├── README.md ├── ReplaceFunction ├── CMakeLists.txt └── ReplaceFunction.cpp ├── llvm-setup.sh ├── replace.sh ├── replace2functions.sh ├── run.sh ├── test.sh └── tests ├── arguments ├── mode1 │ ├── withArgs │ ├── withArgs.bc │ ├── withArgs.c │ ├── withArgs.cfg │ ├── withArgs.ll │ ├── withArgs.log │ ├── withArgs.new │ ├── withArgs.new.bc │ ├── withArgs.new.o │ ├── withArgsReplacement │ ├── withArgsReplacement.bc │ ├── withArgsReplacement.c │ ├── withArgsReplacement.cfg │ ├── withArgsReplacement.ll │ ├── withArgsReplacement.log │ └── withArgsReplacement.o └── mode2 │ ├── withArgs │ ├── withArgs.bc │ ├── withArgs.c │ ├── withArgs.cfg │ ├── withArgs.ll │ ├── withArgs.log │ ├── withArgs.new │ ├── withArgs.new.bc │ ├── withArgs.new.o │ ├── withArgsReplacement │ ├── withArgsReplacement.bc │ ├── withArgsReplacement.c │ ├── withArgsReplacement.cfg │ ├── withArgsReplacement.ll │ ├── withArgsReplacement.log │ ├── withArgsReplacement.new.bc │ └── withArgsReplacement.new.o ├── basic ├── mode1 │ ├── basic │ ├── basic.bc │ ├── basic.c │ ├── basic.cfg │ ├── basic.ll │ ├── basic.log │ ├── basic.new │ ├── basic.new.bc │ ├── basic.new.o │ ├── basicReplacement │ ├── basicReplacement.bc │ ├── basicReplacement.c │ ├── basicReplacement.cfg │ ├── basicReplacement.ll │ ├── basicReplacement.log │ ├── basicReplacement.new.bc │ ├── basicReplacement.new.o │ └── basicReplacement.o └── mode2_notReplaced │ ├── basic │ ├── basic.bc │ ├── basic.c │ ├── basic.cfg │ ├── basic.ll │ ├── basic.log │ ├── basic.new │ ├── basic.new.bc │ ├── basic.new.o │ ├── basicReplacement │ ├── basicReplacement.bc │ ├── basicReplacement.c │ ├── basicReplacement.cfg │ ├── basicReplacement.ll │ ├── basicReplacement.log │ ├── basicReplacement.new.bc │ └── basicReplacement.new.o ├── crypto ├── AES-CBC-decrypt.c ├── AES-CBC-encrypt.c ├── base64decode.c ├── base64decode.h ├── base64encode.c ├── base64encode.h ├── decrypt ├── mode1 │ ├── encrypt │ ├── encrypt.bc │ ├── encrypt.cfg │ ├── encrypt.ll │ ├── encrypt.log │ ├── 
encrypt.new │ ├── encrypt.new.bc │ ├── encrypt.new.o │ ├── replaceIV_mode1 │ ├── replaceIV_mode1.bc │ ├── replaceIV_mode1.c │ ├── replaceIV_mode1.cfg │ ├── replaceIV_mode1.ll │ ├── replaceIV_mode1.log │ └── replaceIV_mode1.o └── mode2 │ ├── encrypt │ ├── encrypt.bc │ ├── encrypt.cfg │ ├── encrypt.ll │ ├── encrypt.log │ ├── encrypt.new │ ├── encrypt.new.bc │ ├── encrypt.new.o │ ├── replaceIV_mode2 │ ├── replaceIV_mode2.bc │ ├── replaceIV_mode2.c │ ├── replaceIV_mode2.cfg │ ├── replaceIV_mode2.ll │ ├── replaceIV_mode2.log │ ├── replaceIV_mode2.new.bc │ └── replaceIV_mode2.new.o ├── fopen ├── mode1 │ ├── myfopen │ ├── myfopen.bc │ ├── myfopen.c │ ├── myfopen.cfg │ ├── myfopen.ll │ ├── myfopen.log │ ├── myfopen.o │ ├── myfopen.so │ ├── prog │ ├── prog.bc │ ├── prog.c │ ├── prog.cfg │ ├── prog.ll │ ├── prog.log │ ├── prog.new │ ├── prog.new.bc │ ├── prog.new.o │ └── test.txt ├── mode1_usefopen │ ├── myfopen │ ├── myfopen.bc │ ├── myfopen.c │ ├── myfopen.cfg │ ├── myfopen.ll │ ├── myfopen.log │ ├── myfopen.new.bc │ ├── myfopen.new.o │ ├── myfopen.o │ ├── prog │ ├── prog.bc │ ├── prog.c │ ├── prog.cfg │ ├── prog.ll │ ├── prog.log │ ├── prog.new │ ├── prog.new.bc │ └── prog.new.o ├── mode2 │ ├── myfopen │ ├── myfopen.bc │ ├── myfopen.c │ ├── myfopen.cfg │ ├── myfopen.ll │ ├── myfopen.log │ ├── myfopen.new.bc │ ├── myfopen.new.o │ ├── myfopen.o │ ├── prog │ ├── prog.bc │ ├── prog.c │ ├── prog.cfg │ ├── prog.ll │ ├── prog.log │ ├── prog.new │ ├── prog.new.bc │ └── prog.new.o └── test.txt └── stripped_crypto ├── mode1 ├── encryptStripped ├── encryptStripped.bc ├── encryptStripped.cfg ├── encryptStripped.ll ├── encryptStripped.log ├── encryptStripped.new ├── encryptStripped.new.bc ├── encryptStripped.new.o ├── replaceIV_mode1 ├── replaceIV_mode1.bc ├── replaceIV_mode1.c ├── replaceIV_mode1.cfg ├── replaceIV_mode1.ll ├── replaceIV_mode1.log └── replaceIV_mode1.o └── mode2 ├── encryptStripped ├── encryptStripped.bc ├── encryptStripped.cfg ├── encryptStripped.ll ├── 
encryptStripped.log ├── encryptStripped.new ├── encryptStripped.new.bc ├── encryptStripped.new.o ├── replaceIV_mode2 ├── replaceIV_mode2.bc ├── replaceIV_mode2.c ├── replaceIV_mode2.cfg ├── replaceIV_mode2.ll ├── replaceIV_mode2.log ├── replaceIV_mode2.new.bc └── replaceIV_mode2.new.o /README.md: -------------------------------------------------------------------------------- 1 | # Fennec 2 | 3 | Fennec enables post-compilation function call changes; for an arbitrary x86-64 ELF binary, a user can write a function that will be substituted in for a given function in the binary. Fennec will output a new compiled binary that is identical to the original, except that the specified function will be replaced by the new function. This process requires no runtime linking, nor access to the source code of the binary. 4 | 5 | ## Modes 6 | Fennec allows a choice of two modes, to be specified at runtime using either a `1` or a `2` in the command. 7 | 1. **Single Function Replacement**: This mode should be used for "normal" cases of function replacement, when there is no use for the original function that you are replacing. If you wish to replace the function no matter what, and do not need to call it anywhere else, this is the appropriate mode. 8 | 2. **Dual Function Replacement**: This mode allows you to access the original function from your replacement function. If you wish to test something about the original function or use its result in some manner when you are replacing it, this is the appropriate mode. For example, if your replacement function were used simply to modify the output of the original in some way, this would be the appropriate mode, as you would be able to call the original function in your replacement function. 9 | 10 | ## Usage 11 | 12 | #### Installation 13 | 14 | First, clone this repository using `git clone https://github.com/trailofbits/fennec` and navigate into the directory. 
15 | 16 | ##### McSema Setup 17 | You will need a working copy of McSema and Remill - specifically, version 2.0.0. Build instructions can be found at https://github.com/trailofbits/mcsema/tree/v2.0.0. This requires a copy of IDA Pro. 18 | 19 | ##### LLVM Setup 20 | You will need a copy of LLVM 4.0.1. Then, you must register the pass that will replace a function. To do this, run `bash llvm-setup.sh`. This step might take some time. 21 | 22 | ##### Binary Setup 23 | 24 | To use Fennec, you will need two binaries: the binary you wish to modify, and a binary containing the function you would like to swap into the original. For your replacement binary, the function you wish to use should have a different name from the original, and the `main` function can be anything. 25 | 26 | If you are using mode 2, you will also need to create a stub function as a placeholder for the original function that you're going to be replacing. Make sure to call it something different from the original so the tool can differentiate between them. In your replacement function, you'll want to call this stub where you eventually want to call the original function. 27 | 28 | #### Commands 29 | 30 | To replace your function, run the following command: 31 | 32 | `bash run.sh [mode (1 or 2)] [path to remill-build directory] [path to IDA Pro] [original binary] [replacement binary] [name of original function] [name of replacement function] [if using mode 2: name of stub function] [any necessary compilation flags]` 33 | 34 | #### Testing 35 | 36 | To test your installation process, run `bash test.sh [path to remill-build directory] [path to IDA Pro]`. This will check several examples, found in the `tests` directory. 37 | 38 | ## FAQ 39 | 40 | #### Where does the name come from? 41 | Fennec is named after the fennec fox, which digs burrows that connect to other foxes' burrows, creating complex tunnel systems in the sand dunes where they live. 42 | 43 | #### Does Fennec work on stripped binaries? 
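Yes! Simply specify the stripped function address as it appears in the binary (for example, `sub_400df0`) as the name of the original function.

#### Can I use Fennec to change dynamically loaded functions?
Yes again! Replacing dynamically loaded functions (for example, `glibc` functions such as `printf` or `fopen`) works the same way as normal function replacement. In Mode 1, you can continue to use the original function as usual in your replacement function. In other words, there is no need to switch to Mode 2 to retain access to it, so your replacement function can still call the same library function as it worked originally. Alternatively, you can use Mode 2 and create a stub function to replace. These two options will have the same outcome.
--------------------------------------------------------------------------------
/ReplaceFunction/CMakeLists.txt:
--------------------------------------------------------------------------------
add_llvm_loadable_module( LLVMReplaceFunction
  ReplaceFunction.cpp

  PLUGIN_TOOL
  opt
  )
--------------------------------------------------------------------------------
/ReplaceFunction/ReplaceFunction.cpp:
--------------------------------------------------------------------------------
#include "llvm/Pass.h"
#include "llvm/IR/Function.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/IR/InstrTypes.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/CallSite.h"
#include "llvm/Support/ErrorHandling.h"
#include <vector>
#include "llvm/Support/CommandLine.h"
#include <string>

using namespace llvm;

// Names of the callee to redirect away from (-original) and the callee to
// redirect to (-replacement), taken from the opt command line. Both are the
// names as they appear in the lifted module (replace.sh resolves the
// sub_/ext_ prefixes McSema adds before invoking the pass).
cl::opt<std::string> OriginalFunction("original", cl::desc(""), cl::Required);
cl::opt<std::string> ReplacementFunction("replacement", cl::desc(""), cl::Required);

namespace {
// Function pass: every direct call to the function named by -original is
// rewritten into a call with the same operands to the function named by
// -replacement. The replacement is declared in the module on first use with
// the original callee's exact FunctionType (including varargs), so the new
// call is type-correct by construction. Only CallInst with a statically
// known callee is handled: indirect calls and invoke instructions are left
// untouched, so a function reached only through a pointer is not redirected.
struct ReplaceFunction : public FunctionPass {
  static char ID;
  ReplaceFunction() : FunctionPass(ID) {}

  // Returns the replacement function, declaring it in M with type FT if it
  // does not exist yet. getOrInsertFunction hands back a bitcast constant
  // rather than a Function when a same-named symbol of a different type
  // already exists; the previous unchecked C-style cast turned that case
  // into undefined behaviour, so it now aborts the run instead.
  static Function *getReplacement(Module &M, FunctionType *FT) {
    Constant *C = M.getOrInsertFunction(ReplacementFunction, FT);
    Function *Repl = dyn_cast<Function>(C);
    if (!Repl)
      report_fatal_error(Twine("replaceFunction: '") + ReplacementFunction +
                         "' already exists in the module with a different type");
    return Repl;
  }

  // Rewrites the call sites inside F. Returns true when at least one call
  // was redirected, false when F was left unchanged.
  bool runOnFunction(Function &F) override {
    Function *newFunction = nullptr;
    // Redirected calls are collected here and erased after the walk so the
    // basic-block iteration never runs over an instruction it just removed.
    std::vector<Instruction *> dels;

    for (auto &B : F) {
      for (auto &I : B) {
        auto *op = dyn_cast<CallInst>(&I);
        if (!op)
          continue;
        Function *callee = op->getCalledFunction(); // null for indirect calls
        if (!callee || callee->getName() != OriginalFunction)
          continue;

        // Resolve the replacement lazily, once per function, using the
        // original callee's own type rather than a rebuilt non-variadic copy.
        if (!newFunction)
          newFunction = getReplacement(*F.getParent(), callee->getFunctionType());

        // Same operands, same calling convention and tail-call marker as the
        // call being replaced.
        IRBuilder<> builder(op);
        std::vector<Value *> arguments(op->arg_begin(), op->arg_end());
        CallInst *newCall = builder.CreateCall(newFunction, arguments);
        newCall->setCallingConv(op->getCallingConv());
        newCall->setTailCallKind(op->getTailCallKind());

        // replaceAllUsesWith walks the use list safely; the earlier version
        // called setOperand on each use while iterating op->uses(), which
        // mutates the list it is iterating.
        op->replaceAllUsesWith(newCall);
        dels.push_back(op);
      }
    }

    // Every redirected call has no uses left, so it can be erased outright.
    for (Instruction *I : dels)
      I->eraseFromParent();
    return !dels.empty();
  }
};
} // namespace

// register pass
char ReplaceFunction::ID = 0;
static RegisterPass<ReplaceFunction> X("replaceFunction", "ReplaceFunction Pass", false, false);
--------------------------------------------------------------------------------
/llvm-setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Fetch LLVM 4.0.1, build it, then build the ReplaceFunction pass in-tree so
# run.sh can load llvm/build/lib/LLVMReplaceFunction.so.
#
# Usage: bash llvm-setup.sh
#   LLVM_SRC_SHA256  optional; when set, the downloaded tarball must match
#                    this sha256 or the script stops before unpacking it.
set -euo pipefail

LLVM_VERSION=4.0.1
TARBALL="llvm-${LLVM_VERSION}.src.tar.xz"

# Fetched over https: this source is compiled and then run against whatever
# binaries the user feeds Fennec, so the download path should not be
# tamperable in transit.
wget "https://releases.llvm.org/${LLVM_VERSION}/${TARBALL}"
if [ -n "${LLVM_SRC_SHA256:-}" ]; then
    echo "${LLVM_SRC_SHA256}  ${TARBALL}" | sha256sum -c -
fi
tar xf "${TARBALL}"
mv "llvm-${LLVM_VERSION}.src" llvm
cd llvm
mkdir build
cd build
cmake -G "Unix Makefiles" ..
make
# Register the pass as an in-tree loadable module, then rebuild to produce it.
mv ../../ReplaceFunction ../lib/Transforms
echo "add_subdirectory(ReplaceFunction)" >> ../lib/Transforms/CMakeLists.txt
make
# The pattern is quoted so the shell cannot glob it against files in cwd.
version=$(./bin/opt --version | grep "LLVM version" | grep -o '[0-9.]*' | xargs)
# Plain shell comparison instead of interpolating $version into a python
# expression: needs no python and does not evaluate the string's contents.
if [ "${version}" != "${LLVM_VERSION}" ]; then
    echo "expected LLVM ${LLVM_VERSION}, built ${version}" >&2
    exit 1
fi
--------------------------------------------------------------------------------
/replace.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# MODE 1
# use this mode if you have no use for the original function and want to replace
# it no matter what
# this will perform a single function replacement

remillPath=$1 # path to remill-build directory in copy of McSema
llvmPath=$2 # path to build directory in copy of LLVM
idaPath=$3 # path to copy of IDA
original=$4 # original binary, containing function that you want to replace
replacement=$5 # replacement binary, containing the new function
originalFunction=$6 # name of original function
newFunction=$7 # name of replacement function
flags=$8 # any compilation flags/libraries to link

# generate .cfg file, then lift to bitcode for original binary
mcsema-disass --disassembler $idaPath --os linux --arch amd64 --output $original.cfg --binary $original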
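--entrypoint main --log_file $original.log
mcsema-lift-4.0 --arch amd64 --os linux --cfg $original.cfg --output $original.bc
# generate .cfg file, then lift to bitcode for replacement binary
# because McSema alters the way functions are called, this allows us to replace the function easily
mcsema-disass --disassembler $idaPath --os linux --arch amd64 --output $replacement.cfg --binary $replacement --entrypoint main --log_file $replacement.log
mcsema-lift-4.0 --arch amd64 --os linux --cfg $replacement.cfg --output $replacement.bc

# turn both bitcode files into .ll files
# no "./" prefix: the paths are used exactly as given, so an absolute
# remill-build path works as well as a relative one ("./" + "/abs/path"
# silently became a relative path before)
$remillPath/libraries/llvm/bin/llvm-dis $replacement.bc
$remillPath/libraries/llvm/bin/llvm-dis $original.bc
# drop the "internal" linkage McSema gives lifted functions and globals so
# they can be referenced from the other module; only the linkage keyword at
# the start of a definition is touched, so the word "internal" inside symbol
# names or string constants (c"...") is no longer corrupted
sed -i 's/^define internal /define /; s/^\(@[^ ]* = \)internal /\1/' $replacement.ll
# find new names of functions, based on McSema's changes; patterns are quoted
# so the shell does not glob them against files in the working directory
functionToReplace=$(grep -o -m 1 "sub_[^_]*_*$originalFunction" $original.ll)
exitCode=$?
if [ "$exitCode" != '0' ] # replacing a library function (or grep failed)
then
    functionToReplace=$(grep -o -m 1 "ext_[^_]*_*$originalFunction" $original.ll)
    exitCode2=$?
    if [ "$exitCode2" != '0' ] # a stripped binary, where function name is the address
    then
        functionToReplace=$originalFunction
    fi
fi
replacementFunction=$(grep -o -m 1 "sub_[^_]*_*$newFunction" $replacement.ll)
# recompile altered replacement .ll to bitcode
$remillPath/libraries/llvm/bin/llvm-as -o $replacement.bc $replacement.ll

# run pass on original bitcode to replace function
$llvmPath/bin/opt -load $llvmPath/lib/LLVMReplaceFunction.so -replaceFunction < $original.bc -original $functionToReplace -replacement $replacementFunction > $original.new.bc

# recompile to [original].new
$remillPath/libraries/llvm/bin/llc -filetype=obj $original.new.bc
$remillPath/libraries/llvm/bin/llc -filetype=obj $replacement.ll
remill-clang-4.0 -Xlinker --allow-multiple-definition -o $original.new $original.new.o $replacement.o /usr/local/lib/libmcsema_rt64-4.0.a $flags
--------------------------------------------------------------------------------
/replace2functions.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# MODE 2
# use this mode if you wish to keep a copy of the original function and
# use it within your replacement
# for example, if you want to check a certain characteristic of the original
# function, and replace it only if it meets a particular condition, this mode
# will allow you to call the original function from your replacement

remillPath=$1 # path to remill-build directory in copy of McSema
llvmPath=$2 # path to build directory in copy of LLVM
idaPath=$3 # path to copy of IDA
original=$4 # original binary, containing function that you want to replace
replacement=$5 # replacement binary, containing the new function
originalFunction=$6 # name of original function
newFunction=$7 # name of replacement function
originalStub=$8 # name of stub function being called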
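within replacement function, representing original function that is being replaced
flags=$9 # any compilation flags/libraries to link

# generate .cfg file, then lift to bitcode for original binary
mcsema-disass --disassembler $idaPath --os linux --arch amd64 --output $original.cfg --binary $original --entrypoint main --log_file $original.log
mcsema-lift-4.0 --arch amd64 --os linux --cfg $original.cfg --output $original.bc
# generate .cfg file, then lift to bitcode for replacement binary
# because McSema alters the way functions are called, this allows us to replace the function easily
mcsema-disass --disassembler $idaPath --os linux --arch amd64 --output $replacement.cfg --binary $replacement --entrypoint main --log_file $replacement.log
mcsema-lift-4.0 --arch amd64 --os linux --cfg $replacement.cfg --output $replacement.bc

# turn both bitcode files into .ll files
# no "./" prefix: the paths are used exactly as given, so an absolute
# remill-build path works as well as a relative one
$remillPath/libraries/llvm/bin/llvm-dis $replacement.bc
$remillPath/libraries/llvm/bin/llvm-dis $original.bc
# drop the "internal" linkage McSema gives lifted functions and globals so
# they can be referenced from the other module; only the linkage keyword at
# the start of a definition is touched, so symbol names and string constants
# containing the word "internal" survive - this matters most for the original
# binary, whose data must otherwise stay byte-identical
sed -i 's/^define internal /define /; s/^\(@[^ ]* = \)internal /\1/' $replacement.ll
sed -i 's/^define internal /define /; s/^\(@[^ ]* = \)internal /\1/' $original.ll
# find new names of functions, based on McSema's changes; patterns are quoted
# so the shell does not glob them against files in the working directory
functionToReplace=$(grep -o -m 1 "sub_[^_]*_*$originalFunction" $original.ll)
exitCode=$?
if [ "$exitCode" != '0' ] # replacing a library function (or grep failed)
then
    functionToReplace=$(grep -o -m 1 "ext_[^_]*_*$originalFunction" $original.ll)
    exitCode2=$?
    if [ "$exitCode2" != '0' ] # a stripped binary, where function name is the address
    then
        functionToReplace=$originalFunction
    fi
fi
replacementFunction=$(grep -o -m 1 "sub_[^_]*_*$newFunction" $replacement.ll)
oldFunctionStub=$(grep -o -m 1 "sub_[^_]*_*$originalStub" $replacement.ll)
# recompile to bitcode
$remillPath/libraries/llvm/bin/llvm-as -o $replacement.bc $replacement.ll
$remillPath/libraries/llvm/bin/llvm-as -o $original.bc $original.ll

# run pass on original bitcode to replace function
$llvmPath/bin/opt -load $llvmPath/lib/LLVMReplaceFunction.so -replaceFunction < $original.bc -original $functionToReplace -replacement $replacementFunction > $original.new.bc
# run pass on replacement bitcode to provide access to original function in replacement function
$llvmPath/bin/opt -load $llvmPath/lib/LLVMReplaceFunction.so -replaceFunction < $replacement.bc -original $oldFunctionStub -replacement $functionToReplace > $replacement.new.bc

# recompile to [original].new
$remillPath/libraries/llvm/bin/llc -filetype=obj $original.new.bc
$remillPath/libraries/llvm/bin/llc -filetype=obj $replacement.new.bc
remill-clang-4.0 -Xlinker --allow-multiple-definition -o $original.new $original.new.o $replacement.new.o /usr/local/lib/libmcsema_rt64-4.0.a $flags
--------------------------------------------------------------------------------
/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash

remillPath=$2 # path to remill-build directory in copy of McSema
idaPath=$3 # path to copy of IDA
original=$4 # original binary, containing function that you want to replace
replacement=$5 # replacement binary, containing the new function
originalFunction=$6 # name of original function
newFunction=$7 # name of replacement function
llvmPath="llvm/build"

if [ $1 -eq 1 ] # mode 1, i.e.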
not using original function anymore 12 | then 13 | flags=$8 # any compilation flags/libraries to link 14 | bash replace.sh $remillPath $llvmPath $idaPath $original $replacement $originalFunction $newFunction $flags 15 | elif [ $1 -eq 2 ] # mode 2, i.e. storing original function for use in replacement function 16 | then 17 | originalStub=$8 # name of stub function being called within replacement function, representing original function that is being replaced 18 | flags=$9 # any compilation flags/libraries to link 19 | bash replace2functions.sh $remillPath $llvmPath $idaPath $original $replacement $originalFunction $newFunction $originalStub $flags 20 | else 21 | echo "Specify a mode (1 or 2)" 22 | fi 23 | -------------------------------------------------------------------------------- /test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | remillPath=$1 4 | idaPath=$2 5 | 6 | status=0 7 | 8 | # test basic mode 1 9 | bash run.sh 1 $remillPath $idaPath tests/basic/mode1/basic tests/basic/mode1/basicReplacement generate replacement 10 | basicMode1=$(./tests/basic/mode1/basic.new | xargs) 11 | if [ $basicMode1 = '2' ] 12 | then 13 | echo Basic Mode 1 passed 14 | else 15 | echo -e "\e[31mBasic Mode 1 failed\e[0m" 16 | status=1 17 | fi 18 | 19 | # test basic mode 2 20 | bash run.sh 2 $remillPath $idaPath tests/basic/mode2_notReplaced/basic tests/basic/mode2_notReplaced/basicReplacement generate replacement original 21 | basicMode2=$(./tests/basic/mode2_notReplaced/basic.new | xargs) 22 | if [ $basicMode2 = '1' ] 23 | then 24 | echo Basic Mode 2 passed 25 | else 26 | echo -e "\e[31mBasic Mode 2 failed\e[0m" 27 | status=1 28 | fi 29 | 30 | # test arguments mode 1 31 | bash run.sh 1 $remillPath $idaPath tests/arguments/mode1/withArgs tests/arguments/mode1/withArgsReplacement generate replacement 32 | argumentsMode1=$(./tests/arguments/mode1/withArgs.new | xargs) 33 | if [ $argumentsMode1 = '4' ] 34 | then 35 | echo 
Arguments Mode 1 passed 36 | else 37 | echo -e "\e[31mArguments Mode 1 failed\e[0m" 38 | status=1 39 | fi 40 | 41 | # test arguments mode 2 42 | bash run.sh 2 $remillPath $idaPath tests/arguments/mode2/withArgs tests/arguments/mode2/withArgsReplacement generate replacement generate_original 43 | argumentsMode2=$(./tests/arguments/mode2/withArgs.new | xargs) 44 | if [ $argumentsMode2 = '4' ] 45 | then 46 | echo Arguments Mode 2 passed 47 | else 48 | echo -e "\e[31mArguments Mode 2 failed\e[0m" 49 | status=1 50 | fi 51 | 52 | # test encryption mode 1 53 | bash run.sh 1 $remillPath $idaPath tests/crypto/mode1/encrypt tests/crypto/mode1/replaceIV_mode1 generate_iv replacement -lcrypto 54 | encryptMode1Test1=$(./tests/crypto/mode1/encrypt.new "" | head -n 1 | xargs) 55 | encryptMode1Test2=$(./tests/crypto/mode1/encrypt.new "" | head -n 1 | xargs) 56 | if [ $encryptMode1Test1 != $encryptMode1Test2 ] 57 | then 58 | echo Crypto Mode 1 passed 59 | else 60 | echo -e "\e[31mCrypto Mode 1 failed\e[0m" 61 | status=1 62 | fi 63 | 64 | # test encryption mode 2 65 | bash run.sh 2 $remillPath $idaPath tests/crypto/mode2/encrypt tests/crypto/mode2/replaceIV_mode2 generate_iv replacement generate_iv_original -lcrypto 66 | encryptMode2Test1=$(./tests/crypto/mode2/encrypt.new "" | head -n 1 | xargs) 67 | encryptMode2Test2=$(./tests/crypto/mode2/encrypt.new "" | head -n 1 | xargs) 68 | if [ $encryptMode2Test1 != $encryptMode2Test2 ] 69 | then 70 | echo Crypto Mode 2 passed 71 | else 72 | echo -e "\e[31mCrypto Mode 2 failed\e[0m" 73 | status=1 74 | fi 75 | 76 | # test stripped encryption mode 1 77 | bash run.sh 1 $remillPath $idaPath tests/stripped_crypto/mode1/encryptStripped tests/stripped_crypto/mode1/replaceIV_mode1 sub_400df0 replacement -lcrypto 78 | strippedMode1Test1=$(./tests/stripped_crypto/mode1/encryptStripped.new "" | head -n 1 | xargs) 79 | strippedMode1Test2=$(./tests/stripped_crypto/mode1/encryptStripped.new "" | head -n 1 | xargs) 80 | if [ $strippedMode1Test1 != 
$strippedMode1Test2 ] 81 | then 82 | echo Stripped Crypto Mode 1 passed 83 | else 84 | echo -e "\e[31mStripped Crypto Mode 1 failed\e[0m" 85 | status=1 86 | fi 87 | 88 | # test stripped encryption mode 2 89 | bash run.sh 2 $remillPath $idaPath tests/stripped_crypto/mode2/encryptStripped tests/stripped_crypto/mode2/replaceIV_mode2 sub_400df0 replacement generate_iv_original -lcrypto 90 | strippedMode2Test1=$(./tests/stripped_crypto/mode2/encryptStripped.new "" | head -n 1 | xargs) 91 | strippedMode2Test2=$(./tests/stripped_crypto/mode2/encryptStripped.new "" | head -n 1 | xargs) 92 | if [ $strippedMode2Test1 != $strippedMode2Test2 ] 93 | then 94 | echo Stripped Crypto Mode 2 passed 95 | else 96 | echo -e "\e[31mStripped Crypto Mode 2 failed\e[0m" 97 | status=1 98 | fi 99 | 100 | # test fopen mode 1 101 | bash run.sh 1 $remillPath $idaPath tests/fopen/mode1/prog tests/fopen/mode1/myfopen fopen newfopen 102 | fopenMode1=$(./tests/fopen/mode1/prog.new | xargs) 103 | if [ "$fopenMode1" = 'Calling the fopen() function... Always failing fopen fopen() returned NULL' ] 104 | then 105 | echo fopen Mode 1 passed 106 | else 107 | echo -e "\e[31mfopen Mode 1 failed\e[0m" 108 | status=1 109 | fi 110 | 111 | # test fopen mode 1 usefopen 112 | bash run.sh 1 $remillPath $idaPath tests/fopen/mode1_usefopen/prog tests/fopen/mode1_usefopen/myfopen fopen newfopen 113 | fopenMode1usefopen=$(./tests/fopen/mode1_usefopen/prog.new | xargs) 114 | if [ "$fopenMode1usefopen" = 'Calling the fopen() function... fopen has been replaced fopen() succeeded' ] 115 | then 116 | echo fopen Mode 1 usefopen passed 117 | else 118 | echo -e "\e[31mfopen Mode 1 usefopen failed\e[0m" 119 | status=1 120 | fi 121 | 122 | # test fopen mode 2 123 | bash run.sh 2 $remillPath $idaPath tests/fopen/mode2/prog tests/fopen/mode2/myfopen fopen newfopen stub 124 | fopenMode2=$(./tests/fopen/mode2/prog.new | xargs) 125 | if [ "$fopenMode2" = 'Calling the fopen() function... 
fopen has been replaced fopen() succeeded' ] 126 | then 127 | echo fopen Mode 2 passed 128 | else 129 | echo -e "\e[31mfopen Mode 2 failed\e[0m" 130 | status=1 131 | fi 132 | 133 | if [ $status -eq 0 ] 134 | then 135 | echo -e "\e[32mAll tests passed!\e[0m" 136 | else 137 | echo -e "\e[31mFailed!\e[0m" 138 | exit 1 139 | fi 140 | -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode1/withArgs -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgs.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode1/withArgs.bc -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgs.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int generate(int a) { 4 | return a; 5 | } 6 | 7 | int main() { 8 | printf("%d", generate(2)); 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgs.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode1/withArgs.cfg -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgs.log: -------------------------------------------------------------------------------- 1 | Debugging is enabled. 
2 | Loading Standard Definitions file: /home/aditi/mcsema-2.0.0-ve/env/bin/lib/python2.7/site-packages/mcsema_disass-2.0-py2.7.egg/mcsema_disass/defs/linux.txt 3 | Using Batch mode. 4 | Starting analysis 5 | Recovering module withArgs 6 | Looking for instructions in segment .init 7 | Default block heads for function 4003c8 with loose bounds [4003c8, 4003e2) 8 | block [4003c8, 4003d8) 9 | block [4003d8, 4003dd) 10 | block [4003dd, 4003e2) 11 | chunk [4003c8, 4003e2) 12 | Looking for instructions in segment .plt 13 | Default block heads for function 400400 with loose bounds [400400, 400406) 14 | block [400400, 400406) 15 | chunk [400400, 400406) 16 | Default block heads for function 400410 with loose bounds [400410, 400416) 17 | block [400410, 400416) 18 | chunk [400410, 400416) 19 | Looking for instructions in segment .plt.got 20 | Default block heads for function 400420 with loose bounds [400420, 400426) 21 | block [400420, 400426) 22 | chunk [400420, 400426) 23 | Looking for instructions in segment .text 24 | Default block heads for function 400430 with loose bounds [400430, 40045a) 25 | block [400430, 40045a) 26 | chunk [400430, 40045a) 27 | Default block heads for function 400460 with loose bounds [400460, 40048a) 28 | block [400460, 400471) 29 | block [400471, 40047b) 30 | block [40047b, 400483) 31 | block [400488, 40048a) 32 | chunk [400460, 40048a) 33 | Default block heads for function 400490 with loose bounds [400490, 4004ca) 34 | block [400490, 4004b3) 35 | block [4004b3, 4004bd) 36 | block [4004bd, 4004c5) 37 | block [4004c8, 4004ca) 38 | chunk [400490, 4004ca) 39 | Default block heads for function 4004d0 with loose bounds [4004d0, 4004f2) 40 | block [4004d0, 4004d9) 41 | block [4004d9, 4004eb) 42 | block [4004f0, 4004f2) 43 | chunk [4004d0, 4004f2) 44 | Default block heads for function 400500 with loose bounds [400500, 400507) 45 | block [400500, 400507) 46 | chunk [400500, 400507) 47 | Default block heads for function 400510 with loose bounds [400510, 
40051c) 48 | block [400510, 40051c) 49 | chunk [400510, 40051c) 50 | Default block heads for function 400520 with loose bounds [400520, 400559) 51 | block [400520, 400559) 52 | chunk [400520, 400559) 53 | Default block heads for function 400560 with loose bounds [400560, 4005c5) 54 | block [400560, 400596) 55 | block [400596, 4005a0) 56 | block [4005a0, 4005b6) 57 | block [4005b6, 4005c5) 58 | chunk [400560, 4005c5) 59 | Default block heads for function 4005d0 with loose bounds [4005d0, 4005d2) 60 | block [4005d0, 4005d2) 61 | chunk [4005d0, 4005d2) 62 | Looking for instructions in segment .fini 63 | Default block heads for function 4005d4 with loose bounds [4005d4, 4005dd) 64 | block [4005d4, 4005dd) 65 | chunk [4005d4, 4005dd) 66 | Looking for strings in segment .rodata [4005e0, 4005e7) 67 | Found string '%d' of length 3 at 4005e4, jumping to 4005e7 68 | Looking for strings in segment .eh_frame_hdr [4005e8, 400624) 69 | Looking for strings in segment .eh_frame [400628, 40073c) 70 | Looking for strings in segment .init_array [600e18, 600e20) 71 | Looking for strings in segment .fini_array [600e20, 600e28) 72 | Looking for strings in segment .got [600ff8, 601000) 73 | Looking for strings in segment .got.plt [601000, 601028) 74 | Looking for strings in segment .data [601028, 601038) 75 | Looking for strings in segment .bss [601038, 601040) 76 | Looking for strings in segment extern [601040, 601078) 77 | Looking for cross-references in segment .init [4003c8, 4003e2) 78 | Looking for cross-references in segment .plt [4003f0, 400420) 79 | Stopping scan at 4003fc 80 | Stopping scan at 40040c 81 | Stopping scan at 40041c 82 | Looking for cross-references in segment .plt.got [400420, 400428) 83 | Stopping scan at 400428 84 | Looking for cross-references in segment .text [400430, 4005d2) 85 | Stopping scan at 40045c 86 | Stopping scan at 400484 87 | Stopping scan at 40048c 88 | Stopping scan at ffffffffffffffff 89 | Stopping scan at 4004cc 90 | Stopping scan at 4004ec 91 | 
Stopping scan at 4004fc 92 | Stopping scan at 40050c 93 | Stopping scan at 40051c 94 | Stopping scan at 40055c 95 | Stopping scan at 4005cc 96 | Looking for cross-references in segment .fini [4005d4, 4005dd) 97 | Looking for cross-references in segment .rodata [4005e0, 4005e7) 98 | Found string at 4005e4, jumping to 4005e7 99 | Stopping scan at 4005e4 100 | Looking for cross-references in segment .eh_frame_hdr [4005e8, 400624) 101 | Stopping scan at 400620 102 | Looking for cross-references in segment .eh_frame [400628, 40073c) 103 | Stopping scan at 400738 104 | Looking for cross-references in segment .init_array [600e18, 600e20) 105 | Adding qword reference from 600e18 to 400500 106 | Stopping scan at 600e18 107 | Looking for cross-references in segment .fini_array [600e20, 600e28) 108 | Adding qword reference from 600e20 to 4004d0 109 | Stopping scan at 600e20 110 | Looking for cross-references in segment .got [600ff8, 601000) 111 | Adding qword reference from 600ff8 to 601068 112 | Stopping scan at 600ff8 113 | Looking for cross-references in segment .got.plt [601000, 601028) 114 | Adding qword reference from 601018 to 601050 115 | Adding qword reference from 601020 to 601058 116 | Stopping scan at 601020 117 | Looking for cross-references in segment .data [601028, 601038) 118 | Stopping scan at 601034 119 | Looking for cross-references in segment .bss [601038, 601040) 120 | Stopping scan at 60103c 121 | Looking for cross-references in segment extern [601040, 601078) 122 | Stopping scan at 601074 123 | Looking for thunks 124 | Found thunk for printf targeting 601050 at 400400 125 | Found thunk for __libc_start_main targeting 601058 at 400410 126 | Found thunk for off_600FF8 targeting 600ff8 at 400420 127 | Looking for external symbols 128 | Function at 400400 is the external function printf 129 | Function at 400410 is the external function __libc_start_main 130 | True name of printf@@GLIBC_2.2.5 is printf 131 | Function at 601040 is the external function printf 
132 | True name of __libc_start_main@@GLIBC_2.2.5 is __libc_start_main 133 | Function at 601048 is the external function __libc_start_main 134 | Function at 601050 is the external function printf 135 | Function at 601058 is the external function __libc_start_main 136 | Function at 601068 is the external function __gmon_start__ 137 | Looking for entrypoints 138 | Recovering deregister_tm_clones at 400460 139 | Analysing subroutine deregister_tm_clones at 400460 140 | Subroutine deregister_tm_clones at 400460 has 4 blocks 141 | BB: 400460 in func 400460 with 5 insts 142 | I: 400460 143 | I: 400461 (data imm internal 601038 __bss_start) 144 | I: 400466 (data imm internal 601038 __bss_start) 145 | I: 40046c 146 | I: 40046f (code flow internal 400488 ) 147 | Successors: 400488, 400471 148 | BB: 400471 in func 400460 with 3 insts 149 | I: 400471 150 | I: 400476 151 | I: 400479 (code flow internal 400488 ) 152 | Successors: 400488, 40047b 153 | BB: 400488 in func 400460 with 2 insts 154 | I: 400488 155 | I: 400489 156 | No successors 157 | BB: 40047b in func 400460 with 3 insts 158 | I: 40047b 159 | I: 40047c (data imm internal 601038 __bss_start) 160 | I: 400481 161 | No successors 162 | Recovering __gmon_start__ at 400420 163 | Analysing subroutine __gmon_start__ at 400420 164 | Subroutine __gmon_start__ at 400420 has 1 blocks 165 | BB: 400420 in func 400420 with 1 insts 166 | I: 400420 (data mem internal 600ff8 ) 167 | No successors 168 | Recovering .init_proc at 4003c8 169 | Analysing subroutine .init_proc at 4003c8 170 | Subroutine .init_proc at 4003c8 has 3 blocks 171 | BB: 4003c8 in func 4003c8 with 4 insts 172 | I: 4003c8 173 | I: 4003cc (data mem internal 600ff8 ) 174 | I: 4003d3 175 | I: 4003d6 (code flow internal 4003dd ) 176 | Successors: 4003d8, 4003dd 177 | BB: 4003d8 in func 4003c8 with 1 insts 178 | I: 4003d8 (data flow internal 600ff8 off_600FF8) 179 | Successors: 4003dd 180 | BB: 4003dd in func 4003c8 with 2 insts 181 | I: 4003dd 182 | I: 4003e1 183 | No 
successors 184 | Recovering generate at 400510 185 | Analysing subroutine generate at 400510 186 | Subroutine generate at 400510 has 1 blocks 187 | BB: 400510 in func 400510 with 6 insts 188 | I: 400510 189 | I: 400511 190 | I: 400514 191 | I: 400517 192 | I: 40051a 193 | I: 40051b 194 | No successors 195 | Recovering register_tm_clones at 400490 196 | Analysing subroutine register_tm_clones at 400490 197 | Subroutine register_tm_clones at 400490 has 4 blocks 198 | BB: 400490 in func 400490 with 10 insts 199 | I: 400490 (data imm internal 601038 __bss_start) 200 | I: 400495 201 | I: 400496 (data imm internal 601038 __bss_start) 202 | I: 40049d 203 | I: 4004a0 204 | I: 4004a4 205 | I: 4004a7 206 | I: 4004ab 207 | I: 4004ae 208 | I: 4004b1 (code flow internal 4004c8 ) 209 | Successors: 4004c8, 4004b3 210 | BB: 4004c8 in func 400490 with 2 insts 211 | I: 4004c8 212 | I: 4004c9 213 | No successors 214 | BB: 4004b3 in func 400490 with 3 insts 215 | I: 4004b3 216 | I: 4004b8 217 | I: 4004bb (code flow internal 4004c8 ) 218 | Successors: 4004c8, 4004bd 219 | BB: 4004bd in func 400490 with 3 insts 220 | I: 4004bd 221 | I: 4004be (data imm internal 601038 __bss_start) 222 | I: 4004c3 223 | No successors 224 | Recovering __do_global_dtors_aux at 4004d0 225 | Analysing subroutine __do_global_dtors_aux at 4004d0 226 | Subroutine __do_global_dtors_aux at 4004d0 has 3 blocks 227 | BB: 4004d0 in func 4004d0 with 2 insts 228 | I: 4004d0 (data mem internal 601038 __bss_start) 229 | I: 4004d7 (code flow internal 4004f0 ) 230 | Successors: 4004f0, 4004d9 231 | BB: 4004d9 in func 4004d0 with 6 insts 232 | I: 4004d9 233 | I: 4004da 234 | I: 4004dd (code flow internal 400460 deregister_tm_clones) 235 | I: 4004e2 (data mem internal 601038 __bss_start) 236 | I: 4004e9 237 | I: 4004ea 238 | No successors 239 | BB: 4004f0 in func 4004d0 with 1 insts 240 | I: 4004f0 241 | No successors 242 | Recovering frame_dummy at 400500 243 | Analysing subroutine frame_dummy at 400500 244 | Subroutine 
frame_dummy at 400500 has 1 blocks 245 | BB: 400500 in func 400500 with 4 insts 246 | I: 400500 247 | I: 400501 248 | I: 400504 249 | I: 400505 (code flow internal 400490 register_tm_clones) 250 | Successors: 400490 251 | Recovering main at 400520 252 | Analysing subroutine main at 400520 253 | Subroutine main at 400520 has 1 blocks 254 | BB: 400520 in func 400520 with 16 insts 255 | I: 400520 256 | I: 400521 257 | I: 400524 258 | I: 400528 259 | I: 40052d 260 | I: 400534 (code flow internal 400510 generate) 261 | I: 400539 (data imm internal 4005e4 format) 262 | I: 400543 263 | I: 400545 264 | I: 400547 (data flow external 601050 printf) 265 | I: 40054c 266 | I: 40054e 267 | I: 400551 268 | I: 400553 269 | I: 400557 270 | I: 400558 271 | No successors 272 | Recovering _start at 400430 273 | Analysing subroutine _start at 400430 274 | Subroutine _start at 400430 has 1 blocks 275 | BB: 400430 in func 400430 with 12 insts 276 | I: 400430 277 | I: 400432 278 | I: 400435 279 | I: 400436 280 | I: 400439 281 | I: 40043d 282 | I: 40043e 283 | I: 40043f (code imm internal 4005d0 __libc_csu_fini) 284 | I: 400446 (code imm internal 400560 __libc_csu_init) 285 | I: 40044d (code imm internal 400520 main) 286 | I: 400454 (data flow external 601058 __libc_start_main) 287 | I: 400459 288 | Does not return 289 | Recovering __libc_csu_init at 400560 290 | Analysing subroutine __libc_csu_init at 400560 291 | Subroutine __libc_csu_init at 400560 has 4 blocks 292 | BB: 400560 in func 400560 with 17 insts 293 | I: 400560 294 | I: 400562 295 | I: 400564 296 | I: 400567 297 | I: 400569 298 | I: 40056b (data mem internal 600e18 __frame_dummy_init_array_entry) 299 | I: 400572 300 | I: 400573 (data mem internal 600e20 __do_global_dtors_aux_fini_array_entry) 301 | I: 40057a 302 | I: 40057b 303 | I: 40057e 304 | I: 400581 305 | I: 400584 306 | I: 400588 307 | I: 40058c (code flow internal 4003c8 .init_proc) 308 | I: 400591 309 | I: 400594 (code flow internal 4005b6 ) 310 | Successors: 4005b6, 
400596 311 | BB: 4005a0 in func 400560 with 7 insts 312 | I: 4005a0 313 | I: 4005a3 314 | I: 4005a6 315 | I: 4005a9 316 | I: 4005ad 317 | I: 4005b1 318 | I: 4005b4 (code flow internal 4005a0 ) 319 | Successors: 4005a0, 4005b6 320 | BB: 400596 in func 400560 with 2 insts 321 | I: 400596 322 | I: 400598 323 | Successors: 4005a0 324 | BB: 4005b6 in func 400560 with 8 insts 325 | I: 4005b6 326 | I: 4005ba 327 | I: 4005bb 328 | I: 4005bc 329 | I: 4005be 330 | I: 4005c0 331 | I: 4005c2 332 | I: 4005c4 333 | No successors 334 | Recovering __libc_csu_fini at 4005d0 335 | Analysing subroutine __libc_csu_fini at 4005d0 336 | Subroutine __libc_csu_fini at 4005d0 has 1 blocks 337 | BB: 4005d0 in func 4005d0 with 1 insts 338 | I: 4005d0 339 | No successors 340 | Recovering .term_proc at 4005d4 341 | Analysing subroutine .term_proc at 4005d4 342 | Subroutine .term_proc at 4005d4 has 1 blocks 343 | BB: 4005d4 in func 4005d4 with 3 insts 344 | I: 4005d4 345 | I: 4005d8 346 | I: 4005dc 347 | No successors 348 | Global Variable None 349 | WARNING: Global constructor and destructor sections are adjacent! 
350 | Splitting segment .bss at 601038 for exported variable __bss_start 351 | Recovering region .rodata [4005e0, 4005e7) in segment .rodata 352 | Variable format at 4005e4 353 | Recovering region .text [400430, 4005d2) in segment .text 354 | Recovering region .eh_frame [400628, 40073c) in segment .eh_frame 355 | Recovering region .got.plt [601000, 601028) in segment .got.plt 356 | 8-byte reference at 601018 to 601050 (printf) 357 | 8-byte reference at 601020 to 601058 (__libc_start_main) 358 | Recovering region .plt.got [400420, 400428) in segment .plt.got 359 | Recovering region .init [4003c8, 4003e2) in segment .init 360 | Recovering region .plt [4003f0, 400420) in segment .plt 361 | Recovering region .eh_frame_hdr [4005e8, 400624) in segment .eh_frame_hdr 362 | Recovering region .fini [4005d4, 4005dd) in segment .fini 363 | Recovering region .got [600ff8, 601000) in segment .got 364 | 8-byte reference at 600ff8 to 601068 (__gmon_start__) 365 | Recovering region .data [601028, 601038) in segment .data 366 | Recovering region .init_array [600e18, 600e28) in segment .init_array 367 | 8-byte reference at 600e18 to 400500 (frame_dummy) 368 | 8-byte reference at 600e20 to 4004d0 (__do_global_dtors_aux) 369 | Variable __frame_dummy_init_array_entry at 600e18 370 | Variable __do_global_dtors_aux_fini_array_entry at 600e20 371 | Recovering region __bss_start [601038, 601040) in segment .bss 372 | Variable __bss_start at 601038 373 | Recovering extern function printf at 400400 374 | Recovering extern function printf at 601040 375 | Recovering extern function __libc_start_main at 601048 376 | Recovering extern function printf at 601050 377 | Recovering extern function __libc_start_main at 400410 378 | Recovering extern function __gmon_start__ at 601068 379 | Recovering extern function __libc_start_main at 601058 380 | Recovered 12 functions. 381 | Saving to: /home/aditi/ToB-Summer19/tests/arguments/mode1/withArgs.cfg 382 | Done analysis! 
383 | -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgs.new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode1/withArgs.new -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgs.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode1/withArgs.new.bc -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgs.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode1/withArgs.new.o -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgsReplacement: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode1/withArgsReplacement -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgsReplacement.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode1/withArgsReplacement.bc -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgsReplacement.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int replacement(int b) { 4 | return (b+2); 5 | } 6 | 7 | int main() { 8 | 
return 0; 9 | } 10 | -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgsReplacement.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode1/withArgsReplacement.cfg -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgsReplacement.log: -------------------------------------------------------------------------------- 1 | Debugging is enabled. 2 | Loading Standard Definitions file: /home/aditi/mcsema-2.0.0-ve/env/bin/lib/python2.7/site-packages/mcsema_disass-2.0-py2.7.egg/mcsema_disass/defs/linux.txt 3 | Using Batch mode. 4 | Starting analysis 5 | Recovering module withArgsReplacement 6 | Looking for instructions in segment .init 7 | Default block heads for function 400390 with loose bounds [400390, 4003aa) 8 | block [400390, 4003a0) 9 | block [4003a0, 4003a5) 10 | block [4003a5, 4003aa) 11 | chunk [400390, 4003aa) 12 | Looking for instructions in segment .plt 13 | Default block heads for function 4003c0 with loose bounds [4003c0, 4003c6) 14 | block [4003c0, 4003c6) 15 | chunk [4003c0, 4003c6) 16 | Looking for instructions in segment .plt.got 17 | Default block heads for function 4003d0 with loose bounds [4003d0, 4003d6) 18 | block [4003d0, 4003d6) 19 | chunk [4003d0, 4003d6) 20 | Looking for instructions in segment .text 21 | Default block heads for function 4003e0 with loose bounds [4003e0, 40040a) 22 | block [4003e0, 40040a) 23 | chunk [4003e0, 40040a) 24 | Default block heads for function 400410 with loose bounds [400410, 40043a) 25 | block [400410, 400421) 26 | block [400421, 40042b) 27 | block [40042b, 400433) 28 | block [400438, 40043a) 29 | chunk [400410, 40043a) 30 | Default block heads for function 400440 with loose bounds [400440, 40047a) 31 | block [400440, 400463) 32 | block [400463, 40046d) 33 
| block [40046d, 400475) 34 | block [400478, 40047a) 35 | chunk [400440, 40047a) 36 | Default block heads for function 400480 with loose bounds [400480, 4004a2) 37 | block [400480, 400489) 38 | block [400489, 40049b) 39 | block [4004a0, 4004a2) 40 | chunk [400480, 4004a2) 41 | Default block heads for function 4004b0 with loose bounds [4004b0, 4004b7) 42 | block [4004b0, 4004b7) 43 | chunk [4004b0, 4004b7) 44 | Default block heads for function 4004c0 with loose bounds [4004c0, 4004d1) 45 | block [4004c0, 4004d1) 46 | chunk [4004c0, 4004d1) 47 | Default block heads for function 4004e0 with loose bounds [4004e0, 4004ef) 48 | block [4004e0, 4004ef) 49 | chunk [4004e0, 4004ef) 50 | Default block heads for function 4004f0 with loose bounds [4004f0, 400555) 51 | block [4004f0, 400526) 52 | block [400526, 400530) 53 | block [400530, 400546) 54 | block [400546, 400555) 55 | chunk [4004f0, 400555) 56 | Default block heads for function 400560 with loose bounds [400560, 400562) 57 | block [400560, 400562) 58 | chunk [400560, 400562) 59 | Looking for instructions in segment .fini 60 | Default block heads for function 400564 with loose bounds [400564, 40056d) 61 | block [400564, 40056d) 62 | chunk [400564, 40056d) 63 | Looking for strings in segment .rodata [400570, 400574) 64 | Looking for strings in segment .eh_frame_hdr [400574, 4005b0) 65 | Looking for strings in segment .eh_frame [4005b0, 4006c4) 66 | Looking for strings in segment .init_array [600e18, 600e20) 67 | Looking for strings in segment .fini_array [600e20, 600e28) 68 | Looking for strings in segment .got [600ff8, 601000) 69 | Looking for strings in segment .got.plt [601000, 601020) 70 | Looking for strings in segment .data [601020, 601030) 71 | Looking for strings in segment .bss [601030, 601038) 72 | Looking for strings in segment extern [601038, 601060) 73 | Looking for cross-references in segment .init [400390, 4003aa) 74 | Looking for cross-references in segment .plt [4003b0, 4003d0) 75 | Stopping scan at 
4003bc 76 | Stopping scan at 4003cc 77 | Looking for cross-references in segment .plt.got [4003d0, 4003d8) 78 | Stopping scan at 4003d8 79 | Looking for cross-references in segment .text [4003e0, 400562) 80 | Stopping scan at 40040c 81 | Stopping scan at 400434 82 | Stopping scan at 40043c 83 | Stopping scan at ffffffffffffffff 84 | Stopping scan at 40047c 85 | Stopping scan at 40049c 86 | Stopping scan at 4004ac 87 | Stopping scan at 4004bc 88 | Stopping scan at 4004dc 89 | Stopping scan at ffffffffffffffff 90 | Stopping scan at 40055c 91 | Looking for cross-references in segment .fini [400564, 40056d) 92 | Looking for cross-references in segment .rodata [400570, 400574) 93 | Stopping scan at 400570 94 | Looking for cross-references in segment .eh_frame_hdr [400574, 4005b0) 95 | Stopping scan at 4005ac 96 | Looking for cross-references in segment .eh_frame [4005b0, 4006c4) 97 | Stopping scan at 4006c0 98 | Looking for cross-references in segment .init_array [600e18, 600e20) 99 | Adding qword reference from 600e18 to 4004b0 100 | Stopping scan at 600e18 101 | Looking for cross-references in segment .fini_array [600e20, 600e28) 102 | Adding qword reference from 600e20 to 400480 103 | Stopping scan at 600e20 104 | Looking for cross-references in segment .got [600ff8, 601000) 105 | Adding qword reference from 600ff8 to 601050 106 | Stopping scan at 600ff8 107 | Looking for cross-references in segment .got.plt [601000, 601020) 108 | Adding qword reference from 601018 to 601040 109 | Stopping scan at 601018 110 | Looking for cross-references in segment .data [601020, 601030) 111 | Stopping scan at 60102c 112 | Looking for cross-references in segment .bss [601030, 601038) 113 | Stopping scan at 601034 114 | Looking for cross-references in segment extern [601038, 601060) 115 | Stopping scan at 60105c 116 | Looking for thunks 117 | Found thunk for __libc_start_main targeting 601040 at 4003c0 118 | Found thunk for off_600FF8 targeting 600ff8 at 4003d0 119 | Looking for 
external symbols 120 | Function at 4003c0 is the external function __libc_start_main 121 | True name of __libc_start_main@@GLIBC_2.2.5 is __libc_start_main 122 | Function at 601038 is the external function __libc_start_main 123 | Function at 601040 is the external function __libc_start_main 124 | Function at 601050 is the external function __gmon_start__ 125 | Looking for entrypoints 126 | Recovering register_tm_clones at 400440 127 | Analysing subroutine register_tm_clones at 400440 128 | Subroutine register_tm_clones at 400440 has 4 blocks 129 | BB: 400440 in func 400440 with 10 insts 130 | I: 400440 (data imm internal 601030 __bss_start) 131 | I: 400445 132 | I: 400446 (data imm internal 601030 __bss_start) 133 | I: 40044d 134 | I: 400450 135 | I: 400454 136 | I: 400457 137 | I: 40045b 138 | I: 40045e 139 | I: 400461 (code flow internal 400478 ) 140 | Successors: 400478, 400463 141 | BB: 400478 in func 400440 with 2 insts 142 | I: 400478 143 | I: 400479 144 | No successors 145 | BB: 400463 in func 400440 with 3 insts 146 | I: 400463 147 | I: 400468 148 | I: 40046b (code flow internal 400478 ) 149 | Successors: 400478, 40046d 150 | BB: 40046d in func 400440 with 3 insts 151 | I: 40046d 152 | I: 40046e (data imm internal 601030 __bss_start) 153 | I: 400473 154 | No successors 155 | Recovering __libc_csu_init at 4004f0 156 | Analysing subroutine __libc_csu_init at 4004f0 157 | Subroutine __libc_csu_init at 4004f0 has 4 blocks 158 | BB: 4004f0 in func 4004f0 with 17 insts 159 | I: 4004f0 160 | I: 4004f2 161 | I: 4004f4 162 | I: 4004f7 163 | I: 4004f9 164 | I: 4004fb (data mem internal 600e18 __frame_dummy_init_array_entry) 165 | I: 400502 166 | I: 400503 (data mem internal 600e20 __do_global_dtors_aux_fini_array_entry) 167 | I: 40050a 168 | I: 40050b 169 | I: 40050e 170 | I: 400511 171 | I: 400514 172 | I: 400518 173 | I: 40051c (code flow internal 400390 .init_proc) 174 | I: 400521 175 | I: 400524 (code flow internal 400546 ) 176 | Successors: 400546, 400526 177 | 
BB: 400530 in func 4004f0 with 7 insts 178 | I: 400530 179 | I: 400533 180 | I: 400536 181 | I: 400539 182 | I: 40053d 183 | I: 400541 184 | I: 400544 (code flow internal 400530 ) 185 | Successors: 400530, 400546 186 | BB: 400526 in func 4004f0 with 2 insts 187 | I: 400526 188 | I: 400528 189 | Successors: 400530 190 | BB: 400546 in func 4004f0 with 8 insts 191 | I: 400546 192 | I: 40054a 193 | I: 40054b 194 | I: 40054c 195 | I: 40054e 196 | I: 400550 197 | I: 400552 198 | I: 400554 199 | No successors 200 | Recovering __gmon_start__ at 4003d0 201 | Analysing subroutine __gmon_start__ at 4003d0 202 | Subroutine __gmon_start__ at 4003d0 has 1 blocks 203 | BB: 4003d0 in func 4003d0 with 1 insts 204 | I: 4003d0 (data mem internal 600ff8 ) 205 | No successors 206 | Recovering _start at 4003e0 207 | Analysing subroutine _start at 4003e0 208 | Subroutine _start at 4003e0 has 1 blocks 209 | BB: 4003e0 in func 4003e0 with 12 insts 210 | I: 4003e0 211 | I: 4003e2 212 | I: 4003e5 213 | I: 4003e6 214 | I: 4003e9 215 | I: 4003ed 216 | I: 4003ee 217 | I: 4003ef (code imm internal 400560 __libc_csu_fini) 218 | I: 4003f6 (code imm internal 4004f0 __libc_csu_init) 219 | I: 4003fd (code imm internal 4004e0 main) 220 | I: 400404 (data flow external 601040 __libc_start_main) 221 | I: 400409 222 | Does not return 223 | Recovering deregister_tm_clones at 400410 224 | Analysing subroutine deregister_tm_clones at 400410 225 | Subroutine deregister_tm_clones at 400410 has 4 blocks 226 | BB: 400410 in func 400410 with 5 insts 227 | I: 400410 228 | I: 400411 (data imm internal 601030 __bss_start) 229 | I: 400416 (data imm internal 601030 __bss_start) 230 | I: 40041c 231 | I: 40041f (code flow internal 400438 ) 232 | Successors: 400438, 400421 233 | BB: 400421 in func 400410 with 3 insts 234 | I: 400421 235 | I: 400426 236 | I: 400429 (code flow internal 400438 ) 237 | Successors: 400438, 40042b 238 | BB: 40042b in func 400410 with 3 insts 239 | I: 40042b 240 | I: 40042c (data imm internal 
601030 __bss_start) 241 | I: 400431 242 | No successors 243 | BB: 400438 in func 400410 with 2 insts 244 | I: 400438 245 | I: 400439 246 | No successors 247 | Recovering __do_global_dtors_aux at 400480 248 | Analysing subroutine __do_global_dtors_aux at 400480 249 | Subroutine __do_global_dtors_aux at 400480 has 3 blocks 250 | BB: 400480 in func 400480 with 2 insts 251 | I: 400480 (data mem internal 601030 __bss_start) 252 | I: 400487 (code flow internal 4004a0 ) 253 | Successors: 4004a0, 400489 254 | BB: 400489 in func 400480 with 6 insts 255 | I: 400489 256 | I: 40048a 257 | I: 40048d (code flow internal 400410 deregister_tm_clones) 258 | I: 400492 (data mem internal 601030 __bss_start) 259 | I: 400499 260 | I: 40049a 261 | No successors 262 | BB: 4004a0 in func 400480 with 1 insts 263 | I: 4004a0 264 | No successors 265 | Recovering frame_dummy at 4004b0 266 | Analysing subroutine frame_dummy at 4004b0 267 | Subroutine frame_dummy at 4004b0 has 1 blocks 268 | BB: 4004b0 in func 4004b0 with 4 insts 269 | I: 4004b0 270 | I: 4004b1 271 | I: 4004b4 272 | I: 4004b5 (code flow internal 400440 register_tm_clones) 273 | Successors: 400440 274 | Recovering replacement at 4004c0 275 | Analysing subroutine replacement at 4004c0 276 | Subroutine replacement at 4004c0 has 1 blocks 277 | BB: 4004c0 in func 4004c0 with 8 insts 278 | I: 4004c0 279 | I: 4004c1 280 | I: 4004c4 281 | I: 4004c7 282 | I: 4004ca 283 | I: 4004cd 284 | I: 4004cf 285 | I: 4004d0 286 | No successors 287 | Recovering main at 4004e0 288 | Analysing subroutine main at 4004e0 289 | Subroutine main at 4004e0 has 1 blocks 290 | BB: 4004e0 in func 4004e0 with 6 insts 291 | I: 4004e0 292 | I: 4004e1 293 | I: 4004e4 294 | I: 4004e6 295 | I: 4004ed 296 | I: 4004ee 297 | No successors 298 | Recovering .init_proc at 400390 299 | Analysing subroutine .init_proc at 400390 300 | Subroutine .init_proc at 400390 has 3 blocks 301 | BB: 400390 in func 400390 with 4 insts 302 | I: 400390 303 | I: 400394 (data mem internal 
600ff8 ) 304 | I: 40039b 305 | I: 40039e (code flow internal 4003a5 ) 306 | Successors: 4003a0, 4003a5 307 | BB: 4003a0 in func 400390 with 1 insts 308 | I: 4003a0 (data flow internal 600ff8 off_600FF8) 309 | Successors: 4003a5 310 | BB: 4003a5 in func 400390 with 2 insts 311 | I: 4003a5 312 | I: 4003a9 313 | No successors 314 | Recovering __libc_csu_fini at 400560 315 | Analysing subroutine __libc_csu_fini at 400560 316 | Subroutine __libc_csu_fini at 400560 has 1 blocks 317 | BB: 400560 in func 400560 with 1 insts 318 | I: 400560 319 | No successors 320 | Recovering .term_proc at 400564 321 | Analysing subroutine .term_proc at 400564 322 | Subroutine .term_proc at 400564 has 1 blocks 323 | BB: 400564 in func 400564 with 3 insts 324 | I: 400564 325 | I: 400568 326 | I: 40056c 327 | No successors 328 | Global Variable None 329 | WARNING: Global constructor and destructor sections are adjacent! 330 | Splitting segment .bss at 601030 for exported variable __bss_start 331 | Recovering region .text [4003e0, 400562) in segment .text 332 | Recovering region .plt [4003b0, 4003d0) in segment .plt 333 | Recovering region .plt.got [4003d0, 4003d8) in segment .plt.got 334 | Recovering region .got.plt [601000, 601020) in segment .got.plt 335 | 8-byte reference at 601018 to 601040 (__libc_start_main) 336 | Recovering region .data [601020, 601030) in segment .data 337 | Recovering region __bss_start [601030, 601038) in segment .bss 338 | Variable __bss_start at 601030 339 | Recovering region .init [400390, 4003aa) in segment .init 340 | Recovering region .rodata [400570, 400574) in segment .rodata 341 | Recovering region .eh_frame [4005b0, 4006c4) in segment .eh_frame 342 | Recovering region .eh_frame_hdr [400574, 4005b0) in segment .eh_frame_hdr 343 | Recovering region .got [600ff8, 601000) in segment .got 344 | 8-byte reference at 600ff8 to 601050 (__gmon_start__) 345 | Recovering region .init_array [600e18, 600e28) in segment .init_array 346 | 8-byte reference at 600e18 to 
4004b0 (frame_dummy) 347 | 8-byte reference at 600e20 to 400480 (__do_global_dtors_aux) 348 | Variable __frame_dummy_init_array_entry at 600e18 349 | Variable __do_global_dtors_aux_fini_array_entry at 600e20 350 | Recovering region .fini [400564, 40056d) in segment .fini 351 | Recovering extern function __libc_start_main at 4003c0 352 | Recovering extern function __libc_start_main at 601038 353 | Recovering extern function __gmon_start__ at 601050 354 | Recovering extern function __libc_start_main at 601040 355 | Recovered 12 functions. 356 | Saving to: /home/aditi/ToB-Summer19/tests/arguments/mode1/withArgsReplacement.cfg 357 | Done analysis! 358 | -------------------------------------------------------------------------------- /tests/arguments/mode1/withArgsReplacement.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode1/withArgsReplacement.o -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgs -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgs.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgs.bc -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgs.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int generate(int a) { 4 | return a; 5 | } 6 | 7 | int main() { 8 | printf("%d", generate(2)); 9 | return 0; 10 | } 11 | 
-------------------------------------------------------------------------------- /tests/arguments/mode2/withArgs.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgs.cfg -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgs.log: -------------------------------------------------------------------------------- 1 | Debugging is enabled. 2 | Loading Standard Definitions file: /home/aditi/mcsema-2.0.0-ve/env/bin/lib/python2.7/site-packages/mcsema_disass-2.0-py2.7.egg/mcsema_disass/defs/linux.txt 3 | Using Batch mode. 4 | Starting analysis 5 | Recovering module withArgs 6 | Looking for instructions in segment .init 7 | Default block heads for function 4003c8 with loose bounds [4003c8, 4003e2) 8 | block [4003c8, 4003d8) 9 | block [4003d8, 4003dd) 10 | block [4003dd, 4003e2) 11 | chunk [4003c8, 4003e2) 12 | Looking for instructions in segment .plt 13 | Default block heads for function 400400 with loose bounds [400400, 400406) 14 | block [400400, 400406) 15 | chunk [400400, 400406) 16 | Default block heads for function 400410 with loose bounds [400410, 400416) 17 | block [400410, 400416) 18 | chunk [400410, 400416) 19 | Looking for instructions in segment .plt.got 20 | Default block heads for function 400420 with loose bounds [400420, 400426) 21 | block [400420, 400426) 22 | chunk [400420, 400426) 23 | Looking for instructions in segment .text 24 | Default block heads for function 400430 with loose bounds [400430, 40045a) 25 | block [400430, 40045a) 26 | chunk [400430, 40045a) 27 | Default block heads for function 400460 with loose bounds [400460, 40048a) 28 | block [400460, 400471) 29 | block [400471, 40047b) 30 | block [40047b, 400483) 31 | block [400488, 40048a) 32 | chunk [400460, 40048a) 33 | Default block heads for function 400490 with loose bounds 
[400490, 4004ca) 34 | block [400490, 4004b3) 35 | block [4004b3, 4004bd) 36 | block [4004bd, 4004c5) 37 | block [4004c8, 4004ca) 38 | chunk [400490, 4004ca) 39 | Default block heads for function 4004d0 with loose bounds [4004d0, 4004f2) 40 | block [4004d0, 4004d9) 41 | block [4004d9, 4004eb) 42 | block [4004f0, 4004f2) 43 | chunk [4004d0, 4004f2) 44 | Default block heads for function 400500 with loose bounds [400500, 400507) 45 | block [400500, 400507) 46 | chunk [400500, 400507) 47 | Default block heads for function 400510 with loose bounds [400510, 40051c) 48 | block [400510, 40051c) 49 | chunk [400510, 40051c) 50 | Default block heads for function 400520 with loose bounds [400520, 400559) 51 | block [400520, 400559) 52 | chunk [400520, 400559) 53 | Default block heads for function 400560 with loose bounds [400560, 4005c5) 54 | block [400560, 400596) 55 | block [400596, 4005a0) 56 | block [4005a0, 4005b6) 57 | block [4005b6, 4005c5) 58 | chunk [400560, 4005c5) 59 | Default block heads for function 4005d0 with loose bounds [4005d0, 4005d2) 60 | block [4005d0, 4005d2) 61 | chunk [4005d0, 4005d2) 62 | Looking for instructions in segment .fini 63 | Default block heads for function 4005d4 with loose bounds [4005d4, 4005dd) 64 | block [4005d4, 4005dd) 65 | chunk [4005d4, 4005dd) 66 | Looking for strings in segment .rodata [4005e0, 4005e7) 67 | Found string '%d' of length 3 at 4005e4, jumping to 4005e7 68 | Looking for strings in segment .eh_frame_hdr [4005e8, 400624) 69 | Looking for strings in segment .eh_frame [400628, 40073c) 70 | Looking for strings in segment .init_array [600e18, 600e20) 71 | Looking for strings in segment .fini_array [600e20, 600e28) 72 | Looking for strings in segment .got [600ff8, 601000) 73 | Looking for strings in segment .got.plt [601000, 601028) 74 | Looking for strings in segment .data [601028, 601038) 75 | Looking for strings in segment .bss [601038, 601040) 76 | Looking for strings in segment extern [601040, 601078) 77 | Looking for 
cross-references in segment .init [4003c8, 4003e2) 78 | Looking for cross-references in segment .plt [4003f0, 400420) 79 | Stopping scan at 4003fc 80 | Stopping scan at 40040c 81 | Stopping scan at 40041c 82 | Looking for cross-references in segment .plt.got [400420, 400428) 83 | Stopping scan at 400428 84 | Looking for cross-references in segment .text [400430, 4005d2) 85 | Stopping scan at 40045c 86 | Stopping scan at 400484 87 | Stopping scan at 40048c 88 | Stopping scan at ffffffffffffffff 89 | Stopping scan at 4004cc 90 | Stopping scan at 4004ec 91 | Stopping scan at 4004fc 92 | Stopping scan at 40050c 93 | Stopping scan at 40051c 94 | Stopping scan at 40055c 95 | Stopping scan at 4005cc 96 | Looking for cross-references in segment .fini [4005d4, 4005dd) 97 | Looking for cross-references in segment .rodata [4005e0, 4005e7) 98 | Found string at 4005e4, jumping to 4005e7 99 | Stopping scan at 4005e4 100 | Looking for cross-references in segment .eh_frame_hdr [4005e8, 400624) 101 | Stopping scan at 400620 102 | Looking for cross-references in segment .eh_frame [400628, 40073c) 103 | Stopping scan at 400738 104 | Looking for cross-references in segment .init_array [600e18, 600e20) 105 | Adding qword reference from 600e18 to 400500 106 | Stopping scan at 600e18 107 | Looking for cross-references in segment .fini_array [600e20, 600e28) 108 | Adding qword reference from 600e20 to 4004d0 109 | Stopping scan at 600e20 110 | Looking for cross-references in segment .got [600ff8, 601000) 111 | Adding qword reference from 600ff8 to 601068 112 | Stopping scan at 600ff8 113 | Looking for cross-references in segment .got.plt [601000, 601028) 114 | Adding qword reference from 601018 to 601050 115 | Adding qword reference from 601020 to 601058 116 | Stopping scan at 601020 117 | Looking for cross-references in segment .data [601028, 601038) 118 | Stopping scan at 601034 119 | Looking for cross-references in segment .bss [601038, 601040) 120 | Stopping scan at 60103c 121 | 
Looking for cross-references in segment extern [601040, 601078) 122 | Stopping scan at 601074 123 | Looking for thunks 124 | Found thunk for printf targeting 601050 at 400400 125 | Found thunk for __libc_start_main targeting 601058 at 400410 126 | Found thunk for off_600FF8 targeting 600ff8 at 400420 127 | Looking for external symbols 128 | Function at 400400 is the external function printf 129 | Function at 400410 is the external function __libc_start_main 130 | True name of printf@@GLIBC_2.2.5 is printf 131 | Function at 601040 is the external function printf 132 | True name of __libc_start_main@@GLIBC_2.2.5 is __libc_start_main 133 | Function at 601048 is the external function __libc_start_main 134 | Function at 601050 is the external function printf 135 | Function at 601058 is the external function __libc_start_main 136 | Function at 601068 is the external function __gmon_start__ 137 | Looking for entrypoints 138 | Recovering deregister_tm_clones at 400460 139 | Analysing subroutine deregister_tm_clones at 400460 140 | Subroutine deregister_tm_clones at 400460 has 4 blocks 141 | BB: 400460 in func 400460 with 5 insts 142 | I: 400460 143 | I: 400461 (data imm internal 601038 __bss_start) 144 | I: 400466 (data imm internal 601038 __bss_start) 145 | I: 40046c 146 | I: 40046f (code flow internal 400488 ) 147 | Successors: 400488, 400471 148 | BB: 400471 in func 400460 with 3 insts 149 | I: 400471 150 | I: 400476 151 | I: 400479 (code flow internal 400488 ) 152 | Successors: 400488, 40047b 153 | BB: 400488 in func 400460 with 2 insts 154 | I: 400488 155 | I: 400489 156 | No successors 157 | BB: 40047b in func 400460 with 3 insts 158 | I: 40047b 159 | I: 40047c (data imm internal 601038 __bss_start) 160 | I: 400481 161 | No successors 162 | Recovering __gmon_start__ at 400420 163 | Analysing subroutine __gmon_start__ at 400420 164 | Subroutine __gmon_start__ at 400420 has 1 blocks 165 | BB: 400420 in func 400420 with 1 insts 166 | I: 400420 (data mem internal 600ff8 
) 167 | No successors 168 | Recovering .init_proc at 4003c8 169 | Analysing subroutine .init_proc at 4003c8 170 | Subroutine .init_proc at 4003c8 has 3 blocks 171 | BB: 4003c8 in func 4003c8 with 4 insts 172 | I: 4003c8 173 | I: 4003cc (data mem internal 600ff8 ) 174 | I: 4003d3 175 | I: 4003d6 (code flow internal 4003dd ) 176 | Successors: 4003d8, 4003dd 177 | BB: 4003d8 in func 4003c8 with 1 insts 178 | I: 4003d8 (data flow internal 600ff8 off_600FF8) 179 | Successors: 4003dd 180 | BB: 4003dd in func 4003c8 with 2 insts 181 | I: 4003dd 182 | I: 4003e1 183 | No successors 184 | Recovering generate at 400510 185 | Analysing subroutine generate at 400510 186 | Subroutine generate at 400510 has 1 blocks 187 | BB: 400510 in func 400510 with 6 insts 188 | I: 400510 189 | I: 400511 190 | I: 400514 191 | I: 400517 192 | I: 40051a 193 | I: 40051b 194 | No successors 195 | Recovering register_tm_clones at 400490 196 | Analysing subroutine register_tm_clones at 400490 197 | Subroutine register_tm_clones at 400490 has 4 blocks 198 | BB: 400490 in func 400490 with 10 insts 199 | I: 400490 (data imm internal 601038 __bss_start) 200 | I: 400495 201 | I: 400496 (data imm internal 601038 __bss_start) 202 | I: 40049d 203 | I: 4004a0 204 | I: 4004a4 205 | I: 4004a7 206 | I: 4004ab 207 | I: 4004ae 208 | I: 4004b1 (code flow internal 4004c8 ) 209 | Successors: 4004c8, 4004b3 210 | BB: 4004c8 in func 400490 with 2 insts 211 | I: 4004c8 212 | I: 4004c9 213 | No successors 214 | BB: 4004b3 in func 400490 with 3 insts 215 | I: 4004b3 216 | I: 4004b8 217 | I: 4004bb (code flow internal 4004c8 ) 218 | Successors: 4004c8, 4004bd 219 | BB: 4004bd in func 400490 with 3 insts 220 | I: 4004bd 221 | I: 4004be (data imm internal 601038 __bss_start) 222 | I: 4004c3 223 | No successors 224 | Recovering __do_global_dtors_aux at 4004d0 225 | Analysing subroutine __do_global_dtors_aux at 4004d0 226 | Subroutine __do_global_dtors_aux at 4004d0 has 3 blocks 227 | BB: 4004d0 in func 4004d0 with 2 insts 
228 | I: 4004d0 (data mem internal 601038 __bss_start) 229 | I: 4004d7 (code flow internal 4004f0 ) 230 | Successors: 4004f0, 4004d9 231 | BB: 4004d9 in func 4004d0 with 6 insts 232 | I: 4004d9 233 | I: 4004da 234 | I: 4004dd (code flow internal 400460 deregister_tm_clones) 235 | I: 4004e2 (data mem internal 601038 __bss_start) 236 | I: 4004e9 237 | I: 4004ea 238 | No successors 239 | BB: 4004f0 in func 4004d0 with 1 insts 240 | I: 4004f0 241 | No successors 242 | Recovering frame_dummy at 400500 243 | Analysing subroutine frame_dummy at 400500 244 | Subroutine frame_dummy at 400500 has 1 blocks 245 | BB: 400500 in func 400500 with 4 insts 246 | I: 400500 247 | I: 400501 248 | I: 400504 249 | I: 400505 (code flow internal 400490 register_tm_clones) 250 | Successors: 400490 251 | Recovering main at 400520 252 | Analysing subroutine main at 400520 253 | Subroutine main at 400520 has 1 blocks 254 | BB: 400520 in func 400520 with 16 insts 255 | I: 400520 256 | I: 400521 257 | I: 400524 258 | I: 400528 259 | I: 40052d 260 | I: 400534 (code flow internal 400510 generate) 261 | I: 400539 (data imm internal 4005e4 format) 262 | I: 400543 263 | I: 400545 264 | I: 400547 (data flow external 601050 printf) 265 | I: 40054c 266 | I: 40054e 267 | I: 400551 268 | I: 400553 269 | I: 400557 270 | I: 400558 271 | No successors 272 | Recovering _start at 400430 273 | Analysing subroutine _start at 400430 274 | Subroutine _start at 400430 has 1 blocks 275 | BB: 400430 in func 400430 with 12 insts 276 | I: 400430 277 | I: 400432 278 | I: 400435 279 | I: 400436 280 | I: 400439 281 | I: 40043d 282 | I: 40043e 283 | I: 40043f (code imm internal 4005d0 __libc_csu_fini) 284 | I: 400446 (code imm internal 400560 __libc_csu_init) 285 | I: 40044d (code imm internal 400520 main) 286 | I: 400454 (data flow external 601058 __libc_start_main) 287 | I: 400459 288 | Does not return 289 | Recovering __libc_csu_init at 400560 290 | Analysing subroutine __libc_csu_init at 400560 291 | Subroutine 
__libc_csu_init at 400560 has 4 blocks 292 | BB: 400560 in func 400560 with 17 insts 293 | I: 400560 294 | I: 400562 295 | I: 400564 296 | I: 400567 297 | I: 400569 298 | I: 40056b (data mem internal 600e18 __frame_dummy_init_array_entry) 299 | I: 400572 300 | I: 400573 (data mem internal 600e20 __do_global_dtors_aux_fini_array_entry) 301 | I: 40057a 302 | I: 40057b 303 | I: 40057e 304 | I: 400581 305 | I: 400584 306 | I: 400588 307 | I: 40058c (code flow internal 4003c8 .init_proc) 308 | I: 400591 309 | I: 400594 (code flow internal 4005b6 ) 310 | Successors: 4005b6, 400596 311 | BB: 4005a0 in func 400560 with 7 insts 312 | I: 4005a0 313 | I: 4005a3 314 | I: 4005a6 315 | I: 4005a9 316 | I: 4005ad 317 | I: 4005b1 318 | I: 4005b4 (code flow internal 4005a0 ) 319 | Successors: 4005a0, 4005b6 320 | BB: 400596 in func 400560 with 2 insts 321 | I: 400596 322 | I: 400598 323 | Successors: 4005a0 324 | BB: 4005b6 in func 400560 with 8 insts 325 | I: 4005b6 326 | I: 4005ba 327 | I: 4005bb 328 | I: 4005bc 329 | I: 4005be 330 | I: 4005c0 331 | I: 4005c2 332 | I: 4005c4 333 | No successors 334 | Recovering __libc_csu_fini at 4005d0 335 | Analysing subroutine __libc_csu_fini at 4005d0 336 | Subroutine __libc_csu_fini at 4005d0 has 1 blocks 337 | BB: 4005d0 in func 4005d0 with 1 insts 338 | I: 4005d0 339 | No successors 340 | Recovering .term_proc at 4005d4 341 | Analysing subroutine .term_proc at 4005d4 342 | Subroutine .term_proc at 4005d4 has 1 blocks 343 | BB: 4005d4 in func 4005d4 with 3 insts 344 | I: 4005d4 345 | I: 4005d8 346 | I: 4005dc 347 | No successors 348 | Global Variable None 349 | WARNING: Global constructor and destructor sections are adjacent! 
350 | Splitting segment .bss at 601038 for exported variable __bss_start 351 | Recovering region .rodata [4005e0, 4005e7) in segment .rodata 352 | Variable format at 4005e4 353 | Recovering region .text [400430, 4005d2) in segment .text 354 | Recovering region .eh_frame [400628, 40073c) in segment .eh_frame 355 | Recovering region .got.plt [601000, 601028) in segment .got.plt 356 | 8-byte reference at 601018 to 601050 (printf) 357 | 8-byte reference at 601020 to 601058 (__libc_start_main) 358 | Recovering region .plt.got [400420, 400428) in segment .plt.got 359 | Recovering region .init [4003c8, 4003e2) in segment .init 360 | Recovering region .plt [4003f0, 400420) in segment .plt 361 | Recovering region .eh_frame_hdr [4005e8, 400624) in segment .eh_frame_hdr 362 | Recovering region .fini [4005d4, 4005dd) in segment .fini 363 | Recovering region .got [600ff8, 601000) in segment .got 364 | 8-byte reference at 600ff8 to 601068 (__gmon_start__) 365 | Recovering region .data [601028, 601038) in segment .data 366 | Recovering region .init_array [600e18, 600e28) in segment .init_array 367 | 8-byte reference at 600e18 to 400500 (frame_dummy) 368 | 8-byte reference at 600e20 to 4004d0 (__do_global_dtors_aux) 369 | Variable __frame_dummy_init_array_entry at 600e18 370 | Variable __do_global_dtors_aux_fini_array_entry at 600e20 371 | Recovering region __bss_start [601038, 601040) in segment .bss 372 | Variable __bss_start at 601038 373 | Recovering extern function printf at 400400 374 | Recovering extern function printf at 601040 375 | Recovering extern function __libc_start_main at 601048 376 | Recovering extern function printf at 601050 377 | Recovering extern function __libc_start_main at 400410 378 | Recovering extern function __gmon_start__ at 601068 379 | Recovering extern function __libc_start_main at 601058 380 | Recovered 12 functions. 381 | Saving to: /home/aditi/ToB-Summer19/tests/arguments/mode2/withArgs.cfg 382 | Done analysis! 
383 | -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgs.new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgs.new -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgs.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgs.new.bc -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgs.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgs.new.o -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgsReplacement: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgsReplacement -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgsReplacement.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgsReplacement.bc -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgsReplacement.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int generate_original(int c) { 4 | return 0; 5 | } 6 | 7 | int 
replacement(int b) { 8 | if (generate_original(b) == b) return (b+2); 9 | return generate_original(b); 10 | } 11 | 12 | int main() { 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgsReplacement.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgsReplacement.cfg -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgsReplacement.log: -------------------------------------------------------------------------------- 1 | Debugging is enabled. 2 | Loading Standard Definitions file: /home/aditi/mcsema-2.0.0-ve/env/bin/lib/python2.7/site-packages/mcsema_disass-2.0-py2.7.egg/mcsema_disass/defs/linux.txt 3 | Using Batch mode. 4 | Starting analysis 5 | Recovering module withArgsReplacement 6 | Looking for instructions in segment .init 7 | Default block heads for function 400390 with loose bounds [400390, 4003aa) 8 | block [400390, 4003a0) 9 | block [4003a0, 4003a5) 10 | block [4003a5, 4003aa) 11 | chunk [400390, 4003aa) 12 | Looking for instructions in segment .plt 13 | Default block heads for function 4003c0 with loose bounds [4003c0, 4003c6) 14 | block [4003c0, 4003c6) 15 | chunk [4003c0, 4003c6) 16 | Looking for instructions in segment .plt.got 17 | Default block heads for function 4003d0 with loose bounds [4003d0, 4003d6) 18 | block [4003d0, 4003d6) 19 | chunk [4003d0, 4003d6) 20 | Looking for instructions in segment .text 21 | Default block heads for function 4003e0 with loose bounds [4003e0, 40040a) 22 | block [4003e0, 40040a) 23 | chunk [4003e0, 40040a) 24 | Default block heads for function 400410 with loose bounds [400410, 40043a) 25 | block [400410, 400421) 26 | block [400421, 40042b) 27 | block [40042b, 400433) 28 | block [400438, 40043a) 29 | chunk [400410, 40043a) 
30 | Default block heads for function 400440 with loose bounds [400440, 40047a) 31 | block [400440, 400463) 32 | block [400463, 40046d) 33 | block [40046d, 400475) 34 | block [400478, 40047a) 35 | chunk [400440, 40047a) 36 | Default block heads for function 400480 with loose bounds [400480, 4004a2) 37 | block [400480, 400489) 38 | block [400489, 40049b) 39 | block [4004a0, 4004a2) 40 | chunk [400480, 4004a2) 41 | Default block heads for function 4004b0 with loose bounds [4004b0, 4004b7) 42 | block [4004b0, 4004b7) 43 | chunk [4004b0, 4004b7) 44 | Default block heads for function 4004c0 with loose bounds [4004c0, 4004cb) 45 | block [4004c0, 4004cb) 46 | chunk [4004c0, 4004cb) 47 | Default block heads for function 4004d0 with loose bounds [4004d0, 40050e) 48 | block [4004d0, 4004ec) 49 | block [4004ec, 4004fa) 50 | block [4004fa, 400505) 51 | block [400505, 40050e) 52 | chunk [4004d0, 40050e) 53 | Default block heads for function 400510 with loose bounds [400510, 40051f) 54 | block [400510, 40051f) 55 | chunk [400510, 40051f) 56 | Default block heads for function 400520 with loose bounds [400520, 400585) 57 | block [400520, 400556) 58 | block [400556, 400560) 59 | block [400560, 400576) 60 | block [400576, 400585) 61 | chunk [400520, 400585) 62 | Default block heads for function 400590 with loose bounds [400590, 400592) 63 | block [400590, 400592) 64 | chunk [400590, 400592) 65 | Looking for instructions in segment .fini 66 | Default block heads for function 400594 with loose bounds [400594, 40059d) 67 | block [400594, 40059d) 68 | chunk [400594, 40059d) 69 | Looking for strings in segment .rodata [4005a0, 4005a4) 70 | Looking for strings in segment .eh_frame_hdr [4005a4, 4005e8) 71 | Looking for strings in segment .eh_frame [4005e8, 40071c) 72 | Looking for strings in segment .init_array [600e18, 600e20) 73 | Looking for strings in segment .fini_array [600e20, 600e28) 74 | Looking for strings in segment .got [600ff8, 601000) 75 | Looking for strings in segment 
.got.plt [601000, 601020) 76 | Looking for strings in segment .data [601020, 601030) 77 | Looking for strings in segment .bss [601030, 601038) 78 | Looking for strings in segment extern [601038, 601060) 79 | Looking for cross-references in segment .init [400390, 4003aa) 80 | Looking for cross-references in segment .plt [4003b0, 4003d0) 81 | Stopping scan at 4003bc 82 | Stopping scan at 4003cc 83 | Looking for cross-references in segment .plt.got [4003d0, 4003d8) 84 | Stopping scan at 4003d8 85 | Looking for cross-references in segment .text [4003e0, 400592) 86 | Stopping scan at 40040c 87 | Stopping scan at 400434 88 | Stopping scan at 40043c 89 | Stopping scan at ffffffffffffffff 90 | Stopping scan at 40047c 91 | Stopping scan at 40049c 92 | Stopping scan at 4004ac 93 | Stopping scan at 4004bc 94 | Stopping scan at 4004cc 95 | Stopping scan at ffffffffffffffff 96 | Stopping scan at ffffffffffffffff 97 | Stopping scan at 40058c 98 | Looking for cross-references in segment .fini [400594, 40059d) 99 | Looking for cross-references in segment .rodata [4005a0, 4005a4) 100 | Stopping scan at 4005a0 101 | Looking for cross-references in segment .eh_frame_hdr [4005a4, 4005e8) 102 | Stopping scan at 4005e4 103 | Looking for cross-references in segment .eh_frame [4005e8, 40071c) 104 | Stopping scan at 400718 105 | Looking for cross-references in segment .init_array [600e18, 600e20) 106 | Adding qword reference from 600e18 to 4004b0 107 | Stopping scan at 600e18 108 | Looking for cross-references in segment .fini_array [600e20, 600e28) 109 | Adding qword reference from 600e20 to 400480 110 | Stopping scan at 600e20 111 | Looking for cross-references in segment .got [600ff8, 601000) 112 | Adding qword reference from 600ff8 to 601050 113 | Stopping scan at 600ff8 114 | Looking for cross-references in segment .got.plt [601000, 601020) 115 | Adding qword reference from 601018 to 601040 116 | Stopping scan at 601018 117 | Looking for cross-references in segment .data [601020, 
601030) 118 | Stopping scan at 60102c 119 | Looking for cross-references in segment .bss [601030, 601038) 120 | Stopping scan at 601034 121 | Looking for cross-references in segment extern [601038, 601060) 122 | Stopping scan at 60105c 123 | Looking for thunks 124 | Found thunk for __libc_start_main targeting 601040 at 4003c0 125 | Found thunk for off_600FF8 targeting 600ff8 at 4003d0 126 | Looking for external symbols 127 | Function at 4003c0 is the external function __libc_start_main 128 | True name of __libc_start_main@@GLIBC_2.2.5 is __libc_start_main 129 | Function at 601038 is the external function __libc_start_main 130 | Function at 601040 is the external function __libc_start_main 131 | Function at 601050 is the external function __gmon_start__ 132 | Looking for entrypoints 133 | Recovering register_tm_clones at 400440 134 | Analysing subroutine register_tm_clones at 400440 135 | Subroutine register_tm_clones at 400440 has 4 blocks 136 | BB: 400440 in func 400440 with 10 insts 137 | I: 400440 (data imm internal 601030 __bss_start) 138 | I: 400445 139 | I: 400446 (data imm internal 601030 __bss_start) 140 | I: 40044d 141 | I: 400450 142 | I: 400454 143 | I: 400457 144 | I: 40045b 145 | I: 40045e 146 | I: 400461 (code flow internal 400478 ) 147 | Successors: 400478, 400463 148 | BB: 400478 in func 400440 with 2 insts 149 | I: 400478 150 | I: 400479 151 | No successors 152 | BB: 400463 in func 400440 with 3 insts 153 | I: 400463 154 | I: 400468 155 | I: 40046b (code flow internal 400478 ) 156 | Successors: 400478, 40046d 157 | BB: 40046d in func 400440 with 3 insts 158 | I: 40046d 159 | I: 40046e (data imm internal 601030 __bss_start) 160 | I: 400473 161 | No successors 162 | Recovering __gmon_start__ at 4003d0 163 | Analysing subroutine __gmon_start__ at 4003d0 164 | Subroutine __gmon_start__ at 4003d0 has 1 blocks 165 | BB: 4003d0 in func 4003d0 with 1 insts 166 | I: 4003d0 (data mem internal 600ff8 ) 167 | No successors 168 | Recovering _start at 4003e0 169 
| Analysing subroutine _start at 4003e0 170 | Subroutine _start at 4003e0 has 1 blocks 171 | BB: 4003e0 in func 4003e0 with 12 insts 172 | I: 4003e0 173 | I: 4003e2 174 | I: 4003e5 175 | I: 4003e6 176 | I: 4003e9 177 | I: 4003ed 178 | I: 4003ee 179 | I: 4003ef (code imm internal 400590 __libc_csu_fini) 180 | I: 4003f6 (code imm internal 400520 __libc_csu_init) 181 | I: 4003fd (code imm internal 400510 main) 182 | I: 400404 (data flow external 601040 __libc_start_main) 183 | I: 400409 184 | Does not return 185 | Recovering deregister_tm_clones at 400410 186 | Analysing subroutine deregister_tm_clones at 400410 187 | Subroutine deregister_tm_clones at 400410 has 4 blocks 188 | BB: 400410 in func 400410 with 5 insts 189 | I: 400410 190 | I: 400411 (data imm internal 601030 __bss_start) 191 | I: 400416 (data imm internal 601030 __bss_start) 192 | I: 40041c 193 | I: 40041f (code flow internal 400438 ) 194 | Successors: 400438, 400421 195 | BB: 400421 in func 400410 with 3 insts 196 | I: 400421 197 | I: 400426 198 | I: 400429 (code flow internal 400438 ) 199 | Successors: 400438, 40042b 200 | BB: 40042b in func 400410 with 3 insts 201 | I: 40042b 202 | I: 40042c (data imm internal 601030 __bss_start) 203 | I: 400431 204 | No successors 205 | BB: 400438 in func 400410 with 2 insts 206 | I: 400438 207 | I: 400439 208 | No successors 209 | Recovering __do_global_dtors_aux at 400480 210 | Analysing subroutine __do_global_dtors_aux at 400480 211 | Subroutine __do_global_dtors_aux at 400480 has 3 blocks 212 | BB: 400480 in func 400480 with 2 insts 213 | I: 400480 (data mem internal 601030 __bss_start) 214 | I: 400487 (code flow internal 4004a0 ) 215 | Successors: 4004a0, 400489 216 | BB: 400489 in func 400480 with 6 insts 217 | I: 400489 218 | I: 40048a 219 | I: 40048d (code flow internal 400410 deregister_tm_clones) 220 | I: 400492 (data mem internal 601030 __bss_start) 221 | I: 400499 222 | I: 40049a 223 | No successors 224 | BB: 4004a0 in func 400480 with 1 insts 225 | I: 
4004a0 226 | No successors 227 | Recovering frame_dummy at 4004b0 228 | Analysing subroutine frame_dummy at 4004b0 229 | Subroutine frame_dummy at 4004b0 has 1 blocks 230 | BB: 4004b0 in func 4004b0 with 4 insts 231 | I: 4004b0 232 | I: 4004b1 233 | I: 4004b4 234 | I: 4004b5 (code flow internal 400440 register_tm_clones) 235 | Successors: 400440 236 | Recovering generate_original at 4004c0 237 | Analysing subroutine generate_original at 4004c0 238 | Subroutine generate_original at 4004c0 has 1 blocks 239 | BB: 4004c0 in func 4004c0 with 6 insts 240 | I: 4004c0 241 | I: 4004c1 242 | I: 4004c4 243 | I: 4004c6 244 | I: 4004c9 245 | I: 4004ca 246 | No successors 247 | Recovering main at 400510 248 | Analysing subroutine main at 400510 249 | Subroutine main at 400510 has 1 blocks 250 | BB: 400510 in func 400510 with 6 insts 251 | I: 400510 252 | I: 400511 253 | I: 400514 254 | I: 400516 255 | I: 40051d 256 | I: 40051e 257 | No successors 258 | Recovering __libc_csu_init at 400520 259 | Analysing subroutine __libc_csu_init at 400520 260 | Subroutine __libc_csu_init at 400520 has 4 blocks 261 | BB: 400520 in func 400520 with 17 insts 262 | I: 400520 263 | I: 400522 264 | I: 400524 265 | I: 400527 266 | I: 400529 267 | I: 40052b (data mem internal 600e18 __frame_dummy_init_array_entry) 268 | I: 400532 269 | I: 400533 (data mem internal 600e20 __do_global_dtors_aux_fini_array_entry) 270 | I: 40053a 271 | I: 40053b 272 | I: 40053e 273 | I: 400541 274 | I: 400544 275 | I: 400548 276 | I: 40054c (code flow internal 400390 .init_proc) 277 | I: 400551 278 | I: 400554 (code flow internal 400576 ) 279 | Successors: 400576, 400556 280 | BB: 400560 in func 400520 with 7 insts 281 | I: 400560 282 | I: 400563 283 | I: 400566 284 | I: 400569 285 | I: 40056d 286 | I: 400571 287 | I: 400574 (code flow internal 400560 ) 288 | Successors: 400560, 400576 289 | BB: 400556 in func 400520 with 2 insts 290 | I: 400556 291 | I: 400558 292 | Successors: 400560 293 | BB: 400576 in func 400520 with 
8 insts 294 | I: 400576 295 | I: 40057a 296 | I: 40057b 297 | I: 40057c 298 | I: 40057e 299 | I: 400580 300 | I: 400582 301 | I: 400584 302 | No successors 303 | Recovering .init_proc at 400390 304 | Analysing subroutine .init_proc at 400390 305 | Subroutine .init_proc at 400390 has 3 blocks 306 | BB: 400390 in func 400390 with 4 insts 307 | I: 400390 308 | I: 400394 (data mem internal 600ff8 ) 309 | I: 40039b 310 | I: 40039e (code flow internal 4003a5 ) 311 | Successors: 4003a0, 4003a5 312 | BB: 4003a0 in func 400390 with 1 insts 313 | I: 4003a0 (data flow internal 600ff8 off_600FF8) 314 | Successors: 4003a5 315 | BB: 4003a5 in func 400390 with 2 insts 316 | I: 4003a5 317 | I: 4003a9 318 | No successors 319 | Recovering __libc_csu_fini at 400590 320 | Analysing subroutine __libc_csu_fini at 400590 321 | Subroutine __libc_csu_fini at 400590 has 1 blocks 322 | BB: 400590 in func 400590 with 1 insts 323 | I: 400590 324 | No successors 325 | Recovering .term_proc at 400594 326 | Analysing subroutine .term_proc at 400594 327 | Subroutine .term_proc at 400594 has 1 blocks 328 | BB: 400594 in func 400594 with 3 insts 329 | I: 400594 330 | I: 400598 331 | I: 40059c 332 | No successors 333 | Recovering replacement at 4004d0 334 | Analysing subroutine replacement at 4004d0 335 | Subroutine replacement at 4004d0 has 4 blocks 336 | BB: 4004d0 in func 4004d0 with 8 insts 337 | I: 4004d0 338 | I: 4004d1 339 | I: 4004d4 340 | I: 4004d8 341 | I: 4004db 342 | I: 4004de (code flow internal 4004c0 generate_original) 343 | I: 4004e3 344 | I: 4004e6 (code flow internal 4004fa ) 345 | Successors: 4004fa, 4004ec 346 | BB: 4004fa in func 4004d0 with 3 insts 347 | I: 4004fa 348 | I: 4004fd (code flow internal 4004c0 generate_original) 349 | I: 400502 350 | Successors: 400505 351 | BB: 4004ec in func 4004d0 with 4 insts 352 | I: 4004ec 353 | I: 4004ef 354 | I: 4004f2 355 | I: 4004f5 (code flow internal 400505 ) 356 | Successors: 400505 357 | BB: 400505 in func 4004d0 with 4 insts 358 | I: 
400505 359 | I: 400508 360 | I: 40050c 361 | I: 40050d 362 | No successors 363 | Global Variable None 364 | WARNING: Global constructor and destructor sections are adjacent! 365 | Splitting segment .bss at 601030 for exported variable __bss_start 366 | Recovering region .rodata [4005a0, 4005a4) in segment .rodata 367 | Recovering region .plt [4003b0, 4003d0) in segment .plt 368 | Recovering region .plt.got [4003d0, 4003d8) in segment .plt.got 369 | Recovering region .text [4003e0, 400592) in segment .text 370 | Recovering region .got.plt [601000, 601020) in segment .got.plt 371 | 8-byte reference at 601018 to 601040 (__libc_start_main) 372 | Recovering region .data [601020, 601030) in segment .data 373 | Recovering region .eh_frame [4005e8, 40071c) in segment .eh_frame 374 | Recovering region __bss_start [601030, 601038) in segment .bss 375 | Variable __bss_start at 601030 376 | Recovering region .init [400390, 4003aa) in segment .init 377 | Recovering region .got [600ff8, 601000) in segment .got 378 | 8-byte reference at 600ff8 to 601050 (__gmon_start__) 379 | Recovering region .fini [400594, 40059d) in segment .fini 380 | Recovering region .init_array [600e18, 600e28) in segment .init_array 381 | 8-byte reference at 600e18 to 4004b0 (frame_dummy) 382 | 8-byte reference at 600e20 to 400480 (__do_global_dtors_aux) 383 | Variable __frame_dummy_init_array_entry at 600e18 384 | Variable __do_global_dtors_aux_fini_array_entry at 600e20 385 | Recovering region .eh_frame_hdr [4005a4, 4005e8) in segment .eh_frame_hdr 386 | Recovering extern function __libc_start_main at 4003c0 387 | Recovering extern function __libc_start_main at 601038 388 | Recovering extern function __gmon_start__ at 601050 389 | Recovering extern function __libc_start_main at 601040 390 | Recovered 13 functions. 391 | Saving to: /home/aditi/ToB-Summer19/tests/arguments/mode2/withArgsReplacement.cfg 392 | Done analysis! 
393 | -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgsReplacement.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgsReplacement.new.bc -------------------------------------------------------------------------------- /tests/arguments/mode2/withArgsReplacement.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/arguments/mode2/withArgsReplacement.new.o -------------------------------------------------------------------------------- /tests/basic/mode1/basic: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basic -------------------------------------------------------------------------------- /tests/basic/mode1/basic.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basic.bc -------------------------------------------------------------------------------- /tests/basic/mode1/basic.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int generate() { 4 | return 1; 5 | } 6 | 7 | int main() { 8 | printf("%d", generate()); 9 | } 10 | -------------------------------------------------------------------------------- /tests/basic/mode1/basic.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basic.cfg 
-------------------------------------------------------------------------------- /tests/basic/mode1/basic.log: -------------------------------------------------------------------------------- 1 | Debugging is enabled. 2 | Loading Standard Definitions file: /home/aditi/mcsema-2.0.0-ve/env/bin/lib/python2.7/site-packages/mcsema_disass-2.0-py2.7.egg/mcsema_disass/defs/linux.txt 3 | Using Batch mode. 4 | Starting analysis 5 | Recovering module basic 6 | Looking for instructions in segment .init 7 | Default block heads for function 4003c8 with loose bounds [4003c8, 4003e2) 8 | block [4003c8, 4003d8) 9 | block [4003d8, 4003dd) 10 | block [4003dd, 4003e2) 11 | chunk [4003c8, 4003e2) 12 | Looking for instructions in segment .plt 13 | Default block heads for function 400400 with loose bounds [400400, 400406) 14 | block [400400, 400406) 15 | chunk [400400, 400406) 16 | Default block heads for function 400410 with loose bounds [400410, 400416) 17 | block [400410, 400416) 18 | chunk [400410, 400416) 19 | Looking for instructions in segment .plt.got 20 | Default block heads for function 400420 with loose bounds [400420, 400426) 21 | block [400420, 400426) 22 | chunk [400420, 400426) 23 | Looking for instructions in segment .text 24 | Default block heads for function 400430 with loose bounds [400430, 40045a) 25 | block [400430, 40045a) 26 | chunk [400430, 40045a) 27 | Default block heads for function 400460 with loose bounds [400460, 40048a) 28 | block [400460, 400471) 29 | block [400471, 40047b) 30 | block [40047b, 400483) 31 | block [400488, 40048a) 32 | chunk [400460, 40048a) 33 | Default block heads for function 400490 with loose bounds [400490, 4004ca) 34 | block [400490, 4004b3) 35 | block [4004b3, 4004bd) 36 | block [4004bd, 4004c5) 37 | block [4004c8, 4004ca) 38 | chunk [400490, 4004ca) 39 | Default block heads for function 4004d0 with loose bounds [4004d0, 4004f2) 40 | block [4004d0, 4004d9) 41 | block [4004d9, 4004eb) 42 | block [4004f0, 4004f2) 43 | chunk [4004d0, 
4004f2) 44 | Default block heads for function 400500 with loose bounds [400500, 400507) 45 | block [400500, 400507) 46 | chunk [400500, 400507) 47 | Default block heads for function 400510 with loose bounds [400510, 40051b) 48 | block [400510, 40051b) 49 | chunk [400510, 40051b) 50 | Default block heads for function 400520 with loose bounds [400520, 40054d) 51 | block [400520, 40054d) 52 | chunk [400520, 40054d) 53 | Default block heads for function 400550 with loose bounds [400550, 4005b5) 54 | block [400550, 400586) 55 | block [400586, 400590) 56 | block [400590, 4005a6) 57 | block [4005a6, 4005b5) 58 | chunk [400550, 4005b5) 59 | Default block heads for function 4005c0 with loose bounds [4005c0, 4005c2) 60 | block [4005c0, 4005c2) 61 | chunk [4005c0, 4005c2) 62 | Looking for instructions in segment .fini 63 | Default block heads for function 4005c4 with loose bounds [4005c4, 4005cd) 64 | block [4005c4, 4005cd) 65 | chunk [4005c4, 4005cd) 66 | Looking for strings in segment .rodata [4005d0, 4005d7) 67 | Found string '%d' of length 3 at 4005d4, jumping to 4005d7 68 | Looking for strings in segment .eh_frame_hdr [4005d8, 400614) 69 | Looking for strings in segment .eh_frame [400618, 40072c) 70 | Looking for strings in segment .init_array [600e18, 600e20) 71 | Looking for strings in segment .fini_array [600e20, 600e28) 72 | Looking for strings in segment .got [600ff8, 601000) 73 | Looking for strings in segment .got.plt [601000, 601028) 74 | Looking for strings in segment .data [601028, 601038) 75 | Looking for strings in segment .bss [601038, 601040) 76 | Looking for strings in segment extern [601040, 601078) 77 | Looking for cross-references in segment .init [4003c8, 4003e2) 78 | Looking for cross-references in segment .plt [4003f0, 400420) 79 | Stopping scan at 4003fc 80 | Stopping scan at 40040c 81 | Stopping scan at 40041c 82 | Looking for cross-references in segment .plt.got [400420, 400428) 83 | Stopping scan at 400428 84 | Looking for cross-references in 
segment .text [400430, 4005c2) 85 | Stopping scan at 40045c 86 | Stopping scan at 400484 87 | Stopping scan at 40048c 88 | Stopping scan at ffffffffffffffff 89 | Stopping scan at 4004cc 90 | Stopping scan at 4004ec 91 | Stopping scan at 4004fc 92 | Stopping scan at 40050c 93 | Stopping scan at 40051c 94 | Stopping scan at ffffffffffffffff 95 | Stopping scan at 4005bc 96 | Looking for cross-references in segment .fini [4005c4, 4005cd) 97 | Looking for cross-references in segment .rodata [4005d0, 4005d7) 98 | Found string at 4005d4, jumping to 4005d7 99 | Stopping scan at 4005d4 100 | Looking for cross-references in segment .eh_frame_hdr [4005d8, 400614) 101 | Stopping scan at 400610 102 | Looking for cross-references in segment .eh_frame [400618, 40072c) 103 | Stopping scan at 400728 104 | Looking for cross-references in segment .init_array [600e18, 600e20) 105 | Adding qword reference from 600e18 to 400500 106 | Stopping scan at 600e18 107 | Looking for cross-references in segment .fini_array [600e20, 600e28) 108 | Adding qword reference from 600e20 to 4004d0 109 | Stopping scan at 600e20 110 | Looking for cross-references in segment .got [600ff8, 601000) 111 | Adding qword reference from 600ff8 to 601068 112 | Stopping scan at 600ff8 113 | Looking for cross-references in segment .got.plt [601000, 601028) 114 | Adding qword reference from 601018 to 601050 115 | Adding qword reference from 601020 to 601058 116 | Stopping scan at 601020 117 | Looking for cross-references in segment .data [601028, 601038) 118 | Stopping scan at 601034 119 | Looking for cross-references in segment .bss [601038, 601040) 120 | Stopping scan at 60103c 121 | Looking for cross-references in segment extern [601040, 601078) 122 | Stopping scan at 601074 123 | Looking for thunks 124 | Found thunk for printf targeting 601050 at 400400 125 | Found thunk for __libc_start_main targeting 601058 at 400410 126 | Found thunk for off_600FF8 targeting 600ff8 at 400420 127 | Looking for external symbols 
128 | Function at 400400 is the external function printf 129 | Function at 400410 is the external function __libc_start_main 130 | True name of printf@@GLIBC_2.2.5 is printf 131 | Function at 601040 is the external function printf 132 | True name of __libc_start_main@@GLIBC_2.2.5 is __libc_start_main 133 | Function at 601048 is the external function __libc_start_main 134 | Function at 601050 is the external function printf 135 | Function at 601058 is the external function __libc_start_main 136 | Function at 601068 is the external function __gmon_start__ 137 | Looking for entrypoints 138 | Recovering deregister_tm_clones at 400460 139 | Analysing subroutine deregister_tm_clones at 400460 140 | Subroutine deregister_tm_clones at 400460 has 4 blocks 141 | BB: 400460 in func 400460 with 5 insts 142 | I: 400460 143 | I: 400461 (data imm internal 601038 __bss_start) 144 | I: 400466 (data imm internal 601038 __bss_start) 145 | I: 40046c 146 | I: 40046f (code flow internal 400488 ) 147 | Successors: 400488, 400471 148 | BB: 400471 in func 400460 with 3 insts 149 | I: 400471 150 | I: 400476 151 | I: 400479 (code flow internal 400488 ) 152 | Successors: 400488, 40047b 153 | BB: 400488 in func 400460 with 2 insts 154 | I: 400488 155 | I: 400489 156 | No successors 157 | BB: 40047b in func 400460 with 3 insts 158 | I: 40047b 159 | I: 40047c (data imm internal 601038 __bss_start) 160 | I: 400481 161 | No successors 162 | Recovering .term_proc at 4005c4 163 | Analysing subroutine .term_proc at 4005c4 164 | Subroutine .term_proc at 4005c4 has 1 blocks 165 | BB: 4005c4 in func 4005c4 with 3 insts 166 | I: 4005c4 167 | I: 4005c8 168 | I: 4005cc 169 | No successors 170 | Recovering __gmon_start__ at 400420 171 | Analysing subroutine __gmon_start__ at 400420 172 | Subroutine __gmon_start__ at 400420 has 1 blocks 173 | BB: 400420 in func 400420 with 1 insts 174 | I: 400420 (data mem internal 600ff8 ) 175 | No successors 176 | Recovering .init_proc at 4003c8 177 | Analysing subroutine 
.init_proc at 4003c8 178 | Subroutine .init_proc at 4003c8 has 3 blocks 179 | BB: 4003c8 in func 4003c8 with 4 insts 180 | I: 4003c8 181 | I: 4003cc (data mem internal 600ff8 ) 182 | I: 4003d3 183 | I: 4003d6 (code flow internal 4003dd ) 184 | Successors: 4003d8, 4003dd 185 | BB: 4003d8 in func 4003c8 with 1 insts 186 | I: 4003d8 (data flow internal 600ff8 off_600FF8) 187 | Successors: 4003dd 188 | BB: 4003dd in func 4003c8 with 2 insts 189 | I: 4003dd 190 | I: 4003e1 191 | No successors 192 | Recovering generate at 400510 193 | Analysing subroutine generate at 400510 194 | Subroutine generate at 400510 has 1 blocks 195 | BB: 400510 in func 400510 with 5 insts 196 | I: 400510 197 | I: 400511 198 | I: 400514 199 | I: 400519 200 | I: 40051a 201 | No successors 202 | Recovering register_tm_clones at 400490 203 | Analysing subroutine register_tm_clones at 400490 204 | Subroutine register_tm_clones at 400490 has 4 blocks 205 | BB: 400490 in func 400490 with 10 insts 206 | I: 400490 (data imm internal 601038 __bss_start) 207 | I: 400495 208 | I: 400496 (data imm internal 601038 __bss_start) 209 | I: 40049d 210 | I: 4004a0 211 | I: 4004a4 212 | I: 4004a7 213 | I: 4004ab 214 | I: 4004ae 215 | I: 4004b1 (code flow internal 4004c8 ) 216 | Successors: 4004c8, 4004b3 217 | BB: 4004c8 in func 400490 with 2 insts 218 | I: 4004c8 219 | I: 4004c9 220 | No successors 221 | BB: 4004b3 in func 400490 with 3 insts 222 | I: 4004b3 223 | I: 4004b8 224 | I: 4004bb (code flow internal 4004c8 ) 225 | Successors: 4004c8, 4004bd 226 | BB: 4004bd in func 400490 with 3 insts 227 | I: 4004bd 228 | I: 4004be (data imm internal 601038 __bss_start) 229 | I: 4004c3 230 | No successors 231 | Recovering __do_global_dtors_aux at 4004d0 232 | Analysing subroutine __do_global_dtors_aux at 4004d0 233 | Subroutine __do_global_dtors_aux at 4004d0 has 3 blocks 234 | BB: 4004d0 in func 4004d0 with 2 insts 235 | I: 4004d0 (data mem internal 601038 __bss_start) 236 | I: 4004d7 (code flow internal 4004f0 ) 237 
| Successors: 4004f0, 4004d9 238 | BB: 4004d9 in func 4004d0 with 6 insts 239 | I: 4004d9 240 | I: 4004da 241 | I: 4004dd (code flow internal 400460 deregister_tm_clones) 242 | I: 4004e2 (data mem internal 601038 __bss_start) 243 | I: 4004e9 244 | I: 4004ea 245 | No successors 246 | BB: 4004f0 in func 4004d0 with 1 insts 247 | I: 4004f0 248 | No successors 249 | Recovering frame_dummy at 400500 250 | Analysing subroutine frame_dummy at 400500 251 | Subroutine frame_dummy at 400500 has 1 blocks 252 | BB: 400500 in func 400500 with 4 insts 253 | I: 400500 254 | I: 400501 255 | I: 400504 256 | I: 400505 (code flow internal 400490 register_tm_clones) 257 | Successors: 400490 258 | Recovering main at 400520 259 | Analysing subroutine main at 400520 260 | Subroutine main at 400520 has 1 blocks 261 | BB: 400520 in func 400520 with 14 insts 262 | I: 400520 263 | I: 400521 264 | I: 400524 265 | I: 400528 (code flow internal 400510 generate) 266 | I: 40052d (data imm internal 4005d4 format) 267 | I: 400537 268 | I: 400539 269 | I: 40053b (data flow external 601050 printf) 270 | I: 400540 271 | I: 400542 272 | I: 400545 273 | I: 400547 274 | I: 40054b 275 | I: 40054c 276 | No successors 277 | Recovering _start at 400430 278 | Analysing subroutine _start at 400430 279 | Subroutine _start at 400430 has 1 blocks 280 | BB: 400430 in func 400430 with 12 insts 281 | I: 400430 282 | I: 400432 283 | I: 400435 284 | I: 400436 285 | I: 400439 286 | I: 40043d 287 | I: 40043e 288 | I: 40043f (code imm internal 4005c0 __libc_csu_fini) 289 | I: 400446 (code imm internal 400550 __libc_csu_init) 290 | I: 40044d (code imm internal 400520 main) 291 | I: 400454 (data flow external 601058 __libc_start_main) 292 | I: 400459 293 | Does not return 294 | Recovering __libc_csu_init at 400550 295 | Analysing subroutine __libc_csu_init at 400550 296 | Subroutine __libc_csu_init at 400550 has 4 blocks 297 | BB: 400550 in func 400550 with 17 insts 298 | I: 400550 299 | I: 400552 300 | I: 400554 301 | I: 
400557 302 | I: 400559 303 | I: 40055b (data mem internal 600e18 __frame_dummy_init_array_entry) 304 | I: 400562 305 | I: 400563 (data mem internal 600e20 __do_global_dtors_aux_fini_array_entry) 306 | I: 40056a 307 | I: 40056b 308 | I: 40056e 309 | I: 400571 310 | I: 400574 311 | I: 400578 312 | I: 40057c (code flow internal 4003c8 .init_proc) 313 | I: 400581 314 | I: 400584 (code flow internal 4005a6 ) 315 | Successors: 4005a6, 400586 316 | BB: 400590 in func 400550 with 7 insts 317 | I: 400590 318 | I: 400593 319 | I: 400596 320 | I: 400599 321 | I: 40059d 322 | I: 4005a1 323 | I: 4005a4 (code flow internal 400590 ) 324 | Successors: 400590, 4005a6 325 | BB: 400586 in func 400550 with 2 insts 326 | I: 400586 327 | I: 400588 328 | Successors: 400590 329 | BB: 4005a6 in func 400550 with 8 insts 330 | I: 4005a6 331 | I: 4005aa 332 | I: 4005ab 333 | I: 4005ac 334 | I: 4005ae 335 | I: 4005b0 336 | I: 4005b2 337 | I: 4005b4 338 | No successors 339 | Recovering __libc_csu_fini at 4005c0 340 | Analysing subroutine __libc_csu_fini at 4005c0 341 | Subroutine __libc_csu_fini at 4005c0 has 1 blocks 342 | BB: 4005c0 in func 4005c0 with 1 insts 343 | I: 4005c0 344 | No successors 345 | Global Variable None 346 | WARNING: Global constructor and destructor sections are adjacent! 
347 | Splitting segment .bss at 601038 for exported variable __bss_start 348 | Recovering region .plt.got [400420, 400428) in segment .plt.got 349 | Recovering region .text [400430, 4005c2) in segment .text 350 | Recovering region .got.plt [601000, 601028) in segment .got.plt 351 | 8-byte reference at 601018 to 601050 (printf) 352 | 8-byte reference at 601020 to 601058 (__libc_start_main) 353 | Recovering region .fini [4005c4, 4005cd) in segment .fini 354 | Recovering region .init_array [600e18, 600e28) in segment .init_array 355 | 8-byte reference at 600e18 to 400500 (frame_dummy) 356 | 8-byte reference at 600e20 to 4004d0 (__do_global_dtors_aux) 357 | Variable __frame_dummy_init_array_entry at 600e18 358 | Variable __do_global_dtors_aux_fini_array_entry at 600e20 359 | Recovering region .init [4003c8, 4003e2) in segment .init 360 | Recovering region .plt [4003f0, 400420) in segment .plt 361 | Recovering region .eh_frame [400618, 40072c) in segment .eh_frame 362 | Recovering region .rodata [4005d0, 4005d7) in segment .rodata 363 | Variable format at 4005d4 364 | Recovering region .got [600ff8, 601000) in segment .got 365 | 8-byte reference at 600ff8 to 601068 (__gmon_start__) 366 | Recovering region .data [601028, 601038) in segment .data 367 | Recovering region .eh_frame_hdr [4005d8, 400614) in segment .eh_frame_hdr 368 | Recovering region __bss_start [601038, 601040) in segment .bss 369 | Variable __bss_start at 601038 370 | Recovering extern function printf at 400400 371 | Recovering extern function printf at 601040 372 | Recovering extern function __libc_start_main at 601048 373 | Recovering extern function printf at 601050 374 | Recovering extern function __libc_start_main at 400410 375 | Recovering extern function __gmon_start__ at 601068 376 | Recovering extern function __libc_start_main at 601058 377 | Recovered 12 functions. 378 | Saving to: /home/aditi/ToB-Summer19/tests/basic/mode1/basic.cfg 379 | Done analysis! 
380 | -------------------------------------------------------------------------------- /tests/basic/mode1/basic.new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basic.new -------------------------------------------------------------------------------- /tests/basic/mode1/basic.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basic.new.bc -------------------------------------------------------------------------------- /tests/basic/mode1/basic.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basic.new.o -------------------------------------------------------------------------------- /tests/basic/mode1/basicReplacement: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basicReplacement -------------------------------------------------------------------------------- /tests/basic/mode1/basicReplacement.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basicReplacement.bc -------------------------------------------------------------------------------- /tests/basic/mode1/basicReplacement.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int replacement() { 4 | return 2; 5 | } 6 | 7 | int main() { 8 | return 0; 9 | } 10 | 
-------------------------------------------------------------------------------- /tests/basic/mode1/basicReplacement.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basicReplacement.cfg -------------------------------------------------------------------------------- /tests/basic/mode1/basicReplacement.log: -------------------------------------------------------------------------------- 1 | Debugging is enabled. 2 | Loading Standard Definitions file: /home/aditi/mcsema-2.0.0-ve/env/bin/lib/python2.7/site-packages/mcsema_disass-2.0-py2.7.egg/mcsema_disass/defs/linux.txt 3 | Using Batch mode. 4 | Starting analysis 5 | Recovering module basicReplacement 6 | Looking for instructions in segment .init 7 | Default block heads for function 400390 with loose bounds [400390, 4003aa) 8 | block [400390, 4003a0) 9 | block [4003a0, 4003a5) 10 | block [4003a5, 4003aa) 11 | chunk [400390, 4003aa) 12 | Looking for instructions in segment .plt 13 | Default block heads for function 4003c0 with loose bounds [4003c0, 4003c6) 14 | block [4003c0, 4003c6) 15 | chunk [4003c0, 4003c6) 16 | Looking for instructions in segment .plt.got 17 | Default block heads for function 4003d0 with loose bounds [4003d0, 4003d6) 18 | block [4003d0, 4003d6) 19 | chunk [4003d0, 4003d6) 20 | Looking for instructions in segment .text 21 | Default block heads for function 4003e0 with loose bounds [4003e0, 40040a) 22 | block [4003e0, 40040a) 23 | chunk [4003e0, 40040a) 24 | Default block heads for function 400410 with loose bounds [400410, 40043a) 25 | block [400410, 400421) 26 | block [400421, 40042b) 27 | block [40042b, 400433) 28 | block [400438, 40043a) 29 | chunk [400410, 40043a) 30 | Default block heads for function 400440 with loose bounds [400440, 40047a) 31 | block [400440, 400463) 32 | block [400463, 40046d) 33 | block [40046d, 400475) 34 | block [400478, 
40047a) 35 | chunk [400440, 40047a) 36 | Default block heads for function 400480 with loose bounds [400480, 4004a2) 37 | block [400480, 400489) 38 | block [400489, 40049b) 39 | block [4004a0, 4004a2) 40 | chunk [400480, 4004a2) 41 | Default block heads for function 4004b0 with loose bounds [4004b0, 4004b7) 42 | block [4004b0, 4004b7) 43 | chunk [4004b0, 4004b7) 44 | Default block heads for function 4004c0 with loose bounds [4004c0, 4004cb) 45 | block [4004c0, 4004cb) 46 | chunk [4004c0, 4004cb) 47 | Default block heads for function 4004d0 with loose bounds [4004d0, 4004df) 48 | block [4004d0, 4004df) 49 | chunk [4004d0, 4004df) 50 | Default block heads for function 4004e0 with loose bounds [4004e0, 400545) 51 | block [4004e0, 400516) 52 | block [400516, 400520) 53 | block [400520, 400536) 54 | block [400536, 400545) 55 | chunk [4004e0, 400545) 56 | Default block heads for function 400550 with loose bounds [400550, 400552) 57 | block [400550, 400552) 58 | chunk [400550, 400552) 59 | Looking for instructions in segment .fini 60 | Default block heads for function 400554 with loose bounds [400554, 40055d) 61 | block [400554, 40055d) 62 | chunk [400554, 40055d) 63 | Looking for strings in segment .rodata [400560, 400564) 64 | Looking for strings in segment .eh_frame_hdr [400564, 4005a0) 65 | Looking for strings in segment .eh_frame [4005a0, 4006b4) 66 | Looking for strings in segment .init_array [600e18, 600e20) 67 | Looking for strings in segment .fini_array [600e20, 600e28) 68 | Looking for strings in segment .got [600ff8, 601000) 69 | Looking for strings in segment .got.plt [601000, 601020) 70 | Looking for strings in segment .data [601020, 601030) 71 | Looking for strings in segment .bss [601030, 601038) 72 | Looking for strings in segment extern [601038, 601060) 73 | Looking for cross-references in segment .init [400390, 4003aa) 74 | Looking for cross-references in segment .plt [4003b0, 4003d0) 75 | Stopping scan at 4003bc 76 | Stopping scan at 4003cc 77 | Looking 
for cross-references in segment .plt.got [4003d0, 4003d8) 78 | Stopping scan at 4003d8 79 | Looking for cross-references in segment .text [4003e0, 400552) 80 | Stopping scan at 40040c 81 | Stopping scan at 400434 82 | Stopping scan at 40043c 83 | Stopping scan at ffffffffffffffff 84 | Stopping scan at 40047c 85 | Stopping scan at 40049c 86 | Stopping scan at 4004ac 87 | Stopping scan at 4004bc 88 | Stopping scan at 4004cc 89 | Stopping scan at ffffffffffffffff 90 | Stopping scan at 40054c 91 | Looking for cross-references in segment .fini [400554, 40055d) 92 | Looking for cross-references in segment .rodata [400560, 400564) 93 | Stopping scan at 400560 94 | Looking for cross-references in segment .eh_frame_hdr [400564, 4005a0) 95 | Stopping scan at 40059c 96 | Looking for cross-references in segment .eh_frame [4005a0, 4006b4) 97 | Stopping scan at 4006b0 98 | Looking for cross-references in segment .init_array [600e18, 600e20) 99 | Adding qword reference from 600e18 to 4004b0 100 | Stopping scan at 600e18 101 | Looking for cross-references in segment .fini_array [600e20, 600e28) 102 | Adding qword reference from 600e20 to 400480 103 | Stopping scan at 600e20 104 | Looking for cross-references in segment .got [600ff8, 601000) 105 | Adding qword reference from 600ff8 to 601050 106 | Stopping scan at 600ff8 107 | Looking for cross-references in segment .got.plt [601000, 601020) 108 | Adding qword reference from 601018 to 601040 109 | Stopping scan at 601018 110 | Looking for cross-references in segment .data [601020, 601030) 111 | Stopping scan at 60102c 112 | Looking for cross-references in segment .bss [601030, 601038) 113 | Stopping scan at 601034 114 | Looking for cross-references in segment extern [601038, 601060) 115 | Stopping scan at 60105c 116 | Looking for thunks 117 | Found thunk for __libc_start_main targeting 601040 at 4003c0 118 | Found thunk for off_600FF8 targeting 600ff8 at 4003d0 119 | Looking for external symbols 120 | Function at 4003c0 is the 
external function __libc_start_main 121 | True name of __libc_start_main@@GLIBC_2.2.5 is __libc_start_main 122 | Function at 601038 is the external function __libc_start_main 123 | Function at 601040 is the external function __libc_start_main 124 | Function at 601050 is the external function __gmon_start__ 125 | Looking for entrypoints 126 | Recovering register_tm_clones at 400440 127 | Analysing subroutine register_tm_clones at 400440 128 | Subroutine register_tm_clones at 400440 has 4 blocks 129 | BB: 400440 in func 400440 with 10 insts 130 | I: 400440 (data imm internal 601030 __bss_start) 131 | I: 400445 132 | I: 400446 (data imm internal 601030 __bss_start) 133 | I: 40044d 134 | I: 400450 135 | I: 400454 136 | I: 400457 137 | I: 40045b 138 | I: 40045e 139 | I: 400461 (code flow internal 400478 ) 140 | Successors: 400478, 400463 141 | BB: 400478 in func 400440 with 2 insts 142 | I: 400478 143 | I: 400479 144 | No successors 145 | BB: 400463 in func 400440 with 3 insts 146 | I: 400463 147 | I: 400468 148 | I: 40046b (code flow internal 400478 ) 149 | Successors: 400478, 40046d 150 | BB: 40046d in func 400440 with 3 insts 151 | I: 40046d 152 | I: 40046e (data imm internal 601030 __bss_start) 153 | I: 400473 154 | No successors 155 | Recovering __gmon_start__ at 4003d0 156 | Analysing subroutine __gmon_start__ at 4003d0 157 | Subroutine __gmon_start__ at 4003d0 has 1 blocks 158 | BB: 4003d0 in func 4003d0 with 1 insts 159 | I: 4003d0 (data mem internal 600ff8 ) 160 | No successors 161 | Recovering _start at 4003e0 162 | Analysing subroutine _start at 4003e0 163 | Subroutine _start at 4003e0 has 1 blocks 164 | BB: 4003e0 in func 4003e0 with 12 insts 165 | I: 4003e0 166 | I: 4003e2 167 | I: 4003e5 168 | I: 4003e6 169 | I: 4003e9 170 | I: 4003ed 171 | I: 4003ee 172 | I: 4003ef (code imm internal 400550 __libc_csu_fini) 173 | I: 4003f6 (code imm internal 4004e0 __libc_csu_init) 174 | I: 4003fd (code imm internal 4004d0 main) 175 | I: 400404 (data flow external 601040 
__libc_start_main) 176 | I: 400409 177 | Does not return 178 | Recovering deregister_tm_clones at 400410 179 | Analysing subroutine deregister_tm_clones at 400410 180 | Subroutine deregister_tm_clones at 400410 has 4 blocks 181 | BB: 400410 in func 400410 with 5 insts 182 | I: 400410 183 | I: 400411 (data imm internal 601030 __bss_start) 184 | I: 400416 (data imm internal 601030 __bss_start) 185 | I: 40041c 186 | I: 40041f (code flow internal 400438 ) 187 | Successors: 400438, 400421 188 | BB: 400421 in func 400410 with 3 insts 189 | I: 400421 190 | I: 400426 191 | I: 400429 (code flow internal 400438 ) 192 | Successors: 400438, 40042b 193 | BB: 40042b in func 400410 with 3 insts 194 | I: 40042b 195 | I: 40042c (data imm internal 601030 __bss_start) 196 | I: 400431 197 | No successors 198 | BB: 400438 in func 400410 with 2 insts 199 | I: 400438 200 | I: 400439 201 | No successors 202 | Recovering __do_global_dtors_aux at 400480 203 | Analysing subroutine __do_global_dtors_aux at 400480 204 | Subroutine __do_global_dtors_aux at 400480 has 3 blocks 205 | BB: 400480 in func 400480 with 2 insts 206 | I: 400480 (data mem internal 601030 __bss_start) 207 | I: 400487 (code flow internal 4004a0 ) 208 | Successors: 4004a0, 400489 209 | BB: 400489 in func 400480 with 6 insts 210 | I: 400489 211 | I: 40048a 212 | I: 40048d (code flow internal 400410 deregister_tm_clones) 213 | I: 400492 (data mem internal 601030 __bss_start) 214 | I: 400499 215 | I: 40049a 216 | No successors 217 | BB: 4004a0 in func 400480 with 1 insts 218 | I: 4004a0 219 | No successors 220 | Recovering frame_dummy at 4004b0 221 | Analysing subroutine frame_dummy at 4004b0 222 | Subroutine frame_dummy at 4004b0 has 1 blocks 223 | BB: 4004b0 in func 4004b0 with 4 insts 224 | I: 4004b0 225 | I: 4004b1 226 | I: 4004b4 227 | I: 4004b5 (code flow internal 400440 register_tm_clones) 228 | Successors: 400440 229 | Recovering replacement at 4004c0 230 | Analysing subroutine replacement at 4004c0 231 | Subroutine 
replacement at 4004c0 has 1 blocks 232 | BB: 4004c0 in func 4004c0 with 5 insts 233 | I: 4004c0 234 | I: 4004c1 235 | I: 4004c4 236 | I: 4004c9 237 | I: 4004ca 238 | No successors 239 | Recovering __libc_csu_init at 4004e0 240 | Analysing subroutine __libc_csu_init at 4004e0 241 | Subroutine __libc_csu_init at 4004e0 has 4 blocks 242 | BB: 4004e0 in func 4004e0 with 17 insts 243 | I: 4004e0 244 | I: 4004e2 245 | I: 4004e4 246 | I: 4004e7 247 | I: 4004e9 248 | I: 4004eb (data mem internal 600e18 __frame_dummy_init_array_entry) 249 | I: 4004f2 250 | I: 4004f3 (data mem internal 600e20 __do_global_dtors_aux_fini_array_entry) 251 | I: 4004fa 252 | I: 4004fb 253 | I: 4004fe 254 | I: 400501 255 | I: 400504 256 | I: 400508 257 | I: 40050c (code flow internal 400390 .init_proc) 258 | I: 400511 259 | I: 400514 (code flow internal 400536 ) 260 | Successors: 400536, 400516 261 | BB: 400520 in func 4004e0 with 7 insts 262 | I: 400520 263 | I: 400523 264 | I: 400526 265 | I: 400529 266 | I: 40052d 267 | I: 400531 268 | I: 400534 (code flow internal 400520 ) 269 | Successors: 400520, 400536 270 | BB: 400516 in func 4004e0 with 2 insts 271 | I: 400516 272 | I: 400518 273 | Successors: 400520 274 | BB: 400536 in func 4004e0 with 8 insts 275 | I: 400536 276 | I: 40053a 277 | I: 40053b 278 | I: 40053c 279 | I: 40053e 280 | I: 400540 281 | I: 400542 282 | I: 400544 283 | No successors 284 | Recovering .init_proc at 400390 285 | Analysing subroutine .init_proc at 400390 286 | Subroutine .init_proc at 400390 has 3 blocks 287 | BB: 400390 in func 400390 with 4 insts 288 | I: 400390 289 | I: 400394 (data mem internal 600ff8 ) 290 | I: 40039b 291 | I: 40039e (code flow internal 4003a5 ) 292 | Successors: 4003a0, 4003a5 293 | BB: 4003a0 in func 400390 with 1 insts 294 | I: 4003a0 (data flow internal 600ff8 off_600FF8) 295 | Successors: 4003a5 296 | BB: 4003a5 in func 400390 with 2 insts 297 | I: 4003a5 298 | I: 4003a9 299 | No successors 300 | Recovering __libc_csu_fini at 400550 301 | 
Analysing subroutine __libc_csu_fini at 400550 302 | Subroutine __libc_csu_fini at 400550 has 1 blocks 303 | BB: 400550 in func 400550 with 1 insts 304 | I: 400550 305 | No successors 306 | Recovering .term_proc at 400554 307 | Analysing subroutine .term_proc at 400554 308 | Subroutine .term_proc at 400554 has 1 blocks 309 | BB: 400554 in func 400554 with 3 insts 310 | I: 400554 311 | I: 400558 312 | I: 40055c 313 | No successors 314 | Recovering main at 4004d0 315 | Analysing subroutine main at 4004d0 316 | Subroutine main at 4004d0 has 1 blocks 317 | BB: 4004d0 in func 4004d0 with 6 insts 318 | I: 4004d0 319 | I: 4004d1 320 | I: 4004d4 321 | I: 4004d6 322 | I: 4004dd 323 | I: 4004de 324 | No successors 325 | Global Variable None 326 | WARNING: Global constructor and destructor sections are adjacent! 327 | Splitting segment .bss at 601030 for exported variable __bss_start 328 | Recovering region .text [4003e0, 400552) in segment .text 329 | Recovering region .plt [4003b0, 4003d0) in segment .plt 330 | Recovering region .plt.got [4003d0, 4003d8) in segment .plt.got 331 | Recovering region .got.plt [601000, 601020) in segment .got.plt 332 | 8-byte reference at 601018 to 601040 (__libc_start_main) 333 | Recovering region .data [601020, 601030) in segment .data 334 | Recovering region __bss_start [601030, 601038) in segment .bss 335 | Variable __bss_start at 601030 336 | Recovering region .init [400390, 4003aa) in segment .init 337 | Recovering region .rodata [400560, 400564) in segment .rodata 338 | Recovering region .eh_frame [4005a0, 4006b4) in segment .eh_frame 339 | Recovering region .fini [400554, 40055d) in segment .fini 340 | Recovering region .got [600ff8, 601000) in segment .got 341 | 8-byte reference at 600ff8 to 601050 (__gmon_start__) 342 | Recovering region .init_array [600e18, 600e28) in segment .init_array 343 | 8-byte reference at 600e18 to 4004b0 (frame_dummy) 344 | 8-byte reference at 600e20 to 400480 (__do_global_dtors_aux) 345 | Variable 
__frame_dummy_init_array_entry at 600e18 346 | Variable __do_global_dtors_aux_fini_array_entry at 600e20 347 | Recovering region .eh_frame_hdr [400564, 4005a0) in segment .eh_frame_hdr 348 | Recovering extern function __libc_start_main at 4003c0 349 | Recovering extern function __libc_start_main at 601038 350 | Recovering extern function __gmon_start__ at 601050 351 | Recovering extern function __libc_start_main at 601040 352 | Recovered 12 functions. 353 | Saving to: /home/aditi/ToB-Summer19/tests/basic/mode1/basicReplacement.cfg 354 | Done analysis! 355 | -------------------------------------------------------------------------------- /tests/basic/mode1/basicReplacement.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basicReplacement.new.bc -------------------------------------------------------------------------------- /tests/basic/mode1/basicReplacement.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basicReplacement.new.o -------------------------------------------------------------------------------- /tests/basic/mode1/basicReplacement.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode1/basicReplacement.o -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basic: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basic -------------------------------------------------------------------------------- 
/tests/basic/mode2_notReplaced/basic.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basic.bc -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basic.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int generate() { 4 | return 1; 5 | } 6 | 7 | int main() { 8 | printf("%d", generate()); 9 | } 10 | -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basic.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basic.cfg -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basic.log: -------------------------------------------------------------------------------- 1 | Debugging is enabled. 2 | Loading Standard Definitions file: /home/aditi/mcsema-2.0.0-ve/env/bin/lib/python2.7/site-packages/mcsema_disass-2.0-py2.7.egg/mcsema_disass/defs/linux.txt 3 | Using Batch mode. 
4 | Starting analysis 5 | Recovering module basic 6 | Looking for instructions in segment .init 7 | Default block heads for function 4003c8 with loose bounds [4003c8, 4003e2) 8 | block [4003c8, 4003d8) 9 | block [4003d8, 4003dd) 10 | block [4003dd, 4003e2) 11 | chunk [4003c8, 4003e2) 12 | Looking for instructions in segment .plt 13 | Default block heads for function 400400 with loose bounds [400400, 400406) 14 | block [400400, 400406) 15 | chunk [400400, 400406) 16 | Default block heads for function 400410 with loose bounds [400410, 400416) 17 | block [400410, 400416) 18 | chunk [400410, 400416) 19 | Looking for instructions in segment .plt.got 20 | Default block heads for function 400420 with loose bounds [400420, 400426) 21 | block [400420, 400426) 22 | chunk [400420, 400426) 23 | Looking for instructions in segment .text 24 | Default block heads for function 400430 with loose bounds [400430, 40045a) 25 | block [400430, 40045a) 26 | chunk [400430, 40045a) 27 | Default block heads for function 400460 with loose bounds [400460, 40048a) 28 | block [400460, 400471) 29 | block [400471, 40047b) 30 | block [40047b, 400483) 31 | block [400488, 40048a) 32 | chunk [400460, 40048a) 33 | Default block heads for function 400490 with loose bounds [400490, 4004ca) 34 | block [400490, 4004b3) 35 | block [4004b3, 4004bd) 36 | block [4004bd, 4004c5) 37 | block [4004c8, 4004ca) 38 | chunk [400490, 4004ca) 39 | Default block heads for function 4004d0 with loose bounds [4004d0, 4004f2) 40 | block [4004d0, 4004d9) 41 | block [4004d9, 4004eb) 42 | block [4004f0, 4004f2) 43 | chunk [4004d0, 4004f2) 44 | Default block heads for function 400500 with loose bounds [400500, 400507) 45 | block [400500, 400507) 46 | chunk [400500, 400507) 47 | Default block heads for function 400510 with loose bounds [400510, 40051b) 48 | block [400510, 40051b) 49 | chunk [400510, 40051b) 50 | Default block heads for function 400520 with loose bounds [400520, 40054d) 51 | block [400520, 40054d) 52 | chunk 
[400520, 40054d) 53 | Default block heads for function 400550 with loose bounds [400550, 4005b5) 54 | block [400550, 400586) 55 | block [400586, 400590) 56 | block [400590, 4005a6) 57 | block [4005a6, 4005b5) 58 | chunk [400550, 4005b5) 59 | Default block heads for function 4005c0 with loose bounds [4005c0, 4005c2) 60 | block [4005c0, 4005c2) 61 | chunk [4005c0, 4005c2) 62 | Looking for instructions in segment .fini 63 | Default block heads for function 4005c4 with loose bounds [4005c4, 4005cd) 64 | block [4005c4, 4005cd) 65 | chunk [4005c4, 4005cd) 66 | Looking for strings in segment .rodata [4005d0, 4005d7) 67 | Found string '%d' of length 3 at 4005d4, jumping to 4005d7 68 | Looking for strings in segment .eh_frame_hdr [4005d8, 400614) 69 | Looking for strings in segment .eh_frame [400618, 40072c) 70 | Looking for strings in segment .init_array [600e18, 600e20) 71 | Looking for strings in segment .fini_array [600e20, 600e28) 72 | Looking for strings in segment .got [600ff8, 601000) 73 | Looking for strings in segment .got.plt [601000, 601028) 74 | Looking for strings in segment .data [601028, 601038) 75 | Looking for strings in segment .bss [601038, 601040) 76 | Looking for strings in segment extern [601040, 601078) 77 | Looking for cross-references in segment .init [4003c8, 4003e2) 78 | Looking for cross-references in segment .plt [4003f0, 400420) 79 | Stopping scan at 4003fc 80 | Stopping scan at 40040c 81 | Stopping scan at 40041c 82 | Looking for cross-references in segment .plt.got [400420, 400428) 83 | Stopping scan at 400428 84 | Looking for cross-references in segment .text [400430, 4005c2) 85 | Stopping scan at 40045c 86 | Stopping scan at 400484 87 | Stopping scan at 40048c 88 | Stopping scan at ffffffffffffffff 89 | Stopping scan at 4004cc 90 | Stopping scan at 4004ec 91 | Stopping scan at 4004fc 92 | Stopping scan at 40050c 93 | Stopping scan at 40051c 94 | Stopping scan at ffffffffffffffff 95 | Stopping scan at 4005bc 96 | Looking for 
cross-references in segment .fini [4005c4, 4005cd) 97 | Looking for cross-references in segment .rodata [4005d0, 4005d7) 98 | Found string at 4005d4, jumping to 4005d7 99 | Stopping scan at 4005d4 100 | Looking for cross-references in segment .eh_frame_hdr [4005d8, 400614) 101 | Stopping scan at 400610 102 | Looking for cross-references in segment .eh_frame [400618, 40072c) 103 | Stopping scan at 400728 104 | Looking for cross-references in segment .init_array [600e18, 600e20) 105 | Adding qword reference from 600e18 to 400500 106 | Stopping scan at 600e18 107 | Looking for cross-references in segment .fini_array [600e20, 600e28) 108 | Adding qword reference from 600e20 to 4004d0 109 | Stopping scan at 600e20 110 | Looking for cross-references in segment .got [600ff8, 601000) 111 | Adding qword reference from 600ff8 to 601068 112 | Stopping scan at 600ff8 113 | Looking for cross-references in segment .got.plt [601000, 601028) 114 | Adding qword reference from 601018 to 601050 115 | Adding qword reference from 601020 to 601058 116 | Stopping scan at 601020 117 | Looking for cross-references in segment .data [601028, 601038) 118 | Stopping scan at 601034 119 | Looking for cross-references in segment .bss [601038, 601040) 120 | Stopping scan at 60103c 121 | Looking for cross-references in segment extern [601040, 601078) 122 | Stopping scan at 601074 123 | Looking for thunks 124 | Found thunk for printf targeting 601050 at 400400 125 | Found thunk for __libc_start_main targeting 601058 at 400410 126 | Found thunk for off_600FF8 targeting 600ff8 at 400420 127 | Looking for external symbols 128 | Function at 400400 is the external function printf 129 | Function at 400410 is the external function __libc_start_main 130 | True name of printf@@GLIBC_2.2.5 is printf 131 | Function at 601040 is the external function printf 132 | True name of __libc_start_main@@GLIBC_2.2.5 is __libc_start_main 133 | Function at 601048 is the external function __libc_start_main 134 | Function at 
601050 is the external function printf 135 | Function at 601058 is the external function __libc_start_main 136 | Function at 601068 is the external function __gmon_start__ 137 | Looking for entrypoints 138 | Recovering deregister_tm_clones at 400460 139 | Analysing subroutine deregister_tm_clones at 400460 140 | Subroutine deregister_tm_clones at 400460 has 4 blocks 141 | BB: 400460 in func 400460 with 5 insts 142 | I: 400460 143 | I: 400461 (data imm internal 601038 __bss_start) 144 | I: 400466 (data imm internal 601038 __bss_start) 145 | I: 40046c 146 | I: 40046f (code flow internal 400488 ) 147 | Successors: 400488, 400471 148 | BB: 400471 in func 400460 with 3 insts 149 | I: 400471 150 | I: 400476 151 | I: 400479 (code flow internal 400488 ) 152 | Successors: 400488, 40047b 153 | BB: 400488 in func 400460 with 2 insts 154 | I: 400488 155 | I: 400489 156 | No successors 157 | BB: 40047b in func 400460 with 3 insts 158 | I: 40047b 159 | I: 40047c (data imm internal 601038 __bss_start) 160 | I: 400481 161 | No successors 162 | Recovering .term_proc at 4005c4 163 | Analysing subroutine .term_proc at 4005c4 164 | Subroutine .term_proc at 4005c4 has 1 blocks 165 | BB: 4005c4 in func 4005c4 with 3 insts 166 | I: 4005c4 167 | I: 4005c8 168 | I: 4005cc 169 | No successors 170 | Recovering __gmon_start__ at 400420 171 | Analysing subroutine __gmon_start__ at 400420 172 | Subroutine __gmon_start__ at 400420 has 1 blocks 173 | BB: 400420 in func 400420 with 1 insts 174 | I: 400420 (data mem internal 600ff8 ) 175 | No successors 176 | Recovering .init_proc at 4003c8 177 | Analysing subroutine .init_proc at 4003c8 178 | Subroutine .init_proc at 4003c8 has 3 blocks 179 | BB: 4003c8 in func 4003c8 with 4 insts 180 | I: 4003c8 181 | I: 4003cc (data mem internal 600ff8 ) 182 | I: 4003d3 183 | I: 4003d6 (code flow internal 4003dd ) 184 | Successors: 4003d8, 4003dd 185 | BB: 4003d8 in func 4003c8 with 1 insts 186 | I: 4003d8 (data flow internal 600ff8 off_600FF8) 187 | Successors: 
4003dd 188 | BB: 4003dd in func 4003c8 with 2 insts 189 | I: 4003dd 190 | I: 4003e1 191 | No successors 192 | Recovering generate at 400510 193 | Analysing subroutine generate at 400510 194 | Subroutine generate at 400510 has 1 blocks 195 | BB: 400510 in func 400510 with 5 insts 196 | I: 400510 197 | I: 400511 198 | I: 400514 199 | I: 400519 200 | I: 40051a 201 | No successors 202 | Recovering register_tm_clones at 400490 203 | Analysing subroutine register_tm_clones at 400490 204 | Subroutine register_tm_clones at 400490 has 4 blocks 205 | BB: 400490 in func 400490 with 10 insts 206 | I: 400490 (data imm internal 601038 __bss_start) 207 | I: 400495 208 | I: 400496 (data imm internal 601038 __bss_start) 209 | I: 40049d 210 | I: 4004a0 211 | I: 4004a4 212 | I: 4004a7 213 | I: 4004ab 214 | I: 4004ae 215 | I: 4004b1 (code flow internal 4004c8 ) 216 | Successors: 4004c8, 4004b3 217 | BB: 4004c8 in func 400490 with 2 insts 218 | I: 4004c8 219 | I: 4004c9 220 | No successors 221 | BB: 4004b3 in func 400490 with 3 insts 222 | I: 4004b3 223 | I: 4004b8 224 | I: 4004bb (code flow internal 4004c8 ) 225 | Successors: 4004c8, 4004bd 226 | BB: 4004bd in func 400490 with 3 insts 227 | I: 4004bd 228 | I: 4004be (data imm internal 601038 __bss_start) 229 | I: 4004c3 230 | No successors 231 | Recovering __do_global_dtors_aux at 4004d0 232 | Analysing subroutine __do_global_dtors_aux at 4004d0 233 | Subroutine __do_global_dtors_aux at 4004d0 has 3 blocks 234 | BB: 4004d0 in func 4004d0 with 2 insts 235 | I: 4004d0 (data mem internal 601038 __bss_start) 236 | I: 4004d7 (code flow internal 4004f0 ) 237 | Successors: 4004f0, 4004d9 238 | BB: 4004d9 in func 4004d0 with 6 insts 239 | I: 4004d9 240 | I: 4004da 241 | I: 4004dd (code flow internal 400460 deregister_tm_clones) 242 | I: 4004e2 (data mem internal 601038 __bss_start) 243 | I: 4004e9 244 | I: 4004ea 245 | No successors 246 | BB: 4004f0 in func 4004d0 with 1 insts 247 | I: 4004f0 248 | No successors 249 | Recovering frame_dummy 
at 400500 250 | Analysing subroutine frame_dummy at 400500 251 | Subroutine frame_dummy at 400500 has 1 blocks 252 | BB: 400500 in func 400500 with 4 insts 253 | I: 400500 254 | I: 400501 255 | I: 400504 256 | I: 400505 (code flow internal 400490 register_tm_clones) 257 | Successors: 400490 258 | Recovering main at 400520 259 | Analysing subroutine main at 400520 260 | Subroutine main at 400520 has 1 blocks 261 | BB: 400520 in func 400520 with 14 insts 262 | I: 400520 263 | I: 400521 264 | I: 400524 265 | I: 400528 (code flow internal 400510 generate) 266 | I: 40052d (data imm internal 4005d4 format) 267 | I: 400537 268 | I: 400539 269 | I: 40053b (data flow external 601050 printf) 270 | I: 400540 271 | I: 400542 272 | I: 400545 273 | I: 400547 274 | I: 40054b 275 | I: 40054c 276 | No successors 277 | Recovering _start at 400430 278 | Analysing subroutine _start at 400430 279 | Subroutine _start at 400430 has 1 blocks 280 | BB: 400430 in func 400430 with 12 insts 281 | I: 400430 282 | I: 400432 283 | I: 400435 284 | I: 400436 285 | I: 400439 286 | I: 40043d 287 | I: 40043e 288 | I: 40043f (code imm internal 4005c0 __libc_csu_fini) 289 | I: 400446 (code imm internal 400550 __libc_csu_init) 290 | I: 40044d (code imm internal 400520 main) 291 | I: 400454 (data flow external 601058 __libc_start_main) 292 | I: 400459 293 | Does not return 294 | Recovering __libc_csu_init at 400550 295 | Analysing subroutine __libc_csu_init at 400550 296 | Subroutine __libc_csu_init at 400550 has 4 blocks 297 | BB: 400550 in func 400550 with 17 insts 298 | I: 400550 299 | I: 400552 300 | I: 400554 301 | I: 400557 302 | I: 400559 303 | I: 40055b (data mem internal 600e18 __frame_dummy_init_array_entry) 304 | I: 400562 305 | I: 400563 (data mem internal 600e20 __do_global_dtors_aux_fini_array_entry) 306 | I: 40056a 307 | I: 40056b 308 | I: 40056e 309 | I: 400571 310 | I: 400574 311 | I: 400578 312 | I: 40057c (code flow internal 4003c8 .init_proc) 313 | I: 400581 314 | I: 400584 (code flow 
internal 4005a6 ) 315 | Successors: 4005a6, 400586 316 | BB: 400590 in func 400550 with 7 insts 317 | I: 400590 318 | I: 400593 319 | I: 400596 320 | I: 400599 321 | I: 40059d 322 | I: 4005a1 323 | I: 4005a4 (code flow internal 400590 ) 324 | Successors: 400590, 4005a6 325 | BB: 400586 in func 400550 with 2 insts 326 | I: 400586 327 | I: 400588 328 | Successors: 400590 329 | BB: 4005a6 in func 400550 with 8 insts 330 | I: 4005a6 331 | I: 4005aa 332 | I: 4005ab 333 | I: 4005ac 334 | I: 4005ae 335 | I: 4005b0 336 | I: 4005b2 337 | I: 4005b4 338 | No successors 339 | Recovering __libc_csu_fini at 4005c0 340 | Analysing subroutine __libc_csu_fini at 4005c0 341 | Subroutine __libc_csu_fini at 4005c0 has 1 blocks 342 | BB: 4005c0 in func 4005c0 with 1 insts 343 | I: 4005c0 344 | No successors 345 | Global Variable None 346 | WARNING: Global constructor and destructor sections are adjacent! 347 | Splitting segment .bss at 601038 for exported variable __bss_start 348 | Recovering region .plt.got [400420, 400428) in segment .plt.got 349 | Recovering region .text [400430, 4005c2) in segment .text 350 | Recovering region .got.plt [601000, 601028) in segment .got.plt 351 | 8-byte reference at 601018 to 601050 (printf) 352 | 8-byte reference at 601020 to 601058 (__libc_start_main) 353 | Recovering region .fini [4005c4, 4005cd) in segment .fini 354 | Recovering region .init_array [600e18, 600e28) in segment .init_array 355 | 8-byte reference at 600e18 to 400500 (frame_dummy) 356 | 8-byte reference at 600e20 to 4004d0 (__do_global_dtors_aux) 357 | Variable __frame_dummy_init_array_entry at 600e18 358 | Variable __do_global_dtors_aux_fini_array_entry at 600e20 359 | Recovering region .init [4003c8, 4003e2) in segment .init 360 | Recovering region .plt [4003f0, 400420) in segment .plt 361 | Recovering region .eh_frame [400618, 40072c) in segment .eh_frame 362 | Recovering region .rodata [4005d0, 4005d7) in segment .rodata 363 | Variable format at 4005d4 364 | Recovering region .got 
[600ff8, 601000) in segment .got 365 | 8-byte reference at 600ff8 to 601068 (__gmon_start__) 366 | Recovering region .data [601028, 601038) in segment .data 367 | Recovering region .eh_frame_hdr [4005d8, 400614) in segment .eh_frame_hdr 368 | Recovering region __bss_start [601038, 601040) in segment .bss 369 | Variable __bss_start at 601038 370 | Recovering extern function printf at 400400 371 | Recovering extern function printf at 601040 372 | Recovering extern function __libc_start_main at 601048 373 | Recovering extern function printf at 601050 374 | Recovering extern function __libc_start_main at 400410 375 | Recovering extern function __gmon_start__ at 601068 376 | Recovering extern function __libc_start_main at 601058 377 | Recovered 12 functions. 378 | Saving to: /home/aditi/ToB-Summer19/tests/basic/mode2_notReplaced/basic.cfg 379 | Done analysis! 380 | -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basic.new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basic.new -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basic.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basic.new.bc -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basic.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basic.new.o -------------------------------------------------------------------------------- 
/tests/basic/mode2_notReplaced/basicReplacement: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basicReplacement -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basicReplacement.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basicReplacement.bc -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basicReplacement.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int original() { 4 | return 8; 5 | } 6 | 7 | int replacement() { 8 | if (original() >= 2) return 2; 9 | return original(); 10 | } 11 | 12 | int main() { 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basicReplacement.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basicReplacement.cfg -------------------------------------------------------------------------------- /tests/basic/mode2_notReplaced/basicReplacement.log: -------------------------------------------------------------------------------- 1 | Debugging is enabled. 2 | Loading Standard Definitions file: /home/aditi/mcsema-2.0.0-ve/env/bin/lib/python2.7/site-packages/mcsema_disass-2.0-py2.7.egg/mcsema_disass/defs/linux.txt 3 | Using Batch mode. 
4 | Starting analysis 5 | Recovering module basicReplacement 6 | Looking for instructions in segment .init 7 | Default block heads for function 400390 with loose bounds [400390, 4003aa) 8 | block [400390, 4003a0) 9 | block [4003a0, 4003a5) 10 | block [4003a5, 4003aa) 11 | chunk [400390, 4003aa) 12 | Looking for instructions in segment .plt 13 | Default block heads for function 4003c0 with loose bounds [4003c0, 4003c6) 14 | block [4003c0, 4003c6) 15 | chunk [4003c0, 4003c6) 16 | Looking for instructions in segment .plt.got 17 | Default block heads for function 4003d0 with loose bounds [4003d0, 4003d6) 18 | block [4003d0, 4003d6) 19 | chunk [4003d0, 4003d6) 20 | Looking for instructions in segment .text 21 | Default block heads for function 4003e0 with loose bounds [4003e0, 40040a) 22 | block [4003e0, 40040a) 23 | chunk [4003e0, 40040a) 24 | Default block heads for function 400410 with loose bounds [400410, 40043a) 25 | block [400410, 400421) 26 | block [400421, 40042b) 27 | block [40042b, 400433) 28 | block [400438, 40043a) 29 | chunk [400410, 40043a) 30 | Default block heads for function 400440 with loose bounds [400440, 40047a) 31 | block [400440, 400463) 32 | block [400463, 40046d) 33 | block [40046d, 400475) 34 | block [400478, 40047a) 35 | chunk [400440, 40047a) 36 | Default block heads for function 400480 with loose bounds [400480, 4004a2) 37 | block [400480, 400489) 38 | block [400489, 40049b) 39 | block [4004a0, 4004a2) 40 | chunk [400480, 4004a2) 41 | Default block heads for function 4004b0 with loose bounds [4004b0, 4004b7) 42 | block [4004b0, 4004b7) 43 | chunk [4004b0, 4004b7) 44 | Default block heads for function 4004c0 with loose bounds [4004c0, 4004cb) 45 | block [4004c0, 4004cb) 46 | chunk [4004c0, 4004cb) 47 | Default block heads for function 4004d0 with loose bounds [4004d0, 400503) 48 | block [4004d0, 4004e6) 49 | block [4004e6, 4004f2) 50 | block [4004f2, 4004fa) 51 | block [4004fa, 400503) 52 | chunk [4004d0, 400503) 53 | Default block heads for 
function 400510 with loose bounds [400510, 40051f) 54 | block [400510, 40051f) 55 | chunk [400510, 40051f) 56 | Default block heads for function 400520 with loose bounds [400520, 400585) 57 | block [400520, 400556) 58 | block [400556, 400560) 59 | block [400560, 400576) 60 | block [400576, 400585) 61 | chunk [400520, 400585) 62 | Default block heads for function 400590 with loose bounds [400590, 400592) 63 | block [400590, 400592) 64 | chunk [400590, 400592) 65 | Looking for instructions in segment .fini 66 | Default block heads for function 400594 with loose bounds [400594, 40059d) 67 | block [400594, 40059d) 68 | chunk [400594, 40059d) 69 | Looking for strings in segment .rodata [4005a0, 4005a4) 70 | Looking for strings in segment .eh_frame_hdr [4005a4, 4005e8) 71 | Looking for strings in segment .eh_frame [4005e8, 40071c) 72 | Looking for strings in segment .init_array [600e18, 600e20) 73 | Looking for strings in segment .fini_array [600e20, 600e28) 74 | Looking for strings in segment .got [600ff8, 601000) 75 | Looking for strings in segment .got.plt [601000, 601020) 76 | Looking for strings in segment .data [601020, 601030) 77 | Looking for strings in segment .bss [601030, 601038) 78 | Looking for strings in segment extern [601038, 601060) 79 | Looking for cross-references in segment .init [400390, 4003aa) 80 | Looking for cross-references in segment .plt [4003b0, 4003d0) 81 | Stopping scan at 4003bc 82 | Stopping scan at 4003cc 83 | Looking for cross-references in segment .plt.got [4003d0, 4003d8) 84 | Stopping scan at 4003d8 85 | Looking for cross-references in segment .text [4003e0, 400592) 86 | Stopping scan at 40040c 87 | Stopping scan at 400434 88 | Stopping scan at 40043c 89 | Stopping scan at ffffffffffffffff 90 | Stopping scan at 40047c 91 | Stopping scan at 40049c 92 | Stopping scan at 4004ac 93 | Stopping scan at 4004bc 94 | Stopping scan at 4004cc 95 | Stopping scan at 40050c 96 | Stopping scan at ffffffffffffffff 97 | Stopping scan at 40058c 98 | 
Looking for cross-references in segment .fini [400594, 40059d) 99 | Looking for cross-references in segment .rodata [4005a0, 4005a4) 100 | Stopping scan at 4005a0 101 | Looking for cross-references in segment .eh_frame_hdr [4005a4, 4005e8) 102 | Stopping scan at 4005e4 103 | Looking for cross-references in segment .eh_frame [4005e8, 40071c) 104 | Stopping scan at 400718 105 | Looking for cross-references in segment .init_array [600e18, 600e20) 106 | Adding qword reference from 600e18 to 4004b0 107 | Stopping scan at 600e18 108 | Looking for cross-references in segment .fini_array [600e20, 600e28) 109 | Adding qword reference from 600e20 to 400480 110 | Stopping scan at 600e20 111 | Looking for cross-references in segment .got [600ff8, 601000) 112 | Adding qword reference from 600ff8 to 601050 113 | Stopping scan at 600ff8 114 | Looking for cross-references in segment .got.plt [601000, 601020) 115 | Adding qword reference from 601018 to 601040 116 | Stopping scan at 601018 117 | Looking for cross-references in segment .data [601020, 601030) 118 | Stopping scan at 60102c 119 | Looking for cross-references in segment .bss [601030, 601038) 120 | Stopping scan at 601034 121 | Looking for cross-references in segment extern [601038, 601060) 122 | Stopping scan at 60105c 123 | Looking for thunks 124 | Found thunk for __libc_start_main targeting 601040 at 4003c0 125 | Found thunk for off_600FF8 targeting 600ff8 at 4003d0 126 | Looking for external symbols 127 | Function at 4003c0 is the external function __libc_start_main 128 | True name of __libc_start_main@@GLIBC_2.2.5 is __libc_start_main 129 | Function at 601038 is the external function __libc_start_main 130 | Function at 601040 is the external function __libc_start_main 131 | Function at 601050 is the external function __gmon_start__ 132 | Looking for entrypoints 133 | Recovering register_tm_clones at 400440 134 | Analysing subroutine register_tm_clones at 400440 135 | Subroutine register_tm_clones at 400440 has 4 
blocks 136 | BB: 400440 in func 400440 with 10 insts 137 | I: 400440 (data imm internal 601030 __bss_start) 138 | I: 400445 139 | I: 400446 (data imm internal 601030 __bss_start) 140 | I: 40044d 141 | I: 400450 142 | I: 400454 143 | I: 400457 144 | I: 40045b 145 | I: 40045e 146 | I: 400461 (code flow internal 400478 ) 147 | Successors: 400478, 400463 148 | BB: 400478 in func 400440 with 2 insts 149 | I: 400478 150 | I: 400479 151 | No successors 152 | BB: 400463 in func 400440 with 3 insts 153 | I: 400463 154 | I: 400468 155 | I: 40046b (code flow internal 400478 ) 156 | Successors: 400478, 40046d 157 | BB: 40046d in func 400440 with 3 insts 158 | I: 40046d 159 | I: 40046e (data imm internal 601030 __bss_start) 160 | I: 400473 161 | No successors 162 | Recovering __gmon_start__ at 4003d0 163 | Analysing subroutine __gmon_start__ at 4003d0 164 | Subroutine __gmon_start__ at 4003d0 has 1 blocks 165 | BB: 4003d0 in func 4003d0 with 1 insts 166 | I: 4003d0 (data mem internal 600ff8 ) 167 | No successors 168 | Recovering _start at 4003e0 169 | Analysing subroutine _start at 4003e0 170 | Subroutine _start at 4003e0 has 1 blocks 171 | BB: 4003e0 in func 4003e0 with 12 insts 172 | I: 4003e0 173 | I: 4003e2 174 | I: 4003e5 175 | I: 4003e6 176 | I: 4003e9 177 | I: 4003ed 178 | I: 4003ee 179 | I: 4003ef (code imm internal 400590 __libc_csu_fini) 180 | I: 4003f6 (code imm internal 400520 __libc_csu_init) 181 | I: 4003fd (code imm internal 400510 main) 182 | I: 400404 (data flow external 601040 __libc_start_main) 183 | I: 400409 184 | Does not return 185 | Recovering deregister_tm_clones at 400410 186 | Analysing subroutine deregister_tm_clones at 400410 187 | Subroutine deregister_tm_clones at 400410 has 4 blocks 188 | BB: 400410 in func 400410 with 5 insts 189 | I: 400410 190 | I: 400411 (data imm internal 601030 __bss_start) 191 | I: 400416 (data imm internal 601030 __bss_start) 192 | I: 40041c 193 | I: 40041f (code flow internal 400438 ) 194 | Successors: 400438, 400421 195 
| BB: 400421 in func 400410 with 3 insts 196 | I: 400421 197 | I: 400426 198 | I: 400429 (code flow internal 400438 ) 199 | Successors: 400438, 40042b 200 | BB: 40042b in func 400410 with 3 insts 201 | I: 40042b 202 | I: 40042c (data imm internal 601030 __bss_start) 203 | I: 400431 204 | No successors 205 | BB: 400438 in func 400410 with 2 insts 206 | I: 400438 207 | I: 400439 208 | No successors 209 | Recovering __do_global_dtors_aux at 400480 210 | Analysing subroutine __do_global_dtors_aux at 400480 211 | Subroutine __do_global_dtors_aux at 400480 has 3 blocks 212 | BB: 400480 in func 400480 with 2 insts 213 | I: 400480 (data mem internal 601030 __bss_start) 214 | I: 400487 (code flow internal 4004a0 ) 215 | Successors: 4004a0, 400489 216 | BB: 400489 in func 400480 with 6 insts 217 | I: 400489 218 | I: 40048a 219 | I: 40048d (code flow internal 400410 deregister_tm_clones) 220 | I: 400492 (data mem internal 601030 __bss_start) 221 | I: 400499 222 | I: 40049a 223 | No successors 224 | BB: 4004a0 in func 400480 with 1 insts 225 | I: 4004a0 226 | No successors 227 | Recovering frame_dummy at 4004b0 228 | Analysing subroutine frame_dummy at 4004b0 229 | Subroutine frame_dummy at 4004b0 has 1 blocks 230 | BB: 4004b0 in func 4004b0 with 4 insts 231 | I: 4004b0 232 | I: 4004b1 233 | I: 4004b4 234 | I: 4004b5 (code flow internal 400440 register_tm_clones) 235 | Successors: 400440 236 | Recovering original at 4004c0 237 | Analysing subroutine original at 4004c0 238 | Subroutine original at 4004c0 has 1 blocks 239 | BB: 4004c0 in func 4004c0 with 5 insts 240 | I: 4004c0 241 | I: 4004c1 242 | I: 4004c4 243 | I: 4004c9 244 | I: 4004ca 245 | No successors 246 | Recovering main at 400510 247 | Analysing subroutine main at 400510 248 | Subroutine main at 400510 has 1 blocks 249 | BB: 400510 in func 400510 with 6 insts 250 | I: 400510 251 | I: 400511 252 | I: 400514 253 | I: 400516 254 | I: 40051d 255 | I: 40051e 256 | No successors 257 | Recovering __libc_csu_init at 400520 
258 | Analysing subroutine __libc_csu_init at 400520 259 | Subroutine __libc_csu_init at 400520 has 4 blocks 260 | BB: 400520 in func 400520 with 17 insts 261 | I: 400520 262 | I: 400522 263 | I: 400524 264 | I: 400527 265 | I: 400529 266 | I: 40052b (data mem internal 600e18 __frame_dummy_init_array_entry) 267 | I: 400532 268 | I: 400533 (data mem internal 600e20 __do_global_dtors_aux_fini_array_entry) 269 | I: 40053a 270 | I: 40053b 271 | I: 40053e 272 | I: 400541 273 | I: 400544 274 | I: 400548 275 | I: 40054c (code flow internal 400390 .init_proc) 276 | I: 400551 277 | I: 400554 (code flow internal 400576 ) 278 | Successors: 400576, 400556 279 | BB: 400560 in func 400520 with 7 insts 280 | I: 400560 281 | I: 400563 282 | I: 400566 283 | I: 400569 284 | I: 40056d 285 | I: 400571 286 | I: 400574 (code flow internal 400560 ) 287 | Successors: 400560, 400576 288 | BB: 400556 in func 400520 with 2 insts 289 | I: 400556 290 | I: 400558 291 | Successors: 400560 292 | BB: 400576 in func 400520 with 8 insts 293 | I: 400576 294 | I: 40057a 295 | I: 40057b 296 | I: 40057c 297 | I: 40057e 298 | I: 400580 299 | I: 400582 300 | I: 400584 301 | No successors 302 | Recovering .init_proc at 400390 303 | Analysing subroutine .init_proc at 400390 304 | Subroutine .init_proc at 400390 has 3 blocks 305 | BB: 400390 in func 400390 with 4 insts 306 | I: 400390 307 | I: 400394 (data mem internal 600ff8 ) 308 | I: 40039b 309 | I: 40039e (code flow internal 4003a5 ) 310 | Successors: 4003a0, 4003a5 311 | BB: 4003a0 in func 400390 with 1 insts 312 | I: 4003a0 (data flow internal 600ff8 off_600FF8) 313 | Successors: 4003a5 314 | BB: 4003a5 in func 400390 with 2 insts 315 | I: 4003a5 316 | I: 4003a9 317 | No successors 318 | Recovering __libc_csu_fini at 400590 319 | Analysing subroutine __libc_csu_fini at 400590 320 | Subroutine __libc_csu_fini at 400590 has 1 blocks 321 | BB: 400590 in func 400590 with 1 insts 322 | I: 400590 323 | No successors 324 | Recovering .term_proc at 400594 325 
| Analysing subroutine .term_proc at 400594 326 | Subroutine .term_proc at 400594 has 1 blocks 327 | BB: 400594 in func 400594 with 3 insts 328 | I: 400594 329 | I: 400598 330 | I: 40059c 331 | No successors 332 | Recovering replacement at 4004d0 333 | Analysing subroutine replacement at 4004d0 334 | Subroutine replacement at 4004d0 has 4 blocks 335 | BB: 4004d0 in func 4004d0 with 6 insts 336 | I: 4004d0 337 | I: 4004d1 338 | I: 4004d4 339 | I: 4004d8 (code flow internal 4004c0 original) 340 | I: 4004dd 341 | I: 4004e0 (code flow internal 4004f2 ) 342 | Successors: 4004f2, 4004e6 343 | BB: 4004f2 in func 4004d0 with 2 insts 344 | I: 4004f2 (code flow internal 4004c0 original) 345 | I: 4004f7 346 | Successors: 4004fa 347 | BB: 4004fa in func 4004d0 with 4 insts 348 | I: 4004fa 349 | I: 4004fd 350 | I: 400501 351 | I: 400502 352 | No successors 353 | BB: 4004e6 in func 4004d0 with 2 insts 354 | I: 4004e6 355 | I: 4004ed (code flow internal 4004fa ) 356 | Successors: 4004fa 357 | Global Variable None 358 | WARNING: Global constructor and destructor sections are adjacent! 
359 | Splitting segment .bss at 601030 for exported variable __bss_start 360 | Recovering region .rodata [4005a0, 4005a4) in segment .rodata 361 | Recovering region .plt [4003b0, 4003d0) in segment .plt 362 | Recovering region .plt.got [4003d0, 4003d8) in segment .plt.got 363 | Recovering region .text [4003e0, 400592) in segment .text 364 | Recovering region .got.plt [601000, 601020) in segment .got.plt 365 | 8-byte reference at 601018 to 601040 (__libc_start_main) 366 | Recovering region .data [601020, 601030) in segment .data 367 | Recovering region .eh_frame [4005e8, 40071c) in segment .eh_frame 368 | Recovering region __bss_start [601030, 601038) in segment .bss 369 | Variable __bss_start at 601030 370 | Recovering region .init [400390, 4003aa) in segment .init 371 | Recovering region .got [600ff8, 601000) in segment .got 372 | 8-byte reference at 600ff8 to 601050 (__gmon_start__) 373 | Recovering region .fini [400594, 40059d) in segment .fini 374 | Recovering region .init_array [600e18, 600e28) in segment .init_array 375 | 8-byte reference at 600e18 to 4004b0 (frame_dummy) 376 | 8-byte reference at 600e20 to 400480 (__do_global_dtors_aux) 377 | Variable __frame_dummy_init_array_entry at 600e18 378 | Variable __do_global_dtors_aux_fini_array_entry at 600e20 379 | Recovering region .eh_frame_hdr [4005a4, 4005e8) in segment .eh_frame_hdr 380 | Recovering extern function __libc_start_main at 4003c0 381 | Recovering extern function __libc_start_main at 601038 382 | Recovering extern function __gmon_start__ at 601050 383 | Recovering extern function __libc_start_main at 601040 384 | Recovered 13 functions. 385 | Saving to: /home/aditi/ToB-Summer19/tests/basic/mode2_notReplaced/basicReplacement.cfg 386 | Done analysis! 
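387 |
--------------------------------------------------------------------------------
/tests/basic/mode2_notReplaced/basicReplacement.new.bc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basicReplacement.new.bc
--------------------------------------------------------------------------------
/tests/basic/mode2_notReplaced/basicReplacement.new.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/basic/mode2_notReplaced/basicReplacement.new.o
--------------------------------------------------------------------------------
/tests/crypto/AES-CBC-decrypt.c:
--------------------------------------------------------------------------------
/* NOTE(review): the system/OpenSSL header names were lost when this listing
 * was extracted (only bare `#include` lines survive); the set below is
 * reconstructed from the APIs this file calls — confirm against the
 * repository file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include "base64decode.h"
#include "base64encode.h"

/* Print the OpenSSL error queue to stderr and abort: every OpenSSL failure in
 * this fixture is fatal. */
void handleErrors(void)
{
    ERR_print_errors_fp(stderr);
    abort();
}

/*
 * AES-256-CBC decryption of ciphertext[0..ciphertext_len) into plaintext.
 *
 * key must be 32 bytes and iv 16 bytes (one AES block).  plaintext must have
 * room for ciphertext_len bytes; CBC output is never longer than its input.
 * Returns the number of plaintext bytes written.  Any OpenSSL failure,
 * including a padding check failure in EVP_DecryptFinal_ex, aborts via
 * handleErrors().
 */
int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char *key,
            unsigned char *iv, unsigned char *plaintext)
{
    EVP_CIPHER_CTX *ctx;
    int len;
    int plaintext_len;

    /* Create and initialise the context */
    if (!(ctx = EVP_CIPHER_CTX_new()))
        handleErrors();

    /* 256-bit key, 128-bit IV: for CBC the IV is one block wide. */
    if (1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
        handleErrors();

    /* Feed the whole ciphertext in one call; Update may be repeated. */
    if (1 != EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len))
        handleErrors();
    plaintext_len = len;

    /* Strip the padding; further plaintext bytes may be written here. */
    if (1 != EVP_DecryptFinal_ex(ctx, plaintext + len, &len))
        handleErrors();
    plaintext_len += len;

    /* Clean up */
    EVP_CIPHER_CTX_free(ctx);

    return plaintext_len;
}

/*
 * Usage: decrypt '<iv_base64>/<ciphertext_base64>'
 *
 * argv[1] is the string AES-CBC-encrypt.c prints: a 24-character base64 IV,
 * a '/' delimiter, then the base64 ciphertext.  The key is the fixture's
 * hard-coded test key.  Prints the recovered text; returns 1 on malformed
 * input, 0 otherwise.
 */
int main(int argc, char **argv)
{
    /* The original indexed argv[1] unconditionally and read 25 bytes from it;
     * require "<24 IV chars>/<at least one ciphertext char>" before touching it. */
    if (argc < 2 || strlen(argv[1]) < 26 || argv[1][24] != '/') {
        fprintf(stderr, "usage: %s <iv_base64>/<ciphertext_base64>\n", argv[0]);
        return 1;
    }
    char *withIV = argv[1];
    char iv_base64[25];
    memcpy(iv_base64, withIV, 24);
    iv_base64[24] = '\0';

    char *ciphertext_base64 = withIV + 25;
    char *ciphertext_signed;
    size_t ciphertext_len;
    /* An empty ciphertext would make EVP_DecryptFinal_ex fail and abort. */
    if (Base64Decode(ciphertext_base64, &ciphertext_signed, &ciphertext_len) != 0
        || ciphertext_len == 0) {
        fprintf(stderr, "invalid base64 ciphertext\n");
        return 1;
    }
    unsigned char *ciphertext = (unsigned char *)ciphertext_signed;

    /* A 256-bit key: 32 ASCII digits, hard-coded because this is a test fixture
     * (the original comment called it 128-bit). */
    unsigned char *key = (unsigned char *)"16807282475249162265007398494365";

    /* A 128-bit IV, recovered from the message prefix */
    char *iv_signed;
    size_t iv_len;
    if (Base64Decode(iv_base64, &iv_signed, &iv_len) != 0 || iv_len != 16) {
        fprintf(stderr, "invalid base64 IV\n");
        free(ciphertext_signed);
        return 1;
    }
    unsigned char *iv = (unsigned char *)iv_signed;

    /* Plaintext is never longer than the ciphertext; +1 for the terminator. */
    unsigned char decryptedtext[ciphertext_len + 1];
    int decryptedtext_len;

    /* Decrypt the ciphertext */
    decryptedtext_len = decrypt(ciphertext, (int)ciphertext_len, key, iv,
                                decryptedtext);

    /* Add a NULL terminator. We are expecting printable text */
    decryptedtext[decryptedtext_len] = '\0';

    /* Show the decrypted text */
    printf("Decrypted text is:\n");
    printf("%s\n", decryptedtext);

    free(ciphertext_signed);
    free(iv_signed);
    return 0;
}
--------------------------------------------------------------------------------
/tests/crypto/AES-CBC-encrypt.c:
--------------------------------------------------------------------------------
/* NOTE(review): the system/OpenSSL header names were lost when this listing
 * was extracted (only bare `#include` lines survive); the set below is
 * reconstructed from the APIs this file calls — confirm against the
 * repository file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include "base64decode.h"
#include "base64encode.h"

/* Print the OpenSSL error queue to stderr and abort: every OpenSSL failure in
 * this fixture is fatal. */
void handleErrors(void)
{
    ERR_print_errors_fp(stderr);
    abort();
}

/*
 * AES-256-CBC encryption of plaintext[0..plaintext_len) into ciphertext.
 *
 * key must be 32 bytes and iv 16 bytes (one AES block).  ciphertext must hold
 * plaintext_len + EVP_MAX_BLOCK_LENGTH bytes: PKCS#7 padding always adds
 * between 1 and 16 bytes, so the output is strictly longer than the input.
 * Returns the ciphertext length; OpenSSL failures abort via handleErrors().
 */
int encrypt(unsigned char *plaintext, int plaintext_len, unsigned char *key,
            unsigned char *iv, unsigned char *ciphertext)
{
    EVP_CIPHER_CTX *ctx;
    int len;
    int ciphertext_len;

    /* Create and initialise the context */
    if (!(ctx = EVP_CIPHER_CTX_new()))
        handleErrors();

    /* 256-bit key, 128-bit IV: for CBC the IV is one block wide. */
    if (1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
        handleErrors();

    /* Feed the whole plaintext in one call; Update may be repeated. */
    if (1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len))
        handleErrors();
    ciphertext_len = len;

    /* Emit the final padded block. */
    if (1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len))
        handleErrors();
    ciphertext_len += len;

    /* Clean up */
    EVP_CIPHER_CTX_free(ctx);

    return ciphertext_len;
}

/*
 * Returns a fixed, hard-coded 16-byte IV.  Reusing one IV under CBC reveals
 * whether two messages share a prefix, which is the weakness the
 * replaceIV_mode* fixtures in this tree appear to target by swapping this
 * function for a RAND_bytes-backed one — kept as-is for that reason.
 */
unsigned char *generate_iv()
{
    return (unsigned char *)"0123456789012345";
}

/*
 * Usage: encrypt <text_base64>
 *
 * Builds the plaintext as prefix[0..prefix_len) || base64decode(argv[1]) ||
 * base64decode(to_append) || '\0' and prints "<iv_base64>/<ciphertext_base64>"
 * followed by the ciphertext length, each on its own line.  Returns 1 on
 * malformed input, 0 otherwise.
 */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <text_base64>\n", argv[0]);
        return 1;
    }

    /* Set up the key and iv */

    /* A 256-bit key: 32 ASCII digits, hard-coded because this is a test fixture
     * (the original comment called it 128-bit). */
    unsigned char *key = (unsigned char *)"16807282475249162265007398494365";

    /* A 128-bit IV */
    unsigned char *iv = generate_iv();
    size_t iv_len = 16;
    unsigned char *delimiter = (unsigned char *)"/";

    /* Only the first prefix_len bytes of this string are used. */
    char *prefix = "0b039286d997a33c9e463b296e4dc7be4c666390cc85";
    size_t prefix_len = 22;

    /* String to append, base64 decoded */
    char *to_append =
        "Um9sbGluJyBpbiBteSA1LjAKV2l0aCBteSByYWctdG9wIGRvd24gc28gbXkgaGFpciBjYW4gYmxvdwpUaGUgZ2lybGllcyBvbiBzdGFuZGJ5IHdhdmluZyBqdXN0IHRvIHNheSBoaQpEaWQgeW91IHN0b3A/IE5vLCBJIGp1c3QgZHJvdmUgYnkK";
    char *to_append_decoded;
    size_t to_append_len;
    if (Base64Decode(to_append, &to_append_decoded, &to_append_len) != 0) {
        fprintf(stderr, "invalid built-in base64 suffix\n");
        return 1;
    }

    /* Message to be encrypted */
    char *text_base64 = argv[1];
    char *text;
    size_t text_len;
    if (Base64Decode(text_base64, &text, &text_len) != 0) {
        fprintf(stderr, "invalid base64 input\n");
        free(to_append_decoded);
        return 1;
    }

    /* prefix || text || to_append || '\0'; the terminator is encrypted too. */
    size_t p_len = prefix_len + text_len + to_append_len + 1;
    char p[p_len];
    memcpy(p, prefix, prefix_len);
    memcpy(p + prefix_len, text, text_len);
    memcpy(p + prefix_len + text_len, to_append_decoded, to_append_len + 1);
    unsigned char *plaintext = (unsigned char *)p;

    /*
     * Buffer for ciphertext.  PKCS#7 padding makes the output 1..16 bytes
     * longer than the plaintext, so a buffer of exactly p_len (as the original
     * had) is overrun by EVP_EncryptFinal_ex; EVP_MAX_BLOCK_LENGTH is the
     * headroom OpenSSL documents.
     */
    unsigned char ciphertext[p_len + EVP_MAX_BLOCK_LENGTH];
    int ciphertext_len;

    /* Encrypt the plaintext */
    ciphertext_len = encrypt(plaintext, (int)p_len, key, iv, ciphertext);

    /* Emit "<iv_base64>/<ciphertext_base64>" */
    char *ciphertext_base64;
    if (Base64Encode(ciphertext, (size_t)ciphertext_len, &ciphertext_base64) != 0)
        handleErrors();

    char *iv_base64;
    if (Base64Encode(iv, iv_len, &iv_base64) != 0)
        handleErrors();

    size_t lengthtoadd = strlen(ciphertext_base64);
    iv_len = 24; /* 16 IV bytes encode to 24 base64 characters */
    unsigned char withIV[lengthtoadd + iv_len + 2];
    memcpy(withIV, iv_base64, iv_len);
    memcpy(withIV + iv_len, delimiter, 1);
    memcpy(withIV + iv_len + 1, ciphertext_base64, lengthtoadd + 1);
    printf("%s", withIV);
    printf("\n");
    printf("%d", ciphertext_len);
    printf("\n");

    /* Base64Encode/Base64Decode hand back malloc'd buffers. */
    free(ciphertext_base64);
    free(iv_base64);
    free(to_append_decoded);
    free(text);
    return 0;
}
--------------------------------------------------------------------------------
/tests/crypto/base64decode.c:
--------------------------------------------------------------------------------
//modified from https://gist.github.com/barrysteyn/7308212#file-base64decode-c

//Decodes Base64
/* NOTE(review): the header names were lost when this listing was extracted;
 * reconstructed from the APIs used — confirm against the repository file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/evp.h>

/* Number of bytes a base64 string decodes to, from its length and its '='
 * padding.  Inputs shorter than two characters yield 0; the original read
 * b64input[len-2] for those and could underflow the subtraction. */
size_t calcDecodeLength(const char* b64input) {
    size_t len = strlen(b64input),
           padding = 0;

    if (len >= 2 && b64input[len-1] == '=' && b64input[len-2] == '=') //last two chars are =
        padding = 2;
    else if (len >= 1 && b64input[len-1] == '=') //last char is =
        padding = 1;

    size_t raw = (len*3)/4;
    return raw > padding ? raw - padding : 0;
}

/* Decode b64message into a freshly malloc'd, NUL-terminated buffer.
 *
 * On success *buffer and *length are set and 0 is returned; the caller frees
 * *buffer.  On failure (allocation, BIO setup, or OpenSSL decoding a different
 * number of bytes than the input length predicts) *buffer is NULL, *length is
 * 0 and -1 is returned.  The original assert()ed the length match, a check
 * that vanishes under NDEBUG. */
int Base64Decode(char* b64message, char** buffer, size_t* length) {
    BIO *bio, *b64;
    size_t decodeLen = calcDecodeLength(b64message);
    int n;

    *length = 0;
    *buffer = (char*)malloc(decodeLen + 1);
    if (*buffer == NULL)
        return -1;
    (*buffer)[decodeLen] = '\0';

    bio = BIO_new_mem_buf(b64message, -1);
    b64 = BIO_new(BIO_f_base64());
    if (bio == NULL || b64 == NULL) {
        BIO_free(bio);
        BIO_free(b64);
        free(*buffer);
        *buffer = NULL;
        return -1;
    }
    bio = BIO_push(b64, bio);

    BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Do not use newlines to flush buffer
    n = BIO_read(bio, *buffer, (int)strlen(b64message));
    BIO_free_all(bio);

    if (n < 0 || (size_t)n != decodeLen) {
        free(*buffer);
        *buffer = NULL;
        return -1;
    }
    *length = (size_t)n;

    return (0); //success
}
--------------------------------------------------------------------------------
/tests/crypto/base64decode.h:
--------------------------------------------------------------------------------
#ifndef BASE64DECODE_H_INCLUDED
#define BASE64DECODE_H_INCLUDED

/* Uses size_t without including <stddef.h>: include a standard header first. */

/* Decoded byte count predicted from the string's length and '=' padding. */
size_t calcDecodeLength(const char* b64input);

/* Decodes into a malloc'd, NUL-terminated *buffer; 0 on success, -1 on
 * failure (then *buffer is NULL and *length is 0).  Caller frees *buffer. */
int Base64Decode(char* b64message, char** buffer, size_t* length);

#endif
--------------------------------------------------------------------------------
/tests/crypto/base64encode.c:
--------------------------------------------------------------------------------
//modified from https://gist.github.com/barrysteyn/7308212#file-base64encode-c

//Encodes Base64
/* NOTE(review): the header names were lost when this listing was extracted;
 * reconstructed from the APIs used — confirm against the repository file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/buffer.h>
#include <openssl/evp.h>

/* Base64-encode buffer[0..length) into a freshly malloc'd, NUL-terminated,
 * single-line string stored in *b64text.  Returns 0 on success; -1 on
 * allocation or BIO failure, with *b64text set to NULL.  The caller free()s
 * *b64text.  The original handed out the BIO's internal BUF_MEM data, which
 * is not guaranteed NUL-terminated (callers strlen() it) and whose BUF_MEM
 * header was never released. */
int Base64Encode(const unsigned char* buffer, size_t length, char** b64text) { //Encodes a binary safe base 64 string
    BIO *bio, *b64;
    BUF_MEM *bufferPtr;

    *b64text = NULL;
    b64 = BIO_new(BIO_f_base64());
    bio = BIO_new(BIO_s_mem());
    if (b64 == NULL || bio == NULL) {
        BIO_free(b64);
        BIO_free(bio);
        return -1;
    }
    bio = BIO_push(b64, bio);

    BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Ignore newlines - write everything in one line
    if (BIO_write(bio, buffer, (int)length) < 0 || BIO_flush(bio) < 1) {
        BIO_free_all(bio);
        return -1;
    }
    BIO_get_mem_ptr(bio, &bufferPtr);
    BIO_set_close(bio, BIO_NOCLOSE); /* keep bufferPtr alive past BIO_free_all */
    BIO_free_all(bio);

    /* Copy out with a terminator so callers may treat it as a C string. */
    *b64text = (char*)malloc(bufferPtr->length + 1);
    if (*b64text != NULL) {
        memcpy(*b64text, bufferPtr->data, bufferPtr->length);
        (*b64text)[bufferPtr->length] = '\0';
    }
    BUF_MEM_free(bufferPtr);

    return *b64text != NULL ? 0 : -1; //0 = success
}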
-------------------------------------------------------------------------------- /tests/crypto/base64encode.h: -------------------------------------------------------------------------------- 1 | #ifndef BASE64ENCODE_H_INCLUDED 2 | #define BASE64ENCODE_H_INCLUDED 3 | 4 | int Base64Encode(const unsigned char* buffer, size_t length, char** b64text); /* Base64-encodes buffer[0..length) into *b64text as a single line; returns 0 on success. Uses size_t without including <stddef.h>, so the includer must bring it in first; see base64encode.c for how *b64text is allocated. */ 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- /tests/crypto/decrypt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/decrypt -------------------------------------------------------------------------------- /tests/crypto/mode1/encrypt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode1/encrypt -------------------------------------------------------------------------------- /tests/crypto/mode1/encrypt.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode1/encrypt.bc -------------------------------------------------------------------------------- /tests/crypto/mode1/encrypt.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode1/encrypt.cfg -------------------------------------------------------------------------------- /tests/crypto/mode1/encrypt.new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode1/encrypt.new
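--------------------------------------------------------------------------------
/tests/crypto/mode1/encrypt.new.bc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode1/encrypt.new.bc
--------------------------------------------------------------------------------
/tests/crypto/mode1/encrypt.new.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode1/encrypt.new.o
--------------------------------------------------------------------------------
/tests/crypto/mode1/replaceIV_mode1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode1/replaceIV_mode1
--------------------------------------------------------------------------------
/tests/crypto/mode1/replaceIV_mode1.bc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode1/replaceIV_mode1.bc
--------------------------------------------------------------------------------
/tests/crypto/mode1/replaceIV_mode1.c:
--------------------------------------------------------------------------------
/* NOTE(review): the two header names were lost when this listing was
 * extracted; reconstructed from the APIs used (printf, malloc/abort,
 * RAND_bytes) — confirm against the repository file. */
#include <stdio.h>
#include <stdlib.h>
#include <openssl/rand.h>

/*
 * Replacement IV generator with the same signature as generate_iv() in
 * AES-CBC-encrypt.c: returns a heap-allocated 16-byte IV (one AES block)
 * filled from OpenSSL's CSPRNG.  A CSPRNG failure aborts instead of handing
 * back an uninitialised, predictable IV — the original ignored RAND_bytes'
 * return value and allocated sizeof(int) * 16 bytes while filling only 16.
 */
unsigned char *replacement() {
    unsigned char *iv = malloc(16);
    if (iv == NULL || RAND_bytes(iv, 16) != 1)
        abort();
    return iv;
}

/*
 * Prints one IV as 32 hex digits.  The original passed the raw random bytes
 * to printf() as the format string: undefined behaviour when a byte is '%',
 * and an over-read past the 16 bytes since an IV carries no terminator.
 */
int main() {
    unsigned char *iv = replacement();
    for (int i = 0; i < 16; i++)
        printf("%02x", iv[i]);
    printf("\n");
    free(iv);
    return 0;
}
--------------------------------------------------------------------------------
/tests/crypto/mode1/replaceIV_mode1.cfg:
--------------------------------------------------------------------------------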
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode1/replaceIV_mode1.cfg -------------------------------------------------------------------------------- /tests/crypto/mode1/replaceIV_mode1.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode1/replaceIV_mode1.o -------------------------------------------------------------------------------- /tests/crypto/mode2/encrypt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/encrypt -------------------------------------------------------------------------------- /tests/crypto/mode2/encrypt.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/encrypt.bc -------------------------------------------------------------------------------- /tests/crypto/mode2/encrypt.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/encrypt.cfg -------------------------------------------------------------------------------- /tests/crypto/mode2/encrypt.new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/encrypt.new -------------------------------------------------------------------------------- /tests/crypto/mode2/encrypt.new.bc: -------------------------------------------------------------------------------- 
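https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/encrypt.new.bc
--------------------------------------------------------------------------------
/tests/crypto/mode2/encrypt.new.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/encrypt.new.o
--------------------------------------------------------------------------------
/tests/crypto/mode2/replaceIV_mode2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/replaceIV_mode2
--------------------------------------------------------------------------------
/tests/crypto/mode2/replaceIV_mode2.bc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/replaceIV_mode2.bc
--------------------------------------------------------------------------------
/tests/crypto/mode2/replaceIV_mode2.c:
--------------------------------------------------------------------------------
/* NOTE(review): the two header names were lost when this listing was
 * extracted; reconstructed from the APIs used (printf, malloc/abort,
 * RAND_bytes) — confirm against the repository file. */
#include <stdio.h>
#include <stdlib.h>
#include <openssl/rand.h>

/*
 * Stand-in for the target program's original generate_iv(); presumably the
 * mode-2 replacement wires the real one to this name — TODO confirm against
 * the scripts.  Like a fixed-IV generator it hands back the same pointer on
 * every call (here a one-byte empty literal).
 */
unsigned char *generate_iv_original() {
    unsigned char *result = (unsigned char *)"";
    return result;
}

/*
 * Heap-allocated 16-byte IV (one AES block) from OpenSSL's CSPRNG.  A CSPRNG
 * failure aborts instead of handing back an uninitialised, predictable IV —
 * the original ignored RAND_bytes' return value and allocated
 * sizeof(int) * 16 bytes while filling only 16.
 */
unsigned char *random_iv() {
    unsigned char *iv = malloc(16);
    if (iv == NULL || RAND_bytes(iv, 16) != 1)
        abort();
    return iv;
}

/*
 * Replacement for generate_iv(): calls the original up to ten more times and,
 * if any call returns the very same pointer as the first, treats the
 * generator as static and substitutes a fresh random IV; otherwise the first
 * original value is returned.  Pointer identity is the only signal used: a
 * generator that refills one static buffer is also flagged, and one that
 * returns equal bytes in fresh buffers is not.
 */
unsigned char *replacement() {
    unsigned char *original = generate_iv_original();
    for (int i = 0; i < 10; i++) {
        unsigned char *iv = generate_iv_original();
        if (iv == original) {
            return random_iv();
        }
    }
    return original;
}

/*
 * Prints the IV as 32 hex digits; IVs are 16 bytes by the encrypt fixture's
 * contract.  The original passed the bytes to printf() as the format string:
 * undefined behaviour when a byte is '%', and an over-read since a random IV
 * carries no terminator.  The buffer is not freed because replacement() may
 * return either a heap IV or the original's literal.
 */
int main() {
    unsigned char *iv = replacement();
    for (int i = 0; i < 16; i++)
        printf("%02x", iv[i]);
    printf("\n");
    return 0;
}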
-------------------------------------------------------------------------------- /tests/crypto/mode2/replaceIV_mode2.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/replaceIV_mode2.cfg -------------------------------------------------------------------------------- /tests/crypto/mode2/replaceIV_mode2.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/replaceIV_mode2.new.bc -------------------------------------------------------------------------------- /tests/crypto/mode2/replaceIV_mode2.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/crypto/mode2/replaceIV_mode2.new.o -------------------------------------------------------------------------------- /tests/fopen/mode1/myfopen: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/fopen/mode1/myfopen -------------------------------------------------------------------------------- /tests/fopen/mode1/myfopen.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/fopen/mode1/myfopen.bc -------------------------------------------------------------------------------- /tests/fopen/mode1/myfopen.c: -------------------------------------------------------------------------------- 1 | #include /* NOTE(review): header name lost in extraction; FILE/printf/NULL need <stdio.h> — confirm */ 2 | 3 | FILE *newfopen(const char *path, const char *mode) { /* Stub with fopen(3)'s signature: ignores path and mode, announces itself on stdout and always fails with NULL. Presumably the function the fopen tests splice in for the real fopen — TODO confirm against test.sh. */ 4 | printf("Always failing fopen\n"); 5 | return NULL; 6 | } 7 | 8 | int main() { /* Empty entry point so the file links as a program; newfopen is never called here. */ 9
| return 0; 10 | } 11 | -------------------------------------------------------------------------------- /tests/fopen/mode1/myfopen.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/fopen/mode1/myfopen.cfg -------------------------------------------------------------------------------- /tests/fopen/mode1/myfopen.log: -------------------------------------------------------------------------------- 1 | Debugging is enabled. 2 | Loading Standard Definitions file: /home/aditi/mcsema-2.0.0-ve/env/bin/lib/python2.7/site-packages/mcsema_disass-2.0-py2.7.egg/mcsema_disass/defs/linux.txt 3 | Using Batch mode. 4 | Starting analysis 5 | Recovering module myfopen 6 | Looking for instructions in segment .init 7 | Default block heads for function 4003c8 with loose bounds [4003c8, 4003e2) 8 | block [4003c8, 4003d8) 9 | block [4003d8, 4003dd) 10 | block [4003dd, 4003e2) 11 | chunk [4003c8, 4003e2) 12 | Looking for instructions in segment .plt 13 | Default block heads for function 400400 with loose bounds [400400, 400406) 14 | block [400400, 400406) 15 | chunk [400400, 400406) 16 | Default block heads for function 400410 with loose bounds [400410, 400416) 17 | block [400410, 400416) 18 | chunk [400410, 400416) 19 | Looking for instructions in segment .plt.got 20 | Default block heads for function 400420 with loose bounds [400420, 400426) 21 | block [400420, 400426) 22 | chunk [400420, 400426) 23 | Looking for instructions in segment .text 24 | Default block heads for function 400430 with loose bounds [400430, 40045a) 25 | block [400430, 40045a) 26 | chunk [400430, 40045a) 27 | Default block heads for function 400460 with loose bounds [400460, 400492) 28 | block [400460, 400475) 29 | block [400475, 40047f) 30 | block [40047f, 400487) 31 | block [400490, 400492) 32 | chunk [400460, 400492) 33 | Default block heads for function 4004a0 with loose
bounds [4004a0, 4004da) 34 | block [4004a0, 4004c3) 35 | block [4004c3, 4004cd) 36 | block [4004cd, 4004d5) 37 | block [4004d8, 4004da) 38 | chunk [4004a0, 4004da) 39 | Default block heads for function 4004e0 with loose bounds [4004e0, 4004fc) 40 | block [4004e0, 4004e9) 41 | block [4004e9, 4004fa) 42 | block [4004fa, 4004fc) 43 | chunk [4004e0, 4004fc) 44 | Default block heads for function 400500 with loose bounds [400500, 400526) 45 | block [400500, 40050b) 46 | block [40050b, 40050d) 47 | block [400510, 40051a) 48 | block [40051a, 400526) 49 | chunk [400500, 400526) 50 | Default block heads for function 400526 with loose bounds [400526, 400547) 51 | block [400526, 400547) 52 | chunk [400526, 400547) 53 | Default block heads for function 400547 with loose bounds [400547, 400552) 54 | block [400547, 400552) 55 | chunk [400547, 400552) 56 | Default block heads for function 400560 with loose bounds [400560, 4005c5) 57 | block [400560, 400596) 58 | block [400596, 4005a0) 59 | block [4005a0, 4005b6) 60 | block [4005b6, 4005c5) 61 | chunk [400560, 4005c5) 62 | Default block heads for function 4005d0 with loose bounds [4005d0, 4005d2) 63 | block [4005d0, 4005d2) 64 | chunk [4005d0, 4005d2) 65 | Looking for instructions in segment .fini 66 | Default block heads for function 4005d4 with loose bounds [4005d4, 4005dd) 67 | block [4005d4, 4005dd) 68 | chunk [4005d4, 4005dd) 69 | Looking for strings in segment .rodata [4005e0, 4005f9) 70 | Found string 'Always failing fopen' of length 21 at 4005e4, jumping to 4005f9 71 | Looking for strings in segment .eh_frame_hdr [4005fc, 400638) 72 | Looking for strings in segment .eh_frame [400638, 40074c) 73 | Looking for strings in segment .init_array [600e10, 600e18) 74 | Looking for strings in segment .fini_array [600e18, 600e20) 75 | Looking for strings in segment .jcr [600e20, 600e28) 76 | Looking for strings in segment .got [600ff8, 601000) 77 | Looking for strings in segment .got.plt [601000, 601028) 78 | Looking for strings in 
segment .data [601028, 601038) 79 | Looking for strings in segment .bss [601038, 601040) 80 | Looking for strings in segment extern [601040, 601080) 81 | Looking for cross-references in segment .init [4003c8, 4003e2) 82 | Looking for cross-references in segment .plt [4003f0, 400420) 83 | Stopping scan at 4003fc 84 | Stopping scan at 40040c 85 | Stopping scan at 40041c 86 | Looking for cross-references in segment .plt.got [400420, 400428) 87 | Stopping scan at 400428 88 | Looking for cross-references in segment .text [400430, 4005d2) 89 | Stopping scan at 40045c 90 | Stopping scan at 40048c 91 | Stopping scan at 40049c 92 | Stopping scan at ffffffffffffffff 93 | Stopping scan at 4004dc 94 | Stopping scan at 4004fc 95 | Stopping scan at ffffffffffffffff 96 | Stopping scan at 40055c 97 | Stopping scan at 4005cc 98 | Looking for cross-references in segment .fini [4005d4, 4005dd) 99 | Looking for cross-references in segment .rodata [4005e0, 4005f9) 100 | Found string at 4005e4, jumping to 4005f9 101 | Stopping scan at 4005e4 102 | Looking for cross-references in segment .eh_frame_hdr [4005fc, 400638) 103 | Stopping scan at 400634 104 | Looking for cross-references in segment .eh_frame [400638, 40074c) 105 | Stopping scan at 400748 106 | Looking for cross-references in segment .init_array [600e10, 600e18) 107 | Adding qword reference from 600e10 to 400500 108 | Stopping scan at 600e10 109 | Looking for cross-references in segment .fini_array [600e18, 600e20) 110 | Adding qword reference from 600e18 to 4004e0 111 | Stopping scan at 600e18 112 | Looking for cross-references in segment .jcr [600e20, 600e28) 113 | Stopping scan at 600e24 114 | Looking for cross-references in segment .got [600ff8, 601000) 115 | Adding qword reference from 600ff8 to 601068 116 | Stopping scan at 600ff8 117 | Looking for cross-references in segment .got.plt [601000, 601028) 118 | Adding qword reference from 601018 to 601050 119 | Adding qword reference from 601020 to 601058 120 | Stopping scan 
at 601020 121 | Looking for cross-references in segment .data [601028, 601038) 122 | Stopping scan at 601034 123 | Looking for cross-references in segment .bss [601038, 601040) 124 | Stopping scan at 60103c 125 | Looking for cross-references in segment extern [601040, 601080) 126 | Stopping scan at 60107c 127 | Looking for thunks 128 | Found thunk for puts targeting 601050 at 400400 129 | Found thunk for __libc_start_main targeting 601058 at 400410 130 | Found thunk for off_600FF8 targeting 600ff8 at 400420 131 | Looking for external symbols 132 | Function at 400400 is the external function puts 133 | Function at 400410 is the external function __libc_start_main 134 | True name of puts@@GLIBC_2.2.5 is puts 135 | Function at 601040 is the external function puts 136 | True name of __libc_start_main@@GLIBC_2.2.5 is __libc_start_main 137 | Function at 601048 is the external function __libc_start_main 138 | Function at 601050 is the external function puts 139 | Function at 601058 is the external function __libc_start_main 140 | Function at 601068 is the external function __gmon_start__ 141 | Looking for entrypoints 142 | Recovering deregister_tm_clones at 400460 143 | Analysing subroutine deregister_tm_clones at 400460 144 | Subroutine deregister_tm_clones at 400460 has 4 blocks 145 | BB: 400460 in func 400460 with 6 insts 146 | I: 400460 (data imm internal 60103f ) 147 | I: 400465 148 | I: 400466 (data imm internal 601038 __bss_start) 149 | I: 40046c 150 | I: 400470 151 | I: 400473 (code flow internal 400490 ) 152 | Successors: 400490, 400475 153 | BB: 400490 in func 400460 with 2 insts 154 | I: 400490 155 | I: 400491 156 | No successors 157 | BB: 400475 in func 400460 with 3 insts 158 | I: 400475 159 | I: 40047a 160 | I: 40047d (code flow internal 400490 ) 161 | Successors: 400490, 40047f 162 | BB: 40047f in func 400460 with 3 insts 163 | I: 40047f 164 | I: 400480 (data imm internal 601038 __bss_start) 165 | I: 400485 166 | No successors 167 | Recovering main at 
400547 168 | Analysing subroutine main at 400547 169 | Subroutine main at 400547 has 1 blocks 170 | BB: 400547 in func 400547 with 5 insts 171 | I: 400547 172 | I: 400548 173 | I: 40054b 174 | I: 400550 175 | I: 400551 176 | No successors 177 | Recovering newfopen at 400526 178 | Analysing subroutine newfopen at 400526 179 | Subroutine newfopen at 400526 has 1 blocks 180 | BB: 400526 in func 400526 with 10 insts 181 | I: 400526 182 | I: 400527 183 | I: 40052a 184 | I: 40052e 185 | I: 400532 186 | I: 400536 (data imm internal 4005e4 s) 187 | I: 40053b (data flow external 601050 puts) 188 | I: 400540 189 | I: 400545 190 | I: 400546 191 | No successors 192 | Recovering __gmon_start__ at 400420 193 | Analysing subroutine __gmon_start__ at 400420 194 | Subroutine __gmon_start__ at 400420 has 1 blocks 195 | BB: 400420 in func 400420 with 1 insts 196 | I: 400420 (data mem internal 600ff8 ) 197 | No successors 198 | Recovering .init_proc at 4003c8 199 | Analysing subroutine .init_proc at 4003c8 200 | Subroutine .init_proc at 4003c8 has 3 blocks 201 | BB: 4003c8 in func 4003c8 with 4 insts 202 | I: 4003c8 203 | I: 4003cc (data mem internal 600ff8 ) 204 | I: 4003d3 205 | I: 4003d6 (code flow internal 4003dd ) 206 | Successors: 4003d8, 4003dd 207 | BB: 4003d8 in func 4003c8 with 1 insts 208 | I: 4003d8 (data flow internal 600ff8 off_600FF8) 209 | Successors: 4003dd 210 | BB: 4003dd in func 4003c8 with 2 insts 211 | I: 4003dd 212 | I: 4003e1 213 | No successors 214 | Recovering register_tm_clones at 4004a0 215 | Analysing subroutine register_tm_clones at 4004a0 216 | Subroutine register_tm_clones at 4004a0 has 4 blocks 217 | BB: 4004a0 in func 4004a0 with 10 insts 218 | I: 4004a0 (data imm internal 601038 __bss_start) 219 | I: 4004a5 220 | I: 4004a6 (data imm internal 601038 __bss_start) 221 | I: 4004ad 222 | I: 4004b1 223 | I: 4004b4 224 | I: 4004b7 225 | I: 4004bb 226 | I: 4004be 227 | I: 4004c1 (code flow internal 4004d8 ) 228 | Successors: 4004d8, 4004c3 229 | BB: 4004d8 
in func 4004a0 with 2 insts 230 | I: 4004d8 231 | I: 4004d9 232 | No successors 233 | BB: 4004c3 in func 4004a0 with 3 insts 234 | I: 4004c3 235 | I: 4004c8 236 | I: 4004cb (code flow internal 4004d8 ) 237 | Successors: 4004d8, 4004cd 238 | BB: 4004cd in func 4004a0 with 3 insts 239 | I: 4004cd 240 | I: 4004ce (data imm internal 601038 __bss_start) 241 | I: 4004d3 242 | No successors 243 | Recovering __do_global_dtors_aux at 4004e0 244 | Analysing subroutine __do_global_dtors_aux at 4004e0 245 | Subroutine __do_global_dtors_aux at 4004e0 has 3 blocks 246 | BB: 4004e0 in func 4004e0 with 2 insts 247 | I: 4004e0 (data mem internal 601038 __bss_start) 248 | I: 4004e7 (code flow internal 4004fa ) 249 | Successors: 4004e9, 4004fa 250 | BB: 4004e9 in func 4004e0 with 5 insts 251 | I: 4004e9 252 | I: 4004ea 253 | I: 4004ed (code flow internal 400460 deregister_tm_clones) 254 | I: 4004f2 255 | I: 4004f3 (data mem internal 601038 __bss_start) 256 | Successors: 4004fa 257 | BB: 4004fa in func 4004e0 with 1 insts 258 | I: 4004fa 259 | No successors 260 | Recovering frame_dummy at 400500 261 | Analysing subroutine frame_dummy at 400500 262 | Subroutine frame_dummy at 400500 has 4 blocks 263 | BB: 400500 in func 400500 with 3 insts 264 | I: 400500 (data imm internal 600e20 __JCR_LIST__) 265 | I: 400505 266 | I: 400509 (code flow internal 400510 ) 267 | Successors: 400510, 40050b 268 | BB: 400510 in func 400500 with 3 insts 269 | I: 400510 270 | I: 400515 271 | I: 400518 (code flow internal 40050b ) 272 | Successors: 40051a, 40050b 273 | BB: 40051a in func 400500 with 5 insts 274 | I: 40051a 275 | I: 40051b 276 | I: 40051e 277 | I: 400520 278 | I: 400521 (code flow internal 4004a0 register_tm_clones) 279 | Successors: 4004a0 280 | BB: 40050b in func 400500 with 1 insts 281 | I: 40050b (code flow internal 4004a0 register_tm_clones) 282 | Successors: 4004a0 283 | Recovering _start at 400430 284 | Analysing subroutine _start at 400430 285 | Subroutine _start at 400430 has 1 blocks 
286 | BB: 400430 in func 400430 with 12 insts 287 | I: 400430 288 | I: 400432 289 | I: 400435 290 | I: 400436 291 | I: 400439 292 | I: 40043d 293 | I: 40043e 294 | I: 40043f (code imm internal 4005d0 __libc_csu_fini) 295 | I: 400446 (code imm internal 400560 __libc_csu_init) 296 | I: 40044d (code imm internal 400547 main) 297 | I: 400454 (data flow external 601058 __libc_start_main) 298 | I: 400459 299 | Does not return 300 | Recovering __libc_csu_init at 400560 301 | Analysing subroutine __libc_csu_init at 400560 302 | Subroutine __libc_csu_init at 400560 has 4 blocks 303 | BB: 400560 in func 400560 with 17 insts 304 | I: 400560 305 | I: 400562 306 | I: 400564 307 | I: 400567 308 | I: 400569 309 | I: 40056b (data mem internal 600e10 __frame_dummy_init_array_entry) 310 | I: 400572 311 | I: 400573 (data mem internal 600e18 __do_global_dtors_aux_fini_array_entry) 312 | I: 40057a 313 | I: 40057b 314 | I: 40057e 315 | I: 400581 316 | I: 400584 317 | I: 400588 318 | I: 40058c (code flow internal 4003c8 .init_proc) 319 | I: 400591 320 | I: 400594 (code flow internal 4005b6 ) 321 | Successors: 4005b6, 400596 322 | BB: 4005a0 in func 400560 with 7 insts 323 | I: 4005a0 324 | I: 4005a3 325 | I: 4005a6 326 | I: 4005a9 327 | I: 4005ad 328 | I: 4005b1 329 | I: 4005b4 (code flow internal 4005a0 ) 330 | Successors: 4005a0, 4005b6 331 | BB: 400596 in func 400560 with 2 insts 332 | I: 400596 333 | I: 400598 334 | Successors: 4005a0 335 | BB: 4005b6 in func 400560 with 8 insts 336 | I: 4005b6 337 | I: 4005ba 338 | I: 4005bb 339 | I: 4005bc 340 | I: 4005be 341 | I: 4005c0 342 | I: 4005c2 343 | I: 4005c4 344 | No successors 345 | Recovering __libc_csu_fini at 4005d0 346 | Analysing subroutine __libc_csu_fini at 4005d0 347 | Subroutine __libc_csu_fini at 4005d0 has 1 blocks 348 | BB: 4005d0 in func 4005d0 with 1 insts 349 | I: 4005d0 350 | No successors 351 | Recovering .term_proc at 4005d4 352 | Analysing subroutine .term_proc at 4005d4 353 | Subroutine .term_proc at 4005d4 has 1 
blocks 354 | BB: 4005d4 in func 4005d4 with 3 insts 355 | I: 4005d4 356 | I: 4005d8 357 | I: 4005dc 358 | No successors 359 | Global Variable None 360 | WARNING: Global constructor and destructor sections are adjacent! 361 | Splitting segment .bss at 601038 for exported variable __bss_start 362 | Recovering region .rodata [4005e0, 4005f9) in segment .rodata 363 | Variable s at 4005e4 364 | Recovering region .text [400430, 4005d2) in segment .text 365 | Recovering region __bss_start [601038, 601040) in segment .bss 366 | Variable __bss_start at 601038 367 | Recovering region .got.plt [601000, 601028) in segment .got.plt 368 | 8-byte reference at 601018 to 601050 (puts) 369 | 8-byte reference at 601020 to 601058 (__libc_start_main) 370 | Recovering region .plt.got [400420, 400428) in segment .plt.got 371 | Recovering region .init [4003c8, 4003e2) in segment .init 372 | Recovering region .plt [4003f0, 400420) in segment .plt 373 | Recovering region .got [600ff8, 601000) in segment .got 374 | 8-byte reference at 600ff8 to 601068 (__gmon_start__) 375 | Recovering region .fini [4005d4, 4005dd) in segment .fini 376 | Recovering region .init_array [600e10, 600e20) in segment .init_array 377 | 8-byte reference at 600e10 to 400500 (frame_dummy) 378 | 8-byte reference at 600e18 to 4004e0 (__do_global_dtors_aux) 379 | Variable __frame_dummy_init_array_entry at 600e10 380 | Variable __do_global_dtors_aux_fini_array_entry at 600e18 381 | Recovering region .jcr [600e20, 600e28) in segment .jcr 382 | Variable __JCR_LIST__ at 600e20 383 | Recovering region .eh_frame [400638, 40074c) in segment .eh_frame 384 | Recovering region .data [601028, 601038) in segment .data 385 | Recovering region .eh_frame_hdr [4005fc, 400638) in segment .eh_frame_hdr 386 | Recovering extern function puts at 400400 387 | Recovering extern function puts at 601040 388 | Recovering extern function __libc_start_main at 601048 389 | Recovering extern function puts at 601050 390 | Recovering extern function 
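#include <stdio.h>

/*
 * Target program for the fopen() replacement tests (mode1): calls fopen()
 * once and reports on stdout whether it succeeded.
 *
 * The path is relative to the working directory, so the program has to be
 * run from the repository root, where tests/fopen/test.txt is checked in.
 * Exit status: 0 when fopen() returned a handle, 1 when it returned NULL.
 *
 * The lifted/rewritten artifacts next to this file (prog.bc, prog.cfg,
 * prog.new*) appear to be derived from this source; regenerate them after
 * editing it.
 */
int main(void) {
  printf("Calling the fopen() function...\n");

  FILE *fd = fopen("tests/fopen/test.txt", "r");
  if (!fd) {
    printf("fopen() returned NULL\n");
    return 1;
  }

  printf("fopen() succeeded\n");

  /* Release the handle instead of leaking it until process exit. */
  fclose(fd);
  return 0;
}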
-------------------------------------------------------------------------------- /tests/fopen/mode1/prog.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/fopen/mode1/prog.cfg -------------------------------------------------------------------------------- /tests/fopen/mode1/prog.new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/fopen/mode1/prog.new -------------------------------------------------------------------------------- /tests/fopen/mode1/prog.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/fopen/mode1/prog.new.bc -------------------------------------------------------------------------------- /tests/fopen/mode1/prog.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/fopen/mode1/prog.new.o -------------------------------------------------------------------------------- /tests/fopen/mode1/test.txt: -------------------------------------------------------------------------------- 1 | this is a test 2 | -------------------------------------------------------------------------------- /tests/fopen/mode1_usefopen/myfopen: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/fopen/mode1_usefopen/myfopen -------------------------------------------------------------------------------- /tests/fopen/mode1_usefopen/myfopen.bc: 
#include <stdio.h>

/*
 * Replacement for fopen() used by the mode1_usefopen test.  It announces
 * itself on stdout and then defers to the real fopen() with the caller's
 * path and mode passed through untouched, so the rewritten program keeps
 * its original file behaviour.
 *
 * NOTE(review): if the rewriting pass also redirects the fopen() call inside
 * this body to newfopen(), the function would recurse without bound --
 * confirm that the pass leaves the replacement's own body alone.
 */
FILE *newfopen(const char *path, const char *mode) {
  printf("fopen has been replaced\n");
  FILE *handle = fopen(path, mode);
  return handle;
}

/* This translation unit only exists to supply newfopen(); nothing to run. */
int main() {
  return 0;
}
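#include <stdio.h>

/*
 * Target program for the fopen() replacement tests (mode1_usefopen): calls
 * fopen() once and reports on stdout whether it succeeded.
 *
 * The path is relative to the working directory, so the program has to be
 * run from the repository root, where tests/fopen/test.txt is checked in.
 * Exit status: 0 when fopen() returned a handle, 1 when it returned NULL.
 *
 * The lifted/rewritten artifacts next to this file (prog.bc, prog.cfg,
 * prog.new*) appear to be derived from this source; regenerate them after
 * editing it.
 */
int main(void) {
  printf("Calling the fopen() function...\n");

  FILE *fd = fopen("tests/fopen/test.txt", "r");
  if (!fd) {
    printf("fopen() returned NULL\n");
    return 1;
  }

  printf("fopen() succeeded\n");

  /* Release the handle instead of leaking it until process exit. */
  fclose(fd);
  return 0;
}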
#include <stdio.h>

/*
 * Failing stand-in for fopen(): reports failure by returning NULL whatever
 * path and mode it is given.  errno is not touched, so a caller that runs
 * perror() afterwards prints whichever error was already pending.
 */
FILE *stub(const char *path, const char *mode) {
  (void)path;
  (void)mode;
  return NULL;
}

/*
 * Replacement for fopen() used by the mode2 test.  It announces itself on
 * stdout and then routes the call, arguments unchanged, to stub() -- so the
 * rewritten program sees every fopen() fail.
 */
FILE *newfopen(const char *path, const char *mode) {
  printf("fopen has been replaced\n");
  FILE *result = stub(path, mode);
  return result;
}

/* This translation unit only exists to supply newfopen(); nothing to run. */
int main() {
  return 0;
}
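#include <stdio.h>

/*
 * Target program for the fopen() replacement tests (mode2): calls fopen()
 * once and reports on stdout whether it succeeded.
 *
 * The path is relative to the working directory, so the program has to be
 * run from the repository root, where tests/fopen/test.txt is checked in.
 * Exit status: 0 when fopen() returned a handle, 1 when it returned NULL.
 * In mode2 the replacement routes fopen() to a stub that returns NULL (see
 * myfopen.c in this directory), so the NULL branch is the expected outcome
 * of the rewritten binary there.
 *
 * The lifted/rewritten artifacts next to this file (prog.bc, prog.cfg,
 * prog.new*) appear to be derived from this source; regenerate them after
 * editing it.
 */
int main(void) {
  printf("Calling the fopen() function...\n");

  FILE *fd = fopen("tests/fopen/test.txt", "r");
  if (!fd) {
    printf("fopen() returned NULL\n");
    return 1;
  }

  printf("fopen() succeeded\n");

  /* Release the handle instead of leaking it until process exit. */
  fclose(fd);
  return 0;
}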
/tests/stripped_crypto/mode1/encryptStripped.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode1/encryptStripped.bc -------------------------------------------------------------------------------- /tests/stripped_crypto/mode1/encryptStripped.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode1/encryptStripped.cfg -------------------------------------------------------------------------------- /tests/stripped_crypto/mode1/encryptStripped.new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode1/encryptStripped.new -------------------------------------------------------------------------------- /tests/stripped_crypto/mode1/encryptStripped.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode1/encryptStripped.new.bc -------------------------------------------------------------------------------- /tests/stripped_crypto/mode1/encryptStripped.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode1/encryptStripped.new.o -------------------------------------------------------------------------------- /tests/stripped_crypto/mode1/replaceIV_mode1: -------------------------------------------------------------------------------- 
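#include <stdio.h>
#include <stdlib.h>
#include <openssl/rand.h>

/* Size in bytes of the IV this replacement hands out (one AES block). */
#define IV_LEN 16

/*
 * Replacement IV generator for the stripped_crypto mode1 test: returns a
 * freshly malloc'd buffer of IV_LEN bytes filled by the OpenSSL CSPRNG.
 *
 * Returns NULL when allocation fails or when RAND_bytes() does not report
 * success, so a caller never receives an uninitialised -- and therefore
 * predictable -- IV.  The caller owns the returned buffer and must free() it.
 */
unsigned char *replacement(void) {
  /* Allocate exactly one IV; the earlier sizeof(int) * 16 over-allocated
   * 64 bytes of which only 16 were ever written. */
  unsigned char *iv = malloc(IV_LEN);
  if (iv == NULL) {
    return NULL;
  }
  /* RAND_bytes() returns 1 on success.  On anything else the buffer holds
   * undefined bytes and must not be used as an IV: fail closed. */
  if (RAND_bytes(iv, IV_LEN) != 1) {
    free(iv);
    return NULL;
  }
  return iv;
}

/*
 * Smoke test: prints the IV as hex.  The IV is random binary data, not a
 * NUL-terminated string, so it must never be passed to printf() as the
 * format string (a '%' byte would make printf() read or write through it).
 */
int main(void) {
  int i;
  unsigned char *iv = replacement();
  if (iv == NULL) {
    fprintf(stderr, "replacement(): could not generate IV\n");
    return 1;
  }
  for (i = 0; i < IV_LEN; i++) {
    printf("%02x", iv[i]);
  }
  printf("\n");
  free(iv);
  return 0;
}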
https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode2/encryptStripped -------------------------------------------------------------------------------- /tests/stripped_crypto/mode2/encryptStripped.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode2/encryptStripped.bc -------------------------------------------------------------------------------- /tests/stripped_crypto/mode2/encryptStripped.cfg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode2/encryptStripped.cfg -------------------------------------------------------------------------------- /tests/stripped_crypto/mode2/encryptStripped.new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode2/encryptStripped.new -------------------------------------------------------------------------------- /tests/stripped_crypto/mode2/encryptStripped.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode2/encryptStripped.new.bc -------------------------------------------------------------------------------- /tests/stripped_crypto/mode2/encryptStripped.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode2/encryptStripped.new.o 
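#include <stdio.h>
#include <stdlib.h>
#include <openssl/rand.h>

/* Size in bytes of the IV handled here (one AES block). */
#define IV_LEN 16

/*
 * Stand-in for the target binary's original IV generator, modelling the weak
 * case this test is about: every call returns the same static buffer with
 * the same (all-zero) contents.  Presumably the tool re-binds this name to
 * the target's real generator when the replacement is injected -- confirm
 * against the pass.  The buffer is static and must not be free()d.
 */
unsigned char *generate_iv_original(void) {
  static unsigned char fixed_iv[IV_LEN];
  return fixed_iv;
}

/*
 * Fresh IV from the OpenSSL CSPRNG in a malloc'd buffer of IV_LEN bytes.
 * Returns NULL when allocation fails or RAND_bytes() does not report
 * success, so the caller never gets an uninitialised, predictable IV.
 * The caller owns the returned buffer.
 */
unsigned char *random_iv(void) {
  unsigned char *iv = malloc(IV_LEN);
  if (iv == NULL) {
    return NULL;
  }
  /* RAND_bytes() returns 1 on success; anything else means fail closed. */
  if (RAND_bytes(iv, IV_LEN) != 1) {
    free(iv);
    return NULL;
  }
  return iv;
}

/*
 * Replacement IV generator for the stripped_crypto mode2 test.  It asks the
 * original generator for an IV, then probes it ten more times; if any probe
 * hands back the very same pointer, the original is treated as a fixed IV
 * source and a random IV is returned instead.  Otherwise the original's IV
 * is returned unchanged.
 *
 * Returns NULL only if the random fallback could not be produced; callers
 * must check for that rather than encrypt with a missing IV.
 *
 * NOTE(review): the check is pointer identity only.  A generator that
 * returns a fresh buffer holding the same bytes on every call would slip
 * through; comparing contents (memcmp over IV_LEN) would need the original
 * buffer's size to be known.  Any buffers the probe calls allocate are not
 * released here, since their ownership is not known.
 */
unsigned char *replacement(void) {
  unsigned char *original = generate_iv_original();
  for (int probe = 0; probe < 10; probe++) {
    if (generate_iv_original() == original) {
      return random_iv();
    }
  }
  return original;
}

/*
 * Smoke test: prints the IV as hex.  The IV is binary data, not a
 * NUL-terminated string, so it must never be passed to printf() as the
 * format string (a '%' byte would make printf() read or write through it).
 */
int main(void) {
  unsigned char *iv = replacement();
  if (iv == NULL) {
    fprintf(stderr, "replacement(): could not generate IV\n");
    return 1;
  }
  for (int i = 0; i < IV_LEN; i++) {
    printf("%02x", iv[i]);
  }
  printf("\n");
  /* Only random_iv() hands out heap memory; the stand-in's buffer is static. */
  if (iv != generate_iv_original()) {
    free(iv);
  }
  return 0;
}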
-------------------------------------------------------------------------------- /tests/stripped_crypto/mode2/replaceIV_mode2.new.bc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode2/replaceIV_mode2.new.bc -------------------------------------------------------------------------------- /tests/stripped_crypto/mode2/replaceIV_mode2.new.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lifting-bits/fennec/531120ebc2fc757280795f393a1a2d69b16c6380/tests/stripped_crypto/mode2/replaceIV_mode2.new.o --------------------------------------------------------------------------------