[Bug 7649] DipTrace 1.3 fails to start.

Wine Bugs wine-bugs at winehq.org
Wed Mar 21 15:44:10 CDT 2007


http://bugs.winehq.org/show_bug.cgi?id=7649





------- Additional Comments From focht at gmx.net  2007-21-03 15:44 -------
Created an attachment (id=5477)
 --> (http://bugs.winehq.org/attachment.cgi?id=5477&action=view)
native xp strace of app

Hello,

Interesting app - from a reverser's point of view :).
Lots of anti-debugging tricks which make this stuff a pain to debug (even more
so with a half-working OllyDbg on Wine).

The stack overflow exception is on purpose (e.g. recursive calling), probably to
hide the real cause (and to misguide any debugger).

I did a system-level strace on *native* Windows XP.
Nothing suspicious (taking the anti-debugging countermeasures into account).

You can "synchronize" the native Windows strace and the Wine trace by searching
for:

------ snip native xp strace ----
2549 3756 3340 NtAddAtom ("W\0n\0d\0P\0r\0o\0c\0P\0t\0r\00\00\04\00\00\00\00\00\00\00\00\00\00\0D\00\0C\0", 52, 1244948, ... ) == 0x0
2550 3756 3340 NtUserGetDC (0, ... ) == 0x9501119f
2551 3756 3340 NtUserCallOneParam (-1795092065, 57, ... ) == 0x1
2552 3756 3340 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
2553 3756 3340 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16711680, 1048576, ) == 0x0
------ snip native xp strace ----

Wine (the attached Wine w2k one):

------ snip wine trace ----
0009:Call kernel32.GlobalAddAtomA(0033fe98 "WndProcPtr0040000000000009") ret=0045e727
0009:Ret  kernel32.GlobalAddAtomA() retval=0000c032 ret=0045e727
0009:Call user32.GetDC(00000000) ret=004833e5
0009:Call winex11.drv.GetDCEx(00010020,00000000,00000003) ret=7ead60bf
0009:Ret  winex11.drv.GetDCEx() retval=000002e4 ret=7ead60bf
0009:Ret  user32.GetDC() retval=000002e4 ret=004833e5
0009:Call gdi32.GetDeviceCaps(000002e4,0000000c) ret=004833ef
0009:Ret  gdi32.GetDeviceCaps() retval=00000018 ret=004833ef
0009:Call gdi32.GetDeviceCaps(000002e4,0000000e) ret=004833f9
0009:Ret  gdi32.GetDeviceCaps() retval=00000001 ret=004833f9
0009:Call user32.ReleaseDC(00000000,000002e4) ret=00483419
0009:Call winex11.drv.ReleaseDC(00000000,000002e4,00000000) ret=7ead5b45
0009:Ret  winex11.drv.ReleaseDC() retval=00000001 ret=7ead5b45
0009:Ret  user32.ReleaseDC() retval=00000001 ret=00483419
------ snip wine trace ----

The user32 calls before the stack overflow are OK.

------ snip ----
0009:Call user32.LoadStringA(00400000,0000ff02,0033faa4,00000400) ret=00405c5e
0009:Ret  user32.LoadStringA() retval=0000000f ret=00405c5e
0009:Call user32.CharLowerBuffA(00971870 "jpg",00000003) ret=00408d37
0009:Ret  user32.CharLowerBuffA() retval=00000003 ret=00408d37
err:seh:setup_exception stack overflow 12 bytes in thread 0009 eip 007a85a0 esp 00230ff4 stack 0x231000-0x340000
------ snip ----

After the last user32 call, before the exception, there is a large block of
anti-debugging stuff.
No further system call is made.
Something is probably happening there.
"NtCreateEvent" and "NtAllocateVirtualMemory" are never reached, nor is the
thread creation that follows them.

Regards

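The "synchronize on the WndProcPtr atom" step from the comment above, as an added example (not code from the bug report, from Wine, or from the reporter). The native trace prints the atom name as a UTF-16 wide string with `\0` escapes while the Wine relay trace shows the ANSI GlobalAddAtomA call, so the script decodes the wide string, aligns both traces on that event, and lists what each trace does afterwards. Assumptions, not stated in the report: the three leading columns of the native trace are sequence number, process id and thread id, and the last eight hex digits of the atom name are the thread id (0xD0C = 3340 natively, 0009 under Wine), so they are ignored when matching. The two sample traces are constructed from the lines quoted in the comment.

```python
"""Align a native Windows syscall trace with a Wine +relay trace on the
WndProcPtr atom registration. Added example; traces below are constructed
from the excerpts in the bug comment, with the mail-wrapped lines rejoined.
"""
import re

# Constructed sample: native XP strace. Assumed column layout: sequence
# number, process id, thread id, syscall, arguments, result.
NATIVE_TRACE = r"""2549 3756 3340 NtAddAtom ("W\0n\0d\0P\0r\0o\0c\0P\0t\0r\00\00\04\00\00\00\00\00\00\00\00\00\00\0D\00\0C\0", 52, 1244948, ... ) == 0x0
2550 3756 3340 NtUserGetDC (0, ... ) == 0x9501119f
2551 3756 3340 NtUserCallOneParam (-1795092065, 57, ... ) == 0x1
2552 3756 3340 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
2553 3756 3340 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16711680, 1048576, ) == 0x0
"""

# Constructed sample: Wine relay trace (WINEDEBUG=+relay) excerpt.
WINE_TRACE = """0009:Call kernel32.GlobalAddAtomA(0033fe98 "WndProcPtr0040000000000009") ret=0045e727
0009:Ret  kernel32.GlobalAddAtomA() retval=0000c032 ret=0045e727
0009:Call user32.GetDC(00000000) ret=004833e5
0009:Ret  user32.GetDC() retval=000002e4 ret=004833e5
0009:Call gdi32.GetDeviceCaps(000002e4,0000000c) ret=004833ef
0009:Ret  gdi32.GetDeviceCaps() retval=00000018 ret=004833ef
0009:Call user32.ReleaseDC(00000000,000002e4) ret=00483419
0009:Ret  user32.ReleaseDC() retval=00000001 ret=00483419
"""

NATIVE_RE = re.compile(r'^(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s+\((.*)\)\s+==\s+(\S+)$')
WINE_RE = re.compile(r'^([0-9a-f]{4}):(Call|Ret)\s+([\w.]+)\((.*)\)\s*(.*)$')
STRING_RE = re.compile(r'"([^"]*)"')
# Assumption: "WndProcPtr" + 8 hex digits (module base) + 8 hex digits (thread id).
WNDPROC_ATOM = re.compile(r'^(WndProcPtr[0-9A-Fa-f]{8})([0-9A-Fa-f]{8})$')


def decode_wide(escaped):
    """Turn an strace-style wide string ("W\\0n\\0d\\0...") back into text.
    Each "\\0" is one NUL byte. Do not use the unicode_escape codec here:
    it would read "\\00" as a single octal escape and swallow the '0' digit."""
    raw = escaped.replace("\\0", "\x00").encode("latin-1")
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_native(text):
    events = []
    for line in text.splitlines():
        m = NATIVE_RE.match(line.strip())
        if m:
            seq, pid, tid, name, args, result = m.groups()
            events.append({"seq": int(seq), "pid": int(pid), "tid": int(tid),
                           "name": name, "args": args, "result": result})
    return events


def parse_wine(text):
    events = []
    for line in text.splitlines():
        m = WINE_RE.match(line.strip())
        if m:
            tid, kind, name, args, rest = m.groups()
            events.append({"tid": tid, "kind": kind, "name": name,
                           "args": args, "rest": rest})
    return events


def atom_name(event):
    """The atom an event registers, or None: NtAddAtom carries a wide string,
    GlobalAddAtomA an ANSI one."""
    m = STRING_RE.search(event["args"])
    if event["name"] == "NtAddAtom":
        return decode_wide(m.group(1)) if m else None
    if event.get("kind") == "Call" and event["name"].endswith(".GlobalAddAtomA"):
        return m.group(1) if m else None
    return None


def sync_key(atom):
    """Match key: the atom without its trailing thread-id digits (assumed)."""
    m = WNDPROC_ATOM.match(atom or "")
    return m.group(1) if m else None


def find_sync_point(native, wine):
    """(native_index, wine_index) of the shared WndProcPtr registration, or None."""
    native_keys = {i: sync_key(atom_name(e)) for i, e in enumerate(native)}
    for j, e in enumerate(wine):
        key = sync_key(atom_name(e))
        if key is not None:
            for i, k in native_keys.items():
                if k == key:
                    return i, j
    return None


def native_after(native, i):
    return [e["name"] for e in native[i + 1:]]


def wine_calls_after(wine, j):
    return [e["name"] for e in wine[j + 1:] if e["kind"] == "Call"]


def unmatched_native(native, wine, i, j):
    """Coarse check: native syscalls after the sync point whose stem (name minus
    the Nt/NtUser prefix) is not the function part of any later Wine Call.
    Only syscalls whose Win32 entry point shares the stem can match
    (NtUserGetDC vs user32.GetDC), so read the result as a list to inspect."""
    wine_stems = {w.split(".")[-1] for w in wine_calls_after(wine, j)}
    return [n for n in native_after(native, i)
            if re.sub(r'^Nt(User)?', '', n) not in wine_stems]


if __name__ == "__main__":
    native, wine = parse_native(NATIVE_TRACE), parse_wine(WINE_TRACE)
    i, j = find_sync_point(native, wine)
    print("sync: native seq %d %r <-> wine event %d %r"
          % (native[i]["seq"], atom_name(native[i]), j, atom_name(wine[j])))
    print("native after sync:", native_after(native, i))
    print("wine calls after sync:", wine_calls_after(wine, j))
    print("native syscalls with no relay counterpart:", unmatched_native(native, wine, i, j))
```

On the sample traces the sync point is the first event of each, and the unmatched list is NtUserCallOneParam, NtCreateEvent and NtAllocateVirtualMemory. The last two are the syscalls the comment says are never reached under Wine; NtUserCallOneParam appears only because it is issued from inside user32 and so has no relay-level entry, which is the limit of the stem heuristic.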