[Bug 43366] Harry Potter: Quidditch World Cup crashes at startup (SafeDisc v2.90.40)

WineHQ Bugzilla wine-bugs at winehq.org
Mon Dec 30 18:40:05 CST 2019 

https://bugs.winehq.org/show_bug.cgi?id=43366

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
         Resolution|---                         |FIXED
            Summary|Harry Potter: Quidditch     |Harry Potter: Quidditch
                   |World Cup crashes at        |World Cup crashes at
                   |startup                     |startup (SafeDisc v2.90.40)
             Status|UNCONFIRMED                 |RESOLVED
           Keywords|                            |obfuscation

--- Comment #9 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

resolving 'fixed' based on last comment, thanks Oleg!

But sadly, I don't have the original media to play with to check which commit
fixed it (also if this is a dupe of existing SafeDisc bugs). I found a
distributed "backup" but that one has the main executable 'QWC.exe' already
"no-cd fixed" with no original/backup.

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...

Scanning -> Z:\home\focht\Downloads\hp\DrvMgt.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 41472 (0A200h) Byte(s)
| Machine: 0x14C (I386)
Compilation TimeStamp : 0x3E4CB773 -> Fri 14th Feb 2003 09:31:31 (GMT)
[TimeStamp] 0x3E4CB773 -> Fri 14th Feb 2003 09:31:31 (GMT) | PE Header | - |
Offset: 0x000000E0 | VA: 0x100000E0 | -
[TimeStamp] 0x3E4CB773 -> Fri 14th Feb 2003 09:31:31 (GMT) | Export | - |
Offset: 0x00006694 | VA: 0x10007E94 | -
[File Heuristics] -> Flag #1 : 00000000000001001100000100000000 (0x0004C100)
[Entrypoint Section Entropy] : 6.65 (section #0) ".text   " | Size : 0x524A
(21066) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 4 (0x4) | ImageSize 0xD000 (53248) byte(s)
[Export] 100% of function(s) (3 of 3) are in file | 0 are forwarded | 3 code |
0 data | 0 uninit data | 0 unknown | 
[ModuleReport] [IAT] Modules -> KERNEL32.dll | USER32.dll | ADVAPI32.dll
[!] Safedisc driver managment dll (drvmgt.dll) detected!
[CompilerDetect] -> Visual C++ 6.0
- Scan Took : 0.166 Second(s) [0000000A6h (166) tick(s)] [246 of 580 scan(s)
done]

Scanning -> Z:\home\focht\Downloads\hp\QWC.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 2588672 (0278000h)
Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x3F832428 -> Tue 07th Oct 2003 20:38:00 (GMT)
[TimeStamp] 0x3F832428 -> Tue 07th Oct 2003 20:38:00 (GMT) | PE Header | - |
Offset: 0x00000120 | VA: 0x00400120 | -
[File Heuristics] -> Flag #1 : 00000000000000100100000000000000 (0x00024000)
[Entrypoint Section Entropy] : 6.63 (section #0) ".text   " | Size : 0x198F68
(1675112) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 6 (0x6) | ImageSize 0xC7E086 (13099142) byte(s)
[ModuleReport] [IAT] Modules -> DINPUT8.dll | WINMM.dll | d3d8.dll | DSOUND.dll
| KERNEL32.dll | USER32.dll | GDI32.dll | ADVAPI32.dll | SHELL32.dll
<scene signature here>
[CdKeySerial] found "Invalid code" @ VA: 0x0019D5F0 / Offset: 0x0019D5F0
[CdKeySerial] found "Unregistered" @ VA: 0x001A96F1 / Offset: 0x001A96F1
[CompilerDetect] -> Visual C++ 7.0 (Visual Studio 2002)
- Scan Took : 0.629 Second(s) [000000275h (629) tick(s)] [506 of 580 scan(s)
done]

