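#!/bin/sh
# Patcher for dynamically linked library
# Copyright (C) 2025 Nguyễn Gia Phong
#
# This file is part of taosc.
#
# Taosc is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Taosc is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with taosc.  If not, see <https://www.gnu.org/licenses/>.

# Usage: taosc-fix-lib executable library address workdir option...
#
# Positional arguments:
#   executable  binary that loads the library under test
#   library     shared library to instrument and patch
#   address     instruction address inside the library, passed to e9tool -M addr=
#   workdir     directory that receives every generated artifact
#   option...   extra arguments handed verbatim to the fuzzee and to the
#               collecting build; afl-fuzz's @@ marks the input file position
#
# Tools expected on PATH: afl-dyninst, afl-dyninst-env, afl-fuzz, e9tool,
# parallel (GNU), realpath, taosc-synth, taosc-scout.  DATA_DIR is expanded
# by m4 at build time (see the modeline at the end of the file).
#
# The script targets POSIX sh: the bash-only pushd/popd and "${@:5}" are
# replaced by cd and shift so that a dash /bin/sh can run it unchanged.

set -ex

if test $# -lt 4
then
  printf 'Usage: taosc-fix-lib executable library address workdir option...\n' >&2
  exit 1
fi

# "--" stops realpath/basename from treating a leading "-" as an option.
binary="$(realpath -- "$1")"
library="$(realpath -- "$2")"
lib="$(basename -- "$library")"
address="$3"
wd="$(realpath -- "$4")"
bin="$wd/$(basename -- "$binary")"
# Everything after the fourth argument is a fuzzee option; keeping them in
# "$@" preserves each option as one word even if it contains spaces.
shift 4

afl-dyninst --library="$library" -x "$binary" "$bin.fuzzee"

# e9tool's patch sources live in the installed data directory; return to the
# caller's directory on every exit path.
start_dir="$PWD"
cd "DATA_DIR"
trap 'cd "$start_dir"' EXIT

mkdir -p "$wd/collect"
e9tool -M false -P 'log(state)@collect' -o "$bin.collect" "$binary"
e9tool -M "addr=$address" -P 'log(state)@collect' \
  -o "$wd/collect/$lib" --shared "$library"

mkdir -p "$wd/patched"
e9tool -M "addr=$address" -P 'if dest(state)@patch goto' \
  -o "$wd/patched/$lib" --shared "$library"

# TODO: augment number of executions
afl-dyninst-env afl-fuzz -i "$wd/fuzz/exploits" -o "$wd/fuzz/crashes" \
  -CE 10000 -- "$bin.fuzzee" "$@" @@

# TODO: use patchelf
# Replay every crash against the collecting build.  Crash inputs make the
# collector exit non-zero by design, so parallel's aggregate status is
# ignored instead of aborting the script under set -e.  The crash file names
# are NUL-delimited so unusual characters in them cannot split a path; the
# output directory is created up front in case the collector does not.
mkdir -p "$wd/vars/neg"
find "$wd/fuzz/crashes/default/crashes" -name 'id:*' -print0 \
  | parallel -0 \
      LD_LIBRARY_PATH="$wd/collect" TAOSC_OUTPUT="$wd/vars/neg/"'$(basename {})' \
      "$bin.collect" "$@" {} || true

taosc-synth "$wd/vars" > "$wd/predicates"
taosc-scout "$library" "$address" > "$wd/destinations"

# vim: filetype=sh.m4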