 
            https://bugs.winehq.org/show_bug.cgi?id=48268
Bug ID: 48268
Summary: ESEA Client - anti-cheat software detects system monitor (debugger) and refuses to start.
Product: Wine
Version: 4.21
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: o.dierick@piezo-forte.be
Distribution: ---

Created attachment 65933
  --> https://bugs.winehq.org/attachment.cgi?id=65933
wine 4.21 terminal output
Hello,
While revisiting bug 24125 I stumbled on this application: ESEA client is an anti-cheat software for an eponymous community of online games players.
Running the client fails with this error dialog: "Error #1006: A system monitor program has been found running in you system. After closing the program please relaunch the ESEA Client."
That error blocks testing this application for bug 24125.
Also tested with wine-staging 4.21 in a separate prefix. Using option 'Hide Wine version from applications' doesn't make a difference.
There is an article related to this error on the publisher's website: https://support.esea.net/hc/en-us/articles/360008741974-Error-1006-1008-114-...
Downloading the client requires a (free) registered account on the website, linked to a Steam account.
$ sha1sum ESEAClientInstall.exe
321cc5e5aa77e58de3f71ed406214ce13472ee01 ESEAClientInstall.exe
$ du -b ESEAClientInstall.exe
165862120 ESEAClientInstall.exe
Debian 8 Jessie 64-bit. Tested on clean 32-bit wineprefixes with wine and wine-staging 4.21.
Regards.
 
Olivier F. R. Dierick o.dierick@piezo-forte.be changed:
What         |Removed |Added
----------------------------------------------------------------------------
Keywords     |        |download
URL          |        |https://play.esea.net/index.php?s=downloads
Distribution |---     |Debian
 
Paul Gofman gofmanp@gmail.com changed:
What         |Removed |Added
----------------------------------------------------------------------------
CC           |        |gofmanp@gmail.com

--- Comment #1 from Paul Gofman gofmanp@gmail.com ---
Created attachment 65941
  --> https://bugs.winehq.org/attachment.cgi?id=65941
PoC patch
At this point it wants K32QueryWorkingSetEx() implementation, or, otherwise, NtQueryVirtualMemory(... MemoryWorkingSetList) which K32QueryWorkingSetEx() calls for actual work. As far as I could guess, MemoryWorkingSetList is similar to MemoryWorkingSetExInformation stubbed in staging, but the stub return value which is currently there is not enough. I am attaching the patch which seems to make Esea client happy at this stage.
But it fails later when its rootkit driver ESEADriver2.sys fails to initialize. Maybe that is due to a bunch of functions it is calling being stubs:
...
003d:fixme:ntoskrnl:MmProbeAndLockPages (00000000005C4CD0, 0, 1): stub
003d:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (00000000005C4CD0, 0, 1, 0000000000000000, 0, 32): stub
003d:fixme:ntoskrnl:MmUnlockPages (00000000005C4CD0): stub
003d:trace:ntoskrnl:IoFreeMdl 00000000005C4CD0
DbgPrint says: Initialization error 1
Please note that Esea client was some (rather long) time ago spotted mining bitcoins on clients' computers [1], so it used to be basically malware. So I would recommend always keeping it in a separate Wine prefix and taking other reasonable precautions when using it, like running it at least as a separate user without access to sensitive data and so that it is easy to kill the potentially leftover processes.
1. https://www.reddit.com/r/GlobalOffensive/comments/1dgad2/esea_client_basical...
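
The precautions recommended in comment #1 (separate prefix, separate user, easy cleanup of leftover processes), as an added example that is not part of the bug report or of Wine. It assumes a dedicated account named esea-test and a prefix under its home directory (both hypothetical), and checks the installer against the SHA-1 and size the reporter posted before running it.

```sh
#!/bin/sh
# Added example (not from the bug report). SANDBOX_USER and SANDBOX_PREFIX
# are hypothetical names; the account must already exist and be able to
# read the installer.

# SHA-1 and byte size the reporter posted for ESEAClientInstall.exe.
EXPECTED_SHA1=321cc5e5aa77e58de3f71ed406214ce13472ee01
EXPECTED_SIZE=165862120

SANDBOX_USER=${SANDBOX_USER:-esea-test}
SANDBOX_PREFIX=${SANDBOX_PREFIX:-/home/$SANDBOX_USER/prefix-esea}

# verify_file PATH SHA1 SIZE: succeed only if size and SHA-1 both match.
verify_file() {
    [ -f "$1" ] || return 2
    actual_size=$(wc -c < "$1" | tr -d ' ')
    actual_sha1=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual_size" = "$3" ] && [ "$actual_sha1" = "$2" ]
}

# as_sandbox CMD...: run CMD as the dedicated user inside the dedicated
# 32-bit prefix, under an account that holds no personal data.
as_sandbox() {
    sudo -u "$SANDBOX_USER" -H \
        env WINEPREFIX="$SANDBOX_PREFIX" WINEARCH=win32 "$@"
}

# run_isolated INSTALLER: verify, run, then clean up what was left running.
run_isolated() {
    if ! verify_file "$1" "$EXPECTED_SHA1" "$EXPECTED_SIZE"; then
        echo "refusing to run $1: hash or size differs from the report" >&2
        return 1
    fi
    as_sandbox wine "$1"
    status=$?
    # Stopping this prefix's wineserver ends the Wine processes attached to it.
    as_sandbox wineserver -k
    # Anything still owned by the account is listed so it can be killed.
    if pgrep -l -u "$SANDBOX_USER"; then
        echo "still running; end them with: sudo pkill -KILL -u $SANDBOX_USER" >&2
    fi
    return $status
}

if [ $# -gt 0 ]; then
    run_isolated "$1"
fi
```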
 
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What         |Removed |Added
----------------------------------------------------------------------------
Keywords     |        |patch
