http://bugs.winehq.org/show_bug.cgi?id=19743
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|NEW                         |RESOLVED
                 CC|                            |focht@gmx.net
         Resolution|                            |WONTFIX
            Summary|Acrobat Reader 5 page fault |Acrobat Reader 5 page fault
                   |on load                     |on load (docbox.api plugin
                   |                            |uses custom imports
                   |                            |resolver verifying/using
                   |                            |on-disk image of Windows
                   |                            |core dlls)
--- Comment #4 from Anastasius Focht focht@gmx.net 2012-01-16 15:55:02 CST ---
Hello,
this is a WONTFIX. The docbox.api plugin guys from "InterTrust" tried to be very "clever". The plugin has its own internal imports resolver that verifies/uses on-disk PE images of Windows core dlls (kernel32.dll, ...) in conjunction with the in-memory mapped PE image.
--- snip ---
...
0024:Call KERNEL32.CreateFileA(01301e20 "C:\windows\system32\kernel32.dll",80000000,00000001,00000000,00000003,00000080,00000000) ret=37043b3e
0024:Ret KERNEL32.CreateFileA() retval=0000000c ret=37043b3e
0024:Call KERNEL32.GetFileSize(0000000c,0032e14c) ret=3703f725
0024:Ret KERNEL32.GetFileSize() retval=00053094 ret=3703f725
0024:Call ntdll.RtlAllocateHeap(011e1000,00000000,000530a0) ret=37033ebe
0024:Ret ntdll.RtlAllocateHeap() retval=011e6de8 ret=37033ebe
0024:Call KERNEL32.GetCurrentThreadId() ret=37032aa5
0024:Ret KERNEL32.GetCurrentThreadId() retval=00000024 ret=37032aa5
0024:Call KERNEL32.SetFilePointer(0000000c,00000000,0032e134,00000000) ret=37026d43
0024:Ret KERNEL32.SetFilePointer() retval=00000000 ret=37026d43
0024:Call KERNEL32.ReadFile(0000000c,011e6de8,00053094,0032e128,00000000) ret=37026d9d
0024:Ret KERNEL32.ReadFile() retval=00000001 ret=37026d9d
...
<build custom import verification structures from PE disk image>
...
0024:Call KERNEL32.LoadLibraryA(0032ec14 "C:\windows\system32\kernel32.dll") ret=3702e5b5
0024:Ret KERNEL32.LoadLibraryA() retval=7b810000 ret=3702e5b5
...
<resolve imports using own loader, cross check>
...
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x3702e6cb ip=3702e6cb tid=0024
0024:trace:seh:raise_exception info[0]=00000000
0024:trace:seh:raise_exception info[1]=00000008
0024:trace:seh:raise_exception eax=00000000 ebx=0000000b ecx=01301c40 edx=00000000 esi=00dcfe58 edi=00000000
0024:trace:seh:raise_exception ebp=0032f064 esp=0032e2c8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0024:trace:seh:call_stack_handlers calling handler at 0x37022d08 code=c0000005 flags=0
0024:trace:seh:call_stack_handlers handler at 0x37022d08 returned 1
0024:trace:seh:call_stack_handlers calling handler at 0x6172f0 code=c0000005 flags=0
...
--- snip ---
They also try to hide stuff while resolving imports, destroying original lookup data. Additionally, anti-debugging trickery is pulled at a later stage.
There is little to no value in this plugin and still they managed to make the whole product incompatible with certain Windows versions. Good job. Only a brain damaged soul could have done this.
Acrobat 5.0 is officially reported incompatible with newer Windows versions by Microsoft/Adobe due to this plugin (not even application shims can fix this).
Just get rid of this plugin or don't use this version at all.
--- snip ---
rm ~/.wine/drive_c/"Program Files"/Adobe/"Acrobat 5.0"/Reader/plug_ins/InterTrust/DocBox.api
--- snip ---
Regards
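A triage sketch for traces like the one in the comment above, added here as an example (not part of the original comment or of Wine): it scans relay output for a DLL that is first read from disk via CreateFile/ReadFile and then loaded with LoadLibrary, and reports how far past that LoadLibrary return address the first access violation lands. The function name and result keys are made up for the example, and handle reuse after CloseHandle is not tracked.

```python
import re

# Abridged excerpt of the relay/seh trace quoted in the comment above.
SAMPLE_TRACE = r'''
0024:Call KERNEL32.CreateFileA(01301e20 "C:\windows\system32\kernel32.dll",80000000,00000001,00000000,00000003,00000080,00000000) ret=37043b3e
0024:Ret KERNEL32.CreateFileA() retval=0000000c ret=37043b3e
0024:Call KERNEL32.ReadFile(0000000c,011e6de8,00053094,0032e128,00000000) ret=37026d9d
0024:Ret KERNEL32.ReadFile() retval=00000001 ret=37026d9d
0024:Call KERNEL32.LoadLibraryA(0032ec14 "C:\windows\system32\kernel32.dll") ret=3702e5b5
0024:Ret KERNEL32.LoadLibraryA() retval=7b810000 ret=3702e5b5
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x3702e6cb ip=3702e6cb tid=0024
'''

CALL = re.compile(r'^(\w+):Call \w+\.(\w+)\((.*)\) ret=(\w+)$')
RET = re.compile(r'^(\w+):Ret\s+\w+\.(\w+)\(\) retval=(\w+) ret=\w+$')
FAULT = re.compile(r'^\w+:trace:seh:raise_exception code=(\w+) flags=\w+ addr=0x(\w+)')
QUOTED = re.compile(r'L?"([^"]*)"')  # relay prints wide strings as L"..."

def find_disk_image_checks(trace):
    """Flag DLLs that a caller reads from disk and then also loads normally."""
    opening, handles, read_from_disk, findings = {}, {}, {}, []
    for line in map(str.strip, trace.splitlines()):
        if m := CALL.match(line):
            tid, func, args, ret = m.groups()
            path = QUOTED.search(args)
            if func in ("CreateFileA", "CreateFileW") and path:
                opening[tid] = path.group(1).lower()  # wait for the handle in Ret
            elif func == "ReadFile":
                handle, _buf, size = args.split(",")[:3]
                if handle in handles:
                    read_from_disk[handles[handle]] = int(size, 16)
            elif func in ("LoadLibraryA", "LoadLibraryW") and path:
                name = path.group(1).lower()
                if name in read_from_disk:
                    findings.append({"dll": name, "bytes_read": read_from_disk[name],
                                     "caller": int(ret, 16), "fault_offset": None})
        elif m := RET.match(line):
            tid, func, retval = m.groups()
            if func.startswith("CreateFile") and tid in opening and retval != "ffffffff":
                handles[retval] = opening.pop(tid)
        elif (m := FAULT.match(line)) and findings:
            last = findings[-1]
            if m.group(1) == "c0000005" and last["fault_offset"] is None:
                last["fault_offset"] = int(m.group(2), 16) - last["caller"]
    return findings

if __name__ == "__main__":
    print(find_disk_image_checks(SAMPLE_TRACE))
```

A small `fault_offset` means the access violation was raised shortly after the flagged `LoadLibraryA` call returned into the caller, which points at the caller's own resolver code rather than at the loaded DLL.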