https://bugs.winehq.org/show_bug.cgi?id=44617
--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello,
--- quote ---
Is it possible to enhance Wine's debug output so that future games that use this kind of hidden imports get them automatically translated to cleartext?
--- quote ---
I'm not sure if I can further "ELI5" my comment #0.
These types of apps/games/malware implement their own custom imports resolver. The win32/64 API function resolving is done on the application side with no visible API calls - it's walking/processing of in-memory data structures (tables/lists). Even if you would be able to trap memory accesses to the export table (outside of Wine's scope) ... you wouldn't even know which API the code is trying to look up in case of Wine missing APIs (= reads until the end of list). One could certainly trace the access and record the "index" of the API the hash was generated for and later translate it back to real API in case of match ... but that requires debugging and deep understanding of the code, along with some fancy tracing. There is no way Wine could be of help here.
To make things more difficult, it doesn't decrypt the encrypted (obfuscated) module/API name strings to compare "cleartext" against data from the loader linked lists/export tables. Instead it encrypts all the names and compares against precomputed encrypted ones. That's a much more effective way to hide all you're doing - one is essentially forced to debug to see what's going on.
In short: No.
Regards
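
Added example, not part of the comment above and not Wine code: a Python model of the lookup the comment describes, showing why a failed walk leaves no name behind and how an analyst can map the precomputed constants back to names by hashing a complete reference export list. The hash (FNV-1a), the function names and the sample lists are assumptions made for illustration; the application's real algorithm is not given on this page.

```python
# Added example. FNV-1a is a stand-in: the application's real hash is not given on this page.
def name_hash(name: str) -> int:
    h = 0x811C9DC5                           # FNV-1a 32-bit offset basis
    for b in name.encode("ascii"):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h

def resolve(wanted, exports):
    """Application side: walk the export names, hash each, compare with the
    precomputed constant. No name is ever decoded and no API is called.
    Returns (index, names_read); index is None when the walk reaches the end."""
    for i, name in enumerate(exports):
        if name_hash(name) == wanted:
            return i, i + 1
    return None, len(exports)

def reverse_table(reference_exports):
    """Analyst side: hash a complete reference list once, keyed by hash."""
    return {name_hash(n): n for n in reference_exports}

def report(constants, exports, reference_exports):
    """For each constant: the recovered name (or None), whether the walk
    over `exports` succeeded, and how many names were read."""
    names = reverse_table(reference_exports)
    rows = []
    for c in constants:
        index, reads = resolve(c, exports)
        rows.append((names.get(c), index is not None, reads))
    return rows

# Constructed sample data (not taken from any real module or from the bug report).
REFERENCE_EXPORTS = ["CloseHandle", "CreateFileW", "GetTickCount64",
                     "ReadFile", "VirtualProtect"]
# Same list with one name removed, to model an API the runtime does not export.
TRIMMED_EXPORTS = [n for n in REFERENCE_EXPORTS if n != "GetTickCount64"]
# What the binary would carry: constants only, including one no list can explain.
CONSTANTS = [name_hash("ReadFile"), name_hash("GetTickCount64"), 0xDEADBEEF]

if __name__ == "__main__":
    for name, found, reads in report(CONSTANTS, TRIMMED_EXPORTS, REFERENCE_EXPORTS):
        print(f"{name or '<unknown hash>':16} found={found} names_read={reads}")
```

The failed lookups read the whole table and return nothing that identifies the API; the name is recoverable only because the reference list happens to contain it and the hash function is already known from debugging.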