pancake radare

## gist:9450383

** CID 1191329:  Unchecked return value from library (CHECKED_RETURN)
/shlr/gdb/src/core.c: 414 in send_ack()

** CID 1191328:  Unchecked return value from library (CHECKED_RETURN)
/shlr/gdb/src/core.c: 370 in send_vcont()

** CID 1191327:  Unchecked return value from library (CHECKED_RETURN)
/shlr/gdb/src/core.c: 214 in gdbr_read_registers()

## fxos-mail-logcat

I/Gonk    (  125): Setting nice for pid 1184 to 1
I/Gonk    (  125): Changed nice for pid 1184 from 18 to 1.
I/Gecko   (  125): [Parent 125] WARNING: waitpid failed pid:1184 errno:10: file /home/geeksphone/FOS/peak/gecko/ipc/chromium/src/base/process_util_posix.cc, line 254
I/Gonk    (  125): Setting nice for pid 349 to 18
I/Gonk    (  125): Changed nice for pid 349 from 1 to 18.
D/wpa_supplicant( 1304): RTM_NEWLINK: operstate=1 ifi_flags=0x11043 ([UP][RUNNING][LOWER_UP])
D/wpa_supplicant( 1304): RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
D/wpa_supplicant( 1304): nl80211: if_removed already cleared - ignore event
I/GeckoDump( 1184): LOG: pushCard for type: message_list

## RMeta.Add optimization
pancakes-iPhone:~ root# echo q | time r2 iOSApp
 -- I love gradients.
       26.39 real        24.83 user         0.00 sys
pancakes-iPhone:~ root# dpkg -i radare2_0.9.8.git5_iphoneos-arm.deb
(Reading database ... 11662 files and directories currently installed.)
Preparing to replace radare2 0.9.8.git4 (using radare2_0.9.8.git5_iphoneos-arm.deb) ...
Unpacking replacement radare2 ...
Setting up radare2 (0.9.8.git5) ...
pancakes-iPhone:~ root# echo q | time r2 iOSApp
 -- This computer has gone to sleep.

## capstonecrash
[0x00000000]> e asm.arch=arm
[0x00000000]> e asm.bits=32
[0x00000000]> wx 00108100
[0x00000000]> pd 1
==15855== Use of uninitialised value of size 8
==15855==    at 0x5EFF3FE: _ARM_getInstruction (in /var/lib/jenkins/workspace/radare2/libr/anal/libr_anal.so)
==15855==    by 0x5F00642: ARM_getInstruction (in /var/lib/jenkins/workspace/radare2/libr/anal/libr_anal.so)
==15855==    by 0x5ECEBF1: cs_disasm_ex (cs.c:469)
==15855==    by 0x71EEFC0: disassemble (asm_arm_cs.c:31)
==15855==    by 0x7264B67: r_asm_disassemble (asm.c:307)

## gist:5a46a9c2570644a85c9e
==37226== Conditional jump or move depends on uninitialised value(s)
==37226==    at 0x168F2: r_core_cmd (cmd.c:1462)
==37226==    by 0x1602C: r_core_cmd_lines (cmd.c:1490)
==37226==    by 0x161AD: r_core_cmd_file (cmd.c:1518)
==37226==    by 0x100002C7F: main (in /usr/bin/r2)
==37226==
==37226== Conditional jump or move depends on uninitialised value(s)
==37226==    at 0x16952: r_core_cmd (cmd.c:1469)
==37226==    by 0x1602C: r_core_cmd_lines (cmd.c:1490)
==37226==    by 0x161AD: r_core_cmd_file (cmd.c:1518)

## gist:fd1a3ea41d31073311b8
$ r2 -
 -- ASLR stands for Age/Sex/Location/Reverser.
[0x00000000]> ae 2,1,==,%z,zf,=,zf,?{,80,}
zf=0x0
zf=0x0
zf=0x0
StackDump:
 [1] }
 [0] 80
[0x00000000]> ae 1,1,==,%z,zf,=,zf,?{,80,}

## gist:4e5e90338029c41e4818
[pancake@koega ~]$ r2 -qni test.r2 -
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x00050000  2020 2023 2050 6572 7661 7369 7665 204c     # Pervasive L
0x00050010  6973 7465 6e65 720a 7076 7377 2020 2020  istener.pvsw
- 3397568 malloc://512 @ 0x0 ; rw
- 6 /etc/services @ 0x4000 ; r
- 8 /bin/ls @ 0x50000 ; r
file    /bin/ls
fd      8
size    0x1c6c8

