Skip to content

Instantly share code, notes, and snippets.

View stevenjohnstone's full-sized avatar

Steven Johnstone stevenjohnstone

  • Smarter Grid Solutions
  • Glasgow
View GitHub Profile
// https://roadrunnerwmc.github.io/blog/2020/05/08/nsmb-rng.html takes about 10 seconds to find
// a fixed point for the random number generator
#include <assert.h>
#include <stdio.h>
#include <stdint.h>
uint32_t rand_nsmb(uint32_t *state) {
uint64_t value = (uint64_t)(*state) * 1664525 + 1013904223;
return *state = value + (value >> 32);
(set-logic QF_BV)
; Quicker way to find fixpoints in the rng discussed in
; https://roadrunnerwmc.github.io/blog/2020/05/08/nsmb-rng.html .
;
; On my machine (AMD Ryzen 5 3550H with 8G RAM), running this with z3
; finds a fixedpoint in about 80 seconds
; Here's the code we'll be modelling:
;
@stevenjohnstone
stevenjohnstone / antifuzz.go
Created January 27, 2021 22:11
Demonstration of issues with using gofuzz (no-hypen) with go-fuzz (has a hypen)
// +build gofuzz
// Package antifuzz shows how gofuzz transformation of inputs breaks coverage guidance.
//
// When running "go-fuzz -func FuzzGood", a crasher is found almost immediately. In contrast,
// when running "go-fuzz -func FuzzBad" no crasher is found and it likely won't for a long time.
package antifuzz
import fuzz "github.com/google/gofuzz"
{
"meta": {
"theme": "paper-plus-plus"
},
"basics": {
"name": "Steven Johnstone",
"label": "Software Engineer with Strong Security Focus",
"email": "[email protected]",
"summary": "I like to break things and help fix them",
"location": {
@stevenjohnstone
stevenjohnstone / afl-fuzz.c
Last active July 31, 2020 15:20
A Lua AFL integration using the debug hook functionality which fires as Lua traverses lines
// Using the approach of afl-python to make a
// Lua fuzzer.
// Build with "gcc -I/usr/include/lua5.3/ -L/usr/local/lib -llua5.3 -rdynamic afl-fuzz.c"
// (or whatever works on your platform).
//
// Write a script which has a global function "fuzz" which reads all of stdin and processes it
// to exercise some code in which you'd like to find logic bugs.
#include <assert.h>
#include <fcntl.h>
#!/usr/bin/env python
# coding: utf-8
import angr
import archinfo
import claripy
import time
def main():
p = angr.Project('ctf')
#include <assert.h>
#include <dlfcn.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
// Background reading: http://tukan.farm/2017/07/08/tcache/
const size_t msize = 0x100;
#include <stdlib.h>
#include <string.h>
int main(int argc, const char **argv) {
char *foo = getenv("foo");
if (strcmp(foo, "bar") == 0) {
return 0;
}
return 1;
}
#!/usr/bin/env python
# coding: utf-8
import angr
import archinfo
import claripy
import time
def main():
p = angr.Project('ctf')
package main
import (
"fmt"
// a branch of keystone golang bindings which builds on linux
"github.com/stevenjohnstone/keystone/bindings/go/keystone"
uc "github.com/unicorn-engine/unicorn/bindings/go/unicorn"
)