http://bugs.winehq.org/show_bug.cgi?id=23999

Dan Kegel dank@kegel.com changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |dank@kegel.com

--- Comment #1 from Dan Kegel dank@kegel.com 2010-08-14 16:53:26 --- Running on a system with debug symbols shows

=>0 0x7e92e655 MessageBoxA+0x5(hWnd=(nil), text="Most probably you are using illegally modified software and may be held liable under criminal and civil law. The application will be closed. If you are sure that you are using the licensed product and it has not been modified, please contact us via e-mail: support@sqlmanager.net or via the form at our web-site: https://secure.sqlmanager.net/member/support", title="Piracy prevention system warning", type=0x0010) [dlls/user32/msgbox.c:396] in user32 (0x03bfea68) ... 0x7e92e655 MessageBoxA+0x5 [dlls/user32/msgbox.c:396] in user32: inb %dx,%al

So it's a copy-protection system going crazy.

Why it think's there's an 'inb' instruction there is a bit hard to imagine, but copy-protection schemes do all sorts of crazy things, might have poked holes in us.

(Does this also happen with the paid version, or if you select the 30 day trial?)

http://bugs.winehq.org/show_bug.cgi?id=23999

--- Comment #3 from Dan Kegel dank@kegel.com 2010-08-14 17:55:06 --- At this point, you may want to ask the vendor for help, but they'll probably laugh at you.

Or hope that one of the really good app troubleshooters (hello, AF) takes an interest.

http://bugs.winehq.org/show_bug.cgi?id=23999

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Keywords| |obfuscation CC| |focht@gmx.net Component|-unknown |ntdll Summary|EMS SQL Manager 2010 Lite |EMS SQL Manager 2010 Lite |for PostgreSQL crashes |for PostgreSQL crashes |after 10 min |after 10 min (needs | |NtQueryVirtualMemory with | |MemorySectionName info | |class)

--- Comment #4 from Anastasius Focht focht@gmx.net 2010-08-17 14:16:19 --- Hello,

although that app seems to be protected by a commercial protection system it might be possible that "home-grown" code is the culprit here.

--- snip --- Scanning -> C:\Program Files\EMS\SQL Manager Lite for PostgreSQL\PgManager.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 6485952 (062F7C0h) Byte(s) -> File Appears to be Digitally Signed @ Offset 062E200h, size : 015C0h / 05568 byte(s) -> File has 512 (0200h) bytes of appended data starting at offset 062E000h [File Heuristics] -> Flag : 00000000000001001100000000100110 (0x0004C026) [!] ASProtect SKE v2.3 - v2.5 detected ! --- snip ---

There is more than one bug present ... The first bug is an ntdll.NtQueryVirtualMemory(), MemorySectionName info class insufficiency (lookup image name by address).

There is a watch-guard thread (0x2d) that verifies that parts of the in-memory app PE image have not been modified (patched) by looking at disk image. Due to non-implemented MemorySectionName info class, it fails to do so hence another (error reporting) thread is spawned that goes haywire (which is in theory another bug).

--- snip --- ... 002b:Call KERNEL32.CreateThread(00000000,00000000,033d0000,03370000,00000000,00000000) ret=0336c015 002b:Ret KERNEL32.CreateThread() retval=00000078 ret=0336c015 ... 002d:Call ntdll.ZwDelayExecution(00000000,035de240) ret=033d1cab ... 002d:Ret ntdll.ZwDelayExecution() retval=00000000 ret=033d1cab 002d:Call KERNEL32.VirtualAlloc(00000000,00000014,00003000,00000004) ret=033d1cbc 002d:Ret KERNEL32.VirtualAlloc() retval=038e0000 ret=033d1cbc 002d:Call ntdll.RtlAllocateHeap(00110000,00000000,00000620) ret=033d2e65 002d:Ret ntdll.RtlAllocateHeap() retval=001c3128 ret=033d2e65 002d:Call ntdll.ZwQueryVirtualMemory(ffffffff,00400000,00000002,001c3128,0000030c,00000000) ret=033d2ea4 002d:fixme:virtual:NtQueryVirtualMemory (process=0xffffffff,addr=0x400000) Unimplemented information class: MemorySectionName 002d:Ret ntdll.ZwQueryVirtualMemory() retval=c0000003 ret=033d2ea4 002d:Call ntdll.RtlFreeHeap(00110000,00000000,001c3128) ret=033d3b85 002d:Ret ntdll.RtlFreeHeap() retval=00000001 ret=033d3b85 002d:Call KERNEL32.OpenThread(0000005a,00000000,0000002b) ret=033b3799 002d:Ret KERNEL32.OpenThread() retval=00000094 ret=033b3799 002d:Call KERNEL32.SuspendThread(00000094) ret=033b37bc 002d:Ret KERNEL32.SuspendThread() retval=00000000 ret=033b37bc 002d:Call KERNEL32.GetThreadContext(00000094,035dcf34) ret=033b37f3 002d:Ret KERNEL32.GetThreadContext() retval=00000001 ret=033b37f3 002d:Call KERNEL32.VirtualAlloc(00000000,0000000c,00003000,00000040) ret=033b3827 002d:Ret KERNEL32.VirtualAlloc() retval=038f0000 ret=033b3827 002d:Call KERNEL32.CreateThread(00000000,00000000,033c0000,038e0000,00000000,00000000) ret=033b387c 002d:Ret KERNEL32.CreateThread() retval=000000a4 ret=033b387c ... 002e:Starting thread proc 0x33c0000 (arg=0x38e0000) 002e:trace:seh:raise_exception code=c0000096 flags=0 addr=0x683f43cb ip=683f43cb tid=002e --- snip ---

If that MemorySectionName stuff gets implemented one day it could also be of help to psapi (GetMappedFileName).

Regards

http://bugs.winehq.org/show_bug.cgi?id=23999

--- Comment #5 from Adam Bartoszewicz adamb@info-s.pl 2012-06-03 12:37:31 CDT --- I have tested EMS SQL Manager v5.1.1.4 Lite for PostgreSQL (wine 1.4 and Ubuntu 12.04) and it works fine with only minor problems. There is no bug described here.

https://bugs.winehq.org/show_bug.cgi?id=23999

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW URL|http://www.sqlmanager.net/e |http://us3cdn.ausgamers.com |n/products/postgresql/manag |/downloads/1404038335/Knigh |er/download/5/134 |tOnlineSetup_v2025.exe Summary|EMS SQL Manager 2010 Lite |Multiple applications with |for PostgreSQL crashes |DRM schemes need |after 10 min (needs |NtQueryVirtualMemory |NtQueryVirtualMemory with |'MemorySectionName' info |MemorySectionName info |class (EMS SQL Manager 2010 |class) |Lite for PostgreSQL | |v.4.7.08, Knight Online | |client) Ever confirmed|0 |1

--- Comment #7 from Anastasius Focht focht@gmx.net --- Hello folks,

--- quote --- I have tested EMS SQL Manager v5.1.1.4 Lite for PostgreSQL (wine 1.4 and Ubuntu 12.04) and it works fine with only minor problems. There is no bug described here. --- quote ---

that's because you're using a newer app version than the one you reported the bug with. The newer one is wrapped with a different protection scheme:

--- quote --- -=[ ProtectionID v0.6.5.5 OCTOBER]=- (c) 2003-2013 CDKiLLER & TippeX Build 31/10/13-21:09:09 Ready... Scanning -> C:\Program Files\EMS\SQL Manager Lite for PostgreSQL\PgManager.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 12368840 (0BCBBC8h) Byte(s) -> File Appears to be Digitally Signed @ Offset 0BCA200h, size : 019C8h / 06600 byte(s) -> File has 512 (0200h) bytes of appended data starting at offset 0BCA000h [File Heuristics] -> Flag : 00000000000000001100001000000111 (0x0000C207) [Entrypoint Section Entropy] : 6.53 [!] Armadillo *Unknown Version* detected ! - Scan Took : 0.702 Second(s) [0000002BEh tick(s)] [533 scan(s) done] --- quote ---

The bug is obviously still present with the old version hence nothing was fixed. The problem is getting the old version - all 3rd party sites link to the vendor main download site which kept getting updated.

