WINE Is Not an Emulator (that’s what the acronym actually stands for).
At a program level, WINE creates a dummy Windows directory structure, slaps files where an exe expects them, and executes the program.
EXEs (well, all programs) will use system calls to request resources (ie. files, access to hardware like GPUs, data from other processes) which Windows maps to certain areas of memory and has its own protocols for how to handle requests. Linux has its own protocols and methods that are incompatible, hence why Windows and Linux apps can’t run natively together.
Then the magic happens: WINE maps these requests to Linux requests so that the running program is none the wiser. It asks for GPU resources like a Windows app would, then gets those resources back just like a Windows app would expect. There are thousands of edge cases, hundreds of system calls, and a bunch else that complicates things but that’s how WINE (and Proton) works.
The reason this fucks up Kernel-level anticheat is that it isn’t trying to communicate via these established channels. They usually operate with full resources outside of the jurisdiction of your OS, and scan your memory bit-by-bit rather than asking the OS politely via system calls for info on other processes.
With WINE, whilst a typical application will not notice the differences they’re designed to not throw a fit if your underlying OS is configured differently, a kernel anticheat will not even recognise the system as a valid OS even if it was able to run in the first place.
The solution here is systems like EasyAC that give up the benefits of being able to analyse processes at the kernel level in favour of portability. Another potential solution (though unlikely imo) is a cross-platform kernel anticheat protocol, that all major operating systems agree to implement, similar to how operating systems will implement the TCP/IP protocol to communicate across networks regardless of underlying OS.
Now the reason "WINE"s acronym is particularly important is that if it DID emulate windows, as in what most virtual machine providers do, then anticheat would be running in an environment mapped out like a real Windows install - because it is. This is how many Linux gamers prefer to run certain titles, and something that should always be functional. It is much more annoying to maintain, However - balance how much you really wanna play the latest COD with your willingness to debug GPU passthrough shit.
Good read, what if they just want the games to run and don’t care about functional anticheat? Couldn’t they send fake info to the anticheats, or do you think that would be technically impossible?
Short answer: Yep, cheat softwares regularly do this too, but it’s costly and prone to being immediately patched, and it’s potentially illegal.
Anticheat systems are designed around this since a cheat client would try to do exactly that. One way for example is for the anticheat to provide a cryptographic key to the game which it uses to prove to a multiplayer server that the anticheat is functioning and untampered with. Even if you bypass anticheat locally, you still have to prove that the game client is legitimate to the server. This does happen! But kernel anticheats are much harder to access and tamper with, and in our case of using WINE are unlikely to even work from the outset.
So okay, let’s hypothetically bypass anticheat locally. We modify the game to tell the server it’s legit, and it works! A few days later the game gets patched, and suddenly our bypass is defunct. For cheat sellers this part of the cost of business but for people just trying to game on Linux there’s little money in it, and if there is it won’t ever be spent on circumventing anticheat (which also falls under some legal grey areas if not outright illegal depending on your country).
Given enough time and resources we could probably find some novel way to crack anticheat on a game as such as it becomes playable on Linux. But it’s so much easier to use that effort somewhere else or just use a Windows VM that is guaranteed to work even if slightly slower.
WINE Is Not an Emulator (that’s what the acronym actually stands for).
At a program level, WINE creates a dummy Windows directory structure, slaps files where an exe expects them, and executes the program.
EXEs (well, all programs) will use system calls to request resources (ie. files, access to hardware like GPUs, data from other processes) which Windows maps to certain areas of memory and has its own protocols for how to handle requests. Linux has its own protocols and methods that are incompatible, hence why Windows and Linux apps can’t run natively together.
Then the magic happens: WINE maps these requests to Linux requests so that the running program is none the wiser. It asks for GPU resources like a Windows app would, then gets those resources back just like a Windows app would expect. There are thousands of edge cases, hundreds of system calls, and a bunch else that complicates things but that’s how WINE (and Proton) works.
The reason this fucks up Kernel-level anticheat is that it isn’t trying to communicate via these established channels. They usually operate with full resources outside of the jurisdiction of your OS, and scan your memory bit-by-bit rather than asking the OS politely via system calls for info on other processes.
With WINE, whilst a typical application will not notice the differences they’re designed to not throw a fit if your underlying OS is configured differently, a kernel anticheat will not even recognise the system as a valid OS even if it was able to run in the first place.
The solution here is systems like EasyAC that give up the benefits of being able to analyse processes at the kernel level in favour of portability. Another potential solution (though unlikely imo) is a cross-platform kernel anticheat protocol, that all major operating systems agree to implement, similar to how operating systems will implement the TCP/IP protocol to communicate across networks regardless of underlying OS.
Now the reason "WINE"s acronym is particularly important is that if it DID emulate windows, as in what most virtual machine providers do, then anticheat would be running in an environment mapped out like a real Windows install - because it is. This is how many Linux gamers prefer to run certain titles, and something that should always be functional. It is much more annoying to maintain, However - balance how much you really wanna play the latest COD with your willingness to debug GPU passthrough shit.
Good read, what if they just want the games to run and don’t care about functional anticheat? Couldn’t they send fake info to the anticheats, or do you think that would be technically impossible?
Short answer: Yep, cheat softwares regularly do this too, but it’s costly and prone to being immediately patched, and it’s potentially illegal.
Anticheat systems are designed around this since a cheat client would try to do exactly that. One way for example is for the anticheat to provide a cryptographic key to the game which it uses to prove to a multiplayer server that the anticheat is functioning and untampered with. Even if you bypass anticheat locally, you still have to prove that the game client is legitimate to the server. This does happen! But kernel anticheats are much harder to access and tamper with, and in our case of using WINE are unlikely to even work from the outset.
So okay, let’s hypothetically bypass anticheat locally. We modify the game to tell the server it’s legit, and it works! A few days later the game gets patched, and suddenly our bypass is defunct. For cheat sellers this part of the cost of business but for people just trying to game on Linux there’s little money in it, and if there is it won’t ever be spent on circumventing anticheat (which also falls under some legal grey areas if not outright illegal depending on your country).
Given enough time and resources we could probably find some novel way to crack anticheat on a game as such as it becomes playable on Linux. But it’s so much easier to use that effort somewhere else or just use a Windows VM that is guaranteed to work even if slightly slower.