def mutate_seq_32_bit_rand32bit(self, index):
self.cur_program.set_state('seq_32bits_rand32bit')
data = self.cur_program.irps[index].InBuffer
# limit interesting up to MAX_RAND_VALUES_SIZE.
start, end = 0, self.cur_program.irps[index].InBufferLength
if end > MAX_RAND_VALUES_SIZE:
start = rand.Intn(
((end - 1) // MAX_RAND_VALUES_SIZE)) * MAX_RAND_VALUES_SIZE
end = min(end, start + MAX_RAND_VALUES_SIZE)
for i in range(start, end - 3):
orig = data[i:i + 4]
oval = (orig[3] << 24) | (orig[2] << 16) | (orig[1] << 8) | orig[0]
for _ in range(32):
value = in_range_32((rand.Intn(0xff) << 24)
| (rand.Intn(0xff) << 16)
| (rand.Intn(0xff) << 8) | rand.Intn(0xff))
if (is_not_bitflip(oval ^ value)
and is_not_arithmetic(oval, value, 4)
and is_not_interesting(oval, value, 4, 1)):
data[i:i + 4] = [
value & 0xff, (value >> 8) & 0xff, (value >> 16) & 0xff,
(value >> 24) & 0xff
]
if self.execute_irp(index):
return True
data[i:i + 4] = orig
def mutate_seq_64_bit_rand8bit(self, index):
self.cur_program.set_state('seq_64bits_rand8bit')
data = self.cur_program.irps[index].InBuffer
# limit interesting up to MAX_RAND_VALUES_SIZE.
start, end = 0, self.cur_program.irps[index].InBufferLength
if end > MAX_RAND_VALUES_SIZE:
start = rand.Intn(
((end - 1) // MAX_RAND_VALUES_SIZE)) * MAX_RAND_VALUES_SIZE
end = min(end, start + MAX_RAND_VALUES_SIZE)
for i in range(start, end - 7):
orig = data[i:i + 8]
for _ in range(32):
num1 = in_range_64(rand.Intn(0xff))
num2 = swap_64(num1)
data[i:i+8] = [num1 & 0xff, (num1 >> 8)&0xff, (num1 >> 16)&0xff, (num1 >> 24)&0xff, \
(num1 >> 32)&0xff, (num1 >> 40)&0xff, (num1 >> 48)&0xff, (num1 >> 52)&0xff]
if self.execute_irp(index):
return True
data[i:i+8] = [num2 & 0xff, (num2 >> 8)&0xff, (num2 >> 16)&0xff, (num2 >> 24)&0xff, \
(num2 >> 32)&0xff, (num2 >> 40)&0xff, (num2 >> 48)&0xff, (num2 >> 52)&0xff]
if self.execute_irp(index):
return True
data[i:i + 8] = orig
def mutate_seq_8_bit_arithmetic(self, index):
self.cur_program.set_state('seq_8bits_arithmetic')
data = self.cur_program.irps[index].InBuffer
# limit arithmethic up to MAX_ARITHMETIC_SIZE.
start, end = 0, self.cur_program.irps[index].InBufferLength
if end > MAX_ARITHMETIC_SIZE:
start = rand.Intn(
((end - 1) // MAX_ARITHMETIC_SIZE)) * MAX_ARITHMETIC_SIZE
end = min(end, start + MAX_ARITHMETIC_SIZE)
for i in range(start, end):
orig = data[i]
for j in range(1, AFL_ARITH_MAX + 1):
r1 = (orig + j) & 0xff
r2 = (orig - j) & 0xff
data[i] = r1
if is_not_bitflip(orig ^ r1):
if self.execute_irp(index):
return True
data[i] = r2
if is_not_bitflip(orig ^ r2):
if self.execute_irp(index):
return True
data[i] = orig
def mutate_seq_16_bit_interesting(self, index):
self.cur_program.set_state('seq_16bits_interesting')
