[Bug 45083] 64-bit MetaTrader 5 hangs on exit (VMProtect 3.x, exception in TLS callback under macOS)

wine-bugs at winehq.org
Tue May 1 07:05:48 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=45083

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|NEEDINFO                    |NEW
            Summary|64-bit MetaTrader 5 hangs   |64-bit MetaTrader 5 hangs
                   |on exit                     |on exit (VMProtect 3.x,
                   |                            |exception in TLS callback
                   |                            |under macOS)

--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello Amin,

the app is protected with a very recent version of VMProtect (virtual machine +
obfuscation + anti-debug), probably some 3.x version.
VMProtect is a state-of-the-art software protection scheme (Denuvo uses it
too -> http://vmpsoft.com/blog/).

I've tried to find the exact version but it seems all the detectors failed or
incorrectly identified it as 1.x.

https://www.virustotal.com/#/file/9135933cf76fb0cd3b1ced462559dfd6915e715ed1dbcffff08b341d9c6dd482/details

https://www.reverse.it/sample/9135933cf76fb0cd3b1ced462559dfd6915e715ed1dbcffff08b341d9c6dd482

The PE has two VM segments '.cod0', '.cod1' (usually the segments are named
'.vmp0', '.vmp1'). Various patterns strongly hint at VMProtect (heavy use of
virtual machine code).

It seems there might be an incompatibility of the software protection scheme
with Wine on macOS. Does the app itself work for you with all features, except
for the process exit issue?

There are 3 TLS callbacks in the app:

--- snip ---
(proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
(proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
(proc=0x1402f6290,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
--- snip ---

Your log shows the second TLS callback (0x140305790) causes an exception:

--- snip ---
...
003a:Call KERNEL32.GetFileAttributesW(004f5478 L"C:\\Program Files\\MetaTrader
5\\config\\certificates") ret=140056a92
003a:Ret  KERNEL32.GetFileAttributesW() retval=00000010 ret=140056a92
003a:Call ntdll.RtlAllocateHeap(00010000,00000000,00000da8) ret=1402d2b54
003a:Ret  ntdll.RtlAllocateHeap() retval=00510d00 ret=1402d2b54
003a:Call KERNEL32.InitializeCriticalSection(00510d38) ret=140962b9f
003a:Ret  KERNEL32.InitializeCriticalSection() retval=00000000 ret=140962b9f
003a:Call KERNEL32.GetSystemTimeAsFileTime(0022d580) ret=140962cf0
003a:Ret  KERNEL32.GetSystemTimeAsFileTime() retval=01d3e04e ret=140962cf0
003a:Call KERNEL32.GetSystemTimeAsFileTime(0022d588) ret=140962d1f
003a:Ret  KERNEL32.GetSystemTimeAsFileTime() retval=01d3e04e ret=140962d1f
003a:Call ntdll.RtlAllocateHeap(00010000,00000008,00000028) ret=1402d2bcb
003a:Ret  ntdll.RtlAllocateHeap() retval=00511b00 ret=1402d2bcb
003a:Call KERNEL32.GetModuleHandleExW(00000004,140966480,00511b18)
ret=1402bc3c2
003a:Ret  KERNEL32.GetModuleHandleExW() retval=00000001 ret=1402bc3c2
003a:Call
KERNEL32.CreateThread(00000000,00100000,1402bc234,00511b00,00010000,0022d4e0)
ret=1402bc513
003b:trace:seh:mac_thread_gsbase pthread_self() 0xb0002000 + offset 0x000000e0
-> gsbase 0xb00020e0
003a:Ret  KERNEL32.CreateThread() retval=00000250 ret=1402bc513
003a:Call KERNEL32.GetSystemInfo(0022d540) ret=14096694e
003a:Ret  KERNEL32.GetSystemInfo() retval=00004601 ret=14096694e
003a:Call
KERNEL32.CreateIoCompletionPort(ffffffffffffffff,00000000,00000000,00000000)
ret=140093c40
003a:Ret  KERNEL32.CreateIoCompletionPort() retval=00000254 ret=140093c40
003b:Call PE DLL (proc=0x4523feb0,module=0x45190000
L"user32.dll",reason=THREAD_ATTACH,res=0x0)
...
003b:Ret  PE DLL (proc=0x4523feb0,module=0x45190000
L"user32.dll",reason=THREAD_ATTACH,res=0x0) retval=1
...
003b:Ret  PE DLL (proc=0x463e1d60,module=0x463a0000
L"wininet.dll",reason=THREAD_ATTACH,res=0x0) retval=1
003b:Call TLS callback
(proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Ret  TLS callback
(proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Call TLS callback
(proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x14182994a
ip=14182994a tid=003b
003b:trace:seh:NtRaiseException  info[0]=0000000000000000
003b:trace:seh:NtRaiseException  info[1]=0000000000000120
003b:trace:seh:NtRaiseException  rax=000000000000ffb0 rbx=00000001bfa11b40
rcx=fffffffffffffdf9 rdx=0000000000000120
003b:trace:seh:NtRaiseException  rsi=0000000140efbfac rdi=000000000003f5cc
rbp=fffffffffffb4ba9 rsp=000000000071e570
003b:trace:seh:NtRaiseException   r8=0000000000000058  r9=000000000071e786
r10=000000000081e20b r11=0000000141829945
003b:trace:seh:NtRaiseException  r12=0000000000000202 r13=0000000000000000
r14=0000000000000040 r15=0000000000000120
...
003b:trace:seh:call_stack_handlers found wine frame 0x71e7e8 rsp 71e930 handler
0x7bc9eb80
003b:trace:seh:call_teb_handler calling TEB handler 0x7bc9eb80 (rec=0x71e430,
frame=0x71e7e8 context=0x71d950, dispatch=0x71d828)
003b:trace:seh:RtlUnwindEx code=c0000005 flags=2 end_frame=0x71e7e8
target_ip=0x7bc9ea60 rip=000000007bc78c17
003b:trace:seh:RtlUnwindEx  info[0]=0000000000000000
003b:trace:seh:RtlUnwindEx  info[1]=0000000000000120
003b:trace:seh:RtlUnwindEx  rax=000000000071e7e8 rbx=000000000071e430
rcx=000000000071d1a0 rdx=000000007bc9ea60
003b:trace:seh:RtlUnwindEx  rsi=6d0ee98053420061 rdi=000000000071e7e8
rbp=000000000071d160 rsp=000000000071c9e0
003b:trace:seh:RtlUnwindEx   r8=000000000071e430  r9=000000007bc9ebf0
r10=0000000000721b50 r11=ffffffffffffff7e
003b:trace:seh:RtlUnwindEx  r12=000000000071df60 r13=000000000071d950
r14=000000000071d1a0 r15=000000000071e7e8
...
003b:trace:seh:RtlRestoreContext returning to 7bc9ea60 stack 71e7a0
003b:exception in TLS callback
(proc=0x141ad1f68,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Starting thread proc 0x1402bc234 (arg=0x511b00)
003a:Ret  KERNEL32.GetModuleHandleExW() retval=00000001 ret=1402bc3c2
003a:Call
KERNEL32.CreateThread(00000000,00100000,1402bc234,00511c80,00010000,0022d4c0)
ret=1402bc513
003b:Call KERNEL32.GetLastError() ret=1402d2f70
003b:Ret  KERNEL32.GetLastError() retval=00000000 ret=1402d2f70
...
003b:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x1402d5d06
ip=1402d5d06 tid=003b
003b:trace:seh:NtRaiseException  info[0]=0000000000000000
003b:trace:seh:NtRaiseException  info[1]=0000000000000020
003c:trace:seh:mac_thread_gsbase pthread_self() 0xb0004000 + offset 0x000000e0
-> gsbase 0xb00040e0
003b:trace:seh:NtRaiseException  rax=0000000000000000 rbx=0000000000000001
rcx=0000000000000000 rdx=0000000140cb1a78
003a:Ret  KERNEL32.CreateThread() retval=00000258 ret=1402bc513
... 
003c:err:ntdll:RtlpWaitForCriticalSection section 0x140d7ad40 "?" wait timed
out in thread 003c, blocked by 003b, retrying (60 sec) 
--- snip ---

The exception causes the thread to die while holding a lock.
All other threads depending on/using it will block too, preventing clean exit.

Same TLS callback sequence on my system (Linux x86_64, Fedora 27):

--- snip ---
...
0031:Call KERNEL32.GetFileAttributesW(0053e268 L"C:\\Program Files\\MetaTrader
5\\config\\certificates") ret=140056a92
0031:Ret  KERNEL32.GetFileAttributesW() retval=00000010 ret=140056a92
...
0031:Call KERNEL32.InitializeCriticalSection(005658e8) ret=140962b9f
0031:Ret  KERNEL32.InitializeCriticalSection() retval=00000001 ret=140962b9f
0031:Call KERNEL32.GetSystemTimeAsFileTime(0022d4f0) ret=140962cf0
0031:Ret  KERNEL32.GetSystemTimeAsFileTime() retval=0022d4f0 ret=140962cf0
0031:Call KERNEL32.GetSystemTimeAsFileTime(0022d4f8) ret=140962d1f
0031:Ret  KERNEL32.GetSystemTimeAsFileTime() retval=0022d4f8 ret=140962d1f
...
0031:Call KERNEL32.GetModuleHandleExW(00000004,140966480,0055a2a8)
ret=1402bc3c2
0031:Ret  KERNEL32.GetModuleHandleExW() retval=00000001 ret=1402bc3c2
0031:Call
KERNEL32.CreateThread(00000000,00100000,1402bc234,0055a290,00010000,0022d450)
ret=1402bc513
0031:Ret  KERNEL32.CreateThread() retval=00000250 ret=1402bc513
0031:Call KERNEL32.GetSystemInfo(0022d4b0) ret=14096694e
0031:Ret  KERNEL32.GetSystemInfo() retval=0022d4b0 ret=14096694e
0031:Call
KERNEL32.CreateIoCompletionPort(ffffffffffffffff,00000000,00000000,00000000)
ret=140093c40
0031:Ret  KERNEL32.CreateIoCompletionPort() retval=00000254 ret=140093c40
0031:Call ntdll.RtlAllocateHeap(00010000,00000008,00000028) ret=1402d2bcb
0031:Ret  ntdll.RtlAllocateHeap() retval=0055a2d0 ret=1402d2bcb
0031:Call KERNEL32.GetModuleHandleExW(00000004,140965fb0,0055a2e8)
ret=1402bc3c2
0031:Ret  KERNEL32.GetModuleHandleExW() retval=00000001 ret=1402bc3c2
0031:Call
KERNEL32.CreateThread(00000000,00100000,1402bc234,0055a2d0,00010000,0022d430)
ret=1402bc513
0032:Call PE DLL (proc=0x7faddb1dbe6a,module=0x7faddb0e0000
L"user32.dll",reason=THREAD_ATTACH,res=(nil))
...
0032:Ret  PE DLL (proc=0x7fadd969692e,module=0x7fadd9640000
L"wininet.dll",reason=THREAD_ATTACH,res=(nil)) retval=1
0032:Call TLS callback
(proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0031:Ret  KERNEL32.CreateThread() retval=00000258 ret=1402bc513
0031:Call ntdll.RtlAllocateHeap(00010000,00000008,00000028) ret=1402d2bcb
0031:Ret  ntdll.RtlAllocateHeap() retval=0055a420 ret=1402d2bcb
0031:Call KERNEL32.GetModuleHandleExW(00000004,140965fb0,0055a438)
ret=1402bc3c2
0032:Ret  TLS callback
(proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0032:Call TLS callback
(proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0032:Ret  TLS callback
(proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0032:Call TLS callback
(proc=0x1402f6290,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0032:Call ntdll.RtlAllocateHeap(00360000,00000000,00000018) ret=140e12c83
0032:Ret  ntdll.RtlAllocateHeap() retval=00364d60 ret=140e12c83
0032:Call ntdll.RtlAllocateHeap(00360000,00000000,00000018) ret=140e12c83
0032:Ret  ntdll.RtlAllocateHeap() retval=00364d90 ret=140e12c83 
0032:Call ntdll.LdrGetProcedureAddress(7b460000,0070e360,00000000,0070e398)
ret=14193d460
0032:Ret  ntdll.LdrGetProcedureAddress() retval=00000000 ret=14193d460
...
0032:Ret  TLS callback
(proc=0x1402f6290,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0031:Ret  KERNEL32.GetModuleHandleExW() retval=00000001 ret=1402bc3c2
0031:Call
KERNEL32.CreateThread(00000000,00100000,1402bc234,0055a420,00010000,0022d430)
ret=1402bc513
0032:Starting thread proc 0x1402bc234 (arg=0x55a290)
0033:Call PE DLL (proc=0x7faddb1dbe6a,module=0x7faddb0e0000
L"user32.dll",reason=THREAD_ATTACH,res=(nil))
0032:Call KERNEL32.GetLastError() ret=1402d2f70
0033:Ret  PE DLL (proc=0x7faddb1dbe6a,module=0x7faddb0e0000
L"user32.dll",reason=THREAD_ATTACH,res=(nil)) retval=1
0032:Ret  KERNEL32.GetLastError() retval=00000000 ret=1402d2f70
...
0033:Call PE DLL (proc=0x7fadda5aa963,module=0x7fadda580000
L"ws2_32.dll",reason=THREAD_ATTACH,res=(nil))
0032:Call KERNEL32.LoadLibraryExW(140a76db0
L"api-ms-win-appmodel-runtime-l1-1-2",00000000,00000800) ret=1402d336d
0033:Ret  PE DLL (proc=0x7fadda5aa963,module=0x7fadda580000
L"ws2_32.dll",reason=THREAD_ATTACH,res=(nil)) retval=1
0033:Call PE DLL (proc=0x7fadd969692e,module=0x7fadd9640000
L"wininet.dll",reason=THREAD_ATTACH,res=(nil))
0033:Ret  PE DLL (proc=0x7fadd969692e,module=0x7fadd9640000
L"wininet.dll",reason=THREAD_ATTACH,res=(nil)) retval=1
0033:Call TLS callback
(proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0031:Ret  KERNEL32.CreateThread() retval=0000025c ret=1402bc513
...
0031:Call KERNEL32.GetModuleHandleExW(00000004,140965fb0,0055a4e8)
ret=1402bc3c2
0033:Ret  TLS callback
(proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0033:Call TLS callback
(proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0033:Ret  TLS callback
(proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0033:Call TLS callback
(proc=0x1402f6290,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
...
0033:Call ntdll.LdrGetProcedureAddress(7b460000,0081e360,00000000,0081e398)
ret=14193d460
0033:Ret  ntdll.LdrGetProcedureAddress() retval=00000000 ret=14193d460
...
0033:Ret  TLS callback
(proc=0x1402f6290,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0033:Starting thread proc 0x1402bc234 (arg=0x55a2d0)
--- snip ---

The problem seems to occur on your system when the second TLS callback is
called the second time (thread creation -> thread attach notification).

The first time (process attach notification) it goes fine on your system too,
from your log:

--- snip ---
...
003a:Call TLS callback
(proc=0x140305790,module=0x140000000,reason=PROCESS_ATTACH,reserved=0) 
...
003a:Call KERNEL32.GetModuleHandleW(003638b0 L"ntdll.dll") ret=14193d4be
003a:Ret  KERNEL32.GetModuleHandleW() retval=7bc10000 ret=14193d4be
003a:Call KERNEL32.GetProcAddress(7bc10000,00363910 "wine_get_version")
ret=14193d4c9
003a:Ret  KERNEL32.GetProcAddress() retval=7bc19728 ret=14193d4c9 
...
003a:Call advapi32.RegOpenKeyExA(ffffffff80000002,0022e2e0
"HARDWARE\\ACPI\\DSDT\\VBOX__",00000000,00020019,0022e338) ret=1403055f1
003a:Ret  advapi32.RegOpenKeyExA() retval=00000002 ret=1403055f1
003a:Call KERNEL32.GetModuleHandleW(0022e300 L"VBoxHook.dll") ret=140305653
003a:Ret  KERNEL32.GetModuleHandleW() retval=00000000 ret=140305653 
...
003a:Call KERNEL32.GetModuleHandleW(003638b0 L"ntdll.dll") ret=14193d7d5
003a:Ret  KERNEL32.GetModuleHandleW() retval=7bc10000 ret=14193d7d5
003a:Call KERNEL32.GetModuleHandleW(00363910 L"kernel32.dll") ret=14193d7f6
003a:Ret  KERNEL32.GetModuleHandleW() retval=7b410000 ret=14193d7f6
003a:Call KERNEL32.GetProcAddress(7bc10000,003639d0
"NtQueryInformationProcess") ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc13780 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363a90 "NtSetInformationThread")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc13ee0 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363a30 "NtQuerySystemInformation")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc139cc ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363af0 "NtFreeVirtualMemory")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc1308c ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363b50 "NtQueryVirtualMemory")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc13a94 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363bb0 "NtAllocateVirtualMemory")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc12b08 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363c10 "NtProtectVirtualMemory")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc135d8 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363c70 "NtCreateFile")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc12c6c ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363cd0 "NtReadFile") ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc13b44 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363d30 "NtWriteFile")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc14258 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363d90 "NtWaitForSingleObject")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc14238 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363df0 "NtQueryInformationFile")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc13738 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363e50 "NtSetInformationFile")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc13e2c ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363eb0
"NtQueryFullAttributesFile") ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc136f8 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363f10 "NtRemoveProcessDebug")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=00000000 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363f70 "NtTerminateProcess")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc14124 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364030 "NtClose") ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc12bd4 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364090 "NtDeviceIoControlFile")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc12f28 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,003640f0 "NtFsControlFile")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc130b0 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364150 "NtWriteVirtualMemory")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc142a0 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,003641b0 "NtFlushInstructionCache")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc13030 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364210 "NtReadVirutalMemory")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=00000000 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364270 "NtDelayExecution")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc12ea8 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,003642d0 "NtMapViewOfSection")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc13240 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364330 "NtUnmapViewOfSection")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc141d4 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364390 "NtCreateSection")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc12df4 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,003643f0 "NtCreateDebugObject")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=00000000 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364450 "NtQueryObject")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc138b8 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364510 "LdrGetProcedureAddress")
ret=14193d48d
003a:Ret  KERNEL32.GetProcAddress() retval=7bc12858 ret=14193d48d
003a:Call ntdll.LdrGetProcedureAddress(7bc10000,0022e310,00000000,0022e348)
ret=14193d460
003a:Ret  ntdll.LdrGetProcedureAddress() retval=00000000 ret=14193d460
...
003a:Call KERNEL32.GetModuleHandleW(003638b0 L"ntdll.dll") ret=14193d4be
003a:Ret  KERNEL32.GetModuleHandleW() retval=7bc10000 ret=14193d4be
003a:Call KERNEL32.GetProcAddress(7bc10000,00364570 "wine_get_version")
ret=14193d4c9
003a:Ret  KERNEL32.GetProcAddress() retval=7bc19728 ret=14193d4c9
...
003a:Call KERNEL32.Wow64DisableWow64FsRedirection(0022e108) ret=140043ebe
003a:Ret  KERNEL32.Wow64DisableWow64FsRedirection() retval=00000000
ret=140043ebe
003a:Call KERNEL32.GetSystemDirectoryW(0022e110,00000104) ret=14193f3e7
003a:Ret  KERNEL32.GetSystemDirectoryW() retval=00000013 ret=14193f3e7
003a:Call KERNEL32.GetFileAttributesW(0022e110
L"C:\\windows\\system32\\drivers\\vmmouse.sys") ret=14193d2ac
003a:Ret  KERNEL32.GetFileAttributesW() retval=ffffffff ret=14193d2ac
003a:Call KERNEL32.Wow64RevertWow64FsRedirection(00000000) ret=14030576f
003a:Ret  KERNEL32.Wow64RevertWow64FsRedirection() retval=00000000
ret=14030576f
003a:Call advapi32.RegOpenKeyExA(ffffffff80000002,0022ded0
"HARDWARE\\Description\\System",00000000,00020019,0022e340) ret=140301235
003a:Ret  advapi32.RegOpenKeyExA() retval=00000000 ret=140301235
003a:Call advapi32.RegQueryValueExA(00000084,0022def0
"SystemBiosVersion",00000000,00000000,0022df10,0022e330) ret=14030127d
003a:Ret  advapi32.RegQueryValueExA() retval=00000002 ret=14030127d 
...
003a:Ret  TLS callback
(proc=0x140305790,module=0x140000000,reason=PROCESS_ATTACH,reserved=0) 
--- snip ---

VMProtect is Wine-aware and falls back to more conservative methods of using
native API. It would not work otherwise due to some advanced/direct usage of
syscalls (https://lifeinhex.com/tag/vmprotect/).

The TLS callbacks are, like the other code, completely virtualized (VM), so there
is not much to see. Example:

--- snip ---
0000000140305790 | E9 09  | jmp     terminal64.140FE309E
...
0000000140FE309E | 68 39  | push    64A05339
0000000140FE30A3 | E8 DC  | call    terminal64.1411E9284
0000000140FE30A8 | 66 BB  | mov     bx, 2033
0000000140FE30AC | 45 0F  | movsx   r11d, r12w
0000000140FE30B0 | 41 59  | pop     r9
0000000140FE30B2 | 41 0F  | movsx   ebp, r9w
0000000140FE30B6 | 41 5D  | pop     r13
0000000140FE30B8 | 48 87  | xchg    rbp, rbp
0000000140FE30BB | 4C 0F  | movzx   r11, bp
0000000140FE30BF | 41 5B  | pop     r11
0000000140FE30C1 | 49 0F  | movsx   rsi, r11w
0000000140FE30C5 | 41 5F  | pop     r15
0000000140FE30C7 | 5D     | pop     rbp
0000000140FE30C8 | 66 44  | movsx   r10w, spl
0000000140FE30CD | 41 B2  | mov     r10b, E3
0000000140FE30D0 | 66 41  | movzx   bx, r9b
0000000140FE30D5 | 5B     | pop     rbx
0000000140FE30D6 | 40 0F  | setl    sil
0000000140FE30DA | 4C 0F  | movzx   r10, cx
0000000140FE30DE | 41 5A  | pop     r10
0000000140FE30E0 | 48 0F  | movsx   rsi, cx
0000000140FE30E4 | 66 0F  | bswap   si
0000000140FE30E7 | 5E     | pop     rsi
0000000140FE30E8 | E9 C4  | jmp     terminal64.1412426B1
...
00000001412426B1 | C3     | ret
--- snip ---

Sadly, the only usable 64-bit GUI debugger, x64dbg, is also broken in several
aspects when it comes to 64-bit Wine, making it rather painful to work with.

I don't see how I can further analyse your problem without debugging the actual
target. There are likely peculiarities of the underlying host OS -> macOS here
that make the foul play.

Regards
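
Added example (not part of the original comment, and not Wine or Bugzilla tooling): a Python triage of relay/seh trace output in the format quoted above. It reports TLS callbacks that ended in Wine's "exception in TLS callback" line and the threads that later time out on a critical section blocked by that thread. The sample log is constructed from lines of the excerpt; the function names are hypothetical.

```python
import re

# Constructed sample in the format of the trace quoted above, including the
# hard line wraps the mail archive introduced.
SAMPLE = """\
003b:Call TLS callback
(proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Ret  TLS callback
(proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Call TLS callback
(proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x14182994a
ip=14182994a tid=003b
003b:exception in TLS callback
(proc=0x141ad1f68,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003c:err:ntdll:RtlpWaitForCriticalSection section 0x140d7ad40 "?" wait timed
out in thread 003c, blocked by 003b, retrying (60 sec)
"""

TID = re.compile(r"^([0-9a-f]{4}):(.*)$")
TLS = re.compile(r"(Call|Ret)\s+TLS callback \(proc=(0x[0-9a-f]+),"
                 r"module=0x[0-9a-f]+,reason=(\w+)")
EXC = re.compile(r"trace:seh:NtRaiseException code=([0-9a-f]+) flags=\d+ "
                 r"addr=(0x[0-9a-f]+)")
CS = re.compile(r"RtlpWaitForCriticalSection section (0x[0-9a-f]+) .*"
                r"in thread ([0-9a-f]{4}), blocked by ([0-9a-f]{4})")


def unwrap(text):
    """Join wrapped continuation lines back onto their 'tid:' line."""
    out = []
    for line in (ln.strip() for ln in text.splitlines()):
        if TID.match(line):
            out.append(line)
        elif out and line and line != "..." and not line.startswith("---"):
            out[-1] += " " + line
    return out


def triage(text):
    """Return TLS callbacks that died with an exception, plus blocked waiters."""
    running, dead, findings = {}, {}, []
    for tid, rest in (TID.match(ln).groups() for ln in unwrap(text)):
        cb = running.get(tid)
        if m := TLS.match(rest):
            if m.group(1) == "Call":
                running[tid] = {"tid": tid, "proc": m.group(2),
                                "reason": m.group(3), "exc": None, "waiters": []}
            else:
                running.pop(tid, None)
        elif cb and (m := EXC.match(rest)):
            cb["exc"] = m.groups()  # keep the last one raised before the unwind
        elif cb and rest.startswith("exception in TLS callback"):
            # The proc printed here can differ from the Call line (it does in
            # the excerpt above), so attribute by the open Call on this thread.
            dead[tid] = running.pop(tid)
            findings.append(dead[tid])
        elif (m := CS.search(rest)) and m.group(3) in dead:
            dead[m.group(3)]["waiters"].append((m.group(2), m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Exceptions raised and handled inside a callback do not produce a finding; only a callback closed by the "exception in TLS callback" line does.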
