https://bugs.winehq.org/show_bug.cgi?id=37449
--- Comment #2 from Anastasius Focht focht@gmx.net --- Hello Sebastian,
the patch is fine, a PE is unpacked in memory (later started as process).
--- quote --- The weird thing is the return address, the application seems to mess around manually with the TEB (in this case modifying the TlsBitmap) instead of using API calls?! --- quote ---
Yes, the code messes with loader/internal data structures. In this case it reads/writes to TLS slots, bypassing native API.
Lexware uses 'Promon Shield SDK' to protect their app:
--- snip --- -=[ ProtectionID v0.6.5.5 OCTOBER]=- (c) 2003-2013 CDKiLLER & TippeX Build 31/10/13-21:09:09 Ready... Scanning -> C:\Program Files\Lexware\Quicken\2014\HmgShield.dll File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 282480 (044F70h) Byte(s) -> File Appears to be Digitally Signed @ Offset 043800h, size : 01770h / 06000 byte(s) [File Heuristics] -> Flag : 00000100000001001001000100000100 (0x04049104) [Entrypoint Section Entropy] : 6.56 [Debug Info] Characteristics : 0x0 | TimeDateStamp : 0x503F76CD | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 2 -> CodeView | Size : 0x60 (96) AddressOfRawData : 0xFAD0 | PointerToRawData : 0xEED0 CvSig : 0x53445352 | SigGuid 94848F81-2D3F-4915-9D4EBAB4605DCADB Age : 0x1 | Pdb : d:\dev\shield\2.3-win8\src\shield-sdk-dll\release\promon-shield-sdk.pdb ---- snip ---
Anyway, those are different issues.
Regards