https://bugs.winehq.org/show_bug.cgi?id=45349
--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello Zebediah,
I made trace logs some time ago and accidentally put the wrong snippet here (had multiple logs from different runs with patches applied).
The 64-bit syscall thunk one is this one here:
--- snip ---
...
0030:Call KERNEL32.GetModuleHandleA(143fd1b80 "Kernel32.dll") ret=143fd20a7
0030:Ret KERNEL32.GetModuleHandleA() retval=7b460000 ret=143fd20a7
0030:Call KERNEL32.GetProcAddress(7b460000,143fd2690 "VirtualFree") ret=143fd21ae
0030:Ret KERNEL32.GetProcAddress() retval=7b473eb8 ret=143fd21ae
0030:Call KERNEL32.VirtualFree(00610000,00000000,00008000) ret=143fd21d4
0030:Ret KERNEL32.VirtualFree() retval=00000001 ret=143fd21d4
0030:trace:seh:NtRaiseException code=c000001d flags=0 addr=0x143fcfaa8 ip=143fcfaa8 tid=0030
0030:trace:seh:NtRaiseException rax=0000000000000000 rbx=ffffffffffffffff rcx=00000001440efe20 rdx=00000000000900cc
0030:trace:seh:NtRaiseException rsi=000000000060fd88 rdi=000000000060fd00 rbp=000000000060fdc0 rsp=000000000060fc88
0030:trace:seh:NtRaiseException r8=000000000060fce0 r9=0000000000000008 r10=0000000000000000 r11=000000000060fce0
0030:trace:seh:NtRaiseException r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000
0030:warn:seh:call_stack_handlers exception data not found in L"StreetFighterV.exe"
0030:warn:seh:call_stack_handlers exception data not found in L"StreetFighterV.exe"
0030:warn:seh:call_stack_handlers exception data not found in L"StreetFighterV.exe"
0030:warn:seh:call_stack_handlers exception data not found in L"StreetFighterV.exe"
0030:warn:seh:call_stack_handlers exception data not found in L"StreetFighterV.exe"
...
0030:trace:seh:dwarf_virtual_unwind next function rip=0000000000000000
0030:trace:seh:dwarf_virtual_unwind rax=0000000000000000 rbx=ffffffffffffffff rcx=00000001440efe20 rdx=00000000000900cc
0030:trace:seh:dwarf_virtual_unwind rsi=0000000000000000 rdi=0000000000000000 rbp=0000000000000000 rsp=000000000060ffe0
0030:trace:seh:dwarf_virtual_unwind r8=000000000060fce0 r9=0000000000000008 r10=0000000000000000 r11=000000000060fce0
0030:trace:seh:dwarf_virtual_unwind r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000
0030:trace:seh:call_stack_handlers found wine frame 0x60fdf0 rsp 60ffe0 handler 0x7b5121f3
0030:trace:seh:call_teb_handler calling TEB handler 0x7b5121f3 (rec=0x60fb40, frame=0x60fdf0 context=0x60ede0, dispatch=0x60f2b0)
wine: Unhandled illegal instruction at address 0x143fcfaa8 (thread 0030), starting debugger...
0030:trace:seh:start_debugger Starting debugger "winedbg --auto 47 28"
0030:trace:seh:call_teb_handler handler at 0x7b5121f3 returned 1
0030:warn:seh:call_stack_handlers exception data not found in L"StreetFighterV.exe"
Unhandled exception: illegal instruction in 64-bit code (0x0000000143fcfaa8).
winedbg: Internal crash at 0x7f9e448a6b09
--- snip ---
rip = 0x143fcfaa8 (compare with my disassembly from initial comment).
The disassembly snippet you posted in comment #1 which matches my initial trace log snippet is a harmless and gracefully handled VMware backdoor check:
--- snip ---
0000000143FCA918 | 54                | push rsp
0000000143FCA919 | 50                | push rax
0000000143FCA91A | 51                | push rcx
0000000143FCA91B | 52                | push rdx
0000000143FCA91C | 53                | push rbx
0000000143FCA91D | 55                | push rbp
0000000143FCA91E | 56                | push rsi
0000000143FCA91F | 57                | push rdi
0000000143FCA920 | 41 50             | push r8
0000000143FCA922 | 41 51             | push r9
0000000143FCA924 | 41 52             | push r10
0000000143FCA926 | 41 53             | push r11
0000000143FCA928 | 41 54             | push r12
0000000143FCA92A | 41 55             | push r13
0000000143FCA92C | 41 56             | push r14
0000000143FCA92E | 41 57             | push r15
0000000143FCA930 | 48 8B EC          | mov rbp, rsp
0000000143FCA933 | 51                | push rcx
0000000143FCA934 | E8 00 00 00 00    | call streetfighterv.143FCA939
0000000143FCA939 | 48 B9 8D FB A2 19.| mov rcx, 19A2FB8D
0000000143FCA943 | 48 01 0C 24       | add qword ptr ss:[rsp], rcx
0000000143FCA947 | 48 B9 55 FB A2 19.| mov rcx, 19A2FB55
0000000143FCA951 | 48 29 0C 24       | sub qword ptr ss:[rsp], rcx
0000000143FCA955 | B8 68 58 4D 56    | mov eax, 564D5868
0000000143FCA95A | BB 65 D4 85 86    | mov ebx, 8685D465
0000000143FCA95F | B9 0A 00 00 00    | mov ecx, A
0000000143FCA964 | 66 BA 58 56       | mov dx, 5658
0000000143FCA968 | ED                | in eax, dx
0000000143FCA969 | 81 FB 68 58 4D 56 | cmp ebx, 564D5868
0000000143FCA96F | 75 00             | jne streetfighterv.143FCA971
0000000143FCA971 | 48 83 C4 10       | add rsp, 10
0000000143FCA975 | 41 5F             | pop r15
0000000143FCA977 | 41 5E             | pop r14
0000000143FCA979 | 41 5D             | pop r13
0000000143FCA97B | 41 5C             | pop r12
0000000143FCA97D | 41 5B             | pop r11
0000000143FCA97F | 41 5A             | pop r10
0000000143FCA981 | 41 59             | pop r9
0000000143FCA983 | 41 58             | pop r8
0000000143FCA985 | 5F                | pop rdi
0000000143FCA986 | 5E                | pop rsi
0000000143FCA987 | 5D                | pop rbp
0000000143FCA988 | 5B                | pop rbx
0000000143FCA989 | 5A                | pop rdx
0000000143FCA98A | 59                | pop rcx
0000000143FCA98B | 58                | pop rax
0000000143FCA98C | 48 83 C4 08       | add rsp, 8
0000000143FCA990 | C3                | ret
--- snip ---
One can find this sequence in various commercial protection/DRM systems as they try to figure out if they are running in a virtualized environment.
Regards
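
For triage, the probe in the listing above (magic in eax, port in dx, then `in eax, dx`) can be located by byte pattern so it is not mistaken for the faulting code. This is an added example, not part of the original comment or of Wine; `find_backdoor_probes` and the 32-byte `WINDOW` are assumptions, and the sample bytes are copied from the listing.

```python
import struct

MAGIC, PORT = 0x564D5868, 0x5658                     # values from the listing
MOV_EAX_MAGIC = b"\xB8" + struct.pack("<I", MAGIC)   # mov eax, imm32
MOV_PORT = (b"\x66\xBA" + struct.pack("<H", PORT),   # mov dx, imm16
            b"\xBA" + struct.pack("<I", PORT))       # mov edx, imm32
WINDOW = 32   # assumption: the IN follows the magic load within 32 bytes

# Constructed sample: bytes at 0x143FCA955..0x143FCA970 from the listing.
SAMPLE_BASE = 0x143FCA955
SAMPLE = bytes.fromhex(
    "B8 68 58 4D 56 "      # mov eax, 564D5868
    "BB 65 D4 85 86 "      # mov ebx, 8685D465
    "B9 0A 00 00 00 "      # mov ecx, A
    "66 BA 58 56 "         # mov dx, 5658
    "ED "                  # in eax, dx
    "81 FB 68 58 4D 56 "   # cmp ebx, 564D5868
    "75 00"                # jne (to the next instruction)
)

def find_backdoor_probes(code, base=0):
    """Heuristic byte-pattern scan (no disassembly); one dict per hit."""
    hits = []
    pos = code.find(MOV_EAX_MAGIC)
    while pos != -1:
        start = pos + len(MOV_EAX_MAGIC)
        window = code[start:start + WINDOW]
        # Offsets just past each port load found in the window.
        ends = [window.find(p) + len(p) for p in MOV_PORT if p in window]
        in_at = window.find(b"\xED", min(ends)) if ends else -1  # in eax, dx
        if in_at != -1:
            # A mov ecx, imm32 before the IN carries the command number.
            ecx_at = window.find(b"\xB9", 0, in_at)
            cmd = None
            if ecx_at != -1 and ecx_at + 5 <= in_at:
                cmd = struct.unpack_from("<I", window, ecx_at + 1)[0]
            hits.append({"magic_load": base + pos,
                         "in_insn": base + start + in_at,
                         "command": cmd})
        pos = code.find(MOV_EAX_MAGIC, pos + 1)
    return hits

if __name__ == "__main__":
    for h in find_backdoor_probes(SAMPLE, SAMPLE_BASE):
        print(f"mov eax at {h['magic_load']:#x}, in eax,dx at "
              f"{h['in_insn']:#x}, command={h['command']}")
```

The reported `in eax, dx` address (0x143FCA968) differs from the faulting rip in the trace (0x143fcfaa8), which is the distinction the comment draws.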