https://bugs.winehq.org/show_bug.cgi?id=43548
Anastasius Focht focht@gmx.net changed:
What            |Removed |Added
----------------------------------------------------------------------------
Component       |-unknown |ntdll
Status          |NEW |RESOLVED
CC              | |focht@gmx.net
Staged patchset | |https://github.com/wine-staging/wine-staging/tree/master/patches/winebuild-Fake_Dlls
Resolution      |--- |DUPLICATE
Summary         |Enigma Virtual Box crashes on start (protected with Enigma Protector) |Enigma Protector 4.x-5.x protected apps crash on startup, native API sandbox scheme needs syscall thunks in ntdll.dll (Enigma Virtual Box 7.x)
URL             |http://enigmaprotector.com/assets/files/enigmavb.exe |https://web.archive.org/web/20170703085231/http://enigmaprotector.com/assets/files/enigmavb.exe
Keywords        | |obfuscation
--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello folks,
well, the protection/sandbox scheme hooks native API and can't cope with Wine's standard API entry layout in ntdll.
Running with +relay works around it because there is enough padding with NOPs in relay thunks.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/Enigma Virtual Box
$ WINEDEBUG=+seh,+server,+loaddll,+process,+ntdll wine ./enigmavb.exe >>log.txt 2>&1
...
0009: create_event( access=001f0003, manual_reset=0, initial_state=0, objattr={rootdir=0020,attributes=00000080,sd={},name=L"EVB_555FA5C66290D8E3_00000008"} )
0009: create_event() = 0 { handle=00d8 }
0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc97365 ip=7bc97365 tid=0009
0009:trace:seh:raise_exception info[0]=00000000
0009:trace:seh:raise_exception info[1]=ffffffff
0009:trace:seh:raise_exception eax=006fe10a ebx=0032fd01 ecx=0032fb88 edx=00020019 esi=0032fc10 edi=0032fc08
0009:trace:seh:raise_exception ebp=0032fbb8 esp=0032fb80 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0009:trace:seh:call_stack_handlers calling handler at 0xbb81c5 code=c0000005 flags=0
0009:trace:seh:call_stack_handlers handler at 0xbb81c5 returned 1
0009:trace:seh:call_stack_handlers calling handler at 0x6f026d code=c0000005 flags=0
0009:trace:seh:__regs_RtlUnwind code=c0000005 flags=2
0009:trace:seh:__regs_RtlUnwind eax=00000000 ebx=0032f7a0 ecx=7bc97365 edx=0032fe74 esi=0032f85c edi=0032fe74
0009:trace:seh:__regs_RtlUnwind ebp=0032f7b8 esp=0032f76c eip=0066f614 cs=0023 ds=002b fs=0063 gs=006b flags=00000246
0009:trace:seh:__regs_RtlUnwind calling handler at 0x7bcac5f0 code=c0000005 flags=2
0009:trace:seh:__regs_RtlUnwind handler at 0x7bcac5f0 returned 1
0009:trace:seh:__regs_RtlUnwind calling handler at 0xbb81c5 code=c0000005 flags=2
0009:trace:seh:__regs_RtlUnwind handler at 0x66f820 returned 1
0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc977c5 ip=7bc977c5 tid=0009
0009:trace:seh:raise_exception info[0]=00000000
0009:trace:seh:raise_exception info[1]=ffffffff
0009:trace:seh:raise_exception eax=006fe152 ebx=00000001 ecx=0032eb1c edx=00000002 esi=00000100 edi=0032ebbc
0009:trace:seh:raise_exception ebp=0032eb38 esp=0032eb10 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0009:trace:seh:call_stack_handlers calling handler at 0x66f640 code=c0000005 flags=0
0009:trace:seh:call_stack_handlers handler at 0x66f640 returned 1
0009:trace:seh:call_stack_handlers calling handler at 0x6f037a code=c0000005 flags=0
0009:trace:seh:call_stack_handlers handler at 0x6f037a returned 1
0009:trace:seh:call_stack_handlers calling handler at 0x7b483580 code=c0000005 flags=0
0009: create_event( access=001f0003, manual_reset=1, initial_state=0, objattr={rootdir=0000,attributes=00000002,sd={},name=L""} )
0009: create_event() = 0 { handle=00dc }
0009:trace:ntdll:pf_vsnprintf format is L"Unhandled page fault on %s access to %p"
0009:trace:ntdll:pf_vsnprintf format is L" at address %p"
0009:trace:ntdll:pf_vsnprintf format is L"wine: %s (thread %04x), starting debugger...\n"
--- snip ---
'ntdll.NtOpenKey':
--- snip ---
7BC97360  8D4C24 04         LEA ECX,[ESP+4]
7BC97364  83E4 F0           AND ESP,FFFFFFF0
7BC97367  FF71 FC           PUSH DWORD PTR DS:[ECX-4]
7BC9736A  55                PUSH EBP
7BC9736B  89E5              MOV EBP,ESP
7BC9736D  51                PUSH ECX
7BC9736E  83EC 10           SUB ESP,10
7BC97371  8B01              MOV EAX,DWORD PTR DS:[ECX]
7BC97373  8B51 04           MOV EDX,DWORD PTR DS:[ECX+4]
7BC97376  8B49 08           MOV ECX,DWORD PTR DS:[ECX+8]
7BC97379  6A 00             PUSH 0
7BC9737B  E8 20FAFFFF       CALL 7BC96DA0
7BC97380  8B4D FC           MOV ECX,DWORD PTR SS:[EBP-4]
7BC97383  C9                LEAVE
7BC97384  8D61 FC           LEA ESP,[ECX-4]
7BC97387  C2 0C00           RETN 0C
--- snip ---
Hooked 'ntdll.NtOpenKey':
--- snip ---
7BC97360  E9 9FC9A384       JMP 006D3D04
7BC97365  E4 F0             IN AL,0F0
7BC97367  FF71 FC           PUSH DWORD PTR DS:[ECX-4]
7BC9736A  55                PUSH EBP
--- snip ---
This is obviously not going to work.
Wine-Staging ntdll syscall thunk:
--- snip ---
7BC51560  B8 56000000       MOV EAX,56
7BC51565  64:FF15 C0000000  CALL DWORD PTR FS:[0C0]
7BC5156C  C2 0C00           RETN 0C
--- snip ---
Resolving as dupe of bug 21232
$ sha1sum enigmavb.exe
c968a2344bfde24e2e12b3a3b435b5a15dd634c3 enigmavb.exe
$ du -sh enigmavb.exe
7.5M enigmavb.exe
$ wine-4.19-182-g070cfc358c
Regards
*** This bug has been marked as a duplicate of bug 21232 ***
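Added example, not part of the original comment and not code from Wine or Enigma: a minimal x86-32 length decoder, covering only the opcodes that appear in the listings above, that reports where the first instruction boundary falls at or after a 5-byte JMP patch. The names first_boundary, wine_ntopenkey and staging_thunk are illustrative; the byte arrays are copied from the two listings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Entry bytes copied from the 'ntdll.NtOpenKey' and Wine-Staging thunk listings. */
static const uint8_t wine_ntopenkey[] = {
    0x8D,0x4C,0x24,0x04, 0x83,0xE4,0xF0, 0xFF,0x71,0xFC, 0x55, 0x89,0xE5 };
static const uint8_t staging_thunk[] = {
    0xB8,0x56,0x00,0x00,0x00, 0x64,0xFF,0x15,0xC0,0x00,0x00,0x00, 0xC2,0x0C,0x00 };

/* Size of ModRM + optional SIB + displacement (32-bit addressing). */
static size_t modrm_len(const uint8_t *p) {
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t n = 1;
    if (mod == 3) return n;                      /* register operand */
    if (rm == 4) n += (mod == 0 && (p[1] & 7) == 5) ? 5 : 1;  /* SIB (+disp32) */
    if (mod == 0 && rm == 5) n += 4;             /* bare disp32 */
    if (mod == 1) n += 1; else if (mod == 2) n += 4;          /* disp8 / disp32 */
    return n;
}

/* Length of one instruction; 0 for opcodes outside this small subset. */
static size_t insn_len(const uint8_t *p) {
    size_t pre = (p[0] == 0x64);                 /* FS segment override */
    uint8_t op = p[pre];
    if ((op & 0xF0) == 0x50 || op == 0xC9) return pre + 1;    /* PUSH/POP r32, LEAVE */
    if (op == 0x6A) return pre + 2;              /* PUSH imm8 */
    if (op == 0xC2) return pre + 3;              /* RETN imm16 */
    if ((op & 0xF8) == 0xB8 || op == 0xE8 || op == 0xE9) return pre + 5;  /* imm32/rel32 */
    if (op == 0x83) return pre + 2 + modrm_len(p + pre + 1);  /* opcode + imm8 */
    if (op == 0x89 || op == 0x8B || op == 0x8D || op == 0xFF) return pre + 1 + modrm_len(p + pre + 1);
    return 0;
}

/* First instruction boundary at or past patch_len; 0 if not decodable. */
size_t first_boundary(const uint8_t *code, size_t size, size_t patch_len) {
    size_t off = 0;
    while (off < patch_len) {
        if (size - off < 4) return 0;            /* decoder looks at up to 4 bytes */
        size_t n = insn_len(code + off);
        if (n == 0 || off + n > size) return 0;
        off += n;
    }
    return off;
}

int main(void) {
    printf("NtOpenKey boundary: +%zu\n", first_boundary(wine_ntopenkey, sizeof wine_ntopenkey, 5));
    printf("syscall thunk boundary: +%zu\n", first_boundary(staging_thunk, sizeof staging_thunk, 5));
    return 0;
}
```

For the Wine entry the boundary is at +7, so the bytes E4 F0 left at +5 are what decodes as the stray IN at 7BC97365 where the trace faults; for the syscall thunk the boundary is exactly +5.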