fix: correct qemu usage, harden gdb wrappers and release fetches

- Dockerfile: bake libc6-{armhf,arm64}-cross sysroots so qemu-user -L
  works for dynamic ARM/AARCH64 binaries without per-container apt-get.
  Also guard GitHub release fetches: only send Authorization header when
  a token is actually present (avoids empty 'token ' header on anon
  rebuilds, which can trigger rate-limit edge cases).
- config/gdb-{pwndbg,gef,peda}: add -nx to skip system/user/CWD .gdbinit
  so the explicit -x plugin load is deterministic, and a malicious
  .gdbinit in a challenge directory cannot auto-execute.
- README.md: replace nonexistent 'qemu-user' command with real binaries
  (qemu-arm, qemu-aarch64), document new sysroot setup, split static vs
  dynamic vs gdbserver examples, fix history count (78 not 97), refresh
  stale weekly tag placeholder.
- config/zsh_history: same qemu binary fix.
- CLAUDE.md: document cross-libc bake decision.
- .gitignore: ignore .omc/ workspace.

Author: gl0bal01

.gitignore

@@ -31,3 +31,6 @@ venv/
 *.tar.gz
 *.tar.xz
 *.zip
+
+# oh-my-claudecode workspace
+.omc/

CLAUDE.md

@@ -28,7 +28,7 @@ Single `Dockerfile` with 13 logical layers, organized by purpose:
 
 | Layer | Contents |
 |---|---|
-| 1. Base | Ubuntu 24.04, system deps, multilib, X11/GL, JDK 21, QEMU user-mode, wabt, neovim, upx, p7zip |
+| 1. Base | Ubuntu 24.04, system deps, multilib, X11/GL, JDK 21, QEMU user-mode + arm/aarch64 cross-libc sysroots, wabt, neovim, upx, p7zip |
 | 2-4. Python | pwntools, angr, qiling, ropper, ROPgadget, binary-refinery, frida-tools, unblob (pipx). Libraries (capstone, keystone, unicorn, z3, yara, r2pipe) injected into pwntools venv |
 | 5. Pip/Manual | binwalk, hash-identifier, opengrep |
 | 6. Ruby | one_gadget, seccomp-tools |
@@ -60,3 +60,4 @@ Single `Dockerfile` with 13 logical layers, organized by purpose:
 - **`CTF_UID`/`CTF_GID` build args** — default 1000 to match most Linux hosts; avoids X11 socket permission issues
 - **`openjdk-21-jdk` (not headless)** — Ghidra needs AWT/Swing for its GUI
 - **`--cap-add=SYS_PTRACE`** — required at runtime for GDB to attach to processes
+- **`libc6-{armhf,arm64}-cross` baked in** — provides `/usr/arm-linux-gnueabihf` and `/usr/aarch64-linux-gnu` sysroots for `qemu-user -L`. Avoids per-container `apt-get` (broken in air-gapped CTF env) at ~50-80 MB cost

Dockerfile

@@ -27,6 +27,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
         libxkbcommon-x11-0 libxkbcommon0 \
         openjdk-21-jdk \
         qemu-user qemu-user-static \
+        libc6-armhf-cross libc6-arm64-cross \
         llvm clang lld \
         python3 python3-dev python3-pip python3-venv pipx \
         ruby-dev
@@ -59,7 +60,8 @@ RUN git clone --depth=1 https://github.com/blackploit/hash-identifier /opt/hash-
 
 RUN --mount=type=secret,id=github_token \
     tok=$(cat /run/secrets/github_token 2>/dev/null || true); \
-    url=$(curl -fsSL -H "Authorization: token ${tok}" https://api.github.com/repos/opengrep/opengrep/releases/latest \
+    curl_auth=(); [ -z "$tok" ] || curl_auth=(-H "Authorization: token ${tok}"); \
+    url=$(curl -fsSL "${curl_auth[@]}" https://api.github.com/repos/opengrep/opengrep/releases/latest \
         | jq -er '.assets[] | select(.name == "opengrep_manylinux_x86") | .browser_download_url' | head -1); \
     [ -n "$url" ] || { echo "ERROR: opengrep asset URL not found"; exit 1; }; \
     wget -qO /usr/local/bin/opengrep "$url"; \
@@ -102,7 +104,8 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 # Cutter (rizin GUI) — extracted AppImage for Docker compatibility
 RUN --mount=type=secret,id=github_token \
     tok=$(cat /run/secrets/github_token 2>/dev/null || true); \
-    url=$(curl -fsSL -H "Authorization: token ${tok}" https://api.github.com/repos/rizinorg/cutter/releases/latest \
+    curl_auth=(); [ -z "$tok" ] || curl_auth=(-H "Authorization: token ${tok}"); \
+    url=$(curl -fsSL "${curl_auth[@]}" https://api.github.com/repos/rizinorg/cutter/releases/latest \
         | jq -er '.assets[] | select(.name | test("Linux-x86_64\\.AppImage$")) | .browser_download_url' | head -1); \
     [ -n "$url" ] || { echo "ERROR: Cutter asset URL not found"; exit 1; }; \
     wget -qO /tmp/cutter.AppImage "$url"; \
@@ -117,7 +120,8 @@ RUN --mount=type=secret,id=github_token \
 # Ghidra (platform-independent zip)
 RUN --mount=type=secret,id=github_token \
     tok=$(cat /run/secrets/github_token 2>/dev/null || true); \
-    url=$(curl -fsSL -H "Authorization: token ${tok}" https://api.github.com/repos/NationalSecurityAgency/ghidra/releases/latest \
+    curl_auth=(); [ -z "$tok" ] || curl_auth=(-H "Authorization: token ${tok}"); \
+    url=$(curl -fsSL "${curl_auth[@]}" https://api.github.com/repos/NationalSecurityAgency/ghidra/releases/latest \
         | jq -er '.assets[] | select(.name | endswith(".zip")) | select(.name | test("PUBLIC")) | .browser_download_url' | head -1); \
     [ -n "$url" ] || { echo "ERROR: Ghidra asset URL not found"; exit 1; }; \
     wget -qO /tmp/ghidra.zip "$url"; \
@@ -132,7 +136,8 @@ RUN --mount=type=secret,id=github_token \
 RUN --mount=type=secret,id=github_token \
     mkdir -p /opt/retdec; \
     tok=$(cat /run/secrets/github_token 2>/dev/null || true); \
-    url=$(curl -fsSL -H "Authorization: token ${tok}" https://api.github.com/repos/avast/retdec/releases/latest \
+    curl_auth=(); [ -z "$tok" ] || curl_auth=(-H "Authorization: token ${tok}"); \
+    url=$(curl -fsSL "${curl_auth[@]}" https://api.github.com/repos/avast/retdec/releases/latest \
         | jq -er '.assets[] | select(.name | test("[Ll]inux.*tar")) | .browser_download_url' | head -1); \
     [ -n "$url" ] || { echo "ERROR: retdec asset URL not found"; exit 1; }; \
     wget -qO /tmp/retdec.tar.xz "$url"; \
@@ -164,7 +169,8 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
     --mount=type=secret,id=github_token \
     tok=$(cat /run/secrets/github_token 2>/dev/null || true); \
-    url=$(curl -fsSL -H "Authorization: token ${tok}" https://api.github.com/repos/WerWolv/ImHex/releases/latest \
+    curl_auth=(); [ -z "$tok" ] || curl_auth=(-H "Authorization: token ${tok}"); \
+    url=$(curl -fsSL "${curl_auth[@]}" https://api.github.com/repos/WerWolv/ImHex/releases/latest \
         | jq -er '.assets[] | select(.name | test("Ubuntu.*24\\.04.*\\.deb$")) | .browser_download_url' | head -1); \
     [ -n "$url" ] || { echo "ERROR: ImHex asset URL not found"; exit 1; }; \
     wget -qO /tmp/imhex.deb "$url"; \
@@ -176,7 +182,8 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 # pycdc (pre-built from decompyle-builds)
 RUN --mount=type=secret,id=github_token \
     tok=$(cat /run/secrets/github_token 2>/dev/null || true); \
-    meta=$(curl -fsSL -H "Authorization: token ${tok}" https://api.github.com/repos/extremecoders-re/decompyle-builds/releases/latest); \
+    curl_auth=(); [ -z "$tok" ] || curl_auth=(-H "Authorization: token ${tok}"); \
+    meta=$(curl -fsSL "${curl_auth[@]}" https://api.github.com/repos/extremecoders-re/decompyle-builds/releases/latest); \
     url_pycdc=$(echo "$meta" | jq -er '.assets[] | select(.name == "pycdc.x86_64") | .browser_download_url' | head -1); \
     url_pycdas=$(echo "$meta" | jq -er '.assets[] | select(.name == "pycdas.x86_64") | .browser_download_url' | head -1); \
     [ -n "$url_pycdc" ] && [ -n "$url_pycdas" ] || { echo "ERROR: pycdc/pycdas asset URLs not found"; exit 1; }; \
@@ -218,7 +225,8 @@ RUN git clone --depth=1 https://github.com/niklasb/libc-database /opt/libc-datab
 # pwninit
 RUN --mount=type=secret,id=github_token \
     tok=$(cat /run/secrets/github_token 2>/dev/null || true); \
-    url=$(curl -fsSL -H "Authorization: token ${tok}" https://api.github.com/repos/io12/pwninit/releases/latest \
+    curl_auth=(); [ -z "$tok" ] || curl_auth=(-H "Authorization: token ${tok}"); \
+    url=$(curl -fsSL "${curl_auth[@]}" https://api.github.com/repos/io12/pwninit/releases/latest \
         | jq -er '.assets[] | select(.name == "pwninit") | .browser_download_url' | head -1); \
     [ -n "$url" ] || { echo "ERROR: pwninit asset URL not found"; exit 1; }; \
     wget -qO /usr/local/bin/pwninit "$url"; \

