
edb Debugger

edb (Evan’s Debugger) is a cross-platform debugger similar to OllyDbg that supports x86, x86-64, and AArch64 architectures. It’s essential for dynamic program analysis, reverse engineering, exploit development, and vulnerability research. edb provides a graphical interface with powerful debugging capabilities.

# Install on Debian/Ubuntu
sudo apt-get update
sudo apt-get install edb-debugger

# Build from source on Linux (the repository uses submodules, so clone recursively)
git clone --recursive https://github.com/eteran/edb-debugger.git
cd edb-debugger
mkdir build && cd build
cmake ..
make
sudo make install

# Install on Fedora
sudo dnf install edb-debugger

# Build from source on macOS
brew install qt cmake graphviz
git clone --recursive https://github.com/eteran/edb-debugger.git
cd edb-debugger
mkdir build && cd build
cmake -DCMAKE_PREFIX_PATH=$(brew --prefix qt) ..
make

# Verify the installation
edb --version
which edb

# Launch a program under the debugger (arguments follow the program path)
edb --run ./program_to_debug
edb --run ./program arg1 arg2 arg3
edb --run ./vulnerable_program

# Attach to a running process (--attach takes a PID, not a file path)
edb --attach <process_id>
Command | Function | Shortcut
Step Into | Execute a single instruction, following calls | F11 / Step
Step Over | Execute a single instruction, skipping calls | F10 / Next
Continue | Resume execution | F5 / Continue
Pause | Pause the running program | Ctrl+Break
Restart | Restart the debugging session | F2
Stop | Stop the debugging session | Shift+F5
Set Breakpoint | Set a breakpoint at an address | F3 / Double-click
Clear Breakpoint | Remove a breakpoint | F3 / Click BP
View Stack | Display stack contents | Stack tab
View Registers | Show CPU registers | Registers tab
View Memory | Browse memory contents | Memory tab
# Software breakpoint
Address: 0x08048400
Right-click → Breakpoint

# Conditional breakpoint
Address: 0x08048400
Right-click → Set Conditional Breakpoint
Condition: eax == 0x1234

# Breakpoint at the main function
Main function: main
Look it up in the functions list
Set a breakpoint at the function entry

# Hardware breakpoints
Use hardware breakpoints for:
- Read/Write (data access) breakpoints
- Large executable sections
- System-level debugging
Right-click → Hardware Breakpoint
Operation | Purpose
Enable/Disable | Toggle breakpoint activation
Conditional | Only break when the condition is met
One-shot | Break once, then auto-remove
Hit count | Break after N hits
Log action | Log when the breakpoint is hit
# x86-64 general-purpose registers
RAX - Accumulator (return value)
RBX - Base register (callee-saved)
RCX - Counter (loop variable)
RDX - Data register
RSI - Source Index (function arg)
RDI - Destination Index (function arg)
RBP - Base pointer (stack frame)
RSP - Stack pointer
RIP - Instruction pointer

# Registers panel
Registers Panel → right side of edb
Hex/Decimal toggle available
Double-click a register to modify its value

# Modify registers in the debugger
RAX = 0x41414141
RBP = RSP + 0x100
RIP = function_address
# View memory
Memory Panel → specify an address
View in Hex, ASCII, or Mixed format
Scroll to explore adjacent memory

# Search memory
Search for text string: "admin"
Search for hex pattern: 41 42 43
Search for bytes: \x41\x42\x43

# Dump memory to file
Tools → Dump Memory
Range: 0x08048000 to 0x0804a000
Output: dump.bin

# View memory sections
Tools → Memory Map
Show permissions (R/W/X)
Identify executable regions
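The Memory Map above lists each region with its R/W/X permissions. The following is an added example (not code from the edb project or this page) that does the same triage offline: it parses lines in the /proc/<pid>/maps format, which is assumed here to be what edb's Memory Map is built from on Linux, counts the executable regions and flags any region that is both writable and executable. The sample maps text is constructed.

```c
#include <stdio.h>
#include <string.h>

/* One line of /proc/<pid>/maps (assumed to be the source of edb's Memory Map on Linux). */
typedef struct {
    unsigned long long start, end; /* address range [start, end) */
    char perms[5];                 /* e.g. "r-xp": read, write, execute, private/shared */
    char path[256];                /* backing file, "[stack]" etc., or "" when anonymous */
} region_t;

/* Parse one maps line (start-end perms offset dev inode [path]); returns 0 if malformed. */
int parse_maps_line(const char *line, region_t *r)
{
    r->path[0] = '\0';
    int n = sscanf(line, "%llx-%llx %4s %*s %*s %*s %255s",
                   &r->start, &r->end, r->perms, r->path);
    return n >= 3 && strlen(r->perms) == 4 && r->end > r->start;
}

int region_is_exec(const region_t *r) { return r->perms[2] == 'x'; }
/* Writable and executable at once: the first thing to flag when reviewing a map. */
int region_is_wx(const region_t *r)   { return r->perms[1] == 'w' && r->perms[2] == 'x'; }

/* Scan a whole maps dump: count executable regions, copy W+X ones into wx_out. */
int scan_maps(const char *maps, region_t *wx_out, int max_wx, int *n_exec)
{
    int n_wx = 0; *n_exec = 0;
    while (*maps) {
        const char *nl = strchr(maps, '\n');
        size_t len = nl ? (size_t)(nl - maps) : strlen(maps);
        char line[512]; region_t r;
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate absurdly long lines */
        memcpy(line, maps, len);
        line[len] = '\0';
        if (parse_maps_line(line, &r)) {
            if (region_is_exec(&r)) (*n_exec)++;
            if (region_is_wx(&r) && n_wx < max_wx) wx_out[n_wx++] = r;
        }
        if (!nl) break;
        maps = nl + 1;
    }
    return n_wx;
}

/* Constructed sample (not a real process): a small binary plus one anonymous W+X mapping. */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r--p 00000000 08:01 1234 /tmp/demo\n"
    "00401000-00402000 r-xp 00001000 08:01 1234 /tmp/demo\n"
    "7f1a2c000000-7f1a2c021000 rwxp 00000000 00:00 0\n"
    "7ffd5e3b0000-7ffd5e3d1000 rw-p 00000000 00:00 0 [stack]\n";
```

Feed it the contents of a real maps file (or a Memory Map export) and every W+X region it returns deserves a look in the Memory panel, since legitimate code normally lives in r-x mappings.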
# Stack panel
Stack Panel shows:
Address | Value | Reference
Monitor ESP/RSP changes
Trace function calls/returns

# Stack frame layout (lowest address at the top)
[Local Variables]
[Saved RBP]
[Return Address]  ← ESP/RSP points here immediately after CALL
[Function Arguments]

# In the edb Stack panel:
Monitor RSP during execution
Identify buffer boundaries
Check for stack corruption

# Common x86-64 prologue:
push rbp
mov rbp, rsp
sub rsp, 0x20
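To check the frame layout above against a live program, here is an added example (not from the page or the edb project): a C function with the standard prologue that records the address of a local buffer, the saved-RBP slot and the return-address slot, so the numbers can be compared with edb's Stack panel. It assumes x86-64 with a frame pointer (build with gcc -g -O0 -fno-omit-frame-pointer and load the binary with edb --run).

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Addresses captured from inside one frame, to compare with the Stack panel. */
typedef struct {
    uintptr_t local;        /* a local buffer: the lowest of the three addresses */
    uintptr_t saved_rbp;    /* [rbp]   slot holding the caller's RBP */
    uintptr_t ret_slot;     /* [rbp+8] slot holding the return address */
    uintptr_t ret_value;    /* what that slot actually contains */
    uintptr_t ret_expected; /* the compiler's view of the return address, for comparison */
} frame_layout_t;

/* noinline so this function keeps its own prologue: push rbp; mov rbp, rsp; sub rsp, N */
__attribute__((noinline)) frame_layout_t inspect_frame(void)
{
    char buf[32];
    frame_layout_t f;
    uintptr_t rbp = (uintptr_t)__builtin_frame_address(0); /* RBP after the prologue */

    memset(buf, 'A', sizeof buf); /* a 0x41 fill is easy to spot in the Memory panel */
    f.local        = (uintptr_t)buf;
    f.saved_rbp    = rbp;
    f.ret_slot     = rbp + sizeof(void *);
    f.ret_value    = *(uintptr_t *)f.ret_slot;
    f.ret_expected = (uintptr_t)__builtin_return_address(0);
    return f;
}

/* 1 when the frame matches the diagram: locals below the saved RBP, return address just above. */
int layout_matches_diagram(const frame_layout_t *f)
{
    return f->local < f->saved_rbp
        && f->ret_slot == f->saved_rbp + sizeof(void *)
        && f->ret_value == f->ret_expected;
}

int main(void)
{
    frame_layout_t f = inspect_frame();
    printf("local buffer    : %#lx\n", (unsigned long)f.local);
    printf("saved RBP slot  : %#lx\n", (unsigned long)f.saved_rbp);
    printf("return address  : %#lx stored at %#lx\n",
           (unsigned long)f.ret_value, (unsigned long)f.ret_slot);
    printf("matches diagram : %s\n", layout_matches_diagram(&f) ? "yes" : "no");
    return 0;
}
```

Set a breakpoint on the `ret` of inspect_frame in edb and the Stack panel should show the 'A' bytes, then the saved RBP, then the return address at exactly the addresses the program prints.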
# Find function entry points
Disassembly: look for the prologue
Monitor return instructions (ret)
Use the function list panel

# Follow control flow
Step through instructions
Watch register changes
Monitor memory modifications
Track control flow

# Common patterns:
CMP - compares operands and sets the flags that conditional jumps test
JE, JNE, JL, JG - conditional jumps
JMP - unconditional branch
# Identify useful instruction sequences
Search for: pop rdi; ret
Useful for: setting function arguments
Location: libc or binary

# Set breakpoint before vulnerable function
Step through string operations
Monitor buffer bounds
Check ESP/RBP relationships

# Craft exploit payload
Set breakpoints at critical points
Inject shellcode in memory
Verify execution flow

# Identify information leaks
Search for pointer dereferences
Find addresses of library functions
Use for address space discovery
# Plugins
Plugins located in: ~/.edb/plugins/
Create custom analysis tools
Extend debugger capabilities
Write in C++ or Python

# Python plugin example:
import edb

def my_function():
    edb.set_breakpoint(0x08048400)   # break at the target address
    edb.continue_execution()         # run until the breakpoint is hit
    regs = edb.registers()           # snapshot of the CPU registers
    return regs['eax']               # value of EAX at the breakpoint
# Break when a specific condition is met
Breakpoint → Expression
Example: (eax > 1000) && (ebx == 0x41414141)

# Enable execution logging
View → Output Panel
Tools → Logging
Save the trace for analysis

# edb supports GDB-style commands
set $eax = 0x1234
print $ebx
continue

# Export debugging info to IDA
Save breakpoints
Export memory maps
Cross-reference with IDA analysis

# Remote debugging capability
edb --gdbserver localhost:9999
Connect a remote gdb client
# Crash analysis
1. Load the crashed binary
2. Run to the crash point
3. Examine registers/stack
4. Analyze the crash dump
5. Identify the root cause

# Testing an authentication check
1. Set a breakpoint at the auth check
2. Modify the return value (RAX = 1)
3. Continue execution
4. Test bypass effectiveness

# Heap overflow analysis
1. Monitor heap operations
2. Track buffer writes
3. Set memory watchpoints
4. Identify the overflow point

# Vulnerability research workflow
1. Identify the vulnerability
2. Craft a test case
3. Debug execution
4. Verify exploitation
5. Document findings
Debugger | Platform | Focus | GUI
edb | Linux/Windows/macOS | Reverse Engineering | Yes
GDB | Unix/Linux | General debugging | No (TUI)
IDA Pro | Multi-platform | Disassembly | Yes
OllyDbg | Windows | x86 debugging | Yes
Frida | Multi-platform | Runtime injection | CLI
# Reduce overhead during long executions
Tools → Options → Plugins
Disable unnecessary plugins
Minimize output verbosity

# Too many breakpoints slow execution
Remove inactive breakpoints
Use conditional breakpoints
Prefer one-shot breakpoints

# Large memory dumps are slow
View specific regions
Use memory search instead
Dump to file for analysis
# Reset debugger state
Close edb
Remove ~/.edb/settings.ini
Rebuild from source if the problem persists

# Attaching fails: check permissions (ptrace access is restricted by
# /proc/sys/kernel/yama/ptrace_scope on distributions that enable Yama)
sudo edb --attach <pid>

# Verify the process exists
ps aux | grep process_name

# Ensure the binary is not stripped
file /path/to/binary

# Breakpoint never hit: verify the breakpoint address
View the disassembly at the address
Confirm the address is correct
Check that the code is actually executed

# Debug symbols are needed for function names
objdump -t /path/to/binary | grep FUNC

# Recompile with the -g flag
gcc -g program.c -o program
# Save debugging sessions
File → Save Session
Document findings during analysis
Keep detailed notes
Create a debugging journal

# Always work in an isolated environment
Use a VM or container
Never execute untrusted binaries on your host
Keep backups of original binaries

# Record your analysis
Screenshot key findings
Note function addresses
Document exploit techniques
Create reproducible steps

edb Debugger is an essential tool for dynamic binary analysis, reverse engineering, and exploit development on Linux and other platforms. Its intuitive interface combined with powerful features makes it comparable to OllyDbg on Windows. Mastering edb enables deeper understanding of program behavior, vulnerability discovery, and security research.