View Full Version : IDA Debugger
naides
February 3rd, 2004, 22:15
This is not a question.
I just would like to know people's opinions and experiences with the debugger.
I have had problems running it, as it freezes quite often, and only a cold boot can solve it.
Mastering it could be both challenging and productive.
Just to start a conversation. . .
disavowed
February 3rd, 2004, 23:43
i'm very unimpressed with the debugger. until datarescue can integrate a debugger with olly-like quality, i'll stick with using ida just for disassembling.
Aquatic
February 4th, 2004, 00:32
Quote:
[Originally Posted by disavowed]i'm very unimpressed with the debugger. until datarescue can integrate a debugger with olly-like quality, i'll stick with using ida just for disassembling. |
Isn't Olly open source?
disavowed
February 4th, 2004, 08:53
yes
naides
February 4th, 2004, 09:18
Quote:
[Originally Posted by naides]
Just to start a conversation. . . |
You guys talk in monosyllables. Perhaps a Beer?
r4g3
February 4th, 2004, 10:47
the only thing ida dbg is better than olly is that you can place comments without alt+tab'ing

other than that it's very inconvenient to use.
Polaris
February 4th, 2004, 12:33
Quote:
[Originally Posted by naides]This is not a question.
I just would like to know people's opinions and experiences with the debugger.
I have had problems running it, as it freezes quite often, and only a cold boot can solve it.
Mastering it could be both challenging and productive.
Just to start a conversation. . . |
Hi there
the IDA Pro debugger is exactly like IDA Pro: needs time to be mastered... However, I never expected freezing or something like that...
Also I feel that we are going in the right direction for RE tools... No more small tools to be used together, but a "suite" to deal with any situation... With IDA Pro I can analyze statically my listing and use debugger to reveal only interesting sequences.... I think I'll no more use any other debugger.
Byyyyezzz,
Polaris
disavowed
February 4th, 2004, 14:55
Quote:
[Originally Posted by r4g3]the only thing ida dbg is better than olly is that you can place comments without alt+tab'ing other than that it's very inconvenient to use. |
you can place comments in ollydbg. unless you mean you want to comment your static listing, in which case ignore this post

peterg70
February 4th, 2004, 23:16
And if you mean adding comments to the static code then use dual monitors.
Make life a lot more fun. Anyone Softice on dual monitors. Tried once and it basically ignored the second screen. So Use Ollydbg since then without any problems. (except breakpoints disappearing all the time)
Tried IDA and found it difficult to read mainly. Thought never gonna use it to its full potential so got rid of it..
Peterg70
doug
February 5th, 2004, 01:23
@peterg70
you know that when you are using softice, even if you had 10 monitors, they would all be "frozen" when the softice window pops up ? it's still 1 cpu.
(getting a little off-topic)
For long projects, a setup that I found to be efficient is a debugging machine and another one with IDA + all the other tools.
I still can't get used to ollydbg.. I always go back to softice; I find it much more powerful.. unless I was doing something wrong, I wasn't impressed very much by olly when tracing through SMC.. at some point I was just stepping over opcodes (It would refuse to 'assemble it' back)
And since 80% of protectors use smc...
naides
February 5th, 2004, 09:08
Few months ago, when the Debugger option to IDA was announced, some people here, me included, became very excited. If this tool was going to be as powerful as the disassembler, and it was seamlessly integrated to it, IDA would become the 'Ultimate' tool.
While this first version did not meet expectations, which were high to start with, does not mean that the idea and the tool lacks potential. I do not know if Ilfak ever reads these boards, or other RCE for that matter, but I think he could benefit from suggestions and observations about the debugger.
I concede that it may increase the chances of IDA being Warezed, but on the other hand, he could deliver an improved product to his market base.
Be kind to me.
nikolatesla20
February 5th, 2004, 10:39
Well, softICE has its place. The only real reason to use softICe now for me (I use 2.7) is so I can set a global process breakpoint, for those nasty createprocess protectors (like armadillo). A normal debugger like Olly won't do that - it will only break on calls in its current process (which is good).
But I've used Olly for ALL my latest unpacking. It kicks butt big time. The biggest best thing about it is there are only a few ways to detect a ring3 debugger, and the debugger itself can modify these ways! With SoftICE you just have to hide it somehow. Also, with Olly you can take notes and work in a hex dump, or dump memory areas of interest on the spot, since ur computer doesn't freeze.
IDA is ok, it still doesn't always give as much information as I'd like. I mean, sure the graph of a function is nice, but I haven't found it all that helpful yet. The one thing that I've found the most useful is variable names. However, one thing I DONT like is it should be smart enough (maybe sooner or later), so I could name a variable like "mov eax, [ebx+4Ch]" into "mov eax, CountNumDays". I mean, with appropriate "code analysis" this should be possible, even if of course it requires a type of "virtual" engine to simulate so it can calculate where these offsets end up later, etc. I know it's prolly hard, but I think it sure would make things better...
-nt20
doug
February 5th, 2004, 12:43
well you can do some fancy stuff if you define structures and enums appropriately
your statement would appear as:
mov eax, [ebx+CountNumDays] ; any comments defined in struct definition
I'm not sure if you can define ebx as a pointer to a structure over an entire function (to auto rename all [ebx+XYZ] arguments) yet.. but that just seems like the next logical step if it's not yet implemented.
And when your register is a 'biased pointer' to a memory location, ex:
(context: ebp is pointing to the start of the code segment, ebp+2C5h points to the string: "\\.\SICE")

lea esi, [ebp+2C5h]
you can give the instruction a 'Base Address' (using ctrl+r) of 'start' (either using its symbolic name or address) and the last instruction will look like: (adding an x-ref also)
lea esi, (meltICE_strings - start)[ebp] ; "\\\\.\\SICE"
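The two operand representations described in the post above, as an added example that is not part of the original post and is not IDA's own code or API: a small Python model that renames `[reg+disp]` to a struct member and rewrites a biased pointer as `(symbol - base)[reg]`. The struct layout, the `CurrentYear` member, the listing lines and the addresses are constructed assumptions.

```python
import re

# Memory operand in IDA-style syntax: [reg+disp]. Numbers start with a digit;
# hex displacements carry an 'h' suffix, small ones may be plain decimal.
OPERAND = re.compile(r"\[(\w+)\+([0-9][0-9A-Fa-f]*)(h?)\]")

def _disp(digits, suffix):
    return int(digits, 16 if suffix else 10)

def apply_struct(lines, reg, members):
    """Rename [reg+disp] to [reg+member] when disp is a defined member offset."""
    def repl(m):
        name = members.get(_disp(m.group(2), m.group(3)))
        if m.group(1) != reg or name is None:
            return m.group(0)  # other register or undefined offset: leave as is
        return f"[{reg}+{name}]"
    return [OPERAND.sub(repl, line) for line in lines]

def apply_base(line, reg, base_name, base_addr, symbols):
    """Rewrite [reg+disp] as (symbol - base)[reg] when base+disp is a named address."""
    def repl(m):
        name = symbols.get(base_addr + _disp(m.group(2), m.group(3)))
        if m.group(1) != reg or name is None:
            return m.group(0)
        return f"({name} - {base_name})[{reg}]"
    return OPERAND.sub(repl, line)

# Constructed sample data (assumptions, not taken from a real binary).
MEMBERS = {0x48: "CurrentYear", 0x4C: "CountNumDays"}
LISTING = [
    "mov eax, [ebx+4Ch]",
    "mov ecx, [ebx+48h]",
    "mov edx, [esi+4Ch]",  # different register: not the object pointer
    "mov edi, [ebx+50h]",  # offset with no defined member
]
SYMBOLS = {0x4012C5: "meltICE_strings"}  # assumed: start is at 0x401000

if __name__ == "__main__":
    for out in apply_struct(LISTING, "ebx", MEMBERS):
        print(out)
    print(apply_base("lea esi, [ebp+2C5h]", "ebp", "start", 0x401000, SYMBOLS))
```

The register is passed in explicitly because the same displacement on another register (`[esi+4Ch]` here) is not necessarily a member of the same object.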
nikolatesla20
February 5th, 2004, 13:08
Ah, thanks doug - the struct define. Ok I will try that.
-nt20
dELTA
February 5th, 2004, 15:52
Also, it does analyze and define/name all such stack-based variables without having to define structs, enums or anything, practically always for me anyway?! It does indeed have stack analysis, so it even handles esp-based stack variables!
nikolatesla20
February 5th, 2004, 22:41
Yes, I know it does stack variables just fine, but it doesn't do other register based variables. For example, if you are looking at code that is from a C++ class, the object pointer gets passed in on a register, like ebx. So all the member variables (and possibly some functions) are [ebx+XXX]. Currently if I double click on the XXX you can't do anything with it. It would be nice if you could at least label it.
ESP variables such as [esp+XXX] do get a variable "name", IDA says like "var_0", "var_4", etc. But register based variables do not.
-nt20