add support for android x86, x86-64 in qbdi mode

2025-06-21 21:54:25 +00:00 · 2019-11-09 15:18:24 +00:00
parent 574de9ff4c
commit ab8fb271f7
4 changed files with 29 additions and 11 deletions
--- a/include/android-ashmem.h
+++ b/include/android-ashmem.h
@ -52,7 +52,7 @@ static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
  if (__cmd == IPC_RMID) {

    int               length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
-    struct ashmem_pin pin = {0, length};
+    struct ashmem_pin pin = {0, (unsigned int)length};
    ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
    close(__shmid);

--- a/qbdi_mode/build.sh
+++ b/qbdi_mode/build.sh
@ -1,6 +1,12 @@
-# ~/workspace/android-standalone-toolchain-21-x86/bin/i686-linux-android-g++ -o loader  -Wl,-rpath,/data/lsl template.cpp -Iusr/local/include/ -Lusr/local/lib/ -lQBDI
-# ~/workspace/android-standalone-toolchain-21-x86/bin/i686-linux-android-gcc -shared -o libdemo.so demo-so.c -w
+compiler_prefix="/home/hac425/workspace/android-standalone-toolchain-21-x86/bin/i686-linux-android-"
+CFLAGS="-Iusr/local/include/ -Lusr/local/lib/"

+# for x86-64 android
+# compiler_prefix="/home/hac425/workspace/android-standalone-toolchain-21/bin/x86_64-linux-android-"
+# CFLAGS="-Iandroid-x64/usr/local/include/ -Landroid-x64/usr/local/lib/"

-g++ -o loader template.cpp -lQBDI -ldl -w
-gcc -shared -o libdemo.so demo-so.c -w
+${compiler_prefix}g++ -o loader template.cpp -lQBDI -ldl -w  -g ${CFLAGS}
+${compiler_prefix}gcc -shared -o libdemo.so demo-so.c -w -g
+
+cd ..
+${compiler_prefix}gcc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wno-unused-function src/afl-fuzz-misc.c src/afl-fuzz-extras.c src/afl-fuzz-queue.c src/afl-fuzz-one.c src/afl-fuzz-python.c src/afl-fuzz-stats.c src/afl-fuzz-init.c src/afl-fuzz.c src/afl-fuzz-bitmap.c src/afl-fuzz-run.c src/afl-fuzz-globals.c src/afl-common.c src/afl-sharedmem.c src/afl-forkserver.c -o qbdi_mode/afl-fuzz  -ldl -w
--- a/qbdi_mode/demo-so.c
+++ b/qbdi_mode/demo-so.c
@ -14,7 +14,8 @@ int target_func(char* buf, int size){
    case 1:
        puts("222");
        if(buf[1]=='\x44'){
-            puts("xxxiiii");
+            puts("aaaaaaaaaaaaaaaaaaaaa");
+            *(char*)(0) = 1;
        }
        break;
    case '\xfe':
@ -26,10 +27,9 @@ int target_func(char* buf, int size){
    case 0xff:
        if(buf[2]=='\xff'){
            if(buf[1]=='\x44'){
-                puts("xxxiiii");
-                assert(0);
+                *(char*)(0xdeadbeef) = 1;
            }else{
-                puts("xxxiiii");
+                puts("kkkkkk");
            }
        }
        puts("xxxx");
--- a/qbdi_mode/template.cpp
+++ b/qbdi_mode/template.cpp
@ -10,10 +10,17 @@
 #include <fcntl.h>
 #include <dlfcn.h>

+#ifdef __ANDROID__
+#include "../include/android-ashmem.h"
+#endif

+#include <sys/ipc.h>
 #include <sys/shm.h>
 #include "../config.h"

+
+
+
 #include <QBDI.h>

 using namespace QBDI;
@ -49,7 +56,6 @@ int afl_setup(void) {


 /* Fork server logic, invoked once we hit _start. */
-
 static void afl_forkserver()
 {

@ -141,8 +147,14 @@ QBDI_NOINLINE int fuzz_func()
 static QBDI::VMAction bbcallback(QBDI::VMInstanceRef vm, const QBDI::VMState *state, QBDI::GPRState *gprState, QBDI::FPRState *fprState, void *data) {
    // errno = SAVED_ERRNO;

+#ifdef __x86_64__
    unsigned long pc = gprState->rip;
-    // printf("%p\n", pc);
+#elif defined(i386)
+    unsigned long pc = gprState->eip;
+#elif defined(__arm__)
+    unsigned long pc = gprState->pc;
+#endif
+
    if(pc >= module_base && pc <= module_end){
        unsigned long offset =  pc - module_base;
        printf("\toffset:%p\n", offset);