From a1c9c497d5e0659e94a25f8cb399f4d111643606 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 May 2020 15:37:49 +0200 Subject: aarch64 support for afl-untracer --- examples/afl_untracer/Makefile | 10 ++++-- examples/afl_untracer/README.md | 15 ++++++++ examples/afl_untracer/afl-untracer.c | 67 ++++++++++++++++++++++++++++++++---- 3 files changed, 83 insertions(+), 9 deletions(-) (limited to 'examples') diff --git a/examples/afl_untracer/Makefile b/examples/afl_untracer/Makefile index 5c525877..ad67e8bc 100644 --- a/examples/afl_untracer/Makefile +++ b/examples/afl_untracer/Makefile @@ -1,10 +1,16 @@ +ifdef DEBUG + OPT=-O0 +else + OPT=-O3 +endif + all: afl-untracer libtestinstr.so afl-untracer: afl-untracer.c - $(CC) -I../../include -g -o afl-untracer afl-untracer.c -ldl -pthread + $(CC) $(OPT) -I../../include -g -o afl-untracer afl-untracer.c -ldl -pthread libtestinstr.so: libtestinstr.c - $(CC) -fPIC -o libtestinstr.so -shared libtestinstr.c + $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c clean: rm -f afl-untracer libtestinstr.so *~ core diff --git a/examples/afl_untracer/README.md b/examples/afl_untracer/README.md index 4ff96423..8e24c2a4 100644 --- a/examples/afl_untracer/README.md +++ b/examples/afl_untracer/README.md @@ -14,6 +14,21 @@ To generate the `patches.txt` file for your target library use the `ida_get_patchpoints.py` script for IDA Pro or `ghidra_get_patchpoints.java` for Ghidra. +The patches.txt file has to pointed to by `AFL_UNTRACER_FILE`. + +Example (after modfying afl-untracer.c to your needs, compiling and creating +patches.txt): +``` +AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer +``` + +To testing/debugging you can try: +``` +make DEBUG=1 +AFL_UNTRACER_FILE=./patches.txt AFL_DEBUG=1 gdb ./afl-untracer +``` +and then you can easily set breakpoints to "breakpoint" and "fuzz". + This idea is based on [UnTracer](https://github.com/FoRTE-Research/UnTracer-AFL) and modified by [Trapfuzz](https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz). This implementation is slower because the traps are not patched out with each diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index d319b530..ed1a8239 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -156,7 +156,7 @@ void read_library_information() { liblist[liblist_cnt].addr_end = strtoull(m, NULL, 16); if (debug) fprintf( - stderr, "%s:%x (%lx-%lx)\n", liblist[liblist_cnt].name, + stderr, "%s:%llx (%llx-%llx)\n", liblist[liblist_cnt].name, liblist[liblist_cnt].addr_end - liblist[liblist_cnt].addr_start, liblist[liblist_cnt].addr_start, liblist[liblist_cnt].addr_end - 1); @@ -276,6 +276,17 @@ library_list_t *find_library(char *name) { } +/* for having an easy breakpoint after load the shared library */ +// this seems to work for clang too. nice :) requires gcc 4.4+ +#pragma GCC push_options +#pragma GCC optimize ("O0") +void breakpoint() { + + if (debug) fprintf(stderr, "Breakpoint function \"breakpoint\" reached.\n"); + +} +#pragma GCC pop_options + /* Error reporting to forkserver controller */ void send_forkserver_error(int error) { @@ -433,10 +444,17 @@ static void __afl_end_testcase(int status) { } +#ifdef __aarch64__ +#define SHADOW(addr) \ + ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x7) * 0x10000000000)) +#else #define SHADOW(addr) \ ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ MEMORY_MAP_DECREMENT - \ ((uintptr_t)addr & 0x3) * 0x10000000000)) +#endif void setup_trap_instrumentation() { @@ -453,7 +471,11 @@ void setup_trap_instrumentation() { if (!patches) FATAL("Couldn't open AFL_UNTRACER_FILE file %s", filename); // Index into the coverage bitmap for the current trap instruction. - int bitmap_index = 0; +#ifdef __aarch64__ + uint64_t bitmap_index = 0; +#else + uint32_t bitmap_index = 0; +#endif while ((nread = getline(&line, &len, patches)) != -1) { @@ -486,7 +508,11 @@ void setup_trap_instrumentation() { FATAL("Failed to mprotect library %s writable", line); // Create