[Bug 31279] Age of Empires II SafeDisc v1.x driver crashes in IDT check (INT1/3 hooks)

wine-bugs at winehq.org
Sun Jul 22 17:24:59 CDT 2012


http://bugs.winehq.org/show_bug.cgi?id=31279

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|SafeDisc: driver crashes    |Age of Empires II SafeDisc
                   |under certain circumstances |v1.x driver crashes in IDT
                   |                            |check (INT1/3 hooks)

--- Comment #6 from Anastasius Focht <focht at gmx.net> 2012-07-22 17:24:59 CDT ---
Hello,

let's target the "Age of Empires II" series with the SafeDisc 1.x driver, otherwise this
gets really messed up mixing different versions/games.

The internal driver version seems to be 1.6.0.

--- snip ---
in_buff: 00000001 00000006 00000000 0000003d 
         db8ce543 4f190d3a a82e94fd 3cbb7c84  
--- snip ---

--- snip ---
typedef struct _SECDRV_IOC_IN_BUFFER
{
    DWORD dwVersionMajor;           /* driver interface version, 1.6.0 in the dump above */
    DWORD dwVersionMinor;
    DWORD dwVersionPatch;

    DWORD dwCommand;                /* command code, 0x3d in the dump above */
    BYTE bVerificationData[0x400];

    DWORD cbUserData;               /* number of valid bytes in bUserData */
    BYTE  bUserData[0x100];
} SECDRV_IOC_IN_BUFFER, *PSECDRV_IOC_IN_BUFFER;
--- snip ---

The command code is 0x3d -> SECDRV_CMD_INFO_IDT.

--- snip ---
003e:Call driver dispatch 0x546328 (device=0x11ad80,irp=0x53f14c)
003e:trace:seh:raise_exception code=c0000005 flags=0 addr=0x54287f ip=0054287f tid=003e
003e:trace:seh:raise_exception  info[0]=00000000
003e:trace:seh:raise_exception  info[1]=7c2f0008
003e:trace:seh:raise_exception  eax=7c2f0008 ebx=404a1fdc ecx=00000000 edx=0011ad80 esi=00000145 edi=0053f14c
003e:trace:seh:raise_exception  ebp=0053efec esp=0053efac cs=0017 ds=001f es=001f fs=1017 gs=0037 flags=00010202
003e:trace:seh:call_vectored_handlers calling handler at 0x4049db30 code=c0000005 flags=0
003e:trace:int:emulate_instruction Opcode bytes: 8b 18 83 c0 10 8b
003e:err:int:emulate_instruction cannot emulate instruction at 0x54287f: 8b
003e:trace:seh:call_vectored_handlers handler at 0x4049db30 returned 0
003e:trace:seh:call_stack_handlers calling handler at 0x7bc7c450 code=c0000005 flags=0
--- snip ---

Opcodes translated to assembly snippet:

--- snip ---
8B18          MOV EBX,DWORD PTR DS:[EAX]
83C0 10       ADD EAX,10
8B??          MOV EAX,???
--- snip ---

The referenced memory address 0x7c2f0008 is most likely the address that ought
to be the INT1 IDT entry (idtbase+8 = INT1).

SafeDisc checks the distance between the INT1 and INT3 vectors to find kernel
debuggers like SoftICE that hook them (it subtracts the base addresses specified in
the INT1 and INT3 descriptors, without the selectors, and checks the difference
against a specific value).

Can you add more trace output to:
http://source.winehq.org/git/wine.git/blob/57e4e608dcd73b36f1084e0cfcb7cf0929363c38:/dlls/ntoskrnl.exe/instr.c#l386

(dump of values like "addr", "idtr.base", "idtr.limit")

Regards

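As an added example (not code from the bug report, from SafeDisc or from Wine), the following C program parses the 16-byte header of the IOCTL input buffer described in the comment above and performs the INT1/INT3 distance check it describes on a constructed 32-bit IDT image. The header bytes are taken from the first four dwords of the in_buff dump; the IDT is made up for the example (stub handlers at 0x80401000 + 16 * vector, code selector 0x0008, and a pretend debugger hook at 0xa0001000 for INT1 are all assumptions). The exact distance SafeDisc compares against is not stated in the comment, so the program only reports the distance and shows that hooking INT1 changes it. It also refuses to read a gate that lies outside the IDTR limit, which is the check the faulting `MOV EBX,[EAX]` at idtbase+8 did not have.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECDRV_CMD_INFO_IDT 0x3d   /* command code from the in_buff dump */
#define IDT_GATE_SIZE       8      /* size of a 32-bit x86 gate descriptor */
#define IDT_ENTRIES         256

/* First 16 bytes of SECDRV_IOC_IN_BUFFER: version triple + command. */
typedef struct {
    uint32_t major, minor, patch, command;
} secdrv_ioc_header;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Parse the little-endian header the driver sees in its IOCTL input buffer. */
int parse_ioc_header(const uint8_t *buf, size_t len, secdrv_ioc_header *out)
{
    if (len < 16) return -1;
    out->major   = rd32(buf);
    out->minor   = rd32(buf + 4);
    out->patch   = rd32(buf + 8);
    out->command = rd32(buf + 12);
    return 0;
}

/* Write a 32-bit interrupt gate: offset_low, selector, reserved, type/attr, offset_high. */
static void write_gate(uint8_t *idt, unsigned vector, uint32_t handler, uint16_t selector)
{
    uint8_t *g = idt + vector * IDT_GATE_SIZE;
    wr16(g, (uint16_t)(handler & 0xffff));
    wr16(g + 2, selector);
    g[4] = 0;
    g[5] = 0x8e;                          /* present, DPL 0, 32-bit interrupt gate */
    wr16(g + 6, (uint16_t)(handler >> 16));
}

/* Handler offset of gate `vector`, or -1 when the IDTR limit does not cover that gate.
 * The driver in the trace read idtbase+8 unconditionally; a limit check rejects a
 * short or emulated IDT here instead of faulting in the MOV. */
int idt_gate_offset(const uint8_t *idt, uint16_t limit, unsigned vector, uint32_t *offset)
{
    const uint8_t *g;
    if ((size_t)(vector + 1) * IDT_GATE_SIZE - 1 > limit) return -1;
    g = idt + vector * IDT_GATE_SIZE;
    *offset = (uint32_t)rd16(g + 6) << 16 | rd16(g);   /* selector bytes are ignored */
    return 0;
}

/* The SafeDisc-style check: INT3 handler offset minus INT1 handler offset. */
int int1_int3_distance(const uint8_t *idt, uint16_t limit, int32_t *distance)
{
    uint32_t o1, o3;
    if (idt_gate_offset(idt, limit, 1, &o1) || idt_gate_offset(idt, limit, 3, &o3)) return -1;
    *distance = (int32_t)(o3 - o1);
    return 0;
}

/* Constructed IDT image (assumption): every vector points at a 16-byte stub in a
 * made-up table at 0x80401000. With `hooked`, INT1 is redirected to a made-up
 * debugger address, the way a kernel debugger hooking INT1 would change it. */
void build_sample_idt(uint8_t *idt, int hooked)
{
    unsigned v;
    memset(idt, 0, IDT_ENTRIES * IDT_GATE_SIZE);
    for (v = 0; v < IDT_ENTRIES; v++)
        write_gate(idt, v, 0x80401000u + v * 0x10, 0x0008);
    if (hooked)
        write_gate(idt, 1, 0xa0001000u, 0x0008);
}

int main(void)
{
    /* Constructed from the first four dwords of the in_buff dump in the comment. */
    static const uint8_t in_buff[16] = { 0x01,0,0,0, 0x06,0,0,0, 0,0,0,0, 0x3d,0,0,0 };
    secdrv_ioc_header hdr;
    uint8_t idt[IDT_ENTRIES * IDT_GATE_SIZE];
    int32_t dist;

    if (parse_ioc_header(in_buff, sizeof in_buff, &hdr) == 0)
        printf("driver %u.%u.%u command 0x%02x%s\n", (unsigned)hdr.major, (unsigned)hdr.minor,
               (unsigned)hdr.patch, (unsigned)hdr.command,
               hdr.command == SECDRV_CMD_INFO_IDT ? " (SECDRV_CMD_INFO_IDT)" : "");

    build_sample_idt(idt, 0);
    if (int1_int3_distance(idt, sizeof idt - 1, &dist) == 0)
        printf("clean IDT:  INT3 - INT1 = 0x%x\n", (unsigned)dist);

    build_sample_idt(idt, 1);
    if (int1_int3_distance(idt, sizeof idt - 1, &dist) == 0)
        printf("hooked IDT: INT3 - INT1 = 0x%x\n", (unsigned)dist);

    /* A limit of 15 covers only vectors 0 and 1, so the check refuses to read gate 3. */
    printf("short IDT:  %s\n", int1_int3_distance(idt, 15, &dist) == 0 ? "ok" : "gate 3 outside limit");
    return 0;
}
```

With the constructed stub table the clean distance is 0x20 (two 16-byte stubs apart); redirecting INT1 makes the difference a large unrelated value, which is the signal the check keys on. When porting such a check to a real driver, read the IDTR with `sidt` and compare the gate index against `limit` before dereferencing, exactly as `idt_gate_offset` does.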