http://bugs.winehq.org/show_bug.cgi?id=25853
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |obfuscation Status|UNCONFIRMED |NEW CC| |focht@gmx.net Summary|Dead Space 2 with SecuROM |Dead Space 2 crashes on |protection crashes on start |start (SecuROM Data File | |Activation 2.x/SecuROM SLL | |1.x - Release Date | |Verification) Ever Confirmed|0 |1
--- Comment #10 from Anastasius Focht focht@gmx.net 2011-06-13 04:09:29 CDT --- Hello,
some info (not an in-depth analysis): "RYG News: Analysing SecuROM In Dead Space 2" -> http://reclaimyourgame.com/content/739-RYG-News-Analysing-SecuROM-In-Dead-Sp...
--- snip --- -=[ ProtectionID v0.6.4.0 JULY]=- (c) 2003-2010 CDKiLLER & TippeX Build 07/08/10-17:57:05 Ready...
Scanning -> H:.wine\drive_c\Program Files\EA Games\ds2_temp_unpacked\deadspace_f_activation.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 7570776 (0738558h) Byte(s) -> File Appears to be Digitally Signed @ Offset 0737000h, size : 01558h / 05464 byte(s) [File Heuristics] -> Flag : 00000000000000000000000000000101 (0x00000005) [!] SecuROM Detected - Version 07.42.0001 [!] Possible CD/DVD-Key or Serial Check -> Invalid serial [CompilerDetect] -> Visual C++ 7.1 (Visual Studio 2003) - Scan Took : 0.389 Second(s)
Scanning -> H:.wine\drive_c\Program Files\EA Games\ds2_temp_unpacked\DFA.dll File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 6280680 (05FD5E8h) Byte(s) -> File Appears to be Digitally Signed @ Offset 05FC088h, size : 01560h / 05472 byte(s) -> File has 136 (088h) bytes of appended data starting at offset 05FC000h [File Heuristics] -> Flag : 00000000000000000001000000000111 (0x00001007) [!] SecuROM SLL v 1.6.1 Protected (For SecuROM v 7.42.1) [i] SecuROM Data File Activation Core Module - version 2.2.0 [CompilerDetect] -> Visual C++ 7.1 (Visual Studio 2003) - Scan Took : 0.281 Second(s) --- snip ---
--- quote --- Well, ok, that's not about FT_Thunk, just another check. --- quote ---
The FT_Thunk check is just part of SecuROM prerequisite code which is to determine exact OS version. It is executed before every in-depth security check because the checks are tailored to specific Windows versions.
--- quote --- But strange, that UnhandledExceptionFilter() returned NULL, while it was given non-NULL value just few lines above. Is it normal? --- quote ---
The SEH chain has already been populated at this point and no handler felt responsible so it's ok to bail and pass this unexpected failure to OS crash handler (hence EXCEPTION_CONTINUE_SEARCH).
It seems the crash is located in some kind of obfuscation wrapper for API calls (stack is specially prepared). I've seen this somewhere but can't remember ... maybe I'll look into that later in detail. The problem is if you don't know which API it is be called in the end, you miss essential information to determine where things started to go wrong (these wrappers are pure obfuscated code).
Regards