http://bugs.winehq.org/show_bug.cgi?id=30220
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |hardware, obfuscation
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht@gmx.net
          Component|-unknown                    |ntoskrnl
            Summary|Unhandled Priveleged        |Unhandled privileged
                   |instruction when starting   |instruction when starting
                   |Minitab 16                  |Minitab 16 (Sentinel HASP
                   |                            |hardlock.sys kernel driver
                   |                            |tries to write to CR4/not
                   |                            |handled in ntoskrnl
                   |                            |emulate_instruction)
     Ever Confirmed|0                           |1
--- Comment #3 from Anastasius Focht focht@gmx.net 2012-03-20 15:21:04 CDT ---
Hello,
confirming.
The kernel driver tries to write to CR4 which is a privileged instruction and not (yet) emulated by Wine.
--- snip ---
000f:Call KERNEL32.CreateProcessW(00000000,00118968 L"C:\windows\system32\winedevice.exe hardlock",00000000,00000000,00000000,00000400,00540000,00000000,0033fc58,0033fc9c) ret=7eda060b
...
000f:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7eda060b
...
0019:Call KERNEL32.LoadLibraryW(0011ab48 L"C:\windows\system32\drivers\hardlock.sys") ret=7effc932
...
0019:Ret KERNEL32.LoadLibraryW() retval=00540000 ret=7effc932
...
0019:Call driver init 0x5cac20 (obj=0x7efff9a0,str=L"\Registry\Machine\System\CurrentControlSet\Services\hardlock")
...
0019:Ret ntoskrnl.exe.KeInitializeMutex() retval=00000038 ret=00556cff
0019:Call ntoskrnl.exe.KeWaitForSingleObject(005b4a80,00000000,00000000,00000000,00000000) ret=005c1707
0019:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x5b4a80, 0, 0, 0, (nil)
0019:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=005c1707
0019:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5adf51 ip=005adf51 tid=0019
0019:trace:seh:raise_exception eax=00000001 ebx=00000000 ecx=00000000 edx=0053ef48 esi=00000019 edi=0053e5e4
0019:trace:seh:raise_exception ebp=0053e608 esp=0053e530 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0019:trace:seh:call_vectored_handlers calling handler at 0x7ed1e496 code=c0000096 flags=0
0019:trace:seh:call_vectored_handlers handler at 0x7ed1e496 returned ffffffff
0019:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5adf59 ip=005adf59 tid=0019
0019:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=00000000 edx=0053ef48 esi=00000019 edi=0053e5e4
0019:trace:seh:raise_exception ebp=0053e608 esp=0053e530 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0019:trace:seh:call_vectored_handlers calling handler at 0x7ed1e496 code=c0000096 flags=0
0019:trace:seh:call_vectored_handlers handler at 0x7ed1e496 returned 0
0019:trace:seh:call_stack_handlers calling handler at 0x7bc92029 code=c0000096 flags=0
0019:Call KERNEL32.UnhandledExceptionFilter(0053e008) ret=7bc92063
wine: Unhandled privileged instruction at address 0x5adf59 (thread 0019), starting debugger...
--- snip ---
The driver contains mostly obfuscated code, debugging reveals:
--- snip ---
005ADF50  50            PUSH EAX
005ADF51  0F20E0        MOV EAX,CR4       ; privileged instruction (emulated)
005ADF54  25 F7FFFFFF   AND EAX,FFFFFFF7
005ADF59  0F22E0        MOV CR4,EAX       ; privileged instruction (not handled)
005ADF5C  58            POP EAX
005ADF5D  C3            RETN
--- snip ---
The read of CR4 is trapped/emulated by Wine, the CR4 write is not, causing an unhandled exception.
It seems the kernel driver tries to cancel out CR4.DE (bit 3), which is "Debugging Extensions".
--- quote ---
I/O breakpoints, including the CR4.DE bit for enabling debug extensions and optional trapping of access to the DR4 and DR5 registers.
--- quote ---
Code: http://source.winehq.org/git/wine.git/blob/57e4e608dcd73b36f1084e0cfcb7cf092...
--- snip ---
249 static DWORD emulate_instruction( EXCEPTION_RECORD *rec, CONTEXT *context )
250 {
...
310     switch(*instr)
311     {
312     case 0x0f: /* extended instruction */
313         switch(instr[1])
314         {
315         case 0x22: /* mov eax, crX */
316             switch (instr[2])
317             {
318             case 0xc0:
319                 TRACE("mov eax,cr0 at 0x%08x, EAX=0x%08x\n", context->Eip,context->Eax );
320                 context->Eip += prefixlen+3;
321                 return ExceptionContinueExecution;
322             default:
323                 break; /*fallthrough to bad instruction handling */
324             }
325             break; /*fallthrough to bad instruction handling */
...
409     }
410     return ExceptionContinueSearch;  /* Unable to emulate it */
411 }
412
--- snip ---
$ du -sh mtben1610su.exe
93M     mtben1610su.exe

$ sha1sum mtben1610su.exe
3d4d2ead508e6f930583701a335e5db8f9d40b17  mtben1610su.exe

$ wine --version
wine-1.5.0
Regards
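Added example (not part of the bug report and not Wine's code): a small C decoder for the "0F 20 /r" and "0F 22 /r" control-register moves seen in the disassembly above, generalised to any CRn/register pair rather than just the E0 and C0 ModRM bytes the report shows. HARDLOCK_STUB is the byte sequence transcribed from the disassembly; wine_snippet_emulates() encodes only the coverage stated in the comment and quoted snippet (CR4 read emulated, CR0 write emulated, CR4 write unhandled) and is an assumption about those lines, not about the complete Wine function.

```c
#include <stdint.h>
#include <stddef.h>

#define CR4_DE (1u << 3)   /* CR4.DE, "Debugging Extensions" */

/* Bytes of the stub at 005ADF50, transcribed from the disassembly in the report. */
static const uint8_t HARDLOCK_STUB[] = {
    0x50,                         /* push eax            */
    0x0f, 0x20, 0xe0,             /* mov eax, cr4        */
    0x25, 0xf7, 0xff, 0xff, 0xff, /* and eax, 0xfffffff7 */
    0x0f, 0x22, 0xe0,             /* mov cr4, eax        */
    0x58,                         /* pop eax             */
    0xc3                          /* retn                */
};

typedef struct {
    int valid;    /* 1 if the bytes encode a control-register move */
    int is_write; /* 1 = 0F 22 (mov crN, r32), 0 = 0F 20 (mov r32, crN) */
    int cr;       /* control register number from ModRM.reg (bits 5:3) */
    int gpr;      /* general register from ModRM.rm (bits 2:0), 0 = EAX */
} cr_move;

/* Decode "0F 20 /r" and "0F 22 /r"; only the register form (ModRM.mod == 11b) exists. */
cr_move decode_cr_move(const uint8_t *p, size_t n)
{
    cr_move r = {0, 0, 0, 0};
    if (n < 3 || p[0] != 0x0f || (p[1] != 0x20 && p[1] != 0x22)) return r;
    if ((p[2] >> 6) != 3) return r;
    r.valid = 1;
    r.is_write = (p[1] == 0x22);
    r.cr = (p[2] >> 3) & 7;
    r.gpr = p[2] & 7;
    return r;
}

/* Coverage as the report describes it: the CR4 read is emulated, and the quoted
 * emulate_instruction case handles only 0F 22 C0 (mov cr0, eax) on the write side.
 * Assumption drawn from the quoted lines, not from the complete Wine function. */
int wine_snippet_emulates(cr_move m)
{
    if (!m.valid || m.gpr != 0) return 0;
    if (!m.is_write && m.cr == 4) return 1;  /* 0F 20 E0 */
    if (m.is_write && m.cr == 0) return 1;   /* 0F 22 C0 */
    return 0;
}

/* The driver's "and eax, 0xfffffff7" keeps every bit but bit 3: does a mask drop CR4.DE? */
int mask_clears_de(uint32_t mask) { return (mask & CR4_DE) == 0; }
uint32_t apply_mask(uint32_t cr4, uint32_t mask) { return cr4 & mask; }
```

Running the decoder over offsets 1 and 9 of HARDLOCK_STUB reproduces the report's split: the read at 005ADF51 decodes as emulated, the write at 005ADF59 falls through as unhandled.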