#
# 80483ed: 55 push ebp
# 80483ee: 89 e5 mov ebp,esp
# 80483f0: 83 ec 10 sub esp,0x10
# 80483f3: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
# 80483f6: 0f af 45 f8 imul eax,DWORD PTR [ebp-0x8]
# 80483fa: 83 c0 05 add eax,0x5
# 80483fd: 89 45 fc mov DWORD PTR [ebp-0x4],eax
# 8048400: 8b 45 fc mov eax,DWORD PTR [ebp-0x4]
# 8048403: c9 leave
# 8048404: c3 ret
print("[+] Adding instructions to the analyzer...")
for addr, asm_instr, reil_instrs in barf.translate(start=0x80483ed, end=0x8048402):
print("0x{0:08x} : {1}".format(addr, asm_instr))
for reil_instr in reil_instrs:
barf.code_analyzer.add_instruction(reil_instr)
print("[+] Adding pre and post conditions to the analyzer...")
ebp = barf.code_analyzer.get_register_expr("ebp", mode="post")
# Preconditions: Set range for variable a and b
a = barf.code_analyzer.get_memory_expr(ebp-0x8, 4, mode="pre")
b = barf.code_analyzer.get_memory_expr(ebp-0xc, 4, mode="pre")
for const in [a >= 2, a <= 100, b >= 2, b <= 100]:
barf.code_analyzer.add_constraint(const)
# 80483f0: 83 ec 10 sub esp,0x10
# 80483f3: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
# 80483f6: 0f af 45 f8 imul eax,DWORD PTR [ebp-0x8]
# 80483fa: 83 c0 05 add eax,0x5
# 80483fd: 89 45 fc mov DWORD PTR [ebp-0x4],eax
# 8048400: 8b 45 fc mov eax,DWORD PTR [ebp-0x4]
# 8048403: c9 leave
# 8048404: c3 ret
start_addr = 0x80483ed
end_addr = 0x8048402
# Add instructions to analyze
print("[+] Adding instructions to the analyzer...")
for addr, asm_instr, reil_instrs in barf.translate(start_addr, end_addr):
print("0x{0:08x} : {1}".format(addr, asm_instr))
for reil_instr in reil_instrs:
print("{0:14}{1}".format("", reil_instr))
barf.code_analyzer.add_instruction(reil_instr)
# Get smt expressions and set pre and post conditions
print("[+] Adding pre and post conditions to the analyzer...")
# Get smt expression for eax and ebp registers
eax = barf.code_analyzer.get_register_expr("eax", mode="post")
ebp = barf.code_analyzer.get_register_expr("ebp", mode="post")
# Get smt expressions for memory locations (each one of 4 bytes)
# 83a4: e0823003 add r3, r2, r3
# 83a8: e2833005 add r3, r3, #5
# 83ac: e50b3010 str r3, [fp, #-16]
# 83b0: e51b3010 ldr r3, [fp, #-16]
# 83b4: e1a00003 mov r0, r3
# 83b8: e28bd000 add sp, fp, #0
# 83bc: e8bd0800 ldmfd sp!, {fp}
# 83c0: e12fff1e bx lr
start_addr = 0x8390
end_addr = 0x83bc
# Add instructions to analyze
print("[+] Adding instructions to the analyzer...")
for addr, asm_instr, reil_instrs in barf.translate(ea_start=start_addr, ea_end=end_addr, arch_mode=ARCH_ARM_MODE_ARM):
print("0x{0:08x} : {1}".format(addr, asm_instr))
for reil_instr in reil_instrs:
print("{0:14}{1}".format("", reil_instr))
barf.code_analyzer.add_instruction(reil_instr)
# Get smt expressions and set pre and post conditions
print("[+] Adding pre and post conditions to the analyzer...")
# Get smt expression for eax and ebp registers
fp = barf.code_analyzer.get_register_expr("fp")
# Get smt expressions for memory locations (each one of 4 bytes)
a = barf.code_analyzer.get_memory_expr(fp - 0x08, 4)
# 8394: e28db000 add fp, sp, #0
# 8398: e24dd014 sub sp, sp, #20
# 839c: e51b2008 ldr r2, [fp, #-8]
# 83a0: e51b300c ldr r3, [fp, #-12]
# 83a4: e0823003 add r3, r2, r3
# 83a8: e2833005 add r3, r3, #5
# 83ac: e50b3010 str r3, [fp, #-16]
# 83b0: e51b3010 ldr r3, [fp, #-16]
# 83b4: e1a00003 mov r0, r3
# 83b8: e28bd000 add sp, fp, #0
# 83bc: e8bd0800 ldmfd sp!, {fp}
# 83c0: e12fff1e bx lr
print("[+] Adding instructions to the analyzer...")
