@moyix
Created October 26, 2020 01:14
Recover edge information from afl-showmap
If you have a list of edge hashes produced by AFL (e.g. from something like this):
./afl-showmap -o foo.edges -t 500 -q -e -- ./program arg1
Re-run the program using gdb to trace the sequence of block IDs:
./collect_coverage.sh trace.txt ./program arg1
Print the edges in the trace and check each one against the afl-showmap edge list:
python tracehash.py foo.edges trace.txt
Sample output:
51839 0x0 -> 0x8049e2d found? True
11284 0x8049e2d -> 0x819eecd found? True
6453 0x819eecd -> 0x819ef49 found? True
30868 0x819ef49 -> 0x819ef99 found? True
14108 0x819ef99 -> 0x819efcd found? True
[...]
20581 0x804b725 -> 0x804bb59 found? True
54125 0x804bb59 -> 0x804bbd1 found? True
13282 0x804bbd1 -> 0x804bc19 found? True
Collision on block 6160: 2 edges
Collision on block 42150: 2 edges
Collision on block 51564: 2 edges
Collision on block 59275: 2 edges
Collision on block 53047: 2 edges
Collision on block 10033: 2 edges
Collision on block 62044: 2 edges

collect_coverage.sh:
#!/bin/bash
# Usage: ./collect_coverage.sh <logfile> <program> [args...]
# Breaks on __afl_maybe_log in a 32-bit afl-gcc/afl-as binary: at that point
# %ecx holds the current block id and the word at %esp is the return address,
# i.e. an address inside the instrumented block.
logname=$1
shift
scriptfile=$(mktemp)
outfile=$(mktemp)
# The heredoc is unquoted so $outfile expands; \$ecx and \$esp stay literal for gdb.
cat > "$scriptfile" <<EOF
break __afl_maybe_log
commands 1
printf "BLOCK %d %x\\n", \$ecx, *(unsigned int *)\$esp
c
end
set pagination off
set logging file $outfile
set logging redirect on
set logging on
run
quit
EOF
gdb -batch-silent -x "$scriptfile" --args "$@"
# Keep only the BLOCK lines; this is the trace file tracehash.py reads.
grep BLOCK "$outfile" > "$logname"
rm -f "$scriptfile"
rm -f "$outfile"

tracehash.py:
#!/usr/bin/env python
import sys
from collections import defaultdict

# Usage: python tracehash.py <afl-showmap edge file> <trace file>
edgefile = sys.argv[1]
tracefile = sys.argv[2]

# afl-showmap writes one "index:count" line per edge that was hit.
edges = set()
for line in open(edgefile):
    edges.add(int(line.split(':')[0]))

coll_map = defaultdict(set)  # edge index -> distinct (prev_addr, addr) pairs
prev_id = 0                  # __afl_prev_loc starts at 0
prev_addr = 0
for line in open(tracefile):
    _, blockid, addr = line.strip().split()
    blockid = int(blockid)
    addr = int(addr, 16)
    # AFL's map index for the edge prev -> cur is cur_loc ^ (prev_loc >> 1).
    edgehash = (prev_id >> 1) ^ blockid
    print("%d %#x -> %#x found? %s" % (edgehash, prev_addr, addr, edgehash in edges))
    coll_map[edgehash].add((prev_addr, addr))
    prev_id = blockid
    prev_addr = addr

# An index reached by more than one distinct address pair is a hash collision.
for k in coll_map:
    if len(coll_map[k]) > 1:
        print("Collision on block %d: %d edges" % (k, len(coll_map[k])))
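The same edge-index and collision logic as functions, written here as an added example that is not part of moyix's gist: it replays a trace in collect_coverage.sh's "BLOCK <id> <hexaddr>" format the way AFL's instrumentation would and diffs the result against an afl-showmap edge file in both directions. The showmap lines, block ids and 0x80... addresses are constructed sample input, chosen so that two different edges collide on index 23.

```python
from collections import defaultdict

MAP_SIZE = 1 << 16  # AFL's default bitmap size; block ids are drawn below it

def afl_edge_index(prev_id, cur_id):
    """AFL's map index for the edge prev -> cur: cur ^ (prev >> 1).
    The shift keeps A->B and B->A in different slots and A->A nonzero."""
    return (cur_id ^ (prev_id >> 1)) % MAP_SIZE

def parse_showmap(text):
    """afl-showmap -e output: one 'index:count' line per edge that was hit."""
    hits = {}
    for line in text.splitlines():
        if line.strip():
            idx, count = line.split(':')
            hits[int(idx)] = int(count)
    return hits

def replay_trace(text):
    """Replay 'BLOCK <id> <hexaddr>' lines as the instrumentation would.
    Returns per-index hit counts and the distinct (prev_addr, cur_addr)
    pairs that landed on each index."""
    counts, pairs = defaultdict(int), defaultdict(set)
    prev_id, prev_addr = 0, 0          # __afl_prev_loc starts at 0
    for line in text.splitlines():
        if not line.startswith('BLOCK'):
            continue
        _, blockid, addr = line.split()
        blockid, addr = int(blockid), int(addr, 16)
        idx = afl_edge_index(prev_id, blockid)
        counts[idx] += 1
        pairs[idx].add((prev_addr, addr))
        prev_id, prev_addr = blockid, addr
    return dict(counts), dict(pairs)

def compare(showmap_text, trace_text):
    """Showmap edges the trace does not explain, trace edges showmap lacks,
    and indices that are genuine hash collisions."""
    showmap = parse_showmap(showmap_text)
    counts, pairs = replay_trace(trace_text)
    return {
        'only_in_showmap': sorted(set(showmap) - set(counts)),
        'only_in_trace': sorted(set(counts) - set(showmap)),
        'collisions': {i: sorted(p) for i, p in pairs.items() if len(p) > 1},
    }

# Constructed sample input: ids chosen so 100->37 and 200->115 both hash to 23.
SHOWMAP = "100:1\n23:1\n218:1\n999:1\n"
TRACE = "BLOCK 100 8049e2d\nBLOCK 37 8049e50\nBLOCK 200 8049e80\nBLOCK 115 8049eb0\n"

if __name__ == '__main__':
    print(compare(SHOWMAP, TRACE))
```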