https://bugs.winehq.org/show_bug.cgi?id=41469
Anastasius Focht focht@gmx.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://www.gamepressure.com |https://web.archive.org/web
                   |/download.asp?ID=6526       |/20210116162035/https://ds.
                   |                            |thqnordic.com/skiracing/Ski
                   |                            |Racing2005-Demo-Setup1.exe
--- Comment #26 from Anastasius Focht focht@gmx.net ---
Hello folks,

The native msvcr71 override from comment #5 and comment #6 is a secondary issue which is likely fixed by now.

The crash everyone observes has nothing to do with it. It happens in the first process instance, during decryption. The MSVC++ runtime only gets mapped in the second instance of the process that is spawned.
Trace with Wine 6.0:

--- snip ---
...
0024:trace:seh:NtGetContextThread 0xfffffffe: dr0=0069f839 dr1=0069f839 dr2=0069f839 dr3=0069f839 dr6=0000000f dr7=00000155
0024:trace:seh:dispatch_exception code=80000004 flags=0 addr=0069F839 ip=0069f839 tid=0024
0024:trace:seh:dispatch_exception eax=0f28d5f8 ebx=7ffde000 ecx=000001ff edx=5dcdea49 esi=0069e857 edi=006a0323
0024:trace:seh:dispatch_exception ebp=4243484b esp=0031fed4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0024:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=80000004 flags=0
0024:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0024:trace:seh:call_stack_handlers calling handler at 0069EAA2 code=80000004 flags=0
0024:trace:seh:call_stack_handlers handler at 0069EAA2 returned 0
0024:trace:seh:NtGetContextThread 0xfffffffe: dr0=00401234 dr1=00401234 dr2=00401234 dr3=00401234 dr6=00004000 dr7=00000155
0024:trace:seh:dispatch_exception code=80000004 flags=0 addr=006A0D75 ip=006a0d75 tid=0024
0024:trace:seh:dispatch_exception eax=e60ff5fe ebx=7ffde000 ecx=00000000 edx=5dcdea49 esi=0069e857 edi=006a0323
0024:trace:seh:dispatch_exception ebp=002177bb esp=0031fed4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00000246
0024:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=80000004 flags=0
0024:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0024:trace:seh:call_stack_handlers calling handler at 0069EAA2 code=80000004 flags=0
0024:trace:seh:call_stack_handlers handler at 0069EAA2 returned 0
0024:trace:seh:dispatch_exception code=c0000005 flags=0 addr=006A1200 ip=006a1200 tid=0024
0024:trace:seh:dispatch_exception info[0]=00000001
0024:trace:seh:dispatch_exception info[1]=a71233f8
0024:trace:seh:dispatch_exception eax=00000090 ebx=7ffde000 ecx=00000090 edx=ffe98e60 esi=0069e857 edi=006a1200
0024:trace:seh:dispatch_exception ebp=002177bb esp=0031fefc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0024:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=c0000005 flags=0
0024:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0024:trace:seh:call_stack_handlers calling handler at 7BC52730 code=c0000005 flags=0
--- snip ---
vs. Louis' "working" from Wine 2.5 (Staging?):
--- snip ---
...
0009:trace:seh:raise_exception code=80000004 flags=0 addr=0x69f839 ip=0069f839 tid=0009
0009:trace:seh:raise_exception eax=0f28d5f8 ebx=7ffdf000 ecx=000001ff edx=5dcdea49 esi=0069e857 edi=006a0323
0009:trace:seh:raise_exception ebp=4243484b esp=0033fdbc cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00010202
0009:trace:seh:call_stack_handlers calling handler at 0x69eaa2 code=80000004 flags=0
0009:trace:seh:call_stack_handlers handler at 0x69eaa2 returned 0
0009:trace:seh:raise_exception code=80000004 flags=0 addr=0x6a0d75 ip=006a0d75 tid=0009
0009:trace:seh:raise_exception eax=e60ff5fe ebx=7ffdf000 ecx=00000000 edx=5dcdea49 esi=0069e857 edi=006a0323
0009:trace:seh:raise_exception ebp=002177bb esp=0033fdbc cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00000246
0009:trace:seh:call_stack_handlers calling handler at 0x69eaa2 code=80000004 flags=0
0009:trace:seh:call_stack_handlers handler at 0x69eaa2 returned 0
0009:Call KERNEL32.VirtualAlloc(00000000,00003000,00001000,00000040) ret=006a3784
0009:Ret KERNEL32.VirtualAlloc() retval=00340000 ret=006a3784
0009:Call KERNEL32.VirtualAlloc(00000000,00003000,00001000,00000040) ret=006a3c9d
0009:Ret KERNEL32.VirtualAlloc() retval=00350000 ret=006a3c9d
0009:Call KERNEL32.VirtualAlloc(00000000,00001000,00001000,00000040) ret=006a41c6
0009:Ret KERNEL32.VirtualAlloc() retval=00220000 ret=006a41c6
0009:Call KERNEL32.LoadLibraryA(006a649e "kernel32.dll") ret=006a659a
0009:Ret KERNEL32.LoadLibraryA() retval=7b410000 ret=006a659a
0009:Call KERNEL32.LoadLibraryA(006a70d9 "user32.dll") ret=006a70ea
...
0009:Ret KERNEL32.LoadLibraryA() retval=7ec70000 ret=006a70ea
0009:Call KERNEL32.GetUserDefaultLangID() ret=006a7aaf
0009:Ret KERNEL32.GetUserDefaultLangID() retval=00000409 ret=006a7aaf
0009:Call KERNEL32.CreateFileA(006a872e "\\.\SICE",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a873e "\\.\NTICE",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a874e "\\.\SIWVID",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a875e "\\.\REGMON",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a876e "\\.\FILEMON",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a877e "\\.\SIWDEBUG",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
0009:Call KERNEL32.CreateFileA(006a878e "\\.\SIWVIDSTART",80000000,00000001,00000000,00000003,00000080,00000000) ret=006a7af7
0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=006a7af7
...
--- snip ---
I've rebuilt Wine-Staging 2.5 (comment #23) as well and it crashes in the same way. In fact I ran the demo against all Wine 2.x, 3.x, 4.x, 5.x and 6.0 releases and it always crashes with the same crash pattern.
gcc version 10.2.1 20201125 (Red Hat 10.2.1-9)
WINEPREFIX is wiped each time, the demo install directory is reused.

--- snip ---
for ver in 2.{0..22} 3.{0..21} 4.{0..21} 5.{0..22} 6.0 ; do
    echo "#####"
    export WINEPREFIX=~/wineprefix-bug41469 && rm -rf $WINEPREFIX
    export WINEARCH=win32
    wine_register_path $ver
    winetricks nocrashdialog &> /dev/null
    wine ./SR2005_Demo.exe 2>&1 | egrep "(debugger|overflow)"
    wineserver -w
done
--- snip ---
Output:
--- snip ---
#####
Active Wine version: wine-2.0
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 003e), starting debugger...
#####
Active Wine version: wine-2.1
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0047), starting debugger...
#####
Active Wine version: wine-2.2
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0047), starting debugger...
#####
Active Wine version: wine-2.3
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0047), starting debugger...
...
#####
Active Wine version: wine-2.21
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0042), starting debugger...
#####
Active Wine version: wine-2.22
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0042), starting debugger...
#####
Active Wine version: wine-3.0
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0042), starting debugger...
#####
Active Wine version: wine-3.1
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0043), starting debugger...
...
#####
Active Wine version: wine-3.19
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 003e), starting debugger...
#####
Active Wine version: wine-3.20
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 003e), starting debugger...
#####
Active Wine version: wine-3.21
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 003f), starting debugger...
#####
Active Wine version: wine-4.0
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 003e), starting debugger...
#####
Active Wine version: wine-4.1
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0040), starting debugger...
...
#####
Active Wine version: wine-4.20
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 003f), starting debugger...
#####
Active Wine version: wine-4.21
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 0040), starting debugger...
...
#####
Active Wine version: wine-5.0
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 003f), starting debugger...
#####
Active Wine version: wine-5.1
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 003f), starting debugger...
#####
Active Wine version: wine-5.2
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 003f), starting debugger...
#####
...
Active Wine version: wine-5.6
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 003f), starting debugger...
#####
Active Wine version: wine-5.7
#####
Active Wine version: wine-5.8
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 00f8), starting debugger...
#####
Active Wine version: wine-5.9
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 00f8), starting debugger...
...
#####
Active Wine version: wine-5.21
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 019c), starting debugger...
#####
Active Wine version: wine-5.22
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 01a0), starting debugger...
#####
Active Wine version: wine-6.0
wine: Unhandled page fault on write access to A71233F8 at address 006A1200 (thread 019c), starting debugger...
--- snip ---
The only exception is Wine 5.7:
--- snip ---
0009:Starting process L"Z:\home\focht\Downloads\JoWooD\Ski Racing 2005 Demo\SR2005_Demo.exe" (entryproc=0x69d080)
0009:Call ntdll.NtQueryInformationProcess(ffffffff,00000007,0032ff40,00000004,00000000) ret=7b00d224
0009:Ret ntdll.NtQueryInformationProcess() retval=00000000 ret=7b00d224
0009:Call KERNEL32.VirtualProtect(0032f654,000008c0,00000040,0069d056) ret=0069dd30
0009:Call ntdll.NtProtectVirtualMemory(ffffffff,0032f5dc,0032f5e0,00000040,0069d056) ret=7b0231ce
0009:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=7b0231ce
0009:Ret KERNEL32.VirtualProtect() retval=00000001 ret=0069dd30
0009:trace:seh:raise_exception code=c000001d flags=0 addr=0x69f927 ip=0069f927 tid=0009
0009:trace:seh:raise_exception eax=73a70193 ebx=7ffdf000 ecx=00063a00 edx=12345678 esi=0069e857 edi=006a0323
0009:trace:seh:raise_exception ebp=002177bb esp=0032feec cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0009:trace:seh:call_stack_handlers calling handler at 0x69eaa2 code=c000001d flags=0
0009:trace:seh:call_stack_handlers handler at 0x69eaa2 returned 0
--- snip ---

That's due to bug 49011 ("Multiple games and applications cause wineserver crash in Wine 5.7") which broke the Wine 5.7 release for quite a number of apps and games.
I even installed Ubuntu 16.04.1 LTS in a VirtualBox VM and used the original Wine 2.5 and Wine-Staging 2.5 packages from WineHQ, trying to replicate Louis' setup from comment #23. It still crashes in the same way.
--- snip ---
$ wine ./SR2005_Demo.exe
wine: Unhandled page fault on write access to 0xa71233f8 at address 0x6a1200 (thread 0037), starting debugger...
Unhandled exception: page fault on write access to 0xa71233f8 in 32-bit code (0x006a1200).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:006a1200 ESP:0033fde4 EBP:002177bb EFLAGS:00010202(  R- --  I   - - - )
 EAX:00000090 EBX:7ffdf000 ECX:00000090 EDX:ffeb8d48
 ESI:0069e857 EDI:006a1200
Stack dump:
0x0033fde4:  7ffdf000 0069d080 0033fe28 0033fe04
0x0033fdf4:  7ffdf000 7b42943d 7b4629fe 00000000
0x0033fe04:  7b4616d9 7ffdf000 7b4629bc 7b4629bc
0x0033fe14:  7b4629bc 0033fe78 7b46299c 00000002
0x0033fe24:  7b63c000 0033fe78 7b4629bc 7ffdf000
0x0033fe34:  0069d080 7b42943d 7b4629fe 00000000
000c: sel=0067 base=00000000 limit=00000000 32-bit r-x
Backtrace:
=>0 0x006a1200 in sr2005_demo (+0x2a1200) (0x002177bb)
0x006a1200: rorb %cl,0xa6f0bc3d(%ebp)
Modules:
Module   Address            Debug info  Name (19 modules)
PE         400000-  76c000  Export          sr2005_demo
ELF      7b400000-7b7ec000  Deferred        kernel32<elf>
-PE      7b410000-7b7ec000  \               kernel32
ELF      7bc00000-7bd01000  Deferred        ntdll<elf>
-PE      7bc10000-7bd01000  \               ntdll
ELF      7c000000-7c004000  Deferred        <wine-loader>
ELF      7ebd8000-7ebfb000  Deferred        libtinfo.so.5
ELF      7ebfb000-7ec21000  Deferred        libncurses.so.5
ELF      7ef51000-7ef64000  Deferred        libnss_files.so.2
ELF      7ef64000-7ef71000  Deferred        libnss_nis.so.2
ELF      7ef71000-7ef8c000  Deferred        libnsl.so.1
ELF      7ef8c000-7efe1000  Deferred        libm.so.6
ELF      f73e4000-f73e9000  Deferred        libdl.so.2
ELF      f73e9000-f75a0000  Deferred        libc.so.6
ELF      f75a0000-f75bd000  Deferred        libpthread.so.0
ELF      f75d2000-f75dc000  Deferred        libnss_compat.so.2
ELF      f75dc000-f77ab000  Dwarf           libwine.so.1
ELF      f77ac000-f77d1000  Deferred        ld-linux.so.2
ELF      f77d3000-f77d4000  Deferred        [vdso].so
Threads:
process  tid      prio (all id:s are in hex)
...
00000036 (D) Z:\home\vboxuser\Downloads\JoWooD\Ski Racing 2005 Demo\SR2005_Demo.exe
    ["Z:\home\vboxuser\Downloads\JoWooD\Ski Racing 2005 Demo\SR2005_Demo.exe"]
	00000037    0 <==
...
System information:
    Wine build: wine-2.5 (Staging)
    Platform: i386
    Version: Windows XP
    Host system: Linux
    Host version: 4.4.0-200-generic
--- snip ---

To rule out corruption issues with the installer/unpacking process I've checked multiple download sites but they all ended up with the same sha1 of the installer.
'SkiRacing2005-Demo-Setup1.exe':
https://www.virustotal.com/gui/file/a0ba5bfd6337e5257123969da783fac32991bac1...
Installed main binary 'SR2005_Demo.exe':
https://www.virustotal.com/gui/file/2b8cb8a5fcc7388ec6a6f50c8afc9103287c26df...
The protection code uses various obfuscation and anti-debugging tricks that work even on older Wine versions.
Some techniques are incompatible with modern Windows OS though. For example, it writes/executes decryption routines on the stack, which is a no-go for DEP-enabled systems. It also places code in the "invisible" area above the current top of stack (ESP), a technique which in the past caused problems with Wine's signal stack / exception context saving.

--- snip ---
decrypt_timing_calc_routine:
...
0031FD6C | F2:89EA           | mov edx,ebp                        |
0031FD6F | C6C2 FB           | mov dl,FB                          |
0031FD72 | 2E64:89FB         | mov ebx,edi                        |
0031FD76 | 61                | popad                              |
0031FD77 | 304C31 FF         | xor byte ptr ds:[ecx+esi-1],cl     |
0031FD7B | E2 FA             | loop 31FD77                        |
0031FD7D | 60                | pushad                             |
0031FD7E | B2 0A             | mov dl,A                           |
0031FD80 | 88EB              | mov bl,ch                          |
0031FD82 | 8D0D 72C17C07     | lea ecx,dword ptr ds:[77CC172]     |
0031FD88 | 8D35 3191D74E     | lea esi,dword ptr ds:[4ED79131]    |
0031FD8E | C7C0 5AA8488F     | mov eax,8F48A85A                   |
0031FD94 | B1 F9             | mov cl,F9                          |
0031FD96 | F2:88E2           | mov dl,ah                          |
0031FD99 | 64:C6C2 8A        | mov dl,8A                          |
0031FD9D | C7C0 0B830329     | mov eax,2903830B                   |
0031FDA3 | 64:8D05 6F7853C7  | lea eax,dword ptr ds:[C753786F]    |
0031FDAA | C6C6 18           | mov dh,18                          |
0031FDAD | 8D05 CB71DD34     | lea eax,dword ptr ds:[34DD71CB]    |
0031FDB3 | F22E:B5 91        | mov ch,91                          |
0031FDB7 | C6C5 36           | mov ch,36                          |
0031FDBA | F2:88E7           | mov bh,ah                          |
0031FDBD | 2664:BA 0A1C6679  | mov edx,79661C0A                   |
0031FDC4 | EB 01             | jmp 31FDC7                         |
...
0031FE59 | B3 1F             | mov bl,1F                          |
0031FE5B | 89EF              | mov edi,ebp                        |
0031FE5D | B3 15             | mov bl,15                          |
0031FE5F | 61                | popad                              |
0031FE60 | FFE6              | jmp esi                            | 0x0069E857
...
do_execution_timing_checks:
0069E857 | 60                | pushad                             |
0069E858 | B8 22527CF4       | mov eax,F47C5222                   |
0069E85D | BB 0C3EAEF1       | mov ebx,F1AE3E0C                   |
0069E862 | BA C655E8EE       | mov edx,EEE855C6                   |
0069E867 | E8 07000000       | call sr2005_demo.69E873            |
0069E86C | E8 02000000       | call sr2005_demo.69E873            |
0069E871 | FF25 60B90500     | jmp dword ptr ds:[5B960]           |
...
--- snip ---

--- snip ---
EAX : 7FFDE030
EBX : 7FFDE000
ECX : 00000155
EDX : FFE98E98
EBP : 002177BB
ESP : 0031FF34
ESI : 0069E857     sr2005_demo.0069E857
EDI : 0031FBE3
EIP : 0031FD77
EFLAGS : 00010202
ZF : 0  OF : 0  CF : 0  PF : 0  SF : 0  TF : 0  AF : 0  DF : 0  IF : 1
LastError : 80000001
LastStatus : 80000001
GS : 006B     sr2005_demo.63006B
ES : 002B
CS : 0023
FS : 0063
DS : 002B
SS : 002B
--- snip ---
EIP = 0031FD77, ESP = 0031FF34 (current top)

See bug 28089 ("exception handling code touches stack for exceptions handled by the debugger"). Interestingly there was still enough space between the context save and the bottom part of the decryption routine to not get corrupted.
---
There are also instruction execution timing related checks, but the threshold seems large enough not to trigger misbehaviour when run without debuggers.
Anti-debug timing measurements:
--- snip ---
0069E85D | mov ebx,F1AE3E0C                  |
0069E862 | mov edx,EEE855C6                  |
0069E867 | call sr2005_demo.69E873           |
0069E86C | call sr2005_demo.69E873           |
0069E871 | jmp dword ptr ds:[5B960]          | *boom*
...
0069E873 | pushad                            |
0069E874 | mov ecx,5                         | timing loop_count = 5
0069E879 | call sr2005_demo.69E87F           |
...
0069E87F | add dword ptr ss:[esp],7          |
0069E883 | ret                               |
...
timing_loop:
0069E885 | rdtsc                             | start
0069E887 | call sr2005_demo.69E88D           |
...
0069E88D | add dword ptr ss:[esp],7          | continuation
0069E891 | ret                               |
...
0069E893 | mov ebx,eax                       | Start.LowPart
0069E895 | call sr2005_demo.69E89B           |
...
0069E89B | add dword ptr ss:[esp],7          | continuation
0069E89F | ret                               |
...
0069E8A1 | rdtsc                             | stop
0069E8A3 | call sr2005_demo.69E8A9           |
...
0069E8A9 | add dword ptr ss:[esp],7          | continuation
0069E8AD | ret                               |
...
0069E8AF | sub eax,ebx                       | End.LowPart
0069E8B1 | call sr2005_demo.69E8B7           |
...
0069E8B7 | add dword ptr ss:[esp],7          | continuation
0069E8BB | ret                               |
...
0069E8BD | and eax,FFFF0000                  | elapsed ticks > 0xffff?
0069E8C2 | call sr2005_demo.69E8C8           |
...
0069E8C8 | add dword ptr ss:[esp],7          |
0069E8CC | ret                               |
...
0069E8CE | cmp eax,0                         |
0069E8D1 | je sr2005_demo.69E8F1             | no debug
0069E8D3 | call sr2005_demo.69E8D9           |
...
0069E8D9 | add dword ptr ss:[esp],7          | continuation
0069E8DD | ret                               |
...
0069E8DF | dec ecx                           | loop_count
0069E8E0 | jne sr2005_demo.69E885            | timing_loop
0069E8E2 | call sr2005_demo.69E8E8           |
...
0069E8E8 | add dword ptr ss:[esp],7          | continuation
0069E8EC | ret                               |
...
0069E8EE | popad                             |
0069E8EF | ret                               |
...
no_debug:
0069E8F1 | popad                             |
0069E8F2 | call sr2005_demo.69E8F8           |
...
0069E8F8 | add dword ptr ss:[esp],7          | continuation
0069E8FC | ret                               |
...
0069E8FE | add dword ptr ss:[esp],9A         | continuation
0069E905 | ret                               |
...
0069E906 | call sr2005_demo.69E917           |
...
0069E917 | call sr2005_demo.69E90D           |
...
0069E90D | jmp sr2005_demo.69E920            |
...
0069E920 | ret 4                             |
...
0069E91C | jmp sr2005_demo.69E911            |
...
0069E911 | jmp sr2005_demo.69E925            |
...
decrypt_next_routine:
0069E925 | mov ecx,65529                     |
0069E92A | lea esi,dword ptr ss:[ebp+4871F1] |
0069E930 | call sr2005_demo.69E941           |
0069E935 | jmp E97BD52B                      |
...
--- snip ---
The decryption uses hardware breakpoints by design.
I've compared the exception context register values up to the crash site from Louis' "good run" in comment #22 and Wine 6.0. All relevant register "seed" values seem to match in each decrypt iteration. The crash site contains an invalid opcode, indicating something went wrong in the last decryption process or in the previous chain (different jump destination). Although still obfuscated, the overall decrypted code doesn't seem systematically wrong. There are still sequences that resemble previous decryption routines (chained decryption).
Summarizing:
No one except Louis managed to run the demo; at that time he used Ubuntu LTS 16.04.1 with prebuilt Wine 2.5 and Wine-Staging 2.5 (comment #23). I couldn't replicate his observation with the same software environment in a VM. The demo doesn't run on Windows XP and Windows Vista according to comment #18 (albeit in a VM).
I can't completely rule out that a VM might somehow play a role. But from what I've seen so far, the protection doesn't have code for detecting Virtualization / Hypervisor presence (backdoor, timing analysis other than anti-debug, certain privileged instructions, registry).
If someone has a machine with Windows XP/Windows 7 or old Ubuntu 16.04 LTS not being run as a virtualized guest, it would be nice to know if the demo runs there. Then there might be a chance to figure out what's going on. Although somewhat challenging, I don't want to spend multiple days on this since no other app/game wrapped with JoWood X-Prot has been reported to be affected as well.

$ sha1sum SkiRacing2005-Demo-Setup1.exe
d7684789b7de45fb909fc11846f5a1f24fd7d7cc  SkiRacing2005-Demo-Setup1.exe

$ du -sh SkiRacing2005-Demo-Setup1.exe
42M     SkiRacing2005-Demo-Setup1.exe

$ wine --version
wine-6.0-40-g00401d22782
Regards
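Added example (not part of the bug report or of Wine): a small Python script that automates the run-to-run comparison of exception contexts described in the comment above. It parses +seh trace lines from both Wine generations (dispatch_exception in 6.0, raise_exception in 2.x), names the NT status codes, and reports the first exception at which two runs diverge in code, address or the seed registers; the embedded traces are the first exceptions of the two snippets quoted above, and the SEED_REGS choice (leaving out ebx and esp) is this example's assumption.

```python
import re

# Wine 6.0 logs "dispatch_exception", Wine 2.x logs "raise_exception"; both print
# one "code=... addr=..." line followed by register lines for the same exception.
EVENT_RE = re.compile(
    r"trace:seh:(?:dispatch|raise)_exception code=([0-9a-fA-F]+) flags=\d+ addr=(?:0x)?([0-9a-fA-F]+)")
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp)=([0-9a-fA-F]{8})")
STATUS_NAMES = {0x80000004: "STATUS_SINGLE_STEP", 0xC0000005: "STATUS_ACCESS_VIOLATION",
                0xC000001D: "STATUS_ILLEGAL_INSTRUCTION"}
# ebx (PEB pointer) and esp legitimately differ between prefixes/builds, so by
# default only the registers the decryptor seeds are compared (assumption).
SEED_REGS = ("eax", "ecx", "edx", "esi", "edi", "ebp")

# Constructed sample input: the first exceptions of the two traces quoted above.
TRACE_WINE60 = """\
0024:trace:seh:dispatch_exception code=80000004 flags=0 addr=0069F839 ip=0069f839 tid=0024
0024:trace:seh:dispatch_exception eax=0f28d5f8 ebx=7ffde000 ecx=000001ff edx=5dcdea49 esi=0069e857 edi=006a0323
0024:trace:seh:dispatch_exception ebp=4243484b esp=0031fed4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0024:trace:seh:dispatch_exception code=80000004 flags=0 addr=006A0D75 ip=006a0d75 tid=0024
0024:trace:seh:dispatch_exception eax=e60ff5fe ebx=7ffde000 ecx=00000000 edx=5dcdea49 esi=0069e857 edi=006a0323
0024:trace:seh:dispatch_exception ebp=002177bb esp=0031fed4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00000246
0024:trace:seh:dispatch_exception code=c0000005 flags=0 addr=006A1200 ip=006a1200 tid=0024
0024:trace:seh:dispatch_exception eax=00000090 ebx=7ffde000 ecx=00000090 edx=ffe98e60 esi=0069e857 edi=006a1200
0024:trace:seh:dispatch_exception ebp=002177bb esp=0031fefc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
"""
TRACE_WINE25 = """\
0009:trace:seh:raise_exception code=80000004 flags=0 addr=0x69f839 ip=0069f839 tid=0009
0009:trace:seh:raise_exception eax=0f28d5f8 ebx=7ffdf000 ecx=000001ff edx=5dcdea49 esi=0069e857 edi=006a0323
0009:trace:seh:raise_exception ebp=4243484b esp=0033fdbc cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00010202
0009:trace:seh:raise_exception code=80000004 flags=0 addr=0x6a0d75 ip=006a0d75 tid=0009
0009:trace:seh:raise_exception eax=e60ff5fe ebx=7ffdf000 ecx=00000000 edx=5dcdea49 esi=0069e857 edi=006a0323
0009:trace:seh:raise_exception ebp=002177bb esp=0033fdbc cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00000246
0009:Call KERNEL32.VirtualAlloc(00000000,00003000,00001000,00000040) ret=006a3784
"""

def parse_seh_trace(text):
    """Return one dict per exception: code, addr and the registers logged for it."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append({"code": int(m.group(1), 16), "addr": int(m.group(2), 16), "regs": {}})
        elif events and "_exception " in line:  # register line(s) of the current exception
            for reg, val in REG_RE.findall(line):
                events[-1]["regs"][reg] = int(val, 16)
    return events

def summarize(events):
    """Exception chain in one line each: 80000004 (single-step) = hardware breakpoint hit."""
    return ["#%d %08x %s @ 0x%08x" % (i, e["code"], STATUS_NAMES.get(e["code"], "?"), e["addr"])
            for i, e in enumerate(events)]

def first_divergence(a, b, regs=SEED_REGS):
    """First exception where runs a and b disagree as (index, field, value_a, value_b),
    None when they match; a run that ends early reports None for its missing value."""
    for i, (ea, eb) in enumerate(zip(a, b)):
        for field in ("code", "addr"):
            if ea[field] != eb[field]:
                return (i, field, ea[field], eb[field])
        for r in regs:
            if ea["regs"].get(r) != eb["regs"].get(r):
                return (i, r, ea["regs"].get(r), eb["regs"].get(r))
    if len(a) != len(b):
        i = min(len(a), len(b))
        return (i, "code", a[i]["code"] if i < len(a) else None, b[i]["code"] if i < len(b) else None)
    return None
```

Run the two parsed traces through first_divergence(good, bad) to get (2, "code", None, 0xC0000005): the seeds of both single-step iterations agree and the Wine 6.0 run only diverges at the access violation itself, which is the observation made by hand above.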