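#-----------------------------------------------------------------------
# __afl_maybe_log -- AFL-style edge-coverage trampoline
# Target:  x86-64, System V ABI, GAS Intel syntax, `#` comments.
#          The {name} tokens look like placeholders that the emitting tool
#          substitutes (presumably with PLT/call targets and fd numbers)
#          before this is assembled -- confirm against the emitter.
#
# In:      rcx = caller-supplied location id for the current block
# Effect:  byte [area + (rcx ^ __afl_prev_loc)] is incremented and
#          __afl_prev_loc becomes (rcx ^ __afl_prev_loc) >> 1.
#          There is no bounds check on the index; keeping the id inside
#          the mapped area is the emitter's contract.
# Clobb:   rax (its low 16 bits carry the saved flags on return), rcx,
#          rdx.  All other registers and EFLAGS are preserved
#          (lahf/seto on entry, add/sahf on exit).
# Stack:   the fast path touches no stack.  The one-time setup path carves
#          a 352-byte save area below rsp.  NOTE(review): that is only safe
#          if the call site already moved rsp past the 128-byte red zone
#          and saved rax/rcx/rdx itself -- confirm against the trampoline
#          that emits `call __afl_maybe_log`.
#
# Data:    the .quad/.long cells at the end are written at run time
#          (inc/mov into them), so they must live in a writable section.
#          No .section directive is present in this file; if the emitter
#          drops the whole block into .text, the writes either fault under
#          W^X or require a writable text page -- confirm with the emitter.
#-----------------------------------------------------------------------
__afl_maybe_log:
    lahf                                        # ah = SF/ZF/AF/PF/CF
    seto al                                     # al = OF (0 or 1)
    mov rdx, qword ptr [rip + __afl_area_ptr]
    test rdx, rdx
    je __afl_setup                              # bitmap not mapped yet in this process
__afl_store:
    # rcx = cur ^ prev ; prev = (cur ^ prev) >> 1
    xor rcx, qword ptr [rip + __afl_prev_loc]
    xor qword ptr [rip + __afl_prev_loc], rcx
    shr qword ptr [rip + __afl_prev_loc], 1
    inc byte ptr [rdx + rcx]                    # 8-bit hit counter, wraps on overflow
__afl_return:
    add al, 127                                 # al in {0,1}: 1+127 overflows -> OF restored
    sahf                                        # SF/ZF/AF/PF/CF back from ah
    ret

__afl_setup:
    # A previous setup attempt failed: do not retry on every hit.
    cmp byte ptr [rip + __afl_setup_failure], 0
    jne __afl_return
    # Another instrumented unit already mapped the area; reuse its pointer.
    lea rdx, qword ptr [rip + __afl_global_area_ptr]
    mov rdx, qword ptr [rdx]
    test rdx, rdx
    je __afl_setup_first
    mov qword ptr [rip + __afl_area_ptr], rdx
    jmp __afl_store

__afl_setup_first:
    # Save every caller-saved register the libc calls below may touch.
    # Save-area layout (352 bytes):
    #   0 rax, 8 rcx, 16 rdi, 32 rsi, 40 r8, 48 r9, 56 r10, 64 r11,
    #   96 + 16*n: xmm_n (n = 0..15, full 128 bits; slots end at 352).
    # rdx is deliberately not saved: it is the area pointer from here on.
    # The xmm slots are 16 bytes apart, so the full register is stored with
    # movdqu (rsp alignment is not guaranteed at this point).  A 64-bit
    # movq here would leave the upper halves exposed to the calls below.
    lea rsp, qword ptr [rsp - 352]
    mov qword ptr [rsp], rax
    mov qword ptr [rsp+8], rcx
    mov qword ptr [rsp+16], rdi
    mov qword ptr [rsp+32], rsi
    mov qword ptr [rsp+40], r8
    mov qword ptr [rsp+48], r9
    mov qword ptr [rsp+56], r10
    mov qword ptr [rsp+64], r11
    movdqu xmmword ptr [rsp+96], xmm0
    movdqu xmmword ptr [rsp+112], xmm1
    movdqu xmmword ptr [rsp+128], xmm2
    movdqu xmmword ptr [rsp+144], xmm3
    movdqu xmmword ptr [rsp+160], xmm4
    movdqu xmmword ptr [rsp+176], xmm5
    movdqu xmmword ptr [rsp+192], xmm6
    movdqu xmmword ptr [rsp+208], xmm7
    movdqu xmmword ptr [rsp+224], xmm8
    movdqu xmmword ptr [rsp+240], xmm9
    movdqu xmmword ptr [rsp+256], xmm10
    movdqu xmmword ptr [rsp+272], xmm11
    movdqu xmmword ptr [rsp+288], xmm12
    movdqu xmmword ptr [rsp+304], xmm13
    movdqu xmmword ptr [rsp+320], xmm14
    movdqu xmmword ptr [rsp+336], xmm15

    # r12 anchors the frame so rsp can be realigned to 16 for the calls.
    push r12
    mov r12, rsp
    sub rsp, 16
    and rsp, 0xfffffffffffffff0

    # area = shmat(atoi(getenv("__AFL_SHM_ID")), NULL, 0)
    lea rdi, qword ptr [rip + AFL_SHM_ENV]
    call {getenv}
    test rax, rax
    je __afl_setup_abort                        # env var absent: not running under the fuzzer
    mov rdi, rax
    call {atoi}                                 # no validation of the id string beyond atoi
    xor rdx, rdx # shmat flags
    xor rsi, rsi # requested addr
    mov rdi, rax # SHM ID
    call {shmat}
    cmp rax, -1                                 # shmat returns (void *)-1 on failure
    je __afl_setup_abort
    mov qword ptr [rip + __afl_area_ptr], rax
    lea rdx, qword ptr [rip + __afl_global_area_ptr]
    mov qword ptr [rdx], rax                    # publish for other instrumented units
    mov rdx, rax                                # rdx = area pointer for __afl_store

__afl_forkserver:
    # forkserver mode!
    # Keep the area pointer on the stack across the calls; two pushes keep
    # rsp 16-byte aligned after the `and` above.
    push rdx
    push rdx

    # Handshake: 4 bytes to the fuzzer.  If nobody is listening (short
    # write), fall through to a plain standalone run.
    mov rdx, 4 # length
    lea rsi, qword ptr [rip + __afl_temp] # data
    mov rdi, {FORKSRV_FD_1} # file desc
    call {write}
    cmp rax, 4
    jne __afl_fork_resume

__afl_fork_wait_loop:
    # Block until the fuzzer sends a 4-byte "go"; anything else is fatal.
    mov rdx, 4 # length
    lea rsi, qword ptr [rip + __afl_temp] # data
    mov rdi, {FORKSRV_FD} # file desc
    call {read}
    cmp rax, 4
    jne __afl_die
    call {fork}
    cmp rax, 0
    jl __afl_die                                # fork failed
    je __afl_fork_resume                        # child: run the target
    # Parent: report the child pid, wait for it, report its status, repeat.
    mov dword ptr [rip + __afl_fork_pid], eax
    mov rdx, 4 # length
    lea rsi, dword ptr [rip + __afl_fork_pid] # data
    mov rdi, {FORKSRV_FD_1}
    call {write}
    mov rdx, 0 # no flags
    lea rsi, dword ptr [rip + __afl_temp] # status
    mov edi, dword ptr [rip + __afl_fork_pid] # PID (pid_t is 32-bit; a qword load would spill into __afl_temp)
    call {waitpid}
    cmp rax, 0
    jle __afl_die
    mov rdx, 4 # length
    lea rsi, dword ptr [rip + __afl_temp] # data
    mov rdi, {FORKSRV_FD_1} # file desc
    call {write}
    jmp __afl_fork_wait_loop

__afl_fork_resume:
    # Child (or standalone run): drop the control fds, restore everything
    # and fall into the normal store path with rdx = area pointer.
    mov rdi, {FORKSRV_FD}
    call {close}
    mov rdi, {FORKSRV_FD_1}
    call {close}
    pop rdx
    pop rdx
    mov rsp, r12
    pop r12
    mov rax, qword ptr [rsp]
    mov rcx, qword ptr [rsp+8]
    mov rdi, qword ptr [rsp+16]
    mov rsi, qword ptr [rsp+32]
    mov r8, qword ptr [rsp+40]
    mov r9, qword ptr [rsp+48]
    mov r10, qword ptr [rsp+56]
    mov r11, qword ptr [rsp+64]
    movdqu xmm0, xmmword ptr [rsp+96]
    movdqu xmm1, xmmword ptr [rsp+112]
    movdqu xmm2, xmmword ptr [rsp+128]
    movdqu xmm3, xmmword ptr [rsp+144]
    movdqu xmm4, xmmword ptr [rsp+160]
    movdqu xmm5, xmmword ptr [rsp+176]
    movdqu xmm6, xmmword ptr [rsp+192]
    movdqu xmm7, xmmword ptr [rsp+208]
    movdqu xmm8, xmmword ptr [rsp+224]
    movdqu xmm9, xmmword ptr [rsp+240]
    movdqu xmm10, xmmword ptr [rsp+256]
    movdqu xmm11, xmmword ptr [rsp+272]
    movdqu xmm12, xmmword ptr [rsp+288]
    movdqu xmm13, xmmword ptr [rsp+304]
    movdqu xmm14, xmmword ptr [rsp+320]
    movdqu xmm15, xmmword ptr [rsp+336]
    lea rsp, qword ptr [rsp + 352]
    jmp __afl_store

__afl_die:
    # Protocol error or failed fork/wait.  rdi is not set here, so the exit
    # status is whatever the last call left in it -- presumably accepted
    # as-is upstream; confirm if a deterministic status is wanted.
    xor rax, rax
    call {exit}

__afl_setup_abort:
    # Remember the failure (checked in __afl_setup), restore the registers
    # saved in __afl_setup_first and return without logging.  Reached only
    # before the two `push rdx`, so no pops are needed before `mov rsp, r12`.
    inc byte ptr [rip + __afl_setup_failure]
    mov rsp, r12
    pop r12
    mov rax, qword ptr [rsp]
    mov rcx, qword ptr [rsp+8]
    mov rdi, qword ptr [rsp+16]
    mov rsi, qword ptr [rsp+32]
    mov r8, qword ptr [rsp+40]
    mov r9, qword ptr [rsp+48]
    mov r10, qword ptr [rsp+56]
    mov r11, qword ptr [rsp+64]
    movdqu xmm0, xmmword ptr [rsp+96]
    movdqu xmm1, xmmword ptr [rsp+112]
    movdqu xmm2, xmmword ptr [rsp+128]
    movdqu xmm3, xmmword ptr [rsp+144]
    movdqu xmm4, xmmword ptr [rsp+160]
    movdqu xmm5, xmmword ptr [rsp+176]
    movdqu xmm6, xmmword ptr [rsp+192]
    movdqu xmm7, xmmword ptr [rsp+208]
    movdqu xmm8, xmmword ptr [rsp+224]
    movdqu xmm9, xmmword ptr [rsp+240]
    movdqu xmm10, xmmword ptr [rsp+256]
    movdqu xmm11, xmmword ptr [rsp+272]
    movdqu xmm12, xmmword ptr [rsp+288]
    movdqu xmm13, xmmword ptr [rsp+304]
    movdqu xmm14, xmmword ptr [rsp+320]
    movdqu xmm15, xmmword ptr [rsp+336]
    lea rsp, qword ptr [rsp + 352]
    jmp __afl_return

# Run-time state (written by the code above; must be in a writable section).
__afl_area_ptr:                                 # per-unit pointer to the shared bitmap
    .quad 0x0
__afl_prev_loc:                                 # previous location id, shifted right by 1
    .quad 0x0
__afl_setup_failure:                            # non-zero once setup has failed (byte accessed)
    .quad 0x0
__afl_global_area_ptr:                          # bitmap pointer shared with other instrumented units
    .quad 0x0
__afl_fork_pid:                                 # last forked child pid (32-bit)
    .long 0x0
__afl_temp:                                     # 4-byte scratch for the fork-server messages / wait status
    .long 0x0
AFL_SHM_ENV:                                    # name of the env var holding the SysV shm id
    .string "__AFL_SHM_ID"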