30 replies to this topic

[Zorg]

Note: These are alpha builds. Tests builds, essentially. These are not stable releases. The latest stable release is 1.5.2

Mostly internal changes have been done so far:

*Dropped support for 32-bit architecture. Bit Slicer now requires 10.6 or later, and a 64-bit Intel Mac.

*Code signed. Friendly to Gatekeeper in Mountain Lion. Bit Slicer does not have to run as root anymore, and will bother you less about asking for your password.

*With that, I was able to finally enable document auto-saving.

*Improved process handling (determining when processes launch and terminate), and changed a bit how it works. When a process terminates, Bit Slicer will never randomly select another process now. Removed 'locking/unlocking' target option.

*Improved search performance a lot when choosing to search between a beginning and ending address.

*Fixed extra newline character for string representation of copying variable's in the table onto the clipboard.

*Code refactoring, turning ARC on, adding mach_port_deallocate() cleanup, tweaked memory viewer UI slightly, changed over to BSD open source license.

Bit Slicer alpha 1.6 alpha 1

[gamnark]

Not sure if it's been caught yet, but this version seems to break when using it on a non-admin account under 10.6.8, even after entering an admin username and password.

[Zorg]

gamnark, on 21 August 2012 - 10:22 AM, said:

Not sure if it's been caught yet, but this version seems to break when using it on a non-admin account under 10.6.8, even after entering an admin username and password.

I can't seem to reproduce this on a non-admin account, but I don't have a 10.6.8 machine lying around (although someone told me it has ran on his 10.6 machine, although most likely an admin account). What error did you get (if any?). Did it allow you to authenticate? If it did, what process/application was targeted in Bit Slicer? You can try this later alpha and see if the problem persists. [EDIT]: Also, does anything show up in Console app (spotlight it) if you filter for Bit Slicer?

[gamnark]

Tried again with the newer alpha, no change.
When it first launches, it targets the Finder by default, and asks to authenticate. After I enter the authentication, when I choose most other apps and it says "Failed accessing (whichever app)".

Some seem to work, I can target the Dock without the error for example. I don't see anything that matches in the console app.

[Zorg]

Have been kind of busy lately, but just posted a new alpha here:

Changes since alpha 1:
*Refined memory viewer, removed 'size' field, now you just enter an address you want to go to. Improved scrolling too.
*In-built calculator expressions are evaluated a little more carefully.
*Removed a bit of authorization that was unnecessary (only one dialog will should show up now).
*Improved performance for watching variables, especially strings.
*Printing out error messages to console if a process failed to be accessible, for debugging purposes.
*Fixed bug where changing variable's type may not update the variable's display value if the variable becomes inaccessible (eg: at the end of a virtual page with a size too long).

@gamnark: I had someone on 10.6.8 test it on a guest account and it seemed to work for him, so this is an odd problem.. I can't access some processes like loginwindow, although I think that's a normal case. If you go to Console app again, this build should spit out errors if you search for bit slicer. If you open Activity Monitor, the process ID's there should match with the process ID's in Bit Slicer (next to the process' name). Otherwise, maybe try restarting the computer and see if that changes anything.

[Zorg]

Alpha 4

Changes:
*Made optimizations to improve searching speed, including splitting work into separate tasks for initial search
*Inserted a "Data Inspector" in Memory menubar for the memory viewer; you can select a number of bytes and it will show you integer or float representation
*Can toggle between hex and base-10 notations for memory viewer addresses
*Fixed bug with reading one less character with 1-byte string (bug introduced in last alpha likely)

[Zorg]

Alpha 7, a big one:

Download

*Implemented Disassembler Viewer (and can edit byte arrays that show, and NOP instructions)
*Implemented "Watch Variable Change" feature (hardware watchpoints basically). Select a variable in a document, Tools -> Watch for Variable Changes. When variable changes, a new one will be added reflecting the instruction that changed that variable.
*Implemented contextual menu items for documents table (and disassembler). Can NOP instruction from document.
*Implemented Undo/Redo for changing memory protection in a document
*Implemented new way of detecting existing processes; Bit Slicer should show more processes than it did before, including child processes created by Terminal for example.
*Fixed bug where memory viewer may not auto-update if opened from an application launch restoration.
*Improved process detection handling with memory viewer.
*Slightly increased variable type column width.
*Scanning unwritable values is off by default now.

[EDIT]: Had uploaded new build since this post, fixing a couple of things.
[EDIT2]: Had uploaded another build again, fixing an instruction alignment bug when watching variables.

