[Bug 49198] Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes in entry point (incorrect page protection restored during relocation processing)
WineHQ Bugzilla
wine-bugs at winehq.org
Tue May 19 06:17:42 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=49198
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
URL| |https://store.steampowered.
| |com/app/782330/
Regression SHA1| |22dfb0df10b44d1c21b3d04b593
| |12670c2318431
CC| |z.figura12 at gmail.com
Keywords| |obfuscation, regression
--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
filling more fields.
Also adding disassembly in case it's not that obvious.
--- snip ---
...
0000000000C81060 | mov qword ptr ss:[rsp+8],rbx |
0000000000C81065 | mov qword ptr ss:[rsp+10],rbp |
0000000000C8106A | mov qword ptr ss:[rsp+18],rsi |
0000000000C8106F | push rdi |
0000000000C81070 | sub rsp,20 |
0000000000C81074 | xor ebp,ebp |
0000000000C81076 | mov rsi,rdx |
0000000000C81079 | mov rdi,rcx |
0000000000C8107C | cmp rcx,rbp |
0000000000C8107F | jne denuvo-anti-cheat.C8108D |
0000000000C81081 | xor ecx,ecx |
0000000000C81083 | call denuvo-anti-cheat.CBAE20 |
0000000000C81088 | jmp denuvo-anti-cheat.C8116D |
0000000000C8108D | mov eax,208 |
0000000000C81092 | mov qword ptr ds:[D2B9B0],rcx |
0000000000C81099 | lea rcx,qword ptr ds:[D2B988] |
0000000000C810A0 | mov word ptr ds:[D2B98A],ax |
0000000000C810A7 | lea rax,qword ptr ds:[D2B9C0] |
0000000000C810AE | mov word ptr ds:[D2B988],bp |
0000000000C810B5 | mov qword ptr ds:[D2B990],rax |
0000000000C810BC | call qword ptr ds:[<&JMP.&RtlCopyUnicodeString>] |
0000000000C810C2 | lea r9,qword ptr ds:[D2B9A8] |
0000000000C810C9 | lea r8,qword ptr ds:[D27060] |
...
0000000000DFE000 | jmp qword ptr ds:[<&WskCaptureProviderNPI>] |
0000000000DFE006 | nop word ptr cs:[rax+rax],ax |
0000000000DFE010 | jmp qword ptr ds:[<&WskReleaseProviderNPI>] |
0000000000DFE016 | nop word ptr cs:[rax+rax],ax |
...
0000000000DFE5C0 | jmp qword ptr ds:[<&PsSetLoadImageNotifyRoutine>] |
0000000000DFE5C6 | nop word ptr cs:[rax+rax],ax |
0000000000DFE5D0 | jmp qword ptr ds:[<&PsRemoveLoadImageNotifyRoutine>] |
0000000000DFE5D6 | nop word ptr cs:[rax+rax],ax |
0000000000DFE5E0 | jmp qword ptr ds:[<&RtlCopyUnicodeString>] | boom
0000000000DFE5E6 | nop word ptr cs:[rax+rax],ax |
0000000000DFE5F0 | jmp qword ptr ds:[<&MmGetSystemRoutineAddress>] |
0000000000DFE5F6 | nop word ptr cs:[rax+rax],ax |
--- snip ---
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list