https://bugs.winehq.org/show_bug.cgi?id=48997
--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello Fabian,
--- quote --- Do you know what they do with that value from CR0? I mean, what's the point when it's always the same? --- quote ---
Well, in the case of CR0 only basic checks are done. If CR0 contains nonsense values, like in the case of Wine, one can be sure something is fishy and refuse to run further. Things like not being in protected mode, paging disabled, write protect disabled (no traps of ring0 access to read-only ring3 pages) etc.
To me it looks like the code is part of a "suite" they might have copied from some anti-debug cookbook or general RCE whitepapers to check if Windows runs under the control of a Hypervisor/VMM. There are multiple checks of special function/system register values.
Regards
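
The kind of CR0 plausibility check described in the comment above, written out as an added example (not part of the original comment and not code from the application in question). The flag positions are the architectural ones from the Intel SDM; the function name, result codes and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural CR0 flag positions (Intel SDM vol. 3, control registers). */
#define CR0_PE (1u << 0)   /* protection enable: CPU is in protected mode */
#define CR0_WP (1u << 16)  /* write protect: ring 0 writes to read-only user pages fault */
#define CR0_PG (1u << 31)  /* paging enabled */

/* Result bits; names are hypothetical, chosen for this example. */
enum {
    BAD_NO_PE         = 1, /* not in protected mode */
    BAD_NO_PG         = 2, /* paging disabled */
    BAD_NO_WP         = 4, /* write protect disabled */
    BAD_PG_WITHOUT_PE = 8  /* PG=1 with PE=0 cannot be loaded into CR0 at all */
};

/* Returns 0 when the value looks like a running Windows kernel's CR0,
 * otherwise a bitmask naming each check that failed. */
unsigned cr0_problems(uint32_t cr0)
{
    unsigned bad = 0;

    if (!(cr0 & CR0_PE)) bad |= BAD_NO_PE;
    if (!(cr0 & CR0_PG)) bad |= BAD_NO_PG;
    if (!(cr0 & CR0_WP)) bad |= BAD_NO_WP;
    if ((cr0 & CR0_PG) && !(cr0 & CR0_PE)) bad |= BAD_PG_WITHOUT_PE;
    return bad;
}

int main(void)
{
    /* Constructed sample values, not captured from any real system. */
    const uint32_t samples[] = {
        0x80050033u, /* PG|AM|WP|NE|ET|MP|PE: plausible */
        0x00000000u, /* all flags clear: nonsense for a running OS */
        0x80000000u, /* PG without PE: architecturally impossible */
        0x80000001u  /* PG|PE but WP clear */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("CR0=0x%08x -> problems=0x%x\n",
               (unsigned)samples[i], cr0_problems(samples[i]));
    return 0;
}
```

An emulation layer that has to answer a CR0 read can run the value it reports through the same checks to confirm it would pass for a value from a real kernel.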