https://bugs.winehq.org/show_bug.cgi?id=47061
Bug ID: 47061
Summary: Multiple E-Banking applications by KOBIL Systems GmbH crash on startup or report 'Security issue code: 0x03938745 (60000069)' (MigrosBank EBanking 8.2.x, Sparda Bank SecureApp 1.x)
Product: Wine
Version: 4.6
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: kernel32
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
Continuation of bug 42391.
Stable links for current installers:
Sparda Bank SecureApp:
https://web.archive.org/web/20190422125056/https://www.sparda.de/secureapp-p...
Corresponding VirusTotal scan:
https://www.virustotal.com/gui/file/444c501236d5704e43ff5238a03b2c66a08eeba0...
---
MigrosBank EBanking app:
https://web.archive.org/web/20190422124354/https://download.migrosbank.ch/mi...
Corresponding VirusTotal scan:
https://www.virustotal.com/gui/file/9cd93cc70c6a8b24dbf47a3d20c9a1ed5f634140...
---
Trace log:
--- snip ---
$ pwd
/home/focht/.wine/drive_c/users/focht/Application Data/Sparda/AST-Client

$ WINEDEBUG=+seh,+relay wine ./SpardaSecureApp.exe >>log.txt 2>&1
...
003a:Ret KERNEL32.__wine_kernel_init() retval=7b472944 ret=7bc668b7
...
003a:Call TLS callback (proc=0x20010530,module=0x20000000,reason=PROCESS_ATTACH,reserved=0)
003a:Call KERNEL32.VirtualAlloc(00000000,00000006,00003000,00000004) ret=2001256a
003a:Ret KERNEL32.VirtualAlloc() retval=00340000 ret=2001256a
003a:Call KERNEL32.VirtualAlloc(00000000,00000017,00003000,00000004) ret=2001258d
003a:Ret KERNEL32.VirtualAlloc() retval=00350000 ret=2001258d
003a:Call KERNEL32.GetModuleHandleA(00340000 "ntdll") ret=20012652
003a:Ret KERNEL32.GetModuleHandleA() retval=7bc10000 ret=20012652
003a:Call KERNEL32.GetProcAddress(7bc10000,00350000 "NtSetInformationThread") ret=20012659
003a:Ret KERNEL32.GetProcAddress() retval=7bc24870 ret=20012659
003a:Call KERNEL32.VirtualFree(00340000,00000000,00008000) ret=2001266a
003a:Ret KERNEL32.VirtualFree() retval=00000001 ret=2001266a
003a:Call KERNEL32.VirtualFree(00350000,00000000,00008000) ret=20012688
003a:Ret KERNEL32.VirtualFree() retval=00000001 ret=20012688
003a:Call ntdll.NtSetInformationThread(fffffffe,00000011,00000000,00000000) ret=200126c8
003a:Ret ntdll.NtSetInformationThread() retval=00000000 ret=200126c8
003a:Call ntdll.NtReadVirtualMemory(ffffffff,20000028,0033e434,00000002,0033e42c) ret=2001277b
003a:Ret ntdll.NtReadVirtualMemory() retval=00000000 ret=2001277b
...
003a:Call KERNEL32.VirtualProtect(1ffb0000,00000005,00000020,0033e384) ret=20014840
003a:Ret KERNEL32.VirtualProtect() retval=00000001 ret=20014840
003a:Call KERNEL32.VirtualProtect(1ffa0000,0000000a,00000020,0033e380) ret=2001484f
003a:Ret KERNEL32.VirtualProtect() retval=00000001 ret=2001484f
003a:Call KERNEL32.FlushInstructionCache(ffffffff,1ffa0000,0000000a) ret=20014860
003a:Ret KERNEL32.FlushInstructionCache() retval=00000001 ret=20014860
003a:Call KERNEL32.VirtualProtect(7bc206ac,00000005,00000040,0033e40c) ret=20014997
003a:Ret KERNEL32.VirtualProtect() retval=00000001 ret=20014997
003a:Call ntdll.RtlMoveMemory(7bc206ac,00360021,00000005) ret=200149a4
003a:Ret ntdll.RtlMoveMemory() retval=7bc206ac ret=200149a4
003a:Call KERNEL32.VirtualProtect(7bc206ac,00000005,00000020,0033e40c) ret=200149b4
003a:Ret KERNEL32.VirtualProtect() retval=00000001 ret=200149b4
003a:Call KERNEL32.FlushInstructionCache(ffffffff,7bc206ac,00000005) ret=200149c4
003a:Ret KERNEL32.FlushInstructionCache() retval=00000001 ret=200149c4
003a:Call ntdll.LdrRegisterDllNotification(00000000,20010d80,00000000,20076e5c) ret=2001116a
003a:Ret ntdll.LdrRegisterDllNotification() retval=00000000 ret=2001116a
003a:Call KERNEL32.TlsAlloc() ret=200111dc
003a:Ret KERNEL32.TlsAlloc() retval=00000002 ret=200111dc
003a:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004) ret=20011217
003a:Ret KERNEL32.VirtualAlloc() retval=00370000 ret=20011217
003a:Call KERNEL32.VirtualFree(00370000,00000000,00008000) ret=2001129d
003a:Ret KERNEL32.VirtualFree() retval=00000001 ret=2001129d
003a:Call KERNEL32.VirtualAlloc(00000000,00000030,00001000,00000004) ret=20014b0b
003a:Ret KERNEL32.VirtualAlloc() retval=00370000 ret=20014b0b
003a:Call KERNEL32.VirtualFree(00370000,00000000,00008000) ret=20014ab4
003a:Ret KERNEL32.VirtualFree() retval=00000001 ret=20014ab4
003a:Call KERNEL32.GetProcAddress(7bc10000,2006cc74 "_snwprintf") ret=200136f7
003a:Ret KERNEL32.GetProcAddress() retval=7bc78380 ret=200136f7
003a:Call KERNEL32.GetProcAddress(7b420000,2006cd44 "FatalAppExitW") ret=2001374a
003a:Ret KERNEL32.GetProcAddress() retval=7b42575c ret=2001374a
003a:Call KERNEL32.GetModuleHandleW(00000000) ret=2000a477
003a:Ret KERNEL32.GetModuleHandleW() retval=20000000 ret=2000a477
003a:Call KERNEL32.ReadProcessMemory(ffffffff,2000002e,0033dfa8,00000004,0033dfa4) ret=2000a49d
003a:Ret KERNEL32.ReadProcessMemory() retval=00000001 ret=2000a49d
003a:Call KERNEL32.GetModuleHandleW(00000000) ret=2000a4ba
003a:Ret KERNEL32.GetModuleHandleW() retval=20000000 ret=2000a4ba
003a:Call KERNEL32.ReadProcessMemory(ffffffff,20000024,0033dfa4,00000004,0033dfa0) ret=2000a4d4
003a:Ret KERNEL32.ReadProcessMemory() retval=00000001 ret=2000a4d4
003a:Call KERNEL32.ReadProcessMemory(ffffffff,0000002e,0033dfa8,00000004,0033dfa0) ret=2000a4f5
003a:Ret KERNEL32.ReadProcessMemory() retval=00000000 ret=2000a4f5
003a:Call KERNEL32.VirtualAlloc(00000000,00000064,00001000,00000004) ret=2001376f
003a:Ret KERNEL32.VirtualAlloc() retval=00370000 ret=2001376f
003a:Call KERNEL32.FatalAppExitW(00000000,0033dfc8 L"Security issue code: 0x03938745 (60000069)") ret=2001379b
003a:warn:seh:FatalAppExitW AppExit
003a:err:seh:FatalAppExitW L"Security issue code: 0x03938745 (60000069)"
...
--- snip ---
The protection code doesn't use the Win32 API to resolve functions, hence one needs to debug here.
--- snip ---
...
20011276 | E8 9592FFFF   | call spardasecureapp.2000A510    | find kernel32.dll
2001127B | A3 EC6D0720   | mov dword ptr ds:[20076DEC],eax  | via PEB_LDR_DATA
20011280 | 8B55 FC       | mov edx,dword ptr ss:[ebp-4]     | "LoadAppInitDlls"
20011283 | 8BC8          | mov ecx,eax                      |
20011285 | E8 E694FFFF   | call spardasecureapp.2000A770    | resolve API
2001128A | 68 00800000   | push 8000                        |
2001128F | 6A 00         | push 0                           |
20011291 | 57            | push edi                         |
20011292 | A3 AC6E0720   | mov dword ptr ds:[20076EAC],eax  |
20011297 | FF15 CCD00420 | call dword ptr ds:[2004D0CC]     | VirtualFree()
2001129D | 6A 01         | push 1                           |
...
--- snip ---
-> it wants 'kernel32.LoadAppInitDlls'
Bunch of APIs it wants to resolve and hook:
--- snip ---
...
00360000 4B 69 55 73 65 72 41 70 63 44 69 73 70 61 74 63 KiUserApcDispatc
00360010 68 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 her.............
00360020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00360030 00 00 4E 74 43 6F 6E 74 69 6E 75 65 00 00 00 00 ..NtContinue....
00360040 00 00 00 00 00 00 00 00 00 00 00 00 4C 64 72 4C ............LdrL
00360050 6F 61 64 44 6C 6C 00 00 00 00 00 00 00 00 00 00 oadDll..........
00360060 00 00 00 00 00 00 52 74 6C 4E 74 53 74 61 74 75 ......RtlNtStatu
00360070 73 54 6F 44 6F 73 45 72 72 6F 72 00 00 00 00 00 sToDosError.....
00360080 00 00 00 00 00 00 00 4C 6F 61 64 41 70 70 49 6E .......LoadAppIn
00360090 69 74 44 6C 6C 73 00 00 00 00 00 00 00 00 00 00 itDlls..........
003600A0 00 00 00 00 00 00 00 00 00 00 00 00 00 4C 64 72 .............Ldr
003600B0 52 65 67 69 73 74 65 72 44 6C 6C 4E 6F 74 69 66 RegisterDllNotif
003600C0 69 63 61 74 69 6F 6E 00 00 00 00 00 00 00 00 00 ication.........
003600D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003600E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C 64 ..............Ld
003600F0 72 55 6E 72 65 67 69 73 74 65 72 44 6C 6C 4E 6F rUnregisterDllNo
00360100 74 69 66 69 63 61 74 69 6F 6E 00 00 00 00 00 00 tification......
00360110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
...
--- snip ---
Wine source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/kernel32/kernel32.spe...
--- snip ---
# @ stub LoadAppInitDlls
--- snip ---
With an empty stub added, the app successfully executes the TLS callback and the real entry point is executed - only to run into the next problem ;-)
Tidbit: The 'AppInit_DLLs' feature is described here:
https://support.microsoft.com/en-us/help/197571/working-with-the-appinit-dll...
That's another way of having DLLs automatically injected into every process. Most likely introduced by MS to support the malware industry ... j/k (or not?) ;-)
$ sha1sum spardasecureapp_p.exe
d579216a3a61555c68a75636893216b8a4233737  spardasecureapp_p.exe

$ du -sh spardasecureapp_p.exe
9.6M    spardasecureapp_p.exe

$ wine --version
wine-4.6-108-g9d7d68747b
Regards
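Added triage example (not part of the bug report, of KOBIL's software or of Wine): a Python script that does the two manual steps of the analysis above mechanically. From a `WINEDEBUG=+relay` trace it pairs each `GetProcAddress` call with its return, tells apart module handles the application obtained through `GetModuleHandle` from handles it never asked the Win32 API for (the `7b420000` kernel32 handle, which the disassembly shows came from PEB_LDR_DATA), and pulls the string passed to `FatalAppExitW`; from an x64dbg-style memory dump it recovers the NUL-separated API name table. The embedded relay lines and dump are copied from the report; the function names and the `<main module>` label are this script's own.

```python
"""Triage helpers for a Wine +relay trace and a debugger memory dump (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: relay lines copied from the bug report's trace (a subset).
RELAY_LOG = """\
003a:Call KERNEL32.GetModuleHandleA(00340000 "ntdll") ret=20012652
003a:Ret KERNEL32.GetModuleHandleA() retval=7bc10000 ret=20012652
003a:Call KERNEL32.GetProcAddress(7bc10000,00350000 "NtSetInformationThread") ret=20012659
003a:Ret KERNEL32.GetProcAddress() retval=7bc24870 ret=20012659
003a:Call KERNEL32.GetProcAddress(7bc10000,2006cc74 "_snwprintf") ret=200136f7
003a:Ret KERNEL32.GetProcAddress() retval=7bc78380 ret=200136f7
003a:Call KERNEL32.GetProcAddress(7b420000,2006cd44 "FatalAppExitW") ret=2001374a
003a:Ret KERNEL32.GetProcAddress() retval=7b42575c ret=2001374a
003a:Call KERNEL32.GetModuleHandleW(00000000) ret=2000a477
003a:Ret KERNEL32.GetModuleHandleW() retval=20000000 ret=2000a477
003a:Call KERNEL32.FatalAppExitW(00000000,0033dfc8 L"Security issue code: 0x03938745 (60000069)") ret=2001379b
003a:err:seh:FatalAppExitW L"Security issue code: 0x03938745 (60000069)"
"""

# Constructed sample: the memory dump copied from the bug report (x64dbg layout).
HEXDUMP = """\
00360000 4B 69 55 73 65 72 41 70 63 44 69 73 70 61 74 63 KiUserApcDispatc
00360010 68 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 her.............
00360020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00360030 00 00 4E 74 43 6F 6E 74 69 6E 75 65 00 00 00 00 ..NtContinue....
00360040 00 00 00 00 00 00 00 00 00 00 00 00 4C 64 72 4C ............LdrL
00360050 6F 61 64 44 6C 6C 00 00 00 00 00 00 00 00 00 00 oadDll..........
00360060 00 00 00 00 00 00 52 74 6C 4E 74 53 74 61 74 75 ......RtlNtStatu
00360070 73 54 6F 44 6F 73 45 72 72 6F 72 00 00 00 00 00 sToDosError.....
00360080 00 00 00 00 00 00 00 4C 6F 61 64 41 70 70 49 6E .......LoadAppIn
00360090 69 74 44 6C 6C 73 00 00 00 00 00 00 00 00 00 00 itDlls..........
003600A0 00 00 00 00 00 00 00 00 00 00 00 00 00 4C 64 72 .............Ldr
003600B0 52 65 67 69 73 74 65 72 44 6C 6C 4E 6F 74 69 66 RegisterDllNotif
003600C0 69 63 61 74 69 6F 6E 00 00 00 00 00 00 00 00 00 ication.........
003600D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003600E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C 64 ..............Ld
003600F0 72 55 6E 72 65 67 69 73 74 65 72 44 6C 6C 4E 6F rUnregisterDllNo
00360100 74 69 66 69 63 61 74 69 6F 6E 00 00 00 00 00 00 tification......
"""

# Relay line shapes: "tid:Call dll.Func(args) ret=addr" and "tid:Ret dll.Func() retval=v ret=addr".
CALL_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Call (?P<func>[\w.]+)\((?P<args>.*)\) ret=(?P<ret>[0-9a-f]{8})$")
RET_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Ret (?P<func>[\w.]+)\(\) retval=(?P<retval>[0-9a-f]{8}) ret=(?P<ret>[0-9a-f]{8})$")
GPA_ARGS_RE = re.compile(r'^(?P<module>[0-9a-f]{8}),[0-9a-f]{8} "(?P<name>[^"]+)"$')
GMH_ARGS_RE = re.compile(r'^[0-9a-f]{8} "(?P<name>[^"]+)"$')
WSTR_RE = re.compile(r'L"(?P<msg>[^"]*)"')
DUMP_RE = re.compile(r"^[0-9A-Fa-f]{8} (?P<bytes>(?:[0-9A-Fa-f]{2} ){16})")


def pair_calls(log: str) -> List[Tuple[str, str, str]]:
    """Return (func, args, retval) for every Call that has a matching Ret.

    Relay output interleaves threads, so Call and Ret are matched on
    (thread id, function, return address) rather than on adjacency.
    """
    pending: Dict[Tuple[str, str, str], str] = {}
    paired: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = CALL_RE.match(line)
        if m:
            pending[(m["tid"], m["func"], m["ret"])] = m["args"]
            continue
        m = RET_RE.match(line)
        if m:
            args = pending.pop((m["tid"], m["func"], m["ret"]), None)
            if args is not None:
                paired.append((m["func"], args, m["retval"]))
    return paired


def resolved_imports(log: str) -> List[Tuple[str, str, str]]:
    """Return (module, api, address) for each completed GetProcAddress.

    module is the DLL name when the handle was returned by GetModuleHandle
    earlier in the trace; otherwise the raw handle is kept, which flags a
    module the application located without the Win32 API.
    """
    module_names: Dict[str, str] = {}
    imports: List[Tuple[str, str, str]] = []
    for func, args, retval in pair_calls(log):
        name = func.rsplit(".", 1)[-1]
        if name in ("GetModuleHandleA", "GetModuleHandleW"):
            m = GMH_ARGS_RE.match(args)
            module_names[retval] = m["name"] if m else "<main module>"  # NULL handle = the exe
        elif name == "GetProcAddress":
            m = GPA_ARGS_RE.match(args)
            if m:
                imports.append((module_names.get(m["module"], m["module"]), m["name"], retval))
    return imports


def unresolved_handles(log: str) -> Set[str]:
    """Module handles passed to GetProcAddress that no GetModuleHandle call produced."""
    return {mod for mod, _, _ in resolved_imports(log) if re.fullmatch(r"[0-9a-f]{8}", mod)}


def fatal_exit_message(log: str) -> Optional[str]:
    """The wide string handed to FatalAppExitW; the call never returns, so it is not paired."""
    for line in log.splitlines():
        m = CALL_RE.match(line)
        if m and m["func"].endswith("FatalAppExitW"):
            w = WSTR_RE.search(m["args"])
            if w:
                return w["msg"]
    return None


def strings_from_hexdump(dump: str, min_len: int = 4) -> List[str]:
    """Rebuild the raw bytes from the hex column and split the NUL-separated ASCII names."""
    blob = bytearray()
    for line in dump.splitlines():
        m = DUMP_RE.match(line)
        if m:
            blob += bytes.fromhex(m["bytes"])
    return [c.decode("ascii") for c in blob.split(b"\x00")
            if len(c) >= min_len and all(0x20 <= b < 0x7F for b in c)]


if __name__ == "__main__":
    for mod, api, addr in resolved_imports(RELAY_LOG):
        print(f"{mod:>16} ! {api} -> {addr}")
    print("handles not obtained via Win32:", sorted(unresolved_handles(RELAY_LOG)))
    print("fatal exit:", fatal_exit_message(RELAY_LOG))
    print("hooked API table:", strings_from_hexdump(HEXDUMP))
```

Run against a full `log.txt` by reading the file into `resolved_imports` instead of `RELAY_LOG`; a handle that shows up in `unresolved_handles` is the place to put a breakpoint, since the module lookup happened outside the API surface that `+relay` can see.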