[Bug 33242] Panzer Elite Action Demo crashes randomly on startup (custom protection/DRM scheme by JoWooD)

wine-bugs at winehq.org
Wed Apr 23 16:28:09 CDT 2014


http://bugs.winehq.org/show_bug.cgi?id=33242

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht at gmx.net
            Summary|Panzer Elite Action Demo -  |Panzer Elite Action Demo
                   |Exception frame is not in   |crashes randomly on startup
                   |stack limits                |(custom protection/DRM
                   |                            |scheme by JoWooD)
     Ever confirmed|0                           |1

--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

Looks like a custom protection/DRM scheme (PEiD and ExeInfoPE fail to identify
it).

https://www.virustotal.com/en/file/fb44686840f005edecbcf7db52ec078e4fe10635cae05ea1ae3a2fc3a5447d64/analysis/

The vendor is JoWooD, so it's likely they "invented" their own protection/DRM
scheme.

The main executable imports only one API explicitly and has strange section
layouts.

--- snip ---
->Import Table
   1. ImageImportDescriptor:
    OriginalFirstThunk:  0x00000000
    TimeDateStamp:       0x00000000  (GMT: Thu Jan 01 00:00:00 1970)
    ForwarderChain:      0x00000000
    Name:                0x0004E034  ("kernel32.dll")
    FirstThunk:          0x0004E028

    Ordinal/Hint API name
    ------------ ---------------------------------------
    0x0000       "VirtualProtect"
--- snip ---

It uses some unwrapper/resolver/loader with various anti-debugging trickery.

--- snip ---
0024:Call KERNEL32.__wine_kernel_init() ret=7bc5a402
0024:Call PE DLL (proc=0x7bc9ea28,module=0x7bc10000
L"ntdll.dll",reason=PROCESS_ATTACH,res=0x1)
0024:Ret  PE DLL (proc=0x7bc9ea28,module=0x7bc10000
L"ntdll.dll",reason=PROCESS_ATTACH,res=0x1) retval=1
0024:Call PE DLL (proc=0x7b889e6c,module=0x7b810000
L"KERNEL32.dll",reason=PROCESS_ATTACH,res=0x1)
0024:Ret  PE DLL (proc=0x7b889e6c,module=0x7b810000
L"KERNEL32.dll",reason=PROCESS_ATTACH,res=0x1) retval=1
0024:Starting process L"C:\\Program Files\\Panzer Elite Action\\Panzer Elite
Action Demo\\pea.exe" (entryproc=0x44e077)
0024:Call KERNEL32.VirtualProtect(00f8ec11,000011f3,00000040,0044e056)
ret=0044fd2a
0024:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=0044fd2a
0024:trace:seh:raise_exception code=c000001d flags=0 addr=0x452f8f ip=00452f8f
tid=0024
0024:trace:seh:raise_exception  eax=f394f15b ebx=7b8bb000 ecx=000dfc00
edx=12345678 esi=0045134f edi=00454168
0024:trace:seh:raise_exception  ebp=fff63272 esp=00f8fddc cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010202
0024:trace:seh:call_stack_handlers calling handler at 0x451651 code=c000001d
flags=0
0024:trace:seh:call_stack_handlers handler at 0x451651 returned 0
0024:trace:seh:raise_exception code=80000004 flags=0 addr=0x452dea ip=00452dea
tid=0024
0024:trace:seh:raise_exception  eax=c2e01bdb ebx=7b8bb000 ecx=000dfbff
edx=4faf616c esi=0045134f edi=00454168
0024:trace:seh:raise_exception  ebp=4243484b esp=00f8fddc cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010202
0024:trace:seh:call_stack_handlers calling handler at 0x451651 code=80000004
flags=0
0024:trace:seh:call_stack_handlers handler at 0x451651 returned 0
0024:trace:seh:raise_exception code=c000001d flags=0 addr=0x452f8f ip=00452f8f
tid=0024
0024:trace:seh:raise_exception  eax=1756c9e1 ebx=7b8bb000 ecx=000dfa00
edx=4faf616c esi=0045134f edi=00454168
0024:trace:seh:raise_exception  ebp=fff63272 esp=00f8fddc cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010202
0024:trace:seh:call_stack_handlers calling handler at 0x451651 code=c000001d
flags=0
0024:trace:seh:call_stack_handlers handler at 0x451651 returned 0 
...
0024:Call KERNEL32.CreateFileA(00464d41
"\\\\.\\SICE",80000000,00000001,00000000,00000003,00000080,00000000)
ret=0046410a
0024:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0046410a
0024:Call KERNEL32.CreateFileA(00464d51
"\\\\.\\NTICE",80000000,00000001,00000000,00000003,00000080,00000000)
ret=0046410a
0024:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0046410a
0024:Call KERNEL32.CreateFileA(00464d61
"\\\\.\\SIWVID",80000000,00000001,00000000,00000003,00000080,00000000)
ret=0046410a
0024:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0046410a
0024:Call KERNEL32.CreateFileA(00464d71
"\\\\.\\REGMON",80000000,00000001,00000000,00000003,00000080,00000000)
ret=0046410a
0024:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0046410a
0024:Call KERNEL32.CreateFileA(00464d81
"\\\\.\\FILEMON",80000000,00000001,00000000,00000003,00000080,00000000)
ret=0046410a
0024:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0046410a
0024:Call KERNEL32.CreateFileA(00464d91
"\\\\.\\SIWDEBUG",80000000,00000001,00000000,00000003,00000080,00000000)
ret=0046410a
0024:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0046410a
0024:Call KERNEL32.CreateFileA(00464da1
"\\\\.\\SIWVIDSTART",80000000,00000001,00000000,00000003,00000080,00000000)
ret=0046410a
0024:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0046410a 
...
0024:Call KERNEL32.LoadLibraryA(0042e2ce "core.dll") ret=00536004
...
0024:Ret  PE DLL (proc=0x1004ff2a,module=0x10000000
L"core.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
0024:Ret  KERNEL32.LoadLibraryA() retval=10000000 ret=00536004 
...
0024:trace:seh:raise_exception code=c000001d flags=0 addr=0x15a94c23
ip=15a94c23 tid=0024
0024:trace:seh:raise_exception  eax=00000000 ebx=00000000 ecx=00000000
edx=00400000 esi=0042c210 edi=00426078
0024:trace:seh:raise_exception  ebp=15525759 esp=00f8fddc cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210246
0024:trace:seh:call_stack_handlers calling handler at 0x15a3055b code=c000001d
flags=0
0024:trace:seh:call_stack_handlers handler at 0x15a3055b returned 0 
...
0025:Ret  KERNEL32.SleepEx() retval=00000000 ret=10048ccd
0025:Call KERNEL32.SleepEx(00000001,00000001) ret=10048ccd
0026:Ret  KERNEL32.SleepEx() retval=00000000 ret=10048ccd
0026:Call KERNEL32.SleepEx(00000001,00000001) ret=10048ccd
0024:trace:seh:raise_exception code=c00000fd flags=0 addr=0x15ad15c7
ip=15ad15c7 tid=0024
0024:trace:seh:raise_exception  eax=15ad14b9 ebx=00000059 ecx=00000176
edx=00000080 esi=03d00aea edi=15ad14b9
0024:trace:seh:raise_exception  ebp=15525759 esp=00602000 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210202
0024:err:seh:raise_exception Exception frame is not in stack limits => unable
to dispatch exception.
0024:Call KERNEL32.FreeLibrary(7e1e0000) ret=7e64942a
0024:err:seh:setup_exception_record stack overflow 864 bytes in thread 0024 eip
f73a196b esp 00600fd0 stack 0x600000-0x601000-0xf90000 
...
--- snip ---

The crashes are a bit random, sometimes triggering 'winedbg' JIT handler.
Anyway the game doesn't come very far, regardless of type of crash.

I'm a bit surprised you get a black screen, which means some graphics have
already been initialized.

$ sha1sum PEA_Demo.zip 
419306ec19901e416e5ca2d416de9568ebb00ab2  PEA_Demo.zip

$ du -sh PEA_Demo.zip 
339M    PEA_Demo.zip

$ wine --version
wine-1.7.17-53-g5d31c1e

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
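
Added example (not part of the original comment and not Wine code): a small triage script for a +relay,+seh trace like the one quoted above. It rejoins the mail-wrapped lines, then reports exception codes, `\\.\` device probes and VirtualProtect calls that request PAGE_EXECUTE_READWRITE. The names `unwrap`, `triage` and `SAMPLE` are hypothetical, and the sample is constructed from records shaped like those in the trace.

```python
import re
from collections import Counter

CODES = {"c000001d": "ILLEGAL_INSTRUCTION", "80000004": "SINGLE_STEP",
         "c00000fd": "STACK_OVERFLOW"}
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample: records shaped like the trace above, hard-wrapped as in the mail.
SAMPLE = r'''0024:Call KERNEL32.VirtualProtect(00f8ec11,000011f3,00000040,0044e056)
ret=0044fd2a
0024:trace:seh:raise_exception code=c000001d flags=0 addr=0x452f8f ip=00452f8f
tid=0024
0024:trace:seh:raise_exception  eax=f394f15b ebx=7b8bb000 ecx=000dfc00
edx=12345678 esi=0045134f edi=00454168
0024:trace:seh:raise_exception code=80000004 flags=0 addr=0x452dea ip=00452dea
tid=0024
0024:Call KERNEL32.CreateFileA(00464d41
"\\\\.\\SICE",80000000,00000001,00000000,00000003,00000080,00000000)
ret=0046410a
0024:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0046410a
0024:Call KERNEL32.CreateFileA(00464d71
"\\\\.\\REGMON",80000000,00000001,00000000,00000003,00000080,00000000)
ret=0046410a
0024:trace:seh:raise_exception code=c00000fd flags=0 addr=0x15ad15c7
ip=15ad15c7 tid=0024
'''

def unwrap(text):
    """Rejoin mail-wrapped lines: a record starts with a 4-hex-digit thread id."""
    records = []
    for line in text.splitlines():
        if re.match(r"[0-9a-f]{4}:", line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Summarise exceptions, device-name probes and RWX VirtualProtect calls."""
    exceptions, probes, rwx = Counter(), [], []
    for rec in unwrap(text):
        if m := re.search(r"raise_exception code=(\w+) ", rec):
            exceptions[CODES.get(m.group(1), m.group(1))] += 1
        elif m := re.search(r'CreateFileA\(\w+ "(?:\\){4}\.(?:\\){2}(\w+)"', rec):
            probes.append(m.group(1))  # relay output prints \\.\NAME escaped
        elif m := re.search(r"Call KERNEL32\.VirtualProtect\((\w+),(\w+),(\w+),", rec):
            if int(m.group(3), 16) == PAGE_EXECUTE_READWRITE:
                rwx.append((m.group(1), int(m.group(2), 16)))  # (address, size)
    return {"exceptions": dict(exceptions), "device_probes": probes, "rwx": rwx}
```

Running `triage()` over a full log gives a quick picture of how many exceptions the loader raises on purpose and which device names it probes before the final stack overflow.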


