radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

radare2 - 'wa' failed to assemble x64 opcode #8251

Closed nixawk closed 7 years ago

nixawk commented 7 years ago
Lab     : Ubuntu 17.04 x64
Kernel  : Linux lab 4.10.0-32-generic #36-Ubuntu SMP Tue Aug 8 12:10:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
code@lab:~/debug$ radare2 -A -a x86 -b 64 -d function_params
Process with PID 26841 started...
= attach 26841 26841
bin.baddr 0x55ab490d5000
USING 55ab490d5000
Assuming filepath /home/code/debug/function_params
asm.bits 64
[x] Analyze all flags starting with sym. and entry0 (aa)
[Cannot determine xref search boundariesr references (aar)
[x] Analyze len bytes of instructions for references (aar)
[Oops invalid rangen calls (aac)
[x] Analyze function calls (aac)
[ ] [*] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan))
[0x7fe8ae6afc20]> afl
0x55ab490d5000    8 409  -> 412  sym.imp.__cxa_finalize
0x55ab490d54f8    3 23           sym._init
0x55ab490d5520    1 16           sub.__cxa_finalize_248_520
0x55ab490d5530    1 43           entry0
0x55ab490d5560    4 50   -> 44   sym.deregister_tm_clones
0x55ab490d55a0    4 66   -> 57   sym.register_tm_clones
0x55ab490d55f0    5 50           sym.__do_global_dtors_aux
0x55ab490d5630    4 48   -> 42   sym.frame_dummy
0x55ab490d5660    1 61           sym.add
0x55ab490d569d    1 48           sym.main
0x55ab490d56d0    4 101          sym.__libc_csu_init
0x55ab490d5740    1 2            sym.__libc_csu_fini
0x55ab490d5744    1 9            sym._fini
0x55ab492d5fd8    1 1020         reloc.__cxa_finalize_216
[0x7fe8ae6afc20]> s sym.main
[0x55ab490d569d]> pdf
            ;-- main:
/ (fcn) sym.main 48
|   sym.main ();
|           ; DATA XREF from 0x55ab490d554d (entry0)
|           0x55ab490d569d      55             push rbp
|           0x55ab490d569e      4889e5         mov rbp, rsp
|           0x55ab490d56a1      41b906000000   mov r9d, 6
|           0x55ab490d56a7      41b805000000   mov r8d, 5
|           0x55ab490d56ad      b904000000     mov ecx, 4
|           0x55ab490d56b2      ba03000000     mov edx, 3
|           0x55ab490d56b7      be02000000     mov esi, 2
|           0x55ab490d56bc      bf01000000     mov edi, 1
|           0x55ab490d56c1      e89affffff     call sym.add
|           0x55ab490d56c6      b800000000     mov eax, 0
|           0x55ab490d56cb      5d             pop rbp
\           0x55ab490d56cc      c3             ret

Issue details

[0x56375e9a769d]> wa?
|Usage: wa[of*] [arg]
| wa nop           write nopcode using asm.arch and asm.bits
| wa* mov eax, 33  show 'wx' op with hexpair bytes of assembled opcode
| "wa nop;nop"     assemble more than one instruction (note the quotes)
| waffoo.asm       assemble file and write bytes
| wao?             show help for assembler operation on current opcode (hack)
[0x55ab490d569d]> "wa push rbp;mov rbp,rsp;mov r9d, 6"
Cannot assemble 'mov r9d, 6' at line 9

function_params.c

// $: gcc -g -o function_params function_params.c

int
add(int a, int b, int c, int d, int e, int f)
{
    int x = 1;
    return a + b + c + d + e + f;
}

int
main()
{
    add(1, 2, 3, 4, 5, 6);
    return 0;
}
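
The assembler error reported above comes down to instruction encoding: mov r9d, 6 is the B8+rd imm32 form, and because r9d is one of the extended registers r8d-r15d it needs a REX.B prefix (0x41) in front of the opcode, which is the case this x86.nz build rejected. The encoder below is an added example written for this page, not radare2 or x86.nz code; it handles only the three instruction forms in the reported wa line (push r64, mov r64, r64 and mov r32, imm32), using the standard Intel register numbering, and reproduces the bytes 554889e541b906000000 that the fixed build writes later in this thread.

```python
# Added example, not radare2 code: a minimal x86-64 encoder for the three
# instruction forms in the reported 'wa' line. Register numbers 0-15 are
# rax,rcx,rdx,rbx,rsp,rbp,rsi,rdi,r8..r15; numbers 8-15 need a REX prefix.
import struct

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
          "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]


def rex(w=0, r=0, x=0, b=0):
    """REX prefix byte 0100WRXB; empty when no bit is set (then it is optional)."""
    val = (w << 3) | (r << 2) | (x << 1) | b
    return bytes([0x40 | val]) if val else b""


def push_r64(reg):
    n = REGS64.index(reg)
    # push r64 is 50+rd; registers 8-15 need REX.B to extend the rd field.
    return rex(b=n >> 3) + bytes([0x50 | (n & 7)])


def mov_r64_r64(dst, src):
    d, s = REGS64.index(dst), REGS64.index(src)
    # 89 /r : MOV r/m64, r64. REX.W selects the 64-bit operand size,
    # REX.R extends the reg field (src), REX.B extends the r/m field (dst).
    modrm = 0xC0 | ((s & 7) << 3) | (d & 7)
    return rex(w=1, r=s >> 3, b=d >> 3) + bytes([0x89, modrm])


def mov_r32_imm32(dst, imm):
    n = REGS32.index(dst)
    # B8+rd id : MOV r32, imm32. r8d-r15d need REX.B, i.e. the 0x41 byte
    # that precedes b9 06 00 00 00 for 'mov r9d, 6'.
    return rex(b=n >> 3) + bytes([0xB8 | (n & 7)]) + struct.pack("<i", imm)


def assemble(line):
    """Assemble a ';'-separated list of the supported instructions to bytes."""
    out = b""
    for ins in line.split(";"):
        parts = ins.replace(",", " ").split()
        mnem, ops = parts[0], parts[1:]
        if mnem == "push" and len(ops) == 1:
            out += push_r64(ops[0])
        elif mnem == "mov" and len(ops) == 2 and ops[0] in REGS64 and ops[1] in REGS64:
            out += mov_r64_r64(ops[0], ops[1])
        elif mnem == "mov" and len(ops) == 2 and ops[0] in REGS32:
            out += mov_r32_imm32(ops[0], int(ops[1], 0))
        else:
            raise ValueError("cannot assemble %r" % ins.strip())
    return out


if __name__ == "__main__":
    code = assemble("push rbp;mov rbp,rsp;mov r9d, 6")
    print("wx " + code.hex())  # wx 554889e541b906000000
```

The same helper encodes the other argument setup instructions in the main listing above (41b805000000 for mov r8d, 5, b904000000 for mov ecx, 4), so it can be used to cross-check what an assembler plugin emits before writing bytes into a live process.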

Maijin commented 7 years ago

Greetings,

x86.nz (x86 handmade assembler) is one of the many x86 assemblers available in radare2 and is updated frequently. Please add a test case so we can fix x86.nz in https://github.com/radare/radare2-regressions/blob/master/t.asm/x86/nz/x86_asm. You can do so with the GitHub web editor without even cloning the repo.

You can contribute to x86.nz by completing the following file: https://github.com/radare/radare2/blob/master/libr/asm/p/asm_x86_nz.c. You can also use keystone (http://keystone-engine.org) within radare2/rasm2 by installing the radare2 plugin via r2pm:

    r2pm -i keystone-lib
    r2pm -i keystone
then
    rasm2 -a x86.ks…
or in a radare2 session
    e asm.assembler = x86.ks

Other x86 assemblers are also available through r2pm or master (see the rasm2 -L list):

a___  16 32 64   x86.as      LGPL3   Intel X86 GNU Assembler
a___  16 32 64   x86.nasm    LGPL3   X86 nasm assembler
a___  16 32 64   x86.nz      LGPL3   x86 handmade assembler
ad__  32         x86.olly    GPL2    OllyDBG X86 disassembler

Maijin commented 7 years ago

Also, ensure you are using radare2 from git; if you're unsure, paste the output of r2 -v here. To install radare2 from git, first uninstall your version of radare2 and clean your distro. Then use git clone https://github.com/radare/radare2 && cd radare2 && ./sys/install.sh, verify your version and check that there is no error using r2 -v.

nixawk commented 7 years ago

Thanks @Maijin. radare2 is updated and compiled again, as follows:

Lab     : Ubuntu 17.04 x64
Kernel  : Linux lab 4.10.0-32-generic #36-Ubuntu SMP Tue Aug 8 12:10:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ git pull https://github.com/radare/radare2/
$ cd radare2
$ sudo ./sys/install.sh
$ radare2 -v
radare2 1.7.0-git 15640 @ linux-x86-64 git.1.6.0-401-gb645c7fd1
commit: b645c7fd1ade3f2b85b0bd255795ef53862292b1 build: 2017-08-22__09:39:22
$ radare2 -V
1.6.0-401-gb645c7fd1  r2
1.6.0-401-gb645c7fd1  r_anal
1.6.0-401-gb645c7fd1  r_lib
1.6.0-401-gb645c7fd1  r_egg
1.6.0-401-gb645c7fd1  r_asm
1.6.0-401-gb645c7fd1  r_bin
1.6.0-401-gb645c7fd1  r_cons
1.6.0-401-gb645c7fd1  r_flag
1.6.0-401-gb645c7fd1  r_core
1.6.0-401-gb645c7fd1  r_crypto
1.6.0-401-gb645c7fd1  r_bp
1.6.0-401-gb645c7fd1  r_debug
1.6.0-401-gb645c7fd1  r_hash
1.6.0-401-gb645c7fd1  r_fs
1.6.0-401-gb645c7fd1  r_io
1.6.0-401-gb645c7fd1  r_magic
1.6.0-401-gb645c7fd1  r_parse
1.6.0-401-gb645c7fd1  r_reg
1.6.0-401-gb645c7fd1  r_sign
1.6.0-401-gb645c7fd1  r_search
1.6.0-401-gb645c7fd1  r_syscall
1.6.0-401-gb645c7fd1  r_util
$ rasm2 -L
_dAe  8 16       6502        LGPL3   6502/NES/C64/Tamagotchi/T-1000 CPU
_dA_  8          8051        PD      8051 Intel CPU
_dA_  16 32      arc         GPL3    Argonaut RISC Core
a___  16 32 64   arm.as      LGPL3   as ARM Assembler (use ARM_AS environment)
adAe  16 32 64   arm         BSD     Capstone ARM disassembler
_dA_  16 32 64   arm.gnu     GPL3    Acorn RISC Machine CPU
_d__  16 32      arm.winedbg LGPL2   WineDBG's ARM disassembler
adAe  8 16       avr         GPL     AVR Atmel
adAe  16 32 64   bf          LGPL3   Brainfuck (by pancake, nibble) v4.0.0
_dA_  16         cr16        LGPL3   cr16 disassembly plugin
_dA_  32         cris        GPL3    Axis Communications 32-bit embedded processor
adA_  32 64      dalvik      LGPL3   AndroidVM Dalvik
ad__  16         dcpu16      PD      Mojang's DCPU-16
_dA_  32 64      ebc         LGPL3   EFI Bytecode
ad__  32         evm         MIT     evm (by pancake) v0.0.1
adAe  16         gb          LGPL3   GameBoy(TM) (z80-like)
_dAe  16         h8300       LGPL3   H8/300 disassembly plugin
_d__  32         hexagon     GPL3    Qualcomm DSPv5
_d__  32         hppa        GPL3    HP PA-RISC
_dAe             i4004       LGPL3   Intel 4004 microprocessor
_dA_  8          i8080       BSD     Intel 8080 CPU
adA_  32         java        Apache  Java bytecode
_d__  32         lanai       GPL3    LANAI
_d__  8          lh5801      LGPL3   SHARP LH5801 disassembler
_d__  32         lm32        BSD     disassembly plugin for Lattice Micro 32 ISA
_d__  16 32      m68k        BSD     Capstone M68K disassembler
_dA_  32         malbolge    LGPL3   Malbolge Ternary VM
_d__  16         mcs96       LGPL3   condrets car
adAe  16 32 64   mips        BSD     Capstone MIPS disassembler
adAe  32 64      mips.gnu    GPL3    MIPS CPU
_dA_  16         msp430      LGPL3   msp430 disassembly plugin
_dA_  32         nios2       GPL3    NIOS II Embedded Processor
_dAe  8          pic18c      LGPL3   pic18c disassembler
_dAe  32 64      ppc         BSD     Capstone PowerPC disassembler
_dA_  32 64      ppc.gnu     GPL3    PowerPC
_dA_  32 64      riscv       GPL     RISC-V
_dAe  32         rsp         LGPL3   Reality Signal Processor
_dA_  32         sh          GPL3    SuperH-4 CPU
_dA_  8 16       snes        LGPL3   SuperNES CPU
_dAe  32 64      sparc       BSD     Capstone SPARC disassembler
_dA_  32 64      sparc.gnu   GPL3    Scalable Processor Architecture
_d__  16         spc700      LGPL3   spc700, snes' sound-chip
_d__  32         sysz        BSD     SystemZ CPU disassembler
_dA_  32         tms320      LGPLv3  TMS320 DSP family (c54x,c55x,c55x+,c64x)
_d__  32         tricore     GPL3    Siemens TriCore CPU
_dAe  32         v810        LGPL3   v810 disassembly plugin
_dAe  32         v850        LGPL3   v850 disassembly plugin
_dAe  8 32       vax         GPL     VAX
_d__  32         wasm        MIT     WebAssembly (by pancake) v0.1.0
_dA_  32         ws          LGPL3   Whitespace esotheric VM
a___  16 32 64   x86.as      LGPL3   Intel X86 GNU Assembler
_dAe  16 32 64   x86         BSD     Capstone X86 disassembler
a___  16 32 64   x86.nasm    LGPL3   X86 nasm assembler
a___  16 32 64   x86.nz      LGPL3   x86 handmade assembler
_dAe  16 32 64   x86.udis    BSD     udis86 x86-16,32,64
_dA_  16         xap         PD      XAP4 RISC (CSR)
_dA_  32         xcore       BSD     Capstone XCore disassembler
_dAe  32         xtensa      GPL3    XTensa CPU
adA_  8          z80         GPL     Zilog Z80
_d__  32         propeller   LGPL3   propeller disassembly plugin

A new issue here: r2 fails to disassemble the opcode.

code@lab:~/debug$ r2 -d function_params
Process with PID 5470 started...
= attach 5470 5470
bin.baddr 0x558a7aba5000
Using 0x558a7aba5000
asm.bits 64
 -- This page intentionally left blank.
[0x7f47aff79c20]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
TODO: esil-vm not initialized
[Cannot determine xref search boundariesr references (aar)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
ptrace (PT_ATTACH): No such process
= attach 3 3
[0x7f47aff79c20]> afl
0x558a7aba54f8    3 23           sym._init
0x558a7aba5520    1 16           sym.imp.__cxa_finalize
0x558a7aba5530    1 43           entry0
0x558a7aba5560    4 50   -> 44   sym.deregister_tm_clones
0x558a7aba55a0    4 66   -> 57   sym.register_tm_clones
0x558a7aba55f0    5 50           sym.__do_global_dtors_aux
0x558a7aba5630    4 48   -> 42   sym.frame_dummy
0x558a7aba5660    1 61           sym.add
0x558a7aba569d    1 48           sym.main
0x558a7aba56d0    4 101          sym.__libc_csu_init
0x558a7aba5740    1 2            sym.__libc_csu_fini
0x558a7aba5744    1 9            sym._fini
0x558a7ada5ad2    1 790          sym.imp.__libc_start_main
0x558a7ada5fd8    1 1020         reloc.__libc_start_main_216
[0x7f47aff79c20]> s sym.main 
[0x558a7aba569d]> pdf
            ;-- main:
/ (fcn) sym.main 48
|   sym.main ();
|              ; DATA XREF from 0x558a7aba554d (entry0)
|           0x558a7aba569d      ff             invalid
|           0x558a7aba569e      ff             invalid
|           0x558a7aba569f      ff             invalid
|           0x558a7aba56a0      ff             invalid
|           0x558a7aba56a1      ff             invalid
|           0x558a7aba56a2      ff             invalid
|           0x558a7aba56a3      ff             invalid
|           0x558a7aba56a4      ff             invalid
|           0x558a7aba56a5      ff             invalid
|           0x558a7aba56a6      ff             invalid
|           0x558a7aba56a7      ff             invalid
|           0x558a7aba56a8      ff             invalid
|           0x558a7aba56a9      ff             invalid

radare commented 7 years ago

Never ever do aaa on the debugger and never ever run it in the dynamic linker, because I doubt you want to analyze the linker.


nixawk commented 7 years ago

Try the following method; radare2 works well.

$ ./sys/static.sh

Thanks @Svenito. #8265 works.

[0x55e48d07a69d]> "wa push rbp;mov rbp,rsp;mov r9d, 6"
Written 10 bytes (push rbp;mov rbp,rsp;mov r9d, 6) = wx 554889e541b906000000
[0x55e48d07a69d]> pdf
            ;-- main:
/ (fcn) sym.main (64 bits) 48
|   sym.main ();
|              ; DATA XREF from 0x55e48d07a54d (entry0)
|           0x55e48d07a69d      55             push ebp
|           0x55e48d07a69e      48             dec eax
|           0x55e48d07a69f      89e5           mov ebp, esp
|           0x55e48d07a6a1      41             inc ecx
|           0x55e48d07a6a2      b906000000     mov ecx, 6
|           0x55e48d07a6a7      41             inc ecx
|           0x55e48d07a6a8      b805000000     mov eax, 5
|           0x55e48d07a6ad      b904000000     mov ecx, 4
|           0x55e48d07a6b2      ba03000000     mov edx, 3
|           0x55e48d07a6b7      be02000000     mov esi, 2
|           0x55e48d07a6bc      bf01000000     mov edi, 1
|           0x55e48d07a6c1      e89affffff     call 0x8d07a660         ; sym.add
|           0x55e48d07a6c6      b800000000     mov eax, 0
|           0x55e48d07a6cb      5d             pop ebp
\           0x55e48d07a6cc      c3             ret
[0x55e48d07a69d]> e asm.pseudo = true
[0x55e48d07a69d]> pdf
            ;-- main:
/ (fcn) sym.main 48
|   sym.main ();
|              ; DATA XREF from 0x55e48d07a54d (entry0)
|           0x55e48d07a69d      55             push rbp
|           0x55e48d07a69e      4889e5         rbp = rsp
|           0x55e48d07a6a1      41b906000000   r9d = 6
|           0x55e48d07a6a7      41b805000000   r8d = 5
|           0x55e48d07a6ad      b904000000     ecx = 4
|           0x55e48d07a6b2      ba03000000     edx = 3
|           0x55e48d07a6b7      be02000000     esi = 2
|           0x55e48d07a6bc      bf01000000     edi = 1
|           0x55e48d07a6c1      e89affffff     sym.add ()
|           0x55e48d07a6c6      b800000000     eax = 0
|           0x55e48d07a6cb      5d             pop rbp
\           0x55e48d07a6cc      c3
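
The two pdf listings above show the same ten bytes read under different operand sizes: the first decodes them as 32-bit code (push ebp; dec eax; mov ebp, esp; inc ecx; mov ecx, 6), the second as the intended 64-bit code (push rbp; mov rbp, rsp; mov r9d, 6). The decoder below is an added example, not radare2's disassembler; it covers only the opcodes present in that listing and takes the bitness as a parameter, which is enough to show why the REX bytes 0x48 and 0x41 turn into dec eax and inc ecx when the bytes are read as 32-bit code. The sample bytes are the ones the wa command above wrote.

```python
# Added example, not radare2 code: a decoder for the handful of opcodes in
# the main() listing, parameterised by operand bitness (32 or 64).
import struct

R64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
       "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
R32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
       "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]

# Bytes written by 'wa push rbp;mov rbp,rsp;mov r9d, 6' in the thread above.
SAMPLE = bytes.fromhex("554889e541b906000000")


def decode(code, bits):
    """Return a list of (offset, hexbytes, text) for the supported subset."""
    if bits not in (32, 64):
        raise ValueError("bits must be 32 or 64")
    out, i = [], 0
    while i < len(code):
        start = i
        rexw = rexr = rexb = 0
        op = code[i]; i += 1
        # 0x40-0x4F is a REX prefix only in 64-bit mode. In 32-bit mode the
        # same bytes are the one-byte inc/dec r32 instructions, which is
        # exactly what the first pdf listing shows for 0x48 and 0x41.
        if bits == 64 and 0x40 <= op <= 0x4F:
            rexw, rexr, rexb = (op >> 3) & 1, (op >> 2) & 1, op & 1
            op = code[i]; i += 1
        if bits == 32 and 0x40 <= op <= 0x4F:
            text = "%s %s" % ("inc" if op < 0x48 else "dec", R32[op & 7])
        elif 0x50 <= op <= 0x57:
            # 50+rd : push r64 (64-bit mode) / push r32 (32-bit mode)
            n = (rexb << 3) | (op & 7)
            text = "push %s" % (R64[n] if bits == 64 else R32[n])
        elif op == 0x89:
            # 89 /r : mov r/m, reg ; operand size is 64 only with REX.W
            modrm = code[i]; i += 1
            if modrm >> 6 != 3:
                raise ValueError("memory operands not supported")
            reg = (rexr << 3) | ((modrm >> 3) & 7)
            rm = (rexb << 3) | (modrm & 7)
            names = R64 if rexw else R32
            text = "mov %s, %s" % (names[rm], names[reg])
        elif 0xB8 <= op <= 0xBF:
            n = (rexb << 3) | (op & 7)
            if rexw:  # REX.W + B8+rd io : mov r64, imm64
                imm = struct.unpack_from("<q", code, i)[0]; i += 8
                text = "mov %s, %d" % (R64[n], imm)
            else:     # B8+rd id : mov r32, imm32
                imm = struct.unpack_from("<i", code, i)[0]; i += 4
                text = "mov %s, %d" % (R32[n], imm)
        else:
            raise ValueError("opcode %#x not supported" % op)
        out.append((start, code[start:i].hex(), text))
    return out


def listing(code, bits):
    """Format decode() output as 'offset  hexbytes  text' lines."""
    return ["%04x  %-14s %s" % (off, hx, txt) for off, hx, txt in decode(code, bits)]


if __name__ == "__main__":
    for bits in (32, 64):
        print("asm.bits %d" % bits)
        print("\n".join(listing(SAMPLE, bits)))
```

In radare2 the operand size used for decoding is the asm.bits setting printed at startup (asm.bits 64 in the sessions above); when a listing of a 64-bit process suddenly shows dec eax or inc ecx in front of mov instructions, that setting is the first thing to check.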