https://bugs.winehq.org/show_bug.cgi?id=36934
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |Installer, obfuscation Status|UNCONFIRMED |RESOLVED CC| |focht@gmx.net Resolution|--- |WONTFIX Summary|Command and Conquer: Red |C&C Red Alert 2 installer |Alert 2 - Installation |reports "A debugger has |won't start and complains |been detected. Unload the |about debugger |debugger and try again." | |when run in Win9x mode | |(SafeDisc v2.05.030)
--- Comment #2 from Anastasius Focht focht@gmx.net --- Hello folks,
confirming.
The game is protected by Safedisc v2.05.030 which uses different code paths when detecting it is being run on Win9X systems.
Setting 'WinVer' to Win9X is usually a _bad_ choice when it comes to emulating copy protection/DRM schemes. Certain stuff that works on Win9X can't be properly supported by design.
You are better off leaving the WINEPREFIX Windows version at *default* setting unless you know what it really means/implies.
Unfortunately in NT/2K/XP+ mode, Safedisc v2.05.030 runs into bug 30155 which is still valid.
--- snip --- $ pwd /home/focht/.wine/drive_c/Westwood/RA2 ... 0009:Call KERNEL32.LoadLibraryA(0033f9c0 "C:\users\focht\Temp\~ef87a1\~df394b.tmp") ret=0041cf4b 0009:trace:loaddll:load_native_dll Loaded L"C:\users\focht\Temp\~ef87a1\~df394b.tmp" at 0x10000000: native 0009:Call PE DLL (proc=0x1002ce40,module=0x10000000 L"~df394b.tmp",reason=PROCESS_ATTACH,res=(nil)) ... 0009:Ret PE DLL (proc=0x1002ce40,module=0x10000000 L"~df394b.tmp",reason=PROCESS_ATTACH,res=(nil)) retval=1 0009:Ret KERNEL32.LoadLibraryA() retval=10000000 ret=0041cf4b ... 0009:Call KERNEL32.GetProcAddress(10000000,00148e70 "Ox12121212") ret=0041ccd8 0009:Ret KERNEL32.GetProcAddress() retval=1000520c ret=0041ccd8 ... 0009:Call KERNEL32.GetModuleHandleA(00641180 "Kernel32") ret=1001ea98 0009:Ret KERNEL32.GetModuleHandleA() retval=7b810000 ret=1001ea98 0009:Call KERNEL32.LoadLibraryA(00641280 "Kernel32.dll") ret=10025692 0009:Ret KERNEL32.LoadLibraryA() retval=7b810000 ret=10025692 0009:Call KERNEL32.GetProcAddress(7b810000,00641290 "ReadProcessMemory") ret=10025758 0009:Ret KERNEL32.GetProcAddress() retval=7b824c7c ret=10025758 0009:Call KERNEL32.GetProcAddress(7b810000,006412b0 "WriteProcessMemory") ret=10025758 0009:Ret KERNEL32.GetProcAddress() retval=7b825f54 ret=10025758 0009:Call KERNEL32.GetProcAddress(7b810000,006412d0 "VirtualProtect") ret=10025758 0009:Ret KERNEL32.GetProcAddress() retval=7b825b64 ret=10025758 0009:Call KERNEL32.VirtualProtect(10001000,000155e6,00000004,0033fad0) ret=10006831 0009:Ret KERNEL32.VirtualProtect() retval=00000001 ret=10006831 0009:Call KERNEL32.VirtualProtect(10017000,000041e7,00000004,0033fad0) ret=10006831 0009:Ret KERNEL32.VirtualProtect() retval=00000001 ret=10006831 0009:Call KERNEL32.VirtualProtect(1001c000,0001ba4a,00000004,0033fad0) ret=10006831 0009:Ret KERNEL32.VirtualProtect() retval=00000001 ret=10006831 0009:Call KERNEL32.GetVersionExA(0033fa10) ret=1000804b 0009:Ret KERNEL32.GetVersionExA() retval=00000001 ret=1000804b 0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x10008218 ip=10008218 tid=0009 0009:trace:seh:raise_exception info[0]=00000000 0009:trace:seh:raise_exception info[1]=ff569028 0009:trace:seh:raise_exception eax=0033fa00 ebx=ff569028 ecx=00000028 edx=0033faa4 esi=ff569028 edi=0033fa00 0009:trace:seh:raise_exception ebp=0033fad0 esp=0033f9c8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010286 0009:trace:seh:call_vectored_handlers calling handler at 0x7ea21bd4 code=c0000005 flags=0 0009:trace:seh:call_vectored_handlers handler at 0x7ea21bd4 returned 0 0009:trace:seh:call_vectored_handlers calling handler at 0x7ea1707b code=c0000005 flags=0 0009:trace:seh:call_vectored_handlers handler at 0x7ea1707b returned 0 0009:trace:seh:call_stack_handlers calling handler at 0x1002d1d8 code=c0000005 flags=0 0009:Call ntdll.RtlUnwind(0033fac0,1002d0f8,00000000,00000000) ret=1002d0f8 