http://bugs.winehq.org/show_bug.cgi?id=29792

Bug #: 29792 Summary: Gothic 2 (JoWood Productions) installer fails due to media validation tool failing (don't add FILE_ATTRIBUTE_ARCHIVE by default to file entries) Product: Wine Version: 1.4-rc1 Platform: x86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ntdll AssignedTo: wine-bugs@winehq.org ReportedBy: focht@gmx.net Classification: Unclassified

Hello,

I first wanted to investigate bug 22515 hence i bought the game for a few bucks and looked into it...

Well, it seems there exist different editions of the game and the problems might not be connected at all.

Although this is related to copy protection it's not the SecuROM 4.x tests failing here - that part of protection works fine.

I have the 3 CD set by JoWood Productions released on November 29, 2002.

Near the end of installation process there is a tool "g2setup.exe" launched which verifies the authenticity of install media. That process returns a specific exit code (0x777 -> 1911) which basically says: "all checks passed". Any different exit code will roll back the whole installation!

Current workaround: kill the installer from another terminal when this verification process starts.

Everything has already been copied up to this point so just wait until the disc spins up and execute 'wineserver -k'.

--- snip --- 0024:Starting process L"C:\Program Files\Jowood\Gothic II\g2setup.exe" (entryproc=0x4c6929) --- snip ---

--- snip --- -=[ ProtectionID v0.6.4.0 JULY]=- (c) 2003-2010 CDKiLLER & TippeX Build 07/08/10-17:57:05 ... Scanning -> Z:\home\focht.wine\drive_c\Program Files\Jowood\Gothic II\g2setup.dll File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 229376 (038000h) Byte(s) [File Heuristics] -> Flag : 00000000000000001100001100000001 (0x0000C301) [!] Armadillo v2.xx - v3.xx detected ! [i] Splash Setting (0x0) -> NONE / Duration : 00 second(s) [CompilerDetect] -> Visual C/C++ - Scan Took : 0.560 Second(s) --- snip ---

Various anti-debugging/hacking trickery which of course can be bypassed ;-)

Additionally to physical media analysis of GOTHIC2_CD3 (part of SecuROM) there are "custom" checks present. Most of them are simple ones like comparing disc serial against hard coded value.

The directory structure is read from disc and CRC32 checksums are calculated for specific files.

--- snip --- ATTRIBS SIZE CRC32 NAME ____________________________________________________________

A R 362,789,836 5f4cb098 Gothic2-Setup.W03 A R 123 JoWooD Homepage.url A R 14,816 Readme.txt A R 289 Register.url A R 5,569 eula.txt A R 766 gothic2.ico (DIR) 168,146,318 ArxDemo A R 31,744 1d31e5c6 ArxDemo\Setup.exe A R 877 ArxDemo\Setup.ini A R 1,304,064 ArxDemo\Setup.msi A R 101,581,207 ArxDemo\Setup1.cab A R 23,103,162 ArxDemo\Setup2.cab A R 31,150,491 ArxDemo\Setup3.cab A R 1,309,184 ArxDemo\Setup_Deutsch.msi A R 1,708,856 34ec21c0 ArxDemo\instmsi.exe A R 1,822,520 e5563f20 ArxDemo\instmsiw.exe ... Scan time.............[ 551.80] Seconds (551801 ms) Total files...........[ 35] Files Total size............[ 558,468,227] Bytes Dirlist Text CRC32....[ 0032ED44] ____________________________________________________________ ... --- snip ---

Forget the scan time, I was debugging at this place ;-)

What makes things complicated is that additionally to per-file CRC32 checksums there is also a CRC32 for the whole in-memory folder listing content generated (see snippet) -> "Dirlist Text CRC32" (in snippet the address is printed, not the value itself).

That overall checksum didn't match the internal hard-coded one.

One problem is that Wine adds FILE_ATTRIBUTE_ARCHIVE by default to each file info entry.

Source: http://source.winehq.org/git/wine.git/blob/c7cb3e6cb21598281cf2b00b2ccd83235...

This is breaks the overall checksum (file entries get "A" added). The file entries have to have only FILE_ATTRIBUTE_READONLY set -> "R" (reside on CDROM).

If FILE_ATTRIBUTE_ARCHIVE is omitted (and a second bug is worked around) the verification process exits with exit code 0x777 which allows the main installer to successfully finish.

---

There is another problem, a bug in the verification tool that unfortunately prevents a "full" fix for this installer.

