def main_random(*args):
_, addr = args
exception = ''
data = b''
# arguments for fi_model
fi_args = {
'addr': addr,
}
ql2 = QilingFi(
# Qiling args
["ifelse/ifelse"], ".",
console=console, stdin=StringBuffer(), stdout=StringBuffer(),
# QilingFi args
trace_start=MAIN_START, trace_end=TRACE_END,
fi_model=random_word, fi_args=fi_args,
md=md
)
try:
ql2.restore(ql.snapshot)
ql2.tracing = ql.tracing
ql2.ins_counter = ql.ins_counter
ql2.run(begin=addr, timeout=1000000)
except Exception as e:
# print('exception')
exception = str(e)
ql2.emu_stop()
# read out data from the emulation
data = ql2.stdout.read_all()
return {
'data' : data,
'exception': exception,
'addr' : f'{addr:x}',
'ins' : ql2.fi_args['ins'][::-1].hex(),
'addr_i' : addr,
'ins_i' : int.from_bytes(ql2.fi_args['ins'],'big'),
'trace' : '\n'.join(ql.trace)
}
def main_nop():
NO_BEER = 0
FREE_BEER = 0
EXCEPTION = 0
COUNTER = -1
for addr in tqdm_it.it:
addr = addr[0]
COUNTER += 1
exception = ''
data = b''
# arguments for fi_model
fi_args = {
'addr': addr,
'ins': b'\x00'*4
}
ql = QilingFi(
# Qiling args
["ifelse/ifelse"], ".",
console=console, stdin=StringBuffer(), stdout=StringBuffer(),
# QilingFi args
trace_start=MAIN_START, trace_end=TRACE_END,
fi_model=set_word, fi_args=fi_args,
md=md
)
try:
# provide a timeout as some faults will trigger some deadlock, not sure how the scale works here
ql.run(timeout=1000000)
except Exception as e:
# print('exception')
exception = str(e)
ql.emu_stop()
EXCEPTION += 1
# read out data from the emulation
data = ql.stdout.read_all()
# read out faulted instruction
ins = ql.fi_args['ins']
# disassemble using capstone
disasm = ''
for i in md.disasm(ins, addr):
disasm += ql.trace_fstring.format(i.address, ins[::-1].hex(), i.mnemonic, i.op_str)
category = 0
if b'FREE BEER' in data and b'NO BEER' not in data:
FREE_BEER += 1
category = 1
elif data == b'NO BEER' or data == b'NO BEER\n':
NO_BEER += 1
category = 2
else:
pass
db.add_row(data, category, ins[::-1].hex(), disasm, exception, '\n'.join(ql.trace))
# print(f'[{COUNTER}] FREE_BEER: {FREE_BEER} | NO_BEER: {NO_BEER} | EXCEPTION: {EXCEPTION}', end='\n' if console else '\r')
if terminal_logging:
tqdm_it.tqdm.write(f'{addr:x} | {ins[::-1].hex()} | {disasm} | {data} | {exception}')
tqdm_it.tqdm.set_description(f'FREE_BEER: {FREE_BEER} | NO_BEER: {NO_BEER} | EXCEPTION: {EXCEPTION}')
def main_random(*args):
exception = ''
ql2 = QilingFi(
# Qiling args
["ifelse/ifelse"],
".",
console=console,
stdin=StringBuffer(),
stdout=StringBuffer(),
# QilingFi args
trace_start=MAIN_START,
trace_end=TRACE_END,
fi_model=random_word,
fi_args=fi_args,
md=md)
try:
if sys.argv[1] == 'simple':
# provide a timeout as some faults will trigger some deadlock, not sure how the scale works here
ql2.run(timeout=1000000)
else:
ql2.restore(ql.snapshot)
# continue tracing (or not) depending on snapshot
ql2.tracing = ql.tracing
# restore instruction counter state
ql2.ins_counter = ql.ins_counter
# create snapshot after addr-4 execution, continue from addr
ql2.run(begin=addr, timeout=1000000)
except Exception as e:
# print('exception')
exception = str(e)
ql2.emu_stop()
# read out data from the emulation
data = ql2.stdout.read_all()
if sys.argv[1] == 'snapshotmulti':
return (ql2.fi_args['ins'], data, exception)
else:
tqdm.write(str((data, exception)))
NRUNS = 1000
md = capstone.Cs(ARCH, MODE)
addr = 0x102f8 #4#ec#0x102f8
# arguments for fi_model
fi_args = {'addr': addr, 'ins': b'\x00' * 4}
ql = QilingFi(
# Qiling args
["ifelse/ifelse"],
".",
console=console,
stdin=StringBuffer(),
stdout=StringBuffer(),
# QilingFi args
trace_start=MAIN_START,
trace_end=TRACE_END,
snapshot_addr=addr - 4, #snapshot_file='.snapshot.bin',
md=md)
ql.run()
if sys.argv[1] == 'snapshotmulti':
ret = process_map(main_random, range(NRUNS))
for x in ret:
print(x)
else:
for _ in trange(NRUNS):
for addr, it1, it2, ... in tqdm_it.it:
COUNTER += 1
exception = ''
data = b''
# arguments for fi_model
fi_args = {
'addr': addr,
TODO
}
ql = QilingFi(
# Qiling args
[TODO], TODO,
console=console, stdin=StringBuffer(), stdout=StringBuffer(),
# QilingFi args
trace_start=MAIN_ADDRS[0], trace_end=MAIN_ADDRS[-1],
fi_model=flip_single_bit, fi_args=fi_args,
md=md
)
try:
# provide a timeout as some faults will trigger some deadlock, not sure how the scale works here
ql.run(timeout=1000000)
except Exception as e:
# print('exception')
exception = str(e)
ql.emu_stop()
EXCEPTION += 1
# read out data from the emulation