Closed Ricardo-609 closed 1 year ago
It is easy if you are just interested in knowing which input bytes affect your target branch: when you run your application with VUzzer (internally with the libdft pintool), it creates a file called cmp.log. This file contains info for each cmp instruction executed by the application on that input. IMP: you can directly execute this pintool outside of VUzzer and get the cmp.log file (in some of the issues, I explained how to do that; just search).
Hi @tosanjay. I'm not sure whether what you said is https://github.com/vusec/vuzzer64/issues/9#issuecomment-474956390. Following those instructions, I can't find cmp.log; it only generates three files: cmp.out, lea.out and pintool.log.
I'm not sure how to use the command parameter -filename $2. Is it the input to taint? I use the file named in, but it still needs manual input, and both lea.out and cmp.out are empty when I use ./in.
Hope to hear your answer. Thanks.
Yes, it is cmp.out, sorry. If they are empty it means pin did not run on your binary (yes, issue #9 is the one). From the command line, I can see that you are running ./hw with no parameter. How do you run hw normally? You have to use the same command line here, with the input_file placeholder as %s. If you are used to AFL, you use @@ for the same purpose.
Thanks, @tosanjay. I have successfully generated cmp.out like below.
64 mem reg 0x00007f336ff4cc58 {} {} {} {} {} {} {} {} {0} {1} {2} {3} {4} {5} {6} {7} 0x10102464c457f 0x3010102464c457f
64 mem reg 0x00007f336ff4cfb8 {} {} {} {} {} {} {} {} {0} {1} {2} {3} {4} {5} {6} {7} 0x3010102464c457f 0x3010102464c457f
32 mem reg 0x00007f336ff4cc77 {9} {10} {11} {12} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0
16 mem reg 0x00007f336ff4ccd7 {13} {14} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0
8 mem reg 0x00007f336ff4cce4 {15} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0
But I can't understand the meaning of each column of cmp.out. Can you explain in detail the meaning of the two outputs 64 mem reg 0x00007f336ff4cfb8 {} {} {} {} {} {} {} {} {0} {1} {2} {3} {4} {5} {6} {7} 0x3010102464c457f 0x3010102464c457f
and 16 mem reg 0x00007f336ff4ccd7 {13} {14} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0 ?
And what type of file should I choose for -filename?
Thanks again!
You need to provide the required option to run a tool in a particular way, thus the -filename option is needed (this is how it is designed).
Each line of cmp.out tells: operation size, 1st operand type, 2nd operand type, address of the cmp instruction, {taint bytes} affecting the 8 bytes of the 1st operand, {taint bytes} affecting the 8 bytes of the 2nd operand, concrete value of the 1st operand, concrete value of the 2nd operand.
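As an added worked example (not code from this thread or from the VUzzer project), the following Python parses cmp.out lines in the column layout just described and answers the original question: which input byte offsets reach which cmp instruction, and which of those cmps check tainted bytes against a fixed value. The sample input is the five records posted earlier in the thread. Accepting comma- or space-separated offsets inside a brace set is a defensive assumption on my part; the posted lines only ever show empty or single-entry sets.

```python
"""Parse VUzzer/libdft cmp.out records and map cmp instructions to input-byte offsets.

Column layout (from the explanation above): operation size in bits, 1st operand
type, 2nd operand type, address of the cmp, eight {taint} sets for the bytes of
operand 1, eight {taint} sets for the bytes of operand 2, then the concrete
values of operand 1 and operand 2.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five records posted earlier in this thread, used here as sample input.
SAMPLE_CMP_OUT = """\
64 mem reg 0x00007f336ff4cc58 {} {} {} {} {} {} {} {} {0} {1} {2} {3} {4} {5} {6} {7} 0x10102464c457f 0x3010102464c457f
64 mem reg 0x00007f336ff4cfb8 {} {} {} {} {} {} {} {} {0} {1} {2} {3} {4} {5} {6} {7} 0x3010102464c457f 0x3010102464c457f
32 mem reg 0x00007f336ff4cc77 {9} {10} {11} {12} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0
16 mem reg 0x00007f336ff4ccd7 {13} {14} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0
8 mem reg 0x00007f336ff4cce4 {15} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0
"""

_SET_RE = re.compile(r"\{([^}]*)\}")


@dataclass
class CmpRecord:
    size_bits: int              # operand width: 8, 16, 32 or 64
    op1_type: str               # e.g. "mem" or "reg"
    op2_type: str
    addr: int                   # address of the cmp instruction
    op1_taint: List[List[int]]  # input offsets tainting each of the 8 bytes of operand 1
    op2_taint: List[List[int]]  # same for operand 2
    val1: int                   # concrete value of operand 1
    val2: int                   # concrete value of operand 2

    @property
    def op1_offsets(self) -> List[int]:
        """All input offsets that influence operand 1 (union over its bytes)."""
        return sorted({o for byte in self.op1_taint for o in byte})

    @property
    def op2_offsets(self) -> List[int]:
        return sorted({o for byte in self.op2_taint for o in byte})


def _parse_set(body: str) -> List[int]:
    # "{}" -> [], "{13}" -> [13]. Accepting comma/space separated entries is a
    # defensive assumption; the posted lines only show empty or single-entry sets.
    return [int(tok) for tok in re.split(r"[,\s]+", body.strip()) if tok]


def parse_line(line: str) -> CmpRecord:
    sets = [_parse_set(body) for body in _SET_RE.findall(line)]
    if len(sets) != 16:
        raise ValueError(f"expected 16 taint sets, found {len(sets)}: {line!r}")
    # Everything outside the braces: size, type1, type2, addr, val1, val2.
    rest = _SET_RE.sub(" ", line).split()
    if len(rest) != 6:
        raise ValueError(f"expected 6 non-set fields, found {len(rest)}: {line!r}")
    size, t1, t2, addr, v1, v2 = rest
    return CmpRecord(int(size), t1, t2, int(addr, 16),
                     sets[:8], sets[8:], int(v1, 16), int(v2, 16))


def parse_cmp_out(text: str) -> List[CmpRecord]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def input_bytes_per_cmp(records: List[CmpRecord]) -> Dict[int, List[int]]:
    """cmp address -> sorted input offsets that reach either operand.

    The same address can appear several times (loops, repeated calls), so
    offsets are accumulated per address.
    """
    by_addr: Dict[int, set] = {}
    for r in records:
        by_addr.setdefault(r.addr, set()).update(r.op1_offsets, r.op2_offsets)
    return {a: sorted(s) for a, s in by_addr.items()}


def all_tainted_offsets(records: List[CmpRecord]) -> List[int]:
    """Every input offset that influences at least one cmp in this run."""
    return sorted({o for r in records for o in r.op1_offsets + r.op2_offsets})


def tainted_vs_constant(records: List[CmpRecord]) -> List[Tuple[int, List[int], int]]:
    """(addr, tainted offsets, concrete value of the untainted operand) for every
    cmp where exactly one side depends on the input, i.e. the cases where
    input bytes are being checked against a fixed value."""
    out = []
    for r in records:
        o1, o2 = r.op1_offsets, r.op2_offsets
        if o1 and not o2:
            out.append((r.addr, o1, r.val2))
        elif o2 and not o1:
            out.append((r.addr, o2, r.val1))
    return out


if __name__ == "__main__":
    recs = parse_cmp_out(SAMPLE_CMP_OUT)
    for addr, offs in input_bytes_per_cmp(recs).items():
        print(f"cmp @ {addr:#x} depends on input bytes {offs}")
    for addr, offs, const in tainted_vs_constant(recs):
        print(f"cmp @ {addr:#x}: input bytes {offs} compared against {const:#x}")
    print("input bytes reaching any cmp:", all_tainted_offsets(recs))
```

Two things the sample already illustrates: for the 32-, 16- and 8-bit compares only the first 4, 2 or 1 byte sets of each operand carry taint and the trailing sets are empty, so taking the union over all eight sets is harmless; and input byte 8 appears in no record, meaning that on this run no cmp depended on it.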
What should I do if I want to use libdft from vuzzer64 to get the relation between input bytes and the branches taken during execution? Can anyone help me?