https://bugs.winehq.org/show_bug.cgi?id=44217
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Designsoft Tina 11.2 Demo   |Designsoft Tina 11.2 Demo
                   |hangs while simulating some |hangs while simulating some
                   |examples                    |examples
                   |                            |(Themida/WinLicense 2.2-2.4
                   |                            |software protection)
                URL|                            |http://demo.designsoft.biz/
                   |                            |tina/Tina110en.exe
                 CC|                            |focht@gmx.net
           Keywords|                            |download, obfuscation
--- Comment #6 from Anastasius Focht focht@gmx.net ---
Hello folks,

that app is protected with the Themida/WinLicense software protection scheme, which is likely the culprit here.
ProtectionID scan:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\Program Files (x86)\DesignSoft\Tina 11 - Demo\tina.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 9322968 (08E41D8h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5A33EDE6 -> Fri 15th Dec 2017 15:44:38 (GMT)
[DigSig] ** ERROR ** -> digital signature does not seem to be valid (0x0 / 0) (GLE: 0x80092009 / 2148081673)
[TimeStamp] 0x5A33EDE6 -> Fri 15th Dec 2017 15:44:38 (GMT) | PE Header | - | Offset: 0x00000108 | VA: 0x00400108 | -
-> File Appears to be Digitally Signed @ Offset 08E2600h, size : 01BD8h / 07128 byte(s)
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000001001100000100110111 (0x0004C137)
[Entrypoint Section Entropy] : 3.24 (section #5) "xwhdsibw" | Size : 0x200 (512) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 6 (0x6) | ImageSize 0x3292000 (53026816) byte(s)
[Export] 0% of function(s) (0 of 3) are in file | 0 are forwarded | 3 code | 0 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : DesignSoft
[VersionInfo] Product Name : Tina 11.0
[VersionInfo] Product Version : 11.0.0.0
[VersionInfo] File Description : Tina 11.0
[VersionInfo] File Version : 11.2.0.349DT-DS
[VersionInfo] Original FileName : tina.exe
[VersionInfo] Internal Name : Tina
[VersionInfo] Version Comments : 43084.6951398958
[VersionInfo] Legal Copyrights : DesignSoft 1993-2017
[ModuleReport] [IAT] Modules -> kernel32.dll | comctl32.dll
[!] Themida/Winlicense detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 60% probability
- Scan Took : 1.494 Second(s) [0000005E2h (1506) tick(s)] [506 of 580 scan(s) done]
--- snip ---
It seems the vendor wiped/hid the exact Themida version, so all the tools failed to determine the base version.
Using the "standard" Themida version search recipe, courtesy of:
https://github.com/dubuqingfeng/ollydbg-script/blob/master/Themida/detect%20...
One doesn't need that script, only the essence. Wait for the first 'invalid instruction' exception in the debugger.
#457863657074696F6E20496E666F726D6174696F6E# -> "Exception Information"
search with pattern #000000000000000000000000000000000000# (pad)
--- snip ---
Address   Hex dump                                         ASCII
02C2D831  30 02 89 30|5E E9 1A D5|FF FF 52 89|34 24 89 EE|
02C2D841  89 F2 E9 8C|D0 FF FF E9|70 01 00 00|04 00 00 00|
02C2D851  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00|
02C2D861  00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00|
02C2D871  B4 0F 64 F7|8B 1F AC DC|96 02 70 F7|88 96 CC 91|
02C2D881  45 78 63 65|70 74 69 6F|6E 20 49 6E|66 6F 72 6D| Exception Inform
02C2D891  61 74 69 6F|6E 00 50 6C|65 61 73 65|2C 20 63 6F| ation Please, co
--- snip ---

The version area around 0x02C2D851 is zero-wiped.
The dll was built Fri 15th Dec 2017 and the Oreans Themida copyright string says year 2012.
--- snip ---
0030:Call KERNEL32.OutputDebugStringA(02c4ed30 "\r\n\n\n%s------------------------------------------------\n\r--- WinLicense Professional ---\n\r--- (c)2012 Oreans Technologies ---\n\r------------------------------------------------\r\n\n\n") ret=02c50e9b
...
0030:Ret KERNEL32.OutputDebugStringA() retval=00000000 ret=02c50e9b
--- snip ---
https://www.oreans.com/ThemidaAllWhatsNew.php
The earliest 2012 release was: Themida [2.2.0.0] (20-Feb-2012)
The latest release before the dll build date: Themida [2.4.6.0] (17-Feb-2017)

Hard to tell from a quick glance as this version of Themida doesn't like relay thunks. My bet would be on some exception trickery and/or partial thread context modifications. There were some rewrite/improvements in this area in the past. They also make use of a lot of anti-debugger watcher threads (findwindow, remote attach, thread notification hooks) which introduces additional runtime timing behaviour.
Does the app output something in the console when it hangs (or prior)?
Regards
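
The search recipe from comment #6, applied offline to the hex dump quoted there. This is an added example, not part of the original comment and not the linked OllyDbg script; the function names `parse_dump` and `locate_version_area` are hypothetical, and the rows are copied from the dump with the ASCII column omitted.

```python
import re

# The two search patterns quoted in the comment, as raw bytes.
MARKER = bytes.fromhex("457863657074696F6E20496E666F726D6174696F6E")
PAD = bytes.fromhex("000000000000000000000000000000000000")

# Rows copied from the hex dump in the comment (ASCII column omitted).
DUMP = """
02C2D831 30 02 89 30|5E E9 1A D5|FF FF 52 89|34 24 89 EE|
02C2D841 89 F2 E9 8C|D0 FF FF E9|70 01 00 00|04 00 00 00|
02C2D851 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00|
02C2D861 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00|
02C2D871 B4 0F 64 F7|8B 1F AC DC|96 02 70 F7|88 96 CC 91|
02C2D881 45 78 63 65|70 74 69 6F|6E 20 49 6E|66 6F 72 6D|
02C2D891 61 74 69 6F|6E 00 50 6C|65 61 73 65|2C 20 63 6F|
"""

def parse_dump(text):
    """Turn 'ADDR b0 b1 ..|..' rows into (base address, bytes)."""
    base, data = None, bytearray()
    for row in text.strip().splitlines():
        addr, rest = row.split(None, 1)
        octets = re.findall(r"\b[0-9A-Fa-f]{2}\b", rest)[:16]
        if base is None:
            base = int(addr, 16)
        if int(addr, 16) != base + len(data):
            raise ValueError(f"non-contiguous row at {addr}")
        data += bytes(int(o, 16) for o in octets)
    return base, bytes(data)

def locate_version_area(base, data):
    """Find the marker, then the nearest zero run in front of it."""
    marker = data.find(MARKER)
    if marker < 0:
        return None
    hit = data.rfind(PAD, 0, marker)
    if hit < 0:
        return {"marker": base + marker, "pad": None}
    start, end = hit, hit + len(PAD)
    while start > 0 and data[start - 1] == 0:   # grow the run backwards
        start -= 1
    while end < marker and data[end] == 0:      # and forwards
        end += 1
    return {"marker": base + marker, "pad": (base + start, end - start)}

if __name__ == "__main__":
    info = locate_version_area(*parse_dump(DUMP))
    print(f"marker at {info['marker']:#010x}")
    print("zero run at {:#010x}, {} bytes".format(*info["pad"]))
```

The reported run starts at 0x02C2D84E rather than 0x02C2D851 because it also takes in the three zero bytes that end the preceding `04 00 00 00`.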