I searched for other EMS products with the same date range (~ 2010) and protection type/version and found 'EMS SQL Manager Lite 2010 for InterBase/Firebird'

Download: http://download.cnet.com/SQL-Manager-Lite-2010-for-InterBase-Firebird/3000-2...

$ sha1sum ibmanager_lite.zip 03d423bc48653382a354aa7a79f64bbbb90c740e ibmanager_lite.zip

$ du -sh ibmanager_lite.zip 42M ibmanager_lite.zip

--- snip --- -=[ ProtectionID v0.6.5.5 OCTOBER]=- (c) 2003-2013 CDKiLLER & TippeX Build 31/10/13-21:09:09 Ready... Scanning -> C:\Program Files\EMS\SQL Manager Lite for InterBase & Firebird\IBManager.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 6616528 (064F5D0h) Byte(s) -> File Appears to be Digitally Signed @ Offset 064E000h, size : 015D0h / 05584 byte(s) -> File has 512 (0200h) bytes of appended data starting at offset 064DE00h [File Heuristics] -> Flag : 00000000000001001100000000100110 (0x0004C026) [Entrypoint Section Entropy] : 8.00 [!] ASProtect SKE v2.3 - v2.5 detected ! - Scan Took : 0.623 Second(s) [00000026Fh tick(s)] [533 scan(s) done] --- snip ---

Unfortunately this app doesn't exhibit the same behaviour (no watcher thread created).

'Knight Online World' client v2.025 (MMORPG), wrapped with Themida 2.x also makes use of this (stub doesn't seem to be critical here):

--- snip --- $ pwd /home/focht/.wine/drive_c/NTTGame/KnightOnlineEn

$ wine ./KnightOnLine.exe fixme:toolhelp:CreateToolhelp32Snapshot Unimplemented: heap list snapshot fixme:toolhelp:CreateToolhelp32Snapshot Unimplemented: heap list snapshot fixme:virtual:NtQueryVirtualMemory (process=0x17c,addr=0x400000) Unimplemented information class: MemorySectionName fixme:virtual:NtQueryVirtualMemory (process=0x17c,addr=0x3010000) Unimplemented information class: MemorySectionName fixme:virtual:NtQueryVirtualMemory (process=0x17c,addr=0x10000000) Unimplemented information class: MemorySectionName fixme:virtual:NtQueryVirtualMemory (process=0x17c,addr=0x7b810000) Unimplemented information class: MemorySectionName fixme:virtual:NtQueryVirtualMemory (process=0x17c,addr=0x7bc10000) Unimplemented information class: MemorySectionName fixme:virtual:NtQueryVirtualMemory (process=0x17c,addr=0x7d6d0000) Unimplemented information class: MemorySectionName fixme:virtual:NtQueryVirtualMemory (process=0x17c,addr=0x7d840000) Unimplemented information class: MemorySectionName ... --- snip ---

Protection scan:

--- snip --- -=[ ProtectionID v0.6.5.5 OCTOBER]=- (c) 2003-2013 CDKiLLER & TippeX Build 31/10/13-21:09:09 Ready... Scanning -> C:\NTTGame\KnightOnlineEn\KnightOnLine.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 4493752 (04491B8h) Byte(s) -> File Appears to be Digitally Signed @ Offset 0447000h, size : 021B8h / 08632 byte(s) [File Heuristics] -> Flag : 00000000000000001100000000110111 (0x0000C037) [Entrypoint Section Entropy] : 7.88 [!] Themida v2.0.1.0 - v2.1.8.0 (or newer) detected ! [i] Hide PE Scanner Option used - Scan Took : 0.435 Second(s) [0000001B3h tick(s)] [533 scan(s) done]

Scanning -> C:\NTTGame\KnightOnlineEn\Launcher.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 2232320 (0221000h) Byte(s) [File Heuristics] -> Flag : 00000000000000001000000000000000 (0x00008000) [Entrypoint Section Entropy] : 6.66 [CompilerDetect] -> Visual C++ 8.0 (Visual Studio 2005) [!] File appears to have no protection or is using an unknown protection - Scan Took : 0.379 Second(s) [00000017Bh tick(s)] [533 scan(s) done] --- snip ---

Refining summary to not letting this bug go to waste.

As previously mentioned, having this facility will also allow to implement kernel32/psapi 'GetMappedFileName' stub.

$ sha1sum KnightOnlineSetup_v2025.exe 6eaef8f9e4dcd6e205b17ac7af6e664bb16770ec KnightOnlineSetup_v2025.exe

$ du -sh KnightOnlineSetup_v2025.exe 686M KnightOnlineSetup_v2025.exe

$ wine --version wine-1.7.21-1-g47fa54e

Regards

https://bugs.winehq.org/show_bug.cgi?id=23999

t.bussmann@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |t.bussmann@gmx.net

https://bugs.winehq.org/show_bug.cgi?id=23999

--- Comment #10 from Anastasius Focht focht@gmx.net --- *** Bug 38792 has been marked as a duplicate of this bug. ***

https://bugs.winehq.org/show_bug.cgi?id=23999

Kibo steve@scope-media.com changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |steve@scope-media.com

--- Comment #12 from Kibo steve@scope-media.com --- Created attachment 52353 --> https://bugs.winehq.org/attachment.cgi?id=52353 error log Crossfire Europe

https://bugs.winehq.org/show_bug.cgi?id=23999

Rosanne DiMesio dimesio@earthlink.net changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |aeraibrooks@gmail.com

--- Comment #14 from Rosanne DiMesio dimesio@earthlink.net --- *** Bug 40263 has been marked as a duplicate of this bug. ***

https://bugs.winehq.org/show_bug.cgi?id=23999

SF shitman71@hotmail.com changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |shitman71@hotmail.com

--- Comment #15 from SF shitman71@hotmail.com --- I think this Bug can be marked Critical.

The Anti-Cheating of Black Desert Online is also having problems with it, anti-cheating usually doesn't get added to only one single game.

critical Critical problem that prevents all applications from working

Added Attachments:

BDO_09.05.2017_Wine_Output BDO_09.05.2017_Debug_Log

https://bugs.winehq.org/show_bug.cgi?id=23999

--- Comment #16 from SF shitman71@hotmail.com --- Created attachment 58116 --> https://bugs.winehq.org/attachment.cgi?id=58116 BDO_09.05.2017_Debug_Log

https://bugs.winehq.org/show_bug.cgi?id=23999

--- Comment #18 from SF shitman71@hotmail.com --- Solving Bug 42980 depends upon this bug now.

https://bugs.winehq.org/show_bug.cgi?id=23999

tokktokk fdsfgs@krutt.org changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |fdsfgs@krutt.org

https://bugs.winehq.org/show_bug.cgi?id=23999

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |luca.finizio.mgbx@hotmail.i | |t

--- Comment #19 from Anastasius Focht focht@gmx.net --- *** Bug 45920 has been marked as a duplicate of this bug. ***

https://bugs.winehq.org/show_bug.cgi?id=23999

Andrey andrey.gursky@e-mail.ua changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |andrey.gursky@e-mail.ua

https://bugs.winehq.org/show_bug.cgi?id=23999

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- URL|http://us3cdn.ausgamers.com |https://web.archive.org/web |/downloads/1404038335/Knigh |/20210119095726/https://ido |tOnlineSetup_v2025.exe |wnload.idg.pl/cyberjoy/mmor | |pg/knight_online/KnightOnli | |neSetup_v2025.exe?md5=k75uj | |JVci5AmB2kR0c_q2g&expires=1 | |611050830

https://bugs.winehq.org/show_bug.cgi?id=23999

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Fixed by SHA1| |3472387777289f9aa962dabb05f | |c9d55e05ee090