Draft: add support for unicorn engine

Cargo.toml

@@ -9,6 +9,7 @@ members = [
     "libafl_tinyinst",
     "libafl_sugar",
     "libafl_nyx",
+    "libafl_unicorn",
     "libafl_concolic/symcc_runtime",
     "libafl_concolic/symcc_libafl",
     "libafl_concolic/test/dump_constraints",

fuzzers/unicorn/Cargo.toml

@@ -0,0 +1,12 @@
+[package]
+name = "unicorn"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+libafl = { path = "../../libafl/" }
+libafl_unicorn = { path = "../../libafl_unicorn/" }
+libafl_targets = { path = "../../libafl_targets", version = "0.8.2" }
+
+unicorn-engine = "2.0.1"
+iced-x86 = "1.18.0"

fuzzers/unicorn/libafl_unicorn_test/Makefile

@@ -0,0 +1,31 @@
+arm64="aarch64-linux-gnu"
+arm="arm-linux-gnueabihf"
+x64="x86_64-linux-gnu"
+assembly_arm64:
+	$(arm64)-gcc -O2 -S -c foo.c -o foo_arm64.s
+
+binary_arm64:
+	$(arm64)-as foo_arm64.s -o foo_arm64
+
+assembly_arm:
+	$(arm)-gcc -O2 -S -c foo.c -o foo_arm.s
+
+binary_arm:
+	$(arm)-as foo_arm.s -o foo_arm
+
+assembly_x86:
+	$(x64)-gcc -O2 -S -c foo.c -o foo_x86.s
+
+binary_x86:
+	$(x64)-as foo_x86.s -o foo_x86
+
+build_arm: assembly_arm binary_arm
+build_arm64: assembly_arm64 binary_arm64
+build_x86: assembly_x86 binary_x86
+
+clean:
+	rm foo_*
+
+
+all: build_arm build_arm64 build_x86
+# sudo apt install gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu

fuzzers/unicorn/libafl_unicorn_test/foo.c

@@ -0,0 +1,31 @@
+#include <stdint.h>
+#define len 2
+
+int main() {
+  volatile unsigned char a;  // = 0x1;
+  volatile unsigned char b;  // = 0x0;
+  volatile unsigned char c = 0;  // The result, so should be initialized at 0;
+
+  /*volatile unsigned char f[len];
+
+  for(int i = 0; i< len; i++){
+    f[i] = i;
+  }*/
+  c = 0x1;
+  if (a > b) {
+    c = 0x2;
+    if (a > 0x20) {
+      c = 0x3;
+      if (a == 0x50) {
+        c = 0x4;
+        if (b == 0x24) { c = 0x5; }
+      }
+    }
+  }
+  /*
+  a = 0xDE;
+  b = 0xEA;
+  c = 0xBE;
+  */
+  return c;
+}

fuzzers/unicorn/libafl_unicorn_test/foo_arm.s

@@ -0,0 +1,62 @@
+	.arch armv7-a
+	.fpu vfpv3-d16
+	.eabi_attribute 28, 1
+	.eabi_attribute 20, 1
+	.eabi_attribute 21, 1
+	.eabi_attribute 23, 3
+	.eabi_attribute 24, 1
+	.eabi_attribute 25, 1
+	.eabi_attribute 26, 2
+	.eabi_attribute 30, 2
+	.eabi_attribute 34, 1
+	.eabi_attribute 18, 4
+	.file	"foo.c"
+	.text
+	.section	.text.startup,"ax",%progbits
+	.align	1
+	.p2align 2,,3
+	.global	main
+	.syntax unified
+	.thumb
+	.thumb_func
+	.type	main, %function
+main:
+	@ args = 0, pretend = 0, frame = 8
+	@ frame_needed = 0, uses_anonymous_args = 0
+	@ link register save eliminated.
+	sub	sp, sp, #8
+	movs	r2, #0
+	movs	r3, #1
+	strb	r2, [sp, #7]
+	strb	r3, [sp, #7]
+	ldrb	r2, [sp, #5]	@ zero_extendqisi2
+	ldrb	r3, [sp, #6]	@ zero_extendqisi2
+	cmp	r2, r3
+	bls	.L3
+	movs	r3, #2
+	strb	r3, [sp, #7]
+	ldrb	r3, [sp, #5]	@ zero_extendqisi2
+	cmp	r3, #32
+	bls	.L3
+	movs	r3, #3
+	strb	r3, [sp, #7]
+	ldrb	r3, [sp, #5]	@ zero_extendqisi2
+	cmp	r3, #80
+	beq	.L7
+.L3:
+	ldrb	r0, [sp, #7]	@ zero_extendqisi2
+	add	sp, sp, #8
+	@ sp needed
+	bx	lr
+.L7:
+	movs	r3, #4
+	strb	r3, [sp, #7]
+	ldrb	r3, [sp, #6]	@ zero_extendqisi2
+	cmp	r3, #36
+	itt	eq
+	moveq	r3, #5
+	strbeq	r3, [sp, #7]
+	b	.L3
+	.size	main, .-main
+	.ident	"GCC: (Ubuntu 12.2.0-3ubuntu1) 12.2.0"
+	.section	.note.GNU-stack,"",%progbits

