View Full Version : EDB Linux Debugger 0.9.0 Release :)

June 24th, 2008, 13:44
0.9.0 released, change log is very long, and this is the first version to support x86-64! Now that the big move to supporting both x86 and x86-64 (compile time decision) is done. I hope to get back into a faster release cycle.

Hope you all enjoy!:


* Fixed a bug in the hardware breakpoint manager plugin which didn't allow
disabling of the last breakpoint.

* Extended the maximum size that OpcodeSearcher will consider from 4 bytes to
8 bytes, which yields some more options.

* Finished changing OpcodeSearcher plugin to use edisassm, it should be a lot more
robust now. Forutnately, edisassm is pretty fast, so the performance impact isn't too

* Most dialogs use QT 4.2.x's QDialogButtonBox's now which should give a better
look on non-KDE platforms.


* Fixed a bug in DebuggerCore involving hardware debug registers in 64-bit mode.
this fix allows hardware breakpoints to work in 64-bit builds.

* Changed OpcodeSearcher plugin to use edisassm when searching instead of hard
coded values. This allows the code to be more easily ported to new archs such
as x86-64.


* Fixed minor bug with selections in QHexWidgets when selecting outside of the
viewable range. There was an underflow, which was cast to an unsigned type
causing some upward selections to select from start to the end of the range.

* More improvements in 64-bit support. The ArchProcessor for x86-64 is now
aware of the amd64 C calling convention and will now properly predict function
arguments for when symbols are available.


* Hardware breakpoints are much more complete, supporting Write, Read/Write,
and Execute types of 1, 2, and 4 bytes sizes.


* edisassm 1.5.2 released, mostely making the code more standards compliant to
ensure that the code will compile on newer versions of g++.
tested with 4.2.3 on Ubuntu.


* edisassm 1.5.1 released with some minor bug fixes

* Corrected some bugs in edb under x86-64 involving the analysis engine.


* edisassm 1.5.0 released with EMT64 support! A lot of time was put into
verifying the instruction tables to ensure that disassembly woudl be accurate.

* A couple of minor bug fixes were done in EDB.

* Added patches to clean up build on ubuntu systems.


* Added LOTs of SSE4 ops to edissasm, updated a bunch of the tables.


* edisassm now can handle RIP relative addressing mode. I also fixed some decode
ordering issues that were introduced when 64-bit mode was being added. The
only piece left is the tweaking of the instruction tables to match what was
added/removed/changed for 64-bit mode!


* edisassm now can disassemble 64-bit code partially correct. It does not yet
support RIP relative modes and does not take into account changes in the
opcode map (new and removed opcodes). Soon edb will have full 64-bit support!


* Made a large effort to port edisassm to 64-bit The most visible change
is that is makes much larger use of templates. Instruction and Operand now
take a template param (32 and 64 are valid). which can be used like this:
Instruction<32> insn(buf, size); or you can use edb::Instruction which will be
be typedefed to the appropriate type based on your build environment. Because
of the massive ammount of templating needed to implement this, it is possible
that older compilers will have trouble with it. I will test which compilers
are expected to work.


* Renamed REG_NONE to REG_NULL to avoid a conflict with windows headers.

* Got edisassm compile on win32 for the first time


* Improved some of the function finder code, I am planning on moving this to a
more central analysis system.


* Fixed some incorrect bit setting in HW breakpoint code.


* Improved the HW breakpoint code. It will now show the enabled state based on
what the application is actually in. So if you do something like reset the
application, then the HW breakpoints will show as disabled (because they are).

* Some general code optimizations.


* First code for hardware breakpoints is in, edb can now set a hardware bp
and resume from it, next is setting the proper type of bp (read/write/execute)
as needed and also making the dialog show correctly even when application
has been terminated or restarted.


* Simplified some signal code in QHexView and Bookmarks plugin.

* Started some very preliminary work on the hardware breakpoint plugin. So far
I have the GUI planned out for it. It will likely require that the plugin
hook the debug event system in order to enable resuming after hitting the BP.
This is ok though since there is an infrastructure in place for that .


* Improved handling of breakpoints which aren't caused by int3 bytes placed by
edb. for example: "int 3" (which encodes as 0xcd 0x03) is now handeled more

* Preliminary code for hardware breakpoints is in place, the DebuggerCore is now
able to get/set the debug registers on intel. The only real hurdle left is
continuing after it is hit. This will need a similar system to software


* Made some changes to help with portability.

* Made edisassm use std::ifstream instead of mmap.


* Simplified the expression code a bit by factoring down common code a bit. This
results in a slightly larger binary, but smaller source (due to small function
inlining). I think this is fine since the code is more managable.

* Fixed expressions handling of the XOR operator "^". It was not properly

* Moved the known function table to a plugin. It isn't super efficient quite yet
but works well.


* Made the columns in the disassembly view movable when mouse is 2 or less
pixels away from from the line, not just exact match. This should make it an
easier target.


* Made DebuggerCore::readPages account for breakpoints in its results.

* Fixed a bug where reads/writes could return success when they couldn't read
this resulted. Fortunately this really didn't effect the result of any


* applied patch from elitak@gmail.com to plugins.pri to help avoid build errors
on certain configuration.


* updates QT dependancy to be for version 4.2 or greater. There are a few
features of QT that I have held off from using or have worked around in the
past. The next version (0.9.0) will no longer compile on versions lower than


* Fixed more bugs in edisassm, it was some SSE opcodes where Intel docs claimed
both operands have be Mod/RM, in which case I have no idea what the proper
thing to do is. So, it is now in sync with what sandpile.org says, which
matches other disassemblers output. I have also added a regression test for

* You can now see symbols in the disassembler view if you move the left most
line right. By default it will look as usual. But in a very similar way to
ollydbg, you can now see known symbols next to addresses.

