diff options
Diffstat (limited to 'unicorn_mode')
| -rw-r--r-- | unicorn_mode/README.md | 2 | ||||
| -rwxr-xr-x | unicorn_mode/build_unicorn_support.sh | 69 | ||||
| -rw-r--r-- | unicorn_mode/patches/afl-unicorn-common.h | 2 | ||||
| -rw-r--r-- | unicorn_mode/patches/afl-unicorn-cpu-inl.h | 2 | ||||
| -rw-r--r-- | unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h | 2 | ||||
| -rw-r--r-- | unicorn_mode/patches/afl-unicorn-tcg-op-inl.h | 2 | ||||
| -rw-r--r-- | unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h | 70 | ||||
| -rw-r--r-- | unicorn_mode/samples/compcov_x64/compcov_target.bin | bin | 86 -> 86 bytes | |||
| -rw-r--r-- | unicorn_mode/samples/compcov_x64/compcov_target.c | 6 | ||||
| -rwxr-xr-x | unicorn_mode/samples/compcov_x64/compcov_target.elf | bin | 5728 -> 13200 bytes |
10 files changed, 131 insertions, 24 deletions
diff --git a/unicorn_mode/README.md b/unicorn_mode/README.md index ea3e3c9b..8f381b59 100644 --- a/unicorn_mode/README.md +++ b/unicorn_mode/README.md @@ -99,7 +99,7 @@ The options that enables Unicorn CompareCoverage are the same used for QEMU. AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate values. QEMU_COMPCOV_LEVEL=2 instruments all comparison instructions. Comparison instructions are currently instrumented only -on the x86 and x86_64 targets. +for the x86, x86_64 and ARM targets. ## 4) Gotchas, feedback, bugs diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 1575f66c..589ab852 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -6,7 +6,7 @@ # Originally written by Nathan Voss <njvoss99@gmail.com> # # Adapted from code by Andrew Griffiths <agriffiths@google.com> and -# Michal Zalewski <lcamtuf@google.com> +# Michal Zalewski # # Adapted for AFLplusplus by Dominik Maier <mail@dmnk.co> # @@ -43,9 +43,11 @@ echo echo "[*] Performing basic sanity checks..." -if [ ! "`uname -s`" = "Linux" ]; then +PLT=`uname -s` - echo "[-] Error: Unicorn instrumentation is supported only on Linux." +if [ ! "$PLT" = "Linux" ] && [ ! "$PLT" = "Darwin" ] && [ ! "$PLT" = "FreeBSD" ] && [ ! "$PLT" = "NetBSD" ] && [ ! "$PLT" = "OpenBSD" ]; then + + echo "[-] Error: Unicorn instrumentation is unsupported on $PLT." exit 1 fi @@ -64,7 +66,43 @@ if [ ! -f "../afl-showmap" ]; then fi -for i in wget python automake autoconf sha384sum; do +if [ "$PLT" = "Linux" ]; then + CKSUMCMD='sha384sum --' + PYTHONBIN=python2 + MAKECMD=make + CORES=`nproc` + TARCMD=tar + EASY_INSTALL=easy_install +fi + +if [ "$PLT" = "Darwin" ]; then + CKSUMCMD="shasum -a 384" + PYTHONBIN=python2.7 + MAKECMD=make + CORES=`sysctl hw.ncpu | cut -d' ' -f2` + TARCMD=tar + EASY_INSTALL=easy_install-2.7 +fi + +if [ "$PLT" = "FreeBSD" ]; then + CKSUMCMD="sha384 -q" + PYTHONBIN=python2.7 + MAKECMD=gmake + CORES=`sysctl hw.ncpu | cut -d' ' -f2` + TARCMD=gtar + EASY_INSTALL=easy_install-2.7 +fi + +if [ "$PLT" = "NetBSD" ] || [ "$PLT" = "OpenBSD" ]; then + CKSUMCMD="cksum -a sha384 -q" + PYTHONBIN=python2.7 + MAKECMD=gmake + CORES=`sysctl hw.ncpu | cut -d' ' -f2` + TARCMD=gtar + EASY_INSTALL=easy_install-2.7 +fi + +for i in wget $PYTHONBIN automake autoconf $MAKECMD $TARCMD; do T=`which "$i" 2>/dev/null` @@ -77,10 +115,10 @@ for i in wget python automake autoconf sha384sum; do done -if ! which easy_install > /dev/null; then +if ! which $EASY_INSTALL > /dev/null; then # work around for unusual installs - if [ '!' -e /usr/lib/python2.7/dist-packages/easy_install.py ]; then + if [ '!' -e /usr/lib/python2.7/dist-packages/easy_install.py ] && [ '!' -e /usr/local/lib/python2.7/dist-packages/easy_install.py ] && [ '!' -e /usr/pkg/lib/python2.7/dist-packages/easy_install.py ]; then echo "[-] Error: Python setup-tools not found. Run 'sudo apt-get install python-setuptools'." exit 1 @@ -100,15 +138,18 @@ echo "[+] All checks passed!" ARCHIVE="`basename -- "$UNICORN_URL"`" -CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1` +CKSUM=`$CKSUMCMD "$ARCHIVE" 2>/dev/null | cut -d' ' -f1` if [ ! "$CKSUM" = "$UNICORN_SHA384" ]; then echo "[*] Downloading Unicorn v1.0.1 from the web..." rm -f "$ARCHIVE" - wget -O "$ARCHIVE" -- "$UNICORN_URL" || exit 1 + OK= + while [ -z "$OK" ]; do + wget -c -O "$ARCHIVE" -- "$UNICORN_URL" && OK=1 + done - CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1` + CKSUM=`$CKSUMCMD "$ARCHIVE" 2>/dev/null | cut -d' ' -f1` fi @@ -127,7 +168,7 @@ echo "[*] Uncompressing archive (this will take a while)..." rm -rf "unicorn" || exit 1 mkdir "unicorn" || exit 1 -tar xzf "$ARCHIVE" -C ./unicorn --strip-components=1 || exit 1 +$TARCMD xzf "$ARCHIVE" -C ./unicorn --strip-components=1 || exit 1 echo "[+] Unpacking successful." @@ -149,7 +190,7 @@ echo "[+] Configuration complete." echo "[*] Attempting to build Unicorn (fingers crossed!)..." -UNICORN_QEMU_FLAGS='--python=python2' make -j `nproc` || exit 1 +UNICORN_QEMU_FLAGS="--python=$PYTHONBIN" $MAKECMD -j$CORES || exit 1 echo "[+] Build process successful!" @@ -157,10 +198,10 @@ echo "[*] Installing Unicorn python bindings..." cd bindings/python || exit 1 if [ -z "$VIRTUAL_ENV" ]; then echo "[*] Info: Installing python unicorn using --user" - python setup.py install --user || exit 1 + $PYTHONBIN setup.py install --user || exit 1 else echo "[*] Info: Installing python unicorn to virtualenv: $VIRTUAL_ENV" - python setup.py install || exit 1 + $PYTHONBIN setup.py install || exit 1 fi export LIBUNICORN_PATH='$(pwd)' # in theory, this allows to switch between afl-unicorn and unicorn so files. @@ -175,7 +216,7 @@ cd ../samples/simple || exit 1 # Run afl-showmap on the sample application. If anything comes out then it must have worked! unset AFL_INST_RATIO -echo 0 | ../../../afl-showmap -U -m none -q -o .test-instr0 -- python simple_test_harness.py ./sample_inputs/sample1.bin || exit 1 +echo 0 | ../../../afl-showmap -U -m none -q -o .test-instr0 -- $PYTHONBIN simple_test_harness.py ./sample_inputs/sample1.bin || exit 1 if [ -s .test-instr0 ] then diff --git a/unicorn_mode/patches/afl-unicorn-common.h b/unicorn_mode/patches/afl-unicorn-common.h index fd88e21b..66d03803 100644 --- a/unicorn_mode/patches/afl-unicorn-common.h +++ b/unicorn_mode/patches/afl-unicorn-common.h @@ -3,7 +3,7 @@ ---------------------------------------------- Originally written by Andrew Griffiths <agriffiths@google.com> and - Michal Zalewski <lcamtuf@google.com> + Michal Zalewski Adapted for afl-unicorn by Dominik Maier <mail@dmnk.co> diff --git a/unicorn_mode/patches/afl-unicorn-cpu-inl.h b/unicorn_mode/patches/afl-unicorn-cpu-inl.h index 082d6d68..72092e29 100644 --- a/unicorn_mode/patches/afl-unicorn-cpu-inl.h +++ b/unicorn_mode/patches/afl-unicorn-cpu-inl.h @@ -3,7 +3,7 @@ ---------------------------------------------- Originally written by Andrew Griffiths <agriffiths@google.com> and - Michal Zalewski <lcamtuf@google.com> + Michal Zalewski Adapted for afl-unicorn by Dominik Maier <mail@dmnk.co> diff --git a/unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h b/unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h index 7c84058f..70472a72 100644 --- a/unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h +++ b/unicorn_mode/patches/afl-unicorn-cpu-translate-inl.h @@ -3,7 +3,7 @@ ---------------------------------------------- Originally written by Andrew Griffiths <agriffiths@google.com> and - Michal Zalewski <lcamtuf@google.com> + Michal Zalewski Adapted for afl-unicorn by Dominik Maier <mail@dmnk.co> diff --git a/unicorn_mode/patches/afl-unicorn-tcg-op-inl.h b/unicorn_mode/patches/afl-unicorn-tcg-op-inl.h index d21bbcc7..8f4a8748 100644 --- a/unicorn_mode/patches/afl-unicorn-tcg-op-inl.h +++ b/unicorn_mode/patches/afl-unicorn-tcg-op-inl.h @@ -3,7 +3,7 @@ ---------------------------------------------- Originally written by Andrew Griffiths <agriffiths@google.com> and - Michal Zalewski <lcamtuf@google.com> + Michal Zalewski Adapted for afl-unicorn by Dominik Maier <mail@dmnk.co> diff --git a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h index 95e68302..3603fae0 100644 --- a/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h +++ b/unicorn_mode/patches/afl-unicorn-tcg-runtime-inl.h @@ -3,7 +3,7 @@ ---------------------------------------------- Originally written by Andrew Griffiths <agriffiths@google.com> and - Michal Zalewski <lcamtuf@google.com> + Michal Zalewski Adapted for afl-unicorn by Dominik Maier <mail@dmnk.co> @@ -104,3 +104,71 @@ void HELPER(afl_compcov_log_64)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, } +/* // Little endian CompCov +void HELPER(afl_compcov_log_16)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, + uint64_t arg2) { + + u8* afl_area_ptr = ((struct uc_struct*)uc_ptr)->afl_area_ptr; + + if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(cur_loc); } + +} + +void HELPER(afl_compcov_log_32)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, + uint64_t arg2) { + + u8* afl_area_ptr = ((struct uc_struct*)uc_ptr)->afl_area_ptr; + + if ((arg1 & 0xff000000) == (arg2 & 0xff000000)) { + + INC_AFL_AREA(cur_loc + 2); + if ((arg1 & 0xff0000) == (arg2 & 0xff0000)) { + + INC_AFL_AREA(cur_loc + 1); + if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(cur_loc); } + + } + + } + +} + +void HELPER(afl_compcov_log_64)(void* uc_ptr, uint64_t cur_loc, uint64_t arg1, + uint64_t arg2) { + + u8* afl_area_ptr = ((struct uc_struct*)uc_ptr)->afl_area_ptr; + + if ((arg1 & 0xff00000000000000) == (arg2 & 0xff00000000000000)) { + + INC_AFL_AREA(cur_loc + 6); + if ((arg1 & 0xff000000000000) == (arg2 & 0xff000000000000)) { + + INC_AFL_AREA(cur_loc + 5); + if ((arg1 & 0xff0000000000) == (arg2 & 0xff0000000000)) { + + INC_AFL_AREA(cur_loc + 4); + if ((arg1 & 0xff00000000) == (arg2 & 0xff00000000)) { + + INC_AFL_AREA(cur_loc + 3); + if ((arg1 & 0xff000000) == (arg2 & 0xff000000)) { + + INC_AFL_AREA(cur_loc + 2); + if ((arg1 & 0xff0000) == (arg2 & 0xff0000)) { + + INC_AFL_AREA(cur_loc + 1); + if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(cur_loc); } + + } + + } + + } + + } + + } + + } + +} +*/ diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.bin b/unicorn_mode/samples/compcov_x64/compcov_target.bin index 091bf1db..2874860b 100644 --- a/unicorn_mode/samples/compcov_x64/compcov_target.bin +++ b/unicorn_mode/samples/compcov_x64/compcov_target.bin Binary files differdiff --git a/unicorn_mode/samples/compcov_x64/compcov_target.c b/unicorn_mode/samples/compcov_x64/compcov_target.c index eb1205b1..0c863b25 100644 --- a/unicorn_mode/samples/compcov_x64/compcov_target.c +++ b/unicorn_mode/samples/compcov_x64/compcov_target.c @@ -16,11 +16,9 @@ int main(void) { unsigned int *data_buf = (unsigned int *) DATA_ADDRESS; - if (data_buf[0] == 0xabadcafe) { - // Cause an 'invalid read' crash if data[0..3] == '\x01\x02\x03\x04' + if (((unsigned short*)data_buf)[0] == 0x0100) { unsigned char invalid_read = *(unsigned char *) 0x00000000; - } else if (data_buf[1] == data_buf[2] + 0x4141) { - // Cause an 'invalid read' crash if (0x10 < data[0] < 0x20) and data[1] > data[2] + } else if (data_buf[1] == data_buf[2] + 0xfffe) { unsigned char invalid_read = *(unsigned char *) 0x00000000; } diff --git a/unicorn_mode/samples/compcov_x64/compcov_target.elf b/unicorn_mode/samples/compcov_x64/compcov_target.elf index 7015fb46..0f1ad916 100755 --- a/unicorn_mode/samples/compcov_x64/compcov_target.elf +++ b/unicorn_mode/samples/compcov_x64/compcov_target.elf Binary files differ |