## gist:342cefab6b7f732e6638
```
[0x7f90d08b8ce0]> "(foo x,?e $0,?e `ai@$0`)"
[0x7f90d08b8ce0]> .(foo rsp)
rsp
read write flag stack
[0x7f90d08b8ce0]> .(foo rip)
rip
exec read flag
[0x7f90d08b8ce0]>
```

## gist:53e8f89506466376439a
$ grep -re getrandom /usr/include/
/usr/include/bits/syscall.h:#define SYS_getrandom __NR_getrandom
/usr/include/bits/syscall.h:#define SYS_getrandom __NR_getrandom
/usr/include/bits/syscall.h:#define SYS_getrandom __NR_getrandom
/usr/include/asm/unistd_64.h:#define __NR_getrandom 318
/usr/include/asm/unistd_32.h:#define __NR_getrandom 355
/usr/include/asm/unistd_x32.h:#define __NR_getrandom (__X32_SYSCALL_BIT + 318)
/usr/include/linux/random.h: * Flags for getrandom(2)
/usr/include/asm-generic/unistd.h:#define __NR_getrandom 278
/usr/include/asm-generic/unistd.h:__SYSCALL(__NR_getrandom, sys_getrandom)

## gist:2805bd415688398d0023
$ r2 /tmp/tmpuT4fF8.fil
=================================================================
==6926==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001c011 at pc 0x7f6add883c57 bp 0x7fffa5cd87a0 sp 0x7fffa5cd7f48
READ of size 11 at 0x61d00001c011 thread T0
    #0 0x7f6add883c56 in __interceptor_strncpy (/usr/lib/libasan.so.1+0x2ec56)
    #1 0x7f6adc7e50ee in Elf32_r_bin_elf_get_symbols /home/pancake/prg/radare2/libr/..//libr/bin/p/../format/elf/elf.c:1263
    #2 0x7f6adc7d3eac in symbols /home/pancake/prg/radare2/libr/..//libr/bin/p/bin_elf.c:248
    #3 0x7f6adc79d6ef in r_bin_object_set_items /home/pancake/prg/radare2/libr/bin/bin.c:377
    #4 0x7f6adc7a0a49 in r_bin_object_new /home/pancake/prg/radare2/libr/bin/bin.c:855
    #5 0x7f6adc7a16a4 in r_bin_file_new_from_bytes /home/pancake/prg/radare2/libr/bin/bin.c:961

	** CID 1191329: Unchecked return value from library (CHECKED_RETURN)
	/shlr/gdb/src/core.c: 414 in send_ack()

	** CID 1191328: Unchecked return value from library (CHECKED_RETURN)
	/shlr/gdb/src/core.c: 370 in send_vcont()

	** CID 1191327: Unchecked return value from library (CHECKED_RETURN)
	/shlr/gdb/src/core.c: 214 in gdbr_read_registers()

	I/Gonk ( 125): Setting nice for pid 1184 to 1
	I/Gonk ( 125): Changed nice for pid 1184 from 18 to 1.
	I/Gecko ( 125): [Parent 125] WARNING: waitpid failed pid:1184 errno:10: file /home/geeksphone/FOS/peak/gecko/ipc/chromium/src/base/process_util_posix.cc, line 254
	I/Gonk ( 125): Setting nice for pid 349 to 18
	I/Gonk ( 125): Changed nice for pid 349 from 1 to 18.
	D/wpa_supplicant( 1304): RTM_NEWLINK: operstate=1 ifi_flags=0x11043 ([UP][RUNNING][LOWER_UP])
	D/wpa_supplicant( 1304): RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
	D/wpa_supplicant( 1304): nl80211: if_removed already cleared - ignore event
	I/GeckoDump( 1184): LOG: pushCard for type: message_list
	pancakes-iPhone:~ root# echo q \| time r2 iOSApp
	-- I love gradients.
	26.39 real 24.83 user 0.00 sys
	pancakes-iPhone:~ root# dpkg -i radare2_0.9.8.git5_iphoneos-arm.deb
	(Reading database ... 11662 files and directories currently installed.)
	Preparing to replace radare2 0.9.8.git4 (using radare2_0.9.8.git5_iphoneos-arm.deb) ...
	Unpacking replacement radare2 ...
	Setting up radare2 (0.9.8.git5) ...
	pancakes-iPhone:~ root# echo q \| time r2 iOSApp
	-- This computer has gone to sleep.
	[0x00000000]> e asm.arch=arm
	[0x00000000]> e asm.bits=32
	[0x00000000]> wx 00108100
	[0x00000000]> pd 1
	==15855== Use of uninitialised value of size 8
	==15855== at 0x5EFF3FE: _ARM_getInstruction (in /var/lib/jenkins/workspace/radare2/libr/anal/libr_anal.so)
	==15855== by 0x5F00642: ARM_getInstruction (in /var/lib/jenkins/workspace/radare2/libr/anal/libr_anal.so)
	==15855== by 0x5ECEBF1: cs_disasm_ex (cs.c:469)
	==15855== by 0x71EEFC0: disassemble (asm_arm_cs.c:31)
	==15855== by 0x7264B67: r_asm_disassemble (asm.c:307)
	==37226== Conditional jump or move depends on uninitialised value(s)
	==37226== at 0x168F2: r_core_cmd (cmd.c:1462)
	==37226== by 0x1602C: r_core_cmd_lines (cmd.c:1490)
	==37226== by 0x161AD: r_core_cmd_file (cmd.c:1518)
	==37226== by 0x100002C7F: main (in /usr/bin/r2)
	==37226==
	==37226== Conditional jump or move depends on uninitialised value(s)
	==37226== at 0x16952: r_core_cmd (cmd.c:1469)
	==37226== by 0x1602C: r_core_cmd_lines (cmd.c:1490)
	==37226== by 0x161AD: r_core_cmd_file (cmd.c:1518)
	$ r2 -
	-- ASLR stands for Age/Sex/Location/Reverser.
	[0x00000000]> ae 2,1,==,%z,zf,=,zf,?{,80,}
	zf=0x0
	zf=0x0
	zf=0x0
	StackDump:
	[1] }
	[0] 80
	[0x00000000]> ae 1,1,==,%z,zf,=,zf,?{,80,}
	[pancake@koega ~]$ r2 -qni test.r2 -
	- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
	0x00050000 2020 2023 2050 6572 7661 7369 7665 204c # Pervasive L
	0x00050010 6973 7465 6e65 720a 7076 7377 2020 2020 istener.pvsw
	- 3397568 malloc://512 @ 0x0 ; rw
	- 6 /etc/services @ 0x4000 ; r
	- 8 /bin/ls @ 0x50000 ; r
	file /bin/ls
	fd 8
	size 0x1c6c8
	```
	[0x7f90d08b8ce0]> "(foo x,?e $0,?e `ai@$0`)"
	[0x7f90d08b8ce0]> .(foo rsp)
	rsp
	read write flag stack
	[0x7f90d08b8ce0]> .(foo rip)
	rip
	exec read flag
	[0x7f90d08b8ce0]>
	```
	$ grep -re getrandom /usr/include/
	/usr/include/bits/syscall.h:#define SYS_getrandom __NR_getrandom
	/usr/include/bits/syscall.h:#define SYS_getrandom __NR_getrandom
	/usr/include/bits/syscall.h:#define SYS_getrandom __NR_getrandom
	/usr/include/asm/unistd_64.h:#define __NR_getrandom 318
	/usr/include/asm/unistd_32.h:#define __NR_getrandom 355
	/usr/include/asm/unistd_x32.h:#define __NR_getrandom (__X32_SYSCALL_BIT + 318)
	/usr/include/linux/random.h: * Flags for getrandom(2)
	/usr/include/asm-generic/unistd.h:#define __NR_getrandom 278
	/usr/include/asm-generic/unistd.h:__SYSCALL(__NR_getrandom, sys_getrandom)
	$ r2 /tmp/tmpuT4fF8.fil
	=================================================================
	==6926==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001c011 at pc 0x7f6add883c57 bp 0x7fffa5cd87a0 sp 0x7fffa5cd7f48
	READ of size 11 at 0x61d00001c011 thread T0
	#0 0x7f6add883c56 in __interceptor_strncpy (/usr/lib/libasan.so.1+0x2ec56)
	#1 0x7f6adc7e50ee in Elf32_r_bin_elf_get_symbols /home/pancake/prg/radare2/libr/..//libr/bin/p/../format/elf/elf.c:1263
	#2 0x7f6adc7d3eac in symbols /home/pancake/prg/radare2/libr/..//libr/bin/p/bin_elf.c:248
	#3 0x7f6adc79d6ef in r_bin_object_set_items /home/pancake/prg/radare2/libr/bin/bin.c:377
	#4 0x7f6adc7a0a49 in r_bin_object_new /home/pancake/prg/radare2/libr/bin/bin.c:855
	#5 0x7f6adc7a16a4 in r_bin_file_new_from_bytes /home/pancake/prg/radare2/libr/bin/bin.c:961