[Bug 38792] Crossfire BR HGWC (Hacking GateWay Client) crashes on startup (needs NtQueryVirtualMemory 'MemorySectionName' info class support)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Jun 21 14:12:33 CDT 2015


https://bugs.winehq.org/show_bug.cgi?id=38792

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, obfuscation
             Status|UNCONFIRMED                 |RESOLVED
                URL|                            |http://br.cfpatch.z8games.c
                   |                            |om/download/CrossFireBR_Set
                   |                            |up.exe
                 CC|                            |focht at gmx.net
            Version|unspecified                 |1.6.2
         Resolution|---                         |DUPLICATE
            Summary|Error at trying to open     |Crossfire BR HGWC (Hacking
                   |CROSSFIRE (HGWC)            |GateWay Client) crashes on
                   |                            |startup (needs
                   |                            |NtQueryVirtualMemory
                   |                            |'MemorySectionName' info
                   |                            |class support)

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello "hacker"/cheater,

your Wine version is outdated; upgrade to the recent 1.7.x series, preferably Wine
1.7.45.
If you don't know how to do that, visit WineHQ user forums.

--- snip ---
00000042 (D) Z:\media\gabriel\44BC2783BC276F1C\Jogos\CrossFire BR\HGWC.exe
--- snip ---

I searched using 'CrossFire BR' and 'HGWC' and found this site:

http://br.crossfire.z8games.com/

Download link: http://br.crossfire.z8games.com/download.html

It seems you're trying to run some Brazilian variant of some cheating tool?
HGWC = 'Hacking GateWay Client'?

Your crash log shows you're trying to run this app off another partition,
potentially from Windows install/FAT32?
Don't do that!
Please install each app/game in their own 32-bit WINEPREFIX!

I tried to start this 'HGWC.exe' tool after installation in new 32-bit
WINEPREFIX and it refused, complaining it can't be started stand-alone.

ProtectionID info:

--- snip ---
-=[ ProtectionID v0.6.6.7 DECEMBER]=-
(c) 2003-2015 CDKiLLER & TippeX
Build 24/12/14-22:48:13
Ready...
Scanning -> C:\Program Files\Z8Games\CrossFire BR\HGWC.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 1190152 (0122908h)
Byte(s)
Compilation TimeStamp : 0x5551ADC5 -> Tue 12th May 2015 07:37:41 (GMT)
[TimeStamp] 0x5551ADC5 -> Tue 12th May 2015 07:37:41 (GMT) | PE Header | - |
Offset: 0x00000100 | VA: 0x00400100 | -
-> File Appears to be Digitally Signed @ Offset 0121000h, size : 01908h / 06408
byte(s)
[File Heuristics] -> Flag #1 : 00000000000000001100000000100110 (0x0000C026)
[Entrypoint Section Entropy] : 7.99 (section #0) ".text   " | Size : 0x61000
(397312) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 6 (0x6) | ImageSize 0x2AA000 (2793472) byte(s)
[VersionInfo] Company Name : Smilegate Games Inc.
[VersionInfo] Product Name : HGWC
[VersionInfo] Product Version : 1.8.3.2
[VersionInfo] File Description : Hacking GateWay Client
[VersionInfo] File Version : 1.8.3.91
[VersionInfo] Original FileName : HGWC.exe
[VersionInfo] Internal Name : HGWC.exe
[VersionInfo] Legal Copyrights : Smilegate Games Inc.
[!] Themida v2.0.1.0 - v2.1.8.0 (or newer) detected !
[i] Hide PE Scanner Option used
- Scan Took : 0.637 Second(s) [00000027Dh (637) tick(s)] [499 of 573 scan(s)
done]
--- snip ---

There is a 'launcher' app in the installation directory:

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Z8Games/CrossFire BR

$ ./cfPT_launcher.exe
--- snip ---

The launcher app brought up some IE browser-based user interface with
everything Brazilian.
I clicked something that appeared to trigger some update mechanism.
It downloaded some files and updated CrossFire and XTrap.

With the update succeeding, the launcher started 'HGWC.exe' which indeed
crashed.

The tool was started with an overly long command line:

--- snip ---
$ cat /proc/22723/cmdline 

C:\Program Files\Z8Games\CrossFire BR\HGWC.exe [...]
--- snip ---

With that information in place I managed to run this tool stand-alone to
reproduce the crash:

--- snip ---
...
0026:Call KERNEL32.GetModuleHandleW(004bb238 L"ntdll.dll") ret=0041fff1
0026:Ret  KERNEL32.GetModuleHandleW() retval=7bc20000 ret=0041fff1
0026:Call KERNEL32.GetProcAddress(7bc20000,004bbb64 "ZwQueryVirtualMemory")
ret=0041fff8
0026:Ret  KERNEL32.GetProcAddress() retval=7bc3605c ret=0041fff8
0026:Call
ntdll.ZwQueryVirtualMemory(ffffffff,00400000,00000002,0032bfe8,0000020c,00000000)
ret=0042002b
0026:fixme:virtual:NtQueryVirtualMemory (process=0xffffffff,addr=0x400000)
Unimplemented information class: MemorySectionName
0026:Ret  ntdll.ZwQueryVirtualMemory() retval=c0000003 ret=0042002b
0026:Call KERNEL32.GetLastError() ret=00420035
0026:Ret  KERNEL32.GetLastError() retval=00000000 ret=00420035
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x420150 ip=00420150
tid=0026
0026:trace:seh:raise_exception  info[0]=00000000
0026:trace:seh:raise_exception  info[1]=00000000
0026:trace:seh:raise_exception  eax=00000000 ebx=ffffffff ecx=51756c8c
edx=00000002 esi=0032c28c edi=00000000
0026:trace:seh:raise_exception  ebp=004ea674 esp=0032bfdc cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210246
0026:trace:seh:call_stack_handlers calling handler at 0x4a8b06 code=c0000005
flags=0 
...
wine: Unhandled page fault on read access to 0x00000000 at address 0x420150
(thread 0026), starting debugger... 
...
Backtrace:
=>0 0x00420150 in hgwc (+0x20150) (0x004ea674)
0x00420150: movw    0x0(%eax),%cx
Modules:
Module    Address            Debug info    Name (123 modules)
PE      400000-  6aa000    Export          hgwc 
...
Threads:
process  tid      prio (all id:s are in hex)
...    
00000025 (D) C:\Program Files\Z8Games\CrossFire BR\HGWC.exe
    0000002f    0
    0000002e    0
    0000002d    0
    0000002c    0
    0000002b    0
    0000002a    0
    00000029    0
    00000028    0
    00000026    0 <== 
--- snip ---

The app is protected with 'Themida' protection scheme (see ProtectionID dump
earlier).
Themida is also widely used in malware/hacking scene for protecting "IP".

There is various anti-debugging and anti-VM trickery present, which Wine deals
with nicely, partially also thanks to the fact that Oreans (vendor of 'Themida')
made it more Wine compatible :-)

Anyway, I made a clean dump with code section properly decrypted and imports
restored to a usable state. 

The problem is indeed missing support for 'MemorySectionName' info class in
'NtQueryVirtualMemory'.
The app checks the 'NtQueryVirtualMemory' NTSTATUS return value and calls
'GetLastError', which *whoops* returns zero -> success.
The rest is obvious ... section name (out parameter) PUNICODE_STRING access
*boom*.

Anyway, long story short ... dupe of bug 23999

I generally don't care what apps/games/malware/crapware people are trying to
run, as I'm purely interested in the technical side - solving riddles.
This of course also involves providing solutions to make Wine more compatible
with malware and viruses.
I can't really speak up here as I'm morally guilty too ... but: consider not
using those apps.
Read: "Don't cheat" ;-)

$ sha1sum CrossFireBR_Setup.exe 
b69af2b59e7da66066ed054a173f9f324b3ecd69  CrossFireBR_Setup.exe

$ du -sh CrossFireBR_Setup.exe 
1.7G    CrossFireBR_Setup.exe

$ wine --version
wine-1.7.45-146-gaf55ae1

Regards

*** This bug has been marked as a duplicate of bug 23999 ***
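Added example, not part of the bug report and not code from Wine or HGWC, illustrating the failure described in the comment above: an Nt* call that returns an NTSTATUS but is "checked" through GetLastError(). The application logic is reconstructed from the trace only (zeroed 0x20c-byte buffer, STATUS_INVALID_INFO_CLASS returned, GetLastError() == 0, read through a NULL SectionFileName.Buffer); the stub ntdll, the \Device\... path and every identifier below are this example's own assumptions. Built with MinGW or MSVC it resolves the real ZwQueryVirtualMemory export the same way the app does; built anywhere else it runs against the stub, which behaves like an ntdll without the info class.

```c
/* Added example (not code from the bug report, Wine or HGWC): NTSTATUS vs.
 * GetLastError() confusion around NtQueryVirtualMemory(MemorySectionName).
 * Uses the real ntdll export on Windows/Wine, a stub ntdll elsewhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#define NTAPI_ __stdcall
#define LAST_ERROR() GetLastError()
#else
#define NTAPI_
#define LAST_ERROR() 0UL                        /* nothing on this path sets it, as in the trace */
#endif
typedef int32_t nt_status_t;                    /* NTSTATUS: high bit set == failure */
#define NT_SUCCESS(s) ((nt_status_t)(s) >= 0)
#define STATUS_SUCCESS            ((nt_status_t)0x00000000)
#define STATUS_UNSUCCESSFUL       ((nt_status_t)0xC0000001)
#define STATUS_INVALID_INFO_CLASS ((nt_status_t)0xC0000003)   /* retval in the trace */
#define STATUS_BUFFER_OVERFLOW    ((nt_status_t)0x80000005)
#define NT_CURRENT_PROCESS        ((void *)(intptr_t)-1)       /* 0xffffffff in the trace */
enum { MemorySectionName = 2 };                 /* MS name: MemoryMappedFilenameInformation */
/* Output layout for that class: a UNICODE_STRING followed by its own buffer. */
struct unicode_string { uint16_t Length, MaximumLength; uint16_t *Buffer; };
struct memory_section_name { struct unicode_string SectionFileName; uint16_t NameBuffer[]; };
typedef nt_status_t (NTAPI_ *nt_qvm_fn)(void *process, void *base, int info_class,
                                        void *info, size_t info_len, size_t *ret_len);

/* Stub ntdll for non-Windows builds; the path is constructed sample data. */
static const char k_fake_path[] = "\\Device\\HarddiskVolume1\\Z8Games\\CrossFire BR\\HGWC.exe";
static int g_stub_supports_section_name = 0;    /* 0 = old Wine ntdll, 1 = newer ntdll */
static nt_status_t NTAPI_ stub_nt_qvm(void *process, void *base, int info_class,
                                      void *info, size_t info_len, size_t *ret_len)
{
    struct memory_section_name *msn = info;
    size_t i, n = strlen(k_fake_path), need = sizeof *msn + (n + 1) * sizeof(uint16_t);
    (void)process; (void)base;
    if (info_class != MemorySectionName || !g_stub_supports_section_name)
        return STATUS_INVALID_INFO_CLASS;       /* out buffer is left untouched */
    if (ret_len) *ret_len = need;
    if (info_len < need) return STATUS_BUFFER_OVERFLOW;
    for (i = 0; i < n; i++) msn->NameBuffer[i] = (uint16_t)(unsigned char)k_fake_path[i];
    msn->NameBuffer[n] = 0;
    msn->SectionFileName.Length = (uint16_t)(n * sizeof(uint16_t));
    msn->SectionFileName.MaximumLength = (uint16_t)((n + 1) * sizeof(uint16_t));
    msn->SectionFileName.Buffer = msn->NameBuffer;
    return STATUS_SUCCESS;
}

static nt_qvm_fn resolve_nt_qvm(void)
{
#ifdef _WIN32
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");  /* the lookup seen in the trace */
    return ntdll ? (nt_qvm_fn)GetProcAddress(ntdll, "ZwQueryVirtualMemory") : NULL;
#else
    return stub_nt_qvm;
#endif
}

enum outcome { BAILED_OUT, READ_VALID_NAME, READ_NULL_POINTER /* the fault at 0x00000000 */ };
/* The caller's logic as reconstructed from the trace: ignore the NTSTATUS, ask
 * GetLastError() (which Nt* calls never set), treat 0 as success, then read
 * SectionFileName.Buffer. Reports what would happen instead of touching it. */
static enum outcome section_name_as_hgwc_does(nt_qvm_fn qvm, void *base)
{
    union { struct memory_section_name msn; unsigned char raw[0x20c]; } buf;  /* 0x20c as in the trace */
    memset(&buf, 0, sizeof buf);
    (void)qvm(NT_CURRENT_PROCESS, base, MemorySectionName, &buf, sizeof buf, NULL);
    if (LAST_ERROR() != 0)                      /* wrong check for an Nt* call */
        return BAILED_OUT;
    return buf.msn.SectionFileName.Buffer ? READ_VALID_NAME : READ_NULL_POINTER;
}

/* Correct handling: trust the out parameter only when NT_SUCCESS(status), and
 * never an unfilled pointer. name[] (name_chars >= 1) gets NUL-terminated UTF-16. */
static nt_status_t section_name_checked(nt_qvm_fn qvm, void *base, uint16_t *name, size_t name_chars)
{
    union { struct memory_section_name msn; unsigned char raw[0x20c]; } buf;
    size_t chars;
    nt_status_t st;
    name[0] = 0;
    memset(&buf, 0, sizeof buf);
    st = qvm(NT_CURRENT_PROCESS, base, MemorySectionName, &buf, sizeof buf, NULL);
    if (!NT_SUCCESS(st)) return st;
    if (buf.msn.SectionFileName.Buffer == NULL) return STATUS_UNSUCCESSFUL;
    chars = buf.msn.SectionFileName.Length / sizeof(uint16_t);
    if (chars > name_chars - 1) chars = name_chars - 1;
    memcpy(name, buf.msn.SectionFileName.Buffer, chars * sizeof(uint16_t));
    name[chars] = 0;
    return st;
}

int main(void)
{
    nt_qvm_fn qvm = resolve_nt_qvm();
    void *base = (void *)k_fake_path;           /* an address inside this image */
    uint16_t name[256];
    size_t i;
    if (!qvm) { puts("ZwQueryVirtualMemory not found"); return 1; }
    printf("GetLastError-style check: %s\n", section_name_as_hgwc_does(qvm, base) == READ_NULL_POINTER
           ? "would fault reading 0x00000000" : "survived");
    printf("NT_SUCCESS-style check: 0x%08x ", (unsigned)section_name_checked(qvm, base, name, 256));
    for (i = 0; name[i]; i++) putchar(name[i] < 0x80 ? (int)name[i] : '?');
    return putchar('\n'), 0;
}
```

Run under a Wine without the info class and the first line reports the fault; on Windows, or a Wine that implements MemorySectionName, both checks see a valid name. The practical rule for anyone writing or reversing this kind of code: after an Nt*/Zw* call only NT_SUCCESS(status) (or RtlNtStatusToDosError(status) when a Win32 error code is wanted) is meaningful, and GetLastError() still holds whatever the last Win32 API left there.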
