[Bug 49221] New: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' needs instruction emulation for querying VMX capabilities via MSR 0x480..0x490
https://bugs.winehq.org/show_bug.cgi?id=49221
Bug ID: 49221 Summary: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' needs instruction emulation for querying VMX capabilities via MSR 0x480..0x490 Product: Wine Version: 5.8 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntoskrnl Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---
Hello folks,
continuation of bug 49219 (split out from bug 49194).
--- snip --- $ WINEDEBUG=+seh,+relay,+int,+ntoskrnl,+ntdll wine net start "Denuvo Anti-Cheat" >>log.txt 2>&1 ... 00d0:Call driver init 0000000000C81184 (obj=000000000078EE10,str=L"\Registry\Machine\System\CurrentControlSet\Services\Denuvo Anti-Cheat") ... 00d0:Call ntoskrnl.exe.KeQueryActiveProcessorCountEx(0000ffff) ret=00c83d3a 00d0:fixme:ntoskrnl:KeQueryActiveProcessorCountEx GroupNumber 65535 semi-stub. 00d0:Call KERNEL32.GetSystemInfo(00b5f2f0) ret=00232926 00d0:Call ntdll.NtQuerySystemInformation(00000000,00b5f200,00000040,00000000) ret=7b02c721 00d0:trace:ntdll:NtQuerySystemInformation (0x00000000,0xb5f200,0x00000040,(nil)) 00d0:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7b02c721 00d0:Call ntdll.NtQuerySystemInformation(00000001,00b5f1f0,0000000c,00000000) ret=7b02c751 00d0:trace:ntdll:NtQuerySystemInformation (0x00000001,0xb5f1f0,0x0000000c,(nil)) 00d0:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7b02c751 00d0:Ret KERNEL32.GetSystemInfo() retval=00000006 ret=00232926 00d0:Ret ntoskrnl.exe.KeQueryActiveProcessorCountEx() retval=00000008 ret=00c83d3a 00d0:Call ntoskrnl.exe.KeSetSystemAffinityThreadEx(ffffffffffffffff) ret=00c83d56 00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx (0xffffffff) semi-stub 00d0:Call ntdll.NtQueryInformationThread(fffffffffffffffe,0000001e,00b5f300,00000010,00000000) ret=00232aa8 00d0:Ret ntdll.NtQueryInformationThread() retval=00000000 ret=00232aa8 00d0:Call ntdll.NtSetInformationThread(fffffffffffffffe,0000001e,00b5f310,00000010) ret=00232b00 00d0:Ret ntdll.NtSetInformationThread() retval=c000000d ret=00232b00 00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx Set affinity, status 0xc000000d. 00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx old.Group 0, old.Mask 0xff. 00d0:Ret ntoskrnl.exe.KeSetSystemAffinityThreadEx() retval=000000ff ret=00c83d56 00d0:Call ntoskrnl.exe.KeSetSystemAffinityThreadEx(00000001) ret=00c83d86 00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx (0x1) semi-stub 00d0:Call ntdll.NtQueryInformationThread(fffffffffffffffe,0000001e,00b5f300,00000010,00000000) ret=00232aa8 00d0:Ret ntdll.NtQueryInformationThread() retval=00000000 ret=00232aa8 00d0:Call