[Bug 32515] Steam games protected with Valve's CEG (Custom Executable Generation) DRM scheme fail game cache validation

wine-bugs at winehq.org
Sun Feb 5 19:00:07 CST 2017


https://bugs.winehq.org/show_bug.cgi?id=32515

--- Comment #50 from Christian Inci <chris.pcguy.inci at gmail.com> ---
This CEG issue seems to be the result of some rarely used CEG features.

There seem to be multiple (Wine code) bugs involved, some when creating the CEG
file and some others when running it. Valve support, when asked for at
least some CEG test cases and told that more and more people are
complaining about the bug, is basically telling me: "Go fuck yourself!" (In
"nicer" words, but anyway.)
I don't have much time to spend on this, but I'm trying to do what I can.

The bugs seem to be in File/Directory/Volume/Exception/SectionTable-handling
functions.

When creating the CEG file, something in steamservice.dll is writing 1028 (this
stands for C:\WINDOWS\system32\1028) in xor'ed form to the executable. Under
Wine, it'll write garbage to it.
This seems to be a remainder in/of the stack. It seems like Wine's kernel32.dll
needs to be somewhat stack compatible.

When running the CEG file, some int3 calls with a custom TEB are working, but
others seem to be silently ignored. Even when it works, there are e.g. some
differences in the EXCEPTION_RECORD and CONTEXT structures.
Some members of Wine's TEB (struct in the header) don't seem to be in the
right place and some of Wine's private members don't seem to be used at all.

Valve did some great work there, e.g. some multiple-KiB-big functions are
basically just one extremely simple and tiny loop, because 99 percent of the
functions aren't used at all.

CEG seems to be actually very simple, but the hard things are e.g. to filter
the irrelevant/unused parts, to circumvent the anti-debug code, the obfuscation
and the code designed to distract.

This reminds me more and more of malware analysis. What are those CEG features
designed to work against? Is it specific anti-Wine/anti-ReactOS code?
