https://bugs.winehq.org/show_bug.cgi?id=38792
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, obfuscation
             Status|UNCONFIRMED                 |RESOLVED
                URL|                            |http://br.cfpatch.z8games.com/download/CrossFireBR_Setup.exe
                 CC|                            |focht@gmx.net
            Version|unspecified                 |1.6.2
         Resolution|---                         |DUPLICATE
            Summary|Error at trying to open     |Crossfire BR HGWC (Hacking GateWay Client) crashes on
                   |CROSSFIRE (HGWC)            |startup (needs NtQueryVirtualMemory 'MemorySectionName'
                   |                            |info class support)
--- Comment #1 from Anastasius Focht focht@gmx.net ---

Hello "hacker"/cheater,

your Wine version is outdated, upgrade to the recent 1.7.x series, preferably Wine 1.7.45. If you don't know how to do that, visit the WineHQ user forums.
--- snip ---
00000042 (D) Z:\media\gabriel\44BC2783BC276F1C\Jogos\CrossFire BR\HGWC.exe
--- snip ---
I searched using 'CrossFire BR' and 'HGWC' and found this site:
http://br.crossfire.z8games.com/
Download link: http://br.crossfire.z8games.com/download.html
It seems you're trying to run some Brazilian variant of some cheating tool? HGWC = 'Hacking GateWay Client'?
Your crash log shows you're trying to run this app off another partition, potentially from a Windows install/FAT32? Don't do that! Please install each app/game in its own 32-bit WINEPREFIX!
I tried to start this 'HGWC.exe' tool after installation in a new 32-bit WINEPREFIX and it refused, complaining it can't be started stand-alone.
ProtectionID info:
--- snip ---
-=[ ProtectionID v0.6.6.7 DECEMBER]=-
(c) 2003-2015 CDKiLLER & TippeX
Build 24/12/14-22:48:13
Ready...
Scanning -> C:\Program Files\Z8Games\CrossFire BR\HGWC.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 1190152 (0122908h) Byte(s)
Compilation TimeStamp : 0x5551ADC5 -> Tue 12th May 2015 07:37:41 (GMT)
[TimeStamp] 0x5551ADC5 -> Tue 12th May 2015 07:37:41 (GMT) | PE Header | - | Offset: 0x00000100 | VA: 0x00400100 | -
-> File Appears to be Digitally Signed @ Offset 0121000h, size : 01908h / 06408 byte(s)
[File Heuristics] -> Flag #1 : 00000000000000001100000000100110 (0x0000C026)
[Entrypoint Section Entropy] : 7.99 (section #0) ".text   " | Size : 0x61000 (397312) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 6 (0x6) | ImageSize 0x2AA000 (2793472) byte(s)
[VersionInfo] Company Name : Smilegate Games Inc.
[VersionInfo] Product Name : HGWC
[VersionInfo] Product Version : 1.8.3.2
[VersionInfo] File Description : Hacking GateWay Client
[VersionInfo] File Version : 1.8.3.91
[VersionInfo] Original FileName : HGWC.exe
[VersionInfo] Internal Name : HGWC.exe
[VersionInfo] Legal Copyrights : Smilegate Games Inc.
[!] Themida v2.0.1.0 - v2.1.8.0 (or newer) detected !
[i] Hide PE Scanner Option used
- Scan Took : 0.637 Second(s) [00000027Dh (637) tick(s)] [499 of 573 scan(s) done]
--- snip ---
There is a 'launcher' app in the installation directory:
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Z8Games/CrossFire BR

$ ./cfPT_launcher.exe
--- snip ---
The launcher app brought up some IE browser-based user interface with everything in Brazilian Portuguese. I clicked something that appeared to trigger some update mechanism. It downloaded some files and updated CrossFire and XTrap.
With the update succeeding, the launcher started 'HGWC.exe' which indeed crashed.
The tool was started with an overly long command line:

--- snip ---
$ cat /proc/22723/cmdline
C:\Program Files\Z8Games\CrossFire BR\HGWC.
--- snip ---
With that information in place I managed to run this tool stand-alone to reproduce the crash:
--- snip ---
...
0026:Call KERNEL32.GetModuleHandleW(004bb238 L"ntdll.dll") ret=0041fff1
0026:Ret  KERNEL32.GetModuleHandleW() retval=7bc20000 ret=0041fff1
0026:Call KERNEL32.GetProcAddress(7bc20000,004bbb64 "ZwQueryVirtualMemory") ret=0041fff8
0026:Ret  KERNEL32.GetProcAddress() retval=7bc3605c ret=0041fff8
0026:Call ntdll.ZwQueryVirtualMemory(ffffffff,00400000,00000002,0032bfe8,0000020c,00000000) ret=0042002b
0026:fixme:virtual:NtQueryVirtualMemory (process=0xffffffff,addr=0x400000) Unimplemented information class: MemorySectionName
0026:Ret  ntdll.ZwQueryVirtualMemory() retval=c0000003 ret=0042002b
0026:Call KERNEL32.GetLastError() ret=00420035
0026:Ret  KERNEL32.GetLastError() retval=00000000 ret=00420035
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x420150 ip=00420150 tid=0026
0026:trace:seh:raise_exception info[0]=00000000
0026:trace:seh:raise_exception info[1]=00000000
0026:trace:seh:raise_exception eax=00000000 ebx=ffffffff ecx=51756c8c edx=00000002 esi=0032c28c edi=00000000
0026:trace:seh:raise_exception ebp=004ea674 esp=0032bfdc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210246
0026:trace:seh:call_stack_handlers calling handler at 0x4a8b06 code=c0000005 flags=0
...
wine: Unhandled page fault on read access to 0x00000000 at address 0x420150 (thread 0026), starting debugger...
...
Backtrace:
=>0 0x00420150 in hgwc (+0x20150) (0x004ea674)
0x00420150: movw 0x0(%eax),%cx
Modules:
Module   Address          Debug info  Name (123 modules)
PE        400000-  6aa000  Export      hgwc
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000025 (D) C:\Program Files\Z8Games\CrossFire BR\HGWC.exe
    0000002f    0
    0000002e    0
    0000002d    0
    0000002c    0
    0000002b    0
    0000002a    0
    00000029    0
    00000028    0
    00000026    0 <==
--- snip ---
The app is protected with the 'Themida' protection scheme (see ProtectionID dump earlier). Themida is also widely used in the malware/hacking scene for protecting "IP".

There is various anti-debugging, anti-VM trickery present which Wine deals with nicely, also partially related to the fact that Oreans (vendor of 'Themida') made it more Wine compatible :-)
Anyway, I made a clean dump with code section properly decrypted and imports restored to a usable state.
The problem is indeed missing support for the 'MemorySectionName' info class in 'NtQueryVirtualMemory'. The app checks the 'NtQueryVirtualMemory' NTSTATUS return value and calls 'GetLastError' which *whoops* returns zero -> success. The rest is obvious ... section name (out parameter) PUNICODE_STRING access *boom*.
Anyway, long story short ... dupe of bug 23999
I generally don't care what apps/games/malware/crapware people are trying to run as I'm purely interested in the technical side - solving riddles. This of course also involves providing solutions to make Wine more compatible with malware and viruses. I can't really speak up here as I'm morally guilty too ... but: consider not using those apps. Read: "Don't cheat" ;-)
$ sha1sum CrossFireBR_Setup.exe
b69af2b59e7da66066ed054a173f9f324b3ecd69  CrossFireBR_Setup.exe

$ du -sh CrossFireBR_Setup.exe
1.7G    CrossFireBR_Setup.exe

$ wine --version
wine-1.7.45-146-gaf55ae1
Regards
*** This bug has been marked as a duplicate of bug 23999 ***
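The failure path the comment describes, written out as an added C example that is not part of the bug report, of HGWC or of Wine: an Nt/Zw call reports failure only through its NTSTATUS return value, the Win32 last-error is separate thread state, so checking GetLastError() after ZwQueryVirtualMemory() fails in the way the trace shows (retval=c0000003 while GetLastError() returns 0) and the caller walks into a NULL UNICODE_STRING buffer. The NtQueryVirtualMemory stub, the last-error global, the type definitions, the supported/unsupported switch and the section name it returns are constructed stand-ins for this example; a real build would use the ntdll exports and winternl.h.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-ins for the NT types involved (constructed, not Wine's headers). */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INVALID_INFO_CLASS   ((NTSTATUS)0xC0000003)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
/* NT_SUCCESS: severity bits 31:30 are 00 (success) or 01 (informational). */
#define NT_SUCCESS(s)               (((NTSTATUS)(s)) >= 0)

enum { MemoryBasicInformation = 0, MemorySectionName = 2 };

/* 32-bit UNICODE_STRING: Length/MaximumLength in bytes, then pointer to UTF-16. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } UNICODE_STRING;

/* MEMORY_SECTION_NAME: the UNICODE_STRING header with the name's storage right
   after it, which is why one buffer of a few hundred bytes is passed in the trace. */
typedef struct { UNICODE_STRING SectionFileName; uint16_t NameBuffer[256]; } MEMORY_SECTION_NAME;

/* Win32 last-error is thread-local state separate from the NTSTATUS return.
   Modelled as a global the stub never touches, matching GetLastError() -> 0 in the trace. */
static uint32_t g_last_error;
static uint32_t GetLastError_stub(void) { return g_last_error; }

/* 0 = behave like the old Wine ntdll in the trace (info class unimplemented). */
static int g_section_name_supported;
void set_section_name_supported(int on) { g_section_name_supported = on; }

/* Constructed stub of NtQueryVirtualMemory for the MemorySectionName class. */
static NTSTATUS NtQueryVirtualMemory_stub(int info_class, void *buf, size_t len, size_t *ret_len)
{
    if (info_class != MemorySectionName) {
        if (ret_len) *ret_len = 0;
        return STATUS_SUCCESS;
    }
    if (!g_section_name_supported)
        return STATUS_INVALID_INFO_CLASS;   /* c0000003, output buffer left untouched */

    /* Constructed name; a real ntdll returns the NT device path of the mapped image. */
    const char *ascii = "\\constructed\\HGWC.exe";
    size_t n = strlen(ascii);
    if (len < sizeof(MEMORY_SECTION_NAME))
        return STATUS_INFO_LENGTH_MISMATCH;
    MEMORY_SECTION_NAME *msn = buf;
    for (size_t i = 0; i < n; i++)
        msn->NameBuffer[i] = (uint16_t)(unsigned char)ascii[i];
    msn->NameBuffer[n] = 0;
    msn->SectionFileName.Length = (uint16_t)(n * 2);
    msn->SectionFileName.MaximumLength = (uint16_t)((n + 1) * 2);
    msn->SectionFileName.Buffer = msn->NameBuffer;
    if (ret_len) *ret_len = sizeof(UNICODE_STRING) + (n + 1) * 2;
    return STATUS_SUCCESS;
}

/* The pattern the comment describes: ignore the NTSTATUS, consult GetLastError(),
   treat 0 as success and go on to read the section name.
   Returns 1 when the caller would dereference a NULL SectionFileName.Buffer. */
int app_check_buggy(void)
{
    MEMORY_SECTION_NAME out;
    memset(&out, 0, sizeof out);                 /* Buffer == NULL, like eax=0 in the fault */
    NtQueryVirtualMemory_stub(MemorySectionName, &out, sizeof out, NULL);
    if (GetLastError_stub() != 0)
        return 0;                                /* never taken: last-error was not set */
    /* Real app: movw 0x0(%eax),%cx with eax == Buffer == NULL -> c0000005. */
    return out.SectionFileName.Buffer == NULL;
}

/* Corrected handling: the NTSTATUS is the only authoritative result.
   Returns the status; *name_len_bytes is set only when the name is valid. */
NTSTATUS app_check_fixed(uint16_t *name_len_bytes)
{
    MEMORY_SECTION_NAME out;
    size_t ret_len = 0;
    memset(&out, 0, sizeof out);
    *name_len_bytes = 0;
    NTSTATUS st = NtQueryVirtualMemory_stub(MemorySectionName, &out, sizeof out, &ret_len);
    if (!NT_SUCCESS(st))
        return st;                               /* e.g. STATUS_INVALID_INFO_CLASS: no name */
    *name_len_bytes = out.SectionFileName.Length;
    return st;
}
```

With the class unsupported, app_check_buggy() reports that it would read through a NULL buffer while app_check_fixed() simply returns c0000003; with the class supported, the fixed path yields the UTF-16 name length from the UNICODE_STRING header.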