* Improved function finder plugin. It will now give "bonus points" to functions
which have known symbols.


* Fixed a harmless crash when EDB failed to load the debugger core plugin. This
was introduced in the last release .


* For builds on QT >= 4.3, you can now give a tab a label but right clicking
on it.

* Made the QHexView and QDisassembly widgets use the system palette colors.
This will make it so EDB will match the prefered colour scheme of the user.




June 24th, 2008, 14:52

June 24th, 2008, 16:06
Thanks to whomever updated the CRCETL entry also.


June 25th, 2008, 23:42

June 26th, 2008, 04:07
I 'll try to debug some elf.

July 28th, 2008, 10:17
0.9.1 released, code analysis was the focus of this release (along with fixing a crashable bug )

Hope you all enjoy!:


* Made analysis slightly faster by factoring out some no longer needed code.

* Simplified some code in the QDisassembler widget. Instead of passing an
instruction, its buffer and its size, you can now just pass the instruction
since it has references to the buffer and its size anyway.

* Made the analyzer aware of using zeros as padding between functions. This will
make the display more correct if displaying analyzed code.


* Added "Follow Immediate in Dump" and "Follow Immediate in Stack" CPU context
menus. They act similarly to the generic "Follow" CPU context menu.

* Improved analysis speed.

* Improved analysis quality, a few more types of common optimizations are


* Added a "Follow" item to the CPU context menu. Basically, if you right click
on either a JMP or CALL which has an operand which can be evaluated, then
there will be a "Follow" menu item that will scroll the CPU view to that


* Removed some code which was implemented to work around QT 4.0.x bugs since
4.2 is now a base requirement.

* Added some atomic-ness for pointer manipulations.

* Renamed some settings in configuration file to make them more consistent with
new convention.

* Fixed a integer underflow crash involving trying to select an address beyond
the end of a region. Which was causing a negative size to be passed to the
"edb::v1::getInstructionBytes" function. Q_ASSERTS were added to catch this
in the future if a similar bug is present elsewhere.

* Fixed a minor bug where tooltips would show data outside of the current
region if there is an adjacent region sometimes.

* Now attaching to a new process or opening a new program to debug will
invalidate any analysis that has been done. Eventually, the analysis will be
stored in session files so that it can be reused. But not yet .


* more minor improvements to the analysis engine.

* Fixed a corner case in the disassembler where it would misformat things like
"and eax, 0xffff" as "and eax, -1" due to a mis-optimization.


* Improved the analysis engine to be slightly more accurate.

* Added graphical indication of function bounds based on analysis results.

* You can now scroll the QHexView widgets by individual bytes by pressing up
or down while holding the control key.


* Centralized analysis engine and provided it with a plugin. The FunctionFinder
plugin is now just an interface towards it. Ctrl+A will analyze the current
region (though nothing is done with the results yet). I am hoping to have
function framing and scrolling by instructions.

* Added a "set EIP to selected instruction" to CPU context menu.

* Improved hueristic for analyzer. It will now more accurately identify certain
types of functions.




July 29th, 2008, 20:31
nice tool, btw i saw ur website and i thought...

proxy + pancake ( http://radare.nopcode.org ("http://radare.nopcode.org") ) = no good?

and... wow, making an OS, RPG Engine, a Debugger, libraries...

L.Spiro 2

rly nice, keep going

July 30th, 2008, 10:55
yea, me and pancake have had some discussions. We both agree that there is probably some really cool stuff that we could do together. But it has yet to materialize. (We do have somewhat different development preferences, which may slow things down).

But I do think that I'd like to have some of his input on certain things since he has done such wonderful work with radare.

And yea, I tend to keep myself busy with projects .

Finally, just a heads up, but there will be a bug fix release very soon. One of my latest optimizations revealed an error in some code which can possibly lead to a read based segfault . Even worse, I noticed that the last two releases don't save all settings to the config file (some, but not all), fortunately the defaults are quite useable. I believe I have it all ironed out.

Of course there will be some new features as well .


July 30th, 2008, 12:04
Thanks proxy for keeping our readers updated and for working on these projects where there is an insufficient supply of available solutions and RCE tools. We appreciate the effort and the contributions.


July 31st, 2008, 12:08
0.9.2 released, this is primarily a bug fix release:


* Since the config file was partially broken, I am taking this opportunity to
finish reworking the naming convention for settings. Some settings will
unfortunately be lost. But odds are they were being dropped anyway .

* WOW, I just noticed that for a long time (2-3 versions) options were not being
actually saved. Fixed.

* Seems that my QDisassemblyView optimization revealed an off by one error in
the DebuggerCore which unfortunately was also crashable . But I believe
that the logic is correct now. I've added a few more asserts to help avoid
this type of bug in the future.




August 8th, 2008, 17:37
One more bug fix release and I think all is well


* Ouch, another bug fix. At least this time it was a failed assert. Basically
During my last fix, I forgot that reads can and will fail if done while the
debugee is running. I have added code to special case this and handle it more
correctly. (Which is of course how it used to act in the first place).


* made plugins.pri smarter with library location. For 64-bit builds it will
default to $prefix/lib64/edb/




August 13th, 2008, 03:18
This time it's a two version bump to 0.9.4 since I was notified of some x86-64 compilation issues in the last version. Plus I've added a few things.


* Sped up analysis by avoiding redundant function analysis. It still isn't
blazing fast, but is significantly better.

