http://bugs.winehq.org/show_bug.cgi?id=29688 --- Comment #1 from Austin English <austinenglish(a)gmail.com> --- This is your friendly reminder that there has been no bug activity for 2 years. Is this still an issue in current (1.7.18 or newer) wine? -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=29688 Anastasius Focht <focht(a)gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |obfuscation Status|UNCONFIRMED |NEW CC| |focht(a)gmx.net Summary|CHAOS;HEAD crashes on start |CHAOS;HEAD crashes on start | |(in-memory PE image of Wine | |builtins vs. placeholder | |image on disk) Ever confirmed|0 |1 --- Comment #3 from Anastasius Focht <focht(a)gmx.net> --- Hello folks, confirming. The game uses some custom anti-debugging/reversing protection scheme, probably created by vendor (not detected by 'ProtectionID' or 'ExeInfoPE' tools). --- snip --- $ pwd /home/focht/.wine/drive_c/Program Files/Nitroplus/CHAOS;HEAD $ LANG=ja_JP.UTF-8 WINEDEBUG=+tid,+seh,+relay wine ./ChaosHead.exe >>log.txt 2>&1 ... 0023:Call KERNEL32.IsDebuggerPresent() ret=00584cbf 0023:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=00584cbf ... 0023:Call KERNEL32._lopen(00676b7c "\\\\.\\NTICE",00000000) ret=00584eb3 0023:Ret KERNEL32._lopen() retval=ffffffff ret=00584eb3 0023:Call KERNEL32.lstrlenA(00676bcc "__ANTICRACK__") ret=006310d7 0023:Ret KERNEL32.lstrlenA() retval=0000000d ret=006310d7 ... 0023:Call KERNEL32._lopen(00676b64 "\\\\.\\SICE",00000000) ret=00584f41 0023:Ret KERNEL32._lopen() retval=ffffffff ret=00584f41 ... 0023:Call KERNEL32._lopen(00676b58 "\\\\.\\TRW",00000000) ret=00584f71 0023:Ret KERNEL32._lopen() retval=ffffffff ret=00584f71 ... 0023:Call KERNEL32._lopen(00676b48 "\\\\.\\SIWVID",00000000) ret=00584fa1 0023:Ret KERNEL32._lopen() retval=ffffffff ret=00584fa1 ... 0023:trace:seh:raise_exception code=80000003 flags=0 addr=0x587fe0 ip=00587fe1 tid=0023 0023:trace:seh:raise_exception eax=0033fe10 ebx=ffffffff ecx=00781308 edx=00000011 esi=00676bc1 edi=0033fd69 0023:trace:seh:raise_exception ebp=0033f968 esp=0033f93c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00200207 0023:trace:seh:call_stack_handlers calling handler at 0x613830 code=80000003 flags=0 0023:Call ntdll.RtlUnwind(0033f958,0061343c,00000000,00000000) ret=0061343c 0023: eax=00000001 ebx=0033f958 ecx=00000000 edx=7bc825c1 esi=00000000 edi=0064e208 ebp=0033f404 esp=0033f3f4 ds=002b es=002b fs=0063 gs=006b flags=00200202 0023:trace:seh:__regs_RtlUnwind code=c0000027 flags=2 0023:trace:seh:__regs_RtlUnwind calling handler at 0x7bc825c1 code=c0000027 flags=2 0023:trace:seh:__regs_RtlUnwind handler at 0x7bc825c1 returned 1 ... 0023:Call KERNEL32.CreateFileA(008bb410 "C:\\windows\\system32\\Kernel32.dll",80000000,00000003,00000000,00000003,08000000,00000000) ret=005dd078 0023:Ret KERNEL32.CreateFileA() retval=0000005c ret=005dd078 0023:Call KERNEL32.CreateFileA(008bb460 "C:\\windows\\system32\\User32.dll",80000000,00000003,00000000,00000003,08000000,00000000) ret=005dd598 0023:Ret KERNEL32.CreateFileA() retval=00000060 ret=005dd598 0023:Call KERNEL32.CreateFileA(008bb5a0 "C:\\windows\\system32\\Imagehlp.dll",80000000,00000003,00000000,00000003,08000000,00000000) ret=005dd5bd 0023:Ret KERNEL32.CreateFileA() retval=00000064 ret=005dd5bd 0023:Call KERNEL32.CreateFileMappingA(0000005c,00000000,01000002,00000000,00000000,00000000) ret=005dd612 0023:Ret KERNEL32.CreateFileMappingA() retval=00000068 ret=005dd612 0023:Call KERNEL32.CreateFileMappingA(00000060,00000000,01000002,00000000,00000000,00000000) ret=005dd637 0023:Ret KERNEL32.CreateFileMappingA() retval=0000006c ret=005dd637 0023:Call KERNEL32.CreateFileMappingA(00000064,00000000,01000002,00000000,00000000,00000000) ret=005ddabf 0023:Ret KERNEL32.CreateFileMappingA() retval=00000070 ret=005ddabf 0023:Call KERNEL32.MapViewOfFile(00000068,00000004,00000000,00000000,00000000) ret=005ddb09 0023:Ret KERNEL32.MapViewOfFile() retval=10000000 ret=005ddb09 0023:Call KERNEL32.MapViewOfFile(0000006c,00000004,00000000,00000000,00000000) ret=005ddb2a 0023:Ret KERNEL32.MapViewOfFile() retval=00340000 ret=005ddb2a 0023:Call KERNEL32.MapViewOfFile(00000070,00000004,00000000,00000000,00000000) ret=005ddb4b 0023:Ret KERNEL32.MapViewOfFile() retval=00380000 ret=005ddb4b ... 