0009: eax=00000001 ebx=0033fac0 ecx=00000000 edx=7bc814fd esi=00000000 edi=100381e0 ebp=0033f484 esp=0033f474 ds=002b es=002b fs=0063 gs=006b flags=00000202 0009:trace:seh:__regs_RtlUnwind code=c0000027 flags=2 0009:trace:seh:__regs_RtlUnwind calling handler at 0x7bc814fd code=c0000027 flags=2 0009:trace:seh:__regs_RtlUnwind handler at 0x7bc814fd returned 1 0009:Ret ntdll.RtlUnwind() retval=00000000 ret=1002d0f8 0009: eax=00000000 ebx=0033fac0 ecx=00000000 edx=7bc814fd esi=00000000 edi=100381e0 ebp=0033f484 esp=0033f474 ds=002b es=002b fs=0063 gs=006b flags=00000202 0009:Call KERNEL32.VirtualProtect(100204f6,00000020,00000004,0033f994) ret=1001c6b0 0009:Ret KERNEL32.VirtualProtect() retval=00000001 ret=1001c6b0 ... 0009:Call KERNEL32.LoadLibraryA(1004f198 "C:\users\focht\Temp\~ef87a1\~de50cd.tmp") ret=100019cd 0009:trace:loaddll:load_native_dll Loaded L"C:\users\focht\Temp\~ef87a1\~de50cd.tmp" at 0x340000: native ... 0009:Call KERNEL32.GetProfileIntA(0036a158 "C-DILLA",0036a160 "TESTMESSAGES",00000000) ret=0034e4b7 0009:Ret KERNEL32.GetProfileIntA() retval=00000000 ret=0034e4b7 0009:Call KERNEL32.GetVersionExA(0033f8c4) ret=0034e58e 0009:Ret KERNEL32.GetVersionExA() retval=00000001 ret=0034e58e 0009:Call KERNEL32.GetProfileIntA(0036a158 "C-DILLA",0036a14c "INTERACTIVE",00000000) ret=0034e60b 0009:Ret KERNEL32.GetProfileIntA() retval=00000000 ret=0034e60b 0009:Call KERNEL32.GetModuleHandleA(1004b048 "~de50cd.tmp") ret=0034e020 0009:Ret KERNEL32.GetModuleHandleA() retval=00340000 ret=0034e020 0009:Call KERNEL32.LoadLibraryA(00b51220 "C:\users\focht\Temp\~ef87a1\~df394b.tmp") ret=00362ef0 0009:Ret KERNEL32.LoadLibraryA() retval=10000000 ret=00362ef0 0009:Call KERNEL32.GetProcAddress(10000000,00370d70 "Ox12345678") ret=00362f2b 0009:Ret KERNEL32.GetProcAddress() retval=10023900 ret=00362f2b ... 0009:Call KERNEL32.OpenFileMappingA(00000002,00000000,0033ed14 "SAFEDISC_ERROR_00000008") ret=00354032 0009:Ret KERNEL32.OpenFileMappingA() retval=00000000 ret=00354032 ... 0009:Call user32.MessageBoxA(00010020,00b51d90 "Unload the debugger and try again",00b51cb0 "A debugger has been detected",00040010) ret=00353217 ... --- snip ---
Code sequence in question, in between obfuscated code.
--- snip --- ... 100081FA C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0 10008201 60 PUSHAD 10008202 9C PUSHFD 10008203 0F014D DC SIDT FWORD PTR SS:[EBP-24] 10008207 8B5D DE MOV EBX,DWORD PTR SS:[EBP-22] ; IDTR+2 1000820A 039D 38FFFFFF ADD EBX,DWORD PTR SS:[EBP-0C8] ; +0x28 = INT 5 10008210 8BBD 2CFFFFFF MOV EDI,DWORD PTR SS:[EBP-0D4] ; saved gate 10008216 8BF3 MOV ESI,EBX 10008218 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 10008219 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 1000821A FA CLI 1000821B 8BFB MOV EDI,EBX ; new gate 1000821D 8B75 E4 MOV ESI,DWORD PTR SS:[EBP-1C] 10008220 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 10008221 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 10008222 FB STI 10008223 FA CLI 10008224 8BFB MOV EDI,EBX 10008226 8BB5 2CFFFFFF MOV ESI,DWORD PTR SS:[EBP-0D4] ; old gate 1000822C A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 1000822D A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 1000822E FB STI 1000822F 9D POPFD 10008230 61 POPAD 10008231 C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1 10008238 E9 9E000000 JMP 100082DB 1000823D B8 01000000 MOV EAX,1 10008242 C3 RETN ... --- snip ---
At first glance it looks like the "old" way of getting/testing ring0 privileges by using software interrupt. Basically an IDT entry is patched with a handler containing custom code that ought to be run in ring0. An 'INT' instruction with selected interrupt number is executed to trigger the handler. The IDT entry needs to have DPL3 to allow execution of 'INT' from ring3. Usually INT 1,3,4,5... are suitable for that task (here 'INT 5' is chosen).