[Zorg]

Alpha 15:

Download

*Bit Slicer will now automatically change and revert protection attributes if the user wants to write to a variable whose protection is not marked as writable
*Fixed bug that made processes not show up if they were being manipulated by a debugger.
*You can add instruction breakpoints in the disassembler. Once a breakpoint is hit, you can continue, step into, step over to resume the process.
*You can jump to an address when a breakpoint is hit.
*You can view and modify the registers when a breakpoint is hit.
*Attempt to fix bug that gamnark had by limiting use of calling task_for_pid, although this is not very easy to reproduce.
*Improved process handling since last alphas such that Bit Slicer will consume less CPU usage in normal cases, and possibly also fixed a related crash.
*Added more contextual menu support for disassembler and document windows.
*Can copy instructions from disassembler and registers window to a document table.
*Improved narrow-search speed significantly, i.e, 10 second narrowing down search could take < 1 second.
*Disassembler can now view code that is not marked executable (eg, dynamically loaded branch tables)
*Added "Read or write" watchpoints (now called 'accesses' in the UI).

Appreciate any feedback for what works, and what bugs there may be. I've been working on this almost constantly lately.

[Zorg]

Alpha 16:

*Fixed CPU spike idling bug when bit slicer has scanned many variables.
*Canceling searches should be much more responsive; deallocation of temporarily allocated variables is handled on a separate thread
*Clearing should be more responsive; again, deallocation is handled on separate thread
*Scanning stored values should be faster as better search algorithm is being used.
*Disassembler and Register table rows are now draggable and droppable onto a slice document table.
*When watching for variable accesses, the name of the variable added is now the instruction text.

Download

[SlicerMan]

Hello,

I have suggestion for the "watch Variable" function,
The function stop automatically when he found the first instruction read/write the address. Because of this, If i search an other instruction, its can't possible to find.
I suggest to remplace it by a "Stop watch" button.
And why Watch variable have "Write Accesses", "Read & Write Accesses" and not "Read Accesses" ?

For the memory viewer, with the minium width of the window, each line show 4x  32 bit  +  2 byte,
like "CFFAEDFE 07000001 03000080 02000000 1500" for exemple, its a little disturbing. 4x 32 bit would be more correct.

Thanks for this great memory tools for the mac !

[Zorg]

SlicerMan, on 26 January 2013 - 04:33 PM, said:

Hello,

I have suggestion for the "watch Variable" function,
The function stop automatically when he found the first instruction read/write the address. Because of this, If i search an other instruction, its can't possible to find.
I suggest to remplace it by a "Stop watch" button.

That's a good point. I'm considering changing this to like you described. Bit Slicer would add each different instruction it encounters until the user stops.

SlicerMan, on 26 January 2013 - 04:33 PM, said:

And why Watch variable have "Write Accesses", "Read & Write Accesses" and not "Read Accesses" ?

Hardware supports "write" and "read and write" watchpoints, but it doesn't support "just reading" although I have not looked into how hard this would be to simulate.

SlicerMan, on 26 January 2013 - 04:33 PM, said:

For the memory viewer, with the minium width of the window, each line show 4x  32 bit  +  2 byte,
like "CFFAEDFE 07000001 03000080 02000000 1500" for exemple, its a little disturbing. 4x 32 bit would be more correct.

Resize the window to get it show the way you want. I could constrain it so it's impossible to resize it in a way where it would display unevenly.

Thanks for the feedback!

[Zorg]

Alpha 17:

*When watching instructions, the user now has to stop the process. This way, bit slicer can report multiple instructions that accessed an address.
*Stepping over an instruction should now respect the base pointer of the stack, thus should work properly with recursive functions.
*Moved memory protection and dumping memory to memory viewer component rather than slice documents.
*Improved tooltips for hovering over variables in a slice table. Now shows name, value, address formula, size in bytes, and protection attributes.
*Fixed bug where you could store all values even though target isn't alive.
*Added 'Store all Values' in the functions list.
*Pausing/Unpausing processes now works from memory viewer and disassembler. Disabled if the process hit a breakpoint via disassembler.
*Memory viewer can now only be resized such that number of bytes per line is divisible by 4.
*Added user notifications for OS X 10.8 users for when searches finish, breakpoints hits via disassembler, dumping all memory finished, and when a watchpoint hits.

Download

[Zorg]

Alpha 18:

*Added stepping out of a function.
*Fixed issue with freezing string variables if they are altered in the program with a different null-terminated length.
*32-bit integer is now default datatype again, accidentally broke this in previous build.

