Diffstat (limited to 'frida_mode/src/instrument')
-rw-r--r-- | frida_mode/src/instrument/instrument.c | 21 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument_arm32.c | 6 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument_arm64.c | 1 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument_coverage.c | 66 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument_debug.c | 12 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument_x64.c | 148 | ||||
-rw-r--r-- | frida_mode/src/instrument/instrument_x86.c | 2 |
7 files changed, 141 insertions, 115 deletions
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index eeebe545..0262e461 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -6,7 +6,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "hash.h" #include "asan.h" @@ -261,14 +260,14 @@ void instrument_init(void) { if (!instrument_is_coverage_optimize_supported()) instrument_optimize = false; - OKF("Instrumentation - optimize [%c]", instrument_optimize ? 'X' : ' '); - OKF("Instrumentation - tracing [%c]", instrument_tracing ? 'X' : ' '); - OKF("Instrumentation - unique [%c]", instrument_unique ? 'X' : ' '); - OKF("Instrumentation - fixed seed [%c] [0x%016" G_GINT64_MODIFIER "x]", - instrument_use_fixed_seed ? 'X' : ' ', instrument_fixed_seed); - OKF("Instrumentation - unstable coverage [%c] [%s]", - instrument_coverage_unstable_filename == NULL ? ' ' : 'X', - instrument_coverage_unstable_filename); + FOKF("Instrumentation - optimize [%c]", instrument_optimize ? 'X' : ' '); + FOKF("Instrumentation - tracing [%c]", instrument_tracing ? 'X' : ' '); + FOKF("Instrumentation - unique [%c]", instrument_unique ? 'X' : ' '); + FOKF("Instrumentation - fixed seed [%c] [0x%016" G_GINT64_MODIFIER "x]", + instrument_use_fixed_seed ? 'X' : ' ', instrument_fixed_seed); + FOKF("Instrumentation - unstable coverage [%c] [%s]", + instrument_coverage_unstable_filename == NULL ? ' ' : 'X', + instrument_coverage_unstable_filename); if (instrument_tracing && instrument_optimize) { @@ -352,8 +351,8 @@ void instrument_init(void) { } - OKF("Instrumentation - seed [0x%016" G_GINT64_MODIFIER "x]", - instrument_hash_seed); + FOKF("Instrumentation - seed [0x%016" G_GINT64_MODIFIER "x]", + instrument_hash_seed); instrument_hash_zero = instrument_get_offset_hash(0); instrument_coverage_optimize_init(); 
diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 395d56c1..fa8b0bd2 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c @@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" @@ -18,13 +16,13 @@ void instrument_coverage_optimize(const cs_insn * instr, UNUSED_PARAMETER(instr); UNUSED_PARAMETER(output); - FATAL("Optimized coverage not supported on this architecture"); + FFATAL("Optimized coverage not supported on this architecture"); } void instrument_coverage_optimize_init(void) { - WARNF("Optimized coverage not supported on this architecture"); + FWARNF("Optimized coverage not supported on this architecture"); } diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index 358e8e6b..0f635458 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -1,7 +1,6 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" diff --git a/frida_mode/src/instrument/instrument_coverage.c b/frida_mode/src/instrument/instrument_coverage.c index 513df29a..95a24808 100644 --- a/frida_mode/src/instrument/instrument_coverage.c +++ b/frida_mode/src/instrument/instrument_coverage.c @@ -5,8 +5,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" @@ -251,7 +249,7 @@ static void coverage_write(void *data, size_t size) { if (written < 0) { - FATAL("Coverage - Failed to write: %s (%d)\n", (char *)data, errno); + FFATAL("Coverage - Failed to write: %s (%d)\n", (char *)data, errno); } @@ -371,7 +369,7 @@ static void instrument_coverage_normal_run() { if (close(normal_coverage_pipes[STDOUT_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } 
@@ -379,7 +377,7 @@ static void instrument_coverage_normal_run() { g_hash_table_new_full(g_direct_hash, g_direct_equal, NULL, g_free); if (coverage_hash == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } @@ -396,7 +394,7 @@ static void instrument_coverage_normal_run() { } - if (bytes != 0) { FATAL("Coverage data truncated"); } + if (bytes != 0) { FFATAL("Coverage data truncated"); } instrument_coverage_print("Coverage - Preparing\n"); @@ -435,7 +433,7 @@ static GArray *instrument_coverage_unstable_read_unstable_ids(void) { if (!g_file_get_contents(unstable_coverage_fuzzer_stats, &contents, &length, NULL)) { - FATAL("Failed to read fuzzer_stats"); + FFATAL("Failed to read fuzzer_stats"); } @@ -526,7 +524,7 @@ static GHashTable *instrument_collect_unstable_blocks( GHashTable *child = (GHashTable *)g_hash_table_lookup(unstable_coverage_hash, *id); - if (child == NULL) { FATAL("Failed to find edge ID"); } + if (child == NULL) { FFATAL("Failed to find edge ID"); } GHashTableIter iter = {0}; gpointer value; @@ -565,7 +563,7 @@ static void instrument_coverage_unstable_run(void) { if (close(unstable_coverage_pipes[STDOUT_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } @@ -573,7 +571,7 @@ static void instrument_coverage_unstable_run(void) { g_direct_hash, g_direct_equal, NULL, (GDestroyNotify)g_hash_table_unref); if (unstable_coverage_hash == NULL) { - FATAL("Failed to g_hash_table_new, errno: %d", errno); + FFATAL("Failed to g_hash_table_new, errno: %d", errno); } @@ -599,7 +597,7 @@ static void instrument_coverage_unstable_run(void) { if (!g_hash_table_insert(unstable_coverage_hash, GSIZE_TO_POINTER(value->edge), hash_value)) { - FATAL("Entry already in hashtable"); + FFATAL("Entry already in hashtable"); } 
@@ -613,7 +611,7 @@ static void instrument_coverage_unstable_run(void) { } - if (bytes != 0) { FATAL("Unstable coverage data truncated"); } + if (bytes != 0) { FFATAL("Unstable coverage data truncated"); } instrument_coverage_print("Coverage - Preparing\n"); @@ -659,33 +657,33 @@ void instrument_coverage_config(void) { void instrument_coverage_normal_init(void) { - OKF("Coverage - enabled [%c]", - instrument_coverage_filename == NULL ? ' ' : 'X'); + FOKF("Coverage - enabled [%c]", + instrument_coverage_filename == NULL ? ' ' : 'X'); if (instrument_coverage_filename == NULL) { return; } - OKF("Coverage - file [%s]", instrument_coverage_filename); + FOKF("Coverage - file [%s]", instrument_coverage_filename); char *path = g_canonicalize_filename(instrument_coverage_filename, g_get_current_dir()); - OKF("Coverage - path [%s]", path); + FOKF("Coverage - path [%s]", path); normal_coverage_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); if (normal_coverage_fd < 0) { - FATAL("Failed to open coverage file '%s'", path); + FFATAL("Failed to open coverage file '%s'", path); } g_free(path); - if (pipe(normal_coverage_pipes) != 0) { FATAL("Failed to create pipes"); } + if (pipe(normal_coverage_pipes) != 0) { FFATAL("Failed to create pipes"); } pid_t pid = fork(); - if (pid == -1) { FATAL("Failed to start coverage process"); } + if (pid == -1) { FFATAL("Failed to start coverage process"); } if (pid == 0) { @@ -697,13 +695,13 @@ void instrument_coverage_normal_init(void) { if (close(normal_coverage_fd) < 0) { - FATAL("Failed to close coverage output file"); + FFATAL("Failed to close coverage output file"); } if (close(normal_coverage_pipes[STDIN_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } 
@@ -714,11 +712,11 @@ void instrument_coverage_unstable_find_output(void) { gchar *fds_name = g_strdup_printf("/proc/%d/fd/", getppid()); gchar *root = g_file_read_link("/proc/self/root", NULL); - if (root == NULL) { FATAL("Failed to read link"); } + if (root == NULL) { FFATAL("Failed to read link"); } GDir *dir = g_dir_open(fds_name, 0, NULL); - OKF("Coverage Unstable - fds: %s", fds_name); + FOKF("Coverage Unstable - fds: %s", fds_name); for (const gchar *filename = g_dir_read_name(dir); filename != NULL; filename = g_dir_read_name(dir)) { @@ -726,7 +724,7 @@ void instrument_coverage_unstable_find_output(void) { gchar *fullname = g_build_path("/", fds_name, filename, NULL); gchar *link = g_file_read_link(fullname, NULL); - if (link == NULL) { FATAL("Failed to read link: %s", fullname); } + if (link == NULL) { FFATAL("Failed to read link: %s", fullname); } gchar *basename = g_path_get_basename(link); if (g_strcmp0(basename, "default") != 0) { @@ -778,11 +776,11 @@ void instrument_coverage_unstable_find_output(void) { if (unstable_coverage_fuzzer_stats == NULL) { - FATAL("Failed to find fuzzer stats"); + FFATAL("Failed to find fuzzer stats"); } - OKF("Fuzzer stats: %s", unstable_coverage_fuzzer_stats); + FOKF("Fuzzer stats: %s", unstable_coverage_fuzzer_stats); } @@ -793,14 +791,14 @@ void instrument_coverage_unstable_init(void) { char *path = g_canonicalize_filename(instrument_coverage_unstable_filename, g_get_current_dir()); - OKF("Coverage - unstable path [%s]", instrument_coverage_unstable_filename); + FOKF("Coverage - unstable path [%s]", instrument_coverage_unstable_filename); unstable_coverage_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); if (unstable_coverage_fd < 0) { - FATAL("Failed to open unstable coverage file '%s'", path); + FFATAL("Failed to open unstable coverage file '%s'", path); } 
@@ -810,12 +808,12 @@ void instrument_coverage_unstable_init(void) { if (pipe(unstable_coverage_pipes) != 0) { - FATAL("Failed to create unstable pipes"); + FFATAL("Failed to create unstable pipes"); } pid_t pid = fork(); - if (pid == -1) { FATAL("Failed to start coverage process"); } + if (pid == -1) { FFATAL("Failed to start coverage process"); } if (pid == 0) { @@ -827,13 +825,13 @@ void instrument_coverage_unstable_init(void) { if (close(unstable_coverage_fd) < 0) { - FATAL("Failed to close unstable coverage output file"); + FFATAL("Failed to close unstable coverage output file"); } if (close(unstable_coverage_pipes[STDIN_FILENO]) != 0) { - FATAL("Failed to close parent read pipe"); + FFATAL("Failed to close parent read pipe"); } @@ -865,7 +863,7 @@ void instrument_coverage_end(uint64_t address) { if (write(normal_coverage_pipes[STDOUT_FILENO], &data, sizeof(normal_coverage_data_t)) != sizeof(normal_coverage_data_t)) { - FATAL("Coverage I/O error"); + FFATAL("Coverage I/O error"); } @@ -888,7 +886,7 @@ void instrument_coverage_unstable(guint64 edge, guint64 previous_rip, sizeof(unstable_coverage_data_t)) != sizeof(unstable_coverage_data_t)) { - FATAL("Unstable coverage I/O error"); + FFATAL("Unstable coverage I/O error"); } diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c index b8cca634..a175b585 100644 --- a/frida_mode/src/instrument/instrument_debug.c +++ b/frida_mode/src/instrument/instrument_debug.c @@ -5,8 +5,6 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" 
@@ -89,24 +87,24 @@ void instrument_debug_config(void) { void instrument_debug_init(void) { - OKF("Instrumentation debugging - enabled [%c]", - instrument_debug_filename == NULL ? ' ' : 'X'); + FOKF("Instrumentation debugging - enabled [%c]", + instrument_debug_filename == NULL ? ' ' : 'X'); if (instrument_debug_filename == NULL) { return; } - OKF("Instrumentation debugging - file [%s]", instrument_debug_filename); + FOKF("Instrumentation debugging - file [%s]", instrument_debug_filename); if (instrument_debug_filename == NULL) { return; } char *path = g_canonicalize_filename(instrument_debug_filename, g_get_current_dir()); - OKF("Instrumentation debugging - path [%s]", path); + FOKF("Instrumentation debugging - path [%s]", path); debugging_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); - if (debugging_fd < 0) { FATAL("Failed to open stats file '%s'", path); } + if (debugging_fd < 0) { FFATAL("Failed to open stats file '%s'", path); } g_free(path); diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 27704f9b..e2cbb804 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -15,11 +15,11 @@ #include "frida-gumjs.h" #include "config.h" -#include "debug.h" #include "instrument.h" #include "ranges.h" #include "stalker.h" +#include "util.h" #if defined(__x86_64__) 
@@ -52,29 +52,46 @@ typedef struct { // shared_mem[cur_location ^ prev_location]++; // prev_location = cur_location >> 1; - // => 0x7ffff6cfb086: lea rsp,[rsp-0x80] - // 0x7ffff6cfb08b: pushf - // 0x7ffff6cfb08c: push rsi - // 0x7ffff6cfb08d: mov rsi,0x228 - // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # - // 0x7ffff700e740 0x7ffff6cfb09b: xor rsi,0x451 0x7ffff6cfb0a2: add - // BYTE PTR [rsi+0x10000],0x1 0x7ffff6cfb0a9: adc BYTE PTR - // [rsi+0x10000],0x0 0x7ffff6cfb0b0: pop rsi 0x7ffff6cfb0b1: popf - // 0x7ffff6cfb0b2: lea rsp,[rsp+0x80] + // 0x7ffff6cbca41: lea rsp,[rsp-0x80] + // + // 0x7ffff6cbca46: push rax + // 0x7ffff6cbca47: lahf + // 0x7ffff6cbca48: push rax + // + // 0x7ffff6cbca49: mov eax,DWORD PTR [rip+0x33bcf1] + // 0x7ffff6cbca4f: xor eax,0x3f77 + // 0x7ffff6cbca54: add eax,0x10000 + // 0x7ffff6cbca59: add BYTE PTR [rax],0x1 + // 0x7ffff6cbca5c: adc BYTE PTR [rax],0x0 + // + // 0x7ffff6cbca5f: mov eax,0xbf77 + // 0x7ffff6cbca64: mov DWORD PTR [rip+0x33bcd6],eax + // + // 0x7ffff6cbca6a: pop rax + // 0x7ffff6cbca6b: sahf + // 0x7ffff6cbca6c: pop rax + // + // 0x7ffff6cbca6d: lea rsp,[rsp+0x80] uint8_t lea_rsp_rsp_sub_rz[5]; - uint8_t push_fq; - uint8_t push_rsi; - uint8_t mov_rsi_curr_loc_shr_1[7]; - uint8_t xchg_rsi_prev_loc_curr_loc[7]; - uint8_t xor_rsi_curr_loc[7]; + uint8_t push_rax; + uint8_t lahf; + uint8_t push_rax2; - uint8_t add_rsi_1[7]; - uint8_t adc_rsi_0[7]; + uint8_t mov_eax_prev_loc[6]; + uint8_t xor_eax_curr_loc[5]; + uint8_t add_eax_afl_area[5]; + uint8_t add_rax_1[3]; + uint8_t adc_rax_0[3]; + + uint8_t mov_eax_curr_loc_shr_1[5]; + uint8_t mov_eax_prev_loc_curr_loc[6]; + + uint8_t pop_rax2; + uint8_t sahf; + uint8_t pop_rax; - uint8_t pop_rsi; - uint8_t pop_fq; uint8_t lsa_rsp_rsp_add_rz[8]; } afl_log_code_asm_t; 
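Review bot: The new prologue/epilogue saves flags with `lahf`/`sahf`, which cover only SF, ZF, AF, PF and CF; OF is not preserved, and the `add BYTE PTR [rax],0x1` / `adc BYTE PTR [rax],0x0` pair can change it, whereas the replaced `pushf`/`popf` preserved the full flags word. If an instrumented block can begin with an instruction that consumes OF (jl/jg/jo and friends) set by the previous block, the fuzzed target's behaviour changes silently; either document the assumption that flags are dead at block entry, or preserve OF explicitly (e.g. `seto al` after `lahf` and `add al,0x7f` before `sahf`). The `typedef struct` whose fields this hunk changes starts before the hunk.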
@@ -92,18 +109,24 @@ static const afl_log_code_asm_t template = { .lea_rsp_rsp_sub_rz = {0x48, 0x8D, 0x64, 0x24, 0x80}, - .push_fq = 0x9c, - .push_rsi = 0x56, + .push_rax = 0x50, + .lahf = 0x9f, + .push_rax2 = 0x50, + + .mov_eax_prev_loc = {0x8b, 0x05}, + .xor_eax_curr_loc = {0x35}, + + .add_eax_afl_area = {0x05}, + .add_rax_1 = {0x80, 0x00, 0x01}, + .adc_rax_0 = {0x80, 0x10, 0x00}, - .mov_rsi_curr_loc_shr_1 = {0x48, 0xC7, 0xC6}, - .xchg_rsi_prev_loc_curr_loc = {0x48, 0x87, 0x35}, - .xor_rsi_curr_loc = {0x48, 0x81, 0xF6}, + .mov_eax_curr_loc_shr_1 = {0xb8}, + .mov_eax_prev_loc_curr_loc = {0x89, 0x05}, - .add_rsi_1 = {0x80, 0x86, 0x00, 0x00, 0x00, 0x00, 0x01}, - .adc_rsi_0 = {0x80, 0x96, 0x00, 0x00, 0x00, 0x00, 0x00}, + .pop_rax2 = 0x58, + .sahf = 0x9e, + .pop_rax = 0x58, - .pop_rsi = 0x5E, - .pop_fq = 0x9D, .lsa_rsp_rsp_add_rz = {0x48, 0x8D, 0xA4, 0x24, 0x80, 0x00, 0x00, 0x00}, } @@ -123,7 +146,7 @@ static gboolean instrument_coverage_find_low(const GumRangeDetails *details, } - if (details->range->base_address > ((2ULL << 20) - __afl_map_size)) { + if (details->range->base_address > ((2ULL << 30) - __afl_map_size)) { return FALSE; @@ -215,6 +238,9 @@ static void instrument_coverage_switch(GumStalkerObserver *self, const cs_insn * from_insn, gpointer * target) { + UNUSED_PARAMETER(self); + UNUSED_PARAMETER(start_address); + cs_x86 * x86; cs_x86_op *op; if (from_insn == NULL) { return; } @@ -248,9 +274,7 @@ static void instrument_coverage_switch(GumStalkerObserver *self, } - // OKF("SKIP: %p %s %s", start_address, from_insn->mnemonic, - // from_insn->op_str); - *target = *target + sizeof(afl_log_code); + *target = (guint8 *)*target + sizeof(afl_log_code); } 
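Review bot: `instrument_coverage_find_low` now accepts ranges with a base address up to `(2ULL << 30) - __afl_map_size`, but the check in `instrument_coverage_optimize_init` (next hunk, `GPOINTER_TO_SIZE(low_address) > ((2UL << 20) - __afl_map_size)`) still uses the old 2 MiB bound, so a range found between 2 MiB and 2 GiB passes the first filter only to be rejected by the second. The two limits should be one named constant used by both, and the 2 GiB figure deserves a comment tying it to the 32-bit immediate in the `add eax, imm32` form the new template relies on. `instrument_coverage_find_low` begins and ends outside the hunk.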
@@ -261,7 +285,7 @@ void instrument_coverage_optimize_init(void) { gum_process_enumerate_ranges(GUM_PAGE_NO_ACCESS, instrument_coverage_find_low, &low_address); - OKF("Low address: %p", low_address); + FOKF("Low address: %p", low_address); if (low_address == 0 || GPOINTER_TO_SIZE(low_address) > ((2UL << 20) - __afl_map_size)) { @@ -273,11 +297,11 @@ void instrument_coverage_optimize_init(void) { ranges_print_debug_maps(); char *shm_env = getenv(SHM_ENV_VAR); - OKF("SHM_ENV_VAR: %s", shm_env); + FOKF("SHM_ENV_VAR: %s", shm_env); if (shm_env == NULL) { - WARNF("SHM_ENV_VAR not set, using anonymous map for debugging purposes"); + FWARNF("SHM_ENV_VAR not set, using anonymous map for debugging purposes"); instrument_coverage_optimize_map_mmap_anon(low_address); @@ -297,8 +321,8 @@ void instrument_coverage_optimize_init(void) { } - OKF("__afl_area_ptr: %p", __afl_area_ptr); - OKF("instrument_previous_pc: %p", &instrument_previous_pc); + FOKF("__afl_area_ptr: %p", __afl_area_ptr); + FOKF("instrument_previous_pc: %p", &instrument_previous_pc); } @@ -327,6 +351,7 @@ void instrument_coverage_optimize(const cs_insn * instr, afl_log_code code = {0}; GumX86Writer *cw = output->writer.x86; guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address)); + guint64 area_offset_ror; GumAddress code_addr = 0; instrument_coverage_suppress_init(); 
@@ -342,19 +367,21 @@ void instrument_coverage_optimize(const cs_insn * instr, code.code = template; gssize curr_loc_shr_1_offset = - offsetof(afl_log_code, code.mov_rsi_curr_loc_shr_1) + - sizeof(code.code.mov_rsi_curr_loc_shr_1) - sizeof(guint32); + offsetof(afl_log_code, code.mov_eax_curr_loc_shr_1) + + sizeof(code.code.mov_eax_curr_loc_shr_1) - sizeof(guint32); + + area_offset_ror = ((area_offset & (MAP_SIZE - 1) >> 1)) | + ((area_offset & 0x1) << (MAP_SIZE_POW2 - 1)); - *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = - (guint32)(area_offset >> 1); + *((guint32 *)&code.bytes[curr_loc_shr_1_offset]) = (guint32)(area_offset_ror); gssize prev_loc_value = GPOINTER_TO_SIZE(&instrument_previous_pc) - - (code_addr + offsetof(afl_log_code, code.xchg_rsi_prev_loc_curr_loc) + - sizeof(code.code.xchg_rsi_prev_loc_curr_loc)); + (code_addr + offsetof(afl_log_code, code.mov_eax_prev_loc_curr_loc) + + sizeof(code.code.mov_eax_prev_loc_curr_loc)); gssize prev_loc_value_offset = - offsetof(afl_log_code, code.xchg_rsi_prev_loc_curr_loc) + - sizeof(code.code.xchg_rsi_prev_loc_curr_loc) - sizeof(gint); + offsetof(afl_log_code, code.mov_eax_prev_loc_curr_loc) + + sizeof(code.code.mov_eax_prev_loc_curr_loc) - sizeof(gint); if (!instrument_coverage_in_range(prev_loc_value)) { FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value); 
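Review bot: The rotation on the new `area_offset_ror` line is mis-parenthesised: `>>` binds tighter than `&`, so `(area_offset & (MAP_SIZE - 1) >> 1)` evaluates as `area_offset & ((MAP_SIZE - 1) >> 1)` — the low bits are masked but never shifted, and bit 0 is both kept in place and OR'd into the top bit. The intended right-rotate by one within the map is `area_offset_ror = ((area_offset & (MAP_SIZE - 1)) >> 1) | ((area_offset & 0x1) << (MAP_SIZE_POW2 - 1));`. A one-line comment saying this rotate replaces the former `>> 1` so that `prev_location` keeps all MAP_SIZE_POW2 bits would help the next reader, and the field name `mov_eax_curr_loc_shr_1` no longer describes the value stored there. `instrument_coverage_optimize` begins before and continues past this hunk.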
@@ -363,22 +390,31 @@ void instrument_coverage_optimize(const cs_insn * instr, *((gint *)&code.bytes[prev_loc_value_offset]) = (gint)prev_loc_value; - gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_rsi_curr_loc) + - sizeof(code.code.xor_rsi_curr_loc) - - sizeof(guint32); + gssize prev_loc_value2 = + GPOINTER_TO_SIZE(&instrument_previous_pc) - + (code_addr + offsetof(afl_log_code, code.mov_eax_prev_loc) + + sizeof(code.code.mov_eax_prev_loc)); + gssize prev_loc_value_offset2 = + offsetof(afl_log_code, code.mov_eax_prev_loc) + + sizeof(code.code.mov_eax_prev_loc) - sizeof(gint); + if (!instrument_coverage_in_range(prev_loc_value)) { - *((guint32 *)&code.bytes[xor_curr_loc_offset]) = (guint32)(area_offset); + FATAL("Patch out of range (current_pc_value1): 0x%016lX", prev_loc_value2); - gssize add_rsi_1_offset = offsetof(afl_log_code, code.add_rsi_1) + - sizeof(code.code.add_rsi_1) - sizeof(guint32) - 1; + } - *((guint32 *)&code.bytes[add_rsi_1_offset]) = - (guint32)GPOINTER_TO_SIZE(__afl_area_ptr); + *((gint *)&code.bytes[prev_loc_value_offset2]) = (gint)prev_loc_value2; + + gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_eax_curr_loc) + + sizeof(code.code.xor_eax_curr_loc) - + sizeof(guint32); + + *((guint32 *)&code.bytes[xor_curr_loc_offset]) = (guint32)(area_offset); - gssize adc_rsi_0_ffset = offsetof(afl_log_code, code.adc_rsi_0) + - sizeof(code.code.adc_rsi_0) - sizeof(guint32) - 1; + gssize lea_rax_offset = offsetof(afl_log_code, code.add_eax_afl_area) + + sizeof(code.code.add_eax_afl_area) - sizeof(guint32); - *((guint32 *)&code.bytes[adc_rsi_0_ffset]) = + *((guint32 *)&code.bytes[lea_rax_offset]) = (guint32)GPOINTER_TO_SIZE(__afl_area_ptr); gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c index f90c01c2..79664afa 100644 --- a/frida_mode/src/instrument/instrument_x86.c +++ b/frida_mode/src/instrument/instrument_x86.c 
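Review bot: The new range check for the second patch site tests the wrong variable: `if (!instrument_coverage_in_range(prev_loc_value))` re-checks the value already validated above, while `prev_loc_value2` is truncated to `gint` and written into `mov_eax_prev_loc` unchecked, and the message repeats the `current_pc_value1` label. It should read `if (!instrument_coverage_in_range(prev_loc_value2)) {` and `FATAL("Patch out of range (current_pc_value2): 0x%016lX", prev_loc_value2);`. This file also drops `#include "debug.h"` in favour of `util.h` while keeping plain `FATAL` here and in the previous hunk; unless `util.h` still provides `FATAL`, these should become `FFATAL` like the rest of the commit. The name `lea_rax_offset` refers to the `add_eax_afl_area` field, so `add_eax_afl_area_offset` would match the instruction actually emitted. The enclosing function starts before the hunk.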
@@ -1,7 +1,5 @@ #include "frida-gumjs.h" -#include "debug.h" - #include "instrument.h" #include "util.h" |