RUB-SysSec / ijon-data


Cannot find new paths in fuzzing Super_Mario_Bro with IJON #3

Open DanielGuoVT opened 4 years ago

DanielGuoVT commented 4 years ago

Hi there,

I tried IJON to fuzz the provided SMB code with the given seed. It runs fine, but after some time, I still cannot see any new seeds generated.

By reading the source code, the input seems to be a character from STDIN_FILENO; and the controller button states are associated with boolean values computed from the character.

I used the afl.sh under the SuperMarioBros-C directory to start IJON and compile the source code by afl-clang-fast of IJON.

Are there any missing points that may cause this unusual result?

Thanks, Daniel.

eqv commented 4 years ago

Did you use build.sh to build?

DanielGuoVT commented 4 years ago

Yes.


DanielGuoVT commented 4 years ago

Did you use build.sh to build?

I only modified "AFL_INST_RATIO=1" in the build.sh since AFL reports no instrumentation if AFL_INST_RATIO is set to 1.

eqv commented 4 years ago

If you want to use the IJON_MAX(player_x) annotation, I'd recommend not to enable AFL Instrumentation, as this will massively increase the performance. If you didn't enable the max annotation, AFL will not be very good at solving any level (usually taking at least a few hours)...

DanielGuoVT commented 4 years ago

Got it. I merely set the AFL_INST_RATIO to 2 to avoid the "no instrumentation" problem at the dry run stage of the IJON AFL. Also, the _USE_IJON option is enabled for IJON_MAX. Still, there is only one path from the original seed, and the ijon_max directory under the workdir is empty. How to know IJON successfully solves an SMB level?

eqv commented 4 years ago

If the ijon_max dir is empty then it's most certainly not using the IJON_MAX annotation for some reason. If you run without AFL ui (AFL_NO_UI) you should see "updated maxmap" every now and then, particularly in the beginning, that should show up every few seconds. If the level was successfully solved (you can take the expected times for the different levels from the paper), it triggers a crash.
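As an added illustration (not IJON's own code and not from this thread) of why an empty ijon_max directory means the annotation never produced a new maximum: a minimal C model of the max-map that IJON_MAX feeds, replayed over a constructed trace of values. Slot count, value width and map layout are assumptions, not IJON's real layout.

```c
/* Added example, not IJON's code: a minimal model of the max-map that
 * IJON_MAX(x) feeds. Per annotation slot the largest value seen so far is
 * kept; only a new maximum counts as "updated maxmap" and is what yields a
 * seed under ijon_max/. Slot count and widths are simplifications. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAXMAP_SIZE 512          /* assumed slot count */

static uint64_t maxmap[MAXMAP_SIZE];

/* Record val for slot; return 1 only when it beats the stored maximum. */
int ijon_max_model(uint32_t slot, uint64_t val) {
    uint32_t idx = slot % MAXMAP_SIZE;
    if (val > maxmap[idx]) {
        maxmap[idx] = val;
        return 1;                /* the fuzzer would log "updated maxmap" */
    }
    return 0;
}

void ijon_max_model_reset(void) { memset(maxmap, 0, sizeof maxmap); }

/* Replay the values an annotated game loop would pass for one slot and
 * count how many "updated maxmap" events they would produce. */
int count_updates(uint32_t slot, const uint64_t *trace, size_t n) {
    int updates = 0;
    for (size_t i = 0; i < n; i++)
        updates += ijon_max_model(slot, trace[i]);
    return updates;
}

int main(void) {
    /* Constructed trace shaped like a player_x value: progress, a plateau,
     * a short step back, then a new high. */
    const uint64_t trace[] = {40, 40, 41, 41, 42, 44, 45, 46, 47, 47, 46, 45, 48};
    ijon_max_model_reset();
    int n = count_updates(0, trace, sizeof trace / sizeof trace[0]);
    printf("updates: %d\n", n);   /* prints 8 */
    /* A second replay of the same trace produces no updates: the seeds it
     * would have saved already exist, so ijon_max/ gains nothing new. */
    printf("replay: %d\n", count_updates(0, trace, sizeof trace / sizeof trace[0]));
    return 0;
}
```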

DanielGuoVT commented 4 years ago

Hi, I enabled the _USE_IJON option and ijon_max is surely invoked in the binary. Running AFL with AFL_NO_UI did not bring out any "updated maxmap" information but only a repeated "scheduled normal input" message. The fuzzing command is: /root/smb/ijon/afl-fuzz -S ijon_afl_2 -m 200 -t 250 -i indir -o ./workdir_ijon -- ./build/smbc_ijon 1

eqv commented 4 years ago

That sounds super weird... No idea then. I know that this release is working for a few other people...

DanielGuoVT commented 4 years ago

Thanks... Btw, do you use afl-gcc or afl-clang-fast with llvm6.0 to compile the smb code in experiments? I used the latter.


eqv commented 4 years ago

All of the ijon stuff only works with afl-clang-fast. I would probably recommend to printf debug the values that are being passed to the ijon_max and see if the game is actually running at all.

DanielGuoVT commented 4 years ago

I tried the standalone version by running "./smbc_ijon 0", and kept pressing "enter" until "done mainLoop" appears. The ijon_max invocation seems usual, and following is the printf output: ...... ijon_max: 10,191 ijon_max: 10,194 ijon_max: 11,196 ijon_max: 11,199 ijon_max: 11,201 ijon_max: 11,204 ijon_max: 11,206 ijon_max: 11,209 ijon_max: 11,211 ijon_max: 11,214 ijon_max: 11,216

ijon_max: 10,219 ijon_max: 10,221 ijon_max: 10,224 ijon_max: 9,226 ijon_max: 9,229 ijon_max: 9,231 ijon_max: 9,234 ijon_max: 8,236 ijon_max: 8,239 ijon_max: 8,241 ijon_max: 8,243

ijon_max: 7,242 ijon_max: 7,242 ijon_max: 7,242 ijon_max: 7,242 ijon_max: 7,242 ijon_max: 7,242 done mainLoop root@8428a69f9ac4:~/smb/SuperMarioBros-C/build#

However, if I press any other key (e.g., number 8), it quickly goes to a segmentation fault as follows: ...... ijon_max: 0,0 ijon_max: 11,40 ijon_max: 11,40 ijon_max: 11,40 ijon_max: 11,40 ijon_max: 11,40 ijon_max: 11,40 ijon_max: 11,40 ijon_max: 11,41 ijon_max: 11,41 ijon_max: 11,41 ijon_max: 11,42 ijon_max: 11,42 ijon_max: 11,43 ijon_max: 11,44 ijon_max: 11,44 ijon_max: 11,45 ijon_max: 10,46 ijon_max: 10,47 ijon_max: 10,48 ijon_max: 10,49 ijon_max: 9,50 ijon_max: 9,51 ijon_max: 9,52 ijon_max: 9,53 ijon_max: 9,54 ijon_max: 8,55 ijon_max: 8,56 ijon_max: 8,57 ijon_max: 8,58 ijon_max: 8,60 ijon_max: 8,61 ijon_max: 7,62 ijon_max: 7,64 Segmentation fault (core dumped) root@8428a69f9ac4:~/smb/SuperMarioBros-C/build#

eqv commented 4 years ago

Weird... that's not expected behavior... I need to look into this, might be the same as issue #1

DanielGuoVT commented 4 years ago

Hi there, I've spent several days on this issue but still cannot fix it. Did you get any new findings?

Weird... that's not expected behavior... I need to look into this, might be the same as issue #1

eqv commented 4 years ago

Should be fixed in c75433e1ce5252363803c2a9a221ee99808f796f, please confirm & close