Hallo,
some programm refuses to start. First it checks for the usual suspects: Call kernel32.CreateFileA(0040a89e "\\.\SICE" Ret kernel32.CreateFileA() retval=ffffffff Call kernel32.CreateFileA(0040a8a7 "\\.\NTICE" Ret kernel32.CreateFileA() retval=ffffffff Call advapi32.RegOpenKeyExA(80000002,0040a24e "Software\NuMega\SoftIce" Ret advapi32.RegOpenKeyExA() retval=00000002 Call kernel32.CreateFileA(0040a5a3 "\\.\CMAPIENG" Ret kernel32.CreateFileA() retval=ffffffff
Then it checks for GetModuleHandle and GetProcAddres
Call kernel32.GetModuleHandleA(0040a572 "Kernel32.dll") Ret kernel32.GetModuleHandleA() retval=40450000 Call kernel32.GetProcAddress(40450000,0040a57f "LoadLibraryA") Ret kernel32.GetProcAddress() retval=40517bd0 ret=0040a60b
and immediate hits an exception, which is handled:
trace:seh:EXC_RtlRaiseException code=c0000005 flags=0 addr=0x4123a1 trace:seh:EXC_RtlRaiseException info[0]=00000001 trace:seh:EXC_RtlRaiseException info[1]=00000000 trace:seh:EXC_RtlRaiseException eax=00000000 ebx=405294ac ecx=00400000 edx=00400000 esi=ffffffa8 edi=00405000 trace:seh:EXC_RtlRaiseException ebp=0000a000 esp=4067ff10 cs=0073 ds=007b es=007b fs=003b gs=0033 flags=00010212 trace:seh:EXC_CallHandler calling handler at 0x410bcc code=c0000005 flags=0 trace:seh:EXC_CallHandler handler returned 0 0009:Call user32.MessageBoxA(00000000,004c6142 "Incompatible Systemanalyzer detected!\n(#2000)",004c5ac0 "Sparbuch 2004",00010010) ret=004c95eb
Similar failure on the net also come up with an additional message: "Kernel32 call does not point into Kernel32.dll"
Is this an misbehavoiur of wine we can (want) to fix?
Bye
On Sat, 04 Sep 2004 17:23:47 +0200, Uwe Bonnes wrote:
Call kernel32.GetModuleHandleA(0040a572 "Kernel32.dll") Ret kernel32.GetModuleHandleA() retval=40450000 Call kernel32.GetProcAddress(40450000,0040a57f "LoadLibraryA") Ret kernel32.GetProcAddress() retval=40517bd0 ret=0040a60b
and immediate hits an exception, which is handled:
trace:seh:EXC_RtlRaiseException code=c0000005 flags=0 addr=0x4123a1
0x0040a60b and 0x004123a1 are some way apart so I wouldn't say it's immediate.
Similar failure on the net also come up with an additional message: "Kernel32 call does not point into Kernel32.dll"
I suspect it's checking for a redirection of LoadLibrary to shim code by checking if the returned address of the call is within the boundaries described by the PE headers of kernel32.dll
Random guess: winebuild outputs 0 and 0 for SizeOfCode and BaseOfCode, maybe it's taking the address from GetProcAddress, casting the return of GetModuleHandleA to an IMAGE_NT_HEADERS structure then saying
if (( address_of_loadlibrary < headers->BaseOfCode + headers->SizeOfCode ) || address_of_loadlibrary > headers->BaseOfCode + headers->SizeOfCode ) { MessageBox("Incompatible SystemAnalyzer detected"); }
Not sure how you could verify this except by disassembling the app though.
thanks -mike
On Sat, 04 Sep 2004 17:22:09 +0100, Mike Hearn wrote:
if (( address_of_loadlibrary < headers->BaseOfCode + headers->SizeOfCode ) || address_of_loadlibrary > headers->BaseOfCode + headers->SizeOfCode ) { MessageBox("Incompatible SystemAnalyzer detected"); }
Uh ... obviously I meant:
if (( address_of_loadlibrary < headers->BaseOfCode ) || address_of_loadlibrary > headers->BaseOfCode + headers->SizeOfCode ) { MessageBox("Incompatible SystemAnalyzer detected"); }
It might be cleverer than that of course, checking individual sections and stuff. Anyway, it's just a theory.
Uwe Bonnes wrote:
some programm refuses to start. First it checks for the usual suspects:
Which application? Can I download it from somewhere? Did you try it on the CVS tip as of today? It seems to be some kind of copy protection/activation scheme...
Mike
-
Mike Hearn -
Mike McCormack -
Uwe Bonnes