But ... the actual 'INT' instruction is missing in between. Also the "handler" misses the 'IRETD' hence it's never meant to be executed. It just restores the IDT entry (gate) again.
IDTR base = 0xff569000
--- snip IDTR --- Address 16-bit hex dump $ ==> 0FFF 9000 FF56 --- snip IDTR ---
I think the idea was to check if the installed userspace SEH gets triggered on NT-based systems in case someone tried to fake Win9X by lying in GetVersionInfo().
Resolving 'WONTFIX'.
--- snip --- -=[ ProtectionID v0.6.5.5 OCTOBER]=- (c) 2003-2013 CDKiLLER & TippeX Build 31/10/13-21:09:09 Ready...
Scanning -> E:\Setup\drvmgt.dll File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 34304 (08600h) Byte(s) [File Heuristics] -> Flag : 00000000000001001100000000000000 (0x0004C000) [Entrypoint Section Entropy] : 6.45 [!] Safedisc driver managment dll (drvmgt.dll) detected! [CompilerDetect] -> Visual C++ 5.1 - Scan Took : 0.278 Second(s) [000000116h tick(s)] [229 scan(s) done]
Scanning -> E:\Setup\secdrv.sys File Type : 32-Bit Driver (good checksum) (Subsystem : Native / 1), Size : 18768 (04950h) Byte(s) -> File has 592 (0250h) bytes of appended data starting at offset 04700h [File Heuristics] -> Flag : 00000100000000000000000000000111 (0x04000007) [Entrypoint Section Entropy] : 6.13 [Debug Info] Characteristics : 0x0 | TimeDateStamp : 0x398E144A | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 4 -> Misc | Size : 0x110 (272) AddressOfRawData : 0x0 | PointerToRawData : 0x4700 [!] Safedisc protection driver (secdrv.sys) detected! - Scan Took : 0.289 Second(s) [000000121h tick(s)] [128 scan(s) done]
Scanning -> E:\Setup\Setup.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 1308863 (013F8BFh) Byte(s) -> File has 733375 (0B30BFh) bytes of appended data starting at offset 08C800h [File Heuristics] -> Flag : 00000000000000000100000000100111 (0x00004027) [Entrypoint Section Entropy] : 6.26 [!] Safedisc v2.05.030 detected ! [i] Appended data contents.... [.] o: 0x0008C828 / t: <0x00000001> <0x00000000> <0x00000001> / s: 00194947 byte(s) -> ~de7bc4.tmp [.] o: 0x000BC1D2 / t: <0x00000001> <0x00000000> <0x0000044C> / s: 00030208 byte(s) -> clcd32.dll [.] o: 0x000C37F9 / t: <0x00000001> <0x00000000> <0x0000044C> / s: 00006784 byte(s) -> clcd16.dll [.] o: 0x000C529D / t: <0x00000001> <0x00000000> <0x0000044D> / s: 00067584 byte(s) -> mcp.dll [.] o: 0x000D5AC5 / t: <0x00000001> <0x00000000> <0x00000000> / s: 00327220 byte(s) -> ~df394b.tmp [.] o: 0x00125920 / t: <0x00000001> <0x00000000> <0x00000002> / s: 00034304 byte(s) -> drvmgt.dll [.] o: 0x0012DF47 / t: <0x00000001> <0x00000000> <0x00000002> / s: 00018768 byte(s) -> secdrv.sys [.] o: 0x001328BF / t: <0x00000001> <0x00000000> <0x00000000> / s: 00053248 byte(s) -> ~ef7194.tmp [CompilerDetect] -> Visual C++ 6.0 - Scan Took : 0.425 Second(s) [0000001A9h tick(s)] [533 scan(s) done] --- snip ---
$ wine --version wine-1.7.26-21-g45c1d7c
Regards