http://bugs.winehq.org/show_bug.cgi?id=15999

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |focht@gmx.net

--- Comment #1 from Anastasius Focht focht@gmx.net 2008-11-10 17:13:46 --- Hello,

Anycount 5.0 is wrapped with an old Themida version 1.2.0.1. Early Themida versions are known to produce compatibility issues with API wrappers under wine.

--- snip --- ... 0009:Call KERNEL32.VirtualProtect(00400000,00001000,00000002,ff40496d) ret=00c98b26 0009:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x400000 00001000 00000002 0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc84445 0009:trace:seh:raise_exception info[0]=00000001 0009:trace:seh:raise_exception info[1]=ff40496d 0009:trace:seh:raise_exception eax=ff40496d ebx=7bc995b8 ecx=7bc995b8 edx=00000004 esi=0032fe9c edi=0032fe10 0009:trace:seh:raise_exception ebp=0032fda8 esp=0032fc90 cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00010246 0009:trace:seh:call_stack_handlers calling handler at 0xc481e4 code=c0000005 flags=0 0009:trace:seh:call_stack_handlers handler at 0xc481e4 returned 0 0009:Call KERNEL32.GetEnvironmentVariableA(00b7937a "WLNumDLLsProt",00b7938a,00000005) ret=00b79b29 0009:Ret KERNEL32.GetEnvironmentVariableA() retval=00000001 ret=00b79b29 0009:Call user32.MessageBoxExA(00000000,00b75e23 "An internal exception occured (Address: 0x7bc84445)\n\rPlease, contact support. Thank you!",00b7528a "AIT Protection System",00000010,00000000) ret=00c362f5 .. --- snip ---

NtProtectVirtualMemory's old_prot ptr arg is invalid, hence it crashes when dereferencing:

if (old_prot) *old_prot = VIRTUAL_GetWin32Prot( vprot );

If you ask me - not fixable, the problem is in code virtualizer/themida virtual machine instruction sequence for the API wrapper.

Either persuade the vendor to repackage their stuff with newer - wine compatible - versions of themida brain damage or just don't buy/use that stuff.

Regards

http://bugs.winehq.org/show_bug.cgi?id=15999

--- Comment #2 from Austin English austinenglish@gmail.com 2009-05-11 09:45:20 --- Is this still an issue in current (1.1.21 or newer) wine?

http://bugs.winehq.org/show_bug.cgi?id=15999

foobard jens@porup.com changed:

What |Removed |Added ---------------------------------------------------------------------------- URL| |http://www.anycount.com/word | |count/wordcounting_software/ | |word_count_software_download | |.html

http://bugs.winehq.org/show_bug.cgi?id=15999

--- Comment #5 from foobard jens@porup.com 2009-11-20 11:00:12 --- in wine-1.1.32, identical error message.

http://bugs.winehq.org/show_bug.cgi?id=15999

Louis Lenders xerox_xerox2000@yahoo.co.uk changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |locki@l0x.in

--- Comment #7 from Louis Lenders xerox_xerox2000@yahoo.co.uk 2010-03-05 13:10:53 --- *** Bug 21916 has been marked as a duplicate of this bug. ***

http://bugs.winehq.org/show_bug.cgi?id=15999

Austin English austinenglish@gmail.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX

--- Comment #9 from Austin English austinenglish@gmail.com 2013-01-23 14:48:58 CST --- http://download.anycount.com/AnyCount5Setup.exe

fails with: austin@aw25 ~/.wine/drive_c/Program Files/AnyCount 5.0 $ wine AnyCount.exe fixme:toolhelp:CreateToolhelp32Snapshot Unimplemented: heap list snapshot err:ntdll:RtlpWaitForCriticalSection section 0x7bcb5f80 "virtual.c: csVirtual" wait timed out in thread 0025, blocked by 0009, retrying (60 sec)

however, http://download.anycount.com/AnyCount8Setup.exe

runs fine in current wine. I'm going to mark this WONTFIX, per comment #1.

https://bugs.winehq.org/show_bug.cgi?id=15999

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Summary|Anycount 5.0 does not run |Anycount 5.0 does not run |(Themida protected) |(Themida v1.8.1.0 | |protection scheme) Hardware|Other |x86-64 Keywords| |obfuscation

--- Comment #11 from Anastasius Focht focht@gmx.net --- Hello folks,

revisiting.

Just refreshing some old information, the overall status is still 'WONTFIX'.

