[Bug 34558] Multiple applications and games wrapped with ASProtect 1.4 protection scheme fail to start after registration (Farm Frenzy 2, Alawar, FL Studio 11.x VSTi 'Slayer2' plugin, FORScan)

wine-bugs at winehq.org wine-bugs at winehq.org
Wed Sep 23 14:42:23 CDT 2015


https://bugs.winehq.org/show_bug.cgi?id=34558

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|UNCONFIRMED                 |NEW
          Component|-unknown                    |ntdll
            Summary|Alawar launcher fails to    |Multiple applications and
                   |start after game has been   |games wrapped with
                   |registered                  |ASProtect 1.4 protection
                   |                            |scheme fail to start after
                   |                            |registration (Farm Frenzy
                   |                            |2, Alawar, FL Studio 11.x
                   |                            |VSTi 'Slayer2' plugin,
                   |                            |FORScan)
     Ever confirmed|0                           |1

--- Comment #15 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming. I spent a good day on this nasty thing.
Debugging thunks/continuations is not really fun.

In essence ASProtect employs some SEH trickery that suffers from different
runtime stack usage by Wine's win32 implementation.
Bug 28089 (a design problem in how Wine implements exception handling/signal
stack) is potentially also present here but not the real blocker.

The protection sets up various SEH chains at runtime which work fine.
Unfortunately there is a case when the protection code sets up an SEH
registration record along with additional metadata at ~ 1KB on stack top (ESP -
0x400).
After that, a few calls to win32/native API are made until the new SEH record
is made active (fs:[0]).

The problem arises with Wine's 'KERNEL32.VirtualAllocEx' (->
'ntdll.RtlAllocateHeap') which I traced to consume more than 0x400 bytes until
all leaf functions have been executed.
One of the leaf calls overwrites/corrupts the previously initialized SEH
registration record with local variables, leaving a destroyed SEH chain when
the new SEH chain head is installed via 'fs:[0]'.

--- snip ---
-=[ ProtectionID v0.6.6.7 DECEMBER]=-
(c) 2003-2015 CDKiLLER & TippeX
Build 24/12/14-22:48:13
Ready...
Scanning -> C:\Program Files\FORScan\FORScan.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 980992 (0EF800h)
Byte(s)
Compilation TimeStamp : 0x55FF57F8 -> Mon 21st Sep 2015 01:06:00 (GMT)
[TimeStamp] 0x55FF57F8 -> Mon 21st Sep 2015 01:06:00 (GMT) | PE Header | - |
Offset: 0x00000100 | VA: 0x00400100 | -
[File Heuristics] -> Flag #1 : 00000000000000001100000000100010 (0x0000C022)
[Entrypoint Section Entropy] : 8.00 (section #0) "        " | Size : 0x80C00
(527360) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 7 (0x7) | ImageSize 0x2A7000 (2781184) byte(s)
[!] ASProtect SKE v2.72 or higher detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 20% probability
- Scan Took : 0.721 Second(s) [0000002D1h (721) tick(s)] [499 of 573 scan(s)
done]
--- snip ---

$ sha1sum FORScanSetup2.2.7.beta.exe 
ddeda5bfed7f6875c90a2dbf1397701e2678ca53  FORScanSetup2.2.7.beta.exe

$ du -sh FORScanSetup2.2.7.beta.exe 
15M    FORScanSetup2.2.7.beta.exe

$ wine --version
wine-1.7.51-202-g14dc7e0

Regards
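The failure mode the comment describes, a record parked below ESP being clobbered by a deeper call chain, can be checked for any uninstrumented function with stack painting: run it on a private, pattern-filled stack and see how far down the pattern was overwritten. The C program below is an added example, not code from the bug report or from Wine. It assumes glibc's <ucontext.h> API and a downward-growing stack; the two probed functions (frugal_leaf, greedy_chain) are constructed stand-ins for a call path that stays within the 0x400-byte scratch area and one that, like the RtlAllocateHeap path traced above, does not.

```c
/* Added example (not from the bug report or Wine): measure a function's stack
 * high-water mark by "stack painting".  The function under test runs on a
 * private, pattern-filled stack (glibc <ucontext.h>, assumed available); the
 * lowest address whose paint survived bounds the deepest frame.  The budget
 * of 0x400 bytes is the scratch area below ESP that the comment says the
 * protector relied on.  Assumes a downward-growing stack (x86, ARM, ...).
 * Build: cc -std=gnu11 -Wall stackpaint.c && ./a.out */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ucontext.h>

#define PAINT_BYTE      0xA5u
#define PROBE_STACK     (64u * 1024u)
#define SCRATCH_BUDGET  0x400u  /* ESP - 0x400: the area the protector assumed untouched */

static ucontext_t caller_ctx, probe_ctx;
static void (*fn_under_test)(void);

/* Entry point of the private stack; returning resumes caller_ctx via uc_link. */
static void trampoline(void) { fn_under_test(); }

/* Run fn on a painted private stack and return how many bytes it touched
 * (high-water mark, including the trampoline's own frame), or -1 on failure. */
long stack_high_water(void (*fn)(void))
{
    unsigned char *stack = malloc(PROBE_STACK);
    if (!stack) return -1;
    memset(stack, PAINT_BYTE, PROBE_STACK);

    if (getcontext(&probe_ctx) != 0) { free(stack); return -1; }
    probe_ctx.uc_stack.ss_sp   = stack;
    probe_ctx.uc_stack.ss_size = PROBE_STACK;
    probe_ctx.uc_link          = &caller_ctx;
    fn_under_test = fn;
    makecontext(&probe_ctx, trampoline, 0);
    if (swapcontext(&caller_ctx, &probe_ctx) != 0) { free(stack); return -1; }

    /* The stack grows down from stack + PROBE_STACK, so scan upward from the
     * low end for the first byte that lost its paint.  A data byte that
     * happens to equal PAINT_BYTE can make this estimate slightly low. */
    size_t i = 0;
    while (i < PROBE_STACK && stack[i] == PAINT_BYTE) i++;
    long used = (long)(PROBE_STACK - i);
    free(stack);
    return used;
}

/* 1 if fn's deepest frame stays inside the scratch budget, 0 if it would
 * overwrite a record parked SCRATCH_BUDGET bytes below the stack pointer. */
int fits_in_scratch(void (*fn)(void))
{
    long used = stack_high_water(fn);
    return used >= 0 && (unsigned long)used <= SCRATCH_BUDGET;
}

/* Constructed stand-ins (not Wine code): a small leaf, and a call chain whose
 * leaf owns a 0x500-byte local buffer, like the heap path the comment traced. */
static void frugal_leaf(void)
{
    volatile unsigned char small[16];
    for (size_t i = 0; i < sizeof small; i++) small[i] = (unsigned char)i;
}

static void greedy_leaf(void)
{
    volatile unsigned char big[0x500];
    for (size_t i = 0; i < sizeof big; i++) big[i] = (unsigned char)i;
}

static void greedy_chain(void) { greedy_leaf(); }

int main(void)
{
    printf("frugal_leaf : %ld bytes used, %s\n", stack_high_water(frugal_leaf),
           fits_in_scratch(frugal_leaf) ? "fits in scratch" : "CLOBBERS scratch");
    printf("greedy_chain: %ld bytes used, %s\n", stack_high_water(greedy_chain),
           fits_in_scratch(greedy_chain) ? "fits in scratch" : "CLOBBERS scratch");
    return 0;
}
```

The reported figure includes the few bytes makecontext and the trampoline spend on the private stack, so it slightly overstates the probed function's own footprint; for a budget check like the one above that errs on the safe side. The same scan can be pointed at any call path whose stack depth you distrust, which is the question the comment answers for VirtualAllocEx by tracing.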
