fdbg0025
[+] AVX2 support added to disasm engine (not tested thoroughly)
     - possible errors in "Opxx.asm" could cause disasm engine to crash; please report any errors
[+] replaced SysListView32 with smoother windows; draws with BitBlt and DrawText
     - closing any child window causes all open children to disappear from face menu (needs fixing)
     - hardware breakpoints are not indicated in code window 
[+] FASM is used to parse/assemble edits to debuggee memory 
     - "ShellExecuteA" in the fxn "RequestFromUser" in "CPUChild.asm" should be replaced by a more robust solution
[+] windows positions are saved
[+] cpu window's subwindows' sizes can be changed by draging


fdbg0024
[+] AVX support:
        developpers: Alphonso, tthsqe (windows AVX APIs)
                     tthsqe (disasm engine for AVX instructions)




fdbg0023
[+] automatic correction for wrong OEP (the same as Rambo -> First blood) - prevents users from running possible malware without stopping it at executable entry point - I had this idea after reading Peter Ferrie article
[+] fixed one fdbg weakness and added automatically defeating one general antidebug trick sent to me by Peter Ferrie (based on overwriting int3 breakpoint using repeated string instruction)
[+] better and more clever way of reading debuggee memory at the end of contiguously allocated virtual memory
[-] fixed failure to obtain names of DLLs which don't have name exports (like windows 2008 server R2 x64 PROFAPI.DLL)
[+] new menu Rambo -> D-tox page attributes (you may edit page attributes and set a page guarded, not executable, read only, ... and then capture accesses on the page (e.g. after debuggee allocates a page for much postponded use you may select it PAGE_GUARD and the F9 run and after debugger shows EXCEPTION_GUARD_PAGE you have it...)
[+] comments in code (usefull for reversing)
[+] saving soft breakpoints and comments between 2 debug session, N.B. it is disabled by default (why? - read the help file) - enable it in the menu Face -> Various settings -> Reload comments and soft breakpoints
[-] fixed horizontal scrolling edited item in SysListView32 using horizontal scroll bar
[+] added some antidebug samples (not trivial to reverse) which debug itself fdbg0023_samples\self_dbg\*.* and also see fdbg0023_samples\entrypoint\a03.*
[-] corrected scrolling in code/data/stack - disallowing SysListView32 to contain more items than MaxLinesInSysListView32 (exceeded items caused unfunctionality of PAGE UP)
[+] added choices to break not only on exceptions (single step, breakpoint, divide by zero, access violation, ...) but also on CREATE_THREAD_DEBUG_EVENT, CREATE_PROCESS_DEBUG_EVENT, EXIT_THREAD_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT, UNLOAD_DLL_DEBUG_EVENT, OUTPUT_DEBUG_STRING_EVENT, RIP_EVENT (to enable dumping the memory of process before EXIT_PROCESS_DEBUG_EVENT, stepping newly created thread before it starts to run after CREATE_THREAD_DEBUG_EVENT, debugging DLL init procedures after LOAD_DLL_DEBUG_EVENT - note this features are disabled by default, you must enable them in the menu Face -> Various settings) - to train these features try fdbg0023_samples\debug_dll_init\*.*, fdbg0023_samples\debug_process_start\*.*, fdbg0023_samples\debug_thread_start\*.*
[+] new menu Rambo -> PEB.BeingDebugged Eraser (analogy with Rambo -> IsDebuggerPresent fight, but this menu erases the memory directly without creating remote thread)
[+] showing DLL EntryPoint (DLL init, DLL main) in the Log - it allows to debug init procedure of DLL, see fdbg0023_samples\debug_dll_init\a00.asm and it also allows to easier debug fdbg0023_samples\entrypoint\a03.*

