https://bugs.winehq.org/show_bug.cgi?id=53078
Bernhard Übelacker bernhardu@mailbox.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernhardu@mailbox.org

--- Comment #1 from Bernhard Übelacker bernhardu@mailbox.org ---
Created attachment 72590
  --> https://bugs.winehq.org/attachment.cgi?id=72590
hack to workaround second-ntdll and trigger driver startup

This is what I found while trying to investigate loading the game in Wine.

The "Star Stable Online.exe" is just the launcher and updater. When pressing the play button it spawns a "SSOClient.exe". This now also spawns the processes "GameGuard.des" and "GameMon.des". The latter detects a 64-bit system and then spawns "GameMon64.des". This last process then calls NtLoadDriver to load "dump_wmimmc.sys".

The first issue is "GameMon.des" doing a LoadLibraryEx for ntdll.dll and calling NtSetInformationThread(ThreadHideFromDebugger) from this copy, which fails because in the second ntdll __wine_syscall_dispatcher never gets set, which usually takes place in ntdll_init_syscalls.

The second issue is that the function NtLoadDriver is currently just a stub. And for obfuscation reasons "dump_wmimmc.sys" gets deleted.

Then the third: inside ZwLoadDriver/IoCreateDriver, "dump_wmimmc.sys" calls IoCreateDevice, IoCreateSymbolicLink("\??\dump_wmimmc"), PsGetVersion, ZwQueryValueKey("...\Windows NT\CurrentVersion\UBR"), IoGetCurrentProcess and PsGetCurrentProcessId. I guess something in this makes it upset and causes IoDeleteSymbolicLink("\??\dump_wmimmc") and IoDeleteDevice, finally returning 0xc0000001 (STATUS_UNSUCCESSFUL).

But because of the obfuscation I could not see what exactly went wrong in dump_wmimmc.sys.

Attached are some ugly hacks to try to work around the first two issues.