data = self.cur_program.irps[index].InBuffer
# limit interesting up to MAX_INTERESTING_SIZE.
start, end = 0, self.cur_program.irps[index].InBufferLength
if end > MAX_INTERESTING_SIZE:
start = rand.Intn(
((end - 1) // MAX_INTERESTING_SIZE)) * MAX_INTERESTING_SIZE
end = min(end, start + MAX_INTERESTING_SIZE)
for i in range(start, end - 1):
orig = data[i:i + 2]
oval = (orig[1] << 8) | orig[0]
for j in range(len(interesting_16_Bit)):
num1 = in_range_16(interesting_16_Bit[j])
num2 = swap_16(num1)
if (is_not_bitflip(oval ^ num1) and is_not_arithmetic(
oval, num1, 2, arith_max=AFL_ARITH_MAX)
and is_not_interesting(oval, num1, 2, 0)):
data[i:i + 2] = [num1 & 0xff, num1 >> 8]
if self.execute_irp(index):
return True
if (num1 != num2 and \
is_not_bitflip(oval ^ num2) and \
is_not_arithmetic(oval, num2, 2, arith_max=AFL_ARITH_MAX) and \
is_not_interesting(oval, num2, 2, 1)):
data[i:i + 2] = [num2 & 0xff, num2 >> 8]
if self.execute_irp(index):
return True
data[i:i + 2] = orig
def __replaceBytes(self, buffer):
width = 1 << rand.Index(4)
if len(buffer) < width:
width = len(buffer)
pos = rand.Index(len(buffer) - width + 1)
for i in range(width):
buffer[pos + i] = rand.Intn(0xff)
return True
def mutate_seq_32_bit_arithmetic(self, index):
self.cur_program.set_state('seq_32bits_arithmetic')
data = self.cur_program.irps[index].InBuffer
# limit arithmethic up to MAX_ARITHMETIC_SIZE.
start, end = 0, self.cur_program.irps[index].InBufferLength
if end > MAX_ARITHMETIC_SIZE:
start = rand.Intn(
((end - 1) // MAX_ARITHMETIC_SIZE)) * MAX_ARITHMETIC_SIZE
end = min(end, start + MAX_ARITHMETIC_SIZE)
for i in range(start, end - 3):
orig = data[i:i + 4]
num1 = (orig[3] << 24) | (orig[2] << 16) | (orig[1] << 8) | orig[0]
num2 = (orig[0] << 24) | (orig[1] << 16) | (orig[2] << 8) | orig[3]
for j in range(1, AFL_ARITH_MAX + 1):
r1 = (num1 + j) & 0xffffffff
r2 = (num1 - j) & 0xffffffff
r3 = (num2 + j) & 0xffffffff
r4 = (num2 - j) & 0xffffffff
if is_not_bitflip(num1 ^ r1) and (num1 & 0xffff) + j > 0xffff:
data[i:i + 4] = [
r1 & 0xff, (r1 >> 8) & 0xff, (r1 >> 16) & 0xff,
(r1 >> 24) & 0xff
]
if self.execute_irp(index):
return True
if is_not_bitflip(num1 ^ r2) and num1 & 0xffff < j:
data[i:i + 4] = [
r2 & 0xff, (r2 >> 8) & 0xff, (r2 >> 16) & 0xff,
(r2 >> 24) & 0xff
]
if self.execute_irp(index):
return True
if is_not_bitflip(num2 ^ r3) and (num2 & 0xffff) + j > 0xffff:
data[i:i + 4] = [
r3 & 0xff, (r3 >> 8) & 0xff, (r3 >> 16) & 0xff,
(r3 >> 24) & 0xff
]
if self.execute_irp(index):
return True
if is_not_bitflip(num2 ^ r4) and num2 & 0xffff < j:
data[i:i + 4] = [
r4 & 0xff, (r4 >> 8) & 0xff, (r4 >> 16) & 0xff,
(r4 >> 24) & 0xff
]
if self.execute_irp(index):
return True
data[i:i + 4] = orig
def __insertBytes(self, buffer):
n = rand.Index(16) + 1
if len(buffer) + n > MAX_BUFFER_LEN:
n = MAX_BUFFER_LEN - len(buffer)
if n == 0:
return False
arr = []
for _ in range(n):
arr.append(rand.Intn(0xff))
pos = rand.Index(len(buffer))
buffer = buffer[:pos] + arr + buffer[pos:]
return True
def bruteforce_irps(self):
self.cur_program.set_state('bruteforce_irps')
orilen = len(self.cur_program.irps)
for _ in range(rand.Intn(30)):
self.cur_program.irps += random.choice(
self.database.get_unique_programs()).irps
self.q.reload_driver()
for i in range(len(self.cur_program.irps)):
if self.execute_irp(i):
return True
self.cur_program.irps = self.cur_program.irps[:orilen]
def mutate_seq_walking_bit(self, index):
self.cur_program.set_state('seq_walking_bit')