fdbg0022
[+] added a choice to run until return from procedure (Action -> Return from procedure Alt-F8)
[+] added a choice of setting breakpoint at export from executable (Breakpoint -> Breakpoint at symbol), this function pretends to be clever (it tries to guess what do you mean)
these 2 functions may be used to capture unpacked/decrypted executable, e.g. most of console programs call GetStdHandle, WriteFile at the early begin of their execution, most of GUI programs call GetModuleHandleA, GetModuleHandleW, DialogBoxParamA, DialogBoxParamW, RegisterClassExA, RegisterClassExW, CreateWindowExA, CreateWindowExW
so you can easily uncompress/decrypt an executable by doing these 4 steps:
- enable Rambo -> IsDebuggerPresent fight
- put breakpoints at these DLL exports (Breakpoint -> Breakpoint at symbol) - GetStdHandle, WriteFile, GetModuleHandleA, GetModuleHandleW, DialogBoxParamA, DialogBoxParamW, RegisterClassExA, RegisterClassExW, CreateWindowExA, CreateWindowExW
- run executable (F9)
- return from procedure (Alt-F8)

fdbg0021
[+] new choice in the menu Face -> Various settings: double click selects the item
[-] a rabbit reported problem with removing permanent software breakpoint (set permanent soft bp at some address, run debuggee, when this bp hits, remove it, then execute single step, int3 instruction is incorrectly still at the address although such record was erased from debugger internal buffer) - corrected
[+] added info after instructions of conditional jumps at current RIP whether the condition(s) meet(s) and the conditional jump occure = string '-> YES' or whether condition(s) do(es)n't meet and execution continues at the following instruction = string '-> No'

fdbg0020
[-] fixed the bug when Explore->Find (missed one new input param for procedure)
[+] removed all procedures using st/mm registers and ported them to xmm registers (editing values in floating point registers still uses st registers)
[-] corrected displaying not present virtual memory in data (now shown ???????? instead of mess)
[-] fixed crash when trying to obtain some module names
[-] fixed command line problem in windows 2008 server R2 (windows 7 should have the same kernel) - missing 1 input param of CreateThread
[!] backdoor for branching support works for Intel CPUs at win2008 server x64 R2 kernel (the same kernel as windows 7)

