[Bug 45573] New: League of Legends 8.12+ fails to start a game (anticheat engine, hooking of syscall return instructions)

https://bugs.winehq.org/show_bug.cgi?id=45573

            Bug ID: 45573
           Summary: League of Legends 8.12+ fails to start a game (anticheat
                    engine, hooking of syscall return instructions)
           Product: Wine
           Version: 3.13
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs(a)winehq.org
          Reporter: z.figura12(a)gmail.com
      Distribution: ---

Diagnosed by Andrew Wesie; partially split off from bug 45327.

The game expects to be able to hook both the first instruction of the syscall and the last (return) instruction. The current staged implementation of the syscall dispatcher does not return to the syscall thunk but rather directly to its caller, which causes the game to fail.

-- 
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=45573

Zebediah Figura <z.figura12(a)gmail.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
         Depends on|        |21232
           Keywords|        |download, obfuscation

https://bugs.winehq.org/show_bug.cgi?id=45573

Fabian Maurer <dark.shadow4(a)web.de> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |dark.shadow4(a)web.de

--- Comment #1 from Fabian Maurer <dark.shadow4(a)web.de> ---
Do you know what exactly the game does with the return instruction? What does it want the hooked function to look like?

https://bugs.winehq.org/show_bug.cgi?id=45573

Andrew Wesie <awesie(a)gmail.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |awesie(a)gmail.com

--- Comment #2 from Andrew Wesie <awesie(a)gmail.com> ---
(In reply to Fabian Maurer from comment #1)
> Do you know what exactly the game does with the return instruction? What does it want the hooked function to look like?

It is flexible. The current __syscall_Nt* exports are good enough, the problem is that __wine_syscall_dispatcher does not use the ret instruction in the __syscall_Nt* exports.

I'll attach a test I wrote to demonstrate the issue along with my patches from the other thread that make the test pass.

https://bugs.winehq.org/show_bug.cgi?id=45573

--- Comment #3 from Andrew Wesie <awesie(a)gmail.com> ---
Created attachment 62008
  --> https://bugs.winehq.org/attachment.cgi?id=62008
Unit test and required patches

Apply the patches on top of wine-staging patches. Adds a "hooks" test to ntdll. Is only applicable to a 32-bit wine build.

https://bugs.winehq.org/show_bug.cgi?id=45573

--- Comment #4 from Fabian Maurer <dark.shadow4(a)web.de> ---
Does League of Legends also set a breakpoint for the "ret" hook?

Also, do you plan to get those patches into wine-staging? Because I probably also should rewrite my patch for hookable x64 thunks to work like that.

https://bugs.winehq.org/show_bug.cgi?id=45573

--- Comment #5 from Andrew Wesie <awesie(a)gmail.com> ---
(In reply to Fabian Maurer from comment #4)
> Does League of Legends also set a breakpoint for the "ret" hook?

The game will replace the ret instruction of a Nt* syscall export with an int3 in some cases. And expects its vectored exception handlers to handle it.

> Also, do you plan to get those patches into wine-staging? Because I probably also should rewrite my patch for hookable x64 thunks to work like that.

Since they are required for LoL some variant of them should probably be committed. I am waiting to make sure they don't break Wine in some way for people.

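A simplified model of the control-flow difference discussed in this thread, as an added example that is not part of the bug report or of Wine's code: it shows why a hook placed on a thunk's return instruction never fires when the dispatcher returns directly to the application. The three-instruction thunk layout, the addresses and the function names are assumptions made for illustration.

```python
# Simplified model, constructed for illustration (not Wine code).
# Assumed thunk layout: load syscall number, call dispatcher, ret.
THUNK = {0x1000: "mov_eax", 0x1001: "call_dispatcher", 0x1002: "ret"}
ENTRY, RET_INSN = 0x1000, 0x1002
CALLER_RESUME = 0x2000  # where the application continues after the call


def run_syscall(hooks, dispatcher_returns_to_thunk):
    """Run one thunk call; return the hooked addresses that were executed."""
    stack = [CALLER_RESUME]  # return address pushed by the application
    pc, hit = ENTRY, []
    while pc != CALLER_RESUME:
        if pc in hooks:
            hit.append(pc)  # the hook's handler would run here
        op = THUNK[pc]
        if op == "mov_eax":
            pc += 1
        elif op == "call_dispatcher":
            stack.append(pc + 1)  # return address pointing at the thunk's ret
            if dispatcher_returns_to_thunk:
                pc = stack.pop()  # dispatcher returns into the thunk
            else:
                stack.pop()       # dispatcher discards the thunk address...
                pc = stack.pop()  # ...and returns straight to the application
        elif op == "ret":
            pc = stack.pop()
    return hit


def missed_hooks(hooks, dispatcher_returns_to_thunk):
    """Hooks the application installed that never fired during the call."""
    fired = run_syscall(hooks, dispatcher_returns_to_thunk)
    return sorted(set(hooks) - set(fired))


if __name__ == "__main__":
    hooks = {ENTRY, RET_INSN}
    for mode in (True, False):
        print(mode, [hex(a) for a in missed_hooks(hooks, mode)])
```
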
https://bugs.winehq.org/show_bug.cgi?id=45573

--- Comment #6 from Fabian Maurer <dark.shadow4(a)web.de> ---
Okay, then I guess I'll wait for you to get it approved.

Did you plan on adding an x64 test, too? If not, I can build on top of your code and add the needed hooking code to make an x64 test.

https://bugs.winehq.org/show_bug.cgi?id=45573

--- Comment #7 from Andrew Wesie <awesie(a)gmail.com> ---
(In reply to Fabian Maurer from comment #6)
> Okay, then I guess I'll wait for you to get it approved. Did you plan on adding an x64 test, too? If not, I can build on top of your code and add the needed hooking code to make an x64 test.

I did not have any plans to adapt it to x64. Feel free to take that on.

https://bugs.winehq.org/show_bug.cgi?id=45573

--- Comment #8 from Zebediah Figura <z.figura12(a)gmail.com> ---
(In reply to Fabian Maurer from comment #4)
> Also, do you plan to get those patches into wine-staging? Because I probably also should rewrite my patch for hookable x64 thunks to work like that.

Yes, we plan to. We're trying to tweak some of the patches to make them cleaner, since what Andrew gave us was basically just proof-of-concept. For example, this patch as given just blindly copies 64 bytes of stack, and that should at least be dynamic based on the number of arguments.

https://bugs.winehq.org/show_bug.cgi?id=45573

Zebediah Figura <z.figura12(a)gmail.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
    Staged patchset|        |https://github.com/wine-staging/wine-staging/tree/master/patches/winebuild-Fake_Dlls
             Status|NEW     |STAGED

--- Comment #9 from Zebediah Figura <z.figura12(a)gmail.com> ---
Since this was basically a shortcoming of the existing patches, I've elected to squash the changes into patch 0003 rather than add a new patch.

I'm marking this bug STAGED, although DUPLICATE may be a better resolution, if anyone feels strongly about it.

https://bugs.winehq.org/show_bug.cgi?id=45573

winetaste(a)gmx.net changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |winetaste(a)gmx.net

https://bugs.winehq.org/show_bug.cgi?id=45573

--- Comment #10 from Fabian Maurer <dark.shadow4(a)web.de> ---
You already merged this into staging, right? Are the tests also in there? Because I can't find them.

https://bugs.winehq.org/show_bug.cgi?id=45573

--- Comment #11 from Zebediah Figura <z.figura12(a)gmail.com> ---
(In reply to Fabian Maurer from comment #10)
> You already merged this into staging, right? Are the tests also in there? Because I can't find them.

They are not, no.

https://bugs.winehq.org/show_bug.cgi?id=45573

--- Comment #12 from Fabian Maurer <dark.shadow4(a)web.de> ---
> > You already merged this into staging, right? Are the tests also in there? Because I can't find them.
>
> They are not, no.

Isn't this something we'd also like staged then? I'd guess it would be useful to document it and prevent regressions.

https://bugs.winehq.org/show_bug.cgi?id=45573

Paul Gofman <gofmanp(a)gmail.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |gofmanp(a)gmail.com

https://bugs.winehq.org/show_bug.cgi?id=45573

Olivier F. R. Dierick <o.dierick(a)piezo-forte.be> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |o.dierick(a)piezo-forte.be

--- Comment #13 from Olivier F. R. Dierick <o.dierick(a)piezo-forte.be> ---
Hello,

Following the splitting of the staged patchset to winebuild-pe_syscall_thunks, here is some feedback from bug 49412 related to this bug.

(In reply to Matías Zúñiga from comment #5)
> Now when trying to run Lol with an updated alternative-patch (attached), wine ends execution with a `0024:err:seh:setup_exception_record stack overflow 104 bytes in thread 0024 eip 00000000 esp 002212c4 stack 0x220000-0x221000-0x320000` message.
>
> I don't know if this is a new bug, or a re-manifestation of a previous one because of the re-write (maybe Bug 45573, which is said to be fixed by the re-written winebuild-pe_syscall_thunks patchset. That one was debugged by Andrew Wesie, but I don't know how he did it)

Regards.

https://bugs.winehq.org/show_bug.cgi?id=45573

Bug 45573 depends on bug 21232, which changed state.

Bug 21232 Summary: Multiple games and applications (Chromium-based browser engines, Blizzard games, League of Legends) crash due to hooking/anticheat validation (needs syscall thunks in ntdll.dll)
https://bugs.winehq.org/show_bug.cgi?id=21232

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|STAGED  |RESOLVED
         Resolution|---     |FIXED

https://bugs.winehq.org/show_bug.cgi?id=45573

Zebediah Figura <z.figura12(a)gmail.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
         Resolution|---     |FIXED
             Status|STAGED  |RESOLVED
      Fixed by SHA1|        |917a206b01c82170a862e8497cbe26b6f1bfade0

--- Comment #14 from Zebediah Figura <z.figura12(a)gmail.com> ---
Fixed by 917a206b01c82170a862e8497cbe26b6f1bfade0, broadly speaking.

https://bugs.winehq.org/show_bug.cgi?id=45573

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|RESOLVED|CLOSED

--- Comment #15 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 5.18.