Resently i came to the problem with 'Symbol Retriever' tool wich as you guess doesn't work on my PC (WinXP Pro SP2).

I'm tring now to download needed PDB-files manually. For that porpose i use 'trashbin' (http://www27.brinkster.com/sparksite/work/trashbin/trashbin.htm).

For example:

i've copied 'ntoskrnl.exe' from %Windows%/system32/ to c:/temp. Then downloaded 'trashbin' from http://www27.brinkster.com/sparksite/work/trashbin/trashbin.htm and put it in the same dir. Then in the shell...

c:\temp\trashbin ntoskrnl.exe /coff /pe

Then looking for strings 'TimeDataStamp = 1050016239' and 'SizeOfImage = 0x1d6e80'.

Then put these HEX data to MSDL link by formula:

http://msdl.microsoft.com/download/symbols/ntoskrnl.dbg/{TimeDataStamp}{SizeOfImage}/ntoskrnl.db_

and get

http://msdl.microsoft.com/download/symbols/ntoskrnl.dbg/3E95F9EF1D6E80/ntoskrnl.db_

Try to d/l ntoskrnl.db_ by this link and ..... YES! - nothing. this makes me fill sad. Oh, guys, what you can do to get SoftIce work properly breaking up on WinMain etc...

Looking back for your comments....

BTW, to extract file from *.db_ we use this windows tool 'c:\temp\expand ntoskrnl.db_ ntoskrnl.dbg'.... So, this way we get 'ntoskrnl.dbg'. By similar scheme we would get 'ntoskrnl.pdb'.

NOTE: I use in my 'research' ntoskrnl.dll v5.1.2600.1024 (xpsp2.030410-1604)

from your other posts, I'm guessing you want to load those symbols into softice.

did you try SoftIce's tools, the SymbolRetriever? symrtrvr.exe. Yes? why isn't it working? is it setup properly?

I don't see why you want to go through that trouble of manually downloading symbols when a ready-made, fully working tool exists, and will even translate it to .nms.


I've never had to use that feature of softice, there are tons of other ways to get the _same_ thing done.

--
btw: this is a newbie question.

SymbolRetriever Status - Error Download. Tried 100 times, but get the same Error message.

Yes, I agree with you, WinMain break doesn't matter 100% true... BUT, tried hundreds of API functions and nothing breaks. TRY to explore TradeStation 8.0 (tradestation.com).....

Yes. SymbolRetriever shouldn't be installed there no setup procedure. It works like independend API.



Ok. This is an easy question for you rite? Then tell me how to download PDB-files from Microsoft without SymbolRetriever and WinXP Licens?

you could try downloading and installing the full symbol package, and then
set paths in symbol retriever to reflect your changes(ie get symbols locally),

hXXp://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx

sorry, but I own the license for my windows version - I guess I can't help you on that side. (normally you get a support CD or a /SUPPORT dir on the beta CD)

But if you were one bit serious you would try to understand why the symbol retriever doesn't work.

Did you try with a non-beta file?
Does the symbol retriever work under other situations?
Could it be that you are using a beta which does __not__ have public symbols available? (as a registration is required on beta.microsoft.com)

I'm sorry, but your little provocative statements won't get you the spoon-feed answers that you are waiting for.
And this isn't tech support hotline - we don't owe you answers.

--
@arz: Only symbols for XP Sp1 are there. and if a windowsUpdate changed some of your system files, their symbols are no-longer valid.

@doug: k thnx for the info..., just grabbed the addr from 'favs' and didnt bother
checking...

try to down ntoskrnl.exe,
never seen ntoskrnl.dll

Yep, you've confirmed my anxiety - SoftICE doesn't work with symbols library in WinXP Pro SP2 (v1204), that's the derivation. I'm using now 'break & exit' API to get SI break on WinMain. Thanks for flame in my sirious topic

Well, I haven't got much sympathy for complaints about a pirated OS either... but for others interested...

What I do is use Nmsym to translate the symbols to NMS using a .bat file. I just stick all the files needed into a new folder, but you can specify individual paths in the batch file if you want.

Take the 2 files nmsym.exe and nmtrans.dll from the Softice directory and put them into a folder. Then take each of the system dll/exe/drv/ocx... files you want translated, along with their respective .DBG and .PDB symbol files and stick them in the same directory.

Then create a batch file in this directory with a line for each symbol to translate, such as:

------------------
@echo off

nmsym.exe /TRANSLATE:source,package,always /SOURCE:. kernel32.dll
nmsym.exe /TRANSLATE:source,package,always /SOURCE:. user32.dll
nmsym.exe /TRANSLATE:source,package,always /SOURCE:. ntoskrnl.exe
nmsym.exe /TRANSLATE:source,package,always /SOURCE:. hal.dll
nmsym.exe /TRANSLATE:source,package,always /SOURCE:. ntdll.dll
nmsym.exe /TRANSLATE:source,package,always /SOURCE:. advapi32.dll
------------------

Run the .bat file and you should have .NMS files for each system file. Now under the Softice Initialization/ Symbols settings you can point to this directory and have the .NMS files loaded during startup.

Also, this method is great when you are debugging with softice your own applications.

(I've had all sorts of problems with MS VS6's integrated debugger when debugging 'complex' multithreaded apps or client/server apps.)

using the same method shown by Kayaker, I build an .NMS for softice which contains source & symbol information for my project. 'SRC' command to switch between disassembly and source-mode. This is also possible from the Symbol Loader, but I find the batch file method a lot faster than creating a workspace in the symloader (and manually refreshing the symbols)

You need the symbols for ntoskrnl32.exe. AND you have to add the line "NTSYMBOLS=ON" in SoftICE's configuration, or it WONT work. A simple search would have given you this.

