[Bug 4666] Many games bundled with HackShield anti-cheat system abort on startup with Hackshield error 108 (copy of system dlls, native vs. Wine placeholder)

http://bugs.winehq.org/show_bug.cgi?id=4666

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Summary|HackShield anti-cheat |Many games bundled with |system doesn't work |HackShield anti-cheat |(Themida software |system abort on startup |protection used as wrapper |with Hackshield error 108 |incompatible with Wine) |(copy of system dlls, | |native vs. Wine | |placeholder)

--- Comment #52 from Anastasius Focht focht@gmx.net 2012-12-18 11:29:18 CST --- Hello Florian,

--- quote --- Hm, I tried to get wine to compile this, but it seems to break things. Maybe worth to know where to add this, better to have a patch altering this for current wine (1.5.19) --- quote ---

This was most likely fixed on their side in newer versions of client. If you don't get "error 110" then the PIC prolog code is no longer a problem.

A rough check for Themida software protection version is to run app with "WINEDEBUG=+debugstr". The output will contain a copyright string like this:

--- snip --- 0046:warn:debugstr:OutputDebugStringA "\r\n\n\n%s------------------------------------------------\n\r--- Themida Professional ---\n\r--- (c)2012 Oreans Technologies ---\n\r------------------------------------------------\r\n\n\n" --- snip ---

A detailed version check (major/minor) can only be made by signature analysis or debugging.

Anyway, that "error 108" is about system DLL copies (kernel32.dll and friends) in temp folder (native vs. builtin/placeholder). The copy in temp folder has "SLLX" magic at the end of file (last DWORD -> 0x53,0x4C,0x4C,0x58).

Adjusting summary accordingly.

Internal error:

--- snip --- 00300B94 00884868 ; |Format = "%s GameCode = %d Li = %s, option = 0x%X return =%d" 00300B98 00300BC0 ; ASCII "C:\Program Files\Gameforge4D\AirRivals\HShield\EhSvc.dll" 00300B9C 00001268 00300BA0 008848A0 ; ASCII "2025A0437939566CC1DCF4B1" 00300BA4 06483DBE 00300BA8 00000108 --- snip ---

(game code differs between games)

Log before being obfuscated and written to "hshield.log":

--- snip --- {FC684AE4-F5B0-48B7-889E-F43FCDBF13E8} 7b810000 0 126 [C:\users\focht\Temp\d114c46949c6.tmp] C:\users\focht\Temp\d114c46949c6.tmp C:\windows\system32\KERNEL32.dll ... {EE0E19A5-99002FE730 92-4B80-BA7D-FD1647ACD846} e1012004 C:\windows\system32\Kernel32.dll 1 --- snip ---

I've not looked that deep into HackShield but it might be possible to come up with a Wine builtin "Ehsvc.dll" that avoids all the mess (similar to PunkBuster). "Ehsvc.dll" serves as interface between HackShield and the secured process.

Regards