http://bugs.winehq.org/show_bug.cgi?id=27550
Summary: SafeDisc 4.x: first opcode byte of kernel32.DebugBreak() API entry must not be "int 3" (0xCC) (Rainbow Six: Vegas 2 fails on startup)
Product: Wine
Version: 1.3.22
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: kernel32
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net

Hello,
"Rainbow Six: Vegas 2" complains about a debugger being present. The game shows a message box on startup:
"A debugger has been detected" "Unload the debugger and try again"
--- snip ---
=[ ProtectionID v0.6.4.0 JULY]=-
(c) 2003-2010 CDKiLLER & TippeX
Build 07/08/10-17:57:05
Ready...
Scanning -> Z:\home\focht.wine\drive_c\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 30277768 (01CE0088h) Byte(s)
-> File Appears to be Digitally Signed @ Offset 01CDEE00h, size : 01288h / 04744 byte(s)
-> File has 1449472 (0161E00h) bytes of appended data starting at offset 01B7D000h
[File Heuristics] -> Flag : 00000000000000000100000000000111 (0x00004007)
[!] Safedisc v4.85.000 detected !
[i] Appended data contents....
[.] o: 0x01B7D028 / t: <0xA8726B03> <0xEF01996C> <0x00000001> / s: 00302963 byte(s) -> ~deaa13.tmp
[.] o: 0x01BC6FC2 / t: <0xA8726B03> <0xEF01996C> <0x0000044C> / s: 00015887 byte(s) -> clcd32.dll
[.] o: 0x01BCADF8 / t: <0xA8726B03> <0xEF01996C> <0x0000044C> / s: 00004122 byte(s) -> clcd16.dll
[.] o: 0x01BCBE36 / t: <0xA8726B03> <0xEF01996C> <0x0000044D> / s: 00037971 byte(s) -> mcp.dll
[.] o: 0x01BD52B2 / t: <0xA8726B03> <0xEF01996C> <0x0000000B> / s: 00005446 byte(s) -> SecDrv04.VxD
[.] o: 0x01BD681D / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00072192 byte(s) -> ~e5.0001
[.] o: 0x01BE8244 / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00045056 byte(s) -> PfdRun.pfd
[.] o: 0x01BF326C / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00965148 byte(s) -> ~df394b.tmp
[CompilerDetect] -> Visual C++ 8.0 (Visual Studio 2005)
- Scan Took : 1.569 Second(s)
--- snip ---
I debugged the protection through various anti-debugging checks and found out a specific check failed. SafeDisc 4.x checks all kernel32 exports and specifically looks for soft-breakpoints (0xcc) on API entries. This fails now for kernel32.DebugBreak() because AJ used an inline asm int 3 (0xcc) to fix bug 24157. The protection treats this as a "malicious" soft breakpoint and flags this entry as "bad".
bug 24157 -> http://source.winehq.org/git/wine.git/commitdiff/5f06809ab3339e2001de57f18be... - technically a regression.
Fortunately SafeDisc only checks the first opcode byte so one could prepend a simple "HOTPATCH" instruction to work around that. Though I'm not sure if this is a "safe" long term solution (in this case it's sufficient).
Another way could be forwarding kernel32.DebugBreak to ntdll.DbgBreakPoint.
I only tested both methods, they work. Though the copy protection later fails for DVD media validation but this is another bug.
Regards
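
The first-byte check described in the report, as an added example that is not part of the original report and is neither Wine nor SafeDisc code. The struct, table and function names are hypothetical, the entry bytes are constructed, and the "HOTPATCH" instruction is assumed to be the two-byte mov edi,edi (8B FF).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OPCODE_INT3 0xCC  /* one-byte software breakpoint */

/* Hypothetical model of one export: name plus the bytes at its entry point. */
struct export_entry {
    const char *name;
    const unsigned char *code;
    size_t len;
};

/* Constructed entry bytes for illustration; not dumped from any real DLL. */
static const unsigned char plain[]    = { 0xCC, 0xC3 };             /* int3; ret */
static const unsigned char hotpatch[] = { 0x8B, 0xFF, 0xCC, 0xC3 }; /* mov edi,edi; int3; ret */
static const unsigned char other[]    = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

static const struct export_entry table_before[] = {
    { "CreateFileA", other, sizeof other },
    { "DebugBreak",  plain, sizeof plain },
};
static const struct export_entry table_after[] = {
    { "CreateFileA", other,    sizeof other },
    { "DebugBreak",  hotpatch, sizeof hotpatch },
};

/* Count exports whose FIRST entry byte is 0xCC, the only byte the report says
 * is inspected; *first_bad receives the first flagged name, or NULL. */
static size_t count_flagged(const struct export_entry *tab, size_t n,
                            const char **first_bad)
{
    size_t hits = 0;
    *first_bad = NULL;
    for (size_t i = 0; i < n; i++) {
        if (tab[i].len > 0 && tab[i].code[0] == OPCODE_INT3) {
            if (hits == 0)
                *first_bad = tab[i].name;
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    const char *bad;
    size_t n = count_flagged(table_before, 2, &bad);
    printf("before: %zu flagged (%s)\n", n, bad ? bad : "none");
    n = count_flagged(table_after, 2, &bad);
    printf("after:  %zu flagged (%s)\n", n, bad ? bad : "none");
    return 0;
}
```

With the prefix in place the int 3 still executes when the function is called; only the byte at offset 0 of the entry changes.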