ntdll.NtSetInformationThread(fffffffffffffffe,0000001e,00b5f310,00000010) ret=00232b00 00d0:Ret ntdll.NtSetInformationThread() retval=00000000 ret=00232b00 00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx old.Group 0, old.Mask 0xff. 00d0:Ret ntoskrnl.exe.KeSetSystemAffinityThreadEx() retval=000000ff ret=00c83d86 00d0:trace:seh:raise_exception code=c0000096 flags=0 addr=0xc88ac3 ip=c88ac3 tid=00d0 00d0:trace:seh:raise_exception rax=0000000000000000 rbx=0000000000000000 rcx=00000000008e0370 rdx=000000009c000400 00d0:trace:seh:raise_exception rsi=00000000008e1f70 rdi=00000000008e0370 rbp=0000000000b5f370 rsp=0000000000b5f2f8 00d0:trace:seh:raise_exception r8=000000000027efb1 r9=00000000008e0370 r10=0000000000000000 r11=0000000000000000 00d0:trace:seh:raise_exception r12=0000000000000000 r13=00007fffffea4000 r14=0000000000000000 r15=0000000080000008 00d0:trace:seh:call_vectored_handlers calling handler at 0x22cfa0 code=c0000096 flags=0 00d0:trace:int:emulate_instruction mov cr4,rax at c88ac3 00d0:trace:int:vectored_handler next instruction rip=c88ac6 00d0:trace:int:vectored_handler rax=0000000000000000 rbx=0000000000000000 rcx=00000000008e0370 rdx=000000009c000400 00d0:trace:int:vectored_handler rsi=00000000008e1f70 rdi=00000000008e0370 rbp=0000000000b5f370 rsp=0000000000b5f2f8 00d0:trace:int:vectored_handler r8=000000000027efb1 r9=00000000008e0370 r10=0000000000000000 r11=0000000000000000 00d0:trace:int:vectored_handler r12=0000000000000000 r13=00000000ffea4000 r14=0000000000000000 r15=0000000080000008 00d0:trace:seh:call_vectored_handlers handler at 0x22cfa0 returned ffffffff 00d0:trace:seh:raise_exception code=c0000005 flags=0 addr=0xc88ad4 ip=c88ad4 tid=00d0 00d0:trace:seh:raise_exception info[0]=0000000000000000 00d0:trace:seh:raise_exception info[1]=ffffffffffffffff 00d0:trace:seh:raise_exception rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000480 rdx=000000009c000400 00d0:trace:seh:raise_exception rsi=00000000008e1f70 rdi=00000000008e0370 rbp=0000000000b5f370 rsp=0000000000b5f2f8 00d0:trace:seh:raise_exception r8=000000000027efb1 r9=00000000008e0370 r10=0000000000000000 r11=0000000000000000 00d0:trace:seh:raise_exception r12=0000000000000000 r13=00007fffffea4000 r14=0000000000000000 r15=0000000080000008 00d0:trace:seh:call_vectored_handlers calling handler at 0x22cfa0 code=c0000005 flags=0 00d0:trace:int:emulate_instruction rdmsr CR 0x00000480 00d0:trace:seh:call_vectored_handlers handler at 0x22cfa0 returned 0 00d0:warn:seh:virtual_unwind exception data not found in L"denuvo-anti-cheat.sys" --- snip ---
Relevant disassembly snippet of driver:
--- snip --- 0000000140008AC0 | 4C:8BC9 | mov r9,rcx | 0000000140008AC3 | 0F20E0 | mov rax,cr4 | 0000000140008AC6 | 48:C1E8 0D | shr rax,D | 0000000140008ACA | 24 01 | and al,1 | 0000000140008ACC | 8841 51 | mov byte ptr ds:[rcx+51],al | --- snip ---
