[Bug 49198] Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes in entry point (incorrect page protection restored during relocation processing)

WineHQ Bugzilla wine-bugs at winehq.org
Tue May 19 06:17:42 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=49198

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://store.steampowered.com/app/782330/
    Regression SHA1|                            |22dfb0df10b44d1c21b3d04b59312670c2318431
                 CC|                            |z.figura12 at gmail.com
           Keywords|                            |obfuscation, regression

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

filling more fields.

Also adding disassembly in case it's not that obvious.

--- snip ---
...
0000000000C81060 | mov qword ptr ss:[rsp+8],rbx                         |
0000000000C81065 | mov qword ptr ss:[rsp+10],rbp                        |
0000000000C8106A | mov qword ptr ss:[rsp+18],rsi                        |
0000000000C8106F | push rdi                                             |
0000000000C81070 | sub rsp,20                                           |
0000000000C81074 | xor ebp,ebp                                          |
0000000000C81076 | mov rsi,rdx                                          |
0000000000C81079 | mov rdi,rcx                                          |
0000000000C8107C | cmp rcx,rbp                                          |
0000000000C8107F | jne denuvo-anti-cheat.C8108D                         |
0000000000C81081 | xor ecx,ecx                                          |
0000000000C81083 | call denuvo-anti-cheat.CBAE20                        |
0000000000C81088 | jmp denuvo-anti-cheat.C8116D                         |
0000000000C8108D | mov eax,208                                          |
0000000000C81092 | mov qword ptr ds:[D2B9B0],rcx                        |
0000000000C81099 | lea rcx,qword ptr ds:[D2B988]                        |
0000000000C810A0 | mov word ptr ds:[D2B98A],ax                          |
0000000000C810A7 | lea rax,qword ptr ds:[D2B9C0]                        |
0000000000C810AE | mov word ptr ds:[D2B988],bp                          |
0000000000C810B5 | mov qword ptr ds:[D2B990],rax                        |
0000000000C810BC | call qword ptr ds:[<&JMP.&RtlCopyUnicodeString>]     |
0000000000C810C2 | lea r9,qword ptr ds:[D2B9A8]                         |
0000000000C810C9 | lea r8,qword ptr ds:[D27060]                         |
...
0000000000DFE000 | jmp qword ptr ds:[<&WskCaptureProviderNPI>]          |
0000000000DFE006 | nop word ptr cs:[rax+rax],ax                         |
0000000000DFE010 | jmp qword ptr ds:[<&WskReleaseProviderNPI>]          |
0000000000DFE016 | nop word ptr cs:[rax+rax],ax                         |
...
0000000000DFE5C0 | jmp qword ptr ds:[<&PsSetLoadImageNotifyRoutine>]    |
0000000000DFE5C6 | nop word ptr cs:[rax+rax],ax                         |
0000000000DFE5D0 | jmp qword ptr ds:[<&PsRemoveLoadImageNotifyRoutine>] |
0000000000DFE5D6 | nop word ptr cs:[rax+rax],ax                         |
0000000000DFE5E0 | jmp qword ptr ds:[<&RtlCopyUnicodeString>]           | boom
0000000000DFE5E6 | nop word ptr cs:[rax+rax],ax                         |
0000000000DFE5F0 | jmp qword ptr ds:[<&MmGetSystemRoutineAddress>]      |
0000000000DFE5F6 | nop word ptr cs:[rax+rax],ax                         |
--- snip ---

Regards
