[Bug 42716] 64-bit MetaTrader5 refuses to start, reports ' A debugger has been found running in your system' (Denuvo Anti-Tamper x64)

wine-bugs at winehq.org wine-bugs at winehq.org
Mon Jan 29 07:16:15 CST 2018


https://bugs.winehq.org/show_bug.cgi?id=42716

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |a1b563f41c2246f94467b17d67a369cfbe144a2d
          Component|-unknown                    |ntdll
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #23 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

--- quote ---
MetaTrader 5 build 1702 is RUNNING! to 08.12.2017
--- quote ---

interesting.

Latest ProtectionID version doesn't detect Denuvo software protection scheme on
these newer binaries though:

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> Z:\home\focht\Downloads\wine64\drive_c\Program Files\MetaTrader
5\terminal64.exe
File Type : 64-Bit Exe (Subsystem : Win GUI / 2), Size : 45739592 (02B9EE48h)
Byte(s) | Machine: 0x8664 (AMD64)
[!] Warning : File is 64 Bit, this os is NOT
Compilation TimeStamp : 0x02B2AE00 -> Tue 08th Jun 1971 21:26:24 (GMT)
[TimeStamp] 0x02B2AE00 -> Tue 08th Jun 1971 21:26:24 (GMT) | PE Header | - |
Offset: 0x00000000:00000130 | VA: 0x00000001:40000130 | -
[TimeStamp] 0x5A6110C2 -> Thu 18th Jan 2018 21:25:22 (GMT) | DebugDirectory | -
| Offset: 0x00000000:00B9F6D4 | VA: 0x00000001:40BA04D4 | -
[TimeStamp] 0x5A6110C2 -> Thu 18th Jan 2018 21:25:22 (GMT) | DebugDirectory | -
| Offset: 0x00000000:00B9F6F0 | VA: 0x00000001:40BA04F0 | -
[TimeStamp] 0x5A6110C2 -> Thu 18th Jan 2018 21:25:22 (GMT) | DebugDirectory | -
| Offset: 0x00000000:00B9F70C | VA: 0x00000001:40BA050C | -
-> File Appears to be Digitally Signed @ Offset 02B9D450h, size : 019F8h /
06648 byte(s)
-> File has 468560 (072650h) bytes of appended data starting at offset
02B2AE00h
[!] Executable uses TLS callbacks (3 total... 0 invalid addresses)
[LoadConfig] Struct determined as v8 (Expected size 232 | Actual size 256)
[LoadConfig] CFG (/Guard) - Handler @ 0x1:40A0DFF0
[LoadConfig] CFG Table @ 0x0:00000000 | 0x00 (00) entries
[LoadConfig] CFG Flags : 0x100
[LoadConfig] CodeIntegrity -> Flags 0x0 | Catalog 0x0 (0) | Catalog Offset 0x0
| Reserved 0x0
[LoadConfig] GuardAddressTakenIatEntryTable 0x0:00000000 | Count 0x000000000
(00)
[LoadConfig] GuardLongJumpTargetTable 0x0:00000000 | Count 0x000000000 (00)
[LoadConfig] HybridMetadataPointer 0x1:00000000 | DynamicValueRelocTable
0x0:00000000
[LoadConfig] FailFastIndirectProc 0x0:00000000 | FailFastPointer 0x0:00000000
[LoadConfig] UnknownZero1 0x0       0
[LoadConfig] CFG Data Present, yet setting is not present in the
DllCharacteristics.. patched out?
[File Heuristics] -> Flag #1 : 00000100000001001101000000000101 (0x0404D005)
[Entrypoint Section Entropy] : 7.56 (section #5) ".cod1   " | Size : 0x37DF9C
(3661724) byte(s)
[DllCharacteristics] -> Flag : (0x8160) -> HEVA | ASLR | DEP | TSA
[SectionCount] 8 (0x8) | ImageSize 0x2BB0000 (45809664) byte(s)
[VersionInfo] Company Name : MetaQuotes Software Corp.
[VersionInfo] Product Name : MetaTrader 5 Client Terminal
[VersionInfo] Product Version : 5.0.0.1755
[VersionInfo] File Description : MetaTrader 5 Client Terminal
[VersionInfo] File Version : 5.0.0.1755
[VersionInfo] Original FileName : terminal.exe
[VersionInfo] Internal Name : terminal.exe
[VersionInfo] Version Comments : https://www.metaquotes.net
[VersionInfo] Legal Trademarks : MetaTrader
[VersionInfo] Legal Copyrights : © 2001-2018. MetaQuotes Software Corp.
[ModuleReport] [IAT] Modules -> CRYPT32.dll | WINMM.dll | VERSION.dll |
NETAPI32.dll | WINHTTP.dll | gdiplus.dll | UxTheme.dll | KERNEL32.dll |
USER32.dll | GDI32.dll | MSIMG32.dll | WINSPOOL.DRV | ADVAPI32.dll |
SHELL32.dll | COMCTL32.dll | SHLWAPI.dll | ole32.dll | OLEAUT32.dll |
oledlg.dll | urlmon.dll | IPHLPAPI.DLL | dbghelp.dll | WS2_32.dll | Secur32.dll
| OLEACC.dll | IMM32.dll | WTSAPI32.dll | KERNEL32.dll | USER32.dll |
KERNEL32.dll | USER32.dll
[Debug Info] (record 1 of 3) (file offset 0xB9F6D0)
Characteristics : 0x0 | TimeDateStamp : 0x5A6110C2 (Thu 18th Jan 2018 21:25:22
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x5B (91) 
AddressOfRawData : 0xBB0CAC | PointerToRawData : 0xBAFEAC
CvSig : 0x53445352 | SigGuid 2C4D8F0E-AD9F-41D8-8A44C97DD6BDC20C
Age : 0x1 (1) | Pdb :
E:\MetaTrader5\Client\MetaTrader5Terminal\Release64\terminal64.pdb
[Debug Info] (record 2 of 3) (file offset 0xB9F6EC)
Characteristics : 0x0 | TimeDateStamp : 0x5A6110C2 (Thu 18th Jan 2018 21:25:22
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 12 (0xC) -> Undocumented | Size : 0x14 (20) 
AddressOfRawData : 0xBB0D08 | PointerToRawData : 0xBAFF08
[Debug Info] (record 3 of 3) (file offset 0xB9F708)
Characteristics : 0x0 | TimeDateStamp : 0x5A6110C2 (Thu 18th Jan 2018 21:25:22
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 13 (0xD) -> Undocumented | Size : 0x3EC (1004) 
AddressOfRawData : 0xBB0D1C | PointerToRawData : 0xBAFF1C
[CompilerDetect] -> Borland Delphi (unknown version) - 20% probability
[CompilerDetect] -> Visual C/C++
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 6.486 Second(s) [000001972h (6514) tick(s)] [234 of 580 scan(s)
done]
--- snip ---

virustotal.com scan:

https://www.virustotal.com/#/file/0c35cfa4458f4c07b6cae1d88b3c58b3c44cb9eb8cd36eac1b83f23fe0747909/details

Tracing/debugging reveals it still has the same anti-debugging code:

--- snip ---
...
002e:Call KERNEL32.GetModuleHandleA(0023dd70 "kernel32.dll",) ret=141aa6c88
002e:Ret  KERNEL32.GetModuleHandleA() retval=7b460000 ret=141aa6c88
002e:Call KERNEL32.GetModuleHandleA(0023dd70 "ntdll.dll",) ret=141aa6c88
002e:Ret  KERNEL32.GetModuleHandleA() retval=7bc80000 ret=141aa6c88
002e:Call KERNEL32.IsDebuggerPresent() ret=141bb3358
002e:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=141bb3358
002e:Call KERNEL32.CheckRemoteDebuggerPresent(ffffffffffffffff,0023dff4,)
ret=141bf4512
002e:Ret  KERNEL32.CheckRemoteDebuggerPresent() retval=00000001 ret=141bf4512
002e:Call
ntdll.NtQueryInformationProcess(ffffffffffffffff,0000001e,0023e278,00000008,00000000,)
ret=141b8d5e6
002e:Ret  ntdll.NtQueryInformationProcess() retval=c0000353 ret=141b8d5e6
002e:Call
ntdll.NtSetInformationThread(fffffffffffffffe,00000011,00000000,00000000,)
ret=141b1cbbb
002e:Ret  ntdll.NtSetInformationThread() retval=00000000 ret=141b1cbbb
002e:Call ntdll.NtQuerySystemInformation(00000023,0023e580,00000002,00000000,)
ret=141b7f723
002e:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=141b7f723
002e:Call ntdll.NtQuerySystemInformation(0000000b,0023df68,00000000,0023df40,)
ret=141c45332
002e:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=141c45332
002e:Call KERNEL32.LocalAlloc(00000000,00005348,) ret=141badf30
002e:Ret  KERNEL32.LocalAlloc() retval=00075730 ret=141badf30
002e:Call ntdll.NtQuerySystemInformation(0000000b,00075730,00005348,00000000,)
ret=141be95f0
002e:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=141be95f0
002e:Call KERNEL32.LocalFree(00075730,) ret=141bca348
002e:Ret  KERNEL32.LocalFree() retval=00000000 ret=141bca348
002e:Call
ntdll.NtProtectVirtualMemory(ffffffffffffffff,0023dfe0,0023e1c0,00000040,0023dfc0,)
ret=141bd42d0
002e:Ret  ntdll.NtProtectVirtualMemory() retval=00000000 ret=141bd42d0
002e:Call
ntdll.NtProtectVirtualMemory(ffffffffffffffff,0023dfe0,0023e1c0,00000004,0023dfc0,)
ret=141bd42d0
002e:Ret  ntdll.NtProtectVirtualMemory() retval=00000000 ret=141bd42d0
002e:Call
ntdll.NtProtectVirtualMemory(ffffffffffffffff,0023dfe0,0023e1c0,00000004,0023dfc0,)
ret=141bd42d0
002e:Ret  ntdll.NtProtectVirtualMemory() retval=00000000 ret=141bd42d0
002e:Call KERNEL32.CloseHandle(deadc0de,) ret=141b7896a
002e:Ret  KERNEL32.CloseHandle() retval=00000000 ret=141b7896a
002e:trace:seh:NtRaiseException code=80000004 flags=0 addr=0x141ac6a77
ip=141ac6a77 tid=002e
002e:trace:seh:NtRaiseException  rax=000000005295e074 rbx=0000000141aa97a0
rcx=00000000deadc0de rdx=000000000000036a
002e:trace:seh:NtRaiseException  rsi=0000000000000000 rdi=0000000140e18390
rbp=000000000023dee0 rsp=000000000023de90
002e:trace:seh:NtRaiseException   r8=0000000000265148  r9=000000000000a4a8
r10=00000000c62cf451 r11=0000000000000039
002e:trace:seh:NtRaiseException  r12=00000000286d5aa5 r13=0000000140000000
r14=0000000000000004 r15=aaaaaaaaaaaaaaab 
...
002e:trace:seh:call_handler calling handler 0x140e0dd80 (rec=0x23dd50,
frame=0x23de90 context=0x23d000, dispatch=0x23d4d0)
002e:Call
ntdll.RtlUnwindEx(0023de90,141ac6a82,0023dd50,ffffffff80000004,0023d000,0023d520,)
ret=140e0de85 
...
002e:trace:seh:RtlRestoreContext returning to 141ac6a82 stack 23de90
002e:Call KERNEL32.GetProcessAffinityMask(ffffffffffffffff,0023e0e8,0023dfb8,)
ret=141ba20ee
002e:Ret  KERNEL32.GetProcessAffinityMask() retval=00000001 ret=141ba20ee
002e:Call KERNEL32.SetThreadAffinityMask(fffffffffffffffe,00000001,)
ret=141aca08b
002e:Ret  KERNEL32.SetThreadAffinityMask() retval=000000ff ret=141aca08b
002e:Call KERNEL32.Sleep(00000000,) ret=141ad0deb
002e:Ret  KERNEL32.Sleep() retval=00000000 ret=141ad0deb
002e:Call KERNEL32.SetThreadAffinityMask(fffffffffffffffe,000000ff,)
ret=141c04852
002e:Ret  KERNEL32.SetThreadAffinityMask() retval=00000001 ret=141c04852
002e:Call KERNEL32.SetThreadAffinityMask(fffffffffffffffe,00000002,)
ret=141aca08b
002e:Ret  KERNEL32.SetThreadAffinityMask() retval=000000ff ret=141aca08b
002e:Call KERNEL32.Sleep(00000000,) ret=141ad0deb
002e:Ret  KERNEL32.Sleep() retval=00000000 ret=141ad0deb 
...
--- snip ---

Out of interest I ran the older MetaTrader5 15xx build this bug was reported
against, and it also worked with Wine 3.0.

Fortunately I had the full install directory of MetaTrader5 snapshotted some
time ago; otherwise even old installers would try to bootstrap the recent version
from the vendor website when run (no offline install).

I did a reverse regression test, and it turns out it was fixed by commit
https://source.winehq.org/git/wine.git/commitdiff/a1b563f41c2246f94467b17d67a369cfbe144a2d
("ntdll: Add support for debug registers in exceptions on x86-64."), included
in the Wine 2.13 release.

Thanks to Alexandre.

---

Not directly related: It seems Denuvo has been acquired by some company called
"Irdeto".

https://www.denuvo.com/

https://www.kitguru.net/tech-news/featured-tech-news/matthew-wilson/denuvo-is-about-to-get-tougher-after-joining-forces-with-security-firm-iderto

Regards
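As an added example (not part of the bug report or of Wine's own tooling), a small Python triage helper that walks Wine relay lines like the ones quoted above, pairs each Call with its Ret on the same thread, and labels the well-known debugger-presence probes the trace shows. The information-class numbers are the public ntdll enum values; the sample lines are constructed from the trace, rejoined where the mail wrapped them.

```python
import re

# Public ntdll SYSTEM_INFORMATION_CLASS values seen in the trace (table constructed here).
SYSTEM_INFO = {0x23: "SystemKernelDebuggerInformation", 0x0b: "SystemModuleInformation"}

# Wine relay lines: "<tid>:Call <mod>.<fn>(<args>) ret=<addr>" / "<tid>:Ret  <mod>.<fn>() retval=<val> ret=<addr>"
CALL_RE = re.compile(r"^(?P<tid>[0-9a-f]+):Call\s+[^.\s]+\.(?P<fn>\w+)\((?P<args>[^)]*)\)")
RET_RE = re.compile(r"^(?P<tid>[0-9a-f]+):Ret\s+[^.\s]+\.(?P<fn>\w+)\(\)\s+retval=(?P<val>[0-9a-f]+)")

def classify(fn, args):
    """Return a label if the call is a well-known debugger-presence probe, else None."""
    a = [x for x in args.split(",") if x]          # relay args carry a trailing comma
    if fn in ("IsDebuggerPresent", "CheckRemoteDebuggerPresent"):
        return fn
    if fn == "NtQueryInformationProcess" and len(a) > 1 and int(a[1], 16) == 0x1e:
        return "ProcessDebugObjectHandle"
    if fn == "NtSetInformationThread" and len(a) > 1 and int(a[1], 16) == 0x11:
        return "ThreadHideFromDebugger"
    if fn == "NtQuerySystemInformation" and a:
        return SYSTEM_INFO.get(int(a[0], 16))
    if fn == "CloseHandle" and a and int(a[0], 16) & 3:
        # NT handles are multiples of 4; closing a bogus one raises EXCEPTION_INVALID_HANDLE only under a debugger
        return "CloseHandle(invalid handle)"
    return None

def find_probes(lines):
    """Pair each flagged Call with its Ret on the same thread -> [(label, retval)]."""
    pending, found = {}, []
    for line in lines:
        m = CALL_RE.match(line)
        if m:
            label = classify(m["fn"], m["args"])
            if label: pending[(m["tid"], m["fn"])] = label
            continue
        m = RET_RE.match(line)
        if m and (m["tid"], m["fn"]) in pending:
            found.append((pending.pop((m["tid"], m["fn"])), int(m["val"], 16)))
    return found

# Constructed sample: relay lines from the trace above, rejoined onto single lines.
SAMPLE = """\
002e:Call KERNEL32.IsDebuggerPresent() ret=141bb3358
002e:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=141bb3358
002e:Call ntdll.NtQueryInformationProcess(ffffffffffffffff,0000001e,0023e278,00000008,00000000,) ret=141b8d5e6
002e:Ret  ntdll.NtQueryInformationProcess() retval=c0000353 ret=141b8d5e6
002e:Call ntdll.NtSetInformationThread(fffffffffffffffe,00000011,00000000,00000000,) ret=141b1cbbb
002e:Ret  ntdll.NtSetInformationThread() retval=00000000 ret=141b1cbbb
002e:Call ntdll.NtQuerySystemInformation(00000023,0023e580,00000002,00000000,) ret=141b7f723
002e:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=141b7f723
002e:Call KERNEL32.CloseHandle(deadc0de,) ret=141b7896a
002e:Ret  KERNEL32.CloseHandle() retval=00000000 ret=141b7896a
""".splitlines()
```

Note that a retval of 1 from CheckRemoteDebuggerPresent only means the call succeeded; the actual answer lands in its out-parameter, which the relay trace does not show.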