0023:Call KERNEL32.lstrlenA(006894a8 "ANTICRACK_RESOURCE_STRING") ret=006310d7 0023:Ret KERNEL32.lstrlenA() retval=00000019 ret=006310d7 ... 0023:Call KERNEL32.lstrlenA(00689520 "__ANTICRACK_EXPRESSION__") ret=006310d7 0023:Ret KERNEL32.lstrlenA() retval=00000018 ret=006310d7 ... 0023:Call KERNEL32.lstrlenA(0077f8a8 "") ret=006310d7 0023:Ret KERNEL32.lstrlenA() retval=00000000 ret=006310d7 0023:Call KERNEL32.lstrlenA(00689468 "\xa4\xb8\xa4\xa9\xb4\xf5\xb4\xfa\xa4\xb8\xb4\xd9\xb7\xb1\xa4\xb7\xb7\xaf\xa4\xd3\xa4\xbb") ret=006310d7 0023:Ret KERNEL32.lstrlenA() retval=00000016 ret=006310d7 0023:Call KERNEL32.lstrlenA(008bc828 "%\n\x04%\x0b\x08%\n\x04%\n\t%\x0b\x04%\x0f\x05%\x0b\x04%\x0f\n%\n\x04%\x0b\x08%\x0b\x04%\r\t%\x0b\x07%\x0b\x01%\n\x04%\x0b\x07%\x0b\x07%\n\x0f%\n\x04%\r\x03%\n\x04%\x0b\x0b") ret=006314d1 0023:Ret KERNEL32.lstrlenA() retval=00000042 ret=006314d1 0023:Call KERNEL32.lstrlenA(008bb4b0 "\xa4\xb8\xa4\xa9\xb4\xf5\xb4\xfa\xa4\xb8\xb4\xd9\xb7\xb1\xa4\xb7\xb7\xaf\xa4\xd3\xa4\xbb") ret=006314d1 0023:Ret KERNEL32.lstrlenA() retval=00000016 ret=006314d1 0023:Call KERNEL32.InterlockedDecrement(008bb4a4) ret=00631053 0023:Ret KERNEL32.InterlockedDecrement() retval=00000000 ret=00631053 0023:Call KERNEL32.InterlockedDecrement(008bc81c) ret=00631053 0023:Ret KERNEL32.InterlockedDecrement() retval=00000000 ret=00631053 0023:Call KERNEL32.lstrlenA(008bb550 "User32.dll") ret=006314d1 0023:Ret KERNEL32.lstrlenA() retval=0000000a ret=006314d1 0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x10012ed8 ip=10012ed8 tid=0023 0023:trace:seh:raise_exception info[0]=00000000 0023:trace:seh:raise_exception info[1]=ffffffff 0023:trace:seh:raise_exception eax=00000000 ebx=0033fd69 ecx=008bb550 edx=00781310 esi=00002fff edi=005ddbe2 0023:trace:seh:raise_exception ebp=0033f53c esp=0033f2ec cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210202 0023:trace:seh:call_stack_handlers calling handler at 0x64b5f6 code=c0000005 flags=0 0023:Call KERNEL32.GetLastError() ret=0061883c 0023:Ret KERNEL32.GetLastError() retval=00000000 ret=0061883c 0023:trace:seh:call_stack_handlers handler at 0x64b5f6 returned 1 0023:trace:seh:call_stack_handlers calling handler at 0x613830 code=c0000005 flags=0 ... Register dump: CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b EIP:10012ed8 ESP:0033f2ec EBP:0033f53c EFLAGS:00210202( R- -- I - - - ) EAX:00000000 EBX:0033fd69 ECX:008bb550 EDX:00781310 ESI:00002fff EDI:005ddbe2 ... Backtrace: =>0 0x10012ed8 (0x0033f53c) 1 0x005d55c4 in chaoshead (+0x1d55c3) (0x0033f558) 2 0x005cfa3e in chaoshead (+0x1cfa3d) (0x0033f658) 3 0x005cbdb0 in chaoshead (+0x1cbdaf) (0x0033f670) 4 0x005c91f9 in chaoshead (+0x1c91f8) (0x0033f688) 5 0x005efc9b in chaoshead (+0x1efc9a) (0x0033f6a0) 6 0x00587a9c in chaoshead (+0x187a9b) (0x0033f968) 7 0x00584ffb in chaoshead (+0x184ffa) (0x0033fd70) 8 0x0063879f in chaoshead (+0x23879e) (0x0033fe20) 9 0x7b8643b0 call_process_entry+0xb() in kernel32 (0x0033fe38) ... 0x10012ed8: pop %es Modules: Module Address Debug info Name (78 modules) PE 400000- 79b000 Export chaoshead ELF 7b800000-7ba61000 Dwarf kernel32<elf> \-PE 7b810000-7ba61000 \ kernel32 ... Threads: process tid prio (all id:s are in hex) ... 00000022 (D) C:\Program Files\Nitroplus\CHAOS;HEAD\ChaosHead.exe 00000023 0 <== --- snip --- The protection scheme populates the PE export directory of the in-memory core dlls ('kernel32.dll', 'user32.dll', ...) to calculate API entry offsets. It then maps the on-disk core dlls into memory and uses the calculated offsets to retrieve the API entry points from the newly mapped files. This obviously can't work with Wine. Bug 15437 is about a similar problem which can be worked around - unlike this one. $ wine --version wine-1.7.20-102-g889cce4 Regards -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=29688 Austin English <austinenglish(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #5 from Austin English <austinenglish(a)gmail.com> --- Closing. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.