
  ___________ _____  ______   _____
  \___   ___/ _==_ \'   ._ \/ _==_ \
    \'   '//        \   '   \       \  for radare
     \___/ \________/.______/_______/

===========================================================

* Remove tm dependency for winedbg backend
  - or just check it and warn the user
  - implement .!reg* and so
* mark jumps that evaluate to true
* 'ag' window does not works to get command output :???
* vm.eip (vm in static doesnt works well.. check and fix :)

* Cannot debug signal handlers???

* DEPRECATE !set dbg system command (!reg xx=yy works beter)

TODO 1.4.2
==========
* IO tracer (logs all access to memory (address+content)) f.ex:
  0x80481020  READ  0xbf883000    10203040 'ascii'
  0x80481022  READ  0xbf883004    10203040 'ascii'
  0x80481024  READ  0xbf883008    10203040 'ascii'

* Show exit value of process
* BUG: write on virtualized addresses (like the LOAD ELF regions) is not ok
* TODO: implement file.dbg_arg
* TODO: add documentation for file.dbg_env and dbg.env_ldso

* Allow to easily store the stack contents and get a diff
* show info where register points to
  - px 16@@=`!reg*~[1]`

---- bugs
* disasm is incorrect. always returns the negative value :OO
  - 03 e4 f0 = and esp, 0xf0
  but must be= and esp, 0xfffffff0
* RASM is buggy about relative/absolute offsets
---- bugs

* Allow to edit flags in Vt
* grep multiple strings: (only for r2 or backport?)
  pdf ~call,ebp
* Handle ^C in print hexdump ?huh! cannot break huge reads
  - We have to split the io_read() calls in blocks of 64k
  - This way the kernel will be locking less and ^C is possible
*) r2's r.db with delete and update (merge here plz)
*) refactoring r_bin_pe r_bin_elf: remove dupped code (r2)
*) add r_bin_msil
* do the remote API has something to do with FDs? (only open+close?)
* set fpregs (yep, ineedit for process store/restore)

* stack analysis
  - track esp register
  - when it changes record an item in a list
    { old_esp, esp, size, oeip, data }
  - repeated items are deleted (we can use a linked list here)
    - overwrites can be notified (useful?)
  - we can disassemble the instruction at oeip
  - store all the stack analysis info in a struct per-function
    and before removing it store a comment or metadata at the
    begginging of it.
  - analize previous pushes or stack accesses before a call
    to a function (identify function arguments)
  - not only by the ones accessed in the code)
  - as IRA module
  - show pm xxxxxxxx @ esp (show esp-ebp bytes here or so)


* resume functions
  - show only calls
  - show size of function
  - show number of math ops
  - show stackframe size
  - number of conditionals
  - show refs

* set fpregs, mmregs and xmmregs
* FULLY implement radiff -f and -t (doesnt takes sense on non-b modes)

CALLING CONVENTIONS
===================
1) for functions (depends on compiler and arch)
2) for syscalls (depends on kernel and arch)
  f.ex: syscall 0,1,2,3,4 args using eax,ebx,ecx,edx on x86-32
   - generic actions to be done:
     - set indexed registers
     - write in memory (restore used memory after usage)
   - get result of function (return value is in eax most)
  ---- refactoring
  * syscall-flag using userdefined table (in file)
   - must use asm.os to get proper syscall table
   - must be implemented in code analysis!!
  * Add !int opcode to call a syscall
    f.ex: !int eax=30 ebx=0x8048400
   - store/restore regs
   - shows return value in eax before restoring regs
  * call <flag> arg arg arg
   - done with lua/python

OPTIMIZATIONS
=============
* Optimizations everywhere!11cos(0)
  - config.c, data.c, flags.c
  - Implement btree for flags and so on
  * do not dump on tmp files (use popen or so)
  * flag_get (23%)
  * Optimize string_flag_offset (24%)
    - abuses strstr
  * config_node_get (1%)


TODO 1.5
========
* greplace... ~ is grep, but ~~ is greplace! \o/
  pd~~eax/EAX,ebx/EBX  # example syntax
* LSDJ-like interface
  Visual mode [x]dkdl  -> Q allows to hjkl on those modes
            +---+              <- enable cmd.vprompt*
        +---|---|-----------+
        | x | d | o | d | l |  <- disabled cmd.vprmpt
        +-------------------+
          ^._____________________ hexa, disasm, octal, ...

