User Interface

Zeta Debugger has a rich context sensitive help for each command. When you press Control, Alt or Shift keys or any combination of them, a help balloon will pop up on the screen near the panel owning the keyboard focus. From this balloon window you can either select commands by left mouse button click or by pressing appropriate character key.

Note that all functional keys, i.e. F1 - F10, reserved for the main frame window, whereas all character and movement keys are defined specifically for each panel.

Debugger's graphical interface consists of the following panels:

• Source - Source/module file panel
• Code - Disassembly panel
• CPU - Processor's registers, flags and stack frames.
  Note that for correct frame recognition your must use special compiler options to force usage of frame base pointer (EBP register). For VC compiler use option /Oy-
• Data - Data dump panel
• Log - Panel of your log file. By default the debugger uses it own logfile
• Watch - Panel of C expression to watch
• Map - Panel showing sections for the current module and current code/data positions within it
• Animator - Animation of program execution
• Menu - Menu panel for functional keys (F1-F10)
• Status - Status bar showing the mode, address location, last error, and so on.

Note: the debugger does not use stack panel, because it shows all procedures frames in the CPU panel.

Cover

The cover is an entry point to the debugger from which it starts. It appears only when no application is loaded into debugger and it allows you to quickly access to the last opened projects.

To launch one of projects from the list just double click on it, or select one of them and then press Enter key. To delete project from the list, press Delete button or Delete key.

Layouts

The debugger has a several number of predefined panel layouts which could be switched by pressing F4. Each of this layouts defines the size and placement of all debugger's panels at the moment. There are four such layouts. In the near future we slightly change these technique to allow mouse usage too.

The active panel, - the one which gets keyboard control focus, - always surrounded by black/yellow frame. You can select the active panel by left/right clicking on it or by pressing CONTROL+F(n) keys. For each panel there is a single key combination. To view associated with panels keys just press CONTROL key and holding it down look at the menu bar.

Moreover, there is a single passive panel in the debugger. The previous active panel always becomes passive, and you can switch between passive and active panels by pressing TAB key.

The active panel can be always zoomed in by F3 key. To restore its original size just press F3 key again.

Animation

You can view animation of your program execution by pressing F5 key. This mode allows the user to observe the execution through symbols interaction with one another.

Animation graph calculated based on special algorithm that is quite simple: the debugger periodically pauses your program's process, reads its stack frames, gets return addresses from them and converts them into symbols of functions. Those functions that most frequently detected on the top of the stack - moved up, others - pushed down and then disappear.

Links between nodes show how frequently one function calls another. The more times it calls another, the more move impulses it gets to the direction of this function, and gets closer and closer...

That is simple, but very effective.

Expressions

In every dialog that asks you for an address or a value, you can enter a C-like expression. Its syntax is not fully compatible with C language, some operators are missed: +=, -=, *= and so on, some added: -/, +/, [..], and some overloaded: ,.

Besides, C expressions can include asm expressions in type ptr [] brackets, so you do not need additionally to specify whether you mean C or ASM.

Operators

Here is the list of supported operators:

Offset -/ Negative byte offset +/ Positive byte offset -> Element of pointer or scalar structure . Element of pointer or scalar structure Logical || OR && AND ! NOT Comparison != Not equal == Equal <= Less or Equal >= Greater or Equal < Less > Greater

Arithmetic * Multiplication + Plus - Minus / Division % Mod Bitwise ~ NOT ^ XOR & AND | OR << Left shift >> Right shift Special ( .. ) Expression in braces [ .. ] Take address in assemply-like style { .. } Structure (Not Implemented Yet) , Delimits values of a list a ? x:y Retrieves x, when condition a is true, or y otherwise

Strings and byte sequences

You can use quoted strings in expression. Both ANSI and wide strings are supported. To specify ANSI string enbrace it into double quotes. To specify a wide string do the same and prefix it with L letter.

Examples of strings:

"Hello world!" // Ordinal string
L"Hello world!" // Widecharacter string
"Hello world!\n" // NL-terminated string
"Hello world!\0" // Zero-terminated string
"Hello world!", 0 // Zero-terminated string
6, "Hello!" // Length-prefixed string
72, 101, 108, 108, 111, 33, 0	// "Hello!" string using bytes
(int)77, (short) 0x1234	// Bytes 0x77, 0, 0, 0, 0x34, 0x12

All strings may contain backslach characters. There is a full list of them:

Symbol	Code	Purpose
\b	8	backspace
\t	9	tabulator
\n	10	new line
\v	11	vertical
\f	12	format
\r	13	carriage return
\e	27	escape
\s	32	space
\q	34	double quote
\"	34	double quote
\'	39	single quote
\036	30	octal number
\x1E	30	heximal number
\ space	no	visual delimiter

Interger numbers

Examples of integers:

-100
200
'MZ'

Unsigned numbers

Examples of unsigned integers:

0x100
0xFFFFffff
(dword) 0x100, 

Floating point numbers

Examples of floating point numbers:

0.1
1.999
(float) 1
1.51e4

Symbols

To accommodate all special characters used by compiler developers, the following character sequences allowed to be used for symbol identifiers: '@', '$', '??', '::', '::~'

Examples of symbols:

CreateFile
ImageList_Create
??_Gbad_cast@@UAEPAXI@Z
?terminate@@YAXXZ
Apllication::Create
Apllication::~Apllication

Types

To use C-like typecast operations in epxressions you must use the following keywords of types:

Sign	1 byte	2 bytes	4 bytes	8 bytes
Signed	char	short	long	quad
Unsigned	byte	word	dword	qword

For example, to fill some selected area with a word value 'Z', you can use the following expression: (word)'Z'. It will give you "Z\0\Z\0\Z\0\Z\0\Z\0" sequence as a result. Without the typecast operator the 'Z' token will be interpreted as a single character and your bytes would be "ZZZZZ".

Options

To simplify the work with debugger, almost all used options are saved between sessions. As usual, they saved into system's registry when you close the debugger and restored when you run it the next time. These options called globals.

But each time you load or open a new process, the debugger tries to find and then to open from process's parent directory a file with default name zd.ini, which contains local options that override the global ones. When you close the process, all local parameters saved back into this file, and all previous values of globals are restored.

In options dialog box there is a button called Flush Into Config that saves all globals into local file. After that, you can manually remove from the file only those options that must be global and leave others.

Workspace

There is another file called zd.job that is created by debugger for each process opened by you. All objects created during debugging session are saved there. It is loaded from the parent directory of debugged process and saved again into there when you close this process.

Format of this file is simple: each line until ';' contains one element, which can be one of the following: watch expression, comment, breakpoint or guard. At the start of each such a line comes a type identifier of the element, and then come all its agruments delimited by comma.

There are four types of elements:

Example of JOB file

watch "Count+1000";
watch argn;
break "_main+/0x25";
guard "&ItemList [100]", "ItemNum >= 100";

Command line

The debugger can be run from command line. It takes the following arguments:

PID:n         - Open to debug the process with specified PID idenitfier.
FILE:filename - Open to debug the executable file with specified name.
RUN[:address] - Run application until the specified address or symbol.
MAXIMIZE      - Maximize debugger's window when started.