As we all know, some (kinda worthless) "copy protection" software exists out there that doesn't work under Wine. Some of these work under win9x and winNT by using a different set of techniques for each OS. The winNT code installs a kernel driver, so I'm mainly interested in the win95 code, which only messes with Win95 internals to check that no debugger is snooping, before proceeding.
I know of two Wine architecture issues that must be resolved before the anti-debugger check can succeed in win95 mode.
1. It checks that teb->debug_context (TEB offset 0x20) is zero. In Wine, it isn't (the NT pid is stored there), so this check fails.
Is it possible to change Wine's TEB structure to fix this?
2. It messes with the IDT. It uses the sidt instruction and tries to change the INT5 vector (BOUND exception vector), later to try to execute a BOUND and expect this vector to be branched to, all protected with exception handlers. Now, this would actually be possible for Wine to emulate, even though sidt is not a privileged instruction. The idea is that sidt returns an address to kernel space, where all access is prohibited, hence causing page faults. Wine could trap these, and then emulate the faulting instruction by operating on a fake IDT instead. The segfault caused by BOUND could then look up the fake IDT entry, and call the vector therein.
But to emulate an instruction from Wine's pre-exception page fault handler (VIRTUAL_HandleFault()), the current context must be passed along to it, so VIRTUAL_HandleFault and all Wine handlers that can be registered with VIRTUAL_SetFaultHandler must get an extra parameter. Is this too objectionable to do?
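The fake-IDT scheme from point 2, modelled as an added C example (not Wine's code and not part of the original post): a faulting access inside the real IDT is redirected to a user-space table, and the later BOUND fault is resolved through that table. It assumes the 32-bit x86 gate layout and an IDTR value supplied by the caller, and leaves the instruction decoding and the SIGSEGV plumbing out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Wine code: the fake-IDT scheme from the post, assuming
 * 32-bit x86 (8-byte gates, 256 vectors) and a 32-bit sidt operand. */
#define FAKE_IDT_ENTRIES 256
#define BOUND_VECTOR     5      /* #BR, raised by the BOUND instruction */
#define GATE_PRESENT     0x80   /* P bit in the gate attribute byte */
#pragma pack(push, 1)
typedef struct { uint16_t limit; uint32_t base; } idtr32_t;   /* what sidt stores */
typedef struct {                /* 32-bit interrupt/trap gate descriptor */
    uint16_t off_lo, sel;       /* handler offset 0..15, code selector */
    uint8_t  zero, attr;        /* reserved; P/DPL/type (0x8E = present 32-bit int gate) */
    uint16_t off_hi;            /* handler offset 16..31 */
} gate32_t;
#pragma pack(pop)
static gate32_t fake_idt[FAKE_IDT_ENTRIES];
static idtr32_t real_idtr;      /* kernel-space IDTR the trapped sidt returned */
/* Record the IDTR value the program obtained; the fake table starts empty. */
void fake_idt_init(uint16_t limit, uint32_t base) {
    real_idtr.limit = limit;
    real_idtr.base  = base;
    memset(fake_idt, 0, sizeof fake_idt);
}
/* Page-fault step: a faulting access inside the real IDT maps to the same byte
 * of the fake table, so the instruction can be replayed against user memory.
 * NULL means the fault was not an IDT access and must be handled as before. */
void *fake_idt_redirect(uint32_t fault_addr) {
    if (fault_addr < real_idtr.base ||
        (uint64_t)fault_addr > (uint64_t)real_idtr.base + real_idtr.limit)
        return NULL;
    return (uint8_t *)fake_idt + (fault_addr - real_idtr.base);
}
/* The program's emulated write of a new gate, going through the redirection. */
int fake_idt_install(int vector, uint32_t handler, uint16_t sel) {
    gate32_t g = { (uint16_t)handler, sel, 0, 0x8E, (uint16_t)(handler >> 16) };
    void *slot = vector < 0 ? NULL
               : fake_idt_redirect(real_idtr.base + (uint32_t)vector * 8u);
    if (!slot) return 0;
    memcpy(slot, &g, sizeof g);
    return 1;
}
/* BOUND step: the SIGSEGV for #BR looks up the fake vector and returns the
 * 32-bit handler address the program installed, or 0 if no present gate. */
uint32_t fake_idt_handler(int vector) {
    if (vector < 0 || vector >= FAKE_IDT_ENTRIES) return 0;
    const gate32_t *g = &fake_idt[vector];
    if (!(g->attr & GATE_PRESENT)) return 0;
    return ((uint32_t)g->off_hi << 16) | g->off_lo;
}
```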
Alexandre?