Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.

To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.

The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.

All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.

IDA x64 strange error

Questions concerning tools (other than OllyDbg) - IDA Pro, SoftIce, member contributions, etc.
<b>NOTE:</b> You must <b>always</b> make sure you cannot find what you are looking for in our <a href="/collaborative/tools">Collaborative RCE Tool Library</a> before asking for <b>any</b> tools that can do this or that though!
Locked
roocoon
Member
Posts: 58
Joined: Sun Apr 20, 2003 11:48 am

IDA x64 strange error

Post by roocoon »

Hello.

I hope somebody can explain the following IDA behaviour and suggest some solution.

This refers to IDA 6.1 running under Win7 x64. (No problems at all in 32-bit).
When I trace some 64-bit program (with lots of modules), most of the time I get one of the following error popups:

"oops! internal error 40208"

or

"irs_recv: The wait operation timed out."

If I use IDA 5.5 x64 instead, the message becomes:

"rpc event protocol error"

This is clearly a communication timeout but I have no idea where it comes from.
Only topic on it I found, pointed to armlinux_stub.plw which shouldn't apply to my case.
Also the title of an unreachable link refers to rpc_debmod.cpp which again should not apply.

Nothing in the system's event log and nothing obvious in IDA's log.
No blocking by the firewall and no difference if I disable the network controller.

It could relate to the module I'm modifying of course (but why IDA crashes?) but again I don't see anything.
No TLC in the module, I break when it loads and while I just look at it, I get the comms error.
The fact that it doesn't happen all the time, complicates it a bit.

I checked all the .NET Frameworks in the system and they are clean and properly registered.

What else could I be missing?

Thanks in advance for any pointers.
roocoon
Member
Posts: 58
Joined: Sun Apr 20, 2003 11:48 am

Post by roocoon »

I'm bringing this alive again.
I must say I find it surprising that nobody came across the irs_recv errors (or they did and didn't bother to comment maybe).
It should be a pretty common error if you debug 64-bit code.

Some related discussions about debugging cellular software, brought me to this:

http://social.msdn.microsoft.com/forums/en-US/windowscompatibility/thread/179b7738-d9fe-40fb-9014-f05f3cbfb34b/

Most of the errors disappeared after I signed IDA's debug server.

I still get them here and there but it could be some other piece of code (maybe non-IDA related) that has to be signed.
Unfortunately I have no way to find which one it is (there are dozens of loaded plugins on the platform I debug).

Anyway, I hope the above helps somebody.
User avatar
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

As Above

Post by Aimless »

I do not get them if I DO NOT USE my remote debugger.

Have Phun
Blame Microsoft, get l337 !!
roocoon
Member
Posts: 58
Joined: Sun Apr 20, 2003 11:48 am

Post by roocoon »

I know. Me neither.

But how can you debug 64-bit without remote debug? Even with the debug server running on the localhost (which is also considered 'remote'), the problem is still there.
roocoon
Member
Posts: 58
Joined: Sun Apr 20, 2003 11:48 am

Post by roocoon »

"irs_recv" returns!

This problem I've been having for some months, came back pretty soon after the initial improvement when I resigned the IDA remote server and a few other files.
I can't tell if it's some Windows update that reverts something, so I decided to try and fix it some other way.

According to the error message "irs_recv: The wait operation timed out" (and assuming the message is the proper one), some handshake times out.

I have no way to live trace with wireshark or anything else since the error happens after IDA code rebases that take way upwards of 30 minutes to over an hour and a half. I doubt my laptop could even handle the generated log.

Looking for "irs_recv" I came across rpc_engine.cpp in the IDA v6.1 SDK that had some related piece of code in it:
...
...
//#define DEBUG_NETWORK

#ifndef RECV_TIMEOUT_PERIOD
# define RECV_TIMEOUT_PERIOD 10000
#endif
...
// receives a buffer from the network
// this may block if polling is required, then virtual poll_events() is called
int rpc_engine_t::recv_all(void *ptr, int left, bool poll)
{
ssize_t code;
while ( true )
{
code = 0;
if ( left <= 0 )
break;

// the server needs to wait and poll till events are ready
if ( is_server )
{
if ( poll && poll_debug_events && irs_ready(irs, 0) == 0 )
{
code = poll_events(TIMEOUT);
if ( code != 0 )
break;
continue;
}
}
code = irs_recv(irs, ptr, left, is_server ? -1 : RECV_TIMEOUT_PERIOD);
if ( code <= 0 )
{
code = irs_error(irs);
if ( code == 0 )
{
code = -1; // anything but not success
}
else
{
network_error_code = code;
dmsg("irs_recv: %s\n", winerr(uint32(code)));
}
break;
}
left -= (uint32)code;
// visual studio 64 does not like simple
// (char*)ptr += code;
char *p2 = (char *)ptr;
p2 += code;
ptr = p2;
}
return code;
}
...
irs_recv has a timeout value as the last parameter:
ssize_t irs_recv(idarpc_stream_t *irs, void *buf, size_t n, int timeout);

RECV_TIMEOUT_PERIOD has an expected default of 10000 milliseconds.