CR4 -> bit 13 set -> VMXE
--- snip --- 0000000140008ACF | B9 80040000 | mov ecx,480 | 0000000140008AD4 | 0F32 | rdmsr | 0000000140008AD6 | 48:C1E2 20 | shl rdx,20 | 0000000140008ADA | B9 81040000 | mov ecx,481 | 0000000140008ADF | 48:0BC2 | or rax,rdx | 0000000140008AE2 | 49:8941 58 | mov qword ptr ds:[r9+58],rax | 0000000140008AE6 | 0F32 | rdmsr | 0000000140008AE8 | 48:C1E2 20 | shl rdx,20 | 0000000140008AEC | B9 82040000 | mov ecx,482 | 0000000140008AF1 | 48:0BC2 | or rax,rdx | 0000000140008AF4 | 49:8941 60 | mov qword ptr ds:[r9+60],rax | 0000000140008AF8 | 0F32 | rdmsr | 0000000140008AFA | 48:C1E2 20 | shl rdx,20 | 0000000140008AFE | B9 83040000 | mov ecx,483 | 0000000140008B03 | 48:0BC2 | or rax,rdx | 0000000140008B06 | 4C:8BC0 | mov r8,rax | 0000000140008B09 | 49:8941 68 | mov qword ptr ds:[r9+68],rax | 0000000140008B0D | 0F32 | rdmsr | 0000000140008B0F | 48:C1E2 20 | shl rdx,20 | 0000000140008B13 | B9 84040000 | mov ecx,484 | 0000000140008B18 | 48:0BC2 | or rax,rdx | 0000000140008B1B | 49:8941 70 | mov qword ptr ds:[r9+70],rax | 0000000140008B1F | 0F32 | rdmsr | 0000000140008B21 | 48:C1E2 20 | shl rdx,20 | 0000000140008B25 | B9 85040000 | mov ecx,485 | 0000000140008B2A | 48:0BC2 | or rax,rdx | 0000000140008B2D | 49:8941 78 | mov qword ptr ds:[r9+78],rax | 0000000140008B31 | 0F32 | rdmsr | 0000000140008B33 | 48:C1E2 20 | shl rdx,20 | 0000000140008B37 | B9 86040000 | mov ecx,486 | 0000000140008B3C | 48:0BC2 | or rax,rdx | 0000000140008B3F | 49:8981 80000000 | mov qword ptr ds:[r9+80],rax | 0000000140008B46 | 0F32 | rdmsr | 0000000140008B48 | 48:C1E2 20 | shl rdx,20 | 0000000140008B4C | B9 87040000 | mov ecx,487 | 0000000140008B51 | 48:0BC2 | or rax,rdx | 0000000140008B54 | 49:8981 88000000 | mov qword ptr ds:[r9+88],rax | 0000000140008B5B | 0F32 | rdmsr | 0000000140008B5D | 48:C1E2 20 | shl rdx,20 | 0000000140008B61 | B9 88040000 | mov ecx,488 | 0000000140008B66 | 48:0BC2 | or rax,rdx | 0000000140008B69 | 49:8981 90000000 | mov qword ptr ds:[r9+90],rax | 0000000140008B70 | 0F32 | rdmsr | 0000000140008B72 | 48:C1E2 20 | shl rdx,20 | 0000000140008B76 | B9 89040000 | mov ecx,489 | 0000000140008B7B | 48:0BC2 | or rax,rdx | 0000000140008B7E | 49:8981 98000000 | mov qword ptr ds:[r9+98],rax | 0000000140008B85 | 0F32 | rdmsr | 0000000140008B87 | 48:C1E2 20 | shl rdx,20 | 0000000140008B8B | B9 8A040000 | mov ecx,48A | 0000000140008B90 | 48:0BC2 | or rax,rdx | 0000000140008B93 | 49:8981 A0000000 | mov qword ptr ds:[r9+A0],rax | 0000000140008B9A | 0F32 | rdmsr | 0000000140008B9C | 48:C1E2 20 | shl rdx,20 | 0000000140008BA0 | 45:33D2 | xor r10d,r10d | 0000000140008BA3 | 48:0BC2 | or rax,rdx | 0000000140008BA6 | 49:8981 A8000000 | mov qword ptr ds:[r9+A8],rax | 0000000140008BAD | 4D:85C0 | test r8,r8 | 