[Bug 41469] 'Ski Racing 2005 featuring Hermann Maier' crashes on startup (JoWood X-Prot v1.5.9.49 protection scheme)
WineHQ Bugzilla
wine-bugs at winehq.org
Sun Jan 17 06:51:23 CST 2021
https://bugs.winehq.org/show_bug.cgi?id=41469
Anastasius Focht <focht at gmx.net> changed:
What |Removed                                          |Added
-----+-------------------------------------------------+---------------------------------------------------------------------------------------------------
URL  |http://www.gamepressure.com/download.asp?ID=6526 |https://web.archive.org/web/20210116162035/https://ds.thqnordic.com/skiracing/SkiRacing2005-Demo-Setup1.exe
--- Comment #26 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
The native msvcr71 override from comment #5 and comment #6 is a secondary issue
which is likely fixed by now.
The crash everyone observes has nothing to do with it. It happens in the first
process instance, during decryption.
The MSVC++ runtime only gets mapped in the second instance of the process that
is spawned.
Trace with Wine 6.0
--- snip ---
...
0024:trace:seh:NtGetContextThread 0xfffffffe: dr0=0069f839 dr1=0069f839 dr2=0069f839 dr3=0069f839 dr6=0000000f dr7=00000155
0024:trace:seh:dispatch_exception code=80000004 flags=0 addr=0069F839 ip=0069f839 tid=0024
0024:trace:seh:dispatch_exception eax=0f28d5f8 ebx=7ffde000 ecx=000001ff edx=5dcdea49 esi=0069e857 edi=006a0323
0024:trace:seh:dispatch_exception ebp=4243484b esp=0031fed4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0024:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=80000004 flags=0
0024:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0024:trace:seh:call_stack_handlers calling handler at 0069EAA2 code=80000004 flags=0
0024:trace:seh:call_stack_handlers handler at 0069EAA2 returned 0
0024:trace:seh:NtGetContextThread 0xfffffffe: dr0=00401234 dr1=00401234 dr2=00401234 dr3=00401234 dr6=00004000 dr7=00000155
0024:trace:seh:dispatch_exception code=80000004 flags=0 addr=006A0D75 ip=006a0d75 tid=0024
0024:trace:seh:dispatch_exception eax=e60ff5fe ebx=7ffde000 ecx=00000000 edx=5dcdea49 esi=0069e857 edi=006a0323
0024:trace:seh:dispatch_exception ebp=002177bb esp=0031fed4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00000246
0024:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=80000004 flags=0
0024:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0024:trace:seh:call_stack_handlers calling handler at 0069EAA2 code=80000004 flags=0
0024:trace:seh:call_stack_handlers handler at 0069EAA2 returned 0
0024:trace:seh:dispatch_exception code=c0000005 flags=0 addr=006A1200 ip=006a1200 tid=0024
0024:trace:seh:dispatch_exception info[0]=00000001
0024:trace:seh:dispatch_exception info[1]=a71233f8
0024:trace:seh:dispatch_exception eax=00000090 ebx=7ffde000 ecx=00000090 edx=ffe98e60 esi=0069e857 edi=006a1200
0024:trace:seh:dispatch_exception ebp=002177bb esp=0031fefc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0024:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=c0000005 flags=0
0024:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0024:trace:seh:call_stack_handlers calling handler at 7BC52730 code=c0000005 flags=0
--- snip ---
vs. Louis' "working" trace from Wine 2.5 (Staging?):
--- snip ---
...
0009:trace:seh:raise_exception code=80000004 flags=0 addr=0x69f839 ip=0069f839 tid=0009
0009:trace:seh:raise_exception eax=0f28d5f8 ebx=7ffdf000 ecx=000001ff edx=5dcdea49 esi=0069e857 edi=006a0323
0009:trace:seh:raise_exception ebp=4243484b esp=0033fdbc cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00010202
0009:trace:seh:call_stack_handlers calling handler at 0x69eaa2 code=80000004 flags=0
0009:trace:seh:call_stack_handlers handler at 0x69eaa2 returned 0
0009:trace:seh:raise_exception code=80000004 flags=0 addr=0x6a0d75 ip=006a0d75 tid=0009
0009:trace:seh:raise_exception eax=e60ff5fe ebx=7ffdf000 ecx=00000000 edx=5dcdea49 esi=0069e857 edi=006a0323
0009:trace:seh:raise_exception ebp=002177bb esp=0033fdbc cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00000246
0009:trace:seh:call_stack_handlers calling handler at 0x69eaa2 code=80000004 flags=0
0009:trace:seh:call_stack_handlers handler at 0x69eaa2 returned 0
0009:Call KERNEL32.VirtualAlloc(00000000,00003000,00001000,00000040) ret=006a3784
0009:Ret KERNEL32.VirtualAlloc() retval=00340000 ret=006a3784
0009:Call KERNEL32.VirtualAlloc(00000000,00003000,00001000,00000040) ret=006a3c9d
0009:Ret KERNEL32.VirtualAlloc() retval=00350000 ret=006a3c9d
0009:Call KERNEL32.VirtualAlloc(00000000,00001000,00001000,00000040) ret=006a41c6
0009:Ret KERNEL32.VirtualAlloc() retval=00220000 ret=006a41c6
0009:Call KERNEL32.LoadLibraryA(006a649e "kernel32.dll") ret=006a659a
0009:Ret KERNEL32.LoadLibraryA() retval=7b410000 ret=006a659a
0009:Call KERNEL32.LoadLibraryA(006a70d9 "user32.dll") ret=006a70ea
...
0009:Ret KERNEL32.LoadLibraryA() retval=7ec70000 ret=006a70ea
0009:Call KERNEL32.GetUserDefaultLangID() ret=006a7aaf
0009:Ret KERNEL32.GetUserDefaultLangID() retval=00000409 ret=006a7aaf
0009:Call KERNEL32.CreateFileA(006a872e "\\\\.\\SICE",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a873e "\\\\.\\NTICE",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a874e "\\\\.\\SIWVID",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a875e "\\\\.\\REGMON",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a876e "\\\\.\\FILEMON",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a877e "\\\\.\\SIWDEBUG",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a878e "\\\\.\\SIWVIDSTART",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
...
--- snip ---
I've rebuilt Wine-Staging 2.5 (comment #23) as well and it crashes in the same
way. In fact I ran the demo against all Wine 2.x, 3.x, 4.x, 5.x and 6.0
releases and it always crashes with the same crash pattern.
gcc version 10.2.1 20201125 (Red Hat 10.2.1-9)
WINEPREFIX is wiped each time; the demo install directory is reused.
--- snip ---
for ver in 2.{0..22} 3.{0..21} 4.{0..21} 5.{0..22} 6.0 ; do
    echo "#####"
    export WINEPREFIX=~/wineprefix-bug41469 && rm -rf "$WINEPREFIX"
    export WINEARCH=win32
    wine_register_path "$ver"   # reporter's own helper (not a Wine tool): selects the release under test
    winetricks nocrashdialog &> /dev/null
    wine ./SR2005_Demo.exe 2>&1 | egrep "(debugger|overflow)"
    wineserver -w
done
--- snip ---
Output:
--- snip ---
#####
Active Wine version: wine-2.0
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 003e), starting debugger...
#####
Active Wine version: wine-2.1
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0047), starting debugger...
#####
Active Wine version: wine-2.2
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0047), starting debugger...
#####
Active Wine version: wine-2.3
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0047), starting debugger...
...
#####
Active Wine version: wine-2.21
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0042), starting debugger...
#####
Active Wine version: wine-2.22
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0042), starting debugger...
#####
Active Wine version: wine-3.0
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0042), starting debugger...
#####
Active Wine version: wine-3.1
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0043), starting debugger...
...
#####
Active Wine version: wine-3.19
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 003e), starting debugger...
#####
Active Wine version: wine-3.20
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 003e), starting debugger...
#####
Active Wine version: wine-3.21
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 003f), starting debugger...
#####
Active Wine version: wine-4.0
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 003e), starting debugger...
#####
Active Wine version: wine-4.1
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0040), starting debugger...
...
#####
Active Wine version: wine-4.20
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 003f), starting debugger...
#####
Active Wine version: wine-4.21
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 0040), starting debugger...
...
#####
Active Wine version: wine-5.0
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 003f), starting debugger...
#####
Active Wine version: wine-5.1
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 003f), starting debugger...
#####
Active Wine version: wine-5.2
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 003f), starting debugger...
#####
...
Active Wine version: wine-5.6
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 003f), starting debugger...
#####
Active Wine version: wine-5.7
#####
Active Wine version: wine-5.8
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 00f8), starting debugger...
#####
Active Wine version: wine-5.9
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 00f8), starting debugger...
...
#####
Active Wine version: wine-5.21
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 019c), starting debugger...
#####
Active Wine version: wine-5.22
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 01a0), starting debugger...
#####
Active Wine version: wine-6.0
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 019c), starting debugger...
--- snip ---
The only exception is Wine 5.7:
--- snip ---
0009:Starting process L"Z:\\home\\focht\\Downloads\\JoWooD\\Ski Racing 2005 Demo\\SR2005_Demo.exe" (entryproc=0x69d080)
0009:Call ntdll.NtQueryInformationProcess(ffffffff,00000007,0032ff40,00000004,00000000) ret=7b00d224
0009:Ret ntdll.NtQueryInformationProcess() retval=00000000 ret=7b00d224
0009:Call KERNEL32.VirtualProtect(0032f654,000008c0,00000040,0069d056) ret=0069dd30
0009:Call ntdll.NtProtectVirtualMemory(ffffffff,0032f5dc,0032f5e0,00000040,0069d056) ret=7b0231ce
0009:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=7b0231ce
0009:Ret KERNEL32.VirtualProtect() retval=00000001 ret=0069dd30
0009:trace:seh:raise_exception code=c000001d flags=0 addr=0x69f927 ip=0069f927 tid=0009
0009:trace:seh:raise_exception eax=73a70193 ebx=7ffdf000 ecx=00063a00 edx=12345678 esi=0069e857 edi=006a0323
0009:trace:seh:raise_exception ebp=002177bb esp=0032feec cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0009:trace:seh:call_stack_handlers calling handler at 0x69eaa2 code=c000001d flags=0
0009:trace:seh:call_stack_handlers handler at 0x69eaa2 returned 0
--- snip ---
That's due to bug 49011 ("Multiple games and applications cause wineserver
crash in Wine 5.7") which broke the Wine 5.7 release for quite a number of apps
and games.
I even installed Ubuntu 16.04.1 LTS in a VirtualBox VM and used the original
Wine 2.5 and Wine-Staging 2.5 packages from WineHQ, trying to replicate Louis'
setup from comment #23. It still crashes in the same way.
--- snip ---
$ wine ./SR2005_Demo.exe
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0037), starting debugger...
Unhandled exception: page fault on write access to 0xa71233f8 in 32-bit code (0x006a1200).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
EIP:006a1200 ESP:0033fde4 EBP:002177bb EFLAGS:00010202( R- -- I - - - )
EAX:00000090 EBX:7ffdf000 ECX:00000090 EDX:ffeb8d48
ESI:0069e857 EDI:006a1200
Stack dump:
0x0033fde4: 7ffdf000 0069d080 0033fe28 0033fe04
0x0033fdf4: 7ffdf000 7b42943d 7b4629fe 00000000
0x0033fe04: 7b4616d9 7ffdf000 7b4629bc 7b4629bc
0x0033fe14: 7b4629bc 0033fe78 7b46299c 00000002
0x0033fe24: 7b63c000 0033fe78 7b4629bc 7ffdf000
0x0033fe34: 0069d080 7b42943d 7b4629fe 00000000
000c: sel=0067 base=00000000 limit=00000000 32-bit r-x
Backtrace:
=>0 0x006a1200 in sr2005_demo (+0x2a1200) (0x002177bb)
0x006a1200: rorb %cl,0xa6f0bc3d(%ebp)
Modules:
Module Address Debug info Name (19 modules)
PE 400000- 76c000 Export sr2005_demo
ELF 7b400000-7b7ec000 Deferred kernel32<elf>
\-PE 7b410000-7b7ec000 \ kernel32
ELF 7bc00000-7bd01000 Deferred ntdll<elf>
\-PE 7bc10000-7bd01000 \ ntdll
ELF 7c000000-7c004000 Deferred <wine-loader>
ELF 7ebd8000-7ebfb000 Deferred libtinfo.so.5
ELF 7ebfb000-7ec21000 Deferred libncurses.so.5
ELF 7ef51000-7ef64000 Deferred libnss_files.so.2
ELF 7ef64000-7ef71000 Deferred libnss_nis.so.2
ELF 7ef71000-7ef8c000 Deferred libnsl.so.1
ELF 7ef8c000-7efe1000 Deferred libm.so.6
ELF f73e4000-f73e9000 Deferred libdl.so.2
ELF f73e9000-f75a0000 Deferred libc.so.6
ELF f75a0000-f75bd000 Deferred libpthread.so.0
ELF f75d2000-f75dc000 Deferred libnss_compat.so.2
ELF f75dc000-f77ab000 Dwarf libwine.so.1
ELF f77ac000-f77d1000 Deferred ld-linux.so.2
ELF f77d3000-f77d4000 Deferred [vdso].so
Threads:
process tid prio (all id:s are in hex)
...
00000036 (D) Z:\home\vboxuser\Downloads\JoWooD\Ski Racing 2005 Demo\SR2005_Demo.exe ["Z:\home\vboxuser\Downloads\JoWooD\Ski Racing 2005 Demo\SR2005_Demo.exe"]
00000037 0 <==
...
System information:
Wine build: wine-2.5 (Staging)
Platform: i386
Version: Windows XP
Host system: Linux
Host version: 4.4.0-200-generic
--- snip ---
To rule out corruption issues with the installer/unpacking process I've checked
multiple download sites, but they all ended up with the same sha1 of the installer.
'SkiRacing2005-Demo-Setup1.exe':
https://www.virustotal.com/gui/file/a0ba5bfd6337e5257123969da783fac32991bac1e80dbe7a839ce013ea78ad04/details
Installed main binary 'SR2005_Demo.exe':
https://www.virustotal.com/gui/file/2b8cb8a5fcc7388ec6a6f50c8afc9103287c26dfc74c63366ec2da2652ced5d0/details
The protection code uses various obfuscation and anti-debugging tricks that
work even on older Wine versions.
Some techniques are incompatible with modern Windows OS though. For example it
writes/executes decryption routines on the stack, which is a no-go for DEP
enabled systems. It also places code in an "invisible" area above the current
top of stack (ESP), a technique which in the past caused problems with Wine's
signal stack / exception context saving.
--- snip ---
decrypt_timing_calc_routine:
...
0031FD6C | F2:89EA | mov edx,ebp |
0031FD6F | C6C2 FB | mov dl,FB |
0031FD72 | 2E64:89FB | mov ebx,edi |
0031FD76 | 61 | popad |
0031FD77 | 304C31 FF | xor byte ptr ds:[ecx+esi-1],cl |
0031FD7B | E2 FA | loop 31FD77 |
0031FD7D | 60 | pushad |
0031FD7E | B2 0A | mov dl,A |
0031FD80 | 88EB | mov bl,ch |
0031FD82 | 8D0D 72C17C07 | lea ecx,dword ptr ds:[77CC172] |
0031FD88 | 8D35 3191D74E | lea esi,dword ptr ds:[4ED79131] |
0031FD8E | C7C0 5AA8488F | mov eax,8F48A85A |
0031FD94 | B1 F9 | mov cl,F9 |
0031FD96 | F2:88E2 | mov dl,ah |
0031FD99 | 64:C6C2 8A | mov dl,8A |
0031FD9D | C7C0 0B830329 | mov eax,2903830B |
0031FDA3 | 64:8D05 6F7853C7 | lea eax,dword ptr ds:[C753786F] |
0031FDAA | C6C6 18 | mov dh,18 |
0031FDAD | 8D05 CB71DD34 | lea eax,dword ptr ds:[34DD71CB] |
0031FDB3 | F22E:B5 91 | mov ch,91 |
0031FDB7 | C6C5 36 | mov ch,36 |
0031FDBA | F2:88E7 | mov bh,ah |
0031FDBD | 2664:BA 0A1C6679 | mov edx,79661C0A |
0031FDC4 | EB 01 | jmp 31FDC7 |
...
0031FE59 | B3 1F | mov bl,1F |
0031FE5B | 89EF | mov edi,ebp |
0031FE5D | B3 15 | mov bl,15 |
0031FE5F | 61 | popad |
0031FE60 | FFE6 | jmp esi | 0x0069E857
...
do_execution_timing_checks:
0069E857 | 60 | pushad |
0069E858 | B8 22527CF4 | mov eax,F47C5222 |
0069E85D | BB 0C3EAEF1 | mov ebx,F1AE3E0C |
0069E862 | BA C655E8EE | mov edx,EEE855C6 |
0069E867 | E8 07000000 | call sr2005_demo.69E873 |
0069E86C | E8 02000000 | call sr2005_demo.69E873 |
0069E871 | FF25 60B90500 | jmp dword ptr ds:[5B960] |
...
--- snip ---
--- snip ---
EAX : 7FFDE030
EBX : 7FFDE000
ECX : 00000155
EDX : FFE98E98
EBP : 002177BB
ESP : 0031FF34
ESI : 0069E857 sr2005_demo.0069E857
EDI : 0031FBE3
EIP : 0031FD77
EFLAGS : 00010202
ZF : 0
OF : 0
CF : 0
PF : 0
SF : 0
TF : 0
AF : 0
DF : 0
IF : 1
LastError : 80000001
LastStatus : 80000001
GS : 006B sr2005_demo.63006B
ES : 002B
CS : 0023
FS : 0063
DS : 002B
SS : 002B
--- snip ---
EIP = 0031FD77
ESP = 0031FF34 (current top)
See bug 28089 ("exception handling code touches stack for exceptions handled by
the debugger"). Interestingly there was still enough space between the context
save and the bottom part of the decryption routine to not get corrupted.
---
There are also instruction execution timing related checks, but the threshold
seems large enough not to trigger misbehaviour when being run without
debuggers.
Anti-debug timing measurements:
--- snip ---
0069E85D | mov ebx,F1AE3E0C |
0069E862 | mov edx,EEE855C6 |
0069E867 | call sr2005_demo.69E873 |
0069E86C | call sr2005_demo.69E873 |
0069E871 | jmp dword ptr ds:[5B960] | *boom*
...
0069E873 | pushad |
0069E874 | mov ecx,5 | timing loop_count = 5
0069E879 | call sr2005_demo.69E87F |
...
0069E87F | add dword ptr ss:[esp],7 |
0069E883 | ret |
...
timing_loop:
0069E885 | rdtsc | start
0069E887 | call sr2005_demo.69E88D |
...
0069E88D | add dword ptr ss:[esp],7 | continuation
0069E891 | ret |
...
0069E893 | mov ebx,eax | Start.LowPart
0069E895 | call sr2005_demo.69E89B |
...
0069E89B | add dword ptr ss:[esp],7 | continuation
0069E89F | ret |
...
0069E8A1 | rdtsc | stop
0069E8A3 | call sr2005_demo.69E8A9 |
...
0069E8A9 | add dword ptr ss:[esp],7 | continuation
0069E8AD | ret |
...
0069E8AF | sub eax,ebx | End.LowPart
0069E8B1 | call sr2005_demo.69E8B7 |
...
0069E8B7 | add dword ptr ss:[esp],7 | continuation
0069E8BB | ret |
...
0069E8BD | and eax,FFFF0000 | elapsed ticks > 0xffff?
0069E8C2 | call sr2005_demo.69E8C8 |
...
0069E8C8 | add dword ptr ss:[esp],7 |
0069E8CC | ret |
...
0069E8CE | cmp eax,0 |
0069E8D1 | je sr2005_demo.69E8F1 | no debug
0069E8D3 | call sr2005_demo.69E8D9 |
...
0069E8D9 | add dword ptr ss:[esp],7 | continuation
0069E8DD | ret |
...
0069E8DF | dec ecx | loop_count
0069E8E0 | jne sr2005_demo.69E885 | timing_loop
0069E8E2 | call sr2005_demo.69E8E8 |
...
0069E8E8 | add dword ptr ss:[esp],7 | continuation
0069E8EC | ret |
...
0069E8EE | popad |
0069E8EF | ret |
...
no_debug:
0069E8F1 | popad |
0069E8F2 | call sr2005_demo.69E8F8 |
...
0069E8F8 | add dword ptr ss:[esp],7 | continuation
0069E8FC | ret |
...
0069E8FE | add dword ptr ss:[esp],9A | continuation
0069E905 | ret |
...
0069E906 | call sr2005_demo.69E917 |
...
0069E917 | call sr2005_demo.69E90D |
...
0069E90D | jmp sr2005_demo.69E920 |
...
0069E920 | ret 4 |
...
0069E91C | jmp sr2005_demo.69E911 |
...
0069E911 | jmp sr2005_demo.69E925 |
...
decrypt_next_routine:
0069E925 | mov ecx,65529 |
0069E92A | lea esi,dword ptr ss:[ebp+4871F1] |
0069E930 | call sr2005_demo.69E941 |
0069E935 | jmp E97BD52B |
...
--- snip ---
The decryption uses hardware breakpoints by design.
I've compared the exception context register values up to the crash site from
Louis' "good run" in comment #22 and Wine 6.0. All relevant register "seed"
values seem to match in each decrypt iteration. The crash site contains an
invalid opcode, indicating something went wrong in the last decryption process
or in the previous chain (different jump destination). Although still
obfuscated, the overall decrypted code doesn't seem systematically wrong. There
are still sequences that resemble previous decryption routines (chained
decryption).
Summarizing:
No one except Louis managed to run the demo; at that time he used Ubuntu LTS
16.04.1 with prebuilt Wine 2.5 and Wine-Staging 2.5 (comment #23). I couldn't
replicate his observation with the same software environment in a VM. The demo
doesn't run on Windows XP and Windows Vista according to comment #18 (albeit in
a VM).
I can't completely rule out that a VM might somehow play a role. But from what
I've seen so far, the protection doesn't have code for detecting Virtualization
/ Hypervisor presence (backdoor, timing analysis other than anti-debug, certain
privileged instructions, registry).
If someone has a machine with Windows XP/Windows 7 or old Ubuntu 16.04 LTS not
running as a virtualized guest, it would be nice to know if the demo runs there.
Then there might be a chance to figure out what's going on. Although somewhat
challenging, I don't want to spend multiple days on this since no other app/game
wrapped with JoWood X-Prot has been reported as affected.
$ sha1sum SkiRacing2005-Demo-Setup1.exe
d7684789b7de45fb909fc11846f5a1f24fd7d7cc SkiRacing2005-Demo-Setup1.exe
$ du -sh SkiRacing2005-Demo-Setup1.exe
42M SkiRacing2005-Demo-Setup1.exe
$ wine --version
wine-6.0-40-g00401d22782
Regards
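Added example (editor's code, not code from the bug report, from Wine or from
JoWood X-Prot): a small C program that re-implements the two mechanisms visible
in the disassembly above so they can be exercised outside the protected binary.
xprot_xor_loop() is the "xor byte ptr [ecx+esi-1],cl ; loop" decryption step,
including the key-byte wrap that the "mov ecx,65529" case runs into (the key is
only the low byte of the counter). xprot_timing_check() is the five-round rdtsc
check at 0069E873 with its "and eax,FFFF0000 ; je no_debug" threshold: one
sample under 0x10000 ticks is enough to take the no_debug path, only five
consecutive slow samples fall through to the "jmp dword ptr ds:[5B960]" path.
The function names, the spin-based simulate_debugger_stall() helper standing in
for what single-stepping or a breakpoint handler costs between the two rdtsc
reads, and the clock() fallback on non-x86 hosts are this example's own
assumptions; the sample buffer is constructed.

```c
/* Added example: re-implementation of two X-Prot mechanisms seen in the
 * disassembly (xor-with-counter decryption loop, rdtsc anti-debug check).
 * Names, the stall helper and the non-x86 fallback are assumptions of this
 * example, not something the protector itself does. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#endif

/* Equivalent of "xor byte ptr [ecx+esi-1],cl ; loop": walks the buffer
 * backwards, XORing each byte with the low 8 bits of the counter. XOR is its
 * own inverse, so the same call encrypts and decrypts. With ecx=65529 the
 * first byte touched is buf[65528] ^ 0xF9 and the key repeats every 256 bytes.
 * (A real x86 "loop" with ecx == 0 would spin 2^32 times; 0 is a no-op here.) */
void xprot_xor_loop(uint8_t *esi, uint32_t ecx)
{
    while (ecx != 0) {
        esi[ecx - 1] ^= (uint8_t)ecx;  /* cl == ecx & 0xff */
        ecx--;                         /* loop: dec ecx ; jnz */
    }
}

/* Time source: the real TSC on x86; elsewhere a coarse stand-in so the
 * example still compiles (assumption, not part of X-Prot). */
static uint64_t read_tsc(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    return (uint64_t)clock();
#endif
}

/* Mirror of 0069E873..0069E8F1: up to five samples, each the difference of
 * the low 32 bits of two rdtsc reads. A sample below 0x10000 ticks takes the
 * no_debug path (return 0). Only if all five exceed the threshold does the
 * loop fall through (return 1), which in the binary ends at
 * "jmp dword ptr ds:[5B960]". between_samples is optional work executed
 * between the two reads (NULL for the bare check). */
int xprot_timing_check(void (*between_samples)(void))
{
    for (uint32_t ecx = 5; ecx != 0; ecx--) {
        uint32_t start = (uint32_t)read_tsc();           /* rdtsc ; mov ebx,eax */
        if (between_samples)
            between_samples();
        uint32_t elapsed = (uint32_t)read_tsc() - start; /* rdtsc ; sub eax,ebx */
        if ((elapsed & 0xFFFF0000u) == 0)                /* and eax,FFFF0000 ; je */
            return 0;                                    /* no_debug */
    }
    return 1;                                            /* popad ; ret -> "boom" */
}

/* Stand-in for what single-stepping or a breakpoint handler costs between the
 * two rdtsc reads: spin for well over 0x10000 ticks (assumption). */
void simulate_debugger_stall(void)
{
    uint32_t t0 = (uint32_t)read_tsc();
    while ((uint32_t)read_tsc() - t0 < 0x20000u)
        ;
}

int main(void)
{
    /* Constructed sample: 300 zero bytes so the key wrap past 256 is visible. */
    uint8_t buf[300];
    memset(buf, 0, sizeof buf);
    xprot_xor_loop(buf, (uint32_t)sizeof buf);
    printf("buf[0]=%02x buf[255]=%02x buf[256]=%02x buf[299]=%02x\n",
           buf[0], buf[255], buf[256], buf[299]);
    xprot_xor_loop(buf, (uint32_t)sizeof buf);       /* second pass restores zeros */
    printf("round trip zero: %d\n", buf[0] == 0 && buf[299] == 0);
    printf("bare check: %d (0 = no debugger)\n", xprot_timing_check(NULL));
    printf("stalled check: %d (1 = debugger assumed)\n",
           xprot_timing_check(simulate_debugger_stall));
    return 0;
}
```

Build and run with "cc -o xprot xprot.c && ./xprot". The masking of the
elapsed value to bits 16..31 is what makes the check tolerant of ordinary
scheduling noise: a context switch between the two reads costs far fewer than
65536 cycles on a modern CPU, which matches the observation above that the
threshold is large enough when no debugger is attached.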