radareorg/radare2

Cs help info is misleading or it does not work as stated in help

Open

#9,999 建立於 2018年5月2日

在 GitHub 查看
 (2 留言) (0 反應) (0 負責人)C (23,826 star) (3,229 fork)batch import
consoleuigood first issue

描述

Work environment

Questions Answers
OS/arch/bits (mandatory) macOS x86_64
File format of the file you reverse (mandatory) PE
Architecture/bits of the file (mandatory) x86/32
r2 -v full output, not truncated (mandatory) radare2 2.6.0-git 18048 @ darwin-x86-64 git.2.5.0-160-gd774f579a, commit: d774f579ac9a1c68cbe2c8fdba7f615921caa78b build: 2018-05-02__07:25:51

Expected behavior

Cs should correctly create a string

Actual behavior

radare2 hangs

Steps to reproduce the behavior

If we check the Cs? command we can see that we can use Cs like this:

| Cs [size] @addr add string (guess latin1/utf16le) but when executed like this:

Cs 31 0x401034 it hangs the r2.

  1. r2 EsetCrackMe2015.exe (Dropbox link)
  2. Navigate to data to be converted to string s 0x401034
  3. Execute Cs command like help suggests Cs 31 0x401034
  4. Observe r2 hangs

Additional Logs, screenshots, source-code, configuration dump, ...

A bit of invesitgation done and it looks like the code that handles this cmd (libr/core/cmd_meta.c) treats the 3rd paramter as a repeat counter and not the address location.

The code in question is in mentioned file in lines 658-665.

char *rep = strchr (input + len, '[');
if (!rep) {
	rep = strchr (input + len, ' ');
	}
if (rep) {
	repeat = r_num_math (core->num, rep + 1);
}

We can see that the third argument is parsed and set as reapet variable and later it's used as an condition for exiting the while-loop. Having this knowledge it's obvious that r2 hangs as it tries to repeat the action 0x401034 times.

Not sure if my understanding of this command usage is wrong, help message is not updated or the code is not working as it should according to the spec.

Also noticed additional (if think) wrong behavior, if the third parameter is something that's not parsable as number it will be set as the string itself (which is weird).

I.e. Cs 31 @0x401034 will put in the current location the string "Error". (https://asciinema.org/a/Tv9uMsuYlUYqwfQ5zJ8gSATEJ)

Note, that the address-less form (Cs 31) of this command works as expected.

貢獻者指南

技術棧
c
領域
clisecurity
議題類型
bug
難度面向新貢獻者的預計實作難度,1 表示很小改動,5 表示專家級工作。
2
預計時間有經驗貢獻者完成調查、實作、測試並準備 pull request 的粗略時間範圍。
1-3 hours
活動狀態議題目前的可參與程度:新鮮、活躍、陳舊、阻塞或等待維護者輸入。
stale
清晰度議題是否清楚說明預期改動、驗收標準和下一步。
clear
前置要求
C programmingradare2 build system
新手友善度1-100 的估計分數,表示該議題對首次貢獻者的友善程度。
60
研究方向
The issue identifies the problematic code in libr/core/cmd meta.c lines 658-665, where the third argument to `Cs` is parsed as a repeat counter instead of an address. The fix should either modify the parsing to treat the third argument as an address (e.g., using `r num math` with an '@' prefix), or update the help string to accurately reflect the current behavior. Examine how other commands handle address arguments for consistency. Additionally, verify if the behavior with a non numeric third argument (which sets the string itself) is intended.