http://en.wikipedia.org/wiki/FR-V_%28microprocessor%29 used in DSLR and other stuff

• ignore and continue
• stop emulating there
• ...

ESIL exceptions should happen when trying to emulate an instruction that doesnt have an ESIL representation (marked as TODO). or it's just an invalid instruction.

Other kind of ESIL exceptions may happen when trying to read or write on non-allocated memory. This case is not handled yet. and we should have C callbacks for this case. /cc @condret

The disasm loop should handle data regions in a more handy way than we do right now

This can be solved with an special @@ foreach iterator. the idea is to allow r2 list all the sections of all the binaries mapped in memory, like (lldb) image dump sections does. This will be useful as an extend to dm to list memory regions.

This will be also useful when we add support for core files

• esil.os config-var
• there must be hooks in esilcallbacks reserved for tracing and hooks reserved for platform voodo custom
• explicit regprofiles in analplugins (don't expect the one from the debugger to be the correct choice for your emulation)
• more interrupt-handlers for x86, that depend on esil.os and anal.bits
• api to register syscalls, so we can hook them instead of hooking the interrupts for catching the syscalls
• fork-syscall (requires the 2 previous points)
  • clearing the question how brk-syscall could/should work in esil
  • switching between multiple esil-instances that have memory and reg-stats associated to them (this will cause a shitload of bugs, i think)
• redefining stuff with RLang
• open and load libs on aei
• Hook a native handler for esil to a specific pc=ADDR
• close those libs on esil-fini
• more people interested in esil
  • Write an article on the blog explaining how to use ESIL

Add a command, and proper checks in the breakpoint hit callback to skip in case the break occurs in a thread not listed.

https://github.com/mikeryan/sm5emu has emulator for sm5, we should support this (should be easy)

This will allow us to better track the r2pipe compatibility issues between releases. Which commands has changed its format, etc. just by diffing all the tests marked with this between two tags.
This is important after 1.0 imho

@milabs like this for example https://github.com/radare/radare2/blob/master/libr/anal/p/anal_x86_udis.c#L295

Open any radare2 build log to see something like:

x86_64-pc-linux-gnu-gcc -c -O0 -ggdb -O0 -ggdb -O0 -ggdb -MD -O0 -ggdb -MD   -fPIC -g -Wall -D__UNIX__=1 -O0 -ggdb -O0 -ggdb -MD   -fPIC -g -Wall -D__UNIX__=1 -O0 
-ggdb -O0 -ggdb -MD   -fPIC -g -Wall -D__UNIX__=1 -DCORELIB -I/var/tmp/portage/dev-util/radare2-9999/work/radare2-9999/libr/include 
-DGIT_TAP=\"0.9.8-1335-g7e79b19\" -o help.o help.c

It would be a good feature to cache the IO for slow connections via network or serial port, like debuggers for example.

• debugger
• rabin2

r2 needs to provide checksec information from the libraries loaded in memory. we already can extract this information from a specific module. and this is very useful when doing exploiting. So we must display that information in dm. or maybe just as a separate commnad implemented in a plugin.

FMI: https://github.com/philwantsfish/gdb_commands

We already have this implemented in 'dsue', but this command only accepts one expression (which can be complex and contain more than one condition), but it would be better if we could register them as watchpoints and use the r_bp api to manage them

Currently this field is not used at all; but it should be filled by the output of r_asm_disassemble (and reuse the asm decoding information to do the analysis). Also, as long as its not used, this will increase size and time for doing analysis, I would prefer to make it optional by adding a flags to choose what fields you want to fill from the analop.

https://theiphonewiki.com/wiki/IMG3_File_Format

We want to have breakpoints that may be defined when the lib or file is loaded. This is, for example a dependency library or a dlopen() where symbols are only available when the file is loaded.

This requires a different implementation for OSX/W32/NIX, and also, needs oa to be working, which actually it is not.

mona.py is a handy python script from corelan, designed to assist in exploits development. I don't know how much do we want r2 to be designed for this purpose, but I think that we should borrow some of their features:

• Building a complete ROP chain
• Badchar detection
• Jump to reg: search for pointers that will lead to execute the code located at the address pointed by a given register.
• Searching for specialized gadgets such as for SEH overwrite, stackpivots.
• Showing all loaded modules with all their security features.
• Find pattern in memory (marking if it's in SEH, sEIP or registers)
• Heap visualization.
• Display memory map (dm). This could be improved (ASLR/...)
• Assemble/disassemble.
• Search instructions/strings/...
• Cyclic patterns
• Search with wild-cards (like !mona findwild -s "push r32#*#pop eax#inc eax#*#retn")
• Analyse the heap, especially guessing pointers.

• fuzzing
• able to load binaries that rewrite their header
• rabin2 -C mz
• Add loading of segments like sections
• Add proper loading of entry point
• Add loading of relocation entries radareorg/radare2#1200
• pf support
• regression tests

Will be useful to search for gadgets that indirectly modify registers that are not implicit by the instruction. This is for example DIV on x86, which drops the mod in xDX.

This is.. some fuzzed bins turn to be problematic for other tools. So let's enhace binpatching support in r2 to fixup headers, sections, symbol names, methods and other susceptible thing to be messed up to allow non-r2 users to use their favourite buggy software.

Just to be able to show also the absolute offsets in the raw file, not only the relative ones.

Add support of parsing not only basic headers, but also section headers for these file formats:

• PE
• ELF
• Mach-O
• TE
• DEX
• Java CLASS

New commands

• dcumn (debug continue until mount notification)
• mn (mount notifications, to start inotify against current pid, or any)
• mn pid (specify pid)
• mn /etc (specify path)
• mn /etc 30482 (specify path and pid)

Resources

• iOS/OSX filemon
• Linux

Need to support C55X qualifies:

• .CR
• port
• mmap
• .LK
• .LR

Merging two or more nodes from the ascii art graph would be very useful, the idea behind this feature consists in the following:

• Add a key to toggle node compactness.
• We want to have more than one group
• Maybe we can just tag each block with a keyword and assign a random color to every tag to print the block box.
• Then add a key to group/ungroup all blocks with the same tag as the currently selected one.
• We can automatically add those tags to entry/exit/math/loop/...
• Graph should be relayouted after the grouping operation happens.
• Grouped nodes can have more than one in and out edges

Check if the file has changed every time it performs a read in order to reopen the file. the correct way to do that is by using mmap, but this can be useful in other situations

Basically printing a structured JSON exposing all the info of n instruction in tree form,
this way we can expose 'capstone-like' struct but for the ESIL representation. This will allow to expose the internals of the IL to the 3rd party scripts without a complex api.

this requires refactoring of current wb and wB commands

Sometimes if we want a faster analysis we can disable some features

• change blocksize (tune for performance?)
• do not follow references, only calls
• Code analysis loop should be pauseable
• Allow background analysis on single thread
• Split the analysis over multiple threads by groups of addresses

• Support in the comments (including the ascii graph mode radareorg/radare2#1098, radareorg/radare2#1675, radareorg/radare2#1566)
• Store the flags space and flag names in the SDB radareorg/radare2#2389
• Fix glitches in visual mode radareorg/radare2#2359
• Printing Unicode strings (including another formats (UTF-16, UTF-32, etc) radareorg/radare2#926
• Support in the panels https://asciinema.org/a/17305
• V! panels and Unicode (UTF-8)
• Unicode compatibility on Windows radareorg/radare2#7235
• p= commands and Unicode (UTF-8) radareorg/radare2#14351
• p- commands and Unicode (UTF-8) radareorg/radare2#14352
• Support in the strings operation (including the search operations)
• String references with emojis shown in disasm
• Support for the various code pages esp. code page 437, windows-1252, iso 8859-5?
• Support for right-to-left scripts e.g. Arabic, Hebrew, Persian ... with/without console support
• Support for character shaping e.g. for Arabic, Persian ... with/without console support
• Support for combining characters e.g. diacritics esp. in graph mode
• Graceful fallback for error cases esp. in graph mode

Adding a command to determine if a bug is exploitable would be really cool. This functionality is implemented as MIT license in a GDB plugin which is linked below.
https://github.com/jfoote/exploitable

We can probably copypasta the code from r2 -C as an initial version, but ideally, the whole visual.c should work with local and remote modes. !=! =!=

http://gameboy.mongenel.com/dmg/first.txt

Things that rop needs

• auto ropper (not soon)
• primitive detecting (pivot, leak, write-what-where, etc.)
• start at "end" gadgets and disassemble backwards (for speed) (pr radareorg/radare2#1835 )
• regexp search (pr radareorg/radare2#1679 )
• not search nx pages (only search in executable pages)
• remove the comma as a delimiter (perhaps use / as delimiter?) (pr radareorg/radare2#1722 semicolon delimeter)
• cache the results in sdb

It would be beneficial to be able to determine whether some exception such as an access violation has occurred during debugging. At the moment, it's only possible to do so by disassembling and determining this from cpu flags, signal received etc...

pancake: but for now you have to disassemble and try to determine this by reading the cpu flags, signal received, instruction, regstate, etc
pancake: this can be a nice TODO for the github issues list" -

pd~call,mov --> grep all CALL and MOVs

but if we do pd~call&mov it gets 0 results, because its not using & as separator. the correct syntax is: pd~&call,mov .. but this is probably not what the user would expect.

