variable AFL_ENTRY_POINT=000012f2 and rebuilding qemu, it also writes out a file with the correct entry point, this case the force value. But when running AFL alone or through your run_afl script, no file is created. I have also tried copying out the exact command and... (2/n)
Replying to @Blurbdust
So bspfuzz works by itself, without AFL? Getting it to work should be the first step.
2 replies 0 retweets 0 likes -
Replying to @_niklasb @Blurbdust
AFL_ENTRY_POINT=000012f2 doesn't make sense by the way, it should be an actual absolute address, pointing to the beginning of a basic block.
1 reply 0 retweets 0 likes -
Replying to @_niklasb
In afl_run.sh it sets AFL_ENTRY_POINT to $(nm bspfuzz |& grep forkserver | cut -d' ' -f1) which is always 000012f2 for me.
1 reply 0 retweets 0 likes -
Replying to @Blurbdust
See my other tweet, looks like you have PIE enabled for that binary, should have turned it off explicitly.
1 reply 0 retweets 0 likes -
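The PIE mix-up above is easy to detect mechanically: `nm` prints absolute addresses only for a position-dependent executable (ELF e_type ET_EXEC); for a PIE (e_type ET_DYN, the default for GCC on Ubuntu 17.10 and later, unlike 16.04) it prints offsets from an unknown load base, which is why a value like 000012f2 shows up. The script below is an added example, not code from bspfuzz or from anyone in the thread. It parses the ELF header to decide whether an `nm` address can be used directly as AFL_ENTRY_POINT, and otherwise requires the caller to supply the base at which QEMU maps the binary (the `load_base` parameter is an assumption; the correct value depends on the QEMU build). The ELF headers and `nm` output it works on are constructed inline so it runs offline.

```python
"""Decide whether an `nm` address is usable as-is for AFL_ENTRY_POINT.

Added example, not bspfuzz code. The sample ELF headers and nm output
below are constructed here so the script runs without a real binary.
"""
import struct

ET_EXEC = 2   # position-dependent executable: nm prints absolute addresses
ET_DYN = 3    # shared object or PIE: nm prints offsets from a load base


def parse_elf_header(data: bytes) -> dict:
    """Return class, e_type, e_machine and e_entry from a raw ELF header."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = data[4]             # 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    if ei_class == 2:
        (e_entry,) = struct.unpack_from(endian + "Q", data, 24)
    else:
        (e_entry,) = struct.unpack_from(endian + "I", data, 24)
    return {"class": 64 if ei_class == 2 else 32, "type": e_type,
            "machine": e_machine, "entry": e_entry}


def is_pie(data: bytes) -> bool:
    """True when the binary is ET_DYN, i.e. nm offsets are not absolute."""
    return parse_elf_header(data)["type"] == ET_DYN


def parse_nm_symbol(nm_output: str, symbol: str) -> int:
    """Replicates `nm binary | grep symbol | cut -d' ' -f1`, but exact-match."""
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == symbol:
            return int(parts[0], 16)
    raise KeyError(symbol)


def afl_entry_point(data: bytes, nm_address: int, load_base: int = 0) -> int:
    """Absolute address for AFL_ENTRY_POINT.

    ET_EXEC: the nm value is already absolute.
    ET_DYN:  the nm value is an offset; it must be rebased with the address
             QEMU maps the binary at (load_base, supplied by the caller and
             an assumption of this example), or the binary rebuilt with -no-pie.
    """
    e_type = parse_elf_header(data)["type"]
    if e_type == ET_EXEC:
        return nm_address
    if e_type == ET_DYN:
        if load_base == 0:
            raise ValueError("PIE binary: nm offset %#x is not absolute; "
                             "pass load_base or rebuild with -no-pie" % nm_address)
        return load_base + nm_address
    raise ValueError("unsupported e_type %d" % e_type)


def make_header(e_type: int, e_entry: int, elf64: bool = True) -> bytes:
    """Constructed sample: minimal little-endian ELF header (x86-64 or i386)."""
    ident = b"\x7fELF" + bytes([2 if elf64 else 1, 1, 1, 0]) + b"\x00" * 8
    if elf64:
        body = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, e_entry,
                           64, 0, 0, 64, 56, 0, 64, 0, 0)
    else:
        body = struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, e_entry,
                           52, 0, 0, 52, 32, 0, 40, 0, 0)
    return ident + body


# Constructed sample inputs: a non-PIE and a PIE build of the same harness.
NON_PIE_HEADER = make_header(ET_EXEC, 0x401020)
PIE_HEADER = make_header(ET_DYN, 0x1020)
NM_NON_PIE = "00000000004012f2 T forkserver\n0000000000401020 T _start\n"
NM_PIE = "00000000000012f2 T forkserver\n0000000000001020 T _start\n"


if __name__ == "__main__":
    for label, hdr, nm_out in (("non-PIE", NON_PIE_HEADER, NM_NON_PIE),
                               ("PIE", PIE_HEADER, NM_PIE)):
        addr = parse_nm_symbol(nm_out, "forkserver")
        print("%s: nm says forkserver=%#x, PIE=%s" % (label, addr, is_pie(hdr)))
        try:
            print("  AFL_ENTRY_POINT=%#x" % afl_entry_point(hdr, addr))
        except ValueError as err:
            print("  refusing:", err)
```

A practitioner would run the equivalent check against the real harness with `readelf -h bspfuzz | grep Type` (EXEC vs DYN) before trusting the `nm` pipeline in afl_run.sh; the reported `000012f2`, a small offset rather than an address in the binary's mapped range, is the symptom this check turns into an explicit error.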
Replying to @_niklasb
...yup. I disabled ASLR but forgot about PIE. It does still segfault but it at least prints out startpoint() now.
2 replies 0 retweets 0 likes -
Replying to @Blurbdust
You probably have to fix the offsets here too:https://github.com/niklasb/bspfuzz/blob/master/main.cpp#L80 …
1 reply 0 retweets 0 likes -
Replying to @_niklasb
Yeah, I have only been able to find CModelLoader::FindModel in engine.so and not *GetModelForName. I've checked with Binja, r2, and Hopper. FindModel should be called within GetModel and there are 5 x-refs but nothing stands out.
1 reply 0 retweets 0 likes -
Replying to @Blurbdust
There are no symbols, just a little reversing exercise :) I used IDA for everything, so can't help you with the other tools
2 replies 0 retweets 0 likes -
Replying to @_niklasb
Thanks for all the help! I appreciate it! I'm sorry it was something dumb like not checking for PIE.
1 reply 0 retweets 0 likes
No worries, that was my bad, I should have known that it was a bad idea to rely on 16.04 behaviour here! Now it's fixed for everybody :)