Windows program detects debugger and quits
rizsanyi at myrealbox.com
Fri Oct 25 16:05:35 CDT 2002
On Friday 25 October 2002 19:31, Peter Andersson wrote:
> Maybe this program checks the debugging processor registers
> Wine Gurus out there: Could this be the explanation?
> The ptrace syscall which Wine uses,setup the process in debug mode
> (thus using the debug registers). Probably some kind of copy
> protection in the ACR program checks the debug registers somehow.
> I believe wine is heavily dependent of the ptrace call (correct me if Im
> wrong, Wine gurus), for example for catching DOS interupts.
> Unless there is a way to turn off ptrace calls in Wine, or you hack your
> app to not do these checks, you wont be able to run your program.
You could try set winver to nt40.
Programs usually use different methods to detect if they are debugged when
they detect that they run on NT.
Eg. the programs guarded with safedisc also checked for debug registers, but
when you set winver to nt40 much less checks are done.
> On Thursday 24 October 2002 01.49, Paul wrote:
> > I am trying to run a windows program called ACR with Wine on a Mandrake
> > system. The install goes beautifully (thanks to all of those hardworking
> > programmers!). But when I try to run ACR it complains that Windows is
> > being run in Debug mode and quits.
Maybe your program is guarded with safedisc, or some similar guard mechanism.
If it is safedisc, then by patching wine you could enable it to run your
You can check if it is safedisc protected by following the FAQ sent by Laurent
Pinchart to the wine-devel list. You should search the archives.
Hmm. I tried to search the archives, and it seems, that it is not searchable.
So I'm attaching the faq. Though maybe there is an updated version somewhere.
> > This is also what happened when trying to run ACR on Win4Lin. Does this
> > make running ACR hopeless on any emmulator or is there a way around this?
No. Longman Dictionary of Contemporary English did not run under VMWare. But
now it works under wine + safedisc patch.
So surely there IS hope :).
-------------- next part --------------
What is SafeDisc ?
SafeDisc is a CD copy protection system designed for Microsoft Windows. It is
widely used, especially to protect games. There are currently 2 main versions
of SafeDisc around: SafeDisc 1 and SafeDisc 2.
Is my program protected by SafeDisc ?
Look at the root directory of the program CD. The following files are present
on SafeDisc 1 protected programs:
dplayerx.dll (not present on the very first version of SafeDisc)
In addition to these files, a .icd file contains the encrypted binary, while
the main executable (usually game.exe) is only a wrapper used to load and
decrypt the .icd file.
For SafeDisc 2, only secdrv.sys and drvmgt.dll can be found on the CD. The
encrypted binary and dplayerx.dll are now stored inside the wrapper (usually
How do I run SafeDisc protected programs with Wine ?
If your version of SafeDisc is supported (see below), your program will run
out-of-the-box (at least for SafeDisc related code :-) if you use NT mode
(--winver nt40, --winver win2k or --winver winxp). Pick the version of NT that
your program is the most likely to support (winxp with a 5 years old program
isn't a good idea).
How do I find out which version of SafeDisc my program uses ?
There is no publicaly available version numbering for SafeDisc. However, it
seems that the version number is stored in the executable as 3 unsigned 32-bit
integers. Using an hexadecimal editor, locate the following byte pattern in
the wrapper (game.exe)
> 426f475f 202a3930 2e302621 21202059 BoG_ *90.0&!! Y
> 793e0000 y>..
There should be 3 unsigned integers right after that, which are respectively
the version, subversion an revision number.
On some versions of SafeDisc there are 3 null integers following the pattern,
before the version number. You'll then have to look at the 3 unsigned 32-bit
integers right after
> 426f475f 202a3930 2e302621 21202059 BoG_ *90.0&!! Y
> 793e0000 00000000 00000000 00000000 y>..............
Don't forget to convert the version number from hexadecimal to decimal.
For SafeDisc 1 you can alternatively check the size of the dplayerx.dll file.
dplayerx.dll size SafeDisc version number
165.888 bytes 1.35.0
Another very important information is the secdrv.sys version number.
secdrv.sys size secdrv.sys version number
14.368 bytes 1.3.0 (SafeDisc 1.35.0)
18.768 bytes 2.2.0 (SafeDisc 2.5.30)
(If you have another version of SafeDisc please contribute to these tables).
Which version of SafeDisc are currently supported ?
This hasn't been determined yet. SafeDisc support for Wine has been developped
using a game protected with SafeDisc 1.35.0. SafeDisc versions which use
secdrv.sys 1.3.0 or lower might work. Some other versions might work too.
SafeDisc 2 is not supported yet.
How does SafeDisc 1 work ?
SafeDisc encrypts the real executable into a .icd file, and uses a wrapper to
decrypt the executable.
The wrapper contains 3 code sections: `.text', `.txt' and `.txt2'. `.txt' is
The wrapper starts by decrypting itself, using the checksum of `.text', the
binary content of `.txt2' and some values which depend on debugger detection
tests. If a debugger is loaded, if a software breakpoint is set in the first 8
bytes of any of the kernel32.dll functions, or if the `.text' and `.txt2'
sections have been modified (this includes setting a software breakpoint in
the code), the `.txt' section won't be decrypted correctly and a crash will
On NT, the process of detecting a debugger involves loading the kernel-space
driver secdrv.sys, which I implemented as a user-space code for Wine. On
Windows 95, 98 or Me, it involves executing arbitrary code in ring 0 mode
(kernel mode). This is not supported by Wine (as the underlying OS isn't as
broken as win9x), so that's why you have to use NT mode.
When the `.txt' section has been decrypted, the wrapper will then check for
the CD key using direct SCSI operations on the CD driver. If the CD key
doesn't match the expected value, a message box pops up to ask you to insert
the original CD in the drive.
The wrapper then loads and starts clokspl.exe for a still unknown purpose.
The last stage consists in creating the game.icd in a suspended state. The
suspended process memory is then written with some initialization code, and
SetThreadContext is called to jump to that code. The initialization code will
load dplayerx.dll (which is encrypted in the same way as the wrapper, with 3
code sections), and will decrypt the main executable. Control is then
transfered to the main executable, and the game starts.
Have you ever tried to rename game.icd to game.exe, and run it ? It will
crash, because WinMain is encrypted. It needs to be decrypted by the
initialization code, which is found in the wrapper and in dplayerx.dll.
That's pretty much all I know about SafeDisc. Don't ask me how to remove
SafeDisc from a game. I don't know how to do so.
If you have more information, especially about debugger detection and
secdrv.sys, please let me know.
My version of SafeDisc is not supported. What should I do ?
Implement support for it :-)
For unsupported SafeDisc 1 versions you will probably 'only' need to implement
the secdrv.sys that comes with your program. For SafeDisc 2 things could be
more difficult as I haven't tried any SafeDisc 2 protected program yet.
More information about the wine-users