[Bug 18844] Neuro-Programmer v2.5 fails to map registry entries (XenoCode Virtual Application Studio 2010 registry virtualization fails to intercept Wine's root key handles)

wine-bugs at winehq.org wine-bugs at winehq.org
Mon Sep 14 15:34:09 CDT 2015 

https://bugs.winehq.org/show_bug.cgi?id=18844

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|NEW                         |RESOLVED
                 CC|                            |focht at gmx.net
          Component|-unknown                    |advapi32
         Resolution|---                         |DUPLICATE
            Summary|Neuro-Programmer v2.5 fails |Neuro-Programmer v2.5 fails
                   |to map registry entries     |to map registry entries
                   |                            |(XenoCode Virtual
                   |                            |Application Studio 2010
                   |                            |registry virtualization
                   |                            |fails to intercept Wine's
                   |                            |root key handles)

--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

the problem the special root key handle interception which Xenocode registry
virtualization relies on.

I described the problem in bug 38956
I'm resolving this as dupe since the analysis is there.

--- snip ---
$ WINEDEBUG=+tid,+seh,+loaddll,+process,+reg,+msgbox wine ./Neuro-Programmer\
2.exe >>log.txt 2>&1
...
0027:trace:loaddll:load_native_dll Loaded L"C:\\windows\\system32\\mscoree.dll"
at 0x79000000: native
0027:trace:reg:GetSystemInfo si=0x0x33ecd8
0027:trace:reg:GetSystemInfo si=0x0x33ea3c
0027:trace:reg:NtOpenKey
(0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33dfe0)
0027:trace:reg:NtOpenKey <- (nil)
...
0027:trace:loaddll:load_native_dll Loaded
L"C:\\windows\\system32\\MUI\\0409\\mscorees.dll" at 0x63ef0000: native
...
0027:trace:reg:NtOpenKey
(0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33c4a8)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey
(0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33c868)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey
(0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33bf94)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey
(0x50,L"Software\\Microsoft\\.NETFramework\\Policy\\Upgrades",20019,0x33c860)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey
(0x2c,L"Software\\Microsoft\\.NETFramework\\Policy\\Upgrades",20019,0x33c860)
0027:trace:reg:NtOpenKey <- (nil)
0027:trace:reg:NtOpenKey
(0x2c,L"Software\\Microsoft\\.NETFramework",20019,0x33bf94)
0027:trace:reg:NtOpenKey <- (nil)
...
0027:trace:msgbox:MSGBOX_OnInit L"Please set registry key
HKLM\\Software\\Microsoft\\.NETFramework\\InstallRoot to point \nto the .NET
Framework install location" 
--- snip ---

ProtectionID scan:

--- snip ---
-=[ ProtectionID v0.6.6.7 DECEMBER]=-
(c) 2003-2015 CDKiLLER & TippeX
Build 24/12/14-22:48:13
Ready...
Scanning -> C:\Program Files\Neuro-Programmer 2\Neuro-Programmer 2.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 27265025 (01A00801h)
Byte(s)
Compilation TimeStamp : 0x0000002B -> Thu 01st Jan 1970 00:00:43 (GMT)
[TimeStamp] 0x0000002B -> Thu 01st Jan 1970 00:00:43 (GMT) | PE Header | - |
Offset: 0x00000088 | VA: 0x00400088 | -
-> File has 27240961 (019FAA01h) bytes of appended data starting at offset
05E00h
[File Heuristics] -> Flag #1 : 00000000000001001000000000000100 (0x00048004)
[Entrypoint Section Entropy] : 6.30 (section #0) ".text   " | Size : 0x3C54
(15444) byte(s)
[DllCharacteristics] -> Flag : (0x8000) -> TSA
[SectionCount] 6 (0x6) | ImageSize 0x290000 (2686976) byte(s)
[VersionInfo] Company Name : Transparent Corporation. www.transparentcorp.com
[VersionInfo] Product Name : Neuro-Programmer 2
[VersionInfo] Product Version : 2.5.4.0
[VersionInfo] File Description : Neuro-Programmer 2
[VersionInfo] File Version : 2.5.4.0
[VersionInfo] Original FileName : Neuro-Programmer 2.exe
[VersionInfo] Internal Name : Neuro-Programmer 2.exe
[VersionInfo] Version Comments : An advanced self-help application. utilizing
brainwave entrainment. hypnosis and psychological techniques.
[VersionInfo] Legal Trademarks : Neuro-Programmer
[VersionInfo] Legal Copyrights : Copyright 2003-2010 Transparent Corporation
All Rights Reserved
[!] XenoCode Virtual Application Studio 2010 detected !
[CdKeySerial] found "Invalid code" @ VA: 0x00001EE0 / Offset: 0x000012E0
- Scan Took : 0.349 Second(s) [00000015Dh (349) tick(s)] [558 of 573 scan(s)
done]
--- snip ---

$ sha1sum NP2_Installer.exe 
74724b836908dd4ef5efad9833fe933eeef57d82  NP2_Installer.exe

$ du -sh NP2_Installer.exe 
44M    NP2_Installer.exe

$ wine --version
wine-1.7.51-102-ga7e294c

Regards

*** This bug has been marked as a duplicate of bug 38956 ***

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list