README.md

@@ -33,7 +33,7 @@ docker run -it --rm --cap-add=SYS_PTRACE \
 docker build --build-arg CTF_UID=$(id -u) --build-arg CTF_GID=$(id -g) -t pwndocker-reverse .
 ```
 
-You land in `/ctf` as user `ctf` with sudo, oh-my-zsh, and 97 pre-loaded history entries searchable via Ctrl+R.
+You land in `/ctf` as user `ctf` with sudo, oh-my-zsh, and 78 pre-loaded history entries searchable via Ctrl+R.
 
 ## Reproducibility & Verification
 
@@ -44,7 +44,7 @@ The image is **rebuilt every Monday** from `master` so `latest` stays fresh agai
 docker pull ghcr.io/gl0bal01/pwndocker-reverse:latest
 
 # Dated weekly snapshot — fresh but frozen, good for a CTF weekend
-docker pull ghcr.io/gl0bal01/pwndocker-reverse:weekly-20260406
+docker pull ghcr.io/gl0bal01/pwndocker-reverse:weekly-20260427    # replace with latest weekly-YYYYMMDD tag
 
 # Immutable digest — fully reproducible, pin this in team setups / scripts
 docker pull ghcr.io/gl0bal01/pwndocker-reverse@sha256:<digest>
@@ -76,7 +76,7 @@ docker buildx imagetools inspect ghcr.io/gl0bal01/pwndocker-reverse:latest --for
 | **Analysis** | binary-refinery, opengrep, hash-identifier |
 | **Networking** | socat, ncat, tcpdump, tshark, nmap |
 | **Editors** | vim, neovim |
-| **System** | QEMU user-mode, wabt, gdb-multiarch, p7zip, oh-my-zsh |
+| **System** | QEMU user-mode (+ arm/aarch64 cross-libc sysroots), wabt, gdb-multiarch, p7zip, oh-my-zsh |
 
 ## Usage
 
@@ -176,9 +176,19 @@ libc-dump ./libc.so.6 system __free_hook
 
 ### Emulation
 
+ARM and AARCH64 cross-libc sysroots are pre-installed, so dynamic binaries run out of the box.
+
 ```bash
-qemu-user -L /usr/arm-linux-gnueabihf ./arm_binary
-qemu-user -g 1234 ./binary    # start with GDB server on port 1234
+# Static binaries: no sysroot needed
+qemu-arm ./arm_static_binary
+qemu-aarch64 ./aarch64_static_binary
+
+# Dynamic binaries: -L points at the cross-libc sysroot baked into the image
+qemu-arm     -L /usr/arm-linux-gnueabihf ./arm_binary
+qemu-aarch64 -L /usr/aarch64-linux-gnu   ./aarch64_binary
+
+# Run under GDB server on :1234, then attach with `gdb-multiarch -ex 'target remote :1234'`
+qemu-aarch64 -g 1234 -L /usr/aarch64-linux-gnu ./aarch64_binary
 ```
 
 ### Networking
@@ -192,7 +202,7 @@ tshark -r capture.pcap                                  # analyze pcap
 
 ## Pre-Populated History
 
-Hit Ctrl+R and search. 97 commands covering all installed tools are already in your history -- no need to remember syntax.
+Hit Ctrl+R and search. 78 commands covering all installed tools are already in your history -- no need to remember syntax.
 
 ## Project Structure
 

config/gdb-gef

@@ -1,2 +1,2 @@
 #!/bin/bash
-exec gdb -q -x /etc/gdb/gdbinit.d/init-plugins -ex init-gef "$@"
+exec gdb -q -nx -x /etc/gdb/gdbinit.d/init-plugins -ex init-gef "$@"

config/gdb-peda

@@ -1,2 +1,2 @@
 #!/bin/bash
-exec gdb -q -x /etc/gdb/gdbinit.d/init-plugins -ex init-peda "$@"
+exec gdb -q -nx -x /etc/gdb/gdbinit.d/init-plugins -ex init-peda "$@"

config/gdb-pwndbg

@@ -1,2 +1,2 @@
 #!/bin/bash
-exec gdb -q -x /etc/gdb/gdbinit.d/init-plugins -ex init-pwndbg "$@"
+exec gdb -q -nx -x /etc/gdb/gdbinit.d/init-plugins -ex init-pwndbg "$@"

config/zsh_history

@@ -93,5 +93,5 @@ tcpdump -i any -w capture.pcap
 tshark -r capture.pcap
 
 # === Emulation ===
-qemu-user -L /usr/arm-linux-gnueabihf ./binary
-qemu-user -g 1234 ./binary
+qemu-arm -L /usr/arm-linux-gnueabihf ./arm_binary
+qemu-aarch64 -g 1234 -L /usr/aarch64-linux-gnu ./aarch64_binary