oliverthered Posted June 15, 2005
Hi, my name is Oliver Stieber and I am currently working on the wine project (www.winehq.org), adding support for DirectX 9 Direct3D so that modern games can be played on Linux. I have had a number of requests to add support for Continuum. I had a look, and everything should work ok except for the fact that the loader has some debugger protection in place that prevents it from loading under wine. If you are the developer of Continuum and are interested in looking at making a version available that works under wine, then please send me a private email. (If you are not the developer of Continuum but have information on the loader that Continuum uses, I would also be keen to hear from you.)
Paine Posted June 15, 2005
Priitk (the developer) is very... inactive... although I'm sure a select few people around here have the ability to get in touch with him.
»SOS Posted June 15, 2005
That's cool. I have no idea how to reach him... but I'll let some people who probably can reach him a bit more easily know about this.
»i88gerbils Posted June 16, 2005
It would be best to attempt a complete SubSpace wine implementation, as it's very buggy. I know that sknox was working on this on and off for the past year or so.
»SOS Posted June 16, 2005
Subspace? Nobody uses that, why should anyone care about Subspace? Anyway, I don't really understand what you said.
50% Packetloss Posted June 16, 2005
I asked Ekted about this, so I would probably regard it as the official answer. PriitK uses a custom anti-debug executable packer to prevent standard debuggers from being able to load it. The only things that work on Cont are kernel-level debuggers like SoftIce. Removing this protection would allow more people to attempt hacks, deadlisting disassembly, patching the code, etc. I doubt PriitK would give in even IF he was active. There's pretty much nothing that I can do. So I suggest giving up; the Linux thing won't happen unless PriitK makes it happen himself.
protoman.exe Posted June 16, 2005
Send him your work and let him do the rest himself?
Smong Posted June 17, 2005
I think wine support would make it easier for people to evade bans too.
oliverthered (Author) Posted June 17, 2005
> I asked Ekted about this, so I would probably regard it as the official answer. PriitK uses a custom anti-debug executable packer to prevent standard debuggers from being able to load it. The only things that work on Cont are kernel-level debuggers like SoftIce. Removing this protection would allow more people to attempt hacks, deadlisting disassembly, patching the code, etc. I doubt PriitK would give in even IF he was active. There's pretty much nothing that I can do. So I suggest giving up; the Linux thing won't happen unless PriitK makes it happen himself.

a: If you can use SoftIce then there's no point in protecting the exe from other debuggers; all 'protecting' the exe is doing is preventing it from running on wine.
b: It may be possible to get wine to load the exe properly without making it more susceptible to hackers if the features in windows that allowed the application to run under windows could be implemented in wine, and I can [probably] do this reasonably confidentially given the information.
Dr Brain Posted June 17, 2005
Thanks, oliverthered, for looking into this. This game is just about the only thing keeping me from moving my primary OS to Linux. It would be really, really great news for Continuum to be able to run under Linux. Keep us posted, even if you find that you can't make it work.
»SOS Posted June 18, 2005
Why exactly is Wine triggering Continuum's anti-debugger protection?
oliverthered (Author) Posted June 20, 2005
> Why exactly is Wine triggering Continuum's anti-debugger protection?

That's what I'd like to know. Unfortunately I don't have a copy of SoftIce to even start looking at the problem from a kernel level. It may be the way some of the registers or the VM is set up prior to calling the entry point for the application; hopefully it shouldn't be too hard to fix with some additional information about what protection is in place. I've already done some googling to find out what copy-protection techniques are in common use, and Continuum didn't seem to match anything (which is not that surprising if it's using custom anti-debugger protection). This is why I'm keen to get in touch with the developer (or someone who knows a little more about the copy protection in place); we should be able to make wine behave like windows without compromising the copy protection.
50% Packetloss Posted June 20, 2005
Well, here is his forum account over at Skype: http://forum.skype.com/profile.php?mode=viewprofile&u=758 I believe he still works for them, but I'm not sure if he even looks at that forum. But if you forum-PM him, I'm sure that the forum will send an email to him notifying him of his message. Other than that, I wouldn't know how to contact him other than talking to Mr. Ekted. Ekted can be found in SSCX Powerball and on http://forums.minegoboom.com
»SOS Posted June 20, 2005
Might the VM be messing with INT3? Continuum itself uses the debugging interrupt for normal execution, so if the VM tries to override or disable it, Continuum won't run. Also, how does Continuum terminate? At what address? Does it simply not load? Or does it give an error?
oliverthered (Author) Posted June 20, 2005
> Might the VM be messing with INT3? Continuum itself uses the debugging interrupt for normal execution, so if the VM tries to override or disable it, Continuum won't run. Also, how does Continuum terminate? At what address? Does it simply not load? Or does it give an error?

Continuum loads ok; all the DLLs up to ddraw are loaded, and then it exits, probably via a ret (without calling ddraw, or apparently ExitProcess). Unfortunately ExitProcess under wine doesn't dump a stack trace, so I don't know what the exit point is. I'll see if I can find a kernel-level debugger for Linux that also supports windows symbols, so I can break on ExitProcess. I'm fairly sure that wine doesn't hook INT3 during normal operation; I'll have a chat with the rest of the wine guys.
»SOS Posted June 21, 2005
Hmm... if it gets as far as loading the DLLs, I think it already passed the first INT3 check, so that's probably out. Well, I'm out of ideas.
tandernam Posted July 4, 2005
> Continuum loads ok; all the DLLs up to ddraw are loaded, and then it exits, probably via a ret (without calling ddraw, or apparently ExitProcess). Unfortunately ExitProcess under wine doesn't dump a stack trace, so I don't know what the exit point is. I'll see if I can find a kernel-level debugger for Linux that also supports windows symbols, so I can break on ExitProcess.

Continuum opens another process of itself and runs that, then closes the original process. I don't have any debuggers installed on this machine unfortunately, but I'll look at it next time I'm on my PC.
tandernam Posted July 5, 2005
> Continuum opens another process of itself and runs that, then closes the original process. I don't have any debuggers installed on this machine unfortunately, but I'll look at it next time I'm on my PC.

Cont uses several methods to confuse debuggers and decompilers, including jumping to "unaligned" addresses and changing the stack location to execute bytes which are pushed onto it. I don't really feel I should be doing this... You should probably just get in touch with Priitk and he might help you tweak it to run.
CommieCausey Posted July 8, 2005
There is a tool called PEiD that can identify which packer was used. Then google the name... I am pretty bummed that I can't use wine because I am using Linux on an old Mac, but I think wine is awesome and best of luck to you! CC
CommieCausey Posted July 8, 2005
Oops, it posted twice, sorry, connection problems.
50% Packetloss Posted July 9, 2005
Maybe you didn't see where I said that Continuum uses a CUSTOM PACKER. That program returns a packer called PEX, which is wrong, or PriitK completely changed how it packed the executable (PEX is open source).
CommieCausey Posted July 9, 2005
> Maybe you didn't see where I said that Continuum uses a CUSTOM PACKER. That program returns a packer called PEX, which is wrong, or PriitK completely changed how it packed the executable (PEX is open source).

I am positive it is packed & compressed with PEX written by "bart". PriitK just changed a few bytes to ruin the signature and fool dex, the unpacker. I used a tutorial written by bart to manually unpack Continuum, but I can't find an active link. I also used OllyDbg, a user-level debugger. You don't need SoftIce. CC
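What the last two posts disagree about is how a PEiD-style identifier works, so here is an added example (not code from the thread, from PEiD or from PEX) of entry-point signature matching. PEiD's database is a list of byte patterns, with `??` as a wildcard byte, compared against the bytes at the program's entry point; the parser and matcher below implement that scheme. The packer name, both patterns and the three entry-point byte strings are constructed for the example and are not the real PEX stub or signature. It shows why "changing a few bytes" defeats an exact signature while a looser wildcard pattern can still flag the same stub.

```c
/* Added example: PEiD-style entry-point signature matching.
 * Patterns, packer names and entry-point bytes are constructed for
 * illustration; none of them is the real PEX stub or a real PEiD entry.
 * Build: cc -o epsig epsig.c   (assumed build line)
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SIG 64

typedef struct {
    unsigned char byte[MAX_SIG];
    unsigned char mask[MAX_SIG];   /* 1 = byte must match, 0 = "??" wildcard */
    size_t len;
} ep_sig;

/* Parse "60 E8 ?? ?? 5D" style text into bytes and a wildcard mask. */
static int parse_sig(const char *text, ep_sig *out)
{
    out->len = 0;
    while (*text && out->len < MAX_SIG) {
        while (*text == ' ') text++;
        if (!*text) break;
        if (text[0] == '?' && text[1] == '?') {
            out->byte[out->len] = 0;
            out->mask[out->len] = 0;
        } else if (isxdigit((unsigned char)text[0]) && isxdigit((unsigned char)text[1])) {
            char hex[3] = { text[0], text[1], 0 };
            out->byte[out->len] = (unsigned char)strtoul(hex, NULL, 16);
            out->mask[out->len] = 1;
        } else {
            return 0;                  /* malformed token */
        }
        out->len++;
        text += 2;
    }
    return out->len > 0;
}

/* PEiD "ep_only" semantics: the pattern must match from the first EP byte. */
static int sig_matches_ep(const ep_sig *s, const unsigned char *ep, size_t ep_len)
{
    if (ep_len < s->len) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->mask[i] && ep[i] != s->byte[i]) return 0;
    return 1;
}

/* Constructed signature database (hypothetical packer, hypothetical bytes). */
static const struct { const char *name; const char *pattern; } sig_db[] = {
    { "HypoPacker 1.0 (exact stub)",    "60 E8 00 00 00 00 5D 83 ED 06 8B C5" },
    { "HypoPacker 1.x (loose, wildcards)", "60 E8 ?? ?? ?? ?? 5D" },
};
#define SIG_DB_COUNT (sizeof sig_db / sizeof sig_db[0])

/* Returns the index of the first matching database entry, or -1. */
int identify_ep(const unsigned char *ep, size_t ep_len)
{
    for (size_t i = 0; i < SIG_DB_COUNT; i++) {
        ep_sig s;
        if (parse_sig(sig_db[i].pattern, &s) && sig_matches_ep(&s, ep, ep_len))
            return (int)i;
    }
    return -1;
}

/* Constructed entry-point byte strings. */
const unsigned char stock_ep[] =    /* untouched stub: pushad; call $+5; pop ebp; sub ebp,6 */
    { 0x60, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x83, 0xED, 0x06, 0x8B, 0xC5 };
const unsigned char tampered_ep[] = /* same stub, "sub ebp,6" re-encoded with a 32-bit immediate */
    { 0x60, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x81, 0xED, 0x06, 0x00, 0x00, 0x00, 0x8B, 0xC5 };
const unsigned char plain_ep[] =    /* ordinary compiler prologue, no packer */
    { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

int main(void)
{
    const unsigned char *eps[] = { stock_ep, tampered_ep, plain_ep };
    const size_t lens[] = { sizeof stock_ep, sizeof tampered_ep, sizeof plain_ep };
    const char *labels[] = { "stock", "tampered", "plain" };
    for (int i = 0; i < 3; i++) {
        int hit = identify_ep(eps[i], lens[i]);
        printf("%-9s -> %s\n", labels[i], hit < 0 ? "unknown" : sig_db[hit].name);
    }
    return 0;
}
```

The stock stub hits the exact signature; the tampered stub, where one instruction was re-encoded so only a few bytes differ, misses the exact entry and is caught only by the loose pattern; the plain prologue matches nothing. A tool that reports "PEX" on a modified binary is therefore consistent with both posts: the stub family is recognisable, but an unpacker keyed to exact offsets will still fail.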
50% Packetloss Posted July 9, 2005
And it worked? I use OllyDbg as well, but always got that packing error. Link me to the tutorial you speak of.
CommieCausey Posted July 12, 2005
It used to be on exetools next to the PEX download, but like I said it's long gone. Someone named codeinside also made a tutorial, but his page is also gone. Oliver, if you need help with it feel free to send me an email.
CommieCausey Posted July 12, 2005
I just remembered: if it closes after starting the CreateProcess infinite loop, that is not the packer's fault. That is custom made to stop debuggers and annoy you! I didn't examine what caused it to happen. CC