edb (Evan’s Debugger) is a cross-platform debugger similar to OllyDbg that supports x86, x86-64, and AArch64 architectures. It’s essential for dynamic program analysis, reverse engineering, exploit development, and vulnerability research. edb provides a graphical interface with powerful debugging capabilities.
Installation
Ubuntu/Debian
sudo apt-get update
sudo apt-get install edb-debugger
Building from Source
git clone https://github.com/eteran/edb-debugger.git
cd edb-debugger
mkdir build && cd build
cmake ..
make
sudo make install
Fedora/RHEL
sudo dnf install edb-debugger
macOS
# Build from source on macOS
brew install qt cmake graphviz
git clone https://github.com/eteran/edb-debugger.git
cd edb-debugger
mkdir build && cd build
cmake -DCMAKE_PREFIX_PATH=$(brew --prefix qt) ..
make
Verify Installation
edb --version
which edb
Basic Usage
Launch edb with Binary
edb ./program_to_debug
Debug with Arguments
edb ./program arg1 arg2 arg3
Debug Running Process
edb --attach <process_id>
Debug from Command Line
edb --run ./vulnerable_program
Open Binary Without Running
edb --attach ./binary_file
Core Debugger Commands
| Command | Function | Shortcut |
|---|---|---|
| Step Into | Execute single instruction, follow calls | F11 / Step |
| Step Over | Execute single instruction, skip calls | F10 / Next |
| Continue | Resume execution | F5 / Continue |
| Pause | Pause running program | Ctrl+Break |
| Restart | Restart debugging session | F2 |
| Stop | Stop debugging session | Shift+F5 |
| Set Breakpoint | Set breakpoint at address | F3 / Double-click |
| Clear Breakpoint | Remove breakpoint | F3 / Click BP |
| View Stack | Display stack contents | Stack tab |
| View Registers | Show CPU registers | Registers tab |
| View Memory | Browse memory contents | Memory tab |
Breakpoint Management
Set Breakpoint at Address
Address: 0x08048400
Right-click → Breakpoint
Set Conditional Breakpoint
Address: 0x08048400
Right-click → Set Conditional Breakpoint
Condition: eax == 0x1234
Breakpoint by Function Name
Main function: main
Look up in functions list
Set breakpoint at function entry
Hardware Breakpoint
Use hardware breakpoints for:
- Read/Write breakpoints
- Large executable sections
- System-level debugging
Right-click → Hardware Breakpoint
Breakpoint Operations
| Operation | Purpose |
|---|---|
| Enable/Disable | Toggle breakpoint activation |
| Conditional | Only break when condition met |
| One-shot | Break once then auto-remove |
| Hit count | Break after N hits |
| Log action | Log when breakpoint hit |
Register Analysis
Common x86-64 Registers
RAX - Accumulator (return value)
RBX - Base register (callee-saved)
RCX - Counter (loop variable; 4th function argument in the System V ABI)
RDX - Data register (3rd function argument)
RSI - Source Index (2nd function argument)
RDI - Destination Index (1st function argument)
RBP - Base pointer (stack frame)
RSP - Stack pointer
RIP - Instruction pointer
View Register Values
Registers Panel → Right side of edb
Hex/Decimal toggle available
Double-click to modify value
Common Operations
# Modify register in debugger
RAX = 0x41414141
RBP = RSP + 0x100
RIP = function_address
Memory Operations
Examine Memory Region
Memory Panel → Specify address
View in Hex, ASCII, or Mixed format
Scroll to explore adjacent memory
Search Memory
Search for text string: "admin"
Search for hex pattern: 41 42 43
Search for bytes: \x41\x42\x43
Memory Dump
# Dump memory to file
Tools → Dump Memory
Range: 0x08048000 to 0x0804a000
Output: dump.bin
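The three search notations above can be replayed offline against a saved dump. The script below is an added example, not code from edb or this page: it normalises a text-string, spaced-hex or escaped-byte pattern into raw bytes and maps each hit in a constructed dump back to a virtual address (the dump base 0x08048000 is assumed to match the dump range given above).

```python
import re
from typing import List

# Constructed sample standing in for a dump.bin saved from edb; the base
# address is an assumption taken from the dump range on this page.
DUMP_BASE = 0x08048000
DUMP = (
    b"\x7fELF" + b"\x00" * 12        # offset 0: fake ELF header
    + b"admin\x00" + b"root\x00"     # offset 16: two C strings
    + b"ABC" + b"\x00" * 8           # offset 27: first 41 42 43
    + b"ABC" + b"\x00" * 5           # offset 38: second 41 42 43
    + b"admin"                       # offset 46: unterminated string
)


def parse_pattern(spec: str) -> bytes:
    """Turn one of the search notations shown in the edb Search dialog into
    raw bytes: a quoted text string ("admin"), escaped bytes (\\x41\\x42\\x43)
    or a spaced hex pattern (41 42 43)."""
    s = spec.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        return s[1:-1].encode()
    if re.fullmatch(r"(\\x[0-9a-fA-F]{2})+", s):
        return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))
    if re.fullmatch(r"([0-9a-fA-F]{2}\s*)+", s):
        return bytes.fromhex(s.replace(" ", ""))
    raise ValueError(f"unrecognised search pattern: {spec!r}")


def search_dump(dump: bytes, spec: str, base: int = DUMP_BASE) -> List[int]:
    """Return every virtual address at which the pattern occurs, i.e. the dump
    base plus the byte offset of each (possibly overlapping) hit."""
    needle = parse_pattern(spec)
    hits, pos = [], dump.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = dump.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    for spec in ('"admin"', "41 42 43", r"\x41\x42\x43"):
        print(spec, [hex(a) for a in search_dump(DUMP, spec)])
```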
Memory Protection
# View memory sections
Tools → Memory Map
Show permissions (R/W/X)
Identify executable regions
Stack Analysis
View Stack Contents
Stack Panel shows:
Address | Value | Reference
Monitor ESP/RSP changes
Trace function calls/returns
Stack Frame Structure
Listed from lowest to highest address (the stack grows downward, so locals sit below the saved frame pointer):
[Local Variables]
[Saved RBP]
[Return Address] ← RSP points here immediately after CALL, before the prologue pushes RBP
[Function Arguments] ← only the 7th and later arguments on x86-64; the first six arrive in registers
Follow Stack Pointer
# In edb Stack panel:
Monitor RSP during execution
Identify buffer boundaries
Check for stack corruption
Reverse Engineering Techniques
Analyze Function Prologue
Common x86-64 prologue:
push rbp
mov rbp, rsp
sub rsp, 0x20
Identify Function Boundaries
# Find function entry points
Disassembly → Look for prologue
Monitor return instructions (ret)
Use function list panel
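The prologue-and-ret heuristic above can be scripted over a code dump to get candidate function boundaries before confirming them in edb's disassembly. This is an added example, not edb's own analysis: it scans constructed x86-64 bytes for `push rbp; mov rbp, rsp`, takes the first following `ret` as the end, and decodes the `sub rsp, imm` frame size when present (the load base 0x401000 is assumed).

```python
from typing import Dict, List, Optional

PROLOGUE = b"\x55\x48\x89\xe5"   # push rbp; mov rbp, rsp
RET = b"\xc3"                    # ret

# Constructed code bytes: function A (16 bytes) with a 0x20 frame, two nops,
# then function B (11 bytes) with no local frame, then one nop.
CODE = (
    b"\x55\x48\x89\xe5\x48\x83\xec\x20"   # push rbp; mov rbp,rsp; sub rsp,0x20
    b"\x89\x7d\xec\x8b\x45\xec"           # mov [rbp-0x14],edi; mov eax,[rbp-0x14]
    b"\xc9\xc3"                           # leave; ret
    b"\x90\x90"                           # padding
    b"\x55\x48\x89\xe5\xb8\x01\x00\x00\x00\x5d\xc3"  # push rbp; mov rbp,rsp; mov eax,1; pop rbp; ret
    b"\x90"
)


def frame_size(code: bytes, off: int) -> Optional[int]:
    """Decode a 'sub rsp, imm' at off (48 83 ec ib or 48 81 ec id); None if absent."""
    if code[off:off + 3] == b"\x48\x83\xec" and off + 4 <= len(code):
        return code[off + 3]
    if code[off:off + 3] == b"\x48\x81\xec" and off + 7 <= len(code):
        return int.from_bytes(code[off + 3:off + 7], "little")
    return None


def find_functions(code: bytes, base: int) -> List[Dict]:
    """Return candidate functions as dicts with entry/ret addresses, byte size
    and decoded frame size. The first ret after a prologue is taken as the
    function end, which is a heuristic: a 0xc3 byte inside an immediate or a
    function with several rets will mislead it, so confirm in the disassembly."""
    funcs = []
    start = code.find(PROLOGUE)
    while start != -1:
        end = code.find(RET, start)
        if end == -1:
            break
        funcs.append({"entry": base + start, "ret": base + end,
                      "size": end - start + 1,
                      "frame": frame_size(code, start + len(PROLOGUE))})
        start = code.find(PROLOGUE, end + 1)
    return funcs


if __name__ == "__main__":
    for f in find_functions(CODE, 0x401000):
        print({k: (hex(v) if isinstance(v, int) else v) for k, v in f.items()})
```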
Trace Code Flow
Step through instructions
Watch register changes
Monitor memory modifications
Track control flow
Identify Loops and Conditionals
# Common patterns:
CMP instruction → test condition
JE, JNE, JL, JG → conditional jumps
JMP → unconditional branch
Exploit Development
Find Gadgets for ROP
# Identify useful instruction sequences
Search for: pop rdi; ret
Useful for: setting function arguments
Location: libc or binary
Analyze Buffer Vulnerabilities
# Set breakpoint before vulnerable function
Step through string operations
Monitor buffer bounds
Check ESP/RBP relationships
Test Payload Execution
# Craft exploit payload
Set breakpoints at critical points
Inject shellcode in memory
Verify execution flow
Find ASLR Bypass Gadgets
# Identify information leaks
Search for pointer dereferences
Find addresses of library functions
Use for address space discovery
Advanced Features
Plugin System
Plugins located in: ~/.edb/plugins/
Create custom analysis tools
Extend debugger capabilities
Write in C++ or Python
Script Automation
# Python plugin example (API names as written on this page; not verified against a released edb Python binding)
import edb

def my_function():
    edb.set_breakpoint(0x08048400)   # break at the target address
    edb.continue_execution()         # run until the breakpoint is hit
    regs = edb.registers()           # read the register snapshot at the break
    return regs['eax']
Conditional Debugging
# Break when specific condition met
Breakpoint → Expression
Example: (eax > 1000) && (ebx == 0x41414141)
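To see which logged steps a condition like the one above would have stopped on, it helps to replay it against a register trace. The evaluator below is an added example, not edb's own expression engine: it maps C-style `&&`/`||` to Python, parses the condition with `ast`, and accepts only register names, integer literals, comparisons and boolean operators (decimal and 0x-prefixed literals are assumed to mean what they do in Python).

```python
import ast
import operator
from typing import Dict, List

# Only the comparison operators that appear in edb-style conditions.
CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


def _eval(node: ast.AST, regs: Dict[str, int]):
    """Walk a whitelisted AST; anything else (calls, attributes, ...) is rejected."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, regs)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in regs:
            raise ValueError(f"unknown register {node.id!r}")
        return regs[node.id]
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in CMP_OPS:
        return CMP_OPS[type(node.ops[0])](_eval(node.left, regs), _eval(node.comparators[0], regs))
    if isinstance(node, ast.BoolOp):
        values = (_eval(v, regs) for v in node.values)
        return all(values) if isinstance(node.op, ast.And) else any(values)
    raise ValueError(f"unsupported syntax in condition: {ast.dump(node)}")


def condition_holds(cond: str, regs: Dict[str, int]) -> bool:
    """Evaluate an edb-style condition such as '(eax > 1000) && (ebx == 0x41414141)'
    against one register snapshot."""
    py = cond.replace("&&", " and ").replace("||", " or ")
    return bool(_eval(ast.parse(py, mode="eval"), regs))


def matching_steps(cond: str, trace: List[Dict[str, int]]) -> List[int]:
    """Replay the condition over a trace (one register dict per logged step) and
    return the step indexes at which the conditional breakpoint would fire."""
    return [i for i, regs in enumerate(trace) if condition_holds(cond, regs)]


# Constructed register trace standing in for three logged hits of a breakpoint.
TRACE = [{"eax": 999, "ebx": 0x41414141},
         {"eax": 2000, "ebx": 0x41414141},
         {"eax": 2000, "ebx": 0}]

if __name__ == "__main__":
    print(matching_steps("(eax > 1000) && (ebx == 0x41414141)", TRACE))
```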
Log and Trace
# Enable execution logging
View → Output Panel
Tools → Logging
Save trace for analysis
Use with GDB Commands
# edb supports GDB-style commands
set $eax = 0x1234
print $ebx
continue
Combine with IDA Pro
# Export debugging info to IDA
Save breakpoints
Export memory maps
Cross-reference with IDA analysis
Integration with gdbserver
# Remote debugging capability
edb --gdbserver localhost:9999
Connect remote gdb client
Debugging Scenarios
Crash Analysis
1. Load crashed binary
2. Run to crash point
3. Examine registers/stack
4. Analyze crash dump
5. Identify root cause
Authentication Bypass
1. Set breakpoint at auth check
2. Modify return value (RAX = 1)
3. Continue execution
4. Test bypass effectiveness
Memory Corruption Detection
1. Monitor heap operations
2. Track buffer writes
3. Set memory watchpoints
4. Identify overflow point
Vulnerability Proof of Concept
1. Identify vulnerability
2. Craft test case
3. Debug execution
4. Verify exploitation
5. Document findings
Comparison with Other Debuggers
| Debugger | Platform | Focus | GUI |
|---|---|---|---|
| edb | Linux/Windows/macOS | Reverse Engineering | Yes |
| GDB | Unix/Linux | General debugging | No (TUI) |
| IDA Pro | Multi-platform | Disassembly | Yes |
| OllyDbg | Windows | x86 debugging | Yes |
| Frida | Multi-platform | Runtime injection | CLI |
Performance Tips
Enable/Disable Detailed Logging
# Reduce overhead during long executions
Tools → Options → Plugins
Disable unnecessary plugins
Minimize output verbosity
Breakpoint Management
# Too many breakpoints slow execution
Remove inactive breakpoints
Use conditional breakpoints
Prefer one-shot breakpoints
# Large memory dumps are slow
View specific regions
Use memory search instead
Dump to file for analysis
Troubleshooting
Debugger Crashes
# Reset debugger state
Close edb
Remove ~/.edb/settings.ini
Rebuild from source if persistent
Cannot Attach to Process
# Check permissions (on Ubuntu and similar, Yama's /proc/sys/kernel/yama/ptrace_scope set to 1 blocks attaching to processes you did not start, so run as root or launch the target from edb)
sudo edb --attach <pid>
# Verify process exists
ps aux | grep process_name
# Ensure binary not stripped
file /path/to/binary
Breakpoints Not Triggering
# Verify breakpoint address
View disassembly at address
Confirm address is correct
Check if code is actually executed
# Debug symbols needed for function names
objdump -t /path/to/binary | grep FUNC
# Recompile with -g flag
gcc -g program.c -o program
Best Practices
Session Management
# Save debugging sessions
File → Save Session
Document findings during analysis
Keep detailed notes
Create debugging journal
Safe Reversing
# Always work in isolated environment
Use VM or container
Never execute untrusted binaries
Keep backups of original binaries
Documentation
# Record your analysis
Screenshot key findings
Note function addresses
Document exploit techniques
Create reproducible steps
Summary
edb Debugger is an essential tool for dynamic binary analysis, reverse engineering, and exploit development on Linux and other platforms. Its intuitive interface combined with powerful features makes it comparable to OllyDbg on Windows. Mastering edb enables deeper understanding of program behavior, vulnerability discovery, and security research.