EDB Linux Debugger 0.8.0 Release :)

RCE of Linux tools and programs.
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

0.8.21 released, this one has some new plugins, features and some minor bug fixes. Hope you all enjoy!:

2007-08-26
----------

* Added cool "data dump" plugin as per 0xf001's request :) . Just hit ctrl+D and
it'll shoot out a dump similar to GDB to stdout.

* Added the ability to skip inaccessible regions (permissions currently "---")
to both the reference search and the binary string plugins. Some applications
such as wine like to create dummy regions like this. It should make the
searching a little more bearable.

2007-08-20
----------

* "Filling" instructions, as in functions which either have no real effect,
and/or are usually used to fill the space between functions are now displayed
in grey. This makes seeing where function boundaries are easier.

2007-08-20
----------

* Added pointer detection to heap analysis.

2007-08-18
----------

* Tables with numeric content columns are now sorted numerically.

* I am working on stabilizing the programming API, BaseTypes:: and Debugger::
namespaces will be merged and renamed to edb::. The contents of Debugger::
will be located in edb::v1:: to indicate version 1 of the plugin API. This
way plugins will have a nice clean way of knowing which version of the API
they are using. Functions in edb::v1:: will never be removed, after 1.0 is
released.

* Corrected a bug where step over didn't work if you were on a breakpoint.

2007-08-16
----------

* Corrected copy and paste bug in FunctionFinder plugin menu item name.

2007-08-15
----------

* updated some of the documentation.

2007-08-14
----------

* Added a "bookmarks" plugin, which allows you to put code addresses of your
choice into a list, which you can later jump to. This plugin also serves
as an example of how to add dock widgets to the main gui in a safe manner.

* Fixed a subtle crash caused by debugging an app, opening a plugin dialog, then
detaching, and eventually debugging a new process (while not closing the
dialog).

* Added a new "function finder" plugin. Surprisingly accurate. It includes a
"reference count" column which is how many potential calls to this function
the plugin saw. The higher the number, the greater the confidence that it is
really a function entry point.

* Speed increases.

2007-08-13
----------

* Changed some of the global objects from pointers to references, this will
reduce the need for null checks in many situations as well as simplify code.

* added wait for console process to die before closing for a better cleanup.

2007-08-10
----------

* Fixed accidental reference of breakpoint data after it was freed when using
one time breakpoints. Dangling pointers are no bueno!

2007-08-09
----------

* Removed references to QT 4.3 features from UI files.

enjoy

http://www.codef00.com/projects.php#Debugger

proxy
linhanshi
Member
Posts: 34
Joined: Thu Aug 05, 2004 9:08 pm

Post by linhanshi »

Good WORK.
sailor__eda
Junior Member
Posts: 24
Joined: Sun May 30, 2004 2:01 pm

Error when compiling debugging core plugin on x64 machine

Post by sailor__eda »

Hi there Proxy,

I'm getting the following error when compiling edb on an x64 machine. The State.h defines the struct State for x86 32-bit registers. I can just modify the file to have the x64 registers (rax, rbx etc) but I didn't go through the code to see if a simple fix would work or break something else.

Comments?

Thanks

Sailor_eda

DebuggerCore.cpp: In member function ‘virtual void DebuggerCore::getState(State&)’:
DebuggerCore.cpp:527: error: ‘struct user_regs_struct’ has no member named ‘eax’
DebuggerCore.cpp:528: error: ‘struct user_regs_struct’ has no member named ‘ebx’
DebuggerCore.cpp:529: error: ‘struct user_regs_struct’ has no member named ‘ecx’
DebuggerCore.cpp:530: error: ‘struct user_regs_struct’ has no member named ‘edx’
DebuggerCore.cpp:531: error: ‘struct user_regs_struct’ has no member named ‘esp’
DebuggerCore.cpp:532: error: ‘struct user_regs_struct’ has no member named ‘ebp’
DebuggerCore.cpp:533: error: ‘struct user_regs_struct’ has no member named ‘edi’
DebuggerCore.cpp:534: error: ‘struct user_regs_struct’ has no member named ‘esi’
DebuggerCore.cpp:535: error: ‘struct user_regs_struct’ has no member named ‘eip’
DebuggerCore.cpp:537: error: ‘struct user_regs_struct’ has no member named ‘xcs’
DebuggerCore.cpp:538: error: ‘struct user_regs_struct’ has no member named ‘xds’
DebuggerCore.cpp:539: error: ‘struct user_regs_struct’ has no member named ‘xes’
DebuggerCore.cpp:540: error: ‘struct user_regs_struct’ has no member named ‘xfs’
DebuggerCore.cpp:541: error: ‘struct user_regs_struct’ has no member named ‘xgs’
DebuggerCore.cpp:542: error: ‘struct user_regs_struct’ has no member named ‘xss’
DebuggerCore.cpp:543: error: ‘struct user_regs_struct’ has no member named ‘orig_eax’
DebuggerCore.cpp: In member function ‘virtual void DebuggerCore::setState(const State&)’:
DebuggerCore.cpp:568: error: ‘struct user_regs_struct’ has no member named ‘eax’
DebuggerCore.cpp:569: error: ‘struct user_regs_struct’ has no member named ‘ebx’
DebuggerCore.cpp:570: error: ‘struct user_regs_struct’ has no member named ‘ecx’
DebuggerCore.cpp:571: error: ‘struct user_regs_struct’ has no member named ‘edx’
DebuggerCore.cpp:572: error: ‘struct user_regs_struct’ has no member named ‘esp’
DebuggerCore.cpp:573: error: ‘struct user_regs_struct’ has no member named ‘ebp’
DebuggerCore.cpp:574: error: ‘struct user_regs_struct’ has no member named ‘edi’
DebuggerCore.cpp:575: error: ‘struct user_regs_struct’ has no member named ‘esi’
DebuggerCore.cpp:576: error: ‘struct user_regs_struct’ has no member named ‘eip’
DebuggerCore.cpp:578: error: ‘struct user_regs_struct’ has no member named ‘xcs’
DebuggerCore.cpp:579: error: ‘struct user_regs_struct’ has no member named ‘xds’
DebuggerCore.cpp:580: error: ‘struct user_regs_struct’ has no member named ‘xes’
DebuggerCore.cpp:581: error: ‘struct user_regs_struct’ has no member named ‘xfs’
DebuggerCore.cpp:582: error: ‘struct user_regs_struct’ has no member named ‘xgs’
DebuggerCore.cpp:583: error: ‘struct user_regs_struct’ has no member named ‘xss’
DebuggerCore.cpp:584: error: ‘struct user_regs_struct’ has no member named ‘orig_eax’
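
The errors above come from `struct user_regs_struct` using different field names per architecture (`eax`, `eip`, `xcs` on i386; `rax`, `rip`, `cs` on x86-64). The following is an added example, not edb's code, of selecting the names at compile time; `State`, `reg_t`, `get_state`, `set_state` and the `NATIVE*` macros are hypothetical names, and the stand-in struct exists only so the example builds off Linux/x86.

```cpp
#include <cstdint>

#if defined(__linux__) && defined(__i386__)
#include <sys/user.h>  // struct user_regs_struct, the buffer PTRACE_GETREGS fills in
typedef struct user_regs_struct native_regs_t;
typedef std::uint32_t reg_t;
#define NATIVE(regs, name) ((regs).e##name)      // eax, ebx, ..., eip
#define NATIVE_SEG(regs, name) ((regs).x##name)  // xcs, xss
#define NATIVE_ORIG_AX(regs) ((regs).orig_eax)
#else
#if defined(__linux__) && defined(__x86_64__)
#include <sys/user.h>
typedef struct user_regs_struct native_regs_t;
#else
// Constructed stand-in with the x86-64 field names (assumption, non-Linux/x86 builds only).
struct native_regs_t {
    unsigned long long rax, rbx, rcx, rdx, rsp, rbp, rsi, rdi, rip, orig_rax, eflags, cs, ss;
};
#endif
typedef std::uint64_t reg_t;
#define NATIVE(regs, name) ((regs).r##name)      // rax, rbx, ..., rip
#define NATIVE_SEG(regs, name) ((regs).name)     // cs, ss
#define NATIVE_ORIG_AX(regs) ((regs).orig_rax)
#endif

// Hypothetical arch-neutral register snapshot; the rest of a debugger would
// only ever touch these names, never eax/rax directly.
struct State {
    reg_t ax, bx, cx, dx, sp, bp, si, di, ip, orig_ax, flags, cs, ss;
};

// Copy the kernel's register block into the neutral snapshot.
State get_state(const native_regs_t &regs) {
    State s;
    s.ax = NATIVE(regs, ax);  s.bx = NATIVE(regs, bx);
    s.cx = NATIVE(regs, cx);  s.dx = NATIVE(regs, dx);
    s.sp = NATIVE(regs, sp);  s.bp = NATIVE(regs, bp);
    s.si = NATIVE(regs, si);  s.di = NATIVE(regs, di);
    s.ip = NATIVE(regs, ip);
    s.orig_ax = NATIVE_ORIG_AX(regs);
    s.flags = regs.eflags;    // same field name on both architectures
    s.cs = NATIVE_SEG(regs, cs);
    s.ss = NATIVE_SEG(regs, ss);
    return s;
}

// Write the snapshot back into the block that would be handed to PTRACE_SETREGS.
void set_state(const State &s, native_regs_t &regs) {
    NATIVE(regs, ax) = s.ax;  NATIVE(regs, bx) = s.bx;
    NATIVE(regs, cx) = s.cx;  NATIVE(regs, dx) = s.dx;
    NATIVE(regs, sp) = s.sp;  NATIVE(regs, bp) = s.bp;
    NATIVE(regs, si) = s.si;  NATIVE(regs, di) = s.di;
    NATIVE(regs, ip) = s.ip;
    NATIVE_ORIG_AX(regs) = s.orig_ax;
    regs.eflags = s.flags;
    NATIVE_SEG(regs, cs) = s.cs;
    NATIVE_SEG(regs, ss) = s.ss;
}
```

Only the register block is covered here; address widths, format specifiers and the disassembler are separate porting work.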
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

First of all, what happened to the boards for so long?

x86_64 support is not quite there yet. Sorry, but edb is x86 only for now :(

I'm hoping to have x86 support in the future though, no time table for it yet.

proxy
dELTA
Posts: 4209
Joined: Mon Oct 30, 2000 7:00 am
Location: Ring -1

Post by dELTA »

proxy wrote: what happened to the boards for so long?
I'm not sure what you mean by this Proxy, could you please clarify?
"Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

heh, I could not pull up the website for about a month. All other sites worked, just not woodmann.com. I figured that the site was dead!

Dunno what the problem was if it was just me, but I tried from multiple locations still no dice until today.

proxy
dELTA
Posts: 4209
Joined: Mon Oct 30, 2000 7:00 am
Location: Ring -1

Post by dELTA »

Very strange, the board has been up and running continuously indeed (except for some routing problems for less than a day), as far as any admins have been able to see. :confused:

Do note that some "surf-out filters" that companies use block this site though, but I assume you have tried it from unfiltered locations too, so I have no idea then. Please send us an email with a traceroute the next time this happens, so we know and can investigate it.
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

Just wanted to give everyone an update. A new version is coming soon with lots of updates and a handful of new features :)

I'm also in the midst of setting up a virtual machine which will run x86-64 Linux. This will give me an opportunity to port EDB to 64-bit Linux hopefully ready for the version after next.

I've also set up a bugzilla for EDB at: http://bugs.codef00.com/. Please feel free to submit bugs and requests there :) .

So anyway, the game plan is as follows. Next release is a few new features and bug fixes, hopefully within a week or so. And I hope the release after that will build and run on x86-64. Preliminary tests look good for the porting since I tried to plan ahead as much as possible. The biggest thing to port is adding x86-64 support to the disassembler engine.

Have a good thanksgiving everyone!

proxy
JMI
Senior Member
Posts: 5329
Joined: Wed Apr 25, 2001 2:00 pm

Post by JMI »

Thanks for the update. :yay:

Regards,
JMI
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

0.8.22 released, change log is pretty long, hopefully won't be quite so long until next release (0.9.0 which is planned to be the first version to support x86-64!).
Hope you all enjoy!:


2008-01-16
----------

* Fixed a potential crash on shutdown in the cleanup code

* Fixed a silly crash where if you ran the function finder with no selected
region (or if you are not attached to a program) it would crash.

2008-01-15
----------

* Fixed a bug in ModRM/SIB decoding where in some cases the index and base were
inversed. This only really showed up in the less used redundant encodings, so
it didn't show up until I started my regression tests.

2008-01-14
----------

* Fixed a bug in edisassm where it would think it didn't have enough space in
the instruction buffer when prefixes are used.

2008-01-13
----------

* Added a graphical indicator of the direction for relative jumps.

2008-01-12
----------

* Improved load time.

* Fixed some very minor bugs in the disassembler.

* made disassembler differentiate between the different versions of ins/outs.

2008-01-10
----------

* Fixed a bug in edisassm where 32-bit signed offsets which have the 16-bit
set were being printed as 16-bit sign extended values.

* Added some regression tests to edisassm. Unfortunately nasm and edisassm
disagree on some syntax points and likes to re-order expressions sometimes,
so I'll have to come up with some normalization strategy before it can be
fully automated. But it's a start :) .


2008-01-03
----------

* Fixed a bug where if you used the fill feature on top of a breakpoint it
would not properly clear the breakpoint first.

2007-12-12
----------

* Moved the ELFxxBinaryInfo classes to plugins. This is more modular and makes
it far simpler to add new BinaryFile handlers in the future.

2007-12-10
----------

* Added command line running of a program. You may write things like this:
$ ./edb --run /bin/ls /etc /bin
and it will start edb attached to a new instance of /bin/ls with the correct
arguments passed.

2007-12-06
----------

* Fixed a display bug (Bug #37) where it was possible to make the data tabs show data to
a region which does not exist after detaching (showing all 0xff's).

2007-12-03
----------

* Changed some code to convert numbers to toULongLong instead of toUInt to
ensure that when 64-bit is supported, addresses will be interpreted correctly.

2007-11-31
----------

* Ported the dump state plugin to be able to compile correctly on x86-64.

2007-11-29
----------

* Added code to load/save session files (which are currently mostly empty).
This will read the file header, check it for the session signature, md5 the
file in the session and compare that to the md5 of the currently debugged
application. This way, it should never load a session file for the wrong
application. Next, I'll be adding useful data to the session files, for
starters I plan on having sessions remember breakpoints and bookmarks.

2007-11-28
----------

* EDBTypes.h is now Types.h this will include the OSTypes.h and ArchTypes.h
files, this makes adding new arch and os combinations much easier.

* Made various input dialogs accept 64-bit values when building on an x86-64
platform.

* Made many changes to help in portability to other platforms. EDB will likely
be ready for x86-64 within a version or two. The big stumbling block left is
edisassm support for proper disassembly.

2007-11-27
----------

* Now that I discovered that QT has a qmake variable (undocumented) which
represents the arch it is being compiled on, I have started work on dividing
the code which is arch specific into special arch dirs, one for each build
target (i386 is the only one which compiles, but it's a start). This should really
help with porting to new targets.

* Started very beginning work towards a session file concept. I have mostly
fleshed out what I want the file to look like.

2007-11-24
----------

* EDBTypes.h will now define some macros based on the arch it believes it is
being built on such as EDB_X86_64 or EDB_X86. Also, it will define EDB_FMT_PTR
which is a format specifier suitable for printing an edb::address_t type.

* DebuggerCore now compiles on x86-64, however there is still much work left to
be done. I need to add x86-64 support to the disassembler, and to a few other
arch sensitive areas.

2007-11-20
----------

* Added preliminary code for "--run" option which will allow the user
to execute a program and attach to it from the command line, for example:
$ ./edb --run /bin/ls /etc
which would run /bin/ls with "/etc" as its argument and attach to it.
This code is not functional yet.

* Added new findPluginByName to plugin API. This should allow some basic
form of dependencies to plugins. This should not be used until plugins are
fully loaded because there is no guarantee as to the order of loading yet.
So, as a good rule of thumb, don't use it in the plugin constructor.
Hopefully, this will lead to more code reuse and maintainability.

2007-11-15
----------

* Added identification of jump sources to instruction analysis. Now whenever
stopped on an instruction, it will attempt to find out if a nearby relative
jump has a target equaling the instruction you are stopped on.

2007-11-14
----------

* Setup new bugzilla for EDB at: http://bugs.codef00.com/

* Implemented locked stack feature. It will stay locked at the position of the
stack pointer (unless the stack pointer jumps to a whole other memory region)
when enabled.

2007-11-08
----------

* Added preliminary support for resizing the columns in the disassembly view.

2007-11-07
----------

* Fixed a bug in the disassembler where it would ignore the displacement of
an opcode encoded in a particular way.


2007-11-06
----------

* Added option for CheckVersion plugin to automatically check for newest version
on startup. It will not report anything if you are running an up to date
version of edb. This feature is enabled by default. You can disable this
feature by unchecking the menu item for it, found at:
"Plugins" -> "CheckVersion" -> "Check On Start". When enabled, the plugin
will perform a single HTTP get request to retrieve the latest available
version number each time edb is started.

2007-10-23
----------

* Worked on developing function and code analysis. I now have developed an
algorithm which can determine to a reasonably accurate degree which bytes are actually
code bytes. Basically the concept is first to enumerate potential functions
by disassembling at each possible address in a region. For each call I see I
add it to a list and increase its reference count. Then for each function with
2 or more references, I do further analysis. While reviewing these functions
with 2 or more references, I follow the code looking for the function end. If
I see any calls to functions with a single reference, then they get a bonus
reference and are re-added onto the list of calls to analyze. For now, the
primary goal is to figure out the actual code bytes and bounds of the
functions. Next I will try to identify the conditional logic in the functions.

* Fixed duplicate error reporting on some invalid expressions.

2007-10-20
----------

* Added a heuristic for locating the heap start when using a newer ld. It isn't
100% reliable, but seems to work "ok", I am hoping to solidify more checks
in the future to make it more reliable.

2007-10-11
----------

* Made some changes to the plugin API in order to help move towards
a stable 1.0 API.

2007-10-09
----------

* General code cleanups and optimizations

* Added support for arguments with spaces in them. Arguments with spaces are
specified with quotes, and if you need to have a quote character in the
argument then you can escape it with \.

2007-09-17
----------

* Added shortcuts to bookmarks (Ctrl + N will trigger the first 10 bookmarks).

2007-09-14
----------

* Fixed a bug where I accidentally was copying from a QByteArray directly
with memcpy. It worked because the data array was the first class variable, but
was not correct in principle.

2007-09-10
----------

* Corrected a minor bug where the GUI didn't update correctly when using the
stack widgets push/pop menu items.

* Made Debugger::log a variadic function, this allows for passing formatted
output directly without a temp, allowing for cleaner code.

2007-09-08
----------

* Focused on optimising the code in certain locations.

* FunctionFinder now uses the new readPages interface.
This costs more memory, but seems to be more than twice as fast :) .

2007-09-05
----------

* BinaryStringSearch and ReferenceSearch now use the new readPages interface.
This costs more memory, but seems to be more than twice as fast :) .

* Added a readPages routine to the DebuggerCoreInterface, since reading large
blocks of data can be done more efficiently than individual bytes.

2007-08-28
----------

* Fixed a bug where EDB would hang if the TTY console specified in the options
does not exist. It defaults to "/usr/bin/xterm". Thanks Dmitry Bulashev for
reporting!

2007-08-27
----------

* Corrected a minor bug where the core plugin would report success when trying
to read when not attached.

* Bookmarks plugin can now take expressions.

enjoy

http://www.codef00.com/projects.php#Debugger

proxy
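
The reference-counting function finder described in the 2007-10-23 entry above (and the "reference count" column from the 2007-08-14 entry) can be sketched as follows. This is an added example, not edb's FunctionFinder code: it recognises only `call rel32` and uses a toy length decoder in place of a real disassembler, and all function names and the byte region are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

typedef std::vector<std::uint8_t> bytes_t;

// Toy length decoder for the opcodes in the constructed sample only; returns 0
// for anything else. A real tool calls its disassembler here.
static std::size_t insn_len(const bytes_t &code, std::size_t off) {
    switch (code[off]) {
    case 0x55: case 0x5d: case 0x90: case 0xc3: return 1;  // push/pop ebp, nop, ret
    case 0x89: return code.size() - off >= 2 ? 2 : 0;      // mov, register form only
    case 0xe8: return code.size() - off >= 5 ? 5 : 0;      // call rel32
    default:   return 0;
    }
}

// If a "call rel32" starts at off and lands inside the region, store its target.
static bool call_target(const bytes_t &code, std::size_t off, std::size_t &target) {
    if (code[off] != 0xe8 || code.size() - off < 5) return false;
    std::uint32_t raw = code[off + 1] | (code[off + 2] << 8) | (code[off + 3] << 16) |
                        (static_cast<std::uint32_t>(code[off + 4]) << 24);
    std::int64_t dest = static_cast<std::int64_t>(off) + 5 + static_cast<std::int32_t>(raw);
    if (dest < 0 || dest >= static_cast<std::int64_t>(code.size())) return false;
    target = static_cast<std::size_t>(dest);
    return true;
}

// Returns entry address -> reference count for every accepted function.
std::map<std::uint32_t, int> find_functions(const bytes_t &code, std::uint32_t base) {
    std::map<std::size_t, int> refs;
    std::size_t t = 0;
    for (std::size_t off = 0; off < code.size(); ++off)   // pass 1: try every address
        if (call_target(code, off, t)) ++refs[t];
    std::vector<std::size_t> work;
    for (const auto &kv : refs)
        if (kv.second >= 2) work.push_back(kv.first);     // 2+ references: analyse
    std::map<std::uint32_t, int> found;
    while (!work.empty()) {
        std::size_t off = work.back();
        work.pop_back();
        found[base + static_cast<std::uint32_t>(off)] = refs[off];
        while (off < code.size()) {                       // follow code to the end
            std::size_t len = insn_len(code, off);
            if (len == 0) break;                          // undecodable: stop here
            if (call_target(code, off, t) && refs[t] == 1) {
                ++refs[t];                                // bonus reference
                work.push_back(t);                        // queued once: count is now 2
            }
            if (code[off] == 0xc3) break;                 // ret ends the function
            off += len;
        }
    }
    return found;
}

// Constructed region: a caller at +0x00 calls A (+0x14) twice and C (+0x20) once;
// A calls B (+0x1e) once. B is accepted via the bonus; C and the caller are not.
bytes_t sample_region() {
    return bytes_t{0x55, 0x89, 0xe5, 0xe8, 0x0c, 0, 0, 0, 0xe8, 0x07, 0, 0, 0,
                   0xe8, 0x0e, 0, 0, 0, 0x5d, 0xc3,
                   0x55, 0x89, 0xe5, 0xe8, 0x02, 0, 0, 0, 0x5d, 0xc3,
                   0x90, 0xc3, 0x90, 0xc3};
}
```

Calling `find_functions(sample_region(), 0x08048000)` reports A and B only, which shows both the bonus rule and the heuristic's blind spot for functions called once from code that is never itself accepted.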
JMI
Senior Member
Posts: 5329
Joined: Wed Apr 25, 2001 2:00 pm

Post by JMI »

Thanks for the update. ;)

Regards,
JMI
JMI
Senior Member
Posts: 5329
Joined: Wed Apr 25, 2001 2:00 pm

Post by JMI »

Although you can always do so yourself, I have updated the entry for your EDB Linux Debugger in the Collaborative RCE Tool Library to show it is now at version 0.8.22.

I also updated your Tool's link in the CRECTL to show the current version:

http://www.codef00.com/projects/debugger-0.8.22.tgz

You will find your particular tool described here, if you want to add the updates yourself in the future:

http://www.woodmann.com/collaborative/t ... x_Debugger

Regards,
JMI
proxy
Member
Posts: 85
Joined: Tue Jun 13, 2006 3:59 pm

Post by proxy »

Just wanted to give everyone an update. I've been hard at work making edisassm support x86-64 since this has been the biggest hurdle towards making edb support x86-64.

Things are moving along VERY nicely, I almost have it working 100% correctly (for all known/tested cases).

Beyond that, EDB 0.9.0 will hopefully be coming along relatively shortly (I hope to get back into my fast release cycle I had during the early 0.8.x days soon ;) ).

Catch you guys later!

proxy
dELTA
Posts: 4209
Joined: Mon Oct 30, 2000 7:00 am
Location: Ring -1

Post by dELTA »

Glad to hear you're still working on this nice project proxy, thanks for the update. :yay:
sailor__eda
Junior Member
Posts: 24
Joined: Sun May 30, 2004 2:01 pm

Post by sailor__eda »

Thanks Proxy, I could really use a good debugger for x64. Can't wait to have this.