Brendan Dolan-Gavitt moyix

moyix / bugged_main.c
Created July 10, 2016 18:40
An example bug inserted by LAVA
int main(int argc, char **argv) {
FILE *f = fopen(argv[1], "rb");
file_header head;
parse_header(f, &head);
({
int lava_77 = 0;
lava_77 |= ((unsigned char *) &((head).reserved))[0] << (0*8);
lava_77 |= ((unsigned char *) &((head).reserved))[1] << (1*8);
lava_77 |= ((unsigned char *) &((head).reserved))[2] << (2*8);
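/* LAVA bug-trigger store: one unsigned slot per injected bug number.
 * lava_set() records a value at the point where it is captured (the
 * companion bugged_main.c assembles such a value byte by byte from a
 * file-header field, presumably the "reserved" bytes) and lava_get()
 * reads it back where the injected bug is triggered. */
enum { LAVA_NUM_BUGS = 1000000 };

void lava_set(unsigned int bug_num, unsigned int val);
extern unsigned int lava_get(unsigned int bug_num);

static unsigned int lava_val[LAVA_NUM_BUGS] = {0};

/* Record val in slot bug_num.
 * An out-of-range bug_num is ignored rather than written, so a bad bug
 * number can no longer write past the end of lava_val. */
void lava_set(unsigned int bug_num, unsigned int val) {
    if (bug_num < LAVA_NUM_BUGS) {
        lava_val[bug_num] = val;
    }
}

/* Return the value recorded in slot bug_num.
 * Yields 0 for a slot that was never set and for an out-of-range bug_num,
 * which matches the zero-initialised state of the array. */
unsigned int lava_get(unsigned int bug_num) {
    return bug_num < LAVA_NUM_BUGS ? lava_val[bug_num] : 0;
}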
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
moyix / consume_record.s
Created July 16, 2016 17:33
Disassembly for consume_record
400f70: 48 8d a4 24 68 ff ff lea -0x98(%rsp),%rsp
400f77: ff
400f78: 48 89 14 24 mov %rdx,(%rsp)
400f7c: 48 89 4c 24 08 mov %rcx,0x8(%rsp)
400f81: 48 89 44 24 10 mov %rax,0x10(%rsp)
400f86: 48 c7 c1 aa 30 00 00 mov $0x30aa,%rcx
400f8d: e8 0e 02 00 00 callq 4011a0 <__afl_maybe_log>
400f92: 48 8b 44 24 10 mov 0x10(%rsp),%rax
400f97: 48 8b 4c 24 08 mov 0x8(%rsp),%rcx
400f9c: 48 8b 14 24 mov (%rsp),%rdx
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
/* Fallback for builds whose compiler does not already define __AFL_LOOP
 * (an AFL-aware compiler such as afl-clang-fast provides its own).  This
 * stand-in is a GNU statement expression that evaluates to true exactly
 * once -- the first call, while the function-static __i is still 0 -- and
 * false on every later call, so a loop conditioned on it runs one
 * iteration; the n argument is ignored.
 * NOTE(review): `__i` is in the implementation-reserved identifier space;
 * a rename would be cleaner if this macro is kept. */
#ifndef __AFL_LOOP
#define __AFL_LOOP(n) ({ static int __i; !(__i++); })
#endif
/* Per-file LAVA state; 4 bytes here.  Assumes they hold one injected
 * bug-trigger value, written and read elsewhere in the file -- confirm
 * against the rest of the listing. */
static unsigned char lava_val[4];
0000000: 4156 414c 0000 0000 0200 0000 7212 8357 AVAL........r..W
0000010: 6c69 6768 7400 0000 0000 0000 0000 0000 light...........
0000020: 0200 0000 4a78 de11 706c 616e 636b 0000 ....Jx..planck..
0000030: 0000 0000 0000 0000 0100 0000 c308 d440 ...............@
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
/* Fallback for builds whose compiler does not already define __AFL_LOOP
 * (an AFL-aware compiler such as afl-clang-fast provides its own).  This
 * stand-in is a GNU statement expression that evaluates to true exactly
 * once -- the first call, while the function-static __i is still 0 -- and
 * false on every later call, so a loop conditioned on it runs one
 * iteration; the n argument is ignored.
 * NOTE(review): `__i` is in the implementation-reserved identifier space;
 * a rename would be cleaner if this macro is kept. */
#ifndef __AFL_LOOP
#define __AFL_LOOP(n) ({ static int __i; !(__i++); })
#endif
/* Per-file LAVA state; 4 bytes here.  Assumes they hold one injected
 * bug-trigger value, written and read elsewhere in the file -- confirm
 * against the rest of the listing. */
static unsigned char lava_val[4];
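#!/bin/bash
# Seed a fuzzer's testcases/ directory from a target binary:
#   * every immediate constant objdump prints as `$0x...` becomes one file
#     holding that value packed little-endian (4 bytes when it fits in
#     32 bits, 8 bytes otherwise);
#   * every printable string `strings` finds becomes one file string_<i>.
# Usage: $0 <binary>     (output goes to ./testcases/, created if missing)
set -u
bin="${1:?usage: $0 <binary>}"

# Fail early instead of silently losing every redirect below.
mkdir -p testcases

# `read -r` keeps any backslash in the token; the constants are hex-only
# so they are safe to use as file names.  The Python one-liner sees the
# constant plus its trailing newline: "0x" + 8 hex digits + "\n" is 11
# chars, so len <= 11 selects the 32-bit pack.  Writing through
# sys.stdout.buffer (when present) keeps the one-liner working on both
# Python 2 and Python 3, where struct.pack returns bytes.
objdump -d "${bin}" | grep -Eo '\$0x[0-9a-f]+' | cut -c 2- | sort -u | while read -r const; do
    printf '%s\n' "$const" | python -c 'import sys, struct; getattr(sys.stdout, "buffer", sys.stdout).write(b"".join(struct.pack("<I" if len(l) <= 11 else "<Q", int(l, 0)) for l in sys.stdin.readlines()))' > "testcases/$const"
done

# printf rather than `echo -n`: a string that happens to start with `-n`
# or `-e` would otherwise be eaten as an echo option.  The counter lives
# in the pipeline's subshell, which is fine since nothing reads it after
# the loop.
i=0
strings "${bin}" | while read -r line; do
    printf '%s' "$line" > "testcases/string_${i}"
    i=$((i + 1))
done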
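#!/bin/bash
# Run KLEE over the prebuilt ./toy.bc found in "$1"/toy/, giving the
# program the literal argument "A", one 128-byte symbolic file and a
# symbolic stdout, with a 5-hour (18000 s) overall budget and a 30 s
# per-instruction solver cap.
# Usage: $0 <workdir>     (<workdir>/toy/toy.bc must already exist)
set -u
# Without the `|| exit`, a failed cd would leave klee running in whatever
# directory the caller happened to be in.
cd "${1:?usage: $0 <workdir>}"/toy/ || exit 1
klee --simplify-sym-indices --write-cvcs --write-cov --output-module \
     --disable-inlining --optimize --use-forked-solver --use-cex-cache \
     --libc=uclibc --posix-runtime --allow-external-sym-calls \
     --only-output-states-covering-new --max-sym-array-size=4096 \
     --max-instruction-time=30. --max-time=18000. --watchdog \
     --max-memory-inhibit=false --max-static-fork-pct=1 \
     --max-static-solve-pct=1 --max-static-cpfork-pct=1 \
     --switch-type=internal --randomize-fork --search=random-path \
     --search=nurs:covnew --use-batching-search --batch-instructions=10000 \
     ./toy.bc A --sym-files 1 128 --sym-stdout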
=========== ./BANANAGLEE/BANANAUSURPER/BG2200_UPGRADE/UPGRADE/BUSURPER-2211-611.exe ===========
00000000 l df *ABS* 00000000 upgrade_pix.c
00000000 l df *ABS* 00000000 change_page_permission.c
00000000 l df *ABS* 00000000 osVersionChecking.c
=========== ./BANANAGLEE/BANANAUSURPER/BG2200_UPGRADE/UPGRADE/BUSURPER-2211-614.exe ===========
00000000 l df *ABS* 00000000 upgrade_pix.c
00000000 l df *ABS* 00000000 change_page_permission.c
00000000 l df *ABS* 00000000 osVersionChecking.c
=========== ./BANANAGLEE/BANANAUSURPER/BG2200_UPGRADE/UPGRADE/BUSURPER-2211-622.exe ===========
00000000 l df *ABS* 00000000 upgrade_pix.c
graph nsa {
node1 [label="BUSURPER-3101-805.exe"];
node2 [label="BBALL_DA28F-2131.exe"];
node234 [label="pd_create_ruleset-2100"];
node4 [label="SecondDate-3021.exe"];
node5 [label="BUSURPER-3001-705.exe"];
node6 [label="IvlMiniProg-3100"];
node264 [label="SecondDateLP-3020"];
node8 [label="profilerIpv4-2200"];
node11 [label="pd_miniprog-2100"];