https://bugs.winehq.org/show_bug.cgi?id=44803
Bug ID: 44803
Summary: Age of Empires II Forgotten Empires crashes "Unhandled privileged instruction"
Product: Wine
Version: 3.4
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: raphael.nestler@gmail.com
Distribution: ---

Created attachment 60841
--> https://bugs.winehq.org/attachment.cgi?id=60841
Log from the console
Since a day ago, Age of Empires II Forgotten Empires crashes on startup with the message "wine: Unhandled privileged instruction at address 0x7e2c5895 (thread 00ce), starting debugger...". See the attached log for more details.
--- Comment #1 from Raphael raphael.nestler@gmail.com --- It doesn't happen anymore. The only thing I could imagine being the reason is the connected WiFi network, whose SSID contained some special characters. But I couldn't reproduce this issue by setting up a hot-spot with a similar SSID.
tokktokk fdsfgs@krutt.org changed:
  What    |Removed  |Added
  CC      |         |fdsfgs@krutt.org
--- Comment #2 from Alistair Leslie-Hughes leslie_alistair@hotmail.com --- At a guess, install DirectPlay.
Raphael raphael.nestler@gmail.com changed:
  What                        |Removed  |Added
  Attachment #60841 is obsolete|0        |1

--- Comment #3 from Raphael raphael.nestler@gmail.com --- Created attachment 61350
--> https://bugs.winehq.org/attachment.cgi?id=61350
Log with wine 3.7

The crash happened again; this time I tested with wine 3.7.
--- Comment #4 from Raphael raphael.nestler@gmail.com --- (In reply to Alistair Leslie-Hughes from comment #2)
> At a guess install DirectPlay.
I have DirectPlay installed with winetricks.
Anastasius Focht focht@gmx.net changed:
  What    |Removed  |Added
  CC      |         |focht@gmx.net
--- Comment #5 from Anastasius Focht focht@gmx.net --- Hello folks,
I can't reproduce this. Multi-player games work fine with:
* Wine 3.4 (initially reported for)
* Wine 3.7
* Wine 4.5 (most recent)

In your attached log it looks like the 'ws2_32.dll.WS_Bind' entry point has been corrupted. I've checked with my setup and don't see a reason why such a thing could happen. That API entry doesn't get hooked by the game.
Are you sure the WINEPREFIX hasn't been reused with other software installations, or even worse infected with malware? Most malware (trojans) love to hook 'ws2_32.dll' .. for reasons ;-)
I run a special build which makes hooking of API entry points easier in case of no explicit hotpatch prolog. Various app/game hook engines struggle with Wine's default '-fPIC' entry code or (distro) Gcc settings such as '-fcf-protection' (ENDBR32).
Started multi-player game (Internet) and attached debugger:
--- snip ---
$ winedbg
Wine-dbg>info process
 pid      threads  executable (all id:s are in hex)
 00000027 4        'explorer.exe'
 0000000e 5        'services.exe'
 00000020 4        _ 'winedevice.exe'
 0000001b 3        _ 'plugplay.exe'
 00000011 4        _ 'winedevice.exe'
 00000008 15       'age2_x2.exe'
 00000043 5        _ 'dplaysvr.exe'
Wine-dbg>attach 0x8
Wine-dbg>info thread
process  tid      prio (all id:s are in hex)
00000008 (D) C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\age2_x2.exe
 0000004c 15
 0000004b  0
 00000049  0
 00000042  1
 00000041  1
 00000040  0
 0000003f  0
 0000003e 15
 0000003d  1
 00000035  0
 00000034  0
 00000032 15
 00000031  0
 00000030  0
 00000009  0 <==

Wine-dbg>info share
Module   Address               Debug info  Name (173 modules)
PE         3b0000-   3bb000   Deferred        dpnhpast
PE         400000-   7e6000   Export          age2_x2
PE         f40000-   ffa000   Deferred        language_x1_p1
PE        9cb0000-  9d2a000   Deferred        language
PE       10000000-10053000   Deferred        language_x1
PE       5df00000-5df16000   Deferred        dpwsockx
PE       5e080000-5e0bb000   Deferred        dplayx
ELF      7994a000-79a27000   Deferred        crypt32<elf>
  -PE    79960000-79a27000   \               crypt32
ELF      79a27000-79ae2000   Deferred        msvcrt<elf>
  -PE    79a50000-79ae2000   \               msvcrt
ELF      79ae2000-79c00000   Deferred        quartz<elf>
  -PE    79b10000-79c00000   \               quartz
ELF      79db8000-7a800000   Deferred        i965_dri.so
ELF      7a800000-7a949000   Deferred        opengl32<elf>
  -PE    7a840000-7a949000   \               opengl32
...
Wine-dbg>disas WS_Bind
0x7deb9080 WS_bind [/home/focht/projects/wine/mainline-src-3.7/dlls/ws2_32/socket.c:3299] in ws2_32: leal 0x4(%esp),%ecx
0x7deb9084 WS_bind+0x4 [/home/focht/projects/wine/mainline-src-3.7/dlls/ws2_32/socket.c:3299] in ws2_32: andl $-16,%esp
0x7deb9087 WS_bind+0x7 [/home/focht/projects/wine/mainline-src-3.7/dlls/ws2_32/socket.c:3299] in ws2_32: pushl 0xfffffffc(%ecx)
0x7deb908a WS_bind+0xa [/home/focht/projects/wine/mainline-src-3.7/dlls/ws2_32/socket.c:3299] in ws2_32: pushl %ebp
0x7deb908b WS_bind+0xb [/home/focht/projects/wine/mainline-src-3.7/dlls/ws2_32/socket.c:3299] in ws2_32: movl %esp,%ebp
0x7deb908d WS_bind+0xd [/home/focht/projects/wine/mainline-src-3.7/dlls/ws2_32/socket.c:3299] in ws2_32: pushl %ebx
0x7deb908e WS_bind+0xe [/home/focht/projects/wine/mainline-src-3.7/dlls/ws2_32/socket.c:3299] in ws2_32: pushl %ecx
0x7deb908f WS_bind+0xf [/home/focht/projects/wine/mainline-src-3.7/dlls/ws2_32/socket.c:3299] in ws2_32: subl $0xd0,%esp
0x7deb9095 WS_bind+0x15 [/home/focht/projects/wine/mainline-src-3.7/dlls/ws2_32/socket.c:3299] in ws2_32: movl %ecx,%ebx
0x7deb9097 WS_bind+0x17 [/home/focht/projects/wine/mainline-src-3.7/dlls/ws2_32/socket.c:3300] in ws2_32: subl $4,%esp
...
--- snip ---
The entry point is untouched and valid code. And yes, it gets called multiple times.
$ wine --version
wine-4.5
Regards
--- Comment #6 from Raphael raphael.nestler@gmail.com --- Hi Anastasius,
> Are you sure the WINEPREFIX hasn't been reused with other software installations, or even worse infected with malware?
> Most malware (trojans) love to hook 'ws2_32.dll' .. for reasons ;-)
I use PlayOnLinux to manage WINEPREFIXes and have a separate one for AoFe. I hope that it wasn't infected by malware ;)
One suspicion I had was that the crash is related to whether UPnP (https://en.wikipedia.org/wiki/Universal_Plug_and_Play) is enabled on the router or not. The crash only happens when the router in the network has UPnP enabled.
Could it be that having UPnP enabled could trigger some different code paths?
Regards
--- Comment #7 from Anastasius Focht focht@gmx.net --- Hello Raphael,
--- quote ---
Could it be that having UPnP enabled could trigger some different code paths?
--- quote ---

well, that important information was missing in the initial comments.

I checked the modules list from your backtrace again and indeed there is a module 'miniupnpc.dll' mapped into process space that I don't have with a default AOE2/Expansion sets install.
Your backtrace:
--- snip ---
...
wine: Unhandled privileged instruction at address 0x7e23f895 (thread 0056), starting debugger...
...
Unhandled exception: privileged instruction in 32-bit code (0x7e23f895).
0062:fixme:dbghelp:elf_search_auxv can't find symbol in module
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7e23f895 ESP:00339358 EBP:00339358 EFLAGS:00210206(  R- --  I   - -P- )
 EAX:00000000 EBX:00000128 ECX:003393a0 EDX:00000000
 ESI:003393f8 EDI:00000000
Stack dump:
0x00339358:  003393b4 5df0893c 00000128 003393a0
0x00339368:  00000010 00000000 00000000 0033b81c
0x00339378:  003393f0 00000001 003393e8 00000000
0x00339388:  00000000 7bc3cd96 003393a8 00000001
0x00339398:  00000128 00000000 00000002 00000000
0x003393a8:  00000000 00000000 000023e4 0033b804
Backtrace:
=>0 0x7e23f895 WS_bind+0x5() in ws2_32 (0x00339358)
  1 0x00000000 (0x00339358)
  2 0x5df0893c in dpwsockx (+0x893b) (0x003393b4)
  3 0x5df084a3 in dpwsockx (+0x84a2) (0x0033b804)
  4 0x5e08706e in dplayx (+0x706d) (0x0033b854)
  5 0x5e0872fb in dplayx (+0x72fa) (0x0033b8a0)
  6 0x5e0873e0 in dplayx (+0x73df) (0x0033b8c0)
  7 0x005ccf57 in age2_x2 (+0x1ccf56) (0x0033bb10)
0x7e23f895 WS_bind+0x5 in ws2_32: inb $0xf0,%al
Modules:
Module   Address               Debug info  Name (138 modules)
PE         400000-   7e6000   Export          age2_x2
PE        1050000-  110a000   Deferred        language_x1_p1
PE        9dc0000-  9e51000   Deferred        language
PE       10000000-1005e000   Deferred        language_x1
PE       5df00000-5df16000   Export          dpwsockx
PE       5e080000-5e0bb000   Export          dplayx
PE       6ad80000-6ad95000   Deferred        miniupnpc
...
--- snip ---
This 'miniupnpc' dll seems to be distributed by some unofficial? game patches/installers. I found one installer here: http://jonathanrooke.co.uk/ror/phpbb/viewtopic.php?f=2&t=177
The original 'MiniUPnP' project seems to be here:
http://miniupnp.free.fr/files/
Even with the dll in place and router (Fritzbox) having UPnP enabled I couldn't reproduce the crash.
--- snip ---
...
002b:Call ws2_32.WSAStartup(00000101,0033d188) ret=007db0e4
002b:Ret ws2_32.WSAStartup() retval=00000000 ret=007db0e4
002b:Call KERNEL32.LoadLibraryA(007db720 "age2_x1\miniupnpc.dll") ret=007db0f7
002b:trace:snoop:SNOOP_SetupDLL hmod=0x6ad80000, name=miniupnpc.dll
...
002b:Call PE DLL (proc=0x6ad810c0,module=0x6ad80000 L"miniupnpc.dll",reason=PROCESS_ATTACH,res=(nil))
002b:Call msvcrt.malloc(00000080) ret=6ad8112c
002b:Call ntdll.RtlAllocateHeap(00b10000,00000000,00000080) ret=7d67dd27
002b:Ret ntdll.RtlAllocateHeap() retval=00b11390 ret=7d67dd27
002b:Ret msvcrt.malloc() retval=00b11390 ret=6ad8112c
002b:Call KERNEL32.GetModuleHandleA(6ad8c000 "libgcc_s_dw2-1.dll") ret=6ad811c2
002b:Ret KERNEL32.GetModuleHandleA() retval=00000000 ret=6ad811c2
002b:Call msvcrt.__dllonexit(6ad8123c,6ad8f000,6ad8f010) ret=6ad81051
002b:Call ntdll.RtlReAllocateHeap(00b10000,00000000,00b11390,00000004) ret=7d67de5c
002b:Ret ntdll.RtlReAllocateHeap() retval=00b11390 ret=7d67de5c
002b:Ret msvcrt.__dllonexit() retval=6ad8123c ret=6ad81051
002b:Call msvcrt.__dllonexit(6ad85d60,6ad8f000,6ad8f010) ret=6ad81051
002b:Call ntdll.RtlReAllocateHeap(00b10000,00000000,00b11390,00000008) ret=7d67de5c
002b:Ret ntdll.RtlReAllocateHeap() retval=00b11390 ret=7d67de5c
002b:Ret msvcrt.__dllonexit() retval=6ad85d60 ret=6ad81051
002b:Ret PE DLL (proc=0x6ad810c0,module=0x6ad80000 L"miniupnpc.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
002b:Ret KERNEL32.LoadLibraryA() retval=6ad80000 ret=007db0f7
002b:Call KERNEL32.GetProcAddress(6ad80000,007db736 "upnpDiscover") ret=007db115
002b:Ret KERNEL32.GetProcAddress() retval=00390220 ret=007db115
002b:Call KERNEL32.GetProcAddress(6ad80000,007db743 "UPNP_GetValidIGD") ret=007db11f
002b:Ret KERNEL32.GetProcAddress() retval=003901a9 ret=007db11f
002b:Call KERNEL32.GetProcAddress(6ad80000,007db754 "UPNP_AddPortMapping") ret=007db12b
002b:Ret KERNEL32.GetProcAddress() retval=00390055 ret=007db12b
002b:Call KERNEL32.GetProcAddress(6ad80000,007db768 "UPNP_DeletePortMapping") ret=007db137
002b:Ret KERNEL32.GetProcAddress() retval=00390088 ret=007db137
002b:Call KERNEL32.GetProcAddress(6ad80000,007db77f "UPNP_GetSpecificPortMappingEntry") ret=007db143
002b:Ret KERNEL32.GetProcAddress() retval=00390143 ret=007db143
002b:Call KERNEL32.GetProcAddress(6ad80000,007db7a0 "FreeUPNPUrls") ret=007db14f
002b:Ret KERNEL32.GetProcAddress() retval=00390011 ret=007db14f
002b:Call KERNEL32.GetProcAddress(6ad80000,007db7ad "freeUPNPDevlist") ret=007db15b
002b:Ret KERNEL32.GetProcAddress() retval=003901cb ret=007db15b
002b:CALL miniupnpc.upnpDiscover(<unknown, check return>) ret=007db1d6
002b:Call ws2_32.socket(00000002,00000002,00000011) ret=6ad8289f
...
002b:Ret ws2_32.socket() retval=0000008c ret=6ad8289f
002b:Call ws2_32.inet_addr(6ad8c66a "223.255.255.255") ret=6ad8294c
002b:Ret ws2_32.inet_addr() retval=ffffffdf ret=6ad8294c
002b:Call iphlpapi.GetBestRoute(ffffffdf,00000000,0033d0ac) ret=6ad82967
...
002b:Ret iphlpapi.GetBestRoute() retval=00000000 ret=6ad82967
...
002b:Call iphlpapi.GetIpAddrTable(00b113a8,0033d10c,00000000) ret=6ad8299e
....
002b:Ret iphlpapi.GetIpAddrTable() retval=0000007a ret=6ad8299e
...
002b:Call iphlpapi.GetIpAddrTable(00b113a8,0033d10c,00000000) ret=6ad829da
...
002b:Ret iphlpapi.GetIpAddrTable() retval=00000000 ret=6ad829da
002b:Call ws2_32.setsockopt(0000008c,00000000,00000009,0033d108,00000004) ret=6ad82a42
...
002b:Ret ws2_32.setsockopt() retval=00000000 ret=6ad82a42
...
002b:Call ws2_32.setsockopt(0000008c,0000ffff,00000004,0033d114,00000004) ret=6ad82abd
002b:Call ntdll.wine_server_handle_to_fd(0000008c,00000000,0033c7ac,00000000) ret=7deacd7b
002b:Ret ntdll.wine_server_handle_to_fd() retval=00000000 ret=7deacd7b
002b:Call ntdll.wine_server_release_fd(0000008c,0000000f) ret=7deacdbf
002b:Ret ntdll.wine_server_release_fd() retval=00000000 ret=7deacdbf
002b:Ret ws2_32.setsockopt() retval=00000000 ret=6ad82abd
002b:Call ws2_32.bind(0000008c,0033d028,00000010) ret=6ad82bab
002b:Call ntdll.wine_server_handle_to_fd(0000008c,00000000,0033c86c,00000000) ret=7deacd7b
002b:Ret ntdll.wine_server_handle_to_fd() retval=00000000 ret=7deacd7b
002b:Call KERNEL32.LoadLibraryA(7decc998 "iphlpapi.dll") ret=7debfba7
002b:Ret KERNEL32.LoadLibraryA() retval=7de70000 ret=7debfba7
002b:Call KERNEL32.GetProcAddress(7de70000,7decc9b0 "GetAdaptersInfo") ret=7debfbdd
002b:Ret KERNEL32.GetProcAddress() retval=7de7d708 ret=7debfbdd
002b:Call iphlpapi.GetAdaptersInfo(00000000,0033c83c) ret=7deb1374
002b:Ret iphlpapi.GetAdaptersInfo() retval=0000006f ret=7deb1374
...
002b:Call iphlpapi.GetAdaptersInfo(0016c908,0033c83c) ret=7deb13bd
...
002b:Ret iphlpapi.GetAdaptersInfo() retval=00000000 ret=7deb13bd
...
002b:Ret ws2_32.bind() retval=00000000 ret=6ad82bab
002b:Call ws2_32.getaddrinfo(6ad8c623 "239.255.255.250",6ad8c68a "1900",0033d0e4,0033d110) ret=6ad82cec
...
002b:Ret ws2_32.getaddrinfo() retval=00000000 ret=6ad82cec
002b:RET miniupnpc.upnpDiscover() retval=00000000 ret=007db1d6
002b:Call ws2_32.WSACleanup() ret=007db2c9
002b:Ret ws2_32.WSACleanup() retval=00000000 ret=007db2c9
...
--- snip ---
That 'miniupnpc' doesn't seem to hook Winsock API.
Where exactly did you get your dll from (link)?
Scan of the dlls I found:
----
From: http://jonathanrooke.co.uk/ror/phpbb/viewtopic.php?f=2&t=177
-> https://www.virustotal.com/gui/file/13c18272374f17c2b644b9a4591bf76d466f3f41...
-> https://www.virustotal.com/gui/file/13c18272374f17c2b644b9a4591bf76d466f3f41...
----
From: http://miniupnp.free.fr/files/download.php?file=upnpc-exe-win32-20150918.zip
-> https://www.virustotal.com/gui/file/621e7d728f1de9adc10673da452036fe7c35ce3d...
-> https://www.virustotal.com/gui/file/621e7d728f1de9adc10673da452036fe7c35ce3d...
----
None of them seem suspicious.
Regards
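The two checks made in comments #5 and #7 above, disassembling the entry point to see whether it has been patched and reading the faulting instruction at WS_bind+0x5, can be done mechanically against the prologue bytes. The following is an added example, not code from this bug report or from Wine: it embeds a constructed copy of the WS_bind prologue (the standard 32-bit x86 encodings of the instructions in the winedbg listing, assumed rather than dumped from the reporter's ws2_32.dll), a length decoder for the small opcode subset such prologues use, and helpers named by me (`x86_insn_len`, `on_insn_boundary`, `safe_resume_offset`, `x86_is_privileged`) that report whether a given offset into the function starts an instruction. One thing it makes concrete: the bytes E4 F0 at offset 5 are the tail of `andl $-16,%esp` and, executed directly, decode as exactly the `inb $0xf0,%al` shown in the crash dump, which is what resuming at +5 inside an otherwise untouched prologue would produce. That reading is mine; the thread itself does not settle what transferred control there.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed copy of the WS_bind prologue from the winedbg listing above:
 * the standard 32-bit x86 encodings of those instructions. Assumed, not
 * dumped from the reporter's ws2_32.dll. */
static const uint8_t ws_bind_prologue[] = {
    0x8D, 0x4C, 0x24, 0x04,             /* +0x00 leal 0x4(%esp),%ecx */
    0x83, 0xE4, 0xF0,                   /* +0x04 andl $-16,%esp      */
    0xFF, 0x71, 0xFC,                   /* +0x07 pushl -0x4(%ecx)    */
    0x55,                               /* +0x0a pushl %ebp          */
    0x89, 0xE5,                         /* +0x0b movl %esp,%ebp      */
    0x53,                               /* +0x0d pushl %ebx          */
    0x51,                               /* +0x0e pushl %ecx          */
    0x81, 0xEC, 0xD0, 0x00, 0x00, 0x00, /* +0x0f subl $0xd0,%esp     */
    0x89, 0xCB,                         /* +0x15 movl %ecx,%ebx      */
    0x83, 0xEC, 0x04,                   /* +0x17 subl $4,%esp        */
};

/* Bytes used by a ModR/M byte plus its SIB and displacement (32-bit mode); 0 = truncated. */
static size_t modrm_len(const uint8_t *p, size_t avail)
{
    unsigned mod, rm;
    size_t n = 1;
    if (avail < 1) return 0;
    mod = p[0] >> 6; rm = p[0] & 7;
    if (mod == 3) return 1;                          /* register operand, no displacement */
    if (rm == 4) {                                   /* SIB byte follows */
        if (avail < 2) return 0;
        n++;
        if (mod == 0 && (p[1] & 7) == 5) n += 4;     /* SIB without base: disp32 */
    } else if (mod == 0 && rm == 5) n += 4;          /* [disp32] */
    if (mod == 1) n += 1;
    if (mod == 2) n += 4;
    return n <= avail ? n : 0;
}

/* Length of one instruction from the opcode subset prologues use; 0 = unknown or truncated. */
size_t x86_insn_len(const uint8_t *p, size_t avail)
{
    uint8_t op;
    size_t m, imm = 0;
    if (avail < 1) return 0;
    op = p[0];
    if ((op >= 0x50 && op <= 0x5F) || op == 0x90 || op == 0xC3 || op == 0xF4 ||
        op == 0xFA || op == 0xFB || (op >= 0xEC && op <= 0xEF))
        return 1;                                    /* push/pop r32, nop, ret, hlt, cli, sti, in/out dx */
    if ((op >= 0xE4 && op <= 0xE7) || op == 0xEB)
        return avail >= 2 ? 2 : 0;                   /* in/out imm8, jmp rel8 */
    if (op == 0xE8 || op == 0xE9 || (op >= 0xB8 && op <= 0xBF))
        return avail >= 5 ? 5 : 0;                   /* call/jmp rel32, mov r32,imm32 */
    switch (op) {
    case 0x83: imm = 1; break;                       /* alu r/m32, imm8 */
    case 0x81: imm = 4; break;                       /* alu r/m32, imm32 */
    case 0x01: case 0x03: case 0x09: case 0x0B: case 0x21: case 0x23: case 0x29:
    case 0x2B: case 0x31: case 0x33: case 0x39: case 0x3B: case 0x85: case 0x89:
    case 0x8B: case 0x8D: case 0xFF: break;          /* alu/mov/lea/test r/m32 forms, push r/m32 */
    default: return 0;
    }
    m = modrm_len(p + 1, avail - 1);
    return (m && 1 + m + imm <= avail) ? 1 + m + imm : 0;
}

/* I/O port, hlt, cli, sti: #GP at ring 3, reported by Wine as "privileged instruction". */
int x86_is_privileged(const uint8_t *p)
{
    return (p[0] >= 0xE4 && p[0] <= 0xE7) || (p[0] >= 0xEC && p[0] <= 0xEF) ||
           p[0] == 0xF4 || p[0] == 0xFA || p[0] == 0xFB;
}

/* Walk instructions from the entry point until reaching `offset`.
 * Returns the boundary reached (>= offset), or 0 if an opcode could not be decoded. */
static size_t walk_to(const uint8_t *code, size_t len, size_t offset)
{
    size_t pos = 0;
    while (pos < offset) {
        size_t n = x86_insn_len(code + pos, len - pos);
        if (n == 0) return 0;
        pos += n;
    }
    return pos;
}

/* 1 if `offset` starts an instruction, 0 if it falls inside one, -1 if undecodable. */
int on_insn_boundary(const uint8_t *code, size_t len, size_t offset)
{
    size_t pos = walk_to(code, len, offset);
    if (pos == 0 && offset != 0) return -1;
    return pos == offset;
}

/* Smallest boundary >= min_bytes: the bytes a trampoline must copy whole before it
 * may resume inside the original function (0 if undecodable). For this prologue a
 * 5-byte jmp patch needs 7, so resuming at +5 lands on the E4 F0 tail of andl. */
size_t safe_resume_offset(const uint8_t *code, size_t len, size_t min_bytes)
{
    return walk_to(code, len, min_bytes);
}
```

Run the helpers against a prologue dumped from the live process (winedbg's `disas` output, as above, is enough to transcribe the bytes). `on_insn_boundary(prologue, len, 5)` returns 0 and `x86_is_privileged(prologue + 5)` returns 1 for this prologue, which matches the fault in the crash dump; `safe_resume_offset(prologue, len, 5)` returns 7, so any hook engine that copies a fixed 5 bytes from this function and jumps back to +5 would misbehave, whereas one that copies whole instructions would jump back to +7.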
Anastasius Focht focht@gmx.net changed:
  What            |Removed      |Added
  Status          |UNCONFIRMED  |NEEDINFO
  Ever confirmed  |0            |1
--- Comment #8 from Anastasius Focht focht@gmx.net --- Hello folks,
please retest with the recent Wine 5.x series, preferably Wine 5.6.
Regards
Linards linards.liepins@gmail.com changed:
  What    |Removed  |Added
  CC      |         |linards.liepins@gmail.com
--- Comment #9 from Linards linards.liepins@gmail.com --- Is the issue still present?
--- Comment #10 from Raphael raphael.nestler@gmail.com ---
> Is the issue still present?
I don't have the original Exe around anymore, so I can't reproduce. So I guess we can close it.
Anastasius Focht focht@gmx.net changed:
  What        |Removed   |Added
  Resolution  |---       |ABANDONED
  Status      |NEEDINFO  |RESOLVED
--- Comment #11 from Anastasius Focht focht@gmx.net --- Hello folks,
resolving 'abandoned' here since no one, including the OP, is able to reproduce.
Regards
André H. nerv@dawncrow.de changed:
  What    |Removed   |Added
  Status  |RESOLVED  |CLOSED
  CC      |          |nerv@dawncrow.de
--- Comment #12 from André H. nerv@dawncrow.de --- closing abandoned