
Win2K problem


crUsAdEr
March 17th, 2002, 01:34
Argh...

I am getting tired of this. On my win 2k box, I do not have icedump, so every time I want to dump I have to do the "jmp eip" trick to freeze the prog, then load procdump to dump it... the thing is that while on win 98 last time, I did not have a significant degradation of the system speed... however on win2k, my box almost freezes, becomes extremely slow. I usually use Task Manager to set thread priority to low; most of the time it works, but sometimes the frozen prog still hogs up CPU cycles and it can take like 10 min to load up procdump... such a pain...

For those who are using win2k out there, is there any other trick to stop the frozen prog from hogging my CPU cycles???

Thanx a lot,

DakienDX
March 17th, 2002, 01:40
Hello binh81 !

I don't know how it is called in english, but there is an option called "Acceleration Of Foreground Applications" or similar. You should find it by pressing WIN+BREAK (properties of system). Set it to 0% and it should be fine.

crUsAdEr
March 17th, 2002, 04:56
Hi Dakien,

I have not been able to find that "Acceleration Of Foreground Applications" option to set it to 0%... I have only found

Optimize performance option for
[X ]Application [ ]Background Service

I tried changing these 2 values but they don't help much... in fact if I change to Background services, it seems even slower when I freeze the prog with jmp eip..

Can you tell me more specifically how to access that option you are referring to...

Windows is such a pain, the help system is crap... all these features are not documented, or documented in a way that makes it impossible to find where they are????

Thanx,

DakienDX
March 17th, 2002, 08:54
Hello binh81 !

Actually the option exists on WinNT, I've never tried to find it on Win2K.
But since the whole world claims Win2K is the successor of WinNT, I thought there might be a similar option.
And at least the option works in WinNT.

foxthree
March 17th, 2002, 11:34
Hi binh:

Like the subject line goes

However, I *do not* think this is possible on Win2K. Esp. because the thread quanta alloc scheme in the scheduler has been re-designed between NT and 2K (explaining the missing Foreground Accel option). Actually, it is supposed to happen "automagically" under 2K. Anyway, JMP EIP puts the app in a tight loop which "automagically" consumes 100% CPU cycles.

You can try that with a small Win32 Proggie which does while(1) and see the CPU spike!

However (and I'm just talking off my head here), there was an article in MSJ which talked about limiting CPU utilization of a process to say max 30% (I'd implemented this in one of my proggies actually and it worked). You might want to run this before dumping your process.

Try it and see if it helps (I think the prog name was CPUHog)!

Signed,
-- FoxThree

tsehp
March 17th, 2002, 14:08
and now for a little adv...

download rv and use its tracer, you can locate eip with it, it will then freeze the app without taking any cpu resources.
you just dump it with procdump and you're done.

crUsAdEr
March 17th, 2002, 20:44
Hi tsehp,

Thanx for the "little advice" :>... yeah, RV is great, I sometimes wanna learn what is going on inside the program, not just the crack... Also, RV can't substitute softice yet to unpack stuff till it has breakpoint features, memory access to allow patching; it can't unpack Armadillo yet :>...

Just a random thought :>....

Fox3, shall check out the prog :>

Thanx guys,

Stone()
March 18th, 2002, 10:00
I tried the tracer with some Asprotect programs using the same addresses I normally use for the tracex, but the tracer stops nearly immediately (at the asprotect entry?) and the PE-Dump button remains always greyed out.

Am I doing something wrong?

crUsAdEr
March 18th, 2002, 12:06
Hi Stone,

read revirgin manual on how to use trace again :>

Cheers,

Stone()
March 18th, 2002, 12:52
Well, well, you got me here. Bad habit of mine. From time to time I should read some manuals.

Thanks.

Stone()
March 20th, 2002, 10:00
In the end it was not my not reading the manual: RV's tracer does not work on my W2K box, but it works with my ME installation.

Furthermore when fixing a dumped file it works on W2K, but on ME it scrambles the file.

Having all resolved I create it.bin on W2K and get a size of
9,362 and on Me 9,330, loading the same resolved text.

?

Solomon
March 20th, 2002, 10:39
Here is another way to "freeze" your applications besides "jmp eip". I posted it in this forum a long time ago.

replace JMP EIP with the following:

push 7FFFFFFF          ; dwMilliseconds argument: 0x7FFFFFFF ms is roughly 24.8 days, effectively forever
call kernel32!sleep    ; Sleep() blocks the calling thread, so it is not scheduled and burns no CPU

Then your target will sleep forever and cost no CPU.

foxthree
March 20th, 2002, 12:14
Doh! Yes

Sleep(INFINITE) puts the thread into a non-schedulable state so that it is not taken into consideration for scheduling and hence the effect... Pretty cool, Solomon

Signed,
-- FoxThree
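The scheduling difference foxthree and Solomon describe (a thread spinning in a tight loop like `jmp eip` or `while(1)` is always runnable and consumes its full quanta, while a thread blocked in `Sleep()` is taken off the run queue and costs nothing) can be measured directly. The following C program is an added example, not code from this thread or from any of the tools mentioned in it. It "freezes" the calling thread both ways for a fixed wall-clock interval and reports the CPU time each cost; the durations are constructed for the demo, the Win32 branch uses `Sleep`/`GetProcessTimes`, and the POSIX branch uses `nanosleep`/`clock()`.

```c
/* Added example: CPU cost of a busy-loop "freeze" vs. a blocking Sleep().
 * Portable C with a small Win32/POSIX shim. Durations are constructed. */
#ifndef _WIN32
#  define _POSIX_C_SOURCE 200809L   /* for clock_gettime / nanosleep */
#endif
#include <stdio.h>
#include <time.h>

#ifdef _WIN32
#  define WIN32_LEAN_AND_MEAN
#  include <windows.h>
#else
#  include <errno.h>
#endif

/* Wall-clock seconds, used only to bound how long each experiment runs. */
static double wall_now(void)
{
    struct timespec ts;
#ifdef _WIN32
    timespec_get(&ts, TIME_UTC);
#else
    clock_gettime(CLOCK_MONOTONIC, &ts);
#endif
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* CPU seconds (user + kernel) consumed by this process so far.
 * On POSIX clock() is process CPU time; on Windows clock() is wall time,
 * so GetProcessTimes is used there instead. */
static double cpu_now(void)
{
#ifdef _WIN32
    FILETIME create, exit_t, kernel, user;
    ULARGE_INTEGER k, u;
    GetProcessTimes(GetCurrentProcess(), &create, &exit_t, &kernel, &user);
    k.LowPart = kernel.dwLowDateTime; k.HighPart = kernel.dwHighDateTime;
    u.LowPart = user.dwLowDateTime;   u.HighPart = user.dwHighDateTime;
    return (double)(k.QuadPart + u.QuadPart) / 1e7;   /* 100 ns units */
#else
    return (double)clock() / CLOCKS_PER_SEC;
#endif
}

/* Block the calling thread for `seconds`: this is Solomon's Sleep() case. */
static void block_for(double seconds)
{
#ifdef _WIN32
    Sleep((DWORD)(seconds * 1000.0));
#else
    struct timespec req, rem;
    req.tv_sec  = (time_t)seconds;
    req.tv_nsec = (long)((seconds - (double)req.tv_sec) * 1e9);
    while (nanosleep(&req, &rem) == -1 && errno == EINTR)
        req = rem;   /* a signal interrupted the sleep: finish the remainder */
#endif
}

/* Spin for `seconds` of wall time the way a thread stuck on `jmp eip` does;
 * returns the CPU seconds that cost (expected: close to `seconds`). */
double cpu_used_spinning(double seconds)
{
    volatile unsigned long spins = 0;   /* volatile: keep the loop body alive */
    double cpu0 = cpu_now();
    double deadline = wall_now() + seconds;
    while (wall_now() < deadline)
        spins++;
    return cpu_now() - cpu0;
}

/* Block for `seconds` of wall time inside a sleep; returns the CPU seconds
 * that cost (expected: close to zero, the thread is never scheduled). */
double cpu_used_sleeping(double seconds)
{
    double cpu0 = cpu_now();
    block_for(seconds);
    return cpu_now() - cpu0;
}

int main(void)
{
    const double wall = 1.0;   /* constructed demo duration, seconds */
    printf("spinning for %.1fs used %.3fs of CPU\n", wall, cpu_used_spinning(wall));
    printf("sleeping for %.1fs used %.3fs of CPU\n", wall, cpu_used_sleeping(wall));
    return 0;
}
```

On an idle machine the spinning figure approaches the wall interval while the sleeping figure stays near zero, which is exactly why a process parked in `Sleep()` leaves the rest of the system responsive for the dump tool, whereas one parked on `jmp eip` starves it.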