http://bugs.winehq.org/show_bug.cgi?id=2770
Anastasius Focht focht@gmx.net changed:
           What |Removed                              |Added
----------------------------------------------------------------------------
       Keywords |                                     |Installer, obfuscation
            URL |http://powerbullet.com/download.html |http://wareseeker.com/download/powerbullet-presenter-1.44.rar/332339
             CC |                                     |focht@gmx.net
        Summary |powerbullet.dll fails to register    |powerbullet.dll fails to register (armadillo protection fails at checkpoint L5, error 0x17)
--- Comment #18 from Anastasius Focht focht@gmx.net 2011-04-27 08:20:54 CDT ---

Hello,
the "Powerbullet.dll" file in question is wrapped with Armadillo protection:
--- snip ---
Scanning -> H:.wine\drive_c\Program Files\Powerbullet\Powerbullet.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 1736704 (01A8000h) Byte(s)
[File Heuristics] -> Flag : 00000000000000001100001100100001 (0x0000C321)
[!] Armadillo v4.00 - v4.42 detected !
[CompilerDetect] -> Visual C/C++
- Scan Took : 0.439 Second(s)
--- snip ---
Trace log reveals not very much, various anti-debugging trickery, virtual machine/emulator detection and the like...
--- snip ---
...
0023:Call KERNEL32.OutputDebugStringA(0033f06c "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s") ret=10022111
0023:Ret KERNEL32.OutputDebugStringA() retval=00000000 ret=10022111
--- snip ---
Interesting tidbit: That OutputDebugStringA() call is actually a known vulnerability to trash some OllyDbg (debugger) versions ;-)
Hardware-id gathering before the error:
--- snip ---
...
0023:Call rpcrt4.UuidCreateSequential(0033e718) ret=10008be5
...
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e046
...
0023:Ret iphlpapi.GetAdaptersInfo() retval=0000006f ret=6857e046
...
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e0b9
...
0023:Ret iphlpapi.GetAdaptersInfo() retval=00000000 ret=6857e0b9
...
0023:Ret rpcrt4.UuidCreateSequential() retval=00000000 ret=10008be5
...
0023:Call KERNEL32.MultiByteToWideChar(00000000,00000000,10038050 "InvalidKey",ffffffff,00dc8038,00010000) ret=1002f0ec
...
0023:Call KERNEL32.WideCharToMultiByte(00000000,00000000,00db4030 L"This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it.",ffffffff,0032e424,00010000,00000000,00000000) ret=1002f0ba
--- snip ---
Anything bogus from UuidCreateSequential() is most likely not the cause for the error. The code following checks the first 3 bytes of uuid->Data4 for constant values (0x00,0x03,0xFF) probably to detect some virtual network adapters from PC emulators (like VirtualPC). After that it processes internal data and calculates something like a checksum. Preliminary debugging through the code mess pinpoints the validation failure between checkpoint LP5 and LP6. The internal error code is 0x17 - it is never printed but one can see it in debugger data/code string references.

CCx,LPx = some Armadillo internal mechanism to track the stage of protector initialization.
Will revisit later ...
Regards
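
The trace reading described in the comment above can be automated when triaging a protected binary under Wine. The following is an added example, not part of the original comment or of Wine's tooling: it parses relay lines, flags the `%s`-flood OutputDebugStringA call and pairs each hardware-id call with its return value. The names `triage`, `HWID_APIS` and `FMT_FLOOD`, the threshold of eight `%s`, and the shortened sample trace are assumptions.

```python
import re

# Constructed sample: relay lines shaped like the trace excerpts in the comment above.
SAMPLE_TRACE = r'''
0023:Call KERNEL32.OutputDebugStringA(0033f06c "%s%s%s%s%s%s%s%s%s%s%s%s") ret=10022111
0023:Ret  KERNEL32.OutputDebugStringA() retval=00000000 ret=10022111
0023:Call rpcrt4.UuidCreateSequential(0033e718) ret=10008be5
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e046
0023:Ret  iphlpapi.GetAdaptersInfo() retval=0000006f ret=6857e046
0023:Call iphlpapi.GetAdaptersInfo(001b28e0,0033e624) ret=6857e0b9
0023:Ret  iphlpapi.GetAdaptersInfo() retval=00000000 ret=6857e0b9
0023:Ret  rpcrt4.UuidCreateSequential() retval=00000000 ret=10008be5
'''

# One relay line: thread id, Call/Ret, module.function(args), optional retval, return address.
LINE = re.compile(
    r'^(?P<tid>[0-9a-f]{4}):(?P<kind>Call|Ret)\s+(?P<mod>[\w.-]+)\.(?P<fn>\w+)'
    r'\((?P<args>.*)\)(?: retval=(?P<retval>[0-9a-f]+))? ret=(?P<ret>[0-9a-f]+)$')

HWID_APIS = {"UuidCreateSequential", "GetAdaptersInfo"}  # hardware-id sources seen in the trace
FMT_FLOOD = re.compile(r'"(?:%s){8,}')                   # threshold of 8 is an assumption

def triage(trace):
    """Return (category, function, return_address, retval) tuples in trace order."""
    findings, pending = [], set()
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # A Call and its Ret share thread id, function name and return address.
        key = (m["tid"], m["fn"], m["ret"])
        if m["kind"] == "Call":
            pending.add(key)
            if m["fn"] == "OutputDebugStringA" and FMT_FLOOD.search(m["args"]):
                findings.append(("anti-debug", m["fn"], m["ret"], None))
        elif key in pending and m["retval"] is not None:
            pending.discard(key)
            if m["fn"] in HWID_APIS:
                # 0x6f is ERROR_BUFFER_OVERFLOW: the usual size probe before the real call.
                findings.append(("hardware-id", m["fn"], m["ret"], int(m["retval"], 16)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE):
        print(finding)
```

Nested calls are reported when they return, so the inner GetAdaptersInfo pair appears before the enclosing UuidCreateSequential.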