https://bugs.winehq.org/show_bug.cgi?id=45083
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|NEEDINFO                    |NEW
            Summary|64-bit MetaTrader 5 hangs   |64-bit MetaTrader 5 hangs
                   |on exit                     |on exit (VMProtect 3.x,
                   |                            |exception in TLS callback
                   |                            |under macOS)
--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello Amin,
the app is protected with a very recent version of VMProtect (virtual machine + obfuscation + anti-debug), probably some 3.x version. VMProtect is a state-of-the-art software protection scheme (Denuvo uses it too -> http://vmpsoft.com/blog/).
I've tried to find the exact version but it seems all the detectors failed or incorrectly identified it as 1.x.
https://www.virustotal.com/#/file/9135933cf76fb0cd3b1ced462559dfd6915e715ed1...
https://www.reverse.it/sample/9135933cf76fb0cd3b1ced462559dfd6915e715ed1dbcf...
The PE has two VM segments '.cod0', '.cod1' (usually the segments are named '.vmp0', '.vmp1'). Various patterns strongly hint at VMProtect (heavy use of virtual machine code).
It seems there might be an incompatibility of the software protection scheme with Wine on macOS. Does the app itself work for you with all features, except for the process exit issue?
There are 3 TLS callbacks in the app:
--- snip ---
(proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
(proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
(proc=0x1402f6290,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
--- snip ---
Your log shows the second TLS callback (0x140305790) causes an exception:
--- snip ---
...
003a:Call KERNEL32.GetFileAttributesW(004f5478 L"C:\Program Files\MetaTrader 5\config\certificates") ret=140056a92
003a:Ret KERNEL32.GetFileAttributesW() retval=00000010 ret=140056a92
003a:Call ntdll.RtlAllocateHeap(00010000,00000000,00000da8) ret=1402d2b54
003a:Ret ntdll.RtlAllocateHeap() retval=00510d00 ret=1402d2b54
003a:Call KERNEL32.InitializeCriticalSection(00510d38) ret=140962b9f
003a:Ret KERNEL32.InitializeCriticalSection() retval=00000000 ret=140962b9f
003a:Call KERNEL32.GetSystemTimeAsFileTime(0022d580) ret=140962cf0
003a:Ret KERNEL32.GetSystemTimeAsFileTime() retval=01d3e04e ret=140962cf0
003a:Call KERNEL32.GetSystemTimeAsFileTime(0022d588) ret=140962d1f
003a:Ret KERNEL32.GetSystemTimeAsFileTime() retval=01d3e04e ret=140962d1f
003a:Call ntdll.RtlAllocateHeap(00010000,00000008,00000028) ret=1402d2bcb
003a:Ret ntdll.RtlAllocateHeap() retval=00511b00 ret=1402d2bcb
003a:Call KERNEL32.GetModuleHandleExW(00000004,140966480,00511b18) ret=1402bc3c2
003a:Ret KERNEL32.GetModuleHandleExW() retval=00000001 ret=1402bc3c2
003a:Call KERNEL32.CreateThread(00000000,00100000,1402bc234,00511b00,00010000,0022d4e0) ret=1402bc513
003b:trace:seh:mac_thread_gsbase pthread_self() 0xb0002000 + offset 0x000000e0 -> gsbase 0xb00020e0
003a:Ret KERNEL32.CreateThread() retval=00000250 ret=1402bc513
003a:Call KERNEL32.GetSystemInfo(0022d540) ret=14096694e
003a:Ret KERNEL32.GetSystemInfo() retval=00004601 ret=14096694e
003a:Call KERNEL32.CreateIoCompletionPort(ffffffffffffffff,00000000,00000000,00000000) ret=140093c40
003a:Ret KERNEL32.CreateIoCompletionPort() retval=00000254 ret=140093c40
003b:Call PE DLL (proc=0x4523feb0,module=0x45190000 L"user32.dll",reason=THREAD_ATTACH,res=0x0)
...
003b:Ret PE DLL (proc=0x4523feb0,module=0x45190000 L"user32.dll",reason=THREAD_ATTACH,res=0x0) retval=1
...
003b:Ret PE DLL (proc=0x463e1d60,module=0x463a0000 L"wininet.dll",reason=THREAD_ATTACH,res=0x0) retval=1
003b:Call TLS callback (proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Ret TLS callback (proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Call TLS callback (proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x14182994a ip=14182994a tid=003b
003b:trace:seh:NtRaiseException info[0]=0000000000000000
003b:trace:seh:NtRaiseException info[1]=0000000000000120
003b:trace:seh:NtRaiseException rax=000000000000ffb0 rbx=00000001bfa11b40 rcx=fffffffffffffdf9 rdx=0000000000000120
003b:trace:seh:NtRaiseException rsi=0000000140efbfac rdi=000000000003f5cc rbp=fffffffffffb4ba9 rsp=000000000071e570
003b:trace:seh:NtRaiseException r8=0000000000000058 r9=000000000071e786 r10=000000000081e20b r11=0000000141829945
003b:trace:seh:NtRaiseException r12=0000000000000202 r13=0000000000000000 r14=0000000000000040 r15=0000000000000120
...
003b:trace:seh:call_stack_handlers found wine frame 0x71e7e8 rsp 71e930 handler 0x7bc9eb80
003b:trace:seh:call_teb_handler calling TEB handler 0x7bc9eb80 (rec=0x71e430, frame=0x71e7e8 context=0x71d950, dispatch=0x71d828)
003b:trace:seh:RtlUnwindEx code=c0000005 flags=2 end_frame=0x71e7e8 target_ip=0x7bc9ea60 rip=000000007bc78c17
003b:trace:seh:RtlUnwindEx info[0]=0000000000000000
003b:trace:seh:RtlUnwindEx info[1]=0000000000000120
003b:trace:seh:RtlUnwindEx rax=000000000071e7e8 rbx=000000000071e430 rcx=000000000071d1a0 rdx=000000007bc9ea60
003b:trace:seh:RtlUnwindEx rsi=6d0ee98053420061 rdi=000000000071e7e8 rbp=000000000071d160 rsp=000000000071c9e0
003b:trace:seh:RtlUnwindEx r8=000000000071e430 r9=000000007bc9ebf0 r10=0000000000721b50 r11=ffffffffffffff7e
003b:trace:seh:RtlUnwindEx r12=000000000071df60 r13=000000000071d950 r14=000000000071d1a0 r15=000000000071e7e8
...
003b:trace:seh:RtlRestoreContext returning to 7bc9ea60 stack 71e7a0
003b:exception in TLS callback (proc=0x141ad1f68,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Starting thread proc 0x1402bc234 (arg=0x511b00)
003a:Ret KERNEL32.GetModuleHandleExW() retval=00000001 ret=1402bc3c2
003a:Call KERNEL32.CreateThread(00000000,00100000,1402bc234,00511c80,00010000,0022d4c0) ret=1402bc513
003b:Call KERNEL32.GetLastError() ret=1402d2f70
003b:Ret KERNEL32.GetLastError() retval=00000000 ret=1402d2f70
...
003b:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x1402d5d06 ip=1402d5d06 tid=003b
003b:trace:seh:NtRaiseException info[0]=0000000000000000
003b:trace:seh:NtRaiseException info[1]=0000000000000020
003c:trace:seh:mac_thread_gsbase pthread_self() 0xb0004000 + offset 0x000000e0 -> gsbase 0xb00040e0
003b:trace:seh:NtRaiseException rax=0000000000000000 rbx=0000000000000001 rcx=0000000000000000 rdx=0000000140cb1a78
003a:Ret KERNEL32.CreateThread() retval=00000258 ret=1402bc513
...
003c:err:ntdll:RtlpWaitForCriticalSection section 0x140d7ad40 "?" wait timed out in thread 003c, blocked by 003b, retrying (60 sec)
--- snip ---
The exception causes the thread to die while holding a lock. All other threads depending on or using it will block too, preventing a clean exit.
Same TLS callback sequence on my system (Linux x86_64, Fedora 27):
--- snip ---
...
0031:Call KERNEL32.GetFileAttributesW(0053e268 L"C:\Program Files\MetaTrader 5\config\certificates") ret=140056a92
0031:Ret KERNEL32.GetFileAttributesW() retval=00000010 ret=140056a92
...
0031:Call KERNEL32.InitializeCriticalSection(005658e8) ret=140962b9f
0031:Ret KERNEL32.InitializeCriticalSection() retval=00000001 ret=140962b9f
0031:Call KERNEL32.GetSystemTimeAsFileTime(0022d4f0) ret=140962cf0
0031:Ret KERNEL32.GetSystemTimeAsFileTime() retval=0022d4f0 ret=140962cf0
0031:Call KERNEL32.GetSystemTimeAsFileTime(0022d4f8) ret=140962d1f
0031:Ret KERNEL32.GetSystemTimeAsFileTime() retval=0022d4f8 ret=140962d1f
...
0031:Call KERNEL32.GetModuleHandleExW(00000004,140966480,0055a2a8) ret=1402bc3c2
0031:Ret KERNEL32.GetModuleHandleExW() retval=00000001 ret=1402bc3c2
0031:Call KERNEL32.CreateThread(00000000,00100000,1402bc234,0055a290,00010000,0022d450) ret=1402bc513
0031:Ret KERNEL32.CreateThread() retval=00000250 ret=1402bc513
0031:Call KERNEL32.GetSystemInfo(0022d4b0) ret=14096694e
0031:Ret KERNEL32.GetSystemInfo() retval=0022d4b0 ret=14096694e
0031:Call KERNEL32.CreateIoCompletionPort(ffffffffffffffff,00000000,00000000,00000000) ret=140093c40
0031:Ret KERNEL32.CreateIoCompletionPort() retval=00000254 ret=140093c40
0031:Call ntdll.RtlAllocateHeap(00010000,00000008,00000028) ret=1402d2bcb
0031:Ret ntdll.RtlAllocateHeap() retval=0055a2d0 ret=1402d2bcb
0031:Call KERNEL32.GetModuleHandleExW(00000004,140965fb0,0055a2e8) ret=1402bc3c2
0031:Ret KERNEL32.GetModuleHandleExW() retval=00000001 ret=1402bc3c2
0031:Call KERNEL32.CreateThread(00000000,00100000,1402bc234,0055a2d0,00010000,0022d430) ret=1402bc513
0032:Call PE DLL (proc=0x7faddb1dbe6a,module=0x7faddb0e0000 L"user32.dll",reason=THREAD_ATTACH,res=(nil))
...
0032:Ret PE DLL (proc=0x7fadd969692e,module=0x7fadd9640000 L"wininet.dll",reason=THREAD_ATTACH,res=(nil)) retval=1
0032:Call TLS callback (proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0031:Ret KERNEL32.CreateThread() retval=00000258 ret=1402bc513
0031:Call ntdll.RtlAllocateHeap(00010000,00000008,00000028) ret=1402d2bcb
0031:Ret ntdll.RtlAllocateHeap() retval=0055a420 ret=1402d2bcb
0031:Call KERNEL32.GetModuleHandleExW(00000004,140965fb0,0055a438) ret=1402bc3c2
0032:Ret TLS callback (proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0032:Call TLS callback (proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0032:Ret TLS callback (proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0032:Call TLS callback (proc=0x1402f6290,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0032:Call ntdll.RtlAllocateHeap(00360000,00000000,00000018) ret=140e12c83
0032:Ret ntdll.RtlAllocateHeap() retval=00364d60 ret=140e12c83
0032:Call ntdll.RtlAllocateHeap(00360000,00000000,00000018) ret=140e12c83
0032:Ret ntdll.RtlAllocateHeap() retval=00364d90 ret=140e12c83
0032:Call ntdll.LdrGetProcedureAddress(7b460000,0070e360,00000000,0070e398) ret=14193d460
0032:Ret ntdll.LdrGetProcedureAddress() retval=00000000 ret=14193d460
...
0032:Ret TLS callback (proc=0x1402f6290,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0031:Ret KERNEL32.GetModuleHandleExW() retval=00000001 ret=1402bc3c2
0031:Call KERNEL32.CreateThread(00000000,00100000,1402bc234,0055a420,00010000,0022d430) ret=1402bc513
0032:Starting thread proc 0x1402bc234 (arg=0x55a290)
0033:Call PE DLL (proc=0x7faddb1dbe6a,module=0x7faddb0e0000 L"user32.dll",reason=THREAD_ATTACH,res=(nil))
0032:Call KERNEL32.GetLastError() ret=1402d2f70
0033:Ret PE DLL (proc=0x7faddb1dbe6a,module=0x7faddb0e0000 L"user32.dll",reason=THREAD_ATTACH,res=(nil)) retval=1
0032:Ret KERNEL32.GetLastError() retval=00000000 ret=1402d2f70
...
0033:Call PE DLL (proc=0x7fadda5aa963,module=0x7fadda580000 L"ws2_32.dll",reason=THREAD_ATTACH,res=(nil))
0032:Call KERNEL32.LoadLibraryExW(140a76db0 L"api-ms-win-appmodel-runtime-l1-1-2",00000000,00000800) ret=1402d336d
0033:Ret PE DLL (proc=0x7fadda5aa963,module=0x7fadda580000 L"ws2_32.dll",reason=THREAD_ATTACH,res=(nil)) retval=1
0033:Call PE DLL (proc=0x7fadd969692e,module=0x7fadd9640000 L"wininet.dll",reason=THREAD_ATTACH,res=(nil))
0033:Ret PE DLL (proc=0x7fadd969692e,module=0x7fadd9640000 L"wininet.dll",reason=THREAD_ATTACH,res=(nil)) retval=1
0033:Call TLS callback (proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0031:Ret KERNEL32.CreateThread() retval=0000025c ret=1402bc513
...
0031:Call KERNEL32.GetModuleHandleExW(00000004,140965fb0,0055a4e8) ret=1402bc3c2
0033:Ret TLS callback (proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0033:Call TLS callback (proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0033:Ret TLS callback (proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0033:Call TLS callback (proc=0x1402f6290,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
...
0033:Call ntdll.LdrGetProcedureAddress(7b460000,0081e360,00000000,0081e398) ret=14193d460
0033:Ret ntdll.LdrGetProcedureAddress() retval=00000000 ret=14193d460
...
0033:Ret TLS callback (proc=0x1402f6290,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
0033:Starting thread proc 0x1402bc234 (arg=0x55a2d0)
--- snip ---
The problem seems to occur on your system when the second TLS callback is called the second time (thread creation -> thread attach notification).
The first time (process attach notification) it goes fine on your system too, from your log:
--- snip ---
...
003a:Call TLS callback (proc=0x140305790,module=0x140000000,reason=PROCESS_ATTACH,reserved=0)
...
003a:Call KERNEL32.GetModuleHandleW(003638b0 L"ntdll.dll") ret=14193d4be
003a:Ret KERNEL32.GetModuleHandleW() retval=7bc10000 ret=14193d4be
003a:Call KERNEL32.GetProcAddress(7bc10000,00363910 "wine_get_version") ret=14193d4c9
003a:Ret KERNEL32.GetProcAddress() retval=7bc19728 ret=14193d4c9
...
003a:Call advapi32.RegOpenKeyExA(ffffffff80000002,0022e2e0 "HARDWARE\ACPI\DSDT\VBOX__",00000000,00020019,0022e338) ret=1403055f1
003a:Ret advapi32.RegOpenKeyExA() retval=00000002 ret=1403055f1
003a:Call KERNEL32.GetModuleHandleW(0022e300 L"VBoxHook.dll") ret=140305653
003a:Ret KERNEL32.GetModuleHandleW() retval=00000000 ret=140305653
...
003a:Call KERNEL32.GetModuleHandleW(003638b0 L"ntdll.dll") ret=14193d7d5
003a:Ret KERNEL32.GetModuleHandleW() retval=7bc10000 ret=14193d7d5
003a:Call KERNEL32.GetModuleHandleW(00363910 L"kernel32.dll") ret=14193d7f6
003a:Ret KERNEL32.GetModuleHandleW() retval=7b410000 ret=14193d7f6
003a:Call KERNEL32.GetProcAddress(7bc10000,003639d0 "NtQueryInformationProcess") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc13780 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363a90 "NtSetInformationThread") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc13ee0 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363a30 "NtQuerySystemInformation") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc139cc ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363af0 "NtFreeVirtualMemory") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc1308c ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363b50 "NtQueryVirtualMemory") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc13a94 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363bb0 "NtAllocateVirtualMemory") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc12b08 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363c10 "NtProtectVirtualMemory") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc135d8 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363c70 "NtCreateFile") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc12c6c ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363cd0 "NtReadFile") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc13b44 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363d30 "NtWriteFile") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc14258 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363d90 "NtWaitForSingleObject") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc14238 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363df0 "NtQueryInformationFile") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc13738 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363e50 "NtSetInformationFile") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc13e2c ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363eb0 "NtQueryFullAttributesFile") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc136f8 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363f10 "NtRemoveProcessDebug") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=00000000 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00363f70 "NtTerminateProcess") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc14124 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364030 "NtClose") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc12bd4 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364090 "NtDeviceIoControlFile") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc12f28 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,003640f0 "NtFsControlFile") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc130b0 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364150 "NtWriteVirtualMemory") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc142a0 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,003641b0 "NtFlushInstructionCache") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc13030 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364210 "NtReadVirutalMemory") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=00000000 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364270 "NtDelayExecution") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc12ea8 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,003642d0 "NtMapViewOfSection") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc13240 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364330 "NtUnmapViewOfSection") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc141d4 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364390 "NtCreateSection") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc12df4 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,003643f0 "NtCreateDebugObject") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=00000000 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364450 "NtQueryObject") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc138b8 ret=14193d48d
003a:Call KERNEL32.GetProcAddress(7bc10000,00364510 "LdrGetProcedureAddress") ret=14193d48d
003a:Ret KERNEL32.GetProcAddress() retval=7bc12858 ret=14193d48d
003a:Call ntdll.LdrGetProcedureAddress(7bc10000,0022e310,00000000,0022e348) ret=14193d460
003a:Ret ntdll.LdrGetProcedureAddress() retval=00000000 ret=14193d460
...
003a:Call KERNEL32.GetModuleHandleW(003638b0 L"ntdll.dll") ret=14193d4be
003a:Ret KERNEL32.GetModuleHandleW() retval=7bc10000 ret=14193d4be
003a:Call KERNEL32.GetProcAddress(7bc10000,00364570 "wine_get_version") ret=14193d4c9
003a:Ret KERNEL32.GetProcAddress() retval=7bc19728 ret=14193d4c9
...
003a:Call KERNEL32.Wow64DisableWow64FsRedirection(0022e108) ret=140043ebe
003a:Ret KERNEL32.Wow64DisableWow64FsRedirection() retval=00000000 ret=140043ebe
003a:Call KERNEL32.GetSystemDirectoryW(0022e110,00000104) ret=14193f3e7
003a:Ret KERNEL32.GetSystemDirectoryW() retval=00000013 ret=14193f3e7
003a:Call KERNEL32.GetFileAttributesW(0022e110 L"C:\windows\system32\drivers\vmmouse.sys") ret=14193d2ac
003a:Ret KERNEL32.GetFileAttributesW() retval=ffffffff ret=14193d2ac
003a:Call KERNEL32.Wow64RevertWow64FsRedirection(00000000) ret=14030576f
003a:Ret KERNEL32.Wow64RevertWow64FsRedirection() retval=00000000 ret=14030576f
003a:Call advapi32.RegOpenKeyExA(ffffffff80000002,0022ded0 "HARDWARE\Description\System",00000000,00020019,0022e340) ret=140301235
003a:Ret advapi32.RegOpenKeyExA() retval=00000000 ret=140301235
003a:Call advapi32.RegQueryValueExA(00000084,0022def0 "SystemBiosVersion",00000000,00000000,0022df10,0022e330) ret=14030127d
003a:Ret advapi32.RegQueryValueExA() retval=00000002 ret=14030127d
...
003a:Ret TLS callback (proc=0x140305790,module=0x140000000,reason=PROCESS_ATTACH,reserved=0)
--- snip ---
VMProtect is Wine-aware and falls back to more conservative methods of using the native API. It would not work otherwise due to some advanced/direct usage of syscalls (https://lifeinhex.com/tag/vmprotect/).
The TLS callbacks are, like the other code, completely virtualized (VM), so there is not much to see. Example:
--- snip ---
0000000140305790 | E9 09 | jmp terminal64.140FE309E
...
0000000140FE309E | 68 39 | push 64A05339
0000000140FE30A3 | E8 DC | call terminal64.1411E9284
0000000140FE30A8 | 66 BB | mov bx, 2033
0000000140FE30AC | 45 0F | movsx r11d, r12w
0000000140FE30B0 | 41 59 | pop r9
0000000140FE30B2 | 41 0F | movsx ebp, r9w
0000000140FE30B6 | 41 5D | pop r13
0000000140FE30B8 | 48 87 | xchg rbp, rbp
0000000140FE30BB | 4C 0F | movzx r11, bp
0000000140FE30BF | 41 5B | pop r11
0000000140FE30C1 | 49 0F | movsx rsi, r11w
0000000140FE30C5 | 41 5F | pop r15
0000000140FE30C7 | 5D | pop rbp
0000000140FE30C8 | 66 44 | movsx r10w, spl
0000000140FE30CD | 41 B2 | mov r10b, E3
0000000140FE30D0 | 66 41 | movzx bx, r9b
0000000140FE30D5 | 5B | pop rbx
0000000140FE30D6 | 40 0F | setl sil
0000000140FE30DA | 4C 0F | movzx r10, cx
0000000140FE30DE | 41 5A | pop r10
0000000140FE30E0 | 48 0F | movsx rsi, cx
0000000140FE30E4 | 66 0F | bswap si
0000000140FE30E7 | 5E | pop rsi
0000000140FE30E8 | E9 C4 | jmp terminal64.1412426B1
...
00000001412426B1 | C3 | ret
--- snip ---
Sadly, the only usable 64-bit GUI debugger x64dbg is also broken in several aspects when it comes to 64-bit Wine, making it rather painful to work with.
I don't see how I can further analyse your problem without debugging the actual target. There are likely peculiarities of the underlying host OS -> macOS here that make the foul play.
Regards
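
Added example, not part of the original comment and not Wine code: a triage script for relay/seh logs like the macOS one quoted above. It tracks which TLS callback each thread is executing, records exceptions raised inside it, and links the faulting thread to the critical-section timeouts Wine reports afterwards. The function names are assumptions; the sample lines are excerpted from the quoted log.

```python
import re
from collections import defaultdict

# Lines excerpted from the macOS log quoted in the comment above.
SAMPLE_LOG = """\
003b:Call TLS callback (proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Ret TLS callback (proc=0x141966898,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Call TLS callback (proc=0x140305790,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x14182994a ip=14182994a tid=003b
003b:trace:seh:NtRaiseException info[1]=0000000000000120
003b:exception in TLS callback (proc=0x141ad1f68,module=0x140000000,reason=THREAD_ATTACH,reserved=0)
003b:Starting thread proc 0x1402bc234 (arg=0x511b00)
003b:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x1402d5d06 ip=1402d5d06 tid=003b
003c:err:ntdll:RtlpWaitForCriticalSection section 0x140d7ad40 "?" wait timed out in thread 003c, blocked by 003b, retrying (60 sec)
"""

TLS_RE = re.compile(r"^([0-9a-f]{4}):(Call|Ret)\s+TLS callback \(proc=(0x[0-9a-f]+),"
                    r"module=0x[0-9a-f]+,reason=(\w+),")
RAISE_RE = re.compile(r"^([0-9a-f]{4}):trace:seh:NtRaiseException code=([0-9a-f]+) "
                      r"flags=\d+ addr=(0x[0-9a-f]+)")
ABORT_RE = re.compile(r"^([0-9a-f]{4}):exception in TLS callback")
WAIT_RE = re.compile(r"RtlpWaitForCriticalSection section (0x[0-9a-f]+) .*"
                     r"in thread ([0-9a-f]{4}), blocked by ([0-9a-f]{4})")


def triage(log_text):
    """Return (faults, blocked): exceptions raised inside a TLS callback, and
    lock owners mapped to the threads Wine reports as waiting on them."""
    in_callback = {}            # tid -> (proc, reason) of the callback now running
    faults = []
    blocked = defaultdict(set)  # owner tid -> {(waiter tid, section address)}
    for line in log_text.splitlines():
        if m := TLS_RE.match(line):
            tid, kind, proc, reason = m.groups()
            if kind == "Call":
                in_callback[tid] = (proc, reason)
            else:
                in_callback.pop(tid, None)
        elif m := RAISE_RE.match(line):
            tid, code, addr = m.groups()
            if tid in in_callback:  # only count faults inside a callback
                proc, reason = in_callback[tid]
                faults.append({"tid": tid, "callback": proc, "reason": reason,
                               "code": code, "addr": addr})
        elif m := ABORT_RE.match(line):
            # Logged once the exception was caught; the callback has no "Ret" line.
            in_callback.pop(m.group(1), None)
        elif m := WAIT_RE.search(line):
            section, waiter, owner = m.groups()
            blocked[owner].add((waiter, section))
    return faults, dict(blocked)


def suspects(log_text):
    """Threads that faulted in a TLS callback and later block other threads."""
    faults, blocked = triage(log_text)
    return [(f["tid"], f["callback"], sorted(blocked[f["tid"]]))
            for f in faults if f["tid"] in blocked]


if __name__ == "__main__":
    for tid, callback, waiters in suspects(SAMPLE_LOG):
        print(f"thread {tid} faulted in TLS callback {callback}; blocking {waiters}")
```

The callback is attributed from the thread's last `Call TLS callback` line rather than from the `proc=` value in the `exception in TLS callback` line, because in the quoted log those two addresses differ.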