[Bug 34618] bleem! demo thinks that Wine is a debugger and doesn't run (expects Win9x TEB field 'DebugContext' instead of NT Process ID)

wine-bugs at winehq.org
Sat Sep 28 15:32:48 CDT 2013


http://bugs.winehq.org/show_bug.cgi?id=34618

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
                 CC|                            |focht at gmx.net
            Summary|bleem! demo thinks that     |bleem! demo thinks that
                   |Wine is a debugger and      |Wine is a debugger and
                   |doesn't run                 |doesn't run (expects Win9x
                   |                            |TEB field 'DebugContext'
                   |                            |instead of NT Process ID)

--- Comment #2 from Anastasius Focht <focht at gmx.net> 2013-09-28 15:32:48 CDT ---
Hello folks,

The trace log doesn't reveal much; you have to debug the actual code...

--- snip ---
...
0025:Starting process L"C:\\Program Files\\bleem\\bleem!\\bleem!.exe" (entryproc=0x401000)
0025:Call KERNEL32.GetVersionExA(00401134) ret=0040102b
0025:Ret  KERNEL32.GetVersionExA() retval=00000001 ret=0040102b
0025:Call KERNEL32.GetModuleFileNameA(00000000,004011e0,00000104) ret=00401058
0025:Ret  KERNEL32.GetModuleFileNameA() retval=00000028 ret=00401058
0025:Call KERNEL32.CreateFileA(004011e0 "C:\\Program Files\\bleem\\bleem!\\bleem!.exe",80000000,00000001,00000000,00000003,00000080,00000000) ret=0040107c
0025:Ret  KERNEL32.CreateFileA() retval=00000064 ret=0040107c
0025:Call KERNEL32.CreateFileMappingA(00000064,00000000,00000002,00000000,00000000,00000000) ret=00401096
0025:Ret  KERNEL32.CreateFileMappingA() retval=00000068 ret=00401096
0025:Call KERNEL32.MapViewOfFile(00000068,00000004,00000000,00000000,00000000) ret=004010ad
0025:Ret  KERNEL32.MapViewOfFile() retval=00530000 ret=004010ad
0025:Call KERNEL32.UnmapViewOfFile(00530000) ret=004010d6
0025:Ret  KERNEL32.UnmapViewOfFile() retval=00000001 ret=004010d6
0025:Call KERNEL32.CloseHandle(00000068) ret=004010e1
0025:Ret  KERNEL32.CloseHandle() retval=00000001 ret=004010e1
0025:Call KERNEL32.CloseHandle(00000064) ret=004010ec
0025:Ret  KERNEL32.CloseHandle() retval=00000001 ret=004010ec
0025:Call user32.MessageBeep(00000010) ret=004010ff
0025:Ret  user32.MessageBeep() retval=00000001 ret=004010ff
0025:Call user32.MessageBoxA(00000000,0040142d "This program is not designed to operate with a debugger!\n\nPlease disable or exit the debugger and try again.",004012e5 "bleem, llc.",00011010) ret=0040111c
--- snip ---

The code in question:

--- snip ---
00585586    C74424 24 06000000  MOV DWORD PTR SS:[ESP+24],6
0058558E    64:A1 20000000      MOV EAX,DWORD PTR FS:[20]
00585594    85C0                TEST EAX,EAX
00585596    C3                  RETN
--- snip ---

On Win9x systems the TEB field FS:[0x20] is also known as 'DebugContext'.

Wine implements the NT behaviour for this TEB field ->
"teb->ClientId.UniqueProcess"

I doubt it's worth messing up Wine code just for this app...

As a workaround, patch the executable to foil the debugger check.

--- snip ---
$ printf '\x30' | dd of=bleem\!.exe bs=1 seek=349588 count=1 conv=notrunc
--- snip ---

What does it do?

It changes the opcode 0x85,0xC0 (test eax,eax) at file offset 0x55594 to
0x30,0xC0 (xor eax,eax), faking success.

This lets the app run into the next Wine bug ...

Regards

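Added example, not code from the bug report or from Wine: a small Python model of the FS:[0x20] check and of the byte patch above. Unlike the dd command, which writes blindly, it verifies that the bytes at the offset really are TEST EAX,EAX before overwriting them. All constants (opcodes, 0x00585594, the 0x00530000 map base, file offset 349588) come from the trace and disassembly in the comment; the sample image is constructed.

```python
# Added example (not from the bug report or Wine): models the FS:[0x20]
# check and applies the byte patch only after verifying the original opcode.
TEST_EAX_EAX = b"\x85\xc0"     # opcode at 0x00585594 in the disassembly
XOR_EAX_EAX = b"\x30\xc0"      # replacement written by the dd command
CODE_VA = 0x00585594           # address of TEST EAX,EAX in the disassembly
MAP_BASE = 0x00530000          # MapViewOfFile() return value in the trace
FILE_OFFSET = 0x55594          # 349588, the seek= value of the dd command


def va_to_file_offset(va, base=MAP_BASE):
    """The disassembly was taken inside the raw file view returned by
    MapViewOfFile, so the file offset is just the distance from that base."""
    return va - base


def no_debugger_detected(opcode, fs20):
    """ZF after running the 2-byte opcode with EAX = FS:[0x20].
    Win9x: FS:[0x20] is DebugContext, 0 when no debugger is attached.
    NT/Wine: FS:[0x20] is ClientId.UniqueProcess, never 0, so the
    check always 'detects' a debugger.  XOR EAX,EAX forces ZF=1."""
    if opcode == TEST_EAX_EAX:
        return (fs20 & 0xFFFFFFFF) == 0
    if opcode == XOR_EAX_EAX:
        return True
    raise ValueError("unsupported opcode %s" % opcode.hex())


def patch_debugger_check(image, offset=FILE_OFFSET):
    """Return a patched copy of the image, or raise if the bytes at the
    offset are not TEST EAX,EAX (wrong build, or already patched)."""
    found = image[offset:offset + 2]
    if found != TEST_EAX_EAX:
        raise ValueError("expected 85c0 at 0x%x, found %s" % (offset, found.hex()))
    return image[:offset] + XOR_EAX_EAX + image[offset + 2:]


def make_sample_image():
    """Constructed stand-in for bleem!.exe: zero padding with the four
    instructions from the disassembly placed at the real file offset."""
    code = (b"\xc7\x44\x24\x24\x06\x00\x00\x00"   # MOV DWORD PTR [ESP+24],6
            + b"\x64\xa1\x20\x00\x00\x00"          # MOV EAX,FS:[20]
            + TEST_EAX_EAX                         # TEST EAX,EAX
            + b"\xc3")                             # RETN
    start = FILE_OFFSET - 14   # TEST sits 14 bytes after 0x00585586
    return bytes(start) + code + bytes(16)


if __name__ == "__main__":
    img = patch_debugger_check(make_sample_image())
    print("patched bytes:", img[FILE_OFFSET:FILE_OFFSET + 2].hex())
```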