[Bug 53078] Star Stable Online: GameGuard execute error 114 when launching the game

WineHQ Bugzilla wine-bugs at winehq.org
Tue Jun 14 04:14:09 CDT 2022 

https://bugs.winehq.org/show_bug.cgi?id=53078

Bernhard Übelacker <bernhardu at mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernhardu at mailbox.org

--- Comment #1 from Bernhard Übelacker <bernhardu at mailbox.org> ---
Created attachment 72590
  --> https://bugs.winehq.org/attachment.cgi?id=72590
hack to workaround second-ntdll and trigger driver startup

This is what I found while trying to investigate loading the game in wine.

The "Star Stable Online.exe" is just the launcher and updater.
When pressing the play button it spawns a "SSOClient.exe".
This is now also spawning processes "GameGuard.des" and "GameMon.des".
The latter detects a 64-Bit system and spawns then "GameMon64.des".
This last process then calls NtLoadDriver for loading "dump_wmimmc.sys".


The first issue is "GameMon.des" doing a LoadLibraryEx for ntdll.dll,
and calling from this copy NtSetInformationThread(ThreadHideFromDebugger),
which fails because in the second ntdll __wine_syscall_dispatcher never
gets set, which usually takes place in ntdll_init_syscalls.

Second issue is the function NtLoadDriver is currently just a stub.
And for obfuscation reasons "dump_wmimmc.sys" gets deleted.

Then the third inside ZwLoadDriver/IoCreateDriver
in "dump_wmimmc.sys" calls:
  IoCreateDevice, IoCreateSymbolicLink("\\??\\dump_wmimmc"),
  PsGetVersion, ZwQueryValueKey("...\Windows NT\CurrentVersion\UBR"),
  IoGetCurrentProcess and PsGetCurrentProcessId.
I guess something of this makes it upset and causes
IoDeleteSymbolicLink("\\??\\dump_wmimmc") and IoDeleteDevice,
finally returning 0xc0000001(STATUS_UNSUCCESSFUL).

But because of the obfuscation I could not see what exactly
what went wrong in dump_wmimmc.sys.


Attached are some ugly hacks to try to workaround the first two issues.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list