
References to ws2_32.dll not displaying labels


asm0
July 6th, 2006, 14:10
Hello all.

Firstly, I'm rather new to using OllyDbg, so please bear with me. My problem is fairly straightforward: I've been trying to track down references a program makes to ws2_32.dll. OllyDbg seems to do this rather well, but with one issue...Instead of showing the proper label, it will just give me names like ws2_32.#1 and ws2_32.#151. What I'd like is to be able to see things like ws2_32.connect or ws2_32.socket instead. Oddly enough, though, it properly displays the imported WSA components from ws2_32.dll. Anyway, if anyone knows how to resolve this, please let me know. Thanks.

naides
July 6th, 2006, 15:23
The problem is with your DLL.
If it was compiled without the function label information, Olly can only show the sequential number of the function, not the symbolic, human-intelligible one. The imported WSA components do have the symbols included in their export table, so Olly can read them and show them to you.

The solution: You need to download the debug symbol table for ws2_32.dll from the MSoft symbol repository, possibly using WinDbg. The file name would be ws2_32.pdb.
Then you need to tell Olly where to find the .pdb file, using the main menu bar item Debug->Select Path for Symbols -> {navigate to the .pdb}

LLXX
July 6th, 2006, 16:10
Actually, the program may be importing by ordinal instead of by name.

I have just checked the ws2_32.dll in both my 98se and XP Pro systems, and all the exports do indeed have names.

asm0
July 6th, 2006, 17:27
Quote:
[Originally Posted by naides]
The problem is with your DLL.
If it was compiled without the function label information, Olly can only show the sequential number of the function, not the symbolic, human-intelligible one. The imported WSA components do have the symbols included in their export table, so Olly can read them and show them to you.

The solution: You need to download the debug symbol table for ws2_32.dll from the MSoft symbol repository, possibly using WinDbg. The file name would be ws2_32.pdb.
Then you need to tell Olly where to find the .pdb file, using the main menu bar item Debug->Select Path for Symbols -> {navigate to the .pdb}


I tried this...Still no go...(I tried setting Olly's path to c:\windows\symbols (Default installation path) and c:\windows\symbols\dll (exactly where ws2_32.pdb is located))

I suppose I should mention that, when disassembling, IDA shows the names of the imported functions fine.

edit: I just realized that if I right click and view the call tree, it shows me the actual name, heh... Well, I can work with this, but for convenience's sake, is there a way I can get it to display that from the names window? Not as big of a problem if I can't, though.

Knight
July 7th, 2006, 01:23
Olly can resolve ordinal imports by using import libraries (Debug->Select import libraries). I checked and my VS has that lib (probably you rather need platform SDK than VS).
This feature is very helpful with MFC apps where all imports are by ordinal.

Regards,
Knight

blabberer
July 7th, 2006, 11:59
Quote:

I tried this...Still no go...(I tried setting Olly's path to c:\windows\symbols (Default installation path) and c:\windows\symbols\dll (exactly where ws2_32.pdb is located))





ollydbg has a little problem that it pushes only the ollydbg directory to SymSetSearchPath() after it calls SymInitialize with null

so effectively the _NT_SYMBOL_PATH doesn't reflect in its search path

there is a little patch you can apply to make it select the Default NT_SYMBOL_PATH

Names in ws2_32, item 30
Address=71AB406A
Section=.text
Type=Export (Known)
Name=connect


check out this thread here for details

http://www.woodmann.com/forum/showthread.php?t=8460

Nacho_dj
July 7th, 2006, 14:19
Hint: If you press CTRL+A (Analyse code) in OllyDbg, you get, besides ordinals, all the names of functions...

Cheers

Nacho_dj
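
The import-by-ordinal case raised by LLXX and Knight, as an added example that is not from any poster in the thread: it resolves an ordinal thunk to a name through the DLL's export directory and falls back to the `dll.#N` form when the ordinal has no name. The function names and both byte strings are constructed for illustration (flat images where RVA equals offset); the ordinals are not taken from a real ws2_32.dll.

```python
import struct

ORDINAL_FLAG32 = 0x80000000  # high bit of a 32-bit import thunk: import by ordinal

def cstr(image, rva):
    """Read a NUL-terminated ASCII string (RVA == offset in these flat samples)."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def export_names_by_ordinal(image, export_rva):
    """Walk an IMAGE_EXPORT_DIRECTORY and return {ordinal: name}."""
    base, _n_funcs, n_names, _funcs_rva, names_rva, ords_rva = struct.unpack_from(
        "<6I", image, export_rva + 16)  # fields from Base to AddressOfNameOrdinals
    names = {}
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", image, names_rva + 4 * i)
        (index,) = struct.unpack_from("<H", image, ords_rva + 2 * i)
        names[base + index] = cstr(image, name_rva)  # ordinal = Base + table index
    return names

def label_thunk(thunk, dll, names, importer=b""):
    """Label one import thunk; fall back to dll.#N when the ordinal has no name."""
    if thunk & ORDINAL_FLAG32:
        ordinal = thunk & 0xFFFF
        return "%s.%s" % (dll, names.get(ordinal, "#%d" % ordinal))
    # By-name import: thunk is the RVA of IMAGE_IMPORT_BY_NAME (WORD hint, then name).
    return "%s.%s" % (dll, cstr(importer, thunk + 2))

def build_sample_dll():
    """Constructed export data, not real ws2_32.dll contents or ordinals."""
    directory = struct.pack("<IIHHI6I", 0, 0, 0, 0, 0,
                            1, 3, 2,      # Base, NumberOfFunctions, NumberOfNames
                            40, 52, 60)   # RVAs of the three tables below
    funcs = struct.pack("<3I", 0x1000, 0x2000, 0x3000)  # ordinals 1, 2, 3
    name_ptrs = struct.pack("<2I", 64, 72)              # -> "connect", "socket"
    name_ords = struct.pack("<2H", 1, 2)                # indexes into funcs
    return directory + funcs + name_ptrs + name_ords + b"connect\0socket\0"

SAMPLE_DLL = build_sample_dll()
# Constructed importer data: 4 pad bytes, then hint=0 and the name at RVA 4.
SAMPLE_IMPORTER = b"\0" * 4 + struct.pack("<H", 0) + b"WSAStartup\0"

if __name__ == "__main__":
    names = export_names_by_ordinal(SAMPLE_DLL, 0)
    for thunk in (0x80000002, 0x80000003, 0x80000001, 0x00000004):
        print(hex(thunk), label_thunk(thunk, "ws2_32", names, SAMPLE_IMPORTER))
```

An ordinal thunk carries no name of its own, so a tool can only print a name for it if it has the exporting DLL's name table (or an import library) to look the ordinal up in.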