Scanning -> Z:\home\focht\Downloads\hp\SECDRV.SYS
File Type : 32-Bit Driver (good checksum) (Subsystem : Native / 1), Size :
12400 (03070h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x3DD38E7E -> Thu 14th Nov 2002 11:52:30 (GMT)
[TimeStamp] 0x3DD38E7E -> Thu 14th Nov 2002 11:52:30 (GMT) | PE Header | - |
Offset: 0x000000B8 | VA: 0x000100B8 | -
[TimeStamp] 0x3DD38E7E -> Thu 14th Nov 2002 11:52:30 (GMT) | DebugDirectory | -
| Offset: 0x000002C4 | VA: 0x000102C4 | -
[TimeStamp] 0x3DD38E7E -> Thu 14th Nov 2002 11:52:30 (GMT) | DebugDirectory | -
| Offset: 0x000002E0 | VA: 0x000102E0 | -
-> File has 1264 (04F0h) bytes of appended data starting at offset 02B80h
[File Heuristics] -> Flag #1 : 00000100000000000000000000000111 (0x04000007)
[Entrypoint Section Entropy] : 5.34 (section #2) "INIT    " | Size : 0x1F2
(498) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 5 (0x5) | ImageSize 0x2B80 (11136) byte(s)
[VersionInfo] Company Name : Macrovision Europe Ltd
[VersionInfo] Product Name : Security Windows NT
[VersionInfo] Product Version : 3.18.000 Windows NT 2002/11/14
[VersionInfo] File Description : Macrovision SECURITY Driver
[VersionInfo] File Version : 3.18.000
[VersionInfo] Original FileName : SECDRV.SYS
[VersionInfo] Internal Name : SECDRV
[VersionInfo] Version Comments : StringFileInfo: U.S. English
[VersionInfo] Legal Copyrights : Copyright (c) 1998-2002 Macrovision Corp.
[ModuleReport] [IAT] Modules -> ntoskrnl.exe
[Debug Info] (record 1 of 2) (file offset 0x2C0)
Characteristics : 0x0 | TimeDateStamp : 0x3DD38E7E (Thu 14th Nov 2002 11:52:30
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 4 (0x4) -> Misc | Size : 0x110 (272) 
AddressOfRawData : 0x0 | PointerToRawData : 0x2B80
[Debug Info] (record 2 of 2) (file offset 0x2DC)
Characteristics : 0x0 | TimeDateStamp : 0x3DD38E7E (Thu 14th Nov 2002 11:52:30
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 3 (0x3) -> FPO | Size : 0x3E0 (992) 
AddressOfRawData : 0x0 | PointerToRawData : 0x2C90
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.197 Second(s) [0000000C5h (197) tick(s)] [135 of 580 scan(s)
done]
--- snip ---

There is a distinct signature in the main executable when being protected with
SafeDisc v2. It can be used to determine the exact version. The 'secdrv.sys'
driver version can't be reliably used for this.

--- snip ---
$ ll
total 3172
-rw-rw-r--.  1 focht focht   60118 Oct  7  2003 00000000.016
-rw-rw-r--.  1 focht focht  121080 Oct  7  2003 00000000.256
drwxrwxr-x.  7 focht focht    4096 Sep 16  2018 Audio
-rw-rw-r--.  1 focht focht   10784 Oct  8  2003 datastr.ccd
-rw-rw-r--.  1 focht focht   41472 Oct  7  2003 DrvMgt.dll
-rw-rw-r--.  1 focht focht  290816 Oct  8  2003 eauninstall.exe
-rw-rw-r--.  1 focht focht   17532 Feb 15  2009 filelist.txt
drwxrwxr-x. 19 focht focht    4096 Sep 30  2015 frontend
drwxrwxr-x.  2 focht focht    4096 Sep 30  2015 language
-rw-rw-r--.  1 focht focht   19199 Oct  8  2003 language.ccd
drwxrwxr-x.  2 focht focht    4096 Sep 30  2015 Locale
drwxrwxr-x.  2 focht focht    4096 Sep 30  2015 match
drwxrwxr-x. 11 focht focht    4096 Sep 30  2015 movies
-rw-rw-r--.  1 focht focht 2588672 Nov 16  2003 QWC.exe
-rw-rw-r--.  1 focht focht   25214 Jul  4  2003 qwc.ico
drwxrwxr-x.  7 focht focht    4096 Sep 30  2015 root
-rw-rw-r--.  1 focht focht   12400 Oct  7  2003 SECDRV.SYS
drwxrwxr-x. 27 focht focht    4096 Sep 30  2015 stadium
drwxrwxr-x.  2 focht focht    4096 Sep 30  2015 Support
drwxrwxr-x. 16 focht focht    4096 Sep 30  2015 teams
--- snip ---

--- snip ---
$ xxd -g 4 QWC.exe | grep "BoG_" -A 2

00000fd0: 00000000 426f475f 202a3930 2e302621  ....BoG_ *90.0&!
00000fe0: 21202059 793e0000 00000000 00000000  !  Yy>..........
00000ff0: 00000000 02000000 5a000000 28000000  ........Z...(...
--- snip ---

The three dwords for version are zero after the pattern, hence the next three
dwords have to be used.

0x00000002,0x0000005a,0x00000028 = SafeDisc v2.90.40

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list