data = self.cur_program.irps[index].InBuffer
# limit walking bits up to MAX_WALKING_BITS_SIZE.
start, end = 0, self.cur_program.irps[index].InBufferLength
if end > MAX_WALKING_BITS_SIZE:
start = rand.Intn(((end - 1) // MAX_WALKING_BITS_SIZE)) * MAX_WALKING_BITS_SIZE
end = min(end, start + MAX_WALKING_BITS_SIZE)
for i in range(start, end * 8):
data[i // 8] ^= (0x80 >> (i % 8))
if self.execute_irp(index):
return True
data[i // 8] ^= (0x80 >> (i % 8))
def mutate_seq_8_bit_rand8bit(self, index):
self.cur_program.set_state('seq_8bits_rand8bit')
data = self.cur_program.irps[index].InBuffer
# limit interesting up to MAX_RAND_VALUES_SIZE.
start, end = 0, self.cur_program.irps[index].InBufferLength
if end > MAX_RAND_VALUES_SIZE:
start = rand.Intn(
((end - 1) // MAX_RAND_VALUES_SIZE)) * MAX_RAND_VALUES_SIZE
end = min(end, start + MAX_RAND_VALUES_SIZE)
for i in range(start, end):
orig = data[i]
for _ in range(32):
value = in_range_8(rand.Intn(0xff))
if (is_not_bitflip(orig ^ value)
and is_not_arithmetic(orig, value, 1)
and is_not_interesting(orig, value, 1, 1)):
data[i] = value
if self.execute_irp(index):
return True
data[i] = orig
def mutate_seq_16_bit_arithmetic(self, index):
self.cur_program.set_state('seq_16bits_arithmetic')
data = self.cur_program.irps[index].InBuffer
# limit arithmethic up to MAX_ARITHMETIC_SIZE.
start, end = 0, self.cur_program.irps[index].InBufferLength
if end > MAX_ARITHMETIC_SIZE:
start = rand.Intn(
((end - 1) // MAX_ARITHMETIC_SIZE)) * MAX_ARITHMETIC_SIZE
end = min(end, start + MAX_ARITHMETIC_SIZE)
for i in range(start, end - 1):
orig = data[i:i + 2]
num1 = (orig[0] << 8) | orig[1]
num2 = (orig[1] << 8) | orig[0]
for j in range(1, AFL_ARITH_MAX + 1):
r1 = (num1 + j) & 0xffff
r2 = (num1 - j) & 0xffff
r3 = (num2 + j) & 0xffff
r4 = (num2 - j) & 0xffff
if is_not_bitflip(num1 ^ r1) and num1 ^ r1 > 0xff:
data[i:i + 2] = [r1 & 0xff, r1 >> 8]
if self.execute_irp(index):
return True
if is_not_bitflip(num1 ^ r2) and num1 ^ r2 > 0xff:
data[i:i + 2] = [r2 & 0xff, r2 >> 8]
if self.execute_irp(index):
return True
if is_not_bitflip(num2
^ r3) and swap_16(r1) != r3 and num2 ^ r3 > 0xff:
data[i:i + 2] = [r3 & 0xff, r3 >> 8]
if self.execute_irp(index):
return True
if is_not_bitflip(num2
^ r4) and swap_16(r2) != r4 and num2 ^ r4 > 0xff:
data[i:i + 2] = [r4 & 0xff, r4 >> 8]
if self.execute_irp(index):
return True
data[i:i + 2] = orig
def mutate_seq_8_bit_interesting(self, index):
self.cur_program.set_state('seq_8bits_interesting')
data = self.cur_program.irps[index].InBuffer
# limit interesting up to MAX_INTERESTING_SIZE.
start, end = 0, self.cur_program.irps[index].InBufferLength
if end > MAX_INTERESTING_SIZE:
start = rand.Intn(
((end - 1) // MAX_INTERESTING_SIZE)) * MAX_INTERESTING_SIZE
end = min(end, start + MAX_INTERESTING_SIZE)
for i in range(start, end):
orig = data[i]
for j in range(len(interesting_8_Bit)):
value = in_range_8(interesting_8_Bit[j])
if (is_not_bitflip(orig ^ value)
and is_not_arithmetic(orig, value, 1)):
data[i] = value
if self.execute_irp(index):
return True
data[i] = orig