
EDB Linux Debugger 0.8.0 Release :)

RCE of Linux tools and programs.
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

Also, you may want to look into possibly updating your libraries, because I get very different output from valgrind with full memory leak checking.


==26507== ERROR SUMMARY: 36 errors from 3 contexts (suppressed: 7 from 1)
==26507==
==26507== malloc/free: in use at exit: 308,231 bytes in 3,824 blocks.
==26507== malloc/free: 164,138 allocs, 160,314 frees, 10,879,333 bytes allocated.
==26507==
==26507== searching for pointers to 3,824 not-freed blocks.
==26507== checked 907,240 bytes.
==26507==
==26507==
==26507== 20 bytes in 1 blocks are definitely lost in loss record 30 of 116
==26507==    at 0x40245D8: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==26507==    by 0x4ACDF8A: strdup (in /lib/libc-2.4.so)
==26507==
==26507==
==26507== 156 (36 direct, 120 indirect) bytes in 1 blocks are definitely lost in loss record 71 of 116
==26507==    at 0x40245D8: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==26507==    by 0x4B43F54: (within /lib/libc-2.4.so)
==26507==
==26507==
==26507== 216 bytes in 1 blocks are definitely lost in loss record 77 of 116
==26507==    at 0x40245D8: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==26507==    by 0x46D5379: _XimOpenIM (in /usr/lib/libX11.so.6.2.0)
==26507==
==26507==
==26507== 2,038 bytes in 2 blocks are definitely lost in loss record 101 of 116
==26507==    at 0x40245D8: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==26507==    by 0x45C7BBA: (within /usr/lib/libfreetype.so.6.3.8)
==26507==
==26507== LEAK SUMMARY:
==26507==    definitely lost: 2,310 bytes in 5 blocks.
==26507==    indirectly lost: 120 bytes in 10 blocks.
==26507==      possibly lost: 0 bytes in 0 blocks.
==26507==    still reachable: 305,801 bytes in 3,809 blocks.
==26507==         suppressed: 0 bytes in 0 blocks.
From this output, with my version of things, it doesn't seem there are any leaks which can be traced back to a QT/Debugger object.

QT version 4.1.4, glibc version 2.4, gcc version 4.1.1

proxy
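The conclusion above (nothing traces back to a Qt or Debugger object) is the kind of thing you want a script to answer, not your eyes. The following is an added example, not proxy's code and not part of EDB: it parses the loss records memcheck prints with --leak-check=full, keeps each call stack, and calls a record "ours" only when some frame carries a source location (debug info) or lives in an object outside a list of system library directories. The attribution rule and SYSTEM_PREFIXES are this example's assumptions. SAMPLE is constructed test input: the four records posted above, plus an invented fifth record with an application frame so that both branches of the rule are exercised.

```python
"""Attribute memcheck leak records to application or third-party code.

Added example (not proxy's code, not part of EDB).  The "ours" rule and
SYSTEM_PREFIXES are assumptions; SAMPLE is constructed test input.
"""
import re
from collections import namedtuple

PREFIX = re.compile(r"^==\d+==\s?(.*)$")          # strip the ==PID== column
HEADER = re.compile(
    r"^(?P<bytes>[\d,]+) (?:\((?P<direct>[\d,]+) direct, (?P<indirect>[\d,]+) indirect\) )?"
    r"bytes in (?P<blocks>[\d,]+) blocks are (?P<kind>definitely|indirectly|possibly) lost"
    r" in loss record (?P<rec>\d+) of \d+")
FRAME = re.compile(r"^(?:at|by) (?P<addr>0x[0-9A-Fa-f]+): (?:(?P<func>\S+) )?\((?P<loc>[^)]*)\)$")
SYSTEM_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")     # assumption

# func is None for "(within ...)" frames; src is "file:line" when debug info existed
Frame = namedtuple("Frame", "addr func obj src")
Leak = namedtuple("Leak", "kind total direct blocks record frames")

def _num(s):
    return int(s.replace(",", ""))

def parse_leaks(text):
    """Return one Leak per loss record; a blank line ends a record."""
    leaks, cur = [], None
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        line = (m.group(1) if m else raw).strip()
        h = HEADER.match(line)
        if h:
            total = _num(h["bytes"])
            direct = _num(h["direct"]) if h["direct"] else total   # LEAK SUMMARY counts direct bytes
            cur = Leak(h["kind"], total, direct, _num(h["blocks"]), int(h["rec"]), [])
            leaks.append(cur)
            continue
        f = FRAME.match(line)
        if f and cur is not None:
            loc, obj, src = f["loc"], None, None
            if loc.startswith("in "):
                obj = loc[3:]
            elif loc.startswith("within "):
                obj = loc[7:]
            else:
                src = loc
            cur.frames.append(Frame(int(f["addr"], 16), f["func"], obj, src))
        elif not line:
            cur = None
    return leaks

def owner_frame(leak, own_prefixes=()):
    """First frame that plausibly belongs to the application, else None."""
    for fr in leak.frames:
        if fr.src:
            return fr
        if fr.obj and (fr.obj.startswith(own_prefixes) or not fr.obj.startswith(SYSTEM_PREFIXES)):
            return fr
    return None

def summarize(leaks, own_prefixes=()):
    """Split definitely-lost bytes (direct counts, as in LEAK SUMMARY) into ours vs third-party."""
    out = {"ours": 0, "third_party": 0, "blocks": 0}
    for lk in leaks:
        if lk.kind != "definitely":
            continue
        out["blocks"] += lk.blocks
        out["ours" if owner_frame(lk, own_prefixes) else "third_party"] += lk.direct
    return out

# Constructed sample: the four records posted above plus an invented fifth one.
SAMPLE = """\
==26507== 20 bytes in 1 blocks are definitely lost in loss record 30 of 116
==26507==    at 0x40245D8: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==26507==    by 0x4ACDF8A: strdup (in /lib/libc-2.4.so)
==26507==
==26507== 156 (36 direct, 120 indirect) bytes in 1 blocks are definitely lost in loss record 71 of 116
==26507==    at 0x40245D8: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==26507==    by 0x4B43F54: (within /lib/libc-2.4.so)
==26507==
==26507== 216 bytes in 1 blocks are definitely lost in loss record 77 of 116
==26507==    at 0x40245D8: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==26507==    by 0x46D5379: _XimOpenIM (in /usr/lib/libX11.so.6.2.0)
==26507==
==26507== 2,038 bytes in 2 blocks are definitely lost in loss record 101 of 116
==26507==    at 0x40245D8: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==26507==    by 0x45C7BBA: (within /usr/lib/libfreetype.so.6.3.8)
==26507==
==26507== 64 bytes in 1 blocks are definitely lost in loss record 110 of 116
==26507==    at 0x40245D8: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==26507==    by 0x804ABCD: Debugger::attach() (Debugger.cpp:210)
"""

if __name__ == "__main__":
    print(summarize(parse_leaks(SAMPLE)))
```

On the posted output every record ends in libc, libX11 or freetype, so all 2,310 definitely-lost bytes land in the third-party bucket, which is the same conclusion proxy draws. Two caveats: stacks only two frames deep usually mean valgrind could not unwind further (no frame pointers or debug info), so build with -g and raise --num-callers before trusting the attribution; and the 305 KB "still reachable" is not counted here at all, since those blocks are still referenced at exit.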
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

0.8.12 released, adding a few fixes, a few speedups, and a few new features

CHANGELOG:

2007-02-26
----------

* Added ability to change the working directory opened applications run in.

2007-02-23
----------

* Improved about dialog box :-P

2007-02-15
----------

* Added ability to dump the contents of a data view tab to a file.

2007-01-17
----------

* Added recent file list to File menu.

2007-01-16
----------

* Cleared internal state tracking on detach, nothing major.

2006-12-23
----------

* Added new stylized register view window, still working out the programmers API
for it, but at least it looks nice :)

enjoy :)

http://www.codef00.com/projects.php#Debugger

proxy
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

0.8.13 released, adding a few fixes and a few new features

CHANGELOG:

2007-03-14
----------

* Fixed compile issue for some versions of QT4.

* Added getting of working directory and arguments from attached processes;
this makes restarting work much better (which is now enabled).

2007-03-12
----------

* Internally, a lot of i386 specific code was moved to a new class
"i386ArchProcessor", which will eventually be a plugin (one for each arch).
It is still a work in progress, but it is a start.

* Removed quit role property from exit menu as this prevented
compiles on QT < 4.2.0

2007-03-03
----------

* started work on restart code, seems to work ok

enjoy

http://www.codef00.com/projects.php#Debugger
lcx2005
Posts: 57
Joined: Tue Jun 06, 2006 12:56 am

Post by lcx2005 »

Linux RCE tools, heh :) Good work guys, and thanks for this; because of you, I'm happy to be here. And thank you to woodmann, jmi etc. for bringing back this forum again; you know, after a long Error Page, I'm really happy to see it again. There's a new monster (Vista) out there in our hunting ground, let's refine our weapon (knowledge) also. Good hunt.
~ Destination is there,but a little step to reach ~
0xf001
Posts: 601
Joined: Thu Jul 29, 2004 11:00 am

Post by 0xf001 »

this is a very nice project!

I did not try it yet, just looked at the code etc. VERY NICE! Decent code, really! When I move to QT4 I would probably want to use your qhexview ... ;)
I am wondering if we could somehow leverage each other's work; we both use libdisasm and qt :)
For the GUI we have some similar requirements. I could offer you syntax-highlighted insn formatting a la http://home.pages.at/f001/review/imgs/review_dis2.jpg

Hm, I really think it could be cool to share the same GUI routines at least. I am finishing my code for a release and setting up a page for access; if you are interested I would like to discuss with you whether we would like to combine our creativity :)

cheers, 0xf001
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

I agree, it would simply be awesome if we could collaborate and make use of each other's code. I would love it if I could improve my disassembly viewer and have some of the features review has, display-wise.

Anyway, let me know what you have in mind and we'll figure something out.

Evan
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

0.8.14 released, adding a few fixes and a few new features

2007-04-15
----------
* Added a heuristic for resolving the "main" symbol based on bytecode matching
if the symbol is not provided in the symbol map. This feature is currently
very likely glibc specific.

* Added some more steps towards 64-bit build support.

2007-04-13
----------

* Added more consistency to context menus (operations you can do in the dump
view, you can also do in the stack view most of the time now).

2007-04-11
----------

* Registers are now highlighted in red if they have changed.

2007-04-08
----------

* Fixed a crashable bug in the BinaryString search plugin if an empty string was
supplied.

2007-04-07
----------

* CheckVersion plugin will now respect the HTTP_PROXY environment variable.

2007-04-06
----------

* Corrected minor bug in edb_make_symbolmap.sh which prevented it from running
on certain distributions which actually have /bin/sh act like the original sh,
not bash :)

* Added basic conditional breakpoints. They can be set in the breakpoint
manager plugin and are based on the expressions that were recently added.
At the moment, the expressions are tested for validity at the moment of
the breakpoint; eventually this will be checked when you enter it.

2007-04-02
----------

* Added expression support to "Goto Address" in both the CPU and data views.
Please see the README for more detailed information on this.

2007-03-29
----------

* Added MD5 code, which will notify the user of outdated symbol files.

* Added code to remove duplicates from the instruction analysis list.

2007-03-28
----------

* Renamed make_symbolmap.sh to edb_make_symbolmap.sh to make it more
distribution friendly.

* edb_make_symbolmap.sh now puts errors to stderr, not stdout, so you don't get
false symbol files if you process a whole dir at a time.

2007-03-24
----------

* Shellcode address used to change region permissions is now chosen dynamically.

2007-03-20
----------

* Added preliminary framework for resolving parameters to standard library
functions.

* Added ability to show/hide the toolbar.

2007-03-15
----------

* Added ability to specify some default directory strings at compile time,
which makes package management easier.

* Added preliminary method for code to find a plugin based on the plugin's name;
this will allow code to be written which depends on functionality exported
by plugins, which could be cool.

* Added some basic measures to help prevent duplicate plugin loading caused
by symlink trickery

* EDB will now look in the current working directory as well as the path
specified in the options for plugins

enjoy

http://www.codef00.com/projects.php#Debugger
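The 0.8.14 notes above add expression support to "Goto Address" and reuse those expressions for conditional breakpoints. The following is an added example, not EDB's code (EDB's README defines its real syntax): a small evaluator for a plausible subset, namely decimal and 0x-prefixed hex constants, i386 register names, C precedence for * / + - < > <= >= == != & ^ |, parentheses, unary minus, and [expr] to read a little-endian 32-bit word from memory. The register snapshot and the 16-byte stack image in demo() are constructed test data, and condition_holds() shows one way to treat an expression that cannot be evaluated at the breakpoint: stop, rather than silently run past.

```python
"""Expressions for "Goto Address" and conditional breakpoints.

Added example, not EDB's code; the grammar is an assumed subset and the
register/memory snapshot in demo() is constructed test data.
"""
import re
import struct

MASK = 0xFFFFFFFF
TOKEN = re.compile(r"\s*(?:(0x[0-9a-fA-F]+|\d+)|([A-Za-z_]\w*)|(==|!=|<=|>=|[-+*/&|^()\[\]<>]))")

class ExprError(ValueError):
    pass

def _div(a, b):
    if b == 0:
        raise ExprError("division by zero")
    return a // b

# operator -> (precedence, implementation); higher binds tighter, as in C
BINOPS = {
    "|": (1, lambda a, b: a | b), "^": (2, lambda a, b: a ^ b),
    "&": (3, lambda a, b: a & b),
    "==": (4, lambda a, b: int(a == b)), "!=": (4, lambda a, b: int(a != b)),
    "<": (5, lambda a, b: int(a < b)), ">": (5, lambda a, b: int(a > b)),
    "<=": (5, lambda a, b: int(a <= b)), ">=": (5, lambda a, b: int(a >= b)),
    "+": (6, lambda a, b: a + b), "-": (6, lambda a, b: a - b),
    "*": (7, lambda a, b: a * b), "/": (7, _div),
}

def tokenize(text):
    """Split into ("num", int) / ("reg", name) / ("op", str) tokens."""
    toks, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ExprError("bad token at %r" % text[pos:])
        num, name, op = m.groups()
        if num is not None:      # "10" is decimal, "0x10" is hex, as in C
            toks.append(("num", int(num, 16) if num.lower().startswith("0x") else int(num)))
        elif name is not None:
            toks.append(("reg", name.lower()))
        else:
            toks.append(("op", op))
        pos = m.end()
    return toks

class Evaluator:
    """Precedence-climbing evaluator over a register dict and a {base: bytes} memory image."""

    def __init__(self, regs, mem):
        self.regs, self.mem = regs, mem

    def eval(self, text):
        self.toks, self.i = tokenize(text), 0
        value = self._expr(0)
        if self.i != len(self.toks):
            raise ExprError("unexpected %r" % (self.toks[self.i][1],))
        return value & MASK

    def _take(self):
        if self.i >= len(self.toks):
            raise ExprError("unexpected end of expression")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def _expect(self, op):
        if self._take() != ("op", op):
            raise ExprError("expected %r" % op)

    def _expr(self, min_prec):
        lhs = self._atom()
        while self.i < len(self.toks):
            kind, op = self.toks[self.i]
            if kind != "op" or op not in BINOPS or BINOPS[op][0] < min_prec:
                break
            prec, fn = BINOPS[op]
            self.i += 1
            lhs = fn(lhs, self._expr(prec + 1)) & MASK    # left-associative
        return lhs

    def _atom(self):
        kind, val = self._take()
        if kind == "num":
            return val
        if kind == "reg":
            if val not in self.regs:
                raise ExprError("unknown register %r" % val)
            return self.regs[val]
        if (kind, val) == ("op", "("):
            v = self._expr(0)
            self._expect(")")
            return v
        if (kind, val) == ("op", "["):          # memory dereference
            addr = self._expr(0)
            self._expect("]")
            return self._read32(addr)
        if (kind, val) == ("op", "-"):          # unary minus
            return (-self._atom()) & MASK
        raise ExprError("unexpected %r" % (val,))

    def _read32(self, addr):
        for base, data in self.mem.items():
            off = addr - base
            if 0 <= off <= len(data) - 4:
                return struct.unpack_from("<I", data, off)[0]
        raise ExprError("address 0x%08x is not readable" % addr)

def condition_holds(ev, text):
    """Breakpoint predicate: stop when non-zero; an unevaluable expression also stops (fail closed)."""
    try:
        return ev.eval(text) != 0
    except ExprError:
        return True

def demo():
    """Constructed register snapshot and 16 bytes of stack at esp."""
    regs = {"eax": 0xE, "ebx": 0xBFFFF47C, "ecx": 0x9D, "edx": 0xBFFFF13C,
            "esi": 0xBFFFF14C, "edi": 0xE, "esp": 0xBFFFF0F8, "ebp": 0xBFFFF160,
            "eip": 0x0804A528}
    mem = {0xBFFFF0F8: bytes.fromhex("8C7D1D40FCA30408FCA304080C000000")}
    return Evaluator(regs, mem)

if __name__ == "__main__":
    ev = demo()
    for e in ("eip + 10", "eip + 0x10", "[esp + 4]", "(eax == 0xe) & (ecx > 0x90)"):
        print("%-30s = 0x%08x" % (e, ev.eval(e)))
```

Note that "eip + 10" adds ten, not sixteen, which is exactly the "hex values start with 0x" point proxy makes further down the thread; a Goto dialog that silently assumed hex would send you to the wrong place.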
FrankRizzo
Posts: 359
Joined: Sat Nov 27, 2004 7:43 pm

Post by FrankRizzo »

GREAT job Proxy, I'd been needing something like this. I was just looking at a target that had both a Linux and a Windows version, and the code for the Linux version was MUCH more straightforward, and I ended up with a nice keygen as a result!

Now, a comment. Sometimes when scrolling up or down using the mouse wheel, the code changes (like a problem with the backwards disassembler), and sometimes when scrolling down, it takes effort to get to an address just a few bytes away.

// My system details
Fedora Core 6, 6 proc P3 Xeon server, 4 GB of RAM.
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

yea, currently it scrolls by bytes, not instructions, so the code will appear to change as the length of the first instruction shown determines how the rest are disassembled.

This is a feature I am really working on, but it is a tough nut to crack because Intel instructions are variable length. I believe that Ollydbg "snaps" the origin to the nearest known function, which is a pretty good approach, but does depend on the existence of the analyzer. So eventually it'll get in there :) .

I'm glad that you were able to make use of EDB and found it to be useful, are there any "killer features" that you would recommend that I focus on (check my TODO list to see what i'm already looking at, since it may already be in the works)

PS: to get to a specific address, even just a few bytes away, it is sometimes easier to right click on the disassembly and choose "goto address", just remember that hex values start with "0x" just like in C.
PPS: also, the goto addresses accept expressions, so you may write "eip + 10" or something to just scroll relative to eip

proxy
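The byte-granular scrolling proxy describes, and the "snap to the nearest known function" approach he attributes to OllyDbg, can be shown with a few lines. This is an added example, not EDB's or OllyDbg's code: a table-driven length decoder for a handful of i386 opcodes, just enough for the constructed 15-byte function in CODE (the opcode subset, CODE and BASE are all assumptions of this example; a real view needs a full decoder such as the libdisasm EDB uses). decode() starts at whatever byte it is given; decode_snapped() first rewinds to the nearest known instruction boundary at or below the requested address, decodes forward, and shows only the instructions from the one containing that address onward. ModRM operands are not rendered, since mnemonic and length are what matter here.

```python
"""Why a byte-granular scroll changes the disassembly, and how snapping fixes it.

Added example (not EDB's or OllyDbg's code).  The opcode subset, CODE and
BASE are assumptions of this example.
"""

REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

class Truncated(Exception):
    """Instruction would read past the end of the readable region."""

def modrm_size(code, i):
    """Size of the ModRM byte at code[i] plus any SIB byte and displacement."""
    if i >= len(code):
        raise Truncated
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod != 3 and rm == 4:                 # SIB byte follows
        if i + 1 >= len(code):
            raise Truncated
        n += 1
        if mod == 0 and (code[i + 1] & 7) == 5:
            n += 4                           # SIB base=101 with mod=00: disp32
    if mod == 1:
        n += 1                               # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                               # disp32
    if i + n > len(code):
        raise Truncated
    return n

# opcode -> (mnemonic, immediate bytes after opcode/ModRM, has ModRM)
OPS = {
    0x00: ("add r/m8, r8", 0, True),     0x01: ("add r/m32, r32", 0, True),
    0x31: ("xor r/m32, r32", 0, True),   0x89: ("mov r/m32, r32", 0, True),
    0x8B: ("mov r32, r/m32", 0, True),   0x83: ("grp1 r/m32, imm8", 1, True),
    0x81: ("grp1 r/m32, imm32", 4, True),
    0x0E: ("push cs", 0, False),         0x90: ("nop", 0, False),
    0xC3: ("ret", 0, False),             0xC9: ("leave", 0, False),
    0xCC: ("int3", 0, False),            0xE8: ("call rel32", 4, False),
    0xEB: ("jmp rel8", 1, False),
}

def decode_one(code, i):
    """Return (text, length) for the instruction starting at code[i]."""
    op = code[i]
    if 0x50 <= op <= 0x57:
        return "push " + REG32[op - 0x50], 1
    if 0x58 <= op <= 0x5F:
        return "pop " + REG32[op - 0x58], 1
    if 0xB8 <= op <= 0xBF:                   # mov r32, imm32
        if i + 5 > len(code):
            raise Truncated
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        return "mov %s, 0x%x" % (REG32[op - 0xB8], imm), 5
    if op not in OPS:
        return "db 0x%02x" % op, 1           # unknown opcode: consume one byte
    text, extra, has_modrm = OPS[op]
    n = 1 + (modrm_size(code, i + 1) if has_modrm else 0) + extra
    if i + n > len(code):
        raise Truncated
    return text, n

def decode(code, base, start):
    """Decode from address `start` to the end of the region as
    [(address, length, text)], marking a cut-off last instruction."""
    out, i = [], start - base
    while 0 <= i < len(code):
        try:
            text, n = decode_one(code, i)
        except Truncated:
            out.append((base + i, len(code) - i, "(truncated)"))
            break
        out.append((base + i, n, text))
        i += n
    return out

def decode_snapped(code, base, start, anchors):
    """Rewind to the nearest known boundary at or below `start` (stay at
    `start` when none is known), then keep the instructions from the one
    containing `start` onward."""
    origin = max((a for a in anchors if base <= a <= start), default=start)
    return [ins for ins in decode(code, base, origin) if ins[0] + ins[1] > start]

# Constructed 15-byte function: push ebp / mov ebp,esp / sub esp,0x10 /
# mov eax,0xe / mov ecx,eax / leave / ret
CODE = bytes.fromhex("5589e583ec10b80e00000089c1c9c3")
BASE = 0x08048400                            # assumed load address

if __name__ == "__main__":
    for label, listing in (("from entry", decode(CODE, BASE, BASE)),
                           ("from entry+7", decode(CODE, BASE, BASE + 7)),
                           ("snapped", decode_snapped(CODE, BASE, BASE + 7, [BASE]))):
        print(label)
        for addr, n, text in listing:
            print("  %08x %-12s %s" % (addr, CODE[addr - BASE:addr - BASE + n].hex(), text))
```

Starting seven bytes in lands inside the imm32 of mov eax, 0xe and the stream becomes push cs / add / a truncated instruction; snapping to the function entry gives the real mov and everything after it. The truncated case is also why a view has to cope with the edge of a region rather than read past it, which a later release note in this thread addresses.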
0xf001
Posts: 601
Joined: Thu Jul 29, 2004 11:00 am

Post by 0xf001 »

hi,

I set up my qt4 dev environment, and had a chance to quickly test ... looks VERY good!

I wanted to add the UID to the process list, which is displayed when you attempt to attach to a process. That would help looking at just user processes etc ...

How open do you see your development? Do you think of going to sourceforge or similar, or shall we send you patches, in case we would want to modify something?

regards, 0xf001
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

First of all, I can add the UID thing no problem, it'll be in the next release :)

As far as how open I feel the development is, I want to make it very open, but I would still like patches sent to me so I can apply them. This way I'll at least be able to know what things are being added!

Also, I hope that most of the time, new functionality can be added via plugins, so keep that in mind.

Anyway, I'm glad that you like it, I hope to continue to make it better and better over time, so please let me know of any features you think it needs.

BTW: any news on review? I've been looking forward to checking it out and seeing if there is any way we can work together to improve both of our projects. Let me know.

proxy
0xf001
Posts: 601
Joined: Thu Jul 29, 2004 11:00 am

Post by 0xf001 »

hi proxy,
proxy wrote:
As far as how open I feel the development is, I want to make it very open but I would still like patches sent to me so I apply them. This way I'll at least be able to know what things are being added!
Very nice! I can recommend sourceforge, I am sure you know it ... you are the project owner there and can control everything. They give you an svn repo, which you can make public or restrict to a list of developers etc. When you have some time, maybe you can look at it. I think it's very nice for maintaining projects. I personally am perfectly fine with sending "stuff" to you, too :yay:

I had another idea: what I _really_ like about gdb in text mode is that I can so easily
have a text editor open, and copy/paste the output, i.e. the state of a process at a certain point of execution.

I would like to add a feature where it can just dump to STDOUT a similar output like


_______________________________________________________________________________
     eax:0000000E ebx:BFFFF47C  ecx:0000009D  edx:BFFFF13C     eflags:00200302
     esi:BFFFF14C edi:0000000E  esp:BFFFF0F8  ebp:BFFFF160     eip:0804A528
     cs:0073  ds:007B  es:007B  fs:0000  gs:0033  ss:007B    o d I T s z a p c
[007B:BFFFF0F8]---------------------------------------------------------[stack]
BFFFF128 : 00 00 00 00  00 00 00 00 - 00 00 00 00  8C 7D 1D 01 .............}..
BFFFF118 : C8 FF FF BF  0E 00 00 00 - 40 01 C8 FF  00 40 0E 40 ........@....@.@
BFFFF108 : 8C F1 FF BF  28 F1 FF BF - E6 11 43 40  4C F1 FF BF ....(.....C@L...
BFFFF0F8 : 8C 7D 1D 40  FC A3 04 08 - FC A3 04 08  0C 00 00 00 .}.@............
[007B:BFFFF14C]---------------------------------------------------------[ data]
BFFFF14C : 31 32 33 34  35 36 37 38 - 39 30 61 62  63 64 9D 00 1234567890abcd..
BFFFF15C : 94 F1 FF BF  94 F1 FF BF - C8 33 0C 40  7C F4 FF BF .........3.@|...
[0073:0804A528]---------------------------------------------------------[ code]
0x804a528 <decodifica__9Controllo+300>: mov    $0xe,%esi
0x804a52d <decodifica__9Controllo+305>: mov    %esi,%ecx
0x804a52f <decodifica__9Controllo+307>: sub    0xffffffd8(%ebp),%ecx
0x804a532 <decodifica__9Controllo+310>: lea    0xffffffec(%ebp),%esi
0x804a535 <decodifica__9Controllo+313>: mov    (%eax,%edx,1),%al
0x804a538 <decodifica__9Controllo+316>: cmp    (%ecx,%esi,1),%al
------------------------------------------------------------------------------
To familiarize myself with your code base, I would want to try to add it. What do you think?

Regarding review, I get more and more requests. I still have some (little, but still) parts to finish, but I don't want to do that in a rush. Please let me test your patience a bit ;) Also I am thinking of moving to qt4, which I just yesterday got working in parallel to qt3 (it was easy, but I was afraid to break my dev system), so that we can share more easily.

I want to look at whether I could provide you with my disasm output; that should be fairly easy, since we both use libdisasm ...

Something else popped up in the meantime, which got all my attention,
something you will hear about soon :devil: It's unplanned and eating my time for review
(no, not knoppix|RE, that just popped up too, thanks to 0x0804 who is a great help).

I think I will be able to release the code towards the end of the month, around that time.

proxy, you are a damn good coder, and I like your code quality and the well thought-out concepts of how you work! :yay: I am impressed; it's damn cool you came here to this board, very appreciated :yay:

I for example need to beautify a lot of proof-of-concept code in review; it looks far from as clean as your debugger. It motivates me to see your code :yay: :yay: :yay:

best regards, 0xf001
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

0.8.15 released, some big fixes and new features:


2007-05-16
----------

* Added UID to attach dialog.

* Added ability to filter out entries that don't match your UID in the attach
dialog.

2007-05-15
----------

* Added "Goto ESP/EBP" to stack context menu.

* Fixed crashable bug in QDisassembly view involving libdisasm: libdisasm will
do a double free if "x86_oplist_free" is called on invalid opcodes; this is
now avoided.

* You can now always disassemble code nearing the edge of a region.

2007-04-30
----------

* Isolated how recent files are managed away from primary GUI code.

* Made register view and disassembly view fonts configurable from options
dialog.

* Made data view's font default to what is set in the options.

* Font changes in the options now show immediately after accepting (clicking ok)
the options dialog.

2007-04-27
----------

* Break point manager now takes an expression for its address

* General code cleanups

* Added stack analysis, will now show returns and ascii strings in stack viewer!

2007-04-24
----------

* Made minimum length for ascii string detection tunable in options.

* Improved the String Searcher plugin to reuse code in the Debugger API instead
of using its own.

2007-04-23
----------

* Began work on a new "Open Files" plugin, it can currently list open files
and will eventually be able to show socket/pipe information as well.

* Fixed minor display bug in tooltips for long instructions

* Improved the internal disassembly API to make it more adaptable to other
disassembly libraries

2007-04-19
----------

* Vastly improved the speed of the Heap Analyzer's result view (order of
minutes to seconds)

enjoy :)

http://www.codef00.com/projects.php#Debugger

proxy
dELTA
Posts: 4209
Joined: Mon Oct 30, 2000 7:00 am
Location: Ring -1

Post by dELTA »

Nice work as usual. :yay:
"Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
highenergy

Post by highenergy »

It's amazing, wow. We now have a powerful GUI debugger under Linux. Thank you very much proxy. Keep working.


cheers
:yay: