https://bugs.winehq.org/show_bug.cgi?id=40479
--- Comment #8 from Dmitriy dim0n-error@narod.ru --- (In reply to Ker noa from comment #7)
They are even going after people that try to remove the obfuscation and encryption layer, so it is not much of a surprise that the debugger gets confused. It is "working as intended".
Actually, all protection magic happens in TLS callbacks. Unfortunately winedbg cannot set breakpoints before entry point, AFAIK, but some windows native debuggers able to do that. My attempts to understand the problem in TLS callback were unsuccessful due to code obfuscation (there were many meaningless (or not?) "mov" operations) I found that there are two TLS callbacks before entry point execution. First one decrypts content of second one and perhaps entry point. Debugger detection may be included to first callback, and it prevents to see decryption itself. In my opinion, the problem is in false alert of debugger detection mechanism when wine trying to run first TLS callback.