shadow memory. +#ifdef __aarch64__ + for (int i = 0; i < 8; i++) { +#else for (int i = 0; i < 4; i++) { +#endif void *shadow_addr = SHADOW(lib_addr + i); void *shadow = mmap(shadow_addr, lib_size, PROT_READ | PROT_WRITE, @@ -513,12 +539,17 @@ void setup_trap_instrumentation() { if (bitmap_index >= __afl_map_size) FATAL("Too many basic blocks to instrument"); - uint32_t *shadow = SHADOW(lib_addr + offset); +#ifdef __arch64__ + uint64_t +#else + uint32_t +#endif + *shadow = SHADOW(lib_addr + offset); if (*shadow != 0) continue; // skip duplicates // Make lookup entry in shadow memory. -#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__)) +#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__) || defined(__i386__)) // this is for Intel x64 @@ -531,10 +562,24 @@ void setup_trap_instrumentation() { lib_addr, offset, lib_addr + offset, orig_byte, shadow, bitmap_index, *shadow); +#elif defined(__aarch64__) + + // this is for aarch64 + + uint32_t *patch_bytes = (uint32_t*)(lib_addr + offset); + uint32_t orig_bytes = *patch_bytes; + *shadow = (bitmap_index << 32) | orig_bytes; + *patch_bytes = 0xd4200000; // replace instruction with debug trap + if (debug) + fprintf(stderr, + "Patch entry: %p[%x] = %p = %02x -> SHADOW(%p) #%d -> %016x\n", + lib_addr, offset, lib_addr + offset, orig_bytes, shadow, + bitmap_index, *shadow); + #else // this will be ARM and AARCH64 // for ARM we will need to identify if the code is in thumb or ARM -#error "non x86_64 not supported yet" +#error "non x86_64/aarch64 not supported yet" //__arm__: // linux thumb: 0xde01 // linux arm: 0xe7f001f0 @@ -573,8 +618,15 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { ctx->uc_mcontext->__ss.__rip -= 1; addr = ctx->uc_mcontext->__ss.__rip; #elif defined(__linux__) - ctx->uc_mcontext.gregs[REG_RIP] -= 1; - addr = ctx->uc_mcontext.gregs[REG_RIP]; +#if defined(__x86_64__) || defined(__i386__) + ctx->uc_mcontext.mc_rip -= 1; + addr = ctx->uc_mcontext.mc_rip; +#elif defined(__aarch64__) + ctx->uc_mcontext.pc -= 4; + addr = ctx->uc_mcontext.pc; +#else +#error "Unsupported processor" +#endif #elif defined(__FreeBSD__) && defined(__LP64__) ctx->uc_mcontext.mc_rip -= 1; addr = ctx->uc_mcontext.mc_rip; @@ -642,6 +694,7 @@ int main(int argc, char *argv[]) { // END STEP 2 /* setup instrumentation, shared memory and forkserver */ + breakpoint(); read_library_information(); setup_trap_instrumentation(); __afl_map_shm(); -- cgit v1.2.3 From e910882e320f33f4413ba9c2dff537f885276bb5 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 May 2020 15:43:39 +0200 Subject: fix untracer --- examples/afl_untracer/afl-untracer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'examples') diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index ed1a8239..99f06f36 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -619,8 +619,8 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { addr = ctx->uc_mcontext->__ss.__rip; #elif defined(__linux__) #if defined(__x86_64__) || defined(__i386__) - ctx->uc_mcontext.mc_rip -= 1; - addr = ctx->uc_mcontext.mc_rip; + ctx->uc_mcontext.gregs[REG_RIP] -= 1; + addr = ctx->uc_mcontext.gregs[REG_RIP]; #elif defined(__aarch64__) ctx->uc_mcontext.pc -= 4; addr = ctx->uc_mcontext.pc; -- cgit v1.2.3 From 8cdf767bf589e3f709fda1d580b5899f046ae070 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 May 2020 15:57:38 +0200 Subject: doc update --- examples/afl_untracer/Makefile | 2 +- examples/afl_untracer/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'examples') diff --git a/examples/afl_untracer/Makefile b/examples/afl_untracer/Makefile index ad67e8bc..14a09b41 100644 --- a/examples/afl_untracer/Makefile +++ b/examples/afl_untracer/Makefile @@ -7,7 +7,7 @@ endif all: afl-untracer libtestinstr.so afl-untracer: afl-untracer.c - $(CC) $(OPT) -I../../include -g -o afl-untracer afl-untracer.c -ldl -pthread + $(CC) $(OPT) -I../../include -g -o afl-untracer afl-untracer.c -ldl libtestinstr.so: libtestinstr.c $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c diff --git a/examples/afl_untracer/README.md b/examples/afl_untracer/README.md index 8e24c2a4..0bd788f3 100644 --- a/examples/afl_untracer/README.md +++ b/examples/afl_untracer/README.md @@ -3,7 +3,7 @@ afl-untracer is an example skeleton file which can easily be used to fuzz a closed source library. -It requires less memory than qemu_mode however it is way +It requires less memory and is x3-5 faster than qemu_mode however it is way more course grained and does not provide interesting features like compcov or cmplog. -- cgit v1.2.3 From 01b5aa123df8200f6c071f6ee1f3c05722b12fee Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 May 2020 17:20:42 +0200 Subject: better README for untracer --- examples/afl_untracer/README.md | 32 ++++++++++++++++++++++++---- examples/afl_untracer/ida_get_patchpoints.py | 3 +++ 2 files changed, 31 insertions(+), 4 deletions(-) (limited to 'examples') diff --git a/examples/afl_untracer/README.md b/examples/afl_untracer/README.md index 0bd788f3..7d870c42 100644 --- a/examples/afl_untracer/README.md +++ b/examples/afl_untracer/README.md @@ -1,4 +1,6 @@ -# afl-untracer +# afl-untracer - fast fuzzing of binary-only libraries + +## Introduction afl-untracer is an example skeleton file which can easily be used to fuzz a closed source library. @@ -7,8 +9,17 @@ It requires less memory and is x3-5 faster than qemu_mode however it is way more course grained and does not provide interesting features like compcov or cmplog. -Read and modify afl-untracer.c then `make` and use it as the afl-fuzz target -(or even remote via afl-network-proxy). +Supported is so far Intel (i386/x86_64) and AARCH64. + +## How-to + +### Modify afl-untracer.c + +Read and modify afl-untracer.c then `make`. +To adapt afl-untracer.c to your need read the header of the file and then +search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations. + +### Generate patches.txt file To generate the `patches.txt` file for your target library use the `ida_get_patchpoints.py` script for IDA Pro or @@ -16,19 +27,32 @@ To generate the `patches.txt` file for your target library use the The patches.txt file has to pointed to by `AFL_UNTRACER_FILE`. +To easily run the scripts without needing to run the GUI with Ghidra: +``` +$ /opt/ghidra/support/analyzeHeadless /tmp/ tmp$$ -import libtestinstr.so -postscript ./ghidra_get_patchpoints.java +$ rm -rf /tmp/tmp$$ +``` + +### Fuzzing + Example (after modfying afl-untracer.c to your needs, compiling and creating patches.txt): ``` AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer ``` +(or even remote via afl-network-proxy). + +### Testing and debugging -To testing/debugging you can try: +For testing/debugging you can try: ``` make DEBUG=1 AFL_UNTRACER_FILE=./patches.txt AFL_DEBUG=1 gdb ./afl-untracer ``` and then you can easily set breakpoints to "breakpoint" and "fuzz". +# Background + This idea is based on [UnTracer](https://github.com/FoRTE-Research/UnTracer-AFL) and modified by [Trapfuzz](https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz). This implementation is slower because the traps are not patched out with each diff --git a/examples/afl_untracer/ida_get_patchpoints.py b/examples/afl_untracer/ida_get_patchpoints.py index c7e8f899..43cf6d89 100644 --- a/examples/afl_untracer/ida_get_patchpoints.py +++ b/examples/afl_untracer/ida_get_patchpoints.py @@ -57,3 +57,6 @@ with open(home + "/Desktop/patches.txt", "w") as f: f.write('\n') print("Done, found {} patchpoints".format(len(patchpoints))) + +# For headless script running remove the comment from the next line +#ida_pro.qexit() -- cgit v1.2.3 From 140053502bd5ce162ab7e6bfbb151494381d704c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 7 May 2020 08:08:20 +0200 Subject: import transform fix into autodict, code-format --- examples/afl_untracer/afl-untracer.c | 40 ++++++++++++++++++++---------------- 1 file changed, 22 insertions(+), 18 deletions(-) (limited to 'examples') diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index 99f06f36..5dbc71bf 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -279,12 +279,13 @@ library_list_t *find_library(char *name) { /* for having an easy breakpoint after load the shared library */ // this seems to work for clang too. nice :) requires gcc 4.4+ #pragma GCC push_options -#pragma GCC optimize ("O0") -void breakpoint() { +#pragma GCC optimize("O0") +void breakpoint() { if (debug) fprintf(stderr, "Breakpoint function \"breakpoint\" reached.