OllyDbg and thousands of events per second


Morfi
March 25th, 2014, 01:27
I'm trying to debug an application that uses QT GUI library. The problem is that I can't even start debugging as ollydbg seems to be processing ~1k events per second where in stack trace I see all of them running inside QT. The application has very fancy GUI (blending, custom window and buttons etc) and perhaps that is what hangs the debugger as it tries to process all this. Can I somehow force olly to skip or ignore these events?

This happens with every larger application (Even those without QT, written in VB6)


http://reverseengineering.stackexchange.com/questions/3828/ollydbg-and-hundreds-of-events-under-qt-gui

blabberer
March 25th, 2014, 02:26
1k events should not make any difference; ollydbg is capable of handling far, far more than that

Quote:

Note that status changes to "Tracing" and status bar blinks displaying something like "120672 events per second".

OllyDbg usually traces 300,000 to 600,000 commands per second.


if that blinking is a hindrance, disable it (options->events->uncheck the "warn on frequent events" check box)

alt+o

Morfi
March 25th, 2014, 02:28
Quote:
[Originally Posted by blabberer;96278]1k events should not make any difference; ollydbg is capable of handling far, far more than that


if that blinking is a hindrance, disable it (options->events->uncheck the "warn on frequent events" check box)

alt+o


Thanks for the reply.
Yet the foreground application that is being debugged hangs. QT udd file is over 50MB big, perhaps this is expected then and I should wait patiently until it's done forming it?

blabberer
March 25th, 2014, 03:02
first of all, ensure you have no leftover stray memory breakpoints; ollydbg will blink only if it is processing some debug events

running with f9 should not make it process any event at all

you can disable auto analysis of all modules and opt for manual analysis as and when needed

again it is in alt+o

you can disable Debugging data loading (or stop all the pdb symbol requests sent to the ms symbol server)

these all could speed up the startup of a large binary

i have an 82 mb udd file of microsoft excel.exe and ollydbg doesn't stall loading or analysing it
i just loaded it before replying

loaded excel in a jiffy, set a bp on mso#3087 and clicked a cell in excel to break, all under a minute max

Code:


Call stack of main thread
Stack      Data       Procedure                        Called from                          Frame
0013F828   3036DAAD   EXCEL.3013F050                   EXCEL.3036DAA8
0013F85C   30799651   EXCEL.3036DA72                   EXCEL.3079964C
0013F9D4   303A68AF   EXCEL.30797EA4                   EXCEL.303A68AA
0013FA94   30016869   ???                              EXCEL.30016866
0013FB7C   30016767   EXCEL.30016796                   EXCEL.30016762
0013FB9C   7E418734   ???                              USER32.InternalCallWinProc+25
0013FBC8   7E418816   USER32.InternalCallWinProc       USER32.UserCallWinProcCheckWow+0B2
0013FC30   7E42A013   USER32.UserCallWinProcCheckWow   USER32.CallWindowProcAorW+4C
0013FC60   7E42A039   USER32.CallWindowProcAorW        USER32.CallWindowProcW+16
0013FC80   32650ACD   USER32.CallWindowProcW           mso.32650AC7
0013FCB8   7E418734   ???                              USER32.InternalCallWinProc+25
0013FCE4   7E418816   USER32.InternalCallWinProc       USER32.UserCallWinProcCheckWow+0B2
0013FD4C   7E4189CD   USER32.UserCallWinProcCheckWow   USER32.DispatchMessageWorker+0D7
0013FDAC   7E418A10   USER32.DispatchMessageWorker     USER32.DispatchMessageW+0A
0013FDBC   30027AF5   USER32.DispatchMessageW          EXCEL.30027AEF
0013FDE0   3002771F   EXCEL.30027A6A                   EXCEL.3002771A
0013FEC4   30003AD8   EXCEL.30026B30                   EXCEL.30003AD3
0013FF34   300037EC   EXCEL.30003802                   EXCEL.300037E7
0013FFC4   7C817077   ???                              kernel32.BaseProcessStart+20




Code:


C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201\odbg201>ls -lah EXCEL.udd
-rw-rw-rw- 1 Admin 0 81M 2014-03-25 12:56 EXCEL.udd

Morfi
April 5th, 2014, 01:12
Thanks for the replies.
So you were able to run Excel in around one minute. That's a large binary, as you said, and I wish I could get such a good time.

I tried to run the TeamSpeak 3 x86 client and I waited 20 minutes until I gave up.

I recorded a video of what it looked like so that you can see for yourself. At 11:30 I'm restarting it (became impatient) but I end up in the same place. After I stopped recording I let it run, but only a couple of threads have changed; the GUI didn't even show up, nor the tray icon.
https://www.youtube.com/watch?v=zgpcoLbgR70
https://www.youtube.com/watch?v=ApEfMAq5Ewc

Thanks!

Morfi
April 5th, 2014, 16:37
Now I'm trying to run windows messenger and I've already been waiting 1:30h, but it hasn't hung. It's still processing and *something* is happening.

And no, I don't run 64MHz, I'm on an i7

edit: I also realized that if I pause the execution, then discard the hit trace and continue, it speeds up drastically (for a short while).
But for some reason it ALWAYS logs the hit trace (even if I don't ask for it)
Confirmed (I'm not sure if it's a coincidence though): after I was constantly pausing, discarding the hit trace (and possibly clearing the trace, though not crucial) and resuming over and over, it took around one minute to load everything!

Sometimes I'm getting "Invalidating non-flushed cache!" error though when doing that.