[Bug 45249] Zockinger Facilitator (TFFT) v1.15 crashes on startup
wine-bugs at winehq.org
wine-bugs at winehq.org
Mon Jul 16 10:51:24 CDT 2018
https://bugs.winehq.org/show_bug.cgi?id=45249
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |obfuscation
CC| |focht at gmx.net
Summary|page fault on read access - |Zockinger Facilitator
|Zockinger Facilitator |(TFFT) v1.15 crashes on
| |startup
--- Comment #5 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
the app contains various anti-debug measures.
The first layer is PE Compact v2.x:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> Z:\home\focht\Downloads\zocfft\ZOCFFT.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 1898824 (01CF948h)
Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5A008BA1 -> Mon 06th Nov 2017 16:19:45 (GMT)
[TimeStamp] 0x5A008BA1 -> Mon 06th Nov 2017 16:19:45 (GMT) | PE Header | - |
Offset: 0x00000088 | VA: 0x00400088 | -
-> File Appears to be Digitally Signed @ Offset 01CD850h, size : 020F8h / 08440
byte(s)
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset
0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558
(4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000001011100000000100110 (0x0005C026)
[Entrypoint Section Entropy] : 8.00 (section #0) ".text " | Size : 0x1CC000
(1884160) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 3 (0x3) | ImageSize 0x2E8000 (3047424) byte(s)
[VersionInfo] Company Name : Zockinger Technologies
[VersionInfo] Product Name : The Facilitator for TSM
[VersionInfo] Product Version : 1.15.0.555
[VersionInfo] File Description : The Facilitator for TSM
[VersionInfo] File Version : 555
[VersionInfo] Original FileName : ZOCFFT.exe
[VersionInfo] Internal Name : TFFT
[VersionInfo] Legal Copyrights : (C) 2017 Zockinger Technologies
[ModuleReport] [IAT] Modules -> kernel32.dll
[!] PE Compact v20352 (internal version) compressed !
- Scan Took : 0.488 Second(s) [0000001E8h (488) tick(s)] [506 of 580 scan(s)
done]
--- snip ---
Unwrapping the first layer until OEP is fairly easy. There is another
protection scheme though, which seems custom. The app uses custom imports
resolver and relay thunks don't work here.
* kernel32.dll
* user32.dll
* advapi32.dll
* comctl32.dll
--- snip ---
...
002f:Call KERNEL32.VirtualProtect(00503000,001e2000,00000040,0033fe04)
ret=00401244
002f:Ret KERNEL32.VirtualProtect() retval=00000001 ret=00401244
002f:Call KERNEL32.VirtualAlloc(00000000,00334930,00003000,00000040)
ret=0051cfbf
002f:Ret KERNEL32.VirtualAlloc() retval=00b00000 ret=0051cfbf
002f:Call KERNEL32.VirtualAlloc(00000000,00003700,00003000,00000040)
ret=00b2e4f9
002f:Ret KERNEL32.VirtualAlloc() retval=00360000 ret=00b2e4f9
002f:Call KERNEL32.VirtualAlloc(00000000,00003700,00003000,00000040)
ret=00b2e4f9
002f:Ret KERNEL32.VirtualAlloc() retval=00370000 ret=00b2e4f9
002f:Call KERNEL32.VirtualAlloc(00000000,00003700,00003000,00000040)
ret=00b2e4f9
002f:Ret KERNEL32.VirtualAlloc() retval=00380000 ret=00b2e4f9
002f:Call KERNEL32.VirtualFree(00360000,00000000,00008000) ret=00b174b8
002f:Ret KERNEL32.VirtualFree() retval=00000001 ret=00b174b8
002f:Call KERNEL32.VirtualFree(00370000,00000000,00008000) ret=00b174b8
002f:Ret KERNEL32.VirtualFree() retval=00000001 ret=00b174b8
002f:Call KERNEL32.LoadLibraryA(00b0038e "KERNEL32.dll") ret=00b1c0b7
002f:Ret KERNEL32.LoadLibraryA() retval=7b420000 ret=00b1c0b7
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x836d0cd9
ip=836d0cd9 tid=002f
002f:trace:seh:raise_exception info[0]=00000008
002f:trace:seh:raise_exception info[1]=836d0cd9
002f:trace:seh:raise_exception eax=0059ceff ebx=00b002b2 ecx=00000083
edx=00000000 esi=00b00014 edi=0033fbb8
002f:trace:seh:raise_exception ebp=0033fb98 esp=0033fb78 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210293
002f:trace:seh:call_stack_handlers calling handler at 0x7b490024 code=c0000005
flags=0
wine: Unhandled page fault on execute access to 0x836d0cd9 at address
0x836d0cd9 (thread 002f), starting debugger...
002f:trace:seh:start_debugger Starting debugger "winedbg --auto 46 136"
002f:trace:seh:call_stack_handlers handler at 0x7b490024 returned 1
Unhandled exception: page fault on execute access to 0x836d0cd9 in 32-bit code
(0x836d0cd9).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
EIP:836d0cd9 ESP:0033fb78 EBP:0033fb98 EFLAGS:00210293( R- -- I S -A- -C)
EAX:0059ceff EBX:00b002b2 ECX:00000083 EDX:00000000
ESI:00b00014 EDI:0033fbb8
Stack dump:
0x0033fb78: 7b4313c0 0059ceff 00a40248 00b0af2d
0x0033fb88: 0033fbb8 7b420000 7b64ce3d 00b00014
0x0033fb98: 0033fcf4 00b2091c 00b00014 0033fbb8
0x0033fba8: 00000000 0033fd84 0033fd24 00b00014
0x0033fbb8: 6c64746e 7bd0006c 7bd0f2d6 7bd0f388
0x0033fbc8: 7bd0f2c1 7bd0f388 00000000 00000000
Backtrace:
=>0 0x836d0cd9 (0x0033fb98)
1 0x00b2091c (0x0033fcf4)
2 0x00b062be (0x0033fd9c)
3 0x00b1c5f3 (0x0033fdc8)
4 0x00b00f36 (0x00503104)
5 0x7b432ad4 in kernel32 (+0x12ad3) (0x7b431754)
--- snip ---
--- snip ---
002f:Call KERNEL32.VirtualAlloc(00000000,00334930,00003000,00000040)
ret=0051cfbf
002f:Ret KERNEL32.VirtualAlloc() retval=00b00000 ret=0051cfbf
--- snip ---
--- snip ---
00B00000 E8 00000000 CALL 00B00005
00B00005 5B POP EBX
00B00006 8DB3 5F430000 LEA ESI,[EBX+435F]
00B0000C E9 C7040000 JMP 00B004D8
--- snip ---
Another debugging tidbit: the app protection stores state data past the current
ESP which makes single stepping painful. You have to recognize those sequences
and *not* single step nearby -> bug 28089 ("exception handling code touches
stack for exceptions handled by the debugger")
Examples:
--- snip ---
0051D033 F0:DB2B LOCK FLD TBYTE PTR DS:[EBX]
0051D036 83EC 04 SUB ESP,4
0051D039 890424 MOV DWORD PTR SS:[ESP],EAX
0051D03C C1F8 00 SAR EAX,0
0051D03F 897424 FC MOV DWORD PTR SS:[ESP-4],ESI ; taint if single stepped
0051D043 83EC 04 SUB ESP,4
0051D046 83EC 04 SUB ESP,4
0051D049 890C24 MOV DWORD PTR SS:[ESP],ECX
0051D04C 894424 FC MOV DWORD PTR SS:[ESP-4],EAX ; taint if single stepped
0051D050 83EC 04 SUB ESP,4
0051D053 60 PUSHAD
--- snip ---
--- snip ---
00B1D0F3 5F POP EDI
00B1D0F4 894424 FC MOV DWORD PTR SS:[ESP-4],EAX ; taint if single stepped
00B1D0F8 F3:EB 02 REP JMP SHORT 00B1D0FD
00B1D0FB D15CE9 B1 RCR DWORD PTR DS:[EBP*8+ECX-4F],1
00B1D0FF E4 FF IN AL,0FF
00B1D101 FFC3 INC EBX
00B1D103 E9 02000000 JMP 00B1D10A
--- snip ---
Additionally various threads check for hardware breakpoints being used which is
expected as most of the (obfuscated) protection code unwraps dynamically -> you
don't want to use softbp here.
--- snip ---
0147:trace:seh:__regs_NtGetContextThread 0xfffffffe: dr0=00000000 dr1=00000000
dr2=00000000 dr3=00000000 dr6=00000000 dr7=00000000
016b:trace:seh:__regs_NtGetContextThread 0xfffffffe: dr0=00000000 dr1=00000000
dr2=00000000 dr3=00000000 dr6=00000000 dr7=00000000
01b1:trace:seh:__regs_NtGetContextThread 0xfffffffe: dr0=00000000 dr1=00000000
dr2=00000000 dr3=00000000 dr6=00000000 dr7=00000000
01db:warn:process:SetProcessWorkingSetSize (0xffffffff,-1,-1): stub - harmless
01de:trace:seh:__regs_NtGetContextThread 0xfffffffe: dr0=00000000 dr1=00000000
dr2=00000000 dr3=00000000 dr6=00000000 dr7=00000000
--- snip ---
TFFT v1.15 doesn't crash with Wine 3.12 for me but just exits after
considerable number of seconds (maybe because I run a no-PIC build by default).
Interestingly the author published a new version TFFT v1.16 which seems to run
fine for me (shows GUI).
--- quote ---
TFFT V1.16 released
posted 10 Jul 2018, 11:28 by Good old Zockinger
TFFT V1.16 contains a lot of bug fixes and brings improved ISP 8.x support
--- quote ---
Maybe some of the bugfixes are Windows compatibility issues. Things that just
worked by chance on certain Windows versions and the fixes helped Wine too.
It would be still interesting to figure out what makes FFT V1.15 unhappy with
Wine since it is reported to work on Windows. By chance or depending on some
internals/implementation details of Windows binaries/loader.
$ sha1sum TFFT11*
b0c1af725743ff48f7b37c8c6ce5e04443d85d2d TFFT115.ZIP
2c4660f0cbf6f65ce29724aac809fed746dec342 TFFT116.ZIP
$ du -sh TFFT11*
2.1M TFFT115.ZIP
2.2M TFFT116.ZIP
$ wine --version
wine-3.12-111-g8ae98cfdc3
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list