[Bug 18844] Neuro-Programmer v2.5 fails to map registry entries (XenoCode Virtual Application Studio 2010 registry virtualization fails to intercept Wine's root key handles)
wine-bugs at winehq.org
Mon Sep 14 15:34:09 CDT 2015
https://bugs.winehq.org/show_bug.cgi?id=18844
Anastasius Focht <focht at gmx.net> changed:
What      |Removed                     |Added
----------------------------------------------------------------------------
Keywords  |                            |obfuscation
Status    |NEW                         |RESOLVED
CC        |                            |focht at gmx.net
Component |-unknown                    |advapi32
Resolution|---                         |DUPLICATE
Summary   |Neuro-Programmer v2.5 fails |Neuro-Programmer v2.5 fails
          |to map registry entries     |to map registry entries
          |                            |(XenoCode Virtual
          |                            |Application Studio 2010
          |                            |registry virtualization
          |                            |fails to intercept Wine's
          |                            |root key handles)
--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
the problem is the special root key handle interception which Xenocode registry
virtualization relies on.
I described the problem in bug 38956.
I'm resolving this as dupe since the analysis is there.
--- snip ---
$ WINEDEBUG=+tid,+seh,+loaddll,+process,+reg,+msgbox wine ./Neuro-Programmer\ 2.exe >>log.txt 2>&1
...
0027:trace:loaddll:load_native_dll Loaded L"C:\\windows\\system32\\mscoree.dll" at 0x79000000: native
0027:trace:reg:GetSystemInfo si=0x0x33ecd8
0027:trace:reg:GetSystemInfo si=0x0x33ea3c
0027:trace:reg:NtOpenKey (0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33dfe0)
0027:trace:reg:NtOpenKey <- (nil)
...
0027:trace:loaddll:load_native_dll Loaded L"C:\\windows\\system32\\MUI\\0409\\mscorees.dll" at 0x63ef0000: native
...
0027:trace:reg:NtOpenKey (0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33c4a8)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey (0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33c868)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey (0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33bf94)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey (0x50,L"Software\\Microsoft\\.NETFramework\\Policy\\Upgrades",20019,0x33c860)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey (0x2c,L"Software\\Microsoft\\.NETFramework\\Policy\\Upgrades",20019,0x33c860)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey (0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33bf94)
0027:trace:reg:NtOpenKey <- (nil)
...
0027:trace:msgbox:MSGBOX_OnInit L"Please set registry key HKLM\\Software\\Microsoft\\.NETFramework\\InstallRoot to point \nto the .NET Framework install location"
--- snip ---
ProtectionID scan:
--- snip ---
-=[ ProtectionID v0.6.6.7 DECEMBER]=-
(c) 2003-2015 CDKiLLER & TippeX
Build 24/12/14-22:48:13
Ready...
Scanning -> C:\Program Files\Neuro-Programmer 2\Neuro-Programmer 2.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 27265025 (01A00801h) Byte(s)
Compilation TimeStamp : 0x0000002B -> Thu 01st Jan 1970 00:00:43 (GMT)
[TimeStamp] 0x0000002B -> Thu 01st Jan 1970 00:00:43 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x00400088 | -
-> File has 27240961 (019FAA01h) bytes of appended data starting at offset 05E00h
[File Heuristics] -> Flag #1 : 00000000000001001000000000000100 (0x00048004)
[Entrypoint Section Entropy] : 6.30 (section #0) ".text " | Size : 0x3C54 (15444) byte(s)
[DllCharacteristics] -> Flag : (0x8000) -> TSA
[SectionCount] 6 (0x6) | ImageSize 0x290000 (2686976) byte(s)
[VersionInfo] Company Name : Transparent Corporation. www.transparentcorp.com
[VersionInfo] Product Name : Neuro-Programmer 2
[VersionInfo] Product Version : 2.5.4.0
[VersionInfo] File Description : Neuro-Programmer 2
[VersionInfo] File Version : 2.5.4.0
[VersionInfo] Original FileName : Neuro-Programmer 2.exe
[VersionInfo] Internal Name : Neuro-Programmer 2.exe
[VersionInfo] Version Comments : An advanced self-help application. utilizing brainwave entrainment. hypnosis and psychological techniques.
[VersionInfo] Legal Trademarks : Neuro-Programmer
[VersionInfo] Legal Copyrights : Copyright 2003-2010 Transparent Corporation All Rights Reserved
[!] XenoCode Virtual Application Studio 2010 detected !
[CdKeySerial] found "Invalid code" @ VA: 0x00001EE0 / Offset: 0x000012E0
- Scan Took : 0.349 Second(s) [00000015Dh (349) tick(s)] [558 of 573 scan(s) done]
--- snip ---
$ sha1sum NP2_Installer.exe
74724b836908dd4ef5efad9833fe933eeef57d82 NP2_Installer.exe
$ du -sh NP2_Installer.exe
44M NP2_Installer.exe
$ wine --version
wine-1.7.51-102-ga7e294c
Regards
*** This bug has been marked as a duplicate of bug 38956 ***
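
An added example, not part of the original bug comment and not Wine or Bugzilla code: a small Python triage script that groups the NtOpenKey calls of a +tid,+reg trace like the one quoted above by root handle and relative path, and counts those whose result line is `<- (nil)`. The sample lines are constructed in the shape of the quoted trace, the names `unwrap` and `failed_opens` are hypothetical, and reading `(nil)` as "no key handle returned" is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of the +tid,+reg trace quoted above; the
# first call is mail-wrapped (argument list on its own line) as in the post.
SAMPLE = r'''0027:trace:reg:NtOpenKey
(0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33dfe0)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey (0x50,L"Software\\Microsoft\\.NETFramework\\Policy\\Upgrades",20019,0x33c860)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey (0x2c,L"Software\\Example",20019,0x33c000)
0027:trace:reg:NtOpenKey <- 0x54
0027:trace:reg:NtOpenKey (0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33c4a8)
0027:trace:reg:NtOpenKey <- (nil)
'''

PREFIX = re.compile(r'^[0-9a-f]{4}:\w+:\w+:')
CALL = re.compile(r'^([0-9a-f]{4}):trace:reg:NtOpenKey '
                  r'\((\(nil\)|0x[0-9a-f]+),L"(.*)",[0-9a-f]+,')
RESULT = re.compile(r'^([0-9a-f]{4}):trace:reg:NtOpenKey <- (\(nil\)|0x[0-9a-f]+)')

def unwrap(text):
    """Re-join wrapped lines: no 'tid:class:channel:' prefix means continuation."""
    lines = []
    for line in text.splitlines():
        if lines and not PREFIX.match(line):
            lines[-1] += ' ' + line.strip()
        else:
            lines.append(line)
    return lines

def failed_opens(text):
    """Count NtOpenKey calls per (root handle, path) that returned no handle."""
    pending, failures = {}, Counter()
    for line in unwrap(text):
        call = CALL.match(line)
        if call:
            tid, root, path = call.groups()
            pending[tid] = (root, path.replace('\\\\', '\\'))  # undo trace escaping
            continue
        result = RESULT.match(line)
        if result and result.group(1) in pending:
            key = pending.pop(result.group(1))
            if result.group(2) == '(nil)':  # assumption: (nil) = open failed
                failures[key] += 1
    return failures

if __name__ == '__main__':
    for (root, path), count in failed_opens(SAMPLE).most_common():
        print(f'{count}x root={root} {path}')
```

Calls and results are paired per thread id, so the same function can be run over a full log.txt captured with the WINEDEBUG channels shown above.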