https://bugs.winehq.org/show_bug.cgi?id=48161
Paul Gofman gofmanp@gmail.com changed:
What           |Removed |Added
----------------------------------------------------------------------------
CC             |        |gofmanp@gmail.com
--- Comment #1 from Paul Gofman gofmanp@gmail.com ---
Created attachment 65863
--> https://bugs.winehq.org/attachment.cgi?id=65863
partial proof of concept patch
It works for me with the local build (default compiler options) and does not (with crashes similar to the one in this bug report) with a prebuilt Wine binary I tested with.
The critical option in the prebuilt Wine is the -fcf-protection flag. I could reproduce the crashes with it and avoid the crash by replacing 2-3 dlls with ones compiled without the flag, otherwise the same.
The -fcf-protection flag effectively results in adding endbr32 instructions to the code, in particular at the beginning of each function. The game's anticheat seems to do a lot of trickery interpreting and rearranging API function code. It doesn't understand endbr32, and that results in broken instruction execution. DECLSPEC_HOTPATCH (ms_hook_prologue) does not help here, as with it in place gcc still injects endbr32 right after the hook prologue, and it still breaks things.

I am attaching the patch as a proof of concept, which disables cf-protection for a few functions which are excluded from relay debugging. With this patch I could start the 32 bit game client with an -fcf-protection build with WINEDEBUG=+relay. There are many more functions which the game wants to interpret, but relay thunks are good for it. Please note that using ms_hook_prologue instead of nocf_check doesn't help.
IMO the only solution is not to build Wine with the -fcf-protection option. The option makes no sense anyway with Wine. Adding CET branch instrumentation does nothing by itself. In a CET-enabled environment, indirect branching (jump, call, ret using some stored address) to any location not starting with endbr will be denied. Outside of a CET environment, endbr's are just no-ops.
If someone tries to run Wine with CET enabled it won't work anyway. ms_hook_prologue before endbr32 violates the CET requirement right away. I.e., "hot patchable" functions are simply incompatible with CET, or, in other words, the ms_hook_prologue and cf_protection attributes are mutually exclusive. This is the most evident case; Wine use cases are probably incompatible with CET on a deeper level. -fcf-protection added to the Wine build just adds no-op instructions that break some anti-cheats / DRMs.
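The failure mode described in this comment (a hooking engine that decodes and relocates the first instructions of an API function, but has no entry for endbr32 in its opcode table) can be reproduced in miniature. The following is an added example written for this page, not Wine code, the anticheat's code, or the attached patch. It contains a tiny x86-32 length decoder that knows only the handful of prologue opcodes used here, a `bytes_to_relocate` routine that mimics what a 5-byte jmp hook must copy to its trampoline, and `built_with_cf_protection`, a check that tells whether a function entry carries endbr32 either at byte 0 or, as the comment describes for ms_hook_prologue functions, right after the 2-byte `mov edi,edi` slot. The byte sequences are constructed to match those two layouts and were not dumped from real Wine binaries; `know_endbr` is a hypothetical switch standing in for whether the decoder predates CET.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal x86-32 length decoder covering only the prologue opcodes used below.
 * Returns the instruction length, or 0 if the opcode is not understood. */
static size_t insn_len(const uint8_t *p, size_t left, int know_endbr)
{
    if (left == 0) return 0;
    switch (p[0]) {
    case 0x55: case 0x90: case 0xC3:       /* push ebp / nop / ret */
        return 1;
    case 0x8B:                              /* mov r32, r/m32, register-direct form only */
        return (left >= 2 && (p[1] & 0xC0) == 0xC0) ? 2 : 0;
    case 0x83:                              /* add/sub r/m32, imm8, register-direct form only */
        return (left >= 3 && (p[1] & 0xC0) == 0xC0) ? 3 : 0;
    case 0xF3:                              /* F3 0F 1E FB = endbr32, F3 0F 1E FA = endbr64 */
        if (know_endbr && left >= 4 && p[1] == 0x0F && p[2] == 0x1E &&
            (p[3] == 0xFB || p[3] == 0xFA))
            return 4;
        return 0;                           /* a decoder that predates CET gives up here */
    default:
        return 0;
    }
}

/* Number of bytes a hook engine must relocate to a trampoline so that a 5-byte
 * jmp rel32 can be written at the entry without splitting an instruction.
 * Returns -1 if an instruction inside that window is not understood. */
static int bytes_to_relocate(const uint8_t *code, size_t len, int know_endbr)
{
    size_t off = 0;
    while (off < 5) {
        size_t n = insn_len(code + off, len - off, know_endbr);
        if (n == 0) return -1;
        off += n;
    }
    return (int)off;
}

/* Practitioner check: was this entry built with -fcf-protection? An endbr is
 * expected at byte 0, or directly after the mov edi,edi hot-patch slot. */
static int built_with_cf_protection(const uint8_t *code, size_t len)
{
    if (insn_len(code, len, 1) == 4) return 1;
    if (len >= 6 && code[0] == 0x8B && code[1] == 0xFF &&
        insn_len(code + 2, len - 2, 1) == 4)
        return 1;
    return 0;
}

/* Constructed entry sequences (not dumped from real binaries). */
/* hot-patchable prologue, built without -fcf-protection */
static const uint8_t plain_hotpatch[] = {0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10, 0xC3};
/* -fcf-protection without ms_hook_prologue: endbr32 comes first */
static const uint8_t cet_plain[]      = {0xF3,0x0F,0x1E,0xFB, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10, 0xC3};
/* -fcf-protection with ms_hook_prologue: endbr32 lands after mov edi,edi */
static const uint8_t cet_hotpatch[]   = {0x8B,0xFF, 0xF3,0x0F,0x1E,0xFB, 0x55, 0x8B,0xEC, 0xC3};

int main(void)
{
    const struct { const char *name; const uint8_t *code; size_t len; } cases[] = {
        {"plain_hotpatch", plain_hotpatch, sizeof plain_hotpatch},
        {"cet_plain",      cet_plain,      sizeof cet_plain},
        {"cet_hotpatch",   cet_hotpatch,   sizeof cet_hotpatch},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-14s cf-protection=%d  old decoder=%d  cet-aware decoder=%d\n",
               cases[i].name,
               built_with_cf_protection(cases[i].code, cases[i].len),
               bytes_to_relocate(cases[i].code, cases[i].len, 0),
               bytes_to_relocate(cases[i].code, cases[i].len, 1));
    return 0;
}
```

With the old decoder the two -fcf-protection layouts both return -1: the F3 prefix byte is the first thing it cannot classify, so any engine that instead assumes a fixed prologue length and copies five bytes blindly would cut endbr32 in half, which matches the "broken instruction execution" in the report. The CET-aware decoder simply treats the four bytes as one instruction, and `built_with_cf_protection` is the quick way to tell whether a given DLL came from an -fcf-protection build before swapping it, as the comment describes doing for 2-3 dlls.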