0000000140008BB0 | 79 3B | jns denuvo-anti-cheat.140008BED | 0000000140008BB2 | B9 8B040000 | mov ecx,48B | 0000000140008BB7 | 0F32 | rdmsr | 0000000140008BB9 | 48:C1E2 20 | shl rdx,20 | 0000000140008BBD | 48:B9 0000000022000000 | mov rcx,2200000000 | 0000000140008BC7 | 48:0BC2 | or rax,rdx | 0000000140008BCA | 49:8981 B0000000 | mov qword ptr ds:[r9+B0],rax | 0000000140008BD1 | 48:85C1 | test rcx,rax | 0000000140008BD4 | 74 1E | je denuvo-anti-cheat.140008BF4 | 0000000140008BD6 | B9 8C040000 | mov ecx,48C | 0000000140008BDB | 0F32 | rdmsr | 0000000140008BDD | 48:C1E2 20 | shl rdx,20 | 0000000140008BE1 | 48:0BC2 | or rax,rdx | 0000000140008BE4 | 49:8981 B8000000 | mov qword ptr ds:[r9+B8],rax | 0000000140008BEB | EB 0E | jmp denuvo-anti-cheat.140008BFB | 0000000140008BED | 4D:8991 B0000000 | mov qword ptr ds:[r9+B0],r10 | 0000000140008BF4 | 4D:8991 B8000000 | mov qword ptr ds:[r9+B8],r10 | 0000000140008BFB | 48:B9 0000000000008000 | mov rcx,80000000000000 | 0000000140008C05 | 49:8549 58 | test qword ptr ds:[r9+58],rcx | 0000000140008C09 | 74 5D | je denuvo-anti-cheat.140008C68 | 0000000140008C0B | B9 8D040000 | mov ecx,48D | 0000000140008C10 | 0F32 | rdmsr | 0000000140008C12 | 48:C1E2 20 | shl rdx,20 | 0000000140008C16 | B9 8E040000 | mov ecx,48E | 0000000140008C1B | 48:0BC2 | or rax,rdx | 0000000140008C1E | 49:8981 C0000000 | mov qword ptr ds:[r9+C0],rax | 0000000140008C25 | 0F32 | rdmsr | 0000000140008C27 | 48:C1E2 20 | shl rdx,20 | 0000000140008C2B | B9 8F040000 | mov ecx,48F | 0000000140008C30 | 48:0BC2 | or rax,rdx | 0000000140008C33 | 49:8981 C8000000 | mov qword ptr ds:[r9+C8],rax | 0000000140008C3A | 0F32 | rdmsr | 0000000140008C3C | 48:C1E2 20 | shl rdx,20 | 0000000140008C40 | B9 90040000 | mov ecx,490 | 0000000140008C45 | 48:0BC2 | or rax,rdx | 0000000140008C48 | 49:8981 D0000000 | mov qword ptr ds:[r9+D0],rax | 0000000140008C4F | 0F32 | rdmsr | 0000000140008C51 | 48:C1E2 20 | shl rdx,20 | 0000000140008C55 | 48:0BC2 | or rax,rdx | 0000000140008C58 | 49:8981 D8000000 | mov qword ptr ds:[r9+D8],rax | 0000000140008C5F | 41:C741 54 11000000 | mov dword ptr ds:[r9+54],11 | 0000000140008C67 | C3 | ret | 0000000140008C68 | 4D:8991 D8000000 | mov qword ptr ds:[r9+D8],r10 | 0000000140008C6F | 4D:8991 D0000000 | mov qword ptr ds:[r9+D0],r10 | 0000000140008C76 | 4D:8991 C8000000 | mov qword ptr ds:[r9+C8],r10 | 0000000140008C7D | 4D:8991 C0000000 | mov qword ptr ds:[r9+C0],r10 | 0000000140008C84 | 41:C741 54 11000000 | mov dword ptr ds:[r9+54],11 | 0000000140008C8C | C3 | ret | --- snip ---
The patch (hack) from https://bugs.winehq.org/show_bug.cgi?id=49194#c1 returns zero rax and rdx for any MSR which isn't recognized in 'emulate_instruction()'
Wine source:
https://source.winehq.org/git/wine.git/blob/b65ca133052ed9053e48c571155a764d...