.text:00000001400723B0 KiSaveDebugRegisterState proc near      ; CODE XREF: KiApcInterrupt+78p
.text:00000001400723B0                                         ; .text:00000001400504F9p ...
.text:00000001400723B0                 mov     r9, gs:18h
.text:00000001400723B9                 mov     rax, dr0
.text:00000001400723BC                 mov     rdx, dr1
.text:00000001400723BF                 mov     [rbp+58h], rax
.text:00000001400723C3                 mov     [rbp+60h], rdx
.text:00000001400723C7                 mov     rax, dr2
.text:00000001400723CA                 mov     rdx, dr3
.text:00000001400723CD                 mov     [rbp+68h], rax
.text:00000001400723D1                 mov     [rbp+70h], rdx
.text:00000001400723D5                 mov     rax, dr6
.text:00000001400723D8                 mov     rdx, dr7
.text:00000001400723DB                 mov     [rbp+78h], rax
.text:00000001400723DF                 mov     [rbp+80h], rdx
.text:00000001400723E6                 xor     eax, eax
.text:00000001400723E8                 mov     dr7, rax
.text:00000001400723EB                 test    byte ptr gs:4D4Ah, 2
.text:00000001400723F4                 jz      short loc_140072473
.text:00000001400723F6                 test    dx, 300h
.text:00000001400723FB                 jz      short loc_140072473
.text:00000001400723FD                 mov     r8d, cs:KiLastBranchTOSMSR
.text:0000000140072404                 or      r8d, r8d
.text:0000000140072407                 jz      short loc_140072411
.text:0000000140072409                 mov     ecx, r8d
.text:000000014007240C                 rdmsr
.text:000000014007240E                 mov     r8d, eax
.text:0000000140072411
.text:0000000140072411 loc_140072411:                          ; CODE XREF: KiSaveDebugRegisterState+57j
.text:0000000140072411                 mov     ecx, cs:KiLastBranchFromBaseMSR
.text:0000000140072417                 add     ecx, r8d
.text:000000014007241A                 rdmsr
.text:000000014007241C                 mov     [rbp+98h], eax
.text:0000000140072422                 mov     ecx, cs:KiLastBranchToBaseMSR
.text:0000000140072428                 mov     [rbp+9Ch], edx
.text:000000014007242E                 add     ecx, r8d
.text:0000000140072431                 rdmsr
.text:0000000140072433                 mov     [rbp+90h], eax
.text:0000000140072439                 mov     [rbp+94h], edx
.text:000000014007243F                 mov     ecx, cs:KiLastExceptionFromBaseMSR
.text:0000000140072445                 rdmsr
.text:0000000140072447                 mov     [rbp+0A8h], eax
.text:000000014007244D                 mov     [rbp+0ACh], edx
.text:0000000140072453                 mov     ecx, cs:KiLastExceptionToBaseMSR
.text:0000000140072459                 rdmsr
.text:000000014007245B                 mov     [rbp+0A0h], eax
.text:0000000140072461                 mov     [rbp+0A4h], edx
.text:0000000140072467                 mov     ecx, 1D9h
.text:000000014007246C                 rdmsr
.text:000000014007246E                 and     eax, 0FFFFFFFCh
.text:0000000140072471                 wrmsr
.text:0000000140072473
.text:0000000140072473 loc_140072473:                          ; CODE XREF: KiSaveDebugRegisterState+44j
.text:0000000140072473                                         ; KiSaveDebugRegisterState+4Bj
.text:0000000140072473                 test    word ptr [r9+208h], 355h
.text:000000014007247D                 jz      short locret_1400724EB
.text:000000014007247F                 mov     rax, [r9+1E0h]
.text:0000000140072486                 mov     rdx, [r9+1E8h]
.text:000000014007248D                 mov     dr0, rax
.text:0000000140072490                 mov     dr1, rdx
.text:0000000140072493                 mov     rax, [r9+1F0h]
.text:000000014007249A                 mov     rdx, [r9+1F8h]
.text:00000001400724A1                 mov     dr2, rax
.text:00000001400724A4                 mov     dr3, rdx
.text:00000001400724A7                 mov     rdx, [r9+208h]
.text:00000001400724AE                 xor     eax, eax
.text:00000001400724B0                 mov     dr6, rax
.text:00000001400724B3                 mov     dr7, rdx
.text:00000001400724B6                 test    byte ptr gs:4D4Ah, 2
.text:00000001400724BF                 jz      short locret_1400724EB
.text:00000001400724C1                 test    dx, 200h
.text:00000001400724C6                 jz      short loc_1400724CB
.text:00000001400724C8                 or      eax, 2
.text:00000001400724CB
.text:00000001400724CB loc_1400724CB:                          ; CODE XREF: KiSaveDebugRegisterState+116j
.text:00000001400724CB                 test    dx, 100h
.text:00000001400724D0                 jz      short loc_1400724D5
.text:00000001400724D2                 or      eax, 1
.text:00000001400724D5
.text:00000001400724D5 loc_1400724D5:                          ; CODE XREF: KiSaveDebugRegisterState+120j
.text:00000001400724D5                 test    eax, eax
.text:00000001400724D7                 jz      short locret_1400724EB
.text:00000001400724D9                 mov     r8d, eax
.text:00000001400724DC                 mov     ecx, 1D9h
.text:00000001400724E1                 rdmsr
.text:00000001400724E3                 and     eax, 0FFFFFFFCh
.text:00000001400724E6                 or      eax, r8d
.text:00000001400724E9                 wrmsr
.text:00000001400724EB
.text:00000001400724EB locret_1400724EB:                       ; CODE XREF: KiSaveDebugRegisterState+CDj
.text:00000001400724EB                                         ; KiSaveDebugRegisterState+10Fj ...
.text:00000001400724EB                 retn    0
.text:00000001400724EB KiSaveDebugRegisterState endp




