https://bugs.winehq.org/show_bug.cgi?id=44616

Bug ID: 44616 Summary: Multiple Blizzard games need 'ntdll.NtCreateThreadEx' implementation (Diablo III v2. 6. 1. 49286+) Product: Wine Version: 3.2 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntdll Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---

Hello folks,

continuation of bug 44585

After ntdll.LdrRegisterDllNotification(), the obfuscated code resolves another bunch of imports. The module and API function names to be resolved are obfuscated using pre-computed hashes. Basically the in-memory export table for 'ntdll, 'kernel32', 'user32' and 'gdi32' modules is walked, all the function names are hashed and compared against the precomputed hashes for matches. There is even a Windows version awareness in this phase. Depending on the WinVer setting (WinXP vs. Win7), few different APIs are resolved.

Tidbit:

If the Windows version is configured to 'Windows XP' in WINEPREFIX, 'kernel32.CreateThread' is resolved instead of 'ntdll.NtCreateThreadEx'. This is a non-default anyway and the game/launcher will complain about Windows XP being no longer unsupported (end-of-life).

Trace log with patches applied:

NOTE: needs another follow-up bug report patchset to come to this far.

--- snip --- $ pwd /home/focht/wine-games/wineprefix64-bnet/drive_c/Program Files (x86)/Diablo III

$ WINEDEBUG=+loaddll,+ntdll,+seh,+process,+relay wine ./Diablo\ III.exe -launch >>log.txt 2>&1 ... 0009:Call ntdll.LdrRegisterDllNotification(00000000,006a0ce0,00000000,0033e628) ret=004db5d0 0009:Ret ntdll.LdrRegisterDllNotification() retval=00000000 ret=004db5d0 0009:Call ntdll.NtCreateFile(0033e3a8,00120089,0033e32c,0033e324,00000000,00000000,00000001,00000001,00000020,00000000,00000000) ret=004e0a5f 0009:trace:ntdll:FILE_CreateFile handle=0x33e3a8 access=00120089 name=L"\??\C:\windows\system32\ntdll.dll" objattr=00000040 root=(nil) sec=(nil) io=0x33e324 alloc_size=(nil) attr=00000000 sharing=00000001 disp=1 options=00000020 ea=(nil).0x00000000 0009:Ret ntdll.NtCreateFile() retval=00000000 ret=004e0a5f 0009:Call ntdll.NtQueryInformationFile(000000ac,0033e31c,0033e304,00000018,00000005) ret=004e0f91 0009:trace:ntdll:NtQueryInformationFile (0xac,0x33e31c,0x33e304,0x00000018,0x00000005) 0009:Ret ntdll.NtQueryInformationFile() retval=00000000 ret=004e0f91 0009:Call ntdll.NtAllocateVirtualMemory(ffffffff,0033e404,00000000,0033e374,00001000,00000040) ret=004e143d 0009:Ret ntdll.NtAllocateVirtualMemory() retval=00000000 ret=004e143d 0009:Call ntdll.NtReadFile(000000ac,00000000,00000000,00000000,0033e324,05070000,00001000,00000000,00000000) ret=004e1786 0009:trace:ntdll:NtReadFile (0xac,(nil),(nil),(nil),0x33e324,0x5070000,0x00001000,(nil),(nil)),partial