* implement serial:// for '=' command
* implement main prompt (rash?? rashell??)
  - rarun
  - listen at a port waiting for commands
  - can be used to remotely upload files
* show labels of all jumps/calls (not only bookmarked ones)
* Invert doesnt works for disassembly!!!
  - manually done disassembly instruction by instruction!
  - negative block size is used to invert (deprecate invert?)
* !fork should be fixed
* write shellcode to dump a buffer in hexa (inline jump)
* regexp search?? (backport from r2)
* full support for inner radare_cmd_str (two nested calls breaks the console buffer)
* drop sdk dependency for osx-arm
---
* set flags to jumps to the middle of instructions while analyzing code (.af*)
* Better 'cD' command (use gnu diff method, but take as size the smaller file)
* Better integration with -P (projects) (do not analyze twice...)

* rax should support different sizes double/base64/7bit/LSBstego/...
* cfg.vbar = p%
* remove the ':' command -> use it to drop colors instead of verbose?

* Add disassembler for
  - ParrotVM
  - DalvikVM
  - CUDA
  - Flash10

*++++++++++

binary masks (enums, bitmasks)
> aB rwx R:4 W:2 X:1
> aBb rwx 777
RWX,RWX,RWX
> aBm rwx @ $$:1
> aB -rwx

* Support to undefine variables
* mov dword[ebp+0xfff], eax -> this is not mov dword[0xffff] code analysis!

* Screen column grep should skip escaped sequences (ansi*)
* Documentate visual cursor with marks ',' and '.' keys
* documentate the change of the execstack protection in program section of ELF
* doc4 'g' and 'x' in visual

* Added cached filtered IO layer for r_io ... accelerate debug!
  - we should have a flag to invalidate the cached memory

* Use modify_ldt(2) on x86 as IO for the debugger

* Added at% like ar%
* fer q libr.syscall suporti lectura dsd fitxers

===========================================================

* !contsc should allow return value not error
* r_io_map_join()
  > o connect://1.1.1.3:9999//bin/ls 0x100000
  > o /bin/ls 0x200000
  > join 0x200000 // WTF
    writes /bin/ls file info over under io layers

* '<' and '>' commands converted in prefix modifiers
* Add !log command for serial:// and socket://

* rsc monitor implemented as a gui plugin
* .rfile.$FOO and .radare.tmp.$FOO are not removed!!
* support string print mode for [len][str] formats
* organize Functions (RDBs) in visual mode ala 't' or 'e'

---- debugger
* !dall should pseudo-initialize the !maps internal structures
  - identify page type by contents (ELF header and so)
  - export info as S commands

* trace.libcode = trace libcode or not?
  - dbg.steplibs = true|false ??
  * dbg.stepolibs = true ;  step over non-user code?
  - automatic stepu 
* !bpc -> execute command when hitting breakpoint
  - stop on breakpoint after N hits
  * breakpoint callbacks:
   - integrated with !wp too
    A hook to an api can be emulated from the debugger, no need to inject
    code everywhere, just BP and change regs
   - ptrace layer make't support syscall proxying for remote debugging!!1 rasc -l rulez
* Watchpoints:
  - Make !wp work with ? conditionals
  - Make dbg.wptrace = make it stop when there's a breakpoint
  - support for %eax = %ebx f.ex
  - ^C should be always catched!!
* !contuh doesnt works :O
 - implement continue until cursor
 - implement !bpt properly

java bug:
  0x000001EE  |           b80007           invokestatic java/lang/Object (null)
-> this should be a call to callme()



===========

>1.5 STUFF

* Allow to run shellcodes on debugged process.
  (autodetect .s or raw binary)
  - read shellcode from a file 
    should support .c or .s or raw or elf _start
* add margin right to the text
  - or margin left to the shell code
  - cut all lines at column scr.width
  - add screen.hshift (horitzontal scrolling)
* 'x' char should not be accepted as hexpair
* !lib /lib/libm.so.1   ; use 'uselib' on linux and dlopen on *bsd MUAHA
  - implement !call
  - must allocate strings

* support to remove fixed nodes
  - show comments in a separated toggleable box:

* Signal handling should idenitfy backtracing and siginfo and so from here or so

       static void
       handler(int sig, siginfo_t *si, void *unused)
       {
           printf("Got SIGSEGV at address: 0x%lx\n",
                   (long) si->si_addr);
           exit(EXIT_FAILURE);
       }

