# 80483ef: 83 ec 10 sub esp,0x10
# 80483f2: c7 45 f8 00 00 00 00 mov DWORD PTR [ebp-0x8],0x0
# 80483f9: c7 45 fc 0a 00 00 00 mov DWORD PTR [ebp-0x4],0xa
# 8048400: eb 08 jmp 804840a <main+0x1e>
# 8048402: 83 45 f8 01 add DWORD PTR [ebp-0x8],0x1
# 8048406: 83 6d fc 01 sub DWORD PTR [ebp-0x4],0x1
# 804840a: 83 7d fc 00 cmp DWORD PTR [ebp-0x4],0x0
# 804840e: 75 f2 jne 8048402 <main+0x16>
# 8048410: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8]
# 8048413: c9 leave
# 8048414: c3 ret
#
# Code emulation
#
context_out = barf.emulate(start=0x080483ec, end=0x08048414)
print("{}: {}".format("eax", hex(context_out['registers']["eax"])))
assert context_out['registers']["eax"] == 0xa
# ARM
# ======================================================================= #
#
# Open file
#
barf = BARF("./samples/bin/loop2.arm")
# 00008390 <main>:
# 8390: e52db004 push {fp} ; (str fp, [sp, #-4]!)
# 8394: e28db000 add fp, sp, #0
reil_emulator.write_memory(argv_base_addr + 0x08, 4, 0x00000000)
# Set main parameters.
argc = 0x2
argv = argv_base_addr
# Push parameters into the stack.
reil_emulator.write_memory(esp + 0x00, 4, 0x41414141) # return address
reil_emulator.write_memory(esp + 0x04, 4, argc) # argc
reil_emulator.write_memory(esp + 0x08, 4, argv) # argv
# Set registers.
ctx_init = {
'registers': {
# Set eflags and stack pointer.
'eflags': 0x202,
'esp': esp,
}
}
# Emulate code.
print("[+] Executing from {:#x} to {:#x}".format(
cfg_start.start_address, cfg_end.start_address))
ctx_fini = barf.emulate(context=ctx_init,
start=cfg_start.start_address,
end=cfg_end.start_address)
else:
print("[-] Path unsatisfiable!")
#! /usr/bin/env python
from barf.barf import BARF
if __name__ == "__main__":
#
# Open file
#
barf = BARF("../../samples/bin/loop2.x86")
#
# REIL emulation
#
context_out = barf.emulate(start=0x080483ec, end=0x08048414)
print "%s : %s" % ("eax", hex(context_out['registers']["eax"]))
assert (context_out['registers']["eax"] == 0xa)
argv_base_addr = 0x00001800
reil_emulator.write_memory(argv_base_addr + 0x00, 4, argv_0_addr)
reil_emulator.write_memory(argv_base_addr + 0x04, 4, argv_1_addr)
reil_emulator.write_memory(argv_base_addr + 0x08, 4, 0x00000000)
# Set main parameters.
argc = 0x2
argv = argv_base_addr
# Push parameters into the stack.
reil_emulator.write_memory(esp + 0x00, 4, 0x41414141) # return address
reil_emulator.write_memory(esp + 0x04, 4, argc) # argc
reil_emulator.write_memory(esp + 0x08, 4, argv) # argv
# Set registers.
ctx_init = {
'registers': {
# Set eflags and stack pointer.
'eflags': 0x202,
'esp': esp,
}
}
# Emulate code.
print("[+] Executing from {:#x} to {:#x}".format(cfg_start.start_address, cfg_end.start_address))
ctx_fini = barf.emulate(context=ctx_init, start=cfg_start.start_address, end=cfg_end.start_address)
else:
print("[-] Path unsatisfiable!")
# 8394: e28db000 add fp, sp, #0
# 8398: e24dd00c sub sp, sp, #12
# 839c: e3a03000 mov r3, #0
# 83a0: e50b3008 str r3, [fp, #-8]
# 83a4: e3a0300a mov r3, #10
# 83a8: e50b300c str r3, [fp, #-12]
# 83ac: ea000005 b 83c8 <main+0x38>
# 83b0: e51b3008 ldr r3, [fp, #-8]
# 83b4: e2833001 add r3, r3, #1
# 83b8: e50b3008 str r3, [fp, #-8]
# 83bc: e51b300c ldr r3, [fp, #-12]
# 83c0: e2433001 sub r3, r3, #1
# 83c4: e50b300c str r3, [fp, #-12]
# 83c8: e51b300c ldr r3, [fp, #-12]
# 83cc: e3530000 cmp r3, #0
# 83d0: 1afffff6 bne 83b0 <main+0x20>
# 83d4: e51b3008 ldr r3, [fp, #-8]
# 83d8: e1a00003 mov r0, r3
# 83dc: e28bd000 add sp, fp, #0
# 83e0: e8bd0800 ldmfd sp!, {fp}
# 83e4: e12fff1e bx lr
#
# REIL emulation
#
context_out = barf.emulate(start=0x8390, end=0x83e0) # ARM mode
print "%s : %s" % ("r3", hex(context_out['registers']["r3"]))
assert(context_out['registers']["r3"] == 0xa)
