[Bug 2770] powerbullet.dll fails to register (armadillo protection fails at checkpoint L5, error 0x17)
wine-bugs at winehq.org
Wed Apr 27 08:20:57 CDT 2011
http://bugs.winehq.org/show_bug.cgi?id=2770
Anastasius Focht <focht at gmx.net> changed:
What     |Removed                              |Added
----------------------------------------------------------------------------
Keywords |                                     |Installer, obfuscation
URL      |http://powerbullet.com/download.html |http://wareseeker.com/download/powerbullet-presenter-1.44.rar/332339
CC       |                                     |focht at gmx.net
Summary  |powerbullet.dll fails to register    |powerbullet.dll fails to register (armadillo protection fails at checkpoint L5, error 0x17)
--- Comment #18 from Anastasius Focht <focht at gmx.net> 2011-04-27 08:20:54 CDT ---
Hello,
the "Powerbullet.dll" file in question is wrapped with Armadillo protection:
--- snip ---
Scanning -> H:\.wine\drive_c\Program Files\Powerbullet\Powerbullet.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 1736704 (01A8000h) Byte(s)
[File Heuristics] -> Flag : 00000000000000001100001100100001 (0x0000C321)
[!] Armadillo v4.00 - v4.42 detected !
[CompilerDetect] -> Visual C/C++
- Scan Took : 0.439 Second(s)
--- snip ---
Trace log reveals not very much, various anti-debugging trickery, virtual
machine/emulator detection and the like...
--- snip ---
...
0023:Call KERNEL32.OutputDebugStringA(0033f06c
"%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s")
ret=10022111
0023:Ret KERNEL32.OutputDebugStringA() retval=00000000 ret=10022111
--- snip ---
Interesting tidbit: That OutputDebugStringA() call is actually a known
vulnerability to trash some OllyDbg (debugger) versions ;-)
Hardware-id gathering before the error:
--- snip ---
...
0023:Call rpcrt4.UuidCreateSequential(0033e718) ret=10008be5
...
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e046
...
0023:Ret iphlpapi.GetAdaptersInfo() retval=0000006f ret=6857e046
...
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e0b9
...
0023:Ret iphlpapi.GetAdaptersInfo() retval=00000000 ret=6857e0b9
...
0023:Ret rpcrt4.UuidCreateSequential() retval=00000000 ret=10008be5
...
0023:Call KERNEL32.MultiByteToWideChar(00000000,00000000,10038050 "InvalidKey",ffffffff,00dc8038,00010000) ret=1002f0ec
...
0023:Call KERNEL32.WideCharToMultiByte(00000000,00000000,00db4030 L"This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it.",ffffffff,0032e424,00010000,00000000,00000000) ret=1002f0ba
--- snip ---
Anything bogus from UuidCreateSequential() is most likely not the cause for the
error.
The code following checks the first 3 bytes of uuid->Data4 for constant values
(0x00,0x03,0xFF) probably to detect some virtual network adapters from PC
emulators (like VirtualPC).
After that it processes internal data and calculates something like a checksum.
Preliminary debugging through the code mess pinpoints the validation failure
between checkpoint LP5 and LP6.
The internal error code is 0x17 - it is never printed but one can see it in
debugger data/code string references.
CCx,LPx = some Armadillo internal mechanism to track the stage of protector
initialization.
Will revisit later ...
Regards
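
A triage pass over relay trace lines like the ones quoted in the comment above, as an added example that is not part of the original comment or of Wine. It pairs each Call with its Ret per thread and reports the watched calls with their caller address, enclosing call and return value; the watch list, the `%s` threshold and the sample input are assumptions made for this sketch.

```python
import re

# Constructed sample modelled on the relay lines quoted in the comment
# (wrapped lines joined, format string shortened, elided "..." lines dropped).
SAMPLE = r'''0023:Call KERNEL32.OutputDebugStringA(0033f06c "%s%s%s%s%s%s%s%s") ret=10022111
0023:Ret KERNEL32.OutputDebugStringA() retval=00000000 ret=10022111
0023:Call rpcrt4.UuidCreateSequential(0033e718) ret=10008be5
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e046
0023:Ret iphlpapi.GetAdaptersInfo() retval=0000006f ret=6857e046
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e0b9
0023:Ret iphlpapi.GetAdaptersInfo() retval=00000000 ret=6857e0b9
0023:Ret rpcrt4.UuidCreateSequential() retval=00000000 ret=10008be5
'''

LINE = re.compile(r'^([0-9a-f]{4}):(Call|Ret)\s+(\w+)\.(\w+)\((.*)\)\s+'
                  r'(?:retval=([0-9a-f]+)\s+)?ret=([0-9a-f]+)$')
# Hypothetical watch list: the three APIs the comment singles out.
WATCH = {"OutputDebugStringA": "anti-debug",
         "UuidCreateSequential": "hardware-id",
         "GetAdaptersInfo": "hardware-id"}

def triage(trace):
    """Return watched calls in call order with caller, parent call and return value."""
    stacks, out = {}, []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        tid, kind, _mod, api, args, retval, caller = m.groups()
        stack = stacks.setdefault(tid, [])          # one call stack per thread id
        if kind == "Call":
            rec = {"api": api, "category": WATCH.get(api), "caller": caller,
                   "parent": stack[-1]["api"] if stack else None,
                   "retval": None, "note": ""}
            if api == "OutputDebugStringA" and args.count("%s") >= 4:
                rec["note"] = "format specifiers passed as the debug string"
            stack.append(rec)
            if rec["category"]:
                out.append(rec)
        elif retval is not None:
            # Match the Ret to its Call by API name and return address, dropping
            # any frames above it (traces may be truncated or filtered).
            for i in range(len(stack) - 1, -1, -1):
                if stack[i]["api"] == api and stack[i]["caller"] == caller:
                    stack[i]["retval"] = int(retval, 16)
                    if api == "GetAdaptersInfo" and stack[i]["retval"] == 0x6F:
                        stack[i]["note"] = "ERROR_BUFFER_OVERFLOW (buffer too small)"
                    del stack[i:]
                    break
    return out
```

On the sample, both GetAdaptersInfo records carry `parent == "UuidCreateSequential"`, matching the nesting visible in the quoted trace.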