https://bugs.winehq.org/show_bug.cgi?id=36736
Bug ID: 36736
Summary: Tucows Download Manager 2014 crashes on startup (decryption scheme relies on 'kernel32.dll.SetFilePointer' hotpatch signature)
Product: Wine
Version: 1.7.20
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: kernel32
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Hello folks,
example download: http://www.tucows.com/preview/609375/Intuit-QuickBooks-Simple-Start-Edition-...
The download manager/installer unpacks a secondary installer from the bootstrapper.
Before that, the app decrypts parts of itself, and under Wine this is done incorrectly, leading to strange results/code paths later.
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./Setup_QuickBooks_SimpleStart_Intel_2009.exe >log.txt 2>&1
...
0023:Starting process L"Z:\home\focht\Downloads\Setup_QuickBooks_SimpleStart_Intel_2009.exe" (entryproc=0x409c40)
0023:Call KERNEL32.GetModuleHandleA(00000000) ret=004030e8
0023:Ret KERNEL32.GetModuleHandleA() retval=00400000 ret=004030e8
0023:Call KERNEL32.GetCommandLineA() ret=004030f3
0023:Ret KERNEL32.GetCommandLineA() retval=00134078 ret=004030f3
...
0023:Call KERNEL32.CreateFileA(004203cc "Z:\home\focht\Downloads\Setup_QuickBooks_SimpleStart_Intel_2009.exe",80000000,00000001,00000000,00000003,00000080,00000000) ret=004075bd
0023:Ret KERNEL32.CreateFileA() retval=00000050 ret=004075bd
0023:Call KERNEL32.FindResourceA(00000000,00002b67,0000000a) ret=00409bfb
0023:Ret KERNEL32.FindResourceA() retval=004112c8 ret=00409bfb
0023:Call KERNEL32.SizeofResource(00000000,004112c8) ret=00409c0e
0023:Ret KERNEL32.SizeofResource() retval=0000002c ret=00409c0e
0023:Call KERNEL32.LoadResource(00000000,004112c8) ret=00409c20
0023:Ret KERNEL32.LoadResource() retval=00419a88 ret=00409c20
0023:Call KERNEL32.LockResource(00419a88) ret=00409c31
0023:Ret KERNEL32.LockResource() retval=00419a88 ret=00409c31
...
0023:Call KERNEL32.CreateFileA(00437a5c "C:\users\focht\Temp\is-RJFDD.tmp\Setup_QuickBooks_SimpleStart_Intel_2009.tmp",40000000,00000000,00000000,00000002,00000080,00000000) ret=004075bd
0023:Ret KERNEL32.CreateFileA() retval=00000054 ret=004075bd
...
0023:Call KERNEL32.SetFilePointer(00000050,00000000,0033fd78,00000001) ret=004075e0
0023:Ret KERNEL32.SetFilePointer() retval=000b9b03 ret=004075e0
0023:Call KERNEL32.SetFilePointer(00000050,000b9b03,0033fd60,00000000) ret=00407690
0023:Ret KERNEL32.SetFilePointer() retval=000b9b03 ret=00407690
0023:Call KERNEL32.SetFilePointer(00000054,00002a72,0033fd7c,00000000) ret=00407690
0023:Ret KERNEL32.SetFilePointer() retval=00002a72 ret=00407690
0023:Call KERNEL32.SetEndOfFile(00000054) ret=004076b8
0023:Ret KERNEL32.SetEndOfFile() retval=00000001 ret=004076b8
0023:Call KERNEL32.SetFilePointer(00000054,00000000,0033fd7c,00000000) ret=00407690
0023:Ret KERNEL32.SetFilePointer() retval=00000000 ret=00407690
0023:Call KERNEL32.WriteFile(00000054,00420424,00002a72,0033fd88,00000000) ret=004076e4
0023:Ret KERNEL32.WriteFile() retval=00000001 ret=004076e4
0023:Call KERNEL32.CloseHandle(00000054) ret=0040755d
0023:Ret KERNEL32.CloseHandle() retval=00000001 ret=0040755d
0023:Call KERNEL32.CloseHandle(00000050) ret=0040755d
0023:Ret KERNEL32.CloseHandle() retval=00000001 ret=0040755d
0023:Call user32.CreateWindowExA(00000000,0040a334 "STATIC",0040a320 "InnoSetupLdrWindow",00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000) ret=0040a136
...
0023:Call KERNEL32.CreateProcessA(00000000,00420488 ""C:\users\focht\Temp\is-RJFDD.tmp\Setup_QuickBooks_SimpleStart_Intel_2009.tmp" /SL5="$10066,747501,80384,Z:\home\focht\Downloads\Setup_QuickBooks_SimpleStart_Intel_2009.exe" ",00000000,00000000,00000000,00000000,00000000,00000000,0033fd64,0033fd54) ret=00409a19
0023:Ret KERNEL32.CreateProcessA() retval=00000000 ret=00409a19
0023:Call KERNEL32.GetLastError() ret=00409671
0023:Ret KERNEL32.GetLastError() retval=00000005 ret=00409671
0023:Call KERNEL32.FormatMessageA(00003200,00000000,00000005,00000000,0033f8f8,00000400,00000000) ret=004072a8
0023:Ret KERNEL32.FormatMessageA() retval=00000010 ret=004072a8
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x402eb4 ip=00402eb4 tid=0023
0023:trace:seh:raise_exception info[0]=00000000
0023:trace:seh:raise_exception info[1]=0000fd38
0023:trace:seh:raise_exception eax=00420654 ebx=00000069 ecx=00000002 edx=00000000 esi=00000005 edi=0040b240
0023:trace:seh:raise_exception ebp=0033fd34 esp=0033fd00 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010212
0023:trace:seh:call_stack_handlers calling handler at 0x4096eb code=c0000005 flags=0
...
0023:trace:seh:call_stack_handlers handler at 0x7bc825c1 returned 2
0023:trace:seh:call_stack_handlers calling handler at 0x4096eb code=c00000fd flags=10
0023:err:seh:setup_exception_record stack overflow 992 bytes in thread 0023 eip f73e796b esp 00240f50 stack 0x240000-0x241000-0x340000
--- snip ---
What the log doesn't show (found while debugging): the app uses the entry point signature of 'kernel32.dll.SetFilePointer' as the seed for further decryption.
--- snip ---
...
0040400C 8B73 01 MOV ESI,DWORD PTR DS:[EBX+1] ; SetFilePointer
0040400F 89F7 MOV EDI,ESI ;
00404011 4F DEC EDI
00404012 8B57 01 MOV EDX,DWORD PTR DS:[EDI+1] ; *(DWORD*)entry
00404015 BB 6319F033 MOV EBX,33F01963
0040401A 31DA XOR EDX,EBX
0040401C 89D3 MOV EBX,EDX
0040401E 53 PUSH EBX
0040401F 5E POP ESI
00404020 89F0 MOV EAX,ESI
00404022 BA A6AA2938 MOV EDX,3829AAA6
00404027 81F2 A2AA2938 XOR EDX,3829AAA2
0040402D 29D4 SUB ESP,EDX
0040402F 890424 MOV DWORD PTR SS:[ESP],EAX
00404032 68 22778D73 PUSH 738D7722
00404037 B9 E9E37802 MOV ECX,278E3E9
0040403C 58 POP EAX
0040403D 31C1 XOR ECX,EAX
0040403F BF 7325BB99 MOV EDI,99BB2573
00404044 31F9 XOR ECX,EDI
00404046 81F1 5057EB50 XOR ECX,50EB5750
0040404C 31CE XOR ESI,ECX
--- snip ---
Wine's 'kernel32.dll.SetFilePointer' entry signature:
--- snip ---
7B83EE7E 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
7B83EE82 83E4 F0 AND ESP,FFFFFFF0
7B83EE85 FF71 FC PUSH DWORD PTR DS:[ECX-4]
7B83EE88 55 PUSH EBP
7B83EE89 89E5 MOV EBP,ESP
7B83EE8B 56 PUSH ESI
7B83EE8C 53 PUSH EBX
7B83EE8D 51 PUSH ECX
7B83EE8E 83EC 4C SUB ESP,4C
7B83EE91 E8 FA07FEFF CALL KERNEL32.__x86.get_pc_thunk.bx
7B83EE96 81C3 6AC10700 ADD EBX,7C16A
--- snip ---
The app expects a hotpatch-type entry (MOV EDI,EDI; PUSH EBP; MOV EBP,ESP), which gives the proper seed.
With 'DECLSPEC_HOTPATCH':
--- snip ---
7B83EE8E 8BFF MOV EDI,EDI
7B83EE90 55 PUSH EBP
7B83EE91 8BEC MOV EBP,ESP
7B83EE93 5D POP EBP
7B83EE94 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
7B83EE98 83E4 F0 AND ESP,FFFFFFF0
7B83EE9B FF71 FC PUSH DWORD PTR DS:[ECX-4]
7B83EE9E 55 PUSH EBP
7B83EE9F 89E5 MOV EBP,ESP
...
--- snip ---
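To make the dependency concrete, here is an added C example (not code from this report, from the installer, or from Wine) that models only the first step of the seed derivation shown in the 0040400C disassembly: load the first DWORD at the SetFilePointer entry and XOR it with 33F01963. The two byte strings are constructed from the prologue listings above (Wine's plain entry and the DECLSPEC_HOTPATCH entry); everything after the first XOR in the app's chain is deliberately not reproduced. The point it demonstrates is why the scheme works on Windows at all: every hotpatchable export starts with the same five bytes 8B FF 55 8B EC, so the first DWORD is 0x8B55FF8B for any such function, while Wine's LEA-based prologue yields a different value and therefore a different seed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed from the listings in the report: Wine's plain SetFilePointer
 * entry (LEA ECX,[ESP+4]; AND ESP,-16; PUSH [ECX-4] ...). */
static const uint8_t wine_plain_entry[] = {
    0x8D, 0x4C, 0x24, 0x04, 0x83, 0xE4, 0xF0, 0xFF, 0x71, 0xFC
};

/* The same entry built with DECLSPEC_HOTPATCH:
 * MOV EDI,EDI; PUSH EBP; MOV EBP,ESP; POP EBP; then the original prologue. */
static const uint8_t wine_hotpatch_entry[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x5D, 0x8D, 0x4C, 0x24, 0x04
};

/* Little-endian 32-bit load, the effect of MOV EDX,DWORD PTR DS:[EDI+1]
 * (EDI was set to entry-1, so this reads the DWORD at the entry itself). */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirrors 00404012..0040401A: seed = *(DWORD *)entry ^ 33F01963.
 * Only this first step is modelled; the later XOR chain is not. */
uint32_t derive_seed(const uint8_t *entry)
{
    return load_le32(entry) ^ 0x33F01963u;
}

/* Returns 1 when the entry has the MS hotpatch shape 8B FF 55 8B EC
 * (MOV EDI,EDI; PUSH EBP; MOV EBP,ESP), which is what the app assumes. */
int has_hotpatch_prologue(const uint8_t *entry)
{
    static const uint8_t sig[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    return memcmp(entry, sig, sizeof sig) == 0;
}

int main(void)
{
    printf("plain    entry: hotpatch=%d seed=%08X\n",
           has_hotpatch_prologue(wine_plain_entry), derive_seed(wine_plain_entry));
    printf("hotpatch entry: hotpatch=%d seed=%08X\n",
           has_hotpatch_prologue(wine_hotpatch_entry), derive_seed(wine_hotpatch_entry));
    return 0;
}
```

The hotpatch entry gives seed B8A5E6E8 and the plain Wine entry gives 37D455EE; since the app keys the rest of its decryption off that value, a prologue mismatch corrupts everything downstream, which matches the garbage code paths and the later crash in the relay log. The same `has_hotpatch_prologue` check is what a Wine conformance test could run over the exports an application is known to fingerprint.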
With that part fixed, the installer runs into the next (known) mshtml/ieframe bug.
A DRM/protection scan on the installer doesn't show suspicious schemes (might be custom).
--- snip ---
-=[ ProtectionID v0.6.5.5 OCTOBER]=-
(c) 2003-2013 CDKiLLER & TippeX
Build 31/10/13-21:09:09
Ready...
Scanning -> Z:\home\focht\Downloads\Setup_QuickBooks_SimpleStart_Intel_2009.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 768984 (0BBBD8h) Byte(s)
-> File Appears to be Digitally Signed @ Offset 0B9B08h, size : 020D0h / 08400 byte(s)
-> File has 680200 (0A6108h) bytes of appended data starting at offset 013A00h
[File Heuristics] -> Flag : 00000000000001001100000000100100 (0x0004C024)
[Entrypoint Section Entropy] : 6.66
[-= Installer =-] Inno Setup v5.5.0 Module
- Scan Took : 0.261 Second(s) [000000105h tick(s)] [533 scan(s) done]
--- snip ---

$ du -sh Setup_QuickBooks_SimpleStart_Intel_2009.exe
752K Setup_QuickBooks_SimpleStart_Intel_2009.exe

$ sha1sum Setup_QuickBooks_SimpleStart_Intel_2009.exe
d2f213e1d05845897c9dae891a73d6be62283206 Setup_QuickBooks_SimpleStart_Intel_2009.exe

$ wine --version
wine-1.7.20
Regards