for addr, asm_instr, reil_instrs in barf.translate(start=0x8390,
end=0x83bc):
print("0x{0:08x} : {1}".format(addr, asm_instr))
for reil_instr in reil_instrs:
barf.code_analyzer.add_instruction(reil_instr)
print("[+] Adding pre and post conditions to the analyzer...")
fp = barf.code_analyzer.get_register_expr("fp", mode="post")
# Preconditions: set range for variable a and b
a = barf.code_analyzer.get_memory_expr(fp - 0x08, 4, mode="pre")
b = barf.code_analyzer.get_memory_expr(fp - 0x0c, 4, mode="pre")
for constr in [a >= 2, a <= 100, b >= 2, b <= 100]:
barf.code_analyzer.add_constraint(constr)
# 83a4: e0030392 mul r3, r2, r3
# 83a8: e2833005 add r3, r3, #5
# 83ac: e50b3010 str r3, [fp, #-16]
# 83b0: e51b3010 ldr r3, [fp, #-16]
# 83b4: e1a00003 mov r0, r3
# 83b8: e28bd000 add sp, fp, #0
# 83bc: e8bd0800 ldmfd sp!, {fp}
# 83c0: e12fff1e bx lr
start_addr = 0x8390
end_addr = 0x83bc
# Add instructions to analyze
print("[+] Adding instructions to the analyzer...")
for addr, asm_instr, reil_instrs in barf.translate(
ea_start=start_addr, ea_end=end_addr, arch_mode=ARCH_ARM_MODE_ARM):
print("0x{0:08x} : {1}".format(addr, asm_instr))
for reil_instr in reil_instrs:
print("{0:14}{1}".format("", reil_instr))
barf.code_analyzer.add_instruction(reil_instr)
# Get smt expressions and set pre and post conditions
print("[+] Adding pre and post conditions to the analyzer...")
# Get smt expression for eax and ebp registers
r3 = barf.code_analyzer.get_register_expr("r3", mode="post")
fp = barf.code_analyzer.get_register_expr("fp", mode="post")
# Get smt expressions for memory locations (each one of 4 bytes)
# 80483f3: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8]
# 80483f6: 8b 55 f4 mov edx,DWORD PTR [ebp-0xc]
# 80483f9: 01 d0 add eax,edx
# 80483fb: 83 c0 05 add eax,0x5
# 80483fe: 89 45 fc mov DWORD PTR [ebp-0x4],eax
# 8048401: 8b 45 fc mov eax,DWORD PTR [ebp-0x4]
# 8048404: c9 leave
# 8048405: c3 ret
start_addr = 0x80483ed
end_addr = 0x8048401
# Add instructions to analyze
print("[+] Adding instructions to the analyzer...")
for addr, asm_instr, reil_instrs in barf.translate(start_addr, end_addr):
print("0x{0:08x} : {1}".format(addr, asm_instr))
for reil_instr in reil_instrs:
print("{0:14}{1}".format("", reil_instr))
barf.code_analyzer.add_instruction(reil_instr)
# Get smt expressions and set pre and post conditions
print("[+] Adding pre and post conditions to the analyzer...")
# Get smt expression for eax and ebp registers
eax = barf.code_analyzer.get_register_expr("eax")
ebp = barf.code_analyzer.get_register_expr("ebp")
# Get smt expressions for memory locations (each one of 4 bytes)
# 80483ed: 55 push ebp
# 80483ee: 89 e5 mov ebp,esp
# 80483f0: 83 ec 10 sub esp,0x10
# 80483f3: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8]
# 80483f6: 8b 55 f4 mov edx,DWORD PTR [ebp-0xc]
# 80483f9: 01 d0 add eax,edx
# 80483fb: 83 c0 05 add eax,0x5
# 80483fe: 89 45 fc mov DWORD PTR [ebp-0x4],eax
# 8048401: 8b 45 fc mov eax,DWORD PTR [ebp-0x4]
# 8048404: c9 leave
# 8048405: c3 ret
print("[+] Adding instructions to the analyzer...")
for addr, asm_instr, reil_instrs in barf.translate(start=0x80483ed, end=0x8048401):
print("0x{0:08x} : {1}".format(addr, asm_instr))
for reil_instr in reil_instrs:
barf.code_analyzer.add_instruction(reil_instr)
print("[+] Adding pre and post conditions to the analyzer...")
ebp = barf.code_analyzer.get_register_expr("ebp", mode="post")
# Preconditions: set range for variable a and b
a = barf.code_analyzer.get_memory_expr(ebp-0x8, 4, mode="pre")
b = barf.code_analyzer.get_memory_expr(ebp-0xc, 4, mode="pre")
for constr in [a >= 2, a <= 100, b >= 2, b <= 100]:
barf.code_analyzer.add_constraint(constr)
