BINARY INFORMATION
==================
* dwarf, pdb, def, lib
  - from file, from section, ...
  - load symbols from .lib or .def (find signatures)
  - .def -> .idt, .lib -> ar2idt

UNDER DEVELOPMENT
=================
* r2-swig: distribute the generated .i files and cxx files, so the build is faster
  - ./configure --without-valaswig   # compile without generating cxx files
  - build with swig/

Random stuff
------------
* For each "call" or "push offset"+"ret" create a function.
  - And, if deep code analysis is enabled:
    - Search every possible function by looking for typical prologues and put them in a queue.
    - Perform the same actions as in the previous steps with the entry points.
* Stolen from pyew
  - e anal.ops = true
    INT num:   Interrupts. Typically used as anti-emulation (INT 4) and anti-debugging (INT 3) tricks.
    UD2:       Undefined instruction. Found in some packers/protectors as an anti-emulation trick.
    RDTSC:     Widely used in malware to check whether the software is being traced (timing checks).
               A typical way to detect binary instrumentation (PIN, DynamoRIO, etc.).
    SIDT/SGDT: Store Interrupt/Global Descriptor Table. Trick used to detect some
               virtual machines (known as the red pill trick).
    CPUID:     Used to detect virtual machines and emulators.
    // NOP args: NOPs with operands (the multi-byte 0F 1F /0 form) are a typical anti-emulation trick.
    SYSENTER:  Direct system calls. Commonly used as an anti-emulation trick (bypasses user-mode hooks).
* implement aoe = anal op exec
  - sync regs or what?
* Search for wide strings: /Z or so? /w maybe?

pancake
-------
* if console width > X place comments there (ash)
* Implement BLOCK in r_core_sysenv_begin|end ()
* comparisons don't work (RAnalCond)
* Fix iterators for r_macro (test only?)
* Add support for STATIC_PLUGINS in r_lang
  - r_lang_define is implemented in lang.c, but requires the collaboration of the
    plugins to properly set up the environment for the script execution.
  - dlerror(/usr/lib/radare2/lang_perl.so): libperl.so: cannot open shared object file: No such file or directory
    This issue is fixed by setting LD_LIBRARY_PATH... looks like dlopen ignores rpath

earada
------
* Add print support for bitfields (pm b...)
* r_bin_demangle ();   // r_util maybe?
  - demangle c++ and objc names, e.g.
      _ZN7WebCore11CounterNode7recountERKNS_12AtomicStringE
      -> WebCore.CounterNode.recount(AtomicString)
    _ZN   = begin of a nested (scoped) name
    0-9+  = character count of the name component that follows
    E     = end of the nested name; the parameter types follow it
    RKNS_ = first argument: R = reference, K = const, N...E = nested name,
            S_ = substitution for the first component already seen (WebCore)
* Fix avr/ppc code analysis   // fix or use or what? :)
* Implement print Zoom mode (copypasta from r1) (useful for forensics) <-- MUST
* mount /mnt/ must chop last '/'
* test fatfs and others
* Add SSL support to r_socket
* remove all uses of alloca()   // mingw and grep reports them all :)
* typedef all function pointers, like in r_bp
* Implement /A : search AES
* Implement case-insensitive search (e search.casematters ?) any better name? Use /i?
* Implement /. to search using a file .. isn't zignatures about this?
* Implement /p to search for patterns
  - implement it in r_core ?? or add r_io_bind support
* Implement search and replace /s
  - insert or append? (see r1 cfg vars)

nibble
------
* scrollup by bwdisasm not yet implemented
* '+' key in visual cursor mode only increments lower nibble!
  - only in debugger mode :/
* register renaming (per-instruction or ranges)
  - r_parser fun? a specific asm.parser plugin that does all these tricks?
  - fix instruction navigation
  - do not allow to disassemble unaligned addresses (toggle)
  - use 'jk' with bwdisasm to go up to the previous opcode.
  - r_asm can reduce cpu without disasm on fixed size ops archs.
* Display getsym() stuff in rabin2, not only legit syms
* Check if python plugin works from inside
  - write tuto, how to call py code from shell or r2
* dmi command must read from memory if no file path provided
  - rabin from memory ftw, to get libnames of dll, so..
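The anal.ops list above names the instructions worth flagging; the script below is an added example (not radare2 code) that flags their 32-bit x86 encodings in a byte buffer. The sample bytes, the instruction-start set and the Hit/scan names are constructed for the example. The caveat it demonstrates: a plain byte scan also matches inside immediates and data (the mov at the end of the sample), so the optional insn_starts set, which a real disassembler would supply, filters hits to instruction boundaries.

```python
"""Flag x86 instructions commonly used as anti-emulation / anti-debugging tricks.

Added example, not radare2 code.  Encodings used (32-bit mode):
INT3 = CC, INT imm8 = CD ib, UD2 = 0F 0B, RDTSC = 0F 31, CPUID = 0F A2,
SYSENTER = 0F 34, SGDT/SIDT = 0F 01 /0 and /1, multi-byte NOP = 0F 1F /0.
"""
from dataclasses import dataclass


@dataclass
class Hit:
    offset: int
    mnemonic: str
    length: int
    note: str


TWO_BYTE = {  # second opcode byte after 0F -> (mnemonic, why it matters)
    0x0B: ("ud2", "undefined opcode; emulators may not raise #UD"),
    0x31: ("rdtsc", "timing check against debuggers / PIN / DynamoRIO"),
    0xA2: ("cpuid", "hypervisor and emulator fingerprinting"),
    0x34: ("sysenter", "direct syscall, skips user-mode hooks"),
}


def modrm_operand_len(buf, off):
    """Bytes used by a 32-bit ModRM operand starting at off (ModRM + SIB + disp)."""
    modrm = buf[off]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod == 3:
        return n
    if rm == 4:                                    # SIB byte follows
        n += 1
        if mod == 0 and off + 1 < len(buf) and (buf[off + 1] & 7) == 5:
            n += 4                                 # [disp32 + index*scale], no base
    elif mod == 0 and rm == 5:
        n += 4                                     # [disp32]
    if mod == 1:
        n += 1
    elif mod == 2:
        n += 4
    return n


def match_at(buf, off):
    """Return a Hit if one of the watched instructions is encoded at off, else None."""
    b0 = buf[off]
    if b0 == 0xCC:
        return Hit(off, "int3", 1, "software breakpoint; INT3/SEH anti-debug")
    if b0 == 0xCD and off + 1 < len(buf):
        return Hit(off, f"int 0x{buf[off + 1]:02x}", 2, "interrupt; INT 4 / INT 2D style anti-emulation")
    if b0 != 0x0F or off + 1 >= len(buf):
        return None
    b1 = buf[off + 1]
    if b1 in TWO_BYTE:
        mnem, note = TWO_BYTE[b1]
        return Hit(off, mnem, 2, note)
    if off + 2 >= len(buf):
        return None
    modrm = buf[off + 2]
    reg = (modrm >> 3) & 7
    if b1 == 0x01 and (modrm >> 6) != 3 and reg in (0, 1):   # SGDT/SIDT take a memory operand
        return Hit(off, "sgdt" if reg == 0 else "sidt", 2 + modrm_operand_len(buf, off + 2),
                   "descriptor table base leaks VM presence (red pill)")
    if b1 == 0x1F and reg == 0:                               # NOP r/m32
        return Hit(off, "nop r/m32", 2 + modrm_operand_len(buf, off + 2),
                   "NOP with an operand; some emulators mis-decode it")
    return None


def scan(buf, insn_starts=None):
    """Linear scan of buf; with insn_starts, only those offsets are considered."""
    if insn_starts is None:
        offsets = range(len(buf))
    else:
        offsets = sorted(o for o in insn_starts if 0 <= o < len(buf))
    return [h for h in (match_at(buf, o) for o in offsets) if h is not None]


# Constructed sample (not from a real binary): the watched instructions, then a
# MOV whose immediate happens to contain the RDTSC and INT3 byte patterns.
SAMPLE = bytes.fromhex(
    "0f31"          # 00: rdtsc
    "0fa2"          # 02: cpuid
    "cc"            # 04: int3
    "0f0b"          # 05: ud2
    "0f010c24"      # 07: sidt [esp]
    "0f34"          # 11: sysenter
    "0f1f4000"      # 13: nop dword [eax+0]
    "b80f31cccc"    # 17: mov eax, 0xcccc310f   (false positives for a byte scan)
    "c3"            # 22: ret
)
SAMPLE_STARTS = {0, 2, 4, 5, 7, 11, 13, 17, 22}   # what a disassembler would report

if __name__ == "__main__":
    for h in scan(SAMPLE, SAMPLE_STARTS):
        print(f"{h.offset:04x}  {h.mnemonic:<10} len={h.length}  {h.note}")
```

Running scan(SAMPLE) without the start set reports three extra hits inside the mov immediate; the filtered run reports exactly the seven real instructions. Prefixed forms (66 90, REX-prefixed NOPs) and 64-bit addressing are out of scope for this sketch.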
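The demangling notes in the earada section above describe the Itanium C++ ABI name layout; the following is an added example (not r_bin_demangle or any radare2 code) of a minimal demangler that follows exactly those rules: N...E nested names, length-prefixed components, the parameter list after the closing E, the P/R/K qualifiers, builtin types and the S_/S0_/S1_ substitution table. It prints the standard `::` form; the dotted form in the TODO is a display choice. Templates, operators, constructors and function types are deliberately unsupported and raise ValueError.

```python
"""Minimal Itanium C++ ABI demangler (added example, not radare2 code)."""

BUILTIN = {
    "v": "void", "b": "bool", "c": "char", "a": "signed char", "h": "unsigned char",
    "s": "short", "t": "unsigned short", "i": "int", "j": "unsigned int",
    "l": "long", "m": "unsigned long", "x": "long long", "y": "unsigned long long",
    "f": "float", "d": "double", "z": "...",
}


class Demangler:
    def __init__(self, symbol):
        self.s = symbol
        self.i = 0
        self.subs = []   # substitution table: S_ -> subs[0], S0_ -> subs[1], S1_ -> subs[2], ...

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def take(self):
        c = self.s[self.i]
        self.i += 1
        return c

    def source_name(self):
        # <length><identifier>, e.g. 7WebCore
        j = self.i
        while self.peek().isdigit():
            self.i += 1
        n = int(self.s[j:self.i])
        name = self.s[self.i:self.i + n]
        self.i += n
        return name

    def substitution(self):
        # S_ is the first candidate; S<seq-id>_ is candidate seq-id + 2 (seq-id is base 36)
        assert self.take() == "S"
        if self.peek() == "_":
            self.take()
            return self.subs[0]
        j = self.i
        while self.peek() != "_":
            self.i += 1
        idx = int(self.s[j:self.i], 36) + 1
        self.take()
        return self.subs[idx]

    def nested_name(self, is_function_name):
        # N <component>... E ; every prefix becomes a substitution candidate
        assert self.take() == "N"
        parts, added = [], False
        while self.peek() != "E":
            if self.peek() == "S":
                parts.append(self.substitution())   # a reused substitution is not re-added
                added = False
            else:
                parts.append(self.source_name())
                self.subs.append("::".join(parts))
                added = True
        self.take()  # E
        if is_function_name and added:
            self.subs.pop()  # the function's own full name is not a candidate
        return "::".join(parts)

    def type_(self):
        c = self.peek()
        if c in BUILTIN:
            self.take()
            return BUILTIN[c]
        if c in ("P", "R", "K"):
            self.take()
            t = self.type_() + {"P": "*", "R": "&", "K": " const"}[c]
            self.subs.append(t)   # pointer/reference/const-qualified types are candidates too
            return t
        if c == "N":
            return self.nested_name(False)
        if c == "S":
            return self.substitution()
        if c.isdigit():
            t = self.source_name()
            self.subs.append(t)
            return t
        raise ValueError(f"unsupported type code {c!r} at offset {self.i}")

    def demangle(self):
        if not self.s.startswith("_Z"):
            return self.s                      # not an Itanium-mangled name
        self.i = 2
        name = self.nested_name(True) if self.peek() == "N" else self.source_name()
        if self.i >= len(self.s):
            return name                        # data object: no parameter list
        params = []
        while self.i < len(self.s):
            params.append(self.type_())
        if params == ["void"]:
            params = []
        return f"{name}({', '.join(params)})"


def demangle(symbol):
    return Demangler(symbol).demangle()


if __name__ == "__main__":
    print(demangle("_ZN7WebCore11CounterNode7recountERKNS_12AtomicStringE"))
```

Tracing the TODO's symbol: WebCore and WebCore::CounterNode enter the table as S_ and S0_ while the function name is parsed, so the parameter NS_12AtomicStringE resolves to WebCore::AtomicString, which K and R then turn into `WebCore::AtomicString const&`, the same text c++filt prints.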
* add support for signed/unsigned registers.. or at least a way to cast them
* use r_anal_value everywhere
* diff code analysis
  - diff two programs
    1st level:
    - check all functions: EQUAL, DIFFERENT, REMOVED, ADDED
    - check all symbols
    - check all imports
    - check all strings
    2nd level:
    - basic block level diffing (output in graph mode)

0.7 release
===========
* GMP
  - big-ssl.c big-gmp.c ...
  - implement GMP in util/big.c
  - http://etutorials.org/Programming/secure+programming/Chapter+7.+Public+Key+Cryptography/7.5+Generating+a+Prime+Number+Testing+for+Primality/

DEBUGGER: (pancake)
-------------------
* Implement DRX support
* Implement dump+restore as macros (dump,)
* Implement software stepping (with code analysis+breakpoints)
* Implement dbg.bep
  - in r_core? in r_debug after attach? maybe only in r2 binr?
  - must be refined.. and look for better names

CORE
----
* Add "pm ?" for bit print like in pb? bit level binary memory printage
* add support for PDB files
* Handle ^C in searches (at least)
* Add support for DEX file format
* display filesize info instead of virtual space address limit
* "wx jeje" does not say "invalid hexpair string" (must report error)
* allow to hook r_asm_disassemble and assemble with custom callbacks
  - extend a disassembler with own instructions.

Assembler
---------
* Embed bits/arch/endian in a separate structure
  - So one can change from one arch to another with a pointer
  - Cool for defining ranges of memory

0.8
===
* Reimplement or fix the delta diffing in C
  - first we need to do it for ired..
* add support for .a files (r_fs supports cpio and ar archives...)
* Implement rap:// upload/download protocol commands (maybe just system() with rsc2+wget?)
* code injection facilities? (wtf? insert, execute, restore)
* Trace contents of buffers: filter search results..?
  - cc 8080 @@ hit* .. check for values that have changed.
* Record trace of register status for each function when running
  - r_reg_arena_copy();
* Create radare2-testsuite project
  - tests for ired, rax2, radare2, rabin2 ...
* Are RCore->block and blocksize an RBuf? refactor!11

Things to improve in r2
=======================
* focus on a single arch (rock allover): mips, ppc64 or arm?
* code analysis must resolve jump tables
* Enhance code analysis
  - calculate multiple execution paths to give branch prediction results
  - get/set register status of the vm
  - analyze from various parent functions and resolve ranged values
    - a ranged value can be:
      - ut64 from, to
      - restrict : %2 (modulo)
      - ...
* Add support for aout binaries?
* eprintf should be modified to log into a file
  - eprintf_open()  -- start log to file
  - eprintf_close() -- stop log to file

Debugger
========
* stepover waits for one unknown event that cannot be stopped
* Implement list threads on ALL supported platforms (win,lin,osx)
* All threads must be stopped when a breakpoint is handled..
* Add support for windbg+virtualkd
* Floating point registers
* MMX/XMM/DRX control

pancake
-------
* Implement PTRACE_BLOCK on Linux
* fork/clone child. inject code to create new threads or pids
* Functions in r_util to get lil/big ut8,16,32 from ut8*
  - already done.. must find better names probably
* merge asm.arch vm.arch
* support for macro scripting
* better debugger support for OSX and iOS
* rarc2 allows to compile invalid code like calling puts() out of context
* Implement RAnalCall (analyze function arguments, return values, propagate types..)
  - define number of arguments for given function
  - warn if signature and analysis differ in number of args or so..
  - when calling a function
    - identify arguments passed and compare with arguments required
    - if they do not match: we need to warn/ask user/store multiple options
  - function signature comparison, if they don't match
      r_anal_fcn_cmp (anal, f1, f2);

Questions
=========
* Only use uppercase KMG for Kilo,Mega,Giga in r_num?
  - 'g' is for double
* radare2.c:217 . find name for maxfilesize to hash
* r_list_foreach_prev is buggy, review and remove..
* make symstall in swig/ ?
* What about rsc2? deprecate, maintain? cleanup from 1? build? install?
* Add deltified offset in PC? +10, +30 ... asm.reladdr
* regio not implemented   // is it really necessary? imho no..
* distribute 'spp' with 'rarc2'? imho no

Bindings
========
* generate accessors from valaswig? why?
* Script plugins
  - We should enable r_lib to implement plugins in any scripting language, so we can
    for example prepare a .c stub interface for python/perl/ruby/..
  - this requires a swig bridge

Refactoring
===========
* Import r_vm register values from flags or from r_debug->r_reg
  - r_vm must use mmu cache when emulating code
  - use the one from r_io? and deprecate vm->mmu_cache?
* Review the r_flags api
* Add pipe_to_buffer.. not only file descriptors
* r_config set_int and so.. simplify
  - find/use more common cases for char* or &int maps
  - automatic callbacks for most common usecases
* What do we have to do with r_th, r_vm?
* Merge r_vm into r_anal?
* Merge r_socket inside r_util?
* Discuss missing r_core_sysenv_update in core/file.c:33
* Add RLog API.. pipeable to disk and stderr.. also hookable.. cool for ui (partially done)
* Move disasm loop into r_print (r_print should depend on r_asm)
  - that's hard :)
* Move 'r_syscall_t' stuff into r_debug (sync r_core)
* Implement r_bind api to link multiple pointers
    core->asm = r_bind_set (core->asm->bind, r_asm_new ());
* Find a better name for r_buf_fread (really?)
* Review r_io and r_reg API
* semi-ok state (R_TRUFAE), implement r_errno and r_errstr in r_util?
  - useful in r_sys_mkdir?
* Finish and import spp's own getopt implementation in r_util (like in p9)

Future
======
* r_file_slurp should work fine for big files (not prio) r_file_slurp_buf?
  - mmap if supported
  - add r_file_mmap?
  - read file in blocks instead of the whole file in a single syscall
* Realign flags when using project in debug mode
* FileDescriptors: dd -- copy from !fd in r1
* Initial analysis looking for xrefs to strings and so? ax? ./a@@entry0
  - Launched at startup
* install.sh (to track installed files ..)
* acr -ldl check must be fixed for kfreebsd
* Add support for float/double in r_num :?
* radare2 -e dbg.engine=vm -d ls
  - load the program using r_bin in virtual space
  - initialize vm and set regs
  - debug backend should use the vm
* metaflags? support to define relations between flags (flag hierarchies)
* r_flagtree
  - r_flags should have a tree construction to access them faster
  - btree? following pointers like bigger,smaller
      struct r_flag_t *bigger, *smaller;
  - hook r_flag_add to recalculate the bigger/smaller pointers in r_flag_optimize()
  - hook r_flag_del to recalculate too.
  - the r_flag_get by string should have another construction with a btree for the string of the name

please! report! :)