--- snip --- 769 case 0x32: /* rdmsr */ 770 { 771 ULONG reg = context->Rcx; 772 TRACE("rdmsr CR 0x%08x\n", reg); 773 switch (reg) 774 { 775 case MSR_LSTAR: 776 { 777 ULONG_PTR syscall_address = (ULONG_PTR)fake_syscall_function; 778 context->Rdx = (ULONG)(syscall_address >> 32); 779 context->Rax = (ULONG)syscall_address; 780 break; 781 } 782 default: return ExceptionContinueSearch; 783 } 784 context->Rip += prefixlen + 2; 785 return ExceptionContinueExecution; 786 } --- snip ---
Since the VMX MSR range is well known there could be a default handler for these regs, returning fake (0) values.
---
Tidbits:
Python app to dump VMX capabilities from userspace:
https://github.com/qemu/qemu/blob/master/scripts/kvm/vmxcap
--- snip --- $ sudo ./vmxcap.py
Basic VMX Information Hex: 0xda040000000012 Revision 18 VMCS size 1024 VMCS restricted to 32 bit addresses no Dual-monitor support yes VMCS memory type 6 INS/OUTS instruction information yes IA32_VMX_TRUE_*_CTLS support yes pin-based controls External interrupt exiting yes NMI exiting yes Virtual NMIs yes Activate VMX-preemption timer yes Process posted interrupts no primary processor-based controls Interrupt window exiting yes Use TSC offsetting yes HLT exiting yes INVLPG exiting yes MWAIT exiting yes RDPMC exiting yes RDTSC exiting yes CR3-load exiting default CR3-store exiting default CR8-load exiting yes CR8-store exiting yes Use TPR shadow yes NMI-window exiting yes MOV-DR exiting yes Unconditional I/O exiting yes Use I/O bitmaps yes Monitor trap flag yes Use MSR bitmaps yes MONITOR exiting yes PAUSE exiting yes Activate secondary control yes secondary processor-based controls Virtualize APIC accesses yes Enable EPT yes Descriptor-table exiting yes Enable RDTSCP yes Virtualize x2APIC mode yes Enable VPID yes WBINVD exiting yes Unrestricted guest yes APIC register emulation no Virtual interrupt delivery no PAUSE-loop exiting yes RDRAND exiting yes Enable INVPCID yes Enable VM functions yes VMCS shadowing no Enable ENCLS exiting no RDSEED exiting no Enable PML no EPT-violation #VE no Conceal non-root operation from PT no Enable XSAVES/XRSTORS no Mode-based execute control (XS/XU) no Sub-page write permissions no GPA translation for PT no TSC scaling no User wait and pause no ENCLV exiting no VM-Exit controls Save debug controls default Host address-space size yes Load IA32_PERF_GLOBAL_CTRL yes Acknowledge interrupt on exit yes Save IA32_PAT yes Load IA32_PAT yes Save IA32_EFER yes Load IA32_EFER yes Save VMX-preemption timer value yes Clear IA32_BNDCFGS no Conceal VM exits from PT no Clear IA32_RTIT_CTL no VM-Entry controls Load debug controls default IA-32e mode guest yes Entry to SMM yes Deactivate dual-monitor treatment yes Load IA32_PERF_GLOBAL_CTRL yes Load IA32_PAT yes Load IA32_EFER yes Load IA32_BNDCFGS no Conceal VM entries from PT no Load IA32_RTIT_CTL no Miscellaneous data Hex: 0x300481e5 VMX-preemption timer scale (log2) 5 Store EFER.LMA into IA-32e mode guest control yes HLT activity state yes Shutdown activity state yes Wait-for-SIPI activity state yes PT in VMX operation no IA32_SMBASE support yes Number of CR3-target values 4 MSR-load/store count recommendation 0 IA32_SMM_MONITOR_CTL[2] can be set to 1 yes VMWRITE to VM-exit information fields yes Inject event with insn length=0 no MSEG