stub! 0009:trace:ntdll:NtReadFile = SUCCESS (2468) 0009:Ret ntdll.NtReadFile() retval=00000000 ret=004e1786 0009:Call ntdll.NtAllocateVirtualMemory(ffffffff,0033e638,00000000,0033e698,00001000,00000004) ret=004dbcee 0009:Ret ntdll.NtAllocateVirtualMemory() retval=00000000 ret=004dbcee 0009:Call ntdll.NtProtectVirtualMemory(ffffffff,0033e6e4,0033e6e8,00000040,0033e69c) ret=004dcdae 0009:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=004dcdae 0009:Call ntdll.NtProtectVirtualMemory(ffffffff,0033e6e4,0033e6e8,00000020,0033e69c) ret=004dcf8c 0009:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=004dcf8c 0009:Call ntdll.NtProtectVirtualMemory(ffffffff,0033e6e4,0033e6e8,00000040,0033e69c) ret=004dcdae 0009:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=004dcdae 0009:Call ntdll.NtProtectVirtualMemory(ffffffff,0033e6e4,0033e6e8,00000020,0033e69c) ret=004dcf8c 0009:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=004dcf8c 0009:Call ntdll.NtCreateThreadEx(0033e620,001f03ff,00000000,ffffffff,006a3e90,00000000,00000006,00000000,00000000,00000000,00000000) ret=004dd373 0009:fixme:thread:NtCreateThreadEx 0x33e620, 1f03ff, (nil), 0xffffffff, 0x6a3e90, (nil), 6, 0, 0, 0, (nil) semi-stub! 0009:Ret ntdll.NtCreateThreadEx() retval=00000000 ret=004dd373 0029:Call PE DLL (proc=0x7ec4ae82,module=0x7eba0000 L"user32.dll",reason=THREAD_ATTACH,res=(nil)) 0029:Ret PE DLL (proc=0x7ec4ae82,module=0x7eba0000 L"user32.dll",reason=THREAD_ATTACH,res=(nil)) retval=1 0029:Call PE DLL (proc=0x7e7facd4,module=0x7e7f0000 L"imm32.dll",reason=THREAD_ATTACH,res=(nil)) 0029:Ret PE DLL (proc=0x7e7facd4,module=0x7e7f0000 L"imm32.dll",reason=THREAD_ATTACH,res=(nil)) retval=1 0029:Call TLS callback (proc=0x6aa080,module=0x400000,reason=THREAD_ATTACH,reserved=0) 0029:trace:seh:raise_exception code=c000001d flags=0 addr=0x6aa143 ip=006aa143 tid=0029 0029:trace:seh:raise_exception eax=0518e9f0 ebx=f75c5000 ecx=1675b829 edx=0518e9f0 esi=0518e9d8 edi=05193b40 0029:trace:seh:raise_exception ebp=0518e9b8 esp=0518e994 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246 0029:trace:seh:call_stack_handlers calling handler at 0x111e8c8 code=c000001d flags=0 0029:Call ntdll.NtDuplicateObject(ffffffff,fffffffe,ffffffff,0518e3ec,00000000,00000000,00000006) ret=006a7804 0029:Ret ntdll.NtDuplicateObject() retval=00000000 ret=006a7804 0029:Call ntdll.NtQueryInformationThread(000000b4,00000009,0518e404,00000004,00000000) ret=006a80e9 0029:Ret ntdll.NtQueryInformationThread() retval=00000000 ret=006a80e9 0029:Call ntdll.NtSetInformationThread(000000b4,00000011,00000000,00000000) ret=006a8997 0029:Ret ntdll.NtSetInformationThread() retval=00000000 ret=006a8997 ... --- snip ---

