http://bugs.winehq.org/show_bug.cgi?id=10249
Summary: Battlefield2/SafeDisc 4.x and Punkbuster services cause lockup: child processes debugging misconception
Product: Wine
Version: CVS/GIT
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: wine-kernel
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Created an attachment (id=8876) --> (http://bugs.winehq.org/attachment.cgi?id=8876)
WINEDEBUG=-all,+server,+tid,+loaddll,+seh wine ./BF2.exe +fullscreen 0 +szx 800 +szy 600 &>/tmp/debug_pipe
Hello,
while testing some PunkBuster stuff on popular games, I came across Battlefield 2, which employs SafeDisc 4.x. It seems there is a problem with debuggers in chained child processes.
Consider the following scenario:
--- snip process list ---
pid      threads  parent    executable  (all id:s are in hex)
0000001b 1        00000008  'PnkBstrA.exe'
0000000c 2        00000008  'explorer.exe'
0000000a 2        00000008  '~e5.0001'
00000008 4        00000000  'BF2.exe'
--- snip process list ---
--- snip thread list ---
process   tid       prio  (all id:s are in hex)
0000001b  0000001c  0
0000000c  00000010  0
          0000000d  0
0000000a  00000012  0
          0000000b  0
00000008  0000001a  1
          00000014  15
          00000013  0
          00000009  0
--- snip thread list ---
"BF2.exe"      = parent (game)
"~e5.0001"     = 1st child = SafeDisc 4.x process = "debugger"
"PnkBstrA.exe" = 2nd child = PunkBuster Update Service
The 1st child acts as debugger for the parent "BF2.exe" and receives all debug events (process, thread creation, dll load/unload...). There are lots of breakpoint events triggered from the parent. This is part of SafeDisc 4.x and used for on-the-fly decryption of code sections (child decrypts code of father).
When PunkBuster is initialized (loading of pbcl = client, pbag = agent), the following services should get started: PnkBstrA.exe, PnkBstrB.exe and finally the kmode driver PnkBstrK.exe. The service process "PnkBstrA.exe" is started from the main process "BF2.exe" (which is a debuggee itself). No debug flags (DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS) are specified in the process creation flags. The debugger (child of parent, receives the process creation event) does not make debugger_attach() to the newly created child process.
The child process seems to inherit the state of being a "debuggee": wine server -> new_process -> set_process_debugger( process, parent->debugger ); The parent got its process->debugger from debugger_attach().
This leads to a problem in the child process startup code: "dlls/kernel32/process.c:start_process()" checks the PEB->BeingDebugged field and, if set, a system breakpoint is encountered before the entry code is called. This breakpoint results in a debug event, seen by the debugger. Unfortunately this event is _not_ expected by the debugger because it didn't expect another debuggee (child) to be created.
Ok, long story short, the solution: If you debug a process by attaching to an already created process, you _must_ treat default debugging flags as if the process had been created with DEBUG_ONLY_THIS_PROCESS, meaning that all children created by the debuggee will NOT automagically become debuggees.
Short and (hopefully) acceptable patch snippet:
--- snip ---
diff --git a/server/debugger.c b/server/debugger.c index a64a17a..c59f3a0 100644 --- a/server/debugger.c +++ b/server/debugger.c @@ -444,6 +444,7 @@ static int debugger_attach( struct process *process, struct thread *debugger ) resume_process( process ); return 0; } + process->create_flags |= DEBUG_ONLY_THIS_PROCESS; return 1;
error:
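Review bot: the added line runs only on the successful attach path, after the early `return 0;` for a process that already has a debugger, which is right; but it rewrites `process->create_flags`, the record of how the process was originally created, and nothing in the hunk (or on a detach path) restores the original value, so any later reader of create_flags can no longer tell an attached process from one actually created with DEBUG_ONLY_THIS_PROCESS. Since the inheritance decision is made in new_process (the `set_process_debugger( process, parent->debugger )` call the report names), consider expressing the rule there, for example by declining to inherit when the parent's debugger came from an attach rather than from creation flags, and add a comment in debugger_attach stating the intent either way.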
--- snip ---
And yes, the patch (snippet) works as intended (tm) ;-)
Attached for the sake of completeness is the relevant server trace. Search for "001c:trace:seh:raise_exception code=80000003 flags=0 addr=0x7b870ed8 " to find the point where the entry system breakpoint is triggered.
Regards
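The inheritance rule this report describes, as an added example that is not Wine's code: a reduced model of the wineserver decision with the report's one-line fix switchable, so the attached-process case can be compared with a process the debugger created with DEBUG_PROCESS. Field names, function names and pids follow the report; the model's internals are assumptions.

```c
/* Added example, not Wine's code: simplified model of the wineserver rule that
 * decides whether a new process inherits its parent's debugger (report's fix
 * switchable in debugger_attach()). Flag values are the Win32 ones. */
#include <stddef.h>
#define DEBUG_PROCESS            0x00000001u
#define DEBUG_ONLY_THIS_PROCESS  0x00000002u

struct process {
    unsigned int    pid;
    unsigned int    create_flags;  /* flags given to CreateProcess */
    struct process *debugger;      /* receiver of our debug events, or NULL */
};

/* Creation-time rule (the set_process_debugger() step in new_process): the
 * creator debugs the child if it asked to; otherwise the child inherits the
 * parent's debugger unless the parent was created DEBUG_ONLY_THIS_PROCESS. */
static void new_process(struct process *child, unsigned int pid,
                        struct process *parent, unsigned int flags)
{
    child->pid = pid;
    child->create_flags = flags;
    if (flags & (DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS))
        child->debugger = parent;
    else if (parent->debugger && !(parent->create_flags & DEBUG_ONLY_THIS_PROCESS))
        child->debugger = parent->debugger;
    else
        child->debugger = NULL;
}

/* Attach to a running process. Without the fix the target gains a debugger but
 * its create_flags still say nothing about debugging, so new_process() later
 * makes its children debuggees too; the fix marks it DEBUG_ONLY_THIS_PROCESS. */
static int debugger_attach(struct process *target, struct process *dbg, int apply_fix)
{
    if (target->debugger) return 0;             /* already being debugged */
    target->debugger = dbg;
    if (apply_fix) target->create_flags |= DEBUG_ONLY_THIS_PROCESS;
    return 1;
}

/* Pid of the debugger a service spawned by the game ends up with, 0 if none.
 * The game is either attached to (report's case) or created by the debugger
 * with DEBUG_PROCESS (control case); pids as in the report's process list. */
static unsigned int child_debugger_pid(int attached, int apply_fix)
{
    struct process dbg = { 0x0a, 0, NULL }, game = { 0x08, 0, NULL }, svc;
    if (attached) debugger_attach(&game, &dbg, apply_fix);
    else          new_process(&game, 0x08, &dbg, DEBUG_PROCESS);
    new_process(&svc, 0x1b, &game, 0);          /* PnkBstrA.exe, plain flags */
    return svc.debugger ? svc.debugger->pid : 0;
}
```

With the fix off, the attached game's service wrongly ends up debugged by pid 0x0a; with it on, the service starts undebugged while the DEBUG_PROCESS control tree stays debugged in both settings.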
killertux killertux@suomi24.fi changed:
What      |Removed |Added
----------------------------------------------------------------------------
Keywords  |        |obfuscation
--- Comment #1 from Austin English austinenglish@gmail.com 2008-10-23 15:13:32 --- Is this still an issue in current (1.1.6 or newer) wine?
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What                       |Removed    |Added
----------------------------------------------------------------------------
Attachment #8876 mime type |text/plain |application/x-bzip2
Anastasius Focht focht@gmx.net changed:
What    |Removed                                                                                                 |Added
----------------------------------------------------------------------------
Summary |Battlefield2/SafeDisc 4.x and Punkbuster services cause lockup: child processes debugging misconception |childs must not inherit debuggee state when created by attach-to-process "debuggee"
--- Comment #2 from Anastasius Focht focht@gmx.net 2008-12-17 09:27:09 --- Hello,
--- quote --- Is this still an issue in current (1.1.6 or newer) wine? --- quote ---
It doesn't apply to Battlefield2/SafeDisc 4.x and Punkbuster services anymore, but it's still a valid bug. I changed the summary accordingly.
There were architectural changes in early 2008 which changed the way how services are spawned/managed (services.exe). Spawned services don't suffer from this problem unless services.exe itself is being debugged.
Of course you can reproduce this issue anytime. Attach to some process and spawn processes from the debuggee with standard process create flags. Intelligent debuggers will usually complain about seeing (unexpected) debug events from different process ids (children).
Regards
Anastasius Focht focht@gmx.net changed:
What     |Removed     |Added
----------------------------------------------------------------------------
Keywords |obfuscation |
Version  |CVS/GIT     |0.9.48.
--- Comment #3 from Anastasius Focht focht@gmx.net 2009-01-17 05:35:05 --- Hello,
corrected version tag. Also removed the "obfuscation" keyword because it's about standard debugging behaviour and not limited to copy protection or anti-debugging techniques.
Regards
Dmitry Timoshkov dmitry@codeweavers.com changed:
What    |Removed                                                                             |Added
----------------------------------------------------------------------------
Summary |childs must not inherit debuggee state when created by attach-to-process "debuggee" |children must not inherit debuggee state when created by attach-to-process "debuggee"
--- Comment #4 from Austin English austinenglish@gmail.com 2009-07-21 13:47:19 --- Is this still an issue in current (1.1.26 or newer) wine?
EA Durbin ead1234@hotmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |ead1234@hotmail.com
--- Comment #5 from EA Durbin ead1234@hotmail.com 2009-08-12 13:13:40 --- (In reply to comment #4)
Is this still an issue in current (1.1.26 or newer) wine?
The function debugger_attach in server/debugger.c hasn't been modified since Dec. 28th of 2008, so it probably hasn't been addressed yet.
--- Comment #6 from Austin English austinenglish@gmail.com 2010-04-29 18:14:00 --- A couple of related commits:
http://source.winehq.org/git/wine.git/?a=commitdiff;h=6c0ecd0955bc85c51802ef...
http://source.winehq.org/git/wine.git/?a=commitdiff;h=1970fb35d40240448a311c...
still an issue?
Richard shiningarcanine@gmail.com changed:
What           |Removed     |Added
----------------------------------------------------------------------------
Status         |UNCONFIRMED |NEW
Ever Confirmed |0           |1
--- Comment #7 from Richard shiningarcanine@gmail.com 2010-05-26 18:16:40 --- *** This bug has been confirmed by popular vote. ***
--- Comment #8 from Anastasius Focht focht@gmx.net 2010-05-27 03:14:52 --- Hello,
--- quote ---
A couple related commits: ...
still an issue?
--- quote ---
sure, bug still present, analysis still applies ;-)
Regards
Richard shiningarcanine@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |shiningarcanine@gmail.com
--- Comment #9 from Richard shiningarcanine@gmail.com 2010-05-27 08:50:22 --- (In reply to comment #7)
*** This bug has been confirmed by popular vote. ***
I know this is off-topic, but I do not recall posting this comment. Why did it appear?
Anastasius Focht focht@gmx.net changed:
What     |Removed |Added
----------------------------------------------------------------------------
Severity |major   |normal
--- Comment #10 from Anastasius Focht focht@gmx.net 2011-04-27 03:51:12 CDT --- Hello,
still present. Revising severity.
Can be reproduced by using debuggers that verify the process id of debug events (like ollydbg). Attach to an application that spawns other win32 processes on request, for example "Total Commander" (my favorite file manager). Start a child process from the debuggee, e.g. "notepad" (click toolbar button). The debugger will complain/spam in the log:
--- snip ---
Message = Event 00000001 from different process (ID 00000029)
--- snip ---
$ wine --version
wine-1.3.18-233-gcff8753
Regards
Anastasius Focht focht@gmx.net changed:
What          |Removed                                                                               |Added
----------------------------------------------------------------------------
Fixed by SHA1 |                                                                                      |e7ec00d22cfcaedbccad499f503c50efc8125117
Status        |NEW                                                                                   |RESOLVED
URL           |                                                                                      |http://www.ollydbg.de/odbg110.zip
Component     |kernel32                                                                              |wineserver
Resolution    |                                                                                      |FIXED
Summary       |children must not inherit debuggee state when created by attach-to-process "debuggee" |ollydbg complains about unexpected debug events from child processes after attaching to the debuggee
--- Comment #11 from Anastasius Focht focht@gmx.net 2011-10-10 14:15:32 CDT --- Hello,
fixed by commit e7ec00d22cfcaedbccad499f503c50efc8125117. Thanks Bernhard.
Regards
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED
--- Comment #12 from Alexandre Julliard julliard@winehq.org 2011-10-21 13:49:21 CDT --- Closing bugs fixed in 1.3.31.
Anastasius Focht focht@gmx.net changed:
What     |Removed |Added
----------------------------------------------------------------------------
Keywords |        |download
Anastasius Focht focht@gmx.net changed:
What    |Removed                                                                                              |Added
----------------------------------------------------------------------------
URL     |http://www.ollydbg.de/odbg110.zip                                                                    |https://web.archive.org/web/20060127002930/http://www.ollydbg.de/odbg110.zip
Summary |ollydbg complains about unexpected debug events from child processes after attaching to the debuggee |OllyDbg 1.x complains about unexpected debug events from child processes after attaching to the debuggee