programa-stic/barf-project

Bug??

CrackerCat opened this issue · 3 comments

I use recover_cfg to create a CFG, but the blocks are not the same as IDA's.
The code used:
barf.recover_cfg(ea_start=start, ea_end=0x00008790 + 0x2, arch_mode=ARCH_ARM_MODE_THUMB)

The end address of the created CFG is 0x875d, but the real end address is 0x00008790.

The binary:

binary rar


There was a slight change in the API. The right way to invoke the function is:

barf.recover_cfg(start=start, end=0x00008790 + 0x2, arch_mode=ARCH_ARM_MODE_THUMB)

You have an example of how to use the CFG recovery functionality in the following script: recover_cfg.py

If the problem persists, please send me a PNG of the CFG obtained with BARF and the one obtained with IDA so I can check it.

The PNGs of the CFG obtained with BARF and the one obtained with IDA are too big, so I sent you a rar file containing the binary and the code. Link: link.
And my result:

block start :0x85b0
block end :0x85d3
block start :0x85d4
block end :0x85dd
block start :0x85de
block end :0x85df
block start :0x85e0
block end :0x85e7
block start :0x85e8
block end :0x85e9
block start :0x85ea
block end :0x85f1
block start :0x85f2
block end :0x85f3
block start :0x85f4
block end :0x85fb
block start :0x85fc
block end :0x85fd
block start :0x85fe
block end :0x8605
block start :0x8606
block end :0x860f
block start :0x8610
block end :0x8619
block start :0x861a
block end :0x8623
block start :0x8624
block end :0x862d
block start :0x862e
block end :0x862f
block start :0x8630
block end :0x8637
block start :0x8638
block end :0x8641
block start :0x8642
block end :0x864b
block start :0x864c
block end :0x864d
block start :0x864e
block end :0x8655
block start :0x8656
block end :0x8657
block start :0x8658
block end :0x865f
block start :0x8660
block end :0x8669
block start :0x866a
block end :0x866d
block start :0x866e
block end :0x867f
block start :0x8680
block end :0x8683
block start :0x8684
block end :0x8689
block start :0x868a
block end :0x868f
block start :0x8690
block end :0x86a1
block start :0x86a2
block end :0x86ad
block start :0x86ae
block end :0x86bb
block start :0x86bc
block end :0x86bf
block start :0x86c0
block end :0x86c5
block start :0x86c6
block end :0x86d7
block start :0x86d8
block end :0x86db
block start :0x86dc
block end :0x86fb
block start :0x86fc
block end :0x870b
block start :0x870c
block end :0x870f
block start :0x8710
block end :0x8715
block start :0x8716
block end :0x8725
block start :0x8726
block end :0x8729
block start :0x872a
block end :0x872f
block start :0x8730
block end :0x8745
block start :0x8746
block end :0x8749
block start :0x874a
block end :0x875d

There was an ARM branch instruction (bgt) missing in the list of conditional branches. That caused the CFG generated by BARF not to match the one generated by IDA. I've just pushed the fix. Please check it now.

The code for generating the CFG is the following (note that I updated the end address):

import sys

from barf.barf import BARF
from barf.arch import ARCH_ARM_MODE_THUMB

if __name__ == "__main__":
    filename = "native-lib-thumb"
    start = 0x000085B0
    end = start + 0x1e2  # 0x8792, the same end as 0x00008790 + 0x2 used above
    try:
        # ARM THUMB
        barf = BARF(filename)
    except Exception as err:
        print(err)
        print("[-] Error opening file : %s" % filename)
        sys.exit(1)

    # Recover the CFG of the function in [start, end) and save it as a graph.
    cfg = barf.recover_cfg(start=start, end=end, arch_mode=ARCH_ARM_MODE_THUMB)
    blocks = cfg.basic_blocks
    cfg.save(filename + "_cfg", print_ir=False)

    # Print the first and last byte address of every recovered basic block.
    for block in blocks:
        print("block start :%#x" % block.address)
        print("block end :%#x" % block.end_address)
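The following is an added illustration of the failure mode discussed in this thread; it is not BARF's code and does not use the native-lib-thumb binary from the report. It models recursive-descent basic-block recovery over a constructed Thumb-like instruction stream (`SAMPLE_CODE`, `recover_cfg`, `function_end` and `missing_blocks` are all assumptions made for this example), parameterised by the set of mnemonics treated as conditional branches. With `bgt` absent from that set, the branch is swept over as an ordinary instruction: the block containing it is not split, its taken-branch target is never visited, and the highest recovered block end is lower than the real end of the function, which is the same symptom as the 0x875d versus 0x00008790 mismatch reported above.

```python
from collections import namedtuple

# One decoded instruction: address, size in bytes, mnemonic, branch target (or None).
Insn = namedtuple("Insn", "address size mnemonic target")

# Constructed Thumb-like instruction stream (NOT the binary attached to the issue).
# Every instruction is 2 bytes. The block at 0x10a is reachable only through the
# bgt at 0x102, which mirrors the situation described in the report.
SAMPLE_CODE = [
    Insn(0x100, 2, "cmp",  None),   # cmp  r0, #0
    Insn(0x102, 2, "bgt",  0x10a),  # bgt  0x10a        (conditional branch)
    Insn(0x104, 2, "movs", None),   # movs r0, #0
    Insn(0x106, 2, "pop",  None),   # pop  {r4, pc}     (return)
    Insn(0x108, 2, "nop",  None),   # alignment padding, never executed
    Insn(0x10a, 2, "movs", None),   # movs r0, #1       (only reachable via bgt)
    Insn(0x10c, 2, "pop",  None),   # pop  {r4, pc}     (return)
]

UNCONDITIONAL = {"b"}   # direct jump: one successor, the target
RETURNS = {"pop"}       # pop {..., pc} modelled as a function return
# Thumb conditional branches the recovery should know about ...
FULL_CONDITIONAL = {"beq", "bne", "bcs", "bcc", "bmi", "bpl", "bvs", "bvc",
                    "bhi", "bls", "bge", "blt", "bgt", "ble"}
# ... and the same set with bgt left out, reproducing the bug from this thread.
MISSING_BGT = FULL_CONDITIONAL - {"bgt"}


def recover_cfg(code, start, conditional):
    """Simplified recursive-descent block recovery (a model, not BARF's algorithm).

    Returns {block_start: (block_end, [successors])}, where block_end is the
    address of the block's last byte, like block.end_address in the issue output.
    """
    by_addr = {insn.address: insn for insn in code}
    leaders = {start}
    worklist = [start]
    seen = set()
    # Pass 1: follow control flow from `start`, collecting block leaders
    # (branch targets and the fall-through after a conditional branch).
    while worklist:
        addr = worklist.pop()
        while addr in by_addr and addr not in seen:
            seen.add(addr)
            insn = by_addr[addr]
            fallthrough = addr + insn.size
            if insn.mnemonic in RETURNS:
                break
            if insn.mnemonic in UNCONDITIONAL:
                leaders.add(insn.target)
                worklist.append(insn.target)
                break
            if insn.mnemonic in conditional:
                leaders.update((insn.target, fallthrough))
                worklist.extend((insn.target, fallthrough))
                break
            addr = fallthrough  # anything unrecognised is treated as sequential
    # Pass 2: cut a block at each leader, ending it at the first control-flow
    # instruction or just before the next leader.
    blocks = {}
    for leader in sorted(leaders):
        addr = leader
        while True:
            insn = by_addr.get(addr)
            if insn is None:  # ran off the end of the known code
                blocks[leader] = (addr - 1, [])
                break
            nxt = addr + insn.size
            if insn.mnemonic in RETURNS:
                succ = []
            elif insn.mnemonic in UNCONDITIONAL:
                succ = [insn.target]
            elif insn.mnemonic in conditional:
                succ = [nxt, insn.target]
            elif nxt in leaders:
                succ = [nxt]
            else:
                addr = nxt
                continue
            blocks[leader] = (nxt - 1, succ)
            break
    return blocks


def function_end(blocks):
    """Highest block end address, the value that was too low in the report."""
    return max(end for end, _ in blocks.values())


def missing_blocks(reference, recovered):
    """Block starts present in the reference CFG but absent from the recovered one."""
    return sorted(set(reference) - set(recovered))


def dump(blocks):
    """Print blocks in the same format as the output pasted in the issue."""
    for start in sorted(blocks):
        end, _ = blocks[start]
        print("block start :%#x" % start)
        print("block end :%#x" % end)


if __name__ == "__main__":
    for label, cond in (("with bgt", FULL_CONDITIONAL), ("without bgt", MISSING_BGT)):
        blocks = recover_cfg(SAMPLE_CODE, 0x100, cond)
        print("--- %s: %d blocks, function end %#x" % (label, len(blocks), function_end(blocks)))
        dump(blocks)
```

With the full branch set the recovery yields three blocks ending at 0x10d; with `bgt` missing it yields a single block ending at 0x107, and the block at 0x10a is never found. A quick check of this kind, comparing the highest block end against the known function end, is a cheap way to notice that a disassembler's branch table is incomplete before trusting the CFG it produces.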