Debugger:
	* when attaching sets <pid>.rdb ..should be <program.pid>.rdb?
	* !contu must use '!mp rw- 0x8048000 0x4045' if supported
	* load libraries on the child process
	* !contall
	* !cont <pid> ???
	* breakpoints
	  - command
          - stop at count
	  - log (trace)
	  - enable/disable

Rasc:
	* rasc - helper for format strings (orly?)
	* rasc : send file and execute (pitbull inside!)
 	* add selfsigstop/stackperm shellcodes in lua script or rasc

Core:
	* reload project file if changes

Rsc:
  	- fer un binpatch a traves del contexte del asm que sigui muahah (LUA)
	* pcap/radare for fun

* autodetect references to flags with aop.ref on
  - aop.ref must get more ref types (write checks)
	a1acc30508      mov eax, [0x805c3ac]
	3d00800000      cmp eax, 0x8000
	833d0cc4050803  cmp dword [0x805c40c], 0x3
	bf0d9b0508      mov edi, 0x8059b0d

Radare:
    + Dwarf support:
        - dwarfdump parser???
        - natively use libwarf in rabin

* Allow to draw new lines manually (static defined arch_aop lines_t)


DWARF
=====
	/* Merge libdwarf inside rabin ?? */
	/* This is dwarfdump -G <file> */

==============================================================

* Funroll mode - stacked disassembly

* Add 'strings-cmt' to add comments in strings and use Cs to convert them
  - Make 'Cs' be more intelligent for multiple strings
  - Support for cursor range split
  - Without argument must find the end of string from curseek

* function hooker in C (dbg.hooker)
  - some C macros or so to create a .so and LD_PRELOAD't
  - if static...should inject trampolines to our code.
  - or just manage the breakpoints
  - if bp == 1 !jmp 0x8084840 - redirect code execution on certain points
  - stored in file
    [from-address] \t  [to-address]
 * 'ar' -> anal reset -> reset vm
 * populate the use of cmd.flag (in prompt and so)
 * graphically draw data structures in memory (adg, aD)?

 * add nanosleep shellcode
  - using nanosleep
    -> nanosleep(&foo, NULL);
	call +1
	pop ebx
	push 3
	push 0
	mov eax, 162
	mov ebx
	int 0x80

 * options for trace
  - trace.depth = 0
  - trace.alarm = 0
 * ^C doesnt works with trace

 * shellcode to get cur eip in eax
	de call +1
	pop eax
	mv  [deplaz+eax], restore_value

 * add !status to get last crash info and stuff like that
 * fix autocomplete stuff for readline-flags
 * add full autocompletion support for dietline
 * Use SIGHUP to dump monitor stuff to files
 * blinking byte at cursor
 * support for search and replace
 * support for oprofile (via rsc or so)

Gui
===
* implement start/pause/continue/stop/reload button for a pid
* frontend for hasher (Vala api for hashing)
* the gui must listen:// and connect:// too!

Open streams
============
* radare pcap://"eth0/port 4000"

/////////////////////////////////////////////////////////////////////////
/* Fetch the thread-local storage pointer for libthread_db.  */
ps_err_e
ps_get_thread_area (const struct ps_prochandle *ph,
                    lwpid_t lwpid, int idx, void **base)
{
  if (ptrace (PTRACE_GET_THREAD_AREA, lwpid, NULL, base) != 0)
    return PS_ERR;

  /* IDX is the bias from the thread pointer to the beginning of the
     thread descriptor.  It has to be subtracted due to implementation
     quirks in libthread_db.  */
  *base = (void *) ((char *)*base - idx);

  return PS_OK;
}
PTRACE_GET_THREAD_AREA_3264:
/////////////////////////////////////////////////////////////////////////

DONE?
=====
* variable block size
  - config.block_size as default
  - tries to find another flag after
  cfg.vbsize = true -> variable block size (until next flag) (with a similar name to cur one?)

Core
=====
* allow to run without opening a file (useful for batch mode)
* make fdsniff and usbsniff generate a project file and a binary one.

