# # 80483ed: 55 push ebp # 80483ee: 89 e5 mov ebp,esp # 80483f0: 83 ec 10 sub esp,0x10 # 80483f3: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc] # 80483f6: 0f af 45 f8 imul eax,DWORD PTR [ebp-0x8] # 80483fa: 83 c0 05 add eax,0x5 # 80483fd: 89 45 fc mov DWORD PTR [ebp-0x4],eax # 8048400: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] # 8048403: c9 leave # 8048404: c3 ret print("[+] Adding instructions to the analyzer...") for addr, asm_instr, reil_instrs in barf.translate(start=0x80483ed, end=0x8048402): print("0x{0:08x} : {1}".format(addr, asm_instr)) for reil_instr in reil_instrs: barf.code_analyzer.add_instruction(reil_instr) print("[+] Adding pre and post conditions to the analyzer...") ebp = barf.code_analyzer.get_register_expr("ebp", mode="post") # Preconditions: Set range for variable a and b a = barf.code_analyzer.get_memory_expr(ebp-0x8, 4, mode="pre") b = barf.code_analyzer.get_memory_expr(ebp-0xc, 4, mode="pre") for const in [a >= 2, a <= 100, b >= 2, b <= 100]: barf.code_analyzer.add_constraint(const)
# 80483f0: 83 ec 10 sub esp,0x10 # 80483f3: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc] # 80483f6: 0f af 45 f8 imul eax,DWORD PTR [ebp-0x8] # 80483fa: 83 c0 05 add eax,0x5 # 80483fd: 89 45 fc mov DWORD PTR [ebp-0x4],eax # 8048400: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] # 8048403: c9 leave # 8048404: c3 ret start_addr = 0x80483ed end_addr = 0x8048402 # Add instructions to analyze print("[+] Adding instructions to the analyzer...") for addr, asm_instr, reil_instrs in barf.translate(start_addr, end_addr): print("0x{0:08x} : {1}".format(addr, asm_instr)) for reil_instr in reil_instrs: print("{0:14}{1}".format("", reil_instr)) barf.code_analyzer.add_instruction(reil_instr) # Get smt expressions and set pre and post conditions print("[+] Adding pre and post conditions to the analyzer...") # Get smt expression for eax and ebp registers eax = barf.code_analyzer.get_register_expr("eax", mode="post") ebp = barf.code_analyzer.get_register_expr("ebp", mode="post") # Get smt expressions for memory locations (each one of 4 bytes)
# 83a4: e0823003 add r3, r2, r3 # 83a8: e2833005 add r3, r3, #5 # 83ac: e50b3010 str r3, [fp, #-16] # 83b0: e51b3010 ldr r3, [fp, #-16] # 83b4: e1a00003 mov r0, r3 # 83b8: e28bd000 add sp, fp, #0 # 83bc: e8bd0800 ldmfd sp!, {fp} # 83c0: e12fff1e bx lr start_addr = 0x8390 end_addr = 0x83bc # Add instructions to analyze print("[+] Adding instructions to the analyzer...") for addr, asm_instr, reil_instrs in barf.translate(ea_start=start_addr, ea_end=end_addr, arch_mode=ARCH_ARM_MODE_ARM): print("0x{0:08x} : {1}".format(addr, asm_instr)) for reil_instr in reil_instrs: print("{0:14}{1}".format("", reil_instr)) barf.code_analyzer.add_instruction(reil_instr) # Get smt expressions and set pre and post conditions print("[+] Adding pre and post conditions to the analyzer...") # Get smt expression for eax and ebp registers fp = barf.code_analyzer.get_register_expr("fp") # Get smt expressions for memory locations (each one of 4 bytes) a = barf.code_analyzer.get_memory_expr(fp - 0x08, 4)
# 8394: e28db000 add fp, sp, #0 # 8398: e24dd014 sub sp, sp, #20 # 839c: e51b2008 ldr r2, [fp, #-8] # 83a0: e51b300c ldr r3, [fp, #-12] # 83a4: e0823003 add r3, r2, r3 # 83a8: e2833005 add r3, r3, #5 # 83ac: e50b3010 str r3, [fp, #-16] # 83b0: e51b3010 ldr r3, [fp, #-16] # 83b4: e1a00003 mov r0, r3 # 83b8: e28bd000 add sp, fp, #0 # 83bc: e8bd0800 ldmfd sp!, {fp} # 83c0: e12fff1e bx lr print("[+] Adding instructions to the analyzer...") for addr, asm_instr, reil_instrs in barf.translate(start=0x8390, end=0x83bc): print("0x{0:08x} : {1}".format(addr, asm_instr)) for