author | hac425 <hac425xxx@gmail.com> | 2019-11-09 15:18:24 +0000 |
committer | hac425 <hac425xxx@gmail.com> | 2019-11-09 15:18:24 +0000 |
commit | ab8fb271f71c50f46fac86fb7ac09593542726b3 (patch) | |
tree | 02b0cb63a388357b6ebde3dac92ce36ab7ec2aa7 | |
parent | 574de9ff4cb2fdf2c28c32a3c2d7c5c773adb6ab (diff) | |
add support for android x86, x86-64 in qbdi mode
-rwxr-xr-x[-rw-r--r--] | include/android-ashmem.h | 2 | ||||
-rwxr-xr-x | qbdi_mode/build.sh | 14 | ||||
-rwxr-xr-x | qbdi_mode/demo-so.c | 8 | ||||
-rwxr-xr-x | qbdi_mode/template.cpp | 16 |
4 files changed, 29 insertions, 11 deletions
diff --git a/include/android-ashmem.h b/include/android-ashmem.h
index f4d31739..7d34b877 100644..100755
--- a/include/android-ashmem.h
+++ b/include/android-ashmem.h
@@ -52,7 +52,7 @@ static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
 if (__cmd == IPC_RMID) {
 int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
- struct ashmem_pin pin = {0, length};
+ struct ashmem_pin pin = {0, (unsigned int)length};
 ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
 close(__shmid);
diff --git a/qbdi_mode/build.sh b/qbdi_mode/build.sh
index 28b68e40..a45c76e6 100755
--- a/qbdi_mode/build.sh
+++ b/qbdi_mode/build.sh
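Review bot: The `(unsigned int)length` cast on the `+` line silences the sign-conversion warning but leaves the `ASHMEM_GET_SIZE` ioctl result unchecked; if that ioctl fails it returns -1, and the cast turns that into an unpin request covering 0xffffffff bytes. Guard the value before building the pin, e.g. `if (length < 0) { close(__shmid); return -1; }`, so a failed size query does not become a bogus unpin. The index line also flips the header's mode from 100644 to 100755, which looks accidental for a `.h` file. shmctl's body starts and ends outside the hunk.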
@@ -1,6 +1,12 @@
-# ~/workspace/android-standalone-toolchain-21-x86/bin/i686-linux-android-g++ -o loader -Wl,-rpath,/data/lsl template.cpp -Iusr/local/include/ -Lusr/local/lib/ -lQBDI
-# ~/workspace/android-standalone-toolchain-21-x86/bin/i686-linux-android-gcc -shared -o libdemo.so demo-so.c -w
+compiler_prefix="/home/hac425/workspace/android-standalone-toolchain-21-x86/bin/i686-linux-android-"
+CFLAGS="-Iusr/local/include/ -Lusr/local/lib/"
+# for x86-64 android
+# compiler_prefix="/home/hac425/workspace/android-standalone-toolchain-21/bin/x86_64-linux-android-"
+# CFLAGS="-Iandroid-x64/usr/local/include/ -Landroid-x64/usr/local/lib/"
-g++ -o loader template.cpp -lQBDI -ldl -w
-gcc -shared -o libdemo.so demo-so.c -w
\ No newline at end of file
+${compiler_prefix}g++ -o loader template.cpp -lQBDI -ldl -w -g ${CFLAGS}
+${compiler_prefix}gcc -shared -o libdemo.so demo-so.c -w -g
+
+cd ..
+${compiler_prefix}gcc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wno-unused-function src/afl-fuzz-misc.c src/afl-fuzz-extras.c src/afl-fuzz-queue.c src/afl-fuzz-one.c src/afl-fuzz-python.c src/afl-fuzz-stats.c src/afl-fuzz-init.c src/afl-fuzz.c src/afl-fuzz-bitmap.c src/afl-fuzz-run.c src/afl-fuzz-globals.c src/afl-common.c src/afl-sharedmem.c src/afl-forkserver.c -o qbdi_mode/afl-fuzz -ldl -w
diff --git a/qbdi_mode/demo-so.c b/qbdi_mode/demo-so.c
index 1820ea2f..3ba7c449 100755
--- a/qbdi_mode/demo-so.c
+++ b/qbdi_mode/demo-so.c
@@ -14,7 +14,8 @@ int target_func(char* buf, int size){
 case 1:
 puts("222");
 if(buf[1]=='\x44'){
- puts("xxxiiii");
+ puts("aaaaaaaaaaaaaaaaaaaaa");
+ *(char*)(0) = 1;
 }
 break;
 case '\xfe':
@@ -26,10 +27,9 @@ int target_func(char* buf, int size){
 case 0xff:
 if(buf[2]=='\xff'){
 if(buf[1]=='\x44'){
- puts("xxxiiii");
- assert(0);
+ *(char*)(0xdeadbeef) = 1;
 }else{
- puts("xxxiiii");
+ puts("kkkkkk");
 }
 }
 puts("xxxx");
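Review bot: `compiler_prefix` is now an absolute path under `/home/hac425/`, so the script builds only on the author's machine, whereas the old commented lines at least used `~`. Let the environment override it with a fallback, e.g. `compiler_prefix="${compiler_prefix:-/home/hac425/workspace/android-standalone-toolchain-21-x86/bin/i686-linux-android-}"`, so another toolchain location needs no edit. `cd ..` is unchecked, and if it fails the long afl-fuzz compile runs in the wrong directory; `cd .. || exit 1` (or `set -e` at the top) stops the script instead. On that same afl-fuzz line `-Wall` and `-w` cancel out, since `-w` suppresses every diagnostic including the ones `-Wall` enables.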
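Review bot: The crash triggers added in both demo-so.c hunks, `*(char*)(0) = 1;` and `*(char*)(0xdeadbeef) = 1;`, are undefined behaviour that an optimizing compiler may delete or rewrite into a trap, so the demo's crash is no longer guaranteed once libdemo.so is built with optimization; the removed `assert(0)` was at least deterministic. Writing through a volatile pointer, `*(volatile char *)0 = 1;`, or calling `abort()` keeps the fault reliable regardless of flags. With `assert(0)` gone, the `<assert.h>` include (outside the hunk) is presumably unused now. target_func begins and ends outside both hunks.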
diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp
index 6c118a12..85b46d2f 100755
--- a/qbdi_mode/template.cpp
+++ b/qbdi_mode/template.cpp
@@ -10,10 +10,17 @@
 #include <fcntl.h>
 #include <dlfcn.h>
+#ifdef __ANDROID__
+#include "../include/android-ashmem.h"
+#endif
+#include <sys/ipc.h>
 #include <sys/shm.h>
 #include "../config.h"
+
+
+
 #include <QBDI.h>
 using namespace QBDI;
@@ -49,7 +56,6 @@ int afl_setup(void) {
 /* Fork server logic, invoked once we hit _start. */
-
 static void afl_forkserver() {
@@ -141,8 +147,14 @@ QBDI_NOINLINE int fuzz_func()
 static QBDI::VMAction bbcallback(QBDI::VMInstanceRef vm, const QBDI::VMState *state, QBDI::GPRState *gprState, QBDI::FPRState *fprState, void *data) {
 // errno = SAVED_ERRNO;
+#ifdef __x86_64__
 unsigned long pc = gprState->rip;
- // printf("%p\n", pc);
+#elif defined(i386)
+ unsigned long pc = gprState->eip;
+#elif defined(__arm__)
+ unsigned long pc = gprState->pc;
+#endif
+
 if(pc >= module_base && pc <= module_end){
 unsigned long offset = pc - module_base;
 printf("\toffset:%p\n", offset); |
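Review bot: `#elif defined(i386)` in the bbcallback hunk depends on the non-reserved `i386` macro, which compilers in strict-standard mode (`-std=c++11` rather than `-std=gnu++11`) do not define, and the chain has no `#else`, so on any unmatched target (aarch64 included) `pc` is simply undeclared and the error surfaces far from its cause. Use the reserved spelling `#elif defined(__i386__)` and close the chain with `#else` / `#error "unsupported architecture"` so an unsupported build fails at the right line. The `printf("\toffset:%p\n", offset)` context line below passes an `unsigned long` for `%p`, which is pre-existing but worth changing to `%lx` while this code is being touched. bbcallback's body continues outside the hunk.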