fdbg001F
[+] clicking on any column header showing Data 1st, Data 2nd, Data 3rd toggles among displaying data as qwords/dwords/words/bytes
[+] if any MDI child window is minimized, any fields aren't updated there which speeds up the debugger (especially displaying all MDI child windows under win2008 kernels are so slow that when holding F7 or F8 key down, not every keystoke is accepted and some of them are discarded (interval between repeated keystrokes is shorter than time consumed to display every child windows, in this case minimizing less important windows like Segment Registers may improve performace)
[-] fixed the TEST R8B disassembling mistake (DIV/IDIV/MUL/IMUL/NOT instructions affected also) - incorrectly disassembled as test al, wrong REX.R, now correct REX.B prefix

fdbg001E
[?] removed exception handler to allow GetOpenFileName to go over unfinished parts in DLL shipped with windows

fdbg001D
[+] passing executable via command line parameter - bitRAKE, thanks for idea !

fdbg001C
[-] fixed bug when disassembling instructions like vmxon qword [gs:r9+r15*8-470h] (previosly incorrectly disassembled without the displacement -470h)
[+] check whether LAHF/SAHF supported (may lead into very rare incorrect results in SMP machines where CPUs are different, e.g. one CPU supports LAHF/SAHF and another not, procedure checking those instructions support may run at one CPU and disassemble engine or debugge may run at another CPU)

fdbg001B
[-] iretq/iret instructions disassembled correctly
[+] support for some intel vmx instructions
[-] fixed LAR and LSL missing destination operand
[+] goto command (keystroke shortcut G) - alorent's idea, thanks man!
[-] fixed missing path for the fdbg help file (necessity to do it in that way in SP2 for win2003)

fdbg001A
[?] testing stage: driver for saving LastBranch... and for step on branches (Action -> Trace into F7 does "bigger steps") try them on z.exe sample
    please go to www.amd.com then download 24593.pdf then read chapter 13.2.5 Control-Transfer Breakpoint Features
    For Vista, you must do these steps:
    - During boot, press F8 and then select
    - Disable Driver Signature Enforcement
    - Righ click on fdbg.exe and select Run as administrator
    you still risk BSOD by patchguard (present in XP_x64 / w2003_x64 as well in Vista_x64 / w2008_x64)
[!] discovered MS backdoor (works only at AMD processors, doesn't work on Intel) to play with DebugCtlMSR.LBR and DebugCtlMSR.BTF !!! so developping driver is now less necessary... (but driver is still more accurate at saving LastBranchFromIP immediatelly at start of exception handler (ms exception handlers destroy this value by doing call before safing branches) and Intel supports even more branches records than AMD... Usually LastBranchFromIP=address_of_exception so we needn't to worry about destroying LastBranchFromIP since address of exception is well known (except int3 exceptions caused by CC, CD03 where microsoft exception handler reports incorrect exception address inside CD03 instruction and LastBranchFromIP reports it correctly at the begin of CD03)
[-] Alt-F9 uses HW BP when Rambo -> CC Collateral Damage
[?] instruction execution breakpoint - resume by setting rflags.RF (more effective and simpler than the old simulation procedures)
    wrong !!! rolling back to old way...
[-] fixed incorrect disassembling of 410F20E0 mov r8 (should be mov r8,cr4)
[-] fixed setting GE and LE bits of debug registers when setting HW BP, just check what does setting of GE bit (it enables DebugCtlMSR.BTF, it is microsoft undocumented backdoor to setting this bit) and LE bit (enables DebugCtlMSR.LBR branches recording)
[-] fixed small mistake in disassemble back procedure
[+] call stack support (explore -> stack)
[+] Rambo -> Stop on TLS callback, see  fdbg001A_samples\TLS_callback\a00.exe and 01.exe (for a manual way see fdbg001A_samples\TLS_callback\howto.txt)
[?] my idea: 837C085C01 cmp dword [rax+rcx*1+5C],01 - should be ...,00000001 = BULLSHIT ! Change discarded. Changing the old way is a step back. The old way is good.



fdbg001A_samples\branches\a00.exe
0000000100001000	4883EC78	sub rsp,78
0000000100001004	B902000000	mov ecx,00000002
0000000100001009	E812000000	call 0000000100001020
000000010000100E	4883C478	add rsp,78
0000000100001012	31C0		xor eax,eax
0000000100001014	C3		ret 
0000000100001020	4883EC38	sub rsp,38
0000000100001024	FFC9		dec ecx
0000000100001026	E815000000	call 0000000100001040
000000010000102B	E2F7		loopq 0000000100001024
000000010000102D	4883C438	add rsp,38
0000000100001031	C3		ret 
0000000100001040	BA10000000	mov edx,00000010
0000000100001045	31C0		xor eax,eax
0000000100001047	8B01		mov eax,[rcx] ; [0000000000000001]=?
0000000100001049	C3		ret 

fdbg20071017
Copying driver into system OK (Sys -> Copy driver into system)
Installing driver OK (Sys -> Install driver)
Starting driver OK (Sys -> Start driver)
Hooking exceptions OK (Sys -> Hook Exceptions)
Enabling Branches Recording OK (Sys -> Enable Branches Recording)
(Ctrl+E -> z.exe)
Process created. ProcessId=00000CB4h ThreadId=00000414h BaseOfImage=0000000100000000-0000000100002000h ThreadLocalBase=000007FFFFFDD000h ThreadStartAddress=0000000100001000h
Software breakpoint No. 00000000h was set. ProcesId=00000CB4h Address=0000000100001000h flag=temporary (will be removed after its trigger)
Loaded dll. ProcessId=00000CB4h ThreadId=00000414h BaseOfDll=0000000078EC0000-0000000078FF9000h DllName=ntdll.dll
Loaded dll. ProcessId=00000CB4h ThreadId=00000414h BaseOfDll=0000000078D40000-0000000078EB2000h DllName=KERNEL32.dll
Temporary software breakpoint No. 00000000h triggered.
LastBranchFromIP=0000000100001000h
LastBranchToIP=FFFFFADFE5149580h
LastExceptionFromIP=0000000078D59658h
LastExceptionToIP=0000000100001000h
Software breakpoint No. 00000000h was removed from address=0000000100001000h of the process PID=00000CB4h flag=temporary
(Action -> Run F9)
Exception. ProcessId=00000CB4h ThreadId=00000414h Address=0000000100001047h ExceptionCode=C0000005h=EXCEPTION_ACCESS_VIOLATION first_chance
LastBranchFromIP=0000000100001047h
LastBranchToIP=FFFFFADFE51496E0h
LastExceptionFromIP=0000000100001026h
LastExceptionToIP=0000000100001040h
Stoping driver OK (Sys -> Stop driver)
Removing driver OK (Sys -> Remove driver)
Deleting driver from system OK (Sys -> Delete driver from system)



Note - addresses in branches:
FFFFFxxxxxxxxxxxh means address in OS kernel (fdbg.sys driver) - address of exception handler
0000000078xxxxxxh means address in user mode system DLL (e.g. kernel32.dll)



Note, hooking interrupts is very hot action. Win x64 (XP as well Vi$ta) checks kernel integrity and reboots PC when any of protected parts of kernel and CPU settings is compromitted. The interval of checks is randomly between 5 and 10 minutes.
So, you must reboot your PC, do what do you want and UNHOOK interrupts til 5 minutes since boot.
If you don't manage it, or you leave interrupts hooked 10 minutes, then you certainly encounter BSOD (blue screen of death) with something like this:

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
 or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
 debugger that was not attached when the system was booted. Normal breakpoints,
 "bp", can only be set if the debugger is attached at boot time. Hardware
 breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d89322659e, Reserved
Arg2: b3b7465ee59ffeab, Reserved
Arg3: fffff80002865070, Failure type dependent information
Arg4: 0000000000000002, Type of corrupted region, can be
	0 : A generic data region
	1 : Modification of a function or .pdata
	2 : A processor IDT
	3 : A processor GDT
	4 : Type 1 process list corruption
	5 : Type 2 process list corruption
	6 : Debug routine modification
	7 : Critical MSR modification



