[Bug 44217] Designsoft Tina 11.2 Demo hangs while simulating some examples (Themida/WinLicense 2.2-2.4 software protection)

wine-bugs at winehq.org
Sat May 12 06:00:48 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=44217

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Designsoft Tina 11.2 Demo   |Designsoft Tina 11.2 Demo
                   |hangs while simulating some |hangs while simulating some
                   |examples                    |examples
                   |                            |(Themida/WinLicense 2.2-2.4
                   |                            |software protection)
                URL|                            |http://demo.designsoft.biz/
                   |                            |tina/Tina110en.exe
                 CC|                            |focht at gmx.net
           Keywords|                            |download, obfuscation

--- Comment #6 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

that app is protected with the Themida/WinLicense software protection scheme,
which is likely the culprit here.

ProtectionID scan:

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\Program Files (x86)\DesignSoft\Tina 11 - Demo\tina.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 9322968 (08E41D8h)
Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5A33EDE6 -> Fri 15th Dec 2017 15:44:38 (GMT)
[DigSig] ** ERROR ** -> digital signature does not seem to be valid (0x0 / 0)
(GLE: 0x80092009 / 2148081673)
[TimeStamp] 0x5A33EDE6 -> Fri 15th Dec 2017 15:44:38 (GMT) | PE Header | - |
Offset: 0x00000108 | VA: 0x00400108 | -
-> File Appears to be Digitally Signed @ Offset 08E2600h, size : 01BD8h / 07128
byte(s)
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset
0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558
(4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000001001100000100110111 (0x0004C137)
[Entrypoint Section Entropy] : 3.24 (section #5) "xwhdsibw" | Size : 0x200
(512) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 6 (0x6) | ImageSize 0x3292000 (53026816) byte(s)
[Export] 0% of function(s) (0 of 3) are in file | 0 are forwarded | 3 code | 0
data | 0 uninit data | 0 unknown | 
[VersionInfo] Company Name : DesignSoft
[VersionInfo] Product Name : Tina 11.0
[VersionInfo] Product Version : 11.0.0.0
[VersionInfo] File Description : Tina 11.0
[VersionInfo] File Version : 11.2.0.349DT-DS
[VersionInfo] Original FileName : tina.exe
[VersionInfo] Internal Name : Tina
[VersionInfo] Version Comments : 43084.6951398958
[VersionInfo] Legal Copyrights : DesignSoft 1993-2017
[ModuleReport] [IAT] Modules -> kernel32.dll | comctl32.dll
[!] Themida/Winlicense detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 60% probability
- Scan Took : 1.494 Second(s) [0000005E2h (1506) tick(s)] [506 of 580 scan(s)
done]
--- snip ---

It seems the vendor wiped/hid the exact Themida version, so all the tools
failed to determine the base version.

Using the "standard" Themida version search recipe, courtesy of:

https://github.com/dubuqingfeng/ollydbg-script/blob/master/Themida/detect%20Themida:WinLicense%20version(1.1.0.0%7E2.0.5.0%20dll%20supported).txt

One doesn't need that script, only the essence.
Wait for the first 'invalid instruction' exception in the debugger.

#457863657074696F6E20496E666F726D6174696F6E# -> "Exception Information"

search with pattern #000000000000000000000000000000000000# (pad)

--- snip ---
Address   Hex dump                                         ASCII
02C2D831  30 02 89 30|5E E9 1A D5|FF FF 52 89|34 24 89 EE| 
02C2D841  89 F2 E9 8C|D0 FF FF E9|70 01 00 00|04 00 00 00|
02C2D851  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00|
02C2D861  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00|
02C2D871  B4 0F 64 F7|8B 1F AC DC|96 02 70 F7|88 96 CC 91|
02C2D881  45 78 63 65|70 74 69 6F|6E 20 49 6E|66 6F 72 6D| Exception Inform
02C2D891  61 74 69 6F|6E 00 50 6C|65 61 73 65|2C 20 63 6F| ation Please, co
--- snip ---

The version area around 0x02C2D851 is zero-wiped.

The dll was built Fri 15th Dec 2017 and the Oreans Themida copyright string
says year 2012.

--- snip ---
0030:Call KERNEL32.OutputDebugStringA(02c4ed30
"\r\n\n\n%s------------------------------------------------\n\r---       
WinLicense Professional           ---\n\r---      (c)2012 Oreans Technologies  
      ---\n\r------------------------------------------------\r\n\n\n")
ret=02c50e9b
...
0030:Ret  KERNEL32.OutputDebugStringA() retval=00000000 ret=02c50e9b 
--- snip ---

https://www.oreans.com/ThemidaAllWhatsNew.php

The earliest 2012 release was: Themida [2.2.0.0] (20-Feb-2012)
The latest release before the dll build date: Themida [2.4.6.0] (17-Feb-2017)

Hard to tell from a quick glance as this version of Themida doesn't like relay
thunks. My bet would be on some exception trickery and/or partial thread context
modifications. There were some rewrites/improvements in this area in the past.
They also make use of a lot of anti-debugger watcher threads (findwindow,
remote attach, thread notification hooks), which introduce additional runtime
timing behaviour.

Does the app output something in the console when it hangs (or prior)?

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
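
Added example, not part of the original comment or of the OllyDbg script it links: a Python version of the check described in comment #6, run over the hex dump rows quoted there. It assumes the version area is the zero pad found within 0x40 bytes before the "Exception Information" marker; the function names and the window size are this example's own.

```python
import re

# Hex dump rows copied from the comment (OllyDbg layout, ASCII column dropped).
DUMP = """\
02C2D831  30 02 89 30|5E E9 1A D5|FF FF 52 89|34 24 89 EE|
02C2D841  89 F2 E9 8C|D0 FF FF E9|70 01 00 00|04 00 00 00|
02C2D851  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00|
02C2D861  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00|
02C2D871  B4 0F 64 F7|8B 1F AC DC|96 02 70 F7|88 96 CC 91|
02C2D881  45 78 63 65|70 74 69 6F|6E 20 49 6E|66 6F 72 6D|
02C2D891  61 74 69 6F|6E 00 50 6C|65 61 73 65|2C 20 63 6F|
"""
MARKER = bytes.fromhex("457863657074696F6E20496E666F726D6174696F6E")  # "Exception Information"
PAD = bytes(18)  # the 18 zero bytes of the recipe's pad pattern

def parse_dump(text):
    """Return (base_address, bytes) from contiguous 16-byte dump rows."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = re.match(r"([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}[ |]){16})", line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        if addr != base + len(data):
            raise ValueError(f"gap in dump at {addr:08X}")
        data += bytes.fromhex(m.group(2).replace("|", " "))
    return base, bytes(data)

def inspect_version_area(base, mem, window=0x40):
    """Report the zero run and any readable text just before the marker."""
    hit = mem.find(MARKER)
    if hit < 0:
        return None
    lo = max(0, hit - window)
    # A printable run of 4+ bytes here would be a surviving version string.
    report = {"marker": base + hit, "zero_start": None, "zero_len": 0,
              "strings": re.findall(rb"[\x20-\x7e]{4,}", mem[lo:hit])}
    pad = mem.rfind(PAD, lo, hit)
    if pad >= 0:
        first, last = pad, pad + len(PAD)
        while first > lo and mem[first - 1] == 0:   # widen to the full zero run
            first -= 1
        while last < hit and mem[last] == 0:
            last += 1
        report["zero_start"], report["zero_len"] = base + first, last - first
    return report

if __name__ == "__main__":
    print(inspect_version_area(*parse_dump(DUMP)))
```

On the quoted dump this reports the marker at 0x02C2D881, a zero run that covers 0x02C2D851, and no readable strings in the window, which matches the zero-wiped version area described in the comment.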