\n"); } + #pragma GCC pop_options /* Error reporting to forkserver controller */ @@ -470,7 +471,7 @@ void setup_trap_instrumentation() { FILE *patches = fopen(filename, "r"); if (!patches) FATAL("Couldn't open AFL_UNTRACER_FILE file %s", filename); - // Index into the coverage bitmap for the current trap instruction. + // Index into the coverage bitmap for the current trap instruction. #ifdef __aarch64__ uint64_t bitmap_index = 0; #else @@ -507,11 +508,13 @@ void setup_trap_instrumentation() { PROT_READ | PROT_WRITE | PROT_EXEC) != 0) FATAL("Failed to mprotect library %s writable", line); - // Create shadow memory. + // Create shadow memory. #ifdef __aarch64__ for (int i = 0; i < 8; i++) { + #else for (int i = 0; i < 4; i++) { + #endif void *shadow_addr = SHADOW(lib_addr + i); @@ -540,16 +543,17 @@ void setup_trap_instrumentation() { FATAL("Too many basic blocks to instrument"); #ifdef __arch64__ - uint64_t + uint64_t #else - uint32_t + uint32_t #endif - *shadow = SHADOW(lib_addr + offset); + *shadow = SHADOW(lib_addr + offset); if (*shadow != 0) continue; // skip duplicates // Make lookup entry in shadow memory. -#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__) || defined(__i386__)) +#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__) || \ + defined(__i386__)) // this is for Intel x64 @@ -566,10 +570,10 @@ void setup_trap_instrumentation() { // this is for aarch64 - uint32_t *patch_bytes = (uint32_t*)(lib_addr + offset); - uint32_t orig_bytes = *patch_bytes; + uint32_t *patch_bytes = (uint32_t *)(lib_addr + offset); + uint32_t orig_bytes = *patch_bytes; *shadow = (bitmap_index << 32) | orig_bytes; - *patch_bytes = 0xd4200000; // replace instruction with debug trap + *patch_bytes = 0xd4200000; // replace instruction with debug trap if (debug) fprintf(stderr, "Patch entry: %p[%x] = %p = %02x -> SHADOW(%p) #%d -> %016x\n", @@ -577,14 +581,14 @@ void setup_trap_instrumentation() { bitmap_index, *shadow); #else - // this will be ARM and AARCH64 - // for ARM we will need to identify if the code is in thumb or ARM + // this will be ARM and AARCH64 + // for ARM we will need to identify if the code is in thumb or ARM #error "non x86_64/aarch64 not supported yet" - //__arm__: - // linux thumb: 0xde01 - // linux arm: 0xe7f001f0 - //__aarch64__: - // linux aarch64: 0xd4200000 + //__arm__: + // linux thumb: 0xde01 + // linux arm: 0xe7f001f0 + //__aarch64__: + // linux aarch64: 0xd4200000 #endif bitmap_index++; -- cgit v1.2.3 From 37b681ac11f62ccb41d13a146a319819af1c178d Mon Sep 17 00:00:00 2001 From: hexcoder Date: Thu, 7 May 2020 10:09:08 +0200 Subject: untracer README: one typo fixed --- examples/afl_untracer/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'examples') diff --git a/examples/afl_untracer/README.md b/examples/afl_untracer/README.md index 7d870c42..29234889 100644 --- a/examples/afl_untracer/README.md +++ b/examples/afl_untracer/README.md @@ -35,7 +35,7 @@ $ rm -rf /tmp/tmp$$ ### Fuzzing -Example (after modfying afl-untracer.c to your needs, compiling and creating +Example (after modifying afl-untracer.c to your needs, compiling and creating patches.txt): ``` AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer -- cgit v1.2.3 From 26f8708fede1b15e6a93709d0baa2e5f481e082d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 10 May 2020 11:35:31 +0200 Subject: fix warning, code format --- examples/afl_network_proxy/afl-network-client.c | 12 +++---- examples/afl_network_proxy/afl-network-server.c | 4 +-- examples/afl_proxy/afl-proxy.c | 2 +- examples/afl_untracer/afl-untracer.c | 42 ++++++++++++------------- 4 files changed, 30 insertions(+), 30 deletions(-) (limited to 'examples') diff --git a/examples/afl_network_proxy/afl-network-client.c b/examples/afl_network_proxy/afl-network-client.c index cf09b2ad..fca2a9f1 100644 --- a/examples/afl_network_proxy/afl-network-client.c +++ b/examples/afl_network_proxy/afl-network-client.c @@ -15,7 +15,7 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -42,7 +42,7 @@ #include #ifdef USE_DEFLATE -#include +# include #endif u8 *__afl_area_ptr; @@ -321,7 +321,7 @@ int main(int argc, char *argv[]) { // fprintf(stderr, "Sending testcase with len %u\n", *lenptr); #ifdef USE_DEFLATE -#ifdef COMPRESS_TESTCASES +# ifdef COMPRESS_TESTCASES // we only compress the testcase if it does not fit in the TCP packet if (*lenptr > 1500 - 20 - 32 - 4) { @@ -341,17 +341,17 @@ int main(int argc, char *argv[]) { } else { -#endif +# endif #endif if (send(s, buf, *lenptr + 4, 0) != *lenptr + 4) PFATAL("sending test data failed"); #ifdef USE_DEFLATE -#ifdef COMPRESS_TESTCASES +# ifdef COMPRESS_TESTCASES // fprintf(stderr, "unCOMPRESS (%u)\n", *lenptr); } -#endif +# endif #endif received = 0; diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c index 2de91cbd..7d97e2db 100644 --- a/examples/afl_network_proxy/afl-network-server.c +++ b/examples/afl_network_proxy/afl-network-server.c @@ -25,7 +25,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" @@ -62,7 +62,7 @@ #include #ifdef USE_DEFLATE -#include +# include struct libdeflate_compressor * compressor; struct libdeflate_decompressor *decompressor; #endif diff --git a/examples/afl_proxy/afl-proxy.c b/examples/afl_proxy/afl-proxy.c index 36121e17..46861008 100644 --- a/examples/afl_proxy/afl-proxy.c +++ b/examples/afl_proxy/afl-proxy.c @@ -24,7 +24,7 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index 5dbc71bf..cc614f67 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -34,7 +34,7 @@ #define _GNU_SOURCE #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -58,14 +58,14 @@ #include #if defined(__linux__) -#include +# include #elif defined(__APPLE__) && defined(__LP64__) -#include +# include #elif defined(__FreeBSD__) -#include -#include +# include +# include #else -#error "Unsupported platform" +# error "Unsupported platform" #endif #define MEMORY_MAP_DECREMENT 0x200000000000 @@ -446,15 +446,15 @@ static void __afl_end_testcase(int status) { } #ifdef __aarch64__ -#define SHADOW(addr) \ - ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x7) * 0x10000000000)) +# define SHADOW(addr) \ + ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x7) * 0x10000000000)) #else -#define SHADOW(addr) \ - ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x3) * 0x10000000000)) +# define SHADOW(addr) \ + ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x3) * 0x10000000000)) #endif void setup_trap_instrumentation() { @@ -583,7 +583,7 @@ void setup_trap_instrumentation() { #else // this will be ARM and AARCH64 // for ARM we will need to identify if the code is in thumb or ARM -#error "non x86_64/aarch64 not supported yet" +# error "non x86_64/aarch64 not supported yet" //__arm__: // linux thumb: 0xde01 // linux arm: 0xe7f001f0 @@ -622,20 +622,20 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { ctx->uc_mcontext->__ss.__rip -= 1; addr = ctx->uc_mcontext->__ss.