I have a theoretical design how to cheat the Patchguard, I need a time to do it in reality...
While playing with kernel to cheat Patchguard, I discovered a backdoor for cooperation with branches directly from user-mode without the necessity of any driver !!!



fdbg0019
[-] fixed bug in Rambo -> TrapFlag anti-terminator terminator (all previous versions buggy did STEPOVER on CALL LOOP REP when StepInto=singleStep was requested)
[+] loop, jrcxz support showing symbols too
[+] found easy way how to make debug symbols in exe (the same as exports in DLL - several months supported but forgotten feature...
    it didn't require any change into fdbg, just added symbols_easy\*.* into fdbg0019_samples.zip

fdbg0018
[?] added NOP instruction for 0F19 - 0F1E (undocumented, on demand of antidebug developers)
[-] one step only allowed iF key repeats (especially slow Vista was able to accept more keystrokes repeats during execution of 1 loop between ContinueDebugEvent and WaitForDebugEvent)
[+] Rambo -> First Blood (weapon anti fdbg0018_samples\entrypoint\a00.exe IMAGE_OPTIONAL_HEADER64.BaseOfCode=0, it must be < 10000h so win places it higher at least at 10000h)

fdbg0017
[+] improved disassembling of instructions starting with byte 83
    e.g. 4183D7F4 adc r15d,FFFFFFF4
         664183DEF5 sbb si,FFF5
         4883E0FE and rax,FFFFFFFFFFFFFFFE
         4881059CFFFFFFE0FCFFFF add qword [0000000000401000],FFFFFFFFFFFFFCE0
[-] fixed disassemble mistake of mov special registers (CR, TR, DR, ...)
[?] microsoft symbols are disabled by default, caused bugs after installing LiveKD - thanx to Krod - another solution is to remove _NT_SYMBOL_PATH environment variable (added by LiveKD). Krod reversed SymIntialize, and discovered that symsvrClose(void) tried to free a module already freed.
it was caused by calling ntdll.RtlImageNtHeaderEx with RDX=-2 (-2=FFFFFFFFFFFFFFFEh=handle of current thread)
[-] fixed crash after loading 32-bit executables, thanx to Garthower, only PE32+ allowed now
[-] distinguishing between systret and sysretq 
    sysret 0F07 return to 32-bit code, being from 64-bit code to compatibility mode in long mode, or being in legacy mode
    sysretq 480F07 return to 64-bit code

fdbg0016
[+] MazeGen idea - added hexa value for eflags part of rflags register
[-] fixed stack misalignments, thanx to these 2 mine programs and commands:
    disasm.exe fdbg.exe
    fxa16.exe fdbg.d64

fdbg0015
[+] new face of the help file, thanx to MazeGen
[+] Rambo -> CC Collateral Damage (replacing SW BP with HW BP if possible) - usefull for self modifying code, calculate code-self-crc, some antidebugs
    thanx to FRET BaeBA http://beatrix2004.free.fr/BeaBA/BeaBA.rar for kicking me up for thinking about new antidebugs
[-] fixed mistake when displaying stack when the address Stack MDI Child windows is in unaccessible memory

fdbg0014
[-] fixed ugly bug of version 0013 procedure when reading unaccessible memory

fdbg0013
[?] fixed odd behaviour of loading DLLs observed in Vista x64 (thanx to r22 for producing such a DLL)
    (Vista isn't able to read the whole image of DLL by ReadProcessMemory in one step)

fdbg0012
[+] rounding floating point numbers (e.g. 1.00000000000000000*10^0012 instead of 9.99999999999999999*10^11 when e.g. first 35 digits of floating point number are 9)

fdbg0011
[-] fixed bug in displaying of floating point numbers - thanx to Garthower
[-] fixed bug when changing floating point number registers
[+] started to rewrite procedures without usage of floating point instructions to avoid FPU fnstnev antidebug trick

fdbg0010
[+] more accurate disassemble back routine
[+] added possibility for code 1st to start displaying some instructions back (not from RIP exactly),
    set it in Face -> Various face settings -> Code 1st disassemble back instructions.
    0 is there the default choice, but perhaps somebody wants to have real number there.
    Please note that you can turn on logging single steps and steps over by unchecking
    checkboxes just above this settings.

