AArch64 - wa write assembly instruction gives wrong results

[MatejKastak]

Work environment

Questions	Answers
OS/arch/bits (mandatory)	Linux kali 4.14.71-v8 #1 SMP PREEMPT Wed Oct 31 21:41:06 UTC 2018 aarch64 GNU/Linux
File format of the file you reverse (mandatory)	ELF
Architecture/bits of the file (mandatory)	ARMv8-A AArch64
r2 -v full output, not truncated (mandatory)	radare2 3.6.0-git 21712 @ linux-arm-64 git.3.5.0-9-g34f2f9f25 commit: 34f2f9f build: 2019-05-13__16:01:05

Expected behavior

I was using the wa ( wa write opcode, separated by ';' (use '"' around the command) command to write a instruction to binary that I am debugging. It seems like the assembler is giving the wrong results.

1. Write the instruction wa add x0, x1, #3
2. Step the debugger ds
3. The written instruction should be add x0, x1, #3 (but its add x0, x1, #0)
4. Print the registers drj and see x0 == 3 (given everything is zero)

I tried this also on x86 and it seems to work.

Actual behavior

For example:
wa add x0, x1, #3 -> "add x0, x1, #0"
wa neg x0, x1 -> Cannot assemble 'neg x0, x1' at line 3
wa sub x0, xzr, x1 -> "sub x0, x0, x1"

Steps to reproduce the behavior

root@kali:[insrunner]# r2 -d source
Process with PID 18235 started...
= attach 18235 18235
bin.baddr 0x00400000
Using 0x400000
asm.bits 64
 -- (gdb) ^D
[0x00400078]> dr pc = main
0x00400078 ->0x00400078
[0x00400078]> s main
[0x00400078]> wa add x0, x1, #3
Written 4 byte(s) (add x0, x1, #3) = wx 20000091
[0x00400078]> pd 1 @ pc
            ;-- main:
            ;-- entry0:
            ;-- section..text:
            ;-- .text:
            ;-- $d:
            ;-- __start:
            ;-- _start:
            ;-- pc:
            0x00400078      20000091       add x0, x1, 0               ; [01] -r-x section size 512 named .text
[0x00400078]> ds
[0x00400078]> drj
{"x0":0,"x1":0,"x2":0,"x3":0,"x4":0,"x5":0,"x6":0,"x7":0,"x8":0,"x9":0,"x10":0,"x11":0,"x12":0,"x13":0,"x14":0,"x15":0,"x16":0,"x17":0,"x18":0,"x19":0,"x20":0,"x21":0,"x22":0,"x23":0,"x24":0,"x25":0,"x26":0,"x27":0,"x28":0,"x29":0,"x30":0,"sp":549076061536,"pc":4194428,"d0":0,"d1":0,"d2":0,"d3":0,"d4":0,"d5":0,"d6":0,"d7":0,"d8":0,"d9":0,"d10":0,"d11":0,"d12":0,"d13":0,"d14":0,"d15":0,"d16":0,"d17":0,"d18":0,"d19":0,"d20":0,"d21":0,"d22":0,"d23":0,"d24":0,"d25":0,"d26":0,"d27":0,"d28":0,"d29":0,"d30":0,"dsp":549076061536,"pstate":2097152,"fstate":2097152}
[0x00400078]> 

or

root@kali:[insrunner]# r2 source
 -- What do you want to debug today?
[0x00400078]> ood
Process with PID 18256 started...
File dbg:///root/dev/insrunner/source  reopened in read-write mode
= attach 18256 18256
ptrace (PT_ATTACH): Operation not permitted
18256
[0x00400078]> dr pc = main
0x00400078 ->0x00400078
[0x00400078]> s main
[0x00400078]> wa neg x0, x1
Cannot assemble 'neg x0, x1' at line 3
[0x00400078]> wa sub x0, xzr, x1
Written 4 byte(s) (sub x0, xzr, x1) = wx 000001cb
[0x00400078]> pd 1 @ pc
            ;-- main:
            ;-- entry0:
            ;-- section..text:
            ;-- .text:
            ;-- $d:
            ;-- __start:
            ;-- _start:
            ;-- pc:
            0x00400078      000001cb       sub x0, x0, x1              ; [01] -r-x section size 512 named .text
[0x00400078]> ds
[0x00400078]> drj
{"x0":0,"x1":0,"x2":0,"x3":0,"x4":0,"x5":0,"x6":0,"x7":0,"x8":0,"x9":0,"x10":0,"x11":0,"x12":0,"x13":0,"x14":0,"x15":0,"x16":0,"x17":0,"x18":0,"x19":0,"x20":0,"x21":0,"x22":0,"x23":0,"x24":0,"x25":0,"x26":0,"x27":0,"x28":0,"x29":0,"x30":0,"sp":549705955536,"pc":4194428,"d0":0,"d1":0,"d2":0,"d3":0,"d4":0,"d5":0,"d6":0,"d7":0,"d8":0,"d9":0,"d10":0,"d11":0,"d12":0,"d13":0,"d14":0,"d15":0,"d16":0,"d17":0,"d18":0,"d19":0,"d20":0,"d21":0,"d22":0,"d23":0,"d24":0,"d25":0,"d26":0,"d27":0,"d28":0,"d29":0,"d30":0,"dsp":549705955536,"pstate":2097152,"fstate":2097152}
[0x00400078]> 

source.zip

[radare]

because in the r2 prompt, the # is considered a comment, so just do 'wa add x0, x1, 3' about the neg and sub, feel free to submit a PR fixing them, otherwise just wait until someone have 5 spare free minutes to implement that you can also install the keystone assembler plugin for r2