It looks like, if I could increase this timeout value, say to -1 for infinity or something pretty big, I could get by this error (assuming it's RPC-related).

The question is how to do that so it affects IDA itself?
Can I override the value with some environment variable or some registry tcp/ip setting, or do I have to find and fix it in some of IDA's dlls?

I raised HKLM\Software\Policies\Microsoft\Windows NT\RPC\MinimumConnectionTimeout DWORD to 1c20 (7200 secs = 120 minutes)
and lowered HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\KeepAliveTime DWORD to 493e0 (300000 mils) (5 minutes)
but it made no difference.
(That might be because the keepalive setting is ignored by the system unless it's explicitly set up at a higher level than tcpip).

Any suggestions for a solution?
zadow
Junior Member
Posts: 10
Joined: Mon Feb 03, 2014 3:58 pm

Post by zadow »

i got the same errors about an year ago. not spesific irs_recieve but debug rights.
i would do Run > WF.msc
new rule
both inbound/outbound port spesific 23946.to be sure you get free acces for the port.
You could use just in time debugger also within ida.
roocoon
Member
Posts: 58
Joined: Sun Apr 20, 2003 11:48 am

Post by roocoon »

zadow wrote:i got the same errors about an year ago. not spesific irs_recieve but debug rights.
i would do Run > WF.msc
new rule
both inbound/outbound port spesific 23946.to be sure you get free acces for the port.
You could use just in time debugger also within ida.
I have this already (I use Comodo and have the Windows firewall off) and had also uninstalled the firewall to try.
No luck.

In any case, it happens only with a specific set of programs. No problems with other x64 applications so it can't be the port or some IDA restriction.

I'll try the JIT approach though I think I had tried it a few months ago.

Thanks.
zadow
Junior Member
Posts: 10
Joined: Mon Feb 03, 2014 3:58 pm

Post by zadow »

okay
You can try the remote version 1.15 http://filemare.com/en-no/browse/89.161.129.196 for ida pro 6.2/6.3/6.4 :)
i see that there was a russian that had same error with remote gdb, but recompiling the armlinux_stub.plw helped him.
IDA use for developing and debugging native code on android.
Detect problems when debugging Android.

Debugger does not connect. While another 2 days ago everything was ok.

Here Kartika from adb shell:
# / Data / tmp-p5000
/ Data / tmp-p5000
IDA Android 32-bit remote debug server (ST) v1.14. Hex-Rays (c) 2004-2011
Listening on port # 5000 ...
================================================== =======
[1] Accepting connection from 10.0.2.2 ...
Could not establish the connection
================================================== =======
[2] Accepting connection from 10.0.2.2 ...
Could not establish the connection

Here is what the IDA:
irs_recv: The wait operation timed out.
Command "ProcessAttach" failed
Command "ProcessAttach" failed

When this is done naturally redir (redir add tcp: 5000:5000) and telnet localhost 5000 works perfectly.

Recreate the emulator, made even rollback Windows on the date when everything worked, nothing helps.
gdbserver debugger connects fine, but you can not put bryakpoynty.

I do not understand what's wrong. 6 hours spent trying to understand and shamans. Who says that?

-------------------------------------------------- ---------------------
I answer myself:
All repaired. Perekompilit armlinux_stub.plw and was all ok.
The problem is that the localhost IP and had two of the first connection was impossible to vstoromu as possible.
A rpc_engine_t :: network_error_code reset to 0 only on the plugin is loaded. Inserted at the beginning of a connection reset and all was chudesnenko, polosatenkie and raspberry.
http://translate.google.com/translate?h ... &sandbox=1
roocoon
Member
Posts: 58
Joined: Sun Apr 20, 2003 11:48 am

Post by roocoon »

I found a few cases having to do with Android debugging. I tried similar fixes (resigning some IDA modules) but they never really fixed it.