-nt20

Navy,

the inquiry to Microsoft Symbol Server has changed with files compiled on Visual Studio 7 (that's the case of XP NTOSKRNL.EXE).
The new format is:
http://msdl.microsoft.com/download/symbols/ntoskrnl.pdb/<...>/ntoskrnl.pd_
where <...> is <GUID><AGE>

GUID are 32 digits univoque id,
AGE is one byte denoting the linking level

Both are found inside the Debug Direcory Entry.
You can find those 32+1 bytes inside the executable, immediately after signature "RSDS".
But be careful about the GUID bytes ordering for the first 8 bytes!
E.g. 9C C7 5E C9.FB FB.20 42.AF 2B 6E 9D 09 55 1A 1F becomes
C9 5E C7 9C.FB FB.42 20.AF 2B 6E 9D 09 55 1A 1F without spaces/dots.

Cheers! Bilbo.

Thanks bilbo! This is the most usefull advise, i'll try to get pdb-s this way. Anyway, just already cracked TradeStation8 without symbols help.... Congratulations! mine oh mine!

I agree, even if I am not a cracker... A single crack makes feel you so mighty...
Anyway symbols, for M$ cracks, help a lot!
Go on this way! Bilbo.

Yep, you so understand me BTW, i used 'GetWindowTextA' break & Softaica breaks on this API function only when i add 'BPINT3' break point. Is that normal? Or should i reconfigure my SI?

Don't understand how to do that, too advansed for me... Could you please give me some chief steps how to extract GUID and AGA from ntoskrnl.exe.

a) open NTOSKRNL.EXE with an hex editor (e.g. Hex Workshop)
b) look for the string "RSDS": there is only one occurrence (in XP-SP1 I find it at offset 6BAC)
c) write down the 16+1 bytes following that string: in my case
9C C7 5E C9 FB FB 20 42 AF 2B 6E 9D 09 55 1A 1F 02
d) sort the GUID with the following algoritm:
a0 a1 a2 a3 b0 b1 b2 b3 c0 c1 d0 d1 e0 e1 e2 e3 e4 e5 ->
a3 a2 a1 a0 b3 b2 b1 b0 c1 c0 d1 d0 e0 e1 e2 e3 e4 e5
(so, the e... bytes are not re-sorted) in my case:
C9 5E C7 9C FB FB 42 20 AF 2B 6E 9D 09 55 1A 1F
e) remove the spaces and add a trailing character for the AGE (in my case 02, so add '2'). The final string, in my case, will be
"C95EC79CFBFB4220AF2B6E9D09551A1F2"
f) prepend http://...../, append ntoskrnl.pd_, and download it
g) expand *.pd_ to *.pdb
h) if you want to use it with SoftIce, convert *.pdb to *.nms using NMSYM.EXE

By the way, Symbol Retriever which comes with DS 3.1 is working for me...

Cheers, Bilbo

Thanks for explonations. What i did wrong? Look at the screenshot.

These are bytes from the ntoskrnl.exe:
88 57 0C B7 DE E3 DB 44 A5 65 A4 0B B6 80 36 CC 01

Now i sort bytes with your algoritm:
B7 0C 57 88 44 DB E3 DE 65 A5 0B A4 B6 80 36 CC 01

And get the link:
http://msdl.microsoft.com/download/symbols/ntoskrnl.pdb/B70C578844DBE3DE65A50BA4B68036CC1/ntoskrnl.pd_

Nope.

Yes, I have tried your link and it does not work, even if it was formed correctly.
You can try my link and it must work!

h..p://msdl.microsoft.com/download/symbols/ntoskrnl.pdb/C95EC79CFBFB4220AF2B6E9D09551A1F2/ntoskrnl.pd_

The only plausible explanation is that they have not put symbols on their server, because XP2 is yet in beta phase.
Sorry! Bilbo.

which brings us back to the fact that
(i) he isn't a registered XP customer
(ii) he isn't a registered XP Beta customer

I think there should be another link for WinXP SP2 (beta) symbols... I can download symbols for SP1 and it's not require customer/serial number or whatever.. maybe something like that:
http://msdl.microsoft.com/download/beta/symbols/ntoskrnl.pdb/C95EC79CFBFB4220AF2B6E9D09551A1F2/ntoskrnl.pd_
P.S.: Guys, you think negatively about me because of this customer shit. But let me explain you, I live in Russia and here nobody buys licensed software ok, maybe just few peoples and above average corporations. This reality! I’m not proud of this at all. The only reason for this - is cost, and not because we bad guys, not Christians, slow-witted etc.. For example, would you buy WinXP if it costs you $2500? Yes, perhaps you will, but what about majority average Americans?

The reason why I mentionned the license stuff is nothing personnal against you, it's just that (correct me if I'm wrong), you need a special registration/access level to get anything off beta.microsoft.com (incl. XP SP2beta).

We can all download XP SP1 (and its symbols) off the net, because it's no longer tagged as a beta. XP SP2 on the otherhand, is considered a private beta (even if it was leaked on the net instantly), therefore anything related to it will require some level of authorization. From what I could see, MS uses their Passport + some beta user ID..

And since it appears that the SP2 beta was put on the net without the corresponding symbols.
There's nothing you can do unless:
1) You obtain access to microsoft's beta website
2) someone who has access to the website leaks both the ServicePack and its corresponding symbols.