[Bug 29688] CHAOS;HEAD crashes on start (in-memory PE image of Wine builtins vs. placeholder image on disk)

wine-bugs at winehq.org
Sun Jun 22 15:56:51 CDT 2014


http://bugs.winehq.org/show_bug.cgi?id=29688

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht at gmx.net
            Summary|CHAOS;HEAD crashes on start |CHAOS;HEAD crashes on start
                   |                            |(in-memory PE image of Wine
                   |                            |builtins vs. placeholder
                   |                            |image on disk)
     Ever confirmed|0                           |1

--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

The game uses some custom anti-debugging/reversing protection scheme, probably
created by the vendor (not detected by the 'ProtectionID' or 'ExeInfoPE' tools).

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Nitroplus/CHAOS;HEAD

$ LANG=ja_JP.UTF-8 WINEDEBUG=+tid,+seh,+relay wine ./ChaosHead.exe >>log.txt 2>&1
...
0023:Call KERNEL32.IsDebuggerPresent() ret=00584cbf
0023:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=00584cbf
...
0023:Call KERNEL32._lopen(00676b7c "\\\\.\\NTICE",00000000) ret=00584eb3
0023:Ret  KERNEL32._lopen() retval=ffffffff ret=00584eb3
0023:Call KERNEL32.lstrlenA(00676bcc "__ANTICRACK__") ret=006310d7
0023:Ret  KERNEL32.lstrlenA() retval=0000000d ret=006310d7 
...
0023:Call KERNEL32._lopen(00676b64 "\\\\.\\SICE",00000000) ret=00584f41
0023:Ret  KERNEL32._lopen() retval=ffffffff ret=00584f41 
...
0023:Call KERNEL32._lopen(00676b58 "\\\\.\\TRW",00000000) ret=00584f71
0023:Ret  KERNEL32._lopen() retval=ffffffff ret=00584f71 
...
0023:Call KERNEL32._lopen(00676b48 "\\\\.\\SIWVID",00000000) ret=00584fa1
0023:Ret  KERNEL32._lopen() retval=ffffffff ret=00584fa1
...
0023:trace:seh:raise_exception code=80000003 flags=0 addr=0x587fe0 ip=00587fe1 tid=0023
0023:trace:seh:raise_exception  eax=0033fe10 ebx=ffffffff ecx=00781308 edx=00000011 esi=00676bc1 edi=0033fd69
0023:trace:seh:raise_exception  ebp=0033f968 esp=0033f93c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00200207
0023:trace:seh:call_stack_handlers calling handler at 0x613830 code=80000003 flags=0
0023:Call ntdll.RtlUnwind(0033f958,0061343c,00000000,00000000) ret=0061343c
0023:  eax=00000001 ebx=0033f958 ecx=00000000 edx=7bc825c1 esi=00000000 edi=0064e208 ebp=0033f404 esp=0033f3f4 ds=002b es=002b fs=0063 gs=006b flags=00200202
0023:trace:seh:__regs_RtlUnwind code=c0000027 flags=2
0023:trace:seh:__regs_RtlUnwind calling handler at 0x7bc825c1 code=c0000027 flags=2
0023:trace:seh:__regs_RtlUnwind handler at 0x7bc825c1 returned 1
...

0023:Call KERNEL32.CreateFileA(008bb410 "C:\\windows\\system32\\Kernel32.dll",80000000,00000003,00000000,00000003,08000000,00000000) ret=005dd078
0023:Ret  KERNEL32.CreateFileA() retval=0000005c ret=005dd078
0023:Call KERNEL32.CreateFileA(008bb460 "C:\\windows\\system32\\User32.dll",80000000,00000003,00000000,00000003,08000000,00000000) ret=005dd598
0023:Ret  KERNEL32.CreateFileA() retval=00000060 ret=005dd598
0023:Call KERNEL32.CreateFileA(008bb5a0 "C:\\windows\\system32\\Imagehlp.dll",80000000,00000003,00000000,00000003,08000000,00000000) ret=005dd5bd
0023:Ret  KERNEL32.CreateFileA() retval=00000064 ret=005dd5bd
0023:Call KERNEL32.CreateFileMappingA(0000005c,00000000,01000002,00000000,00000000,00000000) ret=005dd612
0023:Ret  KERNEL32.CreateFileMappingA() retval=00000068 ret=005dd612
0023:Call KERNEL32.CreateFileMappingA(00000060,00000000,01000002,00000000,00000000,00000000) ret=005dd637
0023:Ret  KERNEL32.CreateFileMappingA() retval=0000006c ret=005dd637
0023:Call KERNEL32.CreateFileMappingA(00000064,00000000,01000002,00000000,00000000,00000000) ret=005ddabf
0023:Ret  KERNEL32.CreateFileMappingA() retval=00000070 ret=005ddabf
0023:Call KERNEL32.MapViewOfFile(00000068,00000004,00000000,00000000,00000000) ret=005ddb09
0023:Ret  KERNEL32.MapViewOfFile() retval=10000000 ret=005ddb09
0023:Call KERNEL32.MapViewOfFile(0000006c,00000004,00000000,00000000,00000000) ret=005ddb2a
0023:Ret  KERNEL32.MapViewOfFile() retval=00340000 ret=005ddb2a
0023:Call KERNEL32.MapViewOfFile(00000070,00000004,00000000,00000000,00000000) ret=005ddb4b
0023:Ret  KERNEL32.MapViewOfFile() retval=00380000 ret=005ddb4b
...
0023:Call KERNEL32.lstrlenA(006894a8 "ANTICRACK_RESOURCE_STRING") ret=006310d7
0023:Ret  KERNEL32.lstrlenA() retval=00000019 ret=006310d7
...
0023:Call KERNEL32.lstrlenA(00689520 "__ANTICRACK_EXPRESSION__") ret=006310d7
0023:Ret  KERNEL32.lstrlenA() retval=00000018 ret=006310d7
...
0023:Call KERNEL32.lstrlenA(0077f8a8 "") ret=006310d7
0023:Ret  KERNEL32.lstrlenA() retval=00000000 ret=006310d7
0023:Call KERNEL32.lstrlenA(00689468 "\xa4\xb8\xa4\xa9\xb4\xf5\xb4\xfa\xa4\xb8\xb4\xd9\xb7\xb1\xa4\xb7\xb7\xaf\xa4\xd3\xa4\xbb") ret=006310d7
0023:Ret  KERNEL32.lstrlenA() retval=00000016 ret=006310d7
0023:Call KERNEL32.lstrlenA(008bc828 "%\n\x04%\x0b\x08%\n\x04%\n\t%\x0b\x04%\x0f\x05%\x0b\x04%\x0f\n%\n\x04%\x0b\x08%\x0b\x04%\r\t%\x0b\x07%\x0b\x01%\n\x04%\x0b\x07%\x0b\x07%\n\x0f%\n\x04%\r\x03%\n\x04%\x0b\x0b") ret=006314d1
0023:Ret  KERNEL32.lstrlenA() retval=00000042 ret=006314d1
0023:Call KERNEL32.lstrlenA(008bb4b0 "\xa4\xb8\xa4\xa9\xb4\xf5\xb4\xfa\xa4\xb8\xb4\xd9\xb7\xb1\xa4\xb7\xb7\xaf\xa4\xd3\xa4\xbb") ret=006314d1
0023:Ret  KERNEL32.lstrlenA() retval=00000016 ret=006314d1
0023:Call KERNEL32.InterlockedDecrement(008bb4a4) ret=00631053
0023:Ret  KERNEL32.InterlockedDecrement() retval=00000000 ret=00631053
0023:Call KERNEL32.InterlockedDecrement(008bc81c) ret=00631053
0023:Ret  KERNEL32.InterlockedDecrement() retval=00000000 ret=00631053
0023:Call KERNEL32.lstrlenA(008bb550 "User32.dll") ret=006314d1
0023:Ret  KERNEL32.lstrlenA() retval=0000000a ret=006314d1
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x10012ed8 ip=10012ed8 tid=0023
0023:trace:seh:raise_exception  info[0]=00000000
0023:trace:seh:raise_exception  info[1]=ffffffff
0023:trace:seh:raise_exception  eax=00000000 ebx=0033fd69 ecx=008bb550 edx=00781310 esi=00002fff edi=005ddbe2
0023:trace:seh:raise_exception  ebp=0033f53c esp=0033f2ec cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210202
0023:trace:seh:call_stack_handlers calling handler at 0x64b5f6 code=c0000005 flags=0
0023:Call KERNEL32.GetLastError() ret=0061883c
0023:Ret  KERNEL32.GetLastError() retval=00000000 ret=0061883c
0023:trace:seh:call_stack_handlers handler at 0x64b5f6 returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x613830 code=c0000005 flags=0
...
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:10012ed8 ESP:0033f2ec EBP:0033f53c EFLAGS:00210202(  R- --  I   - - - )
 EAX:00000000 EBX:0033fd69 ECX:008bb550 EDX:00781310
 ESI:00002fff EDI:005ddbe2
...
Backtrace:
=>0 0x10012ed8 (0x0033f53c)
  1 0x005d55c4 in chaoshead (+0x1d55c3) (0x0033f558)
  2 0x005cfa3e in chaoshead (+0x1cfa3d) (0x0033f658)
  3 0x005cbdb0 in chaoshead (+0x1cbdaf) (0x0033f670)
  4 0x005c91f9 in chaoshead (+0x1c91f8) (0x0033f688)
  5 0x005efc9b in chaoshead (+0x1efc9a) (0x0033f6a0)
  6 0x00587a9c in chaoshead (+0x187a9b) (0x0033f968)
  7 0x00584ffb in chaoshead (+0x184ffa) (0x0033fd70)
  8 0x0063879f in chaoshead (+0x23879e) (0x0033fe20)
  9 0x7b8643b0 call_process_entry+0xb() in kernel32 (0x0033fe38) 
...
0x10012ed8: pop    %es
Modules:
Module    Address            Debug info    Name (78 modules)
PE      400000-  79b000    Export          chaoshead
ELF    7b800000-7ba61000    Dwarf           kernel32<elf>
  \-PE    7b810000-7ba61000    \               kernel32 
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000022 (D) C:\Program Files\Nitroplus\CHAOS;HEAD\ChaosHead.exe
    00000023    0 <== 
--- snip ---

The protection scheme populates the PE export directory of the in-memory core
dlls ('kernel32.dll', 'user32.dll', ...) to calculate API entry offsets.
It then maps the on-disk core dlls into memory and uses the calculated offsets
to retrieve the API entry points from the newly mapped files.

This obviously can't work with Wine.

Bug 15437 is about a similar problem which can be worked around - unlike this
one.

$ wine --version
wine-1.7.20-102-g889cce4

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
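The resolution scheme described in comment #3 (export RVAs read from the loaded kernel32, then applied to a separately mapped copy of the on-disk file), as an added example that is not part of the bug report, of Wine, or of the game's code. It builds two constructed PE32 images in memory: BUILTIN stands in for the PE view of Wine's kernel32 builtin (its export RVAs are invented; 0x12ED8 merely echoes the faulting EIP in the log), PLACEHOLDER stands in for the small fake kernel32.dll Wine writes to system32, assumed here to carry no named exports. parse_exports, build_image, resolve_via_disk_mapping and export_mismatches are all hypothetical helper names; export_mismatches is the consistency check the scheme skips, which would have told it the two images are not the same file.

```python
import struct

STUB = b"\x31\xC0\xC3"  # xor eax,eax ; ret  (stand-in for a real export body)
EDATA_RVA = 0x1000      # where the constructed images keep their export data


def parse_exports(image):
    """Walk IMAGE_EXPORT_DIRECTORY of a mapped image (RVA == offset, as for a
    loaded module or a SEC_IMAGE view); return {name: rva}, forwarders as 'dll.func'."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    exp_rva, exp_size = struct.unpack_from("<II", image, opt + (96 if magic == 0x10B else 112))
    if exp_rva == 0 or exp_size == 0:
        return {}
    nnames, funcs, names, ords = struct.unpack_from("<IIII", image, exp_rva + 24)
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]
        func_rva = struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        if exp_rva <= func_rva < exp_rva + exp_size:  # inside the directory: forwarder string
            exports[name] = image[func_rva:image.index(b"\0", func_rva)].decode("ascii")
        else:
            exports[name] = func_rva
    return exports


def build_image(module_name, exports, size_of_image):
    """Constructed one-section PE32 DLL, file offset == RVA, so the same bytes serve as
    'loaded module' and 'disk mapping'.  STUB is written at every export RVA."""
    names = sorted(exports)  # name table must be sorted: the loader binary-searches it
    n = len(names)
    funcs_rva = EDATA_RVA + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    strtab, name_rvas = bytearray(), []
    for nm in names:
        name_rvas.append(strings_rva + len(strtab))
        strtab += nm.encode("ascii") + b"\0"
    modname_rva = strings_rva + len(strtab)
    strtab += module_name.encode("ascii") + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, modname_rva, 1, n, n,
                        funcs_rva, names_rva, ords_rva)
    edata += b"".join(struct.pack("<I", exports[nm]) for nm in names)
    edata += b"".join(struct.pack("<I", r) for r in name_rvas)
    edata += b"".join(struct.pack("<H", i) for i in range(n))
    edata += bytes(strtab)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x1000)                   # section/file alignment
    struct.pack_into("<II", opt, 56, size_of_image, 0x1000)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, EDATA_RVA, len(edata))            # DataDirectory[0] = exports
    sec = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(edata), EDATA_RVA, 0x1000,
                                      EDATA_RVA, 0, 0, 0, 0, 0x40000040)
    img = bytearray(size_of_image)
    hdr = dos + coff + opt + sec
    img[:len(hdr)] = hdr
    img[EDATA_RVA:EDATA_RVA + len(edata)] = edata
    for rva in exports.values():
        img[rva:rva + len(STUB)] = STUB
    return bytes(img)


def resolve_via_disk_mapping(in_memory, disk_view, name):
    """The scheme from comment #3: RVA taken from the loaded module's export table,
    applied to a separate mapping of the on-disk file.  Returns (rva, bytes found
    there) or raises when the RVA is not even inside the disk mapping."""
    rva = parse_exports(in_memory)[name]
    if isinstance(rva, str):
        raise LookupError(f"{name} forwards to {rva}; there is no code at an RVA")
    if rva + len(STUB) > len(disk_view):
        raise LookupError(f"RVA {rva:#x} lies beyond the {len(disk_view):#x}-byte disk mapping")
    return rva, bytes(disk_view[rva:rva + len(STUB)])


def export_mismatches(in_memory, disk_view):
    """The check the scheme omits: export names whose RVA in the loaded module is
    absent from, or differs in, the mapped disk file.  Empty when both are the same
    file (Windows); every name when the disk file is a placeholder (Wine)."""
    mem, disk = parse_exports(in_memory), parse_exports(disk_view)
    return sorted(n for n, rva in mem.items() if disk.get(n) != rva)


# Constructed stand-ins, not measured data: invented RVAs and sizes.
BUILTIN = build_image("kernel32.dll", {"IsDebuggerPresent": 0x12ED8, "lstrlenA": 0x1A100}, 0x20000)
PLACEHOLDER = build_image("kernel32.dll", {}, 0x3000)
```

Calling resolve_via_disk_mapping(BUILTIN, BUILTIN, "IsDebuggerPresent") models Windows, where the loaded module and the disk file are the same image and the RVA lands on the function stub; resolve_via_disk_mapping(BUILTIN, PLACEHOLDER, "IsDebuggerPresent") models Wine, where the RVA points past the end of the small placeholder mapping and export_mismatches(BUILTIN, PLACEHOLDER) lists every export. A real protection would also have to handle forwarded exports and the PE32+ directory offset, which parse_exports does.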