revision identifier 0 VPID and EPT capabilities Hex: 0xf0106334141 Execute-only EPT translations yes Page-walk length 4 yes Paging-structure memory type UC yes Paging-structure memory type WB yes 2MB EPT pages yes 1GB EPT pages yes INVEPT supported yes EPT accessed and dirty flags yes Advanced VM-exit information for EPT violations no Single-context INVEPT yes All-context INVEPT yes INVVPID supported yes Individual-address INVVPID yes Single-context INVVPID yes All-context INVVPID yes Single-context-retaining-globals INVVPID yes VM Functions Hex: 0x1 EPTP Switching yes --- snip ---
Poor man's version (msr-tools):
--- snip --- $ for i in `seq 0x480 0x490` ; do sudo rdmsr -x $i ; done
da040000000012 7f00000016 fff9fffe0401e172 7fffff00036dff ffff000011ff 300481e5 80000021 ffffffff 2000 1727ff 2a 3cff00000000 f0106334141 7f00000016 fff9fffe04006172 7fffff00036dfb ffff000011fb --- snip ---
$ wine --version wine-5.8-321-gf0a8061663
Regards
https://bugs.winehq.org/show_bug.cgi?id=49221
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- URL| |https://store.steampowered. | |com/app/782330/ Keywords| |obfuscation
https://bugs.winehq.org/show_bug.cgi?id=49221
Fabian Maurer dark.shadow4@web.de changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |dark.shadow4@web.de
--- Comment #1 from Fabian Maurer dark.shadow4@web.de --- I'm assuming this is only for Intel CPUs. Is there a similar issue with AMD?
https://bugs.winehq.org/show_bug.cgi?id=49221
--- Comment #2 from Anastasius Focht focht@gmx.net --- Hello Fabian,
--- quote --- I'm assuming this is only for Intel CPUs. Is there a similar issue with AMD? --- quote ---
regarding VMX MSRs one would assume Intel only. I don't have an AMD processor so I can only simulate the code paths in the driver.
--- snip --- <preceding code collects basic cpuid(0), cpuid(1) information> r9b = flag(1) = "GenuineIntel" detected r14b = flag(1) = "AuthenticAMD" detected ... 00000001400088AA | xor ecx,ecx | 00000001400088AC | mov eax,1 | 00000001400088B1 | cpuid | 00000001400088B3 | mov eax,edx | 00000001400088B5 | shr eax,5 | 00000001400088B8 | and al,1 | 00000001400088BA | mov byte ptr ds:[rdi+4C],al | RDMSR/WRMSR support? 00000001400088BD | mov eax,edx | 00000001400088BF | shr eax,C | 00000001400088C2 | and al,1 | 00000001400088C4 | mov byte ptr ds:[rdi+4D],al | MTRR support? 00000001400088C7 | mov eax,edx | 00000001400088C9 | shr eax,6 | 00000001400088CC | and al,1 | 00000001400088CE | mov byte ptr ds:[rdi+4E],al | phys addr extensions? 00000001400088D1 | mov eax,edx | 00000001400088D3 | shr eax,10 | 00000001400088D6 | and al,1 | 00000001400088D8 | shr edx,1C | 00000001400088DB | mov byte ptr ds:[rdi+4B],al | page attribute table? 00000001400088DE | and dl,1 | 00000001400088E1 | mov eax,ecx | 00000001400088E3 | mov byte ptr ds:[rdi+49],dl | hyper-threading? 00000001400088E6 | shr eax,1F | 00000001400088E9 | and al,1 | 00000001400088EB | mov byte ptr ds:[rdi+50],al | hypervisor present? 00000001400088EE | test r9b,r9b | flag for vendor Intel 00000001400088F1 | je denuvo-anti-cheat.1400088F8 | ZF -> not Intel 00000001400088F3 | shr ecx,5 | has msr? 00000001400088F6 | jmp denuvo-anti-cheat.140008909 | 00000001400088F8 | test r14b,r14b | flag for vendor AMD 00000001400088FB | je denuvo-anti-cheat.140008921 | ZF -> not AMD 00000001400088FD | xor ecx,ecx | 00000001400088FF | mov eax,80000001 | Extended Processor Info 0000000140008904 | cpuid | 0000000140008906 | shr ecx,2 | AMD SVM enabled ? 0000000140008909 | and cl,1 | 000000014000890C | mov eax,7 | Extended Features 0000000140008911 | mov byte ptr ds:[rdi+4F],cl | has SVM or MSR support 0000000140008914 | xor ecx,ecx | 0000000140008916 | cpuid | 0000000140008918 | shr ebx,12 | 000000014000891B | and bl,1 | RDSEED support? 000000014000891E | mov byte ptr ds:[rdi+4A],bl | 1 = has RDSEED support 0000000140008921 | cmp byte ptr ds:[rdi+4C],1 | MSR support? 0000000140008925 | jne denuvo-anti-cheat.140008956 | 0000000140008927 | test r9b,r9b | flag for vendor Intel 000000014000892A | je denuvo-anti-cheat.14000893A | ZF -> not Intel 000000014000892C | cmp byte ptr ds:[rdi+4F],1 | SVM or MSR support? 0000000140008930 | jne denuvo-anti-cheat.14000893A | 0000000140008932 | mov rcx,rdi | 0000000140008935 | call denuvo-anti-cheat.140008AC0 | read VMX MSRs 000000014000893A | cmp byte ptr ds:[rdi+4D],1 | ... --- snip ---
If I'm not mistaken it seems possible to enter the code path that reads the VMX MSRs (subroutine 0x140008935) even on AMD cpus.
https://www.amd.com/system/files/TechDocs/25481.pdf
if CPUID Fn0000_0001_EDX Bit 5 = MSR: AMD model-specific registers
_and_
if CPUID Fn8000_0001_ECX Bit 2 = SVM: secure virtual machine.
Not sure how this can work. I know that Hypervisors/VMMs intercept all kinds of instructions, including RDMSR. But it would be strange to advertise VMX features on AMD by emulating these Intel MSRs. Maybe I'm wrong here and the code path can't be entered.
Could someone check what happens on AMD:
--- snip --- $ sudo rdmsr -x 0x480 --- snip ---
Regards
https://bugs.winehq.org/show_bug.cgi?id=49221
--- Comment #3 from Fabian Maurer dark.shadow4@web.de ---
Could someone check what happens on AMD
rdmsr: CPU 0 cannot read MSR 0x00000480
https://bugs.winehq.org/show_bug.cgi?id=49221
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed by SHA1| |6ceb6c7f47c225c117dd514ffdb | |15a0cb4317753 Status|NEW |RESOLVED Summary|Denuvo Anti-Cheat |Denuvo Anti-Cheat |'denuvo-anti-cheat.sys' |'denuvo-anti-cheat.sys' |needs instruction emulation |crashes due to unhandled |for querying VMX |emulation of MSR register |capabilities via MSR |reads related to CPU / |0x480..0x490 |virtualization features | |(returning zero value is | |sufficient) Resolution|--- |FIXED
--- Comment #4 from Anastasius Focht focht@gmx.net --- Hello folks,
this is fixed by commit https://source.winehq.org/git/wine.git/commitdiff/6ceb6c7f47c225c117dd514ffd... ("ntoskrnl.exe: Return zero for unknown msr registers.")
Thanks Paul.
$ wine --version wine-5.9-23-gba920246e5
Regards
https://bugs.winehq.org/show_bug.cgi?id=49221
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED
--- Comment #5 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 5.10.
https://bugs.winehq.org/show_bug.cgi?id=49221
Michael Stefaniuc mstefani@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |5.0.x
https://bugs.winehq.org/show_bug.cgi?id=49221
Michael Stefaniuc mstefani@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|5.0.x |---
--- Comment #6 from Michael Stefaniuc mstefani@winehq.org --- Removing the 5.0.x milestone from bug fixes included in 5.0.3.
-
WineHQ Bugzilla