Created
October 26, 2020 01:14
-
-
Save moyix/717beccb95c77cb6ddf2e50593b3f600 to your computer and use it in GitHub Desktop.
Recover edge information from afl-showmap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If you have a list of edge hashes produced by AFL (e.g. from something like this): | |
| ./afl-showmap -o foo.edges -t 500 -q -e -- ./program arg1 | |
| Re-run the program using gdb to trace the sequence of block IDs: | |
| ./collect_coverage.sh trace.txt ./program arg1 | |
| Print edges in the trace: | |
| python tracehash.py foo.edges trace.txt | |
| Sample output: | |
| 51839 0x0 -> 0x8049e2d found? True | |
| 11284 0x8049e2d -> 0x819eecd found? True | |
| 6453 0x819eecd -> 0x819ef49 found? True | |
| 30868 0x819ef49 -> 0x819ef99 found? True | |
| 14108 0x819ef99 -> 0x819efcd found? True | |
| [...] | |
| 20581 0x804b725 -> 0x804bb59 found? True | |
| 54125 0x804bb59 -> 0x804bbd1 found? True | |
| 13282 0x804bbd1 -> 0x804bc19 found? True | |
| Collision on block 6160: 2 edges | |
| Collision on block 42150: 2 edges | |
| Collision on block 51564: 2 edges | |
| Collision on block 59275: 2 edges | |
| Collision on block 53047: 2 edges | |
| Collision on block 10033: 2 edges | |
| Collision on block 62044: 2 edges |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| logname=$1 | |
| shift | |
| scriptfile=$(mktemp) | |
| outfile=$(mktemp) | |
| cat > $scriptfile <<EOF | |
| break __afl_maybe_log | |
| commands 1 | |
| printf "BLOCK %d %x\\n", \$ecx, *(unsigned int *)\$esp | |
| c | |
| end | |
| set pagination off | |
| set logging file $outfile | |
| set logging redirect on | |
| set logging on | |
| run | |
| quit | |
| EOF | |
| gdb -batch-silent -x $scriptfile --args "$@" | |
| grep BLOCK "$outfile" > "$logname" | |
| rm -f "$scriptfile" | |
| rm -f "$outfile" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys | |
| from collections import defaultdict | |
| edgefile = sys.argv[1] | |
| tracefile = sys.argv[2] | |
| edges = [] | |
| for line in open(edgefile): | |
| edges.append(int(line.split(':')[0])) | |
| edges = set(edges) | |
| coll_map = defaultdict(set) | |
| prev_id = 0 | |
| prev_addr = 0 | |
| for line in open(tracefile): | |
| _, blockid, addr = line.strip().split() | |
| blockid = int(blockid) | |
| addr = int(addr,16) | |
| edgehash = (prev_id >> 1) ^ blockid | |
| print("%d %#x -> %#x found? %s" % (edgehash, prev_addr, addr, edgehash in edges)) | |
| coll_map[edgehash].add( (prev_addr, addr) ) | |
| prev_id = blockid | |
| prev_addr = addr | |
| for k in coll_map: | |
| if len(coll_map[k]) > 1: | |
| print("Collision on block %d: %d edges" % (k, len(coll_map[k]))) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment