http://bugs.winehq.org/show_bug.cgi?id=28123
Anastasius Focht focht@gmx.net changed:
What       | Removed                                     | Added
-----------+---------------------------------------------+------------------------------------------------------------
Keywords   |                                             | download, obfuscation
Status     | UNCONFIRMED                                 | RESOLVED
URL        | http://www.fileserve.com/file/pZXsQKS       | http://inferno.muargentina.com/index.php?page_id=downloads
CC         |                                             | focht@gmx.net
Resolution | ---                                         | WONTFIX
Summary    | Mu Argentina. Muguard crashes when it start | Mu Argentina (MMORPG) protection driver crashes on startup (Oreans x32 kernel driver expects Windows page directory self-map and page tables present)

--- Comment #7 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
It seems whatever "MuGuard" was, is now some Oreans garbage (creator of infamous 'Themida/WinLicense' protection).
--- snip ---
000f:Call KERNEL32.CreateProcessW(00000000,001196c8 L"C:\windows\system32\winedevice.exe oreans32",00000000,00000000,00000000,00000400,00540000,00000000,0033fc48,0033fc8c) ret=7edb5d3f
...
001f:Call KERNEL32.LoadLibraryW(0011aea0 L"C:\windows\system32\drivers\oreans32.sys") ret=7edfb9b9
...
001f:Ret PE DLL (proc=0xf7592068,module=0xf7580000 L"hal.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
001f:Ret KERNEL32.LoadLibraryW() retval=00540000 ret=7edfb9b9
...
001f:Call driver init 0x547c4b (obj=0x7edff4c0,str=L"\Registry\Machine\System\CurrentControlSet\Services\oreans32")
DbgPrint says: Oreans x32 driver loaded in memory (v1.52)
...
001f:Call ntdll.RtlInitUnicodeString(0053e640,00547de0 L"\Device\oreans32") ret=00547cd6
001f:Ret ntdll.RtlInitUnicodeString() retval=0053e640 ret=00547cd6
001f:Call ntoskrnl.exe.IoCreateDevice(7edff4c0,00000000,0053e640,00000015,00000000,00000000,00547eb8) ret=00547cef
001f:Call ntdll.RtlAllocateHeap(00110000,00000008,000000b8) ret=7ed2e138
001f:Ret ntdll.RtlAllocateHeap() retval=0011aea0 ret=7ed2e138
001f:Ret ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=00547cef
001f:Call ntdll.RtlInitUnicodeString(0053e638,00547e02 L"\DosDevices\oreans32") ret=00547d10
001f:Ret ntdll.RtlInitUnicodeString() retval=0053e638 ret=00547d10
001f:Call ntoskrnl.exe.IoCreateSymbolicLink(0053e638,0053e640) ret=00547d1d
001f:Call ntdll.NtCreateSymbolicLinkObject(0053e5b4,000f0001,0053e59c,0053e640) ret=7ed2e4e6
001f:Ret ntdll.NtCreateSymbolicLinkObject() retval=00000000 ret=7ed2e4e6
001f:Ret ntoskrnl.exe.IoCreateSymbolicLink() retval=00000000 ret=00547d1d
001f:Ret driver init 0x547c4b (obj=0x7edff4c0,str=L"\Registry\Machine\System\CurrentControlSet\Services\oreans32") retval=00000000
...
001f:Call ntoskrnl.exe.wine_ntoskrnl_main_loop(00000038) ret=7edfc909
001f:Call ntdll.RtlAllocateHeap(00110000,00000000,00001000) ret=7ed2cf69
001f:Ret ntdll.RtlAllocateHeap() retval=0011b4d8 ret=7ed2cf69
001f:Call KERNEL32.WaitForMultipleObjects(00000002,0053e894,00000000,ffffffff) ret=7ed2d227
...
0021:Call KERNEL32.__wine_kernel_init() ret=7bc59dbc
000f:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7edb5d3f
...
001f:Call driver dispatch 0x540280 (device=0x11aea0,irp=0x53e760)
001f:Call ntoskrnl.exe.MmIsAddressValid(7ed20000) ret=00546de6
001f:Call KERNEL32.IsBadWritePtr(7ed20000,00000001) ret=7ed306e4
001f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7b882f64 ip=7b882f64 tid=001f
001f:trace:seh:raise_exception info[0]=00000001
001f:trace:seh:raise_exception info[1]=7ed20000
001f:trace:seh:raise_exception eax=7ed20000 ebx=7b8be000 ecx=6c5ac569 edx=00000000 esi=0053e628 edi=0053e5f8
001f:trace:seh:raise_exception ebp=0053e5e8 esp=0053e4f0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010216
001f:trace:seh:call_vectored_handlers calling handler at 0x7ed2c637 code=c0000005 flags=0
001f:trace:seh:call_vectored_handlers handler at 0x7ed2c637 returned 0
001f:trace:seh:call_stack_handlers calling handler at 0x7b88a093 code=c0000005 flags=0
001f:trace:seh:__regs_RtlUnwind code=c0000005 flags=2
001f:trace:seh:__regs_RtlUnwind calling handler at 0x7bc81679 code=c0000005 flags=2
001f:trace:seh:__regs_RtlUnwind handler at 0x7bc81679 returned 1
001f:trace:seh:IsBadWritePtr 0x7ed20000 caused page fault during write
001f:Ret KERNEL32.IsBadWritePtr() retval=00000001 ret=7ed306e4
001f:Ret ntoskrnl.exe.MmIsAddressValid() retval=00000000 ret=00546de6
...
001f:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5414a0 ip=005414a0 tid=001f
001f:trace:seh:raise_exception eax=0011c4e0 ebx=e137e760 ecx=00000000 edx=0053ef8c esi=00548035 edi=0053e760
001f:trace:seh:raise_exception ebp=0053e6e8 esp=0053e6bc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010283
001f:trace:seh:call_vectored_handlers calling handler at 0x7ed2c637 code=c0000096 flags=0
001f:trace:seh:call_vectored_handlers handler at 0x7ed2c637 returned ffffffff
001f:Call ntoskrnl.exe.MmAllocateNonCachedMemory(00002000) ret=00541506
001f:Call KERNEL32.VirtualAlloc(00000000,00002000,00003000,00000204) ret=7ed3038c
001f:Ret KERNEL32.VirtualAlloc() retval=00550000 ret=7ed3038c
001f:Ret ntoskrnl.exe.MmAllocateNonCachedMemory() retval=00550000 ret=00541506
001f:Call ntdll.RtlZeroMemory(00550000,00002000) ret=0054152a
001f:Ret ntdll.RtlZeroMemory() retval=00550000 ret=0054152a
001f:Call ntoskrnl.exe.MmAllocateNonCachedMemory(000007d0) ret=0054163b
001f:Call KERNEL32.VirtualAlloc(00000000,000007d0,00003000,00000204) ret=7ed3038c
001f:Ret KERNEL32.VirtualAlloc() retval=00560000 ret=7ed3038c
001f:Ret ntoskrnl.exe.MmAllocateNonCachedMemory() retval=00560000 ret=0054163b
001f:Call ntdll.RtlZeroMemory(00560000,000007d0) ret=0054175f
001f:Ret ntdll.RtlZeroMemory() retval=00560000 ret=0054175f
001f:Call ntoskrnl.exe.MmAllocateNonCachedMemory(00001000) ret=00541870
001f:Call KERNEL32.VirtualAlloc(00000000,00001000,00003000,00000204) ret=7ed3038c
001f:Ret KERNEL32.VirtualAlloc() retval=00570000 ret=7ed3038c
001f:Ret ntoskrnl.exe.MmAllocateNonCachedMemory() retval=00570000 ret=00541870
001f:Call ntdll.RtlZeroMemory(00570000,00001000) ret=00541990
001f:Ret ntdll.RtlZeroMemory() retval=00570000 ret=00541990
001f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x5462d7 ip=005462d7 tid=001f
001f:trace:seh:raise_exception info[0]=00000000
001f:trace:seh:raise_exception info[1]=c0300004
001f:trace:seh:raise_exception eax=00000004 ebx=52b97b3b ecx=00570000 edx=00571000 esi=00570000 edi=c0300000
001f:trace:seh:raise_exception ebp=0053e6cc esp=0053e6ac cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010287
001f:trace:seh:call_vectored_handlers calling handler at 0x7ed2c637 code=c0000005 flags=0
001f:trace:seh:call_vectored_handlers handler at 0x7ed2c637 returned 0
001f:trace:seh:call_stack_handlers calling handler at 0x7bc9dbe3 code=c0000005 flags=0
001f:Call KERNEL32.UnhandledExceptionFilter(0053e174) ret=7bc9dc1d
001f:trace:seh:start_debugger Starting debugger "winedbg --auto 25 84"
001f:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc9dc1d
001f:trace:seh:call_stack_handlers handler at 0x7bc9dbe3 returned 1
--- snip ---
Tidbit: the kernel driver is heavily obfuscated (though not a problem here)
The last (unhandled) exception results from the driver trying to access self-mapping PDE/PTE from "kernel" space.
GetPdeAddress(va) -> 0xc0300000[va>>20] ; see EDI in exception context
GetPteAddress(va) -> 0xc0000000[va>>10]
It expects many things from Windows kernel being present that Wine can't support by design - at least not without major re-architecturing towards emulation of "kernel space" along with many system (kernel) data structures.
Try VirtualBox or ReactOS if you really need to run this stuff.
$ sha1sum Instalador\ Muargentina\ eX702.exe
847948f9f6e5411757407bdbd8dc5fcef97fca95 Instalador Muargentina eX702.exe

$ du -sh Instalador\ Muargentina\ eX702.exe
708M Instalador Muargentina eX702.exe

$ wine --version
wine-1.7.23
Regards
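
Added example, not part of the original comment and not Wine or Oreans code: a small triage helper that computes the self-map PDE/PTE addresses from the two formulas above and classifies the info[1] fault addresses from the trace. All function names are hypothetical; the shifts are the comment's own, masked so the result is a 4-byte-aligned entry (x86 non-PAE layout assumed).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x86 non-PAE self-map bases used in the comment above. */
#define PTE_BASE 0xC0000000u
#define PDE_BASE 0xC0300000u
enum region { NOT_SELFMAP, PTE_WINDOW, PDE_WINDOW };

/* The comment's va>>20 and va>>10, masked down to a 4-byte-aligned entry. */
uint32_t pde_address(uint32_t va) { return PDE_BASE + ((va >> 20) & 0xFFCu); }
uint32_t pte_address(uint32_t va) { return PTE_BASE + ((va >> 10) & 0x3FFFFCu); }

/* Inverse of pde_address(): first VA of the 4 MiB range a PDE slot covers. */
uint32_t pde_slot_to_va(uint32_t pde) { return ((pde - PDE_BASE) >> 2) << 22; }

/* The 4 KiB page directory sits inside the 4 MiB page-table window. */
enum region classify(uint32_t addr)
{
    if (addr >= PDE_BASE && addr < PDE_BASE + 0x1000u) return PDE_WINDOW;
    if (addr >= PTE_BASE && addr < PTE_BASE + 0x400000u) return PTE_WINDOW;
    return NOT_SELFMAP;
}

/* Extract the faulting address from an "info[1]=" trace line; 0 if absent. */
int fault_address(const char *line, uint32_t *out)
{
    const char *p = strstr(line, "info[1]=");
    char *end;
    if (!p) return 0;
    p += strlen("info[1]=");
    unsigned long v = strtoul(p, &end, 16);
    if (end == p) return 0;
    *out = (uint32_t)v;
    return 1;
}

int main(void)
{
    /* The two info[1] lines from the trace above. */
    const char *lines[] = { "001f:trace:seh:raise_exception info[1]=7ed20000",
                            "001f:trace:seh:raise_exception info[1]=c0300004" };
    for (size_t i = 0; i < 2; i++) {
        uint32_t a;
        if (fault_address(lines[i], &a))
            printf("%08x region=%d\n", (unsigned)a, (int)classify(a));
    }
    return 0;
}
```

The second fault address, c0300004, lands in the page-directory window, and it equals pde_address(0x00540000), the slot for the 4 MiB range that contains the driver's load address reported by LoadLibraryW in the trace.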