ProtectionID scan for exact version:

--- snip --- -=[ ProtectionID v0.6.9.0 DECEMBER]=- (c) 2003-2017 CDKiLLER & TippeX Build 24/12/17-21:05:42 Ready... Scanning -> Z:\home\focht\wine-games\wineprefix64-bnet\drive_c\Program Files (x86)\Diablo III\Diablo III.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 31663592 (01E325E8h) Byte(s) | Machine: 0x14C (I386) Compilation TimeStamp : 0x5A839757 -> Wed 14th Feb 2018 01:56:39 (GMT) [TimeStamp] 0x5A839757 -> Wed 14th Feb 2018 01:56:39 (GMT) | PE Header | - | Offset: 0x00000178 | VA: 0x00400178 | - [TimeStamp] 0x5A83974F -> Wed 14th Feb 2018 01:56:31 (GMT) | Export | - | Offset: 0x0176EC84 | VA: 0x01B70484 | - [TimeStamp] 0x5A839757 -> Wed 14th Feb 2018 01:56:39 (GMT) | DebugDirectory | - | Offset: 0x015380D4 | VA: 0x019398D4 | - [TimeStamp] 0x5A839757 -> Wed 14th Feb 2018 01:56:39 (GMT) | DebugDirectory | - | Offset: 0x015380F0 | VA: 0x019398F0 | - [TimeStamp] 0x5A839757 -> Wed 14th Feb 2018 01:56:39 (GMT) | DebugDirectory | - | Offset: 0x0153810C | VA: 0x0193990C | - -> File Appears to be Digitally Signed @ Offset 01E30E00h, size : 017E8h / 06120 byte(s) [!] Executable uses TLS callbacks (3 total... 0 invalid addresses) [LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64) [!] Executable uses SEH Tables (/SAFESEH) (33371 calculated 33199 recorded... 70 invalid addresses) [!] * table may be compressed / encrypted * [LoadConfig] CodeIntegrity -> Flags 0x7C34 | Catalog 0xBFD3 (49107) | Catalog Offset 0x2FE93D5F | Reserved 0x49CB461F [LoadConfig] GuardAddressTakenIatEntryTable 0x4F29FF9C | Count 0x992AA633 (2569709107) [LoadConfig] GuardLongJumpTargetTable 0x12E9CCF3 | Count 0xB9F3D522 (3119764770) [LoadConfig] HybridMetadataPointer 0x21CA7CB6 | DynamicValueRelocTable 0xF1654DDC [LoadConfig] FailFastIndirectProc 0x64AE2974 | FailFastPointer 0xCA03C693 [LoadConfig] UnknownZero1 0x6B52C00 [!] Warning: Imports (+size) goes outside of the file [File Heuristics] -> Flag #1 : 00000100000001001101000100110100 (0x0404D134) [Entrypoint Section Entropy] : 8.00 (section #0) ".text " | Size : 0x132F368 (20116328) byte(s) [DllCharacteristics] -> Flag : (0x8140) -> ASLR | DEP | TSA [SectionCount] 9 (0x9) | ImageSize 0x21D7000 (35483648) byte(s) [Export] 96% of function(s) (357 of 369) are in file | 0 are forwarded | 343 code | 26 data | 0 uninit data | 0 unknown | [VersionInfo] Company Name : Blizzard Entertainment [VersionInfo] Product Name : Diablo III [VersionInfo] Product Version : Version 2.6 [VersionInfo] File Description : Diablo III Retail [VersionInfo] File Version : 2. 6. 1. 49286 [VersionInfo] Original FileName : Diablo III.exe [VersionInfo] Internal Name : Diablo III [VersionInfo] Legal Copyrights : Copyright © 2011-2014 [ModuleReport] [IAT] Modules -> USER32.dll [Debug Info] (record 1 of 3) (file offset 0x15380D0) Characteristics : 0x0 | TimeDateStamp : 0x5A839757 (Wed 14th Feb 2018 01:56:39 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 2 (0x2) -> CodeView | Size : 0x53 (83) AddressOfRawData : 0x158C96C | PointerToRawData : 0x158B16C CvSig : 0x53445352 | SigGuid E65D58F8-37DC-47BC-B32D251EF458F1F8 Age : 0x1 (1) | Pdb : D:\BuildServer\4\work\code\branches\Release\Diablo III.pdb [Debug Info] (record 2 of 3) (file offset 0x15380EC) Characteristics : 0x0 | TimeDateStamp : 0x5A839757 (Wed 14th Feb 2018 01:56:39 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 12 (0xC) -> Undocumented | Size : 0x14 (20) AddressOfRawData : 0x158C9C0 | PointerToRawData : 0x158B1C0 [Debug Info] (record 3 of 3) (file offset 0x1538108) Characteristics : 0x0 | TimeDateStamp : 0x5A839757 (Wed 14th Feb 2018 01:56:39 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 13 (0xD) -> Undocumented | Size : 0x828 (2088) AddressOfRawData : 0x158C9D4 | PointerToRawData : 0x158B1D4 [CdKeySerial] found "Invalid code" @ VA: 0x0133D078 / Offset: 0x0133B878 [CdKeySerial] found "SerialNumber" @ VA: 0x0147899F / Offset: 0x0147719F [CdKeySerial] found "Invalid code" @ VA: 0x014C7980 / Offset: 0x014C6180 [CompilerDetect] -> Visual C++ 14.0 (Visual Studio 2015) [!] File appears to have no protection or is using an unknown protection - Scan Took : 5.583 Second(s) [000001529h (5417) tick(s)] [506 of 580 scan(s) done] --- snip ---

$ wine --version wine-3.2-173-g7c7aa125bf

Regards