Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More handlers #11

Open
YSaxon opened this issue Dec 7, 2022 · 1 comment
Open

More handlers #11

YSaxon opened this issue Dec 7, 2022 · 1 comment

Comments

@YSaxon
Copy link
Contributor

YSaxon commented Dec 7, 2022

Two suggestions for handlers:

Fuzz Return:
Sometimes it would be nice to fuzz the return value of a function instead of replacing it with a static value. I've prototyped this with the inline asm native.inline_asm_024900bfd1f800007047efbe0040 which returns the value of 0x4000beef (a made up peripheral address), but I suspect there may be better ways to do this.

Readable ASM:
Rather than specify inline_asm through hex values, it would be nice to have an option to write it out in readable form, and have it assembled, so as to make the config files more readable.
This should be pretty easy with the keystone library. Something like

from keystone import Ks,KS_ARCH_ARM,KS_MODE_THUMB
patch = bytes(Ks(KS_ARCH_ARM, KS_MODE_THUMB).asm(readable_patch)[0])

as compared to

patch = binascii.unhexlify(inline_patch_hex)

in emulator/harness/fuzzware_harness/user_hooks/__init__.py should work
@Scepticz
Copy link
Contributor

Scepticz commented Dec 8, 2022

Hi YSaxon,

Fuzzing a return value

for fuzzing the return value, you should be able to use the native.get_fuzz function in python, cast the bytes to an int, write them to r0 and configure the handler to return. To create a handler in a python file in the directory which contains the config, you can use the PYTHONPATH env variable targeting the directory and then create a simple myhandlers.py containing a function which you can then target via handler: myhandlers.myhook.

These files look something like this (I have not tested these exact ones but have used the PYTHONPATH once lately)

myhandlers.py

from fuzzware_harness.native import get_fuzz

def handle(uc):
   b = get_fuzz(4)
   retval = struct.unpack("<I", b)
   uc.regs.r0 = retval

config.yml

handlers:
   myhandler:
      addr: 0xdeadbeef
      do_return: true
      handler: myhandlers.handle

run.sh

export PYTHONPATH=$(pwd)
fuzzware emu -c config.yml <my_input>

In case you get this to work, another documentation entry would be great to have here.

Readable ASM

That sounds like a reasonable thing to implement. Feel free to create a pull request. :-)

Tobi

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@YSaxon @Scepticz