#12 MacOS is detected as Virtual Machine

Closed
opened 3 years ago by Artichaut · 43 comments

Hello everyone,

Before 1.1, I had the VM error but now, I have this error :

The procedure entry point StartThreadpoolIo could not be located in the dynamic link library KERNEL32.dll

I'm a macOS user and I'm using Crossover 20 (with Big Sur support), but I thought that Linux patches could help me (so if my message is not appropriate here, feel free to delete it).

The patches don't work (the one from UnknownCheats) and I don't really know how to patch it myself..

I've checked the md5 from my UnityPlayer.dll so it's supposed to work.

Another reason can be that Wine doesn't emulate its own Windows kernel, but it doesn't explain why it does work for other Linux users.

Thanks for reading ^^

(sorry for my english, it's not my native language)

Krock commented 3 years ago
Owner

The game worked only from 23 Oct (1.0.1 release) to 28 Oct (1.0.1 patch day). Currently all Linux users are stuck with the error code "31 - 4302" when connecting to the game server.

CrossOver 20 includes Wine 5.0, with 3,400 improvements, and selected patches from recent Wine with benefits to many popular applications.

(Information source: Changelog, https://www.codeweavers.com/crossover/changelog)

Looking at the current Wine status:

  • StartThreadpoolIO is contained in kernel32.dll (https://source.winehq.org/WineAPI/kernel32.html) - GOOD
  • .. and redirected to TpStartAsyncIoOperation, ntdll (https://source.winehq.org/WineAPI/ntdll.html) - GOOD
  • StartThreadpoolIo was implemented in this commit: https://github.com/wine-mirror/wine/commit/480d8b8253 - BAD. Needs Wine 5.3 or newer

Please wait for Crossover 21 or a patched version that includes this function. Wine 5.0 is too old to run Genshin Impact in general.

I probably have the skills to write a patch to get it working with Crossover 20. But the game cannot be played on Linux anyway, thus it's kinda pointless.
Artichaut commented 3 years ago
Poster

Wow, thanks a lot for your fast response! ^^ I understand, I’ll try to find (or create) a patch for Crossover or try to install Wine 5.3, and continue to learn about that stuff, so I can contribute (at least a little bit)

Have a great day ^^ (and thanks again)

Krock commented 3 years ago
Owner

You're welcome.

Artichaut commented 3 years ago
Poster

Hello everyone! First, thank u all for this huge work!! That's super impressive!

I'm still blocked with this error (sorry for reopening this issue). I've compiled Wine 6.0 rc2 myself (with 64-bit support) on Big Sur, because I didn't find any alternatives and I can't patch GI myself to work on Wine 5.0... (This post helped me: https://apple.stackexchange.com/a/376427)

I'm stuck with this error when trying to run Wine (6.0):

```
% ./wine start
002c:err:seh:call_stack_handlers invalid frame 00007FFF889A81F8 (0000000000122000-0000000000220000)
002c:err:seh:NtRaiseException Exception frame is not in stack limits => unable to dispatch exception.
0024:err:virtual:virtual_setup_exception stack overflow 240 bytes in thread 0024 addr 0x7fff203154cb stack 0x120f10 (0x120000-0x121000-0x220000)
```

If anyone knows how to make GI work on CrossOver or how to compile Wine correctly (on Mac), that would be awesome! (or if someone can give me hints so I can patch it myself)

Krock commented 3 years ago
Owner

> Also, note that obviously wine on macOS Catalina will be able to run only some 64-bit windows apps and all 32-bit windows app will not work.

Searching for virtual:virtual_setup_exception stack overflow led me to the following articles: https://forum.winehq.org/viewtopic.php?t=32412 and https://bugs.freedesktop.org/show_bug.cgi?id=108662 (dxvk only)

Does the same error appear when you run wine64 cmd?

  • If yes: Wine setup issue. Check whether Wine32 and Wine64 are installed properly. run wineclean ; ./wine64 winecfg to check whether a clean Win64 instance works
  • If no: Graphics issue. Create a new WINEPREFIX and run winetricks ddr=gdi ( ddr=opengl to revert)

EDIT: Perhaps PlayOnMac has a Wine version that works.

Artichaut commented 3 years ago
Poster

Wine is not "installed", I'm running it from its folder (where I've compiled it), so wineclean will return command not found and ./wine64 winecfg will return the same error as ./wine cmd or ./wine64 cmd. So I'm thinking that I've forgotten some step when compiling, or something else...

I've reinstalled POM but I can't choose another version of Wine when installing (there's only 'system', maybe I have to install Wine first), and when launching GI it says that I'm running it in a 32-bit drive, which is false (I've created a 64-bit bottle). I've also checked the Wine version, it was 4.12.1

I'm a bit clueless...

Edit: You said that it can be possible to patch CrossOver to work with GI, how could it be done?

Artichaut commented 3 years ago
Poster

Little update, I installed Wine 5.22 from https://github.com/Gcenx/homebrew-wine and I can run the GI launcher fine, but when I launch the game (already patched) it returns the same good old error:
Sorry, this application cannot run under a Virtual Machine
I'll retry to patch the game and see if it works

Edit: if needed, the md5 of the patched UnityPlayer.dll: d4f72aa9ae7af39580bb1124d5b74914
Edit2: because patch.sh doesn't work on macOS, I manually entered all commands (the first time and now) but it doesn't work at all. Maybe I'll have to reinstall the whole game again, but it's like 18Gb of files, so idk

Krock commented 3 years ago
Owner

This means VMprotect within GI somehow thinks that it's a virtual machine. Downloading the game again won't make a difference there. To get around this message box, I'd need a setup to analyze and patch out VMprotect. That however goes kinda deep into the Windows internals, and I'm not so motivated to spend time on that. Perhaps cheaters/hackers on Windows could provide some information on how to do that.

The md5 hash of the patched binary is d4f72aa9ae7af39580bb1124d5b74914, but this mismatch does not have any influence on your error.

About CrossOver: This is basically Wine, thus it is very likely that you'll get the same error message when the game starts up.

Sorry, I cannot help you with that issue.

Artichaut commented 3 years ago
Poster

But isn't it their own anticheat that makes that verification? Before 1.1, I saw Linux users getting this error, so I thought that your patch got rid of that error too (sorry if I'm wrong)

Krock commented 3 years ago
Owner

No, sorry. I don't know the origins of the Virtual Machine error. That's an anti-debugger and anti-VM system provided by Unity. What I did is to patch their anticheat, which is a separate part.

I'd really like to know which Linux users were affected by this error. Perhaps we could compare system specs to figure out possible causes.

All I can tell is that nVIDIA (proprietary driver) + Ubuntu 20.04 + Wine 5.17+ in combination with Intel CPUs work well.

Artichaut commented 3 years ago
Poster

My bad, I think I've misremembered: I saw posts of Linux users with VMs (not on Wine), sorry (so Linux users don't get that error on Wine after all)
I can't understand why the anti-VM detects Wine on Mac but not on Linux, so I'll have to search a bit more

Do you know where the anti-VM is located or called?

Krock commented 3 years ago
Owner

It's called VMprotect and is pretty common among commercial Unity games.

According to https://github.com/Marc-Pierre-Barbier/Genshin-Impact-on-linux it might be related to cpuid instructions/bitfields that are responsible for detecting a "virtual machine". Perhaps MacOS handles them differently?

Artichaut commented 3 years ago
Poster

Maybe macOS doesn't allow the cpuid instruction, but that seems weird.
Is there a way for Wine to "fake" (or disable) the hypervisor cpuid like in VMware?

Edit: I checked "regedit" and I found my CPU, so I don't know why VMprotect returns an error (cpuid should return a real CPU, not a "VM" one, I think)

Artichaut commented 3 years ago
Poster

Little update, I found that we can hide the Wine version with Wine-staging (https://www.reddit.com/r/wine_gaming/comments/fuzql8/wine_registry_key_to_hide_wine_version_from/) but it seems to do nothing with GI (not really surprising)

Krock commented 3 years ago
Owner

A few more inputs, gathered from "application cannot run under a Virtual Machine" search results.

  1. Does your computer name contain "DESKTOP"? (https://www.reddit.com/r/treeofsavior/comments/5kj8ye)
  2. Change the BIOS information (https://www.youtube.com/watch?v=NeJB4YTdJeM&feature=emb_title)
  3. Change the graphics identifier (method 1)
    1. regedit -> HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\VIDEO
    2. Navigate to the value inside that key (Machine = HKLM)
    3. Change DriverDesc to GeForce GTX 1070 or whatever matches your specs well
  4. Change the graphics identifier (method 2)
    1. Change the DeviceID (and VendorID) according to https://wiki.winehq.org/Useful_Registry_Keys

Artichaut commented 3 years ago
Poster

  1. Nope (it uses my computer's name)
  2. VideoBiosVersion (in HKLM>Hardware>Description>System) was not there, so I created a new multi-string value with nothing in it, but it didn't work
  3. The value of DriverDesc is already my GPU's name, but am I supposed to change the value's name? (change DriverDesc to IntelIrisPlusGraphics645) (It seems weird, so no, I suppose)
  4. DeviceID and VendorID were in HKCU>Software>Wine>Direct3D, and there's no Direct3D (or even Direct2D)... So I can't change that

Edit: I found that: https://kb.vmware.com/s/article/1009458, but idk how to access this "bit" and change its value, maybe macOS handles it differently so GI considers it as a VM
Edit2: I also found: https://github.com/jslegendre/macOS-CPUID, I built the file and executed it:

```
% cpuid
CPUID: 0x0806EA
Largest basic function number implemented: 0x16
Vendor ID: GenuineIntel
```

If that can be helpful...
Edit3: I was thinking about changing (or reading) that bit with some assembly, but I don't know assembly, so I'll try to learn a bit of it (but if someone knows assembly and wants to help, that would be really cool)
Edit4: it's mentioned in the github page of the 2nd edit, but I put it here if needed: https://en.wikipedia.org/wiki/CPUID
Edit5: I found this: https://blog.cubieserver.de/2018/query-cpuid-with-inline-assembly/, could be helpful to read bit 31 (for VM detection)
Edit6: sysctl -a shows all kernel parameters, and sysctl -w name=value sets the variable (https://www.oreilly.com/library/view/mac-os-x/0596003560/ch08s02s03.html)
Maybe I can find that value here
Edit7: also maybe this can help: https://opensource.apple.com/source/xnu/xnu-1228/osfmk/i386/cpuid.c but that would be cool if I can get the raw data of cpuid directly from cmd like here: https://unix.stackexchange.com/questions/349968/how-to-check-if-the-hypervisor-present-bit-is-set-using-cpuid
Edit8: This library can be helpful: https://github.com/anrieff/libcpuid and I found this issue: https://github.com/anrieff/libcpuid/issues/90

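The cpuid checks discussed in this post (the leaf 1 "hypervisor present" bit 31 and the vendor strings in leaves 0 and 0x40000000), as an added C example that is not code from the thread or from any of the linked projects; the helper names and the register-decoding layout are my own. It separates pure decode helpers from the hardware query so the decoding can be checked with constructed register values.

```c
/* Added example (not from the thread): read the CPUID fields that common
 * "are we in a virtual machine?" checks look at, so the result on a given
 * host can be compared with what an anti-VM check would see. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* GCC/clang: __cpuid(leaf, a, b, c, d) */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Registers returned by one CPUID query. */
struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

/* CPUID leaf 1, ECX bit 31: "hypervisor present". Documented as always 0
 * on bare-metal Intel/AMD CPUs; set by nearly every hypervisor for guests. */
int hypervisor_present(uint32_t leaf1_ecx)
{
    return (leaf1_ecx >> 31) & 1u;
}

/* Three 32-bit registers hold a 12-byte ASCII string, low byte first.
 * Leaf 0 reports the CPU vendor in EBX,EDX,ECX order ("GenuineIntel");
 * leaf 0x40000000 reports the hypervisor vendor in EBX,ECX,EDX order
 * ("KVMKVMKVM", "VMwareVMware", ...). Pass the registers in string order. */
void decode_vendor(uint32_t r0, uint32_t r1, uint32_t r2, char out[13])
{
    uint32_t regs[3] = { r0, r1, r2 };
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (char)((regs[i] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* Execute CPUID for one leaf. Returns 0 (registers zeroed) on non-x86 builds. */
int query_cpuid(uint32_t leaf, struct cpuid_regs *r)
{
    memset(r, 0, sizeof *r);
#if HAVE_CPUID
    __cpuid(leaf, r->eax, r->ebx, r->ecx, r->edx);
    return 1;
#else
    (void)leaf;
    return 0;
#endif
}

/* Print what an anti-VM check sees on this host.
 * Returns 1 if the hypervisor bit is set, 0 if not, -1 if CPUID is unavailable. */
int report_virtualization(void)
{
    struct cpuid_regs r;
    char vendor[13];

    if (!query_cpuid(0, &r))
        return -1;
    decode_vendor(r.ebx, r.edx, r.ecx, vendor);
    printf("CPU vendor:        %s\n", vendor);

    query_cpuid(1, &r);
    int hv = hypervisor_present(r.ecx);
    printf("Hypervisor bit:    %d\n", hv);

    if (hv) {
        /* Leaf 0x40000000 is only meaningful when the bit is set. */
        query_cpuid(0x40000000u, &r);
        decode_vendor(r.ebx, r.ecx, r.edx, vendor);
        printf("Hypervisor vendor: %s\n", vendor);
    }
    return hv;
}

int main(void)
{
    if (report_virtualization() < 0)
        puts("cpuid not available on this architecture");
    return 0;
}
```

Under Wine the instruction is executed by the real CPU, so a 1 here on a Mac that is not running inside a VM would point at the host exposing the bit rather than at Wine itself.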
Krock commented 3 years ago
Owner

One more idea: Could you please download al-khaser (https://notabug.org/Krock/GI-on-Linux/issues/7#issuecomment-22335) and run it as follows?

WINEDEBUG=-all wine al-khaser_wine_patched.exe

The executable does not terminate on its own, but you should see the sections Generic Sandboxe/VM Detection until (and including) QEMU Detection. Could you please upload these five sections to pastebin/hastebin/here?

EDIT: Reference output, Linux: https://pastebin.com/raw/H0Y1LhD0

Artichaut commented 3 years ago
Poster

I did run it, but it stops with a wine error :

Log

```zsh
% WINEDEBUG=-all wine64 al-khaser_wine_patched.exe
[al-khaser version 0.80]
-------------------------[Initialisation]-------------------------

[*] You are running: Microsoft Windows 7  Service Pack 1 (build 7601) 64-bit
[*] Warning: API ntdll.dll!CsrGetProcessId was expected to exist but was not found.
[*] Warning: API kernel32.dll!EnumProcessModulesEx was expected to exist but was not found.
[*] Warning: API ntdll.dll!NtCreateDebugObject was expected to exist but was not found.
[*] Warning: API ntdll.dll!NtWow64QueryVirtualMemory64 was expected to exist but was not found.
[*] Warning: API WUDFPlatform.dll!WudfIsAnyDebuggerPresent was expected to exist but was not found.
[*] Warning: API WUDFPlatform.dll!WudfIsKernelDebuggerPresent was expected to exist but was not found.
[*] Warning: API WUDFPlatform.dll!WudfIsUserDebuggerPresent was expected to exist but was not found.

<snip, irrelevant>

[*] Checking Interupt 1                                                                            [ GOOD ]
[*] Checking trap flag                                                                             wine: Unhandled exception 0x80000003 in thread 128 at address 0000000140002104 (thread 0128), starting debugger...
0x0000000140002104 main+0x10f4 in al-khaser_wine_patched: enter      $0x15ff,$0x35
Modules:
<snip, irrelevant>
zsh: killed     WINEDEBUG=-all wine64 al-khaser_wine_patched.exe
```

Maybe it can be solved easily?

Edit: I'm running Wine 5.22 (Staging)
Edit2: It does the same with al-khaser.exe

Krock commented 3 years ago
Owner

Interesting. That error means that MacOS' KERNEL32.dll does not process VEH exception callbacks (EDIT, removed).

Anyway, I removed that check too. Hopefully this updated binary will work: https://drive.google.com/file/d/1gLhiclBCCBFB1HxrzdWionUj3HqV1iq2/view?usp=sharing

  • md5: 55480b60c4a08dc18c864bf6107eaddb

EDIT: That error is a MacOS specific wine bug. The exception register is not read out, whereas it is on Linux here: https://github.com/wine-mirror/wine/blob/4ac05afd39aff3030e3379ee06e32d6544ef5d62/dlls/ntdll/unix/signal_x86_64.c#L1309
Artichaut commented 3 years ago
Poster

Thanks! It works a little bit better

Log

```zsh
% WINEDEBUG=-all wine64 al-khaser_wine_patched_no_trap_check.exe
[al-khaser version 0.80]
-------------------------[Initialisation]-------------------------

[*] You are running: Microsoft Windows 7  Service Pack 1 (build 7601) 64-bit
[*] Warning: API ntdll.dll!CsrGetProcessId was expected to exist but was not found.
[*] Warning: API kernel32.dll!EnumProcessModulesEx was expected to exist but was not found.
[*] Warning: API ntdll.dll!NtCreateDebugObject was expected to exist but was not found.
[*] Warning: API ntdll.dll!NtWow64QueryVirtualMemory64 was expected to exist but was not found.
[*] Warning: API WUDFPlatform.dll!WudfIsAnyDebuggerPresent was expected to exist but was not found.
[*] Warning: API WUDFPlatform.dll!WudfIsKernelDebuggerPresent was expected to exist but was not found.
[*] Warning: API WUDFPlatform.dll!WudfIsUserDebuggerPresent was expected to exist but was not found.

-------------------------[TLS Callbacks]-------------------------
[*] TLS process attach callback                                                                    [ GOOD ]
[*] TLS thread attach callback                                                                     [ GOOD ]

-------------------------[Debugger Detection]-------------------------
[*] Checking IsDebuggerPresent API                                                                 [ GOOD ]
[*] Checking PEB.BeingDebugged                                                                     [ GOOD ]
[*] Checking CheckRemoteDebuggerPresent API                                                        [ GOOD ]
[*] Checking PEB.NtGlobalFlag                                                                      [ GOOD ]
[*] Checking ProcessHeap.Flags                                                                     [ GOOD ]
[*] Checking ProcessHeap.ForceFlags                                                                [ GOOD ]
[*] Checking Low Fragmentation Heap                                                                [ GOOD ]
[*] Checking NtQueryInformationProcess with ProcessDebugPort                                       [ GOOD ]
[*] Checking NtQueryInformationProcess with ProcessDebugFlags                                      [ GOOD ]
[*] Checking NtQueryInformationProcess with ProcessDebugObject                                     [ GOOD ]
[*] Checking WudfIsAnyDebuggerPresent API                                                          [ GOOD ]
[*] Checking WudfIsKernelDebuggerPresent API                                                       [ GOOD ]
[*] Checking WudfIsUserDebuggerPresent API                                                         [ GOOD ]
[*] Checking NtSetInformationThread with ThreadHideFromDebugger                                    [ GOOD ]
[*] Checking CloseHandle with an invalide handle                                                   [ GOOD ]
[*] Checking UnhandledExcepFilterTest                                                              [ GOOD ]
[*] Checking OutputDebugString                                                                     [ GOOD ]
[*] Checking Hardware Breakpoints                                                                  [ GOOD ]
[*] Checking Software Breakpoints                                                                  [ GOOD ]
[*] Checking Interupt 0x2d                                                                         [ GOOD ]
[*] Checking Interupt 1                                                                            [ GOOD ]
[*] Checking Memory Breakpoints PAGE GUARD                                                         [ GOOD ]
[*] Checking If Parent Process is explorer.exe                                                     [ GOOD ]
[*] Checking SeDebugPrivilege                                                                      [ GOOD ]
[*] Checking NtYieldExecution                                                                      [ BAD  ]
[*] Checking CloseHandle protected handle trick                                                    [ GOOD ]
[*] Checking NtQuerySystemInformation with SystemKernelDebuggerInformation                         [ GOOD ]
[*] Checking SharedUserData->KdDebuggerEnabled                                                     [ GOOD ]
[*] Checking if process is in a job                                                                [ GOOD ]
[*] Checking VirtualAlloc write watch (buffer only)                                                [ GOOD ]
[*] Checking VirtualAlloc write watch (API calls)                                                  ReadProcessMemory succeeded when it should've failed... not sure what happened!
Write watch API check skipped, ignore the result as it is inconclusive.
[ GOOD ]
[*] Checking VirtualAlloc write watch (IsDebuggerPresent)                                                                      [ GOOD ]
[*] Checking VirtualAlloc write watch (code write)                                                 [ GOOD ]
[*] Checking for page exception breakpoints                                                        [ GOOD ]
[*] Checking for API hooks outside module bounds                                                   [ GOOD ]

-------------------------[DLL Injection Detection]-------------------------
[*] Enumerating modules with EnumProcessModulesEx [32-bit]                                          [!] Injected library: Z:\Users\leo\Downloads\al-khaser_wine_patched_no_trap_check.exe
[ BAD  ]
[*] Enumerating modules with EnumProcessModulesEx [64-bit]                                          [!] Injected library: Z:\Users\leo\Downloads\al-khaser_wine_patched_no_trap_check.exe
[ BAD  ]
[*] Enumerating modules with EnumProcessModulesEx [ALL]                                             [!] Injected library: Z:\Users\leo\Downloads\al-khaser_wine_patched_no_trap_check.exe
[ BAD  ]
[*] Enumerating modules with ToolHelp32                                                             [!] Injected library: Z:\Users\leo\Downloads\al-khaser_wine_patched_no_trap_check.exe
[ BAD  ]
[*] Enumerating the process LDR via LdrEnumerateLoadedModules                                      [ BAD  ]
[*] Enumerating the process LDR directly                                                            [!] Injected library: Z:\Users\leo\Downloads\al-khaser_wine_patched_no_trap_check.exe
[ BAD  ]

-------------------------[Generic Sandboxe/VM Detection]-------------------------
[*] Checking if process loaded modules contains: avghookx.dll                                      [ GOOD ]
[*] Checking if process loaded modules contains: avghooka.dll                                      [ GOOD ]
[*] Checking if process loaded modules contains: snxhk.dll                                         [ GOOD ]
[*] Checking if process loaded modules contains: sbiedll.dll                                       [ GOOD ]
[*] Checking if process loaded modules contains: dbghelp.dll                                       [ GOOD ]
[*] Checking if process loaded modules contains: api_log.dll                                       [ GOOD ]
[*] Checking if process loaded modules contains: dir_watch.dll                                     [ GOOD ]
[*] Checking if process loaded modules contains: pstorec.dll                                       [ GOOD ]
[*] Checking if process loaded modules contains: vmcheck.dll                                       [ GOOD ]
[*] Checking if process loaded modules contains: wpespy.dll                                        [ GOOD ]
[*] Checking if process loaded modules contains: cmdvrt64.dll                                      [ GOOD ]
[*] Checking if process loaded modules contains: cmdvrt32.dll                                      [ GOOD ]
wine: Unhandled page fault on read access to FFFFFFFFFFFFFFFF at address 000000014000AEA0 (thread 0240), starting debugger...
Unhandled exception: page fault on read access to 0xffffffffffffffff in 64-bit code (0x000000014000aea0).
Register dump:
 rip:000000014000aea0 rsp:0000000000219730 rbp:0000000000219830 eflags:00010202 (  R- --  I   - - - )
```
 rax:000000006820cb00 rbx:0000000000000000 rcx:20746f6e00000000 rdx:00000000709f4740
 rsi:0000000000000000 rdi:0000000000219cf0  r8:000000007bc31641  r9:00007ffefe630000 r10:0000000000000000
 r11:00000000002199e8 r12:0000000000000000 r13:0000000000000000 r14:0000000000000001 r15:0000000000000000
Stack dump:
0x0000000000219730:  0000000000000000 0000000000219788
0x0000000000219740:  000022cdbab17ddc 0000000000000007
0x0000000000219750:  0000000140017a68 0000000140017a80
0x0000000000219760:  0000000140017a90 0000000140017aa8
0x0000000000219770:  0000000140017ac0 0000000140017ad8
0x0000000000219780:  0000000140017af0 0000000140017b08
0x0000000000219790:  0000000000000000 0000000100000000
0x00000000002197a0:  00400063004100ee 00ed000000000007
0x00000000002197b0:  0000004100ee0040 0000000000010078
0x00000000002197c0:  0020005d002a005b 0063006500680043
0x00000000002197d0:  0067006e0069006b 0020006600690020
0x00000000002197e0:  0063006f00720070 0020007300730065
Backtrace:
=>0 0x000000014000aea0 in al-khaser_wine_patched_no_trap_ (+0xaea0) (0x0000000000219830)
  1 0x0000000140003488 in al-khaser_wine_patched_no_trap_ (+0x3487) (0x0000000000219af0)
  2 0x00000001400119f8 in al-khaser_wine_patched_no_trap_ (+0x119f7) (0x000000000021fe40)
  3 0x000000007b636889 EntryPoint+0xffffffffffffffff() in kernel32 (0x000000000021fe40)
  4 0x000000007bc6eeb6 EntryPoint+0xffffffffffffffff() in ntdll (0x000000000021fed0)
0x000000014000aea0: movq        0x0000000000000068(%rcx),%rcx
Modules:
<irrelevant>
zsh: killed     WINEDEBUG=-all wine64 al-khaser_wine_patched_no_trap_check.exe

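Comparing which al-khaser checks trip under CrossOver against a run on a real Windows box means reading dumps like the one above, where a verdict is sometimes pushed onto a later line by interleaved wine warnings or "[!] Injected library" notes. As an added example for this thread (not al-khaser's, Wine's or any participant's code), the Python script below parses that output format and lists the BAD checks per section; the embedded sample log is constructed to mimic the format shown here, including a spilled verdict and a run that dies mid-check.

```python
"""Summarise an al-khaser console log: which checks came back BAD, per section.

Added example for this thread, not al-khaser's or Wine's own code. It handles the
two quirks visible in the dumps above: a verdict ("[ GOOD ]" / "[ BAD  ]") that is
pushed onto a later line by interleaved output (wine: warnings, "[!] Injected
library" notes, free-text remarks), and a run that dies before printing a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^-+\[(?P<name>[^\]]+)\]-+$")
CHECK_RE = re.compile(r"^\[\*\]\s*(?P<rest>.*)$")
VERDICT_RE = re.compile(r"\[\s*(?P<verdict>GOOD|BAD)\s*\]")


@dataclass
class Check:
    section: str
    name: str
    verdict: Optional[str]               # "GOOD", "BAD", or None if no verdict was printed
    notes: List[str] = field(default_factory=list)   # output interleaved with the check


def _split_verdict(text: str):
    """Return (text before the verdict, verdict or None, text after it)."""
    m = VERDICT_RE.search(text)
    if m is None:
        return text, None, ""
    return text[:m.start()], m.group("verdict"), text[m.end():]


def parse_log(log: str) -> List[Check]:
    """Turn raw al-khaser output into a list of Check records, in log order."""
    checks: List[Check] = []
    section = "(no section)"
    pending: Optional[Check] = None      # a check still waiting for its verdict

    def flush() -> None:
        nonlocal pending
        if pending is not None:
            checks.append(pending)
            pending = None

    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            flush()
            section = sec.group("name").strip()
            continue
        chk = CHECK_RE.match(line)
        if chk:
            flush()
            before, verdict, after = _split_verdict(chk.group("rest"))
            # al-khaser pads the check name out to a fixed column, so a run of two or
            # more spaces separates the name from anything printed on the same line.
            parts = re.split(r"\s{2,}", before.strip(), maxsplit=1)
            notes = [p for p in parts[1:] + [after.strip()] if p]
            check = Check(section, parts[0], verdict, notes)
            if verdict is None:
                pending = check          # verdict (if any) will arrive on a later line
            else:
                checks.append(check)
            continue
        # Any other line belongs to the pending check: either its delayed verdict
        # or diagnostic output (wine warnings, crash dump) printed in between.
        if pending is not None:
            before, verdict, _ = _split_verdict(line)
            if before.strip():
                pending.notes.append(before.strip())
            if verdict is not None:
                pending.verdict = verdict
                flush()
    flush()
    return checks


def bad_checks(checks: List[Check]) -> Dict[str, List[str]]:
    """Map each section to the names of the checks that reported BAD."""
    out: Dict[str, List[str]] = {}
    for c in checks:
        if c.verdict == "BAD":
            out.setdefault(c.section, []).append(c.name)
    return out


# Constructed sample in the format al-khaser prints (not a real run): it includes a
# verdict spilled onto a later line, wine warnings between check and verdict, and a
# run that crashes before the last check gets its verdict.
SAMPLE_LOG = r"""
[al-khaser version 0.80]
-------------------------[Initialisation]-------------------------
[*] Warning: API kernel32.dll!EnumProcessModulesEx was expected to exist but was not found.
-------------------------[Debugger Detection]-------------------------
[*] Checking IsDebuggerPresent API                                                                 [ GOOD ]
[*] Checking NtYieldExecution                                                                      [ BAD  ]
[*] Checking VirtualAlloc write watch (API calls)                                                  ReadProcessMemory succeeded when it should've failed... not sure what happened!
Write watch API check skipped, ignore the result as it is inconclusive.
[ GOOD ]
-------------------------[DLL Injection Detection]-------------------------
[*] Enumerating modules with ToolHelp32                                                            [!] Injected library: Z:\Users\example\al-khaser.exe
[ BAD  ]
-------------------------[Generic Sandboxe/VM Detection]-------------------------
[*] Checking Local Descriptor Table location                                                       [ BAD  ]
[*] Checking hard disk size using WMI                                                              wine: Read access denied for device L"\\??\\Z:\\", FS volume label and serial are not available.
wine: Read access denied for device L"\\??\\Z:\\", FS volume label and serial are not available.
[ BAD  ]
[*] Checking if CPU hypervisor field is set using cpuid(0x1)                                       [ GOOD ]
[*] Checking Win32_CacheMemory with WMI
wine: Unhandled page fault on read access to FFFFFFFFFFFFFFFF at address 000000014000AEA0 (thread 0240), starting debugger...
"""

if __name__ == "__main__":
    for section, names in bad_checks(parse_log(SAMPLE_LOG)).items():
        print(f"{section}:")
        for name in names:
            print(f"  BAD  {name}")
```

Run it on a saved log with `parse_log(open("al-khaser.log").read())`; a check whose `verdict` is `None` marks the point where the process died (the notes attached to it hold the wine crash banner), which is the first thing to look at when a run ends early as it does above.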
Krock commented 3 years ago
Owner

Okay. This is really not fun to troubleshoot. Many Windows special cases do not seem to be working well on a sole Wine64 installation. Here are a few conclusions; all of them could be reported as a Wine bug:

  • NtReadVirtualMemory (https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/WriteWatch.cpp#L103) works differently. I guess this is due to different memory mapping on MacOS (File: wine/dlls/ntdll/unix/virtual.c)
  • EnumProcessModulesEx in al-khaser is behaving weird. No idea what's up with that. Not relevant for Virtual Machine detection.
  • __readgsqword(0x60) returned ProcessParameters->ImagePathName (https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L64-L71) is set to -1 (for whatever reason). Not relevant for Virtual Machine detection.

Removed the process name check. -> patched again, version 3 (https://drive.google.com/file/d/1uzG81UvTJgZBtC9TI2DOKCMP7xQCxNTd/view?usp=sharing)

  • md5sum: 2114e0153d797ecd62dcb37e26ae22ee
Artichaut commented 3 years ago
Poster

Okay, now it works:

Log (Generic Sandbox/VM detection to Qemu detection)

-------------------------[Generic Sandboxe/VM Detection]-------------------------
[*] Checking if process loaded modules contains: avghookx.dll                                      [ GOOD ]
[*] Checking if process loaded modules contains: avghooka.dll                                      [ GOOD ]
[*] Checking if process loaded modules contains: snxhk.dll                                         [ GOOD ]
[*] Checking if process loaded modules contains: sbiedll.dll                                       [ GOOD ]
[*] Checking if process loaded modules contains: dbghelp.dll                                       [ GOOD ]
[*] Checking if process loaded modules contains: api_log.dll                                       [ GOOD ]
[*] Checking if process loaded modules contains: dir_watch.dll                                     [ GOOD ]
[*] Checking if process loaded modules contains: pstorec.dll                                       [ GOOD ]
[*] Checking if process loaded modules contains: vmcheck.dll                                       [ GOOD ]
[*] Checking if process loaded modules contains: wpespy.dll                                        [ GOOD ]
[*] Checking if process loaded modules contains: cmdvrt64.dll                                      [ GOOD ]
[*] Checking if process loaded modules contains: cmdvrt32.dll                                      [ GOOD ]
[*] Checking if username matches : CurrentUser                                                     [ GOOD ]
[*] Checking if username matches : Sandbox                                                         [ GOOD ]
[*] Checking if username matches : Emily                                                           [ GOOD ]
[*] Checking if username matches : HAPUBWS                                                         [ GOOD ]
[*] Checking if username matches : Hong Lee                                                        [ GOOD ]
[*] Checking if username matches : IT-ADMIN                                                        [ GOOD ]
[*] Checking if username matches : Johnson                                                         [ GOOD ]
[*] Checking if username matches : Miller                                                          [ GOOD ]
[*] Checking if username matches : milozs                                                          [ GOOD ]
[*] Checking if username matches : Peter Wilson                                                    [ GOOD ]
[*] Checking if username matches : timmy                                                           [ GOOD ]
[*] Checking if username matches : user                                                            [ GOOD ]
[*] Checking if username matches : sand box                                                        [ GOOD ]
[*] Checking if username matches : malware                                                         [ GOOD ]
[*] Checking if username matches : maltest                                                         [ GOOD ]
[*] Checking if username matches : test user                                                       [ GOOD ]
[*] Checking if username matches : virus                                                           [ GOOD ]
[*] Checking if username matches : John Doe                                                        [ GOOD ]
[*] Checking if hostname matches : SANDBOX                                                         [ GOOD ]
[*] Checking if hostname matches : 7SILVIA                                                         [ GOOD ]
[*] Checking if hostname matches : HANSPETER-PC                                                    [ GOOD ]
[*] Checking if hostname matches : JOHN-PC                                                         [ GOOD ]
[*] Checking if hostname matches : MUELLER-PC                                                      [ GOOD ]
[*] Checking if hostname matches : WIN7-TRAPS                                                      [ GOOD ]
[*] Checking if hostname matches : FORTINET                                                        [ GOOD ]
[*] Checking if hostname matches : TEQUILABOOMBOOM                                                 [ GOOD ]
[*] Checking whether username is 'Wilber' and NetBIOS name starts with 'SC' or 'SW'                [ GOOD ]
[*] Checking whether username is 'admin' and NetBIOS name is 'SystemIT'                            [ GOOD ]
[*] Checking whether username is 'admin' and DNS hostname is 'KLONE_X64-PC'                        [ GOOD ]
[*] Checking whether username is 'John' and two sandbox files exist                                [ GOOD ]
[*] Checking whether four known sandbox 'email' file paths exist                                   [ GOOD ]
[*] Checking whether three known sandbox 'foobar' files exist                                      [ GOOD ]
[*] Checking Number of processors in machine                                                       [ GOOD ]
[*] Checking Interupt Descriptor Table location                                                    [ GOOD ]
[*] Checking Local Descriptor Table location                                                       [ BAD  ]
[*] Checking Global Descriptor Table location                                                      [ GOOD ]
[*] Checking Store Task Register                                                                   [ GOOD ]
[*] Checking Number of cores in machine using WMI                                                  [ GOOD ]
[*] Checking hard disk size using WMI                                                              wine: Read access denied for device L"\\??\\Z:\\", FS volume label and serial are not available.
wine: Read access denied for device L"\\??\\Z:\\", FS volume label and serial are not available.
wine: Read access denied for device L"\\??\\Z:\\", FS volume label and serial are not available.
[ BAD  ]
[*] Checking hard disk size using DeviceIoControl                                                  [ BAD  ]
[*] Checking SetupDi_diskdrive                                                                     [ GOOD ]
[*] Checking mouse movement                                                                        [ GOOD ]
[*] Checking memory space using GlobalMemoryStatusEx                                               [ GOOD ]
[*] Checking disk size using GetDiskFreeSpaceEx                                                    [ GOOD ]
[*] Checking if CPU hypervisor field is set using cpuid(0x1)                                       [ GOOD ]
[*] Checking hypervisor vendor using cpuid(0x40000000)                                             [ GOOD ]
[*] VM Driver Services                                                                             [ GOOD ]
[*] Checking Model from ComputerSystem using WMI                                                   [ GOOD ]
[*] Checking Manufacturer from ComputerSystem using WMI                                            [ GOOD ]
[*] Checking Current Temperature using WMI                                                         [ GOOD ]
[*] Checking ProcessId using WMI                                                                   [ GOOD ]
[*] Checking power capabilities                                                                    [ GOOD ]
[*] Checking CPU fan using WMI                                                                     [ BAD  ]
[*] Checking NtQueryLicenseValue with Kernel-VMDetection-Private                                   [ GOOD ]
[*] Checking Win32_CacheMemory with WMI                                                            [ BAD  ]
[*] Checking Win32_PhysicalMemory with WMI                                                         [ GOOD ]
[*] Checking Win32_MemoryDevice with WMI                                                           [ BAD  ]
[*] Checking Win32_MemoryArray with WMI                                                            [ BAD  ]
[*] Checking Win32_VoltageProbe with WMI                                                           [ BAD  ]
[*] Checking Win32_PortConnector with WMI                                                          [ BAD  ]
[*] Checking Win32_SMBIOSMemory with WMI                                                           [ BAD  ]
[*] Checking ThermalZoneInfo performance counters with WMI                                         [ BAD  ]
[*] Checking CIM_Memory with WMI                                                                   [ BAD  ]
[*] Checking CIM_Sensor with WMI                                                                   [ BAD  ]
[*] Checking CIM_NumericSensor with WMI                                                            [ BAD  ]
[*] Checking CIM_TemperatureSensor with WMI                                                        [ BAD  ]
[*] Checking CIM_VoltageSensor with WMI                                                            [ BAD  ]
[*] Checking CIM_PhysicalConnector with WMI                                                        [ BAD  ]
[*] Checking CIM_Slot with WMI                                                                     [ BAD  ]
[*] Checking Services\Disk\Enum entries for VM strings                                             [ GOOD ]
[*] Checking Enum\IDE and Enum\SCSI entries for VM strings                                         [ GOOD ]

-------------------------[VirtualBox Detection]-------------------------
[*] Checking reg key HARDWARE\Description\System - Identifier is set to VBOX                       [ GOOD ]
[*] Checking reg key HARDWARE\Description\System - SystemBiosVersion is set to VBOX                [ GOOD ]
[*] Checking reg key HARDWARE\Description\System - VideoBiosVersion is set to VIRTUALBOX           [ GOOD ]
[*] Checking reg key HARDWARE\Description\System - SystemBiosDate is set to 06/23/99               [ GOOD ]
[*] Checking VirtualBox Guest Additions directory                                                  [ GOOD ]
[*] Checking file C:\windows\System32\drivers\VBoxMouse.sys                                        [ GOOD ]
[*] Checking file C:\windows\System32\drivers\VBoxGuest.sys                                        [ GOOD ]
[*] Checking file C:\windows\System32\drivers\VBoxSF.sys                                           [ GOOD ]
[*] Checking file C:\windows\System32\drivers\VBoxVideo.sys                                        [ GOOD ]
[*] Checking file C:\windows\System32\vboxdisp.dll                                                 [ GOOD ]
[*] Checking file C:\windows\System32\vboxhook.dll                                                 [ GOOD ]
[*] Checking file C:\windows\System32\vboxmrxnp.dll                                                [ GOOD ]
[*] Checking file C:\windows\System32\vboxogl.dll                                                  [ GOOD ]
[*] Checking file C:\windows\System32\vboxoglarrayspu.dll                                          [ GOOD ]
[*] Checking file C:\windows\System32\vboxoglcrutil.dll                                            [ GOOD ]
[*] Checking file C:\windows\System32\vboxoglerrorspu.dll                                          [ GOOD ]
[*] Checking file C:\windows\System32\vboxoglfeedbackspu.dll                                       [ GOOD ]
[*] Checking file C:\windows\System32\vboxoglpackspu.dll                                           [ GOOD ]
[*] Checking file C:\windows\System32\vboxoglpassthroughspu.dll                                    [ GOOD ]
[*] Checking file C:\windows\System32\vboxservice.exe                                              [ GOOD ]
[*] Checking file C:\windows\System32\vboxtray.exe                                                 [ GOOD ]
[*] Checking file C:\windows\System32\VBoxControl.exe                                              [ GOOD ]
[*] Checking reg key HARDWARE\ACPI\DSDT\VBOX__                                                     [ GOOD ]
[*] Checking reg key HARDWARE\ACPI\FADT\VBOX__                                                     [ GOOD ]
[*] Checking reg key HARDWARE\ACPI\RSDT\VBOX__                                                     [ GOOD ]
[*] Checking reg key SOFTWARE\Oracle\VirtualBox Guest Additions                                    [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Services\VBoxGuest                                       [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Services\VBoxMouse                                       [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Services\VBoxService                                     [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Services\VBoxSF                                          [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Services\VBoxVideo                                       [ GOOD ]
[*] Checking Mac Address start with 08:00:27                                                       [ GOOD ]
[*] Checking MAC address (Hybrid Analysis)                                                         [ GOOD ]
[*] Checking device \\.\VBoxMiniRdrDN                                                              [ GOOD ]
[*] Checking device \\.\VBoxGuest                                                                  [ GOOD ]
[*] Checking device \\.\pipe\VBoxMiniRdDN                                                          [ GOOD ]
[*] Checking device \\.\VBoxTrayIPC                                                                [ GOOD ]
[*] Checking device \\.\pipe\VBoxTrayIPC                                                           [ GOOD ]
[*] Checking VBoxTrayToolWndClass / VBoxTrayToolWnd                                                [ GOOD ]
[*] Checking VirtualBox Shared Folders network provider                                            [ GOOD ]
[*] Checking VirtualBox process vboxservice.exe                                                    [ GOOD ]
[*] Checking VirtualBox process vboxtray.exe                                                       [ GOOD ]
[*] Checking Win32_PnPDevice DeviceId from WMI for VBox PCI device                                 [ GOOD ]
[*] Checking Win32_PnPDevice Name from WMI for VBox controller hardware                            [ GOOD ]
[*] Checking Win32_Bus from WMI                                                                    [ GOOD ]
[*] Checking Win32_BaseBoard from WMI                                                              [ GOOD ]
[*] Checking MAC address from WMI                                                                  [ GOOD ]
[*] Checking NTEventLog from WMI                                                                   [ GOOD ]
[*] Checking SMBIOS firmware                                                                       [ GOOD ]
[*] Checking ACPI tables                                                                           [ BAD  ]

-------------------------[VMWare Detection]-------------------------
[*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0  [ GOOD ]
[*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0  [ GOOD ]
[*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0  [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation                                [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation                                [ GOOD ]
[*] Checking reg key SOFTWARE\VMware, Inc.\VMware Tools                                            [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmnet.sys                                            [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmmouse.sys                                          [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmusb.sys                                            [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vm3dmp.sys                                           [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmci.sys                                             [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmhgfs.sys                                           [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmmemctl.sys                                         [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmx86.sys                                            [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmrawdsk.sys                                         [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmusbmouse.sys                                       [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmkdb.sys                                            [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmnetuserif.sys                                      [ GOOD ]
[*] Checking file C:\windows\System32\drivers\vmnetadapter.sys                                     [ GOOD ]
[*] Checking MAC starting with 00:05:69                                                            [ GOOD ]
[*] Checking MAC starting with 00:0c:29                                                            [ GOOD ]
[*] Checking MAC starting with 00:1C:14                                                            [ GOOD ]
[*] Checking MAC starting with 00:50:56                                                            [ GOOD ]
[*] Checking VMWare network adapter name                                                           [ GOOD ]
[*] Checking device \\.\HGFS                                                                       [ GOOD ]
[*] Checking device \\.\vmci                                                                       [ GOOD ]
[*] Checking VMWare directory                                                                      [ GOOD ]
[*] Checking SMBIOS firmware                                                                       [ GOOD ]
[*] Checking ACPI tables                                                                           [ BAD  ]

-------------------------[Virtual PC Detection]-------------------------
[*] Checking Virtual PC processes VMSrvc.exe                                                       [ GOOD ]
[*] Checking Virtual PC processes VMUSrvc.exe                                                      [ GOOD ]
[*] Checking reg key SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters                           [ GOOD ]

-------------------------[QEMU Detection]-------------------------
[*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0  [ GOOD ]
[*] Checking reg key HARDWARE\Description\System                                                   [ GOOD ]
[*] Checking qemu processes qemu-ga.exe                                                            [ GOOD ]
[*] Checking SMBIOS firmware                                                                       [ GOOD ]
[*] Checking ACPI tables                                                                           [ BAD  ]

Krock commented 3 years ago
Owner

Thank you for testing it again.

Good news: Wine works almost the same on MacOS as it does on Linux

Bad news: There's no GOOD/BAD difference in the VM section output. Thus the error might be caused by one of the Wine issues mentioned above.

All I can do is to ask Wine developers whether they could have a look at the memory management and process information. Both cases could be patched in the binary, but it's difficult to figure out *what exactly* is used as detection by the game.
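One way to do the GOOD/BAD comparison described above without eyeballing two long reports, as an added example (not code from this thread or from al-khaser): a small Python script that parses two al-khaser-style reports, including Wine's interleaved `wine:` stderr noise and the checks that repeat inside one section, and lists only the verdicts that differ. The two sample reports are constructed, cut down to a few of the checks from the log above.

```python
"""Diff two al-khaser-style reports and list the checks whose GOOD/BAD verdict
differs between runs (e.g. a Linux run versus a macOS run).

Added example, not part of the thread or of al-khaser; the sample reports at the
bottom are constructed in the same shape as the log pasted above.
"""
import re
from typing import Dict, List, Tuple

Key = Tuple[str, str, int]  # (section banner, check name, occurrence within section)

# Wine prints its own diagnostics to the same terminal; in the log above they land
# between a check's name and its verdict ("... using WMI wine: Read access denied ... [ BAD ]").
NOISE_RE = re.compile(r"\s*wine: .*?(?=\s*\[\s*(?:GOOD|BAD)\s*\]|\s*\[\*\]|\Z)", re.S)

# Either a section banner "----[VirtualBox Detection]----" or one "[*] name [ GOOD ]"
# check. re.S lets a name continue across a line break, which happens when the
# report is pasted flattened.
TOKEN_RE = re.compile(
    r"-{3,}\[(?P<section>[^\]]+)\]-{3,}"
    r"|\[\*\]\s+(?P<name>.+?)\s+\[\s*(?P<verdict>GOOD|BAD)\s*\]",
    re.S,
)


def parse_report(text: str) -> Dict[Key, str]:
    """Map every check to its verdict. Checks that repeat inside one section
    (al-khaser prints some registry keys twice) are told apart by an occurrence index."""
    results: Dict[Key, str] = {}
    seen: Dict[Tuple[str, str], int] = {}
    section = "(no section)"
    for m in TOKEN_RE.finditer(NOISE_RE.sub("", text)):
        if m.group("section") is not None:
            section = m.group("section").strip()
            continue
        name = " ".join(m.group("name").split())  # collapse padding and line breaks
        n = seen.get((section, name), 0)
        seen[(section, name)] = n + 1
        results[(section, name, n)] = m.group("verdict")
    return results


def diff_reports(baseline: str, candidate: str) -> List[Tuple[str, str, int, str, str]]:
    """Return (section, name, occurrence, baseline verdict, candidate verdict) for each
    check whose verdict differs; a check missing from one run gets the verdict '-'."""
    a, b = parse_report(baseline), parse_report(candidate)
    out = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, "-"), b.get(key, "-")
        if va != vb:
            out.append((key[0], key[1], key[2], va, vb))
    return out


# Constructed sample runs (not real output), trimmed to a handful of the checks above.
LINUX_RUN = r"""
-------------------------[Generic Sandboxe/VM Detection]-------------------------
[*] Checking Local Descriptor Table location                           [ BAD  ]
[*] Checking hard disk size using WMI wine: Read access denied for device L"\\??\\Z:\\", FS volume label and serial are not available. [ BAD  ]
[*] Checking if CPU hypervisor field is set using cpuid(0x1)           [ GOOD ]
-------------------------[VMWare Detection]-------------------------
[*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation    [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation    [ GOOD ]
-------------------------[QEMU Detection]-------------------------
[*] Checking ACPI tables                                               [ BAD  ]
"""

MACOS_RUN = r"""
-------------------------[Generic Sandboxe/VM Detection]-------------------------
[*] Checking Local Descriptor Table location                           [ GOOD ]
[*] Checking hard disk size using WMI                                  [ BAD  ]
[*] Checking if
CPU hypervisor field is set using cpuid(0x1)                           [ BAD  ]
-------------------------[VMWare Detection]-------------------------
[*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation    [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation    [ BAD  ]
"""


def main() -> None:
    # Prints only the checks that moved between the two runs.
    for section, name, n, va, vb in diff_reports(LINUX_RUN, MACOS_RUN):
        tag = f" (#{n + 1})" if n else ""
        print(f"[{section}] {name}{tag}: {va} -> {vb}")


if __name__ == "__main__":
    main()
```

Feed it the two full reports (Linux and macOS) saved from al-khaser's console; an empty diff means the game is not reacting to anything al-khaser measures, which is the conclusion drawn above.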
Artichaut commented 3 years ago
Poster

Oh I see
Is there like a log file where we can see all the checks made by the game (and wine errors)? (Sorry if irrelevant)

Krock commented 3 years ago
Owner

You could use the `WINEDEBUG=+relay` env variable but that will likely result in a massive text file, and is only helpful to a degree because there's no information where exactly that API is called within the game binaries.
Artichaut commented 3 years ago
Poster

I was also thinking about trying it on another Mac, but I just have one and I can't reinstall macOS now, but if someone wants to try on a clean install that would be cool

Artichaut commented 3 years ago
Poster

I forgot to say that I tried to run GI and al-khaser in a High Sierra VM, but macOS doesn't allow `hypervisor.cpuid.v0 = "FALSE"` in the config file; it will not boot and only shows a "forbidden" logo, so no VM for testing.
Artichaut commented 3 years ago
Poster

Hello, little update!
[Gcenx](https://github.com/Gcenx) updated his repo ([here](https://github.com/Gcenx/homebrew-wine)), so I upgraded Wine (Staging) from 5.2 to 6.2, but there's no difference, macOS is still recognized as a virtual machine
Artichaut commented 3 years ago
Poster

Hello,
I searched a bit about the T2 chip on recent Macs and its compatibility with Wine, but no one talked about this (or I missed some articles)
Could the "VM error" be related to that chip?
(My machine is a 2020 Intel MacBook Pro (MacBookPro16,3))

Edit: https://support.apple.com/fr-fr/guide/security/sec59b0b31ff/web can help

Krock commented 3 years ago
Owner

@Artichaut Thank you for the updates and your research. I know neither enough about this hardware nor about Wine to give a helpful answer to this. While I don't expect this to influence the game, only debugging it on MacOS could clarify this.

It's a shame that no sane Win64 debugger runs in Wine, so you'd be limited to analyzing WINEDEBUG output and/or comparing it with Linux.
Krock commented 3 years ago
Owner

As a workaround, a Windows virtual machine with Hyper-V enabled apparently works. Despite this being tested only on Linux, chances are there that it's applicable to MacOS as well.

Instructions: https://youtu.be/L1JCCdo1bG4?t=205

I will also inform M.P. Barbier on GitHub about this possibility.

Artichaut commented 3 years ago
Poster

Hello, thanks for your answers! (and sorry for my *very* late one)
I didn't really understand how I should use these instructions? (It's in a VM XML, but I'm on a physical machine..?)

Have a great day ^^
Krock commented 3 years ago
Owner

He uses a QEMU/KVM setup. KVM is Linux-specific, hence it might not help much, aside from the fact that QEMU seems to be one part of the puzzle. Once again I can only point to tutorials that worked for other games with VM detection such as Valorant, Rainbow 6 Siege and perhaps League of Legends. Working around VM detection in a VM is an even more complicated matter because it's pretty much impossible to figure out what triggers the detection.

I just thought that I should at least inform you about this, despite having no experience with it.

#174 was closed as it's a duplicate of this one, but in that issue, Krock mentioned

> What might also be interesting is to test a Wine64-only installation on Linux. If it happens to work with 64-bit only, then it's either due to an "__APPLE__"-specific part in Wine, or due to a MacOS-specific hypervisor/app sandbox feature.

I tried the opposite of this a while ago: running it on an older Mac (I think it's a 2009 iMac) with macOS High Sierra, which *can* run 32-bit processes, and I still got the VMProtect error, so I don't think it's an issue with the lack of 32-bit support. (It was upstream's Wine, not the Gcenx one).

I also tried making a dummy application with VMProtect's [trial software](http://vmpsoft.com/files/VMProtectDemo.exe) and only virtual machine detection enabled (so no obfuscation), but not even Linux Wine could run that. There are older versions of the trial software in the Wayback Machine.
Ghost commented 2 years ago

@Redecorating: Hello! Trial and paid VMProtect are very different, especially in feature parity. I have a legitimate version of VMProtect 3.4 that I never renewed, but it _should be_ sufficiently new that the VM detection shouldn't differ. Well, hopefully...

[Here's a test program](https://raymonf.me/vmp-test.zip) (password: `qwerty`) compiled with the x64 MSVC v143 toolchain and static CRT, and then packed with:

* "Ultra" level protection on `main`
* Memory, import, resource protection enabled
* No debugger detection
* VM detection enabled

The code is:

```
#include <iostream>

int main()
{
	std::cout << "beep boop" << std::endl;
	return 0;
}
```

I've already used up the battery life on my laptop, whose charging port is extremely fickle, so I'm not sure that this works at all, either. And of course there's the whole standard disclaimer about false positives on antivirus software because of VMProtect. Either way, I'm going to leave this here for the time being, though I understand if you have your reservations on running a random exe even if it's through wine.

Hope this helps a bit!

Sorry it took so long for me to see this. Linux's Wine can run that exe fine, but macOS has the same Virtual Machine error with it as Genshin does.

On my MacBookPro16,1, with macOS Big Sur, I can't use winedbg on it, but on my older iMac10,1 with macOS High Sierra, I can run it in winedbg:

```
$ winedbg test.vmp.exe
WineDbg starting on pid 04bc
0x000000007bc52f85 EntryPoint+0xffffffffffffffff in ntdll: ret
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000007bc2f5d4 EntryPoint+0xffffffffffffffff in ntdll: movq 0x0000000000000040(%rsp),%rax
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000007bc2f5d9 EntryPoint+0xffffffffffffffff in ntdll: movq %rax,(%rbx)
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000007bc2f5dc EntryPoint+0xffffffffffffffff in ntdll: jmp  0x000000007bc2f5ad EntryPoint+0xffffffffffffffff
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000007bc2f5ad EntryPoint+0xffffffffffffffff in ntdll: addq $0x170,%rsp
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000007bc2f5b4 EntryPoint+0xffffffffffffffff in ntdll: popq %rbx
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000007bc2f5b5 EntryPoint+0xffffffffffffffff in ntdll: ret
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000007bc36eb6 EntryPoint+0xffffffffffffffff in ntdll: leaq 0x000000000002f683(%rip),%rcx
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000007bc36ebd EntryPoint+0xffffffffffffffff in ntdll: call 0x000000007bc59a00 EntryPoint+0xffffffffffffffff
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000007bc36ec5 EntryPoint+0xffffffffffffffff in ntdll: call 0x000000007bc52f44 EntryPoint+0xffffffffffffffff
Wine-dbg>step
0x000000014078f3f8: nop
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000014078f3f9: pushq       $0x3dce74e2
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000014078f3fe: call        0x0000000140879e6e
Wine-dbg>
```

If I use quit here instead of step, it continues to the "cannot be run under virtual machine error", doesn't print "beep boop", doesn't crash, and no other logs are printed by wine.

If I step again instead of quit:

```
Wine-dbg>step
0x000000014078f410: nop
Wine-dbg>
```

If I use quit here instead of step, it prints beep boop to the cmd window and crashes with:

```
05a4:fixme:heap:EnumSystemFirmwareTables (0x4649524d, 0000000000000000, 0)
05a4:fixme:heap:RtlSetHeapInformation 0000000000730000 0 000000000021F490 4 stub
05a4:fixme:seh:get_thread_times not implemented on this platform
wine: Unhandled page fault on read access to FFFFFFFFFFFFFFFF at address 000000014001B121 (thread 05a4), starting debugger...
```

If I instead keep stepping, I get this:

```
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000014078f411: pushq       $0xca21055f
Wine-dbg>step
Single stepping until exit from function,
which has no line number information.
0x000000014078f416: call        0x00000001408d1ed0
Wine-dbg>step
04c0:fixme:heap:EnumSystemFirmwareTables (0x4649524d, 0000000000000000, 0)
04c0:fixme:heap:RtlSetHeapInformation 0000000000730000 0 000000000021F490 4 stub
04c0:fixme:seh:get_thread_times not implemented on this platform
04c0:err:seh:call_stack_handlers invalid frame 0000000000220178 (0000000000122000-0000000000220000)
Unhandled exception: page fault on read access to 0x2600000009, invalid program stack in 64-bit code (0x000000014001b121).
Register dump:
 rip:000000014001b121 rsp:000000000021fd40 rbp:000000000021fdf0 eflags:00010246 (  R- --  I  Z- -P- )
 rax:0000000068111100 rbx:0000000000000000 rcx:0000002600000001 rdx:0000000140022390
 rsi:0000000000000000 rdi:0000000000085c30  r8:00000000ffffffff  r9:0000000000010000 r10:0000000000010458
 r11:000000000021fc18 r12:0000000000000000 r13:0000000000000000 r14:0000000000000000 r15:0000000000000000
Stack dump:
0x000000000021fd40:  000000000021fdd0 000000000021fdf0
0x000000000021fd50:  0000000000000000 000000007bc59a00
0x000000000021fd60:  0000000000000000 0000000140010fd1
0x000000000021fd70:  0000000000000000 0000000000000000
0x000000000021fd80:  0000000000000000 0000000000000000
0x000000000021fd90:  0000000000000000 0000000140010fc3
0x000000000021fda0:  0000000000000000 0000000000000000
0x000000000021fdb0:  000000000021fd00 000000000021fdc4
0x000000000021fdc0:  0000000200000000 0000000100000002
0x000000000021fdd0:  000000000021fe08 000000000021fe10
0x000000000021fde0:  000000000021fe18 96b46a04d10c0000
0x000000000021fdf0:  0000000000000000 00000001400054c7
Backtrace:
=>0 0x000000014001b121 in test.vmp (+0x1b121) (0x000000000021fdf0)
  1 0x0000000140010fd1 in test.vmp (+0x10fd0) (0x000000000021fdf0)
  2 0x0000000140010fc3 in test.vmp (+0x10fc2) (0x000000000021fdf0)
  3 0x00000001400054c7 in test.vmp (+0x54c6) (0x0000000000000000)
  4 0x000000007b62cca9 EntryPoint+0xffffffffffffffff() in kernel32 (0x0000000000000000)
  5 0x000000007bc59cd3 EntryPoint+0xffffffffffffffff() in ntdll (0x0000000000000000)
0x000000014001b121: cmpl        %ebx,0x0000000000000008(%rcx)
Wine-dbg>
```

"beep boop" is shown in the cmd window after it crashes.

It looks like something winedbg does bypasses the false positive VM detection, but winedbg also causes the exe to crash after that. Here's the [backtrace](https://gist.github.com/Redecorating/196d9f6ef56b779fd7b30f79c62b8821) that Wine said to use if I were to report the crash upstream.
Ghost commented 2 years ago

@Redecorating: Interesting. I'll definitely take a look down this path.

Apple has finally announced their "special event" so hopefully we'll get new MacBooks soon, and I'll be able to actually look into this!

I don't think this would be worth reporting upstream because they seem to think bypassing VM detection is "bYpAsSiNg DRM."

Ghost commented 2 years ago

I'm leaving this as a note to my future self:

I did a little research and discovered that Metal apparently doesn't support geometry shaders, which means that MoltenVK doesn't, which finally means that DXVK on macOS doesn't support them. I wonder if it'd be possible to use WineD3D...


Wine 7.21 has converted all executables to the PE format. That might help in convincing Genshin that macOS is not a virtual machine.

lhunath commented 1 year ago

Wanted to drop a note that I was able to run the game under macOS on an M1 Max using CrossOver, though there is a model rendering issue; details of my configuration in #374

Krock commented 1 year ago
Owner

(based on the discussion in #394)

@3Shain

> Nope it works even better than M1/M2 (except, as far as I know, Vega GPUs still need this patch)

Does that mean that this issue (about x86_64 CPUs) is now resolved? If so, would you have any information since when (e.g. approximate minimal Wine version, macOS version, game version)?

3Shain commented 1 year ago

@Krock

Crossover-wine 7.7, on Ventura 13.1. It has been working since 3.4.0.

You can check my recorded [video](https://www.bilibili.com/video/BV1K54y1w7fD)

Krock commented 1 year ago
Owner

It's good to see that the single most important and longest lasting issue got solved *somehow*. In case the error message still appears to certain people, feel free to reply here so that the issue can be picked up again (i.e. reopened).

Documented as of 728358d.