…

On 13 May 2019, at 18:38, MatejKastak ***@***.***> wrote: Work environment Questions Answers OS/arch/bits (mandatory) Linux kali 4.14.71-v8 #1 <#1> SMP PREEMPT Wed Oct 31 21:41:06 UTC 2018 aarch64 GNU/Linux File format of the file you reverse (mandatory) ELF Architecture/bits of the file (mandatory) ARMv8-A AArch64 r2 -v full output, not truncated (mandatory) radare2 3.6.0-git 21712 @ linux-arm-64 git.3.5.0-9-g34f2f9f25 commit: 34f2f9f <34f2f9f> build: 2019-05-13__16:01:05 Expected behavior I was using the wa ( wa write opcode, separated by ';' (use '"' around the command) command to write a instruction to binary that I am debugging. It seems like the assembler is giving the wrong results. Write the instruction wa add x0, x1, #3 Step the debugger ds The written instruction should be add x0, x1, #3 (but its add x0, x1, #0) Print the registers drj and see x0 == 5 (given everything is zero) I tried this also on x86 and it seems to work. Actual behavior For example: wa add x0, x1, #3 -> "add x0, x1, #0" wa neg x0, x1 -> Cannot assemble 'neg x0, x1' at line 3 wa sub x0, xzr, x1 -> "sub x0, x0, x1" Steps to reproduce the behavior ***@***.***:[insrunner]# r2 -d source Process with PID 18235 started... = attach 18235 18235 bin.baddr 0x00400000 Using 0x400000 asm.bits 64 -- (gdb) ^D [0x00400078]> dr pc = main 0x00400078 ->0x00400078 [0x00400078]> s main [0x00400078]> wa add x0, x1, #3 Written 4 byte(s) (add x0, x1, #3) = wx 20000091 [0x00400078]> pd 1 @ pc ;-- main: ;-- entry0: ;-- section..text: ;-- .text: ;-- $d: ;-- __start: ;-- _start: ;-- pc: 0x00400078 20000091 add x0, x1, 0 ; [01] -r-x section size 512 named .text [0x00400078]> ds [0x00400078]> drj {"x0":0,"x1":0,"x2":0,"x3":0,"x4":0,"x5":0,"x6":0,"x7":0,"x8":0,"x9":0,"x10":0,"x11":0,"x12":0,"x13":0,"x14":0,"x15":0,"x16":0,"x17":0,"x18":0,"x19":0,"x20":0,"x21":0,"x22":0,"x23":0,"x24":0,"x25":0,"x26":0,"x27":0,"x28":0,"x29":0,"x30":0,"sp":549076061536,"pc":4194428,"d0":0,"d1":0,"d2":0,"d3":0,"d4":0,"d5":0,"d6":0,"d7":0,"d8":0,"d9":0,"d10":0,"d11":0,"d12":0,"d13":0,"d14":0,"d15":0,"d16":0,"d17":0,"d18":0,"d19":0,"d20":0,"d21":0,"d22":0,"d23":0,"d24":0,"d25":0,"d26":0,"d27":0,"d28":0,"d29":0,"d30":0,"dsp":549076061536,"pstate":2097152,"fstate":2097152} [0x00400078]> or ***@***.***:[insrunner]# r2 source -- What do you want to debug today? [0x00400078]> ood Process with PID 18256 started... File dbg:///root/dev/insrunner/source reopened in read-write mode = attach 18256 18256 ptrace (PT_ATTACH): Operation not permitted 18256 [0x00400078]> dr pc = main 0x00400078 ->0x00400078 [0x00400078]> s main [0x00400078]> wa neg x0, x1 Cannot assemble 'neg x0, x1' at line 3 [0x00400078]> wa sub x0, xzr, x1 Written 4 byte(s) (sub x0, xzr, x1) = wx 000001cb [0x00400078]> pd 1 @ pc ;-- main: ;-- entry0: ;-- section..text: ;-- .text: ;-- $d: ;-- __start: ;-- _start: ;-- pc: 0x00400078 000001cb sub x0, x0, x1 ; [01] -r-x section size 512 named .text [0x00400078]> ds [0x00400078]> drj {"x0":0,"x1":0,"x2":0,"x3":0,"x4":0,"x5":0,"x6":0,"x7":0,"x8":0,"x9":0,"x10":0,"x11":0,"x12":0,"x13":0,"x14":0,"x15":0,"x16":0,"x17":0,"x18":0,"x19":0,"x20":0,"x21":0,"x22":0,"x23":0,"x24":0,"x25":0,"x26":0,"x27":0,"x28":0,"x29":0,"x30":0,"sp":549705955536,"pc":4194428,"d0":0,"d1":0,"d2":0,"d3":0,"d4":0,"d5":0,"d6":0,"d7":0,"d8":0,"d9":0,"d10":0,"d11":0,"d12":0,"d13":0,"d14":0,"d15":0,"d16":0,"d17":0,"d18":0,"d19":0,"d20":0,"d21":0,"d22":0,"d23":0,"d24":0,"d25":0,"d26":0,"d27":0,"d28":0,"d29":0,"d30":0,"dsp":549705955536,"pstate":2097152,"fstate":2097152} [0x00400078]> source.zip <https://github.com/radare/radare2/files/3173907/source.zip> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#14052>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAG75FUPBE7S2JAPPA44ZDTPVGKRJANCNFSM4HMRRRIA>.

[MatejKastak]

Oh, thanks for quick response.

I forgot/didn't know that r2 is I guess assembling those instructions on its own. If I will have some free time I will definitely look into that.

Thanks.

[radare]

r2pm -i keystone and then use e asm.assembler=arm.ks and you may be able to assemble them using keystone inside r2. But its desirable to avoid this dependency and use our own assembler to not depend on c++

[radare]

Just tested them , and they all work fine, closing