[Zorg]

Alpha 22:

*Added backtrace view when breakpoint is hit, turned registers panel into a part of the window (split view).
*Added debug symbols to disassembler if they're available.
*Stepping out of a function should respect the stack frame now.
*Breakpoints cannot be added, and one cannot step over/out into an area, whose protection isn't executable. If user desires to do so, change memory protection of the area using memory viewer. (Fixes running target from crashing).
*Added 'Copy Address' and 'Show in Memory Viewer' items (latter for disassembler window).
*Freezing variables now makes value text red instead of address.
*Experimental app icon.

[EDIT]: Quickly uploaded a version with a minor fix.

[EDIT2]: Another update:
*Fixed UI issues with displaying current address that is breakpoint'ed.
*Fixed backtrace-selection not changing disassembler view in certain case.

[NSObject]

Interesting for this to still be in development. I haven't taken a look at the source, but I'm guessing you use mach_vm? Good on you for writing a utility that uses it because of basically the complete lack of documentation of mach_vm.

[Zorg]

Yeah, Bit Slicer uses a handful of them. The API's are sometimes confusing to use.. Have you used them before?

Also, a new alpha:

Alpha 24:

• Added an assembler for modifiying instructions in the debugger. Eg: can change "sub ..." to "add ..."
  
• Watching current target terminate should be a little more reliable now
  
• Undo/Redo'ing byte array changes should now work better when the array sizes change, in debugger and documents
  
• If atos (used for debug symbols) is not found on user's machine, user is given an alert indicating so.
  
• Added Sparkle for updating now.
  
• Code signed frameworks and helper tools

[Zorg]

New alpha is out. Due to a bug, alpha 24 may not automatically notify users of a new update, so you'll have to check it manually, or download it here. I'm close to done with 1.6.

Alpha 28:

• Hopefully fixed rare-ish crash that occurred when performing a search
  
• Fixed bug where Sparkle may not automatically notify user of an update
  
• Search button is now changed to Store if function is Store All Values
  
• Added back and forward navigation to memory viewer and debugger
  
• Added menu item (to best of its ability) to go the function referenced by the currently selected call type instruction
  
• When setting a breakpoint or stepping over/out into a page whose protection isn't marked executable, we now automatically mark it executable before creating the breakpoint
  
• When scrolling all the way up or down in the debugger, new rows are added to the table as needed
  
• When going to an address in the debugger that is already in the table, we just go to it instead of disassembling all instructions again
  
• Fixed bug when the memory viewer window size may slowly grow each time it's shown
  
• Fixed resizing issues with the data inspector in the memory viewer
  
• Improved validation for checking if a variable can be shown in the disassembler or memory viewer
  
• When watching for variable accesses more than one time (i.e, watch, cancel, watch again), new results may have not been added; fixed this bug
  
• When modifying an instruction's text via the assembler, if the new instruction takes smaller or larger amount of space, we nop the leftover bytes to preserve alignment (and show an alert if we are overwriting more than one instruction)
  
• Added an alert to clear all variables in a document, as it's too easy to do accidently and the action is not un-doable
  
• Now pairing task_threads() with a mach_vm_deallocate() call
  
• Testing to see if updating notification will work

[Zorg]

Alpha 29:

• Hopefully fixed rare-ish crash that occurred when performing a search (again)
  
• Fixed raised-exception when copying a variable in a document (bug was introduced in last alpha)
  
• Implemented dragging variables from one document to another (this copies them). Trying to do this before actually caused a crash
  
• Improved performance and fixed crash with watching variable accesses where many accesses were hit frequently
  
• Validation for showing a variable in the debugger from a document only checks if its protection is readable now
  
• Autosaving is disabled if Bit Slicer is run as superuser for whatever reason
  
• Fixed back and forward navigation for memory viewer, causing it to show wrong addresses when going from one region to another
  
• When a user makes a search and only one variable is returned back, the table now becomes in focus
  
• Changed "Data type:" to "Data Type:" in document window
  
• Tons of refactoring
  
• Created a project page, a wiki, and a bug tracker on bitbucket. The help menu now redirects to the wiki

[what_are_answers]

I'm a little worried that the scope of these development builds is getting out of proportion and we won't ever see a 1.6 release. I know it feels good to add a lot of new features and improvements, but if you keep doing that you'll lose interest one day and everyone is left with an unstable program. Please, start finalizing the features for 1.6, fix bugs and get a release out!

Thanks for making Bit Slicer.

[Zorg]

I work on a new major version every once in a while. Once I am in the groove of working, it is difficult for me to lose interest. But I do have limited time, so I am trying to get this done as soon as possible (and I am now avoiding new features). There have been some major-stopper bugs/crashes that I have been encountering recently; sometimes they come about from trying to fix other issues. I am going to release another alpha quite shortly, possibly the final one, if it goes well enough from testing. Another thing I'm waiting on is for a friend to do some icon work, which I hope can get done by the week. Thanks for the feedback, I do understand the concern.

