[Bug 10273] New: satisfy SafeDisc 2.x heuristic API analyzer by "adjusting" API exports/entry statistics of wine builtins
wine-bugs at winehq.org
Thu Nov 1 19:22:19 CDT 2007
http://bugs.winehq.org/show_bug.cgi?id=10273
Summary: satisfy SafeDisc 2.x heuristic API analyzer by
"adjusting" API exports/entry statistics of wine
builtins
Product: Wine
Version: CVS/GIT
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: enhancement
Priority: P2
Component: wine-kernel
AssignedTo: wine-bugs at winehq.org
ReportedBy: focht at gmx.net
Created an attachment (id=8924)
--> (http://bugs.winehq.org/attachment.cgi?id=8924)
Patch which should fix SafeDisc 2.x copy protection api analyzer issue
Hello,
If you are not interested in the technical details, go to (2) ;-)
I made this a separate bug report like
http://bugs.winehq.org/show_bug.cgi?id=9925 (SafeDisc 1.x stopper) because
SafeDisc has many flavors that differ in various technical ways and can't be
discussed/handled in a single SafeDisc "metabug" like
http://bugs.winehq.org/show_bug.cgi?id=219
SafeDisc major-version-based separation allows better tracking of "completion"
state (1.x/2.x/3.x/4.x).
-----------
(1)
It took me a couple of days to get an idea of what SafeDisc 2.x really does with
the API exports and to find a way to cope with it...
Various anti-debugging techniques and nasty runtime code obfuscation made this
journey somewhat challenging.
Parts of SafeDisc 2.x analyze the API code of the following system libraries:
kernel32.dll (wine builtin)
user32.dll (wine builtin)
gdi32.dll (wine builtin)
cdasdtst.dll (developer backdoor?)
The latter one is probably a "developer backdoor", used to verify their
code/algorithms (it does not need to be present).
For each of these libraries all named exports are taken into account.
A number of API entry opcode sequences are read and used for statistical
analysis (number depends on type of encountered opcodes).