    kj.xwings.l
    @xwings
    it's in GitHub's README, credits.txt and docs.qiling.com
    sharksforarms
    @sharksforarms
    Hey awesome project. I'm wondering if anyone's tried to emulate the tplink router httpd?
    I've tried patching some interfaces to lo but with no luck...
    I think the binary is running, using multithreaded mode and it's in a pool()/getpid() loop
    kj.xwings.l
    @xwings
    i did not try before
    Dominik Maier
    @domenukk
    @xwings about the speed improvement on twitter, is coverage still working properly? Cuz you got only a single path, which may be concerning (if your target has branches)
    And a little fyi, unique crashes in AFL is not a super good metric, too imprecise
    What did you do to get the speed improvements? Looks pretty quick
    kj.xwings.l
    @xwings
    nah, it's a stupid trick
    i did partial execution
    of the entire binary
    like 15 instructions out of a 1MB arm binary (not with .so, with .so will be more)
    @domenukk i can pass u the code if u wanna take a look
    kj.xwings.l
    @xwings
    ql.save() and ql.restore() added. we can do complete snapshot now. https://docs.qiling.io/en/latest/snapshot/
    Dominik Maier
    @domenukk
    BTW are you already using persistent mode for the fuzz case?
    kj.xwings.l
    @xwings
    yes
    and very short code
    that's why it shows the path error
    we can have a google meet to show u the code and how i do the test
    Dominik Maier
    @domenukk
    would be cool, but next week, this weekend's my birthday partey :D
    kj.xwings.l
    @xwings
    happy birdday !
    Pedro Ribeiro
    @pedrib_gitlab
    hey guys
    Pedro Ribeiro
    @pedrib_gitlab
    so I'm trying to run a mips binary under partial execution
    but I'm getting a qiling internal exception
    [+] load 0x400000 - 0x40f000
    [+] load 0x41e000 - 0x41f000
    [+] mem_start: 0x400000 mem_end: 0x41f000
    [+] interp is : squashfs-root/lib/ld-uClibc.so.0
    [+] interp_mem_size is : 0x18000
    [+] interp_address is : 0x47ba000
    [+] mmap_address is : 0x774bf000
    [+] dynsym name b'avl_strcmp'
    Traceback (most recent call last):
      File "connector.py", line 17, in <module>
        ql.run(begin = begin_point, end = end_point)
      File "/home/john/.virtualenvs/qiling/lib/python3.7/site-packages/qiling/core.py", line 198, in run
        self.os.run()
      File "/home/john/.virtualenvs/qiling/lib/python3.7/site-packages/qiling/os/linux/linux.py", line 130, in run
        raise self.ql.internal_exception
      File "/home/john/.virtualenvs/qiling/lib/python3.7/site-packages/qiling/utils.py", line 19, in wrapper
        return func(*args, **kw)
      File "/home/john/.virtualenvs/qiling/lib/python3.7/site-packages/qiling/core_hooks.py", line 126, in _hook_intr_cb
        raise QlErrorCoreHook("_hook_intr_cb : catched == False")
    qiling.exception.QlErrorCoreHook: _hook_intr_cb : catched == False
    the code is basically this:
    from qiling import Qiling

    if __name__ == "__main__":
        # emulate the MIPS binary from the extracted rootfs with debug output
        ql = Qiling(["squashfs-root/usr/sbin/connector"], "squashfs-root", output = "debug")
        # partial execution: only run the instructions between these two addresses
        begin_point = 0x4058b8
        end_point = 0x405c60
        ql.run(begin = begin_point, end = end_point)
    kj.xwings.l
    @xwings
    you need the "snapshot" to work
    Pedro Ribeiro
    @pedrib_gitlab
    ok, can you elaborate? The docs only show the code as I have
    Jhe
    @ucgJhe
    partial execution does no magic but simply runs the code between begin and end, and you should make sure that all registers are in the right position
    Jhe
    @ucgJhe
    before you run it
    kj.xwings.l
    @xwings
    i added an example on how to do partial execution with ql.save() and ql.restore
    Pedro Ribeiro
    @pedrib_gitlab
    got it, thanks, easier to understand
    what if the code calls a function outside of the range?
    for example I want to run a function between 0x10000 and 0x20000, but in the middle there's a jump to 0x30000, which then returns
    kj.xwings.l
    @xwings
    try and u will know :)
    Pedro Ribeiro
    @pedrib_gitlab
    ok I actually can't get it to run even once since it fails when it tries to call the ioctl
    however it works fine under qemu
    does qiling have a problem with ioctl?
    kj.xwings.l
    @xwings
    windows ?
    actually, no. i don't think we ever wrote a syscall for ioctl.
    kj.xwings.l
    @xwings
    actually we do
    Pedro Ribeiro
    @pedrib_gitlab
    Linux, mips
    kj.xwings.l
    @xwings
    if there is a bug, post an issue. if u can fix it, post a PR :)
    kj.xwings.l
    @xwings
    @pedrib_gitlab can u pull the latest version and try dev branch again
    kj.xwings.l
    @xwings
    @pedrib_gitlab just make sure you use proper ql.save() and ql.restore(), or else partial execution will never work
    kj.xwings.l
    @xwings
    updated to 1.1.3
    kj.xwings.l
    @xwings
    We just created a telegram group!