* Fixed a few previously missed 64-bit portability issues.
(toULong -> toULongLong). They were minor, but all of this type should be

* Added a symbol viewer plugin. Double click to see a symbol's value in the
the current data view. Eventually, I'll add a context menu to make it
so you can view it in the code view too depending on the type.


* Continued to make improvements to analyzer. It is more accurate, but also
slower at the moment. I will look into good ways to speed it up.


* Fixed some compilation issues on x86-64. Thanks to Stephan Hegel for working
with me to make sure that x86-64 users have a functioning EDB.

* Reworked analysis to have a higher initial favoritism towards findings
functions by recursivly tracing known functions
(symbols/main/entry point, etc). This will make the analysis more accurate
though it does have the side effect of making "percentage complete" at lot
less meaningful since while it will always stop, the number of iterations
during analysis is indefinite.


* Seems that <QtGlobal> needed to be included in QDisassemblyView.cpp for x86-64
targets. Simple fix, but it broke compilation for some platforms so I'm going
to make a release for it.




August 15th, 2008, 20:31
I install QT4.4.1,but when I install EDB,it show QString is not exist,as to Qglobal,Qmap,QList in SymbolManager.h,why?
I install them in RedHat AS3.

August 18th, 2008, 10:43
Sounds like you have qt4 but not qt4-devel installed. This basically means that you have all the .so file necessary to run qt4 applications, but not the headers needed to compile them.

This should fix the problem.


August 18th, 2008, 22:18
Thanks for your answer.
I want to ask which linux platform such as redhat or other suit for this good tool with QT4 opensource X11.

August 19th, 2008, 11:48
I want to ask which linux platform such as redhat or other suit for this good tool with QT4 opensource X11.

I'm sorry, but I'm unclear on what you are asking. I think you are trying to ask which distribution EDB is "supported" on. In which case, just about any modern (2.6 kernel) one will do if it has QT 4.2 or greater. Ubuntu is a good distro, simple to setup and use. I'm a bit partial to Gentoo, but it requires a large time investment.

If this wasn't your question, please rephrase and I'll try to give you what you need.


August 19th, 2008, 19:15
Thank you very much,I will test Ubuntu.
I use RedHat AS3 with QT4.4.1,but it is failed.

August 20th, 2008, 11:07
You should be more clear by what you mean "it is failed." Does it not compile? Did you install the qt4-devel packages? Does it not run? In either case, please provide some error output.


August 21st, 2008, 18:42
I compile it and run it now,thanks.

September 29th, 2008, 11:04
It's that time again Another edb release.


* Added context menu to Symbol viewer's list so that you can select where to
view the symbol in.

* Added a plugin managment window. Currently, it just lets you see what's been
loaded. But in the future, I will try to make it so you can disable/enable
different plugins.


* Attempt #2 at making the /lib/ vs. /lib64/ automatic for 64-bit platforms. I
think the new solution should work.


* Added the ability for edb to get the base of the GS and FS segments. This
allows the instruction analyzer to correctly display the values of certain
expressions. This also makes segments valid in expressions, they will resolve
to the base of the segment. Though CS/DS/ES/SS will always resolve to 0.
One nice trick is that you can break on each system call by puting a
breakpoint on [gs+0x10] (though 0x10 may vary from system to system).


* Finished making the Heap Analyzer plugin work on x86-64.




September 29th, 2008, 13:05
Nice progress as usual.

November 14th, 2008, 18:57
W00t, 0.9.6 is out the door Mostly minor updates, but a few things that possibly bugged people should be fixed.


* Improved the ebuild on 64-bit platforms.

* Fixed search and replace error with default plugin path, it should work
correctly now.

* Minor improvements to the html documentation.


* Right clicking in the register view will no longer show "Follow In ___"
options for things such as segments, eflags and FPU values. these do not
have meaningful values as addresses.


* Fixed a bug where some old stub code from before the 64-bit port was breaking
any instructions which use the FS or GS segments .

* Made the find ascii string routines more intelligent about what they consider
to be an "ascii" character. The output is a lot more comparable to the unix
strings command.


* Switched from edb::v1::log to qDebug. The nice thing about this is that it
functions very much the same as my old logging. But also supports stream
oriented logging. Finally, it is "hookable" so that a widget could be used to
show the logging in a widget if we want.

* Made several string displays a bit more unicode friendly. This most visibly
results in "high" ascii characters no longer appearing as junk.


* Started prepping the code for internationalization, this will be an ongoing
process. Once the process is started and I have at least one non-english
translation, then it will be helpful if people report un-translated strings.
But we aren't quite ready for that yet .

* Fixed a 64-bit compatibility bug in the breakpoint plugin.

* Sped up heap analyzer a lot by disabling updates during population.


* Fixed a bug introduced in last version where several entries for 0x00000000
were be entered in the function finder plugin. This was actually a bug in
the analysis engine where I failed to notice the side effects of reading a
map using the [] syntax.

* Made it so the symbol viewer plugin will by default open up symbols for code
in the disassembly and data in the data views when double clicked.

* Vastly improved the analyzer's handling of symbol information in its function
search algorithm.




Ricardo Narvaja
November 16th, 2008, 12:45
two easy tutorials in spanish of installing and using edb debugger (and IDA) in linux, i think write more in this theme.


ricardo narvaja

November 16th, 2008, 14:49
Fantastic, any chance you could have versions that are translated to english? Also would you be interested in adding translation files for edb?

