aa88c...
Alexandre Julliard julliard@winehq.org changed:
What            |Removed    |Added
----------------+-----------+------------------------------------------
Fixed by SHA1   |           |c0e72bb3626a7ba8090ee07cc0aa88cd5c8b7f9e
Status          |NEW        |RESOLVED
Resolution      |           |FIXED
--- Comment #13 from Alexandre Julliard julliard@winehq.org 2012-06-22 11:56:20 CDT --- Fixed.
Alexandre Julliard julliard@winehq.org changed:
What            |Removed    |Added
----------------+-----------+----------
Status          |RESOLVED   |CLOSED
--- Comment #14 from Alexandre Julliard julliard@winehq.org 2012-06-22 13:30:11 CDT --- Closing bugs fixed in 1.5.7.
Anastasius Focht focht@gmx.net changed:
What            |Removed    |Added
----------------+-----------+-------------
Keywords        |           |obfuscation