One of the file CRC32 on CD3 gets miscalculated ... It took me some hours to find out this brain damage after successfully pinning down the first problem and wondering why the overall checksum still didn't match.

--- snip --- ... 0024:Call KERNEL32.CreateFileA(0032d734 "D:\arxdemo\setup.exe",80000000,00000001,00000000,00000003,00000080,00000000) ret=00d86dfe 0024:Ret KERNEL32.CreateFileA() retval=000000a0 ret=00d86dfe 0024:Call KERNEL32.GetFileSize(000000a0,00000000) ret=00d87385 0024:Ret KERNEL32.GetFileSize() retval=00007c00 ret=00d87385 0024:Call ntdll.RtlAllocateHeap(00fc0000,00000000,00010010) ret=00be379b 0024:Ret ntdll.RtlAllocateHeap() retval=00fc5238 ret=00be379b 0024:Call KERNEL32.ReadFile(000000a0,00fc5238,00010000,00bfd464,00000000) ret=00d8725a 0024:Ret KERNEL32.ReadFile() retval=00000001 ret=00d8725a 0024:Call ntdll.RtlFreeHeap(00fc0000,00000000,00fc5238) ret=00be3cea 0024:Ret ntdll.RtlFreeHeap() retval=00000001 ret=00be3cea 0024:Call KERNEL32.CloseHandle(000000a0) ret=00d8743a 0024:Ret KERNEL32.CloseHandle() retval=00000001 ret=00d8743a --- snip ---

"D:\arxdemo\setup.exe" is the culprit. The file size is 31744 bytes. The tool allocates a fixed 65552 byte buffer to read file content in and calculate checksum on (actually 65536 bytes are used for checksumming).

Prior to calculating file CRC32 for "D:\arxdemo\setup.exe", the 350 MiB "D:\gothic2-setup.w03" was checksummed in 0x10000 byte chunks.

It had the same heap chunk address 0x00fc5238 which was later reused for "D:\arxdemo\setup.exe" checksum calculation.

--- snip --- 0024:Call KERNEL32.CreateFileA(0032dd20 "D:\gothic2-setup.w03",80000000,00000001,00000000,00000003,00000080,00000000) ret=00d86dfe 0024:Ret KERNEL32.CreateFileA() retval=0000009c ret=00d86dfe 0024:Call KERNEL32.GetFileSize(0000009c,00000000) ret=00d87385 0024:Ret KERNEL32.GetFileSize() retval=159fbbcc ret=00d87385 0024:Call ntdll.RtlAllocateHeap(00fc0000,00000000,00010010) ret=00be379b 0024:Ret ntdll.RtlAllocateHeap() retval=00fc5238 ret=00be379b 0024:Call KERNEL32.ReadFile(0000009c,00fc5238,00010000,00bfd464,00000000) ret=00d8725a 0024:Ret KERNEL32.ReadFile() retval=00000001 ret=00d8725a ... 0024:Call KERNEL32.ReadFile(0000009c,00fc5238,00010000,00bfd464,00000000) ret=00d8725a 0024:Ret KERNEL32.ReadFile() retval=00000001 ret=00d8725a 0024:Call KERNEL32.ReadFile(0000009c,00fc5238,00008480,00bfd464,00000000) ret=00d8725a 0024:Ret KERNEL32.ReadFile() retval=00000001 ret=00d8725a 0024:Call KERNEL32.ReadFile(0000009c,00fc5238,00008480,00bfd464,00000000) ret=00d8725a 0024:Ret KERNEL32.ReadFile() retval=00000001 ret=00d8725a 0024:Call ntdll.RtlFreeHeap(00fc0000,00000000,00fc5238) ret=00be3cea 0024:Ret ntdll.RtlFreeHeap() retval=00000001 ret=00be3cea ... --- snip ---

Because the heap chunk was reused and the buffer was fully filled from previous run, the read file operation for "D:\arxdemo\setup.exe" only initialized the first 31744 bytes. The checksum is done on 65536 bytes of buffer which includes garbage/leftover already present.

Well, the developers didn't bother to pass HEAP_ZERO_MEMORY to RtlAllocateHeap() or explicit memset(ptr, 0, nbytes).

The tool "works" in Windows most likely due to different heap manager implementation/usage or maybe application shims.

They put some effort into anti-debugging/hacking/copying and rambled about piracy in hidden messages (found while debugging) ... and yet managed to put in such bugs.

You can hack/patch ntdll.dll RtlAllocateHeap() -> forcing flags |= HEAP_ZERO_MEMORY to verify the installer really works after fixing the first problem.

Regards