https://bugs.winehq.org/show_bug.cgi?id=45249
Bug ID: 45249
Summary: page fault on read access - Zockinger Facilitator
Product: Wine
Version: 3.8
Hardware: x86
OS: Mac OS X
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: winehq@sboldt.de
Created attachment 61492
  --> https://bugs.winehq.org/attachment.cgi?id=61492
Backtrace
I'm trying to start the "Zockinger Facilitator" (TFFT) v115 with Wine on MacOS Sierra. The software can be downloaded for free here: http://www.zockinger.com/downloads. The start fails (with both the stable and the development version of Wine) with the error message attached. I reported this error in the forum and others confirmed the problem:
https://forum.winehq.org/viewtopic.php?f=9&t=30543&sid=095083ea82c58...
Louis Lenders xerox.xerox2000x@gmail.com changed:
What            |Removed                      |Added
----------------------------------------------------------------------------
URL             |                             |http://www.zockinger.com/downloads
Ever confirmed  |0                            |1
CC              |                             |xerox.xerox2000x@gmail.com
Keywords        |                             |download
Status          |UNCONFIRMED                  |NEW
--- Comment #1 from Louis Lenders xerox.xerox2000x@gmail.com ---
Yes, confirmed, for example by me.
No idea why the program crashed really, probably needs someone more experienced to look into ;)
Fabian Maurer dark.shadow4@web.de changed:
What            |Removed                      |Added
----------------------------------------------------------------------------
CC              |                             |dark.shadow4@web.de
--- Comment #2 from Fabian Maurer dark.shadow4@web.de ---
The download link doesn't work for me:
www.zockinger.com points to the site "sd" which does not exist. Please contact the domain administrator.
--- Comment #3 from Louis Lenders xerox.xerox2000x@gmail.com ---
Created attachment 61495
  --> https://bugs.winehq.org/attachment.cgi?id=61495
part of +relay,+seh,+tid log
> The download link doesn't work for me:
Yes, don't know why. I still have it here as I tested it a few weeks ago. Attached the last part of the debug log.
$ sha1sum ~/Downloads/ZOCFFT.exe
6a4e4242a6e75b6fcf8cb841ef6677c5b27426dc  /home/louis/Downloads/ZOCFFT.exe
tokktokk fdsfgs@krutt.org changed:
What            |Removed                      |Added
----------------------------------------------------------------------------
CC              |                             |fdsfgs@krutt.org
Zhiyi Zhang zzhang@codeweavers.com changed:
What            |Removed                      |Added
----------------------------------------------------------------------------
CC              |                             |zzhang@codeweavers.com
--- Comment #4 from Zhiyi Zhang zzhang@codeweavers.com ---
Ehh, weird, looks like the application is trying to execute at an address where the whole page is full of zeros.
Anastasius Focht focht@gmx.net changed:
What            |Removed                      |Added
----------------------------------------------------------------------------
Keywords        |                             |obfuscation
CC              |                             |focht@gmx.net
Summary         |page fault on read access -  |Zockinger Facilitator (TFFT)
                |Zockinger Facilitator        |v1.15 crashes on startup
--- Comment #5 from Anastasius Focht focht@gmx.net ---
Hello folks,
the app contains various anti-debug measures. The first layer is PE Compact v2.x:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> Z:\home\focht\Downloads\zocfft\ZOCFFT.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 1898824 (01CF948h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5A008BA1 -> Mon 06th Nov 2017 16:19:45 (GMT)
[TimeStamp] 0x5A008BA1 -> Mon 06th Nov 2017 16:19:45 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x00400088 | -
-> File Appears to be Digitally Signed @ Offset 01CD850h, size : 020F8h / 08440 byte(s)
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000001011100000000100110 (0x0005C026)
[Entrypoint Section Entropy] : 8.00 (section #0) ".text " | Size : 0x1CC000 (1884160) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 3 (0x3) | ImageSize 0x2E8000 (3047424) byte(s)
[VersionInfo] Company Name : Zockinger Technologies
[VersionInfo] Product Name : The Facilitator for TSM
[VersionInfo] Product Version : 1.15.0.555
[VersionInfo] File Description : The Facilitator for TSM
[VersionInfo] File Version : 555
[VersionInfo] Original FileName : ZOCFFT.exe
[VersionInfo] Internal Name : TFFT
[VersionInfo] Legal Copyrights : (C) 2017 Zockinger Technologies
[ModuleReport] [IAT] Modules -> kernel32.dll
[!] PE Compact v20352 (internal version) compressed !
- Scan Took : 0.488 Second(s) [0000001E8h (488) tick(s)] [506 of 580 scan(s) done]
--- snip ---
Unwrapping the first layer until OEP is fairly easy. There is another protection scheme though, which seems custom. The app uses a custom import resolver, and relay thunks don't work here.
* kernel32.dll
* user32.dll
* advapi32.dll
* comctl32.dll
--- snip ---
...
002f:Call KERNEL32.VirtualProtect(00503000,001e2000,00000040,0033fe04) ret=00401244
002f:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=00401244
002f:Call KERNEL32.VirtualAlloc(00000000,00334930,00003000,00000040) ret=0051cfbf
002f:Ret  KERNEL32.VirtualAlloc() retval=00b00000 ret=0051cfbf
002f:Call KERNEL32.VirtualAlloc(00000000,00003700,00003000,00000040) ret=00b2e4f9
002f:Ret  KERNEL32.VirtualAlloc() retval=00360000 ret=00b2e4f9
002f:Call KERNEL32.VirtualAlloc(00000000,00003700,00003000,00000040) ret=00b2e4f9
002f:Ret  KERNEL32.VirtualAlloc() retval=00370000 ret=00b2e4f9
002f:Call KERNEL32.VirtualAlloc(00000000,00003700,00003000,00000040) ret=00b2e4f9
002f:Ret  KERNEL32.VirtualAlloc() retval=00380000 ret=00b2e4f9
002f:Call KERNEL32.VirtualFree(00360000,00000000,00008000) ret=00b174b8
002f:Ret  KERNEL32.VirtualFree() retval=00000001 ret=00b174b8
002f:Call KERNEL32.VirtualFree(00370000,00000000,00008000) ret=00b174b8
002f:Ret  KERNEL32.VirtualFree() retval=00000001 ret=00b174b8
002f:Call KERNEL32.LoadLibraryA(00b0038e "KERNEL32.dll") ret=00b1c0b7
002f:Ret  KERNEL32.LoadLibraryA() retval=7b420000 ret=00b1c0b7
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x836d0cd9 ip=836d0cd9 tid=002f
002f:trace:seh:raise_exception  info[0]=00000008
002f:trace:seh:raise_exception  info[1]=836d0cd9
002f:trace:seh:raise_exception  eax=0059ceff ebx=00b002b2 ecx=00000083 edx=00000000 esi=00b00014 edi=0033fbb8
002f:trace:seh:raise_exception  ebp=0033fb98 esp=0033fb78 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210293
002f:trace:seh:call_stack_handlers calling handler at 0x7b490024 code=c0000005 flags=0
wine: Unhandled page fault on execute access to 0x836d0cd9 at address 0x836d0cd9 (thread 002f), starting debugger...
002f:trace:seh:start_debugger Starting debugger "winedbg --auto 46 136"
002f:trace:seh:call_stack_handlers handler at 0x7b490024 returned 1
Unhandled exception: page fault on execute access to 0x836d0cd9 in 32-bit code (0x836d0cd9).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:836d0cd9 ESP:0033fb78 EBP:0033fb98 EFLAGS:00210293(  R- --  I  S -A- -C)
 EAX:0059ceff EBX:00b002b2 ECX:00000083 EDX:00000000
 ESI:00b00014 EDI:0033fbb8
Stack dump:
0x0033fb78:  7b4313c0 0059ceff 00a40248 00b0af2d
0x0033fb88:  0033fbb8 7b420000 7b64ce3d 00b00014
0x0033fb98:  0033fcf4 00b2091c 00b00014 0033fbb8
0x0033fba8:  00000000 0033fd84 0033fd24 00b00014
0x0033fbb8:  6c64746e 7bd0006c 7bd0f2d6 7bd0f388
0x0033fbc8:  7bd0f2c1 7bd0f388 00000000 00000000
Backtrace:
=>0 0x836d0cd9 (0x0033fb98)
  1 0x00b2091c (0x0033fcf4)
  2 0x00b062be (0x0033fd9c)
  3 0x00b1c5f3 (0x0033fdc8)
  4 0x00b00f36 (0x00503104)
  5 0x7b432ad4 in kernel32 (+0x12ad3) (0x7b431754)
--- snip ---
--- snip ---
002f:Call KERNEL32.VirtualAlloc(00000000,00334930,00003000,00000040) ret=0051cfbf
002f:Ret  KERNEL32.VirtualAlloc() retval=00b00000 ret=0051cfbf
--- snip ---
--- snip ---
00B00000  E8 00000000      CALL 00B00005
00B00005  5B               POP EBX
00B00006  8DB3 5F430000    LEA ESI,[EBX+435F]
00B0000C  E9 C7040000      JMP 00B004D8
--- snip ---
Another debugging tidbit: the app protection stores state data past the current ESP which makes single stepping painful. You have to recognize those sequences and *not* single step nearby -> bug 28089 ("exception handling code touches stack for exceptions handled by the debugger")
Examples:
--- snip ---
0051D033  F0:DB2B          LOCK FLD TBYTE PTR DS:[EBX]
0051D036  83EC 04          SUB ESP,4
0051D039  890424           MOV DWORD PTR SS:[ESP],EAX
0051D03C  C1F8 00          SAR EAX,0
0051D03F  897424 FC        MOV DWORD PTR SS:[ESP-4],ESI   ; taint if single stepped
0051D043  83EC 04          SUB ESP,4
0051D046  83EC 04          SUB ESP,4
0051D049  890C24           MOV DWORD PTR SS:[ESP],ECX
0051D04C  894424 FC        MOV DWORD PTR SS:[ESP-4],EAX   ; taint if single stepped
0051D050  83EC 04          SUB ESP,4
0051D053  60               PUSHAD
--- snip ---
--- snip ---
00B1D0F3  5F               POP EDI
00B1D0F4  894424 FC        MOV DWORD PTR SS:[ESP-4],EAX   ; taint if single stepped
00B1D0F8  F3:EB 02         REP JMP SHORT 00B1D0FD
00B1D0FB  D15CE9 B1        RCR DWORD PTR DS:[EBP*8+ECX-4F],1
00B1D0FF  E4 FF            IN AL,0FF
00B1D101  FFC3             INC EBX
00B1D103  E9 02000000      JMP 00B1D10A
--- snip ---
Additionally, various threads check for hardware breakpoints being used, which is expected as most of the (obfuscated) protection code unwraps dynamically -> you don't want to use softbp here.
--- snip ---
0147:trace:seh:__regs_NtGetContextThread 0xfffffffe: dr0=00000000 dr1=00000000 dr2=00000000 dr3=00000000 dr6=00000000 dr7=00000000
016b:trace:seh:__regs_NtGetContextThread 0xfffffffe: dr0=00000000 dr1=00000000 dr2=00000000 dr3=00000000 dr6=00000000 dr7=00000000
01b1:trace:seh:__regs_NtGetContextThread 0xfffffffe: dr0=00000000 dr1=00000000 dr2=00000000 dr3=00000000 dr6=00000000 dr7=00000000
01db:warn:process:SetProcessWorkingSetSize (0xffffffff,-1,-1): stub - harmless
01de:trace:seh:__regs_NtGetContextThread 0xfffffffe: dr0=00000000 dr1=00000000 dr2=00000000 dr3=00000000 dr6=00000000 dr7=00000000
--- snip ---
TFFT v1.15 doesn't crash with Wine 3.12 for me but just exits after a considerable number of seconds (maybe because I run a no-PIC build by default).
Interestingly, the author published a new version, TFFT v1.16, which seems to run fine for me (shows GUI).
--- quote ---
TFFT V1.16 released
posted 10 Jul 2018, 11:28 by Good old Zockinger

TFFT V1.16 contains a lot of bug fixes and brings improved ISP 8.x support
--- quote ---
Maybe some of the bugfixes are for Windows compatibility issues: things that just worked by chance on certain Windows versions, and the fixes helped Wine too.
It would still be interesting to figure out what makes TFFT V1.15 unhappy with Wine since it is reported to work on Windows, either by chance or depending on some internals/implementation details of Windows binaries/loader.
$ sha1sum TFFT11*
b0c1af725743ff48f7b37c8c6ce5e04443d85d2d  TFFT115.ZIP
2c4660f0cbf6f65ce29724aac809fed746dec342  TFFT116.ZIP

$ du -sh TFFT11*
2.1M    TFFT115.ZIP
2.2M    TFFT116.ZIP

$ wine --version
wine-3.12-111-g8ae98cfdc3
Regards
Anastasius Focht focht@gmx.net changed:
What            |Removed                      |Added
----------------------------------------------------------------------------
Component       |-unknown                     |build-env
Summary         |Zockinger Facilitator (TFFT) |Multiple applications wrapped with
                |v1.15 crashes on startup     |PE Compact v2.x protection scheme
                |                             |crash on startup (GOT/PIC code
                |                             |emitted at Win32 API entries)
                |                             |(Zockinger Facilitator TFFT v1.1x)
Resolution      |---                          |FIXED
Fixed by SHA1   |                             |8f732c66ab37b54c30d63c74f7822ba1d4f04996
Status          |NEW                          |RESOLVED
--- Comment #6 from Anastasius Focht focht@gmx.net ---
Hello folks,
it seems the original "Zockinger Facilitator" (TFFT) v1.15 is no longer available.
Unfortunately there exist no old snapshots of the v1.15 download because the vendor uses some weird redirect+auth scheme that prevents snapshots via Internet Archive.
https://web.archive.org/web/20180422191916/http://www.zockinger.com/download...
Latest: TFFT v1.17 (21 Aug 2020)
http://www.zockinger.com/downloads/TFFT117.ZIP?attredirects=0&d=1
The newest version v1.17 is still wrapped with the same protection scheme though:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> Z:\home\focht\Downloads\tfft117\ZOCFFT.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 1921032 (01D5008h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5EA953AE -> Wed 29th Apr 2020 10:15:10 (GMT)
[TimeStamp] 0x5EA953AE -> Wed 29th Apr 2020 10:15:10 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x00400088 | -
-> File Appears to be Digitally Signed @ Offset 01D1A50h, size : 035B8h / 013752 byte(s)
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000001011100000000100110 (0x0005C026)
[Entrypoint Section Entropy] : 8.00 (section #0) ".text " | Size : 0x1D0200 (1901056) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 3 (0x3) | ImageSize 0x2E4000 (3031040) byte(s)
[VersionInfo] Company Name : Zockinger Technologies
[VersionInfo] Product Name : The Facilitator for TSM
[VersionInfo] Product Version : 1.17.0.609
[VersionInfo] File Description : The Facilitator for TSM
[VersionInfo] File Version : 609
[VersionInfo] Original FileName : ZOCFFT.exe
[VersionInfo] Internal Name : TFFT117
[VersionInfo] Legal Copyrights : (C) 2020 Zockinger Technologies
[ModuleReport] [IAT] Modules -> kernel32.dll
[!] PE Compact v20352 (internal version) compressed !
- Scan Took : 1.868 Second(s) [00000046Ch (1132) tick(s)] [506 of 580 scan(s) done]
--- snip ---
From my comment #3
--- quote ---
TFFT v1.15 doesn't crash with Wine 3.12 for me but just exits after considerable number of seconds (maybe because I run a no-PIC build by default).
--- quote ---
Well, "no-PIC build" was actually spot on. I recently rebuilt all old Wine releases with modern GCC 10.x and default compiler settings, hence I could reproduce the crash with Wine 3.x. I had no-PIC as default long before that time, which helped to debug various other issues but disguised this type of issue as well.
It was indeed fixed by commit https://source.winehq.org/git/wine.git/commitdiff/8f732c66ab37b54c30d63c74f7... ("makefiles: Build with -fno-PIC on i386."), part of Wine 4.8 release.
Thanks Zebediah
More bug references for the same fix-commit:
https://bugs.winehq.org/buglist.cgi?bug_status=CLOSED&f1=cf_fixedby_sha1...
I'm refining the summary in anticipation of more dupes for same protection scheme. I prefer to keep this one separate from other DRM/protection schemes which are covered by multiple collector bugs (see above list).
$ sha1sum TFFT117.ZIP
d14358db38f6fb6f50a73c9be86e1f2169fad095  TFFT117.ZIP

$ du -sh TFFT117.ZIP
4.2M    TFFT117.ZIP

$ wine --version
wine-6.0-rc1
Regards
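The failure mode comment #6 attributes to PIC code at Win32 API entries, as an added illustration that is not code from the bug report or from Wine: the bug does not say how the protector's custom import resolver consumes the API entry bytes, so this assumes the common case of copying or emulating the first few bytes of each entry (as hook engines and relay thunks do) and shows why a GCC `call __x86.get_pc_thunk.bx; add ebx, imm32` prologue breaks under that assumption while the -fno-PIC `push ebp; mov ebp,esp` prologue does not. The byte strings and the addresses are constructed placeholders.

```python
import struct

# Tiny decoder for the forms that open typical GCC i386 functions; anything else raises.
def decode(code, pc):
    """Return (length, text, pc_relative) for the instruction at code[0:] executing at pc."""
    simple = {b"\x55": "push ebp", b"\x53": "push ebx", b"\x56": "push esi",
              b"\x57": "push edi", b"\x89\xe5": "mov ebp,esp",
              b"\x8b\xec": "mov ebp,esp", b"\x8b\xff": "mov edi,edi"}
    for pat, text in simple.items():
        if code.startswith(pat):
            return len(pat), text, False
    if code[:2] == b"\x83\xec":                      # sub esp, imm8
        return 3, "sub esp,0x%x" % code[2], False
    if code[:2] == b"\x81\xc3":                      # add ebx, imm32 (GOT fix-up)
        return 6, "add ebx,0x%x" % struct.unpack_from("<I", code, 2)[0], False
    if code[0] in (0xe8, 0xe9):                      # call/jmp rel32: target depends on pc
        target = (pc + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xffffffff
        return 5, "%s 0x%08x" % ("call" if code[0] == 0xe8 else "jmp", target), True
    raise ValueError("unsupported opcode 0x%02x" % code[0])

def entry_prefix(code, addr, nbytes=5):
    """Decode until nbytes (a 5-byte jmp's worth) are covered; returns
    (texts, any_pc_relative): if True, copying those bytes elsewhere changes what they do."""
    off, insns, relative = 0, [], False
    while off < nbytes:
        length, text, rel = decode(code[off:], addr + off)
        insns.append(text)
        relative = relative or rel
        off += length
    return insns, relative

def ebx_after_pic_prologue(code, run_addr):
    """Simulate 'call __x86.get_pc_thunk.bx; add ebx,imm32' running at run_addr:
    the thunk loads its return address into ebx, so the GOT pointer follows the code."""
    if code[0] != 0xe8 or code[5:7] != b"\x81\xc3":
        raise ValueError("not a GOT-relative PIC prologue")
    return (run_addr + 5 + struct.unpack_from("<I", code, 7)[0]) & 0xffffffff

# Constructed samples, not bytes from the bug report; addresses are placeholders.
NO_PIC = bytes.fromhex("5589e583ec18")            # push ebp; mov ebp,esp; sub esp,0x18
PIC = bytes.fromhex("e8d700000081c3fb1e0200")     # call thunk(+0xd7); add ebx,0x21efb
API_ADDR, COPY_ADDR = 0x7b440000, 0x00b00100      # where the API lives / where it was copied to

if __name__ == "__main__":
    for name, code in (("no-PIC", NO_PIC), ("PIC", PIC)):
        insns, rel = entry_prefix(code, API_ADDR)
        print(name, insns, "unsafe to copy" if rel else "safe to copy")
    print("GOT base in place:  0x%08x" % ebx_after_pic_prologue(PIC, API_ADDR))
    print("GOT base from copy: 0x%08x" % ebx_after_pic_prologue(PIC, COPY_ADDR))
```

Run from the copy, the call no longer reaches the thunk and ebx points at an unrelated address, so every GOT-relative data access inside the API goes astray; with -fno-PIC the entry bytes carry no such dependency.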
Alexandre Julliard julliard@winehq.org changed:
What            |Removed                      |Added
----------------------------------------------------------------------------
Status          |RESOLVED                     |CLOSED
--- Comment #7 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 6.0-rc2.