Ricardo Narvaja
November 16th, 2008, 14:57
well i don't speak in english for make a translation, but if any is interested in translating, there are no problem at all.

thanks for this good tool, EDB is improving each version, good job.
best regards

December 4th, 2008, 22:45
Dear proxy,

When I try to compiler 0.9.6 version edb, it reports errors below:

cd src/ && make -f Makefile
make[1]: Entering directory `/rh/ixd/tool_test/temp/evan/debugger/src'
g++ -c -m64 -pipe -O2 -Wall -W -D_REENTRANT -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/lib64/qt44/mkspecs/linux-g++-64 -I. -I/usr/lib64/qt44/include/QtCore -I/usr/lib64/qt44/include/QtCore -I/usr/lib64/qt44/include/QtGui -I/usr/lib64/qt44/include/QtGui -I/usr/lib64/qt44/include -I../include -Iwidgets -Ios/unix -I../include/os/unix -Iarch/x86_64 -I../include/arch/x86_64 -I../include/arch/x86_64/edisassm -I. -I. -o SymbolManager.o SymbolManager.cpp
In file included from ../include/arch/x86_64/edisassm/Instruction.h:1249,
from ../include/arch/x86_64/ArchTypes.h:24,
from ../include/Types.h:23,
from ../include/SymbolManager.h:27,
from SymbolManager.cpp:20:
../include/arch/x86_64/edisassm/Instruction.tcc:678: expected 1 levels of
template parms for `void Instruction<N>::decode(const uint8_t*)', got 2
../include/arch/x86_64/edisassm/Instruction.tcc:689: redefinition of `void
Instruction<N>::decode(const uint8_t*)'
../include/arch/x86_64/edisassm/Instruction.tcc:678: `void
Instruction<N>::decode(const uint8_t*)' previously declared here
../include/arch/x86_64/edisassm/Instruction.tcc:689: no `void
Instruction<N>::decode(const uint8_t*)' member function declared in class `
../include/arch/x86_64/edisassm/Instruction.tcc:689: expected 1 levels of
template parms for `void Instruction<N>::decode(const uint8_t*)', got 2
../include/arch/x86_64/edisassm/Instruction.tcc:699: redefinition of `void
Instruction<N>::decode(const uint8_t*)'
../include/arch/x86_64/edisassm/Instruction.tcc:678: `void
Instruction<N>::decode(const uint8_t*)' previously declared here
../include/arch/x86_64/edisassm/Instruction.tcc:699: no `void
Instruction<N>::decode(const uint8_t*)' member function declared in class `
../include/arch/x86_64/edisassm/Instruction.tcc:699: expected 1 levels of
template parms for `void Instruction<N>::decode(const uint8_t*)', got 2
../include/arch/x86_64/edisassm/Instruction.tcc:2076: redefinition of `void
Instruction<N>::decode(const uint8_t*)'
../include/arch/x86_64/edisassm/Instruction.tcc:678: `void
Instruction<N>::decode(const uint8_t*)' previously declared here
../include/arch/x86_64/edisassm/Instruction.tcc:2076: no `void
Instruction<N>::decode(const uint8_t*)' member function declared in class `
make[1]: *** [SymbolManager.o] Error 1
make[1]: Leaving directory `/rh/ixd/tool_test/temp/evan/debugger/src'
make: *** [sub-src-make_default] Error 2

My system:

<1>Red Hat Enterprise Linux AS release 3 (Taroon Update 6)
<2>QMake version 2.01a
Using Qt version 4.4.3 in /usr/lib64/qt44/lib

December 4th, 2008, 22:48
could you please post the version of g++ you are using. I beleive this to be an issue with older gcc's (i experienced it when using mingw which is based on gcc 3.x).


December 4th, 2008, 22:48
Dear proxy,

When I try to compiler 0.9.6 version edb, it reports errors below:

cd src/ && make -f Makefile
make[1]: Entering directory `/rh/ixd/tool_test/temp/evan/debugger/src'
g++ -c -m64 -pipe -O2 -Wall -W -D_REENTRANT -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/lib64/qt44/mkspecs/linux-g++-64 -I. -I/usr/lib64/qt44/include/QtCore -I/usr/lib64/qt44/include/QtCore -I/usr/lib64/qt44/include/QtGui -I/usr/lib64/qt44/include/QtGui -I/usr/lib64/qt44/include -I../include -Iwidgets -Ios/unix -I../include/os/unix -Iarch/x86_64 -I../include/arch/x86_64 -I../include/arch/x86_64/edisassm -I. -I. -o SymbolManager.o SymbolManager.cpp
In file included from ../include/arch/x86_64/edisassm/Instruction.h:1249,
from ../include/arch/x86_64/ArchTypes.h:24,
from ../include/Types.h:23,
from ../include/SymbolManager.h:27,
from SymbolManager.cpp:20:
../include/arch/x86_64/edisassm/Instruction.tcc:678: expected 1 levels of
template parms for `void Instruction<N>::decode(const uint8_t*)', got 2
../include/arch/x86_64/edisassm/Instruction.tcc:689: redefinition of `void
Instruction<N>::decode(const uint8_t*)'
../include/arch/x86_64/edisassm/Instruction.tcc:678: `void
Instruction<N>::decode(const uint8_t*)' previously declared here
../include/arch/x86_64/edisassm/Instruction.tcc:689: no `void
Instruction<N>::decode(const uint8_t*)' member function declared in class `
../include/arch/x86_64/edisassm/Instruction.tcc:689: expected 1 levels of
template parms for `void Instruction<N>::decode(const uint8_t*)', got 2
../include/arch/x86_64/edisassm/Instruction.tcc:699: redefinition of `void
Instruction<N>::decode(const uint8_t*)'
../include/arch/x86_64/edisassm/Instruction.tcc:678: `void
Instruction<N>::decode(const uint8_t*)' previously declared here
../include/arch/x86_64/edisassm/Instruction.tcc:699: no `void
Instruction<N>::decode(const uint8_t*)' member function declared in class `
../include/arch/x86_64/edisassm/Instruction.tcc:699: expected 1 levels of
template parms for `void Instruction<N>::decode(const uint8_t*)', got 2
../include/arch/x86_64/edisassm/Instruction.tcc:2076: redefinition of `void
Instruction<N>::decode(const uint8_t*)'
../include/arch/x86_64/edisassm/Instruction.tcc:678: `void
Instruction<N>::decode(const uint8_t*)' previously declared here
../include/arch/x86_64/edisassm/Instruction.tcc:2076: no `void
Instruction<N>::decode(const uint8_t*)' member function declared in class `
make[1]: *** [SymbolManager.o] Error 1
make[1]: Leaving directory `/rh/ixd/tool_test/temp/evan/debugger/src'
make: *** [sub-src-make_default] Error 2

