http://bugs.winehq.org/show_bug.cgi?id=34698
Bug #: 34698
Summary: QQGame 2011 can't load
Product: Wine
Version: 1.7.3
Platform: x86-64
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: litimetal@gmail.com
Classification: Unclassified
0. download QQGame 2011, sha1sum a23fb83eb2fa94d5b04d0020df5b4df64f1dac74
1. winetricks cjkfonts && export LC_ALL=zh_CN.utf8
2. wine QQGame2011ReleaseP7_setup_web.EXE to install it
3. go to the directory of QQGAME, type wine QQGame.exe
4. terminal output:

err:module:attach_process_dlls "TenSLX.dll" failed to initialize, aborting
err:module:LdrInitializeThunk Main exe initialization for L"C:\Program Files\QQGAME\QQGame.exe" failed, status c0000005
lizhenbo litimetal@gmail.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Keywords      |        |download
URL           |        |http://dldir3.qq.com/minigamefile/QQGame2011ReleaseP7_setup_web.EXE
--- Comment #1 from lizhenbo litimetal@gmail.com 2013-10-14 23:39:09 CDT ---
winetricks -q ie7 seems to work around this bug, but QQGame crashed after that. I'm wondering if it is another bug.
lizhenbo litimetal@gmail.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Blocks        |        |34729
Qian Hong fracting@gmail.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
CC            |        |fracting@gmail.com

--- Comment #2 from Qian Hong fracting@gmail.com 2013-12-01 10:49:42 CST ---
It looks strange that winetricks ie7 could work around this bug; for me with wine-1.7.7, native msvcrt works around the bug.

Zhenbo, could you double check whether native ie7 works around the bug for you?
--- Comment #3 from lizhenbo litimetal@gmail.com 2013-12-02 18:27:54 CST ---
(In reply to comment #2)
> It looks strange that winetricks ie7 could work around this bug; for me with wine-1.7.7, native msvcrt works around the bug.
>
> Zhenbo, could you double check whether native ie7 works around the bug for you?

I'm not sure. Native ie7 changes the terminal output, but I don't know if it is a workaround.
--- Comment #4 from Qian Hong fracting@gmail.com 2013-12-02 23:48:16 CST ---
(In reply to comment #3)
> (In reply to comment #2)
> > It looks strange that winetricks ie7 could work around this bug; for me with wine-1.7.7, native msvcrt works around the bug.
> >
> > Zhenbo, could you double check whether native ie7 works around the bug for you?
>
> I'm not sure. Native ie7 changes the terminal output, but I don't know if it is a workaround.

Changing the terminal output is not a workaround.
--- Comment #5 from Qian Hong fracting@gmail.com 2013-12-03 00:02:41 CST ---
Created attachment 46710 --> http://bugs.winehq.org/attachment.cgi?id=46710
Log: +relay,+seh,+module,+msvcrt
Qian Hong fracting@gmail.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Component     |-unknown|msvcrt

--- Comment #6 from Qian Hong fracting@gmail.com 2013-12-03 00:07:18 CST ---
Assume component msvcrt, worked around by native msvcrt.

Related logs:

002c:warn:module:load_dll Failed to load module L"BugTrace.dll"; status=c0000135
002c:Ret KERNEL32.LoadLibraryA() retval=00000000 ret=101796fe
002c:Call msvcrt.??2@YAPAXI@Z(00000164) ret=1013ac2e
002c:Call ntdll.RtlAllocateHeap(00110000,00000000,00000164) ret=7eb53b66
002c:Ret ntdll.RtlAllocateHeap() retval=00162420 ret=7eb53b66
002c:trace:msvcrt:MSVCRT_operator_new (356) returning 0x162420
002c:Ret msvcrt.??2@YAPAXI@Z() retval=00162420 ret=1013ac2e
002c:trace:seh:raise_exception code=c0000005 flags=0 addr=0x1000c886 ip=1000c886 tid=002c
002c:trace:seh:raise_exception info[0]=00000000
002c:trace:seh:raise_exception info[1]=00000000
002c:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=00160dd4 edx=1009af34 esi=00162420 edi=00160dd0
002c:trace:seh:raise_exception ebp=00000000 esp=0032fb98 cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00210206
002c:trace:seh:call_stack_handlers calling handler at 0x10098763 code=c0000005 flags=0
002c:trace:seh:call_stack_handlers handler at 0x10098763 returned 1
002c:trace:seh:call_stack_handlers calling handler at 0x7bca3d06 code=c0000005 flags=0
002c:trace:seh:__regs_RtlUnwind code=c0000005 flags=2
002c:trace:seh:__regs_RtlUnwind calling handler at 0x7bc85e6b code=c0000005 flags=2
002c:trace:seh:__regs_RtlUnwind handler at 0x7bc85e6b returned 1
002c:trace:seh:__regs_RtlUnwind calling handler at 0x10098763 code=c0000005 flags=2
002c:trace:seh:cxx_local_unwind calling unwind handler 0x10098750 trylevel 0 last -1 ebp 0x32fbf4
002c:Call msvcrt.??3@YAXPAX@Z(00000000) ret=10035181
002c:trace:msvcrt:MSVCRT_operator_delete ((nil))
002c:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7eb53d30
002c:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7eb53d30
002c:Ret msvcrt.??3@YAXPAX@Z() retval=00000001 ret=10035181
002c:trace:seh:__regs_RtlUnwind handler at 0x10098763 returned 1
002c:exception in PE entry point (proc=0x100782e7,module=0x10000000,reason=PROCESS_ATTACH,res=0x1)
002c:Ret PE DLL (proc=0x100782e7,module=0x10000000 L"TenSLX.dll",reason=PROCESS_ATTACH,res=0x1) retval=0
002c:Call PE DLL (proc=0x100782e7,module=0x10000000 L"TenSLX.dll",reason=PROCESS_DETACH,res=0x1)
002c:Call msvcrt.free(00160cd8) ret=100782d8
002c:Call ntdll.RtlFreeHeap(00110000,00000000,00160cd8) ret=7eb543db
002c:Ret ntdll.RtlFreeHeap() retval=00000000 ret=7eb543db
002c:Ret msvcrt.free() retval=00000000 ret=100782d8
002c:Ret PE DLL (proc=0x100782e7,module=0x10000000 L"TenSLX.dll",reason=PROCESS_DETACH,res=0x1) retval=1
002c:warn:module:process_attach Initialization of L"TenSLX.dll" failed
002c:trace:module:process_attach (L"TenSLX.dll",0x1) - END
002c:trace:module:process_attach (L"QQGame.exe",0x1) - END
002c:err:module:attach_process_dlls "TenSLX.dll" failed to initialize, aborting
--- Comment #7 from lizhenbo litimetal@gmail.com 2013-12-03 03:38:38 CST ---
(In reply to comment #6)
> Assume component msvcrt, worked around by native msvcrt.

To be more specific, I need to run winetricks -q vcrun6, then set msvcrt to native in winecfg to work around it. Is it the same for you?
--- Comment #8 from Qian Hong fracting@gmail.com 2013-12-03 09:24:42 CST ---
(In reply to comment #7)
> (In reply to comment #6)
> > Assume component msvcrt, worked around by native msvcrt.
>
> To be more specific, I need to run winetricks -q vcrun6, then set msvcrt to native in winecfg to work around it. Is it the same for you?

Right :)
Piotr Caban piotr.caban@gmail.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
CC            |        |piotr.caban@gmail.com

--- Comment #9 from Piotr Caban piotr.caban@gmail.com ---
It's crashing because the application is broken. It even crashes on Windows sometimes.

What happens in the application:

0009:Call KERNEL32.LocalAlloc(00000042,000006c4) ret=1003e3da
0009:Ret KERNEL32.LocalAlloc() retval=00119ec2 ret=1003e3da
0009:Call version.GetFileVersionInfoA(...,00119ec2) ret=1003e3f2

The application allocates movable memory. Later it accesses it without a call to the LocalLock function.

Native msvcrt hides the bug (the application still sometimes crashes) because it uses a different heap in its malloc implementation.
Anastasius Focht focht@gmx.net changed:
What          |Removed    |Added
----------------------------------------------------------------------------
Status        |UNCONFIRMED|NEW
CC            |           |focht@gmx.net
Ever confirmed|0          |1

--- Comment #10 from Anastasius Focht focht@gmx.net ---
Hello folks,

--- quote ---
Piotr:

The application allocates movable memory. Later it accesses it without a call to the LocalLock function.

Native msvcrt hides the bug (the application still sometimes crashes) because it uses a different heap in its malloc implementation.
--- quote ---

yep, that's the problem.

The memory block returned by LocalAlloc() is a small heap management structure (GLOBAL32_INTERN), but the application abuses it as a direct buffer.

The heap management block is located near (before) the important buffer which contains class members/data, allocated early in dll init. The GetFileVersionInfoA() data size overlaps with the adjacent buffer(s), thus destroying this data during retrieval.

It also destroys the adjacent 'Flags' and 'LockCount' members of the GLOBAL32_INTERN management block itself, because they live after the 'Pointer' member which is returned as the handle (at least Wine has this structure layout).

Possible solutions:

* GlobalAlloc() allocator gets a different (private) heap
* maybe even separating the pointer- and handle-based allocators with their own heaps
* have the GLOBAL32_INTERN heap management structure layout changed, with 'Pointer' being the last member

There is still the possibility of breakage because the adjacent GLOBAL32_INTERN blocks would still be susceptible to overwrites when being abused as a direct memory block.

Tidbit: The dll in question and others are wrapped with the 'VMProtect v.1.25 - 1.x (demo) 2003-2006 PolyTech - www.polytech.ural.ru' software protection scheme, probably in an attempt to hide the horrible code, but Wine reveals everything ;-)

Regards
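The defect that comments #9 and #10 describe (a moveable LocalAlloc handle used as if it were the data buffer) is easy to reproduce in a small model. The following C program is an added example, not code from the bug report, from Wine, or from the application: it builds a hypothetical handle-based allocator whose management block follows the layout comment #10 attributes to Wine (Pointer first, then Flags and LockCount), places that block in the same bump arena as a neighbouring "class data" structure, and then runs the same 0x6c4-byte write both through LocalLock (correct) and through the handle itself (the bug). The arena, the `handle_block` type, the Magic marker and all `sim_*` names are constructed for this example and are not Wine's GLOBAL32_INTERN or any real API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a handle-based LocalAlloc(LMEM_MOVEABLE) allocator.
 * It follows the member order described in comment #10 (Pointer first, Flags
 * and LockCount after it) but is NOT Wine's GLOBAL32_INTERN or any real code. */
typedef struct {
    void    *Pointer;    /* address of the real data block */
    uint8_t  Flags;      /* sits after Pointer, so a write through the handle clobbers it */
    uint8_t  LockCount;  /* likewise */
    uint16_t Magic;      /* constructed sanity marker so corruption is detectable */
} handle_block;

#define HB_MAGIC               0x4d41u
#define HB_MOVEABLE            0x01u
#define LMEM_MOVEABLE_ZEROINIT 0x42u   /* flag value seen in the relay log above */

/* Management blocks and application data share one "process heap" (a bump
 * arena), so a handle's management block sits right before whatever the
 * application allocates next, as the report describes. */
static unsigned char arena[4096];
static size_t arena_used;

static void arena_reset(void) { memset(arena, 0, sizeof arena); arena_used = 0; }

static void *arena_alloc(size_t size) {
    size = (size + 7) & ~(size_t)7;
    if (arena_used + size > sizeof arena) return NULL;
    void *p = arena + arena_used;
    arena_used += size;
    return p;
}

/* Modelled LocalAlloc(LMEM_MOVEABLE|...): the return value is a handle to the
 * management block, not the data buffer; the data lives elsewhere. */
handle_block *sim_local_alloc(unsigned flags, size_t size) {
    if (!(flags & 0x02)) return NULL;   /* only the moveable path is modelled */
    handle_block *hb = arena_alloc(sizeof *hb);
    if (!hb) return NULL;
    hb->Pointer = calloc(1, size);      /* zero-filled like LMEM_ZEROINIT */
    if (!hb->Pointer) return NULL;
    hb->Flags = HB_MOVEABLE;
    hb->LockCount = 0;
    hb->Magic = HB_MAGIC;
    return hb;
}

/* Modelled LocalLock: the only supported way to turn a moveable handle into a pointer. */
void *sim_local_lock(handle_block *h) {
    if (!h || h->Magic != HB_MAGIC) return NULL;
    h->LockCount++;
    return h->Pointer;
}

void sim_local_unlock(handle_block *h) {
    if (h && h->Magic == HB_MAGIC && h->LockCount) h->LockCount--;
}

int sim_handle_intact(const handle_block *h) {
    return h && h->Magic == HB_MAGIC && (h->Flags & HB_MOVEABLE) && h->LockCount == 0;
}

/* Stand-in for the DLL's class data that lives next to the management block. */
typedef struct { char name[32]; int member_count; } app_state;

/* Runs one scenario and returns a bitmask: 0 = everything intact,
 * 1 = management block corrupted, 2 = neighbouring app data corrupted. */
int demo(int use_lock) {
    const size_t size = 0x6c4;   /* same request size as in the relay log */
    arena_reset();
    handle_block *h = sim_local_alloc(LMEM_MOVEABLE_ZEROINIT, size);
    app_state *st = arena_alloc(sizeof *st);
    if (!h || !st) return -1;
    void *data = h->Pointer;     /* saved only so cleanup works after corruption */
    strcpy(st->name, "class data");
    st->member_count = 7;

    if (use_lock) {
        /* correct pattern: lock, use the returned pointer, unlock */
        unsigned char *p = sim_local_lock(h);
        if (p) { memset(p, 0xAB, size); sim_local_unlock(h); }
    } else {
        /* the bug from the report: the handle itself is used as the buffer, so
         * the write runs over the management block and its neighbours */
        memset((unsigned char *)h, 0xAB, size);
    }

    int result = 0;
    if (!sim_handle_intact(h)) result |= 1;
    if (strcmp(st->name, "class data") != 0 || st->member_count != 7) result |= 2;
    free(data);
    return result;
}

int main(void) {
    printf("lock/unlock pattern -> %d\n", demo(1));   /* 0: nothing damaged */
    printf("handle-as-buffer    -> %d\n", demo(0));   /* 3: handle and neighbour clobbered */
    return 0;
}
```

The locked path leaves both the management block and the neighbouring structure untouched; the handle-as-buffer path overwrites Flags, LockCount and the marker as well as the data allocated after it, which is the failure mode the report attributes to TenSLX.dll. The model also shows why comment #10's third suggestion (moving 'Pointer' to the end of the structure) only narrows the damage: the write still runs past the management block into whatever the allocator placed next.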
Johan Gardhage johan.gardhage@gmail.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
CC            |        |johan.gardhage@gmail.com
Anastasius Focht focht@gmx.net changed:
What          |Removed               |Added
----------------------------------------------------------------------------
Fixed by SHA1 |                      |d48314c8a50a69538985a8ce273fba1611585fbe
Status        |NEW                   |RESOLVED
Resolution    |---                   |FIXED
Summary       |QQGame 2011 can't load|QQGame 2011 can't load (broken app uses LocalAlloc handle as direct buffer without prior locking)

--- Comment #11 from Anastasius Focht focht@gmx.net ---
Hello folks,

this is fixed (or rather "worked around") by commit http://source.winehq.org/git/wine.git/commitdiff/d48314c8a50a69538985a8ce273...

Thanks Piotr

'TenSLX.dll' (wrapped with VMProtect) successfully initializes now.

Regards
Alexandre Julliard julliard@winehq.org changed:
What          |Removed |Added
----------------------------------------------------------------------------
Status        |RESOLVED|CLOSED

--- Comment #12 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.18.