fdbg000F
[+] status window
[+] you can enter 64-bit register name (rax rbx rcx ... r15 rip) instead of hexa address in address column of code data stack

fdbg000E
[-] fixed bug when disassembling imul reg16,reg16/mem,val as reg32 and missing content on [mem]
[+] more user-friendly displaying of floating point registers

fdbg000D
[+] added support for displaying content at disassembled address like:
    xor qword [rbp+rbx*8+0],9A2FC517 ; [000000010000308C]=0000000078CC9A80=USER32.MessageBoxA
    mov rdx,[0000000100003150] ; []=0000000000000045
    GS mov rax,[00000030] ; [000007FFFFFDE030]=000007FFFFFDE000
    if there is any register in brackets, RIP have to be on the instruction for display something (because executing instruction changes RIP + executing instruction may change register in brackets)
[-] corrected mistake of editing code->hexa when instruction size exceeded 8 bytes
[-] fixed few disassembler mistakes
[+] more accurate 80-bit floatings (due to the setting of floating control word precision bits to 11b = 64 bit precision mantissa)
[+] added Explore->Memory->List of pages
[-] fixed bug in displaying of DLL names in the Log window
[?] final exe was to big, so I decided to compress it, shrinked to less than 40% of its original size
    [?] because I don't know whether it is good [+] or bad [-]
    it should be good to defeat antidebugs searching for e.g. kernel32.WaitForDebugEvent or ntdll.NtWaitForDebugEvent in imports of its parent process
    it could be bad because I could violate some PE32+ rules (any violation isn't known to me yet, but nobody can be sure...)
[+] added support for writing-at-once through borders on pages with different access flags, e.g. writing code (read execute) and data (read write) from one file (or even you can now write the whole executable image = header + code + data + resource + imports + ...  from one file at once !!!)

fdbg000C
[+] added multibyte NOP instruction, AMD64 Pacifica instructions (disallowed in long mode RING3, usefull only for detecting malware)
[-] fixed bugs in proc_UNLOAD_DLL_DEBUG_EVENT, find_first_empty_slot_put_SW_BP_temporary_flag, find_first_empty_slot_put_SW_BP_permanent_flag
[+] added attaching to a process
[+] added debug symbols support (thanx to dbghelp.dll for doing this dirty job...)
[+] doubleclicking on Imports copies the whole line of your interest (all iSubitems of the iItem) into LogEdit
    then you can there comfortable select and copy (Ctrl-C) address and put breakpoint on it (Alt-F2 -> Ctrl-V)
    the return address in the stack after triggering breakpoint is the address of the instruction just after call the API
    I suppose kernel32 GetSystemTime, GetLocalTime, SystemTimeToFileTime, GetSystemTimeAsFileTime, ...
    are the hottest APIs of the interest of some type of guys playing with some type of program not having its sources
[-] I don't know how to fix this: Help doesn't work fast after attaching to test_attach.exe sample
    You have to wait about 10 seconds !!! Help starts to work quickly after exit of second thread of the sample...
[+] Rambo menu from fdbg000A is back !!!

fdbg000B
[+] the source code of fdbg000A completely rewritten from the base
[+] totaly new face, based on MDI, every ListView or Edit is on its own MDI child window
[+] comfortable face settings
[+] SysListView32 items don't loose their colors
[+] new debug loop design
[+] Successfully managed temporary/permanent SW as well HW breakpoints. Please don't set both
    permanent on the same RIP, I'm not able to manage this choice yet.
[+] fixed mistake in disasm engine (some SIB32 indexing opcodes, e.g. disasm of db 43h,80h,7ch,65h,04h,0b8h = cmp byte [r13+r12*2+04],-48)
