The evolution of debugging tools bridges the gap between early personal computing and modern low-level engineering. This guide traces that journey, starting with the classic 16-bit DOS DEBUG.EXE and moving into the advanced environments used for modern assembly language analysis. 1. The Era of DOS DEBUG
In the days of MS-DOS, DEBUG.EXE was a built-in, lightweight utility that provided direct access to system memory, CPU registers, and disk sectors. Operating entirely in real mode, it was both a debugger and a rudimentary assembler. Core Architecture and Real Mode
DOS operated on the ⁄8088 processor architecture using a 20-bit segmented memory model. Since registers were only 16 bits wide, memory addresses were calculated using a segment and an offset:
Physical Address=(Segment×16)+OffsetPhysical Address equals open paren Segment cross 16 close paren plus Offset
DEBUG.EXE exposed this architecture directly. It loaded executables (typically .COM or .EXE files) into memory, defaulting to an offset of 0100h for .COM files to preserve the Program Segment Prefix (PSP). Essential Command Reference
The interface was minimal, relying on single-letter commands:
A (Assemble): Enter assembly instructions directly into memory.
U (Unassemble): Disassemble machine code back into assembly mnemonics.
R (Register): Display or modify the contents of the CPU registers (AX, BX, CX, DX, SP, BP, SI, DI, IP, Flags).
D (Dump): View the hexadecimal and ASCII representation of memory contents.
E (Enter): Edit memory bytes directly at a specific address.
T (Trace): Execute a single instruction and display the updated register states.
G (Go): Execute the program until a specified breakpoint or completion. Creating a “Hello World” .COM Program
You can use DEBUG to write a functional program manually by interacting with DOS multiplex interrupts (Interrupt 21h).
-a 100 XXXX:0100 mov ah, 09 ; DOS function: print string XXXX:0102 mov dx, 010c ; Point DX to the string offset XXXX:0105 int 21 ; Call DOS interrupt XXXX:0107 mov ax, 4c00 ; DOS function: exit program XXXX:010a int 21 ; Call DOS interrupt XXXX:010c db ‘Hello\(' ; String terminated with '\)’ XXXX:0112 -rcx CX 0000 :12 ; Set file size to 18 bytes -n hello.com ; Name the file -w ; Write to disk Writing 00012 bytes -q ; Quit Use code with caution. 2. Transitioning to Protected and Long Modes
As processors advanced to 32-bit (80386) and 64-bit (x86-64) architectures, the computing landscape shifted away from Real Mode limitations. Real Mode vs. Protected Mode vs. Long Mode
Real Mode (16-bit): Linear addressing up to 1 MB. No memory protection. Any program can crash the entire system.
Protected Mode (32-bit): Introduces Virtual Memory, Paging, and Privilege Rings (Ring 0 for kernel, Ring 3 for user land). Registers expand to 32 bits (EAX, EBX, etc.). Memory segments act as selectors pointing to Descriptor Tables rather than raw physical locations.
Long Mode (64-bit): Registers expand to 64 bits (RAX, RBX, etc.), adding 8 new general-purpose registers (R8-R15). Flat memory model replaces segmentation entirely for code and data. It supports vast linear address spaces and enforces NX (No-Execute) bits for enhanced security.
Because of these architectural shifts, 16-bit DEBUG.EXE cannot run natively on 64-bit operating systems without emulation environments like DOSBox. 3. Advanced Modern Assembly Environments
Modern assembly debugging requires tools capable of handling complex operating system APIs, multi-threaded execution, dynamic link libraries (DLLs), and virtualized memory spaces. x64dbg (Windows)
An open-source x64/x32 debugger for Windows, optimized for malware analysis and reverse engineering.
Interface: Graphical user interface (GUI) featuring synchronized views of disassembly, CPU registers, memory dumps, and the expression stack.
Key Feature: Dynamic instrumentation and robust plugin support (e.g., Scylla for dumping processes). GDB with GEF (Linux)
The GNU Debugger (GDB) is the standard for Linux environments. When paired with GEF (GDB Enhanced Features), it transforms into a highly visual tool for exploit development.
Interface: Command-line based but visually rich, rendering real-time register states, stack frames, and vector registers contextually on every step.
Key Feature: Deep integration with Python for scripting complex debugging automation. IDA Pro / Ghidra
While primarily Interactive Disassemblers, these tools feature built-in debuggers that map execution directly onto high-level control-flow graphs or decompiled C-like code. 4. Practical Exercise: Modern 64-Bit Debugging
To understand the difference between past and present tools, consider debugging a standard 64-bit binary inside GDB with GEF. Instead of looking at raw hex blocks, modern workflows emphasize context. Examination of Registers
When a breakpoint hits, advanced debuggers display high-level insights alongside the raw values:
\(rax : 0x0000000000000001 \)rbx : 0x00007fffffffe4a0 → 0x0000000000000001 \(rcx : 0x00007ffff7e43630 → <__libc_start_main+240> mov edi, eax \)rdx : 0x00007fffffffe4b8 → 0x00007fffffffe6e7 → “/path/to/binary” \(rsp : 0x00007fffffffe390 → 0x0000000000400540 → <_start+0> xor ebp, ebp \)rip : 0x0000000000400507 → Use code with caution.
Notice how the debugger automatically dereferences pointers to show that RDX points to an argv string array, and RCX references an internal standard C library function. Modern Debugging Flow
Instead of raw single-stepping (T), modern developers leverage:
Conditional Breakpoints: break main if $rdi > 5 (Stop execution only when conditions match).
Memory Watchpoints: watch0x7fffffffe390 (Halt execution the exact moment a specific memory value changes).
Backtracing: backtrace (View the entire nested chain of function calls leading to the current instruction).
From the limitations of a 16-bit command prompt to the massive multi-gigabyte virtual views of modern system tools, mastering debugging means understanding how code interacts directly with physical execution units. Whether fixing legacy industrial automation systems or analyzing advanced software vulnerabilities, the fundamental methodology remains unchanged: observe the registers, map the memory, and control the instruction pointer.
To help tailor this guide further,If you tell me your preferred operating system (Windows, Linux, macOS), the target architecture (x86, x64, ARM), or your specific use case (reverse engineering, malware analysis, OS development), I can provide highly specific commands and workflow examples.
Leave a Reply