
Thread: How to use OS symbol files in OllyDbg?

  1. #16
    Quote Originally Posted by blabberer View Post
    to remove crc errors analyze all modules that got their pdbs loaded and reload alt+e -> right click -> analyze all modules then ctrl+n
    That's great. Thank you.

    Quote Originally Posted by blabberer View Post
    when using loadpdb do you have internet connected ? is user32.pdb available in c:\symsrv
    The answer is yes to both those questions.


    Quote Originally Posted by blabberer View Post
    try using loadpdb on an unpatched ollydbg in a newly unzipped folder with just that commandline plugin with a maybe temporary _nt_sym_path (use dosbox and fire ollydbg from within that dosbox)
    Okay, will do. I'll report back my findings.

    Quote Originally Posted by blabberer View Post
    the plugin should connect to ms server and fetch the pdb and then apply the names
    That's what I thought. But since my firewall didn't notify me I don't think it made any outgoing requests.

    Quote Originally Posted by blabberer View Post
    btw what os ? (iirc the plugin isn't tested in newer os like vizzzta and w2k8 or win7 )
    I'm using good old XP with SP3 plus all other updates.

  2. #17
    Could you please tell me what "Actualize" does? It doesn't appear to do anything to my untrained eye. I've wondered about this a few times and never seemed to remember to ask.

    Thank you.

  3. #18
    actualize refreshes stale data to latest data in windows ( many windows do contain stale data at some point and actualizing it shows you the current data )

    look at executable window after a loadlib you will see red entries turning to gray after actualize

    look at windows window when you break on some window message etc etc

    btw create new thread for new subject matter

  4. #19
    I created a fresh copy of Olly and copied across the modified plug-in and symsrv.dll and dbghelp.dll files.

    I opened a DOS box and set _NT_SYMBOLS = C:\Symbols*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS

    The important thing to note in the above string is that the Symbols folder is an empty folder I just created. The previous Symserver folder already contained all the downloaded symbols using the SymGet tool which explains why nothing was downloaded before.

    The loadpdb command now downloads symbols on request. The new .pdb files can be viewed in the C:\symbols folder. I'm still not sure if any additional symbols have been added to the test.exe disassembly listing. I'll try to confirm this.

    The log file still displays in red ink:
    Code:
               35 C:\SYMBOLS*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS
               dbghelp dll loaded and address retrieved
    Is the red ink significant as I would have taken this to be an error or a warning?

    I'll copy over the patched Ollydbg.exe and see if it automates the process of symbol retrieval and report back.

    Quote Originally Posted by blabberer
    actualize refreshes stale data to latest data in windows ( many windows do contain stale data at some point and actualizing it shows you the current data )

    look at executable window after a loadlib you will see red entries turning to gray after actualize

    look at windows window when you break on some window message etc etc
    Gotcha! The name "actualize" doesn't give much away nor did the help file. Thank you.

    Quote Originally Posted by blabberer
    btw create new thread for new subject matter
    Sorry about that.
    Last edited by 5aLIVE; April 24th, 2009 at 03:03.
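    As an added illustration (not code from this thread or from the OllyDbg plugin) of what the loadpdb/symsrv lookup above has to do: the PDB is located from the RSDS record in the module's debug directory, and the cache path and download URL are built from the symbol path. The RSDS record and the GUID in it are constructed sample data; the symbol path is the one from the post.

```python
import struct
import uuid
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed sample input (not from a real binary): an RSDS CodeView record
# as found in a PE debug directory, plus the symbol path used in the thread.
SAMPLE_RSDS = (b"RSDS"
               + uuid.UUID("12345678-1234-5678-9abc-def012345678").bytes_le
               + struct.pack("<I", 2)              # PDB age
               + b"C:\\build\\user32.pdb\0")       # original PDB path
SAMPLE_SYM_PATH = r"C:\Symbols*HTTP://MSDL.MICROSOFT.COM/DOWNLOAD/SYMBOLS"


def parse_symbol_path(sym_path: str) -> List[Tuple[List[str], str]]:
    """Split a symbol path into (cache dirs, server URL) per ';' element.
    Accepts 'srv*C:\\Symbols*https://...' and the bare 'C:\\Symbols*HTTP://...'."""
    elements = []
    for element in filter(None, sym_path.split(";")):
        parts = element.split("*")
        if parts[0].lower() in ("srv", "symsrv"):
            parts = parts[1:]
        server = ""
        if parts and parts[-1].lower().startswith(("http://", "https://")):
            server = parts.pop()
        elements.append(([p for p in parts if p], server))
    return elements


def parse_rsds(record: bytes) -> Tuple[str, int, str]:
    """Decode an RSDS record into (GUID hex without dashes, age, pdb name)."""
    if record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])        # GUID is stored little-endian
    (age,) = struct.unpack_from("<I", record, 20)
    pdb_path = record[24:].split(b"\0", 1)[0].decode("ascii")
    return str(guid).replace("-", "").upper(), age, PureWindowsPath(pdb_path).name


def symbol_locations(record: bytes, sym_path: str) -> List[Tuple[str, str]]:
    """Return the (local cache file, download URL) pairs a symbol client tries."""
    guid, age, pdb = parse_rsds(record)
    rel = f"{pdb}/{guid}{age:X}/{pdb}"             # <name>/<GUID><age>/<name>
    out = []
    for caches, server in parse_symbol_path(sym_path):
        url = f"{server.rstrip('/')}/{rel}" if server else ""
        for cache in caches:
            out.append((str(PureWindowsPath(cache, *rel.split("/"))), url))
    return out
```

    Because the lookup key is the module's own GUID and age, a module whose build does not match anything on the server simply gets no PDB, which is what an empty cache directory after loadpdb means.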

  5. #20
    I copied the patched olly over to the fresh install and loaded the test.exe. Sure enough Olly will automatically connect to the symbol server.
    However it gets stuck at :
    Code:
    Log data, item 9
     Address=10000000
     Message=Module D:\Program Files\Agnitum\Outpost Firewall\wl_hook.dll
    I've tried disabling the firewall and restarting Olly only to see the same thing. Any idea how I could resolve this please?
    Hmm. After a few attempts it seems to be stopping at random system DLLs. I tried it once more and it didn't lock up.
    It also downloaded the symbols automatically. I'm not sure what the problem was before but it now appears to work.

    Now to confirm that the test.exe has the additional symbols in the disassembly listing...
    Well, it does work, I used win.exe in Iczelion's tut #3 like you and it shows a lot more symbol names than before which is great.

    Thinking about it, I'm just not sure this additional symbol information will enhance my debugging experience when debugging an exe without source or symbols. Would I be right in saying that this additional symbol information would only be of value to guys like Kayaker and Matt Pietrek for example who like to see how the internals of the OS libraries and program work?

    I loaded notepad.exe into Olly and could see the benefits almost immediately, for example:
    01004441 |> E8 052A0000 CALL notepad.01006E4B ; \notepad.01006E4B
    Becomes:
    01004441 |> E8 052A0000 CALL notepad.PrintIt ; \PrintIt

    or :
    01004570 |. A1 04960001 MOV EAX,DWORD PTR DS:[1009604]
    Becomes:
    01004570 |. A1 04960001 MOV EAX,DWORD PTR DS:[__security_cookie]

    I think it must be down to my choice of the test binary I used, i.e., it just doesn't happen to use any functions which correspond to the new loaded symbol names.

    Even if that is the case, it was a good exercise and I learned something into the bargain.
    Last edited by 5aLIVE; April 24th, 2009 at 10:45.

  6. #21
    Quote Originally Posted by blabberer View Post
    to remove crc errors analyze all modules that got their pdbs loaded and reload alt+e -> right click -> analyze all modules then ctrl+n
    This removes the CRC error for the majority of system files with the exception of ole32.dll, kernel32.dll, ntdll.dll, and user32.dll.

    Why should these errors still remain? Could it be down to Microsoft not providing the most up to date symbols for these files or is it perhaps something else?

    Thanks 5aLIVE.

  7. #22
    All symbols are loading without CRCs now.
