View Full Version : SoftICE Symbol Retriever broken?


laola
June 20th, 2005, 09:32
Hi folks,

I know that not all people here like SoftICE but I'm just familiar with it etc
However, since around last MS patch day, the symbol retriever does not work anymore. All I get when trying to retrieve symbols is "Error - Download" as the file status.
Has anybody using SoftICE encountered such as well? I'm pretty pi**ed at the moment

And yes, I did a lot of googling but could not find anything about except for one post in a board at codingforums.com from someone with the same problem... But I'd need a remedy

No answer yet from the Numega tech support as well

Kayaker
June 20th, 2005, 10:14
Hi,

You're not seriously suggesting an MS patch might "break" or be incompatible with something are you? ;-) There was a recent discussion at rootkit.com on Symbol retrieving problems, some of it was about Windbg but I think there was mention of Sice also. I think scanning for mention of 'Windbg' in the recent thread titles should find the thread, it might be of some help.

I can't double check the thread because I'm at work and,... huh, guess what? "rootkit.com" is a blocked URL! (now why would a government agency consider that inappropriate browsing material? )

laola
June 20th, 2005, 10:26
Ah, I *knew* it Sorry for not being clear enough. I was rather thinking along the line that MS changed something about their symbol server or failed to put the proper symbols for the new versions of the files on the server (or the right place on the server). I'll cross-check with WinDbg tomorrow, I am too lazy to set up WinDbg now
But thanks for the pointer, although I know WinDbg uses the same symbol server, I didn't think of trying to retrieve symbols with WinDbg yet. *slaps hand on forehead*
I'll have a look at rootkit.com as suggested. Thanks again!

And answering your question: Because no government trusts its people

JMI
June 20th, 2005, 11:25
Certainly no "sensible" government trusts its people with a "rootkit" on the government's servers.

Regards,

laola
June 23rd, 2005, 14:08
Geez, got reply from Numega support today, they claimed that my version of symbol retriever (resp. the MS dll it uses) has issues with firewalls and sent me a new one to try.

Of course nothing changed and playing with the windows firewall didn't help either.

But at least they had another suggestion that finally helped me:
WinDbg comes with a tool called symchk which is capable of downloading all the necessary symbols, too. Even batch-controlled

So I downloaded all symbols with that tool, pointed Symbol retriever to that same directory for symbol downloads and Symbol Retriever found all the already downloaded symbols and translated them right away

...One Bluescreen later...

DARN IT! One of the recent updates must have manipulated my boot.ini. The previous /NoExecute=AlwaysOff was changed to /NoExecute=OptIn again.
After changing that and rebooting once more, SoftICE was operational again, finally!

(Took me quite some time to stumble across boot.ini... D'oh!)

Hope this helps some folks with the same problems

bilbo
July 11th, 2005, 06:44
Sorry, mates, to bring up an old thread...

but since this is (IMO) a very important resource and since I had exactly the same problem of laola I inspected the matter a little more...

The reason of the message "Error - Download" is simple...
Numega symbol retriever will try to download the PDB files at the link
http://msdl.microsoft.com/download/symbols/FILENAME.pdb/#################################/FILENAME.pdb
(where the 33-digit #'s are the guid (32 digits) + age (1 digit), which you can find in the debug Data Directory Entry of the file).

But the latest files are stored in compressed format at the link
http://msdl.microsoft.com/download/symbols/FILENAME.pdb/#################################/FILENAME.pd_
(with trailing underscore)

Download it with your preferred browser and "expand" to FILENAME.pdb ;-)

Best regards, bilbo
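
Added example (not part of bilbo's post, and not NuMega or Microsoft code): a Python sketch that derives both download paths described above from the CodeView "RSDS" record that the debug Data Directory Entry points to. The sample record is constructed to reproduce the RDPWD id quoted later in this thread, its build path is made up, and the age is appended in hexadecimal.

```python
import ntpath
import struct
import uuid

# URL prefix as quoted in the thread
BASE = "http://msdl.microsoft.com/download/symbols"


def parse_rsds(record: bytes):
    """Parse a CodeView 'RSDS' record into (guid_hex, age, pdb_name)."""
    # Layout: 'RSDS' | 16-byte GUID | 4-byte age (LE) | NUL-terminated PDB path
    if len(record) < 25 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    # The first three GUID fields are stored little-endian in the file
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.find(b"\x00", 24)
    if end == -1:
        raise ValueError("PDB path is not NUL-terminated")
    name = ntpath.basename(record[24:end].decode("utf-8", "replace"))
    if not name:
        raise ValueError("empty PDB file name")
    return guid.hex.upper(), age, name


def symbol_urls(record: bytes):
    """Return (uncompressed_url, compressed_url) for the PDB of this record."""
    guid_hex, age, name = parse_rsds(record)
    key = f"{guid_hex}{age:X}"           # 32 GUID digits followed by the age
    plain = f"{BASE}/{name}/{key}/{name}"
    packed = f"{BASE}/{name}/{key}/{name[:-1]}_"   # .pdb -> .pd_
    return plain, packed


# Constructed sample record: GUID and age chosen to match the RDPWD id
# shown in the thread; the build path is invented for illustration.
SAMPLE = (
    b"RSDS"
    + bytes.fromhex("73F671230B1A83489290F22CF2F6081B")
    + struct.pack("<I", 1)
    + b"d:\\build\\RDPWD.pdb\x00"
)

if __name__ == "__main__":
    for url in symbol_urls(SAMPLE):
        print(url)
```

A file fetched from the second URL is the compressed form and still has to be expanded to FILENAME.pdb, as described in the post above.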

5aLIVE
July 12th, 2005, 04:39
An interesting find indeed Bilbo, perhaps laola could contact Numega again to let the support team know of the problem and they may release a patch?

When I attempt to download symbols with the Retriever, I don't appear to get an error message, although it doesn't download the updated symbols.
Hmm. I'm using Symbol Retriever v1.0(DS) BTW.

5aLIVE.

laola
July 16th, 2005, 12:47
Thanks for the examination, bilbo. I'm forwarding this to Numega support, maybe they will be able to release a fix for the symbol retriever. As it has been mentioned numerous times meanwhile, Numega resp. Compuware seems to be going a bit downhill
At least there is a functioning workaround, and the WinDbg package does not cause any other trouble

wtbw
July 16th, 2005, 20:50
From Ryan Russell on the IDA Board:

Quote:

Code:

D:\disassemble>c:\wget\wget http://msdl.microsoft.com/download/symbols/RDPWD.pdb/2371F6731A0B48839290F22CF2F6081B1/RDPWD.pd_
--14:29:46-- http://msdl.microsoft.com/download/symbols/RDPWD.pdb/2371F6731A0B48839290F22CF2F6081B1/RDPWD.pd_
=> `RDPWD.pd_.1'
Resolving msdl.microsoft.com... done.
Connecting to msdl.microsoft.com[207.46.248.241]:80... connected.
HTTP request sent, awaiting response... 302 Redirect
Location: http://msdl.microsoft.com/download/symbols/error.htm [following]
--14:29:46-- http://msdl.microsoft.com/download/symbols/error.htm
=> `error.htm'
Connecting to msdl.microsoft.com[207.46.248.241]:80... connected.
HTTP request sent, awaiting response... 302 Redirect
Location: http://msdl.microsoft.com/download/symbols/error.htm [following]
http://msdl.microsoft.com/download/symbols/error.htm: Redirection cycle detected.

D:\disassemble>c:\wget\wget --user-agent="Microsoft-Symbol-Server/6.5.0003.7" http://msdl.microsoft.com/download/symbols/RDPWD.pdb/2371F6731A0B48839290F22CF2F6081B1/RDPWD.pd_
--14:29:55-- http://msdl.microsoft.com/download/symbols/RDPWD.pdb/2371F6731A0B48839290F22CF2F6081B1/RDPWD.pd_
=> `RDPWD.pd_.1'
Resolving msdl.microsoft.com... done.
Connecting to msdl.microsoft.com[207.46.248.241]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,852 [application/octet-stream]

100%[====================================>] 27,852 61.68K/s ETA 00:00

14:29:56 (61.68 KB/s) - `RDPWD.pd_.1' saved [27852/27852]

D:\disassemble>

Thanks Microsoft!

(In case it's too subtle in the above example, MS is now checking the user agent string to see if an "authorized" application is trying to download the symbol file)



Cheers,

Will

bilbo
July 18th, 2005, 01:52
Quote:
In case it's too subtle in the above example, MS is now checking the user agent string to see if an "authorized" application is trying to download the symbol file

that's correct, wtbw, but anyway NuMega Symbol Retriever is already camouflaging itself as Microsoft-Symbol-Server/6.1.0009.0 - in version 1.1 of Symbol Retriever - and that is OK for M$.

Best regards, bilbo

wtbw
July 18th, 2005, 01:54
Ah I see, didn't check that out

Cheers,

Will

user
July 30th, 2005, 09:38
Quote:
[Originally Posted by bilbo]NuMega Symbol Retriever is already camouflaging itself as Microsoft-Symbol-Server/6.1.0009.0
that's exactly what's no longer good, you need 6.4.0007.1, just hexedit symsrv.dll (the copy in symrtrvr.exe's directory) and SymbolRetriever will work again.

5aLIVE
July 30th, 2005, 10:39
@Bilbo Is Symbol Retriever 1.1 available as a separate download or is it only packaged with a later release of Driver Suite?

Thanks for any help.

5aLIVE

laola
July 30th, 2005, 12:31
Much easier: Just download the WinDbg package and replace all instances of symsrv.dll in the SoftICE folders with the one from the WinDbg package. Just tried it and it works like a charm. Note: There are multiple instances of the file in the SoftICE folders, at least one for the symbol retriever and another one (probably for softICE itself).
WinDbg is a free download from Microsoft, just feed Google with "Windbg download" and the first hit should be the right page at microsoft.com.

5aLIVE
July 30th, 2005, 13:00
Quote:
[Originally Posted by laola]Much easier: Just download the WinDbg package and replace all instances of symsrv.dll in the SoftICE folders with the one from the WinDbg package.


Thanks very much for this nifty solution I shall give it a shot.
I'm still interested in finding a source for Symbol Retriever 1.1, I'd like to try that too.

Kind regards,
5aLIVE.

laola
July 30th, 2005, 14:18
There is no such download on the Numega website, if it is available separately, you will have to contact their support guys I guess.
Although I don't see any need to have that 1.1 version - the vital functionality is already there in 1.0 and the faulty part is the very outdated symsrv.dll which can be replaced easily.

@Bilbo: Is there any difference in the functionality between 1.0 and 1.1?

disavowed
August 6th, 2005, 16:26
From http://www.datarescue.com/ubb/ultimatebb.php?/topic/1/901.html - "Well, we got a detailed explanation for the reasons behind this issue and, I have to mention it, great support from one of our long time IDA users and the expert on the topic. We'll probably keep that feature with an updated fetch mechanism in the next release."

Someone at Microsoft must have realized the problem and helped to get it fixed for the future