https://bugs.winehq.org/show_bug.cgi?id=45573
Bug ID: 45573
Summary: League of Legends 8.12+ fails to start a game (anticheat engine, hooking of syscall return instructions)
Product: Wine
Version: 3.13
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: z.figura12@gmail.com
Distribution: ---
Diagnosed by Andrew Wesie; partially split off from bug 45327.
The game expects to be able to hook both the first instruction of the syscall and the last (return) instruction. The current staged implementation of the syscall dispatcher does not return to the syscall thunk but rather directly to its caller, which causes the game to fail.
Zebediah Figura z.figura12@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |21232
           Keywords|                            |download, obfuscation
Fabian Maurer dark.shadow4@web.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dark.shadow4@web.de
--- Comment #1 from Fabian Maurer dark.shadow4@web.de ---
Do you know what exactly the game does with the return instruction? What does it want the hooked function to look like?
Andrew Wesie awesie@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |awesie@gmail.com
--- Comment #2 from Andrew Wesie awesie@gmail.com ---
(In reply to Fabian Maurer from comment #1)
> Do you know what exactly the game does with the return instruction? What does it want the hooked function to look like?
It is flexible. The current __syscall_Nt* exports are good enough; the problem is that __wine_syscall_dispatcher does not use the ret instruction in the __syscall_Nt* exports.
I'll attach a test I wrote to demonstrate the issue along with my patches from the other thread that make the test pass.
--- Comment #3 from Andrew Wesie awesie@gmail.com ---
Created attachment 62008
  --> https://bugs.winehq.org/attachment.cgi?id=62008
Unit test and required patches
Apply the patches on top of wine-staging patches. Adds a "hooks" test to ntdll. It is only applicable to a 32-bit wine build.
--- Comment #4 from Fabian Maurer dark.shadow4@web.de ---
Does League of Legends also set a breakpoint for the "ret" hook?
Also, do you plan to get those patches into wine-staging? Because I probably also should rewrite my patch for hookable x64 thunks to work like that.
--- Comment #5 from Andrew Wesie awesie@gmail.com ---
(In reply to Fabian Maurer from comment #4)
> Does League of Legends also set a breakpoint for the "ret" hook?
The game will replace the ret instruction of a Nt* syscall export with an int3 in some cases, and expects its vectored exception handlers to handle it.
> Also, do you plan to get those patches into wine-staging? Because I probably also should rewrite my patch for hookable x64 thunks to work like that.
Since they are required for LoL some variant of them should probably be committed. I am waiting to make sure they don't break Wine in some way for people.
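Added illustration, not part of the thread and not Wine code: a toy C model of the control flow discussed in comments #2 and #5, where the only difference between the two runs is whether the dispatcher returns through the thunk's ret or straight to the thunk's caller. The three-slot code array, the opcode stand-ins and every function name are constructed for this sketch.

```c
/* Constructed toy model, not Wine code: "addresses" are indices into a
 * three-slot code array and the stack holds return addresses only. */
#include <stdint.h>
#include <stdio.h>

enum { OP_HALT = 0x00, OP_CALL_DISPATCH = 0xE8, OP_RET = 0xC3, OP_INT3 = 0xCC };
enum { THUNK_ENTRY = 0, THUNK_RET = 1, CALLER_RESUME = 2 };

struct cpu {
    uint8_t code[3];   /* [0] thunk: call dispatcher, [1] thunk: ret, [2] caller */
    int stack[4];
    int sp;
    int ret_hook_hits; /* times the breakpoint planted on the thunk's ret fired */
};

static void push(struct cpu *c, int v) { c->stack[c->sp++] = v; }
static int pop(struct cpu *c) { return c->stack[--c->sp]; }

/* through_thunk != 0: resume at the thunk's own ret.
 * through_thunk == 0: drop that address and return to the thunk's caller,
 * the behaviour the bug report describes. */
static int dispatcher(struct cpu *c, int through_thunk)
{
    int thunk_ret = pop(c);              /* pushed by the thunk's call */
    return through_thunk ? thunk_ret : pop(c);
}

/* Stand-in for the hooker's exception handler: emulate the replaced ret. */
static int on_breakpoint(struct cpu *c) { c->ret_hook_hits++; return pop(c); }

/* Returns how often the ret hook ran, or -1 if the stack ended unbalanced. */
int run_syscall(int through_thunk, int hook_ret)
{
    struct cpu c = { { OP_CALL_DISPATCH, hook_ret ? OP_INT3 : OP_RET, OP_HALT }, {0}, 0, 0 };
    int pc = THUNK_ENTRY;
    push(&c, CALLER_RESUME);             /* the caller's call into the thunk */
    for (;;) {
        switch (c.code[pc]) {
        case OP_CALL_DISPATCH: push(&c, pc + 1); pc = dispatcher(&c, through_thunk); break;
        case OP_RET:           pc = pop(&c); break;
        case OP_INT3:          pc = on_breakpoint(&c); break;
        default:               return c.sp == 0 ? c.ret_hook_hits : -1;
        }
    }
}

int main(void)
{
    printf("return through thunk: %d hook hit(s)\n", run_syscall(1, 1));
    printf("return to caller:     %d hook hit(s)\n", run_syscall(0, 1));
    return 0;
}
```

Both runs leave the stack balanced and reach the caller; only the run that returns through the thunk ever executes the hooked return slot.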
--- Comment #6 from Fabian Maurer dark.shadow4@web.de ---
Okay, then I guess I'll wait for you to get it approved. Did you plan on adding an x64 test, too? If not, I can build on top of your code and add the needed hooking code to make an x64 test.
--- Comment #7 from Andrew Wesie awesie@gmail.com ---
(In reply to Fabian Maurer from comment #6)
> Okay, then I guess I'll wait for you to get it approved. Did you plan on adding an x64 test, too? If not, I can build on top of your code and add the needed hooking code to make an x64 test.
I did not have any plans to adapt it to x64. Feel free to take that on.
--- Comment #8 from Zebediah Figura z.figura12@gmail.com ---
(In reply to Fabian Maurer from comment #4)
> Also, do you plan to get those patches into wine-staging? Because I probably also should rewrite my patch for hookable x64 thunks to work like that.
Yes, we plan to. We're trying to tweak some of the patches to make them cleaner, since what Andrew gave us was basically just proof-of-concept. For example, this patch as given just blindly copies 64 bytes of stack, and that should at least be dynamic based on the number of arguments.
Zebediah Figura z.figura12@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
    Staged patchset|                            |https://github.com/wine-staging/wine-staging/tree/master/patches/winebuild-Fake_Dlls
             Status|NEW                         |STAGED
--- Comment #9 from Zebediah Figura z.figura12@gmail.com ---
Since this was basically a shortcoming of the existing patches, I've elected to squash the changes into patch 0003 rather than add a new patch. I'm marking this bug STAGED, although DUPLICATE may be a better resolution, if anyone feels strongly about it.
winetaste@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |winetaste@gmx.net
--- Comment #10 from Fabian Maurer dark.shadow4@web.de ---
You already merged this into staging, right? Are the tests also in there? Because I can't find them.
--- Comment #11 from Zebediah Figura z.figura12@gmail.com ---
(In reply to Fabian Maurer from comment #10)
> You already merged this into staging, right? Are the tests also in there? Because I can't find them.
They are not, no.
--- Comment #12 from Fabian Maurer dark.shadow4@web.de ---
> > You already merged this into staging, right? Are the tests also in there? Because I can't find them.
> They are not, no.
Isn't this something we'd also like staged then? I'd guess it would be useful to document it and prevent regressions.
Paul Gofman gofmanp@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gofmanp@gmail.com
Olivier F. R. Dierick o.dierick@piezo-forte.be changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |o.dierick@piezo-forte.be
--- Comment #13 from Olivier F. R. Dierick o.dierick@piezo-forte.be ---
Hello,
Following the splitting of the staged patchset to winebuild-pe_syscall_thunks, here is some feedback from bug 49412 related to this bug.
(In reply to Matías Zúñiga from comment #5)
> Now when trying to run LoL with an updated alternative-patch (attached), wine ends execution with a `0024:err:seh:setup_exception_record stack overflow 104 bytes in thread 0024 eip 00000000 esp 002212c4 stack 0x220000-0x221000-0x320000` message.
> I don't know if this is a new bug, or a re-manifestation of a previous one because of the re-write (maybe Bug 45573, which is said to be fixed by the re-written winebuild-pe_syscall_thunks patchset. That one was debugged by Andrew Wesie, but I don't know how he did it)
Regards.
Bug 45573 depends on bug 21232, which changed state.
Bug 21232 Summary: Multiple games and applications (Chromium-based browser engines, Blizzard games, League of Legends) crash due to hooking/anticheat validation (needs syscall thunks in ntdll.dll)
https://bugs.winehq.org/show_bug.cgi?id=21232
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|STAGED                      |RESOLVED
         Resolution|---                         |FIXED
Zebediah Figura z.figura12@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|STAGED                      |RESOLVED
      Fixed by SHA1|                            |917a206b01c82170a862e8497cbe26b6f1bfade0
--- Comment #14 from Zebediah Figura z.figura12@gmail.com ---
Fixed by 917a206b01c82170a862e8497cbe26b6f1bfade0, broadly speaking.
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #15 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 5.18.