My system:

<1>Red Hat Enterprise Linux AS release 3 (Taroon Update 6)
<2>QMake version 2.01a
Using Qt version 4.4.3 in /usr/lib64/qt44/lib

Thanks a lot in advance,

December 4th, 2008, 22:52
Just to be sure you got my last post, please post your g++ version. I beleive that is all I need to confirm what I think the problem is.


December 5th, 2008, 08:46
Dear Proxy,

Thanks for your quick reply. I'm sorry I can't access the computer at present, the gcc is default when installing the OS, although can't remember clearly, yes, just as your said, it should be 3.xx version, any suggestion for gcc version? I'll try to test it tomorrow and give update.

Thanks again,

December 5th, 2008, 14:06
yea, that's the problem. I've recently done some adjustments to make it compile in some other compilers, but i still think gcc 3.x isn't quite up to snuff. I would recommend gcc 4.x, probably the newer the better.

December 6th, 2008, 10:08
I met with some trouble when compile gcc 4.3.2, for some other packages needed missed. Have to delay the test, I'll give update next week then, thank you.


December 6th, 2008, 23:44
Dear proxy,

By the way, would you kindly share an older version EDB that can be compiled by gcc3.4.x to let me use the tool first? The regular download page of http://www.codef00.com don't work these days.

Thank you,

December 12th, 2008, 16:35
All old releases are available at codef00.com just not directly linked from any pages.


I can't make any guarantees about any version compiling with gcc 3.x as it is a very a old version of the compiler compiler with relatively poor standars compliance.

Also, please note that I only "officially" support the latest release since many issues have been resolved over time.

December 14th, 2008, 08:14
HI Proxy,

Understand, thanks a lot for your warm help!


December 16th, 2008, 20:27
Hi Proxy,

After taking long time, I have installed gcc4.1.2 under RHEL3 and compiled 0.9.6 version edb tool succesfully, now the remained thing is to study the usage. May still need your help later.

Thanks you,

March 16th, 2009, 14:33
Another version bump for EDB. I figured that I'd do a release to make sure people knew the project wasn't stalled :-P.


* Moved the session handler code to be a plugin now. This will allow more
creative session implementations. For example, the session files could
be actually in a sqlite3 database, or even a mysql database for collaborative
commenting. It should be much more flexible.


* Fixed a bug in the memory region modification code. It would ask if you wanted
to remove the execute permissions of the last executable region any time
there was only one left with execute permissions. This was the case even if
the region you wanted to modify wasn't executable to begin with.

* Started using boost::bind a lot more to make the code much more concise. Doing
this will allow me to make a lot of the "search memory" code be run by a
std::for_each calling a function object. The nice thing about this is that
it will nicely match the way that Qt's concurrent model. Making for a smooth


* I've decided to start using boost (particularly smart pointers) wherever
appropriate. It will help make the code less likely to have bugs. Once Qt 4.5
is out for long enough, I'll likely switch over to them their smart pointers
since there is no point in having multiple library dependencies. But I feel
that boost is such a robust library, it would be silly not to take advantage
of it.


* Implemented the "Find ASCII string in stack" feature. Works like a charm.
To be clear, it is searching for pointers to matching strings on the stack,
no strings in the stack itself. I *think* this is what people would want.
Also, it only cares if the the search string is the begining of the string
on the stack (so if you look for "/bin/" it'll find "/bin/ls". This is
because there could be any amount of data (or characters) after the string
on the stack.

* Added the ability for plugins to add items to the various context menus. This
should allow much more useful plugins in the future. Starting with the
recently requested "Find ASCII string in stack" feature.


* Reorganized much of the DebuggerCore code into seperate platform specific
files to make things much easier to maintain.


* Imported some code provided by Phillip Mayhew which is the begining of a
OSX port. He provided almost all of the functionality necessary to get the
DebuggerCore plugin to be functional. Now I'll just have to start testing
on a Mac soon.


* Fixed defunct process issue on kill/restart (missing waitpid)

* simplified a lot of code involving starting and stopping things. I used to
delete/create objects each time. But simply stopping/starting them is
sufficient and means that I can do less NULL checks.

* Simplified the event loop.

* Replaced all dynamic_cast's with qobject_cast's which don't require rtti.


* New plugin system is complete and things are working normally again. A few
internal functions take more parameters but it decouples those parts from the
rest of the system.

* Windows port is now able to attach and (usually) step.

* Improved portability of error handing system.


* Started to make some large changes to how plugins interact with the core
application. Not all platforms I'd like to target support having a plugin
import symbols from the application that is loading it
(*cough* windows *cough*). So now there is a "PluginAPI" structure which is
passed to every plugin upon init which it will make a copy of (the interface
code does this for you and makes it accessible through an m_API variable).

This new system allows me to have much more strict control over what a plugin
is allowed to do within EDB which is nice, but it also will require I have a
"Core Library" that all plugins and EDB will have to link to in order for
them to share classes which unfortunately means a little bit of binary code
duplication. Oh well.


