PROT_EXEC mmap/mprotect, i386 PAE + NX broken, x86-64 2.6.17-rc2
Alistair John Strachan
s0348365 at sms.ed.ac.uk
Sat Apr 22 05:12:06 CDT 2006
On Saturday 22 April 2006 10:09, Marcus Meissner wrote:
> > > > [alistair] 11:17 [~/.wine/drive_c/Program Files/Warcraft III] wine
> > > > war3.exe -opengl wine: Unhandled page fault on write access to
> > > > 0x00495000 at address 0x495000 (thread 0009), starting debugger...
> > > >
> > > > =>1 0x00495000 EntryPoint in war3 (0x00495000)
> > > > 2 0xf7f763ab wine_switch_to_stack+0x17 in libwine.so.1 (0xf7f763ab)
> > > > 0x00495000 EntryPoint in war3: pushl %eax
> > >
> > > Please run with:
> > > WINEDEBUG=+virtual wine war3.exe -opengl
> > > And look for the virtual entries in the vicinity of 495000.
> > Can't see anything obvious. Here's the entire trace:
> > http://devzero.co.uk/~alistair/wine/virtual.log
> Here is the culprit:
> trace:virtual:VIRTUAL_SetProt 0x462000-0x4e7fff c-rW-
> trace:virtual:VIRTUAL_DumpView View: 0x400000 - 0x57bfff (anonymous)
> trace:virtual:VIRTUAL_DumpView 0x400000 - 0x400fff c-r--
> trace:virtual:VIRTUAL_DumpView 0x401000 - 0x449fff c-r-x
> trace:virtual:VIRTUAL_DumpView 0x44a000 - 0x57bfff c-rW-
> This covers the 0x00495000 address. Note that the area lacks the x-bit.
> What is happening is likely the copy protection. The original loader is
> likely executable, but the copy protection decrypts the code in a
> data section and then executes it.
Well, I'm using a "modified" game executable which does not check for the
presence of a CD. However, it hooks into the original game executable so that
the game can validate itself. Alas, it's probably not the most pure win32
application known to man..
> Could you please do:
> winedump dump -x war3.exe
> and put it somewhere/attach it here?
Certainly, find it here (261K):
Third year Computer Science undergraduate.
1F2 55 South Clerk Street, Edinburgh, UK.
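
The lookup done by hand in the quoted reply above, as an added example that is not part of the original message or of Wine: it parses the `VIRTUAL_DumpView` sub-range lines from the `+virtual` trace and reports the protection of the range covering the faulting address. The function names are hypothetical, and reading the last character of the protection string as the execute flag is an assumption based on the `c-r-x` and `c-rW-` lines shown in the thread.

```python
import re

# Trace lines copied from the +virtual output quoted in the message above.
TRACE = """\
trace:virtual:VIRTUAL_SetProt 0x462000-0x4e7fff c-rW-
trace:virtual:VIRTUAL_DumpView View: 0x400000 - 0x57bfff (anonymous)
trace:virtual:VIRTUAL_DumpView 0x400000 - 0x400fff c-r--
trace:virtual:VIRTUAL_DumpView 0x401000 - 0x449fff c-r-x
trace:virtual:VIRTUAL_DumpView 0x44a000 - 0x57bfff c-rW-
"""

# A sub-range line: start, end, then a five-character protection string.
# The "View:" summary line and the SetProt line deliberately do not match.
RANGE_RE = re.compile(
    r"VIRTUAL_DumpView\s+(0x[0-9a-fA-F]+)\s*-\s*(0x[0-9a-fA-F]+)\s+(\S{5})\s*$")

def parse_ranges(trace):
    """Return [(start, end, prot)] for every sub-range line in the trace."""
    ranges = []
    for line in trace.splitlines():
        m = RANGE_RE.search(line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return ranges

def lookup(ranges, addr):
    """Return the last dumped range covering addr (latest state), or None."""
    hit = None
    for start, end, prot in ranges:
        if start <= addr <= end:
            hit = (start, end, prot)
    return hit

def is_executable(prot):
    # Assumption: the trailing flag is 'x' when execute is granted ("c-r-x").
    return prot.lower().endswith("x")

def explain_fault(trace, addr):
    """Describe the mapping that covers addr and whether it may be executed."""
    hit = lookup(parse_ranges(trace), addr)
    if hit is None:
        return f"{addr:#x}: not in any dumped range"
    start, end, prot = hit
    state = "executable" if is_executable(prot) else "NOT executable (faults when NX is enforced)"
    return f"{addr:#x} is in {start:#x}-{end:#x} [{prot}]: {state}"

if __name__ == "__main__":
    print(explain_fault(TRACE, 0x00495000))
```
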