reil_instr in reil_instrs: barf.code_analyzer.add_instruction(reil_instr) print("[+] Adding pre and post conditions to the analyzer...") fp = barf.code_analyzer.get_register_expr("fp", mode="post") # Preconditions: set range for variable a and b a = barf.code_analyzer.get_memory_expr(fp - 0x08, 4, mode="pre") b = barf.code_analyzer.get_memory_expr(fp - 0x0c, 4, mode="pre") for constr in [a >= 2, a <= 100, b >= 2, b <= 100]: barf.code_analyzer.add_constraint(constr)
# 83a4: e0030392 mul r3, r2, r3 # 83a8: e2833005 add r3, r3, #5 # 83ac: e50b3010 str r3, [fp, #-16] # 83b0: e51b3010 ldr r3, [fp, #-16] # 83b4: e1a00003 mov r0, r3 # 83b8: e28bd000 add sp, fp, #0 # 83bc: e8bd0800 ldmfd sp!, {fp} # 83c0: e12fff1e bx lr start_addr = 0x8390 end_addr = 0x83bc # Add instructions to analyze print("[+] Adding instructions to the analyzer...") for addr, asm_instr, reil_instrs in barf.translate( ea_start=start_addr, ea_end=end_addr, arch_mode=ARCH_ARM_MODE_ARM): print("0x{0:08x} : {1}".format(addr, asm_instr)) for reil_instr in reil_instrs: print("{0:14}{1}".format("", reil_instr)) barf.code_analyzer.add_instruction(reil_instr) # Get smt expressions and set pre and post conditions print("[+] Adding pre and post conditions to the analyzer...") # Get smt expression for eax and ebp registers r3 = barf.code_analyzer.get_register_expr("r3", mode="post") fp = barf.code_analyzer.get_register_expr("fp", mode="post") # Get smt expressions for memory locations (each one of 4 bytes)
# 80483f3: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8] # 80483f6: 8b 55 f4 mov edx,DWORD PTR [ebp-0xc] # 80483f9: 01 d0 add eax,edx # 80483fb: 83 c0 05 add eax,0x5 # 80483fe: 89 45 fc mov DWORD PTR [ebp-0x4],eax # 8048401: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] # 8048404: c9 leave # 8048405: c3 ret start_addr = 0x80483ed end_addr = 0x8048401 # Add instructions to analyze print("[+] Adding instructions to the analyzer...") for addr, asm_instr, reil_instrs in barf.translate(start_addr, end_addr): print("0x{0:08x} : {1}".format(addr, asm_instr)) for reil_instr in reil_instrs: print("{0:14}{1}".format("", reil_instr)) barf.code_analyzer.add_instruction(reil_instr) # Get smt expressions and set pre and post conditions print("[+] Adding pre and post conditions to the analyzer...") # Get smt expression for eax and ebp registers eax = barf.code_analyzer.get_register_expr("eax") ebp = barf.code_analyzer.get_register_expr("ebp") # Get smt expressions for memory locations (each one of 4 bytes)
# 80483ed: 55 push ebp # 80483ee: 89 e5 mov ebp,esp # 80483f0: 83 ec 10 sub esp,0x10 # 80483f3: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8] # 80483f6: 8b 55 f4 mov edx,DWORD PTR [ebp-0xc] # 80483f9: 01 d0 add eax,edx # 80483fb: 83 c0 05 add eax,0x5 # 80483fe: 89 45 fc mov DWORD PTR [ebp-0x4],eax # 8048401: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] # 8048404: c9 leave # 8048405: c3 ret print("[+] Adding instructions to the analyzer...") for addr, asm_instr, reil_instrs in barf.translate(start=0x80483ed, end=0x8048401): print("0x{0:08x} : {1}".format(addr, asm_instr)) for reil_instr in reil_instrs: barf.code_analyzer.add_instruction(reil_instr) print("[+] Adding pre and post conditions to the analyzer...") ebp = barf.code_analyzer.get_register_expr("ebp", mode="post") # Preconditions: set range for variable a and b a = barf.code_analyzer.get_memory_expr(ebp-0x8, 4, mode="pre") b = barf.code_analyzer.get_memory_expr(ebp-0xc, 4, mode="pre") for constr in [a >= 2, a <= 100, b >= 2, b <= 100]: barf.code_analyzer.add_constraint(constr)