New subject: [Bug 27550] SafeDisc 4.x: first opcode byte of kernel32.DebugBreak() API entry must not be "int 3" (0xCC) (Rainbow Six: Vegas 2 fails on startup)

20 Jun 2011


      http://bugs.winehq.org/show_bug.cgi?id=27550
Summary: SafeDisc 4.x: first opcode byte of
                    kernel32.DebugBreak() API entry must not be "int 3"
                    (0xCC) (Rainbow Six: Vegas 2 fails on startup)
           Product: Wine
           Version: 1.3.22
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: kernel32
        AssignedTo: wine-bugs@winehq.org
        ReportedBy: focht@gmx.net
Hello,
"Rainbow Six: Vegas 2" complains about a debugger being present. 
The game shows a message box on startup:
"A debugger has been detected"
"Unload the debugger and try again"
--- snip ---
=[ ProtectionID v0.6.4.0 JULY]=-
(c) 2003-2010 CDKiLLER & TippeX
Build 07/08/10-17:57:05
Ready...
Scanning -> Z:\home\focht.wine\drive_c\Program Files\Ubisoft\Tom Clancy's
Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 30277768 (01CE0088h)
Byte(s)
-> File Appears to be Digitally Signed @ Offset 01CDEE00h, size : 01288h /
04744 byte(s)
-> File has 1449472 (0161E00h) bytes of appended data starting at offset
01B7D000h
[File Heuristics] -> Flag : 00000000000000000100000000000111 (0x00004007)
[!] Safedisc v4.85.000 detected !
[i] Appended data contents....
   [.] o: 0x01B7D028  / t: <0xA8726B03> <0xEF01996C> <0x00000001> / s: 00302963
byte(s) -> ~deaa13.tmp
   [.] o: 0x01BC6FC2  / t: <0xA8726B03> <0xEF01996C> <0x0000044C> / s: 00015887
byte(s) -> clcd32.dll
   [.] o: 0x01BCADF8  / t: <0xA8726B03> <0xEF01996C> <0x0000044C> / s: 00004122
byte(s) -> clcd16.dll
   [.] o: 0x01BCBE36  / t: <0xA8726B03> <0xEF01996C> <0x0000044D> / s: 00037971
byte(s) -> mcp.dll
   [.] o: 0x01BD52B2  / t: <0xA8726B03> <0xEF01996C> <0x0000000B> / s: 00005446
byte(s) -> SecDrv04.VxD
   [.] o: 0x01BD681D  / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00072192
byte(s) -> ~e5.0001
   [.] o: 0x01BE8244  / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00045056
byte(s) -> PfdRun.pfd
   [.] o: 0x01BF326C  / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00965148
byte(s) -> ~df394b.tmp
[CompilerDetect] -> Visual C++ 8.0 (Visual Studio 2005)
- Scan Took : 1.569 Second(s) 
--- snip ---
I debugged the protection through various anti-debugging checks and found out a
specific check failed.
SafeDisc 4.x checks all kernel32 exports and specifically looks for
soft-breakpoints (0xcc) on API entries.
This fails now for kernel32.DebugBreak() because AJ used an inline asm int 3
(0xcc) to fix bug 24157
The protection treats this as "malicious" soft breakpoint and flags this entry
as "bad".
bug 24157 ->
http://source.winehq.org/git/wine.git/commitdiff/5f06809ab3339e2001de57f18be...
- technically a regression.
Fortunately SafeDisc only checks the first opcode byte so one could prepend a
simple "HOTPATCH" instruction to work around that.
Though I'm not sure if this is a "safe" long term solution (in this case it's
sufficient).
Another way could be forwarding kernel32.DebugBreak to ntdll.DbgBreakPoint
I only tested both methods, they work.
Though the copy protection later fails for DVD media validation but this is
another bug.
Regards
-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

[Bug 27550] New: SafeDisc 4.x: first opcode byte of kernel32.DebugBreak() API entry must not be "int 3" (0xCC) (Rainbow Six: Vegas 2 fails on startup)