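def main(entrypoint=0x401094, max_rounds=30, fuzz_timeout=5):
    """Drive symbolic exploration of the target and fuzz the branches it cannot take.

    Each round re-runs the tracer from ``entrypoint``.  When the exploration
    reports that fuzzing is needed, every untaken branch that has not been
    fuzzed yet is handed to a ``send_to_fuzz`` worker process; whatever input
    the worker reports back on the queue is fed into the exploration for the
    next round.  The collected exploration is shown at the end.

    Args:
        entrypoint: address the tracer starts from (default is the value that
            used to be hard-coded).
        max_rounds: upper bound on trace/fuzz rounds.
        fuzz_timeout: seconds to wait for a worker's result on the queue.
    """
    fuzzed_address = set()          # branch addresses already sent to a fuzzer
    result_queue = multiprocessing.Queue()

    ctx = TritonContext()
    ctx.setArchitecture(ARCH.X86_64)
    ctx.enableMode(MODE.ALIGNED_MEMORY, True)
    ctx.setAstRepresentationMode(AST_REPRESENTATION.PYTHON)

    exploration = Exploration()
    tracer = Tracer(program_name, True)
    tracer.tracer_init(ctx)

    # Route every tracer event into the exploration object.
    tracer.add_start_callback(exploration.start)
    tracer.add_instruction_callback(exploration.get_instruction)
    tracer.add_end_callback(exploration.end)
    tracer.add_memory_callback(exploration.symbolized_memory_input)
    tracer.add_register_callback(exploration.symbolized_register_input)

    for _round in range(max_rounds):
        tracer.start(ctx, 1, entrypoint)
        if exploration.fuzz_is_needed is not True:
            continue
        # Snapshot the branch set: the exploration may be updated while fuzzing.
        # Separate loop name so it no longer shadows the round counter.
        for addr in set(exploration.get_untaken_branch()):
            if addr in fuzzed_address or exploration.untaken_branch[addr] == 0:
                continue
            worker = send_to_fuzz(
                entrypoint,
                copy.deepcopy(exploration.exploration_memory),
                copy.deepcopy(exploration.exploration_registers),
                copy.copy(exploration.untaken_branch[addr]),
                addr,
                result_queue)
            worker.start()
            # NOTE(review): joining before draining the queue can deadlock if the
            # worker's payload exceeds the pipe buffer ("Joining processes that
            # use queues" in the multiprocessing docs). Kept as-is because
            # send_to_fuzz's payload size is not visible here -- confirm it is small.
            worker.join()
            fuzzed_address.add(addr)
            try:
                # Queue.Empty assumes a Python 2 style `import Queue`; on
                # Python 3 the same exception is queue.Empty -- check the imports.
                new_inputs = result_queue.get(block=True, timeout=fuzz_timeout)
            except Queue.Empty:
                # list() so the addresses are printed on Python 3 as well,
                # instead of a bare map object.
                print(list(map(hex, exploration.get_untaken_branch())))
                print("Can't find more branch")
                break   # abandon this round; the next one re-reads the branch set
            exploration.add_fuzz_inputs(new_inputs[0], new_inputs[1])

    exploration.show_exploration()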