[Bug 2770] powerbullet.dll fails to register (armadillo protection fails at checkpoint L5, error 0x17)

wine-bugs at winehq.org
Wed Apr 27 08:20:57 CDT 2011


http://bugs.winehq.org/show_bug.cgi?id=2770

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |Installer, obfuscation
                URL|http://powerbullet.com/down |http://wareseeker.com/downl
                   |load.html                   |oad/powerbullet-presenter-1
                   |                            |.44.rar/332339
                 CC|                            |focht at gmx.net
            Summary|powerbullet.dll fails to    |powerbullet.dll fails to
                   |register                    |register (armadillo
                   |                            |protection fails at
                   |                            |checkpoint L5, error 0x17)

--- Comment #18 from Anastasius Focht <focht at gmx.net> 2011-04-27 08:20:54 CDT ---
Hello,

the "Powerbullet.dll" file in question is wrapped with Armadillo protection:

--- snip ---
Scanning -> H:\.wine\drive_c\Program Files\Powerbullet\Powerbullet.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 1736704 (01A8000h)
Byte(s)
[File Heuristics] -> Flag : 00000000000000001100001100100001 (0x0000C321)
[!] Armadillo v4.00 - v4.42 detected !
[CompilerDetect] -> Visual C/C++
- Scan Took : 0.439 Second(s)
--- snip ---

Trace log reveals not very much, various anti-debugging trickery, virtual
machine/emulator detection and the like...

--- snip ---
...
0023:Call KERNEL32.OutputDebugStringA(0033f06c
"%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s")
ret=10022111
0023:Ret  KERNEL32.OutputDebugStringA() retval=00000000 ret=10022111 
--- snip ---

Interesting tidbit: That OutputDebugStringA() call is actually a known
vulnerability to trash some OllyDbg (debugger) versions ;-)

Hardware-id gathering before the error:

--- snip ---
...
0023:Call rpcrt4.UuidCreateSequential(0033e718) ret=10008be5 
...
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e046 
...
0023:Ret  iphlpapi.GetAdaptersInfo() retval=0000006f ret=6857e046 
...
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e0b9 
...
0023:Ret  iphlpapi.GetAdaptersInfo() retval=00000000 ret=6857e0b9 
...
0023:Ret  rpcrt4.UuidCreateSequential() retval=00000000 ret=10008be5 
...
0023:Call KERNEL32.MultiByteToWideChar(00000000,00000000,10038050
"InvalidKey",ffffffff,00dc8038,00010000) ret=1002f0ec 
...
0023:Call KERNEL32.WideCharToMultiByte(00000000,00000000,00db4030 L"This
program has been damaged, possibly by a bad sector of the hard drive or a
virus. Please reinstall it.",ffffffff,0032e424,00010000,00000000,00000000)
ret=1002f0ba
--- snip ---

Anything bogus from UuidCreateSequential() is most likely not the cause for the
error.
The code following checks the first 3 bytes of uuid->Data4 for constant values
(0x00,0x03,0xFF) probably to detect some virtual network adapters from PC
emulators (like VirtualPC).
After that it processes internal data and calculates something like a checksum.
Preliminary debugging through the code mess pinpoints the validation failure
between checkpoint LP5 and LP6.
The internal error code is 0x17 - it is never printed but one can see it in
debugger data/code string references.
CCx,LPx = some Armadillo internal mechanism to track the stage of protector
initialization.

Will revisit later ...

Regards
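
The Call/Ret lines quoted in this comment are Wine relay trace output. As an added example (not part of the original comment or of Wine), the script below pairs them per thread, which shows GetAdaptersInfo running nested inside UuidCreateSequential and identifies its 0x6f return as ERROR_BUFFER_OVERFLOW, the usual sizing probe before a retry. The sample trace is constructed from the quoted lines; the function names `parse` and `findings` are hypothetical.

```python
import re

# Constructed sample in Wine relay-trace format, modelled on the lines quoted
# in the comment (wrapped arguments rejoined, format string shortened).
TRACE = """\
0023:Call KERNEL32.OutputDebugStringA(0033f06c "%s%s%s%s") ret=10022111
0023:Ret  KERNEL32.OutputDebugStringA() retval=00000000 ret=10022111
0023:Call rpcrt4.UuidCreateSequential(0033e718) ret=10008be5
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e046
0023:Ret  iphlpapi.GetAdaptersInfo() retval=0000006f ret=6857e046
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e0b9
0023:Ret  iphlpapi.GetAdaptersInfo() retval=00000000 ret=6857e0b9
0023:Ret  rpcrt4.UuidCreateSequential() retval=00000000 ret=10008be5
0023:Call KERNEL32.MultiByteToWideChar(00000000,00000000,10038050 "InvalidKey",ffffffff,00dc8038,00010000) ret=1002f0ec
"""

LINE = re.compile(r'^([0-9a-f]{4}):(Call|Ret)\s+(\w+)\.(\w+)\((.*)\)'
                  r'(?: retval=([0-9a-f]+))? ret=([0-9a-f]+)$')

def parse(trace):
    """Pair Call/Ret lines per thread; return (completed, still-open) calls."""
    stacks, done = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "..." elisions and hard-wrapped fragments are skipped
        tid, kind, mod, func, args, retval, ret = m.groups()
        stack = stacks.setdefault(tid, [])
        if kind == "Call":
            stack.append({"api": f"{mod}.{func}", "args": args,
                          "caller": ret, "depth": len(stack)})
        elif stack and stack[-1]["caller"] == ret:
            call = stack.pop()
            call["retval"] = int(retval or "0", 16)
            done.append(call)
    return done, [c for s in stacks.values() for c in s]

def findings(done, pending):
    """Flag the trace features the comment discusses."""
    notes = []
    for c in done:
        if c["api"].endswith("OutputDebugStringA") and c["args"].count("%s") >= 4:
            notes.append(("format-string debug output", c["api"]))
        if c["api"].endswith("GetAdaptersInfo") and c["retval"] != 0:
            # 0x6f == ERROR_BUFFER_OVERFLOW: caller is asking for the buffer size
            kind = "sizing probe" if c["retval"] == 0x6F else "adapter query failed"
            notes.append((kind, c["api"]))
    return notes + [("no Ret seen", c["api"]) for c in pending]

if __name__ == "__main__":
    for note in findings(*parse(TRACE)):
        print(note)
```

Lines copied from the mail archive must have their hard-wrapped arguments rejoined onto one line first, otherwise they are skipped.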
