[Bug 25853] Dead Space 2 crashes on start (SecuROM Data File Activation 2.x/SecuROM SLL 1.x - Release Date Verification)

wine-bugs at winehq.org
Mon Jun 13 04:09:32 CDT 2011


http://bugs.winehq.org/show_bug.cgi?id=25853

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht at gmx.net
            Summary|Dead Space 2 with SecuROM   |Dead Space 2 crashes on
                   |protection crashes on start |start (SecuROM Data File
                   |                            |Activation 2.x/SecuROM SLL
                   |                            |1.x - Release Date
                   |                            |Verification)
     Ever Confirmed|0                           |1

--- Comment #10 from Anastasius Focht <focht at gmx.net> 2011-06-13 04:09:29 CDT ---
Hello,

some info (not an in-depth analysis): "RYG News: Analysing SecuROM In Dead
Space 2" ->
http://reclaimyourgame.com/content/739-RYG-News-Analysing-SecuROM-In-Dead-Space-2

--- snip ---
-=[ ProtectionID v0.6.4.0 JULY]=-
(c) 2003-2010 CDKiLLER & TippeX
Build 07/08/10-17:57:05
Ready...

Scanning -> H:\.wine\drive_c\Program Files\EA Games\ds2_temp_unpacked\deadspace_f_activation.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 7570776 (0738558h) Byte(s)
-> File Appears to be Digitally Signed @ Offset 0737000h, size : 01558h / 05464 byte(s)
[File Heuristics] -> Flag : 00000000000000000000000000000101 (0x00000005)
[!] SecuROM Detected - Version 07.42.0001
[!] Possible CD/DVD-Key or Serial Check -> Invalid serial
[CompilerDetect] -> Visual C++ 7.1 (Visual Studio 2003)
- Scan Took : 0.389 Second(s)

Scanning -> H:\.wine\drive_c\Program Files\EA Games\ds2_temp_unpacked\DFA.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 6280680 (05FD5E8h) Byte(s)
-> File Appears to be Digitally Signed @ Offset 05FC088h, size : 01560h / 05472 byte(s)
-> File has 136 (088h) bytes of appended data starting at offset 05FC000h
[File Heuristics] -> Flag : 00000000000000000001000000000111 (0x00001007)
[!] SecuROM SLL v 1.6.1 Protected (For SecuROM v 7.42.1)
[i] SecuROM Data File Activation Core Module - version 2.2.0
[CompilerDetect] -> Visual C++ 7.1 (Visual Studio 2003)
- Scan Took : 0.281 Second(s)
--- snip ---

--- quote ---
Well, ok, that's not about FT_Thunk, just another check. 
--- quote ---

The FT_Thunk check is just part of the SecuROM prerequisite code, which is to
determine the exact OS version.
It is executed before every in-depth security check because the checks are
tailored to specific Windows versions.

--- quote ---
But strange, that UnhandledExceptionFilter() returned
NULL, while it was given a non-NULL value just a few lines above. Is it normal?
--- quote ---

The SEH chain has already been populated at this point and no handler felt
responsible, so it's ok to bail and pass this unexpected failure to the OS crash
handler (hence EXCEPTION_CONTINUE_SEARCH).

It seems the crash is located in some kind of obfuscation wrapper for API calls
(stack is specially prepared).
I've seen this somewhere but can't remember ... maybe I'll look into that later
in detail.
The problem is, if you don't know which API is being called in the end, you miss
essential information to determine where things started to go wrong (these
wrappers are pure obfuscated code).

Regards

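The scan output quoted in the comment reports a signature offset and size and, for DFA.dll, 136 bytes of appended data (05FC000h + 088h = 05FC088h, where the signature starts). The following is an added example, not part of the original post and not ProtectionID's code, showing how those three values can be read from standard PE header fields. The names `pe_layout` and `build_sample` are hypothetical, the sample file is constructed, and counting "appended data" as the bytes between the end of section data and the certificate table is an assumption that happens to match the DFA.dll numbers.

```python
import struct

def pe_layout(data: bytes) -> dict:
    """Locate end of section data, the certificate table, and the bytes between."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]            # PE32 / PE32+
    ndirs, = struct.unpack_from("<I", data, dirs - 4)      # NumberOfRvaAndSizes
    # Directory 4 is the certificate table; unlike the other directories its
    # first field is a file offset, not an RVA.
    cert_off, cert_size = (struct.unpack_from("<II", data, dirs + 4 * 8)
                           if ndirs > 4 else (0, 0))
    end = 0
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from(
            "<II", data, opt + opt_size + i * 40 + 16)     # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    limit = cert_off if cert_off else len(data)
    return {"sections_end": end, "cert_offset": cert_off,
            "cert_size": cert_size, "appended": max(0, limit - end)}

def build_sample() -> bytes:
    """Constructed PE32 skeleton: one section, 0x88 stray bytes, then a dummy cert blob."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # 16 data directories
    struct.pack_into("<II", opt, 96 + 4 * 8, 0x488, 0x20)  # certificate table entry
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(0x200, b"\0") + bytes(0x200) + b"A" * 0x88 + bytes(0x20)

if __name__ == "__main__":
    for key, value in pe_layout(build_sample()).items():
        print(f"{key:13} {value:#x}")
```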