I'll try the 1.15 remote and see what happens. Hopefully it will work properly with the IDA 6.1 I use.
roocoon
Member
Posts: 58
Joined: Sun Apr 20, 2003 11:48 am

Post by roocoon »

Too bad. The 1.15 remote is incompatible with IDA 6.1.
zadow
Junior Member
Posts: 10
Joined: Mon Feb 03, 2014 3:58 pm

Post by zadow »

Yes it have a different protocoll. It works with the demo.well all debuggets from 6.1 do.
I would still look again at the firewall policy. Turning fire wall off also comodo.
Isent the same as the firewall policy rule as i mentionede before.
roocoon
Member
Posts: 58
Joined: Sun Apr 20, 2003 11:48 am

Post by roocoon »

Some of them could work with the demos but not the x64 remotes.
The demos don't include the idaq64 as far as I know.

The firewall policies are OK. I've even uninstalled Comodo and tried but still time out.
In any case, if it was a firewall problem, it would be a problem for all 64-bit programs I trace and not just a few.

Those RPC problems are a headache.
zadow
Junior Member
Posts: 10
Joined: Mon Feb 03, 2014 3:58 pm

Post by zadow »

could it be the tcpip.cpp and tcpip.h


tcpip.h

Code: Select all

#  define SYSTEM_SPECIFIC_TIMEOUT_ERROR ETIME
#include "consts.h"

idarpc_stream_t *init_client_irs(const char *hostname, int port_number);
bool name_to_sockaddr(const char *name, ushort port, sockaddr_in *sa);
void term_client_irs(idarpc_stream_t *irs);
void term_server_irs(idarpc_stream_t *irs);
void setup_irs(idarpc_stream_t *irs);
int irs_ready(idarpc_stream_t *irs, int timeout_ms);
ssize_t irs_recv(idarpc_stream_t *irs, void *buf, size_t n, int timeout);
ssize_t irs_send(idarpc_stream_t *irs, const void *buf, size_t n);
void irs_term(idarpc_stream_t *irs);
bool init_irs_layer(void);
void NT_CDECL term_sockets(void);
int irs_error(idarpc_stream_t *);
bool irs_peername(idarpc_stream_t *irs, char *buf, size_t bufsize);
bool irs_getname(idarpc_stream_t *irs, char *buf, size_t bufsize);

#endif
and
tcpip.cpp set the time in milliseconds

Code: Select all

int irs_ready(idarpc_stream_t *irs, int timeout)
{
  static hit_counter_t *hc = NULL;
  if ( hc == NULL )
    hc = create_hit_counter("irs_ready");
  incrementer_t inc(*hc);

  SOCKET s = sock_from_irs(irs);
  int milliseconds = timeout;
  int seconds = milliseconds / 1000;
  milliseconds %= 1000;
  struct timeval tv = { seconds, milliseconds * 1000 };
  fd_set rd;
  FD_ZERO(&rd);
  FD_SET(s, &rd);
  int code = select(int(s+1),
         &rd, NULL,
         NULL,
         seconds != -1 ? &tv : NULL);
  if ( code == 0 )
    inc.failed();
  return code;
}

Code: Select all

ssize_t [size=134]irs_recv[/size](idarpc_stream_t *irs, void *buf, size_t n, int timeout)
{
  if ( timeout != -1 && !irs_ready(irs, timeout) )
  {
    SET_SYSTEM_SPECIFIC_ERRNO(SYSTEM_SPECIFIC_TIMEOUT_ERROR);
    return -1; // no data
  }
  return qrecv(sock_from_irs(irs), buf, (int)n);
}
defently looks like some sort off socket error you got there.

both files have your warning included.
It could be anything that causes this.
Other software/conflicting varibles path.
Have you tried on a clean user. Admin one.
roocoon
Member
Posts: 58
Joined: Sun Apr 20, 2003 11:48 am

Post by roocoon »

The rpc_engine code I posted higher up also refers to the error.
One of them, or something like them that is still hiding, is the cause, but how do you fix it even if you're sure?
It should be adjustable by some TCP/IP timeout setting but still I can't find the right one (and I changed quite a few).
That's why I tend to suspect some 3rd-party task with a hardcoded timer (like some license server's timeout).
I disabled all I could but nothing.
No help from wireshark, etc and the RPC trace tools didn't show anything useful (but I probably don't use them to their full capacity -- too obscure for me).

I am an Admin but I haven't tried with another clean profile. I'll try it later today.
Locked