http://bugs.winehq.org/show_bug.cgi?id=7649
------- Additional Comments From focht@gmx.net 2007-21-03 15:44 -------
Created an attachment (id=5477) --> (http://bugs.winehq.org/attachment.cgi?id=5477&action=view) native xp strace of app
Hello,
Interesting app, from a reverser's point of view :). Lots of anti-debugging tricks which make this stuff a pain to debug (even more so with a half-working ollydbg on wine).
The stack overflow exception is on purpose (e.g. recursive calling), probably to hide the real cause (and to misguide any debugger).
I did a system-level strace on *native* windows xp. Nothing suspicious (taking the anti-debugging countermeasures into account).
You can "synchronize" the native windows strace and wine trace by searching for:
------ snip native xp strace ----
2549 3756 3340 NtAddAtom ("W\0n\0d\0P\0r\0o\0c\0P\0t\0r\00\00\04\00\00\00\00\00\00\00\00\00\00\0D\00\0C\0", 52, 1244948, ... ) == 0x0
2550 3756 3340 NtUserGetDC (0, ... ) == 0x9501119f
2551 3756 3340 NtUserCallOneParam (-1795092065, 57, ... ) == 0x1
2552 3756 3340 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
2553 3756 3340 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16711680, 1048576, ) == 0x0
------ snip native xp strace ----
wine (attached wine w2k one):
------ snip wine trace ----
0009:Call kernel32.GlobalAddAtomA(0033fe98 "WndProcPtr0040000000000009") ret=0045e727
0009:Ret kernel32.GlobalAddAtomA() retval=0000c032 ret=0045e727
0009:Call user32.GetDC(00000000) ret=004833e5
0009:Call winex11.drv.GetDCEx(00010020,00000000,00000003) ret=7ead60bf
0009:Ret winex11.drv.GetDCEx() retval=000002e4 ret=7ead60bf
0009:Ret user32.GetDC() retval=000002e4 ret=004833e5
0009:Call gdi32.GetDeviceCaps(000002e4,0000000c) ret=004833ef
0009:Ret gdi32.GetDeviceCaps() retval=00000018 ret=004833ef
0009:Call gdi32.GetDeviceCaps(000002e4,0000000e) ret=004833f9
0009:Ret gdi32.GetDeviceCaps() retval=00000001 ret=004833f9
0009:Call user32.ReleaseDC(00000000,000002e4) ret=00483419
0009:Call winex11.drv.ReleaseDC(00000000,000002e4,00000000) ret=7ead5b45
0009:Ret winex11.drv.ReleaseDC() retval=00000001 ret=7ead5b45
0009:Ret user32.ReleaseDC() retval=00000001 ret=00483419
------ snip wine trace ----
The user32 calls before stack overflow are ok.
------ snip ----
0009:Call user32.LoadStringA(00400000,0000ff02,0033faa4,00000400) ret=00405c5e
0009:Ret user32.LoadStringA() retval=0000000f ret=00405c5e
0009:Call user32.CharLowerBuffA(00971870 "jpg",00000003) ret=00408d37
0009:Ret user32.CharLowerBuffA() retval=00000003 ret=00408d37
err:seh:setup_exception stack overflow 12 bytes in thread 0009 eip 007a85a0 esp 00230ff4 stack 0x231000-0x340000
------ snip ----
After the last user32 call, before the exception, there is a large block of anti-debugging stuff. There is no further system call made. Something is probably happening there. "NtCreateEvent" and "NtAllocateVirtualMemory" are never reached, nor is the thread creation that follows.
Regards
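The synchronisation step described in the comment above, done mechanically, as an added example that is not code from the bug report, from Wine or from the traced application. The script parses the two trace formats quoted in the comment (Wine `+relay` lines and the native NT syscall trace), pairs the traces at the anchor calls the comment uses (GlobalAddAtomA with NtAddAtom, GetDC with NtUserGetDC; the `API_TO_SYSCALL` table is an assumption of the example, not Wine's), lists the native syscalls past the last common point as candidates the Wine run never reached, names the last Win32 entry point logged before the `err:seh:setup_exception` line, and recomputes the overflow depth from the esp and stack figures in that line. The sample traces are constructed from the snips quoted above.

```python
"""Correlate a Wine +relay trace with a native NT syscall trace by anchor calls (added example)."""
import re
from dataclasses import dataclass

# Assumed Win32 API -> NT syscall pairs; only the two anchors the comment relies on.
API_TO_SYSCALL = {"GlobalAddAtomA": "NtAddAtom", "GetDC": "NtUserGetDC"}

# Constructed sample input, shaped after the traces quoted in the bug comment.
NATIVE_STRACE = """\
2549 3756 3340 NtAddAtom ("W\\0n\\0d\\0P\\0r\\0o\\0c\\0P\\0t\\0r\\0...", 52, 1244948, ... ) == 0x0
2550 3756 3340 NtUserGetDC (0, ... ) == 0x9501119f
2551 3756 3340 NtUserCallOneParam (-1795092065, 57, ... ) == 0x1
2552 3756 3340 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
2553 3756 3340 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16711680, 1048576, ) == 0x0
"""
WINE_RELAY = """\
0009:Call kernel32.GlobalAddAtomA(0033fe98 "WndProcPtr0040000000000009") ret=0045e727
0009:Ret  kernel32.GlobalAddAtomA() retval=0000c032 ret=0045e727
0009:Call user32.GetDC(00000000) ret=004833e5
0009:Call winex11.drv.GetDCEx(00010020,00000000,00000003) ret=7ead60bf
0009:Ret  winex11.drv.GetDCEx() retval=000002e4 ret=7ead60bf
0009:Ret  user32.GetDC() retval=000002e4 ret=004833e5
0009:Call user32.LoadStringA(00400000,0000ff02,0033faa4,00000400) ret=00405c5e
0009:Ret  user32.LoadStringA() retval=0000000f ret=00405c5e
0009:Call user32.CharLowerBuffA(00971870 "jpg",00000003) ret=00408d37
0009:Ret  user32.CharLowerBuffA() retval=00000003 ret=00408d37
err:seh:setup_exception stack overflow 12 bytes in thread 0009 eip 007a85a0 esp 00230ff4 stack 0x231000-0x340000
"""

# Relay lines: "tid:Call mod.Func(args) ret=addr" and "tid:Ret mod.Func() retval=v ret=addr".
RELAY_CALL = re.compile(r"^(?P<tid>[0-9a-f]{4}):Call\s+(?P<target>[\w.]+)\((?P<args>.*)\)\s+ret=(?P<ret>[0-9a-f]+)$")
RELAY_RET = re.compile(r"^(?P<tid>[0-9a-f]{4}):Ret\s+(?P<target>[\w.]+)\(\)\s+retval=(?P<retval>[0-9a-f]+)\s+ret=(?P<ret>[0-9a-f]+)$")
SEH_OVERFLOW = re.compile(r"^err:seh:setup_exception stack overflow (?P<bytes>\d+) bytes in thread (?P<tid>[0-9a-f]+) "
                          r"eip (?P<eip>[0-9a-f]+) esp (?P<esp>[0-9a-f]+) stack 0x(?P<lo>[0-9a-f]+)-0x(?P<hi>[0-9a-f]+)$")
# Native strace lines: "seq pid tid NtFunc (args) == result".
NATIVE_CALL = re.compile(r"^(?P<seq>\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<func>Nt\w+)\s*\((?P<args>.*)\)\s*==\s*(?P<result>0x[0-9a-fA-F]+)$")

@dataclass
class RelayEvent:
    kind: str      # "call" or "ret"
    module: str
    func: str
    retval: str = ""

@dataclass
class NativeCall:
    seq: int
    func: str
    result: int

@dataclass
class StackFault:
    eip: int
    esp: int
    stack_lo: int
    stack_hi: int
    reported_bytes: int   # the byte count Wine printed in the seh line

def parse_relay(text):
    """Return (relay events logged before the fault, StackFault or None)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := RELAY_CALL.match(line):
            mod, func = m["target"].rsplit(".", 1)      # module may itself contain dots (winex11.drv)
            events.append(RelayEvent("call", mod, func))
        elif m := RELAY_RET.match(line):
            mod, func = m["target"].rsplit(".", 1)
            events.append(RelayEvent("ret", mod, func, m["retval"]))
        elif m := SEH_OVERFLOW.match(line):
            return events, StackFault(int(m["eip"], 16), int(m["esp"], 16),
                                      int(m["lo"], 16), int(m["hi"], 16), int(m["bytes"]))
    return events, None

def parse_native(text):
    return [NativeCall(int(m["seq"]), m["func"], int(m["result"], 16))
            for m in map(NATIVE_CALL.match, (ln.strip() for ln in text.splitlines())) if m]

def find_anchors(events, native, mapping=API_TO_SYSCALL):
    """Pair each mapped Win32 call, in order, with the next matching native syscall.
    Returns (relay_index, native_index) tuples: the points where both traces agree."""
    anchors, n = [], 0
    for i, ev in enumerate(events):
        if ev.kind != "call" or ev.func not in mapping:
            continue
        while n < len(native) and native[n].func != mapping[ev.func]:
            n += 1
        if n == len(native):
            break
        anchors.append((i, n))
        n += 1
    return anchors

def native_calls_after_last_anchor(events, native, mapping=API_TO_SYSCALL):
    """Native syscalls past the last sync point: candidates the Wine run never reached."""
    anchors = find_anchors(events, native, mapping)
    start = anchors[-1][1] + 1 if anchors else 0
    return [c.func for c in native[start:]]

def last_call_before_fault(events):
    """Last Win32 entry point Wine logged before the exception line."""
    return next((f"{e.module}.{e.func}" for e in reversed(events) if e.kind == "call"), None)

def overflow_depth(fault):
    """How far esp had fallen below the committed stack when Wine raised the exception."""
    return fault.stack_lo - fault.esp

if __name__ == "__main__":
    events, fault = parse_relay(WINE_RELAY)
    native = parse_native(NATIVE_STRACE)
    for i, n in find_anchors(events, native):
        print(f"sync: {events[i].module}.{events[i].func} <-> #{native[n].seq} {native[n].func}")
    print("native syscalls past last sync point:", native_calls_after_last_anchor(events, native))
    print("last Win32 call before fault:", last_call_before_fault(events))
    if fault:
        print(f"esp {fault.esp:#x} is {overflow_depth(fault)} bytes below stack base {fault.stack_lo:#x}"
              f" (wine reported {fault.reported_bytes})")
```

On the quoted traces the two sync points fall on NtAddAtom and NtUserGetDC, the three native calls after them (NtUserCallOneParam, NtCreateEvent, NtAllocateVirtualMemory) are the ones with no later counterpart in the Wine log, the last relay call is user32.CharLowerBuffA, and 0x231000 minus 0x230ff4 is exactly the 12 bytes Wine reported, which is what one expects from a deliberate recursion rather than a stray pointer.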