http://bugs.winehq.org/show_bug.cgi?id=34618
Anastasius Focht focht@gmx.net changed:
What                |Removed                     |Added
----------------------------------------------------------------------------
Keywords|                            |obfuscation
CC|                            |focht@gmx.net
Summary|bleem! demo thinks that     |bleem! demo thinks that
|Wine is a debugger and      |Wine is a debugger and
|doesn't run                 |doesn't run (expects Win9x
|                            |TEB field 'DebugContext'
|                            |instead of NT Process ID)
--- Comment #2 from Anastasius Focht focht@gmx.net 2013-09-28 15:32:48 CDT ---

Hello folks,

the trace log doesn't reveal much; you have to debug the actual code...
--- snip ---
...
0025:Starting process L"C:\Program Files\bleem\bleem!\bleem!.exe" (entryproc=0x401000)
0025:Call KERNEL32.GetVersionExA(00401134) ret=0040102b
0025:Ret  KERNEL32.GetVersionExA() retval=00000001 ret=0040102b
0025:Call KERNEL32.GetModuleFileNameA(00000000,004011e0,00000104) ret=00401058
0025:Ret  KERNEL32.GetModuleFileNameA() retval=00000028 ret=00401058
0025:Call KERNEL32.CreateFileA(004011e0 "C:\Program Files\bleem\bleem!\bleem!.exe",80000000,00000001,00000000,00000003,00000080,00000000) ret=0040107c
0025:Ret  KERNEL32.CreateFileA() retval=00000064 ret=0040107c
0025:Call KERNEL32.CreateFileMappingA(00000064,00000000,00000002,00000000,00000000,00000000) ret=00401096
0025:Ret  KERNEL32.CreateFileMappingA() retval=00000068 ret=00401096
0025:Call KERNEL32.MapViewOfFile(00000068,00000004,00000000,00000000,00000000) ret=004010ad
0025:Ret  KERNEL32.MapViewOfFile() retval=00530000 ret=004010ad
0025:Call KERNEL32.UnmapViewOfFile(00530000) ret=004010d6
0025:Ret  KERNEL32.UnmapViewOfFile() retval=00000001 ret=004010d6
0025:Call KERNEL32.CloseHandle(00000068) ret=004010e1
0025:Ret  KERNEL32.CloseHandle() retval=00000001 ret=004010e1
0025:Call KERNEL32.CloseHandle(00000064) ret=004010ec
0025:Ret  KERNEL32.CloseHandle() retval=00000001 ret=004010ec
0025:Call user32.MessageBeep(00000010) ret=004010ff
0025:Ret  user32.MessageBeep() retval=00000001 ret=004010ff
0025:Call user32.MessageBoxA(00000000,0040142d "This program is not designed to operate with a debugger!\n\nPlease disable or exit the debugger and try again.",004012e5 "bleem, llc.",00011010) ret=0040111c
--- snip ---
The code in question:
--- snip ---
00585586  C74424 24 06000000   MOV DWORD PTR SS:[ESP+24],6
0058558E  64:A1 20000000       MOV EAX,DWORD PTR FS:[20]
00585594  85C0                 TEST EAX,EAX
00585596  C3                   RETN
--- snip ---
On Win9x systems the TEB field FS:[0x20] is also known as 'DebugContext'.
Wine implements the NT behaviour for this TEB field -> "teb->ClientId.UniqueProcess"

I doubt it's worth messing up Wine code just for this app...

As a workaround, patch the executable to foil the debugger check.

--- snip ---
$ printf '\x30' | dd of=bleem!.exe bs=1 seek=349588 count=1 conv=notrunc
--- snip ---
What does it do?
It changes the opcode 0x85,0xC0 (test eax,eax) at file offset 0x55594 to 0x30,0xC0 (xor eax,eax), faking success.
This lets the app run into the next Wine bug ...
Regards
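A scripted form of the byte patch from the comment above, added here as an example and not part of the original report: it derives the file offset from the disassembly address and the MapViewOfFile() base in the trace (0x585594 - 0x530000 = 0x55594 = 349588, matching the dd seek value), and refuses to write unless the original 85 C0 opcode is actually at that offset. The sample file it patches is constructed in the script; the function names are assumptions, not anything from the bug or from Wine.

```python
import os
import tempfile

# Values taken from the trace and the disassembly in the comment.
MAP_BASE = 0x00530000          # MapViewOfFile() retval: the exe mapped as a flat file view
CHECK_VA = 0x00585594          # address of TEST EAX,EAX after MOV EAX,FS:[20]
ORIG_OPCODE = b"\x85\xc0"      # test eax,eax
PATCHED_OPCODE = b"\x30\xc0"   # xor eax,eax -> EAX = 0, ZF set, "no debugger"


def file_offset(va, map_base=MAP_BASE):
    """Map an address inside the raw file view back to a file offset (VA - base)."""
    if va < map_base:
        raise ValueError("address lies below the mapping base")
    return va - map_base


def patch_debugger_check(path, offset=None):
    """Write the two-byte patch only if the expected opcode is really there."""
    if offset is None:
        offset = file_offset(CHECK_VA)
    with open(path, "r+b") as f:
        f.seek(offset)
        found = f.read(len(ORIG_OPCODE))
        if found == PATCHED_OPCODE:
            return "already patched"
        if found != ORIG_OPCODE:
            raise ValueError(f"unexpected bytes {found.hex()} at offset {offset:#x}")
        f.seek(offset)
        f.write(PATCHED_OPCODE)
    return "patched"


def make_sample_exe(path, offset=None):
    """Constructed stand-in for bleem!.exe: zero-filled, with the check opcode at offset."""
    if offset is None:
        offset = file_offset(CHECK_VA)
    data = bytearray(offset + 16)
    data[offset:offset + len(ORIG_OPCODE)] = ORIG_OPCODE
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Patch a constructed sample twice and return (first result, second result, bytes now)."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    os.close(fd)
    try:
        make_sample_exe(path)
        first = patch_debugger_check(path)
        second = patch_debugger_check(path)
        with open(path, "rb") as f:
            f.seek(file_offset(CHECK_VA))
            now = f.read(len(ORIG_OPCODE))
        return first, second, now
    finally:
        os.remove(path)
```

Run `demo()` to see the verified patch applied once and then recognised as already present; pointing `patch_debugger_check()` at a file with other bytes at the offset raises instead of writing.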