[Bug 47061] New: Multiple E-Banking applications by KOBIL Systems GmbH crash on startup or report 'Security issue code: 0x03938745 (60000069)' (MigrosBank EBanking 8.2.x, Sparda Bank SecureApp 1.x)

wine-bugs at winehq.org
Mon Apr 22 10:41:56 CDT 2019


https://bugs.winehq.org/show_bug.cgi?id=47061

            Bug ID: 47061
           Summary: Multiple E-Banking applications by KOBIL Systems GmbH
                    crash on startup or report 'Security issue code:
                    0x03938745 (60000069)' (MigrosBank EBanking 8.2.x,
                    Sparda Bank SecureApp 1.x)
           Product: Wine
           Version: 4.6
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: kernel32
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

continuation of bug 42391

Stable links for current installers:

Sparda Bank SecureApp:

https://web.archive.org/web/20190422125056/https://www.sparda.de/secureapp-pc/medien/spardasecureapp_p.exe

Corresponding VirusTotal scan:

https://www.virustotal.com/gui/file/444c501236d5704e43ff5238a03b2c66a08eeba046ac246613d605256f9d50db/details

---

MigrosBank EBanking app:

https://web.archive.org/web/20190422124354/https://download.migrosbank.ch/mid/MigrosBank-EBanking-Win-8.2.2205.exe

Corresponding VirusTotal scan:

https://www.virustotal.com/gui/file/9cd93cc70c6a8b24dbf47a3d20c9a1ed5f6341405b194eea008ded3e0b168b16/details

---

Trace log:

--- snip ---
$ pwd
/home/focht/.wine/drive_c/users/focht/Application Data/Sparda/AST-Client

$ WINEDEBUG=+seh,+relay wine ./SpardaSecureApp.exe >>log.txt 2>&1
...
003a:Ret  KERNEL32.__wine_kernel_init() retval=7b472944 ret=7bc668b7
...
003a:Call TLS callback (proc=0x20010530,module=0x20000000,reason=PROCESS_ATTACH,reserved=0)
003a:Call KERNEL32.VirtualAlloc(00000000,00000006,00003000,00000004) ret=2001256a
003a:Ret  KERNEL32.VirtualAlloc() retval=00340000 ret=2001256a
003a:Call KERNEL32.VirtualAlloc(00000000,00000017,00003000,00000004) ret=2001258d
003a:Ret  KERNEL32.VirtualAlloc() retval=00350000 ret=2001258d
003a:Call KERNEL32.GetModuleHandleA(00340000 "ntdll") ret=20012652
003a:Ret  KERNEL32.GetModuleHandleA() retval=7bc10000 ret=20012652
003a:Call KERNEL32.GetProcAddress(7bc10000,00350000 "NtSetInformationThread") ret=20012659
003a:Ret  KERNEL32.GetProcAddress() retval=7bc24870 ret=20012659
003a:Call KERNEL32.VirtualFree(00340000,00000000,00008000) ret=2001266a
003a:Ret  KERNEL32.VirtualFree() retval=00000001 ret=2001266a
003a:Call KERNEL32.VirtualFree(00350000,00000000,00008000) ret=20012688
003a:Ret  KERNEL32.VirtualFree() retval=00000001 ret=20012688
003a:Call ntdll.NtSetInformationThread(fffffffe,00000011,00000000,00000000) ret=200126c8
003a:Ret  ntdll.NtSetInformationThread() retval=00000000 ret=200126c8
003a:Call ntdll.NtReadVirtualMemory(ffffffff,20000028,0033e434,00000002,0033e42c) ret=2001277b
003a:Ret  ntdll.NtReadVirtualMemory() retval=00000000 ret=2001277b
...
003a:Call KERNEL32.VirtualProtect(1ffb0000,00000005,00000020,0033e384) ret=20014840
003a:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=20014840
003a:Call KERNEL32.VirtualProtect(1ffa0000,0000000a,00000020,0033e380) ret=2001484f
003a:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=2001484f
003a:Call KERNEL32.FlushInstructionCache(ffffffff,1ffa0000,0000000a) ret=20014860
003a:Ret  KERNEL32.FlushInstructionCache() retval=00000001 ret=20014860
003a:Call KERNEL32.VirtualProtect(7bc206ac,00000005,00000040,0033e40c) ret=20014997
003a:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=20014997
003a:Call ntdll.RtlMoveMemory(7bc206ac,00360021,00000005) ret=200149a4
003a:Ret  ntdll.RtlMoveMemory() retval=7bc206ac ret=200149a4
003a:Call KERNEL32.VirtualProtect(7bc206ac,00000005,00000020,0033e40c) ret=200149b4
003a:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=200149b4
003a:Call KERNEL32.FlushInstructionCache(ffffffff,7bc206ac,00000005) ret=200149c4
003a:Ret  KERNEL32.FlushInstructionCache() retval=00000001 ret=200149c4
003a:Call ntdll.LdrRegisterDllNotification(00000000,20010d80,00000000,20076e5c) ret=2001116a
003a:Ret  ntdll.LdrRegisterDllNotification() retval=00000000 ret=2001116a
003a:Call KERNEL32.TlsAlloc() ret=200111dc
003a:Ret  KERNEL32.TlsAlloc() retval=00000002 ret=200111dc
003a:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004) ret=20011217
003a:Ret  KERNEL32.VirtualAlloc() retval=00370000 ret=20011217
003a:Call KERNEL32.VirtualFree(00370000,00000000,00008000) ret=2001129d
003a:Ret  KERNEL32.VirtualFree() retval=00000001 ret=2001129d
003a:Call KERNEL32.VirtualAlloc(00000000,00000030,00001000,00000004) ret=20014b0b
003a:Ret  KERNEL32.VirtualAlloc() retval=00370000 ret=20014b0b
003a:Call KERNEL32.VirtualFree(00370000,00000000,00008000) ret=20014ab4
003a:Ret  KERNEL32.VirtualFree() retval=00000001 ret=20014ab4
003a:Call KERNEL32.GetProcAddress(7bc10000,2006cc74 "_snwprintf") ret=200136f7
003a:Ret  KERNEL32.GetProcAddress() retval=7bc78380 ret=200136f7
003a:Call KERNEL32.GetProcAddress(7b420000,2006cd44 "FatalAppExitW") ret=2001374a
003a:Ret  KERNEL32.GetProcAddress() retval=7b42575c ret=2001374a
003a:Call KERNEL32.GetModuleHandleW(00000000) ret=2000a477
003a:Ret  KERNEL32.GetModuleHandleW() retval=20000000 ret=2000a477
003a:Call KERNEL32.ReadProcessMemory(ffffffff,2000002e,0033dfa8,00000004,0033dfa4) ret=2000a49d
003a:Ret  KERNEL32.ReadProcessMemory() retval=00000001 ret=2000a49d
003a:Call KERNEL32.GetModuleHandleW(00000000) ret=2000a4ba
003a:Ret  KERNEL32.GetModuleHandleW() retval=20000000 ret=2000a4ba
003a:Call KERNEL32.ReadProcessMemory(ffffffff,20000024,0033dfa4,00000004,0033dfa0) ret=2000a4d4
003a:Ret  KERNEL32.ReadProcessMemory() retval=00000001 ret=2000a4d4
003a:Call KERNEL32.ReadProcessMemory(ffffffff,0000002e,0033dfa8,00000004,0033dfa0) ret=2000a4f5
003a:Ret  KERNEL32.ReadProcessMemory() retval=00000000 ret=2000a4f5
003a:Call KERNEL32.VirtualAlloc(00000000,00000064,00001000,00000004) ret=2001376f
003a:Ret  KERNEL32.VirtualAlloc() retval=00370000 ret=2001376f
003a:Call KERNEL32.FatalAppExitW(00000000,0033dfc8 L"Security issue code: 0x03938745 (60000069)") ret=2001379b
003a:warn:seh:FatalAppExitW AppExit
003a:err:seh:FatalAppExitW L"Security issue code: 0x03938745 (60000069)"
...
--- snip ---

The protection code doesn't use the Win32 API to resolve functions, hence one needs
to debug here.

--- snip ---
...
20011276 | E8 9592FFFF   | call spardasecureapp.2000A510   | find kernel32.dll
2001127B | A3 EC6D0720   | mov dword ptr ds:[20076DEC],eax | via PEB_LDR_DATA
20011280 | 8B55 FC       | mov edx,dword ptr ss:[ebp-4]    | "LoadAppInitDlls"
20011283 | 8BC8          | mov ecx,eax                     |
20011285 | E8 E694FFFF   | call spardasecureapp.2000A770   | resolve API
2001128A | 68 00800000   | push 8000                       |
2001128F | 6A 00         | push 0                          |
20011291 | 57            | push edi                        |
20011292 | A3 AC6E0720   | mov dword ptr ds:[20076EAC],eax |
20011297 | FF15 CCD00420 | call dword ptr ds:[2004D0CC]    | VirtualFree()
2001129D | 6A 01         | push 1                          |
...
--- snip ---

-> it wants 'kernel32.LoadAppInitDlls'

Bunch of APIs it wants to resolve and hook:

--- snip ---
...
00360000  4B 69 55 73 65 72 41 70 63 44 69 73 70 61 74 63  KiUserApcDispatc
00360010  68 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00  her.............
00360020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00360030  00 00 4E 74 43 6F 6E 74 69 6E 75 65 00 00 00 00  ..NtContinue....
00360040  00 00 00 00 00 00 00 00 00 00 00 00 4C 64 72 4C  ............LdrL
00360050  6F 61 64 44 6C 6C 00 00 00 00 00 00 00 00 00 00  oadDll..........
00360060  00 00 00 00 00 00 52 74 6C 4E 74 53 74 61 74 75  ......RtlNtStatu
00360070  73 54 6F 44 6F 73 45 72 72 6F 72 00 00 00 00 00  sToDosError.....
00360080  00 00 00 00 00 00 00 4C 6F 61 64 41 70 70 49 6E  .......LoadAppIn
00360090  69 74 44 6C 6C 73 00 00 00 00 00 00 00 00 00 00  itDlls..........
003600A0  00 00 00 00 00 00 00 00 00 00 00 00 00 4C 64 72  .............Ldr
003600B0  52 65 67 69 73 74 65 72 44 6C 6C 4E 6F 74 69 66  RegisterDllNotif
003600C0  69 63 61 74 69 6F 6E 00 00 00 00 00 00 00 00 00  ication.........
003600D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
003600E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C 64  ..............Ld
003600F0  72 55 6E 72 65 67 69 73 74 65 72 44 6C 6C 4E 6F  rUnregisterDllNo
00360100  74 69 66 69 63 61 74 69 6F 6E 00 00 00 00 00 00  tification......
00360110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
...
--- snip ---
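The following is an added analysis helper, not code from the bug report, from Wine or from KOBIL. It re-parses a +relay excerpt of the kind shown above (wrapped lines joined so each Call/Ret sits on one line) together with the hex-dumped name table, and reports, for every name the protector wants, whether it surfaced in a visible GetProcAddress lookup, was called without one (i.e. resolved by hand from the export table, which is what the report observes), or never appeared at all. The sample trace is copied from the report's own lines, with the two `ExampleMissingExport` lines constructed here only to exercise the NULL-return check; `parse_relay`, `hexdump_strings` and `classify_wanted` are names chosen for this example.

```python
import re

# Shapes of WINEDEBUG=+relay lines once wrapped lines are re-joined, e.g.
#   003a:Call KERNEL32.GetProcAddress(7bc10000,00350000 "NtSetInformationThread") ret=20012659
#   003a:Ret  KERNEL32.GetProcAddress() retval=7bc24870 ret=20012659
CALL_RE = re.compile(r'^([0-9a-f]+):Call (\S+?)\((.*)\) ret=([0-9a-f]+)$')
RET_RE = re.compile(r'^([0-9a-f]+):Ret\s+(\S+?)\(\) retval=([0-9a-f]+) ret=([0-9a-f]+)$')
QUOTED_RE = re.compile(r'L?"([^"]*)"')  # ANSI or wide string argument


def parse_relay(text):
    """Collect module handles, GetProcAddress results, NULL lookups, every API
    the process called through the relay, and FatalAppExitW messages."""
    modules, pending, lookups, unresolved, called, fatal = {}, {}, [], [], set(), []
    for line in text.splitlines():
        line = line.rstrip()
        m = CALL_RE.match(line)
        if m:
            tid, func, args, ret = m.groups()
            called.add(func.split('.')[-1])
            pending[(tid, func, ret)] = args       # wait for the matching Ret
            if func.endswith('FatalAppExitW'):     # process dies here, no Ret follows
                q = QUOTED_RE.search(args)
                fatal.append(q.group(1) if q else args)
            continue
        m = RET_RE.match(line)
        if not m:
            continue
        tid, func, retval, ret = m.groups()
        args = pending.pop((tid, func, ret), None)
        if args is None:
            continue
        base = func.split('.')[-1]
        if base.startswith('GetModuleHandle'):
            q = QUOTED_RE.search(args)
            if q and retval != '00000000':
                modules[retval] = q.group(1).lower()
        elif base == 'GetProcAddress':
            handle, rest = args.split(',', 1)
            q = QUOTED_RE.search(rest)
            export = q.group(1) if q else 'ordinal ' + rest.strip()
            module = modules.get(handle, handle)   # fall back to the raw handle
            lookups.append((module, export, retval))
            if retval == '00000000':
                unresolved.append((module, export))
    return {'modules': modules, 'lookups': lookups, 'unresolved': unresolved,
            'called': called, 'fatal': fatal}


def hexdump_strings(dump, min_len=4):
    """Recover NUL-separated ASCII names from 'offset  16 hex bytes  ascii' lines."""
    data = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) >= 17:
            data += bytes.fromhex(''.join(tokens[1:17]))
    return [chunk.decode('ascii') for chunk in bytes(data).split(b'\x00')
            if len(chunk) >= min_len and all(0x20 <= b < 0x7f for b in chunk)]


def classify_wanted(names, relay):
    """'GetProcAddress' = visible lookup, 'called-only' = used without a visible
    lookup (resolved by hand from the export table), 'absent' = never seen."""
    resolved = {export for _, export, _ in relay['lookups']}
    return {n: 'GetProcAddress' if n in resolved
            else 'called-only' if n in relay['called'] else 'absent'
            for n in names}


# Sample trace: lines from the report, plus two constructed ExampleMissingExport lines.
SAMPLE_TRACE = """\
003a:Call KERNEL32.GetModuleHandleA(00340000 "ntdll") ret=20012652
003a:Ret  KERNEL32.GetModuleHandleA() retval=7bc10000 ret=20012652
003a:Call KERNEL32.GetProcAddress(7bc10000,00350000 "NtSetInformationThread") ret=20012659
003a:Ret  KERNEL32.GetProcAddress() retval=7bc24870 ret=20012659
003a:Call ntdll.NtSetInformationThread(fffffffe,00000011,00000000,00000000) ret=200126c8
003a:Ret  ntdll.NtSetInformationThread() retval=00000000 ret=200126c8
003a:Call ntdll.LdrRegisterDllNotification(00000000,20010d80,00000000,20076e5c) ret=2001116a
003a:Ret  ntdll.LdrRegisterDllNotification() retval=00000000 ret=2001116a
003a:Call KERNEL32.GetProcAddress(7b420000,2006cd44 "FatalAppExitW") ret=2001374a
003a:Ret  KERNEL32.GetProcAddress() retval=7b42575c ret=2001374a
003a:Call KERNEL32.GetProcAddress(7b420000,2006cd44 "ExampleMissingExport") ret=20013700
003a:Ret  KERNEL32.GetProcAddress() retval=00000000 ret=20013700
003a:Call KERNEL32.FatalAppExitW(00000000,0033dfc8 L"Security issue code: 0x03938745 (60000069)") ret=2001379b
"""

# Sample dump: the report's name table (all-zero lines omitted; they add nothing).
SAMPLE_DUMP = """\
00360000  4B 69 55 73 65 72 41 70 63 44 69 73 70 61 74 63  KiUserApcDispatc
00360010  68 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00  her.............
00360030  00 00 4E 74 43 6F 6E 74 69 6E 75 65 00 00 00 00  ..NtContinue....
00360040  00 00 00 00 00 00 00 00 00 00 00 00 4C 64 72 4C  ............LdrL
00360050  6F 61 64 44 6C 6C 00 00 00 00 00 00 00 00 00 00  oadDll..........
00360060  00 00 00 00 00 00 52 74 6C 4E 74 53 74 61 74 75  ......RtlNtStatu
00360070  73 54 6F 44 6F 73 45 72 72 6F 72 00 00 00 00 00  sToDosError.....
00360080  00 00 00 00 00 00 00 4C 6F 61 64 41 70 70 49 6E  .......LoadAppIn
00360090  69 74 44 6C 6C 73 00 00 00 00 00 00 00 00 00 00  itDlls..........
003600A0  00 00 00 00 00 00 00 00 00 00 00 00 00 4C 64 72  .............Ldr
003600B0  52 65 67 69 73 74 65 72 44 6C 6C 4E 6F 74 69 66  RegisterDllNotif
003600C0  69 63 61 74 69 6F 6E 00 00 00 00 00 00 00 00 00  ication.........
003600E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C 64  ..............Ld
003600F0  72 55 6E 72 65 67 69 73 74 65 72 44 6C 6C 4E 6F  rUnregisterDllNo
00360100  74 69 66 69 63 61 74 69 6F 6E 00 00 00 00 00 00  tification......
"""

if __name__ == '__main__':
    relay = parse_relay(SAMPLE_TRACE)
    for name, how in classify_wanted(hexdump_strings(SAMPLE_DUMP), relay).items():
        print(f'{name:32s} {how}')
    print('NULL lookups:', relay['unresolved'], '| fatal:', relay['fatal'])
```

Run against the real log after joining the wrapped lines. `LdrRegisterDllNotification` comes back as `called-only` and `LoadAppInitDlls` as `absent`, which is exactly why the relay trace alone cannot show the missing export and a debugger breakpoint on the custom resolver is needed.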

Wine source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/kernel32/kernel32.spec#l1044

--- snip ---
1044 # @ stub LoadAppInitDlls
--- snip ---

With an empty stub added, the app successfully executes the TLS callback and
the real entry point is executed - only to run into the next problem ;-)

Tidbit: The 'AppInit_DLLs' feature is described here:

https://support.microsoft.com/en-us/help/197571/working-with-the-appinit-dlls-registry-value

That's another way of having dlls automatically injected into every process.
Most likely introduced by MS to support the malware industry ... j/k (or not?)
;-)

$ sha1sum spardasecureapp_p.exe 
d579216a3a61555c68a75636893216b8a4233737  spardasecureapp_p.exe

$ du -sh spardasecureapp_p.exe 
9.6M    spardasecureapp_p.exe

$ wine --version
wine-4.6-108-g9d7d68747b

Regards
