[Bug 27550] New: SafeDisc 4.x: first opcode byte of kernel32.DebugBreak() API entry must not be "int 3" (0xCC) (Rainbow Six: Vegas 2 fails on startup)

wine-bugs at winehq.org
Mon Jun 20 18:26:15 CDT 2011


http://bugs.winehq.org/show_bug.cgi?id=27550

           Summary: SafeDisc 4.x: first opcode byte of
                    kernel32.DebugBreak() API entry must not be "int 3"
                    (0xCC) (Rainbow Six: Vegas 2 fails on startup)
           Product: Wine
           Version: 1.3.22
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: kernel32
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net


Hello,

"Rainbow Six: Vegas 2" complains about a debugger being present. 
The game shows a message box on startup:

"A debugger has been detected"
"Unload the debugger and try again"

--- snip ---
=[ ProtectionID v0.6.4.0 JULY]=-
(c) 2003-2010 CDKiLLER & TippeX
Build 07/08/10-17:57:05
Ready...
Scanning -> Z:\home\focht\.wine\drive_c\Program Files\Ubisoft\Tom Clancy's
Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 30277768 (01CE0088h)
Byte(s)
-> File Appears to be Digitally Signed @ Offset 01CDEE00h, size : 01288h /
04744 byte(s)
-> File has 1449472 (0161E00h) bytes of appended data starting at offset
01B7D000h
[File Heuristics] -> Flag : 00000000000000000100000000000111 (0x00004007)
[!] Safedisc v4.85.000 detected !
[i] Appended data contents....
   [.] o: 0x01B7D028  / t: <0xA8726B03> <0xEF01996C> <0x00000001> / s: 00302963
byte(s) -> ~deaa13.tmp
   [.] o: 0x01BC6FC2  / t: <0xA8726B03> <0xEF01996C> <0x0000044C> / s: 00015887
byte(s) -> clcd32.dll
   [.] o: 0x01BCADF8  / t: <0xA8726B03> <0xEF01996C> <0x0000044C> / s: 00004122
byte(s) -> clcd16.dll
   [.] o: 0x01BCBE36  / t: <0xA8726B03> <0xEF01996C> <0x0000044D> / s: 00037971
byte(s) -> mcp.dll
   [.] o: 0x01BD52B2  / t: <0xA8726B03> <0xEF01996C> <0x0000000B> / s: 00005446
byte(s) -> SecDrv04.VxD
   [.] o: 0x01BD681D  / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00072192
byte(s) -> ~e5.0001
   [.] o: 0x01BE8244  / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00045056
byte(s) -> PfdRun.pfd
   [.] o: 0x01BF326C  / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00965148
byte(s) -> ~df394b.tmp
[CompilerDetect] -> Visual C++ 8.0 (Visual Studio 2005)
- Scan Took : 1.569 Second(s) 
--- snip ---

I debugged the protection through various anti-debugging checks and found out a
specific check failed.
SafeDisc 4.x checks all kernel32 exports and specifically looks for
soft-breakpoints (0xcc) on API entries.
This fails now for kernel32.DebugBreak() because AJ used an inline asm int 3
(0xcc) to fix bug 24157.
The protection treats this as a "malicious" soft breakpoint and flags this entry
as "bad".

bug 24157 ->
http://source.winehq.org/git/wine.git/commitdiff/5f06809ab3339e2001de57f18be988146915bb7b
- technically a regression.

Fortunately SafeDisc only checks the first opcode byte so one could prepend a
simple "HOTPATCH" instruction to work around that.
Though I'm not sure if this is a "safe" long term solution (in this case it's
sufficient).

Another way could be forwarding kernel32.DebugBreak to ntdll.DbgBreakPoint.

I only tested both methods, they work.
Though the copy protection later fails for DVD media validation but this is
another bug.

Regards
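
Added example, not part of the original report and not Wine or SafeDisc code: a small C model of the entry check described above, run over constructed byte sequences. It assumes the "HOTPATCH" prefix is the two-byte `mov edi, edi` (8B FF); `window_flagged` is a hypothetical stricter check that shows why relying on a first-byte-only check may not hold long term.

```c
#include <stddef.h>
#include <stdio.h>

#define INT3 0xCC  /* x86 soft-breakpoint opcode */

struct export_entry { const char *name; const unsigned char *code; size_t len; };

/* Constructed entry bytes for illustration; not dumped from any real DLL. */
static const unsigned char plain_int3[] = { 0xCC, 0xC3 };              /* int3; ret */
static const unsigned char hotpatched[] = { 0x8B, 0xFF, 0xCC, 0xC3 };  /* mov edi,edi; int3; ret */
static const unsigned char ordinary[]   = { 0x55, 0x8B, 0xEC, 0x5D, 0xC3 };

static const struct export_entry sample_exports[] = {
    { "DebugBreak, inline int3",     plain_int3, sizeof plain_int3 },
    { "DebugBreak, hotpatch prefix", hotpatched, sizeof hotpatched },
    { "OrdinaryApi (hypothetical)",  ordinary,   sizeof ordinary   },
};
#define N_EXPORTS (sizeof sample_exports / sizeof sample_exports[0])

/* The check as the report describes it: look at the first opcode byte only. */
int first_byte_flagged(const struct export_entry *e)
{
    return e->len > 0 && e->code[0] == INT3;
}

/* Hypothetical stricter check: 0xCC anywhere in the first `window` bytes.
 * Naive on purpose: it would also match 0xCC used as an operand byte. */
int window_flagged(const struct export_entry *e, size_t window)
{
    size_t n = e->len < window ? e->len : window;
    for (size_t i = 0; i < n; i++)
        if (e->code[i] == INT3)
            return 1;
    return 0;
}

int main(void)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        printf("%-28s first-byte=%d window(4)=%d\n", sample_exports[i].name,
               first_byte_flagged(&sample_exports[i]),
               window_flagged(&sample_exports[i], 4));
    return 0;
}
```

The hotpatch-prefixed entry passes the first-byte check but is still flagged by the wider window.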
