[Bug 36736] New: Tucows Download Manager 2014 crashes on startup (decryption scheme relies on 'kernel32.dll.SetFilePointer' hotpatch signature)

wine-bugs at winehq.org
Sun Jun 15 07:04:28 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=36736

            Bug ID: 36736
           Summary: Tucows Download Manager 2014 crashes on startup
                    (decryption scheme relies on
                    'kernel32.dll.SetFilePointer' hotpatch signature)
           Product: Wine
           Version: 1.7.20
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: kernel32
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net

Hello folks,

example download:
http://www.tucows.com/preview/609375/Intuit-QuickBooks-Simple-Start-Edition-2009?q=QuickBooks+2009

The download manager/installer uncompresses a secondary installer from the
bootstrapper.

Before that the app decrypts parts of itself and this is done incorrectly,
leading to strange results/code paths later.

--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./Setup_QuickBooks_SimpleStart_Intel_2009.exe >>log.txt 2>&1
...
0023:Starting process L"Z:\\home\\focht\\Downloads\\Setup_QuickBooks_SimpleStart_Intel_2009.exe" (entryproc=0x409c40)
0023:Call KERNEL32.GetModuleHandleA(00000000) ret=004030e8
0023:Ret  KERNEL32.GetModuleHandleA() retval=00400000 ret=004030e8
0023:Call KERNEL32.GetCommandLineA() ret=004030f3
0023:Ret  KERNEL32.GetCommandLineA() retval=00134078 ret=004030f3 
...
0023:Call KERNEL32.CreateFileA(004203cc "Z:\\home\\focht\\Downloads\\Setup_QuickBooks_SimpleStart_Intel_2009.exe",80000000,00000001,00000000,00000003,00000080,00000000) ret=004075bd
0023:Ret  KERNEL32.CreateFileA() retval=00000050 ret=004075bd
0023:Call KERNEL32.FindResourceA(00000000,00002b67,0000000a) ret=00409bfb
0023:Ret  KERNEL32.FindResourceA() retval=004112c8 ret=00409bfb
0023:Call KERNEL32.SizeofResource(00000000,004112c8) ret=00409c0e
0023:Ret  KERNEL32.SizeofResource() retval=0000002c ret=00409c0e
0023:Call KERNEL32.LoadResource(00000000,004112c8) ret=00409c20
0023:Ret  KERNEL32.LoadResource() retval=00419a88 ret=00409c20
0023:Call KERNEL32.LockResource(00419a88) ret=00409c31
0023:Ret  KERNEL32.LockResource() retval=00419a88 ret=00409c31
...
0023:Call KERNEL32.CreateFileA(00437a5c "C:\\users\\focht\\Temp\\is-RJFDD.tmp\\Setup_QuickBooks_SimpleStart_Intel_2009.tmp",40000000,00000000,00000000,00000002,00000080,00000000) ret=004075bd
0023:Ret  KERNEL32.CreateFileA() retval=00000054 ret=004075bd
...
0023:Call KERNEL32.SetFilePointer(00000050,00000000,0033fd78,00000001) ret=004075e0
0023:Ret  KERNEL32.SetFilePointer() retval=000b9b03 ret=004075e0
0023:Call KERNEL32.SetFilePointer(00000050,000b9b03,0033fd60,00000000) ret=00407690
0023:Ret  KERNEL32.SetFilePointer() retval=000b9b03 ret=00407690
0023:Call KERNEL32.SetFilePointer(00000054,00002a72,0033fd7c,00000000) ret=00407690
0023:Ret  KERNEL32.SetFilePointer() retval=00002a72 ret=00407690
0023:Call KERNEL32.SetEndOfFile(00000054) ret=004076b8
0023:Ret  KERNEL32.SetEndOfFile() retval=00000001 ret=004076b8
0023:Call KERNEL32.SetFilePointer(00000054,00000000,0033fd7c,00000000) ret=00407690
0023:Ret  KERNEL32.SetFilePointer() retval=00000000 ret=00407690
0023:Call KERNEL32.WriteFile(00000054,00420424,00002a72,0033fd88,00000000)
ret=004076e4
0023:Ret  KERNEL32.WriteFile() retval=00000001 ret=004076e4
0023:Call KERNEL32.CloseHandle(00000054) ret=0040755d
0023:Ret  KERNEL32.CloseHandle() retval=00000001 ret=0040755d
0023:Call KERNEL32.CloseHandle(00000050) ret=0040755d
0023:Ret  KERNEL32.CloseHandle() retval=00000001 ret=0040755d 
0023:Call user32.CreateWindowExA(00000000,0040a334 "STATIC",0040a320 "InnoSetupLdrWindow",00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000) ret=0040a136
...
0023:Call KERNEL32.CreateProcessA(00000000,00420488 "\"C:\\users\\focht\\Temp\\is-RJFDD.tmp\\Setup_QuickBooks_SimpleStart_Intel_2009.tmp\" /SL5=\"$10066,747501,80384,Z:\\home\\focht\\Downloads\\Setup_QuickBooks_SimpleStart_Intel_2009.exe\" ",00000000,00000000,00000000,00000000,00000000,00000000,0033fd64,0033fd54) ret=00409a19
0023:Ret  KERNEL32.CreateProcessA() retval=00000000 ret=00409a19
0023:Call KERNEL32.GetLastError() ret=00409671
0023:Ret  KERNEL32.GetLastError() retval=00000005 ret=00409671
0023:Call KERNEL32.FormatMessageA(00003200,00000000,00000005,00000000,0033f8f8,00000400,00000000) ret=004072a8
0023:Ret  KERNEL32.FormatMessageA() retval=00000010 ret=004072a8
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x402eb4 ip=00402eb4 tid=0023
0023:trace:seh:raise_exception  info[0]=00000000
0023:trace:seh:raise_exception  info[1]=0000fd38
0023:trace:seh:raise_exception  eax=00420654 ebx=00000069 ecx=00000002 edx=00000000 esi=00000005 edi=0040b240
0023:trace:seh:raise_exception  ebp=0033fd34 esp=0033fd00 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010212
0023:trace:seh:call_stack_handlers calling handler at 0x4096eb code=c0000005 flags=0
...
0023:trace:seh:call_stack_handlers handler at 0x7bc825c1 returned 2
0023:trace:seh:call_stack_handlers calling handler at 0x4096eb code=c00000fd flags=10
0023:err:seh:setup_exception_record stack overflow 992 bytes in thread 0023 eip f73e796b esp 00240f50 stack 0x240000-0x241000-0x340000
--- snip ---

What is not seen (debugging): the app uses the entry point signature of
'kernel32.dll.SetFilePointer' as the seed for further decryption.

--- snip ---
...
0040400C   8B73 01          MOV ESI,DWORD PTR DS:[EBX+1] ; SetFilePointer 
0040400F   89F7             MOV EDI,ESI ; 
00404011   4F               DEC EDI
00404012   8B57 01          MOV EDX,DWORD PTR DS:[EDI+1] ; *(DWORD*)entry
00404015   BB 6319F033      MOV EBX,33F01963
0040401A   31DA             XOR EDX,EBX
0040401C   89D3             MOV EBX,EDX
0040401E   53               PUSH EBX
0040401F   5E               POP ESI
00404020   89F0             MOV EAX,ESI
00404022   BA A6AA2938      MOV EDX,3829AAA6
00404027   81F2 A2AA2938    XOR EDX,3829AAA2
0040402D   29D4             SUB ESP,EDX
0040402F   890424           MOV DWORD PTR SS:[ESP],EAX
00404032   68 22778D73      PUSH 738D7722
00404037   B9 E9E37802      MOV ECX,278E3E9
0040403C   58               POP EAX
0040403D   31C1             XOR ECX,EAX
0040403F   BF 7325BB99      MOV EDI,99BB2573
00404044   31F9             XOR ECX,EDI
00404046   81F1 5057EB50    XOR ECX,50EB5750
0040404C   31CE             XOR ESI,ECX
--- snip ---

Wine's 'kernel32.dll.SetFilePointer' entry signature:

--- snip ---
7B83EE7E   8D4C24 04        LEA ECX,DWORD PTR SS:[ESP+4]
7B83EE82   83E4 F0          AND ESP,FFFFFFF0
7B83EE85   FF71 FC          PUSH DWORD PTR DS:[ECX-4]
7B83EE88   55               PUSH EBP
7B83EE89   89E5             MOV EBP,ESP
7B83EE8B   56               PUSH ESI
7B83EE8C   53               PUSH EBX
7B83EE8D   51               PUSH ECX
7B83EE8E   83EC 4C          SUB ESP,4C
7B83EE91   E8 FA07FEFF      CALL KERNEL32.__x86.get_pc_thunk.bx
7B83EE96   81C3 6AC10700    ADD EBX,7C16A
--- snip ---

The app expects a hotpatch-type entry, which gives the proper seed.

With 'DECLSPEC_HOTPATCH':

--- snip ---
7B83EE8E   8BFF             MOV EDI,EDI
7B83EE90   55               PUSH EBP
7B83EE91   8BEC             MOV EBP,ESP
7B83EE93   5D               POP EBP
7B83EE94   8D4C24 04        LEA ECX,DWORD PTR SS:[ESP+4]
7B83EE98   83E4 F0          AND ESP,FFFFFFF0
7B83EE9B   FF71 FC          PUSH DWORD PTR DS:[ECX-4]
7B83EE9E   55               PUSH EBP
7B83EE9F   89E5             MOV EBP,ESP
...
--- snip ---
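The two listings above explain why DECLSPEC_HOTPATCH is the fix, and the arithmetic can be checked without a debugger. What follows is an added example, not code from the bug report, from Wine, or from the installer: a Python model of the loader's seed derivation at 0040400C-0040404C. It reads the first DWORD at the SetFilePointer entry point, XORs it with the immediate 33F01963, and XORs that against the constant chain the loader assembles in ECX. The entry-point byte strings are constructed from the two disassembly listings in the report (Wine 1.7.20 without and with DECLSPEC_HOTPATCH); everything else is copied from the immediates shown in the loader snippet.

```python
# Added example: Python model of the seed derivation shown in the report's
# disassembly (0040400C-0040404C).  Not the installer's or Wine's code.
import struct

# Immediates copied from the report's disassembly.
SEED_XOR = 0x33F01963                                          # MOV EBX,33F01963 ; XOR EDX,EBX
ECX_CHAIN = (0x0278E3E9, 0x738D7722, 0x99BB2573, 0x50EB5750)   # MOV ECX,... ; XOR ECX,... x3

# Constructed entry-point bytes, transcribed from the two listings in the report.
# Wine 1.7.20 without DECLSPEC_HOTPATCH: LEA ECX,[ESP+4] / AND ESP,FFFFFFF0 / ...
WINE_PLAIN_ENTRY = bytes.fromhex("8d4c240483e4f0ff71fc5589e5")
# With DECLSPEC_HOTPATCH: MOV EDI,EDI / PUSH EBP / MOV EBP,ESP / POP EBP / ...
WINE_HOTPATCH_ENTRY = bytes.fromhex("8bff558bec5d8d4c240483e4f0")

# Five-byte x86 hotpatch prologue (mov edi,edi; push ebp; mov ebp,esp) that
# Wine's DECLSPEC_HOTPATCH emits and that a Windows kernel32 export starts with.
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")


def entry_dword(entry: bytes) -> int:
    """*(DWORD*)entry, i.e. MOV EDX,DWORD PTR DS:[EDI+1] with EDI = entry - 1."""
    return struct.unpack_from("<I", entry, 0)[0]


def derive_seed(entry: bytes) -> int:
    """EDX = *(DWORD*)entry XOR 33F01963; the loader keeps this in EAX/ESI."""
    return entry_dword(entry) ^ SEED_XOR


def expected_seed() -> int:
    """Value the loader builds in ECX from four obfuscated immediates."""
    ecx = 0
    for imm in ECX_CHAIN:
        ecx ^= imm
    return ecx


def seed_check(entry: bytes) -> int:
    """XOR ESI,ECX: zero only when the entry bytes are what the loader expects."""
    return derive_seed(entry) ^ expected_seed()


def is_hotpatch_prologue(entry: bytes) -> bool:
    """Cheap triage check: does an exported function start with a hotpatch prologue?"""
    return entry[:5] == HOTPATCH_PROLOGUE


if __name__ == "__main__":
    for name, entry in (("plain", WINE_PLAIN_ENTRY), ("hotpatch", WINE_HOTPATCH_ENTRY)):
        print(f"{name:9s} dword={entry_dword(entry):08x} seed={derive_seed(entry):08x} "
              f"check={seed_check(entry):08x} hotpatch={is_hotpatch_prologue(entry)}")
```

Folding the four ECX immediates gives B8A5E6E8, which is exactly 8B55FF8B XOR 33F01963, i.e. the bytes `8B FF 55 8B` of a hotpatch prologue run through the seed XOR. With Wine's original `8D 4C 24 04` prologue the check comes out as 8F71B306 instead, so every later stage keyed from that value goes wrong, which is the behaviour the relay log above shows. The report does not say what the loader does with the result beyond this point, so the model stops here; the useful takeaway for triaging similar "works on Windows, crashes on Wine" reports is that an application fingerprinting API prologues will only be satisfied by functions that carry the hotpatch entry.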

With that part fixed the installer runs into the next (known) mshtml/ieframe bug.

A DRM/protection scan on the installer doesn't show suspicious schemes (might
be custom).

--- snip ---
-=[ ProtectionID v0.6.5.5 OCTOBER]=-
(c) 2003-2013 CDKiLLER & TippeX
Build 31/10/13-21:09:09
Ready...
Scanning -> Z:\home\focht\Downloads\Setup_QuickBooks_SimpleStart_Intel_2009.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 768984 (0BBBD8h) Byte(s)
-> File Appears to be Digitally Signed @ Offset 0B9B08h, size : 020D0h / 08400 byte(s)
-> File has 680200 (0A6108h) bytes of appended data starting at offset 013A00h
[File Heuristics] -> Flag : 00000000000001001100000000100100 (0x0004C024)
[Entrypoint Section Entropy] : 6.66
[-= Installer =-] Inno Setup v5.5.0 Module
- Scan Took : 0.261 Second(s) [000000105h tick(s)] [533 scan(s) done]
--- snip ---

$ du -sh Setup_QuickBooks_SimpleStart_Intel_2009.exe 
752K    Setup_QuickBooks_SimpleStart_Intel_2009.exe

$ sha1sum Setup_QuickBooks_SimpleStart_Intel_2009.exe
d2f213e1d05845897c9dae891a73d6be62283206  Setup_QuickBooks_SimpleStart_Intel_2009.exe

$ wine --version
wine-1.7.20

Regards
