[Bug 36023] Need For Speed Porsche Unleashed (NFS5) running in Win9X mode crashes on startup (SafeDisc v1.x patches div0 exception handler code pointed by IDT entry 0)

wine-bugs at winehq.org
Mon Apr 21 15:19:46 CDT 2014


http://bugs.winehq.org/show_bug.cgi?id=36023

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |focht at gmx.net
            Version|unspecified                 |1.7.17
         Resolution|---                         |WONTFIX
            Summary|Need For Speed Porsche      |Need For Speed Porsche
                   |Unleashed (NFS5) fails to   |Unleashed (NFS5) running in
                   |launch after installing.    |Win9X mode crashes on
                   |                            |startup (SafeDisc v1.x
                   |                            |patches div0 exception
                   |                            |handler code pointed by IDT
                   |                            |entry 0)

--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

The game is protected by SafeDisc v1.4.

Running games with that protection scheme/version in Win9X mode is not going to
work and is not supported, because the driver implements certain anti-debugging
measures specifically crafted for Win9X that can't work with NT-based systems.

You need to run the game in 'Windows 2000' mode.
SafeDisc 1.x can't work with 'Windows XP' and higher by design, see bug 27503.

Also make sure you've read the appdb entry:
http://appdb.winehq.org/objectManager.php?sClass=version&iId=3404

Don't forget to pass 'driver=dx7z' when you run the executable.

--- snip ---
Unhandled exception: page fault on read access to 0x00000000 in 32-bit code
(0x004262a2).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:004262a2 ESP:0032d9e4 EBP:0032da30 EFLAGS:00010246(  R- --  I  Z- -P- )
 EAX:c17c7000 EBX:00000001 ECX:0032da58 EDX:0032d9c8
 ESI:00000000 EDI:00400000
...
Backtrace:
=>0 0x004262a2 in porsche (+0x262a2) (0x0032da30)
  1 0x0042641f in porsche (+0x2641e) (0x0032daf4)
  2 0x00422d9c in porsche (+0x22d9b) (0x0032dba4)
  3 0x00421e56 in porsche (+0x21e55) (0x0032dbc4)
  4 0x0042111e in porsche (+0x2111d) (0x0032dc08)
  5 0x00420bea in porsche (+0x20be9) (0x0032fc64)
  6 0x0042087e in porsche (+0x2087d) (0x0032fcbc)
  7 0x00422506 in porsche (+0x22505) (0x0032fcf4)
  8 0x0040e279 in porsche (+0xe278) (0x0032fdd4)
  9 0x004169b2 in porsche (+0x169b1) (0x0032fe60)
  10 0x7b861d8c call_process_entry+0xb() in kernel32 (0x0032fe78)
  11 0x7b86588b in kernel32 (+0x5588a) (0x0032feb8)
  12 0x7bc7d970 call_thread_func_wrapper+0xb() in ntdll (0x0032fed8)
  13 0x7bc7dbcd call_thread_func+0x7c() in ntdll (0x0032ffa8)
  14 0x7bc7d94e RtlRaiseException+0x21() in ntdll (0x0032ffc8)
  15 0x7bc53ebe in ntdll (+0x43ebd) (0x0032ffe8)
0x004262a2: movl    0x0(%esi),%edi
Modules:
Module    Address            Debug info    Name (52 modules)
PE      400000-  444000    Export          porsche
...
Threads:
process  tid      prio (all id:s are in hex)
00000008 (D) C:\Program Files\Electronic Arts\Need For Speed - Porsche
Unleashed\Porsche.exe
    00000009    0 <==
...
--- snip ---

Protection scan:

--- snip ---
-=[ ProtectionID v0.6.5.5 OCTOBER]=-
(c) 2003-2013 CDKiLLER & TippeX
Build 31/10/13-21:09:09
Ready...

Scanning -> Z:\home\focht\.wine\drive_c\Program Files\Electronic Arts\Need For
Speed - Porsche Unleashed\dplayerx.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 173568 (02A600h)
Byte(s)
[File Heuristics] -> Flag : 00000000000001001100000000000001 (0x0004C001)
[Entrypoint Section Entropy] : 6.51
[!] Safedisc core dll (dplayerx.dll) detected!
[CompilerDetect] -> Visual C++ 5.0
- Scan Took : 0.291 Second(s) [000000123h tick(s)] [229 scan(s) done]

Scanning -> Z:\home\focht\.wine\drive_c\Program Files\Electronic Arts\Need For
Speed - Porsche Unleashed\drvmgt.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 31744 (07C00h) Byte(s)
[File Heuristics] -> Flag : 00000000000001001100000000000000 (0x0004C000)
[Entrypoint Section Entropy] : 6.35
[!] Safedisc driver managment dll (drvmgt.dll) detected!
[CompilerDetect] -> Visual C++ 5.0
- Scan Took : 0.268 Second(s) [00000010Ch tick(s)] [229 scan(s) done]

Scanning -> Z:\home\focht\.wine\drive_c\Program Files\Electronic Arts\Need For
Speed - Porsche Unleashed\Porsche.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 249119 (03CD1Fh)
Byte(s)
-> File has 1311 (051Fh) bytes of appended data starting at offset 03C800h
[File Heuristics] -> Flag : 00000000000001001100000000000101 (0x0004C005)
[Entrypoint Section Entropy] : 6.56
[!] Safedisc v1.41.000 detected !
[CompilerDetect] -> Visual C++ 5.0
- Scan Took : 0.316 Second(s) [00000013Ch tick(s)] [533 scan(s) done]

Scanning -> Z:\home\focht\.wine\drive_c\Program Files\Electronic Arts\Need For
Speed - Porsche Unleashed\secdrv.sys
File Type : 32-Bit Driver (good checksum) (Subsystem : Native / 1), Size :
10848 (02A60h) Byte(s)
-> File has 2368 (0940h) bytes of appended data starting at offset 02120h
[File Heuristics] -> Flag : 00000100000000000000000000000111 (0x04000007)
[Entrypoint Section Entropy] : 5.26
[Debug Info]
Characteristics : 0x0 | TimeDateStamp : 0x37FB7638 | MajorVer : 0 / MinorVer :
0 -> (0.0)
Type : 1 -> Coff | Size : 0x74B (1867)
AddressOfRawData : 0x0 | PointerToRawData : 0x2120
[!] Safedisc protection driver (secdrv.sys) detected!
- Scan Took : 0.289 Second(s) [000000121h tick(s)] [128 scan(s) done]
--- snip ---

Code in question (see the fault address 0x004262a2):

--- snip ---
.txt2:00426290   pusha
.txt2:00426291   mov     word ptr [ebp-1Ch], cs
.txt2:00426295   sidt    fword ptr [ebp-14h] ; get contents of IDTR
.txt2:00426299   mov     eax, [ebp-12h]      ; IDT linear base address
.txt2:0042629C   mov     esi, [eax+4]        ; int 0 vector address (trap 0)
.txt2:0042629F   mov     si, [eax]
.txt2:004262A2   mov     edi, [esi]
.txt2:004262A4   mov     [ebp-4], edi        ; save old handler entry opcodes
.txt2:004262A7   mov     edi, [esi+4]
.txt2:004262AA   mov     [ebp-8], edi
.txt2:004262AD   mov     dword ptr [esi+1], 0CF530E58h ; write out new opcodes
.txt2:004262B4   mov     byte ptr [esi], 58h
.txt2:004262B7   lea     ebx, loc_4262C1     ; int 0 continuation
.txt2:004262BD   xor     eax, eax
.txt2:004262BF   div     eax              ; trigger division-by-zero exception
...
--- snip ---

Int 0 handler patched to new code:

--- snip ---
$+0  58    POP EAX
$+1  58    POP EAX
$+2  0E    PUSH CS
$+3  53    PUSH EBX
$+4  CF    IRETD
--- snip ---

To start with, directly trapping and emulating the 'sidt' instruction is only
possible with a VMM/hypervisor.
IDT accesses can be detected by examining the address range in the page fault
handler.
The code to implement this - that is, handling the various load/store
combinations and additionally emulating the IDT trap/handler code in userspace -
is not really worth the hassle.

Another SafeDisc bug dealing with IDT -> bug 31279

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
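The following is an added example, not code from the bug report, from Wine or from SafeDisc. It shows in plain C what the disassembly above does to an x86 IDT entry: decoding the 6-byte image stored by 'sidt' (16-bit limit, 32-bit linear base), reconstructing the handler address from a 32-bit gate descriptor exactly as the 'mov esi,[eax+4] / mov si,[eax]' pair does, mirroring the 5-byte handler patch (58 58 0E 53 CF = pop eax / pop eax / push cs / push ebx / iretd), and the "does this address fall inside the IDT" range check a page fault handler would use to detect such accesses. All input bytes (kSampleIdtr, kSampleGate, kOldHandler) are constructed sample data, not values captured from the game or from a real IDT.

```c
/* Added example: IDT gate decoding and the SafeDisc-style handler patch.
 * Sample bytes below are constructed for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Image stored by 'sidt m48': 16-bit limit, then 32-bit linear base. */
struct idtr_image { uint16_t limit; uint32_t base; };

/* Constructed IDTR: limit 0x7FF (256 gates * 8 - 1), base 0x80036400. */
static const uint8_t kSampleIdtr[6] = { 0xFF, 0x07, 0x00, 0x64, 0x03, 0x80 };

/* Constructed 32-bit interrupt gate for vector 0:
 * offset_lo 0xABCD, selector 0x0008, zero, type/attr 0x8E, offset_hi 0x8053. */
static const uint8_t kSampleGate[8] = { 0xCD, 0xAB, 0x08, 0x00, 0x00, 0x8E, 0x53, 0x80 };

/* Constructed "old" handler bytes that the stub saves before patching. */
static const uint8_t kOldHandler[8] = { 0x66, 0x90, 0x55, 0x8B, 0xEC, 0x53, 0x56, 0x57 };

/* Bytes the patch leaves at the handler: pop eax/pop eax/push cs/push ebx/iretd. */
static const uint8_t kPatch[5] = { 0x58, 0x58, 0x0E, 0x53, 0xCF };

static struct idtr_image parse_idtr(const uint8_t *m48)
{
    struct idtr_image r;
    r.limit = (uint16_t)(m48[0] | (m48[1] << 8));
    r.base  = (uint32_t)m48[2] | ((uint32_t)m48[3] << 8) |
              ((uint32_t)m48[4] << 16) | ((uint32_t)m48[5] << 24);
    return r;
}

/* Mirrors 'mov esi,[eax+4]' (low word = type/attr, high word = offset[31:16])
 * followed by 'mov si,[eax]' (low word replaced by offset[15:0]). */
static uint32_t gate_handler(const uint8_t *gate)
{
    uint32_t hi_dword = (uint32_t)gate[4] | ((uint32_t)gate[5] << 8) |
                        ((uint32_t)gate[6] << 16) | ((uint32_t)gate[7] << 24);
    uint16_t lo_word = (uint16_t)(gate[0] | (gate[1] << 8));
    return (hi_dword & 0xFFFF0000u) | lo_word;
}

/* Range check a page fault handler could apply to spot IDT accesses:
 * is the faulting linear address inside [base, base + limit]? */
static bool addr_in_idt(struct idtr_image idtr, uint32_t addr)
{
    return addr >= idtr.base && addr <= idtr.base + idtr.limit;
}

/* Mirrors the patch in the listing:
 *   mov dword ptr [esi+1], 0CF530E58h   ; little-endian 58 0E 53 CF
 *   mov byte  ptr [esi], 58h
 * The first 8 bytes are saved beforehand, as the stub does into [ebp-4]/[ebp-8]. */
static void patch_handler(uint8_t *handler, uint8_t saved[8])
{
    const uint32_t imm = 0xCF530E58u;
    memcpy(saved, handler, 8);
    for (int i = 0; i < 4; i++)                 /* explicit little-endian store */
        handler[1 + i] = (uint8_t)(imm >> (8 * i));
    handler[0] = 0x58;
}

/* Runs the patch on a copy of kOldHandler and checks both the new bytes and
 * the saved original; returns true when they match expectations. */
static bool patch_self_check(void)
{
    uint8_t buf[8], saved[8];
    memcpy(buf, kOldHandler, 8);
    patch_handler(buf, saved);
    return memcmp(buf, kPatch, 5) == 0 &&
           memcmp(buf + 5, kOldHandler + 5, 3) == 0 &&   /* bytes past the patch untouched */
           memcmp(saved, kOldHandler, 8) == 0;
}

int main(void)
{
    struct idtr_image idtr = parse_idtr(kSampleIdtr);
    uint32_t handler = gate_handler(kSampleGate);
    printf("IDT base 0x%08x limit 0x%04x, vector 0 handler 0x%08x\n",
           idtr.base, idtr.limit, handler);
    printf("fault at base+4 inside IDT: %d, fault at base+0x1000: %d\n",
           addr_in_idt(idtr, idtr.base + 4), addr_in_idt(idtr, idtr.base + 0x1000));
    printf("patch self-check: %s\n", patch_self_check() ? "ok" : "FAILED");
    return patch_self_check() ? 0 : 1;
}
```

The range check is the cheap half of what the comment describes: a fault whose address lies in the 'sidt' range tells you the code is reading or writing gate descriptors, but the faulting instruction still has to be decoded (which register, which width, load or store) and the resulting "int 0 continuation" behaviour emulated, which is the part judged not worth the effort.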