We should fix rcons to handle that syntax too

This will be useful when moving to SIOL (the io rewrite), or test different io plugins, and hash implementations. When searching we have a counter that shows the current hit count, address, etc.. but we should enhance this status line with bytes/second processed. we can add a config var to specify which option we want to use for that. (dunno if necessary)

OMAP4 community would love to use r2 on ducati bios images http://omappedia.org/wiki/Ducati_For_Dummies

I uploaded a variety of bios images from various OMAP4 devices below

CortexM3 bios images - http://goo.gl/4dndeg

I also linked some C6x assembly related content below

http://www.ti.com/lit/ug/spru189g/spru189g.pdf

http://cnx.org/contents/429524a4-6e7e-48f9-8899-18e5d5712116@1

http://www.cs.cmu.edu/afs/cs/academic/class/15745-s05/www/c6xref/tms320c6000.pdf

http://cnx.org/contents/7c6f27c8-b458-4976-ba26-dee0a14ceea4@1/C6x_Assembly_Programming

http://onlinelibrary.wiley.com/doi/10.1002/0471221120.appa/pdf

http://www.ti.com/lit/ug/spru198k/spru198k.pdf

http://www.ti.com/lit/ug/spru187v/spru187v.pdf

http://processors.wiki.ti.com/index.php/SYS/BIOS_Getting_Started_Guide

http://jason.sdsu.edu/c6x/ASSEMBLE.PDF

http://rtsc.eclipse.org/cdoc-tip/ti/targets/C64T.html

http://rtsc.eclipse.org/cdoc-tip/index.html#ti/

http://www.ti.com/lit/ug/spru186x/spru186x.pdf

http://www.cs.cmu.edu/afs/cs/academic/class/15745-s05/www/c6xref/tms320c6000.pdf

https://gcc.gnu.org/onlinedocs/gcc-4.7.3/gcc/C6X-Options.html

https://gcc.gnu.org/wiki/cauldron2013?action=AttachFile&do=get&target=port-gdb-tic6x-qi.pdf

Cauldron 2013 - Port GDB to the TI C6X Architectu…: http://youtu.be/nSL4jcQCeKg

https://github.com/potorange/binutils-tic6x-dis-16bits/commits/tic6x-dis-16bits

https://github.com/potorange/ais-disasm/commits/function-definition-and-boundary

https://github.com/Groundworkstech/pybfd/commits/master

https://github.com/WojciechMigda/gcc/commits/gcc-4.8.2-tic6x-elf-hybrid-pseudo-ops

https://github.com/WojciechMigda/c6xcoffdump/commits/develop

https://github.com/WojciechMigda/binutils/commits/bu-2.24-tic6x-coff

@milabs @XVilka

Thanks for this epic resource fellas r2 is really second to none ;)

Suggested by @radare
Read this before starting http://newosxbook.com/DMG.html

Like here: https://github.com/asciimoo/drawille

Autoanalysis

Wine already supports gdb protocol, but winedbg protocol is more advanced and add some useful options.

From fractalg:

This seems to be the procedure for te binaries

• The program image base should be set to the uin64t field ImageBase.
• The .text segment address should be:
  BaseOfCode - (StrippedSize - sizeof(EFI_TE_IMAGE_HEADER))
• The entrypoint address should be:
  BaseOfCode - (StrippedSize - sizeof(EFI_TE_IMAGE_HEADER)) + AddressOfEntryPoint
  The same formula is valid to process the segments virtual address:
  Start: BaseOfCode - (StrippedSize - sizeof(EFI_TE_IMAGE_HEADER))) + IMAGE_SECTION_HEADER->VirtualAddress
  End: start + IMAGE_SECTION_HEADER->Size of Raw Data (because alignment???)

The 'newc' file format is used for initial boot filesystem images. It could be nice to have support for identifying these. Maybe it isn't very high demand though? The specs are pretty well labeled:

https://www.kernel.org/doc/Documentation/early-userspace/buffer-format.txt

I may add it if no one else does once I add more features to the compressed Linux kernel (zimg) format.

Symbol postprocessing

• Only printable names
• Avoid dupped symnames
• Demangle

Also, we can also specify a rule to run a program before everything. this way we can write rarun2 script that runs a program to create an input file to be used by the stdin= rule

file header is: dec0170b
See also llvm-dis and clang -emit-llvm -c foo.c -o foo.bc

bitcode can be executed with the lli tool:

% mount -t binfmt_misc none /proc/sys/fs/binfmt_misc
% echo ':llvm:M::BC::/path/to/lli:' > /proc/sys/fs/binfmt_misc/register
% chmod u+x hello.bc   (if needed)
% ./hello.bc

Add this option to make debugger async (non-locking), this requires different changes in the debugger backend:

• we cant asume anything is sync (getregs, cont, step, ..)
• we need a way to determine the state of the queue of commands sent to the debugger backend
• never wait() blocking
• allow to send signals to child to make it stop instead of using ^C