__rip; #elif defined(__linux__) -#if defined(__x86_64__) || defined(__i386__) +# if defined(__x86_64__) || defined(__i386__) ctx->uc_mcontext.gregs[REG_RIP] -= 1; addr = ctx->uc_mcontext.gregs[REG_RIP]; -#elif defined(__aarch64__) +# elif defined(__aarch64__) ctx->uc_mcontext.pc -= 4; addr = ctx->uc_mcontext.pc; -#else -#error "Unsupported processor" -#endif +# else +# error "Unsupported processor" +# endif #elif defined(__FreeBSD__) && defined(__LP64__) ctx->uc_mcontext.mc_rip -= 1; addr = ctx->uc_mcontext.mc_rip; #else -#error "Unsupported platform" +# error "Unsupported platform" #endif // fprintf(stderr, "TRAP at context addr = %lx, fault addr = %lx\n", addr, -- cgit v1.2.3 From 30bfd44dfd9f442d5514a7100d76d1fd3d9deb74 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 10 May 2020 12:09:37 +0200 Subject: indenting preprocessor directives breaks compilation and cant be fixed, reverting ... :-( --- examples/afl_network_proxy/afl-network-client.c | 12 +++---- examples/afl_network_proxy/afl-network-server.c | 4 +-- examples/afl_proxy/afl-proxy.c | 2 +- examples/afl_untracer/afl-untracer.c | 42 ++++++++++++------------- 4 files changed, 30 insertions(+), 30 deletions(-) (limited to 'examples') diff --git a/examples/afl_network_proxy/afl-network-client.c b/examples/afl_network_proxy/afl-network-client.c index fca2a9f1..cf09b2ad 100644 --- a/examples/afl_network_proxy/afl-network-client.c +++ b/examples/afl_network_proxy/afl-network-client.c @@ -15,7 +15,7 @@ */ #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -42,7 +42,7 @@ #include #ifdef USE_DEFLATE -# include +#include #endif u8 *__afl_area_ptr; @@ -321,7 +321,7 @@ int main(int argc, char *argv[]) { // fprintf(stderr, "Sending testcase with len %u\n", *lenptr); #ifdef USE_DEFLATE -# ifdef COMPRESS_TESTCASES +#ifdef COMPRESS_TESTCASES // we only compress the testcase if it does not fit in the TCP packet if (*lenptr > 1500 - 20 - 32 - 4) { @@ -341,17 +341,17 @@ int main(int argc, char *argv[]) { } else { -# endif +#endif #endif if (send(s, buf, *lenptr + 4, 0) != *lenptr + 4) PFATAL("sending test data failed"); #ifdef USE_DEFLATE -# ifdef COMPRESS_TESTCASES +#ifdef COMPRESS_TESTCASES // fprintf(stderr, "unCOMPRESS (%u)\n", *lenptr); } -# endif +#endif #endif received = 0; diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c index 7d97e2db..2de91cbd 100644 --- a/examples/afl_network_proxy/afl-network-server.c +++ b/examples/afl_network_proxy/afl-network-server.c @@ -25,7 +25,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" @@ -62,7 +62,7 @@ #include #ifdef USE_DEFLATE -# include +#include struct libdeflate_compressor * compressor; struct libdeflate_decompressor *decompressor; #endif diff --git a/examples/afl_proxy/afl-proxy.c b/examples/afl_proxy/afl-proxy.c index 46861008..36121e17 100644 --- a/examples/afl_proxy/afl-proxy.c +++ b/examples/afl_proxy/afl-proxy.c @@ -24,7 +24,7 @@ */ #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index cc614f67..5dbc71bf 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -34,7 +34,7 @@ #define _GNU_SOURCE #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -58,14 +58,14 @@ #include #if defined(__linux__) -# include +#include #elif defined(__APPLE__) && defined(__LP64__) -# include +#include #elif defined(__FreeBSD__) -# include -# include +#include +#include #else -# error "Unsupported platform" +#error "Unsupported platform" #endif #define MEMORY_MAP_DECREMENT 0x200000000000 @@ -446,15 +446,15 @@ static void __afl_end_testcase(int status) { } #ifdef __aarch64__ -# define SHADOW(addr) \ - ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x7) * 0x10000000000)) +#define SHADOW(addr) \ + ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x7) * 0x10000000000)) #else -# define SHADOW(addr) \ - ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x3) * 0x10000000000)) +#define SHADOW(addr) \ + ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x3) * 0x10000000000)) #endif void setup_trap_instrumentation() { @@ -583,7 +583,7 @@ void setup_trap_instrumentation() { #else // this will be ARM and AARCH64 // for ARM we will need to identify if the code is in thumb or ARM -# error "non x86_64/aarch64 not supported yet" +#error "non x86_64/aarch64 not supported yet" //__arm__: // linux thumb: 0xde01 // linux arm: 0xe7f001f0 @@ -622,20 +622,20 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { ctx->uc_mcontext->__ss.__rip -= 1; addr = ctx->uc_mcontext->__ss.