Welcome to the new Woodmann RCE Messageboards Regroupment

EDB Linux Debugger 0.9.0 Release :)

RCE of Linux tools and programs.
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

yea, that's the problem. I've recently done some adjustments to make it compile in some other compilers, but I still think gcc 3.x isn't quite up to snuff. I would recommend gcc 4.x, probably the newer the better.
Previnlin
Junior Member
Posts: 7
Joined: Thu Dec 04, 2008 10:38 pm

Post by Previnlin »

I ran into some trouble when compiling gcc 4.3.2, since some other required packages were missing. I have to delay the test; I'll give an update next week. Thank you.

Previn
Previnlin
Junior Member
Posts: 7
Joined: Thu Dec 04, 2008 10:38 pm

Post by Previnlin »

Dear proxy,

By the way, would you kindly share an older version of EDB that can be compiled with gcc 3.4.x, so I can use the tool first? The regular download page of http://www.codef00.com doesn't work these days.

Thank you,
Previn
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

All old releases are available at codef00.com just not directly linked from any pages.

http://www.codef00.com/projects/

I can't make any guarantees about any version compiling with gcc 3.x, as it is a very old version of the compiler with relatively poor standards compliance.

Also, please note that I only "officially" support the latest release since many issues have been resolved over time.
Previnlin
Junior Member
Posts: 7
Joined: Thu Dec 04, 2008 10:38 pm

Post by Previnlin »

HI Proxy,

Understand, thanks a lot for your warm help!

Previn
Previnlin
Junior Member
Posts: 7
Joined: Thu Dec 04, 2008 10:38 pm

Post by Previnlin »

Hi Proxy,

After taking a long time, I have installed gcc 4.1.2 under RHEL3 and compiled the 0.9.6 version of the edb tool successfully; now the remaining thing is to study the usage. May still need your help later.

Thank you,
Previn
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

Another version bump for EDB. I figured that I'd do a release to make sure people knew the project wasn't stalled :-P.


2009-02-10
----------

* Moved the session handler code to be a plugin now. This will allow more
creative session implementations. For example, the session files could
be actually in a sqlite3 database, or even a mysql database for collaborative
commenting. It should be much more flexible.

2009-02-04
----------

* Fixed a bug in the memory region modification code. It would ask if you wanted
to remove the execute permissions of the last executable region any time
there was only one left with execute permissions. This was the case even if
the region you wanted to modify wasn't executable to begin with.

* Started using boost::bind a lot more to make the code much more concise. Doing
this will allow me to make a lot of the "search memory" code be run by a
std::for_each calling a function object. The nice thing about this is that
it will nicely match the way Qt's concurrent model works, making for a smooth
transition.

2009-01-23
----------

* I've decided to start using boost (particularly smart pointers) wherever
appropriate. It will help make the code less likely to have bugs. Once Qt 4.5
is out for long enough, I'll likely switch over to their smart pointers
since there is no point in having multiple library dependencies. But I feel
that boost is such a robust library, it would be silly not to take advantage
of it.

2009-01-22
----------

* Implemented the "Find ASCII string in stack" feature. Works like a charm.
To be clear, it is searching for pointers to matching strings on the stack,
not strings in the stack itself. I *think* this is what people would want.
Also, it only cares if the search string is the beginning of the string
on the stack (so if you look for "/bin/" it'll find "/bin/ls"). This is
because there could be any amount of data (or characters) after the string
on the stack.

* Added the ability for plugins to add items to the various context menus. This
should allow much more useful plugins in the future. Starting with the
recently requested "Find ASCII string in stack" feature.

2009-01-08
----------

* Reorganized much of the DebuggerCore code into separate platform specific
files to make things much easier to maintain.

2008-12-28
----------

* Imported some code provided by Phillip Mayhew which is the beginning of an
OSX port. He provided almost all of the functionality necessary to get the
DebuggerCore plugin to be functional. Now I'll just have to start testing
on a Mac soon.

2008-12-11
----------

* Fixed defunct process issue on kill/restart (missing waitpid)

* simplified a lot of code involving starting and stopping things. I used to
delete/create objects each time. But simply stopping/starting them is
sufficient and means that I can do less NULL checks.

* Simplified the event loop.

* Replaced all dynamic_cast's with qobject_cast's which don't require rtti.

2008-12-10
----------

* New plugin system is complete and things are working normally again. A few
internal functions take more parameters but it decouples those parts from the
rest of the system.

* Windows port is now able to attach and (usually) step.

* Improved portability of error handling system.

2008-12-08
----------

* Started to make some large changes to how plugins interact with the core
application. Not all platforms I'd like to target support having a plugin
import symbols from the application that is loading it
(*cough* windows *cough*). So now there is a "PluginAPI" structure which is
passed to every plugin upon init which it will make a copy of (the interface
code does this for you and makes it accessible through an m_API variable).

This new system allows me to have much more strict control over what a plugin
is allowed to do within EDB which is nice, but it also will require I have a
"Core Library" that all plugins and EDB will have to link to in order for
them to share classes which unfortunately means a little bit of binary code
duplication. Oh well.

2008-12-07
----------

* Added a messagebox warning when the arch EDB was built for doesn't match the
target process's arch.

2008-12-06
----------

* More changes to support Win32/Win64

* Fixed a crash when no analyzer plugin is available.

* Started framework for supporting UTF16 strings in analysis. Currently it's a
lot of boxes and such, but I believe it is working generally ok.

2008-12-05
----------

* Made some minor changes to the edisassm.pro file

* Reworked some function definitions to work around a visual studio bug.

* edisassm *finally* builds with visual studio 2008! Time to start porting edb
to windows :-)

enjoy

http://www.codef00.com/projects.php#Debugger

proxy
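The "Find ASCII string in stack" feature described in the changelog above can be reconstructed from that description. The following is an added example and not EDB's own code: it walks a stack image one pointer-sized slot at a time and reports slots whose value points into readable memory that begins with the search text, so a search for "/bin/" also matches "/bin/ls". The 32-bit pointer size, the region and stack contents, and all addresses are constructed assumptions for the example.

```cpp
// Added example, not EDB code: "find pointers on the stack to strings that
// begin with the search text". Memory image and stack below are constructed.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct Region {                 // one readable mapping of the debuggee (constructed)
    uint32_t base;
    std::vector<uint8_t> bytes;
};

struct Hit {
    uint32_t slot_addr;         // address of the stack slot that holds the pointer
    uint32_t target;            // where the pointer points
    std::string text;           // the C string found there (capped at 64 chars)
};

// Return the region containing `addr`, or nullptr if it is not readable memory.
static const Region *find_region(const std::vector<Region> &regions, uint32_t addr) {
    for (const Region &r : regions)
        if (addr >= r.base && addr - r.base < r.bytes.size()) return &r;
    return nullptr;
}

// Prefix match only: any amount of data may follow the string on the stack.
static std::vector<Hit> find_string_pointers_on_stack(
        const std::vector<Region> &regions,
        uint32_t stack_base, const std::vector<uint32_t> &stack,
        const std::string &needle) {
    std::vector<Hit> hits;
    if (needle.empty()) return hits;
    for (size_t i = 0; i < stack.size(); ++i) {
        const uint32_t ptr = stack[i];
        const Region *r = find_region(regions, ptr);
        if (!r) continue;                               // not a pointer into readable memory
        const size_t off = ptr - r->base;
        if (r->bytes.size() - off < needle.size()) continue;   // would run off the mapping
        if (std::memcmp(&r->bytes[off], needle.data(), needle.size()) != 0) continue;
        std::string text;                               // collect the rest of the C string
        for (size_t j = off; j < r->bytes.size() && r->bytes[j] != 0 && text.size() < 64; ++j)
            text.push_back(static_cast<char>(r->bytes[j]));
        Hit h;
        h.slot_addr = static_cast<uint32_t>(stack_base + i * sizeof(uint32_t));
        h.target = ptr;
        h.text = text;
        hits.push_back(h);
    }
    return hits;
}

// Constructed sample: a data region holding three C strings and a stack whose
// slots mix junk, an unmapped value and three pointers into the region.
static std::vector<Hit> demo(const std::string &needle) {
    Region data;
    data.base = 0x08049000u;
    static const char blob[] = "/bin/ls\0/bin/sh\0hello\0";
    data.bytes.assign(blob, blob + sizeof(blob) - 1);
    std::vector<Region> regions;
    regions.push_back(data);
    std::vector<uint32_t> stack = {
        0xbffff000u,        // looks like a stack address, but not in any region
        0x08049008u,        // -> "/bin/sh"
        0x41414141u,        // junk
        0x08049000u,        // -> "/bin/ls"
        0x08049010u,        // -> "hello"
    };
    return find_string_pointers_on_stack(regions, 0xbffff800u, stack, needle);
}

int main() {
    for (const Hit &h : demo("/bin/"))
        std::printf("[0x%08x] -> 0x%08x \"%s\"\n", h.slot_addr, h.target, h.text.c_str());
    return 0;
}
```

The search deliberately treats every slot as a candidate pointer rather than only values inside the stack mapping, because the interesting pointers (argv strings, format strings, paths) usually point into data or heap mappings.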
0rp
Posts: 111
Joined: Wed Mar 03, 2004 12:47 pm

Post by 0rp »

hi,

did you write edisassm?
i love it!
0rp
Posts: 111
Joined: Wed Mar 03, 2004 12:47 pm

Post by 0rp »

hi again,

I've just played around a bit with edisassm and the notepad.exe entry point. It seems that there are some problems with BYTE and WORD operands.

1003e06 a23bae01 'mov byte ptr [0x3b], al' (5) != 'mov [0x0100AE3B], al' (2)
100416d 66a390ae01 'mov word ptr [0xffffae90], ax' (6) != 'mov [0x0100AE90], ax' (4)

the string after '!=' is from edisassm, instructionsize is in brackets
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

Firstly, yes I did write edisassm ;) Glad you like it.

As far as the bugs you've found, let's clarify what it is and what it should be.

Are you saying that EDB produces 'mov [0x0100AE3B], al' or 'mov byte ptr [0x3b], al'? Your comments make me think you are saying it produces 'mov [0x0100AE3B], al'; however, when I test it with the byte sequence 'A2 3B AE 01'

edisassm outputs this on the command line:


10000000: mov byte ptr [0x3b], al
10000002: scasb
(bad)

So I think you mixed up which is from edisassm and which is correct. But you've found a bug nonetheless.

Thank you for letting me know (feel free to email me directly about this stuff as well: [email protected]).

I'll try to find out where the bug is ASAP and get a fix out for ya.

proxy
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

You were correct, edisassm had a bug in its decoding of operands of type Ob and Ow. (Unfortunately the wording in the docs is kinda difficult to interpret; it just says this for "O" types:
direct offset; no mod R/M byte; offset of operand is encoded in instruction; no base register, index register, or scaling factor can be applied.
which I assumed, when combined with the byte/word modifier, meant that the expression's contents were a byte or word, but the reality is that the offset is *always* 32-bit and that the byte/word stuff only affects the size of what the expression points to.)

I will post a fix ASAP (likely tomorrow).

Thanks again!

proxy
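As an added example (not edisassm's code), here is a minimal decoder for just the x86 moffs forms proxy is describing (opcodes A0-A3 in 32-bit code), with a switch that reproduces the original mistake: the offset after the opcode is always address-size, four bytes here, and the 0x66 prefix or the A0/A2 versus A1/A3 choice only changes the operand size and the register name. The sample bytes are the full little-endian encodings of the two addresses in 0rp's post; the output syntax, lowercase hex and the helper names are assumptions for the example.

```cpp
// Added example, not edisassm code: decoding "mov moffs, AL/AX/EAX" and its
// load forms (A0-A3) in 32-bit mode, with an option to reproduce the Ob/Ow bug.
#include <cstdint>
#include <cstdio>
#include <string>

struct Decoded {
    std::string text;   // edisassm-like text, empty if not a moffs instruction
    size_t length;      // bytes consumed; 0 when not decoded
};

// `reproduce_bug` reads a 1- or 2-byte offset for byte/word operands, which is
// the mistake described above; the correct rule is: offset width == address size.
static Decoded decode_moffs(const uint8_t *p, size_t n, bool reproduce_bug = false) {
    size_t i = 0;
    bool opsize16 = false;
    while (i < n && p[i] == 0x66) { opsize16 = true; ++i; }   // operand-size prefix
    if (i >= n) return { "", 0 };
    const uint8_t op = p[i++];
    if (op < 0xa0 || op > 0xa3) return { "", 0 };          // not a moffs form
    const bool is_byte = (op == 0xa0 || op == 0xa2);        // Ob forms (AL)
    const bool to_mem  = (op == 0xa2 || op == 0xa3);        // A2/A3 store, A0/A1 load

    size_t width = 4;                                       // 32-bit address size
    if (reproduce_bug) width = is_byte ? 1 : (opsize16 ? 2 : 4);
    if (n - i < width) return { "", 0 };

    uint32_t raw = 0;
    for (size_t k = 0; k < width; ++k) raw |= static_cast<uint32_t>(p[i + k]) << (8 * k);
    i += width;
    uint32_t off = raw;
    // The buggy path treated the short value like a displacement and sign-extended it,
    // which is how 0xae90 became 0xffffae90 in 0rp's listing.
    if (width == 1) off = static_cast<uint32_t>(static_cast<int32_t>(static_cast<int8_t>(raw)));
    if (width == 2) off = static_cast<uint32_t>(static_cast<int32_t>(static_cast<int16_t>(raw)));

    const char *size = is_byte ? "byte" : (opsize16 ? "word" : "dword");
    const char *reg  = is_byte ? "al"   : (opsize16 ? "ax"   : "eax");
    char addr[16];
    if (width == 4) std::snprintf(addr, sizeof addr, "0x%08x", off);   // full address width
    else            std::snprintf(addr, sizeof addr, "0x%x", off);     // what the bug printed
    char buf[64];
    if (to_mem) std::snprintf(buf, sizeof buf, "mov %s ptr [%s], %s", size, addr, reg);
    else        std::snprintf(buf, sizeof buf, "mov %s, %s ptr [%s]", reg, size, addr);
    return { buf, i };
}

// Sample encodings (constructed from the addresses quoted in the thread).
static const uint8_t SAMPLE_A2[]   = { 0xa2, 0x3b, 0xae, 0x00, 0x01 };         // mov [0x0100ae3b], al
static const uint8_t SAMPLE_66A3[] = { 0x66, 0xa3, 0x90, 0xae, 0x00, 0x01 };   // mov [0x0100ae90], ax
static const uint8_t SAMPLE_A1[]   = { 0xa1, 0x00, 0x10, 0x40, 0x00 };         // mov eax, [0x00401000]
static const uint8_t SAMPLE_NOP[]  = { 0x90 };                                 // not a moffs form

int main() {
    const uint8_t *samples[] = { SAMPLE_A2, SAMPLE_66A3, SAMPLE_A1 };
    const size_t sizes[] = { sizeof SAMPLE_A2, sizeof SAMPLE_66A3, sizeof SAMPLE_A1 };
    for (int s = 0; s < 3; ++s) {
        Decoded ok  = decode_moffs(samples[s], sizes[s], false);
        Decoded bad = decode_moffs(samples[s], sizes[s], true);
        std::printf("correct: %-36s (%zu)   buggy: %-36s (%zu)\n",
                    ok.text.c_str(), ok.length, bad.text.c_str(), bad.length);
    }
    return 0;
}
```

With the bug enabled the first sample decodes to the 2-byte "mov byte ptr [0x3b], al" that proxy saw on the command line, leaving "ae" to be misread as scasb; the correct path consumes all 5 bytes. The dword form (A1/A3 without 0x66) is unaffected either way, which is why only BYTE and WORD operands showed the problem.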
0rp
Posts: 111
Joined: Wed Mar 03, 2004 12:47 pm

Post by 0rp »

thx for the fix
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

no problem. Let me know if you find anything else (hopefully there isn't anything else to find...).

Also if there are any features you would like to see, let me know.

Recently I've added the ability to compare two "Instruction" objects. It is fairly efficient except for the ones with operands which are expressions. This is because there are many (sometimes like 16) encodings which are equivalent in functionality.

I'm hoping to make it so you can do "vague" comparisons. like "mov eax, ebx" == "mov REG1, REG2" or "xor eax, eax" == "xor REG1, REG1".

Finally, I hope to one day write an assembler which matches the exact syntax that edisassm uses.

There are a few things which are higher priority at the moment, but let me know if there is anything that would really help.

proxy
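One way to implement the "vague" comparison proxy describes, as an added example that is not edisassm's code: a pattern such as "mov REG1, REG2" or "xor REG1, REG1" matches a concrete instruction when the mnemonics and operand counts agree and each REGn placeholder binds to exactly one register across the whole instruction. It works on disassembly text rather than Instruction objects, and the operand splitting, the placeholder spelling and the register list are assumptions for the example.

```cpp
// Added example, not edisassm code: pattern matching of disassembly text with
// consistently bound REGn placeholders ("xor REG1, REG1" matches "xor eax, eax"
// but not "xor eax, ebx").
#include <cctype>
#include <map>
#include <set>
#include <string>
#include <vector>

struct Insn {
    std::string mnemonic;
    std::vector<std::string> operands;
};

static std::string trim(const std::string &s) {
    const size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    const size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Split "mov eax, ebx" into mnemonic "mov" and operands {"eax", "ebx"}.
static Insn parse_insn(const std::string &text) {
    Insn in;
    const std::string t = trim(text);
    const size_t sp = t.find_first_of(" \t");
    in.mnemonic = t.substr(0, sp);
    if (sp == std::string::npos) return in;
    const std::string rest = t.substr(sp + 1);
    size_t start = 0;
    for (;;) {
        const size_t comma = rest.find(',', start);
        const size_t len = (comma == std::string::npos) ? std::string::npos : comma - start;
        const std::string op = trim(rest.substr(start, len));
        if (!op.empty()) in.operands.push_back(op);
        if (comma == std::string::npos) break;
        start = comma + 1;
    }
    return in;
}

// Placeholder spelling assumed for the example: "REG" followed by a digit.
static bool is_placeholder(const std::string &op) {
    return op.size() > 3 && op.compare(0, 3, "REG") == 0 &&
           std::isdigit(static_cast<unsigned char>(op[3]));
}

// General-purpose registers a placeholder may stand for (assumed list, x86-32).
static bool is_register(const std::string &op) {
    static const std::set<std::string> regs = {
        "eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
        "ax",  "bx",  "cx",  "dx",  "si",  "di",  "bp",  "sp",
        "al",  "bl",  "cl",  "dl",  "ah",  "bh",  "ch",  "dh",
    };
    return regs.count(op) != 0;
}

// True if `concrete` is an instance of `pattern`. Literal operands must match
// exactly; each placeholder binds to the first register it meets and every
// later occurrence must agree with that binding.
static bool vague_match(const std::string &pattern, const std::string &concrete) {
    const Insn p = parse_insn(pattern);
    const Insn c = parse_insn(concrete);
    if (p.mnemonic != c.mnemonic || p.operands.size() != c.operands.size()) return false;
    std::map<std::string, std::string> binding;
    for (size_t i = 0; i < p.operands.size(); ++i) {
        const std::string &po = p.operands[i];
        const std::string &co = c.operands[i];
        if (is_placeholder(po)) {
            if (!is_register(co)) return false;           // placeholders only match registers
            auto it = binding.find(po);
            if (it == binding.end()) binding[po] = co;
            else if (it->second != co) return false;      // REG1 already bound elsewhere
        } else if (po != co) {
            return false;
        }
    }
    return true;
}
```

Distinct placeholders are allowed to bind to the same register, so "mov REG1, REG2" also matches "mov eax, eax"; a rule that REG1 and REG2 must differ is a small addition in the binding loop if that is wanted. Matching on text also means the 16 or so equivalent encodings proxy mentions compare equal for free, since they disassemble to the same string.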
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

EDB 0.9.10 is out the door, many improvements and a few bug fixes.


2009-07-08
----------

* Heap analyzer now uses a linear search for the heap structures. This seems to work nicely for both
x86-64 and x86 arches.

2009-07-03
----------

* Added code to the heap analyzer to have it work with newer versions of glibc.
I should probably have some sort of search method instead of fixed offsets,
or better yet, do something reliable :-P.

* Provided a means for plugins to add tabs to the options dialog. The
CheckVersion and Analyzer plugins now use this feature.

* The analyzer now has the option of not using "fuzzy" logic to find functions.
Without fuzzy logic, it is *much* faster and the results are very high
quality (since it only searches for functions reachable from known code). But
will find much less. The default is to use fuzzy logic.

2009-07-01
----------

* Analyzer is *much* faster than it was, and more accurate in finding functions.

2009-06-30
----------

* More work done to the core to help add thread support (not quite there yet).

* Working on cleaning up the conditional BP stuff, making it more robust.

* I believe that I have fixed the restart occasionally failing issue. Turns out
that you should do a waitpid() after a detach to avoid getting events from the
previously debugged process.

2009-06-20
----------

* Enabled UTF-16 support in base string searching routines. For now, it only
will find strings which use the basic ASCII character set. Eventually I'll
find a good technique for finding non-english language strings as well.

* I finally figured out how to safely catch SIGCHLD when using Qt4. This has
enabled me to implement a version of waitpid which has a timeout! I am hoping
that this proves to be nice and stable so I can finally phase out the
"Event Thread," which is necessary since ptrace really doesn't play nicely
when different threads are used.

2009-05-29
----------

* Once again revised the plugin API. Now that the win32 build produces an
edb.lib file, the original style is more appropriate. So once again, plugins
can directly access the exported API. However, only the classes and functions
which are part of the stable API will be exported since EDB is now compiled
with -fvisibility=hidden.

* Cleaned up a lot of code now that the plugin system is simpler.

* Internal management of breakpoints is now simpler. Now I use shared pointers
to BP objects which use RAII techniques. This has made the code which manages
breakpoints MUCH cleaner :) .

* Fixed a crash when removing breakpoints via the breakpoint manager plugin.

2009-05-27
----------

* Fixed the current line being outside of the disassembly view in certain
circumstances.

2009-05-26
----------

* Added display of symbols in the code view.

* Added the basis for future colorization in the disassembly.

* Improved the way uppercase disassembly is handled. Most visibly, hex strings
are displayed like "0xDEADBEEF" instead of "0XDEADBEEF" making this much more
readable in uppercase mode.

2009-05-15
----------

* Fixed crash during initial config if it couldn't find the DebuggerCore plugin.

2009-04-14
----------

* Added the undocumented SAL opcode to edisassm.

2009-03-30
----------

* Fixed a bug in edisassm's disassembly of operands of type Ob and Ow.

enjoy

http://www.codef00.com/projects.php#Debugger

proxy
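The two waitpid() items above (reaping on kill/restart from the 2008-12-11 entry in the earlier post, and the waitpid with a timeout built on SIGCHLD in the 2009-06-20 entry) can be shown with a plain child process, as an added example that is not EDB's code: SIGCHLD is blocked and collected with sigtimedwait(), which gives a single-threaded wait with a deadline, and the killed child is always reaped so it does not linger as <defunct>. Linux is assumed; the idle child standing in for the debuggee and the timeouts are constructed for the example, and no ptrace is involved.

```cpp
// Added example, not EDB code: waitpid() with a timeout via a blocked SIGCHLD
// and sigtimedwait(), plus the "always reap after kill" rule. Linux assumed.
#include <cerrno>
#include <csignal>
#include <cstdio>
#include <ctime>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Block SIGCHLD so it is never delivered asynchronously; sigtimedwait() picks it up.
static bool block_sigchld() {
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGCHLD);
    return sigprocmask(SIG_BLOCK, &set, nullptr) == 0;
}

static long now_ms() {
    struct timespec t;
    clock_gettime(CLOCK_MONOTONIC, &t);
    return t.tv_sec * 1000L + t.tv_nsec / 1000000L;
}

// Returns pid once the child is reaped (status filled in), 0 on timeout, -1 on error.
// A SIGCHLD for some other child just wakes the loop; the WNOHANG poll decides.
static pid_t waitpid_timeout(pid_t pid, int *status, int timeout_ms) {
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGCHLD);
    const long deadline = now_ms() + timeout_ms;
    for (;;) {
        pid_t r = waitpid(pid, status, WNOHANG);
        if (r != 0) return r;                       // reaped (r == pid) or error (-1)
        const long left = deadline - now_ms();
        if (left <= 0) return 0;                    // timed out, child still running
        struct timespec ts;
        ts.tv_sec = left / 1000;
        ts.tv_nsec = (left % 1000) * 1000000L;
        if (sigtimedwait(&set, nullptr, &ts) < 0 && errno != EAGAIN && errno != EINTR)
            return -1;
        // EAGAIN: the wait expired; loop once more so a child that died right at the
        // deadline is still reaped by the WNOHANG poll before we report a timeout.
    }
}

// Stand-in for a debuggee (constructed): sits in pause() until it is killed.
static pid_t spawn_idle_child() {
    pid_t child = fork();
    if (child == 0) { for (;;) pause(); }
    return child;
}

// Kill/restart path: after kill() the child must be reaped or it stays <defunct>.
// Returns true when it was reaped with the expected SIGKILL termination status.
static bool kill_and_reap() {
    if (!block_sigchld()) return false;
    pid_t child = spawn_idle_child();
    if (child < 0) return false;
    kill(child, SIGKILL);
    int status = 0;
    pid_t r = waitpid_timeout(child, &status, 5000);
    return r == child && WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL;
}

// Timeout path: a child that never changes state yields 0 instead of blocking
// forever, and is killed and reaped afterwards regardless.
static bool wait_times_out() {
    if (!block_sigchld()) return false;
    pid_t child = spawn_idle_child();
    if (child < 0) return false;
    int status = 0;
    pid_t r = waitpid_timeout(child, &status, 100);
    kill(child, SIGKILL);
    waitpid(child, &status, 0);                     // never leave a zombie behind
    return r == 0;
}

int main() {
    std::printf("kill_and_reap: %s\n", kill_and_reap() ? "ok" : "FAILED");
    std::printf("wait_times_out: %s\n", wait_times_out() ? "ok" : "FAILED");
    return 0;
}
```

The same WNOHANG poll is what drains a stop event already queued for an old debuggee after a PTRACE_DETACH, which is the restart failure proxy describes in the 2009-06-30 entry; that step is left out here because it needs a real traced process. Keeping the whole wait on the thread that called ptrace() is the point of avoiding a separate event thread, since ptrace requests are only honoured from the tracing thread.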
Externalist
Member
Posts: 57
Joined: Wed Dec 26, 2007 8:00 am

Post by Externalist »

This just keeps getting better and better. :) Waiting for the next release. :)
Externalist