wuhailinjerry / edb-debugger

Automatically exported from code.google.com/p/edb-debugger
GNU General Public License v2.0

64-bit debugging #55

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I don't know if it's a bug or a feature not implemented, but it seems that 
64-bit debugging is not possible when the code uses 64-bit registers like rax, 
rbx, etc. 
The debugger disassembles the program right at first but when I "step into", or 
"step over" an instruction that uses a 64-bit register it treats it as a 32-bit 
register,

ex.
at first when I start debugging the code is:

   48 b8 88 77 66 55 44 33 22 11   |   mov rax, 0x1122334455667788 
   48 bb 88 77 66 55 44 33 22 11   |   mov rbx, 0x1122334455667788
   48 b9 88 77 66 55 44 33 22 11   |   mov rcx, 0x1122334455667788
   00 00
   ...  

but then when I press F7 and step into the code it all changes to:

   b8 88 77 66 55   |   mov eax, 0x55667788
   44 33 22         |   xor r12,dword ptr [rdx]
   11 48 bb         |   adc dword ptr [rax - 69], ecx
   88 77 66         |   mov byte ptr [rdi + 102], dh
   55               |   push rdp
   44 33 22         |   xor r12,dword ptr [rdx]
   11 48 b9         |   adc dword ptr [rax - 71], ecx
   88 77 66         |   mov byte ptr [rdi + 102], dh
   55               |   push rdp
   44 33 22         |   xor r12,dword ptr [rdx]
   11 00            |   adc dword ptr [rax], eax
   00 00
   ...

Original issue reported on code.google.com by evan.teran on 3 Oct 2012 at 3:21

GoogleCodeExporter commented 9 years ago
The problem is that this elf is a 32-bit executable. And if you build 64-bit 
EDB, it can only debug 64-bit applications. I should probably have a notice for 
this. Unfortunately, EDB assumes that it is debugging applications built for 
the same arch it was built for.

Original comment by evan.teran on 3 Oct 2012 at 4:07

GoogleCodeExporter commented 9 years ago
Just to be clear, what is happening is that since the ELF is 32-bit, the operating 
system loads it as a 32-bit program (as it should). EDB mistakenly assumes it 
is 64-bit and shows you a disassembly based on that, but it will still execute 
as 32-bit.

From here, the rest is obvious, the 0x48 is a single byte "inc" instruction on 
x86 (it's the REX byte on x86-64). So when you step, the program executes one 
instruction and sets EIP accordingly. Which is why the disassembly got adjusted 
to what you see next.

Build your app as a 64-bit ELF file and it will not be a problem.

Original comment by evan.teran on 3 Oct 2012 at 4:07
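The mechanism described in this thread, as an added example that is not EDB's code: a toy decoder for just the handful of opcodes involved (0x40-0x4F, which are one-byte `inc`/`dec r32` in 32-bit mode but the REX prefix in 64-bit mode; `push`; and `mov reg, imm`), plus the EI_CLASS check on the ELF header that the second comment says EDB should have done before loading. The code bytes are the ones from the report; the two ELF headers are constructed, and the function names are this example's own. It models the "step into": the CPU runs the first instruction in its real 32-bit mode (`dec eax`, one byte), and the debugger then re-disassembles from the new instruction pointer in 64-bit mode, which yields the `b8 88 77 66 55 | mov eax, 0x55667788` line the reporter saw.

```python
import struct

# Constructed sample: the first two instructions from the issue report,
# as they sit in the file (mov rax/rbx, imm64 when read as x86-64 code).
SAMPLE = bytes.fromhex("48b8887766554433221148bb8877665544332211")

# Constructed ELF headers: e_ident (16 bytes) followed by e_type, e_machine.
ELF32_HDR = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, 3)   # EM_386
ELF64_HDR = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, 62)  # EM_X86_64

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + [f"r{i}" for i in range(8, 16)]


def elf_bits(header: bytes) -> int:
    """Return 32 or 64 from EI_CLASS (byte 4) of an ELF header."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls = header[4]
    if cls not in (1, 2):
        raise ValueError(f"unknown EI_CLASS {cls}")
    return 32 if cls == 1 else 64


def edb_can_debug(header: bytes, edb_bits: int) -> bool:
    """The notice the second comment asks for: a given build of EDB only
    debugs ELFs of its own word size."""
    return elf_bits(header) == edb_bits


def _reg32(reg: int) -> str:
    return REGS32[reg] if reg < 8 else f"r{reg}d"


def decode_one(code: bytes, off: int, bits: int):
    """Decode one instruction at code[off:] and return (length, text).

    Only enough of the opcode map to show the 0x48 ambiguity:
      0x40-0x4F  inc/dec r32 in 32-bit mode, REX prefix in 64-bit mode
      0x50-0x57  push r32/r64
      0xB8-0xBF  mov reg, imm32 (imm64 when REX.W is set in 64-bit mode)
    Anything else is emitted as a raw byte ('db') so the sweep continues.
    """
    b = code[off]
    rex_w = rex_b = 0
    length = 1
    if 0x40 <= b <= 0x4F:
        if bits == 32:
            return 1, f"{'inc' if b < 0x48 else 'dec'} {REGS32[b & 7]}"
        if off + 1 >= len(code):
            return 1, f"db 0x{b:02x}"
        rex_w, rex_b = (b >> 3) & 1, b & 1
        b = code[off + 1]
        length = 2
    reg = (b & 7) | (rex_b << 3)
    if 0x50 <= b <= 0x57:
        return length, f"push {REGS64[reg] if bits == 64 else REGS32[reg]}"
    if 0xB8 <= b <= 0xBF:
        size = 8 if (bits == 64 and rex_w) else 4
        if off + length + size > len(code):
            return 1, f"db 0x{code[off]:02x}"
        imm = int.from_bytes(code[off + length:off + length + size], "little")
        name = REGS64[reg] if size == 8 else _reg32(reg)
        return length + size, f"mov {name}, 0x{imm:x}"
    return 1, f"db 0x{code[off]:02x}"


def decode(code: bytes, bits: int):
    """Linear sweep; return [(offset, 'hex bytes', text), ...]."""
    out, off = [], 0
    while off < len(code):
        length, text = decode_one(code, off, bits)
        out.append((off, code[off:off + length].hex(" "), text))
        off += length
    return out


def listing_after_step(code: bytes, cpu_bits: int, view_bits: int):
    """Model one 'step into': the CPU executes the first instruction in
    cpu_bits mode and advances the instruction pointer by its real length;
    the debugger then disassembles from that pointer in view_bits mode."""
    executed_len, executed = decode_one(code, 0, cpu_bits)
    return executed, decode(code[executed_len:], view_bits)


if __name__ == "__main__":
    print("64-bit EDB view before stepping:")
    for off, hx, text in decode(SAMPLE, 64):
        print(f"  {off:3d}  {hx:<32} {text}")
    executed, view = listing_after_step(SAMPLE, cpu_bits=32, view_bits=64)
    print(f"\nCPU actually ran (32-bit mode): {executed}")
    print("64-bit EDB view after stepping:")
    for off, hx, text in view:
        print(f"  {off:3d}  {hx:<32} {text}")
```

Because the toy decoder falls back to `db` for every opcode it does not know (the `33 /r` xor and `11 /r` adc in the report among them), its listing diverges from EDB's full one after that first `mov eax` line; the point is the one-byte shift, not the rest. On a real file the equivalent of `elf_bits` is `readelf -h ./a.out` (the `Class:` field reads `ELF32` or `ELF64`) or `file ./a.out`, and that is the check to run before wondering why a 64-bit EDB shows nonsense.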