radareorg/radare2

Cs help info is misleading or it does not work as stated in help

Open

#9,999 创建于 2018年5月2日

在 GitHub 查看
 (2 评论) (0 反应) (0 负责人)C (23,826 star) (3,229 fork)batch import
consoleuigood first issue

描述

Work environment

Questions Answers
OS/arch/bits (mandatory) macOS x86_64
File format of the file you reverse (mandatory) PE
Architecture/bits of the file (mandatory) x86/32
r2 -v full output, not truncated (mandatory) radare2 2.6.0-git 18048 @ darwin-x86-64 git.2.5.0-160-gd774f579a, commit: d774f579ac9a1c68cbe2c8fdba7f615921caa78b build: 2018-05-02__07:25:51

Expected behavior

Cs should correctly create a string

Actual behavior

radare2 hangs

Steps to reproduce the behavior

If we check the Cs? command we can see that we can use Cs like this:

| Cs [size] @addr add string (guess latin1/utf16le) but when executed like this:

Cs 31 0x401034 it hangs the r2.

  1. r2 EsetCrackMe2015.exe (Dropbox link)
  2. Navigate to data to be converted to string s 0x401034
  3. Execute Cs command like help suggests Cs 31 0x401034
  4. Observe r2 hangs

Additional Logs, screenshots, source-code, configuration dump, ...

A bit of invesitgation done and it looks like the code that handles this cmd (libr/core/cmd_meta.c) treats the 3rd paramter as a repeat counter and not the address location.

The code in question is in mentioned file in lines 658-665.

char *rep = strchr (input + len, '[');
if (!rep) {
	rep = strchr (input + len, ' ');
	}
if (rep) {
	repeat = r_num_math (core->num, rep + 1);
}

We can see that the third argument is parsed and set as reapet variable and later it's used as an condition for exiting the while-loop. Having this knowledge it's obvious that r2 hangs as it tries to repeat the action 0x401034 times.

Not sure if my understanding of this command usage is wrong, help message is not updated or the code is not working as it should according to the spec.

Also noticed additional (if think) wrong behavior, if the third parameter is something that's not parsable as number it will be set as the string itself (which is weird).

I.e. Cs 31 @0x401034 will put in the current location the string "Error". (https://asciinema.org/a/Tv9uMsuYlUYqwfQ5zJ8gSATEJ)

Note, that the address-less form (Cs 31) of this command works as expected.

贡献者指南

技术栈
c
领域
clisecurity
议题类型
bug
难度面向新贡献者的预计实现难度,1 表示很小改动,5 表示专家级工作。
2
预计时间有经验贡献者完成调查、实现、测试并准备 pull request 的粗略时间范围。
1-3 hours
活动状态议题当前的可参与程度:新鲜、活跃、陈旧、阻塞或等待维护者输入。
stale
清晰度议题是否清楚说明期望改动、验收标准和下一步。
clear
前置要求
C programmingradare2 build system
新手友好度1-100 的估计分数,表示该议题对首次贡献者的友好程度。
60
研究方向
The issue identifies the problematic code in libr/core/cmd meta.c lines 658-665, where the third argument to `Cs` is parsed as a repeat counter instead of an address. The fix should either modify the parsing to treat the third argument as an address (e.g., using `r num math` with an '@' prefix), or update the help string to accurately reflect the current behavior. Examine how other commands handle address arguments for consistency. Additionally, verify if the behavior with a non numeric third argument (which sets the string itself) is intended.