http://bugs.winehq.org/show_bug.cgi?id=31279
Anastasius Focht focht@gmx.net changed:
What      |Removed                          |Added
----------+---------------------------------+---------------------------------------
Summary   |SafeDisc: driver crashes under   |Age of Empires II SafeDisc v1.x driver
          |certain circumstances            |crashes in IDT check (INT1/3 hooks)
--- Comment #6 from Anastasius Focht focht@gmx.net 2012-07-22 17:24:59 CDT ---

Hello,
let's target the "Age of Empires II" series with the SafeDisc 1.x driver, otherwise this gets really messed up mixing different versions/games.
The internal driver version seems to be 1.6.0
--- snip ---
in_buff: 00000001 00000006 00000000 0000003d db8ce543 4f190d3a a82e94fd 3cbb7c84
--- snip ---
--- snip ---
typedef struct _SECDRV_IOC_IN_BUFFER
{
    DWORD dwVersionMajor;            /* 1 in the dump above */
    DWORD dwVersionMinor;            /* 6 */
    DWORD dwVersionPatch;            /* 0 */
    DWORD dwCommand;                 /* 0x3d */
    BYTE  bVerificationData[0x400];
    DWORD cbUserData;
    BYTE  bUserData[0x100];
} SECDRV_IOC_IN_BUFFER, *PSECDRV_IOC_IN_BUFFER;
--- snip ---
The command code is 0x3d -> SECDRV_CMD_INFO_IDT
--- snip ---
003e:Call driver dispatch 0x546328 (device=0x11ad80,irp=0x53f14c)
003e:trace:seh:raise_exception code=c0000005 flags=0 addr=0x54287f ip=0054287f tid=003e
003e:trace:seh:raise_exception info[0]=00000000
003e:trace:seh:raise_exception info[1]=7c2f0008
003e:trace:seh:raise_exception eax=7c2f0008 ebx=404a1fdc ecx=00000000 edx=0011ad80 esi=00000145 edi=0053f14c
003e:trace:seh:raise_exception ebp=0053efec esp=0053efac cs=0017 ds=001f es=001f fs=1017 gs=0037 flags=00010202
003e:trace:seh:call_vectored_handlers calling handler at 0x4049db30 code=c0000005 flags=0
003e:trace:int:emulate_instruction Opcode bytes: 8b 18 83 c0 10 8b
003e:err:int:emulate_instruction cannot emulate instruction at 0x54287f: 8b
003e:trace:seh:call_vectored_handlers handler at 0x4049db30 returned 0
003e:trace:seh:call_stack_handlers calling handler at 0x7bc7c450 code=c0000005 flags=0
--- snip ---
Opcodes translated to assembly snippet:
--- snip ---
8B18      MOV EBX,DWORD PTR DS:[EAX]
83C0 10   ADD EAX,10
8B??      MOV EAX,???
--- snip ---
The referenced memory address 0x7c2f0008 is most likely the address that ought to be the INT1 IDT entry (idtbase+8 = INT1).
SafeDisc checks the distance between the INT1 and INT3 vectors to find kernel debuggers like SoftICE that hook them (it subtracts the base addresses specified in the INT1 and INT3 descriptors, without the selectors, and checks the difference against a specific value).
Can you add more trace output to: http://source.winehq.org/git/wine.git/blob/57e4e608dcd73b36f1084e0cfcb7cf092...
(dump of values like "addr", "idtr.base", "idtr.limit")
Regards
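As an added example (not code from the bug report, from Wine, or from the SafeDisc driver), the following C program decodes the in_buff dump posted above with the struct layout from the comment and then performs the INT1/INT3 distance computation the comment describes against a constructed 32-bit IDT: each 8-byte gate descriptor carries the handler offset split around the code selector, so the two halves are reassembled and the selector is ignored before subtracting. The gate contents, handler addresses, and the helper names (decode_in_buffer, set_gate, idt_handler_distance) are assumptions; the bug report does not say which value SafeDisc compares the difference against, so the example only computes the difference and reports when a vector lies beyond idtr.limit.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t DWORD;
typedef uint8_t  BYTE;

/* IOCTL input buffer layout as given in the bug report. */
typedef struct _SECDRV_IOC_IN_BUFFER {
    DWORD dwVersionMajor;
    DWORD dwVersionMinor;
    DWORD dwVersionPatch;
    DWORD dwCommand;
    BYTE  bVerificationData[0x400];
    DWORD cbUserData;
    BYTE  bUserData[0x100];
} SECDRV_IOC_IN_BUFFER;

#define SECDRV_CMD_INFO_IDT 0x3d

/* First eight DWORDs of in_buff exactly as posted in the report; the rest is unknown. */
static const DWORD kInBuffDump[8] = {
    0x00000001, 0x00000006, 0x00000000, 0x0000003d,
    0xdb8ce543, 0x4f190d3a, 0xa82e94fd, 0x3cbb7c84,
};

/* Copy a DWORD dump over a zeroed buffer (clamped to the struct size) and return dwCommand. */
static DWORD decode_in_buffer(const DWORD *dump, size_t ndwords, SECDRV_IOC_IN_BUFFER *out)
{
    memset(out, 0, sizeof *out);
    if (ndwords * sizeof(DWORD) > sizeof *out)
        ndwords = sizeof *out / sizeof(DWORD);
    memcpy(out, dump, ndwords * sizeof(DWORD));
    return out->dwCommand;
}

/* 32-bit x86 interrupt gate: the handler offset is split around the selector. */
typedef struct {
    uint16_t offset_low;
    uint16_t selector;
    uint8_t  reserved;
    uint8_t  type_attr;
    uint16_t offset_high;
} idt_gate32_t;
_Static_assert(sizeof(idt_gate32_t) == 8, "IDT gate descriptors are 8 bytes");

static void set_gate(idt_gate32_t *g, uint16_t selector, uint32_t handler)
{
    g->offset_low  = (uint16_t)(handler & 0xffff);
    g->selector    = selector;
    g->reserved    = 0;
    g->type_attr   = 0x8e;                 /* present, DPL 0, 32-bit interrupt gate */
    g->offset_high = (uint16_t)(handler >> 16);
}

static uint32_t gate_handler(const idt_gate32_t *g)
{
    return ((uint32_t)g->offset_high << 16) | g->offset_low;
}

/* Distance (handler[vb] - handler[va]) with selectors ignored.  Returns -1 if either
 * gate lies past idtr.limit (limit is the offset of the last valid byte, size - 1). */
static int idt_handler_distance(const idt_gate32_t *base, uint16_t limit,
                                unsigned va, unsigned vb, int32_t *dist)
{
    unsigned hi = va > vb ? va : vb;
    if ((size_t)(hi + 1) * sizeof(idt_gate32_t) - 1 > limit)
        return -1;
    *dist = (int32_t)(gate_handler(&base[vb]) - gate_handler(&base[va]));
    return 0;
}

int main(void)
{
    SECDRV_IOC_IN_BUFFER in;
    DWORD cmd = decode_in_buffer(kInBuffDump, 8, &in);
    printf("driver v%" PRIu32 ".%" PRIu32 ".%" PRIu32 ", command 0x%02" PRIx32 "%s\n",
           in.dwVersionMajor, in.dwVersionMinor, in.dwVersionPatch, cmd,
           cmd == SECDRV_CMD_INFO_IDT ? " (SECDRV_CMD_INFO_IDT)" : "");

    /* Constructed IDT with made-up handler addresses; INT1 at base+8, INT3 at base+0x18. */
    idt_gate32_t idt[4];
    memset(idt, 0, sizeof idt);
    set_gate(&idt[1], 0x08, 0x80401230);
    set_gate(&idt[3], 0x08, 0x80401650);

    int32_t d;
    if (idt_handler_distance(idt, (uint16_t)(sizeof idt - 1), 1, 3, &d) == 0)
        printf("INT3 handler - INT1 handler = 0x%" PRIx32 "\n", (uint32_t)d);
    else
        printf("vector beyond idtr.limit\n");
    return 0;
}
```

The limit check is the part worth keeping in mind when reading the trace: a read at idtbase+8 only makes sense if the IDT presented to the driver is at least four entries long, and a truncated or unmapped table turns the subtraction into the access fault seen at 0x7c2f0008.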