* Added a messagebox warning when the arch EDB was built for doesn't match the
target process's arch.


* More changes to support Win32/Win64

* Fixed a crash when no analyzer plugin is available.

* Started framework for supporting UTF16 strings in analysis. Currently it's a
lot of boxes and such, but I beleive it is working generally ok.


* Made some minor changes to the edisassm.pro file

* Reworked some function definitions to work around a visual studio bug.

* edisassm *finally* builds with visual studio 2008! Time to start porting edb
to windows :-)




March 29th, 2009, 02:41

did you write edissasm ?
i love it!

March 29th, 2009, 03:46
hi again,

ive just played around a bit with edisassm and notepad.exe entrypoint. it seems that there are some problems with BYTE and WORD operands.

1003e06 a23bae01 'mov byte ptr [0x3b], al' (5) != 'mov [0x0100AE3B], al' (2)
100416d 66a390ae01 'mov word ptr [0xffffae90], ax' (6) != 'mov [0x0100AE90], ax' (4)

the string after '!=' is from edisassm, instructionsize is in brackets

March 29th, 2009, 12:29
Firslty, yes I did write edisassm Glad you like it.

As far as the bugs you've found. Let's clarify what it is and what it should be..

are you saying that EDB produces 'mov [0x0100AE3B], al' or 'mov byte ptr [0x3b], al'? Your comments make me think you are saying it produces 'mov [0x0100AE3B], al' however, when I test it with the byte sequence 'A2 3B AE 01'

edisassm outputs this on the command line:

10000000: mov byte ptr [0x3b], al
10000002: scasb

So I think you mixed up which is from edisassm and which correct. But you've found a bug non-the-less.

Thank you for letting me know (feel free to email me directly about this stuff as well: eteran@alum.rit.edu).

I'll try to find out where the bug is ASAP and get a fix out for ya.


March 29th, 2009, 23:39
You were correct, edisassm had a bug in it's decoding of operands of type Ob and Ow. (Unfortunately the wording in the docs is kinda difficult to interpret it just says this for "O" types.

direct offset; no mod R/M byte; offset of operand is encoded in instruction; no base register, index register, or scaling factor can be applied.

which I assumed when combined with the byte/word modifier meant that the expression's contents were a byte or word, but the reality it that the offset is *always* 32-bit and that the byte/word stuff only effects the size of what the expression points too.

I will post a fix ASAP (likely tomorrow).

Thanks again!


April 2nd, 2009, 12:38
thx for the fix

April 2nd, 2009, 12:44
no problem. Let me know if you find anything else (hopefully there isn't anything else to find...).

Also if there are any features you would like to see, let me know.

Recently I've added the ability to compare two "Instruction" objects. It is fairly efficient except for the ones with operands which are expressions. This is because there are many (sometimes like 16) encodings which are equivalent in functionality.

I'm hoping to make it so you can do "vague" comparisons. like "mov eax, ebx" == "mov REG1, REG2" or "xor eax, eax" == "xor REG1, REG1".

Finally, I hope to one day write an assembler which matches the exact syntax that edisassm uses.

There are a few things which are higher priority at the moment, but let me know if there is anything that would really help.


July 8th, 2009, 15:03
EDB 0.9.10 is out the door, may improvements and a few bug fixes.


* Heap analyzer now uses a linear search for the heap structures. This seem to work nicely for both
x86-64 and x86 arches.


* Added code to the heap analyzer to have it work with newer versions of glibc.
I should probably have some sort of search method instead of fixed offsets,
or better yet, do something reliable :-P.

* Provided a means for plugins to add tabs to the options dialog. The
CheckVersion and Analyzer plugins now use this feature.

* The analyzer now has the option of not using "fuzzy" logic to find functions.
Without fuzzy logic, it is *much* faster and the results are very high
quality (since it only searches for functions reachable from known code). But
will find much less. The default is to use fuzzy logic.


* Analyzer is *much* faster than it was, and more accurate in finding functions.


* More work done to the core to help add thread support (not quite there yet).

* Working on cleaning up the conditional BP stuff, making it more robust.

* I beleive that I have fixed the restart occasionally failing issue. Turns out
that you should do a waitpid() after a detach to avoid getting events from the
previously debugged process.


* Enabled UTF-16 support in base string searching routines. For now, it only
will find strings which use the basic ASCII character set. Eventually I'll
find a good technique for finding non-english language strings as well.

* I Finally figured out how to safely catch SIGCHLD when using Qt4. This has
enabled me to implement a version of waitpid which has a timeout! I am hoping
that this proves to be nice and stable to I can finally phase out the
"Event Thread." Which is neccessary since ptrace really doesn't play nicely
when different threads are used.


* Once again revised the plugin API. Now that the win32 build produces an
edb.lib file, the original style is more appropriate. So once again, plugins
can directly access the exported API. However, only the classes and functions
which are part of the stable API will be exported since EDB is now compiled
with -fvisibility=hidden.

* Cleaned up a lot of code now that the plugin system is simpler.

* Internal managment of breakpoints is now simpler. Now I use shared pointers
to BP objects which use RAII techniques. This has made the code which manages
breakpoints MUCH cleaner .

* Fixed a crash when removing breakpoints via the breakpoint manager plugin.


* Fixed the currently line being outside of the disassembly view in certain


* Added display of symbols in the code view.

* Added the basis for future colorization in the disassembly.

* Improved the way uppercase disassembly is handled. Most visibly, hex strings
are displayed like "0xDEADBEEF" instead of "0XDEADBEEF" making this much more
readable in uppercase mode.


