Cs help info is misleading or it does not work as stated in help

[pawlos]

Work environment

Questions	Answers
OS/arch/bits (mandatory)	macOS x86_64
File format of the file you reverse (mandatory)	PE
Architecture/bits of the file (mandatory)	x86/32
r2 -v full output, not truncated (mandatory)	radare2 2.6.0-git 18048 @ darwin-x86-64 git.2.5.0-160-gd774f579a, commit: d774f57 build: 2018-05-02__07:25:51

Expected behavior

Cs should correctly create a string

Actual behavior

radare2 hangs

Steps to reproduce the behavior

If we check the Cs? command we can see that we can use Cs like this:

| Cs [size] @addr add string (guess latin1/utf16le)
but when executed like this:

Cs 31 0x401034 it hangs the r2.

1. r2 EsetCrackMe2015.exe (Dropbox link)
2. Navigate to data to be converted to string s 0x401034
3. Execute Cs command like help suggests Cs 31 0x401034
4. Observe r2 hangs

Additional Logs, screenshots, source-code, configuration dump, ...

A bit of invesitgation done and it looks like the code that handles this cmd (libr/core/cmd_meta.c) treats the 3rd paramter as a repeat counter and not the address location.

The code in question is in mentioned file in lines 658-665.

char *rep = strchr (input + len, '[');
if (!rep) {
	rep = strchr (input + len, ' ');
	}
if (rep) {
	repeat = r_num_math (core->num, rep + 1);
}

We can see that the third argument is parsed and set as reapet variable and later it's used as an condition for exiting the while-loop. Having this knowledge it's obvious that r2 hangs as it tries to repeat the action 0x401034 times.

Not sure if my understanding of this command usage is wrong, help message is not updated or the code is not working as it should according to the spec.

Also noticed additional (if think) wrong behavior, if the third parameter is something that's not parsable as number it will be set as the string itself (which is weird).

I.e. Cs 31 @0x401034 will put in the current location the string "Error". (https://asciinema.org/a/Tv9uMsuYlUYqwfQ5zJ8gSATEJ)

Note, that the address-less form (Cs 31) of this command works as expected.

[pawlos]

@XVilka thanks for tagging this, if it's a good first issue I might consider doing it, but I'm still missing what should be the expected behavior here? Is the help message of Cs wrong? Or the code should change to make use the third parameter as addr and not as repeat counter?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. Considering a lot has changed since its creation, we kindly ask you to check again if the issue you reported is still relevant in the current version of radare2. If it is, update this issue with a comment, otherwise it will be automatically closed if no further activity occurs. Thank you for your contributions.