[Bug 27221] Full Spectrum Warrior crashes on start (SoftWrap DRM scheme, Wine must not send window object creation event/call notify event hook for fake D3D window)

wine-bugs at winehq.org wine-bugs at winehq.org
Wed Jan 29 14:40:50 CST 2014


https://bugs.winehq.org/show_bug.cgi?id=27221

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
                URL|http://www.joystiq.com/game |http://www.gamershell.com/d
                   |/full-spectrum-warrior/down |ownload_33784.shtml
                   |load/full-spectrum-warrior- |
                   |full-free-game              |
                 CC|                            |focht at gmx.net
            Summary|Full Spectrum Warrior       |Full Spectrum Warrior
                   |crashes on start            |crashes on start (SoftWrap
                   |                            |DRM scheme, Wine must not
                   |                            |send window object creation
                   |                            |event/call notify event
                   |                            |hook for fake D3D window)

--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming, still present.
Adjusting download link.
The game is protected by the SoftWrap DRM scheme.

--- snip ---
-=[ ProtectionID v0.6.5.5 OCTOBER]=-
(c) 2003-2013 CDKiLLER & TippeX
Build 31/10/13-21:09:09
Ready...
Scanning -> Z:\home\focht\.wine\drive_c\Program Files\THQ\Pandemic Studios\Full
Spectrum Warrior\Launcher.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 1445888 (0161000h)
Byte(s)
[File Heuristics] -> Flag : 00000000000000000100000000100011 (0x00004023)
[Entrypoint Section Entropy] : 7.63
[!] SoftWrap detected !
[!] Possible License Protection String -> License Activation
- Scan Took : 0.323 Second(s) [000000143h tick(s)] [533 scan(s) done]
--- snip ---

Some info: http://www.softwrap.com/page.aspx?page_id=109

It seems the company dissolved itself in 2013.

The recursion is basically the result of the way the DRM scheme hooks APIs and
the Wine-specific creation of the internal WineD3D fake window.
The game hooks a huge number of APIs, not limited to DirectX/DirectSound, but
also a lot of win32 core functionality.

The following graphics APIs are considered for hooking by the engine
(DFRTIEngine.dll):

* OpenGL
* DirectDraw
* DirectDraw7
* DirectX8
* DirectX9
* DirectX10
* GDI

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/THQ/Pandemic Studios/Full Spectrum
Warrior

$ WINEDEBUG=+tid,+seh,+relay,+d3d wine ./Launcher.exe >>log.txt 2>&1
...
0025:Call KERNEL32.CreateProcessA(00000000,0058f618 "\"C:\\Program
Files\\THQ\\Pandemic Studios\\Full Spectrum
Warrior\\Launcher.locked\"",00000000,00000000,00000000,00000004,00000000,00000000,0033d260,0033d820)
ret=004284d9
...
0028:Call KERNEL32.__wine_kernel_init() ret=7bc5a326
0025:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=004284d9 
...
0028:Call KERNEL32.LoadLibraryW(10040250 L"C:\\Program Files\\THQ\\Pandemic
Studios\\Full Spectrum Warrior\\DFRTIEngine.dll") ret=10001541 
...
0028:Call PE DLL (proc=0x70cc2d,module=0x630000
L"DFRTIEngine.dll",reason=PROCESS_ATTACH,res=(nil)) 
...
0028:Call
user32.SetWinEventHook(00000001,7fffffff,00630000,00633310,00000027,00000000,00000004)
ret=006333e0
0028:Ret  user32.SetWinEventHook() retval=0002006a ret=006333e0
...
0028:Call KERNEL32.GetModuleHandleA(0074ad90 "ddraw.dll") ret=0067cba8
0028:Ret  KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8
0028:Call KERNEL32.GetModuleHandleA(0074ad90 "ddraw.dll") ret=0067cba8
0028:Ret  KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8
0028:Call KERNEL32.GetModuleHandleA(0074b104 "d3d8.dll") ret=0067cba8
0028:Ret  KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8
0028:Call KERNEL32.GetModuleHandleA(0074b6c0 "d3d9.dll") ret=0067cba8
0028:Ret  KERNEL32.GetModuleHandleA() retval=7ed60000 ret=0067cba8
0028:Call KERNEL32.GetProcAddress(7ed60000,0074b7b4 "Direct3DCreate9")
ret=0066dc8a
0028:Ret  KERNEL32.GetProcAddress() retval=7ed6962c ret=0066dc8a
...
0028:Call d3d9.Direct3DCreate9(00000020) ret=0066dc92
0028:trace:d3d9:Direct3DCreate9 sdk_version 0x20.
...
0028:trace:d3d:wined3d_init Initializing adapters.
0028:trace:d3d:wined3d_adapter_init adapter 0x13dc38, ordinal 0. 
...
0028:Call user32.CreateWindowExA(00000000,7ed12203 "WineD3D_OpenGL",7ed121ef
"WineD3D fake
window",00cf0000,0000000a,0000000a,0000000a,0000000a,00000000,00000000,00000000,00000000)
ret=7ec47d1b 
...
0028:Call window proc 0x7ebff9e8
(hwnd=0x20064,msg=WM_CREATE,wp=00000000,lp=0033e710)
0028:Call user32.DefWindowProcA(00020064,00000001,00000000,0033e710)
ret=7e885f2a
0028:Ret  user32.DefWindowProcA() retval=00000000 ret=7e885f2a
0028:Ret  window proc 0x7ebff9e8
(hwnd=0x20064,msg=WM_CREATE,wp=00000000,lp=0033e710) retval=00000000
0028:Call winex11.drv.CreateWindow(00020064) ret=7e877875
0028:Ret  winex11.drv.CreateWindow() retval=00000001 ret=7e877875
0028:Call winevent hook proc 0x633310
(hhook=0x2006a,event=8000,hwnd=0x20064,object_id=0,child_id=0,tid=0028,time=b2fe56)

<recursion here>

0028:Call KERNEL32.GetModuleHandleA(0074ad90 "ddraw.dll") ret=0067cba8
0028:Ret  KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8
0028:Call KERNEL32.GetModuleHandleA(0074ad90 "ddraw.dll") ret=0067cba8
0028:Ret  KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8
0028:Call KERNEL32.GetModuleHandleA(0074b104 "d3d8.dll") ret=0067cba8
0028:Ret  KERNEL32.GetModuleHandleA() retval=00000000 ret=0067cba8
0028:Call KERNEL32.GetModuleHandleA(0074b6c0 "d3d9.dll") ret=0067cba8
0028:Ret  KERNEL32.GetModuleHandleA() retval=7ed60000 ret=0067cba8
0028:Call KERNEL32.GetProcAddress(7ed60000,0074b7b4 "Direct3DCreate9")
ret=0066dc8a
0028:Ret  KERNEL32.GetProcAddress() retval=7ed6962c ret=0066dc8a
0028:Call d3d9.Direct3DCreate9(00000020) ret=0066dc92 
...
--- snip ---

The game installs an event handler via SetWinEventHook() before doing any
serious stuff.
The handler is used to create further API hooks (via patching of API entries).

Wine creates a window object (fake D3D window, Wine-specific) during creation
of the IDirect3D9 object, which triggers the event hook.

Source:
http://source.winehq.org/git/wine.git/blob/6bf64f0ac278b826b526504d69f384dfce598bc8:/dlls/user32/win.c#l1620

--- snip ---
1304 HWND WIN_CreateWindowEx( CREATESTRUCTW *cs, LPCWSTR className, HINSTANCE
module, BOOL unicode )
1305 {
...
1620     /* call the driver */
1621
1622     if (!USER_Driver->pCreateWindow( hwnd )) goto failed;
1623
1624     NotifyWinEvent(EVENT_OBJECT_CREATE, hwnd, OBJID_WINDOW, 0);
1625
1626     /* send the size messages */
...
--- snip ---

This is something the hook code doesn't anticipate/handle well.

I disabled the propagation of window object creation during fake D3D window
creation and it allowed the game to successfully hook D3D9.

Trace log with fix applied:

--- snip ---
...
0028:Call KERNEL32.GetProcAddress(7ed60000,0074b7b4 "Direct3DCreate9")
ret=0066dc8a
0028:Ret  KERNEL32.GetProcAddress() retval=7ed6962c ret=0066dc8a
0028:Call d3d9.Direct3DCreate9(00000020) ret=0066dc92
...
0028:Call wined3d.wined3d_create(00000009,00000004) ret=7ed7a717
...
0028:trace:d3d:wined3d_init Initializing adapters.
0028:trace:d3d:wined3d_adapter_init adapter 0x13dc48, ordinal 0.
...
0028:trace:d3d:wined3d_adapter_init Allocated LUID 00000000:000003f4 for
adapter 0x13dc48.
0028:trace:d3d:wined3d_caps_gl_ctx_create getting context...
...
0028:Call user32.CreateWindowExA(00000000,7ed12203 "WineD3D_OpenGL",7ed121ef
"WineD3D fake
window",00cf0000,0000000a,0000000a,0000000a,0000000a,00000000,00000000,00000000,00000000)
ret=7ec47d1b
..
0028:Ret  window proc 0x7ebff9e8
(hwnd=0x20064,msg=WM_CREATE,wp=00000000,lp=0033e600) retval=00000000
0028:Call winex11.drv.CreateWindow(00020064) ret=7e87787b
0028:Ret  winex11.drv.CreateWindow() retval=00000001 ret=7e87787b
0028:Ret  user32.CreateWindowExA() retval=00020064 ret=7ec47d1b
...
0028:Call gdi32.ChoosePixelFormat(000f002b,0033e6fc) ret=7ec47e41
0028:Call opengl32.wglChoosePixelFormat(000f002b,0033e6fc) ret=7ea35d4a 
...
0028:Ret  opengl32.wglChoosePixelFormat() retval=00000001 ret=7ea35d4a
...
0028:Call opengl32.wglCreateContext(000f002b) ret=7ec47ef1
...
0028:Ret  opengl32.wglCreateContext() retval=00010000 ret=7ec47ef1
0028:Call opengl32.wglMakeCurrent(000f002b,00010000) ret=00655da2
0028:Ret  opengl32.wglMakeCurrent() retval=00000001 ret=00655da2
0028:Call KERNEL32.VirtualProtect(7eaf11cc,00000008,00000040,0033e678)
ret=0069e4f7
0028:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=0069e4f7
0028:Call KERNEL32.IsBadWritePtr(7eaf11cc,00000005) ret=0069e507
0028:Ret  KERNEL32.IsBadWritePtr() retval=00000000 ret=0069e507
0028:Call KERNEL32.VirtualProtect(7eaf11cc,00000008,00000020,0033e67c)
ret=0069e52b
0028:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=0069e52b
0028:Call KERNEL32.FlushInstructionCache(ffffffff,7eaf11cc,00000005)
ret=0069e541
0028:Ret  KERNEL32.FlushInstructionCache() retval=00000001 ret=0069e541
...
--- snip ---

The game runs fine, albeit slow on my machine.

$ sha1sum thq_fsw_free.zip
780c485bb5097434c38d3d632d775ecd9b5d599a  thq_fsw_free.zip

$ du -sh thq_fsw_free.zip 
1.7G    thq_fsw_free.zip

$ wine --version
wine-1.7.11-115-gdb8dc30

Regards

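The recursion in the first trace can be found mechanically. The following is an added example, not part of the original bug comment or of Wine: it scans a `+tid,+relay` log for a winevent hook proc that is entered again on the same thread before it has returned, and records the window whose creation triggered it. The sample log is constructed from the trace format above, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the WINEDEBUG=+tid,+relay format of the trace above:
# wrapped lines joined, args abridged, second hwnd and the Ret lines made up.
SAMPLE = """\
0028:Call d3d9.Direct3DCreate9(00000020) ret=0066dc92
0028:Call user32.CreateWindowExA(00000000,7ed12203 "WineD3D_OpenGL",7ed121ef "WineD3D fake window",00cf0000) ret=7ec47d1b
0028:Call winevent hook proc 0x633310 (hhook=0x2006a,event=8000,hwnd=0x20064,object_id=0,child_id=0,tid=0028,time=b2fe56)
0028:Call d3d9.Direct3DCreate9(00000020) ret=0066dc92
0028:Call user32.CreateWindowExA(00000000,7ed12203 "WineD3D_OpenGL",7ed121ef "WineD3D fake window",00cf0000) ret=7ec47d1b
0028:Call winevent hook proc 0x633310 (hhook=0x2006a,event=8000,hwnd=0x20066,object_id=0,child_id=0,tid=0028,time=b2fe57)
0028:Ret  winevent hook proc 0x633310 (hhook=0x2006a,event=8000,hwnd=0x20066,object_id=0,child_id=0,tid=0028,time=b2fe57)
0028:Ret  winevent hook proc 0x633310 (hhook=0x2006a,event=8000,hwnd=0x20064,object_id=0,child_id=0,tid=0028,time=b2fe56)
"""

HOOK = re.compile(r'^([0-9a-f]{4}):(Call|Ret)\s+winevent hook proc (0x[0-9a-f]+) '
                  r'\(hhook=[^,]+,event=([0-9a-f]+),hwnd=([^,]+)')
WINDOW = re.compile(r'^([0-9a-f]{4}):Call user32\.CreateWindowEx[AW]'
                    r'\(\w+,\w+ L?"([^"]*)",\w+ L?"([^"]*)"')

def find_reentrant_hooks(log):
    """Report each winevent hook proc entered again on a thread before it returned."""
    active = defaultdict(list)  # tid -> hook procs currently executing
    last_window = {}            # tid -> (class, title) of latest CreateWindowEx
    findings = []
    for line in log.splitlines():
        if m := WINDOW.match(line):
            last_window[m.group(1)] = (m.group(2), m.group(3))
        elif m := HOOK.match(line):
            tid, kind, proc, event, hwnd = m.groups()
            stack = active[tid]
            if kind == "Ret":
                if proc in stack:  # unwind to the matching entry
                    while stack.pop() != proc:
                        pass
                continue
            if proc in stack:  # same handler already running on this thread
                findings.append({"tid": tid, "proc": proc, "hwnd": hwnd,
                                 "event": int(event, 16), "depth": len(stack) + 1,
                                 "window": last_window.get(tid)})
            stack.append(proc)
    return findings

if __name__ == "__main__":
    for f in find_reentrant_hooks(SAMPLE):
        print("re-entrant winevent hook:", f)
```

A real relay log needs its e-mail-wrapped lines joined first, since the patterns match one call per line.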