vusec / vuzzer64

This implements a 64-bit version of vusec/vuzzer fuzzing tool.
Apache License 2.0

How to use libdft from vuzzer64 to get the relation of input bytes and branch under execution? #26

Closed Ricardo-609 closed 1 year ago

Ricardo-609 commented 2 years ago

What should I do if I want to use libdft from vuzzer64 to get the relation between input bytes and the branches taken during execution? Can anyone help me?

tosanjay commented 2 years ago

It is easy if you are just interested in knowing which input bytes affect your target branch: when you run your application with VUzzer (internally with the libdft pintool), it creates a file called cmp.log. This file contains info for each cmp instruction executed by the application on that input. IMP: you can directly execute this pintool outside of VUzzer and get the cmp.log file (in some of the issues, I explained how to do that; just search).

Ricardo-609 commented 2 years ago

Hi, tosanjay. I'm not sure whether you mean https://github.com/vusec/vuzzer64/issues/9#issuecomment-474956390. Following the instructions there, I can't find cmp.log; it only generates three files: cmp.out, lea.out and pintool.log.

I'm not sure how to use the command parameter -filename $2. Is it the input to be tainted? I use the file named in, but the program still needs input to be typed manually. And both lea.out and cmp.out are empty when using ./in. Hope to hear your answer. Thanks.

tosanjay commented 2 years ago

Yes, it is cmp.out, sorry. If they are empty it means Pin did not run on your binary (yes, issue #9 is the one). From the command line, I can see that you are running ./hw with no parameter. How do you run hw normally? You have to use the same command line here, with the input_file placeholder as %s. If you are used to AFL, you use @@ for the same purpose.

Ricardo-609 commented 2 years ago

Thanks, @tosanjay. I have successfully generated cmp.out like below.

64 mem reg 0x00007f336ff4cc58 {} {} {} {} {} {} {} {} {0} {1} {2} {3} {4} {5} {6} {7} 0x10102464c457f 0x3010102464c457f 
64 mem reg 0x00007f336ff4cfb8 {} {} {} {} {} {} {} {} {0} {1} {2} {3} {4} {5} {6} {7} 0x3010102464c457f 0x3010102464c457f 
32 mem reg 0x00007f336ff4cc77 {9} {10} {11} {12} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0 
16 mem reg 0x00007f336ff4ccd7 {13} {14} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0 
8 mem reg 0x00007f336ff4cce4 {15} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0 

But I can't understand the meaning of each column of cmp.out. Can you explain in detail the meaning of the two output lines 64 mem reg 0x00007f336ff4cfb8 {} {} {} {} {} {} {} {} {0} {1} {2} {3} {4} {5} {6} {7} 0x3010102464c457f 0x3010102464c457f and 16 mem reg 0x00007f336ff4ccd7 {13} {14} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0? And what type of file should I choose for -filename?

Thanks again!

tosanjay commented 2 years ago

You need to provide the required options to run a tool in a particular way, thus the -filename option is needed (this is how it is designed).

Each line of cmp.out tells: operation size, 1st operand type, 2nd operand type, address of the cmp instruction, {taint bytes} affecting each of the 8 bytes of the 1st operand, {taint bytes} affecting each of the 8 bytes of the 2nd operand, concrete value of the 1st operand, concrete value of the 2nd operand.
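As an added illustration (not code from the vuzzer64 repository or from either participant), here is a small Python parser for cmp.out lines in the layout tosanjay describes, run over the four lines quoted earlier in this thread as constructed sample input. It answers the original question directly: for each cmp instruction, which input byte offsets reach either operand, and, inversely, which cmp instructions a given input byte influences. Two things are my assumptions, not confirmed by the thread: that a taint set holding several offsets is printed comma-separated inside the braces, and that the concrete operand values are little-endian integers of `size` bits (on x86-64 that is how an operand read from memory or a register is laid out, and it is what makes the first value decode to the ELF magic). The `magic_byte_hints` function is my own illustration of how a taint line can be turned into a byte suggestion; it is not VUzzer's algorithm.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the four cmp.out lines quoted in this thread,
# one field per whitespace-separated token, in the order tosanjay lists.
SAMPLE_CMP_OUT = """\
64 mem reg 0x00007f336ff4cc58 {} {} {} {} {} {} {} {} {0} {1} {2} {3} {4} {5} {6} {7} 0x10102464c457f 0x3010102464c457f
32 mem reg 0x00007f336ff4cc77 {9} {10} {11} {12} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0
16 mem reg 0x00007f336ff4ccd7 {13} {14} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0
8 mem reg 0x00007f336ff4cce4 {15} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 0x0 0x0
"""

BRACE_RE = re.compile(r"\{([^}]*)\}")


@dataclass
class CmpRecord:
    size: int          # operand size in bits (8/16/32/64)
    op1_type: str      # operand kind as printed, e.g. "mem" or "reg"
    op2_type: str
    address: int       # address of the cmp instruction
    op1_taint: list    # 8 sets of input-byte offsets, one per byte of operand 1
    op2_taint: list    # same for operand 2
    op1_value: int     # concrete operand values at the time of the cmp
    op2_value: int


def _parse_taint_set(text):
    # ASSUMPTION: several offsets inside one {...} are comma-separated.
    return {int(x) for x in re.split(r"[,\s]+", text.strip()) if x}


def parse_line(line):
    tokens = line.split()
    groups = BRACE_RE.findall(line)
    if len(groups) != 16:
        raise ValueError(f"expected 16 taint sets, got {len(groups)}: {line!r}")
    taints = [_parse_taint_set(g) for g in groups]
    return CmpRecord(
        size=int(tokens[0]),
        op1_type=tokens[1],
        op2_type=tokens[2],
        address=int(tokens[3], 16),
        op1_taint=taints[:8],
        op2_taint=taints[8:],
        op1_value=int(tokens[-2], 16),
        op2_value=int(tokens[-1], 16),
    )


def parse_cmp_out(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def input_bytes_per_cmp(records):
    """Map each cmp address to the sorted input offsets reaching either operand."""
    out = {}
    for r in records:
        out.setdefault(r.address, set()).update(set().union(*r.op1_taint, *r.op2_taint))
    return {addr: sorted(offs) for addr, offs in out.items()}


def cmps_for_offset(records, offset):
    """Inverse view: which cmp instructions does input byte `offset` influence?"""
    return sorted({r.address for r in records
                   if any(offset in t for t in r.op1_taint + r.op2_taint)})


def operand_bytes(value, size):
    # ASSUMPTION: the printed value is the operand read as a little-endian integer.
    return (value & ((1 << size) - 1)).to_bytes(size // 8, "little")


def magic_byte_hints(rec):
    """For each operand byte that differs and is tainted on exactly one side,
    suggest setting the input offsets behind it to the other side's byte.
    Illustrative inference only, not VUzzer's own strategy."""
    b1 = operand_bytes(rec.op1_value, rec.size)
    b2 = operand_bytes(rec.op2_value, rec.size)
    hints = {}
    for i in range(rec.size // 8):
        if b1[i] == b2[i]:
            continue
        t1, t2 = rec.op1_taint[i], rec.op2_taint[i]
        if t2 and not t1:
            hints.update({off: b1[i] for off in t2})
        elif t1 and not t2:
            hints.update({off: b2[i] for off in t1})
    return hints


if __name__ == "__main__":
    recs = parse_cmp_out(SAMPLE_CMP_OUT)
    for addr, offs in input_bytes_per_cmp(recs).items():
        print(f"cmp @ {addr:#x} depends on input offsets {offs}")
    print("hints for first cmp:", magic_byte_hints(recs[0]))
```

On the sample, the first line decodes to operand 1 = `7f 45 4c 46 02 01 01 00` and operand 2 = `7f 45 4c 46 02 01 01 03`; only the last byte differs, and it is tainted by input offset 7, so the hint is to set byte 7 of the input to 0x00 to make that compare succeed. The three shorter compares have both operands equal to zero, so no hint is produced for them.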