https://bugs.winehq.org/show_bug.cgi?id=18119
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
                 CC|                            |focht@gmx.net
            Summary|SmartDraw aborts after      |SmartDraw 2009/2010/CI
                   |displaying trial window     |aborts after displaying
                   |                            |trial window
--- Comment #5 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
The latest version from the website, 'SmartDraw CI' is infested with some intrusive DRM scheme.
--- snip ---
-=[ ProtectionID v0.6.5.5 OCTOBER]=-
(c) 2003-2013 CDKiLLER & TippeX
Build 31/10/13-21:09:09
Scanning -> Z:\home\focht.wine\drive_c\SmartDraw CI\SmartDraw.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 6050784 (05C53E0h) Byte(s)
-> File Appears to be Digitally Signed @ Offset 05C3A00h, size : 01960h / 06496 byte(s)
-> File has 1928832 (01D6E80h) bytes of appended data starting at offset 03ECC00h
[File Heuristics] -> Flag : 00000000000001001100001000100111 (0x0004C227)
[Entrypoint Section Entropy] : 5.88
[!] LiCENSE - CrypKey Instant v7.x Wrapperdetected !
[CompilerDetect] -> Visual C++ 9.0 (Visual Studio 2008)
- Scan Took : 0.346 Second(s) [00000015Ah tick(s)] [533 scan(s) done]
--- snip ---
When you run the trial, a second process is started which "protects" the first process by acting as debugger. Besides standard anti-debugging measures, some 'Nanomite' mechanism is used to decrypt pages on the fly (first employed by the Armadillo DRM scheme).
Fortunately I found an older SmartDraw 2010 demo here: http://download.cnet.com/SmartDraw-2009/3000-2075_4-10898880.html
This version has less intrusive anti-debugging checks which can be bypassed quickly (only 'IsDebuggerPresent' and 'NtQueryInformationProcess' 'DebugPort' info class).
--- snip ---
...
0023:Call PE DLL (proc=0x2cd50b9,module=0x2c90000 L"SDC.dll",reason=PROCESS_ATTACH,res=(nil))
...
0023:Call user32.CreatePopupMenu() ret=02c9bbc7
0023:trace:menu:CreateMenu return 0x10152
0023:Ret user32.CreatePopupMenu() retval=00010152 ret=02c9bbc7
...
0023:Call user32.AppendMenuA(00010152,00000110,000075cd,02d39b20) ret=02c9ce48
0023:trace:menu:InsertMenuW hMenu 0x10152, pos -1, flags 00000510, id 75cd, str 0x2d39b20 (not a string)
0023:trace:menu:MENU_InsertItem inserting at 0 flags 510
0023:trace:menu:do_debug_print_menuitem SetMenuItemInfo_common from: { ID=0x0 }
0023:warn:menu:MENU_GetMenu other process menu 0x75cd?
0023:trace:menu:RemoveMenu (menu=0x10152 pos=ffffffff flags=0510)
0023:Ret user32.AppendMenuA() retval=00000000 ret=02c9ce48
...
0023:Call user32.DestroyMenu(00010152) ret=02cbc110
0023:Ret user32.DestroyMenu() retval=00000001 ret=02cbc110
...
0023:Call user32.MessageBoxA(000200e2,00cad248 "Unable to load SmartDraw. Perhaps too many instances are open.",00cad140 "SmartDraw",00002030) ret=0045310c
--- snip ---
After some debugging I came to the conclusion that id '0x75cd' is _not_ a menu handle but some menu item id. Unlike the other popup menus, this popup menu is created through some helper dll call -> SDC.SDC_CreateSDMenuFromBIN() (internal resource called 'PROPERTIESMENU').
The parent is a popup menu, created through 'CreatePopupMenu'.
This is either an application bug with 'MF_POPUP' flag being passed on this menu item ('MF_OWNERDRAW | MF_POPUP') or valid code and MSDN is incorrect (wouldn't be the first time).
I made a quick hack, not interpreting this item as menu handle and it allowed 'SmartDraw 2010' to start. This also allows 'SmartDraw CI' (infested with intrusive DRM scheme) to start - although it takes quite long.
I suggest adding such cases to the existing user32/menu test suite to figure out how Windows behaves.
$ sha1sum smartdraw_setup_CNET.exe
5b5e15d4204bb6c43aabbe4c15f62ec7b7300aaa smartdraw_setup_CNET.exe
$ du -sh smartdraw_setup_CNET.exe
24M smartdraw_setup_CNET.exe
$ wine --version
wine-1.7.16-199-ga6e53ea
Regards
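
The pattern diagnosed in the comment above (an AppendMenu call that sets MF_POPUP while its third argument was never returned by a menu-creation call, and that then returns 0) can be picked out of a relay trace automatically. The following is an added example, not part of the original comment or of Wine's code; the function name and the shortened sample trace are constructed for illustration.

```python
import re

MF_POPUP = 0x0010      # winuser.h: item opens a submenu, uIDNewItem is an HMENU
MF_OWNERDRAW = 0x0100  # winuser.h: item is drawn by the owning window

# Constructed sample, shortened from the relay trace quoted in the comment.
SAMPLE_TRACE = """\
0023:Call user32.CreatePopupMenu() ret=02c9bbc7
0023:Ret user32.CreatePopupMenu() retval=00010152 ret=02c9bbc7
0023:Call user32.AppendMenuA(00010152,00000110,000075cd,02d39b20) ret=02c9ce48
0023:warn:menu:MENU_GetMenu other process menu 0x75cd?
0023:Ret user32.AppendMenuA() retval=00000000 ret=02c9ce48
0023:Call user32.DestroyMenu(00010152) ret=02cbc110
0023:Ret user32.DestroyMenu() retval=00000001 ret=02cbc110
"""

CALL_RE = re.compile(
    r"^(\w+):Call user32\.AppendMenu[AW]\((\w+),(\w+),(\w+),(\w+)\) ret=(\w+)")
RET_RE = re.compile(r"^(\w+):Ret\s+user32\.(\w+)\(\) retval=(\w+)")
MENU_RE = re.compile(r"^\w+:Ret\s+user32\.Create(?:Popup)?Menu\(\) retval=(\w+)")

def suspicious_popup_appends(trace):
    """Return AppendMenu calls that pass MF_POPUP with an id that no earlier
    CreateMenu/CreatePopupMenu returned, together with their return value."""
    known_menus, pending, findings = set(), {}, []
    for line in trace.splitlines():
        if m := MENU_RE.match(line):
            known_menus.add(int(m.group(1), 16))
        if m := CALL_RE.match(line):
            tid = m.group(1)  # relay lines are prefixed with the thread id
            hmenu, flags, item = (int(m.group(i), 16) for i in (2, 3, 4))
            if flags & MF_POPUP and item not in known_menus:
                pending[tid] = {"hmenu": hmenu, "flags": flags, "item": item,
                                "ownerdraw": bool(flags & MF_OWNERDRAW)}
        elif (m := RET_RE.match(line)) and m.group(2).startswith("AppendMenu"):
            call = pending.pop(m.group(1), None)
            if call:
                call["retval"] = int(m.group(3), 16)
                findings.append(call)
    return findings

if __name__ == "__main__":
    for f in suspicious_popup_appends(SAMPLE_TRACE):
        print(f"hmenu={f['hmenu']:#x} flags={f['flags']:#06x} "
              f"item={f['item']:#x} ownerdraw={f['ownerdraw']} retval={f['retval']}")
```
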