[Bug 31910] anti-cheat software Battleye 1.176 expects call to KiUserExceptionDispatcher during exception handling (user mode SEH dispatcher)(Arma2, DayZ)

wine-bugs at winehq.org
Sat May 12 04:53:00 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=31910

--- Comment #25 from Anastasius Focht <focht at gmx.net> ---
Hello Jan,

--- quote ---
I hope there is what you need. If not, I will try capture another log. What
strings are you looking for btw?
--- quote ---

Well, for a start you go for the 'beclient' pattern.
Since the app is heavily multi-threaded, you go like this:

1) figure out the thread that first loads 'BEClient.dll':

--- snip ---
$ egrep -i "LoadLibrary.*beclient.*" arma2oa_+relay.strip-tail 

00da:Call KERNEL32.LoadLibraryA(00c4bf9c "Expansion\\BattlEye\\BEClient.dll") ret=004bae0f
00da:Call KERNEL32.LoadLibraryA(018ccae8 "C:\\users\\f_wine\\Local Settings\\Application Data\\ArmA 2 OA\\BattlEye\\BEClient.dll") ret=004bae63
--- snip ---

2) Get all trace messages from that thread ('00da'):

--- snip ---
$ grep 00da: arma2oa_+relay.strip-tail > 00da.txt
--- snip ---

With this the noisy multi-threaded interleaving is gone.
Now you check for any suspicious stuff such as exceptions (':seh:') etc. that
cause a process/thread exit.
If none is present ("normal exit"), one just forward searches for the
'PROCESS_DETACH' pattern, which yields this:

--- snip ---
...
00da:Ret  PE DLL (proc=0x9566bdb,module=0x94b0000 L"BEClient.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
00da:Ret  KERNEL32.LoadLibraryA() retval=094b0000 ret=004bae0f
00da:Call KERNEL32.GetProcAddress(094b0000,00c4a148 "GetVer") ret=004d62f9
00da:Ret  KERNEL32.GetProcAddress() retval=094c7ab0 ret=004d62f9
00da:Call KERNEL32.FreeLibrary(094b0000) ret=004bae27
00da:Call PE DLL (proc=0x9566bdb,module=0x94b0000 L"BEClient.dll",reason=PROCESS_DETACH,res=(nil))
00da:Call KERNEL32.GetModuleFileNameW(094b0000,018cc60c,00000104) ret=094c9d81
00da:Ret  KERNEL32.GetModuleFileNameW() retval=0000005f ret=094c9d81
...
--- snip ---

Looks like it doesn't like the client version, which causes process exit.
The version/comparison is hard-coded in the app code, hence not visible in the
trace log. You need to ensure that the binaries/versions match ('arma2oa.exe' +
'BEClient.dll').

Regards
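
The triage steps from the comment above, collected into one script. This is an added example, not part of the original comment or of Wine; the function names are hypothetical and the sample log is constructed, modelled on the excerpt above.

```shell
#!/bin/sh
# Added example: triage a Wine +relay log for one module.
# sample_log emits constructed lines (two interleaved threads) for offline runs.
sample_log() {
cat <<'EOF'
00d2:Call KERNEL32.Sleep(00000001) ret=00401000
00da:Call KERNEL32.LoadLibraryA(00c4bf9c "Expansion\\BattlEye\\BEClient.dll") ret=004bae0f
00d2:Ret  KERNEL32.Sleep() retval=00000000 ret=00401000
00da:Ret  PE DLL (proc=0x9566bdb,module=0x94b0000 L"BEClient.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
00da:Ret  KERNEL32.LoadLibraryA() retval=094b0000 ret=004bae0f
00da:Call KERNEL32.GetProcAddress(094b0000,00c4a148 "GetVer") ret=004d62f9
00d2:Call KERNEL32.Sleep(00000001) ret=00401000
00da:Ret  KERNEL32.GetProcAddress() retval=094c7ab0 ret=004d62f9
00da:Call KERNEL32.FreeLibrary(094b0000) ret=004bae27
00da:Call PE DLL (proc=0x9566bdb,module=0x94b0000 L"BEClient.dll",reason=PROCESS_DETACH,res=(nil))
EOF
}

# Step 1: thread id (text before the first ':') of the first LoadLibrary call
# whose argument matches the module pattern. $1 = log file, $2 = pattern.
loader_thread() {
    grep -i -E "LoadLibrary.*$2" "$1" | head -n 1 | cut -d: -f1
}

# Step 2: keep only that thread's lines, removing the interleaving.
thread_trace() {
    grep "^$2:" "$1"
}

# Step 3: read a single-thread trace on stdin and report whether it shows an
# exception (':seh:'), or a PROCESS_DETACH of the module together with the
# last export looked up via GetProcAddress before the unload. $1 = module.
classify() {
    awk -v mod="$1" '
        /:seh:/ { seh = 1 }
        index(tolower($0), tolower(mod)) && /reason=PROCESS_DETACH/ { detach = 1 }
        !detach && /KERNEL32\.GetProcAddress\(/ {
            if (split($0, q, "\"") >= 3) last = q[2]
        }
        END {
            if (seh)         print "exception"
            else if (detach) print "detach last_export=" last
            else             print "none"
        }'
}

triage() {
    tid=$(loader_thread "$1" "$2")
    [ -n "$tid" ] || { echo "no-load"; return 0; }
    echo "thread=$tid $(thread_trace "$1" "$tid" | classify "$2")"
}

if [ "$#" -ge 2 ]; then triage "$1" "$2"; fi
```

Invoked as `sh triage.sh <relay-log> beclient`, it prints one summary line; on the constructed sample that line shows the module being unloaded right after the `GetVer` lookup, the pattern the comment reads as a version check.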
