My issue is with memory location values displayed in the Registers and Dump windows in edb on Linux. With my process paused, register EAX contains b77190a0. This address points to within a buffer.

I do a Follow In Dump for EAX to display the contents from the address in EAX.
In Dump view, the expected contents are displayed but at the address b750da0e.

I've read: Difference between logical addresses, and physical addresses?
The conclusion I have come to is that EAX contains a logical address (for the process) which gets evaluated to the physical address shown in Dump View.

Is this the right basic thinking or am I missing something else?
I have used Immunity Debugger on x86 Windows without this behaviour following register addresses.

user1330734
  • You're right that any address your process will have in a register is a logical address. Don't even think about physical memory, just think about your process's memory as a flat 4GB space that your process owns all of. (It's not really, and a 32-bit kernel won't let you map the upper 1GB of your virtual address space, IIRC, but this mental model is good enough.) – Peter Cordes Jun 03 '16 at 21:10
  • I don't use EDB, so I have no idea what you're asking. Where did `b750da0e` come from, if it wasn't in `eax`? Is `eax` maybe pointing partway into a large buffer? – Peter Cordes Jun 03 '16 at 21:12
  • I tried recreating the issue and _Follow in Dump_ now goes to the address in the register as initially expected! Please see screenshot at [imgur.com/0kExhZ9](http://imgur.com/0kExhZ9) Note in the screenshot, I am observing `ECX`, but that behaviour is the same for `EAX`. – user1330734 Jun 04 '16 at 07:16
  • Did you single-step past an instruction that modified `eax` before? If the dump window moves to follow the register value, maybe you didn't re-check the register? Anyway, voting to close as non-reproducible. It might be user-error or a bug in edb. Questions about how to use development software are not what SO is nominally for, I think. (Although there are a lot of git questions.) – Peter Cordes Jun 04 '16 at 14:16
  • Thanks for your reply Peter. Hold off on that vote for a moment as I can confirm it's not user error, see the screenshot reproducing a similar occurrence: http://imgur.com/9t8ZmfJ – user1330734 Jun 05 '16 at 02:40
  • Looks fishy, although I don't use that debugger. I think I tried it once, I forget why I didn't keep using it. Anyway, go report a bug on the edb page. – Peter Cordes Jun 05 '16 at 02:46
  • Hi, I'm the author of edb. So to answer your question: no, edb does not have any concern about physical addresses. I've never seen this behavior before, so if it is acting as you describe, then it is likely a bug. – Evan Teran Jun 07 '16 at 03:08
  • Thanks Evan, I'll put some info together for you. – user1330734 Jun 07 '16 at 11:23

0 Answers