__rip; #elif defined(__linux__) -# if defined(__x86_64__) || defined(__i386__) +#if defined(__x86_64__) || defined(__i386__) ctx->uc_mcontext.gregs[REG_RIP] -= 1; addr = ctx->uc_mcontext.gregs[REG_RIP]; -# elif defined(__aarch64__) +#elif defined(__aarch64__) ctx->uc_mcontext.pc -= 4; addr = ctx->uc_mcontext.pc; -# else -# error "Unsupported processor" -# endif +#else +#error "Unsupported processor" +#endif #elif defined(__FreeBSD__) && defined(__LP64__) ctx->uc_mcontext.mc_rip -= 1; addr = ctx->uc_mcontext.mc_rip; #else -# error "Unsupported platform" +#error "Unsupported platform" #endif // fprintf(stderr, "TRAP at context addr = %lx, fault addr = %lx\n", addr, -- cgit v1.2.3 From 845522f59b3a040a6c8bc9ef20920802752edb03 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 11 May 2020 13:34:57 +0200 Subject: remove warnings --- examples/afl_network_proxy/afl-network-server.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'examples') diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c index 2de91cbd..59064b2c 100644 --- a/examples/afl_network_proxy/afl-network-server.c +++ b/examples/afl_network_proxy/afl-network-server.c @@ -142,6 +142,8 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, } + return ret; + } /* Handle Ctrl-C and the like. */ @@ -665,7 +667,7 @@ int main(int argc, char **argv_orig, char **envp) { while ((in_len = recv_testcase(s, (void **)&in_data, &max_len)) > 0) { // fprintf(stderr, "received %u\n", in_len); - run_target(fsrv, use_argv, in_data, in_len, 1); + (void)run_target(fsrv, use_argv, in_data, in_len, 1); memcpy(send_buf + 4, fsrv->trace_bits, fsrv->map_size); -- cgit v1.2.3 From 30a675ab875d2f9ef971324a154fb4f46cebc122 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 11 May 2020 14:40:42 +0200 Subject: silened warnings --- examples/afl_network_proxy/GNUmakefile | 2 ++ 1 file changed, 2 insertions(+) (limited to 'examples') diff --git a/examples/afl_network_proxy/GNUmakefile b/examples/afl_network_proxy/GNUmakefile index cf1cbad5..25a3df82 100644 --- a/examples/afl_network_proxy/GNUmakefile +++ b/examples/afl_network_proxy/GNUmakefile @@ -6,6 +6,8 @@ PROGRAMS = afl-network-client afl-network-server HASH=\# +CFLAGS += -Wno-pointer-sign + ifdef STATIC CFLAGS += -static endif -- cgit v1.2.3 From 38dac93f631356d6a1288931e01f9effec9c8c88 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 11 May 2020 22:44:44 +0200 Subject: fix typos --- examples/afl_untracer/README.md | 4 ++-- examples/afl_untracer/afl-untracer.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'examples') diff --git a/examples/afl_untracer/README.md b/examples/afl_untracer/README.md index 29234889..05fd8776 100644 --- a/examples/afl_untracer/README.md +++ b/examples/afl_untracer/README.md @@ -16,7 +16,7 @@ Supported is so far Intel (i386/x86_64) and AARCH64. ### Modify afl-untracer.c Read and modify afl-untracer.c then `make`. -To adapt afl-untracer.c to your need read the header of the file and then +To adapt afl-untracer.c to your needs, read the header of the file and then search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations. ### Generate patches.txt file @@ -25,7 +25,7 @@ To generate the `patches.txt` file for your target library use the `ida_get_patchpoints.py` script for IDA Pro or `ghidra_get_patchpoints.java` for Ghidra. -The patches.txt file has to pointed to by `AFL_UNTRACER_FILE`. +The patches.txt file has to be pointed to by `AFL_UNTRACER_FILE`. To easily run the scripts without needing to run the GUI with Ghidra: ``` diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index 5dbc71bf..af16a6bf 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -276,7 +276,7 @@ library_list_t *find_library(char *name) { } -/* for having an easy breakpoint after load the shared library */ +/* for having an easy breakpoint location after loading the shared library */ // this seems to work for clang too. nice :) requires gcc 4.4+ #pragma GCC push_options #pragma GCC optimize("O0") -- cgit v1.2.3