https://bugs.winehq.org/show_bug.cgi?id=50599
Bug ID: 50599
Summary: Game Protect Kit (GPK) 'SDGame32.sys' kernel driver crashes on unimplemented function 'ntoskrnl.exe.KdDisableDebugger' (Dragon Nest)
Product: Wine
Version: 6.1
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 50417 ("Multiple game launchers protected by Game Protect Kit (GPK) crash on startup (dummy PEB->KernelCallbackTable needed)(Dragon Nest, Age of Wushu)").
Download links:
Small "web" downloader:
https://web.archive.org/web/20201228204714/http://dn.clientdown.sdo.com.sd.q...
Full client:
http://dn.clientdown.sdo.com/Ver.407Full/DragonNest_v407_Setup.exe
http://dn.clientdown.sdo.com/Ver.407Full/DragonNest_v407.7z.001
http://dn.clientdown.sdo.com/Ver.407Full/DragonNest_v407.7z.002
http://dn.clientdown.sdo.com/Ver.407Full/DragonNest_v407.7z.003
Relevant part of trace log:
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/DragonNest

$ WINEDEBUG=+seh,+relay,+loaddll,+ntoskrnl,+service wine ./DNLauncher.exe > log.txt 2>&1
...
003c:trace:service:load_service_config Image path = L"C:\Program Files\DragonNest\GPK\SDGame32.sys"
003c:trace:service:load_service_config Group = (null)
003c:trace:service:load_service_config Service account name = L"LocalSystem"
003c:trace:service:load_service_config Display name = L"SDGame32"
003c:trace:service:load_service_config Service dependencies : (none)
003c:trace:service:load_service_config Group dependencies : (none)
...
0024:Call advapi32.CreateServiceW(001f1f40,02e6fe00 L"SDGame32",02e6fe00 L"SDGame32",000f01ff,00000001,00000003,00000001,0121c8fc L"C:\Program Files\DragonNest\GPK\SDGame32.sys",00000000,00000000,00000000,00000000,00000000) ret=02fa6372
...
0024:trace:service:CreateServiceW 001F1F40 L"SDGame32" L"SDGame32"
...
0110:trace:service:svcctl_CreateServiceWOW64W (L"SDGame32", L"SDGame32", 0xf01ff, L"C:\Program Files\DragonNest\GPK\SDGame32.sys")
0110:trace:service:create_serviceW (L"SDGame32", L"SDGame32", 0xf01ff, L"C:\Program Files\DragonNest\GPK\SDGame32.sys")
...
0130:trace:ntoskrnl:load_driver loading driver L"C:\Program Files\DragonNest\GPK\SDGame32.sys"
0130:Call KERNEL32.LoadLibraryW(00043f40 L"C:\Program Files\DragonNest\GPK\SDGame32.sys") ret=0032606e
...
0130:trace:loaddll:build_module Loaded L"C:\Program Files\DragonNest\GPK\SDGame32.sys" at 0000000000D60000: native
0130:Call LDR notification callback (proc=00000000003274E0,reason=1,data=0000000000C3F2D0,context=0000000000000000)
....
0130:trace:ntoskrnl:ldr_notify_callback loading L"SDGame32.sys"
...
0130:trace:ntoskrnl:ldr_notify_callback relocating from 0000000140000000-0000000140232000 to 0000000000D60000-0000000000F92000
...
0130:Ret LDR notification callback (proc=00000000003274E0,reason=1,data=0000000000C3F2D0,context=0000000000000000)
...
0130:Ret KERNEL32.LoadLibraryW() retval=00d60000 ret=0032606e
...
0130:Call driver init 0000000000D70A60 (obj=0000000000043D90,str=L"\Registry\Machine\System\CurrentControlSet\Services\SDGame32")
...
0130:Call ntoskrnl.exe.MmGetSystemRoutineAddress(00c3f790) ret=00f8e5b3
....
0130:trace:ntoskrnl:MmGetSystemRoutineAddress L"PsReferenceProcessFilePointer" -> 00000000003184B0
0130:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=003184b0 ret=00f8e5b3
...
0130:Call ntoskrnl.exe.ObGetFilterVersion() ret=00f8ce82
0130:fixme:ntoskrnl:ObGetFilterVersion stub:
0130:Ret ntoskrnl.exe.ObGetFilterVersion() retval=00000100 ret=00f8ce82
0130:Call ntoskrnl.exe.RtlInitUnicodeString(00c3f6b0,00d6c4a0 L"SD321000-2015") ret=00f8cec3
...
0130:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0000001c ret=00f8cec3
0130:Call ntoskrnl.exe.ObRegisterCallbacks(00c3f6c0,00d6e0b0) ret=00f8ceeb
0130:fixme:ntoskrnl:ObRegisterCallbacks callback 0000000000C3F6C0, handle 0000000000D6E0B0.
0130:Ret ntoskrnl.exe.ObRegisterCallbacks() retval=00000000 ret=00f8ceeb
...
0130:Call ntoskrnl.exe.PsCreateSystemThread(00c3f7f0,00000000,00000000,00000000,00000000,00d632f0,00042610) ret=00f8e5df
0130:Call ntdll.RtlCreateUserThread(ffffffffffffffff,00000000,00000000,00000000,00000000,00000000,00d632f0,00042610,00c3f7f0,00000000) ret=0032464d
0130:Ret ntdll.RtlCreateUserThread() retval=00000000 ret=0032464d
0130:Ret ntoskrnl.exe.PsCreateSystemThread() retval=00000000 ret=00f8e5df
...
0130:Call ntoskrnl.exe.IoCreateDevice(00043d90,00000000,00c3f780,00008303,00000000,6f725000,00c3f7f8) ret=00f8e658
0130:Ret KERNEL32.IsBadStringPtrW() retval=00000000 ret=003277c8
0130:trace:ntoskrnl:IoCreateDevice (0000000000043D90, 0, L"\Device\SDGGameLoader", 33539, 0, 0, 0000000000C3F7F8)
...
0130:Ret ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=00f8e658
...
0130:Call ntoskrnl.exe.PsSetCreateProcessNotifyRoutine(00d62340,00000000) ret=00f8e743
0130:fixme:ntoskrnl:PsSetCreateProcessNotifyRoutine stub: 0000000000D62340 0
0130:Ret ntoskrnl.exe.PsSetCreateProcessNotifyRoutine() retval=00000000 ret=00f8e743
0130:Call ntoskrnl.exe.PsGetCurrentProcessId() ret=00f8e74e
0130:Ret ntoskrnl.exe.PsGetCurrentProcessId() retval=00000120 ret=00f8e74e
...
0130:trace:ntoskrnl:IoCreateSymbolicLink L"\DosDevices\SDGGameLoader" -> L"\Device\SDGGameLoader"
...
0130:Ret driver init 0000000000D70A60 (obj=0000000000043D90,str=L"\Registry\Machine\System\CurrentControlSet\Services\SDGame32") retval=00000000
...
0130:trace:ntoskrnl:init_driver init done for L"SDGame32" obj 0000000000043D90
0130:trace:ntoskrnl:init_driver - DriverInit = 0000000000D70A60
0130:trace:ntoskrnl:init_driver - DriverStartIo = 0000000000000000
0130:trace:ntoskrnl:init_driver - DriverUnload = 0000000000D63710
0130:trace:ntoskrnl:init_driver - MajorFunction[0] = 0000000000D626A0
0130:trace:ntoskrnl:init_driver - MajorFunction[1] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[2] = 0000000000D626A0
0130:trace:ntoskrnl:init_driver - MajorFunction[3] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[4] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[5] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[6] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[7] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[8] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[9] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[10] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[11] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[12] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[13] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[14] = 0000000000D626A0
0130:trace:ntoskrnl:init_driver - MajorFunction[15] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[16] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[17] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[18] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[19] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[20] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[21] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[22] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[23] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[24] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[25] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[26] = 0000000000320FA0
0130:trace:ntoskrnl:init_driver - MajorFunction[27] = 0000000000320FA0
....
0138:Starting thread proc 0000000000D632F0 (arg=0000000000042610)
0138:Call KERNEL32.BaseThreadInitThunk(00000000,00d632f0,00042610) ret=7bc57a22
0138:Call ntoskrnl.exe.KeDelayExecutionThread(00000000,00000000,0109fcb0) ret=00f8cfbd
0138:trace:ntoskrnl:KeDelayExecutionThread mode 0, alertable 0, timeout 000000000109FCB0.
0138:Call ntdll.NtDelayExecution(00000000,0109fcb0) ret=0032c924
0138:Ret ntdll.NtDelayExecution() retval=00000000 ret=0032c924
0138:Ret ntoskrnl.exe.KeDelayExecutionThread() retval=00000000 ret=00f8cfbd
0138:trace:seh:dispatch_exception code=80000100 flags=1 addr=000000007B012AF2 ip=000000007B012AF2 tid=0138
0138:trace:seh:dispatch_exception info[0]=000000000034f000
0138:trace:seh:dispatch_exception info[1]=0000000000351090
wine: Call from 000000007B012AF2 to unimplemented function ntoskrnl.exe.KdDisableDebugger, aborting
0138:trace:seh:call_vectored_handlers calling handler at 000000000031D2F0 code=80000100 flags=1
0138:trace:seh:call_vectored_handlers handler at 000000000031D2F0 returned 0
0138:trace:seh:call_vectored_handlers calling handler at 000000007B011BA0 code=80000100 flags=1
0138:trace:seh:call_vectored_handlers handler at 000000007B011BA0 returned 0
...
wine: Unimplemented function ntoskrnl.exe.KdDisableDebugger called at address 000000007B012AF2 (thread 0138), starting debugger...
--- snip ---
Microsoft docs:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-kdd...
Wine source:
https://source.winehq.org/git/wine.git/blob/47ac628b4a4e476c1b044765c95d5be2...
--- snip ---
518 @ stub KdDisableDebugger
--- snip ---
I think returning 'STATUS_DEBUGGER_INACTIVE' is the most sensible thing:
--- snip ---
...
0138:Call ntoskrnl.exe.KdDisableDebugger() ret=00f8cfd3
0138:trace:ntoskrnl:KdDisableDebugger .
0138:Ret ntoskrnl.exe.KdDisableDebugger() retval=c0000354 ret=00f8cfd3
...
0138:Call ntoskrnl.exe.ObOpenObjectByName(0109fc80,0034d0d0,00000000,00000000,00000000,00000000,0109fcb8) ret=00f8d006
...
0138:trace:ntoskrnl:ObOpenObjectByName attr(0000000000000000 L"\Driver\NtIce" 40) 000000000034D0D0 0 0000000000000000 0 0000000000000000 000000000109FCB8
...
0138:trace:ntoskrnl:ObReferenceObjectByName mostly-stub:L"\Driver\NtIce" 64 0000000000000000 0 000000000034D0D0 0 0000000000000000 000000000109FB68
0138:fixme:ntoskrnl:ObReferenceObjectByName Unhandled ObjectType
...
0138:fixme:ntoskrnl:ObReferenceObjectByName Object (L"\Driver\NtIce") not found, may not be tracked.
0138:Ret ntoskrnl.exe.ObOpenObjectByName() retval=c0000002 ret=00f8d006
...
0138:Call ntoskrnl.exe.ObOpenObjectByName(0109fc80,0034d0d0,00000000,00000000,00000000,00000000,0109fcc0) ret=00f8d081
...
0138:trace:ntoskrnl:ObOpenObjectByName attr(0000000000000000 L"\Driver\Syser" 40) 000000000034D0D0 0 0000000000000000 0 0000000000000000 000000000109FCC0
...
0138:trace:ntoskrnl:ObReferenceObjectByName mostly-stub:L"\Driver\Syser" 64 0000000000000000 0 000000000034D0D0 0 0000000000000000 000000000109FB68
0138:fixme:ntoskrnl:ObReferenceObjectByName Unhandled ObjectType
...
0138:fixme:ntoskrnl:ObReferenceObjectByName Object (L"\Driver\Syser") not found, may not be tracked.
0138:Ret ntoskrnl.exe.ObOpenObjectByName() retval=c0000002 ret=00f8d081
...
0138:Call ntoskrnl.exe.ObOpenObjectByName(0109fc80,0034d0d0,00000000,00000000,00000000,00000000,0109fcc8) ret=00f8d0fc
...
0138:trace:ntoskrnl:ObOpenObjectByName attr(0000000000000000 L"\Driver\FILEMON" 40) 000000000034D0D0 0 0000000000000000 0 0000000000000000 000000000109FCC8
...
0138:trace:ntoskrnl:ObReferenceObjectByName mostly-stub:L"\Driver\FILEMON" 64 0000000000000000 0 000000000034D0D0 0 0000000000000000 000000000109FB68
0138:fixme:ntoskrnl:ObReferenceObjectByName Unhandled ObjectType
...
0138:fixme:ntoskrnl:ObReferenceObjectByName Object (L"\Driver\FILEMON") not found, may not be tracked.
0138:Ret ntoskrnl.exe.ObOpenObjectByName() retval=c0000002 ret=00f8d0fc
...
0138:Call ntoskrnl.exe.ObOpenObjectByName(0109fc80,0034d0d0,00000000,00000000,00000000,00000000,0109fcd0) ret=00f8d177
...
0138:trace:ntoskrnl:ObOpenObjectByName attr(0000000000000000 L"\Driver\FILEMON701" 40) 000000000034D0D0 0 0000000000000000 0 0000000000000000 000000000109FCD0
...
0138:trace:ntoskrnl:ObReferenceObjectByName mostly-stub:L"\Driver\FILEMON701" 64 0000000000000000 0 000000000034D0D0 0 0000000000000000 000000000109FB68
0138:fixme:ntoskrnl:ObReferenceObjectByName Unhandled ObjectType
...
0138:fixme:ntoskrnl:ObReferenceObjectByName Object (L"\Driver\FILEMON701") not found, may not be tracked.
0138:Ret ntoskrnl.exe.ObOpenObjectByName() retval=c0000002 ret=00f8d177
0138:Call ntoskrnl.exe.KeDelayExecutionThread(00000000,00000000,0109fcb0) ret=00f8cfbd
0138:trace:ntoskrnl:KeDelayExecutionThread mode 0, alertable 0, timeout 000000000109FCB0.
0138:Call ntdll.NtDelayExecution(00000000,0109fcb0) ret=0032c964
--- snip ---
$ sha1sum DN_407_downloader_signed.exe
a42ec8020a3301f621806423154eb69153727a48  DN_407_downloader_signed.exe

$ du -sh DN_407_downloader_signed.exe
3.6M	DN_407_downloader_signed.exe

$ sha1sum DragonNest_v407*
833939e2f029e6ec4b20a1048901742087ac24a2  DragonNest_v407.7z.001
9b94d45f95b3e145f1a370b76d51cee9676395f0  DragonNest_v407.7z.002
f2b46a763099848f8e26253811ebc4caf336c11f  DragonNest_v407.7z.003
4afc1de3968cf4f3c710a11b7be83f18cb0353d8  DragonNest_v407_Setup.exe

$ du -sh DragonNest_v407*
4.0G	DragonNest_v407.7z.001
4.0G	DragonNest_v407.7z.002
2.2G	DragonNest_v407.7z.003
9.5M	DragonNest_v407_Setup.exe

$ wine --version
wine-6.1-1-g2b9a47e827c
Regards
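The relay trace above is the evidence that matters in a report like this: which ntoskrnl exports the driver calls, which of them Wine only stubs (the "fixme: ... stub:" lines), which it does not export at all (the "unimplemented function ... aborting" line that kills the process), what status each call returned, and which object-manager names the driver probes in its watchdog thread. Below is an added example, not part of this bug report and not Wine's own tooling, of a small parser that pulls exactly those facts out of a WINEDEBUG=+relay,+ntoskrnl,+seh log. The two sample logs are constructed for the example in the shape of the lines shown above (they are not copied from the report), the NTSTATUS name table is limited to the two codes that occur here, and the "severity bits 11 means error" rule used to flag failed calls is a heuristic chosen for the example.

```python
"""Summarize what a kernel driver asks of ntoskrnl in a Wine +relay/+ntoskrnl/+seh
trace: Call/Ret pairs, exports Wine only stubs, exports it lacks (which abort the
process), NTSTATUS failures and ObOpenObjectByName name probes."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Documented NTSTATUS values; only the two that occur in this kind of trace are listed.
NTSTATUS_NAMES = {0xC0000002: "STATUS_NOT_IMPLEMENTED", 0xC0000354: "STATUS_DEBUGGER_INACTIVE"}

_TID = r"(?P<tid>[0-9a-f]{4})"
_FN = r"(?P<mod>[\w.]+?)\.(?P<func>\w+)"          # e.g. ntoskrnl.exe.KdDisableDebugger
_CALL = re.compile(rf"^{_TID}:Call {_FN}\((?P<args>.*)\) ret=[0-9a-f]+$")
_RET = re.compile(rf"^{_TID}:Ret {_FN}\(\) retval=(?P<retval>[0-9a-f]+) ret=[0-9a-f]+$")
_FIXME = re.compile(rf"^{_TID}:fixme:\w+:(?P<func>\w+) (?P<msg>.*)$")
_PROBE = re.compile(rf'^{_TID}:trace:ntoskrnl:ObOpenObjectByName attr\(\S+ L"(?P<name>[^"]*)"')
_UNIMPL = re.compile(rf"^wine: Call from [0-9A-Fa-f]+ to unimplemented function {_FN}, aborting$")

@dataclass
class Call:
    tid: str
    module: str
    func: str
    args: str
    retval: Optional[int] = None   # stays None when no Ret follows (e.g. the process aborted)

@dataclass
class Summary:
    calls: List[Call] = field(default_factory=list)
    stubs: Set[str] = field(default_factory=set)          # exports logged as "fixme: ... stub"
    unimplemented: List[str] = field(default_factory=list)
    probes: List[str] = field(default_factory=list)       # names passed to ObOpenObjectByName
    failures: List[Tuple[str, str]] = field(default_factory=list)

def parse_trace(text: str) -> Summary:
    s = Summary()
    pending = defaultdict(list)   # tid -> open Calls, innermost last (relay lines nest per thread)
    for raw in text.splitlines():
        line = raw.strip()
        if m := _CALL.match(line):
            c = Call(m["tid"], m["mod"], m["func"], m["args"])
            s.calls.append(c)
            pending[m["tid"]].append(c)
        elif m := _RET.match(line):
            stack = pending[m["tid"]]
            for i in range(len(stack) - 1, -1, -1):   # a Ret closes the innermost Call of that name
                if stack[i].func == m["func"]:
                    stack[i].retval = int(m["retval"], 16)
                    del stack[i]
                    break
        elif m := _FIXME.match(line):
            if m["msg"].startswith("stub"):
                s.stubs.add(m["func"])
        elif m := _PROBE.match(line):
            s.probes.append(m["name"])
        elif m := _UNIMPL.match(line):
            s.unimplemented.append(f'{m["mod"]}.{m["func"]}')
    for c in s.calls:
        # Heuristic (assumption for this example): a 32-bit result whose top two bits are 11
        # is treated as an NTSTATUS error; relay prints pointers in the same width, so a
        # real tool would restrict this to exports known to return NTSTATUS.
        if c.retval is not None and c.retval <= 0xFFFFFFFF and (c.retval >> 30) == 3:
            s.failures.append((c.func, NTSTATUS_NAMES.get(c.retval, f"0x{c.retval:08X}")))
    return s

def report(s: Summary) -> str:
    lines = [f"calls: {len(s.calls)}",
             f"stubbed exports: {', '.join(sorted(s.stubs)) or '-'}",
             f"unimplemented exports: {', '.join(s.unimplemented) or '-'}",
             f"object probes: {', '.join(s.probes) or '-'}"]
    return "\n".join(lines + [f"  {f} -> {st}" for f, st in s.failures])

# Constructed samples in the shape of a Wine relay trace (not copied from any real log).
LOG_BEFORE_FIX = r"""
0138:Call ntoskrnl.exe.KeDelayExecutionThread(00000000,00000000,0109fcb0) ret=00f8cfbd
0138:Ret ntoskrnl.exe.KeDelayExecutionThread() retval=00000000 ret=00f8cfbd
0138:trace:seh:dispatch_exception code=80000100 flags=1 addr=000000007B012AF2 ip=000000007B012AF2 tid=0138
wine: Call from 000000007B012AF2 to unimplemented function ntoskrnl.exe.KdDisableDebugger, aborting
"""
LOG_AFTER_FIX = r"""
0130:Call ntoskrnl.exe.PsSetCreateProcessNotifyRoutine(00d62340,00000000) ret=00f8e743
0130:fixme:ntoskrnl:PsSetCreateProcessNotifyRoutine stub: 0000000000D62340 0
0130:Ret ntoskrnl.exe.PsSetCreateProcessNotifyRoutine() retval=00000000 ret=00f8e743
0138:Call ntoskrnl.exe.KdDisableDebugger() ret=00f8cfd3
0138:Ret ntoskrnl.exe.KdDisableDebugger() retval=c0000354 ret=00f8cfd3
0138:Call ntoskrnl.exe.ObOpenObjectByName(0109fc80,0034d0d0,00000000,00000000,00000000,00000000,0109fcb8) ret=00f8d006
0138:trace:ntoskrnl:ObOpenObjectByName attr(0000000000000000 L"\Driver\NtIce" 40) 000000000034D0D0 0 0000000000000000 0 0000000000000000 000000000109FCB8
0138:Ret ntoskrnl.exe.ObOpenObjectByName() retval=c0000002 ret=00f8d006
0138:Call ntoskrnl.exe.ObOpenObjectByName(0109fc80,0034d0d0,00000000,00000000,00000000,00000000,0109fcc0) ret=00f8d081
0138:trace:ntoskrnl:ObOpenObjectByName attr(0000000000000000 L"\Driver\Syser" 40) 000000000034D0D0 0 0000000000000000 0 0000000000000000 000000000109FCC0
0138:Ret ntoskrnl.exe.ObOpenObjectByName() retval=c0000002 ret=00f8d081
"""

if __name__ == "__main__":
    print(report(parse_trace(LOG_BEFORE_FIX)), "\n---\n", report(parse_trace(LOG_AFTER_FIX)))
```

Run against a full log (`parse_trace(open("log.txt").read())`) the `unimplemented` list is the export that needs a stub, `stubs` is the list of exports a driver is being lied to about, and `probes` shows what the driver looks for once it gets past the abort; for this driver that is the `\Driver\NtIce`, `\Driver\Syser` and `\Driver\FILEMON*` names, i.e. a check for kernel debuggers and monitoring tools, which is why the trace matters beyond the crash itself. Note that ObRegisterCallbacks in the log above is logged as a "fixme" without the word "stub", so it is not counted by the simple prefix test; extend the match if that matters for your analysis.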
Anastasius Focht focht@gmx.net changed:
What                |Removed |Added
----------------------------------------------------------------------------
URL                 |        |https://web.archive.org/web/20201228204714/http://dn.clientdown.sdo.com.sd.qcloudcdn.com/Dn_Download/DN_407_downloader_signed.exe
Keywords            |        |download, obfuscation
Anastasius Focht focht@gmx.net changed:
What                |Removed |Added
----------------------------------------------------------------------------
Status              |NEW     |RESOLVED
Fixed by SHA1       |        |e8cb99466b053e4fb2c720cb56bf7ba1d4e4a4d1
Resolution          |---     |FIXED

--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit https://source.winehq.org/git/wine.git/commitdiff/e8cb99466b053e4fb2c720cb56... ("ntoskrnl.exe: Add KdDisableDebugger/KdEnableDebugger stubs.").
Thanks Austin
$ wine --version
wine-6.1-70-g433b9081ba7
Regards
Alexandre Julliard julliard@winehq.org changed:
What                |Removed |Added
----------------------------------------------------------------------------
Status              |RESOLVED|CLOSED

--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 6.2.
Michael Stefaniuc mstefani@winehq.org changed:
What                |Removed |Added
----------------------------------------------------------------------------
Target Milestone    |---     |6.0.x
Michael Stefaniuc mstefani@winehq.org changed:
What                |Removed |Added
----------------------------------------------------------------------------
Target Milestone    |6.0.x   |---

--- Comment #3 from Michael Stefaniuc mstefani@winehq.org ---
Removing the 6.0.x milestone from bug fixes included in 6.0.1.