Anti Debugging ??


LOUZEW
March 5th, 2005, 13:00
Hi, all
I've unpacked an ASProtected app (***) and it works fine, but when I run it with SoftICE active, I have a big problem when shutting down this app.
An ***.exe process stays active and occupies 99% CPU time. I think it's an anti-debugging trick; I've searched for common issues, searched on this board too, but I can't find anything.

Note: this problem doesn't appear when I'm debugging with Olly; the process is killed when I close Olly!

Does anybody have an idea?

Thanks in advance

disavowed
March 5th, 2005, 13:05
Read the FAQ: http://www.woodmann.com/fravia/rce-faq.htm

LOUZEW
March 5th, 2005, 15:36
Hi, disavowed!
I think you are pointing to this part of the rules:
Quote:
DO NOT POST TARGET SPECIFIC CODE THAT INCLUDES THE NAME OF THE TARGET: this means do not post code that shows where and how to patch/keygen blah blah blah on a specific target. Keep your code snippets as generic as possible while explaining your problem.


I know this rule, but if you read my post carefully, you can see that I never posted any SPECIFIC RELATED CODE for this app, so I think I can post the target name, no?

Kayaker
March 5th, 2005, 19:03
Hi

I don't really see a need to name the target at all. What would that result in? Say by chance you've discovered a new trick, though I see no logic at all in such an 'anti' tactic. We're talking about the usually straightforward *exit* process here. Well, this is a reversing board, so reverse it! wm_close, wm_destroy,... You should be able to find out where it's hanging at least, if not why. Then tell us there's something to get excited about.

Regards,
Kayaker

disavowed
March 5th, 2005, 19:57
Quote:
[Originally Posted by LOUZEW]Hi, disavowed!
I think you are pointing to this part of the rules:


I know this rule, but if you read my post carefully, you can see that I never posted any SPECIFIC RELATED CODE for this app, so I think I can post the target name, no?

I stand corrected

LOUZEW
March 6th, 2005, 14:33
Hi, guys!
First of all, I have to say to KAYAKER that the target name is not an important thing; I gave it here as an example only!

Finally, my problem was not the app itself but DS 3.2.
In fact, my unpacked target works fine, but SoftICE had a bug after updating Windows XP (inline) with the latest updates available.
The first app loaded under DS (or run with DS active) doesn't exit correctly, and an app-related process stays in memory using 99% CPU time. In this case, if I load a second app under SoftICE, that one exits correctly.
I've tried to reload the Compuware patch (OSINFO.DAT); nothing doing.
Tried to re-install DS 3.1; same thing.
For now, I haven't found any solution, and I don't want to reinstall my whole system.

I'll let you know if I find anything!

Peace.

Kayaker
March 6th, 2005, 20:40
Oh, I know LOUZEW, you've been around long enough to know which end is up, and that the target had nothing to do with the question; it simply wasn't necessary, that's all. Nor did I want to encourage a dump/OEP discussion...


There could very well be issues with the OSINFO.dat files after the latest MS updates; that does seem to happen. But on the other hand, there may simply be some weird glitch in your dump. If nothing else seems to fail, then you probably know the answer.

You say,

> In this case if i load a second app under softice, this one exit correctly.

Do you mean a 2nd instance of the hung app while the CPU is still looping on the 1st?
In this case the target name may be important ;-)
ART.exe doesn't allow a 2nd instance of itself. It uses a mutex named App_Art to prevent this, which you can see in WinObj, or from the OpenMutexA call near the start of the code. If, as you say, you can open a 2nd instance, then logically this mutex *must not exist* on the system, as seen by WinObj. Otherwise the initialization of the 2nd app should fail, as it's designed to. The mutex will be deleted sometime during ExitProcess by the system, if not explicitly with CloseHandle.

In other words, check if the mutex exists when your app is hung. If it doesn't exist, then this hang is *very, very* late in the overall exit process, and may be stack related. If it does exist, check if Art normally allows more than one instance. If not, then it seems like you've done the impossible.

Luck,
Kayaker

LOUZEW
March 7th, 2005, 16:52
Quote:
[Originally Posted by Kayaker]

Do you mean a 2nd instance of the hung app while the CPU is still looping on the 1st?
In this case the target name may be important ;-)


Many thanks for your response, Kayaker, but I'm 99% sure that my problem is not ART itself but DS.
It's not a second instance of the hung app but another app. Moreover, any app loaded in SoftICE hangs when exiting.

Tried to reinstall XP SP2 (without the latest updates) on another computer; in this case DS works fine, but when I apply the latest updates, the problem appears again.
I think it's a problem with one of the latest updates!

LOUZEW
March 11th, 2005, 12:11
YES guys, I found it!

Problem with the Microsoft KB867282 update. When you update your XP with this package, SoftICE hangs your system.
Compuware hasn't released an OSINFO.DAT for this XP update; we have to wait for it or remove this XP update package (which is what I've done).

Quote:
FOR JMI or any ADMINISTRATOR

Maybe this thread can be moved to the "Tools of our Trade (TOT) Messageboard" as DS 3.2 troubleshooting!