--- snip --- -=[ ProtectionID v0.6.9.0 DECEMBER]=- (c) 2003-2017 CDKiLLER & TippeX Build 24/12/17-21:05:42 Ready... Scanning -> C:\Program Files (x86)\AnyCount 5.0\AnyCount.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 3688960 (0384A00h) Byte(s) | Machine: 0x14C (I386) Compilation TimeStamp : 0x2A425E19 -> Fri 19th Jun 1992 22:22:17 (GMT) [TimeStamp] 0x2A425E19 -> Fri 19th Jun 1992 22:22:17 (GMT) | PE Header | - | Offset: 0x00000108 | VA: 0x00400108 | - [LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0 [LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848) [LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008) [LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C [LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360 [LoadConfig] UnknownZero1 0x8000011 [File Heuristics] -> Flag #1 : 00000000000001001100000100000001 (0x0004C101) [Entrypoint Section Entropy] : 7.76 (section #3) "irtue " | Size : 0x139E00 (1285632) byte(s) [DllCharacteristics] -> Flag : (0x0000) -> NONE [SectionCount] 4 (0x4) | ImageSize 0x8D6000 (9265152) byte(s) [Export] 100% of function(s) (1 of 1) are in file | 0 are forwarded | 0 code | 1 data | 0 uninit data | 0 unknown | [VersionInfo] Company Name : Advanced International Translations [VersionInfo] Product Name : AnyCount [VersionInfo] Product Version : 5.0.0.548 [VersionInfo] File Description : AnyCount [VersionInfo] File Version : 5.0.0.548 [VersionInfo] Original FileName : AnyCount.exe [VersionInfo] Internal Name : AnyCount [VersionInfo] Legal Trademarks : Advanced International Translations [VersionInfo] Legal Copyrights : Advanced International Translations [ModuleReport] [IAT] Modules -> KERNEL32.dll | COMCTL32.dll [!] Themida v1.0.0.0 - v1.8.1.0 detected ! [!] EmbedPE detected [CompilerDetect] -> Borland Delphi (unknown version) - 60% probability - Scan Took : 0.903 Second(s) [000000387h (903) tick(s)] [506 of 580 scan(s) done] --- snip ---

From debugger dump after unwrapping (the "1.8" part).

--- snip --- 00C3F276 38 01 00 00 04 00 00 00 8....... 00C3F27E 31 2E 38 00 00 00 00 00 1.8..... 00C3F286 00 00 00 00 00 00 00 00 ........ 00C3F28E 00 00 00 00 00 00 00 00 ........ 00C3F296 00 00 00 00 00 00 00 00 ........ 00C3F29E 45 78 63 65 70 74 69 6F Exceptio 00C3F2A6 6E 20 49 6E 66 6F 72 6D n Inform 00C3F2AE 61 74 69 6F 6E 00 50 6C ation.Pl 00C3F2B6 65 61 73 65 2C 20 73 65 ease, se --- snip ---

https://www.oreans.com/ThemidaAllWhatsNew.php

--- quote --- Themida [1.8.1.0] (12-Sep-2006) [+] Added support with .NET XenoCode applications [+] Added support for DLLs with shared PE sections for API-Hooking [+] Support to load dependant DLLs when registering a protected DLL from a external directory [+] Displaying CodeReplace macros virtualization while protecting application [+] Displaying Virtual API-Wrapper status while protecting application [!] Fixed compatibility issue with anti-Monitor under Windows Vista x64 [!] Fixed compatibility issue emulating some instructions with mutable CISC processors [!] Fixed problem with corrupted project files [!] Fixed compatibility issue with high percent of dynamic opcodes in mutable CISC processors [!] XBundler: Fixed compatibility with GetPrivateProfile in UNICODE systems

Themida [1.8.0.0] (05-Sep-2006) [+] Added CPU customization for virtual machine [+] Added new mutable RISC-128 processor (virtual machine) [+] Added new mutable CISC processor (virtual machine) [+] Multiprocessor option for CISC virtual machine [+] Added stats (complexity, size, speed) for selected processor [+] Added hour glass icon in splash screen if displaying splash by number of seconds [+] Exact displaying time of splash screen (independently of computer speed) [+] Added compatibility with new API-Hooking in Kaspersky antivirus (from update 01-Sep-06) [!] Fixed compatibility issue with anti-debugger technique under Windows NT 4.0 [!] Fixed exception compressing already compressed resources for some applications --- quote ---

Fixes relevant for Wine went few versions later:

--- snip --- Themida [1.8.4.0] (06-Nov-2006) [+] Added compatibility with Wine [+] Added anti File Patching option (Protection Options panel) [+] Added support to protect applications with invalid relocations directory [+] Added internal option to stop merging sections (SecureEngineConfig.ini) [!] Fixed compatibility issue protecting APIs in applications with side-by-side assemblies [!] Fixed memory leak unloading protected DLLs when Resources compression was enabled [!] Correct displaying of different UNICODE character sets in User Interface [!] Fixed compatibility with null TLS array for some protected ActiveX controls [!] XBundler: Fixed interaction with .NET assemblies protection in some applications --- snip ---

and

--- snip --- Themida [1.8.9.0] (28-Mar-2007) [+] XBundler: Improved UNICODE support in CreateFileW [!] Fixed random bug which produced invalid PE headers for some applications [!] Wine: Fixed compatibility issue with antidebug under Wine [!] Wine: Fixed compatibility issue with API-Wrapper under Wine for some applications --- snip ---

and

--- snip --- Themida [1.9.3.0] (02-Aug-2007) [+] Added support for VS2007 applications [+] Added File Patching option to support signed files [+] Added support to protect DLLs with empty relocation table [+] Improved compatibility with some .NET applicatins under Vista [!] Fixed compatibility wrapping ICMP.IcmpCreateFile [!] Fixed compatibility in some applicatons with API-Wrapper enabled and running under Wine [!] .NET: fixed compatibility issue loading libraries as image resource [!] Fixed compatibility with some DLLs protected with Code Virtualizer + Themida/WinLicense [!] Minor bugs fixed --- snip ---

Regards