https://bugs.winehq.org/show_bug.cgi?id=42716
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |a1b563f41c2246f94467b17d67a369cfbe144a2d
          Component|-unknown                    |ntdll
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #23 from Anastasius Focht focht@gmx.net ---
Hello folks,

--- quote ---
MetaTrader 5 build 1702 is RUNNING! to 08.12.2017
--- quote ---
interesting.
Latest ProtectionID version doesn't detect Denuvo software protection scheme on these newer binaries though:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> Z:\home\focht\Downloads\wine64\drive_c\Program Files\MetaTrader 5\terminal64.exe
File Type : 64-Bit Exe (Subsystem : Win GUI / 2), Size : 45739592 (02B9EE48h) Byte(s) | Machine: 0x8664 (AMD64)
[!] Warning : File is 64 Bit, this os is NOT
Compilation TimeStamp : 0x02B2AE00 -> Tue 08th Jun 1971 21:26:24 (GMT)
[TimeStamp] 0x02B2AE00 -> Tue 08th Jun 1971 21:26:24 (GMT) | PE Header | - | Offset: 0x00000000:00000130 | VA: 0x00000001:40000130 | -
[TimeStamp] 0x5A6110C2 -> Thu 18th Jan 2018 21:25:22 (GMT) | DebugDirectory | - | Offset: 0x00000000:00B9F6D4 | VA: 0x00000001:40BA04D4 | -
[TimeStamp] 0x5A6110C2 -> Thu 18th Jan 2018 21:25:22 (GMT) | DebugDirectory | - | Offset: 0x00000000:00B9F6F0 | VA: 0x00000001:40BA04F0 | -
[TimeStamp] 0x5A6110C2 -> Thu 18th Jan 2018 21:25:22 (GMT) | DebugDirectory | - | Offset: 0x00000000:00B9F70C | VA: 0x00000001:40BA050C | -
-> File Appears to be Digitally Signed @ Offset 02B9D450h, size : 019F8h / 06648 byte(s)
-> File has 468560 (072650h) bytes of appended data starting at offset 02B2AE00h
[!] Executable uses TLS callbacks (3 total... 0 invalid addresses)
[LoadConfig] Struct determined as v8 (Expected size 232 | Actual size 256)
[LoadConfig] CFG (/Guard) - Handler @ 0x1:40A0DFF0
[LoadConfig] CFG Table @ 0x0:00000000 | 0x00 (00) entries
[LoadConfig] CFG Flags : 0x100
[LoadConfig] CodeIntegrity -> Flags 0x0 | Catalog 0x0 (0) | Catalog Offset 0x0 | Reserved 0x0
[LoadConfig] GuardAddressTakenIatEntryTable 0x0:00000000 | Count 0x000000000 (00)
[LoadConfig] GuardLongJumpTargetTable 0x0:00000000 | Count 0x000000000 (00)
[LoadConfig] HybridMetadataPointer 0x1:00000000 | DynamicValueRelocTable 0x0:00000000
[LoadConfig] FailFastIndirectProc 0x0:00000000 | FailFastPointer 0x0:00000000
[LoadConfig] UnknownZero1 0x0 0
[LoadConfig] CFG Data Present, yet setting is not present in the DllCharacteristics.. patched out?
[File Heuristics] -> Flag #1 : 00000100000001001101000000000101 (0x0404D005)
[Entrypoint Section Entropy] : 7.56 (section #5) ".cod1 " | Size : 0x37DF9C (3661724) byte(s)
[DllCharacteristics] -> Flag : (0x8160) -> HEVA | ASLR | DEP | TSA
[SectionCount] 8 (0x8) | ImageSize 0x2BB0000 (45809664) byte(s)
[VersionInfo] Company Name : MetaQuotes Software Corp.
[VersionInfo] Product Name : MetaTrader 5 Client Terminal
[VersionInfo] Product Version : 5.0.0.1755
[VersionInfo] File Description : MetaTrader 5 Client Terminal
[VersionInfo] File Version : 5.0.0.1755
[VersionInfo] Original FileName : terminal.exe
[VersionInfo] Internal Name : terminal.exe
[VersionInfo] Version Comments : https://www.metaquotes.net
[VersionInfo] Legal Trademarks : MetaTrader
[VersionInfo] Legal Copyrights : © 2001-2018. MetaQuotes Software Corp.
[ModuleReport] [IAT] Modules -> CRYPT32.dll | WINMM.dll | VERSION.dll | NETAPI32.dll | WINHTTP.dll | gdiplus.dll | UxTheme.dll | KERNEL32.dll | USER32.dll | GDI32.dll | MSIMG32.dll | WINSPOOL.DRV | ADVAPI32.dll | SHELL32.dll | COMCTL32.dll | SHLWAPI.dll | ole32.dll | OLEAUT32.dll | oledlg.dll | urlmon.dll | IPHLPAPI.DLL | dbghelp.dll | WS2_32.dll | Secur32.dll | OLEACC.dll | IMM32.dll | WTSAPI32.dll | KERNEL32.dll | USER32.dll | KERNEL32.dll | USER32.dll
[Debug Info] (record 1 of 3) (file offset 0xB9F6D0)
Characteristics : 0x0 | TimeDateStamp : 0x5A6110C2 (Thu 18th Jan 2018 21:25:22 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x5B (91)
AddressOfRawData : 0xBB0CAC | PointerToRawData : 0xBAFEAC
CvSig : 0x53445352 | SigGuid 2C4D8F0E-AD9F-41D8-8A44C97DD6BDC20C
Age : 0x1 (1) | Pdb : E:\MetaTrader5\Client\MetaTrader5Terminal\Release64\terminal64.pdb
[Debug Info] (record 2 of 3) (file offset 0xB9F6EC)
Characteristics : 0x0 | TimeDateStamp : 0x5A6110C2 (Thu 18th Jan 2018 21:25:22 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 12 (0xC) -> Undocumented | Size : 0x14 (20)
AddressOfRawData : 0xBB0D08 | PointerToRawData : 0xBAFF08
[Debug Info] (record 3 of 3) (file offset 0xB9F708)
Characteristics : 0x0 | TimeDateStamp : 0x5A6110C2 (Thu 18th Jan 2018 21:25:22 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 13 (0xD) -> Undocumented | Size : 0x3EC (1004)
AddressOfRawData : 0xBB0D1C | PointerToRawData : 0xBAFF1C
[CompilerDetect] -> Borland Delphi (unknown version) - 20% probability
[CompilerDetect] -> Visual C/C++
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 6.486 Second(s) [000001972h (6514) tick(s)] [234 of 580 scan(s) done]
--- snip ---
virustotal.com scan:
https://www.virustotal.com/#/file/0c35cfa4458f4c07b6cae1d88b3c58b3c44cb9eb8c...
Tracing/debugging reveals it still has the same anti-debugging code:
--- snip ---
...
002e:Call KERNEL32.GetModuleHandleA(0023dd70 "kernel32.dll",) ret=141aa6c88
002e:Ret KERNEL32.GetModuleHandleA() retval=7b460000 ret=141aa6c88
002e:Call KERNEL32.GetModuleHandleA(0023dd70 "ntdll.dll",) ret=141aa6c88
002e:Ret KERNEL32.GetModuleHandleA() retval=7bc80000 ret=141aa6c88
002e:Call KERNEL32.IsDebuggerPresent() ret=141bb3358
002e:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=141bb3358
002e:Call KERNEL32.CheckRemoteDebuggerPresent(ffffffffffffffff,0023dff4,) ret=141bf4512
002e:Ret KERNEL32.CheckRemoteDebuggerPresent() retval=00000001 ret=141bf4512
002e:Call ntdll.NtQueryInformationProcess(ffffffffffffffff,0000001e,0023e278,00000008,00000000,) ret=141b8d5e6
002e:Ret ntdll.NtQueryInformationProcess() retval=c0000353 ret=141b8d5e6
002e:Call ntdll.NtSetInformationThread(fffffffffffffffe,00000011,00000000,00000000,) ret=141b1cbbb
002e:Ret ntdll.NtSetInformationThread() retval=00000000 ret=141b1cbbb
002e:Call ntdll.NtQuerySystemInformation(00000023,0023e580,00000002,00000000,) ret=141b7f723
002e:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=141b7f723
002e:Call ntdll.NtQuerySystemInformation(0000000b,0023df68,00000000,0023df40,) ret=141c45332
002e:Ret ntdll.NtQuerySystemInformation() retval=c0000004 ret=141c45332
002e:Call KERNEL32.LocalAlloc(00000000,00005348,) ret=141badf30
002e:Ret KERNEL32.LocalAlloc() retval=00075730 ret=141badf30
002e:Call ntdll.NtQuerySystemInformation(0000000b,00075730,00005348,00000000,) ret=141be95f0
002e:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=141be95f0
002e:Call KERNEL32.LocalFree(00075730,) ret=141bca348
002e:Ret KERNEL32.LocalFree() retval=00000000 ret=141bca348
002e:Call ntdll.NtProtectVirtualMemory(ffffffffffffffff,0023dfe0,0023e1c0,00000040,0023dfc0,) ret=141bd42d0
002e:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=141bd42d0
002e:Call ntdll.NtProtectVirtualMemory(ffffffffffffffff,0023dfe0,0023e1c0,00000004,0023dfc0,) ret=141bd42d0
002e:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=141bd42d0
002e:Call ntdll.NtProtectVirtualMemory(ffffffffffffffff,0023dfe0,0023e1c0,00000004,0023dfc0,) ret=141bd42d0
002e:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=141bd42d0
002e:Call KERNEL32.CloseHandle(deadc0de,) ret=141b7896a
002e:Ret KERNEL32.CloseHandle() retval=00000000 ret=141b7896a
002e:trace:seh:NtRaiseException code=80000004 flags=0 addr=0x141ac6a77 ip=141ac6a77 tid=002e
002e:trace:seh:NtRaiseException rax=000000005295e074 rbx=0000000141aa97a0 rcx=00000000deadc0de rdx=000000000000036a
002e:trace:seh:NtRaiseException rsi=0000000000000000 rdi=0000000140e18390 rbp=000000000023dee0 rsp=000000000023de90
002e:trace:seh:NtRaiseException r8=0000000000265148 r9=000000000000a4a8 r10=00000000c62cf451 r11=0000000000000039
002e:trace:seh:NtRaiseException r12=00000000286d5aa5 r13=0000000140000000 r14=0000000000000004 r15=aaaaaaaaaaaaaaab
...
002e:trace:seh:call_handler calling handler 0x140e0dd80 (rec=0x23dd50, frame=0x23de90 context=0x23d000, dispatch=0x23d4d0)
002e:Call ntdll.RtlUnwindEx(0023de90,141ac6a82,0023dd50,ffffffff80000004,0023d000,0023d520,) ret=140e0de85
...
002e:trace:seh:RtlRestoreContext returning to 141ac6a82 stack 23de90
002e:Call KERNEL32.GetProcessAffinityMask(ffffffffffffffff,0023e0e8,0023dfb8,) ret=141ba20ee
002e:Ret KERNEL32.GetProcessAffinityMask() retval=00000001 ret=141ba20ee
002e:Call KERNEL32.SetThreadAffinityMask(fffffffffffffffe,00000001,) ret=141aca08b
002e:Ret KERNEL32.SetThreadAffinityMask() retval=000000ff ret=141aca08b
002e:Call KERNEL32.Sleep(00000000,) ret=141ad0deb
002e:Ret KERNEL32.Sleep() retval=00000000 ret=141ad0deb
002e:Call KERNEL32.SetThreadAffinityMask(fffffffffffffffe,000000ff,) ret=141c04852
002e:Ret KERNEL32.SetThreadAffinityMask() retval=00000001 ret=141c04852
002e:Call KERNEL32.SetThreadAffinityMask(fffffffffffffffe,00000002,) ret=141aca08b
002e:Ret KERNEL32.SetThreadAffinityMask() retval=000000ff ret=141aca08b
002e:Call KERNEL32.Sleep(00000000,) ret=141ad0deb
002e:Ret KERNEL32.Sleep() retval=00000000 ret=141ad0deb
...
--- snip ---
Out of interest I ran the older MetaTrader5 15xx build this bug was reported against, and it also worked with Wine 3.0.

Fortunately I had the full install directory of MetaTrader5 snapshotted some time ago; otherwise even old installers would try to bootstrap the recent version from the vendor website when run (there is no offline install).

I did a reverse regression test, and it turns out it was fixed by commit https://source.winehq.org/git/wine.git/commitdiff/a1b563f41c2246f94467b17d67... ("ntdll: Add support for debug registers in exceptions on x86-64."), included in the Wine 2.13 release.
Thanks to Alexandre.
---
Not directly related: It seems Denuvo has been acquired by some company called "Irdeto".
https://www.kitguru.net/tech-news/featured-tech-news/matthew-wilson/denuvo-i...
Regards
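The relay trace in the comment above is a compact catalogue of user-mode anti-debugging probes: IsDebuggerPresent (PEB.BeingDebugged), CheckRemoteDebuggerPresent (ProcessDebugPort), NtQueryInformationProcess with class 0x1e (ProcessDebugObjectHandle, answered with STATUS_PORT_NOT_SET 0xc0000353), NtSetInformationThread with class 0x11 (ThreadHideFromDebugger), NtQuerySystemInformation with classes 0x23 (SystemKernelDebuggerInformation) and 0x0b (SystemModuleInformation), CloseHandle on a bogus handle (which raises STATUS_INVALID_HANDLE on Windows only when a debugger is attached), and finally a STATUS_SINGLE_STEP (0x80000004) exception, the debug-register/trap path the referenced commit touches. The script below is an added example, not part of the bug report and not Wine code: it parses `WINEDEBUG=+relay,+seh` output and labels those probes so the same inventory can be taken from any trace. The embedded sample lines are copied from the trace in the comment; the label strings, the choice to flag a failed CloseHandle, and the per-thread call/return pairing are my own design decisions.

```python
"""Label user-mode anti-debugging probes in a Wine relay/seh trace.

Added example, not code from the bug report or from Wine.  Usage:
    WINEDEBUG=+relay,+seh wine terminal64.exe 2>trace.log
    python3 scan_trace.py trace.log
Run without arguments to scan the constructed sample below.
"""
import re
import sys

# Wine relay line shapes: "<tid>:Call mod.func(args) ret=addr" / "<tid>:Ret mod.func() retval=v ret=addr"
CALL_RE = re.compile(r'^(?P<tid>[0-9a-f]+):Call\s+(?P<mod>[\w.]+)\.(?P<func>\w+)\((?P<args>[^)]*)\) ret=(?P<ret>[0-9a-f]+)')
RET_RE = re.compile(r'^(?P<tid>[0-9a-f]+):Ret\s+(?P<mod>[\w.]+)\.(?P<func>\w+)\(\) retval=(?P<retval>[0-9a-f]+)')
SEH_RE = re.compile(r'^(?P<tid>[0-9a-f]+):trace:seh:NtRaiseException code=(?P<code>[0-9a-f]+) flags=\d+ addr=0x(?P<addr>[0-9a-f]+)')

# Documented information-class and status values used by the probes seen in the trace.
PROCESS_INFO = {0x07: "ProcessDebugPort", 0x1e: "ProcessDebugObjectHandle", 0x1f: "ProcessDebugFlags"}
THREAD_INFO = {0x11: "ThreadHideFromDebugger"}
SYSTEM_INFO = {0x0b: "SystemModuleInformation", 0x23: "SystemKernelDebuggerInformation"}
EXCEPTION_CODES = {0x80000003: "STATUS_BREAKPOINT", 0x80000004: "STATUS_SINGLE_STEP",
                   0xc0000008: "STATUS_INVALID_HANDLE"}

# Constructed sample: lines copied from the relay trace in the bug comment.
SAMPLE_TRACE = """\
002e:Call KERNEL32.GetModuleHandleA(0023dd70 "kernel32.dll",) ret=141aa6c88
002e:Ret KERNEL32.GetModuleHandleA() retval=7b460000 ret=141aa6c88
002e:Call KERNEL32.IsDebuggerPresent() ret=141bb3358
002e:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=141bb3358
002e:Call KERNEL32.CheckRemoteDebuggerPresent(ffffffffffffffff,0023dff4,) ret=141bf4512
002e:Ret KERNEL32.CheckRemoteDebuggerPresent() retval=00000001 ret=141bf4512
002e:Call ntdll.NtQueryInformationProcess(ffffffffffffffff,0000001e,0023e278,00000008,00000000,) ret=141b8d5e6
002e:Ret ntdll.NtQueryInformationProcess() retval=c0000353 ret=141b8d5e6
002e:Call ntdll.NtSetInformationThread(fffffffffffffffe,00000011,00000000,00000000,) ret=141b1cbbb
002e:Ret ntdll.NtSetInformationThread() retval=00000000 ret=141b1cbbb
002e:Call ntdll.NtQuerySystemInformation(00000023,0023e580,00000002,00000000,) ret=141b7f723
002e:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=141b7f723
002e:Call ntdll.NtQuerySystemInformation(0000000b,0023df68,00000000,0023df40,) ret=141c45332
002e:Ret ntdll.NtQuerySystemInformation() retval=c0000004 ret=141c45332
002e:Call KERNEL32.LocalAlloc(00000000,00005348,) ret=141badf30
002e:Ret KERNEL32.LocalAlloc() retval=00075730 ret=141badf30
002e:Call KERNEL32.CloseHandle(deadc0de,) ret=141b7896a
002e:Ret KERNEL32.CloseHandle() retval=00000000 ret=141b7896a
002e:trace:seh:NtRaiseException code=80000004 flags=0 addr=0x141ac6a77 ip=141ac6a77 tid=002e
"""


def parse_args(text):
    """Turn 'ffffffffffffffff,0000001e,0023e278,' into ints; keep non-hex tokens as strings."""
    out = []
    for raw in text.split(','):
        raw = raw.strip()
        if not raw:
            continue
        token = raw.split(' ', 1)[0]          # '0023dd70 "kernel32.dll"' -> '0023dd70'
        try:
            out.append(int(token, 16))
        except ValueError:
            out.append(raw)
    return out


def classify(func, args, retval):
    """Return a technique label for one Call/Ret pair, or None if it is not a probe."""
    if func == "IsDebuggerPresent":
        return "PEB.BeingDebugged via IsDebuggerPresent"
    if func == "CheckRemoteDebuggerPresent":
        # retval is the API's BOOL success, not the debugger flag (that is written to args[1]).
        return "ProcessDebugPort via CheckRemoteDebuggerPresent"
    if func == "NtQueryInformationProcess" and len(args) > 1 and args[1] in PROCESS_INFO:
        return "NtQueryInformationProcess(%s)" % PROCESS_INFO[args[1]]
    if func == "NtSetInformationThread" and len(args) > 1 and args[1] in THREAD_INFO:
        return "NtSetInformationThread(%s)" % THREAD_INFO[args[1]]
    if func == "NtQuerySystemInformation" and args and args[0] in SYSTEM_INFO:
        return "NtQuerySystemInformation(%s)" % SYSTEM_INFO[args[0]]
    if func == "CloseHandle" and retval == 0 and args:
        # A failed CloseHandle: on Windows NtClose raises STATUS_INVALID_HANDLE under a debugger.
        return "CloseHandle on invalid handle 0x%x" % args[0]
    return None


def scan(lines):
    """Return [(tid, label), ...] for every probe or debug-related exception in the trace."""
    pending = {}   # tid -> stack of (func, args) for Calls whose Ret has not been seen yet
    findings = []
    for line in lines:
        m = CALL_RE.match(line)
        if m:
            pending.setdefault(m["tid"], []).append((m["func"], parse_args(m["args"])))
            continue
        m = RET_RE.match(line)
        if m:
            stack = pending.get(m["tid"], [])
            if stack and stack[-1][0] == m["func"]:
                func, args = stack.pop()
                label = classify(func, args, int(m["retval"], 16))
                if label:
                    findings.append((m["tid"], label))
            continue
        m = SEH_RE.match(line)
        if m:
            code = int(m["code"], 16)
            name = EXCEPTION_CODES.get(code, "0x%08x" % code)
            findings.append((m["tid"], "exception %s at 0x%s" % (name, m["addr"])))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], errors="replace") as fh:
            findings = scan(fh)
    else:
        findings = scan(SAMPLE_TRACE.splitlines())
    for tid, label in findings:
        print("%s  %s" % (tid, label))


if __name__ == "__main__":
    main(sys.argv)
```

Under Wine every probe in the sample comes back benign (IsDebuggerPresent returned 0, the ProcessDebugObjectHandle query returned STATUS_PORT_NOT_SET), so the useful signal is which probes run and in what order, not their results; the STATUS_SINGLE_STEP line is the one to watch when bisecting exception-handling regressions like the one fixed here. The ThreadHideFromDebugger call is also the reason a debugger attached after this point will stop receiving events from that thread on real Windows.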