[Bug 28123] Mu Argentina (MMORPG) protection driver crashes on startup (Oreans x32 kernel driver expects Windows page directory self-map and page tables present)

wine-bugs at winehq.org
Sun Jul 27 11:31:01 CDT 2014


http://bugs.winehq.org/show_bug.cgi?id=28123

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, obfuscation
             Status|UNCONFIRMED                 |RESOLVED
                URL|http://www.fileserve.com/fi |http://inferno.muargentina.
                   |le/pZXsQKS                  |com/index.php?page_id=downl
                   |                            |oads
                 CC|                            |focht at gmx.net
         Resolution|---                         |WONTFIX
            Summary|Mu Argentina. Muguard       |Mu Argentina (MMORPG)
                   |crashes when it start       |protection driver crashes
                   |                            |on startup (Oreans x32
                   |                            |kernel driver expects
                   |                            |Windows page directory
                   |                            |self-map and page tables
                   |                            |present)

--- Comment #7 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

It seems whatever "MuGuard" was, is now some Oreans garbage (creator of
infamous 'Themida/WinLicense' protection).

--- snip ---
000f:Call KERNEL32.CreateProcessW(00000000,001196c8
L"C:\\windows\\system32\\winedevice.exe
oreans32",00000000,00000000,00000000,00000400,00540000,00000000,0033fc48,0033fc8c)
ret=7edb5d3f 
...
001f:Call KERNEL32.LoadLibraryW(0011aea0
L"C:\\windows\\system32\\drivers\\oreans32.sys") ret=7edfb9b9 
...
001f:Ret  PE DLL (proc=0xf7592068,module=0xf7580000
L"hal.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
001f:Ret  KERNEL32.LoadLibraryW() retval=00540000 ret=7edfb9b9
...
001f:Call driver init 0x547c4b
(obj=0x7edff4c0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\oreans32")
DbgPrint says: Oreans x32 driver loaded in memory (v1.52)
...
001f:Call ntdll.RtlInitUnicodeString(0053e640,00547de0 L"\\Device\\oreans32")
ret=00547cd6
001f:Ret  ntdll.RtlInitUnicodeString() retval=0053e640 ret=00547cd6
001f:Call
ntoskrnl.exe.IoCreateDevice(7edff4c0,00000000,0053e640,00000015,00000000,00000000,00547eb8)
ret=00547cef
001f:Call ntdll.RtlAllocateHeap(00110000,00000008,000000b8) ret=7ed2e138
001f:Ret  ntdll.RtlAllocateHeap() retval=0011aea0 ret=7ed2e138
001f:Ret  ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=00547cef
001f:Call ntdll.RtlInitUnicodeString(0053e638,00547e02
L"\\DosDevices\\oreans32") ret=00547d10
001f:Ret  ntdll.RtlInitUnicodeString() retval=0053e638 ret=00547d10
001f:Call ntoskrnl.exe.IoCreateSymbolicLink(0053e638,0053e640) ret=00547d1d
001f:Call ntdll.NtCreateSymbolicLinkObject(0053e5b4,000f0001,0053e59c,0053e640)
ret=7ed2e4e6
001f:Ret  ntdll.NtCreateSymbolicLinkObject() retval=00000000 ret=7ed2e4e6
001f:Ret  ntoskrnl.exe.IoCreateSymbolicLink() retval=00000000 ret=00547d1d
001f:Ret  driver init 0x547c4b
(obj=0x7edff4c0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\oreans32")
retval=00000000
...
001f:Call ntoskrnl.exe.wine_ntoskrnl_main_loop(00000038) ret=7edfc909
001f:Call ntdll.RtlAllocateHeap(00110000,00000000,00001000) ret=7ed2cf69
001f:Ret  ntdll.RtlAllocateHeap() retval=0011b4d8 ret=7ed2cf69
001f:Call KERNEL32.WaitForMultipleObjects(00000002,0053e894,00000000,ffffffff)
ret=7ed2d227
...
0021:Call KERNEL32.__wine_kernel_init() ret=7bc59dbc
000f:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=7edb5d3f
...
001f:Call driver dispatch 0x540280 (device=0x11aea0,irp=0x53e760)
001f:Call ntoskrnl.exe.MmIsAddressValid(7ed20000) ret=00546de6
001f:Call KERNEL32.IsBadWritePtr(7ed20000,00000001) ret=7ed306e4
001f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7b882f64
ip=7b882f64 tid=001f
001f:trace:seh:raise_exception  info[0]=00000001
001f:trace:seh:raise_exception  info[1]=7ed20000
001f:trace:seh:raise_exception  eax=7ed20000 ebx=7b8be000 ecx=6c5ac569
edx=00000000 esi=0053e628 edi=0053e5f8
001f:trace:seh:raise_exception  ebp=0053e5e8 esp=0053e4f0 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010216
001f:trace:seh:call_vectored_handlers calling handler at 0x7ed2c637
code=c0000005 flags=0
001f:trace:seh:call_vectored_handlers handler at 0x7ed2c637 returned 0
001f:trace:seh:call_stack_handlers calling handler at 0x7b88a093 code=c0000005
flags=0
001f:trace:seh:__regs_RtlUnwind code=c0000005 flags=2
001f:trace:seh:__regs_RtlUnwind calling handler at 0x7bc81679 code=c0000005
flags=2
001f:trace:seh:__regs_RtlUnwind handler at 0x7bc81679 returned 1
001f:trace:seh:IsBadWritePtr 0x7ed20000 caused page fault during write
001f:Ret  KERNEL32.IsBadWritePtr() retval=00000001 ret=7ed306e4
001f:Ret  ntoskrnl.exe.MmIsAddressValid() retval=00000000 ret=00546de6
...
001f:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5414a0 ip=005414a0
tid=001f
001f:trace:seh:raise_exception  eax=0011c4e0 ebx=e137e760 ecx=00000000
edx=0053ef8c esi=00548035 edi=0053e760
001f:trace:seh:raise_exception  ebp=0053e6e8 esp=0053e6bc cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010283
001f:trace:seh:call_vectored_handlers calling handler at 0x7ed2c637
code=c0000096 flags=0
001f:trace:seh:call_vectored_handlers handler at 0x7ed2c637 returned ffffffff
001f:Call ntoskrnl.exe.MmAllocateNonCachedMemory(00002000) ret=00541506
001f:Call KERNEL32.VirtualAlloc(00000000,00002000,00003000,00000204)
ret=7ed3038c
001f:Ret  KERNEL32.VirtualAlloc() retval=00550000 ret=7ed3038c
001f:Ret  ntoskrnl.exe.MmAllocateNonCachedMemory() retval=00550000 ret=00541506
001f:Call ntdll.RtlZeroMemory(00550000,00002000) ret=0054152a
001f:Ret  ntdll.RtlZeroMemory() retval=00550000 ret=0054152a
001f:Call ntoskrnl.exe.MmAllocateNonCachedMemory(000007d0) ret=0054163b
001f:Call KERNEL32.VirtualAlloc(00000000,000007d0,00003000,00000204)
ret=7ed3038c
001f:Ret  KERNEL32.VirtualAlloc() retval=00560000 ret=7ed3038c
001f:Ret  ntoskrnl.exe.MmAllocateNonCachedMemory() retval=00560000 ret=0054163b
001f:Call ntdll.RtlZeroMemory(00560000,000007d0) ret=0054175f
001f:Ret  ntdll.RtlZeroMemory() retval=00560000 ret=0054175f
001f:Call ntoskrnl.exe.MmAllocateNonCachedMemory(00001000) ret=00541870
001f:Call KERNEL32.VirtualAlloc(00000000,00001000,00003000,00000204)
ret=7ed3038c
001f:Ret  KERNEL32.VirtualAlloc() retval=00570000 ret=7ed3038c
001f:Ret  ntoskrnl.exe.MmAllocateNonCachedMemory() retval=00570000 ret=00541870
001f:Call ntdll.RtlZeroMemory(00570000,00001000) ret=00541990
001f:Ret  ntdll.RtlZeroMemory() retval=00570000 ret=00541990
001f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x5462d7 ip=005462d7
tid=001f
001f:trace:seh:raise_exception  info[0]=00000000
001f:trace:seh:raise_exception  info[1]=c0300004
001f:trace:seh:raise_exception  eax=00000004 ebx=52b97b3b ecx=00570000
edx=00571000 esi=00570000 edi=c0300000
001f:trace:seh:raise_exception  ebp=0053e6cc esp=0053e6ac cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010287
001f:trace:seh:call_vectored_handlers calling handler at 0x7ed2c637
code=c0000005 flags=0
001f:trace:seh:call_vectored_handlers handler at 0x7ed2c637 returned 0
001f:trace:seh:call_stack_handlers calling handler at 0x7bc9dbe3 code=c0000005
flags=0
001f:Call KERNEL32.UnhandledExceptionFilter(0053e174) ret=7bc9dc1d
001f:trace:seh:start_debugger Starting debugger "winedbg --auto 25 84"
001f:Ret  KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc9dc1d
001f:trace:seh:call_stack_handlers handler at 0x7bc9dbe3 returned 1 
--- snip ---

Tidbit: the kernel driver is heavily obfuscated (though not a problem here)

The last (unhandled) exception results from the driver trying to access
self-mapping PDE/PTE from "kernel" space.

GetPdeAddress(va) -> 0xc0300000[va>>20] ; see EDI in exception context
GetPteAddress(va) -> 0xc0000000[va>>10]

It expects many things from the Windows kernel to be present that Wine can't
support by design - at least not without major re-architecting towards
emulation of "kernel space" along with many system (kernel) data structures.

Try VirtualBox or ReactOS if you really need to run this stuff.

$ sha1sum Instalador\ Muargentina\ eX702.exe 
847948f9f6e5411757407bdbd8dc5fcef97fca95  Instalador Muargentina eX702.exe

$ du -sh Instalador\ Muargentina\ eX702.exe 
708M    Instalador Muargentina eX702.exe

$ wine --version
wine-1.7.23

Regards
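
Added example (not part of the original comment or of Wine): the self-map lookup described above, with the entry index written out explicitly, applied to the faulting address c0300004 from the trace. It assumes the non-PAE 32-bit x86 layout; the function names are hypothetical, and reading the ecx/esi value 00570000 as the address being looked up is an inference from the register dump.

```c
#include <stdint.h>
#include <stdio.h>

/* Non-PAE 32-bit x86 Windows layout (assumption): all page tables are
   visible at PTE_BASE, and the self-map entry makes the page directory
   itself visible at PDE_BASE. */
#define PTE_BASE 0xC0000000u
#define PDE_BASE 0xC0300000u

/* Virtual address of the PDE covering va: one 4-byte entry per 4 MiB. */
static uint32_t pde_address(uint32_t va) { return PDE_BASE + ((va >> 22) << 2); }

/* Virtual address of the PTE covering va: one 4-byte entry per 4 KiB. */
static uint32_t pte_address(uint32_t va) { return PTE_BASE + ((va >> 12) << 2); }

/* Inverse lookup: if fault lies inside the 4 KiB page-directory window,
   report the 4 MiB virtual range whose PDE was being read. Returns 1 on
   success, 0 if the address is not a PDE address. */
static int pde_fault_to_region(uint32_t fault, uint32_t *lo, uint32_t *hi)
{
    if (fault < PDE_BASE || fault >= PDE_BASE + 0x1000u)
        return 0;
    uint32_t index = (fault - PDE_BASE) >> 2;
    *lo = index << 22;
    *hi = *lo + 0x3FFFFFu;
    return 1;
}

int main(void)
{
    uint32_t fault = 0xC0300004u; /* info[1] of the unhandled c0000005 */
    uint32_t buf   = 0x00570000u; /* ecx/esi: last MmAllocateNonCachedMemory result */
    uint32_t lo, hi;

    if (pde_fault_to_region(fault, &lo, &hi))
        printf("fault %08x is the PDE for %08x-%08x\n",
               (unsigned)fault, (unsigned)lo, (unsigned)hi);
    printf("PDE(%08x) = %08x, PTE(%08x) = %08x\n",
           (unsigned)buf, (unsigned)pde_address(buf),
           (unsigned)buf, (unsigned)pte_address(buf));
    /* The self-map property: the PTE that maps PTE_BASE lives at PDE_BASE. */
    printf("PTE(PTE_BASE) = %08x\n", (unsigned)pte_address(PTE_BASE));
    return 0;
}
```

Under Wine the driver runs in an ordinary user-mode process, so nothing is mapped at these addresses and the read faults.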
