https://bugs.winehq.org/show_bug.cgi?id=37087
Bug ID: 37087
Summary: Gothic 2 english Demo still fails with > "Conflict: a hook process was found. ..."
Product: Wine
Version: 1.7.24
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Hello folks,
split off from bug 9216
https://bugs.winehq.org/show_bug.cgi?id=9216#c9
https://bugs.winehq.org/show_bug.cgi?id=9216#c11
--- quote ---
The German Demo version works fine but the English Demo still fails with "Conflict: a hook process was found. ...". Someone reported this in the AppDB. I tested this with 1.2-rc5 and 1.7.24, both show the same error, so maybe Austin/James/Mat used the German Demo? I wanted to test 1.1.29 as well but it didn't compile.
AppDB entry: http://appdb.winehq.org/objectManager.php?sClass=version&iId=21455&i...
I'll also attach a log with +relay,+seh,+tid without having any idea if it's helpful. Console is without any output otherwise.
I think this is not an issue in any full version of the game.
--- quote ---
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, obfuscation
                URL|                            |http://www.fileplanet.com/1
                   |                            |51400/150000/fileinfo/Gothi
                   |                            |c-II-Demo-
            Summary|Gothic 2 english Demo still |Gothic 2 english demo fails
                   |fails with > "Conflict: a   |with 'Conflict: a hook
                   |hook process was found.     |process was found. Please
                   |..."                        |deactivate all Antivirus
                   |                            |and Anti-Trojan programs
                   |                            |and debuggers.'
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
whoops, I hit submit too early - but here it goes...
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/JoWooD/Gothic II Demo/system

$ WINEDEBUG=+tid,+seh,+relay,+server wine ./Gothic2.exe >>log.txt 2>&1
...
wineserver: starting (pid=22736)
0008: *fd* 01c8 -> 20
0009: *fd* 6 <- 20
0009: init_thread( unix_pid=22733, unix_tid=22733, debug_level=1, teb=7ffd8000, entry=7ffdf000, reply_fd=6, wait_fd=8, cpu=x86 )
0009: *fd* 8 <- 21
0009: init_thread() = 0 { pid=0008, tid=0009, server_start=1cfb4be9e26f010 (-0.0001500), info_size=0, version=456, all_cpus=00000001 }
0009: *fd* 1 <- 22
...
0009:Call KERNEL32.CreateProcessA(00000000,01560000 ""C:\Program Files\JoWooD\Gothic II Demo\system\Gothic2.exe" \t",00000000,00000000,00000000,00000004,00000000,00000000,4f8aee2f,4f8aee2b) ret=00a7b004
...
0009: new_process( inherit_all=0, create_flags=00000004, socket_fd=12, exe_file=003c, process_access=001fffff, process_attr=00000000, thread_access=001fffff, thread_attr=00000000, cpu=x86, info_size=838, info={debug_flags=0,console_flags=0,console=0000,hstdin=0018,hstdout=0004,hstderr=0008, ... )
0009: *fd* 01c8 -> 95
0009: new_process() = 0 { info=0044, pid=0022, phandle=0048, tid=0023, thandle=004c }
0009: get_handle_fd( handle=0004 )
0009: *fd* 0004 -> 22
0009: get_handle_fd() = 0 { type=1, cacheable=1, access=00120116, options=00000020 }
0009: select( flags=2, cookie=0134f2bc, timeout=infinite, prev_apc=0000, result={}, data={WAIT,handles={0044}} )
0009: select() = PENDING { timeout=infinite, call={APC_NONE}, apc_handle=0000 }
0023: *fd* 5 <- 29
0023: init_thread( unix_pid=22762, unix_tid=22762, debug_level=1, teb=7ffd8000, entry=7ffdf000, reply_fd=5, wait_fd=7, cpu=x86 )
0023: *fd* 7 <- 95
0023: init_thread() = 0 { pid=0022, tid=0023, server_start=1cfb4be9e26f010 (-1.3682260), info_size=9818, version=456, all_cpus=00000001 }
...
0023:Call KERNEL32.__wine_kernel_init() ret=7bc59dbc
...
0023: init_process_done( gui=1, module=00400000, ldt_copy=f7706620, entry=009b9080 )
0009: *wakeup* signaled=0
0023: *sent signal* signal=10
0023: init_process_done() = 0
0009: get_new_process_info( info=0044 )
0009: get_new_process_info() = 0 { success=1, exit_code=259 }
0009: close_handle( handle=0044 )
0009: close_handle() = 0
0009: close_handle( handle=003c )
0009: close_handle() = 0
0009:Ret KERNEL32.CreateProcessA() retval=00000001 ret=00a7b004
...
0023: set_suspend_context( context={cpu=x86,eip=f773b430,esp=0134ff14,ebp=0134ffe8,eflags=00000296,cs=0023,ss=002b,ds=002b,es=002b,fs=0063,gs=006b,eax=00000000,ebx=00000001,ecx=7bced260,edx=00000000,esi=00000008,edi=7bcd1000,dr0=00000000,dr1=00000000,dr2=00000000,dr3=00000000,dr6=00000000,dr7=00000000,fp.ctrl=ffff027f,fp.status=ffff0000,fp.tag=ffffffff,fp.err_off=00000000,fp.err_sel=00000023,fp.data_off=00000000,fp.data_sel=ffff002b,fp.cr0npx=00000000,fp.reg0=0,fp.reg1=0,fp.reg2=0,fp.reg3=0,fp.reg4=0,fp.reg5=0,fp.reg6=0,fp.reg7=0,extended=...} )
0023: set_suspend_context() = 0
0023: select( flags=2, cookie=7ffdb33c, timeout=0, prev_apc=0000, result={}, data={} )
0023: select() = PENDING { timeout=1cfb4be9ef9cc74 (+0.0000000), call={APC_NONE}, apc_handle=0000 }
0009:Call KERNEL32.VirtualAlloc(00000000,00020000,00001000,00000040) ret=00a7b004
0009:Ret KERNEL32.VirtualAlloc() retval=01570000 ret=00a7b004
0009:Call KERNEL32.ReadProcessMemory(00000048,00400000,01570000,00001000,00000000) ret=4f8167fc
0009: read_process_memory( handle=0048, addr=00400000 )
0023: *signal* signal=19
0009: read_process_memory() = 0 { data={4d,5a,90,...(total 4096)} }
0009:Ret KERNEL32.ReadProcessMemory() retval=00000001 ret=4f8167fc
0009:Call KERNEL32.ReadProcessMemory(00000048,009b9000,01570000,000021e4,00000000) ret=4f818849
0009: read_process_memory( handle=0048, addr=009b9000 )
0023: *signal* signal=19
0009: read_process_memory() = 0 { data={00,00,00,00,...(total 8676)} }
0009:Ret KERNEL32.ReadProcessMemory() retval=00000001 ret=4f818849
0009:Call KERNEL32.WriteProcessMemory(00000048,009b9052,4f819576,00000001,00000000) ret=4f81957c
0009: write_process_memory( handle=0048, addr=009b9052, data={ff} )
0023: *signal* signal=19
0009: write_process_memory() = 0
0009:Ret KERNEL32.WriteProcessMemory() retval=00000001 ret=4f81957c
0009:Call KERNEL32.ResumeThread(0000004c) ret=002c0000
0009: resume_thread( handle=004c )
0023: *wakeup* signaled=258
0009: resume_thread() = 0 { count=1 }
0009:Ret KERNEL32.ResumeThread() retval=00000001 ret=002c0000
0023: get_suspend_context( )
0009:Call KERNEL32.ExitProcess(00a78be3) ret=4f8ae895
0023: get_suspend_context() = 0 { context={cpu=x86,eip=f773b430,esp=0134ff14,ebp=0134ffe8,eflags=00000296,cs=0023,ss=002b,ds=002b,es=002b,fs=0063,gs=006b,eax=00000000,ebx=00000001,ecx=7bced260,edx=00000000,esi=00000008,edi=7bcd1000,dr0=00000000,dr1=00000000,dr2=00000000,dr3=00000000,dr6=00000000,dr7=00000000,fp.ctrl=ffff027f,fp.status=ffff0000,fp.tag=ffffffff,fp.err_off=00000000,fp.err_sel=00000023,fp.data_off=00000000,fp.data_sel=ffff002b,fp.cr0npx=00000000,fp.reg0=0,fp.reg1=0,fp.reg2=0,fp.reg3=0,fp.reg4=0,fp.reg5=0,fp.reg6=0,fp.reg7=0,extended={...}} }
0009: terminate_process( handle=0000, exit_code=10980323 )
0009: terminate_process() = 0 { self=1 }
...
0009: terminate_process( handle=ffffffff, exit_code=10980323 )
0009: terminate_process() = 0 { self=1 }
...
0009: *killed* exit_code=10980323
0008: *process killed*
...
--- snip ---
After bringing up the child and patching it at runtime the parent terminates itself by design.
The child does lots of anti-debugging trickery (which works).
At one point it fetches the process list and tries to open the parent process (NOTE: PID is not from process list):
--- snip ---
...
0023:Call ntdll.NtQuerySystemInformation(00000005,01570000,00050000,00000000) ret=00a7b004
0023: create_snapshot( attributes=00000000, flags=00000003 )
0023: create_snapshot() = 0 { handle=003c }
0023: next_process( handle=003c, reset=1 )
0023: next_process() = 0 { count=16, pid=000c, ppid=000a, threads=1, priority=2, handles=64, unix_pid=22740, filename=L"C:\windows\system32\winemenubuilder.exe" }
...
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0, delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = 0 { count=14, pid=000e, ppid=000a, threads=6, priority=2, handles=64, unix_pid=22742, filename=L"C:\windows\system32\services.exe" }
...
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0, delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = 0 { count=7, pid=0012, ppid=000e, threads=4, priority=2, handles=64, unix_pid=22746, filename=L"C:\windows\system32\winedevice.exe" }
...
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0, delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = 0 { count=4, pid=0019, ppid=000e, threads=3, priority=2, handles=32, unix_pid=22753, filename=L"C:\windows\system32\plugplay.exe" }
...
0023: next_thread( handle=003c, reset=0 )
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0, delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = 0 { count=19, pid=0020, ppid=000c, threads=1, priority=2, handles=32, unix_pid=22760, filename=L"C:\windows\system32\explorer.exe" }
...
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0, delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = 0 { count=3, pid=0022, ppid=0008, threads=1, priority=2, handles=32, unix_pid=22762, filename=L"C:\Program Files\JoWooD\Gothic II Demo\system\Gothic2.exe" }
0023: next_thread( handle=003c, reset=1 )
...
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0, delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = NO_MORE_FILES { count=0, pid=0000, ppid=0000, threads=0, priority=0, handles=0, unix_pid=0, filename=L"" }
0023: close_handle( handle=003c )
0023: close_handle() = 0
0023:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=00a7b004
0023:Call KERNEL32.OpenProcess(001f0fff,00000000,00000008) ret=7a07cbd2
0023: open_process( pid=0008, access=001f0fff, attributes=00000000 )
0023: open_process() = 0 { handle=003c }
0023:Ret KERNEL32.OpenProcess() retval=0000003c ret=7a07cbd2
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7a07cc53 ip=7a07cc53 tid=0023
0023:trace:seh:raise_exception info[0]=00000001
0023:trace:seh:raise_exception info[1]=7a050558
0023:trace:seh:raise_exception eax=00000090 ebx=00000022 ecx=0002c6fd edx=7ec789d0 esi=002c0000 edi=7a050558
0023:trace:seh:raise_exception ebp=79b657c7 esp=0134fdbc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0023:trace:seh:call_stack_handlers calling handler at 0x7a070563 code=c0000005 flags=0
0023:trace:seh:call_stack_handlers handler at 0x7a070563 returned 0
0023:Call user32.MessageBoxA(00000000,7a07d313 "Conflict: a hook process was found. Please deactivate all Antivirus and Anti-Trojan programs and debuggers.",7a07cde5 "Gothic II",00000000) ret=002c0000
...
--- snip ---
It seems the child *expects* that the parent can't be opened anymore.
'wineserver' still keeps the process object around as there are references (handles) to the process object.
Enumeration of processes in contrast doesn't show/list the parent process because there is no single running thread in that process anymore - which is correct behaviour.
I did a quick hack, forcing the process object to be gone, and indeed it lets the child run much farther. It still dies in the end - caused by another protection scheme brain damage.
The executable is from year 2000 so this brain damage clearly relies on pre-XP era behaviour with the process object gone after (self)termination (less complex handle management).
Someone could test if the demo runs on Windows XP/7 or can be made to work with compat mode (app shim).
$ sha1sum gothic2-demo-setup.exe
3f1ff6d9b1d1ccdd5032caf349e7c0d79c6a9d24 gothic2-demo-setup.exe

$ du -sh gothic2-demo-setup.exe
381M gothic2-demo-setup.exe

$ wine --version
wine-1.7.24
Regards
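Added example (not part of the original bug report, and not Wine code): a Python check for the mismatch comment #1 describes, an open_process() that succeeds for a PID the preceding process snapshot did not list. The function name is hypothetical and the sample trace is abridged from the log quoted above.

```python
import re

# Abridged from the +server trace in comment #1 (reply fields trimmed).
SAMPLE_TRACE = r"""
0023: create_snapshot( attributes=00000000, flags=00000003 )
0023: create_snapshot() = 0 { handle=003c }
0023: next_process( handle=003c, reset=1 )
0023: next_process() = 0 { count=16, pid=000c, ppid=000a, threads=1 }
0023: next_process() = 0 { count=3, pid=0022, ppid=0008, threads=1 }
0023: next_process() = NO_MORE_FILES { count=0, pid=0000, ppid=0000, threads=0 }
0023:Call KERNEL32.OpenProcess(001f0fff,00000000,00000008) ret=7a07cbd2
0023: open_process( pid=0008, access=001f0fff, attributes=00000000 )
0023: open_process() = 0 { handle=003c }
"""

# wineserver lines are "tid: name( args )" and "tid: name() = STATUS { reply }".
REPLY = re.compile(r"^([0-9a-f]{4}): (\w+)\(\) = (\w+)(?: \{(.*)\})?\s*$")
REQUEST = re.compile(r"^([0-9a-f]{4}): (\w+)\((.+)\)\s*$")


def _pid(text):
    """Return the hex pid= field as an int (ppid= and unix_pid= are skipped)."""
    m = re.search(r"\bpid=([0-9a-f]+)", text or "")
    return int(m.group(1), 16) if m else None


# Hypothetical helper written for this example, not part of Wine.
def find_unlisted_opens(trace):
    """Return (tid, pid) for each open_process() that succeeded on a PID
    the same thread's most recent process snapshot did not list."""
    listed = {}    # tid -> PIDs seen in that thread's latest snapshot walk
    pending = {}   # tid -> PID of the open_process request awaiting a reply
    findings = []
    for line in trace.splitlines():
        reply = REPLY.match(line)
        if reply:
            tid, name, status, body = reply.groups()
            if name == "create_snapshot":
                listed[tid] = set()
            elif name == "next_process" and status == "0" and tid in listed:
                listed[tid].add(_pid(body))
            elif name == "open_process" and tid in pending:
                pid = pending.pop(tid)
                if status == "0" and tid in listed and pid not in listed[tid]:
                    findings.append((tid, pid))
            continue
        request = REQUEST.match(line)
        if request and request.group(2) == "open_process":
            pending[request.group(1)] = _pid(request.group(3))
    return findings


if __name__ == "__main__":
    for tid, pid in find_unlisted_opens(SAMPLE_TRACE):
        print(f"thread {tid}: open_process succeeded for unlisted pid {pid:04x}")
```

State is kept per thread ID because requests and replies from different threads interleave in the trace; relay (`0023:Call ...`) and seh lines are ignored.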
Michael B toxatec@web.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |toxatec@web.de
--- Comment #2 from Michael B toxatec@web.de ---
Hi,
thanks for picking this up! Looks like fun what you did. It goes a bit above my knowledge though so I can't really comment on what you found.
Instead I just tested it on a 64-bit Windows 7, and it worked without any compatibility settings. Setting XP SP3 or 2000 worked as well, 98 didn't. I don't have a real XP machine to test right now.
My setup.exe is the same.
Michael Müller michael@fds-team.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michael@fds-team.de
--- Comment #3 from Michael Müller michael@fds-team.de ---
Hi,
it seems like the URL is not complete and I assume that it should be http://www.fileplanet.com/151400/150000/fileinfo/Gothic-II-Demo-
Anyway, I wrote a small patch that prevents opening a process which has the terminating flag set. You can find the patch at https://github.com/compholio/wine-compholio/blob/master/patches/server-Proce...
I tried the demo with the patch applied and it no longer complains about any hooks and starts but errors out because of some problems with dmusic. The AppDB indicates that this is a known and unrelated problem.
Anastasius, can you check whether you still encounter any other hook checks with the patch applied?
Michael
--- Comment #4 from Michael Müller michael@fds-team.de ---
Hi,
I updated the patch since the last one broke some wine tests. The updated version is available at (the url slightly changed):
https://github.com/compholio/wine-compholio/blob/master/patches/server-OpenP...
Michael
--- Comment #5 from whatbug n296869@rtrtr.com ---
Hello Michael,
I must say wow! The patch works great! Well done!
Michael Müller michael@fds-team.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |STAGED
                 CC|                            |sebastian@fds-team.de
    Staged patchset|                            |https://github.com/wine-com
                   |                            |pholio/wine-staging/tree/ma
                   |                            |ster/patches/server-OpenPro
                   |                            |cess
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|-unknown                    |wineserver
--- Comment #6 from Sebastian Lackner sebastian@fds-team.de ---
Still present in wine-1.8-rc3-47-gd29dcec.
The patch fixes the problem, but most likely not in the correct way. At the time of the OpenProcess call, there are exactly two references. Those are caused by the ->parent links of two spawned child processes. However, according to https://blogs.msdn.microsoft.com/oldnewthing/20150403-00/?p=44313/ child-processes should not hold a reference to their parent process. I'll try to prepare an improved patch and replace this one.
Sebastian Lackner sebastian@fds-team.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |erich.e.hoover@wine-staging
                   |                            |.com
    Staged patchset|https://github.com/wine-com |https://github.com/wine-com
                   |pholio/wine-staging/tree/ma |pholio/wine-staging/tree/ma
                   |ster/patches/server-OpenPro |ster/patches/server-Parent_
                   |cess                        |Process
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch
Sebastian Lackner sebastian@fds-team.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
      Fixed by SHA1|                            |bae3dcc2957683a4e2ca04a75ef
                   |                            |10f91688300e7
             Status|STAGED                      |RESOLVED
--- Comment #7 from Sebastian Lackner sebastian@fds-team.de ---
Fixed with bae3dcc2957683a4e2ca04a75ef10f91688300e7.
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #8 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.9.9.
Michael Stefaniuc mstefani@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mstefani@redhat.com
   Target Milestone|---                         |1.8.x
Michael Stefaniuc mstefani@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|1.8.x                       |---
--- Comment #9 from Michael Stefaniuc mstefani@redhat.com ---
Removing 1.8.x milestone from bugs included in 1.8.3.
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://www.fileplanet.com/1 |https://web.archive.org/web
                   |51400/150000/fileinfo/Gothi |/20210725153228/http://down
                   |c-II-Demo-                  |load.fileplanet.com/ftp1/03
                   |                            |2005/gothic2-demo-setup.exe
                   |                            |?st=2f2g8nsKFYTq8VcX-C_ZWA&
                   |                            |e=1627237873
--- Comment #10 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding stable download via Internet Archive for documentation.
https://web.archive.org/web/20210725153228/http://download.fileplanet.com/ft...
$ sha1sum gothic2-demo-setup.exe
3f1ff6d9b1d1ccdd5032caf349e7c0d79c6a9d24 gothic2-demo-setup.exe

$ du -sh gothic2-demo-setup.exe
381M gothic2-demo-setup.exe
Regards