dmp -> ERROR: r_egg_assemble: invalid assembly

[plsph]

Environment

# copypaste this script into your shell and replace it with the output
nie, 4 lut 2024, 15:57:41 CET
radare2 5.8.9 32366 @ linux-x86-64
birth: git.5.8.8-1023-g7180005db0 2024-01-21__21:27:20
commit: 7180005db00811c5690e534556f36de5d14e8dfa
options: gpl -O? cs:5 cl:2 make
Linux x86_64

Description

dmp fails:
[0x55c6c3eb7d20]> dmp 0x00007f914f81f000 8k rwx
ERROR: Cannot assemble 'mov rax, 7' at line 3
ERROR: r_asm_massemble has failed
.global main
main:

rcc_fun 1 (sc)

mov rax, 7
push rax
mov rax, 8192
push rax
mov rax, 0x7f914f81f000
push rax

set syscall args

mov rdi, [rsp]
mov rsi, [rsp+8]
mov rdx, [rsp+16]

syscall

mov rax, 10
syscall
add rsp, 24
int3
ret

ERROR: r_egg_assemble: invalid assembly

Probably due to:
egg->rasm->analb not initialized properly
It doesn't go into
if (a->analb.anal) { #./libr/asm/asm.c:504
when stage == 4 and then failes due to no assembly code generated.

#0 r_asm_assemble (a=0x563367020600, op=0x7ffdb10c6bc0, buf=0x5633670e5c10 "mov rax, 7") at asm.c:518
(gdb) p *a
$2 = {arch = 0x0, config = 0x55dbd5dc4700, pc = 0, user = 0x0, ecur = 0x0, dcur = 0x0, plugins = 0x55dbd5dc46d0, analb = {anal = 0x0, get_fcn_in = 0x0, get_hint = 0x0, mnemonics = 0x0, encode = 0x0,
decode = 0x0, opinit = 0x0, opfini = 0x0, use = 0x0}, ifilter = 0x0, ofilter = 0x0, pair = 0x0, syscall = 0x0, num = 0x0, dataalign = 1, codealign = 1, flags = 0x55dbd5f44910, pseudo = false,
parse = 0x55dbd5dc4790}

Full bt:
#0 r_asm_massemble (a=0x563367020600,
assembly=0x5633671018f0 "\n.global main\nmain:\n# rcc_fun 1 (sc)\n mov rax, 7\n push rax\n mov rax, 8192\n push rax\n mov rax, 0x7f946c781000\n push rax\n# set syscall args\n mov rdi, [rsp]\n mov rsi, [rsp+8]\n mov rdx, [rsp+16]\n"...) at asm.c:972
#1 0x00007f2cb233e230 in r_egg_assemble_asm (egg=0x563367014f10, asm_list=0x0) at egg.c:368
#2 0x00007f2cb233e345 in r_egg_assemble (egg=0x563367014f10) at egg.c:385
#3 0x00007f2cb2a5ecc1 in r_debug_native_map_protect (dbg=0x563367014b70, addr=140275451695104, size=8192, perms=7) at p/debug_native.c:1592
#4 0x00007f2cb2a4b708 in r_debug_map_protect (dbg=0x563367014b70, addr=140275451695104, size=8192, perms=7) at debug.c:1717
#5 0x00007f2cb24b3c6f in cmd_debug_map (core=0x7f2cb0ebc010, input=0x5633674dd222 "p 0x00007f946c781000") at /home/plsph/git/radare2/libr/core/cmd_debug.inc.c:1643
#6 0x00007f2cb24c45bf in cmd_debug (data=0x7f2cb0ebc010, input=0x5633674dd221 "mp 0x00007f946c781000") at /home/plsph/git/radare2/libr/core/cmd_debug.inc.c:5699
#7 0x00007f2cb25f873b in r_cmd_call (cmd=0x563367012d40, input=0x5633674dd220 "dmp 0x00007f946c781000") at cmd_api.c:520
#8 0x00007f2cb258dd99 in r_core_cmd_subst_i (core=0x7f2cb0ebc010, cmd=0x5633674dd220 "dmp 0x00007f946c781000", colon=0x0, tmpseek=0x7ffdb10c8bb4) at cmd.c:5055
#9 0x00007f2cb258929e in r_core_cmd_subst (core=0x7f2cb0ebc010, cmd=0x5633674dd220 "dmp 0x00007f946c781000") at cmd.c:3862
#10 0x00007f2cb25912ec in run_cmd_depth (core=0x7f2cb0ebc010, cmd=0x5633674dfc50 "dmp 0x00007f946c781000 8k rwx") at cmd.c:6004
#11 0x00007f2cb2591855 in r_core_cmd (core=0x7f2cb0ebc010, cstr=0x563367102df0 "dmp 0x00007f946c781000 8k rwx", log=true) at cmd.c:6097
#12 0x00007f2cb249866c in r_core_prompt_exec (r=0x7f2cb0ebc010) at core.c:3684
#13 0x00007f2cb2497b03 in r_core_prompt_loop (r=0x7f2cb0ebc010) at core.c:3499
#14 0x00007f2cb2c45cb8 in r_main_radare2 (argc=3, argv=0x7ffdb10c91f8) at radare2.c:1805
#15 0x0000563366e357ea in main (argc=3, argv=0x7ffdb10c91f8) at radare2.c:118

Test

radare2 -d /bin/ls
aaa
db main
dc
dm
dmp addr size perm

[trufae]

$ r2 -a x86 -b64 -qc 'dmp addr size perm' --
ERROR: stdin:2 Nesting of expressions not yet supported
ERROR: Cannot assemble 'mov rax, nil' at line 3
ERROR: r_asm_massemble has failed 
.global main
main:
# rcc_fun 1 (sc)
  mov rax, nil
  push rax
# set syscall args
  mov rdi, [rsp]
# syscall
 mov rax, 10
 syscall
  add rsp, 8
int3
  ret


ERROR: r_egg_assemble: invalid assembly

the error can be reproduced like this tool. even if the debugger is needed to inejct the payload, the failure happens earlier. so we can have a test for this at least.

And yes. the bug seems to be related to what you are refering, and this was probably a regression introduced when rarch joined the game, and no test was using egg. actually it will be good to have this functionality under 'g' so we can use it i static too.

do you want to give it a try and fix it + add a test?

[trufae]

anyway i think i just fixed this issue in the fixi branch. i have some more fixes in mind and i shuold add more tests later. but at least the asm instance inside the debug's egg is now able to use the anal bind \o/