Skip to content

Add fuzz stm32f407_hacklock example#1108

Draft
kabeor wants to merge 8 commits intoqilingframework:devfrom
kabeor:dev
Draft

Add fuzz stm32f407_hacklock example#1108
kabeor wants to merge 8 commits intoqilingframework:devfrom
kabeor:dev

Conversation

@kabeor
Copy link
Member

@kabeor kabeor commented Mar 7, 2022

Checklist

Which kind of PR do you create?

  • This PR only contains minor fixes.
  • This PR contains major feature update.
  • This PR introduces a new function/api for Qiling Framework.

Coding convention?

  • The new code conforms to Qiling Framework naming convention.
  • The imports are arranged properly.
  • Essential comments are added.
  • The reference of the new code is pointed out.

Extra tests?

  • No extra tests are needed for this PR.
  • I have added enough tests for this PR.
  • Tests will be added after some discussion and review.

Changelog?

  • This PR doesn't need to update Changelog.
  • Changelog will be updated after some proper review.
  • Changelog has been updated in my PR.

Target branch?

  • The target branch is dev branch.

One last thing

elicn
elicn requested changes Mar 9, 2022
View reviewed changes
Copy link
Member

@elicn elicn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A good example has to be minimalistic [to avoid confusion] and descriptive [to let people learn from it]. Please comment the example as much as you can and clean up residuals or unnecessary code.

examples/fuzzing/stm32f407/fuzz_stm32f407.py
from qiling.arch.arm import QlArchARM


def watch(ql:Qiling):
Copy link
Member

@elicn elicn Mar 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The usage of this function is commented out.
Consider commenting out the function as well, or remove it altogether.

examples/fuzzing/stm32f407/fuzz_stm32f407.py

def watch(ql:Qiling):
r0 = hex(ql.arch.regs.read('r0'))
if r0 != '0x0':
Copy link
Member

@elicn elicn Mar 9, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why comparing strings when you can compare integers..?

examples/fuzzing/stm32f407/fuzz_stm32f407.py
ql.emu_stop()

def fuzz_cb(ql:Qiling):
if isinstance(ql.arch, QlArchARM):
Copy link
Member

@elicn elicn Mar 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could use ql.ostype to determine this, or just hasattr(ql.arch, 'effective_pc') if you want to avoid the extra import.

examples/fuzzing/stm32f407/fuzz_stm32f407.py
ql.hw.create('usart1')
ql.hw.create('rcc')

# ql.hw.show_info()
Copy link
Member

@elicn elicn Mar 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove unnecessary leftovers to keep the example as clear as possible.

examples/fuzzing/stm32f407/fuzz_stm32f407.py
# ql.hw.show_info()
# ql.hook_address(watch, 0x08003232)

ql.patch(0x8000238, b'\x00\xBF' * 4)
Copy link
Member

@elicn elicn Mar 9, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is that..? What are we patching here and why?
Comments are critical for users to understand the example.

examples/fuzzing/stm32f407/fuzz_stm32f407.py

def disasm(count, ql, address, size):
buf = ql.mem.read(address, size)
try:
Copy link
Member

@elicn elicn Mar 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unnecessary try / exept.
There is nothing to catch here really.

examples/fuzzing/stm32f407/fuzz_stm32f407.py
buf = ql.mem.read(address, size)
try:
for i in md.disasm(buf, address):
return "{:08X}\t{:08X}: {:24s} {:10s} {:16s}".format(count[0], i.address, spaced_hex(buf), i.mnemonic,
Copy link
Member

@elicn elicn Mar 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The loop doesn't make much sense if you return unconditionally.
Perhaps you mean yield..?

examples/fuzzing/stm32f407/fuzz_stm32f407.py
rtn = '{:100s}'.format(disasm(count, ql, address, size))
print(rtn)
count[0] += 1
# pass
Copy link
Member

@elicn elicn Mar 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean up here too

examples/fuzzing/stm32f407/fuzz_stm32f407.py
# ql.run(end=0x8003236, count=-1)
ql.run(end=0x080031DC)

exits = [0x08003270, 0x08003222]
Copy link
Member

@elicn elicn Mar 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comments?
No idea what this is about.

@kabeor
Copy link
Member Author

kabeor commented Mar 9, 2022

@elicn This example is an experimental test yet and depending on some unpublished interface, converting it to draft for now.

@kabeor kabeor marked this pull request as draft March 9, 2022 09:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@elicn elicn elicn requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kabeor @elicn