PROT_EXEC mmap/mprotect, i386 PAE + NX broken, x86-64 2.6.17-rc2
Marcus Meissner
marcus at jet.franken.de
Sat Apr 22 07:54:11 CDT 2006
> > > http://devzero.co.uk/~alistair/wine/virtual.log
> >
> > Here is the culprit:
> >
> > trace:virtual:VIRTUAL_SetProt 0x462000-0x4e7fff c-rW-
> > trace:virtual:VIRTUAL_DumpView View: 0x400000 - 0x57bfff (anonymous)
> > trace:virtual:VIRTUAL_DumpView 0x400000 - 0x400fff c-r--
> > trace:virtual:VIRTUAL_DumpView 0x401000 - 0x449fff c-r-x
> > trace:virtual:VIRTUAL_DumpView 0x44a000 - 0x57bfff c-rW-
> >
> > This covers the 0x00495000 address. Note that the area lacks the x-bit.
> >
> > What is happening is likely the copy protection. The original loader is
> > likely executable, but the copyprotection decrypts the code in a
> > datasection and then executes it.
>
> Well, I'm using a "modified" game executable which does not check for the
> presence of a CD. However, it hooks into the original game executable so that
> the game can validate itself. Alas, it's probably not the more pure win32
> application known to man..
>
> > Could you please do:
> > winedump dump -x war3.exe
> > and put it somewhere/attach it here?
>
> Certainly, find it here (261K):
>
> http://devzero.co.uk/~alistair/wine/dump.log
This is the section with the entry point in:
04 .iyhivx VirtSize: 548864 VirtAddr: 401408 0x00062000
raw data offs: 356352 raw data size: 548864
relocation offs: 0 relocations: 0
line # offs: 0 line #'s: 0
characteristics: 0xc0000040
INITIALIZED_DATA MEM_READ MEM_WRITE
It is missing the "MEM_EXECUTE" flag.
Try this patch:
Index: dlls/ntdll/virtual.c
===================================================================
RCS file: /home/wine/wine/dlls/ntdll/virtual.c,v
retrieving revision 1.88
diff -u -r1.88 virtual.c
--- dlls/ntdll/virtual.c 8 Apr 2006 18:13:41 -0000 1.88
+++ dlls/ntdll/virtual.c 22 Apr 2006 12:53:46 -0000
@@ -1072,6 +1072,12 @@
if (sec->Characteristics & IMAGE_SCN_MEM_READ) vprot |= VPROT_READ;
if (sec->Characteristics & IMAGE_SCN_MEM_WRITE) vprot |= VPROT_READ|VPROT_WRITECOPY;
if (sec->Characteristics & IMAGE_SCN_MEM_EXECUTE) vprot |= VPROT_EXEC;
+
+ /* Dumb game crack let the AOEP point into a data section. Adjust. */
+ if ( (nt->OptionalHeader.AddressOfEntryPoint >= sec->VirtualAddress) &&
+ (nt->OptionalHeader.AddressOfEntryPoint < sec->VirtualAddress + size)
+ )
+ vprot |= VPROT_EXEC;
VIRTUAL_SetProt( view, ptr + sec->VirtualAddress, size, vprot );
}
Ciao, Marcus
More information about the wine-devel
mailing list