WineHQ
Bug Tracking Database – Bug 29448

Last modified: 2014-04-29 17:52:34 UTC

Bug 29448 - GameShield/SoftwareShield protected apps/games won't start (SetCurrentDirectoryA calling W API causes detours recursion)
Status: CLOSED FIXED
Product: Wine
Classification: Unclassified
Component: kernel32
Version: 1.3.35
Hardware: x86 Linux
Importance: P2 normal
Target Milestone: ---
Assigned To: Mr. Bugs
URL: http://www.softwareshield.com/Downloa...
Keywords: download, obfuscation, patch
Duplicates: 31755
Depends on:
Blocks: 29128 34268

Reported: 2011-12-26 16:39 UTC by Dan Kegel
Modified: 2014-04-29 17:52 UTC
CC: 9 users

See Also:
Regression SHA1:
Fixed by SHA1: fe64e21e3b6f923c55dee50c866005293fe2a9b8
Distribution: ---
Staged patchset:


Attachments
WINEDEBUG=relay,seh,tid,wintrust,cryptasn,crypt (98.12 KB, application/x-bzip2), 2011-12-27 04:42 UTC, Austin English
+relay,+tid,+seh,+heap log (616.83 KB, application/octet-stream), 2013-06-28 08:22 UTC, Maxime
Draft patch (2.32 KB, patch), 2013-08-17 18:47 UTC, Dan Kegel

Description Dan Kegel 2011-12-26 16:39:51 UTC
Looking for way to reproduce part of bug 29128 without having to buy LA Noire,
I downloaded and installed the trial for Software Shield.
According to the user's guide, you're supposed to first run SoftwareShield_License_Manager.exe.  This fails on Wine with the messages

fixme:wintrust:WinVerifyTrust unimplemented for 18402300
err:seh:setup_exception_record stack overflow 820 bytes in thread 0009 eip 7b84d74f esp 00230ffc stack 0x230000-0x231000-0x330000

That kind of looks like an invalid argument to WinVerifyTrust, so maybe the screwup was earlier.
Comment 1 Austin English 2011-12-27 04:42:38 UTC
0042:Call wintrust.WinVerifyTrust(ffffffff,0033fc4c,0033fc5c) ret=00b1d98c
0042:trace:wintrust:WinVerifyTrust (0xffffffff, {00aac56b-cd44-11d0-8cc2-00c04fc295ee}, 0x33fc5c)
0042:trace:wintrust:dump_wintrust_data 0x33fc5c
0042:trace:wintrust:dump_wintrust_data cbStruct: 64
0042:trace:wintrust:dump_wintrust_data pPolicyCallbackData: (nil)
0042:trace:wintrust:dump_wintrust_data pSIPClientData: (nil)
0042:trace:wintrust:dump_wintrust_data dwUIChoice: 2
0042:trace:wintrust:dump_wintrust_data fdwRevocationChecks: 00000000
0042:trace:wintrust:dump_wintrust_data dwUnionChoice: 1
0042:trace:wintrust:dump_file_info 0x33fc3c
0042:trace:wintrust:dump_file_info cbStruct: 16
0042:trace:wintrust:dump_file_info pcwszFilePath: L"C:\\Program Files\\Yummy Interactive\\SoftwareShield 4.5\\IronWrapper.exe"
0042:trace:wintrust:dump_file_info hFile: (nil)
0042:trace:wintrust:dump_file_info pgKnownSubject: (null)
0042:trace:wintrust:dump_wintrust_data dwStateAction: 11655724
0042:trace:wintrust:dump_wintrust_data hWVTStateData: 0x33fcac
0042:trace:wintrust:dump_wintrust_data pwszURLReference: L"\61e9\fb25\ebff\8bef\fc45\5e5f\8b5b\5de5\00c3\6957\546e\7572\7473\642e\6c6c"
0042:trace:wintrust:dump_wintrust_data dwProvFlags: 0033fca4
0042:trace:wintrust:dump_wintrust_data dwUIContext: 0
0042:fixme:wintrust:WinVerifyTrust unimplemented for 11655724
0042:trace:wintrust:WinVerifyTrust returning 00000000
0042:Ret  wintrust.WinVerifyTrust() retval=00000000 ret=00b1d98c
0042:Call oleaut32.SysFreeString(0013d294 L"C:\\Program Files\\Yummy Interactive\\SoftwareShield 4.5\\IronWrapper.exe") ret=00ad0e5f

WINEDEBUG=relay,seh,tid,wintrust,cryptasn,crypt attached.
Comment 2 Austin English 2011-12-27 04:42:50 UTC
Created attachment 38129 [details]
WINEDEBUG=relay,seh,tid,wintrust,cryptasn,crypt
Comment 3 Blake Gripling 2011-12-27 21:54:18 UTC
Is there a possibility that SS uses protection methods that just won't work because of Wine's architecture? I've encountered stuff like GameGuard which had issues with early builds of Windows 7, but idk if the same goes for GameShield.
Comment 4 Austin English 2011-12-29 14:55:21 UTC
(In reply to comment #3)
> Is there a possibility that SS uses protection methods that just won't work
> because of Wine's architecture? I've encountered stuff like GameGuard which had
> issues with early builds of Windows 7, but idk if the same goes for GameShield.

Of course it's possible, but that's hard to say without someone debugging it in more detail ;).
Comment 5 Juan Lang 2011-12-29 21:45:48 UTC
Does running with +heap change anything?
Comment 6 Dan Kegel 2011-12-29 22:30:14 UTC
warn+heap doesn't visibly change anything, and adds a few of these to the log:

0009:Call KERNEL32.GlobalHandle(001790f0) ret=011423fe
0009:warn:heap:HEAP_ValidateInUseArena Heap 0x110000: invalid in-use arena magic 00555555 for 0x1790e8
0009:Ret  KERNEL32.GlobalHandle() retval=00144532 ret=011423fe

but those are benign according to http://bugs.winehq.org/show_bug.cgi?id=10179
Comment 7 Juan Lang 2011-12-30 18:19:30 UTC
Seems somewhat like a heap corruption, doesn't it?  What's up with the access violations prior to WinVerifyTrust?  e.g.:

0042:Ret  KERNEL32.InterlockedDecrement() retval=00000002 ret=00ad2509
0042:trace:seh:raise_exception code=c0000005 flags=0 addr=0xaf1bf2 ip=00af1bf2 tid=0042
0042:trace:seh:raise_exception  info[0]=00000001
0042:trace:seh:raise_exception  info[1]=00000000
0042:trace:seh:raise_exception  eax=00000000 ebx=00dac4d0 ecx=00dac9bc edx=00000001 esi=00137f11 edi=00401004
0042:trace:seh:raise_exception  ebp=0033fd34 esp=0033fd1c cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00210246
0042:trace:seh:call_vectored_handlers calling handler at 0x7ec08ee0 code=c0000005 flags=0
0042:trace:seh:call_vectored_handlers handler at 0x7ec08ee0 returned 0
0042:trace:seh:call_stack_handlers calling handler at 0xaf1bf4 code=c0000005 flags=0
0042:trace:seh:call_stack_handlers handler at 0xaf1bf4 returned 0
0042:Call KERNEL32.InterlockedDecrement(00daca2c) ret=00ad2499

The stack overflow doesn't appear in your +relay et al log:

0042:fixme:wintrust:WinVerifyTrust unimplemented for 11655724
0042:trace:wintrust:WinVerifyTrust returning 00000000
0042:Ret  wintrust.WinVerifyTrust() retval=00000000 ret=00b1d98c

So I think that's a red herring.  I think you want to look for memory corruption.
Comment 8 Nikita 2012-08-12 10:45:45 UTC
any news?..
Comment 9 Dan Kegel 2012-08-12 11:13:27 UTC
The download is behind a flaky registration page now, so it might be a while before I can test again.
Comment 10 Nikita 2012-09-29 13:56:44 UTC
(In reply to comment #9)
> The download is behind a flaky registration page now, so it might be a while
> before I can test again.

Sorry for being impatient, but... any news?
Comment 11 Maxime 2013-06-28 08:22:59 UTC
Created attachment 45018 [details]
+relay,+tid,+seh,+heap log

You can download the Software Shield 5.0 demo without registering on their website.
I gave my email and the link to download the demo:
http://s3.amazonaws.com/softwareshield.com/download/IDE/SoftwareShield_ISV_Setup.exe

Software Shield 5 needs .NET Framework 4 to work. Install it into a clean wineprefix with winetricks.

When I launch it, I have this message in the output console:
berillions@debian64:~/.wine/drive_c/Program Files/Yummy Interactive/SoftwareShield 5 ISV Edition$ /home/berillions/Desktop/1.6-rc3-32/usr/local/bin/wine iw4win.exe 
fixme:heap:HeapSetInformation (nil) 1 (nil) 0
fixme:process:SetProcessDEPPolicy (1): stub
fixme:heap:HeapSetInformation (nil) 1 (nil) 0
fixme:process:SetProcessShutdownParameters (00000380, 00000000): partial stub.

I attach the +relay,+tid,+seh,+heap log too.
Comment 12 Anastasius Focht 2013-08-17 14:23:31 UTC
Hello folks,

encountered this problem with "Louisiana Adventure Demo" (bug 34275) which is protected by GameShield.

A common symptom is the message:

--- snip ---
err:seh:setup_exception_record stack overflow 832 bytes in thread 002c eip 0049fdcf esp 00240ff0 stack 0x240000-0x241000-0x340000
--- snip ---

The protection hooks (detours) a number of win32 APIs.
Example dump from memory:

--- snip ---
00FE2A88   0103ACA0  ; PTR to ASCII 10,"THookCreateFileW"
00FE2A8C   0103ACC0  ; PTR to ASCII 0D,"THookReadFile"
00FE2A90   0103ACE0  ; PTR to ASCII 0F,"THookReadFileEx"
00FE2A94   00000000
00FE2A98   00000000
00FE2A9C   0103AD00  ; PTR to ASCII 10,"THookCloseHandle"
00FE2AA0   0103AD20  ; PTR to ASCII 13,"THookSetFilePointer"
00FE2AA4   0103ADA0  ; PTR to ASCII 17,"THookCreateFileMappingW"
00FE2AA8   0103AD60  ; PTR to ASCII 17,"THookCreateFileMappingA"
00FE2AAC   0103ADE0  ; PTR to ASCII 12,"THookMapViewOfFile"
00FE2AB0   0103AE20  ; PTR to ASCII 18,"THookGetOverlappedResult"
00FE2AB4   0103AE60  ; PTR to ASCII 10,"THookGetFileSize"
00FE2AB8   0103AE80  ; PTR to ASCII 12,"THookGetFileSizeEx"
00FE2ABC   0103AEC0  ; PTR to ASCII 14,"THookUnmapViewOfFile"
00FE2AC0   0103AF00  ; PTR to ASCII 14,"THookMapViewOfFileEx"
00FE2AC4   0103AF40  ; PTR to ASCII 0E,"THookCopyFileW"
00FE2AC8   0103AF60  ; PTR to ASCII 10,"THookCopyFileExW"
00FE2ACC   0103AF80  ; PTR to ASCII 13,"THookFindFirstFileW"
00FE2AD0   0103AFC0  ; PTR to ASCII 15,"THookFindFirstFileExW"
00FE2AD4   0103B000  ; PTR to ASCII 12,"THookFindNextFileW"
00FE2AD8   0103B040  ; PTR to ASCII 0E,"THookFindClose"
00FE2ADC   0103B0C0  ; PTR to ASCII 10,"THookSearchPathW"
00FE2AE0   0103B0E0  ; PTR to ASCII 17,"THookGetFileAttributesW"
00FE2AE4   0103B120  ; PTR to ASCII 19,"THookGetFileAttributesExW"
00FE2AE8   0103B8C0  ; PTR to ASCII 17,"THookAddFontResourceExA"
00FE2AEC   0103B900  ; PTR to ASCII 17,"THookAddFontResourceExW"
00FE2AF0   0103B940  ; PTR to ASCII 1A,"THookRemoveFontResourceExW"
00FE2AF4   0103B140  ; PTR to ASCII 10,"THookGetFileType"
00FE2AF8   0103B160  ; PTR to ASCII 10,"THookGetFileTime"
00FE2AFC   0103B180  ; PTR to ASCII 1F,"THookGetFileInformationByHandle"
00FE2B00   0103B1A0  ; PTR to ASCII 19,"THookSetCurrentDirectoryA"
00FE2B04   0103B1C0  ; PTR to ASCII 19,"THookSetCurrentDirectoryW"
00FE2B08   0103B260  ; PTR to ASCII 1D,"THookGetPrivateProfileStringA"
00FE2B0C   0103B280  ; PTR to ASCII 1D,"THookGetPrivateProfileStringW"
00FE2B10   0103B2A0  ; PTR to ASCII 1E,"THookGetPrivateProfileSectionA"
00FE2B14   0103B2C0  ; PTR to ASCII 1E,"THookGetPrivateProfileSectionW"
00FE2B18   0103B060  ; PTR to ASCII 21,"THookFindFirstChangeNotificationW"
00FE2B1C   0103B080  ; PTR to ASCII 1F,"THookFindNextChangeNotification"
00FE2B20   0103B0A0  ; PTR to ASCII 20,"THookFindCloseChangeNotification"
00FE2B24   0103B220  ; PTR to ASCII 15,"THookSetFilePointerEx"
00FE2B28   0103B1E0  ; PTR to ASCII 14,"THookReadFileScatter"
00FE2B2C   00000000
...
--- snip ---

Each API to be detoured has a descriptor.
Example for "SetCurrentDirectoryA":

--- snip ---
0103B1A0   00D6D9F4  ; ASCII 19,"THookSetCurrentDirectoryA"
0103B1A4   01041EE0  ; ASCII "SetCurrentDirectoryA"
0103B1A8   7B810000  ; base
0103B1AC   7FFC04D4  ; detour continuation thunk
0103B1B0   7B8600AB  ; KERNEL32.SetCurrentDirectoryA
0103B1B4   00000001  ; ref
0103B1B8   00000000  ; entry terminator
--- snip ---

The original entry point detoured:

KERNEL32.SetCurrentDirectoryA(Path)

--- snip ---
7B8600AB    E9 13047604     JMP 7FFC04C3
7B8600B0    E4 F0           IN AL,0F0
7B8600B2    FF71 FC         PUSH DWORD PTR DS:[ECX-4]
7B8600B5    55              PUSH EBP
7B8600B6    89E5            MOV EBP,ESP
7B8600B8    53              PUSH EBX
7B8600B9    51              PUSH ECX
7B8600BA    83EC 20         SUB ESP,20
7B8600BD    E8 EEF2FBFF     CALL 7B81F3B0
7B8600C2    81C3 3E8F0500   ADD EBX,58F3E
7B8600C8    89C8            MOV EAX,ECX
7B8600CA    C74424 04 00000 MOV DWORD PTR SS:[ESP+4],0
7B8600D2    8B00            MOV EAX,DWORD PTR DS:[EAX]
7B8600D4    890424          MOV DWORD PTR SS:[ESP],EAX
7B8600D7    E8 12D0FDFF     CALL 7B83D0EE
7B8600DC    8945 F4         MOV DWORD PTR SS:[EBP-0C],EAX
7B8600DF    837D F4 00      CMP DWORD PTR SS:[EBP-0C],0
7B8600E3    75 07           JNE SHORT 7B8600EC
7B8600E5    B8 00000000     MOV EAX,0
7B8600EA    EB 0E           JMP SHORT 7B8600FA
7B8600EC    8B45 F4         MOV EAX,DWORD PTR SS:[EBP-0C]
7B8600EF    890424          MOV DWORD PTR SS:[ESP],EAX
7B8600F2    E8 46FFFFFF     CALL SetCurrentDirectoryW
7B8600F7    83EC 04         SUB ESP,4
7B8600FA    8D65 F8         LEA ESP,[EBP-8]
7B8600FD    59              POP ECX
7B8600FE    5B              POP EBX
7B8600FF    5D              POP EBP
7B860100    8D61 FC         LEA ESP,[ECX-4]
7B860103    C2 0400         RETN 4
--- snip ---

This is the call sequence leading to failure, gathered from debugging:

--- snip ---
SetCurrentDirectoryA[entry]
 -> THookSetCurrentDirectoryA
   -> SetCurrentDirectoryA[cont]
     -> SetCurrentDirectoryW[entry]
        -> THookSetCurrentDirectoryW
           -> SetCurrentDirectoryA[cont] (bug)
              -> SetCurrentDirectoryW[entry] (recursion)
--- snip ---

The problem appears with nested hooks.
The protection code reads private data from TLS during detour handling to retrieve the continuation thunk address.
But the per-thread code doesn't handle nesting properly: it ends up calling the previous (parent) continuation thunk, which leads to recursion.

Windows SetCurrentDirectoryA() probably doesn't forward the native API call to the W API.

I made a small inline wrapper for the SetCurrentDirectoryW() code and had both SetCurrentDirectoryW() and SetCurrentDirectoryA() call it.
This avoids hitting both hooks with SetCurrentDirectoryA().

With the patch applied, the protection code is happy.
There might still be similar issues left for other APIs, but the game from bug 34275 started to work (only to run into a d3dx9 shader compiler bug).

Also "iw4win.exe" (IronWrapper: IronWrap Linker) starts now though I didn't bother to figure out how the thing works.
It seems to require an application xml config file as input for further processing.

Regards
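As an added illustration (not code from this bug report, from the protection vendor, or from Wine), the following C program models the nesting defect described in the comment above and shows why routing SetCurrentDirectoryA through a static helper avoids it. The hook machinery, the assumption that the per-thread slot is only filled when it is empty, and all function names are constructed for the model; recursion is capped at a fixed depth instead of letting the stack overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the nested-detour bug; not GameShield's code. */
typedef bool (*cont_fn)(const char *path);

static cont_fn tls_continuation;   /* stands in for the per-thread TLS slot */
static int depth, max_depth;       /* bounded recursion instead of a real stack overflow */
static char trace[512];            /* records the call sequence for inspection */
#define MAX_DEPTH 6

static void step(const char *s) { strncat(trace, s, sizeof trace - strlen(trace) - 1); }

/* The real work; in the Wine fix this is the static helper both A and W call. */
static bool set_dir_internal(const char *path) { step("impl "); return path && *path; }

/* Hooked entry point: the detour stub parks its continuation in the TLS
 * slot, and the THook* handler reads the slot back to resume the original
 * code.  Assumed defect: the slot is only filled when it is empty, so a hook
 * entered while another hook is active resumes its *parent's* continuation. */
static bool hooked_entry(const char *hook, cont_fn cont, const char *path) {
    bool ok = false, owner = false;
    if (++depth > max_depth) max_depth = depth;
    if (depth > MAX_DEPTH) { step("STACK-OVERFLOW "); depth--; return false; }
    if (!tls_continuation) { tls_continuation = cont; owner = true; }
    step(hook); step(" ");
    ok = tls_continuation(path);   /* THook* resumes through the TLS slot */
    if (owner) tls_continuation = NULL;
    depth--;
    return ok;
}

static bool set_dir_w_cont(const char *path) { step("W.cont "); return set_dir_internal(path); }
static bool set_dir_w_entry(const char *path) {
    return hooked_entry("THookSetCurrentDirectoryW", set_dir_w_cont, path);
}

/* Before the fix: A's continuation re-enters the hooked W entry point. */
static bool set_dir_a_cont_old(const char *path) { step("A.cont "); return set_dir_w_entry(path); }
/* After the fix: A's continuation calls the shared static helper directly. */
static bool set_dir_a_cont_new(const char *path) { step("A.cont "); return set_dir_internal(path); }

static void reset(void) { trace[0] = 0; depth = max_depth = 0; tls_continuation = NULL; }

/* Run one SetCurrentDirectoryA("C:\\game") through the model (constructed input). */
bool run_set_dir_a(bool fixed) {
    reset();
    return hooked_entry("THookSetCurrentDirectoryA",
                        fixed ? set_dir_a_cont_new : set_dir_a_cont_old, "C:\\game");
}
/* A direct W call: its hook fires exactly once in either variant. */
bool run_set_dir_w(void) { reset(); return set_dir_w_entry("C:\\game"); }
int last_max_depth(void) { return max_depth; }
const char *last_trace(void) { return trace; }

int main(void) {
    int fixed;
    for (fixed = 0; fixed < 2; fixed++) {
        bool ok = run_set_dir_a(fixed != 0);
        printf("%s: ok=%d depth=%d\n  %s\n", fixed ? "fixed" : "old", ok, last_max_depth(), last_trace());
    }
    return 0;
}
```

The unfixed variant reproduces the sequence from the comment (THookSetCurrentDirectoryA, A continuation, THookSetCurrentDirectoryW, then the A continuation again instead of W's) until the depth cap trips; the fixed variant never enters the W hook at all, which is exactly what "avoids hitting both hooks" means.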
Comment 13 Dan Kegel 2013-08-17 18:47:54 UTC
Created attachment 45643 [details]
Draft patch

Something like this?

(Doesn't help LA Noire, can't get as far with current SoftwareShield demo, and Louisiana demo will take another five hours to download.)
Comment 14 Anastasius Focht 2013-08-18 04:12:17 UTC
Hello Dan,

that will do too.
Though I prefer inlining the helper ('static inline BOOL ...').

Regarding "can't get as far with current SoftwareShield demo" ... what does that mean? I don't have a crystal ball...

I tested the 'iw4win.exe' executable from comment #11 (download, .NET 4.0 required) and it worked for me.
Reverting patch to old behaviour gives the stack overflow/coredump.

There are multiple bugs for sure (even unrelated to protection scheme) and I'm not going to mix them all up here.

Regards
Comment 15 Dan Kegel 2013-08-18 21:32:33 UTC
iw4win.exe works here with my patch (I was trying the wrong executable).

Since the patch works with either inline or noinline, may as well leave
the specifier off.  Submitted as
http://www.winehq.org/pipermail/wine-patches/2013-August/125894.html

Thanks!
Comment 16 Maxime 2013-08-19 05:11:29 UTC
(In reply to comment #13)
> Created attachment 45643 [details]
> Draft patch
> 
> Something like this?
> 
> (Doesn't help LA Noire, can't get as far with current SoftwareShield demo, and
> Louisiana demo will take another five hours to download.)

Hi Dan,

Does your patch not work with LA Noire, or can't you try it?
I have the "Max Payne 3" game, which has the same protection as LA Noire, so I can try your patch to see if it allows the game to run.

Max
Comment 17 Anastasius Focht 2013-08-19 18:08:48 UTC
Hello folks,

the bug was about a specific issue with detours of API entry points (which looks like a protection code bug), and fixing it helped the Software Shield/IronWrap command line tool and the Louisiana Adventure Demo to run.

NOTE: There are still issues related and unrelated to this software protection that deserve their own bugs or are already tracked by existing bugs.

Fixed by commit http://source.winehq.org/git/wine.git/commit/fe64e21e3b6f923c55dee50c866005293fe2a9b8

Thanks Alexandre.

Regards
Comment 18 Alexandre Julliard 2013-08-30 13:06:42 UTC
Closing bugs fixed in 1.7.1.
Comment 19 Alexandre Julliard 2013-11-15 13:40:49 UTC
Removing 1.6.x milestone from bugs included in 1.6.1.
Comment 20 Austin English 2014-04-29 17:52:34 UTC
*** Bug 31755 has been marked as a duplicate of this bug. ***