[Bug 44040] Video Win Movie Maker 2016 (Win32/Hoax.MovieMaker) crashes on startup

WineHQ Bugzilla wine-bugs at winehq.org
Tue Dec 29 04:45:16 CST 2020


https://bugs.winehq.org/show_bug.cgi?id=44040

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
                URL|http://www.windows-movie-ma |https://web.archive.org/web
                   |ker.org/download/windows-mo |/20170220224238/http://www.
                   |vie-maker-2016-full.exe     |windows-movie-maker.org/dow
                   |                            |nload/windows-movie-maker-2
                   |                            |016-full.exe
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED
            Summary|Win Movie Maker crashes.    |Video Win Movie Maker 2016
                   |                            |(Win32/Hoax.MovieMaker)
                   |                            |crashes on startup

--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

adding stable download link via Internet Archive (old one was already broken):

https://web.archive.org/web/20170220224238/http://www.windows-movie-maker.org/download/windows-movie-maker-2016-full.exe

I had a look at this. The first thing that made me suspicious was that the
installer contains a fully repackaged Microsoft Movie Maker 2012 build
16.4.3528.0331 and some dependencies (VC++ runtimes etc.). Additionally a VB6
(*eeek*) app which is supposedly the "main" app.

Microsoft usually doesn't permit such repackaging/rebundling of their software.

The website 'www.windows-movie-maker.org' existed for a few years:

https://web.archive.org/web/*/http://www.windows-movie-maker.org/windows-movie-maker.html

https://web.archive.org/web/20111228111943/http://www.windows-movie-maker.org/

--- quote ---
Windows-Movie-Maker.org is the Official Site to download Windows Movie Maker
for XP, Vista, Windows 7. Test Compatible for Windows XP, Vista, 7. 
--- quote ---

It now exists as:

https://www.topwin-movie-maker.com/
https://www.videowinsoft.com/about.html

It gets even better. With further research I found this:

https://www.welivesecurity.com/2017/11/09/eset-detected-windows-movie-maker-scam-2017/

Well ... as I suspected. Always be curious about things ;-)

Scan of installer:

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> Z:\home\focht\Downloads\windows-movie-maker-2016-full.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 26703372 (0197760Ch)
Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x2A425E19 -> Fri 19th Jun 1992 22:22:17 (GMT)
[TimeStamp] 0x2A425E19 -> Fri 19th Jun 1992 22:22:17 (GMT) | PE Header | - |
Offset: 0x00000108 | VA: 0x00400108 | -
-> File has 26625548 (0196460Ch) bytes of appended data starting at offset
013000h
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset
0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558
(4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000001001100000000100100 (0x0004C024)
[Entrypoint Section Entropy] : 6.65 (section #0) "CODE    " | Size : 0x9D30
(40240) byte(s)
[DllCharacteristics] -> Flag : (0x8000) -> TSA
[SectionCount] 8 (0x8) | ImageSize 0x19000 (102400) byte(s)
[VersionInfo] Company Name : videowinsoft.com                                   
[VersionInfo] Product Name : Video Win Movie Maker                              
[VersionInfo] File Description : Video Win Movie Maker Setup                    
[VersionInfo] Version Comments : This installation was built with Inno Setup.
[ModuleReport] [IAT] Modules -> kernel32.dll | user32.dll | oleaut32.dll |
advapi32.dll | kernel32.dll | user32.dll | comctl32.dll | advapi32.dll
[-= Installer =-] Inno Setup v5.5.6 Module
[CompilerDetect] -> Borland Delphi (unknown version) - 40% probability
- Scan Took : 0.245 Second(s) [0000000F5h (245) tick(s)] [566 of 580 scan(s)
done]
--- snip ---

Scan of executable in question:

--- snip ---
Scanning -> C:\Program Files\Windows Live\Photo Gallery\MovieMaker.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 122048 (01DCC0h)
Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x533A401B -> Tue 01st Apr 2014 04:27:07 (GMT)
[TimeStamp] 0x533A401B -> Tue 01st Apr 2014 04:27:07 (GMT) | PE Header | - |
Offset: 0x000000F8 | VA: 0x004000F8 | -
[TimeStamp] 0x533A401B -> Tue 01st Apr 2014 04:27:07 (GMT) | DebugDirectory | -
| Offset: 0x000004E4 | VA: 0x004010E4 | -
[TimeStamp] 0x533A401B -> Tue 01st Apr 2014 04:27:07 (GMT) | DebugDirectory | -
| Offset: 0x00000500 | VA: 0x00401100 | -
-> File Appears to be Digitally Signed @ Offset 019E00h, size : 03EC0h / 016064
byte(s)
[LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64)
[!] Executable uses SEH Tables (/SAFESEH) (1 calculated 1 recorded... 0 invalid
addresses) 
[LoadConfig] CodeIntegrity -> Flags 0x1 | Catalog 0x0 (0) | Catalog Offset
0x69766F4D | Reserved 0x6B614D65
[LoadConfig] GuardAddressTakenIatEntryTable 0x702E7265 | Count 0x6264 (25188)
[LoadConfig] GuardLongJumpTargetTable 0x0 | Count 0x0 (0)
[LoadConfig] HybridMetadataPointer 0x0 | DynamicValueRelocTable 0x0
[LoadConfig] FailFastIndirectProc 0x0 | FailFastPointer 0x0
[LoadConfig] UnknownZero1 0x0
[File Heuristics] -> Flag #1 : 00000100000001001101000000000100 (0x0404D004)
[Entrypoint Section Entropy] : 5.95 (section #0) ".text   " | Size : 0x12F0
(4848) byte(s)
[DllCharacteristics] -> Flag : (0x8140) -> ASLR | DEP | TSA
[SectionCount] 4 (0x4) | ImageSize 0x1D000 (118784) byte(s)
[VersionInfo] Company Name : Microsoft Corporation
[VersionInfo] Product Name : Movie Maker
[VersionInfo] Product Version : 16.4.3528.0331
[VersionInfo] File Description : Movie Maker
[VersionInfo] File Version : 16.4.3528.0331_ship.client.main.w5m4 (ship)
[VersionInfo] Original FileName : MovieMaker.EXE
[VersionInfo] Internal Name : Movie Maker
[VersionInfo] Legal Copyrights : © 2012 Microsoft Corporation. All rights
reserved.
[ModuleReport] [IAT] Modules -> KERNEL32.dll | MSVCR110.dll | WLXPhotoBase.dll
[ModuleReport] [DelayImport] Modules -> MovieMakerCore.dll
[Debug Info] (record 1 of 2) (file offset 0x4E0)
Characteristics : 0x0 | TimeDateStamp : 0x533A401B (Tue 01st Apr 2014 04:27:07
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x27 (39) 
AddressOfRawData : 0x1180 | PointerToRawData : 0x580
CvSig : 0x53445352 | SigGuid 47558454-9C62-4123-96E991A66E8F4D87
Age : 0x1 (1) | Pdb : MovieMaker.pdb
[Debug Info] (record 2 of 2) (file offset 0x4FC)
Characteristics : 0x0 | TimeDateStamp : 0x533A401B (Tue 01st Apr 2014 04:27:07
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 12 (0xC) -> Undocumented | Size : 0x10 (16) 
AddressOfRawData : 0x11E8 | PointerToRawData : 0x5E8
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.334 Second(s) [00000014Eh (334) tick(s)] [506 of 580 scan(s)
done]
--- snip ---

Scan of the main (VB6!) executable which obviously isn't of Microsoft origin:

--- snip ---
Scanning -> C:\Program Files\Windows Live\Photo Gallery\WinMovieMaker.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 307200 (04B000h)
Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x575FDD10 -> Tue 14th Jun 2016 10:31:44 (GMT)
[TimeStamp] 0x575FDD10 -> Tue 14th Jun 2016 10:31:44 (GMT) | PE Header | - |
Offset: 0x000000C0 | VA: 0x004000C0 | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset
0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558
(4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000000000000000000000000 (0x00000000)
[Entrypoint Section Entropy] : 7.25 (section #0) ".text   " | Size : 0x30BC0
(199616) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 3 (0x3) | ImageSize 0x4B000 (307200) byte(s)
[VersionInfo] Company Name : Windows-Movie-Maker.org
[VersionInfo] Product Name : vb6_program_loader
[VersionInfo] Product Version : 6.01
[VersionInfo] File Version : 6.01
[VersionInfo] Original FileName : WinMovieMaker.exe
[VersionInfo] Internal Name : WinMovieMaker
[ModuleReport] [IAT] Modules -> MSVBVM60.DLL
[CdKeySerial] found "Trial version" @ VA: 0x00003318 / Offset: 0x00003318
[CdKeySerial] found "Evaluation copy" @ VA: 0x0001A64E / Offset: 0x0001A64E
[CdKeySerial] found "Registration Code" @ VA: 0x0002F001 / Offset: 0x0002F001
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.300 Second(s) [00000012Ch (300) tick(s)] [506 of 580 scan(s)
done]
--- snip ---

I've run virustotal.com on the download:

https://www.virustotal.com/gui/file/5313624fe47a38cd065079fe465f8ce763949b02213c14a04c2e7146f1039644/detection

Win32.Application.Hoax-MovieMaker.A

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Windows Live/Photo Gallery

$ wine ./WinMovieMaker.exe
...
0024:err:module:import_dll Library MSVBVM60.DLL (which is needed by
L"C:\\Program Files\\Windows Live\\Photo Gallery\\WinMovieMaker.exe") not found
0024:err:module:LdrInitializeThunk Importing dlls for L"C:\\Program
Files\\Windows Live\\Photo Gallery\\WinMovieMaker.exe" failed, status c0000135
--- snip ---

-> 'winetricks -q vb6run'

With that in place, the app displays a dialog which asks for a license key.
Pressing 'Later' crashes the app with the missing 'wlidcli.dll' error.

Ethics and morals aside, how is the app supposed to work? Did you test this with
Windows?

Unless we run out of interesting bugs or you find a less questionable
application that exhibits the same problem I resolve as 'INVALID' here.

$ sha1sum windows-movie-maker-2016-full.exe 
32b76fa257d7680d53edac2beaed896d2b96828b  windows-movie-maker-2016-full.exe

$ du -sh windows-movie-maker-2016-full.exe 
26M    windows-movie-maker-2016-full.exe

$ wine --version
wine-6.0-rc4

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
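
Added example, not part of the original message or of ProtectionID: a small Python reader for the PE header fields the scans above rely on (compilation timestamp and its file offset, DllCharacteristics mitigation flags, and data appended after the last section). The sample file is constructed in memory from header values in the installer scan; `pe_triage` and `build_sample` are hypothetical names.

```python
import struct
from datetime import datetime, timezone

# DllCharacteristics bits, labelled the way the scan output above labels them
FLAGS = {0x0040: "ASLR", 0x0100: "DEP", 0x8000: "TSA"}

def pe_triage(data: bytes) -> dict:
    """Decode the PE header fields reported in the scans above."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                           # optional header start
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)   # same offset in PE32/PE32+
    end = 0
    for i in range(nsect):                                  # 40-byte section headers
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return {
        "machine": machine,
        "timestamp_offset": pe + 8,
        "compiled": datetime.fromtimestamp(stamp, timezone.utc),
        "mitigations": [n for bit, n in FLAGS.items() if dllchar & bit] or ["NONE"],
        "appended_at": end,                                 # end of last section's raw data
        "appended_bytes": max(0, len(data) - end),          # includes any signature blob
    }

def build_sample() -> bytes:
    """Constructed PE skeleton; timestamp, machine and flags copied from the installer scan."""
    buf = bytearray(0x600)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x100)                # header at 0x100, stamp at 0x108
    buf[0x100:0x104] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x104, 0x14C, 1, 0x2A425E19, 0, 0, 0xE0, 0x010F)
    struct.pack_into("<H", buf, 0x118, 0x10B)               # PE32 magic
    struct.pack_into("<H", buf, 0x118 + 70, 0x8000)         # DllCharacteristics: TSA only
    sect = 0x118 + 0xE0
    buf[sect:sect + 8] = b"CODE\0\0\0\0"
    struct.pack_into("<II", buf, sect + 16, 0x200, 0x400)   # raw size, raw pointer
    return bytes(buf) + b"\0" * 100                         # 100 constructed appended bytes

if __name__ == "__main__":
    print(pe_triage(build_sample()))
```

The appended-data figure counts everything past the last section, so an embedded signature such as the one reported for MovieMaker.exe shows up there as well.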