[EDIT]:
And here's the alpha:

Alpha 30

• Fixed a couple possible crashes when performing searches (one of them was introduced in last alpha likely)
  
• Preventing possible crash with the calculator evaluating an expression
  
• Search progress should be more accurate now
  
• Improved narrow-search performance slightly
  
• Prioritizing the selected instructions when going back and forth in debugger (making this less confusing to use)
  
• When asked to overwrite multiple instructions in debugger, cancel is now the default button to hit
  
• Fixed 32-bit integer not being default (must have messed this up recently)
  
• Making Scan Unwritable Values enabled by default again
  
• Nearing towards final release.

[what_are_answers]

Thanks for your reply.

Are you aware of any major memory leaking bugs with Bit Slicer? If, using the latest alpha you just posted, I open Bit Slicer and enter "0" into the "Value" field, leaving all other settings at the default (signed 32-bit Integer, "= Value" and the target being "Skype (20707)"), and click "search", the app starts eating memory at a rate of ½GB per second until the progress bar nearly reaches full at which point it slows down but the search never completes (it finds something like 50,000,000 values). Although the Bit Slicer window stays very responsive (almost no beach-balling) the "Cancel" button doesn't seem to work at that point. It becomes grayed out as if clicked, but the other controls don't become available and the app continues to consume more memory, albeit at a much slower rate.

I had similar issues with previous alphas.

I'm using OS X 10.6.8 (64-bit) and Skype 2.8.0.866.

[Zorg]

Because there's so many results (lots of millions), Bit Slicer will have a tough time adding all of the found variables. It's not likely a memory leak (I'm not aware of any after profiling), it's just a lot of data that is being stored locally in memory. I'd avoid scanning for 0 for your first search. There are many, many 0's in memory.

[what_are_answers]

True... searching for 0's would be rather pointless. It's happened to me with other/more specific searches before though, but I don't remember what the number of results were then so it might have been because as you say. I'll pay more attention next time it happens to me in an actual usage scenario. In any case, the cancel button ceasing to work - that's a bug, isn't it? If the program can eat 10 GB of memory in 20 seconds, surely it must be able to give it back in at least the same amount of time...

[Zorg]

what_are_answers, on 12 March 2013 - 07:43 PM, said:

True... searching for 0's would be rather pointless. It's happened to me with other/more specific searches before though, but I don't remember what the number of results were then so it might have been because as you say. I'll pay more attention next time it happens to me in an actual usage scenario. In any case, the cancel button ceasing to work - that's a bug, isn't it? If the program can eat 10 GB of memory in 20 seconds, surely it must be able to give it back in at least the same amount of time...

You can try this build here (don't have time to publish it to Sparkle/automatic-updating right now). Canceling should be more immediate for first search in this build. The more results the search generates, the longer it'll be to deallocate all the memory that was allocated (you can still use the app while it's deallocating though). This build also tries to fix the assembler (modifying instructions's text in debugger) not working on certain systems.

[Zorg]

Alpha 33

• Fixed (hopefully) assembler not working on some systems; that is, altering instruction's text in debugger.
  
• Fixed bug where in certain scenarios Bit Slicer would fail to detect when running target terminated
  
• Cancelling searches should have a slightly more immediate effect
  
• Added an alert for attempting to search zero on the first scan for seeing what values are equal with default begin/end markers because this is usually a bad idea, currently

[what_are_answers]

I'm impressed. The latest build has been working very well for me! Although I have to admit, I'm not using it to its fullest potential, yet. Thanks for the quick responses.

[Zorg]

Some time after 1.6's release, I'll try looking into optimizing searching such that it'll even be affordable to search for 0 first. The problem should be tied to with how I'm allocating results locally.

[what_are_answers]

That would be awesome. I look forward to it.

[Zorg]

Finally put up an official release. Also, I actually did look into searching more, and it should be considerably better now for millions of results and better on memory consumption as well, so I removed the alert for searching for 0.

[NSObject]

Zorg, on 30 January 2013 - 03:11 AM, said:

Hardware supports "write" and "read and write" watchpoints, but it doesn't support "just reading" although I have not looked into how hard this would be to simulate.

I haven't touched mach_vm in years, but I don't think you need to have read write access on a block you just want to read. I don't know much about hardware watch points, but for specific applications that might have some sort of restriction or write defense, can you create your own watchpoint system? Essentially an NSTimer and a vm_read instruction?