[Bug 43548] Enigma Protector 4.x-5.x protected apps crash on startup, native API sandbox scheme needs syscall thunks in ntdll.dll (Enigma Virtual Box 7.x)
WineHQ Bugzilla
wine-bugs at winehq.org
Sun Nov 10 04:54:18 CST 2019
https://bugs.winehq.org/show_bug.cgi?id=43548
Anastasius Focht <focht at gmx.net> changed:
           What    |Removed                                              |Added
----------------------------------------------------------------------------
          Component|-unknown                                             |ntdll
             Status|NEW                                                  |RESOLVED
                 CC|                                                     |focht at gmx.net
    Staged patchset|                                                     |https://github.com/wine-staging/wine-staging/tree/master/patches/winebuild-Fake_Dlls
         Resolution|---                                                  |DUPLICATE
            Summary|Enigma Virtual Box crashes on start (protected with  |Enigma Protector 4.x-5.x protected apps crash on startup,
                   |Enigma Protector)                                    |native API sandbox scheme needs syscall thunks in ntdll.dll
                   |                                                     |(Enigma Virtual Box 7.x)
                URL|http://enigmaprotector.com/assets/files/enigmavb.exe |https://web.archive.org/web/20170703085231/http://enigmaprotector.com/assets/files/enigmavb.exe
           Keywords|                                                     |obfuscation
--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

well, the protection/sandbox scheme hooks the native API and can't cope with Wine's standard API entry layout in ntdll.

Running with +relay works around it because there is enough padding with NOPs in the relay thunks.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/Enigma Virtual Box
$ WINEDEBUG=+seh,+server,+loaddll,+process,+ntdll wine ./enigmavb.exe >>log.txt 2>&1
...
0009: create_event( access=001f0003, manual_reset=0, initial_state=0, objattr={rootdir=0020,attributes=00000080,sd={},name=L"EVB_555FA5C66290D8E3_00000008"} )
0009: create_event() = 0 { handle=00d8 }
0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc97365 ip=7bc97365 tid=0009
0009:trace:seh:raise_exception info[0]=00000000
0009:trace:seh:raise_exception info[1]=ffffffff
0009:trace:seh:raise_exception eax=006fe10a ebx=0032fd01 ecx=0032fb88 edx=00020019 esi=0032fc10 edi=0032fc08
0009:trace:seh:raise_exception ebp=0032fbb8 esp=0032fb80 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0009:trace:seh:call_stack_handlers calling handler at 0xbb81c5 code=c0000005 flags=0
0009:trace:seh:call_stack_handlers handler at 0xbb81c5 returned 1
0009:trace:seh:call_stack_handlers calling handler at 0x6f026d code=c0000005 flags=0
0009:trace:seh:__regs_RtlUnwind code=c0000005 flags=2
0009:trace:seh:__regs_RtlUnwind eax=00000000 ebx=0032f7a0 ecx=7bc97365 edx=0032fe74 esi=0032f85c edi=0032fe74
0009:trace:seh:__regs_RtlUnwind ebp=0032f7b8 esp=0032f76c eip=0066f614 cs=0023 ds=002b fs=0063 gs=006b flags=00000246
0009:trace:seh:__regs_RtlUnwind calling handler at 0x7bcac5f0 code=c0000005 flags=2
0009:trace:seh:__regs_RtlUnwind handler at 0x7bcac5f0 returned 1
0009:trace:seh:__regs_RtlUnwind calling handler at 0xbb81c5 code=c0000005 flags=2
0009:trace:seh:__regs_RtlUnwind handler at 0x66f820 returned 1
0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc977c5 ip=7bc977c5 tid=0009
0009:trace:seh:raise_exception info[0]=00000000
0009:trace:seh:raise_exception info[1]=ffffffff
0009:trace:seh:raise_exception eax=006fe152 ebx=00000001 ecx=0032eb1c edx=00000002 esi=00000100 edi=0032ebbc
0009:trace:seh:raise_exception ebp=0032eb38 esp=0032eb10 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0009:trace:seh:call_stack_handlers calling handler at 0x66f640 code=c0000005 flags=0
0009:trace:seh:call_stack_handlers handler at 0x66f640 returned 1
0009:trace:seh:call_stack_handlers calling handler at 0x6f037a code=c0000005 flags=0
0009:trace:seh:call_stack_handlers handler at 0x6f037a returned 1
0009:trace:seh:call_stack_handlers calling handler at 0x7b483580 code=c0000005 flags=0
0009: create_event( access=001f0003, manual_reset=1, initial_state=0, objattr={rootdir=0000,attributes=00000002,sd={},name=L""} )
0009: create_event() = 0 { handle=00dc }
0009:trace:ntdll:pf_vsnprintf format is L"Unhandled page fault on %s access to %p"
0009:trace:ntdll:pf_vsnprintf format is L" at address %p"
0009:trace:ntdll:pf_vsnprintf format is L"wine: %s (thread %04x), starting debugger...\n"
--- snip ---
'ntdll.NtOpenKey':
--- snip ---
7BC97360 8D4C24 04 LEA ECX,[ESP+4]
7BC97364 83E4 F0 AND ESP,FFFFFFF0
7BC97367 FF71 FC PUSH DWORD PTR DS:[ECX-4]
7BC9736A 55 PUSH EBP
7BC9736B 89E5 MOV EBP,ESP
7BC9736D 51 PUSH ECX
7BC9736E 83EC 10 SUB ESP,10
7BC97371 8B01 MOV EAX,DWORD PTR DS:[ECX]
7BC97373 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
7BC97376 8B49 08 MOV ECX,DWORD PTR DS:[ECX+8]
7BC97379 6A 00 PUSH 0
7BC9737B E8 20FAFFFF CALL 7BC96DA0
7BC97380 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
7BC97383 C9 LEAVE
7BC97384 8D61 FC LEA ESP,[ECX-4]
7BC97387 C2 0C00 RETN 0C
--- snip ---
Hooked 'ntdll.NtOpenKey':
--- snip ---
7BC97360 E9 9FC9A384 JMP 006D3D04
7BC97365 E4 F0 IN AL,0F0
7BC97367 FF71 FC PUSH DWORD PTR DS:[ECX-4]
7BC9736A 55 PUSH EBP
--- snip ---
This is obviously not going to work.
Wine-Staging ntdll syscall thunk:
--- snip ---
7BC51560 B8 56000000 MOV EAX,56
7BC51565 64:FF15 C0000000 CALL DWORD PTR FS:[0C0]
7BC5156C C2 0C00 RETN 0C
--- snip ---
Resolving as dupe of bug 21232
$ sha1sum enigmavb.exe
c968a2344bfde24e2e12b3a3b435b5a15dd634c3 enigmavb.exe
$ du -sh enigmavb.exe
7.5M enigmavb.exe
$ wine-4.19-182-g070cfc358c
Regards
*** This bug has been marked as a duplicate of bug 21232 ***
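The comment above shows the mechanism of the crash in two disassembly listings but does not spell out the arithmetic. The following script is an added illustration (not Wine, Wine-Staging or Enigma code): it transcribes the bytes of the two listings quoted in the comment, walks their instruction boundaries with a small x86-32 length decoder that knows only the opcodes occurring in those listings, and reports what an inline patch of five bytes (the E9 rel32 JMP visible in the hooked listing) does to each entry point. For Wine's NtOpenKey the first boundary past offset 5 is at 7, so the patch ends in the middle of AND ESP,FFFFFFF0 and the leftover bytes E4 F0 decode as IN AL,0F0, the instruction at 7BC97365 where the log records the c0000005 fault; for the Wine-Staging syscall thunk the boundary sits exactly at 5 because MOV EAX,56 is a five-byte instruction. The byte strings and the decoder's opcode subset are this example's own assumptions.

```python
"""Why a 5-byte inline patch tears Wine's NtOpenKey prologue but fits the
Wine-Staging syscall thunk.  Added illustration for the analysis in this bug
comment; not Wine, Wine-Staging or Enigma code.  The byte sequences are
transcribed from the two listings quoted in the comment, and the decoder
understands only the opcodes that occur there (it raises on anything else)."""

# Transcribed from the "'ntdll.NtOpenKey'" listing (entry at 7BC97360).
WINE_NTOPENKEY = bytes.fromhex(
    "8D4C2404"    # LEA ECX,[ESP+4]
    "83E4F0"      # AND ESP,FFFFFFF0
    "FF71FC"      # PUSH DWORD PTR DS:[ECX-4]
    "55"          # PUSH EBP
    "89E5"        # MOV EBP,ESP
    "51"          # PUSH ECX
    "83EC10"      # SUB ESP,10
    "8B01"        # MOV EAX,DWORD PTR DS:[ECX]
    "8B5104"      # MOV EDX,DWORD PTR DS:[ECX+4]
    "8B4908"      # MOV ECX,DWORD PTR DS:[ECX+8]
    "6A00"        # PUSH 0
    "E820FAFFFF"  # CALL 7BC96DA0
    "8B4DFC"      # MOV ECX,DWORD PTR SS:[EBP-4]
    "C9"          # LEAVE
    "8D61FC"      # LEA ESP,[ECX-4]
    "C20C00"      # RETN 0C
)

# Transcribed from the "Wine-Staging ntdll syscall thunk" listing.
STAGING_SYSCALL_THUNK = bytes.fromhex(
    "B856000000"      # MOV EAX,56
    "64FF15C0000000"  # CALL DWORD PTR FS:[0C0]
    "C20C00"          # RETN 0C
)

JMP_REL32_LEN = 5  # E9 + 4-byte displacement, as in the hooked listing

# Mnemonics for display only; the decoder below works on opcode bytes.
_NAMES = {0x8D: "LEA", 0x83: "grp1 r/m32,imm8", 0xFF: "grp5", 0x89: "MOV",
          0x8B: "MOV", 0x6A: "PUSH imm8", 0xE8: "CALL", 0xE9: "JMP",
          0xC9: "LEAVE", 0xC2: "RETN imm16", 0xE4: "IN AL,imm8"}


def _modrm_len(code, off):
    """Length of the ModRM byte at code[off] plus any SIB/displacement."""
    modrm = code[off]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod != 3 and rm == 4:                      # SIB byte present
        n += 1
        if mod == 0 and (code[off + 1] & 7) == 5:  # SIB with no base: disp32
            n += 4
    elif mod == 0 and rm == 5:                    # [disp32]
        n += 4
    if mod == 1:
        n += 1                                    # disp8
    elif mod == 2:
        n += 4                                    # disp32
    return n


def insn_len(code, off):
    """Length of the x86-32 instruction at code[off]; subset decoder only."""
    op = code[off]
    if op == 0x64:                                # FS segment prefix
        return 1 + insn_len(code, off + 1)
    if 0x50 <= op <= 0x5F or op == 0xC9:          # PUSH/POP r32, LEAVE
        return 1
    if 0xB8 <= op <= 0xBF or op in (0xE8, 0xE9):  # MOV r32,imm32 / CALL / JMP rel32
        return 5
    if op in (0x6A, 0xE4):                        # PUSH imm8, IN AL,imm8
        return 2
    if op == 0xC2:                                # RETN imm16
        return 3
    if op in (0x8D, 0x89, 0x8B, 0xFF):            # ModRM-only forms
        return 1 + _modrm_len(code, off + 1)
    if op == 0x83:                                # ModRM + imm8
        return 1 + _modrm_len(code, off + 1) + 1
    raise ValueError(f"opcode {op:02X} at +{off} is outside this toy decoder")


def boundaries(code):
    """Offsets at which instructions start, walking from 0 to the end."""
    offs, off = [], 0
    while off < len(code):
        offs.append(off)
        off += insn_len(code, off)
    return offs


def patch_report(code, patch_len=JMP_REL32_LEN):
    """Return (clean, torn_bytes) for an inline patch of patch_len bytes.

    clean is True when an instruction boundary falls exactly at patch_len, so
    the displaced instructions could be relocated whole.  Otherwise torn_bytes
    is the tail of the instruction straddling the patch end, which the CPU
    will decode as whatever it happens to resemble."""
    offs = boundaries(code)
    if patch_len in offs:
        return True, b""
    start = max(o for o in offs if o < patch_len)
    return False, code[patch_len:start + insn_len(code, start)]


if __name__ == "__main__":
    for name, code in (("Wine ntdll.NtOpenKey", WINE_NTOPENKEY),
                       ("Wine-Staging syscall thunk", STAGING_SYSCALL_THUNK)):
        clean, torn = patch_report(code)
        print(f"{name}: instruction boundaries {boundaries(code)}")
        if clean:
            print("  5-byte patch ends on an instruction boundary")
        else:
            print(f"  5-byte patch tears an instruction; leftover "
                  f"{torn.hex().upper()} decodes as {_NAMES.get(torn[0], '??')}")
```

Running it prints boundaries [0, 4, 7, ...] for the Wine entry and [0, 5, 12] for the staging thunk, which is the whole reason the staged winebuild-Fake_Dlls patchset (and the NOP-padded +relay thunks) make the application start. The same boundary check is useful on the defensive side: when a crash lands a few bytes into an exported function whose first bytes now begin with E9, comparing the fault address against the function's instruction boundaries quickly tells whether a third-party inline patch tore an instruction, as it did here.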