[Bug 48268] New: ESEA Client - anti-cheat software detects system monitor (debugger) and refuses to start.
https://bugs.winehq.org/show_bug.cgi?id=48268

Bug ID: 48268
Summary: ESEA Client - anti-cheat software detects system monitor (debugger) and refuses to start.
Product: Wine
Version: 4.21
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs(a)winehq.org
Reporter: o.dierick(a)piezo-forte.be
Distribution: ---

Created attachment 65933
--> https://bugs.winehq.org/attachment.cgi?id=65933
wine 4.21 terminal output

Hello,

While revisiting bug 24125 I stumbled on this application: ESEA client is an anti-cheat software for an eponymous community of online games players.

Running the client fails with this error dialog:

"Error #1006: A system monitor program has been found running in you system. After closing the program please relaunch the ESEA Client."

That error blocks testing this application for bug 24125.

Also tested with wine-staging 4.21 in a separate prefix. Using option 'Hide Wine version from applications' doesn't make a difference.

There is an article related to this error on the publisher's website:
https://support.esea.net/hc/en-us/articles/360008741974-Error-1006-1008-114-...

Downloading the client requires a (free) registered account on the website, linked to a Steam account.

$ sha1sum ESEAClientInstall.exe
321cc5e5aa77e58de3f71ed406214ce13472ee01 ESEAClientInstall.exe
$ du -b ESEAClientInstall.exe
165862120 ESEAClientInstall.exe

Debian 8 Jessie 64-bit.
Tested on clean 32-bit wineprefixes with wine and wine-staging 4.21.

Regards.

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because: You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=48268

Olivier F. R. Dierick <o.dierick(a)piezo-forte.be> changed:

What        |Removed |Added
----------------------------------------------------------------------------
Keywords    |        |download
URL         |        |https://play.esea.net/index.php?s=downloads
Distribution|---     |Debian

https://bugs.winehq.org/show_bug.cgi?id=48268

Paul Gofman <gofmanp(a)gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |gofmanp(a)gmail.com

--- Comment #1 from Paul Gofman <gofmanp(a)gmail.com> ---

Created attachment 65941
--> https://bugs.winehq.org/attachment.cgi?id=65941
PoC patch

At this point it wants K32QueryWorkingSetEx() implementation, or, otherwise, NtQueryVirtualMemory(... MemoryWorkingSetList) which K32QueryWorkingSetEx() calls for actual work. As far as I could guess, MemoryWorkingSetList is similar to MemoryWorkingSetExInformation stubbed in staging, but the stub return value which is currently there is not enough.

I am attaching the patch which seems to make Esea client happy at this stage. But it fails later when its rootkit driver ESEADriver2.sys fails to initialize. Maybe that is due to a bunch of functions it is calling being a stub:

...
003d:fixme:ntoskrnl:MmProbeAndLockPages (00000000005C4CD0, 0, 1): stub
003d:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (00000000005C4CD0, 0, 1, 0000000000000000, 0, 32): stub
003d:fixme:ntoskrnl:MmUnlockPages (00000000005C4CD0): stub
003d:trace:ntoskrnl:IoFreeMdl 00000000005C4CD0
DbgPrint says: Initialization error 1

Please note that Esea client was some (rather long) time ago spotted mining bitcoins on client's computers [1], so it used to be basically a malware. So I would recommend to always keep it in a separate Wine prefix and take other reasonable precautions when using it, like running at least as a separate user without the access to sensible data and so it is easy to kill the potentially leftover processes.

1. https://www.reddit.com/r/GlobalOffensive/comments/1dgad2/esea_client_basical...
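
One way to apply the precautions recommended in comment #1 (separate Wine prefix, separate Unix user, easy cleanup of leftover processes), as an added example that is not part of the bug report or of Wine. The account name wine-esea, the paths and the helper function names are assumptions; WINEARCH=win32 mirrors the 32-bit prefixes used in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Account name and paths are assumptions.
# One-time setup as root:  useradd --create-home wine-esea
SANDBOX_USER="${SANDBOX_USER:-wine-esea}"
SANDBOX_HOME="${SANDBOX_HOME:-/home/$SANDBOX_USER}"
SANDBOX_PREFIX="${SANDBOX_PREFIX:-$SANDBOX_HOME/prefix}"

# Execute a command, or only print it when DRY_RUN is set (for review).
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True only if DIR ($1) is owned by numeric uid $2 and closed to group and
# others (mode 700), so other local accounts cannot read or plant files in it.
# Uses GNU stat, as found on the Debian system in the report.
prefix_is_private() {
    [ -d "$1" ] && [ "$(stat -c '%u %a' "$1")" = "$2 700" ]
}

# Start a program under the sandbox account. env -i discards the caller's
# environment (agent sockets, tokens, session bus address); only the variables
# Wine needs are passed back in.
sandbox_run() {
    run sudo -u "$SANDBOX_USER" env -i \
        HOME="$SANDBOX_HOME" PATH=/usr/bin:/bin DISPLAY="${DISPLAY:-:0}" \
        WINEARCH=win32 WINEPREFIX="$SANDBOX_PREFIX" wine "$@"
}

# Stop everything left behind: ask the prefix's wineserver to kill its
# processes, then SIGKILL anything still running under the sandbox account.
sandbox_stop() {
    run sudo -u "$SANDBOX_USER" env -i HOME="$SANDBOX_HOME" PATH=/usr/bin:/bin \
        WINEPREFIX="$SANDBOX_PREFIX" wineserver -k || true
    run sudo pkill -KILL -u "$SANDBOX_USER" || true
}
```

The sandbox account also needs access to the X display (for example `xhost +SI:localuser:wine-esea`); X11 clients on one display can observe each other, so that grant weakens the separation. Check the prefix with `prefix_is_private "$SANDBOX_PREFIX" "$(id -u "$SANDBOX_USER")"` before the first run.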

https://bugs.winehq.org/show_bug.cgi?id=48268

Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> changed:

What    |Removed |Added
----------------------------------------------------------------------------
Keywords|        |patch