[Bug 4666] Many games bundled with HackShield anti-cheat system abort on startup with Hackshield error 108 (copy of system dlls, native vs. Wine placeholder)

wine-bugs at winehq.org
Tue Dec 18 11:29:18 CST 2012


http://bugs.winehq.org/show_bug.cgi?id=4666

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|HackShield anti-cheat       |Many games bundled with
                   |system doesn't work         |HackShield anti-cheat
                   |(Themida software           |system abort on startup
                   |protection used as wrapper  |with Hackshield error 108
                   |incompatible with Wine)     |(copy of system dlls,
                   |                            |native vs. Wine
                   |                            |placeholder)

--- Comment #52 from Anastasius Focht <focht at gmx.net> 2012-12-18 11:29:18 CST ---
Hello Florian,

--- quote ---
Hm, I tried to get wine to compile this, but it seems to break things.
Maybe worth to know where to add this, better to have a patch altering this for
current wine (1.5.19)
--- quote ---

This was most likely fixed on their side in newer versions of the client.
If you don't get "error 110" then the PIC prolog code is no longer a problem.

A rough check for the Themida software protection version is to run the app with
"WINEDEBUG=+debugstr".
The output will contain a copyright string like this:

--- snip ---
0046:warn:debugstr:OutputDebugStringA "\r\n\n\n%s------------------------------------------------\n\r---          Themida Professional            ---\n\r---      (c)2012 Oreans Technologies         ---\n\r------------------------------------------------\r\n\n\n"
--- snip ---

A detailed version check (major/minor) can only be made by signature analysis
or debugging.

Anyway, that "error 108" is about system DLL copies (kernel32.dll and friends)
in the temp folder (native vs. builtin/placeholder).
The copy in the temp folder has "SLLX" magic at the end of the file (last DWORD ->
0x53,0x4C,0x4C,0x58).

Adjusting summary accordingly.

Internal error:

--- snip ---
00300B94  00884868 ; |Format = "%s GameCode = %d Li = %s, option = 0x%X return =%d"
00300B98  00300BC0 ; ASCII "C:\Program Files\Gameforge4D\AirRivals\HShield\EhSvc.dll"
00300B9C  00001268
00300BA0  008848A0 ; ASCII "2025A0437939566CC1DCF4B1"
00300BA4  06483DBE
00300BA8  00000108
--- snip ---

(game code differs between games)

Log before being obfuscated and written to "hshield.log":

--- snip ---
{FC684AE4-F5B0-48B7-889E-F43FCDBF13E8} 7b810000 0 126
[C:\users\focht\Temp\d114c46949c6.tmp]
C:\users\focht\Temp\d114c46949c6.tmp
C:\windows\system32\KERNEL32.dll
...
{EE0E19A5-99002FE730  92-4B80-BA7D-FD1647ACD846} e1012004
C:\windows\system32\Kernel32.dll 1
--- snip ---

I've not looked that deep into HackShield but it might be possible to come up
with a Wine builtin "Ehsvc.dll" that avoids all the mess (similar to
PunkBuster).
"Ehsvc.dll" serves as interface between HackShield and the secured process.

Regards

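A diagnostic sketch for the temp-folder copies described in the comment above, added here as an example and not taken from the comment, HackShield or Wine: it reports which files end in the "SLLX" DWORD and whether each looks like a native PE or a Wine-generated DLL. The function names and sample files are constructed for illustration, and the two Wine marker strings after the 64-byte DOS header are an assumption drawn from Wine's own DLL files, not from the comment.

```python
import os
import tempfile

SLLX_TRAILER = bytes([0x53, 0x4C, 0x4C, 0x58])  # "SLLX", the last DWORD per the comment
# Assumption (from Wine, not from the comment): Wine writes one of these
# markers directly after the 64-byte DOS header of the DLL files it generates.
WINE_MARKERS = (b"Wine placeholder DLL", b"Wine builtin DLL")

def classify(path):
    """Return (has_sllx_trailer, kind); kind is 'wine', 'native-pe' or 'not-pe'."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(0x40 + 32)
        trailer = b""
        if size >= 4:                      # files shorter than a DWORD have no trailer
            f.seek(-4, os.SEEK_END)
            trailer = f.read(4)
    if head[:2] != b"MZ":
        kind = "not-pe"
    elif any(head[0x40:].startswith(m) for m in WINE_MARKERS):
        kind = "wine"
    else:
        kind = "native-pe"
    return trailer == SLLX_TRAILER, kind

def scan(directory):
    """Map file name -> classification for every regular file in directory."""
    return {e.name: classify(e.path)
            for e in sorted(os.scandir(directory), key=lambda e: e.name)
            if e.is_file()}

def demo():
    """Write constructed sample files to a scratch directory and scan them."""
    dos = b"MZ" + b"\x00" * 62             # constructed 64-byte DOS header stub
    samples = {
        "copy_of_placeholder.tmp": dos + b"Wine placeholder DLL\x00" + b"\x00" * 40 + SLLX_TRAILER,
        "copy_of_native.tmp": dos + b"\x0e\x1f\xba\x0e" + b"\x00" * 60 + SLLX_TRAILER,
        "unrelated.tmp": b"just some text",
        "tiny.tmp": b"SL",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return scan(d)

if __name__ == "__main__":
    for name, (sllx, kind) in demo().items():
        print(f"{name:26} SLLX={sllx!s:5} {kind}")
```

To inspect a real prefix, call `scan()` on the temp directory that appears in the log, for example the Unix path behind `C:\users\<name>\Temp`.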