[Bug 36736] New: Tucows Download Manager 2014 crashes on startup (decryption scheme relies on 'kernel32.dll.SetFilePointer' hotpatch signature)
wine-bugs at winehq.org
Sun Jun 15 07:04:28 CDT 2014
https://bugs.winehq.org/show_bug.cgi?id=36736
Bug ID: 36736
Summary: Tucows Download Manager 2014 crashes on startup (decryption scheme relies on 'kernel32.dll.SetFilePointer' hotpatch signature)
Product: Wine
Version: 1.7.20
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: kernel32
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Hello folks,
example download:
http://www.tucows.com/preview/609375/Intuit-QuickBooks-Simple-Start-Edition-2009?q=QuickBooks+2009
The download manager/installer uncompresses a secondary installer from
bootstrapper.
Before that the app decrypts parts of itself and this is done incorrectly,
leading to strange results/code paths later.
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./Setup_QuickBooks_SimpleStart_Intel_2009.exe >>log.txt 2>&1
...
0023:Starting process
L"Z:\\home\\focht\\Downloads\\Setup_QuickBooks_SimpleStart_Intel_2009.exe"
(entryproc=0x409c40)
0023:Call KERNEL32.GetModuleHandleA(00000000) ret=004030e8
0023:Ret KERNEL32.GetModuleHandleA() retval=00400000 ret=004030e8
0023:Call KERNEL32.GetCommandLineA() ret=004030f3
0023:Ret KERNEL32.GetCommandLineA() retval=00134078 ret=004030f3
...
0023:Call KERNEL32.CreateFileA(004203cc
"Z:\\home\\focht\\Downloads\\Setup_QuickBooks_SimpleStart_Intel_2009.exe",80000000,00000001,00000000,00000003,00000080,00000000)
ret=004075bd
0023:Ret KERNEL32.CreateFileA() retval=00000050 ret=004075bd
0023:Call KERNEL32.FindResourceA(00000000,00002b67,0000000a) ret=00409bfb
0023:Ret KERNEL32.FindResourceA() retval=004112c8 ret=00409bfb
0023:Call KERNEL32.SizeofResource(00000000,004112c8) ret=00409c0e
0023:Ret KERNEL32.SizeofResource() retval=0000002c ret=00409c0e
0023:Call KERNEL32.LoadResource(00000000,004112c8) ret=00409c20
0023:Ret KERNEL32.LoadResource() retval=00419a88 ret=00409c20
0023:Call KERNEL32.LockResource(00419a88) ret=00409c31
0023:Ret KERNEL32.LockResource() retval=00419a88 ret=00409c31
...
0023:Call KERNEL32.CreateFileA(00437a5c
"C:\\users\\focht\\Temp\\is-RJFDD.tmp\\Setup_QuickBooks_SimpleStart_Intel_2009.tmp",40000000,00000000,00000000,00000002,00000080,00000000)
ret=004075bd
0023:Ret KERNEL32.CreateFileA() retval=00000054 ret=004075bd
...
0023:Call KERNEL32.SetFilePointer(00000050,00000000,0033fd78,00000001)
ret=004075e0
0023:Ret KERNEL32.SetFilePointer() retval=000b9b03 ret=004075e0
0023:Call KERNEL32.SetFilePointer(00000050,000b9b03,0033fd60,00000000)
ret=00407690
0023:Ret KERNEL32.SetFilePointer() retval=000b9b03 ret=00407690
0023:Call KERNEL32.SetFilePointer(00000054,00002a72,0033fd7c,00000000)
ret=00407690
0023:Ret KERNEL32.SetFilePointer() retval=00002a72 ret=00407690
0023:Call KERNEL32.SetEndOfFile(00000054) ret=004076b8
0023:Ret KERNEL32.SetEndOfFile() retval=00000001 ret=004076b8
0023:Call KERNEL32.SetFilePointer(00000054,00000000,0033fd7c,00000000)
ret=00407690
0023:Ret KERNEL32.SetFilePointer() retval=00000000 ret=00407690
0023:Call KERNEL32.WriteFile(00000054,00420424,00002a72,0033fd88,00000000)
ret=004076e4
0023:Ret KERNEL32.WriteFile() retval=00000001 ret=004076e4
0023:Call KERNEL32.CloseHandle(00000054) ret=0040755d
0023:Ret KERNEL32.CloseHandle() retval=00000001 ret=0040755d
0023:Call KERNEL32.CloseHandle(00000050) ret=0040755d
0023:Ret KERNEL32.CloseHandle() retval=00000001 ret=0040755d
0023:Call user32.CreateWindowExA(00000000,0040a334 "STATIC",0040a320
"InnoSetupLdrWindow",00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000)
ret=0040a136
...
0023:Call KERNEL32.CreateProcessA(00000000,00420488
"\"C:\\users\\focht\\Temp\\is-RJFDD.tmp\\Setup_QuickBooks_SimpleStart_Intel_2009.tmp\"
/SL5=\"$10066,747501,80384,Z:\\home\\focht\\Downloads\\Setup_QuickBooks_SimpleStart_Intel_2009.exe\"
",00000000,00000000,00000000,00000000,00000000,00000000,0033fd64,0033fd54)
ret=00409a19
0023:Ret KERNEL32.CreateProcessA() retval=00000000 ret=00409a19
0023:Call KERNEL32.GetLastError() ret=00409671
0023:Ret KERNEL32.GetLastError() retval=00000005 ret=00409671
0023:Call
KERNEL32.FormatMessageA(00003200,00000000,00000005,00000000,0033f8f8,00000400,00000000)
ret=004072a8
0023:Ret KERNEL32.FormatMessageA() retval=00000010 ret=004072a8
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x402eb4 ip=00402eb4
tid=0023
0023:trace:seh:raise_exception info[0]=00000000
0023:trace:seh:raise_exception info[1]=0000fd38
0023:trace:seh:raise_exception eax=00420654 ebx=00000069 ecx=00000002
edx=00000000 esi=00000005 edi=0040b240
0023:trace:seh:raise_exception ebp=0033fd34 esp=0033fd00 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010212
0023:trace:seh:call_stack_handlers calling handler at 0x4096eb code=c0000005
flags=0
...
0023:trace:seh:call_stack_handlers handler at 0x7bc825c1 returned 2
0023:trace:seh:call_stack_handlers calling handler at 0x4096eb code=c00000fd
flags=10
0023:err:seh:setup_exception_record stack overflow 992 bytes in thread 0023 eip
f73e796b esp 00240f50 stack 0x240000-0x241000-0x340000
--- snip ---
What is not seen (debugging): the app uses the entry point signature of
'kernel32.dll.SetFilePointer' as seed for further decryption.
--- snip ---
...
0040400C 8B73 01 MOV ESI,DWORD PTR DS:[EBX+1] ; SetFilePointer
0040400F 89F7 MOV EDI,ESI ;
00404011 4F DEC EDI
00404012 8B57 01 MOV EDX,DWORD PTR DS:[EDI+1] ; *(DWORD*)entry
00404015 BB 6319F033 MOV EBX,33F01963
0040401A 31DA XOR EDX,EBX
0040401C 89D3 MOV EBX,EDX
0040401E 53 PUSH EBX
0040401F 5E POP ESI
00404020 89F0 MOV EAX,ESI
00404022 BA A6AA2938 MOV EDX,3829AAA6
00404027 81F2 A2AA2938 XOR EDX,3829AAA2
0040402D 29D4 SUB ESP,EDX
0040402F 890424 MOV DWORD PTR SS:[ESP],EAX
00404032 68 22778D73 PUSH 738D7722
00404037 B9 E9E37802 MOV ECX,278E3E9
0040403C 58 POP EAX
0040403D 31C1 XOR ECX,EAX
0040403F BF 7325BB99 MOV EDI,99BB2573
00404044 31F9 XOR ECX,EDI
00404046 81F1 5057EB50 XOR ECX,50EB5750
0040404C 31CE XOR ESI,ECX
--- snip ---
Wine's 'kernel32.dll.SetFilePointer' entry signature:
--- snip ---
7B83EE7E 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
7B83EE82 83E4 F0 AND ESP,FFFFFFF0
7B83EE85 FF71 FC PUSH DWORD PTR DS:[ECX-4]
7B83EE88 55 PUSH EBP
7B83EE89 89E5 MOV EBP,ESP
7B83EE8B 56 PUSH ESI
7B83EE8C 53 PUSH EBX
7B83EE8D 51 PUSH ECX
7B83EE8E 83EC 4C SUB ESP,4C
7B83EE91 E8 FA07FEFF CALL KERNEL32.__x86.get_pc_thunk.bx
7B83EE96 81C3 6AC10700 ADD EBX,7C16A
--- snip ---
The app expects a hotpatch-type entry, which gives the proper seed.
With 'DECLSPEC_HOTPATCH':
--- snip ---
7B83EE8E 8BFF MOV EDI,EDI
7B83EE90 55 PUSH EBP
7B83EE91 8BEC MOV EBP,ESP
7B83EE93 5D POP EBP
7B83EE94 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
7B83EE98 83E4 F0 AND ESP,FFFFFFF0
7B83EE9B FF71 FC PUSH DWORD PTR DS:[ECX-4]
7B83EE9E 55 PUSH EBP
7B83EE9F 89E5 MOV EBP,ESP
...
--- snip ---
With that part fixed, the installer runs into the next (known) mshtml/ieframe bug.
A DRM/protection scan on the installer doesn't show suspicious schemes (it might
be custom).
--- snip ---
-=[ ProtectionID v0.6.5.5 OCTOBER]=-
(c) 2003-2013 CDKiLLER & TippeX
Build 31/10/13-21:09:09
Ready...
Scanning -> Z:\home\focht\Downloads\Setup_QuickBooks_SimpleStart_Intel_2009.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 768984 (0BBBD8h)
Byte(s)
-> File Appears to be Digitally Signed @ Offset 0B9B08h, size : 020D0h / 08400
byte(s)
-> File has 680200 (0A6108h) bytes of appended data starting at offset 013A00h
[File Heuristics] -> Flag : 00000000000001001100000000100100 (0x0004C024)
[Entrypoint Section Entropy] : 6.66
[-= Installer =-] Inno Setup v5.5.0 Module
- Scan Took : 0.261 Second(s) [000000105h tick(s)] [533 scan(s) done]
--- snip ---
$ du -sh Setup_QuickBooks_SimpleStart_Intel_2009.exe
752K Setup_QuickBooks_SimpleStart_Intel_2009.exe
$ sha1sum Setup_QuickBooks_SimpleStart_Intel_2009.exe
d2f213e1d05845897c9dae891a73d6be62283206
Setup_QuickBooks_SimpleStart_Intel_2009.exe
$ wine --version
wine-1.7.20
Regards
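Added example (not part of the bug report, and not Wine or Tucows code): the seed derivation from the listing at 0040400C..0040404C, replayed in C against the prologue bytes quoted in the report instead of a live kernel32.dll. 'MOV EDX,[EDI+1]' with EDI = entry-1 reads the first DWORD at SetFilePointer's entry point; XORing it with 33F01963 gives the seed that is then pushed on the stack. Folding the constant chain at 00404032..00404046 by hand gives ECX = B8A5E6E8, which is exactly the seed obtained from the Microsoft-style hotpatch prologue '8B FF 55 8B' (mov edi,edi; push ebp; mov ebp,esp), so the final 'XOR ESI,ECX' leaves ESI = 0 on a hotpatch entry and a nonzero value on Wine's plain 'LEA ECX,[ESP+4]' entry. What the app does with ESI after 0040404C is not shown in the report; the byte arrays below are copied from the two listings above and the 5-byte signature check is a generic hotpatch-prologue test, not something the app is shown doing.

```c
/* Added example: replays the seed computation from the disassembly in the
 * bug report on embedded prologue bytes. Not code from the report or Wine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First bytes of SetFilePointer's entry, copied from the two listings. */
static const uint8_t WINE_PLAIN_PROLOGUE[] = {
    0x8D, 0x4C, 0x24, 0x04, 0x83, 0xE4, 0xF0        /* lea ecx,[esp+4]; and esp,-16 */
};
static const uint8_t HOTPATCH_PROLOGUE[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x5D              /* mov edi,edi; push ebp; mov ebp,esp; pop ebp */
};

/* The DWORD the app reads via MOV EDX,[EDI+1] with EDI = entry-1 (little-endian). */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 0040400C..0040401C: seed = *(DWORD *)entry ^ 33F01963 (this value is then
 * stored at [ESP] after the obfuscated SUB ESP,4 at 00404022..0040402F). */
uint32_t seed_from_prologue(const uint8_t *entry)
{
    return read_le32(entry) ^ 0x33F01963u;
}

/* 00404032..00404046: the constant ECX is assembled from, step by step. */
uint32_t folded_constant(void)
{
    uint32_t ecx = 0x0278E3E9u;   /* MOV ECX,278E3E9 */
    ecx ^= 0x738D7722u;           /* PUSH 738D7722 / POP EAX / XOR ECX,EAX */
    ecx ^= 0x99BB2573u;           /* MOV EDI,99BB2573 / XOR ECX,EDI */
    ecx ^= 0x50EB5750u;           /* XOR ECX,50EB5750 */
    return ecx;
}

/* 0040404C: XOR ESI,ECX. Zero iff the entry DWORD is 8B FF 55 8B. */
uint32_t check_value(const uint8_t *entry)
{
    return seed_from_prologue(entry) ^ folded_constant();
}

/* Generic test for the 5-byte Microsoft hotpatch prologue
 * (mov edi,edi; push ebp; mov ebp,esp), which DECLSPEC_HOTPATCH emits. */
int is_hotpatch_prologue(const uint8_t *entry)
{
    static const uint8_t sig[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    return memcmp(entry, sig, sizeof sig) == 0;
}

int main(void)
{
    printf("folded constant ECX      = %08X\n", folded_constant());
    printf("wine plain prologue: seed=%08X check=%08X hotpatch=%d\n",
           seed_from_prologue(WINE_PLAIN_PROLOGUE), check_value(WINE_PLAIN_PROLOGUE),
           is_hotpatch_prologue(WINE_PLAIN_PROLOGUE));
    printf("hotpatch prologue:   seed=%08X check=%08X hotpatch=%d\n",
           seed_from_prologue(HOTPATCH_PROLOGUE), check_value(HOTPATCH_PROLOGUE),
           is_hotpatch_prologue(HOTPATCH_PROLOGUE));
    return 0;
}
```

On a real Windows or Wine process the same functions can be pointed at the address returned by GetProcAddress for "SetFilePointer" instead of the embedded arrays; the embedded bytes only exist so the computation can be checked offline against the listings in the report.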