* Fixed crash during initial config if it couldn't find the DebuggerCore plugin.


* Added the undocumented SAL opcode to edisassm.


* Fixed a bug in edisassm's disassembly of operands of type Ob and Ow.




July 13th, 2009, 06:11
This just keeps getting better and better. Waiting for the next release.

July 13th, 2009, 16:14
hell it reminds me ollydbg so much

January 11th, 2010, 14:41
It's been a while, but edb 0.9.11 is out :-). There are generally too many small tweaks to list individually, but here's what I tracked in the change log over the past few months. I hope to get the next releases out in a more timely fashion.


* Too many small changes to list here :-P

* Increased minimum Qt version from 4.2 to 4.5. Now that 4.5 is widely deployed
I think this is a reasonable requirment.


* Fixed builds on some systems.

* Made it so you can load plugins in any order and they should work just fine.

* Disabled graphing capabilities for this release. Unfortunately, graphviz
has made a habit of breaking source compatibility in there C API which means
that the build will break on some systems. I may need to add some sort of
configure script in order to make this work correctly on all supported systems


* Fixed a crash if EDB was set to use a terminal for I/O, but the program
field was empty.

* Many small optimizations.

* A little bit of reorganization in the source tree.

* More steps towards good thread support.

* More functional in Win32 builds (still not good enough yet, but getting

* Heap Graphs! Sometimes they take a really long time to render, but they work
and can show relationships between nodes!


* A few portability tweaks, working on creating a proper visual studio project
file eventually.

* QHexView and QDisassemblyView now format the address based on the size of
address_t instead of the native pointer size of the machine. This will allow
the possibility of future builds being able to do remote debugging and/or
debugging of 32-bit apps on a 64-bit platform.


* Fixed a crashable dead reference usage in Analyzer/FunctionFinder plugins.

* Improved the way that stop codes are handled internally, should make for
cleaner code.

* Some of the bigger operator new usages have exception guards. They shouldn't
be needed in 99% of cases, but it's better to not crash :-P.


* Lots of minor code improvments.

* Fixed conditional Breakpoints.

* Fixed HW Breakpoints (I think).


* Improved the way plugin options pages are shown.


* Instruction<> objects are now "copyable", this is a somewhat expensive
operation, but is the first step towards making edisassm support being an
assembler as well (since it will return an Instruction object).


* Made DebugEvent object a bit smarter as far as the info they carry with them.
This should simplify things a bit.

* Now passing DebugEvent by reference to handlers. I couldn't before because
the events were coming from the "Event Thread" but now that that is phased out
it is more efficient to pass them this way.

* Changed the binary info plugins to be based on looking at a region, not a file
this is more flexible as it will allow it to analyze data which is only seen
at runtime.


* Seems that older versions of gcc have slightly different behaviour with
regard to exported embeded classes. Minor update




February 26th, 2010, 13:52
Lots of goodies in this version. Long awated syntax highlighting,
some minor bugs were fixed. And enhanced bookmarking.


* Added support for highlighting of flow control commands

* Next version will allow "schemes" in the same sense that ollydbg does
you will be able to edit the configuration file to adjust the colors to your


* Added support for comments for bookmarks

* Fixed a bug where the UI didn't update immidiately after closing the config

* syntax highlighting in the CPU view!


* Added "Add Bookmark" to CPU view context menu.




February 26th, 2010, 14:46
Great news, how about MacOs version?

February 26th, 2010, 18:20
The OSX version has been making some progress, mostly because I've been attempting some *BSD ports lately. Unfortunately the main thing holding up the OSX port is that I don't have a mac :-P. So testing any code is somewhat problematic. Eventually I'll get my hands on one and when I do you can rest assured that I will put a large effort into getting an OSX port functional.

May 28th, 2010, 11:06
Some bugs were fixed in this version. But there are lots of small improvements throughout the code. This version also sports a completely re-worked internal event system which will make things like "trace mode" and "run until <some condition>" much easier to implement in the up coming versions. We also have themes!


* Added display of fs and gs base addresses. There is not an aweful lot of
things you can do with this information since you cannot set this value
directly. But it does provide a nice way to see what the address of the
what is commonly the TEB/TCB.

* [E/R]FLAGS is now editable again in the GUI. I accidentally disabled this
in the last release while refactoring some code.

* Much cleaner event model implemented. It is much more robust and simpler too!
Now handlers simply return codes describing the resume state. The only thing
to keep in mind is that if you play with the state in a handler. You almost
always have to call edb::v1::syncronizeState() so the resume functions have
an up to date view to work with.

* Thanks to the new event model, breakpoint conditions work much more reliably.

* Minor optimization in resuming, no longer steps before a resume when it isn't

* NOTE: I believe that I found a kernel bug where stepping in a signal handler
can cause the target process to have the TF flag set incorrectly. Resulting
in a purpetual stepping state. I may be able to work around this by
explicitly masking the flag in certain circumstances. But I feel this might
result in other subtle bugs. Hopefully, if this isn't the expected behavior
the linux guys will have this fixed soon.
See: https://bugzilla.kernel.org/show_bug.cgi?id=16061 for details.


* Fixed decoding of cmpxchg8b in 64-bit mode. It was incorrectly being
decoded as cmpxchg16b.

* Started working on improving the event model of edb. It will be a lot of
work, but in the end it will be much more robust

* Fixed a fairly major bug, I'm suprised that noone noticed Opcodes which
are completely different in 64-bit mode (like 0x06 is "push es" in 32-bit
but invalid in 64-bit) were not being decoded properly at all. The alternated
tables were not being linked into the disassembly library correctly.


