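def main(entrypoint=0x401094, max_rounds=30, fuzz_timeout=None):
    """Drive a Triton symbolic exploration of ``program_name`` and fuzz the branches it cannot reach.

    Each round re-runs the tracer from ``entrypoint`` with the inputs collected so
    far.  When the exploration reports that fuzzing is needed, every untaken branch
    that has not been fuzzed yet is handed to a ``send_to_fuzz`` worker (strictly one
    worker at a time), and the first result a worker sends back is folded into the
    exploration's inputs.  The loop ends after ``max_rounds`` rounds or as soon as no
    worker reports a new input within 5 seconds.

    Args:
        entrypoint: address the tracer starts from (default is the value that was
            previously hard-coded, ``0x401094``).
        max_rounds: upper bound on exploration rounds (default 30, as before).
        fuzz_timeout: seconds to wait for a single fuzz worker before it is
            terminated.  ``None`` (the default) waits indefinitely, which is the
            original behaviour; a hung worker then stalls the whole exploration.

    Relies on the module-level names ``program_name``, ``Exploration``, ``Tracer``
    and ``send_to_fuzz`` plus the Triton bindings; none of them are defined here.
    """
    # ``multiprocessing.Queue.get`` signals a timeout with the stdlib ``queue.Empty``
    # (``Queue.Empty`` on Python 2).  Import the exception under a name that cannot
    # collide with the queue *object* created below, so the except clause does not
    # depend on whatever the module happens to import at the top of the file.
    try:
        from queue import Empty
    except ImportError:  # Python 2
        from Queue import Empty

    fuzzed_address = set()  # branch addresses already handed to a worker
    result_queue = multiprocessing.Queue()

    ctx = TritonContext()
    ctx.setArchitecture(ARCH.X86_64)
    ctx.enableMode(MODE.ALIGNED_MEMORY, True)
    ctx.setAstRepresentationMode(AST_REPRESENTATION.PYTHON)

    exploration = Exploration()
    tracer = Tracer(program_name, True)
    tracer.tracer_init(ctx)

    # Hook the exploration into the tracer's lifecycle and symbolisation events.
    tracer.add_start_callback(exploration.start)
    tracer.add_instruction_callback(exploration.get_instruction)
    tracer.add_end_callback(exploration.end)
    tracer.add_memory_callback(exploration.symbolized_memory_input)
    tracer.add_register_callback(exploration.symbolized_register_input)

    for _round in range(max_rounds):
        tracer.start(ctx, 1, entrypoint)

        if exploration.fuzz_is_needed is True:
            # Fuzz each untaken branch at most once.  Workers are started and
            # joined back to back, so there is no parallelism here; the deep
            # copies keep a worker from mutating the parent's exploration state.
            for branch in set(exploration.get_untaken_branch()):
                if branch in fuzzed_address:
                    continue
                fuzzed_address.add(branch)
                if exploration.untaken_branch[branch] == 0:
                    continue
                worker = send_to_fuzz(
                    entrypoint,
                    copy.deepcopy(exploration.exploration_memory),
                    copy.deepcopy(exploration.exploration_registers),
                    copy.copy(exploration.untaken_branch[branch]),
                    branch,
                    result_queue)
                worker.start()
                worker.join(fuzz_timeout)
                if worker.is_alive():
                    # Over budget: reap the worker so one hung fuzz run cannot
                    # block the exploration.  Assumes send_to_fuzz returns a
                    # multiprocessing.Process; only reached when a timeout is set.
                    worker.terminate()
                    worker.join()

            # Only one result is consumed per round; anything else the workers
            # queued stays in the queue and is picked up by a later round.
            try:
                new_inputs = result_queue.get(block=True, timeout=5)
            except Empty:
                # Materialise the list so the addresses are printed on Python 3
                # as well (a bare ``map`` object would print as its repr).
                print([hex(addr) for addr in exploration.get_untaken_branch()])
                print("Can't find more branch")
                break
            else:
                exploration.add_fuzz_inputs(new_inputs[0], new_inputs[1])

    exploration.show_exploration()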