(gdb) break ptrace if $r3 == 31 -> !wp equivalent. better docu/integration

ARM
===
* arm backtrace
- when runnin to bp says invalid address (uh?)
- step over doesnt works on arm/mips

BUGS:
=====
 * !pids must control non-printable chars
* keybinding assignment dosnt workz
  - UGLY
* wa doesnt handle file resize
* rsc monitor doesnt works as expected
* !ret should use !bt if possible

Random:
=======
* support to append data (without getting out of the block_size) (or so..)
* cfg.invdelta = inverses the delta (<=1024 ..-> >=1024) (or delta range) deltamin deltamax
* implement insert data inda core
* graph.body=asm,flags,symcalls,description, trace execution data
* define block size by hit1[0]-hit0[0] rollo begin-end (buscar <html> i </html>)

* invert pel disasm
  * inv -> make offsets take sense
  - make cursor bytes take sense too

* /a algorithm defined by search.algorithm
 it flags if search.flag
  - armfuncsearch
  - aes
  - token [from] [to] (dinamic block size)
  - x86funcsearch
  - from file formatted as search db
  - carver (find from-to,maxlen, ...)
  - plugin
* RDBs stored into Projects
  project.rdb = false ; store or not
  use [delimiters] to embed rdbs inside rps
* MSB stego


Graphs
======
* identify nodes with 'ret' in graph
* identify nodes with 'cmp' in graph


   +-------------+
   | 0x0804483   |-----------.
   +-------------+           |
   | mov eax, 3  | sys_write |
   | int 0x80    |           |
   +-------------+-----------'

  - line clicking must be supported!
  - avoid out of context bytes

* tracecc
  - useful to walk to user code
  - copy the program code on another buffer
  - overwrite all code with 0xcc
  - not portable, coz arm mixes data and code
  - continue until breakpoints
* virtual machine decompilation -> helpers for debugging soft VM opcodes (new user-defined archs)

/* done in lua? */
* analize input/output of function calls
  - bp enter
  - bp exit
  - useful to reverse packer VMs
  - see what changes in register and memory

* exception frame information (try { ... } catch stuff)
* ram dump driver for w32

* dinamic block size defined by:
  - height of screen
  - <tags> (set inigial and end binary tags)
    - allow to move forward/backward between 'bintags'
+ EH - event handling (event type + source pid)
  * add '!eh' command, how to handle an event ((ignore?), log, bypass, handle)
* cfg.dbgbsize (default block size for debugger)
* RDB TO GML
* circle to group looped code blocks in graph view

---------------------------
* do not sigalarm in visual
* new flag type: temporal 
  - they will not survive a project save
  - they are destroyed after a timeout


Search
======
* cfg.limit must be size of current maps section by default (file size?) useful for memory searchs
* add map search doing a search inside the process maps only
* search for head and foot
  - for each head finds a foot and defines block size

Core
====
* Add views/states/.. (S (switch) command) (open multiple files)
  - A view is just a stored copy of the config_t structure
  - and store different states for the same file
  - think on how to allocate new states (linked list of config_t structs)
  - S
    0 /bin/ls 0x0000000 ; comment
    1 /bin/ls 0x0000123 ; comment2
  - S [number]


Tracer
======
* store more info in trace (output of command)
* timeline of a trace |----------------|
  - available as a zoom view
  - in rsc script? - can dump traces on separated files? slow? bloat?
   - single file is better
  - allow to view frame windows inside the timeline
  - extended 'f' and 'F' keys mode
  * List viewer (get offset as index fr cursor, right view shows the
    contents of th selected offset
    - linked list browser
* cmd.trace -> command to execute when tracing
  - trace.log should be parsed insiide radare visual
    (next/next-->prev...)
  - trace extra regs info: (show bytes where they point)
    eax 0x8048484 bytes...
  - blank line means a trace step
  - program_t -> asign name and color
    -> useful to merge graphs of code analysis and code execution
* tracepoints
  - allow to execute a command (!dump?)
    - follow some variables
* colorize traces in vala graphs
* trace graph
  - debug.c -> implement a while(debug_step()) loop to arch_aop() each instruction
    and draw a graph until a breakpoint or ^C
  - creates a program_t graphable with vala


Debugger
========
* Show FPU stack contents
* Support for MMX register manipulation
* dosdebug:// to debug dosemu-based applications
  - semi done..not finished. should be integrated as a plugin
* qemu:// plugin to connect to qemus :D
* windbg:// for serial port (w32 kernel debugger)
* code injector for accessing non GP registers like mmx,
   fp, etc and other's section segments. (%ss, ..)
  off_t value = get_reg_inline("m0");
  - store a struct containing 
	char * register_name;
	uchar *shellcode
  - all shellcodes must be coded and injected in the same way

* make libgdb2fd work

* xrefs does not works for string references
  - make xrefs support base address

===========================================================

TOTHINK
=======
* Add 'e scr.xy' as a replacment for the old 'g' command // XXX no way
* Filesystem support
  * emulate filesystems from a defined seek
  * can be done with losetup? not portable
  * use fuse emulation?
  * use linux kernel emulation?
  * shell with grub-like commands to extract and insert files?
* Implement libcaca/aalib backend for grava! :D
* new search engine allowing AES and RSA key (so...predefined algos for signature searches)
  - must think on! - entropia = 1 en un block (tots numeros primers)
* implement process freze and bootup
* use 'tm' (terminal mixer) to run the target debugged program
   - allows multiple interactives consoles over the program,
     keeping the debugger window clean
   - we need to know the pid of the child process of tm.
   - maybe a debug flag to tm would be nice - i will talk to the author
   - must be hardcoded inside the core
 - handle ^C properly , to allow to stop the process with any signal
* Indentify, parse and show the auxv_t structure
  * LD_AUXV_SHOW=1 /bin/ls before start to debug
  * dbg.auxv = true // WHY?
* output of rsc help should start with ';'
* asm.offset must be for all print modes?
  - renamed to scr.offset?
* Really?
 * define default print format per flags (useful to find strings, code,etc..) :D
* rename -v to -q (quiet or -s silent)
  - cfg.verbose = integer (autosetup scr.color and asm.color)
  - cfg.quiet = false
* make !dump incremental using bindiff (too complicated approach)
  - support to enable full dump (with hashing for reducing sizes)
  - ultra slow ? i should analyze code to enhace this


FileDescriptors
===============
* read/write from/to child filedescriptor
* sniff filedescriptor (dumping to file or socket)
 - using CONTSC ?
 - hooks read/write/ syscalls and gets buf and so
 - can be done in lua
 - !contsc needs lua interface

Random Stuff
============
* use libasm to get metadata from each opcode (why? :)
* Do not use the char '(' in asm.lines. just use - or =
* record radare commands
  - all commands executed within a recording time are stored on a single script file
  - you can later repeat it or edit
  - history control must be back!

* executable offsets // flag command/grep?
  - execute a command on a certain offset
  - show funtion frames and arguments on the fly
  - automatize unpacks and so

* performance counters:
   - inject code into the child process
   - mmap to backup code from the hooked functions
   - each hooked function should do something like:
       [mmap_addr+func_off]++;
   - these counters can be resetted
   - the mmap is only defined once
   - show statistics of time range and the count of times a function
     has been called.

 - timers:
   - inject code into the child process to define from-to zones
   - these from-to zones have an mmap address assigned
   - uses rdtsc to get time

	// 'from' hook
     push eax
     rdtsc
     mov [mmap_addr+my_func], eax
     pop eax

	// 'to' hook
     push eax
     rdtsc
     mov [mmap_addr+my_func+4], eax
     pop eax

   - statistics will show the time spend to run a determined piece of code


Imports:
========
* import pdi-tool from gerardo to inject code
* import esteve's object injector
* import libdwarf
  * http://reality.sgiweb.org/davea/dwarf.html
  * add 'list' gdb -like command
  * parse dwarfdump output in perl

BSD_SYSCALL_PTRACE:
===================

.global foo
foo:
        mov $2, %ebx
        mov $1, %eax
        push %ebx
        push %eax
        int $0x80

mips:
	li $v0, syscall
	li $v1, arg0
	syscall


 ____  ___ ____  ___ ____  ___  ______   ____
|  _ \/   \'   \/   \  _ \/ _ \ \__   | /    \
|    <  V  . T  . V      <   _/ .--'_/ |  ()  |
|_|\__|_|__|___/|_|_|_|\__\___/ |_____(_)____/

/* ONGOING 2.0 */

* full charsets support (search strings in utf8, etc) using iconv
* multithread traces <pid>:<addr>

* implement 'commit' command. delayed write operations with bindiff output
  - using the 'u' command

* pD -> 'decompile or sthg like that'
* search for strings in disassembly
  - pd 1 -> strstr(cons_buffer, mystr)

* next pel debugger (next source line) -- needs dwarf integration?

plugins
 - small plugin descriptor that loads the real plugin
 - avoid unnecesasry library loading (gtk and so)

* total world domination
