Scepticz
commented
1 year ago Hi YSaxon,
Fuzzing a return value
for fuzzing the return value, you should be able to use the native.get_fuzz function in python, cast the bytes to an int, write them to r0 and configure the handler to return. To create a handler in a python file in the directory which contains the config, you can use the PYTHONPATH env variable targeting the directory and then create a simple myhandlers.py containing a function which you can then target via handler: myhandlers.myhook.
These files look something like this (I have not tested these exact ones but have used the PYTHONPATH once lately)
myhandlers.py
from fuzzware_harness.native import get_fuzz
def handle(uc):
b = get_fuzz(4)
retval = struct.unpack("<I", b)
uc.regs.r0 = retvalconfig.yml
handlers:
myhandler:
addr: 0xdeadbeef
do_return: true
handler: myhandlers.handlerun.sh
export PYTHONPATH=$(pwd)
fuzzware emu -c config.yml <my_input>In case you get this to work, another documentation entry would be great to have here.
Readable ASM
That sounds like a reasonable thing to implement. Feel free to create a pull request. :-)
Tobi
Two suggestions for handlers:
Fuzz Return: Sometimes it would be nice to fuzz the return value of a function instead of replacing it with a static value. I've prototyped this with the inline asm
native.inline_asm_024900bfd1f800007047efbe0040which returns the value of 0x4000beef (a made up peripheral address), but I suspect there may be better ways to do this.Readable ASM: Rather than specify inline_asm through hex values, it would be nice to have an option to write it out in readable form, and have it assembled, so as to make the config files more readable. This should be pretty easy with the keystone library. Something like
as compared to
in
emulator/harness/fuzzware_harness/user_hooks/__init__.pyshould work