Does wine perform exact same memory allocations than Windows?
Emanuele Oriani
emaentra at ngi.it
Wed May 27 02:00:55 CDT 2020
Hi wine-devels,
I am trying to port a Windows program, SmartHunter, to Linux (port is
https://github.com/Emanem/linux-hunter).
This Windows program is a companion app
(https://github.com/sir-wilhelm/SmartHunter) for a game (Monster Hunter
: World). This companion app relies on scanning memory and finding
precise memory patterns and then, based on such patterns, dereference
pointers (even multiple levels) and access structures in memory.
Made up example:
1. find memory pointer which matches 48 8B 0D ?? ?? ?? ?? E8 (where ??
can be any byte)
2. interpret the four ?? ?? ?? ?? as a 32 bit pointer
3. dereference what pointed as a utf8 string (or a double or int or ...)
or recursively dereference up until you reach desired structure in memory
In terms of porting this program, I have my port running natively on
Linux against a wine process:
- I execute "Monster Hunter : World" via wine/proton
- I run my ported app and then it scans the memory of the wine process
When porting this program I have been able to resolve and navigate some
structures, but some others I can't. I can find some complex patterns
(such as "48 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? E8 ??
?? ?? ?? 48 8B 05 ?? ?? ?? ?? 83 A0 ?? ?? ?? ?? ?? C6 43" or "48 8B 0D
?? ?? ?? ?? B2 01 E8 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? ?? 48 8B 0D"), but
when I start "navigating" those and dereference some alleged pointers I
end up outside of the process memory spaces.
Furthermore I seem to have found that for some types (namely utf8
strings) seems like wine allocates 1 more byte than Windows, hence
somehow deviating from expected memory layout.
Am I correct in thinking that wine allocations may be slightly different
than Windows (i.e. larger)?
This being the case it would change the expected layout.
Thanks in advance,
Emanuele
More information about the wine-devel
mailing list