We have a new website! If you want to contribute, have a look at the repository!
sudo pip install sphinx
cd radareorg
sphinx-build source build
Open index.html, located in the build directory, to start reading the documentation.
http://en.wikipedia.org/wiki/FR-V_%28microprocessor%29 used in DSLR and other stuff
ESIL exceptions should happen when trying to emulate an instruction that doesn't have an ESIL representation (marked as TODO), or when it's just an invalid instruction.
Other kinds of ESIL exceptions may happen when trying to read or write non-allocated memory. This case is not handled yet, and we should have C callbacks for it. /cc @condret
The disasm loop should handle data regions in a more handy way than we do right now
This can be solved with a special @@ foreach iterator. The idea is to allow r2 to list all the sections of all the binaries mapped in memory, like (lldb) image dump sections does. This will be useful as an extension to dm to list memory regions. This will also be useful when we add support for core files.
esil.os
config-varpc=ADDR
Add a command, and proper checks in the breakpoint hit callback to skip in case the break occurs in a thread not listed.
https://github.com/mikeryan/sm5emu has emulator for sm5, we should support this (should be easy)
This will allow us to better track the r2pipe compatibility issues between releases: which commands have changed their format, etc., just by diffing all the tests marked with this between two tags.
This is important after 1.0 imho
@milabs like this for example https://github.com/radare/radare2/blob/master/libr/anal/p/anal_x86_udis.c#L295
Open any radare2 build log to see something like:
x86_64-pc-linux-gnu-gcc -c -O0 -ggdb -O0 -ggdb -O0 -ggdb -MD -O0 -ggdb -MD -fPIC -g -Wall -D__UNIX__=1 -O0 -ggdb -O0 -ggdb -MD -fPIC -g -Wall -D__UNIX__=1 -O0 -ggdb -O0 -ggdb -MD -fPIC -g -Wall -D__UNIX__=1 -DCORELIB -I/var/tmp/portage/dev-util/radare2-9999/work/radare2-9999/libr/include -DGIT_TAP=\"0.9.8-1335-g7e79b19\" -o help.o help.c
It would be a good feature to cache the IO for slow connections via network or serial port, like debuggers for example.
r2 needs to provide checksec information from the libraries loaded in memory. We already can extract this information from a specific module, and this is very useful when exploiting. So we must display that information in dm, or maybe just as a separate command implemented in a plugin.
We already have this implemented in 'dsue', but this command only accepts one expression (which can be complex and contain more than one condition), but it would be better if we could register them as watchpoints and use the r_bp api to manage them
Currently this field is not used at all, but it should be filled by the output of r_asm_disassemble (and reuse the asm decoding information to do the analysis). Also, as long as it's not used, this increases the size and time of analysis; I would prefer to make it optional by adding flags to choose which fields you want to fill from the analop.
We want to have breakpoints that may be defined when the lib or file is loaded. This is, for example, a dependency library or a dlopen() where symbols are only available when the file is loaded.
This requires a different implementation for OSX/W32/NIX, and also needs oa to be working, which it actually is not.
mona.py is a handy Python script from Corelan, designed to assist in exploit development. I don't know how much we want r2 to be designed for this purpose, but I think that we should borrow some of their features:
dm
). This could be improved (ASLR/...)!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"
)
pf support
Will be useful to search for gadgets that indirectly modify registers in a way that is not implied by the instruction. This is, for example, DIV on x86, which drops the mod in xDX.
This is.. some fuzzed bins turn out to be problematic for other tools. So let's enhance binpatching support in r2 to fix up headers, sections, symbol names, methods and other things susceptible to being messed up, to allow non-r2 users to use their favourite buggy software.
Just to be able to also show the absolute offsets in the raw file, not only the relative ones.
Add support for parsing not only basic headers, but also section headers, for these file formats:
dcumn (debug continue until mount notification)
mn (mount notifications, to start inotify against current pid, or any)
mn pid (specify pid)
mn /etc (specify path)
mn /etc 30482 (specify path and pid)
Need to support C55X qualifiers:
Merging two or more nodes from the ASCII art graph would be very useful; the idea behind this feature consists of the following:
in and out edges
Check if the file has changed every time it performs a read, in order to reopen the file. The correct way to do that is by using mmap, but this can be useful in other situations.
Basically printing a structured JSON exposing all the info of an instruction in tree form; this way we can expose a 'capstone-like' struct but for the ESIL representation. This will allow exposing the internals of the IL to 3rd party scripts without a complex API.
This requires refactoring of the current wb and wB commands.
Sometimes if we want a faster analysis we can disable some features
p= commands and Unicode (UTF-8) radareorg/radare2#14351
p- commands and Unicode (UTF-8) radareorg/radare2#14352
Adding a command to determine if a bug is exploitable would be really cool. This functionality is implemented under the MIT license in a GDB plugin, which is linked below.
https://github.com/jfoote/exploitable
We can probably copypasta the code from r2 -C as an initial version, but ideally, the whole visual.c should work with local and remote modes. !=! =!=
It would be beneficial to be able to determine whether some exception such as an access violation has occurred during debugging. At the moment, it's only possible to do so by disassembling and determining this from cpu flags, signal received etc...
pancake: but for now you have to disassemble and try to determine this by reading the cpu flags, signal received, instruction, regstate, etc
pancake: this can be a nice TODO for the github issues list
pd~call,mov
--> grep all CALLs and MOVs
but if we do pd~call&mov
it gets 0 results, because it's not using & as a separator. The correct syntax is: pd~&call,mov
.. but this is probably not what the user would expect.
We should fix rcons to handle that syntax too.
This will be useful when moving to SIOL (the io rewrite), or to test different io plugins and hash implementations. When searching we have a counter that shows the current hit count, address, etc., but we should enhance this status line with bytes/second processed. We can add a config var to specify which option we want to use for that (dunno if necessary).
OMAP4 community would love to use r2 on ducati bios images http://omappedia.org/wiki/Ducati_For_Dummies
I uploaded a variety of bios images from various OMAP4 devices below
CortexM3 bios images - http://goo.gl/4dndeg
I also linked some C6x assembly related content below
http://www.ti.com/lit/ug/spru189g/spru189g.pdf
http://cnx.org/contents/429524a4-6e7e-48f9-8899-18e5d5712116@1
http://www.cs.cmu.edu/afs/cs/academic/class/15745-s05/www/c6xref/tms320c6000.pdf
http://cnx.org/contents/7c6f27c8-b458-4976-ba26-dee0a14ceea4@1/C6x_Assembly_Programming
http://onlinelibrary.wiley.com/doi/10.1002/0471221120.appa/pdf
http://www.ti.com/lit/ug/spru198k/spru198k.pdf
http://www.ti.com/lit/ug/spru187v/spru187v.pdf
http://processors.wiki.ti.com/index.php/SYS/BIOS_Getting_Started_Guide
http://jason.sdsu.edu/c6x/ASSEMBLE.PDF
http://rtsc.eclipse.org/cdoc-tip/ti/targets/C64T.html
http://rtsc.eclipse.org/cdoc-tip/index.html#ti/
http://www.ti.com/lit/ug/spru186x/spru186x.pdf
https://gcc.gnu.org/onlinedocs/gcc-4.7.3/gcc/C6X-Options.html
https://gcc.gnu.org/wiki/cauldron2013?action=AttachFile&do=get&target=port-gdb-tic6x-qi.pdf
Cauldron 2013 - Port GDB to the TI C6X Architectu…: http://youtu.be/nSL4jcQCeKg
https://github.com/potorange/binutils-tic6x-dis-16bits/commits/tic6x-dis-16bits
https://github.com/potorange/ais-disasm/commits/function-definition-and-boundary
https://github.com/Groundworkstech/pybfd/commits/master
https://github.com/WojciechMigda/gcc/commits/gcc-4.8.2-tic6x-elf-hybrid-pseudo-ops
https://github.com/WojciechMigda/c6xcoffdump/commits/develop
https://github.com/WojciechMigda/binutils/commits/bu-2.24-tic6x-coff
Thanks for this epic resource fellas r2 is really second to none ;)
Suggested by @radare
Read this before starting http://newosxbook.com/DMG.html
Like here: https://github.com/asciimoo/drawille
Autoanalysis
Wine already supports the gdb protocol, but the winedbg protocol is more advanced and adds some useful options.
From fractalg:
This seems to be the procedure for TE binaries:
BaseOfCode - (StrippedSize - sizeof(EFI_TE_IMAGE_HEADER))
BaseOfCode - (StrippedSize - sizeof(EFI_TE_IMAGE_HEADER)) + AddressOfEntryPoint
BaseOfCode - (StrippedSize - sizeof(EFI_TE_IMAGE_HEADER))) + IMAGE_SECTION_HEADER->VirtualAddress
start + IMAGE_SECTION_HEADER->Size of Raw Data
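A worked parser for the offset translation sketched above, added here as an illustration; it is not code from the issue or from radare2. It assumes the 40-byte EFI_TE_IMAGE_HEADER layout from the PI specification (Signature "VZ", Machine, NumberOfSections, Subsystem, StrippedSize, AddressOfEntryPoint, BaseOfCode, ImageBase, two data directories) followed directly by the unchanged IMAGE_SECTION_HEADERs, and follows the EDK2 BasePeCoffLib convention of subtracting StrippedSize - sizeof(EFI_TE_IMAGE_HEADER) from every RVA and PointerToRawData inherited from the original PE, so the entry point becomes AddressOfEntryPoint minus that delta. The sample image is constructed inline and is not taken from any real firmware.

```python
import struct

# EFI_TE_IMAGE_HEADER, packed little-endian (assumed layout, see lead-in):
#   UINT16 Signature ("VZ"), UINT16 Machine, UINT8 NumberOfSections,
#   UINT8 Subsystem, UINT16 StrippedSize, UINT32 AddressOfEntryPoint,
#   UINT32 BaseOfCode, UINT64 ImageBase, EFI_IMAGE_DATA_DIRECTORY DataDirectory[2]
TE_SIGNATURE = b"VZ"
TE_HEADER_FMT = "<2sHBBHIIQIIII"
TE_HEADER_SIZE = struct.calcsize(TE_HEADER_FMT)   # 40 == sizeof(EFI_TE_IMAGE_HEADER)

# IMAGE_SECTION_HEADER (40 bytes) follows the TE header directly, unchanged from the PE.
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def is_te(data):
    """Cheap format sniff: TE images start with the 'VZ' signature."""
    return len(data) >= TE_HEADER_SIZE and data[:2] == TE_SIGNATURE


def parse_te(data):
    """Parse a TE image and translate its PE-relative offsets to TE file offsets.

    GenFw replaces the original DOS/PE/COFF/optional headers (StrippedSize bytes)
    with the 40-byte TE header, so every RVA and PointerToRawData kept from the
    PE is too large by StrippedSize - 40 when applied to the TE file.
    """
    if not is_te(data):
        raise ValueError("not a TE image (missing 'VZ' signature)")
    (_, machine, nsections, _subsystem, stripped_size, entry_rva,
     base_of_code, image_base, *_datadirs) = struct.unpack_from(TE_HEADER_FMT, data, 0)
    stripped_offset = stripped_size - TE_HEADER_SIZE
    if stripped_offset < 0:
        raise ValueError("StrippedSize is smaller than the TE header itself")

    sections = []
    for i in range(nsections):
        off = TE_HEADER_SIZE + i * SECTION_SIZE
        if off + SECTION_SIZE > len(data):
            raise ValueError("truncated section table")
        name, vsize, va, raw_size, raw_ptr, *_rest = struct.unpack_from(SECTION_FMT, data, off)
        raw_off = raw_ptr - stripped_offset
        if raw_off < TE_HEADER_SIZE or raw_off + raw_size > len(data):
            raise ValueError("section %r raw data lies outside the file" % name)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_file_offset": raw_off,
            "raw_file_end": raw_off + raw_size,   # SizeOfRawData is file-aligned
        })

    return {
        "machine": machine,
        "image_base": image_base,
        "stripped_offset": stripped_offset,
        "code_file_offset": base_of_code - stripped_offset,
        "entry_file_offset": entry_rva - stripped_offset,
        "sections": sections,
    }


def rva_to_file_offset(img, rva):
    """Map an RVA to a TE file offset through the section that contains it."""
    for s in img["sections"]:
        span = max(s["virtual_size"], s["raw_file_end"] - s["raw_file_offset"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["raw_file_offset"] + (rva - s["virtual_address"])
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def build_sample():
    """Constructed TE image with one .text section (not real firmware)."""
    stripped_size = 0x1A8                     # original PE headers occupied 0x1A8 bytes
    header = struct.pack(TE_HEADER_FMT, TE_SIGNATURE, 0x8664, 1, 0x0B, stripped_size,
                         0x2A0, 0x200, 0x400000, 0, 0, 0, 0)
    section = struct.pack(SECTION_FMT, b".text\0\0\0", 0x3F0, 0x200, 0x400, 0x200,
                          0, 0, 0, 0, 0x60000020)
    code_off = 0x200 - (stripped_size - TE_HEADER_SIZE)   # 0x80 in the TE file
    padding = b"\0" * (code_off - len(header) - len(section))
    return header + section + padding + b"\x90" * 0x400


if __name__ == "__main__":
    img = parse_te(build_sample())
    print("code @ 0x%x, entry @ 0x%x" % (img["code_file_offset"], img["entry_file_offset"]))
    for s in img["sections"]:
        print("%-8s raw 0x%x-0x%x" % (s["name"], s["raw_file_offset"], s["raw_file_end"]))
```

With the sample, the section's PointerToRawData equals its VirtualAddress (typical for XIP firmware), so the generic mapping in rva_to_file_offset coincides with the plain subtraction of the stripped delta; for images where they differ, only the section-based mapping is correct.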
(because alignment???)
The 'newc' file format is used for initial boot filesystem images. It could be nice to have support for identifying these. Maybe it isn't very high demand though? The specs are pretty well labeled:
https://www.kernel.org/doc/Documentation/early-userspace/buffer-format.txt
I may add it if no one else does once I add more features to the compressed Linux kernel (zimg) format.
Symbol postprocessing
Also, we can specify a rule to run a program before everything. This way we can write a rarun2 script that runs a program to create an input file to be used by the stdin= rule.
file header is: dec0170b
See also llvm-dis and clang -emit-llvm -c foo.c -o foo.bc
bitcode can be executed with the lli tool:
% mount -t binfmt_misc none /proc/sys/fs/binfmt_misc
% echo ':llvm:M::BC::/path/to/lli:' > /proc/sys/fs/binfmt_misc/register
% chmod u+x hello.bc (if needed)
% ./hello.bc
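An added example, not code from the issue or from radare2, showing how an identifier for LLVM bitcode would recognise the two on-disk shapes involved here: the raw bitstream, whose first bytes are 'B', 'C', 0xC0, 0xDE, and the bitcode wrapper header (magic 0x0B17C0DE, which is the dec0170b byte sequence mentioned above, then Version, Offset, Size and CPUType as little-endian u32). The wrapper layout follows the LLVM "Bitcode Wrapper Format" documentation; the sample files are constructed inline (the stream payload is filler, not real compiler output) and the CPUType value is an arbitrary constant.

```python
import struct

# Raw LLVM bitstream magic: 'B', 'C', followed by the 4-bit fields 0x0, 0xC, 0xE, 0xD.
RAW_BITCODE_MAGIC = b"BC\xc0\xde"
# Bitcode wrapper header magic; stored little-endian it reads DE C0 17 0B on disk.
WRAPPER_MAGIC = 0x0B17C0DE
WRAPPER_FMT = "<IIIII"                        # Magic, Version, Offset, Size, CPUType
WRAPPER_SIZE = struct.calcsize(WRAPPER_FMT)   # 20 bytes


def identify_bitcode(data):
    """Describe the bitcode stream in data, or return None if it is not bitcode.

    Handles both a raw stream and a wrapped one; for the wrapper, Offset and Size
    are bounds-checked against the file and must point at a real stream magic.
    """
    if data[:4] == RAW_BITCODE_MAGIC:
        return {"kind": "raw", "offset": 0, "size": len(data), "cputype": None}
    if len(data) >= WRAPPER_SIZE:
        magic, _version, offset, size, cputype = struct.unpack_from(WRAPPER_FMT, data, 0)
        if magic == WRAPPER_MAGIC:
            if offset < WRAPPER_SIZE or offset + size > len(data):
                raise ValueError("wrapper Offset/Size point outside the file")
            if data[offset:offset + 4] != RAW_BITCODE_MAGIC:
                raise ValueError("wrapper does not enclose a bitcode stream")
            return {"kind": "wrapped", "offset": offset, "size": size, "cputype": cputype}
    return None


def binfmt_rule_matches(data):
    """Emulate the ':llvm:M::BC::/path/to/lli:' rule: magic 'BC' at offset 0.

    Only the raw stream starts with 'BC'; a wrapped file starts with DE C0 17 0B,
    so the kernel rule above would not hand it to lli.
    """
    return data[:2] == b"BC"


def build_samples():
    """Constructed inputs: a raw stream and the same stream behind a wrapper header."""
    raw = RAW_BITCODE_MAGIC + bytes(range(0x20))      # magic + 32 filler bytes
    wrapper = struct.pack(WRAPPER_FMT, WRAPPER_MAGIC, 0, WRAPPER_SIZE, len(raw), 0x01000007)
    return raw, wrapper + raw


if __name__ == "__main__":
    raw, wrapped = build_samples()
    for label, blob in (("raw", raw), ("wrapped", wrapped)):
        print(label, blob[:4].hex(), identify_bitcode(blob), "binfmt:", binfmt_rule_matches(blob))
```

A loader that only checks for 'BC' at offset 0 (as the binfmt_misc rule does) silently ignores wrapped bitcode; a format plugin should sniff both magics and, for the wrapper, trust Offset and Size only after checking them against the file length.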
Add this option to make debugger async (non-locking), this requires different changes in the debugger backend: