https://bugs.winehq.org/show_bug.cgi?id=45998
Bug ID: 45998
Summary: 64-bit FACEIT Anti-cheat client claims "Your system is out of date, you are missing important Windows updates!" (needs 'wintrust.CryptCATAdminAcquireContext2' stub)
Product: Wine
Version: 3.18
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: wintrust
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as it says.
Download: https://anticheat-client.faceit.com/FACEITInstaller_64.exe
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/FACEIT AC

$ WINEDEBUG=+seh,+relay wine ./faceitclient.exe >>log.txt 2>&1
...
002c:Call KERNEL32.LoadLibraryA(141215440 "wintrust.dll") ret=1400b1653
002c:Ret KERNEL32.LoadLibraryA() retval=7fd071b90000 ret=1400b1653
002c:Call KERNEL32.GetProcAddress(7fd071b90000,141215450 "CryptCATAdminAcquireContext2") ret=1400b1670
002c:Ret KERNEL32.GetProcAddress() retval=00000000 ret=1400b1670
002c:Call KERNEL32.FreeLibrary(7fd071b90000) ret=1400b167c
002c:Ret KERNEL32.FreeLibrary() retval=00000001 ret=1400b167c
002c:Call ntdll.RtlAllocateHeap(00010000,00000000,00000050) ret=1411adc3c
002c:Ret ntdll.RtlAllocateHeap() retval=000b09e0 ret=1411adc3c
002c:Call user32.MessageBoxA(00000000,000b09e0 "Your system is out of date, you are missing important Windows updates!",00000000,00000010) ret=1400edd5d
...
--- snip ---
Microsoft Docs:
https://docs.microsoft.com/en-us/windows/desktop/api/mscat/nf-mscat-cryptcat...
--- quote ---
The CryptCATAdminAcquireContext2 function acquires a handle to a catalog administrator context for a given hash algorithm and hash policy.

You can use this handle in subsequent calls to the following functions:

  CryptCATAdminAddCatalog
  CryptCATAdminEnumCatalogFromHash
  CryptCATAdminRemoveCatalog

This function has no associated import library. You must use the LoadLibrary and GetProcAddress functions to dynamically link to Wintrust.dll.

Syntax

BOOL CryptCATAdminAcquireContext2(
  HCATADMIN               *phCatAdmin,
  const GUID              *pgSubsystem,
  PCWSTR                  pwszHashAlgorithm,
  PCCERT_STRONG_SIGN_PARA pStrongHashPolicy,
  DWORD                   dwFlags
);
--- quote ---
It's a Windows 8+ API.
With a FIXME stub that prints parameters, returning FALSE:
--- snip ---
...
0064:Call KERNEL32.LoadLibraryA(141215440 "wintrust.dll") ret=1400b1653
0064:Ret KERNEL32.LoadLibraryA() retval=7f9b71860000 ret=1400b1653
0064:Call KERNEL32.GetProcAddress(7f9b71860000,141215450 "CryptCATAdminAcquireContext2") ret=1400b1670
0064:Ret KERNEL32.GetProcAddress() retval=7f9b718680d0 ret=1400b1670
0064:Call KERNEL32.FreeLibrary(7f9b71860000) ret=1400b167c
0064:Ret KERNEL32.FreeLibrary() retval=00000001 ret=1400b167c
--- snip ---

I didn't see any call to the stub, so one might get away even with an auto-generated unimplemented stub.

The client executable has some anti-debug trickery and a custom obfuscation scheme. Crashes later due to other insufficiencies though.
$ sha1sum FACEITInstaller_64.exe
ed8f8c2f6ec2d113bed882faa9d8b8a7a3b56a3c  FACEITInstaller_64.exe

$ du -sh FACEITInstaller_64.exe
85M	FACEITInstaller_64.exe

$ wine --version
wine-3.18
Regards
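
An added example, not part of the original report: a small parser for a `WINEDEBUG=+relay` log that pairs each `GetProcAddress` call with its return and lists the exports that resolved to NULL, which is how the missing `CryptCATAdminAcquireContext2` shows up in the first trace. The function name `missing_exports` and the pairing by thread id and `ret=` address are choices made for this example; the sample lines are taken from the two trace excerpts above.

```python
import re

# Relay format: "<tid>:Call dll.func(args) ret=addr" / "<tid>:Ret dll.func() retval=val ret=addr"
CALL = re.compile(r'^([0-9a-f]+):Call\s+\w+\.(\w+)\((.*)\)\s+ret=([0-9a-f]+)')
RET = re.compile(r'^([0-9a-f]+):Ret\s+\w+\.(\w+)\(\)\s+retval=([0-9a-f]+)\s+ret=([0-9a-f]+)')
QUOTED = re.compile(r'"([^"]*)"')

def missing_exports(lines):
    """Return (module, export) pairs for GetProcAddress calls that returned NULL."""
    pending = {}  # (tid, func, return address) -> argument text of the open call
    modules = {}  # module handle -> DLL name, learned from LoadLibrary returns
    missing = []
    for line in lines:
        m = CALL.match(line.strip())
        if m:
            tid, func, args, ret = m.groups()
            if func.startswith("LoadLibrary") or func == "GetProcAddress":
                pending[(tid, func, ret)] = args
            continue
        m = RET.match(line.strip())
        if not m:
            continue
        tid, func, retval, ret = m.groups()
        args = pending.pop((tid, func, ret), None)
        name = QUOTED.search(args) if args else None
        if not name:
            continue  # untracked call, or lookup by ordinal (no quoted name)
        if func.startswith("LoadLibrary"):
            if int(retval, 16):
                modules[int(retval, 16)] = name.group(1)
        elif int(retval, 16) == 0:
            handle = int(args.split(",")[0], 16)  # first argument is the module handle
            missing.append((modules.get(handle, "?"), name.group(1)))
    return missing

# Sample input: lines from the report's two traces (without and with the stub).
SAMPLE = """\
002c:Call KERNEL32.LoadLibraryA(141215440 "wintrust.dll") ret=1400b1653
002c:Ret KERNEL32.LoadLibraryA() retval=7fd071b90000 ret=1400b1653
002c:Call KERNEL32.GetProcAddress(7fd071b90000,141215450 "CryptCATAdminAcquireContext2") ret=1400b1670
002c:Ret KERNEL32.GetProcAddress() retval=00000000 ret=1400b1670
0064:Call KERNEL32.LoadLibraryA(141215440 "wintrust.dll") ret=1400b1653
0064:Ret KERNEL32.LoadLibraryA() retval=7f9b71860000 ret=1400b1653
0064:Call KERNEL32.GetProcAddress(7f9b71860000,141215450 "CryptCATAdminAcquireContext2") ret=1400b1670
0064:Ret KERNEL32.GetProcAddress() retval=7f9b718680d0 ret=1400b1670
"""
if __name__ == "__main__":
    print(missing_exports(SAMPLE.splitlines()))
```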