* Lots of minor tweaks and code refactoring

* Themes! there is no UI for modifying them, but you can set them up in the
config file (~/.config/codef00.com/EDB.conf) manually. Basically there is a
"[Theme]" section which gets read on startup (a change will need a restart
to take effect). In this section there are a bunch of settings that effect
the look of the disassembly which looks like this:


Valid categories are:


Valid properties are:



you may omit any property, which will yield the default value look for that

foreground and background are colors, this is a string which can be anything
you can pass to a QColor(const char *) constructor. So, it can take named
constants such as "green" or hex color codes like "#00ff00", the special value,
transparent is also allowed. See the Qt documentation for the full details.

weight is on a scale of 0 to 99. 50 being normal and 75 being bold.

italic and underline are typical boolean values.

EXAMPLE (this will give the default look):



* Made the copy operation of QHexView widgets do an ascii rendering of what the
user has selected, this is infinitely more useful.

* Re-added the jump/call target symbol display in the disassembly view. This
was accidentally chopped when I added syntax highlighting.


* Code cleanup

* Fixed potential memory corruption in symbol management code (could not
demonstrate it, but technically it was possible).

* Added some options to the DumpState plugin

* The DumpState plugin now uses the current data view tab as the basis for
its "data" portion of the output

* Got rid of the insanity of having "ctrl+c" mean "check version". :-P

* The BreakpointManager is no longer a modal dialog.

* Improved const correctness of some things

* Fixed corner case where the UI wouldn't update immediately




May 29th, 2010, 02:47

May 29th, 2010, 14:56
Very nice really

May 29th, 2010, 15:57
I just did a maintenance release 0.9.15 which fixes the build on certain platforms.

October 19th, 2010, 23:46
Finally got the next version "release" worthy :-). Too many tweaks and changes to enumerate, but as usual, here's the changelog.


* Since the tools that ./edb_make_symbolmap is dependant on are not uniform
across all the platforms that I intend to support. I have built symbol
file generation into edb directly. Running './edb --symbols <filename>' will
create a symbol file in the same format as the old script. For now, ELF is the
only supported format but more will be added as needed. This also means
that future versions of edb will be able to generate symbols as needed
if no symbol file is provided, making things "just work" more often.


* Improved the way that different OS's are handled in the source tree a bit

* Added more detection of suspicious breakpoints (ones that are likely
a user error).

* OpenBSD support is now at a functional level. There are some features
missing, but it is a good start. You can do all of the basic debugging
tasks now.


* Reference finder now will find calls/jumps and consider them code refernces
double clicking those results will jump to the address in the CPU view.

* Code in general has now adopted a more clean and consistant style. It is
a work in progress, but almost all plugin accessible code is conformant.

* Compiles and attaches on OpenBSD, but unfortunately cannot step yet. Almost

* OpenBSD use KVM to get process maps, much cleaner than relying on other

* The breakpoint API is simpler and has less redundancy between the core and
the edb namespace.

* Minor fixes for arches that don't support unaligned access. No such arch is
currently supported, but may as well plan ahead ;-).

* New ROP gadget finder plugin. It is in the early stages, but will evolve over
time. I hope to support some form of automatic shellcode generation in the

* Experimental "run until return" support. This is slow and not always correct
but a start. It seems that linux delivers a different event when stepping
over a syscall instruction, so I'm not sure of the best way to address that.


* Lots of small fixes here and there.

* Lots of work towards a working OSX port. It isn't quite there yet, but the
ground work is being layed.

* Fixed a bug in the expression parser.

* Working towards a new improved edisassm API which will make introducing new
arches much simpler in the long run.

* Fixed a hang when trying to use gnome-terminal as the I/O TTY. It's not what
I consider an ideal fix (string compare to determine what terminal you are
using), but it appears to be reasonable.

* LOTS of small speed tweaks all over the place.

* Did some work trying to get a functional trace mode, in my tests it is almost
working correctly, but not quite there.


* Added Ctrl+G shortcut. This is a global shortcut which will activate the
"goto" functionality of the widget with the focus.

* Made the instruction analysis window update the register values are
changed by the user.


* Added the ability to analyze the currently *viewed* region, not just the one
that the IP is in currently. Also added an "Analyze Here" context menu to the
cpu view.

Enjoy :-)

October 20th, 2010, 06:12
* Since the tools that ./edb_make_symbolmap is dependant on are not uniform
across all the platforms that I intend to support. I have built symbol
file generation into edb directly. Running './edb --symbols <filename>' will
create a symbol file in the same format as the old script.

Well the quick and dirty way you provided works fine so, just put that in a script that takes the platform as argument for example..

Question: does the update option in the menu works well ?

Thanks for sharing with us Proxy.

October 27th, 2010, 10:40
[Originally Posted by Silkut;87946]Question: does the update option in the menu works well ?

I am not sure what you mean by "update option" since there is no menu item called update. Are you referring to the "Check Version" plugin? If so, that plugin works fine, but it is up to the user to actually download and install the update.

April 14th, 2011, 15:48
Another edb release is out the door! I know it too a while, but there are tons of little tweaks and fixes in the code.

I didn't do the best at tracking things with the CHANGELOG this time, but here's a list off the top of my head:

* State structures are now defined in the DebuggerCore instead of in the main source, this will allow better portability in the future.

* Improved edisassm decoding and organization.

* Fixed some corner cases in search routines.

* Fixed false positive in "main" detection for non C binaries.

* Preliminary thread debugging support (it's still very experimental, expect it to not work 100% correctly).

* Improved analyzer code and speed.

* Cleaned up plugin interface stuff. If it doesn't need to be in the public headers, it won't be.

* Many small bug fixes!

Enjoy :-)