fuzzers/unicorn/libafl_unicorn_test/foo_arm64.s

@@ -0,0 +1,56 @@
+	.arch armv8-a
+	.file	"foo.c"
+	.text
+	.section	.text.startup,"ax",@progbits
+	.align	2
+	.p2align 4,,11
+	.global	main
+	.type	main, %function
+main:
+.LFB0:
+	.cfi_startproc
+	sub	sp, sp, #16
+	.cfi_def_cfa_offset 16
+	mov	w0, 1
+	strb	wzr, [sp, 15]
+	strb	w0, [sp, 15]
+	ldrb	w1, [sp, 13]
+	ldrb	w0, [sp, 14]
+	and	w0, w0, 255
+	cmp	w0, w1, uxtb
+	bcs	.L3
+	mov	w0, 2
+	strb	w0, [sp, 15]
+	ldrb	w0, [sp, 13]
+	and	w0, w0, 255
+	cmp	w0, 32
+	bls	.L3
+	mov	w0, 3
+	strb	w0, [sp, 15]
+	ldrb	w0, [sp, 13]
+	and	w0, w0, 255
+	cmp	w0, 80
+	beq	.L7
+.L3:
+	ldrb	w0, [sp, 15]
+	add	sp, sp, 16
+	.cfi_remember_state
+	.cfi_def_cfa_offset 0
+	and	w0, w0, 255
+	ret
+.L7:
+	.cfi_restore_state
+	mov	w0, 4
+	strb	w0, [sp, 15]
+	ldrb	w0, [sp, 14]
+	and	w0, w0, 255
+	cmp	w0, 36
+	bne	.L3
+	mov	w0, 5
+	strb	w0, [sp, 15]
+	b	.L3
+	.cfi_endproc
+.LFE0:
+	.size	main, .-main
+	.ident	"GCC: (Ubuntu 12.2.0-3ubuntu1) 12.2.0"
+	.section	.note.GNU-stack,"",@progbits

fuzzers/unicorn/libafl_unicorn_test/foo_x86.s

@@ -0,0 +1,55 @@
+	.file	"foo.c"
+	.text
+	.section	.text.startup,"ax",@progbits
+	.p2align 4
+	.globl	main
+	.type	main, @function
+main:
+.LFB0:
+	.cfi_startproc
+	endbr64
+	movb	$0, -1(%rsp)
+	movb	$1, -1(%rsp)
+	movzbl	-3(%rsp), %eax
+	movzbl	-2(%rsp), %edx
+	cmpb	%al, %dl
+	jnb	.L3
+	movb	$2, -1(%rsp)
+	movzbl	-3(%rsp), %eax
+	cmpb	$32, %al
+	jbe	.L3
+	movb	$3, -1(%rsp)
+	movzbl	-3(%rsp), %eax
+	cmpb	$80, %al
+	je	.L6
+.L3:
+	movzbl	-1(%rsp), %eax
+	ret
+.L6:
+	movb	$4, -1(%rsp)
+	movzbl	-2(%rsp), %eax
+	cmpb	$36, %al
+	jne	.L3
+	movb	$5, -1(%rsp)
+	jmp	.L3
+	.cfi_endproc
+.LFE0:
+	.size	main, .-main
+	.ident	"GCC: (Ubuntu 12.2.0-3ubuntu1) 12.2.0"
+	.section	.note.GNU-stack,"",@progbits
+	.section	.note.gnu.property,"a"
+	.align 8
+	.long	1f - 0f
+	.long	4f - 1f
+	.long	5
+0:
+	.string	"GNU"
+1:
+	.align 8
+	.long	0xc0000002
+	.long	3f - 2f
+2:
+	.long	0x3
+3:
+	.align 8
+4: