Results 1 to 6 of 6

Thread: Olydbg and thousands events per second

  1. #1

    Olydbg and thousands events per second

    I'm trying to debug an application that uses QT GUI library. The problem is that I can't even start debugging as ollydbg seems to be processing ~1k events per second where in stack trace I see all of them running inside QT. The application has very fancy GUI (blending, custom window and buttons etc) and perhaps that is what hangs the debugger as it tries to process all this. Can I somehow force olly to skip or ignore these events?

    This happens with every larger application (Even those without QT, written in VB6)


    [url]http://reverseengineering.stackexchange.com/questions/3828/ollydbg-and-hundreds-of-events-under-qt-gui
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    1 k events should not make any differnce ollydbg is capable of handling far far more than that

    Note that status changes to "Tracing" and status bar blinks displaying something like "120672 events per second".

    OllyDbg usually traces 300,000 to 600,000 commands per second.
    i that blinking is a hinderance disable it (options->events->uncheck warn on frequent events check box )

    alt+o

  3. #3
    Quote Originally Posted by blabberer View Post
    1 k events should not make any differnce ollydbg is capable of handling far far more than that


    i that blinking is a hinderance disable it (options->events->uncheck warn on frequent events check box )

    alt+o
    Thanks for the reply.
    Yet the foreground application that is being debugged hangs. QT udd file is over 50MB big, perhaps this is expected then and I should wait patiently until it's done forming it?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    first off all ensure you have no leftover stray memory breakpoints ollydbg will blink only if it is processing some debug events

    running with with f9 should not make it process any event at all

    you can disable auto analysis of all modules and opt for manual analysis as and when needed

    again it is in alt+o

    you can disable Debugging data loading (or stop all the pdb symbols requests sent to from ms symbol server )

    these all could speed up the startup of a large binary

    i have an 82 mb udd file of microsoft excel.exe and ollydbg doesnt stall loading or analysing it
    i just loaded it before replying

    loaded excel in a jiffy set a bp on mso#3087 and clicked a cell in excel to break all under a minute max

    Code:
    Call stack of main thread
    Stack     Data              Procedure                                     Called from                                                 Frame
    0013F828  3036DAAD          EXCEL.3013F050                                EXCEL.3036DAA8
    0013F85C  30799651          EXCEL.3036DA72                                EXCEL.3079964C
    0013F9D4  303A68AF          EXCEL.30797EA4                                EXCEL.303A68AA
    0013FA94  30016869          ???                                           EXCEL.30016866
    0013FB7C  30016767          EXCEL.30016796                                EXCEL.30016762
    0013FB9C  7E418734          ???                                           USER32.InternalCallWinProc+25
    0013FBC8  7E418816          USER32.InternalCallWinProc                    USER32.UserCallWinProcCheckWow+0B2
    0013FC30  7E42A013          USER32.UserCallWinProcCheckWow                USER32.CallWindowProcAorW+4C
    0013FC60  7E42A039          USER32.CallWindowProcAorW                     USER32.CallWindowProcW+16
    0013FC80  32650ACD          USER32.CallWindowProcW                        mso.32650AC7
    0013FCB8  7E418734          ???                                           USER32.InternalCallWinProc+25
    0013FCE4  7E418816          USER32.InternalCallWinProc                    USER32.UserCallWinProcCheckWow+0B2
    0013FD4C  7E4189CD          USER32.UserCallWinProcCheckWow                USER32.DispatchMessageWorker+0D7
    0013FDAC  7E418A10          USER32.DispatchMessageWorker                  USER32.DispatchMessageW+0A
    0013FDBC  30027AF5          USER32.DispatchMessageW                       EXCEL.30027AEF
    0013FDE0  3002771F          EXCEL.30027A6A                                EXCEL.3002771A
    0013FEC4  30003AD8          EXCEL.30026B30                                EXCEL.30003AD3
    0013FF34  300037EC          EXCEL.30003802                                EXCEL.300037E7
    0013FFC4  7C817077          ???                                           kernel32.BaseProcessStart+20


    Code:
    C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201\odbg201>ls -lah EXCEL.udd
    -rw-rw-rw-  1 Admin 0 81M 2014-03-25 12:56 EXCEL.udd

  5. #5
    Thanks for the replies.
    So you were able to run Excel in around one minute. That's large binary as you said and I wish I could get such good time.

    I tried to run TeamSpeak 3 x86 client and I waited 20 minutes until I gave up.

    I recorded a video on how it looked like so that you can see yourself. At 11:30 I'm restarting it (became unpatient) but I end up in the same place. After I stopped recording I let it run but only couple threads have changed, GUI didn't even show up nor tray icon.
    https://www.youtube.com/watch?v=zgpcoLbgR70
    https://www.youtube.com/watch?v=ApEfMAq5Ewc

    Thanks!
    Last edited by Morfi; April 5th, 2014 at 02:28.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    Now I'm trying to run windows messenger and it's already 1:30h I'm waiting but it's not hang. It's still processing and *something* is happening.

    And no, I don't run 64Mhz I'm on i7

    edit: I also realized that if I pause the execution then discard the hit trace and continue, it speeds up drastically (for a short while).
    But for some reason it ALWAYS log the hit trace (even if I don't ask for it)
    Confirmed (I'm not sure if it's a coincidence though) after I was constantly pausing, after discarding hit trace (and possibly clear trace - tho not crucial), resume over and over it took around one minute to load everything!

    Sometimes I'm getting "Invalidating non-flushed cache!" error though when doing that.
    Last edited by Morfi; April 5th, 2014 at 17:03.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. how to intercept debug events in a debugged proces
    By Lord_Looser in forum OllyDbg Support Forums
    Replies: 2
    Last Post: February 28th, 2004, 15:42

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •