From c96f1f64d0cd1bf6dfbabe479925978f4f7894d7 Mon Sep 17 00:00:00 2001
From: eagleoflqj <liumeo@pku.edu.cn>
Date: Sat, 9 Jan 2021 14:40:53 -0500
Subject: [PATCH] Support arm32 esil stmib/ldmib ##esil

---
 libr/anal/p/anal_arm_cs.c |  33 ++++++---
 test/db/esil/arm_32       | 141 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+), 8 deletions(-)

diff --git a/libr/anal/p/anal_arm_cs.c b/libr/anal/p/anal_arm_cs.c
index 0599f83534..e74c6fbb35 100644
--- a/libr/anal/p/anal_arm_cs.c
+++ b/libr/anal/p/anal_arm_cs.c
@@ -2050,17 +2050,25 @@ PUSH { r4, r5, r6, r7, lr }
 		r_strbuf_appendf (&op->esil, "%d,sp,=[*]",
 			insn->detail->arm.op_count);
 		break;
+	case ARM_INS_STMDA:
+	case ARM_INS_STMDB:
 	case ARM_INS_STM:
-		r_strbuf_setf (&op->esil, "%s", "");
+	case ARM_INS_STMIB: {
+		int direction = (insn->id == ARM_INS_STMDA || insn->id == ARM_INS_STMDB ? -1 : 1);
+		int offset = direction > 0 ? -1 : -insn->detail->arm.op_count;
+		if (insn->id == ARM_INS_STMDA || insn->id == ARM_INS_STMIB) {
+			offset++;
+		}
 		for (i = 1; i < insn->detail->arm.op_count; i++) {
-			r_strbuf_appendf (&op->esil, "%s,%s,%d,%c,=[4],",
-				REG (i), ARG (0), R_ABS ((i - 1) * 4), i > 0? '+': '-');
+			r_strbuf_appendf (&op->esil, "%s,%s,%d,+,=[4],",
+				REG (i), ARG (0), (i + offset) * 4);
 		}
 		if (insn->detail->arm.writeback == true) { //writeback, reg should be incremented
 			r_strbuf_appendf (&op->esil, "%d,%s,+=,",
-				(insn->detail->arm.op_count - 1) * 4, ARG (0));
+				direction * (insn->detail->arm.op_count - 1) * 4, ARG (0));
 		}
 		break;
+	}
 	case ARM_INS_VSTMIA:
 		r_strbuf_set (&op->esil, "");
 		width = 0;
@@ -2141,15 +2149,24 @@ r6,r5,r4,3,sp,[*],12,sp,+=
 		r_strbuf_appendf (&op->esil, "%d,sp,+=",
 			4 * insn->detail->arm.op_count);
 		break;
+	case ARM_INS_LDMDA:
+	case ARM_INS_LDMDB:
 	case ARM_INS_LDM:
+	case ARM_INS_LDMIB: {
+		int direction = (insn->id == ARM_INS_LDMDA || insn->id == ARM_INS_LDMDB) ? -1 : 1;
+		int offset = direction > 0 ? -1 : -insn->detail->arm.op_count;
+		if (insn->id == ARM_INS_LDMDA || insn->id == ARM_INS_LDMIB) {
+			offset++;
+		}
 		for (i = 1; i < insn->detail->arm.op_count; i++) {
-			r_strbuf_appendf (&op->esil, "%s,%d,+,[4],%s,=,", ARG (0), (i - 1) * 4, REG (i));
+			r_strbuf_appendf (&op->esil, "%s,%d,+,[4],%s,=,", ARG (0), (i + offset) * 4, REG (i));
 		}
-		if (insn->detail->arm.writeback) { //writeback, reg should be incremented
+		if (insn->detail->arm.writeback) {
 			r_strbuf_appendf (&op->esil, "%d,%s,+=,",
-				(insn->detail->arm.op_count - 1) * 4, ARG (0));
+				direction * (insn->detail->arm.op_count - 1) * 4, ARG (0));
 		}
-        break;
+		break;
+	}
 	case ARM_INS_CMP:
 		r_strbuf_appendf (&op->esil, "%s,%s,==", ARG (1), ARG (0));
 		break;
diff --git a/test/db/esil/arm_32 b/test/db/esil/arm_32
index 2b292fca7a..c9f03aed1f 100644
--- a/test/db/esil/arm_32
+++ b/test/db/esil/arm_32
@@ -2445,6 +2445,63 @@ EXPECT=<<EOF
 EOF
 RUN
 
+NAME=stmib no writeback
+FILE=-
+CMDS=<<EOF
+e asm.arch=arm
+e asm.bits=32
+wx 0a0080e9 # stmib r0, {r1, r3}
+aer r0=8
+aer r1=9
+aer r3=10
+aes
+aer r0
+p8 12 @8
+EOF
+EXPECT=<<EOF
+0x00000008
+00000000090000000a000000
+EOF
+RUN
+
+NAME=stmda writeback
+FILE=-
+CMDS=<<EOF
+e asm.arch=arm
+e asm.bits=32
+wx 0a0020e8 # stmda r0!, {r1, r3}
+aer r0=16
+aer r1=9
+aer r3=10
+aes
+aer r0
+p8 12 @8
+EOF
+EXPECT=<<EOF
+0x00000008
+00000000090000000a000000
+EOF
+RUN
+
+NAME=stmdb no writeback
+FILE=-
+CMDS=<<EOF
+e asm.arch=arm
+e asm.bits=32
+wx 0a0000e9 # stmdb r0, {r1, r3}
+aer r0=16
+aer r1=9
+aer r3=10
+aes
+aer r0
+p8 12 @8
+EOF
+EXPECT=<<EOF
+0x00000010
+090000000a00000000000000
+EOF
+RUN
+
 NAME=r0 and mem correct after vstmia
 FILE=malloc://0x200
 CMDS=<<EOF
@@ -2512,6 +2569,90 @@ c0decafef00dc001aaaaaaaaaaaaaaaa
 EOF
 RUN
 
+NAME=ldmda no writeback
+FILE=-
+CMDS=<<EOF
+e asm.arch=arm
+e asm.bits=32
+wx 0a0010e8 # ldmda r0, {r1, r3}
+wx 01234567 @8
+wx 890abcde @12
+aer r0=12
+aes
+aer r0
+aer r1
+aer r3
+EOF
+EXPECT=<<EOF
+0x0000000c
+0x67452301
+0xdebc0a89
+EOF
+RUN
+
+NAME=ldmdb writeback
+FILE=-
+CMDS=<<EOF
+e asm.arch=arm
+e asm.bits=32
+wx 0a0030e9 # ldmdb r0!, {r1, r3}
+wx 01234567 @8
+wx 890abcde @12
+aer r0=16
+aes
+aer r0
+aer r1
+aer r3
+EOF
+EXPECT=<<EOF
+0x00000008
+0x67452301
+0xdebc0a89
+EOF
+RUN
+
+NAME=ldm no writeback
+FILE=-
+CMDS=<<EOF
+e asm.arch=arm
+e asm.bits=32
+wx 0a0090e8 # ldm r0, {r1, r3}
+wx 01234567 @8
+wx 890abcde @12
+aer r0=8
+aes
+aer r0
+aer r1
+aer r3
+EOF
+EXPECT=<<EOF
+0x00000008
+0x67452301
+0xdebc0a89
+EOF
+RUN
+
+NAME=ldmib writeback
+FILE=-
+CMDS=<<EOF
+e asm.arch=arm
+e asm.bits=32
+wx 0a00b0e9 # ldmib r0!, {r1, r3}
+wx 01234567 @8
+wx 890abcde @12
+aer r0=4
+aes
+aer r0
+aer r1
+aer r3
+EOF
+EXPECT=<<EOF
+0x0000000c
+0x67452301
+0xdebc0a89
+EOF
+RUN
+
 NAME=regs correct after vldmia
 FILE=malloc://0x200
 CMDS=<<EOF